Cryptocurrencies: Miner Heterogeneity, Botnets, and Proof-of-Work Efficiency

Proof-of-work cryptocurrencies are heavily criticized for the alleged inefficiency of their mining mechanism. However, critics fail to distinguish between the resources that are used to secure the blockchain and those that are wasted. In this paper, we introduce a simple mining model and use this model to analyze the consensus protocol's efficiency, while accounting for the heterogeneity of the miners involved. We categorize the resources allocated by the miners as either useful or wasteful, and then use this to introduce a new measure of efficiency. We then demonstrate how this value depends on a set of potential miners and the variation of their marginal costs. Using this model, we then consider the existence of botnets and show how one could affect the security of the network. This analysis indicates that botnets can significantly change the mining landscape and, under certain circumstances, may lead to a dissipation ratio >1.


INTRODUCTION
Bitcoin (Nakamoto, 2008) and similar cryptocurrencies employ a consensus mechanism referred to as proof-of-work. Participants allocate computational resources in an attempt to find a set of transactions and additional data, that satisfy a pre-defined set of conditions (i.e., a valid block). In the long run, the probability of success is a function of a participant's computing power in relation to the computing power of the other participants. The greater the relative contribution of an individual, the greater the probability that this individual will find the next valid block and claim the block reward.
From a game theoretical perspective, this mechanism can be simplified and modeled as a nonstandard, all-pay auction with full information (Dimitri, 2017). Participants allocate resources to compete for an exogenously given reward (Sams, 2014), trying to maximize their expected return. In the absence of any barriers to entry, participants will allocate resources up to the value of the reward.
The increasing amount of computational resources used in this process and the fact that resource allocation has no effect on the number of transactions that can be processed by the network, has led to strong concerns about the efficiency of the proof-of-work consensus protocol (O'Dwyer and Malone, 2014). Proponents argue that the situation is not as straightforward as resources are used to secure the network. As more computing power is allocated, the blockchain becomes more secure, and it becomes harder to attack the chain and reverse transactions. A fair comparison to the existing payment systems would require the inclusion of any security measures employed by those systems as well as the risk of misconduct and rent-seeking by a monopolist Schär, 2017, 2018). While we will not try to propose a solution to the efficiency debate in absolute terms, we strongly believe that a theoretical framework is needed to provide a better understanding of how the computing power is being used.
In this context, here we will introduce a model based on rentseeking literature, in particular Tullock (1980), that allows us to classify the allocated resources as either useful or wasteful. The useful resources contribute to the security of the network, while the wasted resources have no social benefit to the system. This distinction allows for an analysis of the efficiency of the network while taking into account the effect of miners with differing marginal costs on the system. Depending on which miner contributes to the computing power, the security level and its cost to reach it may vary significantly.
We will first present the base model and discuss the case ofN ≥ 2 homogeneous miners. We use this model to define the terminology and introduce our measure of network security. We will then relax the assumptions by allowing miners to be heterogeneous and show the effect that heterogeneity has on the dissipation ratio and network security. Next, we will introduce our efficiency measure, which combines dissipation and network security considerations. It represents the proportion of expenditures that directly serve to protect the network. Finally, we will consider the existence of botnets. We use the term botnet somewhat liberally in that we use it for any mining resources whose costs are not borne by their respective decisionmakers, i.e., mining malware. We show how the presence of such resources may change the mining landscape and demonstrate how they affect the aggregate expenditures, security, and efficiency of the network.

MODEL
Let N be a set ofN ≥ 2 potential miners denoted by n i with i ∈ {1, . . . ,N}. Each miner decides to use a certain hashing power 1 h i ≥ 0 to maximize its own expected payoff function, given by Equation (1). The hash rate allocation vector, h h h, is of lengthN and includes all the individual hash rates, h i , for each miner, n i . The cost function, c i (h i ), is assumed to increase linearly in hashing power, h i , such that ∂c i (h i ) Miners compete for a reward. The value of this reward is exogenously given, and mining resources are in fact a function of the reward rather than vice versa. We represent the individual valuation of this reward by v i and restrict v i = v > 0, ∀i, where v represents the coinbase and the expected transaction fees. In contrast to the analogy of gold mining, this reward is, in the long run, independent of the respective choices for h h h. The hashing vector only influences the allocation probabilities of this reward. Thus, cryptocurrency mining essentially corresponds to a rentseeking game, where the prize corresponds to the block reward, v, and the probability, p i (h h h), is given by Equation (2).
This setup describes a non-standard, all-pay auction, in which any miner i with h i > 0 has a proportionate chance of winning the reward. Consequently, the miner's decision problem can be formalized as shown in Equation (3).

