The Gaslit Asset Class

James Grant invited me to address the annual conference of Grant's Interest Rate Observer. This was an intimidating prospect, the previous year's conference featured billionaires Scott Bessent and Bill Ackman. As usual, below the fold is the text of my talk, with the slides, links to the sources, and additional material in footnotes. Yellow background indicates textual slides.

The Gaslit Asset Class

Before I explain that much of what you have been told about cryptocurrency technology is gaslighting, I should stress that I hold no long or short positions in cryptocurrencies, their derivatives or related companies. Unlike most people discussing them, I am not "talking my book".

To fit in the allotted time, this talk focuses mainly on Bitcoin and omits many of the finer points. My text, with links to the sources and additional material in footnotes, will go up on my blog later today.

Why Am I Here?

I imagine few of you would understand why a retired software engineer with more than forty years in Silicon Valley was asked to address you on cryptocurrencies^[1].

NVDA Log Plot

I was an early employee at Sun Microsystems then employee #4 at Nvidia, so I have been long Nvidia for more than 30 years. It has been a wild ride. I quit after 3 years as part of fixing Nvidia's first near-death experience and immediately did 3 years as employee #12 at another startup, which also IPO-ed. If you do two in six years in your late 40s you get seriously burnt out.

So my wife and I started a program at Stanford that is still running 27 years later. She was a career librarian at the Library of Congress and the Stanford Library. She was part of the team that, 30 years ago, pioneered the transition of academic publishing to the Web. She was also the person who explained citation indices to Larry and Sergey, which led to Page Rank.

The academic literature has archival value. Multiple libraries hold complete runs on paper of the Philosophical Transactions of the Royal Society starting 360 years ago^[2]. The interesting engineering problem we faced was how to enable libraries to deliver comparable longevity to Web-published journals.

Five Years Before Satoshi Nakamoto

I worked with a group of outstanding Stanford CS Ph.D. students to design and implement a system for stewardship of Web content modeled on the paper library system. The goal was to make it extremely difficult for even a powerful adversary to delete or modify content without detection. It is called LOCKSS, for Lots Of Copies Keep Stuff Safe; a decentralized peer-to-peer system secured by Proof-of-Work. We won a "Best Paper" award for it five years before Satoshi Nakamoto published his decentralized peer-to-peer system secured by Proof-of-Work. When he did, LOCKSS had been in production for a few years and we had learnt a lot about how difficult decentralization is in the online world.

Bitcoin built on more than two decades of research. Neither we nor Nakamoto invented Proof-of-Work, Cynthia Dwork and Moni Naor published it in 1992. Nakamoto didn't invent blockchains, Stuart Haber and W. Scott Stornetta patented them in 1991. He was extremely clever in assembling well-known techniques into a cryptocurrency, but his only major innovation was the Longest Chain Rule.

Digital cash

The fundamental problem of representing cash in digital form is that a digital coin can be endlessly copied, thus you need some means to prevent each of the copies being spent. When you withdraw cash from an ATM, turning digital cash in your account into physical cash in your hand, the bank performs an atomic transaction against the database mapping account numbers to balances. The bank is trusted to prevent multiple spending.

There had been several attempts at a cryptocurrency before Bitcoin. The primary goals of the libertarians and cypherpunks were that a cryptocurrency be as anonymous as physical cash, and that it not have a central point of failure that had to be trusted. The only one to get any traction was David Chaum's DigiCash; it was anonymous but it was centralized to prevent multiple spending and it involved banks.

Nakamoto's magnum opus

Bitcoin claims:

• The system was trustless because it was decentralized.
• It was a medium of exchange for buying and selling in the real world.
• Transactions were faster and cheaper than in the existing financial system.
• It was secured by Proof-of-Work and cryptography.
• It was privacy-preserving.

When in November 2008 Nakamoto published Bitcoin: A Peer-to-Peer Electronic Cash System it was the peak of the Global Financial Crisis and people were very aware that the financial system was broken (and it still is). Because it solved many of the problems that had dogged earlier attempts at electronic cash, it rapidly attracted a clique of enthusiasts. When Nakamoto went silent in 2010 they took over proseltyzing the system. The main claims they made were:

• The system was trustless because it was decentralized.
• It was a medium of exchange for buying and selling in the real world.
• Transactions were faster and cheaper than in the existing financial system.
• It was secured by Proof-of-Work and cryptography.
• It was privacy-preserving.

They are all either false or misleading. In most cases Nakamoto's own writings show he knew this. His acolytes were gaslighting.

Trustless because decentralized (1)

Assuming that the Bitcoin network consists of a large number of roughly equal nodes, it randomly selects a node to determine the transactions that will form the next block. There is no need to trust any particular node because the chance that they will be selected is small.^[3]

At first, most users would run network nodes, but as the network grows beyond a certain point, it would be left more and more to specialists with server farms of specialized hardware. A server farm would only need to have one node on the network and the rest of the LAN connects with that one node.

Satoshi Nakamoto 2^nd November 2008

The current system where every user is a network node is not the intended configuration for large scale. ... The design supports letting users just be users. The more burden it is to run a node, the fewer nodes there will be. Those few nodes will be big server farms. The rest will be client nodes that only do transactions and don’t generate.

