In part 1 of this friendly neighbourhood guide to killing a proof-of-work cryptocurrency, we looked at the myth of ‘unstoppable code’.
Recap: We don’t need to stop the code. We’re going to exploit the Bitcoin protocol exactly as it is, break its guarantees, and render it useless instead.
Time’s Up, Let’s Do This…
You’re Steven Mnuchin, US Secretary of the Treasury. You’re good at numbers and economic astrophysics. Your star sign is ‘$’ and your spirit animal is the Federal Reserve.
Your team conducts an investigation into Bitcoin and concludes that it should be banned because it appears to be making a significant net-negative contribution to society, disproportionately generating undesirable/criminal utility for little, if any, observable benefit to businesses and consumers.
Many freshly-minted experts in armchair Austrian economics, who don’t have a star sign but did recently discover a financial opportunity in Bitcoin, disagree and want to shoot you. “Net-negative?!” they exclaim. “Censorship-resistant savings technology is worth literally any price. Criminals use roads too… ROADS I tell you! Should we ban those? By the way, you’re an idiot.”
But you don’t care. And now you’re going to shoot down their precious money system using a missile made out of computers and game theory.
Step 1: Great Minds Think Alike
You call your friends around the globe and compare notes. Turns out they’ve all independently reached the same conclusion: they also think Bitcoin would be better off shut down because, on balance, it’s a bad thing for society and non-petty criminal usage continues to grow geometrically year on year. It undermines AML laws, counter-terrorism efforts, and international sanctions, the tax system, the ability to affect the economy via control of the money supply, etc. and it has to forever chew through tonnes of chips and energy to do so.
Plus it seems that North Korea has been building up a sizeable Bitcoin war chest for a long time now (via its Lazarus Group stealing from people and ransomwaring hospitals, amongst other things). We don’t need NK and other malicious actors becoming ultra-rich via such obviously destructive activity.
So you get almost no objections and a quick “I’m glad you said something, Steven — yes, we’re aligned on this” from everyone in the G20 and beyond: Canada, the UK, Germany/EU, China, India, Japan, South Korea, Australia, and more, are all on board and agree to do their part. Even Iran is in, although the Iranian ambassador made it clear he thinks you’re an idiot too.
Vladimir was busy, out riding a horse without a shirt on. Rumour has it he doesn’t want to play ball: he actually thinks Bitcoin is kind of amusing in a haha-fuck-you-America-deal-with-it sort of way, so Mother Russia will not be participating in the ban for the rest of this example.
Jokes aside, this character is useful to dispel the myth that *all* countries need to participate and that there’s a so-called Prisoner’s Dilemma associated with killing Bitcoin. There isn’t, as we shall see.
In fact, even though international coordination around this goal (including Russia) is extremely likely, since functionally speaking Bitcoin is in no state’s interest, the US or China could comfortably handle killing Bitcoin on their own.
Step 2: Size Up The Target
How formidable is our enemy, really? Just as a back-of-the-envelope calculation, what sort of numbers are we looking at here in terms of Bitcoin security? How much computation is happening? How much proof-of-work is being produced right now, in total, on the Bitcoin blockchain by honest/for-profit miners — i.e. miners dutifully following the protocol rules and collecting BTC block rewards every 10 minutes?
~$9 million per day
~$3.3 billion per year
Notice the question isn’t “What very-impressive-sounding number of exahashes per second are being produced?”
It’s currently around 100 exahashes/sec, but that number is arbitrary. What matters is the production cost: how much $ is actually being spent, worldwide, to generate all those hashes. That’s the important measure when it comes to security. That’s what, for example, can give us a ballpark figure for how much it would cost to brute-force 51% attack Bitcoin, if you started completely from scratch, using today’s technology.
It’s calculated as follows:
Total block rewards = 900–1,000 BTC per day
144 blocks per day, 6.25 BTC per block + fees
Price of BTC = $9k
∴ Maximum total proof-of-work expenditure = $9m per day
1,000 * $9,000 = $9,000,000
Yep, it’s an open blockchain so the enemy’s finances and firepower are completely public, and the news is good! $3.3 billion/year (an upper bound value, not accounting for miner profit etc.) is a proverbial fart in the wind for world governments. The US alone spends $700 billion/year on defence, and a single aircraft carrier costs ~$15 billion, for example, and defends much less.
And of course your friends around the globe (apart from Vlad) are all ready to send you a cheque to cover their share of the cost too. So it’s safe to say that money’s not an issue here: out-working — i.e. out-spending — all Bitcoin miners combined in order to attack the network is well within our capacity.
