1 Introduction

The topic of merged mining has received little attention from the scientific community, despite having been actively employed by a number of cryptocurrencies for several years. New and emerging cryptocurrencies such as Rootstock continue to consider and expand on the concept of merged mining in their designs to this day [19]. Merged mining refers to the process of searching for proof-of-work (PoW) solutions for multiple cryptocurrencies concurrently without requiring additional computational resources. The rationale behind merged mining lies in leveraging on the computational power of different cryptocurrencies by bundling their resources instead of having them stand in direct competition, and also to serve as a bootstrapping mechanism for small and fledgling networks [27, 33].

In the past, concerns have been voiced that merged mining could lead to additional security risks and challenges [27]. In particular, the realistic threat of network centralization has rendered merged mining a controversial topic. Ali et al. [1] observed a critical level of mining centralization in the merge-mined cryptocurrency Namecoin, concluding that merged mining is failing in practice. These alarming findings were not the result of direct investigations into merged mining itself, but rather emerged as part of a report on the experiences with the real-world deployment of a decentralized PKI service on top of the Namecoin blockchain. Hence, an in-depth analysis of merge-mined cryptocurrencies based on real-world data is necessary to determine if such observed failures in practical applications are systemic to the underlying concept of merged mining.

In this paper we conduct the first extensive study on the impacts of merged mining on individual cryptocurrencies. We discuss security implications and considerations regarding merged mining, while relating previous arguments from [27] to the results of our study. We seek to provide empirical evidence either confirming or falsifying these arguments and extend the discussion by providing ideas and examples for future experiments, which can lead to a better understanding and classification of merged mining.

To cover a broad spectrum of merge-mined cryptocurrencies we analyzed two established players and pioneers of the field, namely Namecoin and Dogecoin, as well as two relatively young merge-mined cryptocurrencies supporting merged mining with more than one PoW algorithm, namely Huntercoin [14] and Myriadcoin [23]. Thereby, we present the following contributions:

  • We analyze the effects and implications of merged mining in four cryptocurrencies over time and comment on its adoption, the related difficulty increase, as well as other characteristic patterns.

  • We introduce a deterministic mapping scheme that attributes blocks to specific miners and mining pools.

  • We provide empirical evidence for centralization risks in cryptocurrencies involved in merged mining. Furthermore, we are successful in attributing merged mining activity to an apparently small set of mining pools.

  • Concluding, we discuss the related security implications for cryptocurrencies implementing merged mining.

The remainder of this paper is structured as follows. Section 2 provides the necessary background information on fundamental concepts regarding proof-of-work based cryptocurrencies and merged mining. Section 3 describes the cryptocurrencies considered in our study as well as the experimental methodology. Section 4 presents the results of our empirical analysis. In Sect. 5, we discuss the security implications in relation to established claims and theoretical arguments regarding merged mining. Furthermore, we propose new research questions and conclude the paper in Sect. 6, pointing out interesting directions for future work.

2 Background

A key aspect of Bitcoin constitutes its novel distributed consensus mechanism, generally termed Nakamoto consensus. It leverages on proof-of-work (PoW) puzzles and the blockchain data structure to achieve eventual agreement on the set and ordering of transactions by an anonymous and changing set of participants. Nakamoto consensus thereby facilitates decentralized or so-called permissionless cryptocurrencies. The process by which consensus participants in proof-of-work cryptocurrencies search for valid PoW puzzle solutions is referred to as mining and the speed at which such miners find solution candidates for the PoW is called hash rate.

While efforts towards replacing the resource-intensive mining process have so far yielded various promising approaches such as  [5, 18, 22], their viability in practice is yet to be tested at a larger scale. Furthermore, due to the high degree of adoption of proof-of-work in various cryptocurrencies and the difficulties related to changing this consensus critical component, it can be assumed that PoW will remain an integral part of the overall cryptocurrency landscape in the foreseeable future.

2.1 Attacks on the PoW Security Model

The security properties of PoW cryptocurrencies are derived from the assumption that the majority of the overall mining power belongs to honest miners. Early work in Bitcoin security modeling concluded that the mining power of all the honest miners has to be strictly greater than 50% to sustain the security of the blockchain [24, 31]. Should adversaries accumulate the majority of mining power, they can control the insertion of new transactions, the transaction fee market, and the supply of newly-mined coins, as well as potentially revert already recorded transactions.

