Hacks & Frauds 4 min, 54 sec READ

by Mike Dalton

Bitcoin is larger ever. Will it be able to stay secure? Eric Budish's new paper outlines the high cost of keeping a blockchain secure.

A recent paper titled "The Economic Limits of Bitcoin and the Blockchain" was published earlier this month. Written by Eric Budish, an economics professor at the University of Chicago, the paper examines the costs of keeping Bitcoin-like blockchains secure as they operate on an increasingly larger scale. Budish's major concern is that the security model that the blockchain is built upon makes attack prevention more expensive as a blockchain grows.

The Equilibrium of Mining Costs

The cost of mining exists as a delicate balance. Mining on a blockchain is not free, and demands significant investment in "costs such as electricity and a rental cost for capital equipment." An equilibrium occurs when global electricity costs for mining are approximately equal to the value of mining rewards and transaction fees. This is efficient on a small scale, but Budish offers a startling analogy of just how expensive large-scale blockchain security could become,

imagine if [Visa users] had to pay fees to Visa [...] that were large relative to the value of a successful one-off attack on the Visa network.

Fortunately, these costs make it difficult for any one miner to gain control over a blockchain. In the event that an attacker does gain control over 50% of the network, it is possible for the attacker to perform a double-spend attack and create their own fork of the blockchain.

Although double-spend attacks happen occasionally, such as recent attacks on Bitcoin Gold, they are generally assumed to be too costly to carry out, besides the fact that they can be undone. Joshua Gans on Medium summarizes the benefits most succinctly,

computational power [...] applied to mining is assumed to be fungible (and so can be easily deployed in and out of the system at will [...] Once the attack is over, everyone competes as per normal.

While also noting the problem, Budish states, "Bitcoin is an institution whose long-term viability is based on the potential for very short-term enforcement mechanisms."

The Potential for Pure Sabotage

Typically, double-spend attacks would be detected quickly and stolen funds are quickly flagged. But Budish notes that there is the possibility of a "sabotage" attack, by attacking the network and exposing Bitcoin's vulnerabilities, the attacker could drive down the market price of Bitcoin without reaping the rewards,

While the attack would indeed work in the sense of obtaining the hoped-for goods or assets [...] the attack will harm the subsequent value of the attacker's own Bitcoin holdings.

But the saboteur's intent may not actually be to acquire Bitcoin, it may be to devalue cryptocurrency in comparison to other assets, or to short Bitcoin on the futures market, especially "if [Bitcoin] became sufficiently economically important — e.g., if it became a 'store of value' akin to gold."

However, it is worth noting that investors and institutions have been accused of manipulating the market even in the absence of sabotage attacks. It's not obvious that a sabotage attack would be any more damaging than any previous crash.

The Security Costs of Specialized Hardware

The "flow" or mining-related costs of attack prevention is one issue. But there is also the problem of "stock" costs, or how the existence of specialized mining hardware (ASICs) makes attack prevention more expensive. Because the newest ASIC chips are very expensive, it is typically assumed that it is very expensive to amass enough ASIC devices to carry out an attack.

But Burdish notes that this is not necessarily the case. There may be some mixture of moderately efficient ASIC chips, last-generation ASIC chips, and general-purpose chips on the market. These may not be hyperefficient, but they could still be efficient enough to carry out an attack. Furthermore, an attack could cause a decline in the value of mining equipment.

Budish does note that this is fortunately not the case with Bitcoin,

there is not a glut of previous-generation chips that could be cheaply deployed for an attack.

That said, Bitcoin is not the only cryptocurrency that is mined, merely the most valuable. Different coins use different algorithms, some of which may be more vulnerable to what Budish suggests.

Will Proof-of-Stake Solve the Problem?

Budish's paper specifically describes proof-of-work (PoW) mining and blockchains, but notes that his model may partly apply to proof-of-stake (PoS) blockchains, such as Ethereum. Budish notes that flow costs are likely an issue for both PoW and PoS systems, but that PoS systems may introduce new ways of stopping attacks,

[Proof-of-stake] may open new possibilities for thwarting attacks, e.g., confiscation of an attacker’s stake, or building some limited forms of reputation.

These solutions have become a reality, to some extent. Recently, several attackers' funds were confiscated on the EOS blockchain, which runs on a designated PoS model.

Collapse Scenarios

The question remains: What worst-case scenario is Budish actually warning the crypto community of?

His first scenario in which Bitcoin collapses occurs with an influx of mining hardware. If ASICs become cheaper, more readily available, and take longer to become obsolete, or if general-purpose chips become efficient enough to compete with ASICs, this could lead to disastrous attacks.

Budish's other scenario occurs if the security costs of Bitcoin become unmanageable: if Bitcoin is valuable enough, outside economic actors may have a reason to sabotage it, that is, either simply to damage Bitcoin if it is a threat to other assets, or to short Bitcoin and create a market in which it can be bought cheaply.

These scenarios are somewhat alarmist. Budish's most basic contention is that blockchain security is expensive, "the security of the blockchain requires on scarce, non-repurposable technology" and requires mining costs to be proportionate to the cost of that technology.

If Budish's worst case scenario is true, we can have secure blockchains, or inexpensive large-scale blockchains, but not both.