But we can bring the cost down… way down.
Step 3: The Ban Hammer
Let’s get the obvious stuff out of the way before we get to the ‘on-chain’ strategy.
All participating nations take these basic actions to ban Bitcoin:
- Businesses transacting in Bitcoin is illegal
- Crypto exchanges are illegal
- Running a mining operation is illegal
- Manufacturing and selling proof-of-work ASICs is illegal
Some Bitcoin people get very upset and shout things at you like, “Running a proof-of-work mining operation is literally just doing computation, and you can’t just declare it illegal like that! I have rights! I have free speech! What is this — 1984? This is exactly what George Orwell was warni—” But you cut them off and point out that, by the same token, running a meth lab is just doing chemistry, and you can in fact just declare it illegal like that. That’s literally what you’re doing.
Plus we’re mostly talking about China and the CCP here, since that’s where the majority of mining activity is, so, yeah.
All nations physically seize and take control of all of the biggest mining operations within their jurisdiction. They’re in the best locations for cheap energy and economies of scale… muchas gracias market forces for a) building the weapon we need, and b) making it eminently seizable.
Overall, you successfully seize 80% of the global Bitcoin hash rate and all the best mining locations, and it’s now under your control to do with as you please.
Naturally, before you even take any on-chain action using the equipment, the market would react to the news of these actions, and the price of BTC would be impacted downwards (since you’re putting a pretty big dent in Bitcoin’s future prospects). We’ll come back to this effect later.
Step 4: The Contract
So you’ve taken over the proof-of-work game, now what?
You’re not done yet. You contract Lockheed Martin to coordinate a global mining operation capable of producing up to $100m per day worth of proof-of-work. They are to create a centrally-controlled weapon of hash production using the 80% hash rate that has already been seized around the world and by manufacturing whatever else, if anything, is required to get the job done and accomplish the mission of killing Bitcoin.
Note: $100m per day is enough to out-work the entire network’s pre-attack mining capacity more than 10 times over, even if they hadn’t just had 80% of their equipment commandeered — which they have.
Recall from step 2: the Bitcoin blockchain currently pays out ~1,000 BTC per day in block rewards, so (based on the pre-attack sale price of $9k) ~$9m per day is the total reward paid out to honest/for-profit miners around the world.
You make no secret of what you’re doing. You publicly announce the details of the operation to the world, underscoring the capacity to scale up to $100m per day if necessary. The President says something like, “We will stop at nothing to ensure the security of the great people of this nation.”
Step 5: No Can Spend
Right, you now have fully dominant control of the proof-of-work mining game, everyone knows it, and they know there’s nothing that can be done to unseat your position.
- You have all the best, most cost-effective mining locations
- You can massively expand capacity as required
- For all intents and purposes, you have a limitless advantage vs. rebel miners when it comes to producing proof-of-work
As it stands, after seizing 80% of the active hash rate, you can generate proof-of-work hashes at 4x the speed of the remaining miners around the world.
- You control ~80 exahashes/sec, they control ~20 exahashes/sec
- For every valid block that rebel miners, collectively, can produce on the Bitcoin blockchain, you can produce 4
So how do you kill Bitcoin? What do you actually do with your enormous hash power advantage?
This step is more technical but the reader only really needs to understand that in the land of trustlessness, proof-of-work is king. What matters and what we’re exploiting is the simple rule at the very heart of the Bitcoin protocol: that each of the 10,000+ nodes must follow the chain with the most cumulative proof-of-work — a.k.a. the ‘longest’ or the ‘heaviest’ chain.
You use your limitless advantage to execute the following strategy:
- Mine an empty block — i.e. a block which is perfectly valid but contains no transactions
- Keep 10–100 unannounced blocks to yourself — i.e. mine 10–100 ‘extra’ empty blocks ahead of where the chain tip is now, but don’t actually share any of these blocks with the network
- Whenever a rebel miner announces a valid block, orphan it (override it) by announcing a longer chain with more cumulative proof-of-work — i.e. announce 2 of your blocks
- Repeat (go back to 2)
The result of this is that Bitcoin transactions are no longer being processed, and you’ve created a black hole of expenditure for rebel miners.
- Every time a rebel miner spends $ to mine a block, it’s money down the drain: they don’t earn any block rewards for it
- All transactions just sit in the mempool, being (unstoppably) messaged back and forth between nodes, waiting to be included in a block, but they never make it in
In other words, no-one can spend their bitcoin, no matter who they are or where they are in the world. Bitcoin is no longer functional as money and the blockchain is now effectively frozen in its final state. Or, more accurately, the UTXO set is frozen in its final state (new empty blocks will be added indefinitely).
