Better Incentives for Proof-of-Work: A DAG-Based Protocol Analysis

1. Introduction

This work, originating from ETH Zurich, addresses a fundamental flaw in Nakamoto's original Bitcoin incentive reasoning. The paper argues that rational economic behavior does not necessarily equate to protocol honesty, as demonstrated by selfish mining strategies. The core problem is that in traditional Proof-of-Work (PoW) blockchains structured as trees, miners with advantageous network positions or significant hash power can profit by deviating from the protocol (e.g., by withholding blocks), jeopardizing system stability.

1.1. Blockchain Game

Standard blockchains like Bitcoin form a tree. Forks occur naturally or maliciously, leading to chain reorganizations where some blocks become orphaned and their creators lose rewards. This structure creates undesirable incentives where factors like network latency can influence miner profitability, encouraging non-cooperative behavior.

1.2. Our Contribution

The authors propose a novel blockchain design where the data structure is a Directed Acyclic Graph (DAG) of blocks, not a tree. The accompanying incentive scheme is rigorously designed so that following the protocol constitutes a strict, strong Nash Equilibrium. Any deviation (like creating an unnecessary fork) strictly reduces the deviator's rewards. This guarantees protocol adherence through pure self-interest.

1.3. Intuitive Overview

The protocol ensures miners are incentivized to reference all known unreferenced blocks when creating a new one. This leads to a dense DAG where no blocks are discarded. Consensus on transaction order is achieved by selecting a "main chain" from this DAG, similar to other protocols, but the reward mechanism is what enforces honest behavior.

2. Protocol Terminology & Definitions

The framework defines key concepts: Blocks as vertices in a DAG, containing transactions and references (edges) to previous blocks. Terminal blocks are those not yet referenced by any other block. The main chain is a specific path through the DAG selected via a deterministic rule (e.g., based on cumulative proof-of-work). The reward function $R(B)$ for a block $B$ is defined based on its position and references within the DAG structure.

3. Protocol Design & DAG Interpretation

Miners, upon creating a new block, must reference all terminal blocks in their local view of the DAG. This rule is enforced not by protocol fiat, but by the reward design: omitting a reference reduces the new block's own reward potential. The resulting structure is a constantly growing DAG where blocks have multiple parents.

3.1. Main Chain & Total Ordering

To achieve consensus on transaction order (e.g., for preventing double-spends), a single chain must be extracted from the DAG. The paper suggests using established methods like the GHOST rule or heaviest-chain rule applied to the DAG. All blocks not on the main chain are still included and rewarded, but their transactions are ordered relative to the main chain's timeline, as discussed in works like Sompolinsky and Zohar's "Secure High-Rate Transaction Processing in Bitcoin".

4. Reward Scheme Construction

The heart of the proposal. The reward for a block $B_i$ is not a fixed coinbase. It is calculated as a function of its contribution to the stability and connectivity of the DAG. A possible formulation (inspired by the text) could be: $R(B_i) = \alpha \cdot \text{BaseReward} + \beta \cdot \sum_{B_j \in \text{Ref}(B_i)} f(\text{depth}(B_j))$, where $\text{Ref}(B_i)$ are the blocks $B_i$ references, and $f$ is a decaying function. This makes referencing older, unreferenced blocks profitable.

4.1. Incentive Mechanism Details

The scheme is designed to satisfy two key properties: 1) Reference Incentive: For any new block, adding a reference to a known terminal block never decreases and often increases its expected reward. 2) Fork Punishment: If a miner attempts to create a parallel chain (fork) by not referencing the latest block, the reward mechanism ensures the cumulative reward for blocks in the fork is strictly less than if they had been built honestly on the main DAG. This makes forks economically irrational.

5. Core Insight & Analyst Perspective

Core Insight

Sliwinski and Wattenhofer have delivered a surgical strike on crypto-economics' most persistent wound: the misalignment between individual rationality and network health. Their work exposes Nakamoto's original incentive analysis as fundamentally incomplete—a dangerous oversight that has left every major PoW chain, from Bitcoin to Ethereum 1.0, perpetually vulnerable to selfish mining. The brilliance here isn't in creating a new consensus algorithm, but in re-engineering the payoff matrix itself. They've mathematically formalized what the industry has long sensed intuitively: in traditional chains, honesty is often just one suboptimal strategy among many.

