^{*}

Edited by: Joerg Osterrieder, Zurich University of Applied Sciences, Switzerland

Reviewed by: Gina C. Pieters, University of Chicago, United States; Nicolas T. Courtois, University College London, United Kingdom

This article was submitted to Financial Blockchain, a section of the journal Frontiers in Blockchain

This is an open-access article distributed under the terms of the Creative Commons Attribution License (CC BY). The use, distribution or reproduction in other forums is permitted, provided the original author(s) and the copyright owner(s) are credited and that the original publication in this journal is cited, in accordance with accepted academic practice. No use, distribution or reproduction is permitted which does not comply with these terms.

Proof-of-work cryptocurrencies are heavily criticized for the alleged inefficiency of their mining mechanism. However, critics fail to distinguish between the resources that are used to secure the blockchain and those that are wasted. In this paper, we introduce a simple mining model and use this model to analyze the consensus protocol's efficiency, while accounting for the heterogeneity of the miners involved. We categorize the resources allocated by the miners as either useful or wasteful, and then use this to introduce a new measure of efficiency. We then demonstrate how this value depends on a set of potential miners and the variation of their marginal costs. Using this model, we then consider the existence of botnets and show how one could affect the security of the network. This analysis indicates that botnets can significantly change the mining landscape and, under certain circumstances, may lead to a dissipation ratio >1.

Bitcoin (Nakamoto,

From a game theoretical perspective, this mechanism can be simplified and modeled as a non-standard, all-pay auction with full information (Dimitri,

The increasing amount of computational resources used in this process and the fact that resource allocation has no effect on the number of transactions that can be processed by the network, has led to strong concerns about the efficiency of the proof-of-work consensus protocol (O'Dwyer and Malone,

In this context, here we will introduce a model based on rent-seeking literature, in particular Tullock (

We will first present the base model and discuss the case of

Let _{i} with ^{1}_{i} ≥ 0 to maximize its own expected payoff function, given by Equation (1). The hash rate allocation vector, _{i}, for each miner, _{i}. The cost function, _{i}(_{i}), is assumed to increase linearly in hashing power, _{i}, such that

Miners compete for a reward. The value of this reward is exogenously given, and mining resources are in fact a function of the reward rather than _{i} and restrict _{i} = _{i}(

This setup describes a non-standard, all-pay auction, in which any miner _{i} > 0 has a proportionate chance of winning the reward. Consequently, the miner's decision problem can be formalized as shown in Equation (3).

For now, we will only consider the case of homogeneous miners. Hence, _{i}(_{i}) = α_{i}, ^{*} as shown in Equation (4), where

^{*} as a function of the number of potential miners

Aggregate hash rate ^{*}(α,

Plugging (4) back into (1) we get Equations (5) and (6), which can be interpreted as the individual and social profit functions, respectively.

As a consequence of an increase in aggregate hash rate expenditures, individual and social profits decrease with

In rent-seeking literature, it is common to express social costs in relative terms to the value of the reward. This ratio as defined in Equation (7), is usually referred to as the dissipation ratio. Plugging Equation (4) into (7) and making use of homogeneity, we obtain Equation (8).

Proposition 1. ^{*}

However,

Recall that individuals always have the outside option of _{i} = 0. Consequently, the standard model will never deliver

In the absence of any barriers to entry, potential miners will enter the market until the last bit of seigniorage is absorbed by the increasing hash rate.

Let us further denote network security as φ. As shown in Equation (9) we define network security as the minimum of all marginal costs multiplied by the network hash rate. In other words, φ is equivalent to the minimum cost an individual would have to bear to control half of the computation power and launch a surprise attack on the network. A surprise attack means that other miners are unaware of the imminent attack and hence, cannot adjust their resource allocations. Consequently, the larger the value for φ, the more expensive such an attack would be.

Although network security is an absolute measure that does not contain any information regarding efficiency, and although the dissipation ratio does not contain any information regarding network security, it can be shown that the two terms coincide under homogeneity assumptions.