Satoshi Nakamoto: 29^th July 2010

But only three days after publishing his white paper, Nakamoto understood that this assumption would become false:

At first, most users would run network nodes, but as the network grows beyond a certain point, it would be left more and more to specialists with server farms of specialized hardware.

He didn't change his mind. On 29^th July 2010, less than five months before he went silent, he made the same point:

The current system where every user is a network node is not the intended configuration for large scale. ... The design supports letting users just be users. The more burden it is to run a node, the fewer nodes there will be. Those few nodes will be big server farms.

"Letting users be users" necessarily means that the "users" have to trust the "few nodes" to include their transactions in blocks. The very strong economies of scale of technology in general and "big server farms" in particular meant that the centralizing force described in W. Brian Arthur's 1994 book Increasing Returns and Path Dependence in the Economy resulted in there being "fewer nodes". Indeed, on 13^th June 2014 a single node controlled 51% of Bitcoin's mining, the GHash pool.^[4]

Trustless because decentralized (2)

In June 2022 Cooperation among an anonymous group protected Bitcoin during failures of decentralization by Alyssa Blackburn et al showed that it had not been decentralized from the very start. The same month a DARPA-sponsored report entitled Are Blockchains Decentralized? by a large team from the Trail of Bits security company examined the economic and many other centralizing forces affecting a wide range of blockchain implementations and concluded that the answer to their question is "No".^[5]

The same centralizing economic forces apply to Proof-of-Stake blockchains such as Ethereum. Grant's Memo to the bitcoiners explained the process last February.

Trustless because decentralized (3)

Another centralizing force drives pools like GHash. The network creates a new block and rewards the selected node about every ten minutes. Assuming they're all state-of-the-art, there are currently about 15M rigs mining Bitcoin^[6]. Their economic life is around 18 months, so only 0.5%% of them will ever earn a reward. The owners of mining rigs pool their efforts, converting a small chance of a huge reward into a steady flow of smaller rewards. On average GHash was getting three rewards an hour.

A medium of exchange (1)

Quote from: Insti, July 17, 2010, 02:33:41 AM

How would a Bitcoin snack machine work?

1. You want to walk up to the machine. Send it a bitcoin.
2. ?
3. Walk away eating your nice sugary snack. (Profit!)

You don’t want to have to wait an hour for you transaction to be confirmed.

The vending machine company doesn’t want to give away lots of free candy.

How does step 2 work?

I believe it’ll be possible for a payment processing company to provide as a service the rapid distribution of transactions with good-enough checking in something like 10 seconds or less.

Satoshi Nakamoto: 17^th July 2010

Bitcoin's ten-minute block time is a problem for real-world buying and selling^[7], but the problem is even worse. Network delays mean a transaction isn't final when you see it in a block. Assuming no-one controlled more than 10% of the hashing power, Nakamoto required another 5 blocks to have been added to the chain, so 99.9% finality would take an hour. With a more realistic 30%, the rule should have been 23 blocks, with finality taking 4 hours^[8].

Nakamoto's 17^th July 2010 exchange with Insti shows he understood that the Bitcoin network couldn't be used for ATMs, vending machines, buying drugs or other face-to-face transactions because he went on to describe how a payment processing service layered on top of it would work.

A medium of exchange (2)

assuming that the two sides are rational actors and the smart contract language is Turing-complete, there is no escrow smart contract that can facilitate this exchange without either relying on third parties or enabling at least one side to extort the other.

two-party escrow smart contracts are ... simply a game of who gets to declare their choice first and commit it on the blockchain sooner, hence forcing the other party to concur with their choice. The order of transactions on a blockchain is essentially decided by the miners. Thus, the party with better connectivity to the miners or who is willing to pay higher transaction fees, would be able to declare their choice to the smart contract first and extort the other party.

Amir Kafshdar Goharshady, Irrationality, Extortion, or Trusted Third-parties: Why it is Impossible to Buy and Sell Physical Goods Securely on the Blockchain

The situation is even worse when it comes to buying and selling real-world objects via programmable blockchains such as Ethereum^[9]. In 2021 Amir Kafshdar Goharshady showed that^[10]:

assuming that the two sides are rational actors and the smart contract language is Turing-complete, there is no escrow smart contract that can facilitate this exchange without either relying on third parties or enabling at least one side to extort the other.

Goharshady noted that:

on the Ethereum blockchain escrows with trusted third-parties are used more often than two-party escrows, presumably because they allow dispute resolution by a human.

And goes on to show that in practice trusted third-party escrow services are essential because two-party escrow smart contracts are:

simply a game of who gets to declare their choice first and commit it on the blockchain sooner, hence forcing the other party to concur with their choice. The order of transactions on a blockchain is essentially decided by the miners. Thus, the party with better connectivity to the miners or who is willing to pay higher transaction fees, would be able to declare their choice to the smart contract first and extort the other party.

The choice being whether or not the good had been delivered. Given the current enthusiasm for tokenization of physical goods the market for trusted escrow services looks bright.

Fast transactions

Actually the delay between submitting a transaction and finality is unpredictable and can be much longer than an hour. Transactions are validated by miners then added to the mempool of pending transactions where they wait until either:

• The selected network node chooses it as one of the most profitable to include in its block.
• It reaches either its specified timeout or the default of 2 weeks.

Mempool count

This year the demand for transactions has been low, typically under 4 per second, so the backlog has been low, around 40K or under three hours. Last October it peaked at around 14 hours worth.

