Papers
2022
- Suboptimality in DeFi2022
@misc{yaish2022suboptimality, author = {Yaish, Aviv and Dotan, Maya and Qin, Kaihua and Zohar, Aviv and Gervais, Arthur}, title = {Suboptimality in DeFi}, keywords = {Cryptocurrency, Blockchain, DeFi, Miner Extractable Value}, year = {2022}, numpages = {22}, }
- Greedy Transaction Fee Mechanisms for (Non-)myopic MinersYotam Gafni, and Aviv Yaish2022
Decentralized cryptocurrencies are payment systems that rely on aligning the incentives of users and miners to operate correctly and offer a high quality of service to their users. Recent literature studies the mechanism design problem of the auction serving as the transaction fee mechanism (TFM). We show that while the protocol that requires a user to “pay as bid” and greedily chooses among available transactions based on their fees is not dominant strategy incentive-compatible (DSIC) for users, it has a Bayesian-Nash equilibrium (BNE) where bids are slightly shaded. Relaxing this incentive compatibility requirement circumvents the impossibility result of (Chung & Shi, 2021) and allows for an approximately revenue and welfare optimal, myopic miners incentive-compatibility (MMIC), and off-chain-agreement (OCA)-proof mechanism. We prove its guarantees using different benchmarks, and in particular, show it is the revenue optimal Bayesian incentive-compatible (BIC), MMIC and 1-OCA-proof mechanism among a large class of mechanisms. We move beyond the myopic model to a model where users offer transaction fees for their transaction to be accepted, as well as report their urgency level by specifying the time to live (TTL) of the transaction, after which it expires. We show guarantees provided by the greedy allocation rule, as well as a better-performing non-myopic rule. The above analysis is stated in terms of a cryptocurrency TFM, but applies to other settings, such as cloud computing and decentralized “gig” economy, as well.
@misc{gafni2022greedy, author = {Gafni, Yotam and Yaish, Aviv}, title = {Greedy Transaction Fee Mechanisms for (Non-)myopic Miners}, keywords = {Optimal Auctions, Blockchain, Mechanism Design, Transaction Fee Mechanisms}, year = {2022}, numpages = {30}, }
- Uncle Maker: (Time)Stamping Out The Competition in EthereumAviv Yaish, Gilad Stern, and Aviv ZoharIn Crypto Economics Security Conference (CESC ’22), 2022
We present an attack on Ethereum’s consensus mechanism which can be used by miners to obtain consistently higher mining rewards compared to the honest protocol. This attack is novel in that it does not entail withholding blocks or any behavior which has a non-zero probability of earning less than mining honestly, in contrast with the existing literature. This risk-less attack relies instead on manipulating block timestamps, and carefully choosing whether and when to do so. We present this attack as an algorithm, which we then analyze to evaluate the revenue a miner obtains from it, and its effect on a miner’s absolute and relative share of the main-chain blocks. The attack allows an attacker to replace competitors’ main-chain blocks after the fact with a block of its own, thus causing the replaced block’s miner to lose all transactions fees for the transactions contained within the block, which will be demoted from the main-chain. This block, although “kicked-out” of the main-chain, will still be eligible to be referred to by other main-chain blocks, thus becoming what is commonly called in Ethereum an uncle. We proceed by defining multiple variants of this attack, and assessing whether any of these attacks has been performed in the wild. Surprisingly, we find that this is indeed true, making this the first case of a confirmed consensus-level manipulation performed on a major cryptocurrency. Additionally, we implement a variant of this attack as a patch for geth, Ethereum’s most popular client, making it the first consensus-level attack on Ethereum which is implemented as a patch. Finally, we suggest concrete fixes for Ethereum’s protocol and implemented them as a patch for geth which can be adopted quickly and mitigate the attack and its variants.
