In Bitcoin and Ethereum Carbon Footprints – Part 2, Moritz Seibert claims the reason for mining is to get the mining reward:
Bitcoin transactions themselves don’t cause a lot of power usage. Getting the network to accept a transaction consumes almost no power, but having ASIC miners grind through the mathematical ether to solve valid blocks does. Miners are incentivized to do this because they are compensated for it. Presently, that compensation includes a block reward which is paid in bitcoin (6.25 BTC per block) as well as a miner fee (transaction fee). Transaction fees are denominated in fractional bitcoins and paid by the initiator of the transaction. Today, about 15% of total miners’ rewards are transactions fees, and about 85% are block rewards.So, he argues, Bitcoin's current catastrophic carbon footprint doesn't matter because, as the reward decreases, so will the carbon footprint:
This also means that the power usage of the Bitcoin network won’t scale linearly with the number of transactions as the network becomes predominantly fee-based and less rewards-based (which causes a lot of power to the thrown at it in light of increasing BTC prices), and especially if those transactions take place on secondary layers. In other words, taking the ratio of “Bitcoin’s total power usage” to “Number of transactions” to calculate the “Power cost per transaction” falsely implies that all transactions hit the final settlement layer (they don’t) and disregards the fact that the final state of the Bitcoin base layer is a fee-based state which requires a very small fraction of Bitcoin’s overall power usage today (no more block rewards).Seibert has some vague idea that there are implications of this not just for the carbon footprint but also for the security of the Bitcoin blockchain:
Going forward however, miners’ primary revenue source will change from block rewards to the fees paid for the processing of transactions, which don’t per se cause high carbon emissions. Bitcoin is set to become be a purely fee-based system (which may pose a risk to the security of the system itself if the overall hash rate declines, but that’s a topic for another article because a blockchain that is fully reliant on fees requires that BTCs are transacted with rather than held in Michael Saylor-style as HODLing leads to low BTC velocity, which does not contribute to security in a setup where fees are the only rewards for miners.)Lets leave aside the stunning irresponsibility of arguing that it is acceptable to dump huge amounts of long-lasting greenhouse gas into the atmosphere now because you believe that in the future you will dump less. How realistic is the idea that decreasing the mining reward will decrease the carbon footprint?
The graph shows the history of the hash rate, which is a proxy for the carbon footprint. You can see the effect of the "halvening", when on May 11th 2020 the mining reward halved. There was a temporary drop, but the hash rate resumed its inexorable rise. This experiment shows that reducing the mining reward doesn't reduce the carbon footprint. So why does Seibert think that eliminating it will reduce the carbon footprint?
The answer appears to be that Seibert thinks the purpose of mining is to create new Bitcoins, that the reason for the vast expenditure of energy is to make the process of creating new coins secure, and that it has nothing to do with the security of transactions. This completely misunderstands the technology.
In The Economic Limits of Bitcoin and the Blockchain, Eric Budish examines the return on investment in two kinds of attacks on a blockchain like Bitcoin's. The simpler one is a 51% attack, in which an attacker controls the majority of the mining power. Budish explains what this allows the attacker to do:
An attacker could (i) spend Bitcoins, i.e., engage in a transaction in which he sends his Bitcoins to some merchant in exchange for goods or assets; then (ii) allow that transaction to be added to the public blockchain (i.e., the longest chain); and then subsequently (iii) remove that transaction from the public blockchain, by building an alternative longest chain, which he can do with certainty given his majority of computing power. The merchant, upon seeing the transaction added to the public blockchain in (ii), gives the attacker goods or assets in exchange for the Bitcoins, perhaps after an escrow period. But, when the attacker removes the transaction from the public blockchain in (iii), the merchant effectively loses his Bitcoins, allowing the attacker to “double spend” the coins elsewhere.Such attacks are endemic among the smaller alt-coins; for example there were three successful attacks on Ethereum Classic in a single month last year. Clearly, Seibert's future "transaction only" Bitcoin must defend against them.
There are two ways to mount a 51% attack, from the outside or from the inside. An outside attack requires more mining power than the insiders are using, whereas an insider attack only needs a majority of the mining power to conspire. Bitcoin miners collaborate in "mining pools" to reduce volatility of their income, and for many years it would have taken only three or so pools to conspire for a successful attack. But assuming insiders are honest, outsiders must acquire more mining power than the insiders are using. Clearly, Bitcoin insiders are using so much mining power that this isn't feasible.