Homogeneous Miners
For now, we will only consider the case of homogeneous miners. Hence, c i (h i ) = αh i , ∀i = {1, . . . ,N}. Making use of homogeneity, the first order condition yields the profit maximizing h * as shown in Equation (4), where h i = h * , ∀i ∈ N corresponds to the symmetric Nash equilibrium. Figure 1 shows the optimal aggregated choices of h * as a function of the number of potential minersN and the marginal cost/reward ratio α v . It becomes apparent that the aggregate hash rate increases inN and decreases in α v . Plugging (4) back into (1) we get Equations (5) and (6), which can be interpreted as the individual and social profit functions, respectively.
As a consequence of an increase in aggregate hash rate expenditures, individual and social profits decrease withN. Note, that in the homogeneous case, profits are unaffected by any Frontiers in Blockchain | www.frontiersin.org changes in marginal costs α. An increase in α leads c.p. to a larger marginal cost/reward ratio α v . As shown in Figure 1, this causes a decrease in the total hash rate. At first, the drop could be falsely interpreted as a decrease in network security. However, assuming that a potential attacker is subject to the same terms as anyone else, α has no effect on the security of the network. This is shown in the proof of Proposition 2.
In rent-seeking literature, it is common to express social costs in relative terms to the value of the reward. This ratio as defined in Equation (7), is usually referred to as the dissipation ratio. Plugging Equation (4) into (7) and making use of homogeneity, we obtain Equation (8).
Proposition 1. In the homogeneous case, the dissipation ratio D is unaffected by changes in v. It is also unaffected by changes in α, as any changes in these two parameters will be offset by a proportional adjustment of h * .
However, D is a function of the number of potential minersN. Intuitively this is a consequence of the increase in aggregate hash rate,Nh * . In Figure 1 we observe that an increase inN leads to an increase in aggregate expenditures.
Recall that individuals always have the outside option of h i = 0. Consequently, the standard model will never deliver D > 1. A dissipation ratio >1 would mean that the total costs, caused by the allocation of mining resources, exceed the value of the reward-a rather unattractive business proposition. Thus, the dissipation ratio increases withN, where limN →∞ D = 1.
In the absence of any barriers to entry, potential miners will enter the market until the last bit of seigniorage is absorbed by the increasing hash rate.
Let us further denote network security as ϕ. As shown in Equation (9) we define network security as the minimum of all marginal costs multiplied by the network hash rate. In other words, ϕ is equivalent to the minimum cost an individual would have to bear to control half of the computation power and launch a surprise attack on the network. A surprise attack means that other miners are unaware of the imminent attack and hence, cannot adjust their resource allocations. Consequently, the larger the value for ϕ, the more expensive such an attack would be.
Although network security is an absolute measure that does not contain any information regarding efficiency, and although the dissipation ratio does not contain any information regarding network security, it can be shown that the two terms coincide under homogeneity assumptions.
Proposition 2. Let there beN ≥ 2 homogeneous miners. Then, network security must be equal to the dissipation ratio ϕ = D.
Consequently, an increase in the number of potential miners increases the dissipation ratio, drives down the expected payoffs, and ultimately leads to a seigniorage of 0. However, in the case of homogeneous miners we have shown that any expenditures positively affect network security ϕ to the same extent.