Attack strategies which can be successful even without controlling the majority of mining power, most notably selfish mining [10, 32] and eclipse attacks [12, 13, 28] have been the topic of recent work. The success probability of such adversarial strategies depends on the mining power share (\(\alpha \)), as well as the network connectivity (\(\gamma \)) of the adversary [10, 28]. While a poorly connected attacker (\(\gamma \approx 0.1\)) is shown to require \(\alpha > 0.33\) to successfully perform selfish mining attacks, an adversary connected to half of the nodes in the network (\(\gamma \approx 0.5\)) only requires \(\alpha > 0.25\). Hence, in a conservative analysis, successful attacks on PoW cryptocurrencies are more likely when dishonest entities control more than \(25\%\) of the total mining power.

2.2 Merged Mining

Merged mining refers to the process of reusing (partial) PoW solutions from a parent cryptocurrency as valid proofs-of-work for one or more child cryptocurrencies. It was introduced as a solution to the fragmentation of mining power among competing cryptocurrencies and as a bootstrapping mechanism for small networks. Merged mining was first implemented in Namecoin in 2011, with Bitcoin acting as the parent cryptocurrency. One of the earliest descriptions of the mechanism as it is used today was presented by Satoshi Nakamoto in [33]. Apart from the source code of the respective cryptocurrencies implementing merged mining, a detailed technical explanation is presented in the Bitcoin Wiki [25].

The general idea of reusing proof-of-work such that the computational effort invested may also serve to verify a separate computation was first introduced by Jakobsson and Juels under the term bread pudding protocols in 1999 [15]. Previous research related to merged mining is mostly limited to the application layer of the underlying cryptocurrencies. A short description of merged mining is provided by Kalodner et al. in an empirical study of name squatting in Namecoin [16]. Ali et al. highlights that Namecoin suffers from centralization issues linked to merged mining, but provides no detailed study on the extent of the problem, nor on merged mining in general [1]. Other descriptions of and references to merged mining can be found in [2, 11, 27], whereas [4, 19] seek to employ merged mining as a component of various blockchain-based applications.

For a cryptocurrency to allow merged mining the parent blockchain must fulfill just one requirement: it must be possible to include arbitraryFootnote 1 data within the input over which the proof-of-work in the parent is established. The main protocol logic of merged mining resides in (i) the specification and preparation of the data linked to (or included in) the block header of the parent, e.g., a hash of the child block header, and (ii) the implementation of the verification logic in the client of the child blockchain.

2.3 Mining Pools

To generate a constant stream of revenue, miners may team up and form so called mining pools, where they bundle their resources and share the rewards based on their contribution and according to the rules of the pool. A mining pool can be described as a “pool manager and a cohort of miners” [9]. To compensate the administrative effort, the mining pool keeps a small proportion of the total revenue as a feeFootnote 2. Different reward distribution policies and related game-theoretic aspects are studied in [20, 30, 34]. Optimal strategies for mining pools in the context of adversarial behavior are discussed in [9, 28, 32]. Pool managers can have the ability to maliciously mislead their miners into participating in attacks, as happened in the case of Eligius (See Footnote 9). Although doing so might result in miners switching to another pool once they learn about the attack. The delay of these consequences however might be enough for the pool to complete the attack.

3 Methodology

In this paper we consider the following subset of cryptocurrencies exemplary for merged mining. Bitcoin, the first and currently largest cryptocurrency based on a SHA256 PoW, serves as a starting point of our analysis and acts as one of the two parent blockchains for merged mining we consider. Litecoin [21] is a fork of Bitcoin, which replaces SHA256 with the memory-hard Scrypt cryptographic hash function in its PoW algorithm. Litecoin’s primary aim was to counter the domination of ASICs, i.e., hardware devices specifically-built for high-performance SHA256 hashing operations, in Bitcoin. At the time of writing it is the largest Scrypt PoW cryptocurrency.

