On Bitcoin’s Fee-Based Security Model — Part 2: Security vs. What?

Why does Bitcoin need a high hash rate? What actually goes wrong within the network if it’s not high enough?

← Part 1: Beware The Turkey Fallacy

You can’t talk about security — fee-based or otherwise — and how much security is enough without first defining what is being secured against. So what is the actual attack that’s being prevented by all that resource-intensive mining distributed around the world?

The short answer is double-spending.

If the hash rate isn’t high enough, it can be profitable for someone to execute a “51% attack” and exploit the proof-of-work mining mechanism in order to spend their coins twice. That is: to spend their coins, and gain possession of what was exchanged for them, then take back the coins by overwriting the recent history of the blockchain (replacing the original transaction).

We need to understand how a double-spend attack works, and under what real-world conditions it’s profitable, because that is what Bitcoin’s incentive-based security is all about.

Sidenote: There are also nation state/military attacks to consider, where the motivation is to disrupt Bitcoin rather than profit. I’ve written about those before in depth and we’ll cover them briefly at the end.

It costs money — resources have to be expended — to overwrite the recent history of the blockchain of course, and the higher the hash rate, the more it costs. But when you’re done with a double-spend you end up with the goods and the coins and the mining rewards in your possession, so depending on what the cost is, maybe it’s worth it?

If these (anti-)double-spending incentives get out of whack, we have a problem. How big of a problem? A problem for who? Let’s see.

1) A Problem For BTC Receivers

If an anonymous party sends you $100,000 worth of BTC, how long does it take for the transaction to settle? How long, in other words, until it’s safe to exchange something — irreversibly — for the BTC you’re receiving?

Say your side of the exchange is a USD transfer, or some other cryptocurrency, digital property title, or bearer instrument… Or perhaps fast-forward into the future a bit and say it’s a same-day delivery of physical goods via drone or self-driving car…

Note that the transaction process is fully respectful of the right to privacy. There’s no KYC here and there’ll be no government intervention — you do not have legal recourse in the event of misbehaviour. Trust in the integrity of your BTC transaction comes exclusively from the peer-to-peer network.

If you’re a programmer and you’re writing a piece of software to automatically handle exchanges like this, i.e. if you’re writing code that will observe the blockchain via your fully-validating node and trigger the release of goods once the transaction is settled, when is that and how do you know?

“After 6 confirmations!” says an enthusiastic voice. “So like, roughly an hour, but once it’s 6 blocks deep it’s 99.99999% certain, right?”

Nope, not even close.

2.1) Myth #1: The 6 Confirmations Rule

Most people, including many of the most ardent and outspoken Bitcoiners you’ve heard of, don’t really understand how double-spending works. You can read in The Bitcoin Standard by Saifedean Ammous, under the heading ‘The 51% Attack’, that:

“If the recipient is willing to wait for six confirmations, the probability of an attack succeeding shrinks infinitely low.”

And therefore:

“A 51% attack is theoretically possible to execute if the recipients of the payment are not waiting for a few blocks to confirm the validity of the transaction.”

A lot of people have read this book and hold it in high regard.

Michael Saylor, CEO of MicroStrategy, who has very publicly put around $3.5 billion into Bitcoin and is a major fan of The Bitcoin Standard, echoes this belief in a recent video interview on Bitcoin security (6:32–6:42):

“It’s 100% — what is it, like 99.99999% certain after the 6 confirmations.”

…immediately corroborated by fellow fully-committed Bitcoin advocate Robert Breedlove:

“Yep.”

Ross Stevens, executive chairman of NYDIG-BTC (New York Digital Investment Group) and CEO of Stone Ridge Asset Management, wrote in his 2020 letter to shareholders about being all-in on Bitcoin (upheld as ‘required reading’ by legions of fans including the likes of Saylor and Twitter CEO Jack Dorsey):

“Bitcoin safely settles about every hour.”

Followed by:

“Even if all commercial Bitcoin miners, and their combined super-computing power, suddenly went offline overnight, hobbyists mining on laptops at Starbucks would keep the entire global network just as secure.”

His emphasis, not mine. In fact he also underlined it:

The spread of this meme is something to behold. The only slight problem with it, and with all of these grand proclamations based on it, is that the 6 confirmations rule is complete nonsense.

Why?