Heterogeneous Miners WithN = 2
Let us now relax the assumption of miner homogeneity. Instead we shall presume that there are different types of miners with varying marginal costs, c i (h i , α i ) = h i α i . These marginal costs are exogenously given and are represented by the vector α α α. The vector is of lengthN and includes α i , ∀i ∈ N. The variation may be the result of differences in operational costs or in access to mining equipment.
To keep our model simple, we will limitN to 2, although our numerical analysis has led to comparable results forN > 2. Furthermore, we will assume that the variation is exclusively driven by differences in α i (i.e., we will maintain our assumption that v i = v, ∀i). The miners' utility functions can now be expressed as (10).
The first order conditions, solved for h * 1 and h * 2 , respectively, lead to the set of equations as given in (11).
The set of Equation (11) represents the optimal choices depending on the respective choice of the opponent h 3−i ; the reward value, v; and the individual's marginal costs, α i . In Figure 2, we have visualized the reaction curves. Note, that we represent h in terms of v. Hence, a change in v will not cause the curves to shift. A change in α i on the other hand, extends or compresses the respective curve. The dashed line represents an example of such a change, or more specifically, an increase of α 1 . The intersection at the origin generally does not constitute a stable equilibrium. More precisely, h h h = 0 0 0 becomes an equilibrium (and in fact the unique equilibrium), if and only if we are in the case of v ≤ 0. Whenever there is a positive reward at stake, miners have an incentive to set h h h > 0 0 0. For all v > 0, the equilibrium solution always incorporates two (or more) active miners, independent of the extent of the differences in their marginal costs.
Plugging one of the equations in (11) into the other and solving it for h i yields Equation (12), which expresses the same maximization decision as a function of α. It is a more convenient expression of the optimal choice function as we have endogenized the opponent's hash rate decision.
To obtain Equation (13), an expression of the dissipation ratio, which is conditional on α α α only, we can use (12) and plug it into (7).
From (13) it can be shown, that the dissipation ratio decreases with miner heterogeneity. The first order derivative with respect to α 1 delivers Equation (14), which becomes negative if and only if α 1 > α 2 . In this case an increase in α 1 is equivalent to an increase in heterogeneity.

∂D ∂α
However, the dissipation ratio contains no information on the extent of network security. In particular, a high dissipation ratio does not imply a high value for network security, ϕ, as it could instead be driven by a large number of highly inefficient miners.
In such a case, the most efficient miner in the market could easily attack the network, despite the dissipation ratio being high. The network security on the other hand, has no explanatory power for the number of resources that have been spent to provide a certain value of ϕ.
Let us now combine the two, and introduce a measure, henceforth referred to as the security-efficiency ratio. It expresses the proportion of expenditures that serves to protect the network and hence, combines both the network's security and efficiency in one measure.  Figure 3 and shown in the proof of Proposition 3, the security-efficiency ratio cannot exceed 1 and decreases with increasing heterogeneity. Furthermore, presumingN = 2, it must lie in between 1 2 and 1.

As visualized in
Proposition 3. Let there beN = 2 miners. Then, the securityefficiency ratio ϕ D decreases with relative heterogeneity and lies in the range of ϕ D = 1 2 , 1 .
Case 1 (α 1 = α 2 ): As already shown in the proof of Proposition 2, presuming miner homogeneity, we get D = ϕ and thus, ϕ D = 1. This result can be easily replicated by using (16) and setting α 1 = α 2 . Case 2 (α 1 > α 2 ): Let us first consider the upper bound. By definition α 1 > α 2 . Thus, values for ϕ D as shown in (16) must be smaller than 1. The relevant lower bound can be obtained by allowing the difference between α 1 and α 2 to get infinitely large, lim α 2 α 1 →0 . The first addend of Equation (16) then becomes infinitely small.
Thus, ϕ D ∈ 1 2 , 1 . Recall the homogeneous miners case, where we found D = ϕ and hence, ϕ D = 1. This is perfectly consistent with Proposition 3 and demonstrates how the network would benefit from miner homogeneity, assuming a potential attacker would be bound by the same parameters. Although perfect homogeneity would lead to a large dissipation ratio, the spent resources could not be classified as social waste in a broader sense, as they would positively impact network security. This means that although decentralization is strengthened by a higher number of miners, these participants should be as homogeneous as possible for efficiency reasons. Any market distortion (e.g., subsidies) will lead to a lower security-efficiency ratio.