Namecoin [26], which intends to provide a decentralized and censorship resistant alternative to the Domain Name System (DNS), was the first alternative cryptocurrency and the first blockchain to introduce merged mining, in this case with Bitcoin. While its design is heavily based on Bitcoin, Namecoin extends the underlying protocol by introducing new transaction types, which enable the storage and management of additional information in the blockchain (e.g., DNS entries). Dogecoin [8] initially started as a non-serious project based on an internet meme but was able to attract and maintain a vivid community. It is roughly based on the Litecoin codebase and was the first cryptocurrency to introduce Scrypt-based merged mining with Litecoin.

A new generation of so called multi-PoW cryptocurrencies was marked by the introduction of Huntercoin [14] which supports SHA256 and Scrypt. Another notable pioneer in this field is Myriadcoin [23], maintaining five different PoW algorithms in parallel. The concept of multi-PoW aims to provide resistance to mining centralization by including different types of proof-of-work in a single cryptocurrency. Huntercoin and Myriadcoin furthermore are the first multi-merge-mined cryptocurrencies, as they allow merged mining with multiple parent chains, namely Bitcoin and Litecoin.

3.1 Data Set Collection

For our analysis we rely on the open and publicly-accessible ledgers (i.e., blockchains) of the examined cryptocurrencies, as they represent the most reliable source of information with regards to historical dataFootnote 3. The results presented in the rest of this paper are based on data collected from Bitcoin, Litecoin, Namecoin, Dogecoin, Huntercoin and Myriadcoin up to a cut-off date set to June 18, 2017 23:59:59 (UTC), i.e., Block 471,892 in Bitcoin, 347,175 in Namecoin, 1,224,533 in Litecoin, 1,763,524 in Dogecoin, 1,788,998 in Huntercoin and 2,089,974 in Myriadcoin.

3.2 Block Attribution Scheme

A key element for the investigation of mining power centralization issues is a correct attribution of blocks to the original miners. Hence, we devise an attribution scheme using publicly-available information contained in the coinbase transactions of both the parent and child blockchains as indicators. Thereby we rely on the following fields:

Reward payout addresses. The coinbase transaction represents the first transaction in a block and creates new currency units as reward for its miner. Assuming miners act rationally and profit-oriented, they are expected to specify one of their own addresses as output of this transaction. Hence, the reward payout addresses of blocks can be used as strong indicator in the attribution scheme.

Coinbase signatures (markers). Miners and especially mining pools often utilize the coinbase field of the coinbase transaction to publicly claim the creation of the respective block, by inserting their so-called block- or coinbase signature. As the latter represents a human-readable string indicating the pool name or an abbreviation thereof, rather than a cryptographically-strong signature, we hereafter refer to this piece of information as marker.

Collecting and Linking Markers and Addresses. At the time of writing there exists no global registry for markers or reward payout addresses of miners or mining poolsFootnote 4. Therefore, this information must be collected by analysis of publicly-available records including but not limited to websites of mining pools and discussion forums, as well as direct contacts with pool operators. As an outcome of this process, we are able to compile a list of block attribution indicators for 95 miners and mining pools, which operated in the observed cryptocurrencies.

Merge-mined blocks can contain up to four attribution indicators: the coinbase marker and reward payout addresses of the child chain, as well as the coinbase marker and reward payout addresses of the parent chain, which are stored in the so called AuxPoW headerFootnote 5. This allows to establish connections between reward payout addresses across multiple cryptocurrencies and to detect if miners switch between multiple addresses. Hence, reward payout addresses appearing in parent and child coinbase transactions of all blocks are checked for intersections. More specific: an address of the parent chain appearing in the coinbase of the AuxPow header allows to link it to the child chain address used in the coinbase transaction of the block. The child chain address in turn can appear in blocks together with other parent chain addresses, creating more links, and so on.

Attributing Blocks to Miners. A block is considered attributed to a miner if one of his markers or reward payout addresses appears in the respective fields of the coinbase transaction. However, a miner is technically allowed to use this first transaction to immediately split the block rewards to multiple outputs, this way also potentially obfuscating his identity. It is not easily possible to determine the miner of a block, unless a known coinbase marker is used or all addresses appearing in the outputs of the coinbase transaction are associated with the same miner or mining pool. If this is the case, the block is marked as non-attributable. A visualization of the scheme for merge-mined blockchains is provided in Fig. 1. Payout addresses appearing often in mined blocks but which cannot be linked to an identified miner or mining pool are denoted as other unknown miners.