The short answer¹ is that it’s just derived from an offhand comment made by Satoshi and example calculations in the whitepaper (extract below) detailing what happens if a minority miner attempts a double-spend. It has nothing to do with ‘The 51% Attack’.

p = honest hash rate, q = attacker hash rate

In a so-called 51% attack, when an attacking group of miners commands more hash rate than the honest miners, they can execute a double-spend over any number of blocks — i.e. over any ‘reorganisation depth’ — and the math is reversed: the probability of an attack failing shrinks infinitely low.

They could mine 7 blocks and reorganise the chain after an hour…
Or 144 blocks and reorg after 24 hours…
Or 1,000 blocks and reorg after a week…

And they earn 100% of the mining rewards when they do.

What matters, as we said at the beginning, is whether the payoff is worth it — whether the expected value of taking that course of action is significantly positive for them or whether they’d expect to lose from it overall.

As we’ll see in a moment, 6 confirmations has more or less nothing to do with that calculation. And if you and everyone else in the world were to write code that automatically triggers the release of funds or goods after 6 confirmations, that could end up being very unsafe.

2.2) Myth #2: Digging Into The Past

Another common misconception about double-spending is that you have to go backwards and “dig into the past” to undo a transaction.

In other words, people imagine that — when receiving BTC — if their transaction is buried 6 blocks in the past, that means an attacker would have to go back 7 blocks, redo all that work that’s already been laid down, and catch up with the honest miners (who continue mining further ahead in the meantime).

If that were true, then as the attacker you’d need to do way more than 6 blocks’ worth of work to undo a 6-block-deep transaction, because by the time you’ve done 6 blocks, the honest miners will have moved forward e.g. 5 more of their own… so you’re still 5 behind… and then the same applies again for those 5 blocks… etc.

But it’s not true. You don’t need to dig into the past, that’s not how it works². Double-spending is a pre-planned thing: you make a transaction on the honest chain at the same time as you start mining your alternate attacking chain — i.e. forwards, into the future.

In other words, your right hand makes a regular “honest” transaction while your left hand starts your weapon of hash production, mining a secret chain that contains all of the same transactions except one — yours. Your version of history (which no-one knows about yet) spends the same coins in a transaction addressed to yourself instead of the target.

Your attacking chain advances in parallel to the honest chain, and then you announce it to the network as many blocks into the future as needed — 7 blocks, 20 blocks, or 100 blocks, doesn’t matter.

Once the recipient considers your transaction settled, and you’ve taken possession of the funds or goods in exchange, that’s when you announce your secretly mined chain to the network, overwriting the honest chain, taking back the BTC you spent, and claiming 100% of the mining rewards.

Note: Both chains are completely valid
The total accumulation of proof-of-work is what matters. According to the rules of the Bitcoin protocol, the chain which amasses the most proof-of-work — the ‘heaviest’ chain — is the true chain. A heavier chain can be longer (e.g. 7 blocks vs. 6 blocks) or it can be the same length but with some of the blocks mined at a higher difficulty.

So there’s no catching up to do. You start out in front, make your transaction on the honest chain, and advance faster in private (because you have a higher hash rate). The whole thing is forwards only.

A 7 block double-spend takes ~7 blocks’ worth of work.

2.3) Myth #3: Only My Transaction Matters

It’s useful to approach an understanding of double-spending via these myths because a) once you know them, you’ll see them everywhere, and b) their implications are pretty staggering, especially the one we’re about to look at now.

They say you only need to be concerned with your own transactions. What everyone else does is their business — as long as you take the appropriate amount of precaution based on the size of your transactions, you’ll be fine.

“If you’re worried someone might reorder history using a high hash-power collusion — just wait longer before you consider your transactions final.”
— Greg Maxwell

“If you are a recipient of a 50,000 BTC transaction, you might wait more than the six block rule of thumb out of an abundance of caution.”
— Nic Carter

“Every individual UTXO has its own level of security based on the block it is included in and the difficulty of that block and the ones built on top of it.”
— Shinobi

In other words, it may not be quite as simple as “6 confirmations and done” like it says in The Bitcoin Standard, but you can still look at how much your transaction is worth and calculate whether it would be economically rational for an attacker to invest resources in reversing it.

If your transaction is worth, say, $100 million or more, that’s an amount that might be worth double-spending. So you give transactions like that some extra time to settle. But what about $50,000, or the $100,000 transaction from earlier? Would anyone be going through all the trouble of a double-spend attack for a transaction so small?

