Selﬁsh Behavior in the Tezos Proof-of-Stake Protocol

Proof-of-Stake consensus protocols give rise to complex modeling challenges. We analyze the Babylon update (October 2019) to the Proof-of-Stake protocol on the Tezos blockchain, and demonstrate that, under certain conditions, rational participants are incentivized to behave dishonestly. In doing so, we provide a theoretical analysis of the feasibility and proﬁtabil-ity of a block stealing attack that we call selﬁsh endorsing , a concrete instance of an attack previously only theoretically considered. We propose and analyze a simple change to the Tezos protocol which signiﬁcantly reduces the (already small) proﬁtability of this dishonest behavior, and introduce a new delay and reward scheme that is provably secure against length-1 and length-2 selﬁsh endorsing attacks. Our framework provides a template for analyzing other Proof-of-Stake protocols for the possibility of selﬁsh behavior.


Introduction
Blockchain technologies have received significant attention since the release of the Bitcoin protocol in 2008 [25].Blockchains arose as a solution to a critical problem in enabling permissionless, decentralized cryptocurrencies: how to maintain a global consensus on user account balances.The Bitcoin network addressed this problem by putting every transaction into a globally visible ledger protected by a Proof-of-Work (PoW) consensus protocol.In PoW, each block creator is tasked with assembling a list of valid transactions and doing costly computational work, and is rewarded with some amount of the native asset, Bitcoin.
Proof-of-Stake (PoS) protocols are seen as potential successors of PoW protocols.Both kinds of protocols run a lottery to select the creator of the next block (the lottery is implicit in PoW, explicit in PoS), and in order to prevent malicious participants from creating many identities to increase their chances of winning, entry into these lotteries must be costly.PoW requires that lottery entrants burn computational cycles † Work completed while MN was visiting Harvard University. in order to join, while PoS requires participants to forego the use of staking capital for some duration of time.In particular, PoS protocols require that staked capital be forfeited if the behavior of a miner is not consistent with that specified by the rules of the protocol.While both approaches reward participants proportionally to expenditure, PoW has received criticism, and PoS is thought to provide an important step forward for consensus protocols on blockchains.
The three main critiques of PoW protocols are the environmental impact, the inflationary tendencies, and the centralization found in many digital currencies.The environmental argument is a result of PoW using significant amounts of energy; by some estimates, the annual energy consumption of the Bitcoin network is equivalent to that of Austria [7].The related inflationary criticism stems from the fact that it requires substantial real world expenditures by miners on hardware and electricity.These miners are in turn compensated by large block rewards that lead to inflationary pressure on the currency, and if the rewards are reduced, fewer miners participate and the security of the network degrades.PoS protocols do not suffer from these limitations.Another critique of PoW arises from concerns around the concentration of mining power.As of November 2019, F2Pool owned 18% of the hashpower in the Bitcoin network, and the top four mining pools combined controlled more than 50% of the hashpower [3].However, because the ownership of cryptocurrencies is far from decentralized [28], PoS may not address this issue either.
Tezos [14], EOS [8], Cardano (ADA) [15], BlackCoin [29], and Nxt [6] represent the major PoS networks that are currently running. 1 One of the distinguishing features of Tezos is that it has a built-in governance protocol, which allows changes to the specification to be voted on by participants in the P2P network.In contrast, the development of Bitcoin has been slow because few developers want to risk forking the network over a protocol change [22].The design of the Tezos network hopes to encourage agreement on upgrades by creating a specific venue and timeline for voting on software updates.As of January 2020, each change required a quorum of participants and over 80% approval to be instantiated [10].On October 17, 2019, an update called Babylon [12,11] was accepted into the Tezos protocol.
In the paper, we analyze a large component of this upgrade: a new consensus protocol called Emmy + [20].In particular, we identify an incentive vulnerability in the Tezos PoS mechanism, analyze the severity of an attack, and establish security properties of alternative mechanisms.In doing so, we provide a simple theoretical framework that can be used to analyze other implementations, and that we hope will encourage a more formal treatment of the security properties of PoS protocols.
Section 2 describes how PoS is implemented in Tezos, Section 3 formalizes the attack that we call selfish endorsing and assesses the probability of it being profitable for a rational agent, Section 4 proposes a simple heuristic fix to the Emmy + protocol, and Section 5 proposes an alternative mechanism and proves that it is secure against a subset of selfish endorsing attacks, before concluding in Section 6.

