How to use the model to analyze the security of Bitcoin, how to ensure security after the block subsidy is reduced?

Authors: Hasu (independent researcher), James Prestwich (Summa founder), Brandon Curtis (Radar Research Director) to compile and interpret: LeftOfCenter

If an application or protocol achieves its goals in a hostile environment, including against those who are willing to spend a lot of resources to destroy the system, then we call it "safe." Unfortunately, no system can defend against omnipotent attackers. Therefore, a practical approach to security is to maximize incentives for people to act in accordance with the agreement while minimizing the incentive to violate the agreement.

From this perspective, let's see if the Bitcoin network is "safe": The goal of Bitcoin is to build such a payment system.

• Anyone can participate (free license access),
• Only legal holders can consume tokens (security), and
• All valid transactions will eventually enter the ledger (activity).

People have been holding Bitcoin assets for more than 10 years, which indicates that Bitcoin is safe in practice. On the other hand, in the academic and theoretical circles, it has not been possible to reproduce the security features of Bitcoin in the model of academic research. Scholars have called it "missing and leaking" and "difficult to escape". It has led to a kind of "meme" in which "bitcoin is safe in practice and not safe in academics."

• Ripple Q3 Quarterly: You sell less coins, you say that you are right
• Speed ​​reading | Can EOS and Cosmos be in the DeFi field and Ethereum
• Opinion: The encryption technology hype cycle has begun, and the idea of ​​retail investors is easier to guess than the wallet password.

Fortunately, independent cryptocurrency researcher Hasu, Summa founder James Prestwich and Radar research director Brandon Curtis recently published a paper hoping to change the status quo.

In this paper, the three authors bridge the gap between theory and practice by introducing a bitcoin security model. The paper proves that Bitcoin is currently able to tolerate very high attack motives, which is determined by a surprisingly small number of factors.

The paper further explains why many of the attacks put forward by scholars are unreasonable and uneconomical for miners.

In the second part of the paper, the three authors also proved that the biggest threat to Bitcoin security is rooted in the protocol itself, not any external attacker.

The problem is the security risk of reduced block rewards: as part of the Bitcoin fixed issuance program, the block rewards program will be reduced as scheduled. A common view is that this will reduce the miners' predictable income and thus reduce the miners. Commitment to maintaining Bitcoin network security. The paper explains that if a robust block space market does not develop, the decline in block returns will pose a huge risk to the future. The paper contrasts with the general view that users cannot make up for this by simply waiting for more confirmations .

Finally, the paper also proposes several possible improvements.

The following are some of the core content of the paper:

1. Why do Bitcoin need to mine?

In the Bitcoin system, public key cryptography has been used to prove and verify message ownership. Among them, the owner of a token can sign a message with its private key. Then, other nodes in the network can use the sender's hash public key to verify that the message is valid, which satisfies the "security" requirements in the bitcoin system.

However, sometimes the node will receive two messages, they are all valid, but not both ( such as double-flower attack ), in which case public key encryption does not work at all.

How does Bitcoin solve this problem? It uses a set of computational signatures instead of a single trusted server signature, from which nodes can coordinate on a single chain. The cost of generating these signatures is high and the cost is easily verified and therefore highly trusted. Therefore, when a node receives two conflicting signatures from a miner, it chooses the higher cost one. The fork choice rule is the "Zhongbencong consensus."

The idea of ​​using dynamic member multi-party signature ( DMMS ) for bitcoin mining was first proposed by Adam Back and Matt Corallo et al. A DMMS is a signature consisting of a variable and a set of anonymous signers that can enter and leave at any time. Their computing power in the Bitcoin network represents their signature weight in the network. These signatures are cumulative because each block references the previous block and eventually creates a blockchain.

Although miners have some freedom in building their own blocks, they can't distribute more tokens to themselves, they can't steal other people's tokens on the same chain, and they can't tamper with the order in which they happen. Like other nodes, miners must follow the Bitcoin protocol like any other node, and the node will automatically reject any attempts to compromise the protocol.