That seems extremely unlikely…

Bitcoin has settled countless transactions of that size and much larger over the last 12 years without a hitch. So, clearly, from that we know it’s fine… right?

Gobble gobble.

Elaine Ou, Nic Carter, and Nick Szabo are all big-time Bitcoiners, and they’ve each put forward a model for calculating settlement times based on comparing the value of your transaction vs. the total value of the rewards paid to miners since it was added to the chain.

The model recognises that any transaction can be undone for a price and that the total value of mining rewards is a reasonable proxy for the cost of the work that’s required to generate a chain of a certain length.

Miner Rewards ≈ Miner Spend
The value of block rewards is roughly equal to the value of resources that will have been expended by miners to mine it. In practice, there are some delays in there and a profit margin, but it’s a useful approximation. If there’s ~7 BTC rewards in each block, in general you can assume that miners will spend marginally less than 7 BTC in resources to chase those rewards down.

The idea is that you should wait until the value of your transaction matches the total value of the mining rewards that it’s buried under, and at that point you can consider it settled, because past that point — according to the model — it would be economically irrational for an attacker to try to reverse it.

So for example, say you’re receiving a 10 BTC transaction and it’s now 6 blocks deep in the chain, with each block containing ~7 BTC of rewards. That means roughly 42 BTC worth of work (6x7) has accumulated… 42 BTC worth of work is required to generate a chain of that length… which is more than 4x the size of your transaction… therefore it’s very safe.

A 50 BTC transaction should probably wait for 2 more blocks…
A 500 BTC transaction should probably wait for around 72 blocks…
A 94,500 BTC transaction should wait a very long time, as The Blockfather calculates here:

Note: Block rewards averaged 12.5–14 BTC at the time

It’s a convenient little model but there are two huge problems with it:

1. The attacker doesn’t forgo the mining rewards. In fact the attacker earns 100% of the rewards — every block subsidy and every transaction fee — because they mine 100% of the blocks on their attacking chain, which eventually replaces the honest chain
2. Yours is not the only transaction that matters. You cannot know that yours is the only transaction that the attackers have made. They can be attacking multiple targets at once — anywhere in the world — and you’re just one of them

#1 is just a mechanical error, apparently not recognising that when you’re done with a double-spend you end up with the goods and the coins and the mining rewards in your possession, so counting up the total value of mining rewards as an opportunity cost doesn’t make sense. Yes, you burned hundreds of thousands of $ to mine blocks but you earned hundreds of thousands of $ worth of BTC for it — that’s the point of mining.

#2 is a massive fundamental problem with Bitcoin settlement. It means the above model is practically useless and any calculations based on it will be wrong by several orders of magnitude. There are up to 3,000 transactions in each 1mb block every 10 minutes and all of the other transactions happening in the world at roughly the same time as yours could be concealing a much larger attack that you’re just one tiny part of.

In other words, your “very safe” 10 BTC transaction may in fact be one of hundreds or perhaps thousands of small- and medium-sized transactions, spread out across a series of blocks, that are all going to be reversed in one fell swoop. It could be a 10,000 BTC attack altogether, made against a wide array of targets from across the entire Bitcoin-connected economy, and no-one receiving the BTC can know it. Each individual target considers their small- to medium-sized transactions settled after just a few confirmations.

NB: I originally called this a “wide and shallow” double-spend.

Naturally, the deeper the double-spend, the worse this effect gets. For example, in the last 100 blocks of the Bitcoin blockchain there are up to 300,000 transactions. That’s a lot of space to hide a few thousand attacking transactions in, and it means right now — for all you know — you could be looking at a situation where a 100-block double-spend is about to go down, including:

• a bunch of large transactions (made 72-100 blocks ago)
• a load of medium-sized transactions (made 24–100 blocks ago)
• a tonne of small transactions (made 6–100 blocks ago)

Anyone who believes that only their own transaction matters when calculating attacking incentives will be off the mark by a shocking amount.

And as for the 6 confirmations rule, well that really is useless.

3) So How Does It Work Then?

If you can’t look at number of confirmations, what can you look at? So far double-spending seems like a pretty good deal for the attackers, so what’s the catch? If they end up with the goods and the coins and the mining rewards, where’s the downside?

