Identifying Incentive Attacks in DAG-Oriented Blockchain Protocols

cover
18 Sept 2024

Abstract and I. Introduction

II. Background

III. Problem Definition

IV. DAG-Oriented Solutions

V. Game Theoretical Analysis

VI. Simulation Model

VII. Evaluation

VIII. Countermeasures

IX. Discussion and Future Work

X. Related Work

XI. Conclusion and References

III. PROBLEM DEFINITION

Let there be a PoW blockchain network that uses the Nakamoto consensus and consists of honest and greedy miners, with the greedy miners holding a fraction κ of the total mining power (i.e., adversarial mining power). Then, we denote the network propagation delay in seconds as τ and the block creation time in seconds as λ. We assume that the minimum value of λ is constrained by τ of the blockchain network. It is well-known that Nakamoto-style blockchains generate stale blocks (a.k.a., orphan blocks). As a result, a fraction of the mining power is wasted. The rate at which stale blocks are generated increases when λ is decreased, which is one of the reasons why Bitcoin maintains a high λ of 600s.

DAG-Oriented Designs. Many DAG-oriented designs were proposed to allow a decrease of λ while utilizing stale blocks in parallel chains, which should increase the transaction throughput. Although there are some DAG-oriented designs that do not address the problem of increasing transaction throughput (e.g., IoTA [39], Nano [25], Byteball [3]), we focus on the specific group of solutions addressing this problem, such as Inclusive [26], GHOSTDAG, PHANTOM [44], SPECTRE [43], and Prism [6]. We are targeting the RTS strategy, which is a common property of this group of protocols. In the RTS, the miners do not take into account transaction fees of all included transactions; instead, they select transactions of blocks randomly – although not necessarily uniformly at random (e.g., [42]). In this way, these designs aim to eliminate transaction collision within parallel blocks of the DAG structure. Nevertheless, the interpretation of randomness in RTS is not enforced/verified by these designs, and miners are trusted to ignore fees of all (or the majority of [42]) transactions for the common “well-being” of the protocol. Contrary, miners of blockchains such as Bitcoin use a wellknown transaction selection mechanism that maximizes profit by selecting all transactions of the block based on the highest fees – we refer to this strategy as the greedy strategy in the context of considered DAG-based protocols.

A. Assumptions

We assume a generic DAG-oriented consensus protocol using the RTS strategy (denoted as DAG-PROTOCOL). Then, we assume that the incentive scheme of DAG-PROTOCOL relies on transaction fees (but additionally might also rely on block rewards),[4] and transactions are of the same size.[5] Let us assume that the greedy miners may only choose a different transaction selection strategy to make more profit than honest miners. Then, we assume that DAG-PROTOCOL uses rewarding where the miner of the block A gets rewarded for all unique not-yet-mined transactions in A (while she is not rewarded for transaction duplicates mined before).

B. Identified Problems – Incentive Attacks

Although the assumptions stated above might seem intuitive, there is no related work studying the impact of greedy miners deviating from the RTS strategy on any of the considered DAG-PROTOCOLs (GHOSTDAG, PHANTOM [44], SPECTRE [43], Inclusive [26], and Prism [6]) and the effect it might have on the throughput of these protocols as well as a fair distribution of earned rewards. Note that we assume GHOSTDAG, PHANTOM, and SPECTRE are utilizing the RTS strategy that was proposed in the Inclusive protocol [43], as recommended by the (partially overlapping) authors of these works – this is further substantiated by the practical implementation of GHOSTDAG/PHANTOM called Kaspa [42], which utilizes a variant of RTS strategy (see Sec. IV) that selects a majority portion of transactions in a block uniformly at random, while a small portion of the block capacity is seized by the transaction selected based on the highest fees. Nevertheless, besides potentially increased transaction collision rate, even such an approach enables more greedy behavior.

We make a hypothesis for our incentive attacks:

Hypothesis 1. A greedy transaction selection strategy will decrease the relative profit of honest miners as well as transaction throughput in the DAG-PROTOCOL.

Note that the greedy transaction selection strategy deviates from the DAG-PROTOCOL and thus is considered adversarial.

Authors:

(1) Martin Peresıni, Brno University of Technology, Faculty of Information Technology (iperesini@fit.vut.cz);

(2) Ivan Homoliak, Brno University of Technology, Faculty of Information Technology (ihomoliak@fit.vut);

(3) Federico Matteo Bencic, University of Zagreb, Faculty of Electrical Engineering and Computing (federico-matteo.bencic@fer.hr);

(4) Martin Hruby, Brno University of Technology, Faculty of Information Technology (hruby@fit.vut.cz);

(5) Kamil Malinka, Brno University of Technology, Faculty of Information Technology (malinka@fit.vut).


This paper is available on arxiv under CC BY 4.0 DEED license.

  1. Note that block rewards would not change the applicability of our incentive attacks, and the constraints defined in the game theoretic model (see Sec. V-B) would remain met even with them.

  2. Note that this assumption serves only for simplification of the follow-up sections. Transactions of different sizes would require normalizing fees by the sizes of transactions to obtain an equivalent setup (i.e., a fee per Byte).