Why Bitcoin is Doomed
Confessions of a Disappointed Libertarian
Some bona fides: I’m a caricature of a libertarian. You’d probably laugh at my politics. There are almost no heights I think markets can’t reach, nor depravities that government can’t plumb. I think most crypto bulls don’t go far enough in their reveries: control of the money supply is the proximate means by which the state exercises its monopoly on violence, and a decentralized, immutable, anonymous, scalable, and fungible currency would be the foundation for Civilization 2.0. Which is to say that I would love to see crypto succeed.
Alas, Bitcoin is probably doomed
Let’s jump right in. Bitcoin is a roughly $1T asset, and you—an irritated government or greedy hedge fund—would like to destroy it. To destroy it, you need to control—in the worst case—51% of the network hashpower. What does that cost?
There’s a simple way to think about this for a generic blockchain, and it spares us a dive into the particulars of the Bitcoin protocol. What makes a distributed network secure against attack is the costly redundancy built into the system (whether that redundancy is competing miners in a Proof of Work system or competing validators in a Proof of Stake system). Costs are ultimately borne by users of the network, so if users want protection against a nation-state-level attack, they must be willing to pay—through fees or through inflation—an amount in excess of what a nation state can afford. Since inflation is just a hidden fee, I will refer to both as “fees” for simplicity. We can thus pass over the cost of attacking Bitcoin today, and steelman the case for crypto by asking: what would user fees look like in a future where Bitcoin has grown into the nation-state-challenging behemoth we would like it to be?
A number that is high enough to make the point, but low enough to avoid serious objection, might be $100B in annual fees. Consider how small this really is: it is a fraction of the US’ $700B military budget. It’s only marginally more than Bill Hwang spent trying to corner a bunch of blue chip stocks. And it’s still a wild underestimate, because to kill Bitcoin you don’t have to take the network offline for an entire year; a couple of days, plus the credible threat of a future attack, would suffice to make it radioactive to most institutions.
So, $100B in annual fees. An optimistic estimate of maximum transaction throughput is around 200M transactions per year, which means $500 per transaction. Easy math. So here we are with our first big problem: the money of the future cannot cost users $500 per transaction. And close on its heels: the money of the future cannot be limited to 200M transactions per year, which is only sufficient to let everyone on earth make two transactions in their entire life. Bitcoin as “the future of money” is broken. It either needs to vastly lower its security costs by substituting centralization for decentralization, or it needs to become a mere settlement layer, handling the occasional bulk netting transactions for a high-throughput “Layer 2” network like Lightning (more on this later).
Why can’t we just increase transaction throughput?
Well, you can fiddle with any of the parameters, which is why there are something like 10,000 cryptocurrencies in existence. But the tradeoffs are ironclad: increase the size of a block to allow more transactions per block, and propagation through the network slows, giving a head start to larger miners and reintroducing the centralization that is antithetical to the premise of crypto. Decrease the time between blocks and the same tradeoff bites you from a different direction: synchronizing the network becomes difficult, and large miners once again have a speed advantage over small ones. In the limit, a network fast enough and cheap enough to handle the world’s Starbucks orders is just Visa; centralized, mutable, and vulnerable to government force.
Wait, about that attack…
OK, we have to back up a little. How does one, logistically, attack Bitcoin? The waiting list for mining rigs is a mile long, and it’s questionable whether even a determined superpower like the US or China could expropriate enough mining capacity to mount a 51% attack. For answers to these objections, you can hardly do better than Joe Kelly’s three-part series.
But controlling hashpower may not be necessary if you can just bribe the miners. Imagine an attacker who funds a contract on another blockchain—Ethereum, say—and that contract pays Ethereum to addresses that submit cryptographic proofs of having mined an empty block on Bitcoin. As long as the payout is higher than the fees for honest mining, miners will prefer to mine empty blocks, rendering the Bitcoin network useless. In a world where DeFi succeeds in creating decentralized versions of financial derivatives, you can imagine yet more fanciful schemes. Imagine a liquidity pool that pays tokens to depositors in proportion to how much Ethereum they’ve deposited in the pool, and how long they leave it there. The liquidity is used, in turn, for two things: 1) to pay miners for empty Bitcoin blocks, as before, and 2) to purchase on-chain puts on Bitcoin, denominated in another cryptocurrency. After a successful attack, proceeds from the puts are paid out, algorithmically and pro rata, to the token holders who funded the original liquidity pool. The whole attack is—potentially—self-funding, like a conscript army paid only in plundered goods.
If Bitcoin is vulnerable, why hasn’t anyone attacked it yet?
The industry joke is that Bitcoin is insecure in theory, but not in practice. Why? In the case of governments, I think the answer is that western bureaucracies are slow, they tend to be dazzled by new technology before it occurs to them to be threatened by it, and when they do rouse themselves to action, they move carefully through existing legal channels; witness the corset of AML/KYC thrown over crypto’s onramps and offramps over the last year. Witness the SEC setting up a careful long game by making imaginative extensions of the term “securities” to encompass more and more of crypto. If crypto survives this strangulation by Lilliputian encumbrance, it will emerge with all the transparency of existing financial rails, plus the hideous costs of decentralization. It will be a dead letter. And while democracies can kill crypto by co-opting it into traditional regulatory channels, authoritarian regimes can be swifter; China recently banned crypto mining outright.
But the steelman critique of Bitcoin is not a government attack. Who knows, maybe crypto will capture its regulators, like wild Picts subverting the Romans sent to tame them. The steelman critique of Bitcoin is that—as discussed above—at some point attacking the network will be in reach of a hedge fund. So why haven’t the hedge funds attacked?
One reason is anonymity. Contrary to popular belief, Bitcoin does not offer it. The ledger is open, and transactions are not shielded, meaning that a hedge fund would need fancy footwork to monetize an attack without leaving footprints back to its bank. But that’s changing as we speak. The forthcoming Taproot upgrade will add Schnorr Signatures, a bit of cryptography that will make it harder for authorities to see who sent what to whom, and when. And here we glimpse another deep tension in distributed systems: innovations that protect users from the state also protect attackers. If crypto promises a frictionless, idealized version of commerce where every Coasian outcome is realized, expect that the most baroque hacks will also be realized.
In addition to privacy concerns, there is also the issue of monetizing an attack. It is no good to attack Bitcoin if the spoils are denominated in Bitcoin; you need an attack to pay out in fiat, or in some other cryptocurrency. To date, fiat derivatives markets have been shallow, but they are deepening. This feels like a vindication of the Bitcoin bull narrative, but it is actually worrisome. Every quant shop employs some PhD who has eyeballed the CME open interest on Bitcoin futures and calculated whether an attack on the network could pay for itself with an offsetting derivatives short. If that math hasn’t penciled out so far, one day it will.
And if the enemy hasn’t been bold enough to bring a frontal assault, he has nevertheless been practicing ominous maneuvers in the field. Consider the February 2021 reorg of the Verge chain. Was it a government playing wargames, or a private actor sharpening his claws? Either way, it suggests an emerging form of warfare.
Long term, things get worse
So far, I’ve offered a generic critique of Bitcoin, which may not impress a crowd who are—above all else—extremely clever in harnessing math to solve coordination problems. So before moving on to criticizing the remedies that have been suggested for fixing Bitcoin, let me shoot a few more arrows into its flank:
Moore’s Law has been protecting Bitcoin, but nobody talks about it
One of the things that currently makes an attack on Bitcoin costly is that you can’t just buy a bunch of old mining rigs and put them into service for a 51% attack. Even if you could get them for free, advances in lithography and circuit design mean that yesteryear’s rigs are horribly expensive to run just in terms of electricity cost. The cost curve is steep, in the same way that a dispatch curve for a power utility is steep; after you’ve maxed out the cheap baseload like nuclear and efficient gas plants, you then have to add increasingly inefficient older plants, making each incremental unit of supply more costly.
But Moore’s Law is not a law. At some point, the march downward in node size will hit fundamental physical limits, beyond which gate architecture simply doesn’t work. Perhaps we’ll then move to quantum computing (another threat to Bitcoin), but there’s likely to be a long period where node shrink slows dramatically, or perhaps even stalls. In that world, mining rigs still go obsolete due to minor improvements in chip layout, in heat management, in packaging, but the obsolete capacity is only a little more expensive to run than new capacity. When the cost curve for mining rigs becomes flat, it will be like a perfect commodity from the econ textbooks; new supply can be added almost infinitely and at small marginal cost. Worse, because mining ASICs are specifically built to optimize SHA256 hashes, they have no other economic use. Obsolete capacity thus accumulates like rusty plowshares, and the only thing it’s good for is being hammered back into swords. Over time, the accumulation of obsolete mining rigs becomes like a restive Ronin; for sale to whoever wants to launch an attack.
An all-fee regime may be unstable
Today, fees on Bitcoin are de minimis, and miners earn the bulk of their revenue through the “block subsidy”, which is currently set—by the protocol itself—at 6.25 newly minted Bitcoin per successfully mined block. But in order to promise “hard money”, Bitcoin’s creator programmed in a sunsetting of the block subsidy. It falls in half every four years, reaching zero once there are 21M Bitcoin in existence. Bitcoin’s creator pinned his hopes on the attainment of a precarious balance, in which the falling block subsidy would be offset by growing demand for transactions, causing fees to rise and allowing miners to remain happy.
This is fine as far as it goes; we observed earlier that fees and inflation are just different ways of funding a network. But the difference between fees and inflation on a technical level is important for the game theory that commits miners to endorsing the same consensus. Under an inflationary regime, miners mostly play nice with each other. Although fees vary a little, any transaction submitted to the network is about the same as any other, so miners mostly ignore the specifics of transactions and just focus on mining blocks. That may not be the case in an all-fee regime. When fees are everything, the very notion of consensus begins to fray. Recall that at any time, there are as many different versions of the blockchain in existence as there are miners working on it, and it is only by announcing the discovery of a new block that a miner causes all other miners to abandon their chains and begin mining on top of the new, longest chain (technically “heaviest” chain, but whatever). Now consider a miner who has just found out that he is working on the second longest chain. Rather than abandon it for the longer chain, he can leave some high fee transactions up for grabs in the transaction queue as inducement to other miners to come work on his chain. Consensus is fractured, hashpower is fragmented across competing versions of the chain, the security budget falls, and throughput suffers. I am far from competent to speak on the general class of consensus attacks possible under a fee regime, but it is worth noting that there are attacks hypothesized to be possible with far less than 51% hashpower, possibly even less than 10%.
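To put numbers on the subsidy sunset and on the earlier $100B / 200M-transaction arithmetic, here is an added example (not part of the original essay) that computes the halving schedule and the per-transaction fee needed to cover a given annual security budget. The BTC price passed in and the exact ten-minute block interval are assumptions made for illustration.

```python
"""Added example: Bitcoin's subsidy schedule vs. the fee needed for a security budget."""

COIN = 100_000_000              # satoshis per bitcoin
HALVING_INTERVAL = 210_000      # blocks between halvings (about four years)
INITIAL_SUBSIDY = 50 * COIN     # subsidy of the first epoch, in satoshis
BLOCKS_PER_YEAR = 6 * 24 * 365  # assumption: exactly one block every 10 minutes


def block_subsidy(height: int) -> int:
    """Subsidy in satoshis at a block height; halving is an integer right shift."""
    return INITIAL_SUBSIDY >> (height // HALVING_INTERVAL)


def first_zero_epoch() -> int:
    """Index of the first halving epoch whose subsidy rounds down to zero."""
    epoch = 0
    while block_subsidy(epoch * HALVING_INTERVAL) > 0:
        epoch += 1
    return epoch


def total_supply() -> int:
    """All satoshis ever issued: the subsidy summed over every paying epoch."""
    return sum(block_subsidy(e * HALVING_INTERVAL) * HALVING_INTERVAL
               for e in range(first_zero_epoch()))


def required_fee_per_tx(budget_usd: float, tx_per_year: float,
                        subsidy_sat: int, btc_price_usd: float) -> float:
    """USD fee per transaction so that subsidy plus fees cover the annual budget."""
    subsidy_usd = subsidy_sat / COIN * BLOCKS_PER_YEAR * btc_price_usd
    return max(0.0, budget_usd - subsidy_usd) / tx_per_year


if __name__ == "__main__":
    PRICE = 50_000  # constructed BTC price in USD, for illustration only
    print(f"total supply: {total_supply() / COIN:,.4f} BTC")
    for epoch in (3, 4, 8, 16, first_zero_epoch()):
        sub = block_subsidy(epoch * HALVING_INTERVAL)
        fee = required_fee_per_tx(100e9, 200e6, sub, PRICE)
        print(f"epoch {epoch:2d}: subsidy {sub / COIN:.8f} BTC, fee ${fee:,.2f}/tx")
```

Because the subsidy is halved with integer arithmetic, issuance stops slightly short of 21M coins, and at a fixed price the fee users must carry converges on the essay's $500 per transaction as the subsidy disappears.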
We don’t have to speculate about the viability of fee-based security. We can see it failing today.
Even if solutions are found for the consensus attacks made possible by a fee-only regime, the question remains: do users value the libertarianism of crypto enough to pay high fees? Early evidence suggests that they don’t:
· Users of stablecoins such as Tether are promiscuous, happily abandoning Ethereum for low-fee, centralized (and therefore insecure) networks like Tron.
· The Bitcoin mempool (the queue of waiting transactions) is frequently empty.
· “Bitcoin dominance”, the measure of Bitcoin’s market cap relative to all crypto, is at best flat, and may be declining.
What these observations remind us is that security is a collective action problem. Everyone would be better off if everyone picked one blockchain that could then have a large security budget. But users are individually better off if they defect to lower cost chains; they enjoy 100% of the savings from lower fees, and they bear only an infinitesimal cost from having slightly lowered the security of the whole system.
What can be done?
The popular answers are unsatisfying. To avoid the consensus attacks in a fee-only regime, Bitcoin could fork itself to make inflation permanent. That would significantly weaken the narrative of “hard money”. And it would do nothing to solve the issues of throughput or user costs. Remember, if crypto is to consume the world, users eventually will have to fund a security model sufficient to deter nation states and large hedge funds.
Another proposal is that Bitcoin be forked to add a governing council of elite super nodes. During an attack, these elites could trigger a “bunker mode” and run Bitcoin like a centralized spreadsheet. Such “Turning Turk” can hardly appeal to the soul of the committed cryptopunk, since it reintroduces all the vulnerabilities that crypto is meant to expel.
Then there are the “Layer 2s” alluded to earlier. But adding another layer on top of a settlement layer just reintroduces the same security budget problems, plus some new ones. It’s turtles all the way up.
Perhaps the road to crypto success is path dependent. Perhaps states as large as we have today can smother crypto in its crib, but smaller ones couldn’t. Possibly a world that had 10,000 city states rather than 200 countries might not have a political entity large enough to kill a mature blockchain. But I’m skeptical; private actors would still marshal economic resources to launch profitable attacks, and a community with enough internal trust to organize a centralized defense could employ that trust to centralize finance along cheaper, traditional rails.
I am in awe of what crypto claims to be. It is one of the most beautiful narratives in history. But facts owe no allegiance to beauty, and crypto is beset by ugly facts. My guess is Bitcoin goes to zero.