The short answer is the price of BTC. The potential downside for the attackers lies in what happens after their successful double-spend — after they “undermine the validity of the system” as the whitepaper puts it. The goods that they extracted are clear of any danger of course, but a crash in the price of BTC means a crash in the value of the coins they took back, the mining rewards, and their mining hardware, which otherwise could’ve had some future value if it was returned to normal use, i.e. honest mining.

Note that if the price of BTC didn’t crash after an attack, and instead held its value as though nothing had happened, it would in fact be as good a deal as it seems for the attackers: they would gain the full value of the double-spend as profit and their mining hardware can simply be returned to normal use. (Or they could use it to attack again…)

Simple Example

Using round numbers… Let’s say you’re going to double-spend 20,000 BTC in 2,000 transactions. The price of BTC is $25,000 (so it’s a $500 million attack in total) and mining rewards are ~2 BTC per block.

• Your 2,000 transactions are all different sizes (average size: ~10 BTC)
• They’re made against hundreds of automated, vending-machine-like targets across the whole internet (or throughout the so-called “metaverse”), i.e. their geographic location is irrelevant
• All of your targets are programmed to use either the 6 confirmations rule or the mining-reward-counting rule discussed above just now (like THORchain does, for example — an automated market maker)
• You make the larger transactions first, e.g. 20–60 BTC ($500k–$1.5m), in case they take a bit longer to settle

After 12 blocks, the last of your 2,000 transactions is considered settled by the person or program receiving it and you’ve now got possession of all the goods (say $500m in digital cash for the sake of simplicity). So now you announce your secretly mined 13- or 14-block chain to the network, overwriting the honest chain, taking back the 20,000 BTC, and claiming 100% of the mining rewards.

Before the attack you had:

• 20,000 BTC
• Lots of mining hardware

After the attack you now have:

• $500 million in digital cash (the goods)
• 20,000 BTC (the coins)
• 28 BTC (14 blocks worth of mining rewards)
• Lots of mining hardware

Note you spent e.g. $350–$700k on electricity to mine the 14 blocks (depending on the efficiency of the hardware used)

Maximum overall gain = +$500 million

• If the price of BTC is completely unaffected, as though nothing had happened, the 20,028 BTC in your possession is worth $500.7 million and your mining hardware has exactly the same future potential value as it had before
• If the price of BTC falls 50%, the 20,028 BTC in your possession is worth $250.35 million, you’re +$250 million on the attack, and your mining hardware now has half the future potential value it had before (unless the price subsequently recovers… then it would again have the same value it had before)
• If the price of BTC crashes to zero, the 20,028 BTC in your possession is worth $0, you made no profit on the attack (you simply converted 20,000 BTC into $500 million) and your mining hardware now has no future potential value

Maximum overall loss = cost of electricity + future potential value of your mining hardware**

**Unless you can use a financial instrument to short BTC… then you can insure against the downside and construct a win-win scenario.

4) Use Old Hardware

In terms of minimising the downside then, as the attackers, you will want to use equipment that has the minimum future potential value. (Note the cost of electricity is basically just a rounding error in the grand scheme of things).

If you can use old, decommissioned hardware that’s no longer profitable, that would be ideal.

In other words, as much as possible you want to use a whole load of hardware that’s below market performance — uncompetitive hardware that no-one wants precisely because it has no value.

If you were mining for profit, then using uncompetitive hardware would of course be dumb: you would end up spending more than $700k on electricity to earn $700k of mining rewards… a pointless thing to do. But you’re mining for an attack — a high-leverage “short burst” attack — where the mining rewards really aren’t the point and a few hundred thousand $ overspent on electricity is neither here nor there.

So any hardware at the lower end of the performance spectrum, any hardware towards the end of its useful life that has already recovered most if not all of its original cost, is what you’re after.

Uncompetitive mining hardware has literally no other purpose in the world: the only valuable thing you can do with it is attack the network.

You can most likely acquire old hardware on the secondary market cheaply, or you can just wait for your expensive new hardware to gradually recover its cost over time, via mining, before it eventually becomes old hardware — meaning that the net cost of acquiring it is $0, or even a slight profit. But the point is that old mining chips (ASICs) are constantly pooling over time and you want to be using as much of this resource as you can.

Any repurposable hardware, i.e. that would still have value in other use-cases if the Bitcoin network died, doesn’t suffer the same downside (like GPUs for example). So again, even though it’s uncompetitive, you could potentially use that hardware to supplement your “attacking stack” too.