However, as a cryptographic technique, the limitation of this protocol is that it cannot cover all aspects. In some important aspects, the protocol cannot be enforced. For example, a node itself does not know which of the two conflicting transactions is valid, or Which of the two competition chains is more popular. Therefore, users rely on forked selection rules to coordinate on a single chain. Although this rule is necessary for Bitcoin to maintain consensus, it also gives the miners considerable power, which is not subject to the agreement itself (and is not regulated!) .

One of the most famous incentive failures is the double flower attack. In this case, most miners first use BTC to purchase non-BTC products or services in the original chain. Once he has obtained non-returnable goods or service delivery, he can generate a longer chain and the transaction never occurs. So, at the same time, I got money and goods. Nodes follow a more costly signature and automatically switch to the new chain, even if it contains chain theft or other malicious behavior.

Thus, "hard" protocol rules such as cryptographic signatures do not fully ensure the security of the transaction sequence. It also relies on the "soft" economic motives issued by miners for serving Bitcoin users.

2. Modeling the security of Bitcoin

For miners, there is no incentive to revoke the transaction only if there is no profit, thus generating a final confirmation for the transaction. Someone will ask, how many confirmations are needed to guarantee the finality of the payment?

Hasu, James Prestwich, and Brandon Curtis built a model for the security of Bitcoin. Their security model concluded that the security of Bitcoin has nothing to do with the number of acknowledgments. Security is only related to two factors.

2.1 Security assumptions

In the basic payment system assumption established by the model, the block reward is 12.5 BTC and the transaction fee is 0. All the hardware and hashing power required for mining can be rented on demand, so miners have no long-term commitment to the Bitcoin network. The behavior of the miners will not affect the trading price of the BTC, and the users will not violate the Nakamoto consensus.

In the paper, the value obtained through this “honest mining” behavior is defined as EV (honest mining) , then, in the 10 block intervals, miner revenue MR (miner revenue)   It is 125 BTCs.

Assuming that the miners are free to join the network for mining and there is perfect competition between the miners, it can be expected that the mining cost of the award (MC: mining cost) is 125 BTC, which leads to:

Equation 1: Mining revenue (MR) – Mining cost (MC) = 0 Equation 2: EV (honest mining) = MR – MC

Therefore, the benchmark for EV (the value of honest mining) is 0 BTC.

The value of the bitcoin that miners want to extract from the attack is defined as MEV ( Miner-extractable value ), which refers to other values ​​that miners take by manipulating consensus or trading orders. The final EV (eg double flower ) of the attack mining can then be modeled as:

Equation 3: EV (attack mining) = MEV + MR-MC

As long as you keep EV (honest mining) > EV (attack mining) , then a rational miner will abide by the agreement, not attack. Therefore, in order to ensure the security of Bitcoin, it is necessary to let EV (honest mining) > EV (attack mining).

Suppose a miner draws a MEV of 100 from a 10-block interval, then you can get:

Case 1: EV (attack mining) = MEV + MR – MC = 100 + 10-10 = 100;

Since 100>0, it can be introduced that bitcoin is not safe at this time.

This finding is intuitive, because this attack blockchain has no real cost to the attacker, only 10 BTC budgets, the cost can be offset by the reward after the attack is successful.

Here are 3 notable warnings :

1) Once an attacker cancels certain blocks that he or she has generated, the attack begins to incur actual costs because his effective mining income MR (attack mining) drops while the MC remains unchanged.

2) If a few defensive miners continue to mine the original chain, it will increase the duration of the attack. However, as long as the attacker eventually surpasses the original chain, this will not lower his EV (attack mining), but will only increase his budget, and the resources of the defender attempting to defend will be wasted.

3) In this model, we assume that the attacker has a large number of hashing powers or several smaller attackers for joint attacks, and there is no cost to coordinate between the attackers. But in the real world, if miners have differences in MEV values ​​or duration of attacks, they may increase the cost of coordination.

