My research focuses on the economics of computational systems and protocols, such as cryptocurrencies. I am part of Prof. Aviv Zohar’s lab, and my research is supported by the Ministry of Science & Technology, Israel.
If you would like to collaborate or discuss on any of my ongoing projects, feel free to get in touch. This includes bright undergrads who are looking for a tutorial work mentor (עבודה מודרכת, קורסים מספר 67524/67537/67538).
News
May 1, 2023
Uncle Maker was accepted to CCS23! The accepted version includes new results.
Existing economic models of blockchains and DeFi do not capture certain inherent intricate details. I’m in the process of creating a better model. An analysis of this model shows that players in the system can strategically manipulate it for profit using methods which are unexplored by the current literature.
Attacks on Proof-of-Work and Proof-of-Stake consensus mechanisms
Decentralized cryptocurrencies are payment systems that rely on aligning the incentives of users and miners to operate correctly and offer a high quality of service to users. Recent literature studies the mechanism design problem of the auction serving as a cryptocurrency’s transaction fee mechanism (TFM). We present a general framework that captures both myopic and non-myopic settings, as well as different possible strategic models for users. Within this general framework, when restricted to the myopic case, we show that while the mechanism that requires a user to "pay-as-bid", and greedily chooses among available transactions based on their fees, is not dominant strategy incentive-compatible for users, it has a Bayesian-Nash equilibrium where bids are slightly shaded. Relaxing this incentive compatibility requirement circumvents the impossibility results proven by previous works, and allows for an approximately revenue and welfare optimal, myopic miner incentive-compatible (MMIC), and off-chain-agreement (OCA)-proof mechanism. We prove these guarantees using different benchmarks, and show that the pay-as-bid greedy auction is the revenue optimal Bayesian incentive-compatible, MMIC and 1-OCA-proof mechanism among a large class of mechanisms. We move beyond the myopic setting explored in the literature, to one where users offer transaction fees for their transaction to be accepted, as well as report their urgency level by specifying the time to live of the transaction, after which it expires. We analyze pay-as-bid mechanisms in this setting, and show the competitive ratio guarantees provided by the greedy allocation rule. We then present a better-performing non-myopic rule, and analyze its competitive ratio. The above analysis is stated in terms of a cryptocurrency TFM, but applies to other settings, such as cloud computing and decentralized "gig" economy, as well.
@conference{gafni2022greedy,author={Gafni, Yotam and Yaish, Aviv},title={Greedy Transaction Fee Mechanisms for (Non-)myopic Miners},year={2022},conferencetitle={Annual Conference of the Israeli Chapter of the Game Theory Society},keywords={Optimal Auctions, Blockchain, Mechanism Design, Transaction Fee Mechanisms},numpages={38},}
Uncle Maker: (Time)Stamping Out The Competition in Ethereum
We present an attack on Ethereum’s consensus mechanism which can be used by miners to obtain consistently higher mining rewards compared to the honest protocol. This attack is novel in that it does not entail withholding blocks or any behavior which has a non-zero probability of earning less than mining honestly, in contrast with the existing literature. This risk-less attack relies instead on manipulating block timestamps, and carefully choosing whether and when to do so. We present this attack as an algorithm, which we then analyze to evaluate the revenue a miner obtains from it, and its effect on a miner’s absolute and relative share of the main-chain blocks. The attack allows an attacker to replace competitors’ main-chain blocks after the fact with a block of its own, thus causing the replaced block’s miner to lose all transactions fees for the transactions contained within the block, which will be demoted from the main-chain. This block, although “kicked-out” of the main-chain, will still be eligible to be referred to by other main-chain blocks, thus becoming what is commonly called in Ethereum an uncle. We proceed by defining multiple variants of this attack, and assessing whether any of these attacks has been performed in the wild. Surprisingly, we find that this is indeed true, making this the first case of a confirmed consensus-level manipulation performed on a major cryptocurrency. Additionally, we implement a variant of this attack as a patch for geth, Ethereum’s most popular client, making it the first consensus-level attack on Ethereum which is implemented as a patch. Finally, we suggest concrete fixes for Ethereum’s protocol and implemented them as a patch for geth which can be adopted quickly and mitigate the attack and its variants.
