
The Economic Limits of Bitcoin and the Blockchain [pdf] - ot
http://faculty.chicagobooth.edu/eric.budish/research/Economic-Limits-Bitcoin-Blockchain.pdf
======
apo
The paper outlines two attacks that a hash rate majority can undertake: (1)
double-spending; and (2) sabotage (force a decline in exchange rate).

But there is a far more benign and profitable attack: collect _all_ of the
block reward. No need to tell anybody, and no need to upset users by double-
spending. Business as usual.

In other words, establish a benevolent mining monopoly:

[https://bitzuma.com/posts/bitcoins-end-game-the-
benevolent-m...](https://bitzuma.com/posts/bitcoins-end-game-the-benevolent-
mining-monopoly/)

The hash rate majority becomes an effective monopoly by censoring blocks from
outside the cartel. The incentive is equal to half the block reward. If done
properly and gradually, few users would notice. Nor would many care. Those who
did would simply leave.

I suspect there's even a version of this attack in which a cartel makes public
threats to censor blocks it disapproves of. This is, after all, what BIP-9
does:

[https://github.com/bitcoin/bips/blob/master/bip-0009.mediawi...](https://github.com/bitcoin/bips/blob/master/bip-0009.mediawiki)

Using this approach, a cartel may be able to leverage a hash rate below 50% to
100%.

There's some precedent for this with UASF. The hash rate of the group
threatening to censor blocks there was quite small (certainly below 50%).
Depending on who you talk to, the threat of block censorship by this group was
enough to shut down segwit2x.

~~~
erikpukinskis
Would lower the carbon footprint of the mines.

~~~
wmf
The "losing" miners would continue mining on a separate chain (e.g. Monero
Classic) as long as it was marginally profitable. They wouldn't just throw
away their hardware.

~~~
Kadin
Only until someone does the same thing to the other chain. The logical next
step is for the miners leaving the biggest chain to concentrate on a chain
where they can successfully pull off the same attack that just drove them
away, and on down the line until all chains have been taken over by one large
participant each.

The steady-state is a reduction in mining activity across all public
blockchains by ~50% or so, although that's probably an upper bound that
wouldn't actually be reached.

------
cs702
Great paper!

Based on a quick first read, and ignoring numerous important details, the main
argument boils down to this: "mining" costs (i.e., the computational and other
costs of processing transactions) in the network must be greater than the
profits that could be obtained by compromising or sabotaging the network.
Otherwise, it becomes profitable to compromise or sabotage the network. For
example, if the cost of mining is lower than the one-time profit that could be
made by betting a large sum against the price, it becomes profitable to bet
such a large sum against the price and then investing a _smaller_ sum
necessary to acquire a majority of the computing power to sabotage the
network.

This is correct... but only if there is a zero-profit condition among miners
-- i.e., if the Bitcoin network behaves like a standard theoretical rent-
seeking tournament that reaches and settles into a classical equilibrium,
instead of behaving like a distributed transaction processing network that
produces profits for the parties that process transactions (AKA "miners"). I
have not seen a good study (or actually any study) on the profitability of
miners, but many miners claim to be making money by processing transactions!

If mining is profitable, as miners claim, we have to add another condition:
the net present value of the profits that could be obtained from compromising
or sabotaging the network would need to exceed the net present value of the
profits that could be obtained in perpetuity from behaving honestly. If the
value of the profits that could be obtained in perpetuity by behaving honestly
are greater, there would be no incentive to compromise or sabotage the
network.

Those are my initial thoughts, based on a quick first read. But I'm barely
doing justice to the paper, which I found to be well-written and easy-to-
follow. I've downloaded it to read it (and think about it) more carefully.

Highly recommended reading if you have an interest in cryptoassets!

~~~
Blackthorn
> If mining is profitable, as miners claim, we have to add another condition:
> the net present value of the profits that could be obtained from
> compromising or sabotaging the network would need to exceed the net present
> value of the profits that could be obtained in perpetuity from behaving
> honestly.

This is really why I don't think that 51% attacks are a problem for Bitcoin
(and only Bitcoin). As soon as one is shown, the network's value will be
destroyed. And if you're already on the gravy train through cheap power and
cheap asics, why would you give that up?

~~~
QML
> As soon as one is shown, the network's value will be destroyed.

I don't believe this to be accurate statement. Looking at two other
cryptocurrencies -- Verge and Bitcoin Gold -- which have undergone 51%
attacks, neither of them have experienced a collapse in value as a result.