The distribution of transaction wait times is highly skewed. The median wait is typically around a block time. The proportion of low-fee transactions means the average wait is normally around 10 times that. But when everyone wants to transact the ratio spikes to over 40 times.

Cheap transactions

Average fee/transaction

There are two ways miners can profit from including a transaction in a block:

• The fee to be paid to the miner which the user chose to include in the transaction. In effect, transaction slots are auctioned off.
• The transactions the miner included in the block to front- and back-run the user's transaction, called Maximal Extractable Value^[11]:
  

  Maximal extractable value (MEV) refers to the maximum value that can be extracted from block production in excess of the standard block reward and gas fees by including, excluding, and changing the order of transactions in a block.

The block size limit means there is a fixed supply of transaction slots, about 7 per second, but the demand for them varies, and thus so does the price. In normal times the auction for transaction fees means they are much smaller than the block reward. But when everyone wants to transact they suffer massive spikes.

Secured by Proof-of-Work (1)

In cryptocurrencies "secured" means that the cost of an attack exceeds the potential loot. The security provided by Proof-of-Work is linear in its cost, unlike techniques such as encryption, whose security is exponential in cost. It is generally believed that it is impractical to reverse a Bitcoin transaction after about an hour because the miners are wasting such immense sums on Proof-of-Work. Bitcoin pays these immense sums, but it doesn't get the decentralization they ostensibly pay for.

Monero, a privacy-focused blockchain network, has been undergoing an attempted 51% attack — an existential threat to any blockchain. In the case of a successful 51% attack, where a single entity becomes responsible for 51% or more of a blockchain's mining power, the controlling entity could reorganize blocks, attempt to double-spend, or censor transactions.

A company called Qubic has been waging the 51% attack by offering economic rewards for miners who join the Qubic mining pool. They claim to be "stress testing" Monero, though many in the Monero community have condemned Qubic for what they see as a malicious attack on the network or a marketing stunt.

Molly White: Monero faces 51% attack

The advent of "mining as a service" about 7 years ago made 51% attacks against smaller Proof-of-Work alt-coin such as Bitcoin Gold endemic. In August Molly White reported that Monero faces 51% attack:

In 2018's The Economic Limits Of Bitcoin And The Blockchain Eric Budish of the Booth School analyzed two versions of the 51% attack. I summarized his analysis of the classic multiple spend attack thus:

Note that only Bitcoin and Ethereum among cryptocurrencies with "market cap" over $100M would cost more than $100K to attack. The total "market cap" of these 8 currencies is $271.71B and the total cost to 51% attack them is $1.277M or 4.7E-6 of their market cap.

His key insight was that to ensure that 51% attacks were uneconomic, the reward for a block, implicitly the transaction tax, plus the fees had to be greater than the maximum value of the transactions in it. The total transaction cost (reward + fee) typically peaks around 1.8% but is normally between 0.6% and 0.8%, or around 150 times less than Budish's safety criterion. The result is that a conspiracy between a few large pools could find it economic to mount a 51% attack.

Secured by Proof-of-Work (2)

However, ∆_attack is something of a “pick your poison” parameter. If ∆_attack is small, then the system is vulnerable to the double-spending attack ... and the implicit transactions tax on economic activity using the blockchain has to be high. If ∆_attack is large, then a short time period of access to a large amount of computing power can sabotage the blockchain.

Eric Budish: The Economic Limits Of Bitcoin And The Blockchain

But everyone assumes the pools won't do that. Budish further analyzed the effects of a multiple spend attack. It would be public, so it would in effect be sabotage, decreasing the Bitcoin price by a factor ∆_attack. He concludes that if the decrease is small, then double-spending attacks are feasible and the per-block reward plus fee must be large, whereas if it is large then access to the hash power of a few large pools can quickly sabotage the currency.

The implication is that miners, motivated to keep fees manageable, believe ∆_attack is large. Thus Bitcoin is secure because those who could kill the golden goose don't want to.

Secured by Proof-of-Work (3)

proof-of-work can only achieve payment security if mining income is high, but the transaction market cannot generate an adequate level of income. ... the economic design of the transaction market fails to generate high enough fees.

Raphael Auer: Beyond the doomsday economics of “proof-of-work” in cryptocurrencies

The following year, in Beyond the doomsday economics of “proof-of-work” in cryptocurrencies, Raphael Auer of the Bank for International Settlements showed that the problem Budish identified was inevitable^[12]:

proof-of-work can only achieve payment security if mining income is high, but the transaction market cannot generate an adequate level of income. ... the economic design of the transaction market fails to generate high enough fees.

In other words, the security of Bitcoin's blockchain depends upon inflating the currency with block rewards. This problem is excerbated by Bitcoin's regular "halvenings" reducing the block reward. To maintain miner's current income after the next halvening in less than three years the "price" would need to be over $200K; security depends upon the "price" appreciating faster than 20%/year.

Once the block reward gets small, safety requires the fees in a block to be worth more than the value of the transactions in it. But everybody has decided to ignore Budish and Auer.

Secured by Proof-of-Work (4)

Farokhnia Table 1

In 2024 Soroush Farokhnia & Amir Kafshdar Goharshady's Options and Futures Imperil Bitcoin's Security:

showed that (i) a successful block-reverting attack does not necessarily require ... a majority of the hash power; (ii) obtaining a majority of the hash power ... costs roughly 6.77 billion ... and (iii) Bitcoin derivatives, i.e. options and futures, imperil Bitcoin’s security by creating an incentive for a block-reverting/majority attack.