However, for a permissionless proof-of-work cryptocurrency, where participants are not obliged to disclose their activity, it is not feasible for a third party to fully reconstruct a miner’s history of action retroactively. Furthermore, miners may actively try to hide their identity by avoiding the reuse of payout addresses, not using any markers or using markers associated with other identities. Hence, it is not possible to identify all miners and mining pools with 100% accuracy by relying only on the information present in the public ledger.

Fig. 1.
figure 1

Block attribution scheme for merge-mined blockchains. The process for parent chains like Bitcoin and Litecoin is analogous.

4 Merged Mining in Practice

In this section we present the results of our analysis of merged mining and provide evidence for mining power centralization issues in the implementing cryptocurrencies.

4.1 Degree of Adoption

Merged mining was introduced at block 19,200 in Namecoin (Oct. 2011), 11,163 in Huntercoin (Feb. 2014), 317,337 in Dogecoin (Jul. 2014) and 1,402,791 in Myriadcoin (Sept. 2015). The developers of Namecoin, Dogecoin and Huntercoin also disabled normal mining in the official clients at introduction. Hence, from that point forward over 99% of the blocks have been created through the process of merged mining in these cryptocurrencies. Table 1 shows the total distribution of normal and merge-mined blocks.

Table 1. Merge-mined blocks in examined cryptocurrencies.

4.2 Effects on PoW Difficulty

The main objective of merged mining is to attract more miners and hence increase the difficulty of the child blockchain [27]. By extracting the information on the PoW difficulty encoded in each block header, we are able to confirm merged mining indeed has a positive effect in this respect.

Figure 2 visualizes the development of the SHA256 PoW difficulty in Bitcoin compared to Namecoin, Huntercoin and Myriadcoin on a logarithmic scale. The PoW difficulty of the merge-mined chains rapidly increased after the introduction of merged mining. Furthermore, the behavior of Bitcoin’s difficulty is, to some extent, mirrored to the merge-mined cryptocurrencies. For example, between January 2012 and April 2013 the difficulty remained stable in both Bitcoin and Namecoin, until an upward trend occurred in May 2013. The latter coincides with the wide deployment of specialized hardware dedicated to mining (ASICs) [35]. The visualization for Litecoin and Scrypt merge-mined cryptocurrencies is provided in Fig. 3. An interesting observation is that the PoW difficulty of the multi-merge-mined cryptocurrency Myriadcoin exceeded that of Litecoin, one of its parent blockchains, by 31,85%.

Fig. 2.
figure 2

Difficulty development in Bitcoin compared to SHA256 merge-mined cryptocurrencies over time on a logarithmic scale (since the launch of Bitcoin).

Fig. 3.
figure 3

Difficulty development in Litecoin compared to Scrypt merge-mined cryptocurrencies over time on a logarithmic scale (since the launch of Litecoin).

4.3 Impacts on Mining Power Distribution

In order to investigate the connection of merged mining and mining power centralization, we apply the attribution scheme described in Sect. 3.2 to the evaluated cryptocurrencies. A block is considered successfully mapped, if we can attribute it to either a known mining pool, or a reused reward payout address. Based on this scheme we are able to map the following percentage of blocks within the respective cryptocurrency: 59.1% for Bitcoin, 88.5% for Namecoin, 73.2% for Litecoin, 99.5% for Dogecoin, 82.7% for Huntercoin and 87.2% for Myriadcoin.

Table 2. Bitcoin block attribution
Table 3. Namecoin block attribution
Table 4. Litecoin block attribution
Table 5. Dogecoin block attribution
Table 6. Huntercoin block attribution
Table 7. Myriadcoin block attribution

The low attribution success rate for Bitcoin may be explained by taking into consideration its early mining landscape, where blocks were primarily mined by individuals. It is generally considered best practice not to reuse reward payout addresses and the official client at the time would exhibit this behavior. The use of markers only became popular once miners started to join forces by forming mining pools in late 2011.

Similar observations can be made for the other cryptocurrecies we analyzed, albeit at a smaller scale.