Related Work
We seek to understand the extent to which rational participants in a particular PoS system can benefit by not behaving according to the protocol.This is analogous to the question asked by Eyal and Sirer (2013) [9], who demonstrate that miners can earn a higher proportion of rewards in a PoW protocol by deviating from the honest protocol and following a selfish mining strategy.Follow-up work includes Sapirshtein et al. (2016) [27], who identify the optimal such policy, Nayak et al. (2016) [26], who consider network attacks, and Kwon et al. (2017) [17], who consider the impact of selfish mining in the context of mining pools.
In regard to PoS, Brown-Cohen et al. (2019) show that complete security in their model of longest-chain PoS protocols is not possible [4].The dishonest behavior that we refer to as selfish endorsing is a real-world instance of the theoretical predictable selfish mine attack that appears in their work.We are not aware of any other academic work that formally analyzes the incentives of the Tezos PoS protocol.Nomadic Labs, the team that implemented Emmy + [20], did provide a blog post with the results of an incentive analysis [19], but without providing an explicit formalism for the model used or the probabilistic analysis. 2In this work, we present the complete derivation of an attack model, and make explicit the methods used to obtain our results. 2We have verified with the authors of the blog post that the two models achieve similar numerical results when calculating the probability of a profitable attack using the same parameters.

The Basics
Tezos implements an optional Delegated Proof-of-Stake (DPoS) protocol [14,10], which is sometimes referred to as Liquid Proof-of-Stake [1] to distinguish it from other, more rigid DPoS implementations [8]. 3embers of the Tezos consensus layer are called delegates and are considered active when they participate in the creation and validation of blocks (and passive otherwise).The Tezos unit of account (XTZ) is split into groups of 8,000 tokens called rolls, and each delegate is associated with a set of rolls.Active delegates participate in a lottery to bake and endorse a block at every block-height in the chain.Bakers are responsible for including transactions in blocks while endorsers cryptographically sign the "best" block that they have seen at each height.
The baking-and-endorsing priority lottery is carried out by randomly selecting rolls and giving the next available priority to the owner of that roll, a technique known as follow-the-Satoshi [2].For each block-height, a list of bakers is created using the random roll selection process, and the index of a baker in this list determines the priority with which they can create a block at this height.Additionally a set of 32 endorsers is created for each block-height.There is no priority list for endorsers, and each has equal weight.Each draw from the set of rolls is done with replacement, so the same delegate may appear many times on the baking priority list as well as in the set of endorsers.
Bakers and endorsers are rewarded based on participation, which creates an incentive for delegates to remain active.Figure 1 shows how the blocks are created and endorsed as well as the value of each, which is a function of the reward scheme described below.

