Explaining many of the risks, rumors, and realities about Bitcoin’s issuance schedule and fee-based security in the future.
This article was written for the Braiins blog by Econoalchemist, a bitcoin educator and home miner.
As the bear market continues, it’s becoming more popular to share ideas about Bitcoin’s fee-based security model and how some investors think it will be insufficient to secure the network once the block subsidy is gone. The primary concern here seems to be that at some point in the distant future, Bitcoin will be less secure because miners will not make as much revenue when the block subsidy is depleted.
Some proposals to address these kinds of concerns include increasing Bitcoin’s 21 million hard cap, switching fees to a demurrage model, or reducing the blocksize over time. These discussions have brought focus to censorship, game theory, the fee market and more for many Bitcoiners. Although these ideas can be entertaining and it can be fun to war-game different scenarios, it can also be difficult to distinguish between FUD and actual threats. Some miners may find themselves questioning whether their bitcoin is secure or not. This article aims to bring clarity to issues surrounding the Bitcoin fee-based security model.
Bitcoin miners contribute computational power in the form of hashrate to the network with specialty mining hardware that runs on electricity. Their compensation for doing this is claiming block rewards, and on average, the more hashrate a miner contributes to the network, the more bitcoin they earn. The bitcoin earned comes from the block subsidy and the transaction fees, collectively referred to as mining rewards. Most miners choose to pool their resources together and split the mining rewards among the pool’s participants proportionally based on hashrate contributed. This helps reduce the variability in Bitcoin mining revenue streams for miners; smaller but consistent rewards versus larger but highly inconsistent rewards. But different mining pools implement different payout structures for their miners.
The block subsidy is not static though, it changes every 210,000 blocks or roughly every four years. When Bitcoin first launched, the block subsidy was 50 BTCn awarded to any miner who solved for a block. The next subsidy epoch started in November 2012 and cut the subsidy in half to 25 BTC. In 2016, the subsidy was cut in half again to 12.5 bitcoin per block, then again in 2020 to the current block reward, 6.25 bitcoin. These halving events are hard coded in the bitcoin protocol and they are currently set to continue until approximately the year 2140 when the 21 millionth bitcoin is mined and then there will be no more subsidies after that.
This leaves many people asking: “what happens when the subsidy is gone?”, “is my bitcoin going to be secure?”, and “what if someone attacks the network?”. In the sections below, this article will explore what a 51% attack would mean as the subsidy continues to decrease, what solutions some people are suggesting to avoid such an attack, and how these proposals would impact Bitcoin.
One of most critical security concerns regarding the block subsidy coming to end is the possibility of 51% attacks. The logic seems to go something like: if there is no more block subsidy then miners will not have the incentive necessary to provide ASICs and electricity. Then if miners are not providing these resources, hashrate will fall off the network. Then less hashrate from honest miners would mean that malicious miners would be able to gain a majority of hashrate and carry out a 51% attack. The conclusion then seems to be that Bitcoin should be changed soon so that the future potential for a 51% attack can be mitigated.
There is a lot to unpack here, including topics like: what is really at stake with a 51% attack, the assumption that ASICs are still specialty hardware in the distant future, and the assumption that transaction fees alone will not incentivize miners.
First, it is important to understand what is at stake in a 51% attack situation. Hearing “51% attack” can sound scary, especially if the implications are not well understood. There seems to be a common misconception that in the event of a 51% attack, the attacker could just make any transaction they want, this is not the case. A successful attacker could not spend coins that did not already belong to them, to be clear, the attacker would only be able to double-spend their own bitcoin. Bitcoin would only be at risk if someone received it from the attacker shortly before the attack was carried out and then the attacker made a new transaction in place of the original that sent your coins to an address under their control instead or just disregarded the transaction entirely.
There is an informative series of Medium posts on Bitcoin fee-based security by Joe Kelly. In this series, Kelly explains several common misconceptions, including about 51% attacks. The motivation behind a 51% attack would be to gain some irreversible goods, service, or payment and wind up with the bitcoin that was used in the exchange for those goods, services, or payment. A successful attacker would also get the block rewards for all the re-organized blocks that re-wrote the history of the ledger. There could even be some external financial instruments used to generate more profit for the attacker if they were to short BTC in anticipation of a price drop on news of an attack being carried out.
