The Bitcoin Security Trilemma and the security budget

Bitcoin Security Trilemma: In as much as an attacker can marshal sufficient hashrate, Bitcoin must be A) Exploitable B)Value-Destructible or C)Mutable.

The proof is straightforward: First of all, let’s suppose that C) and B) both fail. If C) fails, Bitcoins rules are etched in stone, and nobody can change this — miners and nodes respect the longest chain as the valid chain, etc. If B) also fails, then no amount of selfish mining, double-spending, fee-sniping, malicious reorgs or whatever the attacker can come up with will harm the value of Bitcoin. In this case, not only is there nothing preventing selfish mining, but the market does not responder negatively to it. An attacker with 33% may begin selfish mining without fear of their blocks being considered invalid or losing value of Bitcoins mined. Similarly, an attacker who can string together enough blocks to perform a reorg resulting in a double-spend can enjoy the fruits of their double-spend without worrying about a loss of faith in the market. Necessarily, we conclude A) must true, the attacker can exploit Bitcoin for fun and profit.

Now of course, many will be howling “no attacker will every marshal sufficient hashrate” so this one of those theorems about the empty set. But this is where the discussions of dwindling security budget comes into play.

The block subsidy is halving roughly every four years: In 2024 this mandated security subsidy will drop to less than 1% of total market value per year. Fees are showing no signs of picking up the slack. Add another 12 years and the subsidy will be less than 0.1% of the total market value per year. Mining profits will decrease as revenue decreases, and the markets for ASICs and cheap energy mature. Miners may be operating with low margins. Aggressive corporations can mine at small losses to increase their market share. It may become difficult for the average person at home to compete with corporations that have access to dirt cheap electricity. So mining will be more concentrated, and it will be possible for certain entities to have a reasonable share of the hashrate.

A decade ago, most Bitcoiners seemed to think that C) was eternally false: If Bitcoin was ever exploited, the game would be over, and it would be time to go home. But this isn’t the consensus anymore. If Bitcoin is still around in a decade, it will be simply unacceptable for quite a few folks to simply pack everything up and move on. Bitcoin will have to continue, which means that the community has a decision to either allow occasional exploits or attacks to occur, or, to take steps to override these by an ill-defined community consensus.

It’s becoming now more an accepted view that the latter will happen. OG Bitcoiners may consider this blasphemy and say “why do we do PoW in the first place?” which is a valid question, and also has an answer. Proof of Work works day -to-day, while the attacks that require community override are extremely rare. The fact that such attacks are rare means that the attacker cannot count on the response by the community. Until such attacks occur, the attacker literally has no idea — will my double-spend be considered fair-play or will the community decide to consider my blocks invalid and my efforts wasted? Is it worth it to raise enough capital to start openly selfish mining?

This lack of certainty in the response makes returns on an attack uncertain, and thus discourages attacks.

However, as the security budget dwindles, the attacker can make attacks more cheaply. With each attack, they gain more information on how the community will respond. The community, on the other hand, has no good method of a decisive top-down response and will probably use previous responses as sort of a “common law” that acts as a Schelling Point. If the community rejected a clearly malicious 10 block reorg that happened in May, they will probably immediately reject a 10 block reorg that happens the following December.

So a wise attacker with some hash power, (but perhaps not over 51%) would be launch occasional attacks as sort of reconnaissance, in order to find the fracture points. If the community tends to agree that a four-block reorg is OK but a five-block reorg is too much, the attacker now has something to exploit: Enough carefully timed four-block reorgs will throw the network into confusion.

Similarly, someone with much less than majority hashrate (say 17%) can dip their toes into the waters of selfish mining. They would expect to supplant at least 4 honest blocks per day and perform 2-block reorgs several times per week. If the community does nothing, the selfish miner can attempt to add hashpower. On the other hand, if the community does decide to do something, one can study what the community does, what their procedures are, and use this as an attack vector.

The best-positioned attacker would be one who can gain in the case where the value falls, or their exploit is profitable.