You could call it the UUTXO attack: unspendable unspent transaction outputs.
Technical note: The network can be attacked in other ways than just going straight to empty blocks, and the overall strategy can be optimised much further than what is described above. But, as is, this method is good enough to work and it illustrates the core competitive dynamic that’s at play.
There are also predictable ways the network could try to counter the attack — things like changing the hashing algorithm, which we’ll cover in part 3 (changing the hashing algorithm won’t work, by the way). But first let’s game out this scenario to the end.
Step 6: Finish Him
It’s not quite dead yet. How long do you have to keep this up for, and how much is it going to cost? Answer: Not that long, and surprisingly little.
The first thing to notice, in terms of cost, is that this is a counter-punching strategy: you’re not using all of your capacity all the time. You only spend $ to mine new blocks when the rebels do. The rest of the time you sit idle, waiting for the next move, and so does the blockchain. You’re holding down a pillow, as one of the all-time-great strategists Miyamoto Musashi put it in his Book of Five Rings.
So the overall cost of execution here, for you, is a function of the overall amount spent (wasted) by rebel miners attempting to mine blocks and resist the attack. If they collectively spend, say, $150m of their money over the course of 2 weeks trying to mine blocks before each of them in turn realises it’s futile and gives up, then that’s roughly how much you’ll have to spend in order to out-work them, override their blocks, and keep the blockchain contained.
Except it’s not a level playing field, of course: your operation is far more cost-efficient because you have a huge unfair advantage with all the best mining locations and equipment, plus you can arrest people.
Note that the difficulty retargeting makes no difference. Lower difficulty makes it easier for rebel miners to mine blocks, but that doesn’t make it any easier for rebel miners to get ahead of you. They still can’t get out from under the pillow that you’re holding down. At low difficulty, it takes less hashes to mine a valid block for both of you, so for every block that rebel miners produce, you can produce e.g. not just 4 but 4,000.
The pattern of activity is still exactly the same: the rebels produce a block and you immediately override it with a heavier chain. The only difference at lower difficulty is that the game costs less to play.
Where does it end?
The contest is effectively over when the value of Bitcoin is understood by the market to be $0 (since bitcoin that can’t be transacted isn’t worth anything to anyone) and, as a result, virtually no rebel mining occurs.
That’s your goal.
You will always have to maintain some nominal level of spending (think of it like the cost of storing radioactive waste), but it’s nothing. What matters, and the reason why this containment strategy works, is that any would-be miner can clearly see that investing in an operation to try and un-freeze the chain would be a bad decision that will only result in failure and losses (and possibly jail time).
In other words, what this attack has really targeted is the incentives of the other participants in the network, with the goal of discouraging miners from mining and driving real-world demand for BTC to zero.
It’s important to remember that miners have to be paid for their work in BTC. The lower the price, the less valuable block rewards are, and the less incentive there is for anyone to try to mine blocks. And this attack — even just its announcement — lowers the price, as people run for the exit to save themselves in the face of impending disaster (the first out gets the highest price).
If anyone faced with this scenario wants to get into a spending contest with multiple unfairly-advantaged world governments who’ve publicly declared an intent to produce up to $100m per day of proof-of-work to get the job done… well good luck to them.
Even though you haven’t actually built a $100m operation yet, the threat of it has to be taken seriously because, as mentioned near the beginning, you clearly have the capacity to follow through.
That’s not fair
Nope, it’s not. It’s a highly asymmetric contest in more ways than one, and gravity is very much on your side as the attacker seeking to destroy the economic equilibrium and drive the price down to $0.
Rebel miners are not a coordinated unit, for example. They’re a disorganised body of individuals, each operating in their self-interest, spread around the world, who don’t know and can’t trust each other. So as a prospective miner, thinking about whether you should sink large sums of money into a mining operation to try to revive Bitcoin, you have to factor that in.
The most killer strategic asymmetry is probably that, for rebels, the level of spending to un-freeze the chain has to be sustainable, whereas for you it doesn’t. I.e. They have to believe they can out-work the Lockheed Martin $100m-per-day operation continuously, whilst being financed by block rewards, because an attack can be launched at any time: the moment they fall below your max attacking capacity, they’re toast because a sabotage is incoming.*
*Value-destroying methods available to you include double-spending and ‘purge’ attacks, for example: deliberately performing a deep reorg simply to cause chaos by undoing loads of transactions (i.e. popping them out of the blockchain so they can be opportunistically re-claimed/double-spent by whoever made them).
