In part 1 we looked at the myth of ‘unstoppable code’.
Recap: We don’t need to stop the code. We’re going to exploit the Bitcoin protocol exactly as it is, break its guarantees, and render it useless instead.
Fire In The Hole…
You’re Steven Mnuchin, US Secretary of the Treasury. You’re good at numbers and economic astrophysics. Your star sign is ‘$’ and your spirit animal is the Federal Reserve.
Your team conducts an investigation into Bitcoin and concludes that it should be banned because it appears to be making a significant net-negative contribution to society, disproportionately generating undesirable/criminal utility for little, if any, observable benefit to businesses and consumers.
Many freshly-minted experts in armchair Austrian economics, who don’t have a star sign but did recently discover a financial opportunity in Bitcoin, disagree and want to shoot you. “Net-negative?!” they exclaim. “Censorship-resistant savings technology is worth literally any price. Criminals use roads too… ROADS I tell you! Should we ban those? By the way, you’re an idiot.”
But you don’t care. And now you’re going to shoot down their precious money system using a missile made out of computers and game theory.
Step 1: Great Minds Think Alike
You call your friends around the globe and compare notes. Turns out they’ve all independently reached the same conclusion: they also think it would be good to get rid of Bitcoin if possible because, on balance, it’s a bad thing for society. Non-petty criminal usage continues to grow geometrically year on year, it undermines AML laws, counter-terrorism efforts, international sanctions, the tax system, the ability to influence the economy via control of the money supply, respond to economic shocks and maintain financial stability, etc. and it has to forever chew through tonnes of chips and electricity to do all that.
Plus it seems that North Korea has been building up a sizeable Bitcoin war chest for a long time now (via its Lazarus Group stealing from people and ransomwaring hospitals, amongst other things). We hardly need NK and other malicious actors becoming ultra-rich via such obviously destructive activity.
So you get almost no objections and a quick “I’m glad you said something, Steven — yes, we’re aligned on this” from your counterparts in the G20 nations and beyond: Canada, the UK, Germany/EU, China, India, Japan, South Korea, Australia, and more, are all on board and agree to do their part in whatever plan you’re cooking up. Even Iran is in, although the Iranian ambassador made it clear he thinks you’re an idiot too.
Kim Jong Un didn’t answer your call. He was busy eating. And Vladimir was busy too, out riding a horse without a shirt on. Rumour has it he doesn’t want to play ball: he actually thinks Bitcoin is kind of amusing in a haha-fuck-you-America-deal-with-it sort of way, so Mother Russia will not be participating in the ban for the rest of this example.
NB: Widespread international coordination (as described above) is not actually required for the attack that follows. There’s a myth that all countries would need to participate in any action against Bitcoin and there’s a so-called Prisoner’s Dilemma associated with killing it. There isn’t, as we shall see. It can be attacked remotely, from anywhere on Earth, by any sufficiently large actor or group.
In other words, even though international coordination around this goal (including Russia) seems like it would be very likely, since functionally speaking Bitcoin is in no government’s interest, the US or China for example would be able to kill Bitcoin on their own, if they decided to.
Step 2: Size Up The Target
How formidable is our enemy, really? Just as a back-of-the-envelope calculation, what sort of numbers are we looking at here in terms of Bitcoin security? How much computation is happening? How much proof-of-work is being produced right now, in total, on the Bitcoin blockchain by honest/for-profit miners — i.e. miners dutifully following the protocol rules and collecting BTC block rewards every 10 minutes?
~$9 million per day
~$3.3 billion per year
Notice the question isn’t “What very-impressive-sounding number of exahashes per second are being produced?”
It’s currently around 100 exahashes/sec, but that number is arbitrary. What matters is the production cost: how much $ is actually being spent, worldwide, to generate all those hashes. That’s the important measure when it comes to security. That’s what, for example, can give us a ballpark figure for how much it would cost to brute-force 51% attack Bitcoin, if you started completely from scratch, using today’s technology.
It’s calculated as follows:
Total block rewards = 900–1,000 BTC per day
144 blocks per day, 6.25 BTC per block + fees
Price of BTC = $9k
∴ Maximum total proof-of-work expenditure = $9m per day
1,000 * $9,000 = $9,000,000
Yep, it’s an open blockchain so the enemy’s finances and firepower are completely public, and the news is good! $3.3 billion/year (an upper bound value, not accounting for miner profit etc.) is a proverbial fart in the wind for world governments. The US alone spends $700 billion/year on defence. A single aircraft carrier costs ~$15 billion, for example, and defends much less.