The Babylon Upgrade and Emmy +
The new consensus protocol, Emmy + , which was part of the October 2019 Babylon update, is distinct from its predecessor, Emmy, in three important ways: 1.A block's validity-time is a function of the number of endorsements it includes, in addition to the priority of the baker.Each block includes a timestamp for when it was created.In order to regulate the rate at which blocks are created, Emmy + uses a minimum delay between blocks (see Equation 1), which is what we refer to as the validity-time.When a node in the P2P network checks an incoming block, it ensures that the difference in the timestamp of that block and the previous block in the chain is greater than the validity-time.
Before Emmy + , the validity-time was only a function of the priority of the baker, but now it is also a function of the number of endorsements it includes.Importantly, the number of endorsements is not the number of delegates who endorse the block itself, but rather the number of endorsements for the previous block that this block includes.Since endorsements are operations that are heard over the network, including an endorsement in a block is analogous to including a transaction.
In order for a block to be considered valid, its timestamp must differ from the previous block's timestamp by at least D seconds, where D defines the validity-time and is the following function of the baker's priority, p, and the number of endorsements included in the block, e (see Minimal block delays in [10]): The effect is that for each priority-level that a baker is below the highest-priority (0), the validity-time for the block increases by 40 seconds.Also, for each endorsement that is missed below 24 of the 32 endorsers, the validity-time increases by 8 seconds; a block may miss up to 8 endorsements without incurring a time penalty, but each additional missed signature slows validity by 8 seconds. 4If each block is baked by the 0 th priority delegate and endorsed by most of the endorser set, then a block will be created every 60 seconds and the Tezos network is considered healthy.
2. The fork-choice rule was changed.The fork-choice rule is used by nodes in a P2P network to choose the branch that they will extend.Before this update, the canonical fork (i.e., the currently active fork) was the one with the most endorsements (i.e., a heaviest-chain rule [14]).After the update, the best fork became the one with the longest chain from the genesis block.This modified rule makes evaluation of branches easier, and alleviates a baker's uncertainty as to when to publish blocks in order to avoid missing out on late endorsements. 5Brown-Cohen et al. [4] already showed that this longest-chain rule can lead to theoretical vulnerabilities.
Here we focus on one of these, predictable selfish mining, and our work represents a real-world instance of this vulnerability.
3. The rewards for baking and endorsing blocks were modified.Before the change, baking a block earned the delegate a constant reward of 16 XTZ, but in Emmy + the block rewards are a function of the baker's priority, p, and the number of endorsements e for the previous block that are included in this block (see Rewards in [10]).Let R b be the baking reward.In Emmy + , we have The rewards for endorsements were also modified.Previously, endorsement rewards were a function of the priority of the block that the endorsement signed, but in Emmy + they are a function of the priority of the block that includes the endorsements.Denote the priority of the baker who baked the block that includes an endorsement as p i .Then the endorsing reward, R e , is calculated as Figure 1 illustrates the rewards that the bakers and endorsers earn under the Emmy + rules.

The Selfish Endorsing Attack
We now give an example of the vulnerability that we call selfish endorsing, which with some probability incentivizes a rational baker to ignore the longest-chain rule and create a separate two-block fork faster than the rest of the network can publish two blocks.We give an example to illustrate that selfish endorsing is a profitable deviation from the intended protocol based on block and endorsement rewards alone.Additionally this attack provides an opportunity for a 1-confirmation double-spend. 6et X be a rational delegate who is willing to deviate from the Emmy + protocol.We describe baking and endorsing rights in terms of slots that correspond to a specific length of the chain (e.g., a block baked at height n from the genesis block occupies the n th slot).In the Emmy + implementation, delegates see exactly who will have baking and endorsing rights for the next several thousand (≈ 5 × 4096) blocks.For a given slot , let p be the highest priority and e the number of endorsement rights that X is randomly allocated.Priorities are zero-indexed, with 0 being the highest.Additionally, let n +1 denote the number of consecutive top baking priorities given to X at slot + 1 (e.g., if the baking priority list for the + 1 slot is [X , X , other, X , ...], then p +1 = 0 and n +1 = 2).2) and let R e (p) be as defined in (3).In this scenario, block will earn the baker a reward of R b (1, 32) = 8 XTZ, and block + 1 will earn the baker R b (0, 31) = 15.9XTZ.The endorsements for slot − 1 will each earn R e (1) = 1 XTZ and the endorsements for slot will each earn R e (0) = 2 XTZ.Notice that the slot endorsements still get the full reward when signing a lower priority block, simply because they are included in the 0 th priority block at the + 1 slot.Before the Emmy + upgrade the slot endorsements would only earn 1 XTZ each.
In our analysis, we make the assumption that messages are sent and received instantaneously.While it is out of scope handle propagation delays in this paper, this question has been studied in the context of Bitcoin [13] and offers an interesting avenue for future work.