The attribution results, summarized in Tables 2, 3, 4, 5, 6 and 7, suggest that a small set of mining pools are able to control significant portions of the overall mining power across multiple cryptocurrencies. While in some cases this is explained by their long-term commitment to mining on the respective chain, pools like GHash.IO, BW Pool and F2Pool appear to have enough capacity to concurrently conduct competitive mining operations in both Bitcoin and Litecoin (i.e., on different PoWs). In fact, F2Pool, which represents one of the largest mining pools across both SHA256 and Scrypt PoW cryptocurrencies, was able to accumulate block shares exceeding the security guarantees of the Nakamoto consensus protocol (cf. Fig. 4).

However, not all miners and mining pools currently participate in merged mining. A possible explanation is the economies of scale attributed to merged mining [27]. Since no additional computational effort is required for the PoW, the costs of merged mining, namely bandwidth, storage and validation of blocks/transactions, are the same for all miners, regardless of their mining power. In particular smaller mining operations may face the situation that their additional expenditures for merge-mining another cryptocurrency exceed the expected rewards.

Resulting Mining Power Centralization Issues. The number of blocks found by a miner over a certain period indicate his actual hash rate (i.e., their mining power) during this period. Hence, we use the number of blocks generated by the largest miner or mining pool per day as an approximation for measuring the centralization of mining powerFootnote 6. Our findings are visualized as heatmaps in Fig. 4. Therein, each bar (column) represents the number of blocks mined by the largest entity on that day. We use the thresholds described in Sect. 2.1 as centralization indicators. If exceeded, the latter are known to introduce potential threats on the decentralization and security level of a PoW blockchain:

  • Below 25% (green) - Highest share is below the pessimistic threshold.

  • Greater 25% (yellow) - Highest share is between 25% and one third.

  • Greater 33.33% (orange) - Highest share is between one third and 50%.

  • Greater 50% (red) - Highest share controls the majority of mining power.

In Bitcoin no single miner or mining pool has been able to aggregate and maintain more than 50% of the overall mining power for an extended period, since blocks became attributableFootnote 7. (Table 8) However, the situation is quite different in Namecoin: here, F2Pool reached and maintained a majority of the mining power for prolonged periods.

Litecoin, despite being the largest Scrypt PoW blockchain, has experienced slight centralization since mid-2014, among others caused by Clevermining and lately F2Pool. Through merged mining, this situation is reflected and amplified in Dogecoin: F2Pool was responsible for generating more than 33% of the blocks per day for significant periods, even exceeding the 50% threshold around the end of 2016.

The effects of introducing merged mining have played out differently in the two multi-PoW cryptocurrencies we analyzed. While Huntercoin was instantly dominated by F2Pool and remained in this state until mid-2016, Myriadcoin appears to have experienced only a moderate impact. However, we note that so far none of the large mining pools that are active in other merge-mined chains have been observed to also operate in Myriadcoin.

Table 8. Distribution of overall percentage of days below/above the centralization indicator thresholds.
Fig. 4.
figure 4

Block share of largest miner/mining pool per day for Bitcoin (144 blocks), Litecoin (576 blocks), Namecoin (144 blocks), Dogecoin (1,440 blocks), Huntercoin (1,440 blocks) and Myriadcoin (1,440 blocks) since launch of the respective cryptocurrency. (Color figure online)

Mining Power Fluctuation. The operation of a mining pool requires extensive coordination effort in terms of recruiting miners or purchasing and installing the necessary infrastructure. Hence, it usually takes time until a mining pool is able to accumulate significant mining power shares. Merged mining, however, requires only minimal effort and can be described as a “software switch”. Consequently, the observable high fluctuations of mining power in merge-mined cryptocurrencies may be attributed to mining pools being able to easily start or end their operation without major preparations (cf. Fig. 5, e.g. around block 300,000).

A further interesting observation is the increase of non-attributable blocks occurring simultaneously to drops of mined blocks that are attributable to large mining pools. Such behavior is observed in Litecoin, Huntercoin and Namecoin (cf. Fig. 5 approximately at block 250,000). Further analysis and investigation into such events is necessary to rule out that these are attempts of pools to conceal their total mining power when operating near or beyond the security guarantees offered by Nakamoto consensus

Fig. 5.
figure 5

Distribution of blocks in Namecoin per pool over time. Each data point resembles the share among 2,016 blocks (\(\sim \) 2 weeks), i.e., the difficulty adjustment period.