2.2 Market Governance

 

As the saying goes, consumption can be said to be a kind of voting. It means that economic participants vote by consumption. In the blockchain market, the sale of BTC by users (consumers ) is also a vote for miners (producers or service providers) . Once the user is dissatisfied with the services provided by the miners, the confidence in the payment system may be degraded. If the miners' security services are not in place and the system is attacked, the consumer will be dissatisfied, resulting in a drop in the BTC transaction price.

The paper will be expressed as p (the post-attack value, postAttackPrice) after the attack, and postAttackPrice=95% means "the attack caused the bitcoin price to fall by 5%".

Equation 4: EV (attack mining) = p (post-attack value postAttackPrice) x (MEV +MR)-MC

In the updated formula, the value of MR (block reward + cost) and MEV decreased as the BTC price fell due to the attack, while the mining cost (MC) remained unchanged. This is a good reasoning. After the attack, although the number of BTCs is not lost, it loses 5% of purchasing power, and the value is only 95% of the pre-attack.

Since the introduction of market governance, as long as MR (honest mining) is greater than p (postAttackPrice) * (MEV + MR (attack mining)) , then we can say that EV (attack mining) is unprofitable, Expressed as:

Equation 5: If MR>p (postAttackPrice)*(MEV +MR), EV (attack mining)<0,

From this, we can derive three ways to keep the system safe:

1) The MEV remains low enough, for example, because few people use Bitcoin for transactions, or the user does not consider final payments without other guarantees (such as knowing the buyer's identity).

2) p (postAttackPrice) is very low, which means that users are very sensitive to the use of bitcoin. Once the miners are unable to perform their duties, these users will immediately transfer to their competitors. If the price of the BTC is prone to collapse, then other forms of attacks (such as sabotage attacks) become more attractive, increasing the MEV.

3) The MR value is high enough that the effect of p(postAttackPrice) on MR begins to exceed the potential benefit from the MEV.

2.3 Miners' long-term commitment

These previous assumptions are “unrealistic assumptions” and all the resources needed for mining can be rented on demand (this view dominates the academic commentary on bitcoin security) . In fact, the actual mining behavior is not the case. In the fierce competition, if a miner increases the income available under the same budgetary cost, then other miners must keep up with the pace, or else there will be a risk of income reduction.

There is almost no moat that has always existed in mining. As a result, the mining industry may be industrialized faster than any other industry in history.

As the mining industry becomes more and more industrialized, the unit cost of creating blocks becomes more and more important. In practice, there are several ways to reduce the unit cost of a business:

1) If the capacity of the production facility is insufficient, the company can sell more products and distribute the daily expenses evenly on more commodities. In the mining industry, each hash has an automatic purchaser in the form of a bitcoin network, so there is no room for optimization at this point.

2) This business can reduce the daily material cost of production. Specific to mining, the goal is to constantly look for cheaper energy, better heat dissipation or cooling, and manufacturing optimization.

3) Companies can reduce costs by specializing their production facilities. In the bitcoin, this means that only the professional hardware optimized for the SHA-256 hash algorithm, once the hardware device can not dig bitcoin, is worthless. It's worth noting that this even applies to large GPU mining networks such as Ethereum. Although Ethereum tokens can be dug with common hardware, the demand for GPUs is not sufficient to suddenly supply saturation. Therefore, once the price of Ethereum collapses, the miners of Ethereum will also lose most of their value.

4) Miners can also reduce their energy costs by signing a long-term power purchase agreement (PPA).

Therefore, in order to reduce unit costs and maintain mining competitiveness, a rational miner needs highly specialized hardware and is committed to the long-term development of the network. The higher the degree of specialization of miners, the greater the unrecyclability of their assets and expenditures. From Equation 1, MR + MC =0 is known . This means that the total mining revenue (that is, the sum of the block awards) can be used to fill the mining costs .

So, how much does a miner have to pay in advance? After talking to Bitcoin miners and experts, the authors of the paper came up with a rough estimate that ordinary miners and even the entire mining industry, the non-recyclable cost is about 50% of the total cost, in addition, these assets will average 24 Depreciation within a month.

Based on this calculation, if it is expected to mine two years of bitcoin, then the entire mining industry must take a full year (two years * 50%) of the block award as a long-term commitment cost.