Logical Flow

The argument proceeds with elegant, game-theoretic precision. First, they correctly frame blockchain participation as a repeated game with imperfect information, where the tree structure inherently creates zero-sum competitions for block inclusion. Then, their masterstroke: replace the tree with a DAG, transforming the game. By mandating (through incentives, not rules) that blocks reference all tips, they eliminate the "winner-takes-most" dynamics that fuel selfish mining. The DAG becomes a public good that all miners are paid to maintain, not a battleground. This aligns with foundational work in mechanism design, such as that outlined by Nisan et al. in "Algorithmic Game Theory," where the goal is to structure rules so that selfish agents' utility maximization leads to socially desirable outcomes.

Strengths & Flaws

Strengths: The theoretical guarantee of a strict Nash equilibrium for protocol compliance is monumental. It directly counters the selfish mining attack described by Eyal and Sirer. The DAG structure also promises tangible gains in throughput and reduced orphan rates, akin to projects like Spectre, but with stronger incentive guarantees. The design is elegantly minimalist—it fixes incentives without requiring complex cryptographic primitives.

Flaws: The elephant in the room is practical complexity. The reward function likely requires global DAG knowledge or complex calculations, posing significant implementation and verification challenges compared to Bitcoin's simple "longest chain" rule. The security analysis, while robust in a game-theoretic model, may not fully capture real-world nuances like coordinated cartel behavior or variable transaction fee markets, which could create new attack surfaces. Furthermore, as the DAG grows, the requirement to reference all tips could lead to bloated block headers, impacting scalability—a trade-off that needs rigorous simulation.

Actionable Insights

For blockchain architects, this paper is mandatory reading. Its core principle—incentive alignment through structural design—should be a first-order consideration, not an afterthought. While adopting the full protocol might be challenging for existing chains, its lessons can be hybridized. For instance, new L1 protocols or Ethereum's post-merge consensus layer could integrate a simplified version of its reference incentive to discourage withholding. Regulatory bodies should note: this work demonstrates that blockchain security can be mathematically engineered, moving beyond the hope of "altruistic majorities." The next step is for the industry to pressure-test this design through extensive agent-based simulation, similar to how the Flashboys 2.0 report analyzed MEV, to validate its resilience before any mainnet deployment.

6. Technical Details & Mathematical Framework

The incentive compatibility is proven using game theory. Consider a miner $m$ with hashrate $\alpha$. Let $\mathbf{s}$ be the strategy profile of all miners. Let $U_m(\mathbf{s})$ be the utility (expected reward) of miner $m$. The protocol strategy $\mathbf{s}^*$ (always reference all tips) is a Nash Equilibrium if for every miner $m$ and every alternative strategy $\mathbf{s}'_m$,

$$U_m(\mathbf{s}^*_m, \mathbf{s}^*_{-m}) \geq U_m(\mathbf{s}'_m, \mathbf{s}^*_{-m})$$

The paper constructs a reward function $R$ such that this inequality is strict ($ > $) for any deviation $\mathbf{s}'_m$ that involves withholding references or creating unnecessary forks. The function likely incorporates:

Age-based decay: Rewards for referencing a block decrease as the block gets older, encouraging timely inclusion.
Connectivity bonus: A block receives a bonus proportional to the number of previous blocks it directly or indirectly helps confirm.

A simplified model of the reward for block $B$ might look like:

$$R(B) = \frac{C}{\sqrt{k(B) + 1}} + \sum_{P \in \text{Parents}(B)} \gamma^{\text{distance}(P)} \cdot R_{base}(P)$$

where $k(B)$ is the number of blocks published concurrently that $B$ did not reference (measuring fork creation), $\gamma < 1$ is a decay factor, and $R_{base}(P)$ is a base reward for parent $P$.

7. Experimental Results & Performance

While the provided PDF excerpt does not contain explicit experimental results, the paper's claims imply significant performance improvements over tree-based blockchains:

Throughput Gain

Projected: 2-5x increase

By eliminating orphaned blocks, all block space is utilized for transactions. In a tree, during a fork, only one branch survives, wasting the capacity of the other. The DAG uses 100% of created blocks.

Confirmation Latency

Projected: Reduced significantly

With no risk of deep reorgs from selfish mining, transactions referenced by multiple subsequent blocks can be considered secure faster, potentially reducing safe confirmation times from ~60 minutes (Bitcoin) to a few block intervals.

