Thursday, June 16, 2022

Microeconomics Of Cryptocurrencies

The Microeconomics Of Cryptocurrencies by Hanna Halaburda, Guillaume Haeringer, Joshua S. Gans and Neil Gandal is an extremely valuable survey of the relevant research literature. Their abstract reads:
Since its launch in 2009 much has been written about Bitcoin, cryptocurrencies and blockchains. While the discussions initially took place mostly on blogs and other popular media, we now are witnessing the emergence of a growing body of rigorous academic research on these topics. By the nature of the phenomenon analyzed, this research spans many academic disciplines including macroeconomics, law and economics and computer science. This survey focuses on the microeconomics of cryptocurrencies themselves. What drives their supply, demand, trading price and competition amongst them. This literature has been emerging over the past decade and the purpose of this paper is to summarize its main findings so as to establish a base upon which future research can be conducted.
Below the fold, a few comments.

Section 3.1, The longest chain rule discusses the basis for the "consensus" in "Nakamoto consensus". Proof-of-Work both deters Sybil attacks and elects a network node to add the next block to the chain. Because there are inevitable delays in propagating the result of this election across the network, other nodes may initially believe that they were elected and work on a chain with their block added. The "longest chain rule" (LCR) mandates that miners work on the longest chain, which over time leads to consensus. Halaburda et al note:
Kroll et al. (2013) note that Bitcoin’s success relies on three types of consensus: (1) consensus about rules, (2) consensus about the state (i.e., there is a unique ledger), and (3) consensus that bitcoins are valuable. These consensus elements are related to each other. The miners’ source of income are the rewards and fees they obtain when adding a block, which are included in that block. If the blockchain forks, the rewards that are included in a branch are not recognized in the other branches. For those other branches, such rewards do not exist. The value attached to a bitcoin in a block, insofar as its owner plans to eventually spend it, then crucially depends on whether that block is recognized by other users. Consensus about bitcoins’ ”value” thus depends on the consensus about the state of the blockchain.
Section 3.3, Consensus as an equilibrium looks at the stability of this consensus under attack:
a related question was how much computing power did a miner need to unilaterally cause a deliberate fork? This issue was examined by Kiayias et al. (2016). They found that so long as no miner had more than 36% of the computing power, the LCR is a Nash equilibrium. However, for any miner with more than 46% of the computing power, forking is a profitable deviation. In other words, such a miner will always ignore the blocks that have been just mined by the other miners.
Interestingly, they note that a miner forking the blockchain has two options. The first is to release their blocks as soon as they solved the hashing puzzle, and the second is to mine secretly. ... They show that with secret mining strategies the threshold drops from 36% to 30.8%.

The idea of secret mining actually dates back to Eyal and Sirer (2014). Their model is similar to that Kiayias et al. but is motivated slightly differently. They consider the case of a large miner (e.g., a pool of miners) who has just solved the hashing puzzle, and faces the decision of whether releasing the new block to the network or to mine secretly on top of it. Eyal and Sirer give a precise description of optimal, secret mining strategies. The pool mining secretly as long as its branch is longer than the main branch, and releases it otherwise. They find that such a strategy may pay off as soon as the pool has 10% of the hashing power.
Eyal and Sirer's paper was posted to in November 2013, and I wrote about it the same month in The Bitcoin vulnerability.

Thus the theoretical threshold pool sizes for attacks are 46% for forking and 10% for secret mining. Individual pools regularly exceed 10% but have rarely exceeded 46%, however there is nothing to stop pools conspiring. Makarov and Schoar write:
Six out of the largest mining pools are registered in China and have strong ties to Bitmain Techonologies, which is the largest producer of Bitcoin mining hardware
Halaburda et al write:
If a miner broadcasts a transaction, the probability that some other miner will include it in their block and collect the fee increases. In the extreme case, if a miner is the first and only node hearing about a transaction, they may have incentives not to broadcast it at all and hold on to it until they are the one adding the block to the blockchain. It may be especially tempting if the transaction fee is large. Such hold up would cause the validation of this particular transaction to be delayed. This issue, while theoretically interesting, turned out not to be a problem in practice.
This is true but misleading, as it ignores the problems in practice of dark pools, front-running and "Miner Extractable Value" (MEV). I discuss dark pools and front-running in The Order Flow and MEV in Ethereum Has Issues. Fundamentally, the problems exist because miners are themselves transactors.

