
Summary: Bitcoin's security depends on exponentially decreasing block rewards being compensated by exponentially increasing transaction fees, but fee growth is constrained by the block size limit and user tolerance, creating an inevitable security budget crisis when Bitcoin's price growth inevitably slows from its current exponential trajectory.
At that point, say this century, the average transaction fee should be in the 100k sats range for miners to make collectively ~0.5% of what they're protecting yearly. Currently miners are making ~0.8% yearly.
The less profitable miners are, the easier it is to convince them to attack the network. And this only gets more economically viable to achieve as time passes and there's a larger price with a smaller relative security budget.
Am I missing something? Are you comfortable with this?
175 sats \ 1 reply \ @nullcount 3 Jun
In your scenario, transaction fees must rise because the network is willing to pay to maintain the security budget.
Here's another scenario... transaction fees stay low, even below the security budget, because the ecosystem has evolved to withstand occasional attacks, and participants are not willing to bear the cost of high transaction fees.
This scenario actually describes the Bitcoin Testnet pretty well. Sure, testnet is always getting re-org or 51% attacked. It's inconvenient, unpredictable, and sometimes unusable. But for the most part, transactions still get processed, and txns that have thousands of confirmations are still extremely unlikely to get undone.
The testnet3 lightning network is surprisingly robust: https://mempool.space/testnet/lightning/nodes/rankings/liquidity
Just because BTC has never successfully been attacked like this, does not mean it is so fragile that it will die if an attack ever does succeed.
There are ways for you to guard yourself in an environment where BTC is suffering from attacks:
  • Increase the number of confs before you consider your onchain txns "final"
  • Use off-chain protocols that "anchor" periodically to the chain
Owning a LN channel that has been open for +100,000 blocks is probably a good investment in either scenario.
reply
Sounds reasonable. Thanks for your comment.
reply
There is no problem that needs to be fixed. You are unintentionally gaslighting.
If mining is unprofitable, then miners stop doing it.....once hash rate falls (or prices rise) it becomes profitable again.
The system was designed to be self-balancing. There is no need for there to be "ever increasing hashrate". Bitcoin is secure as long as present hashrate is sufficient to stop attacks on the chain...
Wall Street loves ultra-predictable, low-margin businesses, since they provide predictable yield that can operate in a more structured finance view of capital deployment, thus there will always be money available for such ventures.
reply
The hashrate has to change to ensure the blocks are created at a predictable rate.
reply
10 sats \ 2 replies \ @klk OP 3 Jun
Hashrate or difficulty? I'm not sure what you are replying to.
reply
I think he means difficulty because hash rate and price are usually correlated
reply
Both. If difficulty doubles, the required hashrate to produce a block in the same amount of time also doubles. Could be either total # of hashes for all miners combined, or # of hashes per CPU. Whatever your hashrate, it has to "change to ensure the blocks are created at a predictable rate."
What did you mean?
reply
10 sats \ 7 replies \ @klk OP 3 Jun
Sorry for the gaslighting, definitely not intentional. I want to be proved wrong and to learn.
The self-balancing part has a tradeoff. Less total hashrate, once ASICs have been manufactured, means that there's a lot of supply of powerful tools to attack Bitcoin laying around.
From another comment:
[...] leaves a lot of unprofitable ASICs for sale at very low prices. Something like having a lot of guns to defend something but stopping paying the security guards. Some might stay out of conviction or whatever. But only from the ones that have the capacity to work for free. And now there are a lot of guns from the ex-security guys being sold for peanuts in the streets. It's the same guns used to protect as to attack.
reply
10 sats \ 6 replies \ @freetx 3 Jun
"once ASICs have been manufactured, means that there's a lot of supply of powerful tools to attack Bitcoin laying around."
The electricity is not free, so having an ASIC laying around doesn't matter.
Look, mining started with CPUs and GPUs....you probably have several of those laying around your house....does that present a "threat" to bitcoin?
Mining is always going to operate at the margins of profitability. It's the nature of the industry...
reply
10 sats \ 5 replies \ @klk OP 3 Jun
Sure, but why didn't Satoshi choose PoW that CPUs or GPUs could already do efficiently back then? Because that would give some countries and companies with huge datacenters the possibility of attacking Bitcoin when it was still wearing diapers.
If at some point ASICs that consume more than X W/Th are being disconnected because they're no longer profitable, and someone can get access to those for very cheap, there could be more hashrate in machines of X+1 W/Th laying around than in the network. And if by then the cost of an attack is just 10x of the security budget, and the security budget does not even reach 0.1% of what it's protecting, it's simple math for someone to do an attack for profit or just reckless to “end” Bitcoin.
reply
Because Satoshi never intended for PoW to be the end-all be-all solution to the double spending problem. How could anyone believe that a cypherphreak trying to implement a workaround to totalitarian power would create something that gives the most money to the most powerful. It's the exact opposite of decentralized (aka p2p). Just ask yourself, does this benefit peers in a p2p network? If the answer is no, then it is not what Satoshi intended.
Satoshi posted a lot about Proof of Stake and Web of Trust, terms that he repeatedly noted had novel definitions. He defined proof-of-stake as the hash of your stake in a given system. Your participation. In a txting app, it's your conversations. Where there exists public and private data. Public data is that which can be agreed upon by other actors (generals), such as your name and phone number and length of time online. Private data is the content of the texts between two parties. If encrypted in an append only hashed timechain, that content can be used to do one-way authentication and signing, which is very useful for circumventing surveillance. This concept can be applied to any p2p app, such as a Bitcoin ledger.
Once the initial network is generated and agreed upon using proof of work, you no longer need to use PoW to ensure byzantine consensus, or perhaps it is not needed at all, if the network is agreed upon in some other way, perhaps by wide publication of the genesis block.
How can anyone mention "$100k per transaction fees" as being logically sound? Obviously that is not how Bitcoin is supposed to work. How does that facilitate "probably there will always be miners willing to accept zero fee transactions" from the whitepaper?
Remember the difficulty is auto adjusting. Obviously everything should be auto adjusting to facilitate all beneficial transaction types. Miners should only be eligible for reward when they have a block that contains sufficient diverse attributes defined such that they facilitate the network goals. Goals like micro transactions, large cheap transactions, time-stamping documents, encrypted communication, fast tx for messaging apps, proof of replication for archival purposes, reputation/reviews for spam/DOS prevention, distributed p2p network health, etc...
When Satoshi wrote one-cpu-one-vote he proffered that as an alternative to one-IP-one-vote in order to prevent large orgs buying up many IPs and getting a disproportionately high voting power. The system should be designed to distribute the wealth and power fairly to each person and use this distributed network to disincentivise concentration of power.
Why are we worried about Sybil attacks? Doesn't the timechain automatically buffer against them? Oh look, here's a transaction signed by this address with a prior sequence (block) number and a prior time, sent from these coins, to recipientX, now here's another transaction spending the same coins but with different attributes. Why would anyone do that in good faith? If only we had a distributed network that could broadcast information about such haxxor attempts to prevent them from being performed secretly. Oh, we do? Why isn't it being used?
Satoshi said the network would ignore invalid transactions automatically, so no need to track bad actors. This is generally true, unless there is a huge state level actor doing a Sybil attack and rewriting a long chain of blocks. Well, this is easily preventable because why did all of the Western hemisphere not hear about any of the last 20 blocks then all of a sudden everyone else is spamming us with 20 blocks different from our 20 blocks?? If there is not already coded alarms/logs for such anomalies, then the system was designed to facilitate them.
so... is Bitcoin designed to facilitate theft?
reply
Thanks for the thoughtful response.
The 100k transaction fee scenario was in sats, not USD. It's basic math about what would be needed to maintain current security levels if block rewards continue halving and the security budget shrinks relative to network value. The whitepaper's mention of "zero fee transactions" was written when block rewards were 50 BTC and the network was tiny. Economic incentives evolve.
On difficulty adjustment - yes, it adjusts to maintain block times, but it doesn't magically solve the security budget problem. If total mining revenue (subsidy + fees) becomes too small relative to what's being secured, the network becomes vulnerable regardless of difficulty.
The "Sybil attack" concern you mention is actually exactly what I'm worried about, but in reverse. When mining becomes unprofitable for honest actors, attackers can potentially acquire cheap hashrate (from miners shutting down) and reorganize the chain. Maybe it's enough to add a limit of how many blocks in the past can be rewritten. But that's not yet part of the consensus rules or Bitcoin client implementations.
Bitcoin isn't "designed to facilitate theft" - but any system with economic incentives can become vulnerable if those incentives break down. That's why this conversation matters.
You're completely missing that miners don't have to make a profit, they can be attached to entities that make their money through other means. Those can be bitcoin service providers, bitcoin reserve companies, individuals, nation states, entities that mine to generate heat, etc.
reply
100 sats \ 6 replies \ @klk OP 3 Jun
Maybe, but that's also not for sure. Unprofitable activities have a tendency to disappear. And for example mining to generate heat even if you got the ASICs for free would only have a maximum theoretical efficiency of 1 W of electricity to 1 W of heat whereas an air conditioner can achieve 3-5x that (see https://en.wikipedia.org/wiki/Coefficient_of_performance). So it would still be a sacrifice to use it for heating in the best case.
And the problem goes a bit deeper. When a lot of miners are unprofitable, that creates an opportunity and an incentive for attackers. It's pretty well explained in https://www.youtube.com/watch?v=0bUpF0wJrxo
And if it's sustained by large institutions and nation states, that's even worse. They could secure the network but implement arbitrary conditions for accepting transactions. Since they're doing it at a loss already, someone paying 2x fees won't make them change their mind about including your transaction or not. If their competitor is making a large transaction they don't like, they could try to block it no matter how much fees it pays.
So I would say that miner profitability is key for keeping the network decentralized and secure. The only entities that have been able historically to sponsor large unprofitable things for sustained periods of time (e.g., wars) are nation states through taxation theft. So let's hope that's not what we wish for in this case xD
reply
"Unprofitable activities have a tendency to disappear."
You miss my point. They have profitable activities that depend on bitcoin working, so supporting the bitcoin network benefits them and is required for the profitable activities. The mining division can operate at a loss.
reply
I get you, but the incentives are still weird in that case.
Say Strategy₿ is that large institution that mines at a loss for supporting their profitable activities (if they even have some by then). They would be tempted to prioritize their transactions or de-prioritize/block others. They want to protect their stuff, but would then be one of the few large institutions able to subsidize a large hashrate for the network. And since they're doing it at a loss, they wouldn't care about missing out on some fees on their competitors' transactions.
It could be that mining is operated at a loss. But that hurts the decentralization of the network, and leaves a lot of unprofitable ASICs for sale at very low prices.
Something like having a lot of guns to defend something but stopping paying the security guards. Some might stay out of conviction or whatever. But only from the ones that have the capacity to work for free. And now there are a lot of guns from the ex-security guys being sold for peanuts in the streets. It's the same guns used to protect as to attack.
reply
Anybody who needs bitcoin has no interest in attacking it.
reply
That's a weak argument. There are a lot of possible attacks. A double spend that only affects someone and benefits the miner wouldn't harm the network much. A government concentrating huge amounts of hashrate and only mining OFAC compliant transactions, and ignoring blocks from other miners, is another example. And those attacks can be performed without having any Bitcoin at all. So, no, “trust” is not a solid defense strategy.
100 sats \ 3 replies \ @klk OP 3 Jun
Something that would fix this is a set minimum block reward, even if subsidy + fees are below it. Which would break the 21M hard cap but ensure that if the theory of fees making up by then does not work, we end up with a slightly inflationary asset rather than an insecure one. Or maybe everything works fine and it's not needed (same case as now).
Anyway, the network is secure for the mid term. So nothing to be done anytime soon.
reply
21 sats \ 2 replies \ @klk OP 3 Jun
Or, something even cooler, some kind of script that uses a philanthropist's coins to do the same. Imagine someone with millions of coins, ahem Satoshi, sponsoring the security budget in a way that we all know that there's enough funding for the next N blocks and others can add their donations to extend it.
reply
0 sats \ 1 reply \ @jgbtc 20h
This is a great idea and it says a lot that the security budget fudders don't just do this. They can do this right now with time lock scripts but instead they want others to bear the burden (typically there's some anti-hodler sentiment involved) so they (e.g. Peter Todd) want to remove the 21M cap instead.
reply
0 sats \ 0 replies \ @klk OP 19h
Well there is no problem yet. And there might be better solutions. Let's see!
reply
I think it's OK, and other modifications come with other networks
reply
Hey friend. I like your concern and I once had this in mind too. You're actually missing out on something which is the price. The price tends to at least go up 3, 4x each Halving cycle, making it worth mining even though the rewards halved.
reply
Bitcoin price growth follows a power law (as any network) but the mining rewards decrease exponentially. A power law grows slower than an exponential so in practice the security budget goes down with time (not considering fees).
But if you check the calculations from the post, they are made in Bitcoin and as a percentage of the total network. So it's independent from USD price. Miners make ~0.8 % of the total Bitcoin supply yearly. If that number in the future becomes 0.1 % or 0.01% (all purely in Bitcoin terms) it would be equivalent to having a castle protected by less and less security guys.
If you consider the Bitcoin price in USD, it might look like the security budget grows, but so does the potential “loot” for attackers, because the Bitcoin to “steal” is now more valuable. That's why it should be measured as a percentage of the total supply, or at least as an absolute value in Bitcoin terms.
This might not be the best chart but should be good enough to see the trend: https://dune.com/niftytable/bitcoin-security-budget
reply
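The BTC-denominated ratio described in the comment above, and the roughly 100k sats per transaction figure from the original post, can be reproduced from the issuance schedule. This is an added example, not the poster's own calculation; the sample height of 900,000, the 2,000 transactions per block and the 21M BTC "protected" value are assumptions, and miner fee income at the sample height is ignored.

```python
SATS_PER_BTC = 100_000_000
HALVING_INTERVAL = 210_000      # blocks per subsidy epoch (consensus rule)
BLOCKS_PER_YEAR = 6 * 24 * 365  # 52,560 blocks at the 10-minute target


def block_subsidy_sats(height: int) -> int:
    """Block subsidy at a given height: 50 BTC halved once per epoch."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:
        return 0
    return (50 * SATS_PER_BTC) >> halvings


def supply_sats(height: int) -> int:
    """Total subsidy issued by blocks 0 .. height-1."""
    total, epoch, remaining = 0, 0, height
    while remaining > 0 and epoch < 64:
        blocks = min(remaining, HALVING_INTERVAL)
        total += blocks * block_subsidy_sats(epoch * HALVING_INTERVAL)
        remaining -= blocks
        epoch += 1
    return total


def yearly_subsidy_sats(height: int) -> int:
    """Subsidy paid over the next year of blocks, halving boundaries included."""
    return supply_sats(height + BLOCKS_PER_YEAR) - supply_sats(height)


def subsidy_ratio(height: int) -> float:
    """Yearly subsidy as a fraction of the supply issued so far."""
    return yearly_subsidy_sats(height) / supply_sats(height)


def required_fee_per_tx_sats(height: int, target_ratio: float,
                             protected_btc: float = 21_000_000,
                             tx_per_block: int = 2_000) -> float:
    """Average fee per transaction needed so that subsidy plus fees equals
    target_ratio of protected_btc per year. tx_per_block is an assumption."""
    target = target_ratio * protected_btc * SATS_PER_BTC
    shortfall = max(0.0, target - yearly_subsidy_sats(height))
    return shortfall / BLOCKS_PER_YEAR / tx_per_block


if __name__ == "__main__":
    sample_height = 900_000  # constructed sample height in the 3.125 BTC epoch
    print(f"subsidy / supply today: {subsidy_ratio(sample_height):.3%}")
    for halvings in (4, 6, 8, 10, 64):
        h = halvings * HALVING_INTERVAL
        fee = required_fee_per_tx_sats(h, 0.005)
        print(f"after {halvings:2d} halvings: {fee:,.0f} sats/tx for a 0.5% budget")
```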
I know (and it's a very controversial topic) that Peter Todd plans Tail Emission to fix that. What's your opinion on this? Personally I'm totally against and I'm in favor of just waiting for the market to regulate itself.
reply
0 sats \ 1 reply \ @klk OP 3 Jun
No idea. Wouldn't touch what's not broken.
It might be the case that fees themselves are enough and nothing needs to be done.
reply
I think if miners ever "go broke" they would activate drivechains. Do you know about drivechains? It is a scaling BIP that also improves miners' revenue. It would be a win/win situation for Bitcoin in this case. Or the community can just activate it before them through UASF or anything. Drivechains allow multiple different technologies working upon Bitcoin with bitcoin's hashrate and token.
reply
"At that point, say this century, the average transaction fee should be in the 100k sats range for miners to make collectively ~0.5% of what they're protecting yearly."
What value do you use for "what they're protecting"?
reply
20-21M BTC
reply
Do miners protect my cold wallet that is sitting idle though?
reply
Yes! With enough share of the total hashrate you can rewrite the whole blockchain. Until before your wallet got its funds. Or until the Genesis block if you will (given enough time).
Apart from being able to block any transactions you try to make (way easier and equally harmful for that wallet).
reply
Sure you can. But now I nominate what, iirc, either Gavin or Sipa called a preciousblock: a user-enforced checkpoint. I'd do this because the rewritten chain has no value to me. It arguably has no value to anyone I transact with either.
So someone will waste tons of sats in electricity for an attack I can revert with a single command.
reply
That sounds reasonable. I wonder why there isn't some kind of default in Bitcoin Core for automatically setting that. Maybe because of the possibility of a long term disconnection between different parts of the world?
But let's leave that aside. Wouldn't you still think that miners protect all Bitcoin available anyway, because it becomes useless if you can't ever transact with it?
Even if you mined the block with your transaction yourself, evil miners could continue mining from the previous block and do it fast enough so that's the longest chain (even if it's just one block longer). For which the precious block wouldn't save you.
It's hard to determine the value that miners are protecting, the percentage of it that is a good enough security budget, and how this will evolve over time.
What's scary is that as of now, we have a rapidly decreasing security budget relative to the value of the network.
Maybe the tendency changes. Maybe we never stay below the real security threshold. I don't know.
This is one of the most important and uncomfortable conversations in Bitcoin… and it should be.
Am I comfortable? I’m not sure “comfort” is the right word. Bitcoin was never designed to make anyone comfortable — it was designed to be antifragile.
Yes, the security model is based on incentives that change over time. The block subsidy fades, fees become the primary security budget. Will fees scale enough? Nobody knows for sure. But the beauty of Bitcoin is that it forces reality checks. Either the network adapts — through higher fees, L2 adoption, or market-driven solutions — or it fails. There’s no bailout for bad incentives here.
It’s the opposite of fiat systems where the unsustainable gets prolonged indefinitely through coercion. In Bitcoin, unsustainable models collapse early — and that’s a feature, not a bug.
Are the risks real? Absolutely. But show me any system with perfect security incentives over centuries. Bitcoin is still the most transparent, predictable, and opt-in monetary system humanity has ever had.
The alternative is trusting systems where the real security model is: “because we said so.”
Would love to see more minds grappling with this openly, like you’re doing. This is how the protocol hardens — not just with code, but with conversation.
reply
I totally agree with you, for me Bitcoin has one of the most perfect networks.
reply
"It’s the opposite of fiat systems where the unsustainable gets prolonged indefinitely through coercion."
Sorry. Had to chuckle at this.
reply
why?
reply
Because that's exactly what Bitcoin is.
reply
What unsustainable thing does Bitcoin prolong through what coercion?
reply
Bitcoin has been subverted into a positive feedback loop for concentrating wealth in the hands of a few. The richer you are the faster you can get more rich. Wealth = power = coercion = crime = a failed state. Pay to play organized crime. That may be the status quo but no one would vote for that.
Sorry, for those of you confused about this, it can be hard to see a problem when your job depends on not seeing the problem.
I don't understand the friend's point either.
Great
reply
I could guarantee that BTC LN is a secure network because I have made a lot of transactions successfully; some websites have issues crediting the money, that is all, but it could be credited with a support ticket.
reply