If someone don’t provide irreversible goods, services, or payments then they are likely not at risk of being the victim of a 51% attack. Especially if they are not dealing in such large amounts of bitcoin that a transaction would justify the millions of dollars’ worth of resources it would take to carry out a 51% attack on you. Miners who earned honest block rewards would be at some risk of lost mining rewards if a malicious chain took the lead, giving the block rewards for the new blocks to the attacker. But if you’re not a large scale miner then this would have minimal effect on you, if any at all.
Although many people may think that an attacker would have to work backwards, selecting a target transaction at some previous block height and then working forward with enough hashrate to catch up to and then overcome the honest chain, that is not the case as Kelly points out. In a successful 51% attack scenario, the attacker makes a transaction on the honest chain. Next, the attacker starts diverting their hashrate to a separate and secret malicious chain which includes a different version of that transaction where the coins are spent to an address controlled by the attacker. [Figure 00].
There is no need for the attacker to go backwards in transaction history, and there is no catching up to do. The attacker would just need to keep pace with the honest chain, which shouldn’t be difficult with a majority of hashrate. Then once the malicious chain has the lead, the attacker announces their re-organized chain to the network. The way Bitcoin is coded, miners will respect the chain with the most Proof-of-Work and would therefore accept the re-organized chain as truth and start extending the blocks of that chain.
Here is where things start getting tricky. Once the attacker starts diverting their hashrate to the malicious chain, the hashrate on the honest chain starts to decline. When that happens, the time between blocks starts to get longer. But the victim in this example is waiting for a certain number of block confirmations before they irreversibly release their goods, services, or payment (at least common sense says they would be). So, the more hashrate the attacker diverts, the longer it will take the merchant to feel confident in the security of the transaction. But the attacker needs to divert as much hashrate as possible to their malicious chain and as quickly as possible so that they can carry out the attack. This would be a delicate balancing act that would be extremely difficult to manage. Especially if the victim is well-informed enough to know that a sudden decrease in a majority of hashrate should be a red flag for them to wait even longer than usual to irreversibly release their end of the exchange.
Another uncontrollable complication for the attacker would be that the faster they remove hashrate from the honest chain, the more profitable it becomes for other miners to turn on mining equipment that may have been unprofitable previously. A recent example occurred in the summer of 2021 when the Chinese Communist Party banned Bitcoin mining within the borders of China. Between May 14, 2021 and Jul 10, 2021 (57 days) the overall Bitcoin network hashrate dropped from roughly 177Eh to 90Eh (-49%), see [Figure 01].
This is the best real-world example of what a 51% attack would look like, though it is not a perfect example. For anyone mining bitcoin during this time, their average rewards increased from 508 sats/Th/day to 991 sats/Th/day by the time the hashrate bottom was in, a 195% gain, see [Figure 02].
Anything that could hash Bitcoin was being plugged in during this time by eager miners all around the globe. In an actual 51% attack scenario, the drop in hashrate would likely be much more sudden than the nearly two month downward grind it experienced during the Chinese mining ban. However, the impact on mining rewards would be similar and any shelved hardware would be plugged in, especially if the attack transpired over the course of a difficulty adjustment that accounted for the drop in hashrate. The longer the attacker attempts to carry out the attack, the more hashrate would join the honest network, therefore a 51% to 49% ratio would quickly change and the attacker would lose the majority unless they started with a much greater portion of the hashrate like 60% or more.
Consider too that the difficulty on both chains would be the same as it was where the split occurred; depending on which block out of the 2,016 block difficulty epoch the split happened, there could be a significant number of blocks needed before the chains re-adjusted themselves to their new level of hashrate. The attacker would have to carefully plan where in the difficulty epoch they decide to carry out the attack. If blocks were taking a 10-minute average prior to the attack and the attacker split off with 51% of the hashrate then both chains will be producing blocks closer to 20-minutes apart on average, the malicious chain would be producing blocks slightly faster on average but with 51%, the attacker would be forced to carry the attack out for a longer time until a longer chain is established. This again means that the attacker would realistically need more than 51% of the hashrate in order to establish a longer chain in a reasonable amount of time. Or they would need to be mining at a higher difficulty than the honest chain to be able to prove more work.