Proposition 2.

Thus, φ =

□

Consequently, an increase in the number of potential miners increases the dissipation ratio, drives down the expected payoffs, and ultimately leads to a seigniorage of 0. However, in the case of homogeneous miners we have shown that any expenditures positively affect network security φ to the same extent.

Let us now relax the assumption of miner homogeneity. Instead we shall presume that there are different types of miners with varying marginal costs, _{i}(_{i}, α_{i}) = _{i} α _{i}. These marginal costs are exogenously given and are represented by the vector _{i}, ∀

To keep our model simple, we will limit _{i} (i.e., we will maintain our assumption that _{i} =

The first order conditions, solved for

The set of Equation (11) represents the optimal choices depending on the respective choice of the opponent _{3−i}; the reward value, _{i}. In

Reaction curves from (11) with α_{1} = α_{2} = 1 and α_{1} = 1.3 (dashed).

Note, that we represent _{i} on the other hand, extends or compresses the respective curve. The dashed line represents an example of such a change, or more specifically, an increase of α_{1}. The intersection at the origin generally does not constitute a stable equilibrium. More precisely,

Plugging one of the equations in (11) into the other and solving it for _{i} yields Equation (12), which expresses the same maximization decision as a function of

To obtain Equation (13), an expression of the dissipation ratio, which is conditional on

From (13) it can be shown, that the dissipation ratio decreases with miner heterogeneity. The first order derivative with respect to α_{1} delivers Equation (14), which becomes negative if and only if α_{1} > α_{2}. In this case an increase in α_{1} is equivalent to an increase in heterogeneity.

However, the dissipation ratio contains no information on the extent of network security. In particular, a high dissipation ratio does not imply a high value for network security, φ, as it could instead be driven by a large number of highly inefficient miners. In such a case, the most efficient miner in the market could easily attack the network, despite the dissipation ratio being high. The network security on the other hand, has no explanatory power for the number of resources that have been spent to provide a certain value of φ.

Let us now combine the two, and introduce a measure, henceforth referred to as the security-efficiency ratio. It expresses the proportion of expenditures that serves to protect the network and hence, combines both the network's security and efficiency in one measure.

As visualized in

Proposition 3.

Let us now assume without loss of generality that α_{1} ≥ α_{2}, such that

Case 1 (α_{1} = α_{2}): As already shown in the proof of Proposition 2, presuming miner homogeneity, we get _{1} = α_{2}.

Case 2 (α_{1} > α_{2}): Let us first consider the upper bound. By definition α_{1} > α_{2}. Thus, values for _{1} and α_{2} to get infinitely large,

Thus,

□

Recall the homogeneous miners case, where we found

In the previous two sections, we limited our analysis to ordinary miners. Let us now consider a special type of miner whose marginal costs are larger than its expected marginal profits. Although puzzling at first, this type of miner may exist for a number of reasons including “hobbyists and researchers,” “wishful thinkers,” “botnet operators,” “political actors,” and “individuals looking for a virgin coinbase” (Swanson,

The existence of botnets raises a couple of very interesting research questions for our analysis. First, is it possible that the dissipation ratio takes on values larger than 1? Recall that this means that miners as a whole consistently spend more than there is to gain. Likewise, what implications does the emergence of botnets have for network security, φ, and more importantly, for the security-efficiency ratio,

To answer these questions, we extend our model and assume that there exists a botnet with _{i} = α, ∀

Recall that an illegal botnet is a distributed pool of hardware resources (e.g., desktop computers) that have been taken over by a botnet operator. Botnets make use of the victims' computation and network resources. They carry out tasks, such as sending junk mail, click fraud to collect advertising revenues, and cryptocurrency mining. The botnet operator has a marginal cost of 0, as all the costs are borne by the actual owner of the resources. Consequently, we assume that botnets will always allocate the maximum amount of available resources, _{b} and restrict α_{b} > α. As mentioned before, these costs are borne by the owners of the infected computers.

