F2Pool allegedly censors shielded Zcash transactions for reasons unknown

Is it insidious censorship, secretive economic edges or just good old fashioned laziness? You be the judge.

Key points

• One of the largest Zcash mining pools, F2Pool, has not been processing certain types of transactions.
• On the surface, it appears to be a counter-intuitive move, and it's not clear why F2Pool is doing this.
• F2Pool has said it's probably just a mistake, but the other theories are more fun.

F2Pool is one of the world's largest mining pools and is generally the second or third biggest Zcash (ZEC) mining pool by hashrate at any given time. And it has been censoring shielded transactions since around April 2017, computer scientist Lev Dubinets says.

What?

Shielded transactions in Zcash are private transactions. These transactions hide the sending and receiving addresses as well as the amount being sent. Without those details you can't tie users and transactions together, and therefore have anonymous transactions.

Zcash users can shield their transactions by sending funds between shielded addresses, while those who prefer transparency can use non-shielded addresses instead. The end result is an optional privacy mode. Both types of addresses are interoperable and there's also a kind of partial privacy for transactions between shielded and non-shielded addresses.

F2Pool has been censoring shielded transactions. Specifically, it's not touching transactions that are going to or from shielded addresses. For more than two years now, it has been avoiding these types of transactions. This is problematic for a couple of reasons.

The first is that this is harming the Zcash network by making shielded transactions slower, more expensive and more annoying. A huge chunk of the total network just isn't touching them, and it means people are more likely to have to send shielded transactions multiple times, as they "time out" of the mempool if they sit around for too long without a miner processing them.

The second is that it's ideologically outrageous and serves as an uncomfortable reminder of how much control miners have over ostensibly immutable networks, and how a miner's motivations do not always align with the well-being of the network they're serving.

In this case, a miner appears to be deliberately harming the functionality and user experience of the network.

How do we know?

We know this is happening because you can clearly differentiate between transactions that are shielded and unshielded, can clearly see which mining pool processed a block and can conclude that this is either a staggering ongoing coincidence or F2Pool is avoiding shielded transactions.

"Out of 86,849 shielded transactions year-to-date only 120 have been mined by F2Pool. Given their share of the hashpower, they should have mined around 15,000 shielded transactions year-to-date," Dubinets explains.

It's not clear why those 120 transactions went through. Dubinets guesses they might be transactions from the F2Pool team themselves, who may have whitelisted their own addresses, but says there's no way of knowing for sure.

We know it's happening. The more puzzling part is trying to work out why it's happening and what, if anything, can or should be done about it.

Why?

One of the most obvious answers is regulatory concerns. Maybe F2Pool doesn't want to end up on the wrong side of the law by processing anonymous transactions?

That's probably not it, says Zcoin chief operating officer Reuben Yap.

"Given that F2Pool also mines other privacy coins such as Zcoin, Monero and Grin and processes their private transactions fine, it is unlikely to be a regulatory issue or any legal concerns," he points out.

There are no obvious financial benefits either. It doesn't noticeably cost miners any more to verify shielded transactions than non-shielded, and theoretically the main objective for a profit-motivated Zcoin miner should be to process as many transactions as possible as fast as possible.

But F2Pool isn't simply prioritising unshielded transactions – it's actively avoiding shielded transactions even when there's plenty of block space. It's mining empty blocks instead of shielded transactions.

"It's a very perplexing stance that F2Pool took, given that the time to verify private shielded transactions in the Zerocash protocol isn't all that different than a regular transaction," Yap muses. "Mining pools can always choose which transactions to include in the block and the general idea is that miners are incentivised to process as many transactions as they can to receive the fees associated with it. This isn't always the case however and even in Bitcoin, sometimes the economic incentives line up to mine empty blocks."

Best guess

It's a bit of a mystery, but there are three best guesses.

The first, very tentatively put forward by an unconvinced-sounding Dubinets, is that it's just a convenience measure to reduce some of the hassles associated with Zcash updates. But the fact that this has been going on for two years, combined with the theory's inability to pass the sniff test, says that's probably not the answer.

The second is that F2Pool has found a competitive advantage by avoiding shielded transactions, and everyone else has overlooked it for years. That's Yap's guess.

"My guess is that F2Pool engineers (who are among the best in the world) have determined that not processing shielded transactions gives them some advantage in mining blocks (in a similar vein to mining empty blocks). If so, it's a risk given that F2Pool may face backlash from the Zcash community," he says. "Or perhaps as the original post suggested the reason might be more towards not wanting to deal with the complexities with verifying the zero knowledge proofs which also change from time to time.

"If there is something particular about shielded transactions that causes inefficiencies in mining, the fee incentives to process them need to be relooked at."

The third, proposed by the guy who wrote the F2Pool Zcash mining pool program in 2016, is that he just wasn't really feeling it and subsequent developers weren't either.

April 2017, which is when this is all believed to have begun, saw a flurry of Zcash updates and it's possible that something broke with F2Pool and no one noticed until now. It's still a little bit mysterious that a small handful of shielded transactions were still going through though. But that would still be a bit mysterious under any other theory, so who knows.

Problems and solutions

If there's actually some kind of competitive advantage in avoiding shielded transactions, it's safe to say everyone's going to start doing it once they sniff out what it is. Then no one will process shielded transactions, which would completely ruins one of the key elements of Zcash.

Solving this problem, if there is one, could be deceptively complicated. Because of the way Zcash is set up, it's not always possible to just jump in and improvise surgery on its mining incentive system.

Fortunately, there are other potential solutions.

1. Always-on privacy

You could just make shielded transactions mandatory, kind of like Monero did when it became apparent that the CryptoNote privacy scheme wouldn't work otherwise.

But this would reduce the utility of the coin. Transparency is just as much a feature as privacy, and being able to do both with the same coin is a key.

2. Get more people to use shielded transactions

You could also pressure more people to use shielded transactions. Right now, they make up the minority of transactions, but if the majority of people start using shielded addresses it probably won't be economical to censor them.

Zcash is already moving towards this with the release of new systems intended to make shielded addresses easier to use.

3. Apply social pressure to F2Pool and the miners using it

Shame, shame, shame. Boooo.

4. Prevent the selective censoring of shielded transactions

It may or may not be doable, and it may or may not have unforeseen consequences.

5. Add checks and balances

"Perhaps the bigger question is whether miners should be the sole determinant of that choice, or should that power be also kept in check with other hybrid systems such as masternodes or PoS/PoW combinations or penalty systems in place for withholding the processing of transactions?" Yap asks.

6. All, some or none of the above

All, some or none of the above.

Also watch

Disclosure: The author holds BTC, BNB, ATOM and IOTA at the time of writing.

Picture: Shutterstock