They assume that an attacker would purchase enough state-of-the-art hardware for the attack. Given Bitmain's dominance in mining ASICs, such a purchase is unlikely to be feasible.

Secured by Proof-of-Work (5)

Ferreira Table 1

But it would not be necessary. Mining is a very competitive business, and power is the major cost^[13]. Making a profit requires both cheap power and early access to the latest, most efficient chips. So it wasn't a surprise that Ferreira et al's Corporate capture of blockchain governance showed that:

As of March 2021, the pools in Table 1 collectively accounted for 86% of the total hash rate employed. All but one pool (Binance) have known links to Bitmain Technologies, the largest mining ASIC producer. ^[14]

Secured by Proof-of-Work (6)

Mining Pools 5/17/24

Bitmain, a Chinese company, exerts significant control of Bitcoin. China has firmly suppressed domestic use of cryptocurrencies, whereas the current administration seems intent on integrating them (and their inevitable grifts) into the US financial system. Except for Bitmain, no-one in China gets eggs from the golden goose. This asymmetry provides China with an way to disrupt the US financial system.

Mining Pools 4/30/25

It would be important to prevent the disruption being attributed to China. A necessary precursor would therefore be to obscure the extent of Bitmain-affiliated pools' mining power. This has been a significant trend in the past year, note the change in the "unknown" in the graphs from 38 to 305. There could be other explanations, but whether or not intentionally this is creating a weapon.^[15]

Secured by cryptography (1)

The dollars in your bank account are simply an entry in the bank's private ledger tagged with your name. You control this entry, but what you own is a claim on the bank^[16]. Similarly, your cryptocurrency coins are effectively an entry in a public ledger tagged with the public half of a key pair. The two differences are that:

• No ownership is involved, so you have no recourse if something goes wrong.
• Anyone who knows the secret half of the key pair controls the entry. Since it is extremely difficult to stop online secrets leaking, something is likely to go wrong^[17].

XKCD #538

The secret half of your key can leak via what Randall Munro depicted as a "wrench attack", via phishing, social engineering, software supply chain attacks^[18], and other forms of malware. Preventing these risks requires you to maintain an extraordinary level of operational security.

Secured by cryptography (2)

Even perfect opsec may not be enough. Bitcoin and most cryptocurrencies use two cryptographic algorithms, SHA256 for hashing and ECDSA for signatures.

Quote from: llama on July 01, 2010, 10:21:47 PM

Satoshi, That would indeed be a solution if SHA was broken (certainly the more likely meltdown), because we could still recognize valid money owners by their signature (their private key would still be secure).

However, if something happened and the signatures were compromised (perhaps integer factorization is solved, quantum computers?), then even agreeing upon the last valid block would be worthless.

True, if it happened suddenly. If it happens gradually, we can still transition to something stronger. When you run the upgraded software for the first time, it would re-sign all your money with the new stronger signature algorithm. (by creating a transaction sending the money to yourself with the stronger sig)

Satoshi Nakamoto: 10^th July 2010

On 10^th July 2010 Nakamoto addressed the issue of what would happen if either of these algorithms were compromised. There are three problems with his response; that compromise is likely in the near future, when it does Nakamoto's fix is inadequate, and there is a huge incentive for it to happen suddenly:

Secured by cryptography (3)

Divesh Aggarwal et al's 2019 paper Quantum attacks on Bitcoin, and how to protect against them noted that:

the elliptic curve signature scheme used by Bitcoin is much more at risk, and could be completely broken by a quantum computer as early as 2027, by the most optimistic estimates.

Their "most optimistic estimates" are likely to be correct; PsiQuantum expects to have two 1M qubit computers operational in 2027^[19]. Each should be capable of breaking an ECDSA key in under a week.

Bitcoin's transition to post-quantum cryptography faces a major problem because, to transfer coins from an ECDSA wallet to a post-quantum wallet, you need the key for the ECDSA wallet. Chainalysis estimates that:

about 20% of all Bitcoins have been "lost", or in other words are sitting in wallets whose keys are inaccessible

An example is the notorious hard disk in the garbage dump. A sufficiently powerful quantum computer could recover the lost keys.

The incentive for it to happen suddenly is that, even if Nakamoto's fix were in place, someone with access to the first sufficiently powerful quantum computer could transfer 20% of all Bitcoin, currently worth $460B, to post-quantum wallets they controlled. This would be a 230x return on the investment in PsiQuantum.

Privacy-preserving

privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous. The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone.

As an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner.

Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.

Satoshi Nakamoto: Bitcoin: A Peer-to-Peer Electronic Cash System

Nakamoto addressed the concern that, unlike DigiCash, because Bitcoin's blockchain was public it wasn't anonymous:

privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous. The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone.

This is true but misleading. In practice, users need to use exchanges and other services that can tie them to a public key. There is a flourishing ecosystem of companies that deanonymize wallets by tracing the web of transactions. Nakamoto added:

As an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner.

This advice is just unrealistic. As Molly White wrote^[20]:

funds in a wallet have to come from somewhere, and it’s not difficult to infer what might be happening when your known wallet address suddenly transfers money off to a new, empty wallet.