And of course your friends around the globe (apart from Vlad) are all ready to send you a cheque to pay for their fair share of the operation’s cost too. So it’s safe to say that money’s not an issue here: there’s no insurmountable barrier due to the sheer scale of what’s required or anything like that, and out-working — i.e. out-spending — all Bitcoin miners combined in order to attack the network is well within our capacity.
But we can bring the cost down… way down.
Step 3: The Ban Hammer
Let’s get the obvious stuff out of the way before we get to the ‘on-chain’ strategy.
Participating nations take these basic actions to ban Bitcoin:
- Businesses transacting in Bitcoin is illegal
- Crypto exchanges are illegal
- Running a (non-government) mining operation is illegal
- Manufacturing and selling proof-of-work ASICs (to anyone except the government) is illegal
Some Bitcoin people get very upset and shout things at you like, “Running a proof-of-work mining operation is literally just doing computation, and you can’t just declare it illegal like that! I have rights! What is this — 1984? This is exactly what George Orwell was warni—” But you cut them off and point out that, by the same token, running a meth lab is just doing chemistry, and you can in fact just declare it illegal like that. That’s what you’re doing.
Plus we’re mostly talking about China and the CCP here, since that’s where the majority of mining activity is, so, yeah.
Participating nations physically seize and take control of all of the biggest mining operations within their jurisdiction (and compensate the former operators if they’re feeling generous). They’re in the best locations for cheap energy and economies of scale… muchas gracias market forces for a) building the weapon we need, and b) making it eminently seizable.
Overall, you successfully seize (let’s say for the purposes of this example) 80% of the global Bitcoin hash rate and all the best mining locations, and it’s now under your control to do with as you please.
Naturally, before you even take any on-chain action using this equipment, the market would react to the news, and the price of BTC would be impacted downwards (since you’re putting a pretty big dent in Bitcoin’s future prospects). We’ll come back to this effect later because it’s important.
NB: Seizing equipment (as described above) is not required. Obviously it makes sense as an action to take, if it’s available, so we’re describing it here, but as we’ll explain in more detail in Part 3 of this series (No Can Defend), it is not a prerequisite and the attack can also proceed without seizing anything. The only difference it makes is to speed and cost.
Step 4: The Contract
So you’ve taken over the proof-of-work game, now what?
You’re not done yet. You contract Lockheed Martin to coordinate a global mining operation capable of producing up to $100m per day worth of proof-of-work. They are to create a centrally-controlled weapon of hash production using the 80% hash rate that has been seized around the world and by acquiring and manufacturing whatever else, if anything, is required to get the job done, i.e. to accomplish the mission of killing Bitcoin.
Note: $100m per day is enough to out-work the entire network’s pre-attack mining capacity more than 10 times over, even if they hadn’t just had 80% of their equipment commandeered — which they have.
You make no secret of what you’re doing. You publicly announce the details of the operation to the world, underscoring the capacity to scale up to $100m per day if necessary. The President says something like, “We will stop at nothing to ensure the security of the great people of this nation.”
Step 5: No Can Spend
Right, you now have fully dominant control of the proof-of-work mining game, everyone knows it, and they know there’s nothing that can be done to unseat your position.
- You have all the best, most cost-effective mining locations
- You can massively expand capacity as required
- For all intents and purposes, you have a limitless advantage vs. rebel miners when it comes to producing proof-of-work
As it stands, after seizing 80% of the active hash rate, you can generate proof-of-work hashes at 4x the speed of the remaining miners around the world.
- You control ~80 exahashes/sec, they control ~20 exahashes/sec
- For every valid block that rebel miners, collectively, can produce on the Bitcoin blockchain, you can produce 4
So how do you kill Bitcoin? What do you actually do with your enormous hash power advantage?
This step is more technical but the reader only really needs to understand that in the land of trustlessness, proof-of-work is king. What matters and what we’re exploiting is the simple rule at the very heart of the Bitcoin protocol: that each of the 10,000+ nodes must follow the chain with the most cumulative proof-of-work, a.k.a. the ‘longest’ or the ‘heaviest’ chain.
You use your limitless advantage to execute the following strategy:
- Mine an empty block — i.e. a block which is perfectly valid but contains no transactions
- Keep 5–10 unannounced blocks to yourself — i.e. mine 5–10 ‘extra’ empty blocks ahead of where the chain tip is now, but don’t actually share any of these blocks with the network
- Whenever a rebel miner announces a valid block, orphan it (override it) by announcing a longer chain with more cumulative proof-of-work — i.e. announce 1–2 of your blocks
- Repeat (go back to 2)
The result of this is that Bitcoin transactions are no longer being processed, and you’ve created a black hole of expenditure for rebel miners.