@conference{yaish2023uncle,author={Yaish, Aviv and Stern, Gilad and Zohar, Aviv},title={Uncle Maker: (Time)Stamping Out The Competition in Ethereum},year={2023},series={CCS '23},conferencetitle={Proceedings of the 30th ACM Conference on Computer and Communications Security},keywords={decentralized finance, proof of work, blockchain, cryptocurrency},}
Blockchain Stretching & Squeezing: Manipulating Time for Your Best Interest
We present a novel way for cryptocurrency miners to manipulate the effective interest-rate on loans or deposits they make on decentralized finance (DeFi) platforms by manipulating difficulty-adjustment algorithms (DAAs) and changing the block-rate. This presents a new class of strategic manipulations available to miners. These manipulations allow miners to stretch and squeeze the time between consecutive blocks. We analyze these manipulations both analytically and empirically, and show that a 25% miner can stretch the time between consecutive blocks by up to 54% in Ethereum and 33% in Bitcoin, and squeeze it by up to 9% in Ethereum. Ethereum is particularly vulnerable, and even relatively small miners can seriously affect the block-rate. An interesting application of these manipulations is to create an artificial interest-rate gap between loans taken from one DeFi platform which accrues interest according to block height (such as Compound) and deposited in some other platform that does so according to elapsed time (like a bank, or other DeFi platforms such as Aave). Hence, stretching and squeezing the block-rate can decrease the interest paid on DeFi loans relative to external financial platforms. The profit made from this interest-rate gap provides a large incentive for miners to deviate. For example, a 25% Ethereum miner using our manipulations can increase mining profits by up to 35%, even after taking potential losses into consideration, such as less block-rewards. Our analysis of these manipulations and their mitigations has broad implications with regards to commonly-used cryptocurrency mechanisms and paradigms, such as Ethereum’s difficulty-adjustment algorithm and reward schemes, with Ethereum’s handling of uncle blocks being particularly manipulable. Interestingly, Bitcoin’s mechanism is more resistant Ethereum’s, owing to its larger incentives and a more resilient DAA.
@inproceedings{yaish2022blockchain,author={Yaish, Aviv and Tochner, Saar and Zohar, Aviv},booktitle={Proceedings of the 23rd ACM Conference on Economics and Computation},title={Blockchain Stretching & Squeezing: Manipulating Time for Your Best Interest},year={2022},address={New York, NY, USA},pages={65–88},publisher={Association for Computing Machinery},series={EC '22},doi={10.1145/3490486.3538250},isbn={9781450391504},keywords={decentralized finance, proof of work, blockchain, cryptocurrency},location={Boulder, CO, USA},numpages={24},url={https://doi.org/10.1145/3490486.3538250}}
Correct Cryptocurrency ASIC Pricing: Are Miners Overpaying?
Cryptocurrencies that are based on Proof-of-Work often rely on special purpose hardware (ASICs) to perform mining operations that secure the system. We argue that ASICs have been mispriced by miners and sellers that only consider their expected returns, and that in fact mining hardware should be treated as a bundle of financial options, that when exercised, convert electricity to virtual coins. We provide a method of pricing ASICs based on this insight, and compare the prices we derive to actual market prices. Contrary to the widespread belief that ASICs are worth less if the cryptocurrency is highly volatile, we show the opposite effect: volatility significantly increases value. Thus, if a coin’s volatility decreases, some miners may leave, affecting security. To prevent this, we suggest a new reward mechanism. Finally we construct a portfolio of coins and bonds that provides returns imitating an ASIC, and evaluate its behavior: historically, realized revenues of such portfolios have significantly outperformed ASICs, showing that indeed there is a mispricing of hardware, and offering an alternative investment route for would-be miners.
@conference{yaish2023pricing,author={Yaish, Aviv and Zohar, Aviv},title={Correct Cryptocurrency ASIC Pricing: Are Miners Overpaying?},year={2023},publisher={arXiv},series={CESC '22},archiveprefix={arXiv},conferencetitle={Crypto Economics Security Conference},doi={10.48550/ARXIV.2002.11064},eprint={2002.11064},keywords={Cryptography and Security (cs.CR), FOS: Computer and information sciences, FOS: Computer and information sciences},numpages={31},primaryclass={cs.CR},}