Even if your setup was overall only, say, 50% as efficient as profitable honest miner operations (meaning it consumed twice as much electricity to produce the same output), as long as you have enough electricity to power it for the duration of the attack, overspending vs. the value of mining rewards even by that much isn’t a problem. Spending $1 million on electricity instead of $500k as part of a $500 million (or larger) win-win bet is fine.

5) The Security Budget

i. Definition

Bitcoin’s security budget is the amount of money paid out to miners. It’s the total value of mining rewards, in other words, measured in $ per block (or better: $ per day/month/year).

The value of mining rewards (in $ per year) determines the amount of resource consumption by miners (in $ per year) which in turn determines the overall hash rate (in TH/s).

The overall hash rate (in TH/s) ultimately generated by all of the miners is a largely meaningless number that depends on the efficiency of the hardware available to them at the time. $100,000 per year spent chasing down mining rewards in 2013 generated far fewer hashes than $100,000 per year spent today, because hardware efficiency has improved. But in terms of economic security the $ expenditure is what really matters.

I.e. Even if the real-world value of mining rewards stays flat, the hash rate will increase over time as hardware improves, but that doesn’t automatically mean the level of security — the disincentive to attack (measured in $) — is increasing in direct proportion with it.

ii. Importance

The potential reward for a double-spend attack increases as the network grows (more on this in a moment). The security budget must always be large enough to offset that potential reward, so that, given the incentive to attack at any particular moment in time, there is sufficient disincentive to counteract it.

If, for example, the Bitcoin network grows from here in a way that means many billions of $ are regularly being transacted on top of a security budget of just a few hundred thousand $ per day, that will more than likely not be sufficient: the opportunity will exist to execute a significant double-spend.

This series of articles is about the changing economics of Bitcoin over time and the risks associated with its fee-based security model in future. So the key question is: Over time, does the reward for a double-spend attack grow at a rate that is not counteracted by the security budget? Will there emerge a point in the system’s future where the opportunity exists to execute a significant double-spend?

As I’m sure many have noticed, the earlier example with mining rewards of ~2 BTC per block skipped forwards into the future a couple of halvings (or roughly 6 years).

The block subsidy — 6.25 BTC today — declines at an exponential rate:

• 3.125 (2.5 years from now)
• 1.562 (6 years)
• 0.781 (10 years)
• 0.391 (14 years)
• 0.195 (18 years)

We’re going to go deeper into the economics of the fee market next, but for now let’s just note that a) outside of short-lived speculative frenzies, blocks aren’t full and total miner revenue from fees is regularly in the $100s-of-thousands per day, and b) there are reasons to believe it will stay that low.

https://www.blockchain.com/charts/transaction-fees-usd

If it does stay that low, and if the total value of mining rewards is ultimately trending down to this level over time while the reward for a double-spend attack grows, that’s a problem. That’s the recipe for our black swan event.

In the short term, a continuous exponential rise in the price of BTC may offset the effect of the 4-year halvings and keep the total value of mining rewards high. But behind all of the visible signs of the network’s wellbeing trending nicely up and to the right, the underlying long-term trajectory would nonetheless be that the potential reward for an attack is growing at a rate that is not counteracted by the security budget.

6) A Problem For Everyone

Systemic Risk

Double-spending is a systemic risk in both senses of the word: not just in terms of the consequences (a crash in the price of BTC affects everyone, whether they’re involved in the attack or not) but also the way the opportunity for it arises in the first place.

As is hopefully becoming clear at this point, the opportunity to double-spend on Bitcoin doesn’t emerge in a simple way that’s easy to measure and verify: the potential profitability of an attack at any given point in time depends on multiple real-world factors that aren’t directly observable — the configuration of the market around the protocol and how everyone is using Bitcoin — not just the readily quantifiable stuff like the security budget.

In other words, to properly assess the risk of a double-spend attack, (as above with Myth #3: “Only My Transaction Matters”) we have to again steer clear of the hyper-individualist mindset that’s characteristic of the crypto space and think in terms of the whole system, both before and after.