Botnets and Homogeneous Miners
In the previous two sections, we limited our analysis to ordinary miners. Let us now consider a special type of miner whose marginal costs are larger than its expected marginal profits. Although puzzling at first, this type of miner may exist for a number of reasons including "hobbyists and researchers, " "wishful thinkers, " "botnet operators, " "political actors, " and "individuals looking for a virgin coinbase" (Swanson, 2014). In our analysis we will focus on botnets, but the following model could be used to describe situations with any of the actors described above.
The existence of botnets raises a couple of very interesting research questions for our analysis. First, is it possible that the dissipation ratio takes on values larger than 1? Recall that this means that miners as a whole consistently spend more than there is to gain. Likewise, what implications does the emergence of botnets have for network security, ϕ, and more importantly, for the security-efficiency ratio, ϕ D ? To answer these questions, we extend our model and assume that there exists a botnet withb ≥ 0 units of hashing power, whereb/(b + N i h i ) represents the relative computation power of the botnet. For the sake of simplicity, we assume that the nonbotnet miners are homogeneous with α i = α, ∀i ∈ N and further restrictb ≤ v α , asb = v α would be sufficient to crowd out any non-botnet miners. As we will see, these are reasonable assumptions. If a botnet obtained a relative hash rate even close to our restrictions, the network would be seen as corrupted and our analysis would be redundant.
Recall that an illegal botnet is a distributed pool of hardware resources (e.g., desktop computers) that have been taken over by a botnet operator. Botnets make use of the victims' computation and network resources. They carry out tasks, such as sending junk mail, click fraud to collect advertising revenues, and cryptocurrency mining. The botnet operator has a marginal cost of 0, as all the costs are borne by the actual owner of the resources. Consequently, we assume that botnets will always allocate the maximum amount of available resources,b, to the hashing competition. We denote the average social cost per hash unit, as measured in (additional) electricity consumption and hardware depreciation, by α b and restrict α b > α. As mentioned before, these costs are borne by the owners of the infected computers.
As shown in Equation (17), we need to adjust the miners' expected payoff function by including the botnet's hash rate. Obviously, this has the effect of decreasing the miners' respective probabilities to win the competition and hence, has a negative impact on their expected payoff.
We can now derive the first order condition with respect to h i and presume non-botnet miner homogeneity. After a few more steps (shown in the Supplementary Material), we are able to solve for h in order to obtain Equation (18).
Let us now turn to the efficiency analysis. The equation for the dissipation ratio must be slightly adjusted to (19), to include the social cost inflicted by the botnet.
By using (18) we can eliminate h in (19) and re-express the equation, as shown in Equation (20).
The above expression allows us to demonstrate how the dissipation ratio changes in the presence of a botnet.
Proposition 4. Let there beN ≥ 1 homogeneous miners and a botnet withb ∈ [0, v α ] and α b > α. Then, the dissipation ratio monotonically increases withb and lies in the set D = [N −1 N , α b α ]. If we add a strict inequality by assumingb > 0, the dissipation ratio linearly increases with α b and, for sufficiently largeN, is >1.
Proof. Let us first show, that D linearly increases with α b for all b > 0. We derive (20) with respect to α b to obtain (21). It can now be easily observed that D increases at a constant growth rate for allb > 0, while it does not grow at all for the border cases withb = 0.
Let us now analyze (20), considering different assumptions regardingb and show that D ∈ D for allb ∈ [0, v α ]. Case 1 (b = 0): If we presumeb = 0 we are back in the homogeneous miners case and can simplify Equation (20) until we get D =N −1 N , which corresponds to (8) and represents the lower bound of D. As expected, this is consistent with the proof of Proposition 2.
Case 2 (b = v α ): If we setb = v α , botnets are the sole source of hashing power in the network. Hence, the dissipation ratio is unaffected byN. We can show this result by substitutingb with v α Frontiers in Blockchain | www.frontiersin.org in Equation (20). After a few simplification steps as shown in the Supplementary Material, we get D = α b α . 2 Case 3 (b ∈ (0, v α )): In between the two border solution cases, it remains to be shown that D ∈ D for allb ∈ (0, v α ). Let us establish our proof by first looking at the change of D inb. We derive (20) w.r.t.b and simplify the equation until we get (22).
The derivative shows, that D is monotonically increasing inb from our lower boundN −1 N , which must be smaller than 1, to our upper bound α b α , which by definition must be ≥1. Fitting all the pieces together, we know that for eachN, the border solutions are connected by a monotonically increasing path. This ensures that D will never exceed or undercut the border values, and hence, must always lie in D. An example of this relationship with v = α = 1 and α b = 2 is visualized in Figure 4.
As shown in the proof of Proposition 4, the presence of a botnet may cause the dissipation ratio to exceed 1. However, recall that the dissipation ratio is not a sufficient measure for our purposes, as it contains no information regarding the nature of the cost. In order to get an objective comparison, we need to reconsider the security-efficiency ratio, which was introduced earlier in this paper. Let us adjust Equation (9) to account for the 2 Note that it theoretically is possible to getb > v α . In such a case we would need to consider the non-negativity constraint h i ≥ 0, ∀i in order to reduce the dissipation α . However, this means that the (inefficient) botnet allocates more hashing power than the (efficient) miners would in a perfect competition equilibrium. We decided to mention this case in a side note, because it seemed to be very unlikely. botnet and divide it by (19) to obtain Equation (23).

