8

If I understand correctly, the smart contracts are run by the miners. What incentive do the miners have to execute the smart contracts correctly? What stops a malicious miner from changing the result, or a simply lazy miner from doing a simpler computation?

In bitcoin, the proof-of-work is hard to calculate but easy to verify. I don't expect this to be true of all contracts.

eth
  • 85,679
  • 53
  • 285
  • 406
Christopher King
  • 181
  • 3

2 Answers2

8

Every full node will run the same contract with the same input (with the goal of checking the output).

So, when a miner runs a contract and notes its execution in a published block, every full node then runs the same contract (with same inputs) for themselves, in order to verify the output of the miner. If the output if different, then the block is rejected.

Therefore, the miner's incentive is that the block will be rejected if the miner does not process the contract correctly or maliciously - the consensus process!

Slender
  • 141
  • 3
4

Every full node verifies every contract execution, so they will not relay invalid blocks, and miners will not mine on top of invalid blocks.

This does mean that calculation on Ethereum is relatively inefficient, since the computation must be carried out by every node, but there are techniques for moving computation off the blockchain in a secure manner.

Tjaden Hess
  • 37,046
  • 10
  • 91
  • 118
  • Okay, so smart contracts are intended to be cheap then. Right? – Christopher King Apr 17 '16 at 23:47
  • There is a very small amount of computation available per block, and thus computation can be somewhat expensive (not exorbitantly so, still under $0.01 per transaction). Thus, it is in the designer's best interest to only put critical components on the blockchain, usually the money-handling components. – Tjaden Hess Apr 18 '16 at 00:00
  • Is the small amount of computation a hard limit? If so, how does the technique you linked of having the computation be run on-chain if there is a dispute work? – Christopher King Apr 18 '16 at 00:03
  • 1
    The amount of computation allowed per block (as measured in gas and called the block gas limit) is voted up or down by miners. So it is flexible, and will increase as supply of computing power increases. Another thing that can be done to get around the limit, is that large computations can be broken up across multiple blocks, if they need to be run on-chain – Tjaden Hess Apr 18 '16 at 00:06
  • Hopefully cryptographic obfusication becomes practical at some point. It would allow computations to be run and signed in such a way that it couldn't be altered. – Christopher King Apr 18 '16 at 00:09
  • @PyRulez The consensus algorithm already allows that in the context of Ethereum contracts. Tjaden's link shows how some of it can be offloaded from the blockchain, too. – Nick Johnson Apr 18 '16 at 06:23
  • @NickJohnson obfuscation would mean you wouldn't need consensus since no computation could be forged. – Christopher King Apr 18 '16 at 10:40
  • @PyRulez Consensus means you don't need obfuscation. :) – Nick Johnson Apr 18 '16 at 11:01
  • @NickJohnson oh yeah, don't get me wrong. What we have now is the best for what we get. I'm just saying that Cryptographic obfuscation than the potential to revolutionize cryptocurrency, and all of cryptography for that matter. – Christopher King Apr 18 '16 at 11:03
  • @PyRulez I'm kind of of the reverse opinion: Development of distributed consensus protocols has made it possible to achieve many of the things dreamed of for obfuscation, and other things besides (preventing double spending, for instance). I'm skeptical that obfuscation protocols will ever be complete enough to permit turing-complete computation, or efficient enough to be practical. In fact, it may even be provably impossible for them to be turing complete. – Nick Johnson Apr 18 '16 at 14:21
  • @NickJohnson it's already Turing complete (I think), just not efficient enough yet. – Christopher King Apr 18 '16 at 15:44