Depth | Block rewards are about to be halved, is BTC still safe? (Part 1)

Author: Hasu, James Prestwich, Brandon Curtis
Translation: Harry Zhang
Source: Encrypted Valley

An application or protocol is secure if it can achieve its goals in an adversarial environment. In the case of BTC, the goal is to create a payment system that anyone can participate in: only the legitimate owner can spend a token, and every valid transaction is eventually recorded in a distributed ledger.
In its first decade, BTC has achieved these security properties in practice. At the same time, however, the academic community has largely failed to reproduce BTC's stability in its research models, leading to claims such as "BTC is secure in practice, but not in theory." This paper aims to bridge the gap between theory and practice by introducing a model of BTC's security.
We find that BTC can currently tolerate attacks with high payoffs, because miners' incentives stay aligned with the health of the system over a long horizon. Mining requires a large upfront investment whose value is closely tied to the health of the network. In effect, miners pre-purchase half of all the tokens they expect to mine over the next two years. Until miners have received these tokens, any damage to the token's value is extremely costly to them, which explains why many of the attacks scholars worry about do not work in practice.
On the other hand, the biggest threat to BTC's security comes from the protocol itself rather than from external attackers. BTC's block reward halving will weaken the bond between miners' interests and the network. Without a thriving market for block space, the declining block reward poses a major threat to the future. Users cannot compensate for this simply by waiting for more block confirmations.
Finally, we offer new ideas, including some suggestions for improvement, for community discussion.
This article was officially published in October this year. It is a joint work of Hasu, James Prestwich and Brandon Curtis, and draws on existing research by Nick Szabo and Emin Gun Sirer. Encrypted Valley has compiled this article for professional investors and technology enthusiasts. Because of its length (close to 16,000 words), it will be published in three installments; this is the first.
Why does BTC need mining?
Earlier payment systems routed transactions through a trusted central server. This turned out to be the critical point of failure, since central validators often fail or are forced to exclude certain people or certain kinds of transactions. A system designed to provide permissionless access therefore cannot rely on a central server.
Nakamoto's solution was to replace the prevailing client-server model with a flat peer-to-peer network, a model that had already proven itself in distributed networks such as BitTorrent.
Public key cryptography makes it possible to prove and verify the ownership of a message. In the BTC system, the owner of BTC signs a message with their private key, and other nodes in the network verify the message against the hash of the sender's public key. This satisfies the "safety" requirement of the BTC system. However, when a node receives two conflicting messages that are each valid on their own but cannot both be valid (a "double spend"), public key cryptography is of almost no help.
BTC elegantly solves this problem by replacing the trusted server's signature with a signature produced by computation. Nodes can use this kind of signature to coordinate on a single chain. A node can place a high degree of trust in such a signature because it is costly to produce, while its cost is easy to verify.
When a node receives two conflicting signatures from miners, it prefers the one that cost more to produce. This "fork choice rule" is now known as Nakamoto consensus.
Back, Corallo et al. first proposed the idea of BTC mining as a dynamic multi-party membership signature (DMMS). A DMMS is a signature produced by a set of anonymous nodes that can join or leave the network at any time. Each node's share of the network's hash power is measured by its contribution to the signature. These signatures accumulate, because each block references the previous block, forming a blockchain.
The process of creating a proof-of-work signature is as follows:
First, the miner performs a self-weighting computation by generating random output values. When one of these outputs falls within a certain range, other nodes can use it as proof that the virtual dice must, on average, have been rolled a certain number of times (similar to a 1000-sided die that must be rolled about 100 times on average before a number between 1 and 10 comes up).
Next, the miner publishes its block (including the proof of work) to the network. If the block satisfies the consensus rules, the other nodes add it to the blockchain, and the winning miner is compensated with the block reward and all transaction fees in the block.
1.1 Limitations of cryptography
Although miners have some freedom in constructing their own blocks, they cannot create extra tokens for themselves, steal other people's tokens on the same chain, or retroactively change blocks to their own benefit. A miner must follow the BTC protocol like any other node, and nodes automatically reject any attempt to violate the protocol.
However, in some important respects the protocol cannot be enforced by cryptographic rules. A node does not know which of two conflicting transactions is valid, or which of two competing chains to choose. Users therefore rely on the consensus mechanism to coordinate on a single chain. Although the fork choice rule is necessary to maintain BTC's consensus, it also gives miners considerable power that is not constrained by the protocol itself (and is not regulated!).
The best-known example of an "incentive failure" is the "double spend" attack, in which a majority miner first spends BTC on goods or services on the original chain. Once he has received the goods or services in an irreversible way, he produces a longer chain that does not contain that transaction, ending up with both the money and the goods. Even though this amounts to theft or other malicious conduct, nodes that follow the highest-cost signature will automatically switch to the new chain.
Thus, "hard" protocol rules such as cryptographic signatures cannot fully secure transactions. We also need "soft" economic design to make miners publish ledger updates that serve BTC users.

Modeling BTC security

If users cannot rely on an enforced, "correct" transaction history, how do they know whether a transaction is final or might be reversed by miners in the future?
In the traditional financial system, a transaction is final because the law prohibits reversing it. But the BTC network is out of the law's reach. Miners can be anonymous, can operate anywhere in the world, and can join and leave the network at any time.
If it is profitable, miners will always reverse transactions, and will do so on behalf of anyone willing to pay for the reversal. Users should not treat a payment as final until reversing it becomes unprofitable. This problem is usually phrased as "how many block confirmations does a transaction need before it is final." Additional block confirmations are of limited value for BTC's security; security depends mainly on two factors.
2.1 Security assumptions
We first set up a basic payment system with a 12.5 BTC block reward and no transaction fees. All the hardware and computing power needed for mining can be rented on demand, so miners have no long-term interests tied to the BTC network. Their behavior does not affect the BTC price, and no user ever deviates from Nakamoto consensus. All models use BTC as the unit of account.
We define the BTC value obtained by mining according to the protocol as EV(honest mining). Over a period of ten blocks, the miner's revenue (MR) will be 125 BTC. Assuming mining is a market without barriers to entry and that miners are perfectly competitive, we can expect miners to spend a total of 125 BTC in mining cost (MC) to receive this reward.
Therefore, the baseline EV of honest mining is 0 BTC.
Miner-extractable value (MEV) describes how much BTC a miner stands to gain from an attack. The concept was introduced by Daian, Goldfeder et al. to describe the value miners can extract from smart contracts, but we extend it to cover the value miners can obtain from any manipulation of consensus or transaction ordering.
Importantly, MEV does not describe how much an individual user can safely transact in a block, because an attacker can double-spend against many different users at once. Nor does it describe how much all users in one block can safely transact together, because an attacker can keep double-spending across multiple blocks. MEV describes the attacker's total take. For users waiting for six block confirmations, the attacker's minimum attack duration is seven blocks. Users who calculate MEV based only on their own transactions therefore underestimate the actual incentive miners face.
The final EV of attack mining can be modeled as:
As long as EV(honest mining) > EV(attack mining), rational miners will follow the protocol.
We can therefore conclude that EV(honest mining) > EV(attack mining) is a necessary condition for BTC to be secure against rational attackers.
The difference between EV(honest mining) and EV(attack mining) describes BTC's tolerance for irrational ("Byzantine") attackers, who do not care about profit but will attack BTC for whatever reason.
It is worth noting that MEV needs no additional term for value obtained, for example, by an attacker shorting the BTC price. By definition, MEV already includes all such value.
In this simple model we do not even need to consider Byzantine attackers. The system already fails against rational attackers, because any MEV > 0 is enough to make attack mining more attractive than honest mining. Suppose a miner can extract 100 MEV from an attack lasting 10 blocks. We get:
Example 1: EV(attack mining) = MEV + MR - MC = 100 + 10 - 10 = 100; since 100 > 0, BTC is not secure.
This finding matches intuition: for the attacker there is no real cost to attacking the blockchain. The budget requirement is only 10 BTC, and after a successful attack the attacker recovers all costs.
There are three points worth noting:
  • If the scope of the attack includes the attacker's own blocks, the attack begins to incur real cost, because his effective MR(attack mining) drops while MC stays the same.
  • If a minority of miners ("defenders") keep mining on the original chain, the attack takes longer. However, as long as the attacker eventually overtakes the original chain, this does not lower his EV; it only raises his budget requirement. In this case the defenders' resources are wasted.
  • In this model we assume that the attacker holds a majority of hash power, or that collusion between several smaller attackers is costless. In the real world, if miners cannot agree on the value of the MEV or on the attack required, the cost of collusion may rise.
2.2 Market Governance
According to the "economic man" hypothesis, there is an interest behind every action we take, which is essentially a vote based on opportunity cost. The same is true of the blockchain market.
When users (consumers) buy and sell BTC, they are in effect constantly voting on the miners' system, just as consumers support particular producers or service providers. When users are dissatisfied with the service miners provide, confidence in the payment system may decline, and the BTC price may decline with it.
We define p(postAttackPrice) as the relative BTC/USD price after the attack. For example, a postAttackPrice of 95% means that the price has dropped 5% as a result of the attack.
In the updated formula, both MR (block reward + transaction fees) and MEV shrink because of the price drop caused by the attack, while MC(attack mining) stays the same. Although using BTC rather than fiat as the unit of account may be unusual, it is relatively easy to reason about: the miner still receives the same nominal amount of BTC after the attack, but because it has lost 5% of its purchasing power, it is worth only 95% as much in pre-attack BTC.
With market governance introduced, attack mining is unprofitable as long as MR(honest mining) is greater than p(postAttackPrice) * (MEV + MR(attack mining)).
From this, we can come up with three ways to ensure system security:
  • MEV can be very low. For example, few people use BTC to transact, or users do not treat a payment as final without other guarantees (such as knowing the buyer's identity).
  • p(postAttackPrice) can be very low. This means users are very sensitive to the BTC network's behavior and will switch to competing coins if miners fail in their duty. This is a double-edged sword: if the BTC price collapses easily, other forms of attack (such as sabotage) become more attractive, which increases MEV.
  • MR can be very high, so that the effect of p(postAttackPrice) on MR outweighs the potential gain from MEV.
2.3 Miners' bundled interests
So far we have used the idealized assumption that any resource needed for mining can be rented on demand (this assumption also dominates the academic debate on BTC security). In reality, mining does not work that way.
In fierce competition, miners are locked in an arms race. If one miner mines faster and increases output at the same cost, the other miners must keep pace or risk being eliminated entirely.
There are almost no sustainable moats in mining that allow a miner to keep the same margins for long. This has led mining to industrialize faster than perhaps any other industry in history.
As mining industrializes, the unit cost of producing a block becomes ever more important. There are several ways for a business to reduce its unit cost:
  • If a production facility is not running at full capacity, a company can lower the average fixed cost per unit by selling more. In mining, every hash has an automatic buyer in the form of the BTC network, so there is nothing to optimize here.
  • A company can reduce the material cost of production. In mining this means a constant search for cheaper energy, better heat dissipation or cooling, and an optimized production process.
  • A company can reduce overhead by making its production facilities more specialized. In BTC mining this has led to mining hardware that is ever more optimized for the SHA-256 hash algorithm. When such a machine can no longer mine BTC profitably, it is worthless. The same applies to large GPU-mined networks such as Ethereum: even though Ethereum can be mined with general-purpose hardware such as GPUs, non-mining demand for GPUs is not enough to absorb a large sell-off. So once the Ethereum price collapses, miners' initial investment loses most of its value.
  • Miners can also reduce unit energy cost by signing long-term power purchase agreements.
Therefore, to reduce unit cost and stay competitive, a rational miner needs highly specialized hardware and a long-term perspective.
The more specialized miners become, the less recoverable their capital investment. From Equation 1 we know that MR - MC = 0. This means we can derive the total cost of mining from its total revenue, which is simply the sum of all block rewards.
But how much upfront investment does a miner have to bear? After talking to BTC miners and experts, we arrived at a rough estimate that the typical miner, and indeed the whole industry, sinks half of its total cost into such non-recoverable assets. We further understand that these assets depreciate over roughly 24 months on average.
Reasoning from this assumption, the whole mining industry must sink assets worth a full year of block rewards in order to mine BTC over the next two years. At a block reward of 12.5 BTC, that equals 658,800 BTC.
In other words, miners must purchase 50% of all the tokens they expect to mine over two years before they can start mining.
Until miners have received those tokens, any damage to the token's value is extremely costly to them.
It can therefore be said that the mining industry is firmly committed to mining BTC in a way that maximizes the value of BTC and the utility of the network.
In the first example miners could still rent hash power, so a p(postAttackPrice) of 95% affected only the MR of the 10-block attack. Once miners' interests are bonded to BTC, the price drop affects mining revenue for a whole year, that is 52,704 blocks! In other words, a 5% price drop costs miners as a whole the equivalent of 32,940 pre-attack BTC.
It is worth noting that an attacker does not need 100% of the total hash power for the attack to succeed. If an attacker attacks with 60% of the total hash power, the attacker's own bonded interest is 60% of the total, or 395,280 BTC.
Example 2: EV(attack with 60% of total hash power and 100 MEV for 10 blocks) = 95% * (100 BTC + 10 * 12.5 BTC) - (10 * 12.5 BTC) - 5% * 395,280 BTC = -19,675 BTC
For an attacker with 60% of the hash rate, the MEV would have to be approximately 21,000 BTC, about $187 million at the current price, for the attack to be profitable. This high MEV tolerance indicates that the BTC network is indeed secure at the moment.
These findings extend to all digital assets using PoW, and show how important miners' non-recoverable upfront investment is to the security of a crypto network.
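As an added worked example (not code from the original article or its authors), the following Python puts Examples 1 and 2, the market-governance condition of section 2.2 and the bonded-interest loss of section 2.3 into one function, and also shows the effect of a halved subsidy; it reuses the article's figures, while the function and parameter names are this example's own assumptions.

```python
"""EV(honest mining) vs EV(attack mining), in pre-attack BTC as in the article."""
from dataclasses import dataclass

SUBSIDY_BTC = 12.5        # block reward used throughout the article
BLOCKS_PER_YEAR = 52_704  # the article's blocks-per-year figure


@dataclass
class Attack:
    mev: float                # value the attack extracts (pre-attack BTC)
    blocks: int               # attack duration in blocks (>= confirmations + 1)
    hashrate_share: float     # attacker's share of total hash power, 0..1
    post_attack_price: float  # p(postAttackPrice): relative BTC price afterwards
    follow_nc: float = 1.0    # p(followNC): chance users keep following Nakamoto consensus


def mining_reward(blocks: int, subsidy: float = SUBSIDY_BTC, fees: float = 0.0) -> float:
    """MR over the attack window: subsidy plus fees per block."""
    return blocks * (subsidy + fees)


def mining_cost(blocks: int, subsidy: float = SUBSIDY_BTC, fees: float = 0.0) -> float:
    """MC: with free entry and perfect competition MC == MR, so EV(honest) == 0."""
    return mining_reward(blocks, subsidy, fees)


def bundled_interest(subsidy: float = SUBSIDY_BTC, sunk_fraction: float = 0.5,
                     depreciation_years: float = 2.0) -> float:
    """Non-recoverable capital the whole industry has sunk: half the rewards of
    the next two years, i.e. one year of block rewards (658,800 BTC at 12.5)."""
    return sunk_fraction * depreciation_years * BLOCKS_PER_YEAR * subsidy


def ev_attack(a: Attack, subsidy: float = SUBSIDY_BTC, fees: float = 0.0,
              bonded: bool = True) -> float:
    """EV(attack mining) in pre-attack BTC.

    Market governance (p(postAttackPrice)) and an NC suspension (p(followNC))
    shrink what the attacker keeps of MEV + MR; MC is paid in full; and, if
    miners are bonded, the price drop also devalues the attacker's share of
    the industry's sunk capital.
    """
    mr = mining_reward(a.blocks, subsidy, fees)
    mc = mining_cost(a.blocks, subsidy, fees)
    kept = a.post_attack_price * a.follow_nc * (a.mev + mr)
    bond_loss = 0.0
    if bonded:
        bond_loss = (1.0 - a.post_attack_price) * a.hashrate_share * bundled_interest(subsidy)
    return kept - mc - bond_loss


def breakeven_mev(a: Attack, subsidy: float = SUBSIDY_BTC, fees: float = 0.0,
                  bonded: bool = True) -> float:
    """Smallest MEV at which ev_attack() reaches zero (the model is linear in MEV)."""
    probe = Attack(0.0, a.blocks, a.hashrate_share, a.post_attack_price, a.follow_nc)
    shortfall = -ev_attack(probe, subsidy, fees, bonded)  # loss at zero MEV
    return shortfall / (a.post_attack_price * a.follow_nc)


# Example 1: rented hash power, no price reaction: the attack pays as soon as MEV > 0.
EXAMPLE_1 = Attack(mev=100.0, blocks=10, hashrate_share=1.0, post_attack_price=1.0)
# Example 2: 60% of hash power, 5% price drop, bonded miners.
EXAMPLE_2 = Attack(mev=100.0, blocks=10, hashrate_share=0.6, post_attack_price=0.95)

if __name__ == "__main__":
    print("Example 1 EV(attack):", ev_attack(EXAMPLE_1, bonded=False))  # 100.0
    print("Example 2 EV(attack):", ev_attack(EXAMPLE_2))                # -19675.25
    print("break-even MEV at 12.5 BTC subsidy:", round(breakeven_mev(EXAMPLE_2)))
    # After a halving the same attacker needs roughly half the MEV to break even.
    print("break-even MEV at 6.25 BTC subsidy:", round(breakeven_mev(EXAMPLE_2, subsidy=6.25)))
```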
2.4 Suspension of Nakamoto consensus
We have shown that the BTC network can currently tolerate a large MEV, which is a major obstacle to profitable attacks. However, to complete the BTC security model we need to relax one final assumption: that BTC users never question Nakamoto consensus.
Users look to the market for signals that minimize trust and allow them to coordinate on a single chain. Although they pay a great deal for these signals, it is still cheaper than any other coordination method (for example, direct face-to-face negotiation).
However, this does not mean that users will necessarily follow the signal when most of them are dissatisfied with what the miners have produced. There are several precedents in BTC's history of users choosing to ignore Nakamoto consensus, because the chain produced by the longest-chain rule no longer represented the contract they had signed up to.
In 2010, an integer overflow bug at block height 74,638 resulted in the creation of 184 billion BTC, far more than the 21 million BTC that should ever exist. Within three hours, Nakamoto released a new BTC client that fixed the bug, thus "rolling back" the inflated chain.
The second example is the 0.7/0.8 consensus failure of 2013, which forked BTC for several hours. Bitcoind, the most popular BTC implementation at the time, released its 0.8 update. Developers were unaware that the new software had subtly changed the consensus rules, and at block height 225,430 it produced a block that older clients could not accept. BTC developers and mining pools decided to resolve the problem by temporarily suspending the "fork choice rule": they manually supported the 0.7 chain and abandoned the 0.8 chain. This required miners to give up the block rewards they had already earned on the 0.8 chain in order to maximize the overall utility of the network.
Perhaps the most famous example is the 2017 UASF movement. A full year after the code was released, most miners still refused to adopt SegWit, probably because it was incompatible with ASICBoost, a patented technique that improves mining efficiency. To force the update through, some BTC users installed a client that once again threatened Nakamoto consensus, because it ignored blocks produced after a certain date by miners who rejected SegWit. Had the miners let this happen, it would have led to a contentious split of the main network. The potential impact on BTC's utility and value severely threatened the miners' bottom line, and they eventually gave up their resistance to the SegWit update.
These examples show that, ultimately, users lead the miners. When they believe that current governance decisions do not maximize the utility of the whole network, users will run custom code (such as the invalidateblock command) to temporarily suspend Nakamoto consensus and thereby "disenfranchise" the miners.
Even when the protocol rules are satisfied, an attacker must consider the risk that users reject its chain. We define p(followNC) as the probability that users do not suspend Nakamoto consensus through off-chain coordination. From the attacker's perspective, this further reduces potential gains while costs stay the same.
Since a suspension of Nakamoto consensus affects only MR and MEV during the attack, it has no effect on miners' bonded interests. Compared with market governance, an NC suspension therefore contributes relatively less security.
In theory, however, users can change not only the transaction history but also the core protocol rules.
If there were consensus to change the mining algorithm from SHA256 to something else, users could immediately invalidate the entire miner group's bonded interest even without the BTC price falling to zero. This makes community intervention a powerful deterrent against attacks on the BTC price or the network.
2.5 Summary
By building this model and substituting real data, we gained several key insights.
  • For high security, honest mining must be more profitable than attack mining within the confirmation window that users treat as final.
  • If users want to be able to make large transactions, the system must be able to tolerate a high MEV.
  • The system's ability to tolerate a high MEV depends on the penalty miners receive for malicious behavior. Users can punish miners in two ways:
    a) First, they can sell some or all of their BTC. When the BTC/USD price falls by 10%, miners lose 10% of their bonded interest, measured in pre-attack BTC.
    b) Second, users can coordinate off-chain to suspend Nakamoto consensus.
  • To increase the penalty, miners' interests must be bonded, and users' willingness to sell tokens must be strong.
  • The total size of miners' bonded interest is a function of three variables: mining revenue (MR), the bonding cost, and the depreciation schedule.
  • If we hold the bonding cost, the depreciation schedule, and users' willingness to sell tokens constant, MR is the determining factor for MEV tolerance, and so determines how much user activity the network can support.
We invite everyone to download our model and experiment with their own ideas. (To be continued)

This content is for reference only and is not investment advice.

Reproduction without permission is strictly prohibited.