~~~
latchkey
Interestingly, Verge is one of the more profitable coins to mine right now.

------
mrb
The author claims Satoshi Nakamoto's vision was that miners would use
repurposable chips ("one-CPU-one-vote") but this is false. Satoshi correctly
envisioned mining farm would eventually use specialized hardware:

« _as the network grows beyond a certain point, it would be left more and more
to specialists with server farms of specialized hardware_ »
[https://satoshi.nakamotoinstitute.org/emails/cryptography/2/](https://satoshi.nakamotoinstitute.org/emails/cryptography/2/)

------
Animats
There was a paper last week pointing out how cost effective 51% attacks are on
the lesser cryptocurrencies.

Proof of work has become very expensive. Proof of stake has another set of
problems.

How about proof of geographical distribution? If each node had to be a minimum
physical distance from another node, that would put a big crimp into mining
farms.

Distance can be verified. You can use speed of light lag to verify that two
nodes are not further apart than some distance. So set up a mesh network. If
you claim to be at a location, others in the mesh can verify that it's roughly
correct by pinging it and measuring the round trip time. You can fake a longer
distance, but not a shorter one. You might be able to do something in the WiFi
bands in the 100m - 1KM range. Require that each node be at least a few
hundred meters from any other node. Give an advantage to suburbs and rural
areas.

"HeartlandCoin"?

~~~
mihaifm
Interesting, but if you can fake a longer distance then you can't enforce a
minimum physical distance. Perhaps you meant "maximum" ?

~~~
Animats
If you have a mesh, and you fake a longer distance on some edge, and there are
enough links, the discrepancy shows up.

------
aeternus
Interesting article. Related, this site attempts to track the cost of majority
hash power for various blockchains, and how much is rent-able via NiceHash.

[https://www.crypto51.app/](https://www.crypto51.app/)

------
hudon
This reminds me of another paper about proof-of-work blockchains called The
Blockchain Folk Theorem [0], which has a similar conclusion (aside from the
main conclusions):

> _Another issue relates to the negative externalities arising in proof-of-
> work blockchains. First, as shown above, when choosing individually optimal
> computing capacity, miners fail to internalise the negative externality
> their investment generates for other miners by increasing difficulty. This
> implies that equilibrium capacity acquisition in proof-of-work mining is
> excessive. Second, proof-of-work mining generates greenhouse-effect negative
> externalities, whose order of magnitude is significant. As of January 2018,
> the electricity consumed for Bitcoin mining was equal to the electricity
> consumption of over 3,400,000 US households, with an average consumption per
> transaction of around 300 KWh. Pigovian taxation could curb overinvestment
> in mining, but it might also be difficult to put in place, given the
> international decentralisation of mining._

The crux of the below paper, though, is that actual game theory shows that
miners are incentivized to create and persist alternative histories of the
blockchain, thus jeopardizing the blockchain's key function, that is to
produce a stable and immutable history of transactions. We've seen this in
practice with the dozens of Bitcoin forks and with Ethereum Classic, and how
unstable exchanges were during the forking process (eg. lost customer funds,
double spending, replay attacks, etc.).

[0] [https://www.tse-
fr.eu/sites/default/files/TSE/documents/doc/...](https://www.tse-
fr.eu/sites/default/files/TSE/documents/doc/wp/2017/wp_tse_817.pdf)

------
swfsql
While the attacker A is racing to build a heavier chain than honest miners H,
A is not profiting, on the contrary. He must hold the costs until he finishes
the race for the next B blocks.

If A was honest beforehand, everyone will notice the higher delay for block
mining. Two things follows: (1) B could easily increase, since those would be
"dangerous times". (2) Mining-related investors on standby may jump-in and
participate, increasing H since.. A's hashrate would suddenly vanish on the
public's perspective.

So while A is eating [temporary] loss, other miners are eating [temporary]
profit from block rewards (since equilibrium was assumed). B (for particular
receivers, those involved in high-valued transactions) may be arbitrarily
increasing while the mining delay is unstable. THat instability would reduce
while other participants enter the mining game.

But for how long would A hold it's [temporary] loss?