An Illustrative Attack on Emmy +
Figure 2 shows that an attacker X with second priority (p = 1) at slot can bake a block that will end up on the final chain despite the first-priority (p = 0) delegate publishing on time.This is malicious because the baker with the lower priority stole the block reward from the highest priority baker.
Delegate X is able to look ahead and calculate when this attack can be executed because the baking priorities and endorsing rights are publicly known into the future.We verify that the selfish chain will create two blocks faster than the honest chain using Equation 1.
Let D h and D s be the total time to create two blocks for the honest and selfish chains, respectively.We have, The combination of having a large share of endorsements for slot and the two highest priorities for slot + 1 allows X to slow down the honest network by only endorsing a private block at slot .Attacker X can then produce a second valid block before the honest network does, and create the unique longest chain.Using Equations 2 and 3, we can verify that this selfish behavior also results in a greater reward than following the honest protocol, thus demonstrating that this is a profitable deviation in its own right, and not just an opportunity for a 1-confirmation double spend.
For this, let R h denote the total reward earned by X over the next two blocks while behaving honestly.The labels underneath the expressions indicate the reason each reward is added.We have Similarly we can calculate the total rewards that the attacker X earns while selfishly endorsing, denoted R s .We have This demonstrates that the gain in reward from creating a new block at slot outweighs the loss in reward from the endorsements on slot −1 ending up on a lower priority block, and because the block baked in slot + 1 only includes 14 endorsements.Critically, the rewards for the 14 endorsements for slot (which are essential in slowing down the honest network), do not decrease at all because these endorsements are still included on the block baked by X at slot + 1, which has priority 0.
Similarly to selfish mining, if this attack were to be executed it would be easily detected through the increased presence of orphan blocks, and the baker who was stealing the Figure 2: Let p be the highest priority allocated to the attacker at slot , and n +1 be the number of consecutive top priorities allocated to the attacker at slot + 1.Additionally, let e be the number of endorsement rights that the attacker owns at slot .This figure illustrates the selfish endorsing attack with e −1 = 2, e = 14, p = 1, and n +1 = 2.The top and bottom forks show the next two blocks for the honest and selfish chains respectively.Each block shows the priority of the baker who created it, p, and the number of endorsements that it includes, e.Note that e is not the number of endorsements that this block receives, but rather the number of endorsements for the block baked in the previous slot that it includes, thus both blocks created at slot have e = 32 because they both include all 32 endorsements of the block baked at slot − 1.The empty blocks labelled A, B, and C correspond to timestamps when the honest network would expect the second block to appear.A and B are empty because X holds the top two priorities for slot + 1. C is empty because the baker with priority 2 for slot + 1 is missing X 's 14 endorsements from slot , which incurs a 48 second penalty.block would be identified, which may act as a deterrent from this behavior.However, it is worth noting that there is no mechanism within the Emmy + mechanism to punish this block stealing attack.The protocol as originally defined has the ability to slash a delegate's block and endorsement rewards if they are caught signing multiple blocks of the same height [14], but selfish endorsing is different in that is impossible to cryptographically prove that a delegate is misbehaving and thus a punishment cannot be programmed in to the protocol.

Feasibility
Figure 2 describes just one instance of a whole family of length-2 selfish endorsing attacks.In order to calculate the probability that any such attack is possible, we develop a generalized model.Consider tuples of the form t = (e −1 , e , p , n +1 ).We define t as feasible if the selfish chain can create two valid blocks faster than the honest chain with this combination of parameters.Figure 2 demonstrates an attack that is feasible with the tuple t 0 = (e −1 = 2, e = 14, p = 1, n +1 = 2), but we want to find all such combinations of parameters with this property.As above, we use D h and D s to denote the total time to create two blocks, for the honest and selfish networks respectively.Let D 2 be the difference in the selfish and honest times, i.e., An attack is feasible if D s < D h , which implies D 2 < 0.
Now if D 2 < 0, then the attack is feasible.Notice that D 2 is not a function of e −1 because both chains will always include all the endorsement operations for the n − 1 slot.

Profitability
Now we need to parameterize the reward functions.As above, we use R h to denote the reward for delegate X playing honestly for the next two blocks, and R s to denote the reward for selfish endorsing over that same span.Further, let R 2 denote the difference in selfish and honest rewards, i.e., An attack is profitable if the amount of reward that X receives playing selfishly is greater than that which they would receive playing honestly, or if R 2 > 0. We are slightly abusing notation here, in that for delay, the subscripts s and h refer to the delay for X versus the delay for the rest of the network.In the case of rewards, the subscripts both refer to delegate X and correspond to selfish or honest behavior.
We express R 2 as a function of the tuple t = (e −1 , e , p , n +1 ).In this case, R 2 does not depend on n +1 .
Proof.First we focus on the reward for behaving honestly.We must take into account the endorsement rewards and the block rewards for the next two blocks.Using Equations 2 and 3, we define the total reward for honest behavior over the next two blocks as, We categorize the rewards for the endorsements under the next slot because that is where they are included in a block.Similarly, we calculate the total reward for selfish behavior over the next two blocks as, Now if R 2 > 0, then an attack parameterized is profitable.