Calculated in a block of 12.5 BTCs, 658,800 BTCs a year. In other words, the reasonable two-year mining unit cost is 658,800 BTC, or 105,408 blocks.

This commitment cost depends on the price expectations of bitcoin in the mining market (including energy and hardware producers) over the next two years. If they expect bitcoin to survive and prosper, they may assume that the average price of bitcoin is equal to or higher than the current bitcoin price. If the price of Bitcoin falls during the depreciation period (within 2 years) , miners may lose a lot of money.

So it can be said that the miners are firmly committed to digging bitcoin in ways that maximize BTC value and network utility. from that we get:

Equation 6: EV (attack mining) = p (post-attack value postAttackPrice) x (MEV +MR)-MC-(1- p)*Commitment

In the case of non-leased computing power, miners tapping bitcoin will have a commitment cost, and once the price falls due to the attack, it will affect the income for the whole year.

It is worth noting that an attacker does not need to have a 100% hashing power to attack successfully. If he uses a 60% hash calculation to attack, his own commitment will only account for 60% of the total commitment, which is 395,280 BTC.

Case 2: EV (attack mining with 60% hash calculation) = 95% (5BTC+8*12.5BTC)-(8X12.5 BTC)-5%*395280 BTC=-19.764 BTC

An attacker with a 60% hash calculation wants to profit from a mining attack. The MEV value is about ~21,000 BTC, or $187 million. The high tolerance to MEV indicates that the Bitcoin network is indeed safe.

These findings can be generalized to all cryptocurrencies that use PoW. This also shows that the non-recyclability of input costs is extremely important for safety.

2.4 Termination of the Nakamoto consensus

At this point, it has been proved that the bitcoin network's high tolerance to the MEV greatly increases the cost of attacking profits. However, in order to improve the bitcoin security model, the author of the paper also updated the last hypothesis: Bitcoin users will never question the Nakamoto consensus.

Users on the market need to seek a minimum trust signal that allows the user to coordinate on a single chain. Users are willing to pay for these signals because it is the cheapest way to coordinate. However, this means that if most users are not satisfied with this, the user will not necessarily follow the signals sent by the miners. In the history of Bitcoin, several examples show that users may ignore the Nakamoto consensus because the generated chains no longer represent the social contract they signed.

Multiple cases have shown that if there is a disagreement in governance decisions, users can run custom code commands (such as invalidateblock) to suspend the Nakamoto consensus and deprive the miners of their power.

Therefore, in the actual attack, the attacker also needs to consider the risk of the user suspending the consensus.

Here, the paper uses p (followNC) to define the probability that the user will suspend the Nakamoto consensus through the chain coordination, which will reduce the potential return of the attacker, while the attack cost remains unchanged.

From this: Equation 7: EV (attack mining) = p(followNC)*p (post-attack value postAttackPrice) x(MEV +MR)-MC-(1- p)*Commitment

Because it only affects MR and MEV during the attack period, it does not affect miners' commitments, and NC suspension has less impact on security than market governance.

However, in theory, users can not only change the transaction history, but also change the core protocol rules. If they change the mining algorithm from SHA256 to other algorithms, even if the bitcoin price does not fall to zero, the user may immediately make the entire miner's promise completely ineffective. This makes this social intervention a way to effectively defend against bitcoin prices or cyber attacks.

2.5 Summary

Some core findings:

1) In order to ensure a high degree of security, the value of honest mining must be higher than the value of attack mining during the period in which the user considers final confirmation.

2) If the user needs a large transaction, the value of the MEV needs to be high enough.

3) The system's high tolerance to MEV depends on the system's penalties for malicious behavior miners. Users can punish miners in two ways:

a) First, the user may sell some or all of the bitcoin. When bitcoin prices fall by 10%, miners lose 10% of the value of the promise before the attack.

b) Secondly, the user can coordinate the suspension of the Nakamoto consensus under the chain.

4) The greater the long-term commitment cost of the miners, the greater the potential penalty, the smaller the long-term commitment cost of the miners, and the less potential penalties

5) The long-term commitment cost of miners is related to miners' income ( MR ), the proportion of committed costs in total costs, and the depreciation schedule.