I first wrote about Eric Budish's The Economic Limits Of Bitcoin And The Blockchain in 2018's Cryptocurrencies Have Limits, which was an:
important analysis of the economics of two kinds of "51% attack" on Bitcoin and other cryptocurrencies, such as those becoming endemic on Bitcoin Gold and other alt-coins:
  • A "double spend" attack, in which an attacker spends cryptocurrency to obtain goods, then makes the spend disappear in order to spend the cryptocurrency again.
  • A "sabotage" attack, in which short-sellers discredit the cryptocurrency to reduce its value.
Section 3.4 Longest-chain attack: a formal model, reviews and extends Budish's analysis with subsequent work. First, some notation:
  • θ is the number of tokens in a block reward.
  • e is the number of dollars per token.
  • c is the cost to mine a block.
  • N is the number of honest nodes in the network.
  • The fraction of nodes controlled by an attacker is A/(A+1) where A > 1.
  • t is the number of blocks to wait for finality.
  • V(e) is the benefit an attacker gains.
Second, some results:
  • Miners' expected rewards must exceed their costs, i.e. Nc.
  • The cost of a majority attack is (ANc − eθ)t.
  • A majority attack is profitable if V(e) > (ANc - θe)t.
  • Budish's constraint for the blockchain to be secure is eθ(A − 1)tV(e), i.e. the benefit must be less than the cost of the attack.
  • Chiu and Koeppl (2017) refine Budish's constraint, which assumes the probability of a successful fork is linear, by observing that it actually follows a power law. The constraint becomes eθt(t + 1)V(e).
Note that all these results make two assumptions. First, they assume all miners have the same power. Second, they assume the network is in equilibrium. Neither is the case in the real world. Halaburda et al observe:
consider the case of Bitcoin which is designed to have θ decreasing over time and, according to Bitcoin’s afficionados, will have a higher future exchange rate e. The only way to maintain Bitcoin’s sustainability in this case is if the elasticity of V with respect to e is less than one. In other words, the value of transactions should not grow as much as Bitcoin’s exchange rate.
Other constraints on the value of transactions are discussed in Section 3.7 below.

Section 3.6, Proof-of-Stake as an alternative consensus mechanism provides an attack analysis similar to that for Proof-of-Work above, starting from work by Saleh, who:
derives sufficient conditions that guarantee that consensus is an equilibrium, once we take into account the depreciation of the token in case of a fork. Saleh then derives two additional results. First, restricting the ability to large stakeholders facilitates and speeds up consensus in case of a fork. The intuition is that such stakeholders have the most to lose from a disagreement, i.e., from the persistence of two or more branches. Second, Saleh finds that the lower the miners’ reward the better. The reason behind this counter-intuitive result is that low rewards enable the accumulation of vested interest in the blockchain (i.e., miners have less incentives to cash out their tokens). Given this, preserving one’s vested interest in the blockchain (the tokens) increase the incentives to favor consensus.
The authors continue with the analysis of Gans and Gandal, which using the same methodology as Budish, concludes:
In the case of Permissionless blockchains (i.e. free entry,) the cost of PoW schemes are identical to the cost of PoS schemes.
The intuition here is that defense against Sybil attacks requires that the reward for an attack be less than the cost of mounting it. There is nothing in this constraint about how the cost is imposed.

If the stake is S and the dollar interest rate is r, the requrement is ANteSrteθV(e). In simple terms, the value of the attack has to be less than the interest on the attacker's total stake for the duration of the attack, less the rewards during the attack.

