We often get asked if there is anyone engaged in selfish mining right now. So let's discuss the telltale signs of selfish mining, how one might go about detecting them, and what the inherent limitations are of different detection techniques.
There are two distinct network signatures of selfish mining:
Number of abandoned (orphaned) blocks is a strong indicator of selfish mining activity. The entire idea behind selfish mining is for the selfish pool to outcompete the work of the honest pool. And this will leave behind a series of discarded blocks, where either the honest guy's work was wasted, or the miner took a slight risk and failed. Since every block race will leave such detritus behind in its wake, one could just count the number of such abandoned blocks to see if the rate is stable over time. A rise in the rate would indicate that a selfish mining pool is operating in the network.
The problem with this approach is that abandoned blocks are pruned inside the Bitcoin network, so it is very difficult to get a definitive count. A measurement tool that connects to the network from just one or a few vantage points may very well miss abandoned blocks, and it may erroneously give the impression that everything is fine when there are fierce battles being fought out inside the network. I am not sure how well blockchain.info is connected, but no web service can be everywhere at once to detect every single orphan, so I take its count of orphans with a large grain of salt.
Timing of successive blocks provides a hint that someone is engaged in selfish mining. Two blocks in close succession should be a rare occurence with the honest protocol, and more common when someone is quickly releasing selfishly mined blocks in order to squash the honest miners.
By "close succession," we mean within seconds or perhaps a minute or so of each other. The particular case we're detecting is that of a selfish miner who publishes a chain of length two to squelch a single block discovered by an honest pool. This corresponds to a particular transition in the selfish miner state machine; it is just a subset of the selfish miner's activity, the "double-down-and-squelch" action that a miner can engage in only when it is two or more blocks ahead.
One could detect this doubling-down scenario by looking at the timestamps on successive blocks in the blockchain. Since mining is essentially an independent random process, we'd expect the interblock time gap to be exponentially distributed. Any deviation from this expectation would be suggestive of selfish mining.
The problem with timing gap analysis is that it is a statistical test, and it may take a fair bit of selfish mining activity before it detects that something is amiss.
Note that ownership of succesive blocks is not a good sign of selfish mining. This is partly because a miner can mine selfishly, and profitably, without mining two blocks in a row. It's also partly because it's too easy to hide the true owner of a block.
Concerned Bitcoin enthusiasts were worried about selfish mining when the BTC Guild mined 4 blocks in succession recently. If you examine the blockchain carefully around the time of this occurrence, it looks like these blocks were released within minutes of each other, too far apart in time to indicate selfish behavior, and without any evidence of a corresponding orphan. This kind of successive mining by a given pool is kind of like tossing a coin and getting 6 heads in a row; it's rare, but it's bound to happen every so often in a long sequence. Timing, not ownership, of succesive blocks is the better indicator, ideally coupled with detected orphans at the same time.
As a result of the increased awareness of our findings, it is now inconceivable that someone could engage in selfish mining without facing some kind of backlash. So, any good selfish miner worth her salt will want to do so clandestinely. To stay one step ahead of the attacker, it's worth thinking about what she might do:
If the detectors examine block ownership, the attacker can easily cover her tracks and cloak her identity. She'd use different Bitcoin and IP addresses, she'd tumble her payouts before using them, and generally masquerade as N separate pools. Each of the N separate pools would look like they are competing with one another, and they would each look like they are too small to matter, and too small to successfully launch a selfish mining attack. But behind the scenes, and unknown to the public, these pools would be coordinated by the same single entity. Outing such collusion is difficult, and this is one of the main reasons why block ownership is a bad indicator.
If the detectors examine block timing, they are in effect detecting just a subset of the behaviors of a selfish miner. As shown in the state diagram in our paper, a selfish miner makes money by various different schemes, corresponding to different transitions of the state machine: sometimes she reveals 2 or more blocks to squelch an honest miner's single block (this is what the timing detects), and at others, she reveals a single block and competes head-to-head inside the network (this behavior is more common and would be undetected by the timing detector). A selfish miner determined to hide her activities might forego the former behavior to remain below the radar. She would make less money, but she'd remain undetected.
If the detectors examine abandoned (orphaned) blocks, the attacker is aided by the current behavior of the network where abadoned blocks are silently pruned and discarded, which makes accurately counting orphans impossible. In essence, the Bitcoin network is helping the attacker to destroy the evidence of her activities. If the protocol were to be modified to propagate every solved block, this countermeasure would be mitigated. Such propagation of all viable block solutions would not pose any denial of service or excess load, as block solutions are quite rare and, by design, very difficult to compute.
All of this shows that detecting selfish mining is possible, but difficult to perform accurately. So, no one can definitively claim that selfish mining is or is not taking place.
That said, both we and others have been looking for suggestive evidence of selfish mining. In particular, Matt Springer has done a fascinating timing gap analysis. You should read his analysis, but since he reveals the punchline in his first sentence, I'll mention it rihgt now: Luckily, the evidence so far indicates that selfish mining is not taking place in Bitcoin. Let's hope that things remain this way for the foreseeable future.