3. What are the mining attacks?

Based on the above model, the paper deduce how the most important attack on the Bitcoin system was carried out.

The attack is highly correlated with the hashing power. In theory, selfish mining or stubborn mining can be carried out with only 30% of the hashing power, but so far, such attacks have not yet occurred in the Bitcoin network.

The model established in the paper suggests that a rational miner's strategy to reduce public trust in Bitcoin is impossible, because even a small price decline will reduce the value of its commitment, which is more valuable than that obtained from MEV. High value.

A case can support this theory. In 2014, the GHash.io pool had a hashing power of more than 50%, which led to a double-flower attack on the betting site BetCoin Dice . The incident caused turmoil in the Bitcoin community, and it is widely believed that its centralized mining pool has led to a passive shake of trust. Many whales began selling their own bitcoins.

Afterwards, individual miners fled the pool in large numbers to protect their investment. After that, no mine pool dared to reach such a high proportion of the hashing power level. Miners seem to have realized that any form of market panic will eventually have an adverse effect on themselves.

Here we can see the difference between the Byzantine model and the rational model:

In Byzantine mode, once miners have a hashing power greater than 50%, bitcoin is not safe. However, the steady state of bitcoin in the complex world is likely to be caused by the monopoly of hash computing power. At present, it may belong to a monopoly state, which is powerless to refute.

Seeing the motivation of all participants can show that bitcoin does not automatically fail in the presence of a miner with more than 51% of the computing power. However, when the miners have more than 50% of the hashing ability, they can be sure that the chain they propose will eventually become the normative chain of the Nakamoto consensus, which may lead to two types of attacks: double-flower attacks and sabotage-attack attacks .

3.1 Double flower attack

 

The model suggests that a small drop in BTC prices is unlikely to result in a large-scale double-flower attack, as the benefits from the MEV must be higher than the long-term commitment cost of the miners to make the attack profitable. In addition, miners have to consider the possibility that users may suspend Nakamoto's consensus, thus completely denying the rewards available to attackers.

Along with this, the double-flower attacker hopes to minimize the perceived and actual network interruptions, so as not to cause any of the above penalties. The attacker can maintain the reorganization within 100 blocks, and the mining rewards of the original chain can be used for expenses. Such in-depth restructuring will no longer only affect individual users, and may lead to more invalid transactions than expected. The attacker will try to replay every transaction, including the mining bonus output, and recreate the exact same history using only the changed double flower transaction.

In view of the above restrictions, for a rational miner, it is not willing to choose an isolated double-flower attack.

4. Block rewards continue to decline, and how secure bitcoin is?

Models for bitcoin security must consider parameters that may change in the future, and consider why they change. According to the paper, the security of Bitcoin depends on these factors: miners' commitment, MEV and user sensitivity to price.

Today, the high volatility of Bitcoin requires miners to have high risk tolerance. Once the price of Bitcoin appreciates and peaks and remains at a stable peak for a long time, mining may begin to resemble a traditional commodity market, with producers' gains and volatility becoming lower. Lower volatility will make miners tend to seek higher leverage and amplify minimal price volatility.

If Bitcoin seriously threatens sovereign currency, then the government's chances of attacking it will increase, and they may implement a censorship system and other forms of sabotage and attack on the Bitcoin network. The existence of a deep derivatives market is easier for people to increase their bets to short the price of bitcoin, which further increases the possibility of MEV .

However, none of the above is the biggest factor. The biggest variable is the bitcoin protocol itself, for example, the impact of the decline in miners' incentives.

As a decisive factor in the long-term commitment cost of miners, all profits of miners come from block rewards, which consist of two parts:

1) Block subsidy for each new coin casting

2) Transaction fee

Block subsidies currently account for 99% of all block awards and are currently being gradually reduced. By 2020, the annual circulation of Bitcoin will fall to 1.8%, and by 2028, the figure will be halved to 0.5%.

This leads to a result, as the most important source of income for miners, the gradual reduction of miners' subsidies must be replaced by a new source of income.