Once the malicious chain is at a higher difficulty or has more blocks then it technically has more Proof-of-Work on it, therefore if this chain is then announced to the rest of the network, the other miners would accept the longest chain as the true chain and the attacker would get the mining rewards from all the re-organized blocks as well as their double spend. If the attacker were using some external financial instrument to short BTC, then they would have those off-chain gains as well if there was a sell off in the market on news of an attack. However, the attacker must also consider the risk of a successful double-spend actually causing irreversible damage to Bitcoin’s reputation; it could cause demand for bitcoin to vanish and send the price into a deep bear market thus impacting the attacker’s own fortune.
Another one of the common misconceptions Kelly presents is the idea of 6 block confirmations being sufficient for security. Extrapolating further, the false assumption becomes, if someone wants more security just wait for more block confirmations before considering your coins secure. As demonstrated though, the number of blocks can be meaningless depending on the how long the attack has been carried out and how many blocks the malicious chain re-organizes. An educated Bitcoiner would fair better gauging their security by watching for rapid changes in the overall Bitcoin network hashrate. In conditions where hashrate is not changing rapidly then 6 block confirmations seems like a reasonable number of blocks to mitigate a chain re-organization.
Some signs to watch out for related to 51% attacks would be:
If a user suspects a 51% attack is being carried out, some considerations to make would be:
51% attacks and double-spends are not a joking matter, but this should help add some context into what is at stake if someone were to attempt one and shed light on some of the game-theory considerations that could de-rail such an attempt. Even though risks associated with 51% attacks may get overstated and blown out of proportion, that hasn’t stopped several people from conjuring up solutions to unlikely problems. The following sections outline some of them.
Peter Todd proposed the idea of introducing tail emissions into Bitcoin in a recent blog post. Generally, the idea behind tail emissions is that at some point in the future the Bitcoin block subsidy stops shrinking and remains at a constant value in perpetuity. This would of course expand the supply of bitcoin beyond the 21 million hard cap. Todd explains in his blog post why he thinks tail emissions would not be inflationary based on his belief that people will lose access to more coins over time. Todd uses this assumption of lost coins to argue that a fixed block subsidy would not lead to an inflationary supply.
Todd cites what he calls an “academic analysis” in his blog post as evidence that block generation becomes unstable when a Proof-of-Work currency operates solely on transaction fees. The cited article appears to be written by four Princeton University students and can be found here. Important to note is that this is not a peer-reviewed article nor is it published in a scientific journal. So while it may have earned the description of an “academic analysis” by Todd on the basis of being written by university students, this should not confuse the reader with a scientific publication nor should it be regarded to bear some level of authority on the subject matter.
Essentially, the “academic analysis” creates a model to predict miner behavior in a future where several odd situations unfold. For example, the model is built with the assumptions that:
A) the block subsidy has been completely depleted (past the year 2140).
B) blocks don’t have a blocksize limit for some reason, so the default miner behavior is to include every single known transaction from the mempool in each block.
C) transactions simultaneously occur at a constant and continuous speed but also suddenly stop hitting the mempool immediately after each block is found, leaving what is defined as a “mining gap”
The “academic analysis” goes on to define “deviant behaviors” that the authors predict would occur in this fantasy world built on their model. Some of these behaviors are:
1) Petty Compliant Miners – who choose to mine on block templates built from all available transactions, on the longest chain, and publish all valid Proof-of-Work immediately upon discovery. However, in the event of a tie where two blocks are submitted at nearly the same time and the miner must choose one, these Petty Compliant Miners choose the block that has the fewest transaction fees. They do this so that they have an opportunity to include more of those transactions that were left on the table in their own block.
