The bitcoin security model endgame
(Part 2) Open questions on the dynamics of subsidy-free proof-of-work
Author’s Note:
This article is part two of a discussion around the dynamics of bitcoin’s transition to becoming reliant on transaction fees for network security. It consists of my views on potential long-term tail risks to the bitcoin network. None of them are fatal, but they are issues that I believe will need to be overcome.
The nature of these questions is such that we don’t currently have answers, yet they are crucial discussions to engage in before they become issues. I will provide my suppositions, but they shouldn’t be taken as expert opinion.
tldr;
If the trend in bitcoin fees continues, bitcoin will likely be fine but bitcoin miners will not. The network’s power costs are likely already near the peak that can be supported before accounting for positive externalities from mining. The fee-only security budget will likely never grow large enough to withstand an attack by a motivated sovereign superpower.
What are sufficient fees?
In part one of this writing, I discussed the current state of the bitcoin transaction fee market and how its contribution to miner revenues has begun to fall well short of modelling done only a couple of years ago. Many people have used these decreases to suggest that fee revenue is too low; I do, however, shy away from agreeing with this sentiment.
On the topic of fee revenue being too low, Nic Carter is right on the money:
the 'fees aren't going to be sufficient' crowd need to understand that they are making a specific, burden-of-proof-on-them claim, and if they want to say that, they have to define sufficiency! what's sufficient?
— Nic Carter during an AMA on GM
This crowd doesn’t define sufficient because it’s a difficult exercise to do—even I would prefer not to, but it’s a crucial exercise. The first step is defining the problem, not just what is sufficient, but what are fees sufficient for?
Dan Held hypothesized in 2019 that to discourage governments from attempting to attack the network, the annual security spend should be “several hundred billion, in present value USD”. His modelling at the time suggested that a bitcoin market cap of approximately $30T would induce enough transaction fees to achieve this level of fee security; however, the past three years have seen fee security fall well short of predictions from the time period.
In part one of this writing, I showed that transaction fee revenue has not kept pace with increases in market cap. I expect this decline to continue as the digital gold narrative grows stronger, but assuming it settles at its current state, to generate $100 billion in transaction fees alone, a paltry 13% of the 2022 US military budget, would require a network value of $370 trillion. This market capitalization would be greater than the value of all assets on the planet in 2019 ($361 trillion via Credit Suisse).
Clearly, on the current path, transaction fees alone are not enough to meet Held’s criteria for deterring government attacks.
In a more reasonable bitcoinization scenario, we could estimate the market cap of bitcoin as perhaps $50 trillion (5x the value of all gold in the world), which could potentially generate $13.5 billion in fee revenue for bitcoin miners—a total lower than 2021 miner revenue of approximately $16.7 billion. If transaction fees do not rise (in relation to market cap), the mining market is already oversaturated for an endgame where bitcoin is a $50 trillion asset—future hash rate expectations need to come down, as the current power consumption is not financially sustainable, growing only with the increasing efficiency of new generations of miners.
Lyn Alden also wrote about fee security in March 2021, and although she did not define a level of sufficient security, it’s worth noting that the trend in fee security is now towards 0.025% of market capitalization (10x lower than her low-case).
The alternative to the power consumption saturation is to harness the waste energy through positive externalities:
Household heating
All a space heater does is waste power to provide heat; by definition, adding any value to the process is objectively better. Subsidizing your heat generation through mining rewards is an application that needs to become commonplace.
The biggest issue with the rollout of clean energy is the disconnect between base load and maximum required load. Companies do not want to invest in renewable energy because they have to overproduce it; incentivizing them to monetize the divergence through bitcoin mining can result in carbon negative bitcoin mining.
There is no better interruptible large scale energy use than bitcoin at this time. If there was one instead that could handle infinite load like bitcoin, then I would be pushing it instead.
Mining at oil flaring sites is carbon negative and allows for risk-free profit. There is no other application that can go out to oil fields temporarily and take advantage of the energy supply while reducing methane emissions.
Mining applications with positive externalities work as a pseudo subsidy with the ability to make non-profitable mining profitable. They are the only way that bitcoin mining can continue to scale without a change in the fee market trend.
Arguments from Carlsten et al. (2016)
There are two arguments from the 2016 paper On the Instability of Bitcoin Without the Block Reward, by Carlsten et al. that I feel are worth exploring.
Mining Gaps
The first argument speaks of mining gaps: the thesis suggests that without a block subsidy the longer the period of time between two blocks, the more valuable that block becomes (as the mempool builds up). It suggests that an equilibrium likely exists where directly after a mined block the expected return of each computed hash is negative (less than the energy cost), and that until fees have built up sufficiently, if practical, bitcoin miners would prefer to shut down their miners until this barrier is crossed.
The authors argue:
Clearly, this would have a negative impact for Bitcoin security, as the effective hash power in the network would drop, and it would become easier for a malicious miner to fork.
I actually believe the authors have their logic backwards. In terms of security, it is not the effective hash power of the network that matters, but instead the potential hash power of the network.
If a malicious actor gained control over 51% of the effective hash power of the network, the good actors could then choose to run their machines without gaps (which the attacker would likely already be doing) and therefore regain control. In practice, these mining gaps should drop the block difficulty and act as a pseudo subsidy for the network allowing the potential hash rate to grow higher than a gap-less network.
Despite violating the premise of decentralization and non-cooperation, miners colluding to mine less frequently and decrease the difficulty of finding blocks would be a net benefit to the security of the network—allowing for more potential hash power at the same energy use and cost.
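The mining-gap equilibrium and its effect on difficulty, as an added Python example (not from the article or from Carlsten et al.). It assumes fees enter an empty mempool at a constant rate after each block and that miners can switch on instantly at no cost; the function names are hypothetical and the fleet figures are constructed, in arbitrary units.

```python
"""Toy mining-gap model (constructed numbers, arbitrary units)."""
import math

def expected_interval(p, miners, fee_rate):
    """Mean time between blocks when each miner idles until a hash pays for itself.

    p        : probability that one hash finds a block (inverse difficulty)
    miners   : list of (hashes_per_second, cost_per_hash)
    fee_rate : fees entering the empty mempool per second after a block
    A hash at time t earns p * fee_rate * t in expectation, so a miner with
    cost c switches on at t = c / (p * fee_rate).
    """
    switch_on = sorted((c / (p * fee_rate), h) for h, c in miners)
    mean, surviving, active, t_prev = 0.0, 1.0, 0.0, 0.0
    for t_on, h in switch_on:
        dt, rate = t_on - t_prev, p * active  # block-finding rate in this segment
        if rate > 0:
            decay = math.exp(-rate * dt)
            mean += surviving * (1 - decay) / rate
            surviving *= decay
        else:
            mean += surviving * dt  # nobody is hashing yet: this is the gap
        active, t_prev = active + h, t_on
    return mean + surviving / (p * active)  # tail with every miner running

def retargeted_p(miners, fee_rate, target=600.0):
    """Bisect (in log space) for the p that restores a `target`-second mean interval."""
    lo, hi = 1e-30, 1.0
    for _ in range(200):
        mid = math.sqrt(lo * hi)
        if expected_interval(mid, miners, fee_rate) > target:
            lo = mid  # blocks too slow: difficulty must fall (p must rise)
        else:
            hi = mid
    return hi

def gapless_p(miners, target=600.0):
    """Per-hash success probability if the same hardware hashed continuously."""
    return 1.0 / (target * sum(h for h, _ in miners))

if __name__ == "__main__":
    fleet = [(1000.0, 0.001), (500.0, 0.002)]  # constructed fleet
    p_gap, p_flat = retargeted_p(fleet, fee_rate=1.0), gapless_p(fleet)
    print(f"difficulty with gaps is {p_flat / p_gap:.2f}x the gapless difficulty")
```

In this model the retargeted difficulty is always below the gapless one for the same hardware, so the hash power that can be switched on exceeds what the average block interval alone would suggest.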
Undercutting Attacks
Undercutting attacks are likely a valid criticism that the market will need to work around. The authors describe the strategy:
if there is a 1-block fork, it is more profitable for the next miner to break the tie by extending the block that leaves the most available transaction fees rather than the oldest-seen block.
The simplest way, and please allow some technical leeway for the broad audience, to conceptualize this is to imagine a mempool containing less than a full block of transactions. If Miner A wins the block and clears out the mempool to maximize their fees, then the winner of the next block, Miner B, could choose to ignore Miner A’s chain and fork the previous block while leaving a sufficient amount of transactions in the mempool for the next block winner, Miner C, to prefer to extend Miner B’s chain than Miner A’s chain.
This theoretical attack could result in leaving bitcoin open to constant reorgs if miners choose to maximize their own profits per block. The easiest strategy to avoid the prevalence of these undercutting attacks would be for miners to strategically leave transactions in the mempool of sufficient size to prevent forks from having a strategic preference to ignore their chain.
These attacks certainly are not a fatal flaw, but they do induce an inefficiency into the mining market that participants will need to work around.
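The decision Miner B and Miner C face above, and the amount Miner A can claim without inviting a fork, as an added Python example (not from the article or from Carlsten et al.). It assumes a single round, a mempool holding less than one block of fees, and no new fees arriving between blocks; Tip, best_response, max_safe_claim and play are hypothetical names and the fee amounts are constructed.

```python
"""Toy model of the 1-block undercutting decision (constructed, simplified)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Tip:
    miner: str
    claimed: int    # fees taken by this block
    remaining: int  # fees left in the mempool for whoever extends this tip

def preferred_tip(tips):
    """Extend the tip leaving the most fees; ties go to the oldest-seen (first) tip."""
    return max(tips, key=lambda t: t.remaining)

def max_safe_claim(pool, step=1):
    """Largest claim a with a - step <= pool - a: undercutting pays no more than extending."""
    return (pool + step) // 2

def best_response(pool, a_claim, step=1):
    """Miner B's move after Miner A claimed a_claim from a mempool holding `pool` fees."""
    extend_gain = pool - a_claim
    # A fork must claim less than A (so C prefers it) and must itself be
    # safe from a further undercut, hence the cap at max_safe_claim.
    undercut_gain = max(min(a_claim - step, max_safe_claim(pool, step)), 0)
    if undercut_gain > extend_gain:
        return Tip("B", undercut_gain, pool - undercut_gain), "undercut"
    return Tip("B", extend_gain, 0), "extend"

def play(pool, a_claim):
    """Return (B's move, miner whose block C builds on) for one round."""
    a_tip = Tip("A", a_claim, pool - a_claim)
    b_tip, move = best_response(pool, a_claim)
    if move == "extend":
        return move, b_tip.miner  # B built on A: single chain, no fork
    return move, preferred_tip([a_tip, b_tip]).miner

if __name__ == "__main__":
    for claim in (100, 60, 50):  # constructed fee amounts out of a pool of 100
        print(claim, play(100, claim))
```

In this model a miner who claims more than half of the available fees gives the next miner a reason to fork, which is the sense in which leaving transactions in the mempool protects the miner's own block.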
The Dichotomy of Necessary Use Cases
While discussing Bitcoin’s Security Budget in the Long Run, Paul Sztorc presents the following table outlining the required future change in narrative as the block subsidy is replaced by transaction fee revenue. In order for bitcoin mining to continue functioning well it must transition from a perceived store of value into a medium of exchange.
The issue with this logic is that monetary theory (and common sense) tells us that goods with disinflationary properties, like bitcoin, become better stores of value in time. When a store of value increases in quality, the velocity of money tends to drop. In the case of bitcoin, the relationship between store of value and willingness to spend will make the transition into a medium of exchange far more difficult than most holders currently expect. We’re already seeing this with dollar denominated transaction fees no longer keeping up with growth in the value of the network.
As we approach terminal inflation (90% issued already), the store of value narrative will grow stronger and advice to never sell your bitcoin will become increasingly common. All these suggestions do is create a free rider problem, where few holders transact frequently enough to pay their share of the network—thus leading to stagnant and low fee revenue.
Centralization of Hash Rate via Public Miners
Hash rate centralization into publicly traded mining companies is an under-discussed tail risk. Looking at bitcoin miner loans under stress and the falling market price of mining machines, it is likely that smaller industrial miners and those with less strength in the capital markets (especially private mining companies) will see capitulations during the bear market.
This will lead to companies like Marathon Digital, whose breakeven mining cost is obscenely low, being able to scoop up mining rigs at extreme discounts and continue to expand their market share.
As of March 2022, Arcane Research estimated that public miners already control 19% of global hash rate.
Supplementing Arcane’s data with analysis by Compass Mining, it seems likely, before accounting for upcoming large capitulations in the mining industry, that hash rate controlled by public companies should be on pace to climb above 30% by the end of 2022. With the coming capitulations this number could be significantly lower or higher, but with the relative strength of the US capital markets and a strengthening US dollar I think 30% is a short-term low end estimate.
In the long term, the market share of public hash rate will grow above 50% (better energy contracts, better access to bulk new mining machines, more capital, etc.), which creates a tail risk of government control through regulation.
It’s not my contention that this control would destroy the Bitcoin network or coin prices, but it could lead to attempts to control transactions and only allow the majority of the network to process KYC transactions. This would put excess pressure on non-KYC and foreign mempool transactions leading to longer effective block times that could deter global usage of the protocol.
For example, if 80% of hash rate became publicly traded and enforced KYC then block times could effectively rise to 50 minutes for the rest of the world.
Bitcoin for National Defense
With a similar risk profile to majority hash rate centralizing amongst public miners, the community’s encouragement of the militarization of bitcoin mining is also short-sighted. In Jason Lowery’s US Military-sponsored master’s thesis, he suggests that heavily investing in bitcoin mining would offer the United States the ability to “impose unbounded physical costs” against its adversaries and to allow “nations [to seek] international power and influence”.
The second line of the bitcoin whitepaper emphasizes the need to move away from “the inherent weakness of the trust based model”. The goal of Bitcoin is certainly not to replace our trust in financial institutions with control of the United States military.
Frankly, this concept is dystopian and terrifying. Supporters of the notion are seeking a government to pump their bags. It’s simply driven by greed and the acceptance of government control should they make your life ‘better’.
I would love your feedback on what concerns you think I’ve missed, overstated, or underestimated. The way we solve problems is by confronting them, not by ignoring them.
Incredible work, as always! Every article of yours is a happy day for me :)
Amazing!