1. Before an attack, the opportunity to execute a significant double-spend depends on the availability of a wide array of appropriate targets, which in turn depends on the size and scope of the Bitcoin economy — worldwide — and the way everyone decides to handle receiving their BTC transactions
2. After an attack, the potential downside for the attackers, as we said, lies in a crash in the price of BTC, which in turn would mean a crash in the value of the coins they took back and their mining hardware; but this downside isn’t contained to the attackers, it falls on everyone (and the attackers know it’s coming when everyone else doesn’t)

If everyone, everywhere in the world conducts their private business according to the 6 confirmations rule, even large transactions, because they listened to Professor Ammous and The Bitcoin Standard, that’s going to be a problem. And the fallout from that problem when it eventually manifests is going to land on you, individually, even if you’re just quietly hodling.

If you want to evaluate this risk at any given point in time, your local knowledge is always insufficient. Your fully-validating node cannot tell you how the market is configured around the protocol and what all other entities, everywhere, are doing.

Risk Factors

The way the risk of an attack grows over time is not straightforward. The available attack surface, the scale of an attack that can be executed, and its potential profitability depend on a complex interaction of many factors:

• Number of Targets
  The larger the Bitcoin economy gets in general, and the more ways of spending BTC there are, the wider the array of targets that can be attacked simultaneously
• Block Size
  The larger Bitcoin’s blocks are, the larger the number of transactions that can be made (against many targets) simultaneously in a given period of time
• Confirmation Policies
  The fewer confirmations that targets require before they consider their BTC transactions settled, the shorter the time that’s needed for an attack of a given size

These first 3 factors determine how compressed or “succinct” an attack can be. Meaning e.g. a $1 billion attack fits into fewer blocks (a shallower reorg), because it can be broken up into smaller chunks and spread wider, so it takes less time to complete and fewer blocks need to be mined — less resources need to be expended — on the attacking chain.

• Privacy
  The more widespread strong privacy protection is in the world (the more cash-like our electronic transactions, and the less identifiable transacting parties are), the more the attackers can evade detection
• Irreversibility
  The more that goods are exchanged irreversibly/without intermediaries (obviously digital goods but also physical, e.g. same-day collection or delivery via drone), the larger the attack surface
• The Law
  The more targets/transactions that fall outside the protection of the law (the larger the portion of the Bitcoin economy that has no effective oversight, including due to privacy), the larger the attack surface

Privacy protection and a lack of government oversight/ability to intervene are essential development goals for cryptocurrency, but they increase the risk of a double-spend. Note that if you can identify the sender (e.g. Know Your Customer) and you do have legal recourse in the event of misbehaviour, you pretty much don’t need any confirmations: they’re not going to double-spend, because it’s an illegal act of fraud that will land them in jail.

Also note that in those circumstances, where a high degree of trust is achieved by other means, there’s no great need to be transacting on-chain anyway, and deferring settlement will save everyone money on fees.

• External Value
  The more other systems leverage the Bitcoin blockchain and use it as their source of truth, the more value there may be in re-ordering the recent history of transactions

Non-BTC tokens representing ownership of property outside the Bitcoin system itself may be traded on the Bitcoin blockchain, and single BTC transactions can potentially represent large amounts of off-chain value transfer. All of this activity may add (invisibly) to the potential reward for an attack.

• Security Budget (Mining Rewards)
  The lower the value of mining rewards, the lower the cost of an attack — i.e. the lower the value of hardware at risk and the lower the cost of electricity needed to generate an attacking chain of a given length
• Short Opportunity
  The deeper the derivatives market around BTC (ultimately the bigger the short you can place), the more an attack can hedge the downside, cover the value of hardware at risk, and profit from all outcomes
• Substitutes
  If there are alternative store-of-value assets that would predictably gain in value following a crisis of confidence in BTC, then having a position in these ahead of the event is another potential source of profit

Naturally, the security budget is typically what gets all the attention, because it’s an easy variable to isolate and observe, and its contribution to security is relatively straightforward compared to everything else. But the development of the opportunity to put a big short on BTC is also important, and it could even end up being the primary goal and source of profitability.

• Old Hardware
  The larger the pool of unprofitable / decommissioned / near-end-of-life ASICs in the world, the lower the potential value of hardware at risk can be made for an attack
• Volatility (and Halvings)
  Large downswings in the value of mining rewards (due to a halving of the block subsidy or simply to a downswing in the price of BTC) can cause lots of hardware to all be rendered unprofitable at the same time

The more compressed an attack can be (see first 3 factors — number of targets, block size, and confirmation policies), the greater the value of old hardware in an attack. I.e. The shorter the attack time, and the more that it’s a “short burst” of output, the more that attackers can afford to use even very inefficient equipment when generating their attacking chain.