Nakamoto acknowledged:

Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.

For more than a decade Jamison Lopp has been tracking what happens when a wallet with significant value is deanonymized, and it is a serious risk to life and limbs^[21].

One more risk

I have steered clear of the financial risks of cryptocurrencies. It may appear that the endorsement of the current administration has effectively removed their financial risk. But the technical and operational risks remain, and I should note another technology-related risk.

Source

Equities are currently being inflated by the AI bubble. The AI platforms are running the drug-dealer's algorithm, "the first one's free", burning cash by offering their product free or massively under-priced. This cannot last; only 8% of their users would pay even the current price. OpenAI's August launch of GPT-5, which was about cost-cutting not better functionality, and Anthropic's cost increases were both panned by the customers who do pay. AI may deliver some value, but it doesn't come close to the cost of delivering it^[22].

There is likely to be an epic AI equity bust. Analogies are being drawn to the telecom boom, but The Economist reckons^[23]:

the potential AI bubble lags behind only the three gigantic railway busts of the 19th century.

Source

History shows a fairly strong and increasing correlation between equities and cryptocurrencies, so they will get dragged down too. The automatic liquidation of leveraged long positions in DeFi will start, causing a self-reinforcing downturn. Periods of heavy load such as this tend to reveal bugs in IT systems, and especially in "smart contracts", as their assumptions of adequate resources and timely responses are violated.

Source

Experience shows that Bitcoin's limited transaction rate and the fact that the Ethereum computer that runs all the "smart contracts" is 1000 times slower than a $50 Raspberry Pi 4^[24] lead to major slow-downs and fee spikes during panic selling, exacerbated by the fact that the panic sales are public^[25].

Conclusion

The fascinating thing about cryptocurrency technology is the number of ways people have developed and how much they are willing to pay to avoid actually using it. What other transformative technology has had people desperate not to use it?

The whole of TradFi has been erected on this much worse infrastructure, including exchanges, closed-end funds, ETFs, rehypothecation, and derivatives. Clearly, the only reason for doing so is to escape regulation and extract excess profits from what would otherwise be crimes.

Footnotes

1. The cause was the video of a talk I gave at Stanford in 2022 entitled Can We Mitigate The Externalities Of Cryptocurrencies?. It was an updated version of a talk at the 2021 TTI/Vanguard conference. The talk conformed to Betteridge's Law of Headlines in that the answer was "no".
   
2. Paper libraries form a model fault-tolerant system. It is highly replicated and decentralized. Libraries cooperate via inter-library loan and copy to deliver a service that is far more reliable than any individual library.
3. The importance Satoshi Nakamoto attached to trustlessness can be seen from his release note for Bitcoin 0.1:

   The root problem with conventional currency is all the trust that's required to make it work. The central bank must be trusted not to debase the currency, but the history of fiat currencies is full of breaches of that trust. Banks must be trusted to hold our money and transfer it electronically, but they lend it out in waves of credit bubbles with barely a fraction in reserve. We have to trust them with our privacy, trust them not to let identity thieves drain our accounts. Their massive overhead costs make micropayments impossible.

   The problem with this ideology is that trust (but verify) is an incredibly effective optimization in almost any system. For example, Robert Putnam et al's Making Democracy Work: Civic Traditions in Modern Italy shows that the difference between the economies of Northern and Southern Italy is driven by the much higher level of trust in the North.
   
   Bitcoin's massive cost is a result of its lack of trust. Users pay this massive cost but they don't get a trustless system, they just get a system that makes the trust a bit harder to see.
   
   In response to Nakamoto's diatribe, note that:
   
   • "trusted not to debase the currency", but Bitcoin's security depends upon debasing the currency.
   • "waves of credit bubbles", is a pretty good description of the cryptocurrency market.
   • "not to let identity thieves drain our accounts", see Molly White's Web3 is Going Just Great.
   • "massive overhead costs". The current cost per transaction is around $100.
   I rest my case.
4. The problem of trusting mining pools is actually much worse. There is nothing to stop pools conspiring coordinating. In 2017 Vitalik Buterin, co-founder of Ethereum, published The Meaning of Decentralization:
   

   In the case of blockchain protocols, the mathematical and economic reasoning behind the safety of the consensus often relies crucially on the uncoordinated choice model, or the assumption that the game consists of many small actors that make decisions independently. If any one actor gets more than 1/3 of the mining power in a proof of work system, they can gain outsized profits by selfish-mining. However, can we really say that the uncoordinated choice model is realistic when 90% of the Bitcoin network’s mining power is well-coordinated enough to show up together at the same conference?

   See "Sufficiently Decentralized" for a review of evidence from a Protos article entitled New research suggests Bitcoin mining centralized around Bitmain that concludes:
   

   In all, it seems unlikely that up to nine major bitcoin mining pools use a shared custodian for coinbase rewards unless a single entity is behind all of their operations.

   The "single entity" is clearly Bitmain.
5. Peter Ryan, a reformed Bitcoin enthusiast, noted another form of centralization in Money by Vile Means:
   

   Bitcoin is anything but decentralized: Its functionality is maintained by a small and privileged clique of software developers who are funded by a centralized cadre of institutions. If they wanted to change Bitcoin’s 21 million coin finite supply, they could do it with the click of a keyboard.

