ORIGINAL RESEARCH article
Cryptocurrencies: Miner Heterogeneity, Botnets, and Proof-of-Work Efficiency
- Faculty of Business and Economics, Center for Innovative Finance, University of Basel, Basel, Switzerland
Proof-of-work cryptocurrencies are heavily criticized for the alleged inefficiency of their mining mechanism. However, critics fail to distinguish between the resources that are used to secure the blockchain and those that are wasted. In this paper, we introduce a simple mining model and use this model to analyze the consensus protocol's efficiency, while accounting for the heterogeneity of the miners involved. We categorize the resources allocated by the miners as either useful or wasteful, and then use this to introduce a new measure of efficiency. We then demonstrate how this value depends on a set of potential miners and the variation of their marginal costs. Using this model, we then consider the existence of botnets and show how one could affect the security of the network. This analysis indicates that botnets can significantly change the mining landscape and, under certain circumstances, may lead to a dissipation ratio >1.
Bitcoin (Nakamoto, 2008) and similar cryptocurrencies employ a consensus mechanism referred to as proof-of-work. Participants allocate computational resources in an attempt to find a set of transactions and additional data that satisfy a pre-defined set of conditions (i.e., a valid block). In the long run, the probability of success is a function of a participant's computing power in relation to the computing power of the other participants. The greater the relative contribution of an individual, the greater the probability that this individual will find the next valid block and claim the block reward.
From a game theoretical perspective, this mechanism can be simplified and modeled as a non-standard, all-pay auction with full information (Dimitri, 2017). Participants allocate resources to compete for an exogenously given reward (Sams, 2014), trying to maximize their expected return. In the absence of any barriers to entry, participants will allocate resources up to the value of the reward.
The increasing amount of computational resources used in this process, and the fact that resource allocation has no effect on the number of transactions that can be processed by the network, have led to strong concerns about the efficiency of the proof-of-work consensus protocol (O'Dwyer and Malone, 2014). Proponents argue that the situation is not as straightforward, as resources are used to secure the network. As more computing power is allocated, the blockchain becomes more secure, and it becomes harder to attack the chain and reverse transactions. A fair comparison to the existing payment systems would require the inclusion of any security measures employed by those systems as well as the risk of misconduct and rent-seeking by a monopolist (Berentsen and Schär, 2017, 2018). While we will not try to propose a solution to the efficiency debate in absolute terms, we strongly believe that a theoretical framework is needed to provide a better understanding of how the computing power is being used.
In this context, we introduce a model based on rent-seeking literature, in particular Tullock (1980), that allows us to classify the allocated resources as either useful or wasteful. The useful resources contribute to the security of the network, while the wasted resources have no social benefit to the system. This distinction allows for an analysis of the efficiency of the network while taking into account the effect of miners with differing marginal costs on the system. Depending on which miner contributes to the computing power, the security level and the cost of reaching it may vary significantly.
We will first present the base model and discuss the case of homogeneous miners. We use this model to define the terminology and introduce our measure of network security. We will then relax the assumptions by allowing miners to be heterogeneous and show the effect that heterogeneity has on the dissipation ratio and network security. Next, we will introduce our efficiency measure, which combines dissipation and network security considerations. It represents the proportion of expenditures that directly serve to protect the network. Finally, we will consider the existence of botnets. We use the term botnet somewhat liberally in that we use it for any mining resources whose costs are not borne by their respective decision-makers, i.e., mining malware. We show how the presence of such resources may change the mining landscape and demonstrate how they affect the aggregate expenditures, security, and efficiency of the network.
Let N be a set of potential miners denoted by ni with . Each miner decides to use a certain hashing power1 hi ≥ 0 to maximize its own expected payoff function, given by Equation (1). The hash rate allocation vector, h, is of length and includes all the individual hash rates, hi, for each miner, ni. The cost function, ci(hi), is assumed to increase linearly in hashing power, hi, such that and .
Miners compete for a reward. The value of this reward is exogenously given, and mining resources are in fact a function of the reward rather than vice versa. We represent the individual valuation of this reward by vi and restrict vi = v > 0, ∀i, where v represents the coinbase and the expected transaction fees. In contrast to the analogy of gold mining, this reward is, in the long run, independent of the respective choices for h. The hashing vector only influences the allocation probabilities of this reward. Thus, cryptocurrency mining essentially corresponds to a rent-seeking game, where the prize corresponds to the block reward, v, and the probability, pi(h), is given by Equation (2).
This setup describes a non-standard, all-pay auction, in which any miner i with hi > 0 has a proportionate chance of winning the reward. Consequently, the miner's decision problem can be formalized as shown in Equation (3).
2.1. Homogeneous Miners
For now, we will only consider the case of homogeneous miners. Hence, ci(hi) = αhi, . Making use of homogeneity, the first order condition yields the profit maximizing h* as shown in Equation (4), where corresponds to the symmetric Nash equilibrium.
Figure 1 shows the optimal aggregated choices of h* as a function of the number of potential miners and the marginal cost/reward ratio . It becomes apparent that the aggregate hash rate increases in and decreases in .
Plugging (4) back into (1) we get Equations (5) and (6), which can be interpreted as the individual and social profit functions, respectively.
As a consequence of an increase in aggregate hash rate expenditures, individual and social profits decrease with . Note that in the homogeneous case, profits are unaffected by any changes in marginal costs α. An increase in α leads c.p. to a larger marginal cost/reward ratio . As shown in Figure 1, this causes a decrease in the total hash rate. At first, the drop could be falsely interpreted as a decrease in network security. However, assuming that a potential attacker is subject to the same terms as anyone else, α has no effect on the security of the network. This is shown in the proof of Proposition 2.
In rent-seeking literature, it is common to express social costs in relative terms to the value of the reward. This ratio as defined in Equation (7), is usually referred to as the dissipation ratio. Plugging Equation (4) into (7) and making use of homogeneity, we obtain Equation (8).
Proposition 1. In the homogeneous case, the dissipation ratio D is unaffected by changes in v. It is also unaffected by changes in α, as any changes in these two parameters will be offset by a proportional adjustment of h*.
However, D is a function of the number of potential miners . Intuitively this is a consequence of the increase in aggregate hash rate, . In Figure 1 we observe that an increase in leads to an increase in aggregate expenditures.
Recall that individuals always have the outside option of hi = 0. Consequently, the standard model will never deliver D > 1. A dissipation ratio >1 would mean that the total costs, caused by the allocation of mining resources, exceed the value of the reward—a rather unattractive business proposition. Thus, the dissipation ratio increases with , where .
In the absence of any barriers to entry, potential miners will enter the market until the last bit of seigniorage is absorbed by the increasing hash rate.
Let us further denote network security as φ. As shown in Equation (9) we define network security as the minimum of all marginal costs multiplied by the network hash rate. In other words, φ is equivalent to the minimum cost an individual would have to bear to control half of the computation power and launch a surprise attack on the network. A surprise attack means that other miners are unaware of the imminent attack and hence, cannot adjust their resource allocations. Consequently, the larger the value for φ, the more expensive such an attack would be.
Although network security is an absolute measure that does not contain any information regarding efficiency, and although the dissipation ratio does not contain any information regarding network security, it can be shown that the two terms coincide under homogeneity assumptions.
Proposition 2. Let there be homogeneous miners. Then, network security must be equal to the dissipation ratio φ = D.
Proof. From (8) we know that . Starting with Equation (9), plugging in (4) and making use of miner homogeneity, we get
Thus, φ = D. □
Consequently, an increase in the number of potential miners increases the dissipation ratio, drives down the expected payoffs, and ultimately leads to a seigniorage of 0. However, in the case of homogeneous miners we have shown that any expenditures positively affect network security φ to the same extent.
2.2. Heterogeneous Miners With
Let us now relax the assumption of miner homogeneity. Instead we shall presume that there are different types of miners with varying marginal costs, ci(hi, αi) = hiαi. These marginal costs are exogenously given and are represented by the vector α. The vector is of length and includes αi, ∀i ∈ N. The variation may be the result of differences in operational costs or in access to mining equipment.
To keep our model simple, we will limit to 2, although our numerical analysis has led to comparable results for . Furthermore, we will assume that the variation is exclusively driven by differences in αi (i.e., we will maintain our assumption that vi = v, ∀i). The miners' utility functions can now be expressed as (10).
The first order conditions, solved for and , respectively, lead to the set of equations as given in (11).
The set of Equation (11) represents the optimal choices depending on the respective choice of the opponent h3−i; the reward value, v; and the individual's marginal costs, αi. In Figure 2, we have visualized the reaction curves.
Note that we represent h in terms of v. Hence, a change in v will not cause the curves to shift. A change in αi, on the other hand, extends or compresses the respective curve. The dashed line represents an example of such a change, or more specifically, an increase of α1. The intersection at the origin generally does not constitute a stable equilibrium. More precisely, h = 0 becomes an equilibrium (and in fact the unique equilibrium), if and only if we are in the case of v ≤ 0. Whenever there is a positive reward at stake, miners have an incentive to set h > 0. For all v > 0, the equilibrium solution always incorporates two (or more) active miners, independent of the extent of the differences in their marginal costs.
Plugging one of the equations in (11) into the other and solving it for hi yields Equation (12), which expresses the same maximization decision as a function of α. It is a more convenient expression of the optimal choice function as we have endogenized the opponent's hash rate decision.
To obtain Equation (13), an expression of the dissipation ratio, which is conditional on α only, we can use (12) and plug it into (7).
From (13) it can be shown that the dissipation ratio decreases with miner heterogeneity. The first order derivative with respect to α1 delivers Equation (14), which becomes negative if and only if α1 > α2. In this case an increase in α1 is equivalent to an increase in heterogeneity.
However, the dissipation ratio contains no information on the extent of network security. In particular, a high dissipation ratio does not imply a high value for network security, φ, as it could instead be driven by a large number of highly inefficient miners. In such a case, the most efficient miner in the market could easily attack the network, despite the dissipation ratio being high. The network security on the other hand, has no explanatory power for the number of resources that have been spent to provide a certain value of φ.
Let us now combine the two, and introduce a measure, henceforth referred to as the security-efficiency ratio. It expresses the proportion of expenditures that serves to protect the network and hence, combines both the network's security and efficiency in one measure.
As visualized in Figure 3 and shown in the proof of Proposition 3, the security-efficiency ratio cannot exceed 1 and decreases with increasing heterogeneity. Furthermore, presuming , it must lie in between and 1.
Proposition 3. Let there be miners. Then, the security-efficiency ratio decreases with relative heterogeneity and lies in the range of .
Proof. Plugging (12) into (9) and (13) and dividing (9) by (13), we get (15).
Let us now assume without loss of generality that α1 ≥ α2, such that . Through simplifying (15) we obtain (16).
Case 1 (α1 = α2): As already shown in the proof of Proposition 2, presuming miner homogeneity, we get D = φ and thus, . This result can be easily replicated by using (16) and setting α1 = α2.
Case 2 (α1 > α2): Let us first consider the upper bound. By definition α1 > α2. Thus, values for as shown in (16) must be smaller than 1. The relevant lower bound can be obtained by allowing the difference between α1 and α2 to get infinitely large, . The first addend of Equation (16) then becomes infinitely small.
Thus, . □
Recall the homogeneous miners case, where we found D = φ and hence, . This is perfectly consistent with Proposition 3 and demonstrates how the network would benefit from miner homogeneity, assuming a potential attacker would be bound by the same parameters. Although perfect homogeneity would lead to a large dissipation ratio, the spent resources could not be classified as social waste in a broader sense, as they would positively impact network security. This means that although decentralization is strengthened by a higher number of miners, these participants should be as homogeneous as possible for efficiency reasons. Any market distortion (e.g., subsidies) will lead to a lower security-efficiency ratio.
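The heterogeneous-miner results above can be reproduced numerically. The following is an added example, not code from the paper: it solves the first-order conditions of the proportional-reward contest in closed form for any number of miners (a generalization of the two-miner case treated in the text) and evaluates the dissipation ratio, network security and their quotient. The function names are hypothetical, and network security is normalised by v so that it is comparable with D, as Proposition 2 requires.

```python
# Added example (not from the paper): equilibrium of the proportional-reward
# mining contest with linear, miner-specific marginal costs alpha_i.

def equilibrium(alphas, v):
    """Nash equilibrium hash rates for payoffs v*h_i/H - alpha_i*h_i.

    With H the total hash rate, the first-order condition
    v*(H - h_i)/H**2 = alpha_i gives, for the m active miners,
    H = v*(m-1)/sum(alpha) and h_i = H*(1 - alpha_i*H/v).
    Miners that are too costly keep the outside option h_i = 0.
    """
    if len(alphas) < 2 or v <= 0 or min(alphas) <= 0:
        raise ValueError("need >= 2 miners, v > 0 and positive marginal costs")
    order = sorted(range(len(alphas)), key=lambda i: alphas[i])
    active, cost_sum = [], 0.0
    for i in order:  # admit miners from cheapest to most expensive
        m = len(active) + 1
        if alphas[i] * (m - 1) >= cost_sum + alphas[i]:
            break    # h_i would be <= 0: this miner and all costlier ones stay out
        active.append(i)
        cost_sum += alphas[i]
    total = v * (len(active) - 1) / cost_sum
    h = [0.0] * len(alphas)
    for i in active:
        h[i] = total * (1 - alphas[i] * total / v)
    return h

def foc_residual(alphas, h, v):
    """Largest first-order-condition violation among active miners."""
    total = sum(h)
    return max(abs(v * (total - x) / total**2 - a)
               for a, x in zip(alphas, h) if x > 0)

def metrics(alphas, v):
    """Return (D, phi, phi/D) at the equilibrium allocation.

    D   = aggregate mining cost relative to the reward.
    phi = cheapest marginal cost times total hash rate, relative to the reward.
    """
    h = equilibrium(alphas, v)
    d = sum(a * x for a, x in zip(alphas, h)) / v
    phi = min(alphas) * sum(h) / v
    return d, phi, phi / d

if __name__ == "__main__":
    # Constructed inputs: miner 2 has cost 1, miner 1 becomes ever less efficient.
    for a1 in (1.0, 2.0, 10.0, 1000.0):
        d, phi, ratio = metrics([a1, 1.0], v=1.0)
        print(f"alpha1={a1:7.1f}  D={d:.4f}  phi={phi:.4f}  phi/D={ratio:.4f}")
```

For two miners the quotient falls from 1 toward 1/2 as the cost gap widens, while a miner whose marginal cost is too high to be active leaves all three measures unchanged.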
2.3. Botnets and Homogeneous Miners
In the previous two sections, we limited our analysis to ordinary miners. Let us now consider a special type of miner whose marginal costs are larger than its expected marginal profits. Although puzzling at first, this type of miner may exist for a number of reasons including “hobbyists and researchers,” “wishful thinkers,” “botnet operators,” “political actors,” and “individuals looking for a virgin coinbase” (Swanson, 2014). In our analysis we will focus on botnets, but the following model could be used to describe situations with any of the actors described above.
The existence of botnets raises a couple of very interesting research questions for our analysis. First, is it possible that the dissipation ratio takes on values larger than 1? Recall that this means that miners as a whole consistently spend more than there is to gain. Likewise, what implications does the emergence of botnets have for network security, φ, and more importantly, for the security-efficiency ratio, ?
To answer these questions, we extend our model and assume that there exists a botnet with units of hashing power, where represents the relative computation power of the botnet. For the sake of simplicity, we assume that the non-botnet miners are homogeneous with αi = α, ∀i ∈ N and further restrict , as would be sufficient to crowd out any non-botnet miners. As we will see, these are reasonable assumptions. If a botnet obtained a relative hash rate even close to our restrictions, the network would be seen as corrupted and our analysis would be redundant.
Recall that an illegal botnet is a distributed pool of hardware resources (e.g., desktop computers) that have been taken over by a botnet operator. Botnets make use of the victims' computation and network resources. They carry out tasks, such as sending junk mail, click fraud to collect advertising revenues, and cryptocurrency mining. The botnet operator has a marginal cost of 0, as all the costs are borne by the actual owner of the resources. Consequently, we assume that botnets will always allocate the maximum amount of available resources, , to the hashing competition. We denote the average social cost per hash unit, as measured in (additional) electricity consumption and hardware depreciation, by αb and restrict αb > α. As mentioned before, these costs are borne by the owners of the infected computers.
As shown in Equation (17), we need to adjust the miners' expected payoff function by including the botnet's hash rate. Obviously, this has the effect of decreasing the miners' respective probabilities to win the competition and hence, has a negative impact on their expected payoff.
We can now derive the first order condition with respect to hi and presume non-botnet miner homogeneity. After a few more steps (shown in the Supplementary Material), we are able to solve for h in order to obtain Equation (18).
Let us now turn to the efficiency analysis. The equation for the dissipation ratio must be slightly adjusted to (19), to include the social cost inflicted by the botnet.
By using (18) we can eliminate h in (19) and re-express the equation, as shown in Equation (20).
The above expression allows us to demonstrate how the dissipation ratio changes in the presence of a botnet.
Proposition 4. Let there be homogeneous miners and a botnet with and αb > α. Then, the dissipation ratio monotonically increases with and lies in the set . If we add a strict inequality by assuming , the dissipation ratio linearly increases with αb and, for sufficiently large , is >1.
Proof. Let us first show that D linearly increases with αb for all . We differentiate (20) with respect to αb to obtain (21). It can now be easily observed that D increases at a constant growth rate for all , while it does not grow at all for the border cases with .
Let us now analyze (20), considering different assumptions regarding and show that for all .
Case 1 (): If we presume we are back in the homogeneous miners case and can simplify Equation (20) until we get , which corresponds to (8) and represents the lower bound of . As expected, this is consistent with the proof of Proposition 2.
Case 2 (): If we set , botnets are the sole source of hashing power in the network. Hence, the dissipation ratio is unaffected by . We can show this result by substituting with in Equation (20). After a few simplification steps as shown in the Supplementary Material, we get .2
Case 3 (): In between the two border solution cases, it remains to be shown that for all . Let us establish our proof by first looking at the change of D in . We differentiate (20) w.r.t. and simplify the equation until we get (22).
The derivative shows that D is monotonically increasing in from our lower bound , which must be smaller than 1, to our upper bound , which by definition must be ≥1. Fitting all the pieces together, we know that for each , the border solutions are connected by a monotonically increasing path. This ensures that D will never exceed or undercut the border values, and hence, must always lie in . An example of this relationship with v = α = 1 and αb = 2 is visualized in Figure 4.
Thus, , which implies . □
As shown in the proof of Proposition 4, the presence of a botnet may cause the dissipation ratio to exceed 1. However, recall that the dissipation ratio is not a sufficient measure for our purposes, as it contains no information regarding the nature of the cost. In order to get an objective comparison, we need to reconsider the security-efficiency ratio, which was introduced earlier in this paper. Let us adjust Equation (9) to account for the botnet and divide it by (19) to obtain Equation (23).
Plugging (18) into (23), we get (24), which expresses the security-efficiency ratio with endogenized hash rate allocation decisions.
Equations (23) and (24) both show that the security-efficiency ratio must be 1 whenever and/or αb = α.
Proposition 5. Let there be homogeneous miners and a botnet with and αb ≥ α. Then, the security-efficiency ratio must c.p. monotonically decrease with and αb. Moreover, it must lie in .
Case 1 (): For and/or αb = α, the numerator and denominator in Equation (23), or alternatively in (24), must be equal. As a result, we get our upper bound which corresponds to .
Case 2 (): For we can reduce Equation (24) until we get . This corresponds to the case with h* = 0 in Equation (23), as any non-botnet miners would be crowded out by the botnet. If both and αb > α are satisfied, the numerator will always be smaller than the denominator, with
Thus, . □
Figure 5 shows the effects of a botnet, depending on the initial number of miners in the market. In the left-hand figure we have a mining market with . Hence, a botnet causes an immediate drop in . In the right-hand figure we observe a market with . Here, the drop in due to a change in αb is mitigated, as most of it occurs only if the botnet is able to take over a certain portion of the network.
The observed change for crowded miner markets can be explained by the consideration of the crucial difference in the parameters and αb. Note that is an expression for hashing power provided by the botnet, and hence, influences all the optimal choice functions. Accordingly, a change in leads to a change in the allocation vector of the non-botnet miners, h, conditional on . The parameter αb, on the other hand, is an expression of cost borne by society, which does not influence any of the individual hash rate allocation decisions. Since α < αb, the measure for network security, φ, is also unaffected by any changes in αb. Instead, αb exclusively influences D. In particular, an increase in αb must c.p. lead to a linear increase in D. Recall that this has been shown in the proof of Proposition 4. The linearly growing denominator, in turn, must c.p. lead to a convex decrease in . Thus, the larger the initial dissipation ratio, the less significant the increase. Taking into account the effects of on D, it becomes apparent that αb has a larger effect on , in low markets.
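The botnet model of this section can be evaluated numerically with the Figure 4 parameters (v = α = 1, αb = 2). The following is an added example, not code from the paper: the botnet's hashing power `h_bot` is given in absolute units and `share` expresses it as a fraction of the crowd-out level v/α, both hypothetical names introduced here, and network security is normalised by v so that it can be divided by D.

```python
# Added example (not from the paper): n homogeneous miners with marginal cost
# alpha facing a botnet that always supplies h_bot units of hashing power.
import math

def miner_hash_rate(n, v, alpha, h_bot):
    """Aggregate equilibrium hash rate x = n*h of the regular miners.

    Each miner maximises v*h_i/(H + h_bot) - alpha*h_i. Under symmetry the
    first-order condition is alpha*(x + h_bot)**2 = v*((n-1)*x/n + h_bot),
    a quadratic in x with one non-negative root.
    """
    if n < 2 or v <= 0 or alpha <= 0 or h_bot < 0:
        raise ValueError("need n >= 2, v > 0, alpha > 0 and h_bot >= 0")
    if h_bot >= v / alpha:
        return 0.0  # botnet alone pushes marginal revenue below alpha
    b = 2 * alpha * h_bot - v * (n - 1) / n
    c = alpha * h_bot**2 - v * h_bot
    return (-b + math.sqrt(b * b - 4 * alpha * c)) / (2 * alpha)

def botnet_metrics(n, v, alpha, alpha_b, h_bot):
    """Return (D, phi, phi/D) for the market with the botnet present.

    D counts the miners' own cost plus the social cost alpha_b per botnet
    hash unit. phi prices the whole hash rate at the cheapest marginal
    cost, which is alpha because the model restricts alpha_b >= alpha.
    """
    x = miner_hash_rate(n, v, alpha, h_bot)
    d = (alpha * x + alpha_b * h_bot) / v
    phi = alpha * (x + h_bot) / v
    return d, phi, phi / d

def sweep(n, v, alpha, alpha_b, shares):
    """Evaluate the metrics for botnet sizes given as shares of v/alpha."""
    return [(s,) + botnet_metrics(n, v, alpha, alpha_b, s * v / alpha)
            for s in shares]

if __name__ == "__main__":
    # Figure 4 parameters from the text: v = alpha = 1, alpha_b = 2.
    for n in (2, 50):
        print(f"n = {n}")
        for s, d, phi, ratio in sweep(n, 1.0, 1.0, 2.0, (0, 0.25, 0.5, 0.75, 1)):
            print(f"  share={s:4.2f}  D={d:.4f}  phi={phi:.4f}  phi/D={ratio:.4f}")
```

With two miners the dissipation ratio already exceeds 1 once the botnet supplies half of the crowd-out hash rate; with fifty miners D starts near 1, so the same botnet moves the security-efficiency ratio less at small shares.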
We have proposed a model that allows for the evaluation of the efficiency of proof-of-work mining under different circumstances by categorizing the allocated resources as either useful or wasteful. The model also shows how security and efficiency are affected by miner heterogeneity. To relate those two values, we proposed the security-efficiency ratio, a value that expresses the portion of the aggregate expenditures that is used to secure the blockchain. We then showed that the security-efficiency ratio decreases with increasing miner heterogeneity. Any market distortion that increases miner heterogeneity will lower the security-efficiency ratio.
Additionally, we demonstrated how the introduction of a botnet affects the network. We concluded that botnets decrease the security-efficiency ratio and may even lead to dissipation ratios above 1. Consequently, systems that are more susceptible to botnet capture, such as ASIC-resistant proof-of-work implementations, may be more prone to these inefficiencies under the assumption that all other hashrate providers face the same cost.
This model is presented as a framework for future studies with questions regarding the efficiency of proof-of-work mining.
Data Availability Statement
All datasets generated for this study are included in the article/Supplementary Material.
The author confirms being the sole contributor of this work and has approved it for publication.
Conflict of Interest
The author declares that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.
The Supplementary Material for this article can be found online at: https://www.frontiersin.org/articles/10.3389/fbloc.2020.00016/full#supplementary-material
1. ^i.e., a certain number of hashes per second.
2. ^Note that it theoretically is possible to get . In such a case we would need to consider the non-negativity constraint hi ≥ 0, ∀i in order to reduce the dissipation ratio equation to . However, this means that the (inefficient) botnet allocates more hashing power than the (efficient) miners would in a perfect competition equilibrium. We decided to mention this case in a side note, because it seemed to be very unlikely.
Nakamoto, S. (2008). Bitcoin: A Peer to Peer Electronic Cash System. Available online at: https://www.bitcoin.com/bitcoin.pdf (accessed January 18, 2018).
Sams, R. (2014). The Marginal Cost of Cryptocurrency. Available online at: http://www.cryptonomics.org/2014/01/15/the-marginal-cost-of-cryptocurrency/ (accessed January 18, 2018).
Swanson, T. (2014). The Anatomy of a Money-Like Informational Commodity: A Study of Bitcoin. Available online at: https://s3-us-west-2.amazonaws.com/chainbook/The+Anatomy+of+a+Money-like+Informational+Commodity.pdf (accessed January 18, 2018).
Keywords: bitcoin, blockchain, botnet, cryptocurrencies, mining, proof-of-work
Citation: Schär F (2020) Cryptocurrencies: Miner Heterogeneity, Botnets, and Proof-of-Work Efficiency. Front. Blockchain 3:16. doi: 10.3389/fbloc.2020.00016
Received: 02 July 2019; Accepted: 20 March 2020;
Published: 21 April 2020.
Edited by: Joerg Osterrieder, Zurich University of Applied Sciences, Switzerland
Reviewed by: Gina C. Pieters, University of Chicago, United States
Nicolas T. Courtois, University College London, United Kingdom
Copyright © 2020 Schär. This is an open-access article distributed under the terms of the Creative Commons Attribution License (CC BY). The use, distribution or reproduction in other forums is permitted, provided the original author(s) and the copyright owner(s) are credited and that the original publication in this journal is cited, in accordance with accepted academic practice. No use, distribution or reproduction is permitted which does not comply with these terms.
*Correspondence: Fabian Schär, firstname.lastname@example.org