The point of mining isn't to create new Bitcoins. Mining is needed to make the process of adding a block to the chain, and thus adding a set of transactions to the chain, so expensive that it isn't worth it for an attacker to subvert the process. The cost, and thus in the case of Proof of Work the carbon footprint, is the whole point. As Budish wrote:
From a computer security perspective, the key thing to note ... is that the security of the blockchain is linear in the amount of expenditure on mining power, ... In contrast, in many other contexts investments in computer security yield convex returns (e.g., traditional uses of cryptography) — analogously to how a lock on a door increases the security of a house by more than the cost of the lock.Lets consider the possible futures of a fee-based Bitcoin blockchain. It turns out that currently fee revenue is a smaller proportion of total miner revenue than Seibert claims. Here is the chart of total revenue (~$60M/day):
And here is the chart of fee revenue (~$5M/day):
Thus the split is about 8% fee, 92% reward:
- If security stays the same, blocksize stays the same, fees must increase to keep the cost of a 51% attack high enough.
The chart shows the average fee hovering around $20, so the average cost of a single transaction would be over $240. This might be a problem for Seibert's requirement that "BTCs are transacted with rather than held".
- If blocksize stays the same, fees stay the same, security must decrease because the fees cannot cover the cost of enough hash power to deter a 51% attack. Similarly, in this case it would be 12 times cheaper to mount a 51% attack, which would greatly increase the risk of delivering anything in return for Bitcoin. It is already the case that users are advised to wait 6 blocks (about an hour) before treating a transaction as final. Waiting nearly half a day before finality would probably be a disincentive.
- If fees stay the same, security stays the same, blocksize must increase to allow for enough transactions so that their fees cover the cost of enough hash power to deter a 51% attack. Since 2017 Bitcoin blocks have been effectively limited to around 2MB, and the blockchain is now over one-third of a Terabyte growing at over 25%/yr. Increasing the size limit to say 22MB would solve the long-term problem of a fee-based system at the cost of reducing miners income in the short term by reducing the scarcity value of a slot in a block. Doubling the effective size of the block caused a huge controversy in the Bitcoin community for precisely this short vs. long conflict, so a much larger increase would be even more controversial. Not to mention that the size of the blockchain a year from now would be 3 times bigger imposing additional storage costs on miners.
That is just the supply side. On the demand side it is an open question as to whether there would be 12 times the current demand for transactions costing $20 and taking an hour which, at least in the US, must each be reported to the tax authorities.
|Short vs. Long|
In this section we will assume q < p [i.e., that the attacker does not have a majority]. Otherwise, all bets are off with the current Bitcoin protocol ... The honest miners, who no longer receive any rewards, would quit due to lack of incentive; this will make it even easier for the attacker to maintain his dominance. This will cause either the collapse of Bitcoin or a move to a modified protocol. As such, this attack is best seen as an attempt to destroy Bitcoin, motivated not by the desire to obtain Bitcoin value, but rather wishing to maintain entrenched economical systems or obtain speculative profits from holding a short position.Short interest in Bitcoin is currently small relative to the total stock, but much larger relative to the circulating supply. Budish analyzes various sabotage attack cases, with a parameter ∆attack representing the proportion of the Bitcoin value destroyed by the attack:
For example, if ∆attack = 1, i.e., if the attack causes a total collapse of the value of Bitcoin, the attacker loses exactly as much in Bitcoin value as he gains from double spending; in effect, there is no chance to “double” spend after all. ... However, ∆attack is something of a “pick your poison” parameter. If ∆attack is small, then the system is vulnerable to the double-spending attack ... and the implicit transactions tax on economic activity using the blockchain has to be high. If ∆attack is large, then a short time period of access to a large amount of computing power can sabotage the blockchain.The current cryptocurrency bubble ensures that everyone is making enough paper profits from the golden eggs to deter them from killing the goose that lays them. But it is easy to create scenarios in which a rush for the exits might make killing the goose seem like the best way out.
Seibert's misunderstanding illustrates the fundamental problem with permissionless blockchains. As I wrote in A Note On Blockchains:
If joining the replica set of a permissionless blockchain is free, it will be vulnerable to Sybil attacks, in which an attacker creates many apparently independent replicas which are actually under his sole control. If creating and maintaining a replica is free, anyone can authorize any change they choose simply by creating enough Sybil replicas.There are many attempts to provide less environmentally damaging ways to make adding a block to a blockchain expensive, but attempts to make adding a block cheaper are self-defeating because they make the blockchain less secure.
Defending against Sybil attacks requires that membership in a replica set be expensive.
There are two reasons why the primary use of a permissionless blockchain cannot be transactions as opposed to HODL-ing:
- The lack of synchronization between the peers means that transactions must necessarily be slow.
- The need to defend against Sybil attacks means either that transactions must necessarily be expensive, or that blocks must be impractically large.