As shown in Equation (17), we need to adjust the miners' expected payoff function by including the botnet's hash rate. Obviously, this has the effect of decreasing the miners' respective probabilities to win the competition and hence, has a negative impact on their expected payoff.

We can now derive the first order condition with respect to _{i} and presume non-botnet miner homogeneity. After a few more steps (shown in the

Let us now turn to the efficiency analysis. The equation for the dissipation ratio must be slightly adjusted to (19), to include the social cost inflicted by the botnet.

By using (18) we can eliminate

The above expression allows us to demonstrate how the dissipation ratio changes in the presence of a botnet.

Proposition 4. _{b} > α. Then, the dissipation ratio monotonically increases with_{b} and, for sufficiently large

_{b} for all _{b} to obtain (21). It can now be easily observed that

Let us now analyze (20), considering different assumptions regarding

Case 1 (

Case 2 (^{2}

Case 3 (

The derivative shows, that _{b} = 2 is visualized in

Thus,

□

As shown in the proof of Proposition 4, the presence of a botnet may cause the dissipation ratio to exceed 1. However, recall that the dissipation ratio is not a sufficient measure for our purposes, as it contains no information regarding the nature of the cost. In order to get an objective comparison, we need to reconsider the security-efficiency ratio, which was introduced earlier in this paper. Let us adjust Equation (9) to account for the botnet and divide it by (19) to obtain Equation (23).

Plugging (18) into (23), we get (24), which expresses the security-efficiency ratio with endogenized hash rate allocation decisions.

Equations (23) and (24) both show that the security-efficiency ratio must be 1 whenever _{b} = α.

Proposition 5. _{b} ≥ α. Then, the security-efficiency ratio must c.p. monotonically decrease with_{b}. Moreover, it must lie in

Case 1 (_{b} = α, the numerator and denominator in Equation (23), or alternatively in (24), must be equal. As a result, we get our upper bound which corresponds to

Case 2 (^{*} = 0 in Equation (23), as any non-botnet miners would be crowded out by the botnet. If both _{b} > α are satisfied, the numerator will always be smaller than the denominator, with

Thus,

□

_{b} is mitigated, as most of it occurs only if the botnet is able to take over a certain portion of the network.

The observed change for crowded miner markets can be explained by the consideration of the crucial difference in the parameters _{b}. Note that _{b} on the other hand, is an expression of cost borne by society, which does not influence any of the individual hash rate allocation decisions. Since α < α_{b}, the measure for network security, φ, is also unaffected by any changes in α_{b}. Instead, α_{b} exclusively influences _{b} must c.p. lead to a linear increase in _{b} has a larger effect on

We have proposed a model that allows for the evaluation of the efficiency of proof-of-work mining under different circumstances by categorizing the allocated resources as either useful or wasteful. The model also shows how security and efficiency are affected by miner heterogeneity. To relate those two values, we proposed the security-efficiency ratio, a value that expresses the portion of the aggregate expenditures that is used to secure the blockchain. We then showed that the security-efficiency ratio decreases with increasing miner heterogeneity. Any market distortion that increases miner heterogeneity will lower the security-efficiency ratio.

Additionally, we demonstrated how the introduction of a botnet affects the network. We concluded that botnets decrease the security-efficiency ratio and may even lead to dissipation ratios above 1. Consequently, systems that are more susceptible to botnet capture, such as ASIC-resistant proof-of-work implementations, may be more prone to these inefficiencies under the assumption that all other hashrate providers face the same cost.

This model is presented as a framework for future studies with questions regarding the efficiency of proof-of-work mining.

All datasets generated for this study are included in the article/

The author confirms being the sole contributor of this work and has approved it for publication.

The author declares that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.

The Supplementary Material for this article can be found online at:

^{1}i.e., a certain number of hashes per second.

^{2}Note that it theoretically is possible to get _{i} ≥ 0, ∀