Economic Security of VDF-Based Randomness Beacons: Models, Thresholds, and Design Guidelines
Pith reviewed 2026-05-10 19:31 UTC · model grok-4.3
The pith
VDF-based randomness beacons with delays of a few seconds are economically insecure against rational adversaries who can accelerate hardware to capture rewards.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
VDF randomness beacons remain sequentially secure in the cryptographic sense yet become vulnerable once an adversary treats the delay as an economic option: by purchasing faster hardware the attacker can finish early and claim extra rewards before honest parties. The authors formalize this as an optimal-stopping problem whose solution is a monotone threshold on the remaining delay; crossing the threshold triggers acceleration. The resulting conditions give precise lower bounds on delay in terms of operating cost, hardware speedup factor, and the distribution of per-block rewards. They further show that grinding, selective abort, and competition among multiple adversaries each raise the bar,,
What carries the argument
The optimal-stopping formulation of the attack decision, which reduces the problem to a monotone threshold on remaining delay and yields explicit security conditions relating that threshold to cost-reward parameters.
If this is right
- Delays must be chosen to exceed the derived cost-reward threshold rather than set by heuristic timing targets.
- Grinding and selective-abort strategies tighten the required delay by a multiplicative factor that depends on the reward variance.
- Multiple competing adversaries further increase the effective reward per attacker and therefore demand still longer delays.
- Systems should adopt the introduced Economically Secure Delay Parameters instead of the short values currently proposed in many designs.
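A delay-audit sketch built on the expected-profit expression this page quotes from the paper, E[V] − c T / δ, which is non-positive exactly when T ≥ δ·E[V]/c. This is an added example, not code from the paper or from Pith. It assumes δ is the hardware speedup factor, c the per-second hardware cost, and T the delay in seconds; the best-of-k grinding model, the reward sample, and all parameter values are constructed for illustration.

```python
import random

# Constructed sample (not data from the paper): per-block reward in USD,
# 95 ordinary blocks and 5 MEV spikes.
SAMPLE_REWARDS = [0.05] * 95 + [20.0] * 5

def min_secure_delay(expected_reward, cost_per_sec, speedup):
    """Smallest T with E[V] - c*T/delta <= 0, i.e. T = delta*E[V]/c."""
    if cost_per_sec <= 0 or speedup <= 0:
        raise ValueError("cost_per_sec and speedup must be positive")
    return speedup * expected_reward / cost_per_sec

def expected_best_of_k(rewards, k=1):
    """Exact E[max of k i.i.d. draws] under the empirical distribution.
    k=1 is the plain mean; k>1 is this example's stand-in for grinding."""
    xs, total, prev = sorted(rewards), 0.0, 0.0
    for i, x in enumerate(xs):
        cdf = ((i + 1) / len(xs)) ** k      # P(max <= x)
        total += x * (cdf - prev)
        prev = cdf
    return total

def bootstrap_upper_delay(rewards, cost_per_sec, speedup, k=1,
                          rounds=2000, q=0.975, seed=7):
    """Upper bootstrap quantile of the delay bound, so the chosen delay
    covers sampling error in the reward estimate."""
    rng = random.Random(seed)
    n = len(rewards)
    est = sorted(
        min_secure_delay(
            expected_best_of_k([rewards[rng.randrange(n)] for _ in range(n)], k),
            cost_per_sec, speedup)
        for _ in range(rounds))
    return est[min(rounds - 1, int(q * rounds))]

def audit_delay(delay_sec, rewards, cost_per_sec, speedup, k=1):
    """Compare a proposed delay with the point bound and its upper quantile."""
    point = min_secure_delay(expected_best_of_k(rewards, k), cost_per_sec, speedup)
    upper = bootstrap_upper_delay(rewards, cost_per_sec, speedup, k)
    return {"min_delay": point, "upper_delay": upper,
            "secure": delay_sec >= upper}

if __name__ == "__main__":
    # Assumed parameters: c = 0.5 USD/s of accelerated hardware, delta = 4x.
    for k in (1, 4):
        print(k, audit_delay(3.0, SAMPLE_REWARDS, 0.5, 4.0, k))
```

With the constructed sample, a 3-second delay falls below the point bound of about 8.4 seconds even without grinding, and raising k pushes the bound higher.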
Where Pith is reading between the lines
- Protocol designers may need to treat delay selection as a joint cryptographic-economic optimization rather than a pure timing parameter.
- The same threshold structure could be applied to other delay-based primitives whose security rests on sequential hardness alone.
- Empirical monitoring of real-time MEV revenue and cloud spot prices could be used to dynamically adjust delay parameters in production.
- If adversaries deviate from perfect rationality the model still supplies a conservative lower bound on the delay needed to deter profit-seeking attacks.
Load-bearing premise
Adversaries act as fully rational economic agents who can perfectly forecast hardware costs, reward distributions, and the value of any MEV opportunities.
What would settle it
Measure whether a live beacon with a few-second delay experiences profitable hardware-acceleration attacks when MEV rewards exceed the paper's computed threshold for current cloud GPU prices.
Original abstract
Randomness beacons based on Verifiable Delay Functions (VDFs) are increasingly proposed for blockchains and distributed systems, promising publicly verifiable delay and bias resistance. Existing analyses, however, treat adversaries purely as cryptographic entities and overlook that real attackers are economically motivated. A VDF may be sequentially secure, yet still vulnerable if a rational adversary can profit by purchasing faster hardware and exploiting reward spikes such as MEV opportunities. We develop a formal framework for economic security of VDF-based randomness beacons. Modeling the attacker as a rational agent facing hardware speedup, operating costs, and stochastic rewards, we cast the attack decision as an optimal-stopping problem and prove that optimal behavior has a monotone threshold structure. This yields tight necessary and sufficient conditions relating delay parameters to adversarial cost and reward distributions. We extend the analysis to grinding, selective abort, and multi-adversary competition, demonstrating how each amplifies effective rewards and increases required delays. Using realistic cloud costs, hardware benchmarks, and MEV data, we show that many proposed VDF delays, on the order of a few seconds, are economically insecure under plausible conditions. We conclude with deployable guidelines and introduce Economically Secure Delay Parameters (ESDPs) to support principled parameter selection in practical systems.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper develops a formal framework for the economic security of VDF-based randomness beacons. It models the adversary as a rational economic agent facing hardware costs, speedups, and stochastic rewards (including MEV), casts the attack decision as an optimal-stopping problem, proves that optimal behavior exhibits a monotone threshold structure, derives necessary and sufficient conditions relating VDF delay to cost/reward distributions, extends the analysis to grinding, selective abort, and multi-adversary competition, and uses cloud costs, hardware benchmarks, and MEV data to conclude that many proposed short delays (a few seconds) are economically insecure, while introducing Economically Secure Delay Parameters (ESDPs) for practical design.
Significance. If the modeling and derivations hold, the work is significant for bridging cryptographic VDF analysis with economic incentives in blockchain randomness beacons. The monotone threshold proof and ESDPs provide a principled way to set delays beyond pure cryptographic security, with direct implications for systems relying on verifiable randomness. The empirical component using real MEV and cost data adds practical value, though its robustness determines the strength of the insecurity claims for short delays.
major comments (3)
- [model section] Optimal-stopping model (model section): The monotone threshold structure and resulting necessary/sufficient conditions on delay assume stationary, accurately forecastable reward distributions including MEV spikes; the paper should provide a concrete sensitivity analysis or bounds showing how threshold shifts under forecast error or non-stationarity, as this directly affects the claim that few-second delays are insecure.
- [evaluation section] Numerical evaluation (evaluation section): The conclusion that delays on the order of a few seconds are economically insecure relies on specific cloud/hardware/MEV parameter choices; without reported error analysis, confidence intervals, or sensitivity tables on the computed thresholds, it is unclear whether the insecurity result is robust or parameter-specific.
- [extension section] Multi-adversary extension (extension section): While the analysis shows amplification of effective rewards, it is unclear whether the monotone threshold property and derived conditions remain necessary/sufficient under strategic competition or if new equilibria alter the security thresholds; a formal statement of the extended conditions is needed to support the design guidelines.
minor comments (2)
- [abstract and model section] The abstract claims 'tight necessary and sufficient conditions' but the main text should explicitly restate them as equations or theorems with clear variable definitions for reader accessibility.
- [model section] Notation for reward processes and cost functions could be introduced more formally early in the model to aid readability of the optimal-stopping formulation.
Simulated Author's Rebuttal
We thank the referee for the constructive and detailed comments on our manuscript. These have helped us strengthen the formal analysis and empirical robustness of the economic security framework for VDF-based randomness beacons. We address each major comment point by point below, indicating revisions made to the manuscript.
- Referee: [model section] Optimal-stopping model (model section): The monotone threshold structure and resulting necessary/sufficient conditions on delay assume stationary, accurately forecastable reward distributions including MEV spikes; the paper should provide a concrete sensitivity analysis or bounds showing how threshold shifts under forecast error or non-stationarity, as this directly affects the claim that few-second delays are insecure.
  Authors: We agree that the stationarity assumption merits explicit sensitivity analysis, as MEV rewards can exhibit forecast errors and non-stationarity. In the revised manuscript, we have added Section 3.4 containing a sensitivity analysis. We derive analytic bounds showing that under additive forecast errors bounded by ε in the reward distribution, the optimal threshold shifts by at most O(ε/c), where c denotes the per-unit-time hardware cost. Numerical evaluation for ε up to 25% of mean reward confirms that the insecurity conclusion for delays of a few seconds remains valid, while recommending conservative ESDPs under high uncertainty.
  revision: yes
- Referee: [evaluation section] Numerical evaluation (evaluation section): The conclusion that delays on the order of a few seconds are economically insecure relies on specific cloud/hardware/MEV parameter choices; without reported error analysis, confidence intervals, or sensitivity tables on the computed thresholds, it is unclear whether the insecurity result is robust or parameter-specific.
  Authors: We acknowledge that the empirical claims depend on parameter choices and that robustness requires explicit quantification. The revised evaluation section now includes comprehensive sensitivity tables varying hardware costs by ±50%, MEV spike rates from 0.05 to 0.6 per interval, and cloud rental prices across three providers. We also report 95% bootstrap confidence intervals on the derived ESDPs using the empirical MEV dataset. These additions demonstrate that the insecurity of sub-30-second delays holds across the tested parameter ranges, with the tables directly supporting the design guidelines.
  revision: yes
- Referee: [extension section] Multi-adversary extension (extension section): While the analysis shows amplification of effective rewards, it is unclear whether the monotone threshold property and derived conditions remain necessary/sufficient under strategic competition or if new equilibria alter the security thresholds; a formal statement of the extended conditions is needed to support the design guidelines.
  Authors: The referee correctly notes that the multi-adversary case requires a formal extension of the core results. In the revised extension section, we have added Theorem 5.3, which states that under symmetric Nash equilibrium the monotone threshold structure is preserved, with the effective reward distribution replaced by the equilibrium maximum over competitors. The necessary and sufficient conditions on delay are updated by substituting this stochastically dominant reward distribution, yielding strictly higher ESDPs. The proof follows from the single-agent optimality conditions applied to the equilibrium reward process, and the updated design guidelines now explicitly incorporate this adjustment.
  revision: yes
Circularity Check
No circularity: derivation proceeds from model assumptions to external evaluation
The paper sets up an optimal-stopping model for a rational adversary, proves monotone threshold structure as a mathematical property of that model, derives necessary/sufficient conditions on delay vs. cost/reward distributions directly from the proof, extends the model to grinding/selective abort/multi-adversary cases, and finally plugs in external benchmarks (cloud costs, hardware data, MEV statistics) to obtain numerical thresholds. No step equates a fitted quantity to a prediction by construction, no uniqueness theorem is imported from self-citation, and no ansatz is smuggled; the central claims rest on the external data and the independent optimal-stopping analysis rather than on internal re-labeling of inputs.
Lean theorems connected to this paper
- IndisputableMonolith/Cost/FunctionalEquation.lean: washburn_uniqueness_aczel (J-cost uniqueness)
  Relation between the paper passage and the cited Recognition theorem: unclear
  Paper passage: We cast the attack decision as an optimal-stopping problem and prove that optimal behavior has a monotone threshold structure. This yields tight necessary and sufficient conditions relating delay parameters to adversarial cost and reward distributions.
- IndisputableMonolith/Foundation/AlphaCoordinateFixation.lean: J_uniquely_calibrated_via_higher_derivative
  Relation between the paper passage and the cited Recognition theorem: unclear
  Paper passage: the expected profit is E[V] − c T / δ. Economic security requires that this be non-positive
What do these tags mean?
- matches: The paper's claim is directly supported by a theorem in the formal canon.
- supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
- extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
- uses: The paper appears to rely on the theorem as machinery.
- contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
- unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.