   His account of the politics behind the argument over raising the Bitcoin block size should dispel any idea of Bitcoin's decentralized nature. He also notes:
   

   By one estimate from Hashrate Index, Foundry USA and Singapore-based AntPool control more than 50 percent of computing power, and the top ten mining pools control over 90 percent. Bitcoin blogger 0xB10C, who analyzed mining data as of April 15, 2025, found that centralization has gone even further than this, “with only six pools mining more than 95 percent of the blocks.”

6. The Bitmain S17 comes in 4 versions with hash rates from 67 to 76 TH/s. Lets assume 70TH/s. As I write the Bitcoin hash rate is about 1 billion TH/s. So if they were all mid-range S17s there would be around 15M mining. If their economic life were 18 months, there would be 77,760 rewards. Thus only 0.5% of them would earn a reward.
   
   In December 2021 Alex de Vries and Christian Stoll estimated that:
   

   The average time to become unprofitable sums up to less than 1.29 years.

   It has been obvious since mining ASICs first hit the market that, apart from access to cheap or free electricity, there were two keys to profitable mining:
   
   1. Having close enough ties to Bitmain to get the latest chips early in their 18-month economic life.
   2. Having the scale to buy Bitmain chips in the large quantities that get you early access.
7. See David Gerard's account of Steve Early's experiences accepting Bitcoin in his chain of pubs in Attack of the 50 Foot Blockchain Page 94.
   
   

   

   Chart 1

   U.S. Consumers’ Use of Cryptocurrency for Payments by Fumiko Hayashi and Aditi Routh of the Kansas City Fed reports that:
   

   The share of U.S. consumers who report using cryptocurrency for payments—purchases, money transfers, or both—has been very small and has declined slightly in recent years. The light blue line in Chart 1 shows that this share declined from nearly 3 percent in 2021 and 2022 to less than 2 percent in 2023 and 2024.

8. User DeathAndTaxes on Stack Exchange explains the 6 block rule:
   

   p is the chance of attacker eventually getting longer chain and reversing a transaction (0.1% in this case). q is the % of the hashing power the attacker controls. z is the number of blocks to put the risk of a reversal below p (0.1%).
   
   So you can see if the attacker has a small % of the hashing power 6 blocks is sufficient. Remember 10% of the network at the time of writing is ~100GH/s. However if the attacker had greater % of hashing power it would take increasingly longer to be sure a transaction can't be reversed.
   
   If the attacker had significantly more hashpower say 25% of the network it would require 15 confirmation to be sure (99.9% probability) that an attacker can't reverse it.

   For example, last May Foundry USA had more than 30% of the hash power, so the rule should have been 24 not 6, and finality should have taken 4 hours.
9. To be fair, Ethereum has introduced at least one genuine innovation, Flash Loans. In Flash loans, flash attacks, and the future of DeFi Aidan Saggers, Lukas Alemu and Irina Mnohoghitnei of the Bank of England provide an excellent overview of them. Back in 2021 Kaihua Qin, Liyi Zhou, Benjamin Livshits, and Arthur Gervais from Imperial College posted Attacking the defi ecosystem with flash loans for fun and profit, analyzing and optimizing two early flash loan attacks:
   

   We show quantitatively how transaction atomicity increases the arbitrage revenue. We moreover analyze two existing attacks with ROIs beyond 500k%. We formulate finding the attack parameters as an optimization problem over the state of the underlying Ethereum blockchain and the state of the DeFi ecosystem. We show how malicious adversaries can efficiently maximize an attack profit and hence damage the DeFi ecosystem further. Specifically, we present how two previously executed attacks can be “boosted” to result in a profit of 829.5k USD and 1.1M USD, respectively, which is a boost of 2.37× and 1.73×, respectively.

   They predicted an upsurge in attacks since "flash loans democratize the attack, opening this strategy to the masses". They were right, as you can see from Molly White's list of flash loan attacks.
10. This is one of a whole series of Impossibilities, many imposed on Ethereum by fundamental results in computer science because it is a Turing-complete programming environment.
11. For details of the story behind Miners' Extractable Value (MEV), see these posts:
    
    1. The Order Flow from November 2020.
    2. Ethereum Has Issues from April 2022.
    3. Miners' Extractable Value From September 2022.

    

    Source

    The first links to two must-read posts. The first is from Dan Robinson and Georgios Konstantopoulos, Ethereum is a Dark Forest:
    

    It’s no secret that the Ethereum blockchain is a highly adversarial environment. If a smart contract can be exploited for profit, it eventually will be. The frequency of new hacks indicates that some very smart people spend a lot of time examining contracts for vulnerabilities.
    
    But this unforgiving environment pales in comparison to the mempool (the set of pending, unconfirmed transactions). If the chain itself is a battleground, the mempool is something worse: a dark forest.

    The second is from Samczsun, Escaping the Dark Forest. It is an account of how:
    

    On September 15, 2020, a small group of people worked through the night to rescue over 9.6MM USD from a vulnerable smart contract.

    Note in particular that MEV poses a risk to the integrity of blockchains. In Extracting Godl [sic] from the Salt Mines: Ethereum Miners Extracting Value Julien Piet, Jaiden Fairoze and Nicholas Weaver examine the use of transactions that avoid the mempool, finding that:
    

    (i) 73% of private transactions hide trading activity or re-distribute miner rewards, and 87.6% of MEV collection is accomplished with privately submitted transactions, (ii) our algorithm finds more than $6M worth of MEV profit in a period of 12 days, two thirds of which go directly to miners, and (iii) MEV represents 9.2% of miners' profit from transaction fees.
    