Probability
As a third step, we can calculate the probability of a tuple t = (e −1 , e , p , n +1 ) occurring randomly on the chain.Let α denote the fraction of active rolls that X owns.Given this, the probability of X receiving any priority or endorsement for slot is α.Let P ∼ Geometric(α) be the random variable representing the number of consecutive slots not owned by X . 7The distribution on X being allocated each of the first n priorities in slot + 1 is also a geometric random variable, but with probability (1 − α), and denoted N ∼ Geometric(1 − α).Lastly, the distribution on X being allocated e endorsement rights for slot is a binomial random variable with 32 draws, denoted E ∼ Binomial(32, α).Thus, we can calculate the probability of tuple t = (e −1 , e , p , n +1 ) given α, as (16) 7 Recall the intuition for a geometric random variable as counting the number of failures until the first success, where success has probability α.In this case a failure is defined as not being allocated a priority, which happens with probability 1 − α.

Generalizing
We can now calculate the probability of this family of length-2 attacks occurring.Let A 2 denote all tuples for which the attack is feasible (i.e., it creates two blocks faster than the honest network) and profitable (i.e., it has higher rewards than playing honestly).We have, We also want to measure how profitable these attacks are.Let V 2 be the expected increase in reward of the attacks in A 2 (i.e., how much more profit the selfish behavior will generate than by playing honestly).We have, Procedure 1 (in Appendix B) demonstrates these calculations, and the blue columns in Table 1 show the results of the analysis.Let C = 365 • 24 • 60 represent the number of minutes in a year, so C • Pr[A 2 ] is the expected number of attacks per year and C • V 2 is the expected increase in value (in XTZ) for following the selfish policy for a year.This shows the attack is not a serious threat, given that even with 40% of the stake, X is only expected to earn 254.94 XTC (≈ $307.23 in November 2019) more than if they had played honestly for the year.Regardless, this is an example of how this type of attack could be formulated against a longest-chain PoS system.

A Heuristic Fix to Emmy +
The profit from the attack can be reduced by introducing a simple modification to the Emmy + consensus protocol.Recall that in Emmy + the endorsement reward defined in Equation 3 is a function of the priority of the block that includes the endorsement, denoted p i .If the rewards for endorsements are switched to being a function of the block that they endorse, denoted p e , the attacks occur less frequently.
The green columns in Table 1 represent the probability and value of the attack at different levels of α after this fix, and the % column reports the improvement over the status quo.Recall that α represents the fraction of active rolls that are owned by X .The only exception to this reduction is the case of α = 0.1, where we observe that both the probability and the value of the attacks rise as a result of the suggested change.Since the expected increase in value of 0.21 XTZ ≈ $0.25 over a year is effectively no increase in profit, the fix still seems reasonable.See the caption of Table 1 for more discussion.
The values of the green columns in Table 1 were calculated using Procedure 1 in Appendix B, but with the reward function presented in Lemma 4.1.We defer the proof of this lemma to the Appendix because it is similar to Lemma 3.2.Proof.See Appendix A. This is not a security proof, but rather a heuristic change that decreases the probability and profitability of selfish endorsing for most values of α.