5 Discussion

In this section we discuss the security implications of merged mining on the ecosystem of cryptocurrencies and study how current theoretic arguments relate to our findings.

Introduction of New Attack Vectors. The advantage of merged mining is that miners are no longer forced to choose between mining one cryptocurrency or another. However, its biggest strength can also be viewed as a potential attack vector [27]. The ability to generate blocks for the merge-mined child blockchains at almost no additional cost, apart from maintaining a client node, allows misbehaving miners to carry out attacks without risking financial losses in both the parent and other child blockchains. Such an attack was carried out by the Eligius mining pool in 2012. Without their explicit consent, its miners were coerced to participate in an attack led by the pool operator, ultimately stalling the operation of the fledgling cryptocurrency CoiledCoin by mining empty blocksFootnote 8. This attack serves as the predominant example for highlighting threats posed by merged mining on child cryptocurrencies: the miners of the pool did not suffer any financial loss and, as it appears, were not even aware of the attack, as all actions were performed solely by the operator.

However, to the best of our knowledge, it was never explicitly stated that merged mining may also facilitate attacks against a parent cryptocurrency. Consider for example a miner who is highly invested in a multi-merge-mined cryptocurrency. Due to merged mining this miner can perform attacks on one of the supported parent blockchains (e.g. selfish mining or DoS through mining empty blocks) at no additional mining cost. While such scenarios previously seemed far-fetched, as the PoW difficulty of a parent blockchain was generally considered to exceed that of a merge-mined child, this is no longer the case for multi-merge-mined cryptocurrencies (see Sect. 4.2). This highlights that merged mining as an attack vector works both ways. Such attacks are particularly interesting because parent cryptocurrencies cannot easily prevent being merge-mined by child blockchains.

Furthermore, we describe a reputation attack as a noteworthy adversarial strategy in the context of merged mining. Since block attribution to pools is currently based on markers and addresses, rather than cryptographic signatures, an adversary can fake attribution of parent blocks while still earning revenue in the child chains. We consider a scenario where a targeted mining pool \(\mathcal {P}\) holds a 24% mining power share of a parent chain \(C_{parent}\), which can be used to merge-mine a child chain \(C_{child}\). We assume a malicious merged mining entity \(\mathcal {M}\) holds only 10% share of \(C_{parent}\) and uses the \(C_{child}\) (and not \(C_{parent}\)) as its main revenue channel. In such a scenario, it would be possible for \(\mathcal {M}\) to create \(\approx \) 10% of the blocks in \(C_{parent}\). \(\mathcal {M}\) could now fake the attribution of its blocks in \(C_{parent}\) by using the (public) reward address and/or coinbase marker of \(\mathcal {P}\). Due to the false flag blocks attributed to \(\mathcal {P}\), this pool would appear to hold 34% of the share for \(C_{parent}\). As a result, \(\mathcal {P}\) might be regarded as too large or nefarious for the parent cryptocurrency, which could in turn undermine the integrity of the parent chain as a whole. While \(\mathcal {M}\) will lose all revenue in \(C_{parent}\), it will still gain revenue in \(C_{child}\).

Centralization Risks. Merged mining does not increase the costs to the miner in regards to solving the Proof-of-Work puzzle, which is considered to be the primary cost factor in PoW cryptocurrencies. However additional costs regarding bandwidth, storage and validation of the merge-mined blockchain’s blocks/transactions are incurred regardless of the relative size or hash rate of the miner. Therefore, according to [27] merge-mined cryptocurrencies have a greater risk of centralization or concentration of mining power (economies of scale).

Our analysis indicates that merge-mined child blockchains experienced prolonged periods where individual mining pools have held shares beyond the theoretical bounds that guarantee the security of the cryptocurrency. We conclude that current merge-mined currencies have a trend towards centralization. However, it is too early to tell if the centralization trend also applies to multi-merged-mining in cryptocurrencies such as Myriadcoin. Multi-merge-mined blockchains allow for more than one parent cryptocurrency and have a greater chance to acquire a higher difficulty per PoW algorithm, in comparison to the respective parent blockchain. This, in fact, may change the underlying (crypto)economic assumptions with regards to merged mining and introduces new directions for research in this field.