When there’s a halving event and the total value of mining rewards is suddenly cut by ~50%, that means ~50% of the total current mining output (measured in $, not TH/s) gets forced offline at once. Note: It will be roughly 50% that’s forced offline if, as is the case today, the block subsidy makes up 99% of total mining rewards. If the block subsidy made up 80% of rewards, then ~40% would be forced offline, etc.

If a miner’s hardware is suddenly forced out of the money like that following a significant price downturn or a halving, and the future prospects for their investment look poor, that is a good time (for them) to consider the only other valuable thing they can do with that hardware to get back in black.

7) The Lightning Network

It’s worth noting that the surface area for an attack and the total number of targets available at any given point in time includes the Lightning Network.

When you open a new channel to join the Lightning Network, the on-chain funding transaction has a confirmation policy (here: minimum_depth) which is decided by the other party that you’re opening the channel with:

Excerpt from the specification.

The standard practice today appears to be wait 3 confirmations before the funding transaction is considered settled and your new channel is live (able to make payments). From there, Lightning transactions are treated as instantly settling (and the source of a payment is obscured within the network too, i.e. Lightning is designed to protect privacy) so virtually all merchants across the network are available and you can expect goods to be released to you immediately / automatically.

Steps: Fund new channel → <3 confirmations> → spend the funds → take the goods → undo the original funding transaction

Obviously the only sensible way to describe when targets are attacked this way is to say that they’ve been thunderstruck.

8) End

Today on the Bitcoin network, there are not thousands of available targets for an attack. There are a very limited number of targets in fact, because the scope of the Bitcoin economy is very narrow — it’s not being used for much.

The risk of a double-spend attack is extremely low because:

• The surface area for an attack is tiny
• The security budget (99% subsidy) is high
• There’s KYC/AML laws all over the place
• There’s no opportunity for a big short

In other words, even if you could command more hash rate than honest miners, the current configuration of the market around the protocol doesn’t allow for an attack of significant scale. But the current configuration of the market around the protocol and the current pattern of usage is not the long-term plan. Indeed it can’t be the plan, because it’s not sustainable: usage and thereby transaction fees must go up from today’s levels or the system is on a predictable path to eventual security failure (even within the narrow scope of its existence today).

Bitcoin is aiming at a future where it has succeeded near-totally, becoming the standard by which value is measured, ultimately seeing regular widespread use as an everyday medium of exchange (after having displaced all weaker currencies from the market), eliminating central banks and permanently restricting the ability of government to fund itself, and guaranteeing privacy and financial freedom to all…

In that hoped-for future:

• The surface area for an attack would be enormous
• There would be ubiquitous privacy protection
• There wouldn’t be KYC/AML laws and government intervention
• There would be much deeper derivatives markets around BTC, opening up the opportunity for a big short

What would the security budget be along the road to this scenario, and would it at all times be sufficient to counteract the potential reward for an attack? The Lightning Network is metaphorically about a gradual buildup of charge off-chain in a cloud of activity that is subsequently discharged back to earth in a sudden strike. Is there an analogous “gradual buildup of charge” here — i.e. of double-spend risk — and potential for a sudden strike as the network and its attack surface grows over time?

Can’t say for sure. Sort of looks like it though.

We need to look at the economics of the fee market, so that’s what we’ll do next. But first a brief detour to make some notes on mining security vs. nation state/military attacks, where the motivation isn’t straightforward profit but destruction. Continuing with the peak-fiat** AC/DC references from the 70s and 80s, Bitcoin’s security vs. the state is more along the lines of “If you want blood… (you got it).”

**Aside from being really, really wrong about how Bitcoin settlement works, The Bitcoin Standard also claims that all modern art and music is terrible because we left a sound money standard. 🤷‍♂️

Part 3: Bitcoin vs. The State →

[1] See this thread for a mechanical explanation of Ross’s error.

[2] The “digging into the past” myth goes all the way back to Satoshi (2008).

Thanks to Allen, Travis, Mike, Doug, and Alex for reviews and suggestions. Follow me on Twitter @joekelly100 for updates. Oh and please clap and share and stuff. Muchas gracias 👊