In Economic Limits Of Proof-of-Stake Blockchains I critiqued the assumptions behind this analysis:
Gans & Gandal assume that PoS nodes are rational economic actors, accounting for the interest foregone by the staked cryptocurrency. As we see with Bitcoin's Lightning Network, true members of the cryptocurrency cult are not concerned that the foregone interest on capital they devote to making the system work is vastly greater than the fees they receive for doing so. The reason is that, as David Gerard writes, they believe that "number go up". In other words, they are convinced that the finite supply of their favorite coin guarantees that its value will in the future "go to the moon", providing capital gains that vastly outweigh the foregone interest.
There are a number of other practical problems here:
  • Presumably, this analysis should be refined using the logic of Chiu and Koeppl because the probability of success decreases with t in the same way.
  • The goal of cryptocurrencies, and in particular Ethereum, is to achieve transaction finality much quicker than Bitcoin's one hour. But even if they were as slow as Bitcoin, the foregone interest on the attacker's stake over one hour ANeSr would be small unless hourly interest rates were extraordinarily high. As I write BTC has a "market cap" of $575B and turns over $22B/day. This is the equivalent of an annual interest rate of about 1,400%.
  • With realistic interest rates the stake has to be extremely high to ensure that the requirement above is met. But this conflicts with Saleh's finding that the lower the miners’ reward the better. The reward term in ANteSrteθV(e) reduces the effectiveness of the stake. Given Bitcoin-like turnover this implies that for safety a large proportion of the available coins must be staked, reducing the proportion available for transactions. A currency where 100% of the coins were staked would be secure but not useful.
A Survey on Long-Range Attacks for Proof of Stake Protocols by Evangelos Deirmentzoglou et al is a useful reference for this topic; I discuss it and many others in Alternatives To Proof-of-Work.

Section 3.7, Transaction fees reports on various analyses of the future of Bitcoin as the mining reward decreases and fees become the major, and eventually the only source of miners' income:
Auer Graph 9
Halaburda et al don't cite Beyond the doomsday economics of “proof-of-work” in cryptocurrencies by Raphael Auer, which shows that:
with block rewards – which, at present, represent the vast majority of miners’ income and thus underpin the security of payments – being gradually phased out ... the security of payments is also set to deteriorate. Graph 9 gives an outlook regarding how waiting times could increase in the years to come, based on the above considerations of what is required to deter an attack
The graph was based on average transaction fees of 0.18BTC/block, close to today's 0.14BTC/block. Note that fees thus cover only about 2% of the cost of a transaction; they ar 98% subsidized by inflating the currency and speculation. Auer's analysis implies that currently transaction finality takes much longer than 6 blocks, but it assumes:
that attackers can rent any equipment they want at a stated price. The attack vector is thus certain to succeed
The difference between the two curves is the two assumptions about the difference between honest miners' cost per hash and the attacker's rental cost per hash. These rental economics are not currently a realistic scenario, but if Bitcoin's price continues to fall the pool of uneconomic mining power that is potentially rentable increases and thus the transaction finality waiting period tends to increase.

The long-term problem with a fee-only system is different. The average cost per transaction includes both the fee and the block reward. The graph shows it currently varies between $100 and $250/transaction, which is clearly enough to deter attacks. There is no possibility that a fee-only Bitcoin could charge $100-250 for the average transaction, so it would inevitably be less secure.

Cryptocurrency boosters continually complain about credit card fees at less than 3%. It is true that at present, with a relatively low demand for transactions, the total cost per transaction averages about half that. But:
  • Card fees are fixed, Bitcoin fees are set in an auction. Predictability has value.
  • In many cases a significant proportion of the fee is rebated to the originator of the transaction as an incentive in the competitive market for cards.
  • When the fixed supply meets variable demand, fees spike enormously. In April last year the average fee per transaction hit $60.
  • If the average fee to keep a fee-only system secure was $175/transaction, and it was 1.5% to compete with credit cards, the average transaction would be $11,666.67.
It isn't plausible that Bitcoin, with a limit of 7 transactions/sec and 1 hour finality, could ever provide a significant part of the overall transaction flow. But suppose it somehow did, so that people actually depended upon it to transact. Then, if some event caused a spike in demand for transactions, fees would spike and those unable to afford $60/transaction would face an indefinite wait for their transactions to be processed, while the rich would pay the price and get theirs processed. The resulting spiraling backlog would drive fees ever higher, while the inability to transact drove the majority of citizens to panic. This is a recipe for social collapse.