2) Lazy Fork Miners – who choose to mine on block templates that ignore the tip of the chain if the transaction fees in that block are greater than the unclaimed transaction fees left behind in the mempool. Then when the Lazy Fork Miners do announce a valid Proof-of-Work, they only include half of the available transactions in the mempool so that other Lazy Fork Miners do not fork their fork.
3) Selfish Miners – who choose to not announce a valid Proof-of-Work that they have found and instead divert their hashrate from the honest chain to their own secret chain in the hopes that somehow all the other miners combined don’t extend the honest chain before the Selfish Miner finds their second block, then they announce both blocks to the network thus causing the other miners to have wasted their time and resources.
All of this is to say that Todd would prefer to break the 21 million bitcoin hard cap because he has concerns that beyond the year 2140, in the event of a block tie, some miners would choose the block that leaves more fees on the table because then they could maybe get more fees for themselves. But they would have to leave half the existing transactions in the mempool so other miners don’t do the same trick on them - and/or these deviant miners might hold back announcing blocks even though they have to pass up a perfectly valid block reward of transaction fees to do so. This is not a convincing argument to change one of the core features in Bitcoin, the 21 million BTC hard supply cap.
Bitcoin’s 21 million hard cap is a critical design element for an overwhelming majority of investors. To have control over bitcoin that cannot be debased through the monetary decisions of a central authority is arguably the primary reason many people turn to Bitcoin in the first place. Changing the 21 million hard cap would be an incredibly difficult change to current consensus rules, and many investors would view it as an attack on Bitcoin itself. There have been several instances of coins considered to be dormant forever suddenly being spent. For example, the mining rewards for block 3654 or the 1,000 BTC that were consolidated on Bitcoin’s 12anniversary. Although these occurrences may be few and far between, it goes to show that any bitcoin could be moved at anytime.
Demurrage is an idea where transaction fees fluctuate based on how long the coins have been held. The longer coins are held, the higher the percentage of those coins gets burned making space in the monetary supply to reward miners without triggering inflation. Freicoin is a failed fork of Bitcoin that attempted a demurrage model, readers can learn about it on the Bitcoin Talk forum here. At the time of writing, Freicoin is ranked #21,126 of all cryptocurrencies according to Coin Market Cap. Clearly the market is not demanding cryptocurrency that loses value the longer it is held… much like fiat currencies.
In Bitcoin, there is an on-chain metric called Coin Days Destroyed, defined as the amount of coins spent in a transaction multiplied by the number of days since those coins were last spent. So, if Alice received 0.25 BTC and held it for 30-days then spent it, her spending transaction would show 7.5 Coin Days Destroyed. One idea is to use Coin Days Destroyed as a way to figure out what percentage of the amount spent would be the miner fee; the higher that number, the higher the transaction fee. Or in other words, the greater the portion of your bitcoin would be burned to make room for miner fees.
There are a number of reasons demurrage would not work on Bitcoin such as:
Nicolas Dorier suggested that perhaps the way to deal with insufficient block rewards without creating inflation would be to dynamically adjust the block size down. Some pros to this idea would be that the 21 million hard cap remains intact, there would not be a hard fork (though it would require a soft fork which can be contentious), and miner revenue should be higher. Some cons are that smaller blocks might make it easier to censor transactions, or at least prolong their first confirmation; too much of a block space limit could make transaction fees too expensive or prohibitive to many people, especially for services like CoinJoin where users are trying to strike a balance between reasonable wait times and affordability.
Essentially, when someone sends a Bitcoin transaction their miners fee is buying them priority in a limited size block. By decreasing the available size in the blocks, it makes sense that paying more for inclusion in block would be the market response. However, smaller block sizes could have unforeseen effects that change miner or user behavior like motivating users to seek other off-chain or Layer 2 alternatives.
Not doing anything is also an option and arguably the most logical one considering that no one alive today will be around when the block subsidy is finally depleted in the year 2140. The effects, sustainability, and likelihood of a 51% attack are often overstated. The “solutions” being circulated like tail emissions, demurrage, and reducing the block size all have terrible tradeoffs. Finally, Upstream Data CEO, Steve Barbour, brought up a valid point on Twitter: the block subsidy enables censorship [Figure 04].