    Furthermore, in those 12 days, we also identify four blocks that contain enough MEV profits to make time-bandit forking attacks economically viable for large miners, undermining the security and stability of Ethereum as a whole.

    When they say "large miners" they mean more than 10% of the power.
12. Back in 2016 Arvind Narayanan's group at Princeton had published a related instability in Carlsten et al's On the instability of bitcoin without the block reward. Narayanan summarized the paper in a blog post:
    

    Our key insight is that with only transaction fees, the variance of the miner reward is very high due to the randomness of the block arrival time, and it becomes attractive to fork a “wealthy” block to “steal” the rewards therein.

13. The leading source of data on which to base Bitcoin's carbon footprint is the Cambridge Bitcoin Energy Consumption Index. As I write their central estimate is that Bitcoin consumes 205TWh/year, or between Thailand and Vietnam.
14. Ferreira et al write:
    

    AntPool and BTC.com are fully-owned subsidiaries of Bitmain. Bitmain is the largest investor in ViaBTC. Both F2Pool and BTC.TOP are partners of BitDeer, which is a Bitmain-sponsored cloud-mining service. The parent companies of Huobi.pool and OkExPool are strategic partners of Bitmain. Jihan Wu, Bitmain’s founder and chairman, is also an adviser of Huobi (one of the largest cryptocurrency exchanges in the world and the owner of Huobi.pool).

    This makes economic sense. Because mining rigs depreciate quickly, profit depends upon early access to the latest chips.
15. See Who Is Mining Bitcoin? for more detail on the state of mining and its gradual obfuscation.
16. In this context to say you "control" your entry in the bank's ledger is an oversimplification. You can instruct the bank to perform transactions against your entry (and no-one else's) but the bank can reject your instructions. For example if they would overdraw your account, or send money to a sanctioned account. The key point is that your ownership relationship with the bank comes with a dispute resolution system and the ability to reverse transactions. Your cryptocurrency wallet has neither.
17. Web3 is Going Just Great is Molly White's list of things that went wrong. The cumulative losses she tracks currently stand at over $79B.
18. Your secrets are especially at risk if anyone in your software supply chain use a build system implemented using AI "vibe coding". David Gerard's Vibe-coded build system NX gets hacked, steals vibe-coders’ crypto details a truly beautiful example of the extraordinary level of incompetence this reveals.
19. IBM's Heron, which HSBC recently used to grab headlines, has 156 qubits.
20. Molly White's Abuse and harassment on the blockchain is an excellent overview of the privacy risks inherent to real-world transactions on public blockchain ledgers:
    

    Imagine if, when you Venmo-ed your Tinder date for your half of the meal, they could now see every other transaction you’d ever made—and not just on Venmo, but the ones you made with your credit card, bank transfer, or other apps, and with no option to set the visibility of the transfer to “private”. The split checks with all of your previous Tinder dates? That monthly transfer to your therapist? The debts you’re paying off (or not), the charities to which you’re donating (or not), the amount you’re putting in a retirement account (or not)? The location of that corner store right by your apartment where you so frequently go to grab a pint of ice cream at 10pm? Not only would this all be visible to that one-off Tinder date, but also to your ex-partners, your estranged family members, your prospective employers. An abusive partner could trivially see you siphoning funds to an account they can’t control as you prepare to leave them.

21. In The Risks Of HODL-ing I go into the details of the attack on the parents of Veer Chetal, who had unwisely live-streamed the social engineering that stole $243M from a resident of DC.
    
    Anyone with significant cryptocurrency wallets needs to follow Jamison Lopp's Known Physical Bitcoin Attacks.

22. 

    Source

    Torsten Sløk's AI Has Moved From a Niche Sector to the Primary Driver of All VC Investment leads with this graph, one of the clearest signs that we're in a bubble.
    
    Whether AI delivers net value in most cases is debatable. "Vibe coding" is touted as the example of increasing productivity, but the experimental evidence is that it decreases productivity. Kate Niederhoffer et al's Harvard Business Review article AI-Generated "Workslop” Is Destroying Productivity explains one effect:
    

    Employees are using AI tools to create low-effort, passable looking work that ends up creating more work for their coworkers. On social media, which is increasingly clogged with low-quality AI-generated posts, this content is often referred to as “AI slop.” In the context of work, we refer to this phenomenon as “workslop.” We define workslop as AI generated work content that masquerades as good work, but lacks the substance to meaningfully advance a given task.
    
    Here’s how this happens. As AI tools become more accessible, workers are increasingly able to quickly produce polished output: well-formatted slides, long, structured reports, seemingly articulate summaries of academic papers by non-experts, and usable code. But while some employees are using this ability to polish good work, others use it to create content that is actually unhelpful, incomplete, or missing crucial context about the project at hand. The insidious effect of workslop is that it shifts the burden of the work downstream, requiring the receiver to interpret, correct, or redo the work. In other words, it transfers the effort from creator to receiver.

    David Gerard's Workslop: bad ‘study’, but an excellent word points out that:
    

    Unfortunately, this article pretends to be a writeup of a study — but it’s actually a promotional brochure for enterprise AI products. It’s an unlabeled advertising feature.