Also, if and after he wins the race, it's not like people can't ignore his
chain with a temporary hard-fork. If they do ignore it for a while, sooner or
later A's chain must get weaker, and that temporary hard-fork could be erased.

For the incentives for such temp hard-fork.. remember those temporary profit
and temporary loss during the race period? The attacker would need to happily
turn his losses into other miners losses, and their profits into his profit
(regarding block rewards). Also, standard users could be, very, negatively
impacted by such chain change. This impact could be reduced if the attacker
replicated the transactions in his private chain while racing, but some
transactions may be specific to the block height, so.. to replicate the
transactions, he can't be much faster than H chain.

So counting the chances of investors coming into mining field, temporary
losses that could least longer than expected due to block mining instability,
the possibility of a temporary fork..

I mean, I didn't get the paper's math nor read it fully, but I think that
there are more variables.

~~~
wmf
I think we should be specific about the time scale here. In the case of
Bitcoin a 6-confirmation double spend would only take 2-3 hours which doesn't
leave much time for the community to even notice, let alone coordinate a
response. I won't even consider the case where the community has been force-
fed a "never ever hard fork ever under any circumstances" message.

You can't assume that equilibrium holds since the difficulty only adjusts
every two weeks. (Even in cryptocurrencies with continuous difficulty
adjustment, 51% of the hashrate missing for 2-3 hours would not cause a
noticeable drop.) Because the difficulty does not adjust during the attack,
honest miners would be producing blocks at half rate (every 20 minutes) and
thus would still appear to get their fair share of the block reward; they
wouldn't get more.

For ASIC-based cryptocurrencies I don't think there's much if any hashrate
sitting on the sidelines and the attack would probably be over by the time
miners noticed.

~~~
swfsql
Yes, you are correct. New miners should not appear until difficulty
recalculation. But given this fact, depending on the intensity of the block
mining rate change and how far the next recalculation is, the network could
easily notice such changes. I don't just mean they "could", but they probably
"would" as well. The world's economy heartbeat h-a-l-v-i-n-g 6 times in a row?
(this drama is how critical I think that would be)

I don't know if an effective and immediate response could be taken place, but
this sort of monitoring could be anticipated, and also, they would probably
store the old chain's backup (just in case). I mean that if they do a rapid
decision, it's not necessarily final (although this would cost the whole world
economy a lot).

Only newcomers fullnodes, during the racing period, couldn't know which chain
actually appeared first, but all other fullnodes and miners do know which one
did, and that the alternative chain came at once and out of nowhere. This is
an easy target for an "temporary chain force-choosing" algorithm. And again,
this could be coded before the attack -try itself.

So I don't mean that this surely would be a "forced" (rushed) code-fork. On
the other hand, without such a thing, everyone would enter a rushed data-fork,
which probably will also be viewed as something risky and some costs may be
applied (prepared in antecedence).

------
rodonn
I found this to be very interesting. FWIW the author Eric Budish is one of the
top economic theorists. Whether or not that means you should trust his
analysis is left as an exercise to the reader.

~~~
vinchuco
how are economic theorists ranked?

~~~
mlinksva
For better or worse, on way is citations.
[https://scholar.google.com/citations?view_op=search_authors&...](https://scholar.google.com/citations?view_op=search_authors&hl=en&mauthors=label:microeconomic_theory)
(in top 30 according to that site)

------
maesho
This article is assumes that attacking a blockchain would be just the
classical 51% attack scenario of bitcoin. Innovation from coins such as Decred
show an evolution in blockchain technology that makes a 51% attack exceedingly
more challenging to pull off. "Apples to apples, Decred is 20x more expensive
to attack than Bitcoin" [https://blog.usejournal.com/apples-to-apples-decred-
is-20x-m...](https://blog.usejournal.com/apples-to-apples-decred-is-20x-more-
expensive-to-attack-than-bitcoin-68bafeb4546f)

~~~
asynchrony
It would be more convincing, or at least easier to take this comment in good
faith, if you were to provide some part of your understanding of the
innovation rather than to simply name drop a token and a link to a blog.

------
arisAlexis
the document says that governments have bettrr ways than to spend money for
this expensive luxury. But governments worldwide would never agree on a common
platform and that is the innovation itself and the paper misses this important
insight. Also let's all remember that this is a first itetation of a global
innovation.