@conference{cryptoeprint:2022/1020, author = {Yaish, Aviv and Stern, Gilad and Zohar, Aviv}, title = {Uncle Maker: (Time)Stamping Out The Competition in Ethereum}, howpublished = {Cryptology ePrint Archive, Paper 2022/1020}, publisher = {Cryptology ePrint Archive}, keywords = {decentralized finance, proof of work, blockchain, cryptocurrency}, year = {2022}, numpages = {66}, note = {\url{https://eprint.iacr.org/2022/1020}}, url = {https://eprint.iacr.org/2022/1020}, conferencetitle = {Crypto Economics Security Conference}, series = {CESC '22}, }
- Blockchain Stretching & Squeezing: Manipulating Time for Your Best InterestAviv Yaish, Saar Tochner, and Aviv ZoharIn Proceedings of the 23rd ACM Conference on Economics and Computation (EC ’22), 2022
We present a novel way for cryptocurrency miners to manipulate the effective interest-rate on loans or deposits they make on decentralized finance (DeFi) platforms by manipulating difficulty-adjustment algorithms (DAAs) and changing the block-rate. This presents a new class of strategic manipulations available to miners. These manipulations allow miners to stretch and squeeze the time between consecutive blocks. We analyze these manipulations both analytically and empirically, and show that a 25% miner can stretch the time between consecutive blocks by up to 54% in Ethereum and 33% in Bitcoin, and squeeze it by up to 9% in Ethereum. Ethereum is particularly vulnerable, and even relatively small miners can seriously affect the block-rate. An interesting application of these manipulations is to create an artificial interest-rate gap between loans taken from one DeFi platform which accrues interest according to block height (such as Compound) and deposited in some other platform that does so according to elapsed time (like a bank, or other DeFi platforms such as Aave). Hence, stretching and squeezing the block-rate can decrease the interest paid on DeFi loans relative to external financial platforms. The profit made from this interest-rate gap provides a large incentive for miners to deviate. For example, a 25% Ethereum miner using our manipulations can increase mining profits by up to 35%, even after taking potential losses into consideration, such as less block-rewards. Our analysis of these manipulations and their mitigations has broad implications with regards to commonly-used cryptocurrency mechanisms and paradigms, such as Ethereum’s difficulty-adjustment algorithm and reward schemes, with Ethereum’s handling of uncle blocks being particularly manipulable. Interestingly, Bitcoin’s mechanism is more resistant Ethereum’s, owing to its larger incentives and a more resilient DAA.
@inproceedings{10.1145/3490486.3538250, author = {Yaish, Aviv and Tochner, Saar and Zohar, Aviv}, title = {Blockchain Stretching & Squeezing: Manipulating Time for Your Best Interest}, year = {2022}, isbn = {9781450391504}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/3490486.3538250}, doi = {10.1145/3490486.3538250}, booktitle = {Proceedings of the 23rd ACM Conference on Economics and Computation}, pages = {65–88}, numpages = {24}, keywords = {decentralized finance, proof of work, blockchain, cryptocurrency}, location = {Boulder, CO, USA}, series = {EC '22}, }
2020
- Correct Cryptocurrency ASIC Pricing: Are Miners Overpaying?Aviv Yaish, and Aviv ZoharIn Crypto Economics Security Conference (CESC ’22), 2020
Cryptocurrencies that are based on Proof-of-Work often rely on special purpose hardware (ASICs) to perform mining operations that secure the system. We argue that ASICs have been mispriced by miners and sellers that only consider their expected returns, and that in fact mining hardware should be treated as a bundle of financial options, that when exercised, convert electricity to virtual coins. We provide a method of pricing ASICs based on this insight, and compare the prices we derive to actual market prices. Contrary to the widespread belief that ASICs are worth less if the cryptocurrency is highly volatile, we show the opposite effect: volatility significantly increases value. Thus, if a coin’s volatility decreases, some miners may leave, affecting security. To prevent this, we suggest a new reward mechanism. Finally we construct a portfolio of coins and bonds that provides returns imitating an ASIC, and evaluate its behavior: historically, realized revenues of such portfolios have significantly outperformed ASICs, showing that indeed there is a mispricing of hardware, and offering an alternative investment route for would-be miners.
@conference{10.48550/ARXIV.2002.11064, doi = {10.48550/ARXIV.2002.11064}, author = {Yaish, Aviv and Zohar, Aviv}, keywords = {Cryptography and Security (cs.CR), FOS: Computer and information sciences, FOS: Computer and information sciences}, title = {Correct Cryptocurrency ASIC Pricing: Are Miners Overpaying?}, numpages = {33}, publisher = {arXiv}, year = {2020}, copyright = {Creative Commons Attribution 4.0 International}, conferencetitle = {Crypto Economics Security Conference}, series = {CESC '22}, }