So far, the security of Bitcoin is supported by its own value. In the future, the security of Bitcoin will be supported by the secondary market that does not currently exist.

Whether there is enough secondary market to support Bitcoin security is highly uncertain. Now, the purpose of collecting transaction fees is to arbitrate the priority of the effective block space. In the future, in order to create sufficient income for miners, the demand for block space must be much larger than the supply of block space, in order to create demand for block space, thereby increasing the price of transaction costs.

However, even if the demand for block space is high in the future, it is possible that the transaction fee is still low. If most people only hold bitcoin, or if most of the transactions happen on a centralized exchange or various chain solutions, then there will be a lower transaction fee.

4.1 Can the increase in the number of confirmations compensate for the impact of the decline in incentive subsidies?

There is a saying that the impact of declining incentive subsidies on bitcoin security can be offset by increasing the number of confirmations. But the model built by Hasu, James Prestwich, and Brandon Curtis shows that even more block confirmations don't guarantee bitcoin security.

The paper gives an example to prove this conclusion:

However, the authors also point out that adding more confirmation does have another benefit, so that by increasing the minimum attack duration of miners, users can gain some form of group immunity.

However, the paper points out that increasing the number of confirmations will only have a positive impact on safety, but may not replace the miners' commitment to maintain high MEV tolerance in the system.

5. Long-term security considerations

Even if the market based on the demand for block space is ultimately unsuccessful, Bitcoin will not expire overnight. The bitcoin rewards have been steadily reduced over a long period of time. Therefore, any problems caused by the lowering of the mining cost MR will first appear in a weak form, and then gradually become more obvious, thus providing users with enough Time to react and coordinate, and possible solutions emerge.

It is worth noting that even if these issues affecting security become a reality, people are still optimistic about Bitcoin.

Bitcoin has the largest user base, the broadest distribution base and an increasing number of financial infrastructure integrations. In its short life, Bitcoin, as a currency, has evolved from a technology to a movement with sociopolitical ideology. It's hard to imagine that Bitcoin will end because of other factors besides the total lack of demand.

The authors point out that in the future , safety can be improved by increasing MR, reducing MEV, or increasing miners' penalties .

5.1 Requirements for upgrading block space

First, Bitcoin developers can try to increase the need for bitcoin block space, which can make Bitcoin block space more attractive by updating protocols, or by launching a business that can generate profit by consuming block space. The need for bitcoin block space, including bitcoin transaction requirements and the need to store arbitrary data on the chain.

In terms of bitcoin transactions, innovative applications, including increased time locks and Bitcoin lightning network construction, enhance bitcoin trading capabilities and flexibility. Any data store can be used to implement non-consensus asset ledgers, such as USDT or dyed coins, or anchor a certificate to another system, such as Factom or Veriblock.

The Bitcoin system is highly optimized for bitcoin transfers, but to a certain extent, there are limitations to the storage of arbitrary data, which is not encouraged in the system. Because these arbitrary data may represent infinite value outside the Bitcoin network, it is likely to trigger a very high willingness to pay, resulting in the reuse of the Bitcoin transaction structure to achieve its goals. Although this may result in stable demand for bitcoin block space, increasing transaction fees and increasing mining incentives, MR , it also potentially increases the infinite MEV and increases the incentive for blockchain attacks. Therefore, Bitcoin users need to consider the relative value and possible risks of block space requirements in this case.

5.2 Perpetual issue block rewards

The second mechanism may be to fork a new bitcoin that is permanently issued. If people agree that to some extent the mining reward MR is a necessary condition for maintaining the normal operation of Bitcoin, then the MR must be paid by the user in some way. Then, if the MR is set to 1% of the supply per year, then in order to support the bitcoin system, all Bitcoin users will lose a total of 1% of purchasing power.

It must be clarified that the supply of bitcoin is fixed, but the purchasing power it represents is not fixed. In addition, permanent issuance does not equal inflation.

If Bitcoin requires the user to lose 1% of purchasing power anyway, then paying these costs through a permanent issue will not lose more purchasing power than paying the transaction fee.