- Every time a rebel miner spends $ to mine a block, it’s money down the drain: they don’t earn any block rewards for it
- All transactions just sit in the mempool, being (unstoppably) messaged back and forth between nodes, waiting to be included in a block, but they never make it in
In other words, no-one can spend their bitcoin, no matter who they are or where they are in the world. Bitcoin is no longer functional as money and the blockchain is now effectively frozen in its final state. Or, more accurately, the UTXO set is frozen in its final state (new empty blocks will be added indefinitely).
NB/Update: Don’t get hung up on the empty blocks here (mining empty blocks isn’t a new idea). The strategy in Step 3 is actually the important bit, due to the miner incentives it creates.
I’m adding this update because a bunch of people who’ve read this article have got hung up on the empty blocks part, and then said that the code of the Bitcoin client could simply be changed to make empty blocks invalid.
Part 3 (No Can Defend) will cover all of this in more detail, along with various ways the network can try to counter which you might’ve heard of — things like changing the hashing algorithm (which won’t work, by the way). But first let’s game out this scenario to the end, as is, within the existing rules which are supposedly immutable.
Step 6: Finish Him
It’s not quite dead yet. How long do you have to keep this up for, and how much is it going to cost? Answer: Not that long, and surprisingly little.
The first thing to notice, in terms of cost, is that this is a counter-punching strategy: you’re not using all of your capacity all the time. You only spend $ to mine new blocks when the rebels do. The rest of the time you sit idle, waiting for the next move, and so does the blockchain. You’re holding down a pillow, as one of the all-time-great strategists Miyamoto Musashi put it in his Book of Five Rings.
So the overall cost of execution here, for you, is a function of the overall amount spent (wasted) by rebel miners attempting to mine blocks and resist the attack. If they collectively spend, say, $150m of their money over the course of 2 weeks trying to mine blocks before each of them in turn realises it’s futile and gives up, then that’s roughly how much you’ll have to spend in order to out-work them, override their blocks, and keep the blockchain contained.
(Except it’s not a level playing field, of course: your operation is far more cost-efficient because you have a huge unfair advantage with all the best mining locations and equipment, plus rebel miners have to worry about getting raided, arrested etc.).
Note that the difficulty retargeting makes no difference. Lower difficulty makes it easier for rebel miners to mine blocks, but that doesn’t make it any easier for rebel miners to get ahead of you. They still can’t get out from under the pillow that you’re holding down. At low difficulty, it takes less hashes to mine a valid block for both of you, so for every block that rebel miners produce, you can produce e.g. not just 4 but 4,000.
The pattern of activity is still exactly the same: the rebels produce a block and you override it with a heavier chain. The only difference at lower difficulty is that the game costs less to play.
Where does it end?
The contest is effectively over when the value of Bitcoin is understood by the market to be $0 (since bitcoin that can’t be transacted isn’t worth anything to anyone) and, as a result, virtually no rebel mining occurs.
So that’s your end goal.
You will always have to maintain some nominal level of spending (think of it like the cost of storing radioactive waste), but it’s nothing. What matters, and the reason why this containment strategy works, is that any would-be miner can clearly see that investing in an operation to try and un-freeze the chain would be a bad decision that will only result in failure and losses (and possibly jail time).
In other words, what this attack has really targeted is the incentives of the other participants in the network, with the goal of deterring miners from mining and driving real-world demand for BTC to zero.
It’s important to remember that miners are paid for their work in BTC. The lower the price, the less valuable block rewards are, the less incentive there is for anyone to try to mine blocks. Banning bitcoin disrupts demand and lowers the price. And this attack — even just its announcement — lowers the price as people run for the exit to save themselves in the face of impending disaster (the first out gets the highest price).
If anyone faced with this scenario wants to get into a spending contest with multiple unfairly-advantaged governments who’ve publicly declared an intent to produce up to $100m per day of proof-of-work to get the job done… well good luck to them.
Even though you haven’t actually built a $100m operation yet, the threat of it has to be taken seriously because, as mentioned near the beginning, you clearly have the capacity to follow through.
That’s not fair
Nope, it’s not. It’s a highly asymmetric contest in more ways than one, and gravity is very much on your side as the attacker seeking to disrupt network activity, destroy the economic equilibrium, and drive the price down to $0.
Rebel miners are not a coordinated unit, for example. They’re a disorganised body of individuals, each operating in their self-interest, spread around the world, who don’t know and can’t trust each other. So as a prospective miner, thinking about whether you should sink large sums of money into a mining operation to try to revive Bitcoin, you have to factor that in.