Security Threshold

Theoretical: < 50% Hash Power

The protocol should maintain security against rational adversaries with any hash power share less than 50%, as attacking becomes strictly unprofitable. This is superior to the selfish mining threshold (~25%) in standard Bitcoin.

Chart Description (Conceptual): A simulated chart would show two lines over time: 1) Cumulative Reward for Honest Miner in the proposed DAG protocol, and 2) Cumulative Reward for Deviating Miner attempting a withholding attack. The honest miner's line would consistently stay above the deviator's line, visually demonstrating the strict Nash equilibrium. A second chart would compare Transaction Throughput (TPS) between a traditional blockchain (flat or slowly growing) and the DAG-based chain (showing a steeper, more efficient climb).

8. Analysis Framework: A Game-Theoretic Case

Scenario: Two rational miners, Alice (30% hash power) and Bob (20% hash power), in a traditional PoW chain vs. the proposed DAG chain.

Traditional Chain (Tree): Alice discovers a block. She can either broadcast it immediately (honest) or withhold it and start mining a secret chain (selfish). If she withholds and finds a second block before the network finds one, she can release both, causing a reorganization that orphans Bob's potential block, increasing her reward share from 30% to potentially 100% for that period. Eyal and Sirer's model shows this can be profitable for $\alpha > 25\%$.

Proposed DAG Chain: Alice discovers a block $A_1$. The reward function $R(A_1)$ is maximized only if she references all known terminal blocks (which includes Bob's latest block if he found one). If she withholds $A_1$ to mine $A_2$ secretly, she forfeits the reference reward from not linking to Bob's public block. When she finally reveals her chain, the calculation shows:

$$R(A_1) + R(A_2)_{\text{secret}} < R(A_1)_{\text{honest}} + R(A_2)_{\text{honest}}$$

Even if she causes a minor fork, the protocol's reward mechanics ensure her cumulative reward is less. The rational choice is to publish $A_1$ immediately with all references. Bob faces the same calculus. Thus, the only stable strategy for both is protocol compliance.

This case uses no code but illustrates the strategic decision matrix transformed by the new incentive scheme.

9. Application Outlook & Future Directions

Immediate Applications:

Next-Generation L1s: New proof-of-work blockchains can adopt this design from genesis to guarantee stronger security against mining pools.
Hybrid Consensus: The DAG incentive model could be adapted for proof-of-stake (PoS) or delegated proof-of-stake (DPoS) systems to discourage stake-grinding or similar attacks.
Layer 2 & Sidechains: The principles can secure faster-finality sidechains or rollup sequencing where incentive misalignment is also a concern.

Future Research Directions:

Dynamic Fee Markets: Integrating a robust transaction fee auction (like EIP-1559) into the DAG reward model without breaking incentive compatibility.
Quantum Resistance Preparation: Exploring how post-quantum cryptographic signatures, which are larger, affect the DAG's scalability and incentive model.
Formal Verification: Using tools like the Coq proof assistant or model checkers like TLA+ to formally verify the game-theoretic properties of the implemented protocol.
Cross-Chain Incentives: Applying similar incentive-alignment principles to protocols governing blockchain interoperability (bridges) to prevent cross-chain MEV exploits.

10. References

Nakamoto, S. (2008). Bitcoin: A Peer-to-Peer Electronic Cash System.
Eyal, I., & Sirer, E. G. (2014). Majority is not Enough: Bitcoin Mining is Vulnerable. In Financial Cryptography.
Sompolinsky, Y., & Zohar, A. (2015). Secure High-Rate Transaction Processing in Bitcoin. In Financial Cryptography.
Nisan, N., Roughgarden, T., Tardos, É., & Vazirani, V. V. (2007). Algorithmic Game Theory. Cambridge University Press.
Lewenberg, Y., Sompolinsky, Y., & Zohar, A. (2015). Inclusive Block Chain Protocols. In Financial Cryptography.
Buterin, V. (2014). Slasher: A Punitive Proof-of-Stake Algorithm. Ethereum Blog.
Daian, P., et al. (2019). Flash Boys 2.0: Frontrunning, Transaction Reordering, and Consensus Instability in Decentralized Exchanges. IEEE Symposium on Security and Privacy.
Sliwinski, J., & Wattenhofer, R. (2022). Better Incentives for Proof-of-Work. arXiv:2206.10050.