Proof.
Case 1 (b = 0): Forb = 0 and/or α b = α, the numerator and denominator in Equation (23), or alternatively in (24), must be equal. As a result, we get our upper bound which corresponds to ϕ D = 1.
. This corresponds to the case with h * = 0 in Equation (23), as any non-botnet miners would be crowded out by the botnet. If bothb > 0 and α b > α are satisfied, the numerator will always be smaller than the denominator, with , 1]. Figure 5 shows the effects of a botnet, depending on the initial number of miners in the market. In the left-hand figure we have a mining market withN = 2. Hence, a botnet causes an immediate drop in ϕ D . In the right-hand figure we observe a market with N = 20. Here, the drop in ϕ D due to a change in α b is mitigated, as most of it occurs only if the botnet is able to take over a certain portion of the network.
The observed change for crowded miner markets can be explained by the consideration of the crucial difference in the parametersb and α b . Note thatb is an expression for hashing power provided by the botnet, and hence, influences all the optimal choice functions. Accordingly, a change inb leads to a change in the allocation vector of the non-botnet miners, h h h, conditional onN. The parameter α b on the other hand, is an expression of cost borne by society, which does not influence any of the individual hash rate allocation decisions. Since α < α b , the measure for network security, ϕ, is also unaffected by any changes in α b . Instead, α b exclusively influences D. In particular, an increase in α b must c.p. lead to a linear increase in D. Recall  that this has been shown in the proof of Proposition 4. The linearly growing denominator, in turn, must c.p. lead to a convex decrease in ϕ D . Thus, the larger the initial dissipation ratio, the less significant the increase. Taking into account the effects ofN on D, it becomes apparent, that α b has a larger effect on ϕ D , in low N markets.

CONCLUSION
We have proposed a model that allows for the evaluation of the efficiency of proof-of-work mining under different circumstances by categorizing the allocated resources as either useful or wasteful. The model also shows how security and efficiency are affected by miner heterogeneity. To relate those two values, we proposed the security-efficiency ratio, a value that expresses the portion of the aggregate expenditures that is used to secure the blockchain. We then showed that the security-efficiency ratio decreases with increasing miner heterogeneity. Any market distortion that increases miner heterogeneity will lower the security-efficiency ratio.
Additionally, we demonstrated how the introduction of a botnet affects the network. We concluded that botnets decrease the security-efficiency ratio and may even lead to dissipation ratios above 1. Consequently, systems that are more susceptible to botnet capture, such as ASIC-resistant proof-ofwork implementations, may be more prone to these inefficiencies under the assumption that all other hashrate providers face the same cost.
This model is presented as a framework for future studies with questions regarding the efficiency of proof-of-work mining.

DATA AVAILABILITY STATEMENT
All datasets generated for this study are included in the article/Supplementary Material.

AUTHOR CONTRIBUTIONS
The author confirms being the sole contributor of this work and has approved it for publication.