Since its launch in 2009 much has been written about Bitcoin, cryptocurrencies and blockchains. While the discussions initially took place mostly on blogs and other popular media, we now are witnessing the emergence of a growing body of rigorous academic research on these topics. By the nature of the phenomenon analyzed, this research spans many academic disciplines including macroeconomics, law and economics and computer science. This survey focuses on the microeconomics of cryptocurrencies themselves. What drives their supply, demand, trading price and competition amongst them. This literature has been emerging over the past decade and the purpose of this paper is to summarize its main findings so as to establish a base upon which future research can be conducted.Below the fold, a few comments.
Section 3.1, The longest chain rule discusses the basis for the "consensus" in "Nakamoto consensus". Proof-of-Work both deters Sybil attacks and elects a network node to add the next block to the chain. Because there are inevitable delays in propagating the result of this election across the network, other nodes may initially believe that they were elected and work on a chain with their block added. The "longest chain rule" (LCR) mandates that miners work on the longest chain, which over time leads to consensus. Halaburda et al note:
Kroll et al. (2013) note that Bitcoin’s success relies on three types of consensus: (1) consensus about rules, (2) consensus about the state (i.e., there is a unique ledger), and (3) consensus that bitcoins are valuable. These consensus elements are related to each other. The miners’ source of income are the rewards and fees they obtain when adding a block, which are included in that block. If the blockchain forks, the rewards that are included in a branch are not recognized in the other branches. For those other branches, such rewards do not exist. The value attached to a bitcoin in a block, insofar as its owner plans to eventually spend it, then crucially depends on whether that block is recognized by other users. Consensus about bitcoins’ ”value” thus depends on the consensus about the state of the blockchain.Section 3.3, Consensus as an equilibrium looks at the stability of this consensus under attack:
a related question was how much computing power did a miner need to unilaterally cause a deliberate fork? This issue was examined by Kiayias et al. (2016). They found that so long as no miner had more than 36% of the computing power, the LCR is a Nash equilibrium. However, for any miner with more than 46% of the computing power, forking is a profitable deviation. In other words, such a miner will always ignore the blocks that have been just mined by the other miners.Eyal and Sirer's paper was posted to arxiv.org in November 2013, and I wrote about it the same month in The Bitcoin vulnerability.
Interestingly, they note that a miner forking the blockchain has two options. The first is to release their blocks as soon as they solved the hashing puzzle, and the second is to mine secretly. ... They show that with secret mining strategies the threshold drops from 36% to 30.8%.
The idea of secret mining actually dates back to Eyal and Sirer (2014). Their model is similar to that Kiayias et al. but is motivated slightly differently. They consider the case of a large miner (e.g., a pool of miners) who has just solved the hashing puzzle, and faces the decision of whether releasing the new block to the network or to mine secretly on top of it. Eyal and Sirer give a precise description of optimal, secret mining strategies. The pool mining secretly as long as its branch is longer than the main branch, and releases it otherwise. They find that such a strategy may pay off as soon as the pool has 10% of the hashing power.
Thus the theoretical threshold pool sizes for attacks are 46% for forking and 10% for secret mining. Individual pools regularly exceed 10% but have rarely exceeded 46%, however there is nothing to stop pools conspiring. Makarov and Schoar write:
Six out of the largest mining pools are registered in China and have strong ties to Bitmain Techonologies, which is the largest producer of Bitcoin mining hardwareHalaburda et al write:
If a miner broadcasts a transaction, the probability that some other miner will include it in their block and collect the fee increases. In the extreme case, if a miner is the first and only node hearing about a transaction, they may have incentives not to broadcast it at all and hold on to it until they are the one adding the block to the blockchain. It may be especially tempting if the transaction fee is large. Such hold up would cause the validation of this particular transaction to be delayed. This issue, while theoretically interesting, turned out not to be a problem in practice.This is true but misleading, as it ignores the problems in practice of dark pools, front-running and "Miner Extractable Value" (MEV). I discuss dark pools and front-running in The Order Flow and MEV in Ethereum Has Issues. Fundamentally, the problems exist because miners are themselves transactors.
I first wrote about Eric Budish's The Economic Limits Of Bitcoin And The Blockchain in 2018's Cryptocurrencies Have Limits, which was an:
important analysis of the economics of two kinds of "51% attack" on Bitcoin and other cryptocurrencies, such as those becoming endemic on Bitcoin Gold and other alt-coins:Section 3.4 Longest-chain attack: a formal model, reviews and extends Budish's analysis with subsequent work. First, some notation:
- A "double spend" attack, in which an attacker spends cryptocurrency to obtain goods, then makes the spend disappear in order to spend the cryptocurrency again.
- A "sabotage" attack, in which short-sellers discredit the cryptocurrency to reduce its value.
- θ is the number of tokens in a block reward.
- e is the number of dollars per token.
- c is the cost to mine a block.
- N is the number of honest nodes in the network.
- The fraction of nodes controlled by an attacker is A/(A+1) where A > 1.
- t is the number of blocks to wait for finality.
- V(e) is the benefit an attacker gains.
- Miners' expected rewards must exceed their costs, i.e. eθ ≥ Nc.
- The cost of a majority attack is (ANc − eθ)t.
- A majority attack is profitable if V(e) > (ANc - θe)t.
- Budish's constraint for the blockchain to be secure is eθ(A − 1)t ≥ V(e), i.e. the benefit must be less than the cost of the attack.
