We study the incentives behind double-spend attacks on Nakamoto-style Proof-of-Work cryptocurrencies. In these systems, miners are allowed to choose which transactions to reference with their block, and a common strategy for selecting transactions is to simply choose those with the highest fees. This can be problematic if these transactions originate from an adversary with substantial (but less than 50\%) computational power, as high-value transactions can present an incentive for a rational adversary to attempt a double-spend attack if they expect to profit. The most common mechanism for deterring double-spend attacks is for the recipients of large transactions to wait for additional block confirmations (i.e., to increase the attack cost). We argue that this defense mechanism is not satisfactory, as the security of the system is contingent on the actions of its users. Instead, we propose that defending against double-spend attacks should be the responsibility of the miners; specifically, miners should limit the amount of transaction value they include in a block (i.e., reduce the attack reward). To this end, we model cryptocurrency mining as a mean-field game in which we augment the standard mining reward function to simulate the presence of a rational, double-spending adversary. We design and implement an algorithm which characterizes the behavior of miners at equilibrium, and we show that miners who use the adversary-aware reward function accumulate more wealth than those who do not. We show that the optimal strategy for honest miners is to limit the amount of value transferred by each block such that the adversary's expected profit is 0. Additionally, we examine Bitcoin's resilience to double-spend attacks. Assuming a 6 block confirmation time, we find that an attacker with at least 25% of the network mining power can expect to profit from a double-spend attack.

翻译：我们研究了在纳卡莫托式工作量证明加密货币中发起双花攻击的激励机制。在该类系统中，矿工可自行选择引用区块中的交易，常见的交易选择策略是优先选取手续费最高的交易。若这些交易源自拥有显著（但低于50%）算力的攻击者，则高价值交易可能为理性攻击者提供实施双花攻击的激励——只要预期可获利。当前最常用的防御机制是要求大额交易接收方等待更多区块确认（即提高攻击成本）。我们认为该机制并不理想，因为系统安全性取决于用户行为。相反，我们提出应让矿工承担双花攻击防御责任：具体而言，矿工应限制区块中包含的交易价值（即降低攻击收益）。为此，我们将加密货币挖矿建模为均场博弈，通过扩展标准挖矿收益函数来模拟理性双花攻击者的存在。我们设计并实现了能够刻画均衡状态下矿工行为的算法，结果表明采用攻击感知收益函数的矿工相较于未使用者能积累更多财富。我们证明诚实矿工的最优策略是限制每个区块转移的价值量，使攻击者的预期利润为零。此外，我们分析了比特币对双花攻击的抵御能力。假设6个区块确认时间，我们发现拥有至少25%网络算力的攻击者有望通过双花攻击获利。