Wouldn’t it be better if hashpower was more distributed?
Absolutely. I regret not making that more clear in the article itself, but widely distributed hashpower is strictly better than concentrated hashpower. Concentrated hashpower just doesn’t break the system. That’s a big difference.
You can think of Bitcoin as having different layers of security guarantees; as you peel them off, the security of the system degrades but doesn’t fall apart immediately. If there are ten miners, each of whom controls ten percent of the hashpower and who never collude with each other, then most attacks are fundamentally impossible. Any attacker would race with a chain that outpaces his own nine to one – a huge uphill battle. That is the best possible scenario for the network.
But even if a miner controlled more hashpower than that, Bitcoin has the nice property that the amount of value a miner has at stake scales linearly with his power in the network. So there is still an incentive to be honest because misbehavior is met with a steep penalty. At least as long as the block reward is sufficiently high.
Nic Carter summed that up better than I did:
“Bitcoin consensus is protected, effectively, by two layers of defense.
#1 it’s hard to obtain control at the network level
#2 even if you have control, it’s not in your interest to interfere with the network”
Many people are not aware the #2 layer even exists, and I want to change that.
Folk wisdom still says that a network becomes insecure the moment a single party controls >50% hashpower. Of course, we would prefer that hashpower is widely distributed, but there’s only so much we can do in that regard without moving away from the idea of a permissionless system.
If hashpower concentration doesn’t break Bitcoin, why have smaller systems been attacked?
Ethereum Classic and Bitcoin Gold are two examples from the top 50 crypto assets that have been attacked before, each more than once.
The intuitive reaction may be to blame it on the size difference (Bitcoin is 175x larger than ETC and 985x larger than BTG). In my opinion, the primary reason these systems are insecure is not their size but their lack of forced commitment from miners. It’s no coincidence that both systems subscribe to a fallacy called ASIC resistance. The goal behind ASIC resistance is to keep mining competitive for hobbyists, which they achieve by using memory-hard hashing algorithms.
But the perceived benefits for fairness come with significant downsides for system security. Bitcoin ASICs are so specialized, they are not useful for much else other than mining bitcoin. If Bitcoin ever went away, their market value would drop to zero. Miners in Bitcoin need to own a lot of Bitcoin ASICs, so their balance sheet is necessarily tied to the health of the Bitcoin network.
GPU miners, on the other hand, are available to hobbyists because they are not specialized. Most people have one in their gaming PC and can continue to use them for gaming or mining other GPU coins (or sell them to other gamers or GPU miners). So their value is not tied to the value of a particular coin. Further, because many use cases require GPUs (e.g. machine learning or video processing) there are compute-marketplaces where such general-purpose hardware can be rented.
The attacks on ETC and BTG have been executed with such rented hardware, allowing a miner to acquire temporary power over a network without forcing them to enter a long-term commitment to the particular network.
So the reason that some smaller coins (but not others) are at risk is that miners incur no financial penalty from attacking them – largely due to the fallacy of ASIC resistance.
(Thanks to Amrit Kumar for this question.)
So Bitcoin miners are financially bound to the network, and attacking the network would be self-destructive. But this leaves wiggle room for a third party to force miners to attack the network against their will, or simply confiscate their equipment in a large-scale operation and use it to attack.
By coercing miners, couldn’t the Chinese government attack Bitcoin for free?
In practice, I think this is not true because countries, similar to the private sector, incur an opportunity cost from attacking Bitcoin. By driving out a profitable industry such as mining, they would sacrifice future tax revenue. Bitcoin mining is great for countries with a lot of cheap energy but no way to use it domestically. Previously, aluminum refining has been used for the purpose of de-facto exporting electricity from low-cost countries to high-cost countries.
Depending on how a mining crackdown happens, it can also disrupt faith in local property rights and the rule of law, which are important drivers of economic prosperity and foreign investment.
Finally, no system is secure against an attacker who’s willing to incur an unlimited opportunity cost. If the US or China set their mind to destroying Bitcoin, no matter the cost, then there’s nothing that can be done about it. We can, however, make it as painful as possible to destroy Bitcoin by driving up that cost. That is the strongest deterrent we have.
Concentration of hashpower may be inevitable unless we start vetting miners (effectively turning the system into a permissioned one), but this raises the question of how Bitcoin with a single miner even differs from a centralized company like Paypal.
Does this “more power, more to lose” argument not equally apply to centralized systems?
Before we start, let me point to the very first answer. We don’t want hashpower to be concentrated; it’s simply not possible to disprove that concentration exists. Don’t assume something you can’t prove, at least directionally!
The way mining works, any moment now existing miners could reveal that they have been colluding on a secret chain. And the same applies to an entirely new miner, of course. Models that don’t consider collusion by miners by capping their maximum hashpower are simply not realistic and offer strictly worse security guarantees than models that do.
Though I understand that may not necessarily convince you that the huge amounts of electricity we spend on PoW are “worth it” under that assumption. So let me try a different explanation. I will argue that, even as all hashpower is currently controlled by a single miner, Bitcoin still differs significantly from a system like Paypal or a commercial bank. So the worst case is not actually as bad as it may seem.
- Bitcoin is fully auditable with no trust required. Users can validate that the central miner follows the rules of the network. These validity rules apply to a 100% miner the same way they apply to ten 10% miners. Users can also transparently evaluate the work of that miner. If the miner double-spends or censors transactions, users will be aware of that.
- Users can exit more easily. Building on the previous idea, if users are unhappy with the work of the current miner, they can simply fire him by collectively forking to a different PoW algorithm. This is significantly easier to coordinate than collectively switching to a Paypal competitor – which may not even exist. All users have read access to the shared state – the UTXO set – making it really easy to take that state and leave if the need arises. If Paypal failed, and someone started a new one, you would not get your Paypal balance back.
- Governments have less leverage on miners. Now you might respond that in capitalism, it is rarely the companies themselves that hurt users – it’s usually a result of government intervention, whether via direct regulation or indirect pressure to cut off certain people. And I agree that nation-states are the biggest threat for Bitcoin, as they, in turn, see it as a threat to their monetary and fiscal sovereignty. But nation-states have very different leverage over Paypal or a commercial bank than they have over miners. Let’s dissect why:
  - Leverage is inversely correlated to mobility. Someone who can pick up and walk away cannot be coerced. This applies to miners! If miners expect the local policy to turn for the worse, they can move to a different country with minimal effort. As a result, their leverage over local policy may actually be bigger than vice versa. We see evidence of that with the rise of “special economic zones” for mining in some countries.
  - The miner can be replaced. If the local government “disappeared” the miner, that’s when the free entry to mining matters, as miners in other countries can simply come online and pick up the slack. So the government must be aware that any shenanigans it can do by confiscating mining hardware, and possibly using it to attack, can only be done once. Finally, a miner can always be disrupted in an organic way by another miner who makes more profit. For example, if the old miner does not process some transactions (censorship), he creates an incentive for a new miner to step in and make more money by processing them.
(Thanks to Raphael Auer, figo, and latetot for asking this question.)