The theoretic implications of a dishonest miner holding a large share of the network hash rate are well known [3, 12, 17, 28]. However, we are not aware of any recent case where such an attack has been carried out in one of the analyzed cryptocurrencies, as such evidence cannot easily be derived solely by analyzing the blockchain data structures. Rather, active measurements within the P2P network of the cryptocurrency are necessary [17]. Our analysis serves as a cautionary note – the impact of such an attack on the cryptocurrency market and the mining ecosystem are unclear. The apparent lack of cryptographically verifiable attribution information regarding the hash rate of mining pools only renders the situation worse. This bares additional risks of intended or unintended misattribution of non negligible fractions of the overall hash rate.

Furthermore, we want to point out that through the alternative use-cases of some of the merge-mined cryptocurrencies, certain attacks may also have additional implications. Namecoin for example, can be used to register and update arbitrary name-value pairs, such as DNS entries. In this case, every registered domain expires after a certain number of blocks (i.e., amount of time). Should a mining pool hold a large block share at that time, it can take over a domain name by blocking the required update (refresh) transaction to enter the blockchain in time. Once the domain name has expired, the misbehaving pool can register the domain himself.

Validation Disincentive. Not only the detection of misbehaving pools with large hash rates requires active network monitoring, but also the verification of the validation disincentive assumption: In [27] the authors propose that miners which participate in merged mining have an incentive to skimp on (transaction) validation, since it becomes the main (computational) cost driver in merged mining. Although not mentioned explicitly in [27], the rate of blockchain forks, i.e., stale block rate of merged mined cryptocurrencies, could be an indicator for relaxed transaction validation of miners. Since stale blocks are not directly recorded in the blockchain, the only way to acquire the required measurements is through active monitoring of the involved peer-to-peer networks, as demonstrated in [6, 7]. Conducting these measurements for multiple merge-mined cryptocurrencies is topic for future work. In addition, it might be necessary to actively trigger those conditions by broadcasting incorrect transactions/blocks. However, we stress that performing such tests in live networks raises ethical and financial questions.

Long-Term Dependency. Merged mining was originally conceived as a bootstrapping technique for alternative cryptocurrencies [27, 33]. To the best of our knowledge, once introduced, no cryptocurrency has abandoned merged mining – not even the child cryptocurrencies which our analysis in Sect. 4 has shown to suffer from centralization issues. Hence, we argue that although merged mining can increase the hash rate of child blockchains, it is not conclusively successful as a bootstrapping technique.

Results presented in [29] indicate that even if a PoW blockchain should just be used in a bootstrapping phase before switching to a different consensus algorithm, it is theoretically necessary to keep on mining infinitely long. Otherwise it would be impossible for new nodes joining the network to distinguish between the original bootstrapping chain and a longer, but malicious counterpart. In theory, this might pose a new use case for merged mining in scenarios where a blockchain is bootstrapped using PoW and then switches to a different consensus algorithm. In this case the PoW bootstrapping chain can be continued relatively cheap through merged mining by appending empty blocks.

6 Conclusion

In this paper, we assessed current theories regarding merged mining from an empirical point of view and contributed to the discussion by raising new questions and directions for future work.

We derived a simple attribution scheme and achieved to map a significant portion of the mining pool ecosystem of the analyzed cryptocurrencies, beyond what was publicly known until now. The collected information sheds some light on the long-term evolution of merged mining in different cryptocurrencies. While merged mining is a common practice in the cryptocurrency space, the empirical evidence suggests that only a small number of mining pools is involved in merged mining. These pools enjoy block shares beyond the desired security and decentralization goals. It is currently unclear and topic of future research whether new constructs, such as multi-merged mining, will succeed in resolving the outlined issues.

The multi-purpose usage of PoW in merged mining is an interesting application, not only from a resource consumption point-of-view, but also in the context of future sharding and scalability discussions. Therefore, further research and analysis regarding merged mining is required as a basis for developing and building solutions, which will be able to stand the test of time.