    And goes on to explain where the workslop comes from:
    

    Well, you know how you get workslop — it’s when your boss mandates you use AI. He can’t say what he wants you to use it for. But you’ve been told. You’ve got metrics on how much AI you use. They’re watching and they’re measuring.

    Belle Lin and Steven Rosenbush's Stop Worrying About AI’s Return on Investment describes goalposts being moved:
    

    Return on investment has evaded chief information officers since AI started moving from early experimentation to more mature implementations last year. But while AI is still rapidly evolving, CIOs are recognizing that traditional ways of recognizing gains from the technology aren’t cutting it.
    
    Tech leaders at the WSJ Leadership Institute’s Technology Council Summit on Tuesday said racking up a few minutes of efficiency here and there don’t add up to a meaningful way of measuring ROI.

    Given the hype and the massive sunk costs, admitting that there is no there there would be a career-limiting move.
    
    None of this takes account of the productivity externalities of AI, such as Librarians Are Being Asked to Find AI-Hallucinated Books, academic journals' reviewers' time wasted by AI slop papers, judges' time wasted with hallucinated citations, a flood of generated child sex abuse videos, the death of social media and a vast new cyberthreat landscape.
23. The Economist writes in What if the AI stockmarket blows up?:
    

    we picked ten historical bubbles and assessed them on factors including spark, cumulative capex, capex durability and investor group. By our admittedly rough-and-ready reckoning, the potential AI bubble lags behind only the three gigantic railway busts of the 19th century.

    They note that:
    

    For now, the splurge looks fairly modest by historical standards. According to our most generous estimate, American AI firms have invested 3-4% of current American GDP over the past four years. British railway investment during the 1840s was around 15-20% of GDP. But if forecasts for data-centre construction are correct, that will change. What is more, an unusually large share of capital investment is being devoted to assets that depreciate quickly. Nvidia’s cutting-edge chips will look clunky in a few years’ time. We estimate that the average American tech firm’s assets have a shelf-life of just nine years, compared with 15 for telecoms assets in the 1990s.

    I think they are over-estimating the shelf-life. Like Bitcoin mining, power is a major part of AI opex. Thus the incentive to (a) retire older, less power-efficient hardware, and (b) adopt the latest data-center power technology, is overwhelming. Note that Nvidia is moving to a one-year product cadence, and even when they were on a two-year cadence Jensen claimed it wasn't worth running chips from the previous cycle. Note also that the current generation of AI systems is incompatible with the power infrastructure of older data centers, and this may well happen again in a future product generation. For example, Caiwei Chen reports in China built hundreds of AI data centers to catch the AI boom. Now many stand unused:
    

    The local Chinese outlets Jiazi Guangnian and 36Kr report that up to 80% of China’s newly built computing resources remain unused.

    Rogé Karma makes the same point as The Economist in Just How Bad Would an AI Bubble Be?:
    

    An AI-bubble crash could be different. AI-related investments have already surpassed the level that telecom hit at the peak of the dot-com boom as a share of the economy. In the first half of this year, business spending on AI added more to GDP growth than all consumer spending combined. Many experts believe that a major reason the U.S. economy has been able to weather tariffs and mass deportations without a recession is because all of this AI spending is acting, in the words of one economist, as a “massive private sector stimulus program.” An AI crash could lead broadly to less spending, fewer jobs, and slower growth, potentially dragging the economy into a recession.

24. In 2021 Nicholas Weaver estimated that the Ethereum computer was 5000 times slower than a Raspberry Pi 4. Since then the gas limit has been raised making his current estimate only 1000 times slower.
25. Prof. Hilary Allen writes in Fintech Dystopia that:
    

    if people do start dumping blockchain-based assets in fire sales, everyone will know immediately because the blockchain is publicly visible. This level of transparency will only add to the panic (at least, that’s what happened during the run on the Terra stablecoin in 2022).
    ...
    We also saw ... that assets on a blockchain can be pre-programmed to execute transactions without the intervention of any human being. In good times, this makes things more efficient – but the code will execute just as quickly in bad situations, even if everyone would be better off if it didn’t.

    She adds:
    

    When things are spiraling out of control like this, sometimes the best medicine is a pause. Lots of traditional financial markets close at the end of the day and on weekends, which provides a natural opportunity for a break (and if things are really bad, for emergency government intervention). But one of blockchain-based finance’s claims to greater efficiency is that operations continue 24/7. We may end up missing the pauses once they’re gone.

    In the 26^th September Grant's, Joel Wallenberg notes that:
    

    Lucrative though they may be, the problem with stablecoin deposits is that exposure to the crypto-trading ecosystem makes them inherently correlated to it and subject to runs in a new “crypto winter,” like that of 2022–23. Indeed, since as much as 70% of gross stablecoin-transaction volume derives from automated arbitrage bots and high-speed trading algorithms, runs may be rapid and without human over-sight. What may be worse, the insured banks that could feed a stablecoin boom are the very ones that are likely to require taxpayer support if liquidity dries up, and Trump-style regulation is likely to be light.

    So the loophole in the GENIUS act for banks is likely to cause contagion from cryptocurrencies via stablecoins to the US banking system.

Acknowledgments

This talk benefited greatly from critiques of drafts by Hilary Allen, David Gerard, Jon Reiter, Joel Wallenberg, and Nicholas Weaver.