Bitcoin aspires to take over the world. But as we all know (according to poorly sourced conspiracy forums), the world is currently run by the Bank of International Settlements (BIS), the central bank to central banks. That means Bitcoin needs to displace the BIS in the near future if it is to get anywhere.Auer's is indeed an excellent piece of work. Follow me below the fold for some details.
But it takes one to know one.
So here's the dominant global payments system calling out the aspiring global payments system in an excellent piece of professional trolling this week
Kaminska notes the fact that each transaction is in a blind auction with all the pending transactions for inclusion in the next block:
This means you're a mug if you pay a high fee to get your bitcoin transaction processed more quickly because you can never be sure you're paying a fair price.That is part of Auer's analysis, which asks two questions:
In the world of bitcoin, urgent transactions subsidise non-urgent transactions.
This might be justifiable if payment urgency was somehow a reflection of status, wealth or hierarchy, but it's not. Poor people need to make urgent payments just as often as the wealthy. A payment network which depends on gouging the desperate to run efficiently, while giving free gifts to the non-desperate is no basis for a system of money. It's all made worse, according to the BIS, by the fact that one's excessive payment in one block can't even guarantee settlement finality. That depends not just on your block being mined successfully but subsequent ones too, which you cannot influence at all.
First, how efficient is the fundamental architecture of deterring forgeries via costly proof-of-work? And second, can the market for transactions actually generate rewards that are valuable enough to ensure that payment finality is really achieved?The TL;DR is simple:
Analysing these two elements uncovers fundamental economic limitations that cloud the future of cryptocurrencies based on proof-of-work. In sum, with the current technology, it is not even clear whether such cryptocurrencies can keep functioning as they do at the time of writing. This statement is unrelated to well known restrictions on the scale of such payment systems or the volatility of cryptocurrencies. Rather, it concerns the fundamentals of Nakamoto’s updating process, which has two limitations that interact in a fateful manner.
The key takeaway of this paper concerns the interaction of these two limitations: proof-of-work can only achieve payment security if mining income is high, but the transaction market cannot generate an adequate level of income. ... the economic design of the transaction market fails to generate high enough fees. A simple model suggests that ultimately, it could take nearly a year, or 50,000 blocks, before a payment could be considered “final”.Auer's first question arrives at a similar conclusion to Eric Budish, namely that the value of transactions in a block must be low relative to the block reward plus fees:
The first limitation is that proof-of-work axiomatically requires high transaction costs to ensure payment finality ... Counterfeiters can attack bitcoin via a “double-spending” strategy, ie spending in one block and later undoing this by releasing a forged blockchain in which the transactions are erased.Auer's different model of an attack results in a different criterion than Budish, but the basic idea is the same:
This paper starts by introducing the concept of “economic payment finality” in the blockchain. That is, a payment can be considered final only once it is unprofitable for any potential adversary to undo it with a double-spending attack. ... If the incentives of potential attackers are analysed, it is clear that the cost of economic payment finality is extreme. For example, to achieve economic payment finality within six blocks (one hour), back of the envelope calculations suggest that mining income must mount to 8.3% of the transaction volume – a multiple of transaction fees in today’s mainstream payment services.
double-spending is very profitable. In fact, attackers stand to gain a much higher bitcoin income than does an honest miner. While honest miners simply collect block rewards and transaction fees, counterfeiters collect not only any block rewards and transaction fees in the forged chain, but also the amount that was double-spent, ie the value of the voided transactions. This “attacker advantage” ultimately translates into a very high required ratio for miners’ income as compared with the transaction volume (the amount that can be double-spent).
Note that Huberman et al (2017) examine congestion in the market for transaction fees while assuming that “the mining resources are sufficient to guarantee the system's reliability and security” (see p 4), a focus very similar to Easley et al (2018). In contrast, Budish (2018) examines the economics of security, ie of double-spending attacks, but not how mining income is determined. In this paper, I combine these approaches to show how the economics of security and the market for transaction fees interact, ie how the market of transactions determines payment security and what this implies for the future liquidity of bitcoin.
The second fundamental economic limitation is that the system cannot generate transaction fees in line with the goal of guaranteeing payment security. Either, the system works below capacity and users’ incentives to set transaction fees are very low, or the system becomes congested ... Underlying this is a key externality: the proof-of-work and hence the level of security is determined at the level of the block one’s transaction is included in, with protection also being provided by the proofs-of-work for subsequent blocks. In contrast, the fee is set by each user privately, hence creating a classical free-rider problem, amounting to a veritable “tragedy of the common chain”. While each user would benefit from high transaction fee income for the miner, the incentives to contribute with one’s own fee are low.
Note that the economic attack vector outlined above crucially assumes that any amount of hash power can be rented at short notice. Up to December 2018, this would only have been a realistic possibility for cryptocurrencies with a modest network of users (some of which were, in fact, attacked), but not for Bitcoin. Since then, however, as the price of bitcoin has collapsed, many miners located in countries with high energy costs can no longer recover the cost of electricity and have turned off their equipment, as is evident from the decline in the total hash power of Bitcoin’s network of miners ... As a result, the surplus of mining equipment that could be switched on any time for high-return double-spending attacks might even bring an attack on Bitcoin within the realms of possibility. And this issue is set to intensify during mid-2020, when the block rewards are halved, pushing further mining equipment out of the regular mining market.In the future, when transaction fees have displaced block rewards, the blind auction for inclusion in a block malfunctions:
Furthermore, other forms of attack on bitcoin have become substantially cheaper in recent months. As an extreme example, consider how expensive it would be to amass equipment that, in total, would wield 101% of the hash power of all current bitcoin miners. This could then be used to launch double-spending attacks and essentially hold Bitcoin hostage. Although substantial, the cost of doing this has come down dramatically, not just because the hash rate of bitcoin’s network of miners has peaked, but thanks mainly to the steep recent fall in the price of mining equipment.
from an economic point of view, the consideration in Nakamoto (2008) that waiting time adds exponentially to the security of bitcoin payments does not hold true: equation (8) shows that waiting times only add linearly to the cost of a forgery, so that the system can sustain low transaction costs only by means of extremely long waiting times. This second consideration is crucial for Bitcoin’s future, ... The key result is that the fee set on a decentralised basis is much lower than the optimal fee ... resulting in extreme waiting times.Auer goes on to discuss the Lightning network:
There are two sets of key concerns. The first is of a technical nature and beyond the scope of this paper – it relates to what is required to deter potential attacks on this specific architecture and whether all participants need to be online all the time for payments to be routable.As I discussed in Techno-Hype part 2.5, the routing problem is far more difficult than Auer implies, and even without considering Auer's economic argument would have forced the Lightning Network into a hub-and-spoke configuration, which is where it has ended up. See also Shitcoin And the Lightning Network for the experience of actually running a Lightning hub.
The second concern relates to economic network theory on the trade-off between efficiency and centralisation. If the Lightning Network remains truly distributed, it would require substantial pre-funding. For example, if routing a payment from A to B typically involves four intermediate channels, it would in total require preloaded values five times as large as the actual payment amount. And it is uncertain whether a typical user, who might upload, say, USD 200 to finance small expenses, would also be willing to foot another USD 800 just to support the network’s routing capacity.
Especially when combined with Eric Budish's work, this is a very important paper. And it has a very useful 3-page bibliography.