In fact, in a bitcoin system where the perpetual release block is 1%, the bitcoin purchasing power and security will be higher than the bitcoin system with a 0% annual bonus.

Instead, what is the question is who is using the mechanism to pay for MR ?

In an ideal system, users will pay for operating costs based on the value they receive. This will maximize revenue and maximize security because all users will be charged for their utility. It further ensures system fairness and longevity. Systems that are considered unfair by some members are unlikely to last for a long time, which creates a great incentive to fork a system of their own, thereby smashing free-riding users.

In fact, system designers may not know who is a high-value user beforehand. Once established, all users may agree to change the original parameters to more optimized parameters, which is more expensive than simply using the original.

Conceptually, there are two mainstream users in the Bitcoin system: holders and traders. There is no clear boundary between them, because any trader must hold bitcoin, at least for a short period of time, any holder must ultimately trade Bitcoin (although not necessarily on the chain) .

In a permanent release paradigm, MR will not be affected by events in the block space market, and in the current paradigm, the impact on block space requirements may cause the overall system security to plummet.

The monetary commodity ownership we want is crucial. If you monetize the block space for the trader, you must ensure that most of the space units are owned by someone. Charging the holder completely eliminates this friction because there is always one user per bitcoin.

Finally, it should be noted that the contribution of the holder is more invisible than those of the trader, but it does exist. When the system is attacked, the holder is more painful and more willing to pay for social coordination costs. When evaluating how much each use case contributes to security, it is important to have a holistic view of the Bitcoin system.

5.3 Crowdfunding

Under the paradigm of the block space market, crowdfunding is a less controversial way for Bitcoin holders to bear the cost of MR .

The way to think about it is to let the whales (the people who hold a lot of bitcoins) and the holders who are very interested in maintaining the security of bitcoin by investing to create a fund to generate "anyone can spend the transaction" (can bit In the form of the currency DAO) , miners can declare these transactions at a block height, and these transactions can be privately subsidized block subsidies. The benefit of this solution is that there is no need to change the protocol.

The downside of this approach is that it may end up in a classic hitchhiking scene: many people want Bitcoin to be safe, but no one wants to pay for it. To this end, it can be solved in the form of a dominant assurance contract (DAC) .

As a variant of crowdfunding contracts, DAC attempts to make contribution strategies a dominant strategy rather than waiting for others to contribute. In the DAC , one must act as an entrepreneur, hoping to get a public good (in this case, MR) funded. The leader defines the target amount to be raised, and the fundraiser does not meet the target. In this case, encourage others to contribute by paying a small amount of money to others.

5.4 Adjusting the supply of block space

Finally, MR can be improved by changing the supply of block space. The biggest disadvantage of a fixed supply system is that the transaction fee immediately becomes zero as long as the demand is slightly lower than the supply.

Although all users in a block may be willing to pay a total of 5 BTC transaction fees, if they are over-provisioned, they will eventually not pay any fees because there will be no congestion.

Therefore, by manually reducing the size of the block to slightly below the demand, artificially causing permanent congestion to capture value. Such changes can be made manually by the developer or through the Bitcoin protocol itself. One of the solutions is the adaptive block size: the system looks at the MR generated from the cost and compares it to the desired target MR to ensure system security. If MR <targetMR , the block size is reduced to create a jam. If MR> targetMR , the cost to the user for security is high, and some people can remove the congestion, which increases the block size to the hard-top limit of the community selection. (currently 2.3 MB)

5.5 Lowering MEV

 

In addition to increasing MR , Bitcoin users can also consider reducing the various ideas of MEV . A good starting point is to consider the potential source blockchain of MEVs on Bitcoin.

5.6 Strengthen the punishment of miners

The low tolerance of Bitcoin users to the malicious behavior of miners can be checked by their behavior. When the price reacts strongly to the attack, although the bitcoin MEV remains the same, the promised input to the miner will cause a lot of losses. If the bitcoin price is very stable, the miner's commitment must be greater.

We will continue to update Blocking; if you have any questions or suggestions, please contact us!