Unknown said...

Great article. But there are many more holes to explore... Some comments:

* There is a "67% attack" in which the attacker can impose any change to the protocol to every other user, hodler, exchange, miner, and "node", by freezing their coins until they switch to the attacker's hard-forked chain.

* While there is a correlation between fee and delay when the BTC network is congested, a stable "fee market" -- a practically computable function from desired delay to needed fee -- cannot exist. Such a "fee estimator" would require knowing which fees will be paid in the next 10 minutse by other users, who will be running fee estimators too. So it is somewhat like asking for an algorithm that will output a number that is more than twice the number it will output. Note that if 4 million txs arrive at the same time, many of them will take days to confirm -- even if they all pay 1 million USD of fee.

* Conversely, theory and history show that it is impossible to predict how long it will take for a transaction to be confirmed, given its fee. In particular, it is impossible to predict how long a backlog will last. We have seen transactions delayed by as much as 6 weeks.

* Moreover, it is impossible for the network to be permanently congested. Theory and history show that the incoming traffic T will grow until it is a bit below the capacity C, say 90%. Then random fluctuations in T and C will cause backlogs of random duration and size, separated by periods when the mempool is empty and the network is not congested. During these periods, there will be no "fee market" either, because any fee above the bare minimum will give confirmation in the next block.

* A 51% majority can raise the fees any way they like. One possibility is a demurrage tax -- an extra fee that depends on the age of the UTXO, say 5% per year, compounded on a block basis. For hodlers, that would be equivalent to a fixed 5% inflation per year. For miners, it would mean a fixed revenue of 5% of all existing coins per year, forever, independent of halvings. (Except that it would be distributed even more unevenly than the block reward. For example if Satoshi moved his 1 M BTC, the lucky miner who confirmed that tx would take more than 600'000 of those coins. How would the other miners react?

David. said...

Amy Castor and David Gerard celebrate the end of the current bubble, with BTC below $20K and below the high of the previous bubble, and ETH below $1K.

We should expect to see the hash rates start to drop. I'm told the break-even for BTC mining with the latest Bitmain chips is around $17K, and even before today's drop mining ETH with an Nvidia 2090 wasn't profitable on the East Coast. Let alone that if the long-delayed Merge really happens in September all their GPUs will be rendered obsolete. They will have to be sold into a collapsing market for used and even new GPUs.

David. said...

Amy Castor's The tale of a whale who took Solend’s money is a detailed look at how one whale took a notional 36% haircut to get $108M out of Solana's SOL token:

"In the case of Solend, a whale took out a large margin position. They parked 5.7 million SOL (currently worth $170 million) onto the platform to withdraw $108 million in USDC and USDT. The whale then vanished, and would not pay down the loan or respond to tweets from Solend’s pseudonymous founder Rooter. [Tweet]

This is one of the reasons we’ve seen such a proliferation of stablecoins in 2021 — they are used in DeFi lending. Retailers (the public) buy stablecoins and stake them on DeFi platforms hoping to earn higher interest than they can from traditional banks. The market cap of USDC was 4 billion in early 2021. Today, it is 56 billion.

The whale’s position represented 95% of all Solana deposits on Solend and 88% of all USDC the platform had lent out. If Solana dropped to $22.30, the whale risked partial liquidation — about $21 million worth of SOL — even though they didn’t seem to care. And the retail stakers risked losing their USDC."

Note that the whale lost a notional three times the liquidation they risked. This tells you that the whales are desperate to get their money out before the contagion spreads, as David Gerard and Amy Castor document in Crypto collapse latest: the contagion spreads:

"Fear spreads by contagion. There have never been enough dollars to cash out the paper wealth in crypto. So the whales — the largest crypto holders — are swinging their weight around to try to cash out before you can."