The most killer strategic asymmetry is probably that, for rebels, the level of spending to un-freeze the chain has to be sustainable, whereas for you, the attacker, it doesn’t have to be sustainable. I.e. The disorganised group of rebels have to each/all believe that they can out-work the government-funded Lockheed Martin $100m-per-day operation continuously and sustainably, whilst being financed by block rewards, because an attack can be launched at any time: the moment they fall below your max attacking capacity, they’re toast because a sabotage is incoming.*
*Value-destroying methods available to you include double-spending and ‘purge’ attacks, for example: deliberately performing a deep reorg simply to cause chaos by undoing loads of transactions (i.e. popping them out of the blockchain so they can be opportunistically re-claimed/double-spent by whoever made them).
The reason your level of spending, as the saboteur, doesn’t have to be sustainable is because a) your sabotage attack(s) can be opportunistic, and b) once you succeed and the value of BTC is understood to be $0, the rebel resistance goes away with that, and your output (and cost) can drop down to nominal levels, backed up by the threat that you’re able to increase your hash rate at any time to whatever level is necessary.
You can overspend (vs. the face value of block rewards) to bring about this result in a way that a disorganised, trustless body of individual miners self-interestedly pursuing block rewards can’t.
Normally what keeps the core structure of incentives in balance in the Bitcoin system, and the reason why miners famously can’t dictate changes to the protocol, or collude to double-spend their coins at will, is the fact that for-profit miners have a stake in Bitcoin’s future, so they have a very strong disincentive towards using their power to attack the network.
In other words, for-profit miners are heavily invested in and very much care about the future value of bitcoin, because their revenue and the value of their mining equipment critically depends on it. If they attack the network and undermine the integrity of Bitcoin and its fundamental value proposition to end users, they’re shooting themselves in the foot.
You don’t have this problem.
In fact this critical variable is flipped on its head: you have a stake in the destruction of Bitcoin’s future. You are trying to get the price of BTC to $0, and the value of all future block rewards and your mining equipment along with it. Attacking the network to undermine the integrity of Bitcoin and its value proposition to end users is precisely your goal.
This fundamentally breaks the game theory and the balance of power in the system, and the result is disequilibrium.
In short, Bitcoin is based on a Mexican Standoff security model which only works as a piece of economic design if you start from the assumption that every actor is rational and has a stake in the system continuing to function.
That is not a safe assumption.
Or to put it another way: Bitcoin’s core structure of economic incentives only balances internally; the system does not and cannot account for external incentives and destructive intentions.
It never could.
‘Unstoppable Code’ is a good advertising slogan for Bitcoin, and there’s even a narrow technical sense in which it’s true, as discussed in Part 1: the messaging back and forth between nodes in the network is indeed unstoppable.
But the lazy comparison to other robust peer-to-peer networking activities like file sharing stops there. Unlike file sharing, there’s much more to Bitcoin than simple messaging back and forth between peers: there’s an economic dimension to the system which is just as important to its existence, and it can be attacked there too. So it’s a fallacy to assume that the system as a whole automatically inherits the security characteristics and robustness of the peer-to-peer messaging layer at the bottom of the stack — it doesn’t.
In practice, the idea that an open blockchain based on proof-of-work creates government-resistant money is a myth. The (necessarily) open and neutral nature of the network and the blockchain means that governments can freely express their intent towards it as well — and their intent is both very large and, with very few exceptions outside of dictatorial nations like North Korea, not Bitcoin-friendly.
Government decision-makers may not have figured out Bitcoin just yet: ‘Unstoppable Code’ still seems to be the prevailing wisdom, because that’s what we’re all told (by people who own Bitcoin), along with, “It’s a mind-blowing financial innovation, Mr. Regulator, Sir — you don’t want to miss out on all that innovation and let it happen somewhere else, do you?”
But eventually they may see past these well-dressed performances. And if they do, they may also realise that the rules of the system give them the ability to easily force the entire thing into disequilibrium using a strategy along the lines described above, reducing Bitcoin to a state of total economic dysfunction more or less just by flinching in its direction and signalling their destructive intent.
Again, just to re-emphasise, there’s no need to actually go through the full process and expense of the attack: it’s the game theory and the signalling that really matters. The moment the ban and the plan is announced, the honest-mining-is-going-to-lose game dynamic becomes clear to all other participants in the network. The threat of the attack is obviously 100% credible — the cost of execution is a piddly amount of money by world government standards; a nuisance, sure, but it’s nothing. So people will race for the exits to save themselves, tanking the price, making the actual attack easier and cheaper, and the whole thing becomes a self-fulfilling prophecy.
Some will cling to the myth that Bitcoin is invincible, that the attack is but a scratch, and that the Black Knight always triumphs. The stubbornness with which they cling to the myth will ultimately determine how much effort and money has to be spent to contain it. But so long as spending $ to generate proof-of-work is the name of the game, then sorry to be a wet blanket but when push comes to shove, there’s only going to be one outcome.