Alternative Fix: New Delay and Reward Functions
In this section, we present modifications to both the delay and reward functions that would make the PoS protocol provably secure against a specific attack vector (in this case, length-1 and length-2 selfish endorsing).In contrast to the heuristic fix in Section 4, we change the validity-time and reward functions, as opposed to simply switching which block is used to calculate endorsement rewards. 8In practice, creating a fully secure PoS protocol is not as simple as implementing these functions, because there are other long-range forking attacks that must be taken into account.If the delay for each drop in baker priority is too large, then the honest network is slowed dramatically, which allows for an attacker to have more time to create a longer private chain.
Let D be the new delay function for a block being valid, which is a function of the priority of the baker, p, and the number of endorsements it includes, e.We define this as, D (p, e) = 60 + 193p + 8 max(24 − e, 0).
Relative to Emmy + , the new component is the amount of time added for each drop in priority of the baker.In Emmy + this value is 40, while in this revised expression D it is 193.This delay function was constructed to ensure that the highest priority block can always be published before the second highest priority (see Lemma 5.2).This is because given the following reward functions, length-1 block stealing attacks are profitable in some cases (they are not profitable in Emmy + because of Lemma 5.1), so in order to insure they do not occur, the delay function ensures that they are never feasible.
Let R b be the modified reward function for a block baked with priority p, and including e endorsements.It maintains an 80 XTZ per block inflation rate, but splits the rewards 40/40 between the baker and the endorsers: Let R e (p i ) denote the reward for an endorsement that is included in a block baked with priority p i .We have, ] represents the number of times the attack will be feasible and profitable over the course of a year, and C • V 2 will be the additional profit over honest behavior that the attacker makes in a year.The light blue cells represent the results under the current implementation and the green cells represent the results after our heuristic fix (described in Section 4) is applied.The % column shows the respective ratio of the green column to the blue column (e.g., 1% means that after the fix, the value of the attack is 1% of what it is currently).A subtle feature of these results is that the probability of an attack being profitable and feasible is not monotone increasing with respect to α.This is due to the fact that the endorsements owned by the attacker for the − 1 slot will end up on a lower priority block and thus be worth less in the case of an attack.As a result, the more endorsement slots owned by the attacker at − 1, the less profit they stand to gain by stealing the block.We see that there is a balance between having a large enough α to make the attack feasible, but not too large as to have a high probability of having many endorsement rights.We numerically calculated that an attacker makes the most profit when α = 0.351.
We see that if a block is baked with priority 0 and all 32 endorsements are included from the previous block, then the total reward for the block becomes R b (0, 32) + 32R e (0) = 40 + 40 = 80 XTZ.
In Section 5.1, we prove that length-1 selfish endorsing attacks are not feasible under this new delay schedule.In Section 5.2, we prove that length-2 selfish endorsing attacks are not profitable under this new reward protocol.

Security Against Length-1 Attacks
Lemma 5.1 establishes a useful result.It explains why we have not needed to consider single-block selfish endorsing attacks until this point.Lemma 5.1.For any tuple (e −1 , p ), the length-1 selfish endorsing attack is not profitable under Emmy + .

Proof. See Appendix C.
What about the new delay schedule (19)?In fact, we show that a length-1 selfish endorsing attack is never even feasible.Assuming the honest network has the highest priority baking rights, let D h,1 be the time for the honest network to create a single block under the new delay function, and D s,1 be the time for the selfish delegate to create a single block.Proof.In the worst case, the honest network will not receive any endorsements, so the slowest the block creation could be is, In the best case for the attacker, they will own all 32 endorsements, and a priority of 1 (2 nd best) in the block, and Putting this together, we have

Security Against Length-2 Attacks
We now turn to length-2 selfish endorsing attacks, and will establish that they are never profitable under the modified protocol.We first need a closed form representation of the rewards X would receive under the new reward function, denoted R h and R s for playing honestly and selfishly, respectively.The derivation of Lemma 5.3 is similar to Lemma 3.2, and deferred to Appendix D. Lemma 5.3.Under the modified PoS protocol, the total reward for a rational delegate X playing honestly over the next two blocks with the tuple (e −1 , e , p ) is R h (e −1 , e ) = 1.25(e −1 + e + 32), (25) and the total reward for X to play selfishly over the next two blocks is Proof.See Appendix D.
We now prove that length-2 selfish endorsing under this reward system is never profitable.
Collecting terms and simplifying, this is equivalent to Because p ≥ 1 , we have This along with the fact that e −1 ≥ 0 implies Substituting this into (28) implies that we would need e > 32 for profitability, and a contradiction, since e ∈ {0, 1, ..., 32}.

