Pool Attribution

How we identify which mining pool mined each block on the Zcash network, and why you can trust the labels you see on this explorer.

The short answer

Every Zcash block contains a coinbase transaction created by the miner who found it. Mining pools typically leave identifiable fingerprints in this transaction: a readable name, a binary signature, or a structural pattern unique to their software. We search for these fingerprints using five attribution methods, each explained below with real examples from the Zcash blockchain.

Using these attribution methods, we've identified the mining pool for over 80% of all Zcash blocks, and nearly all blocks mined in the past year.

What's in a coinbase transaction?

The coinbase transaction is the first transaction in every block. Unlike normal transactions that spend existing coins, the coinbase transaction creates new ZEC. This is how miners receive their block reward.

The coinbase transaction includes a free-form data field called the scriptSig. The only requirement is that it starts with the block height (a rule called BIP34). After that, the miner can embed whatever they want: a pool name, a message, random bytes, or nothing at all.

[Diagram: Block #2,850,000, coinbase transaction (first tx in block)]
scriptSig (free-form data): 03 50 89 2b 00 04 a3 b1 ... 2f 46 6f 75 6e 64 72 79 2f
Segments, in order: block height, extra nonce, /Foundry/ (pool identifier embedded here)

This free-form data is the foundation of pool attribution. Most pools use it to advertise their identity, and even pools that don't leave an explicit tag often produce a distinctive pattern. You can inspect the coinbase data yourself on any block detail page in the "Coinbase" section.

Method 1: Coinbase tags

The most common identification method. Many pools embed a human-readable ASCII string in the coinbase scriptSig, signing every block they mine with their name.

Examples of tags found on the Zcash blockchain:

  • /ViaBTC/Hello world!/ (ViaBTC)
  • Antpool, /Antpool/ (Antpool)
  • 2miners.com (2Miners)
  • Poolin, poolin.com (Poolin)
  • /flypool/ (Flypool / Bitfly)
  • Mining-Dutch (Mining Dutch)

When we find a recognized tag in the coinbase text, the confidence is very high. The pool explicitly signed the block — though any miner could technically include another pool's tag. This is the same technique Bitcoin block explorers use.

Method 2: Coinbase signatures

Some pools embed a signature that isn't readable ASCII text. Instead, it's a binary pattern buried in the raw hex data of the coinbase transaction. These signatures don't show up when decoding the coinbase as text. They require hex-level analysis.

The best example is F2Pool (also known as Discus Fish). Every F2Pool block contains the Chinese characters 七彩神仙鱼 ("Colorful Angelfish," their brand name) encoded as UTF-8 bytes:

e4b883 e5bda9 e7a59e e4bb99 e9b1bc → 七 彩 神 仙 鱼

Each Chinese character occupies 3 bytes in UTF-8. This 15-byte signature appears in 100% of blocks from F2Pool's addresses and in 0% of blocks from any other pool, making it just as reliable as a text tag.

Signatures like this are also valuable for tracking pools across address changes. Even when F2Pool rotated to a new payout address, the hex signature was still present, confirming continuity.
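The tag and signature searches from Methods 1 and 2, as an added example (not this explorer's code). It assumes the search runs only on the bytes after the height push and that conflicting markers leave a block unattributed; the function names and sample scriptSigs are constructed.

```python
# Added example. Tag and signature bytes are the ones quoted on this page;
# the sample scriptSigs at the bottom are constructed for illustration.
ASCII_TAGS = {
    b"/ViaBTC/": "ViaBTC", b"/Antpool/": "Antpool", b"2miners.com": "2Miners",
    b"poolin.com": "Poolin", b"/flypool/": "Flypool", b"Mining-Dutch": "Mining Dutch",
}
HEX_SIGNATURES = {
    bytes.fromhex("e4b883e5bda9e7a59ee4bb99e9b1bc"): "F2Pool",  # 七彩神仙鱼
}


def bip34_height(script_sig):
    """Return (height, offset of the first free-form byte)."""
    if not script_sig:
        raise ValueError("empty scriptSig")
    n = script_sig[0]  # opcodes 0x01..0x08 push that many bytes
    if not 1 <= n <= 8 or len(script_sig) < 1 + n:
        raise ValueError("no well-formed height push")
    return int.from_bytes(script_sig[1:1 + n], "little"), 1 + n


def identify(script_sig, block_height):
    """Return every (pool, method) whose marker occurs after the height."""
    height, start = bip34_height(script_sig)
    if height != block_height:
        raise ValueError("height push does not match the block")
    free_form = script_sig[start:]  # the part the miner controls
    hits = [(pool, "coinbase signature")
            for sig, pool in HEX_SIGNATURES.items() if sig in free_form]
    hits += [(pool, "coinbase tag")
             for tag, pool in ASCII_TAGS.items() if tag in free_form]
    return sorted(set(hits))


def attribute(script_sig, block_height):
    """One pool -> that pool; no marker or conflicting markers -> None."""
    pools = {pool for pool, _ in identify(script_sig, block_height)}
    return pools.pop() if len(pools) == 1 else None


HEIGHT = bytes.fromhex("0350892b")  # 3-byte push of 0x2b8950 = 2853200
SAMPLE_TAG = HEIGHT + b"\x00\x04\xa3\xb1" + b"/ViaBTC/Hello world!/"
SAMPLE_SIG = HEIGHT + b"\x9a\x01" + "七彩神仙鱼".encode("utf-8") + b"\x00"
SAMPLE_MIX = HEIGHT + b"/flypool/" + b"/Antpool/"  # two pools' tags at once

if __name__ == "__main__":
    for s in (SAMPLE_TAG, SAMPLE_SIG, SAMPLE_MIX):
        print(identify(s, 2853200), "->", attribute(s, 2853200))
```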

Method 3: Software fingerprinting

Even when a pool doesn't embed an explicit tag or signature, their mining software can produce structurally distinctive coinbase data. By analyzing the hex structure of confirmed blocks from a known pool, we can derive a fingerprint: a pattern in the coinbase bytes that's unique to that pool's software.

A real example: Slushpool (now Braiins) originally tagged blocks with /slush/. When they later removed the tag, a remnant persisted: the coinbase data of every block still ended with the byte 0x2f (the ASCII character /). This trailing slash appeared in 100% of blocks from Slushpool's known addresses and in 0% of blocks from any other pool.

By following this fingerprint across multiple address changes, we traced the full chain of Slushpool addresses from 2017 through their shutdown in 2022, even though only the earliest blocks carried the readable /slush/ tag.

Fingerprint-based attribution is high confidence when the pattern is exclusive to one pool. We validate exclusivity by checking whether any other addresses on the network share the same pattern.
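One way to run the exclusivity check described above, as an added example (not this explorer's code). The addresses, labels and scriptSigs are constructed, and the rule that a fingerprint is usable only at 100% coverage with no hits on other pools' addresses is an assumption taken from the 100% / 0% figures in the Slushpool case.

```python
from collections import defaultdict


def ends_with_slash(script_sig):
    """Fingerprint from the Slushpool case: scriptSig ends with 0x2f."""
    return script_sig.endswith(b"\x2f")


def contains_slash(script_sig):
    """A deliberately loose fingerprint, to show a failed exclusivity check."""
    return b"\x2f" in script_sig


def evaluate(blocks, labels, pool, fingerprint):
    """blocks: (payout_address, script_sig) pairs; labels: address -> pool."""
    stats = defaultdict(lambda: [0, 0])  # address -> [blocks, matching blocks]
    for addr, sig in blocks:
        stats[addr][0] += 1
        stats[addr][1] += bool(fingerprint(sig))
    own = [a for a in stats if labels.get(a) == pool]
    own_total = sum(stats[a][0] for a in own)
    if own_total == 0:
        raise ValueError("no confirmed blocks for " + pool)
    coverage = sum(stats[a][1] for a in own) / own_total
    # Addresses already labelled as another pool that also match.
    conflicts = sorted(a for a in stats
                       if labels.get(a) not in (None, pool) and stats[a][1])
    # Unlabelled addresses whose every block matches: possible rotations.
    candidates = sorted(a for a in stats
                        if a not in labels and stats[a][1] == stats[a][0])
    usable = coverage == 1.0 and not conflicts
    return {"coverage": coverage, "conflicts": conflicts,
            "candidates": candidates if usable else [], "usable": usable}


# Constructed sample data; the addresses are placeholders, not real ones.
LABELS = {"t1-slush-old": "Slushpool", "t1-viabtc": "ViaBTC"}
BLOCKS = [
    ("t1-slush-old", b"\x03\x10\x27\x05/slush/"),
    ("t1-slush-old", b"\x03\x11\x27\x05\xaa\xbb/"),
    ("t1-viabtc", b"\x03\x12\x27\x05/ViaBTC/Hello world!/\x00\x01"),
    ("t1-unknown-x", b"\x03\x13\x27\x05\xcc\xdd/"),
    ("t1-unknown-x", b"\x03\x14\x27\x05\x01\x02/"),
    ("t1-unknown-y", b"\x03\x15\x27\x05\x99"),
]

if __name__ == "__main__":
    print(evaluate(BLOCKS, LABELS, "Slushpool", ends_with_slash))
    print(evaluate(BLOCKS, LABELS, "Slushpool", contains_slash))
```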

Method 4: Address handoff

Mining pools periodically rotate their payout addresses. When this happens, one address stops producing blocks at the exact same time a new address begins, often within minutes or even a single block height.

To confirm a handoff, we plot the combined monthly block share of both addresses through the transition period. If the combined share stays continuous across the switch, that's strong evidence that both addresses belong to the same pool.

[Chart: network share (y-axis, 25% to 45%) by month, Jan to Oct, for Address A (tagged, known pool) and Address B (untagged, same pool), with the address switch marked. Illustrative, not real network data.]

In the example above, Address A (a known pool) stops mining in June. Address B (untagged) starts at the exact same time. Their combined network share is smooth through the transition: no spike, no drop, just a seamless continuation.

This method has been used to track several major pools through address rotations, including ViaBTC, Antpool, Binance, and Flypool. The confidence is high when the timing is tight (same day, single-digit block gap) and the share continuity is clean.
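The two handoff tests (tight block gap, continuous combined share) as an added example, not this explorer's code. The thresholds max_gap and max_jump are assumptions, and the block list is generated as constructed data that mirrors the illustrative chart plus an unrelated address for contrast.

```python
from collections import Counter


def handoff_check(blocks, addr_a, addr_b, max_gap=9, max_jump=0.05):
    """blocks: (height, 'YYYY-MM', payout_address) tuples in any order.
    max_gap and max_jump are assumed thresholds, not the explorer's."""
    total, mined = Counter(), Counter()
    heights = {addr_a: [], addr_b: []}
    for height, month, addr in blocks:
        total[month] += 1
        if addr in heights:
            mined[month] += 1
            heights[addr].append(height)
    if not heights[addr_a] or not heights[addr_b]:
        raise ValueError("both addresses must have mined blocks")
    gap = min(heights[addr_b]) - max(heights[addr_a])
    # Compare only months inside the pair's active span, so the check is
    # about the transition and not about the pool starting or shutting down.
    active = sorted(m for m in total if mined[m])
    span = [m for m in sorted(total) if active[0] <= m <= active[-1]]
    combined = [mined[m] / total[m] for m in span]
    worst = max((abs(y - x) for x, y in zip(combined, combined[1:])),
                default=0.0)
    tight = 0 < gap <= max_gap
    return {"block_gap": gap, "tight": tight, "max_jump": round(worst, 4),
            "handoff": tight and worst <= max_jump}


def constructed_blocks():
    """Constructed data: 100 blocks a month, Jan-Oct; A hands off to B in June."""
    pool_blocks = [34, 36, 35, 33, 35, 36, 34, 35, 36, 35]
    blocks, height = [], 1_000_000
    for m, n in enumerate(pool_blocks, start=1):
        for i in range(100):
            height += 1
            if i < n:
                addr = "addr_A" if (m, i) < (6, 20) else "addr_B"
            elif m >= 8 and i >= 90:
                addr = "addr_C"  # unrelated miner that appears later
            else:
                addr = "other"
            blocks.append((height, f"2021-{m:02d}", addr))
    return blocks


if __name__ == "__main__":
    data = constructed_blocks()
    print(handoff_check(data, "addr_A", "addr_B"))
    print(handoff_check(data, "addr_A", "addr_C"))
```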

Method 5: On-chain analysis

The final method combines two signals: on-chain funding traces and solrate correlation.

If a known pool's address sends funds directly to an unknown mining address, and that unknown address's block-implied solrate closely matches what the pool publicly reports via their API, the two are likely the same entity.

This is the most circumstantial method and is never used as the sole basis for attribution. It serves as supporting evidence, helping increase confidence when other indicators (like timing or fingerprint similarities) are present but not conclusive on their own.

A real example: Luxor tagged blocks with readable coinbase text until January 2022, mining tens of thousands of blocks. Five months later, an untagged address began mining — no coinbase tags, no hex signatures, and a four-month gap that ruled out a clean address handoff. But two on-chain transactions totaling hundreds of ZEC linked Luxor's old address directly to the new one:

Signal 1: On-chain funding trace

  • Luxor (tagged address): t1L2rj...CTpG, last tagged block: Jan 2022
  • Transfer: hundreds of ZEC
  • Unknown address: t1XQZd...Lgux, first block: Jun 2022

Signal 2: Solrate correlation

  • Luxor (reported): ~380 MSol/s
  • Unknown addr.: ~370 MSol/s
  • Nearly identical, within normal variance

Luxor's API still reported a substantial solrate but had zero identifiable blocks since January 2022. The unknown address's block-implied solrate — derived from its share of network blocks — was nearly identical to what Luxor reported. Combined with the direct funding link, this was enough to attribute tens of thousands of additional blocks to Luxor with medium confidence.

Confidence and coverage

Not all attribution methods carry the same weight. We group them into three confidence tiers:

  • Very High: Coinbase Tag + Coinbase Signature. Pool explicitly identifies itself in the block. >50% of attributed blocks.
  • High: Software Fingerprint + Address Handoff. Structural patterns or timing evidence exclusive to one pool. <50% of attributed blocks.
  • Medium: On-Chain Analysis. Funding traces + solrate correlation as supporting evidence. <5% of attributed blocks.

Most blocks are attributed through coinbase tags and signatures alone. The other methods primarily extend coverage to blocks that would otherwise show as unknown — tracking pools across address rotations or linking untagged addresses back to known operators. When the evidence doesn't meet at least the medium confidence threshold, the block stays unattributed rather than risk a misattribution.

Blocks we can't attribute to any pool appear as "Unknown" on the Pools page. These include solo miners, pools that don't leave any identifying marks, and historical blocks from before pool tagging became standard practice. Attribution is an ongoing process, and coverage continues to improve as new patterns are identified.

See it yourself

Everything described here is transparent and verifiable on the explorer:

  • Pools page: All identified pools, their block counts, and network share over different time periods.
  • Pool detail pages: Click any pool to see its known coinbase tags, payout addresses, historical dominance, and individual blocks. For example, visit the ViaBTC or F2Pool detail pages.
  • Block detail pages: Click any block on the Blocks page to see the raw coinbase text, hex data, payout address, and which pool was identified.

If you have questions about a specific attribution or notice something that looks off, let us know on the Contact page.

Mining pool attribution on this explorer uses a combination of coinbase tag analysis, hex signature detection, address handoff patterns, and on-chain funding traces. All methods involve inference based on publicly available blockchain data and may not reflect the actual operator of a given address. Attribution confidence varies by method and is noted where applicable. Pool operators who believe their blocks have been misattributed can contact us to request a correction. This analysis is provided for informational purposes only and does not imply any affiliation with or endorsement by the pools identified.