- Chiu and Koeppl (2017) refine Budish's constraint, which assumes the probability of a successful fork is linear, by observing that it actually follows a power law. The constraint becomes eθt(t + 1) ≥ V(e).
consider the case of Bitcoin which is designed to have θ decreasing over time and, according to Bitcoin’s afficionados, will have a higher future exchange rate e. The only way to maintain Bitcoin’s sustainability in this case is if the elasticity of V with respect to e is less than one. In other words, the value of transactions should not grow as much as Bitcoin’s exchange rate.Other constraints on the value of transactions are discussed in Section 3.7 below.
Section 3.6, Proof-of-Stake as an alternative consensus mechanism provides an attack analysis similar to that for Proof-of-Work above, starting from work by Saleh, who:
derives sufficient conditions that guarantee that consensus is an equilibrium, once we take into account the depreciation of the token in case of a fork. Saleh then derives two additional results. First, restricting the ability to large stakeholders facilitates and speeds up consensus in case of a fork. The intuition is that such stakeholders have the most to lose from a disagreement, i.e., from the persistence of two or more branches. Second, Saleh finds that the lower the miners’ reward the better. The reason behind this counter-intuitive result is that low rewards enable the accumulation of vested interest in the blockchain (i.e., miners have less incentives to cash out their tokens). Given this, preserving one’s vested interest in the blockchain (the tokens) increase the incentives to favor consensus.The authors continue with the analysis of Gans and Gandal, which using the same methodology as Budish, concludes:
In the case of Permissionless blockchains (i.e. free entry,) the cost of PoW schemes are identical to the cost of PoS schemes.The intuition here is that defense against Sybil attacks requires that the reward for an attack be less than the cost of mounting it. There is nothing in this constraint about how the cost is imposed.
If the stake is S and the dollar interest rate is r, the requrement is ANteSr − teθ ≥ V(e). In simple terms, the value of the attack has to be less than the interest on the attacker's total stake for the duration of the attack, less the rewards during the attack.
In Economic Limits Of Proof-of-Stake Blockchains I critiqued the assumptions behind this analysis:
Gans & Gandal assume that PoS nodes are rational economic actors, accounting for the interest foregone by the staked cryptocurrency. As we see with Bitcoin's Lightning Network, true members of the cryptocurrency cult are not concerned that the foregone interest on capital they devote to making the system work is vastly greater than the fees they receive for doing so. The reason is that, as David Gerard writes, they believe that "number go up". In other words, they are convinced that the finite supply of their favorite coin guarantees that its value will in the future "go to the moon", providing capital gains that vastly outweigh the foregone interest.There are a number of other practical problems here:
- Presumably, this analysis should be refined using the logic of Chiu and Koeppl because the probability of success decreases with t in the same way.
- The goal of cryptocurrencies, and in particular Ethereum, is to achieve transaction finality much quicker than Bitcoin's one hour. But even if they were as slow as Bitcoin, the foregone interest on the attacker's stake over one hour ANeSr would be small unless hourly interest rates were extraordinarily high. As I write BTC has a "market cap" of $575B and turns over $22B/day. This is the equivalent of an annual interest rate of about 1,400%.
- With realistic interest rates the stake has to be extremely high to ensure that the requirement above is met. But this conflicts with Saleh's finding that the lower the miners’ reward the better. The reward term in ANteSr − teθ ≥ V(e) reduces the effectiveness of the stake. Given Bitcoin-like turnover this implies that for safety a large proportion of the available coins must be staked, reducing the proportion available for transactions. A currency where 100% of the coins were staked would be secure but not useful.
Section 3.7, Transaction fees reports on various analyses of the future of Bitcoin as the mining reward decreases and fees become the major, and eventually the only source of miners' income:
- Carlsten et al, On the Instability of Bitcoin Without the Block Reward (2016), who describe two vulnerabilities of a low-reward system. One is caused by the variability of fees. A block with low total fees makes it profitable for a miner to fork in the past. The other is that Eyal and Sirer's "selfish mining" strategy works even better than it does now.
- Gur Huberman et al, An Economic Analysis of the Bitcoin Payment System (2017), who show that in a low-reward system the delays caused by congestion are necessary to motivate payment of fees. In other words, if the system is capable of satisfying the demand for transactions it will not generate enough fees to be sustainable.
- Easley et al, From mining to markets: The evolution of bitcoin transaction fees (2019), who show empirically that transaction fees and waiting times are correlated.
|Auer Graph 9|
with block rewards – which, at present, represent the vast majority of miners’ income and thus underpin the security of payments – being gradually phased out ... the security of payments is also set to deteriorate. Graph 9 gives an outlook regarding how waiting times could increase in the years to come, based on the above considerations of what is required to deter an attackThe graph was based on average transaction fees of 0.18BTC/block, close to today's 0.14BTC/block. Note that fees thus cover only about 2% of the cost of a transaction; they ar 98% subsidized by inflating the currency and speculation. Auer's analysis implies that currently transaction finality takes much longer than 6 blocks, but it assumes:
that attackers can rent any equipment they want at a stated price. The attack vector is thus certain to succeedThe difference between the two curves is the two assumptions about the difference between honest miners' cost per hash and the attacker's rental cost per hash. These rental economics are not currently a realistic scenario, but if Bitcoin's price continues to fall the pool of uneconomic mining power that is potentially rentable increases and thus the transaction finality waiting period tends to increase.
- Card fees are fixed, Bitcoin fees are set in an auction. Predictability has value.
- In many cases a significant proportion of the fee is rebated to the originator of the transaction as an incentive in the competitive market for cards.
- When the fixed supply meets variable demand, fees spike enormously. In April last year the average fee per transaction hit $60.
- If the average fee to keep a fee-only system secure was $175/transaction, and it was 1.5% to compete with credit cards, the average transaction would be $11,666.67.