So long as there is a block subsidy, then miners can choose to censor some transactions and still sustain their operations. If miners had to rely on transactions fees alone then they would not be able to afford to censor transactions because the transaction fees would be the only revenue stream. There would not be any empty blocks, which essentially censor everyone, if there was no block subsidy.
To date and to the author’s knowledge, there has not been an instance of a government demanding Bitcoin miners censor a transaction. There have been Bitcoin addresses added to the OFAC sanctions list and there have been mining pools, like MaraPool, that have tried to only mine OFAC compliant blocks. But the actions by MaraPool appear to have been voluntary and not the result of a government mandate.
If that were to change and governments did start demanding that Bitcoin miners censor certain transactions, the most likely miners to be affected are the publicly known large scale miners that are already well within the regulatory reach of government. Perhaps smaller miners would decide to comply out of fear of facing strict penalties. But it is important to note that while this hypothetical demand for censoring a Bitcoin transaction might impact miners in one jurisdiction, there are many miners outside that jurisdiction that would not feel compelled to comply with such a demand. So while the transaction in question may not be mined by a few large miners in a tyrannical jurisdiction, the transaction would eventually be picked up by a miner elsewhere. The other thing to keep in mind is that a compliant mining pool operating at the whims of government censorship requests would be able to sustain their business for some time initially as the censorship requests would likely be few and far between but that would change rapidly. At first, governments will demand censorship of transactions for egregious crimes that few would argue with, however once a precedence is set, the threshold for such demands will fall and eventually include requests to censor Bitcoin transactions related to individuals who may have done nothing more than post a contrarian view about politics or vaccines on their social media page. At that point, the government would be demanding that so many transactions be censored that the compliant miner would no longer be able to sustain their business. As the block subsidy gets smaller so do the chances of miners censoring transactions.
51% attacks are highly unlikely to occur even if there is no block subsidy because the candidate pool for victims is so small, very few people would irreversibly exchange multi-million-dollar goods, services, or payments for Bitcoin based on a single block confirmation. Not that this is impossible, but to make any of the trade-offs proposed above to avoid such an unlikely scenario is nothing short of an attack on Bitcoin.
Furthermore, in a world where Bitcoin mining is part of electric grid infrastructure, fee-based security concerns dissolve. When Bitcoin mining is integrated as part of energy infrastructure strategies then there is reason to consider utility companies as a type of pseudo-altruistic miner providing hashrate, not because of the fees they can earn, but because of the economically incentivized dynamic load response that only ASICs can provide.
There is potential in power generating assets like coal and natural gas fired plants to maintain peak efficiency during times of decreased demand. Bitcoin mining can be leveraged as a tool to burn fuels more efficiently, reduce pollution, extend the longevity of power generating equipment, reduce transmission loss, and capture stranded energy sources at oil & gas wells and coal mines. You can read more about these topics in the Upstream Data Monthly News Letter for July 2022.
The opportunity for efficiency gains is too great to pass up, those power producers who do not leverage Bitcoin mining as a tool to realize those gains will be squeezed out of competition over the long run. These kinds of miners who are the power generators will leap-frog the current-day mega miners entrenched in the fiat business model. The treasury strategies, ASIC collateralized lines of credit, volatile BTC price swings and electricity costs work as a disadvantage when compared to a utility that is not using Bitcoin as a financial instrument but as a tool in a greater system. The price of BTC does not matter to an ASIC, it will be the load of last resort, reliably providing demand when needed.
Not to mention that between now and the year 2140, many businesses will be built on top of Bitcoin. These businesses will likely be providing hashrate, even at a loss, to sustain the business model they built on top of it and continue earning their revenue from other streams that more than off-set the mining costs.
When you hear that the Bitcoin fee-based security model is unsustainable and requires some drastic change, try to stop and think about what is actually at risk, how it affects you personally, and what the trade-offs are of the proposed change.
Bitcoin mining software company: Braiins Pool, Braiins OS+ & Stratum V2.
By miners, for miners.