The reason your level of spending, as the saboteur, doesn’t have to be sustainable is because a) your sabotage attack(s) can be opportunistic, and b) once you succeed and the value of BTC is understood to be $0, the rebel resistance goes away with that, and your output (and cost) can drop down to nominal levels, backed up by the threat that you’re able to increase your hash rate at any time to whatever level is necessary.
You can overspend (vs. the face value of block rewards) to bring about this result in a way that a disorganised body of individual miners self-interestedly pursuing block rewards can’t.
Normally what keeps the core structure of incentives in balance in the Bitcoin system, and the reason why miners famously can’t dictate changes to the protocol, or double-spend their coins at will, is the fact that for-profit miners have a stake in Bitcoin’s future, so they have a very strong disincentive towards using their power to attack the network.
In other words, for-profit miners are heavily invested in and very much care about the future value of bitcoin, because their revenue and the value of their mining equipment critically depends on it. If they attack the network and undermine the integrity of Bitcoin and its fundamental value proposition to end users, they’re shooting themselves in the foot.
You don’t have this problem.
In fact this critical variable is flipped on its head: you have a stake in the destruction of Bitcoin’s future. You are trying to get the price of BTC to $0, and the value of all future block rewards along with it. Attacking the network to undermine the integrity of Bitcoin and its value proposition to end users is precisely your goal.
This fundamentally breaks the game theory and the balance of power in the system, and the result is disequilibrium.
In short, Bitcoin is based on a Mexican Standoff security model which only works as a piece of economic design if you start from the assumption that every actor is rational and has a stake in the system continuing to function.
That is not a safe assumption.
Or to put it another way: Bitcoin’s core structure of economic incentives only balances internally; the system does not and cannot account for external incentives and destructive intentions.
It never could.
‘Unstoppable Code’ is a good advertising slogan for Bitcoin, and there’s even a narrow technical sense in which it’s true, as discussed in Part 1: the messaging back and forth between nodes in the network is indeed unstoppable.
But the lazy comparison to other robust peer-to-peer networking activities like file sharing stops there. Unlike file sharing, there’s much more to Bitcoin than simple messaging back and forth between peers: there’s an economic dimension to the system which is just as important to its existence, and it can be attacked there too. So it’s a fallacy to assume that the system as a whole automatically inherits the security characteristics and robustness of the peer-to-peer messaging layer at the bottom of the stack — it doesn’t.
In practice, the idea that an open blockchain based on proof-of-work creates government-resistant money is a myth. The (necessarily) open and neutral nature of the network and the blockchain means that governments can freely express their intent towards it as well — and their intent is both very large and, with very few exceptions outside of dictatorial nations like North Korea, not Bitcoin-friendly.
Government decision-makers may not have figured out Bitcoin just yet: ‘Unstoppable Code’ still seems to be the prevailing wisdom, because that’s what we’re all told (by people who own Bitcoin), along with, “It’s a mind-blowing financial innovation, Mr. Regulator, Sir — you don’t want to miss out on all that innovation and let it happen somewhere else, do you?”
But eventually they will see past these well-dressed performances. And when they do, they will also realise that the rules of the system give them the ability to easily force the entire thing into disequilibrium using the strategy described above, reducing Bitcoin to a state of total economic dysfunction, more or less just by flinching in its direction and signalling their destructive intent.
Again, just to re-emphasise, there’s no need to actually go through the full process and expense of the attack: it’s the game theory and the signalling that really matters. The moment the ban and the Lockheed Martin plan is announced, the honest-mining-will-lose game dynamic becomes clear to all other participants in the network. The threat of the attack is obviously 100% credible — the cost of execution is a piddly amount of money by world government standards; a nuisance, sure, but it’s nothing. So people will run for the exits to save themselves, tanking the price, making the actual attack easier and cheaper, and the whole thing becomes a self-fulfilling prophecy.
Some will cling to the myth that Bitcoin is invincible, that the attack is but a scratch, and that the Black Knight always triumphs. The stubbornness with which they cling to the myth will ultimately determine how much effort and money has to be spent to contain it. But so long as spending $ to generate proof-of-work is the name of the game, then sorry to be a wet blanket but when push comes to shove, there’s only going to be one outcome.
I’ll write ‘How To Kill Bitcoin (Part 3): No Can Defend’ soon, addressing the various ways that people say the network can defend itself against this attack. Follow me here or on Twitter if you want to be notified when that’s out.
I’m open to the possibility that the red team can still lose here in some way. If you think you can blue team the above scenario and you have an effective counter-strategy, please fire away in the responses.