Discussion
This is a useful result in the context of defending against length-1 and length-2 selfish endorsing.And yet, this modification actually weakens the PoS system against longer forking attacks.This is because under the modified delay schedule, the time penalty for each drop in priority is so large that an attacker with a couple first priorities in the coming slots could withhold their blocks, and during the intermediate time work on creating a longer chain, while the honest nodes have to wait 193 extra seconds each time the attack has the 0 th priority.The last section of the analysis of Emmy + provided by Nomadic Labs discusses these kinds of trade-offs, and how the exact constants were selected for Emmy + [19].

Conclusion
We have demonstrated that live PoS systems can be formally analyzed for their incentive vulnerabilities.Our analysis of Tezos also serves as a real-world example of the predictable selfish mining attack that was theorized by Brown-Cohen et al. [4].At the same time, we recognize that, as of November 2019, length-2 selfish endorsing attacks do not seem to be a major threat to the Tezos network because the profit from executing such an attack is so low.However, we have also suggested a simple, heuristic fix that would reduce the probability and value of many of the attacks by an order of magnitude.We have further presented a modified delay schedule and reward function that is provably secure against length-1 and length-2 selfish endorsing (though we acknowledge that in practice other attack vectors must also be considered when implementing these protocols).
By no means have we provided a complete security analysis of the Tezos protocol.Future work combining selfish endorsing with other deviating strategies, as was done in the PoW literature [26,17], is critical to assessing the total security of the system.The formal framework introduced in our work can be used to check other PoS protocols for potential vulnerabilities to selfish behavior by parameterizing a model of time and reward with respect to a specific protocol.In fact, a new reward scheme was recently proposed by the Nomadic Labs developers under the name Carthage [21], and this framework can be applied directly to the new delay and reward functions.Nomadic Labs provide an analysis of the effect of this reward scheme on a few different off-protocol strategies, including the selfish endorsing attack [18].
We hope that our work serves as a starting point for analyses and a more formal treatment of the security properties of PoS systems.For immediate future directions, the first is to develop a theory of profitable selfish-endorsing attacks beyond length-2.This is non-trivial because the technique described in Appendix B scales exponentially due to the Cartesian product of each of the state variables.The second direction is to consider a more general forking attack that on its own would earn a smaller staking reward relative to honest behavior, but allow for an attacker to include a double-spend transaction. 9dditionally, more analysis needs to be done in regard to modelling the presence of multiple selfish delegates, which also remains an active area of research in the Bitcoin PoW literature [23,24].
A Proof of Lemma 4.1 Proof.First we focus on the reward for behaving honestly.We must take into account the endorsement rewards and the block rewards for the next two blocks.We define the total reward for honest behavior over the next two blocks as B Procedure 1 This procedure is used to calculate the total probability and value of a length-2 selfish endorsing attack.Note that × is the Cartesian Product of lists.(33) Now we find the time it takes for the selfish delegate to create a block, D s,1 .We have, D s,1 (p , e −1 ) = 60 + 40p + max(24 − e −1 , 0). (34) The best case scenario for the attacker is when p = 1, and for this we have D s,1 (e −1 ) = 100 + max(24 − e −1 , 0). (35) Now we find the number of endorsements required for the selfish delegate to produce a valid block faster than the honest network to be e −1 = 19.We verify this with the following calculations: Now we know that e −1 = 19 is the best case scenario for the attack being feasible.If e −1 < 19, then the selfish network will not be able to create a block fast enough, and if e −1 > 19, then the reward will be lower because additional endorsements will end up on the lower priority stolen block.Additionally, we know that the reward for playing honestly is R h,1 (e −1 ) = 2e −1 because we will get all the endorsement

Figure 1 :
Figure 1: Let R b (p, e) be as defined in (2) and let R e (p) be as defined in(3).In this scenario, block will earn the baker a reward of R b (1, 32) = 8 XTZ, and block + 1 will earn the baker R b (0, 31) = 15.9XTZ.The endorsements for slot − 1 will each earn R e (1) = 1 XTZ and the endorsements for slot will each earn R e (0) = 2 XTZ.Notice that the slot endorsements still get the full reward when signing a lower priority block, simply because they are included in the 0 th priority block at the + 1 slot.Before the Emmy + upgrade the slot endorsements would only earn 1 XTZ each.

Table 1 :
Let α be the percentage of rolls that the attacker owns, and let C = 365 • 24 • 60 be the number of minutes in a year.Then C • Pr[A 2