Originally published: March 2021
Over the past decade, the bitcoin network has been the most secure public blockchain.
This is because it has by far the highest market capitalization and hash rate in the asset class, along with customized hardware required to mine it, meaning that the cost for a potential attacker to try to control 51% of the hash rate for a lengthy period of time (which would allow for double-spending attacks and other security disruptions) is quite high.
However, in the decade ahead, bitcoin will gradually shift from paying miners primarily through bitcoin block rewards to paying miners primarily through bitcoin transaction fees, and so it has to navigate a gradual change in its security model.
Some bitcoin bears consider it inevitable that bitcoin will fail in this transition and encounter security problems. Many bitcoin bulls consider the risk to be a non-issue.
Like most things in life, in my analysis I find the transition to be middling in terms of risk potential. It’s something to think about and monitor to see how it develops over time as one of bitcoin’s final tests on its way to maturity, but not something that has insurmountable economic or technical issues.
This article dives into some of the nuances, where I analyze the topic mostly from an economic point of view rather than a technical point of view.
How Bitcoin Manages Security
Bitcoin’s blockchain is a public and immutable ledger of past transactions, stored by countless devices around the world.
Every ten minutes on average, another block is added to the blockchain by a miner that solves a puzzle from the previous block, and in doing so, it processes up to a few thousand bitcoin transactions and adds them to the blockchain, encased in that new block. Once several more blocks have been built on top of that block, the transactions in that block become effectively permanent. As of this writing, there are over 670,000 blocks on the bitcoin blockchain since its genesis in 2009.
The primary reward for the miner that adds the block is a certain number of newly-generated bitcoins. That’s the only way that new bitcoins are created. During the first 210,000 blocks (approximately 4 years of time), the reward was 50 new bitcoins per block, to the successful miner. During the next 210,000 blocks, the reward was 25 new bitcoins per block. It keeps getting cut in half like that every 210,000 blocks, and is currently 6.25 new bitcoins per block. This process asymptotically approaches a total number of 21 million coins in existence sometime after 2100, although by 2030, the vast majority will have been mined.
The secondary reward is transaction fees. Users can add fees to their transactions to incentivize miners, which during busy times (meaning too many transactions trying to clear vs the amount of available block space) helps miners prioritize high-importance transactions. If you’re trying to settle a $10 million transaction, for example, you’ll be willing to pay a higher fee than someone trying to settle a $1,000 transaction. This dynamic helps get the most transaction value settled per block in a free market way. The fees are denominated in fractional bitcoins and paid by the sender as part of the transaction.
Here’s an annual history of block rewards and fees for miners, in terms of dollar value, from back in autumn 2020:
Chart Source: NYDIG: The Power of Bitcoin’s Network Effect
The numbers in this chart represent the annual security and processing budget for the store of value and payment settlement network.
As bitcoin’s price has gone up over time, miner revenue has increased, even though the block reward was cut in half every 4 years. In other words, miners receive fewer coins for their efforts, but a higher dollar amount worth of coins, and a small but growing amount of fees. Fees tend to spike during congested periods, in addition to having a structural growth trend.
Here in 2021, there will be a total of about 330,000 bitcoins rewarded to miners as block rewards. At an average bitcoin price of $40,000 as an example, the total amount of block rewards to miners would be approximately $13 billion. Fees would be added to that. We won’t know the total security budget until the end of the year, based on average prices and fees. Until then we can monitor it over time.
Looking back over the past decade, this chart shows the average market capitalization of bitcoin, the annual security spend, and the percent of market capitalization spent on security:
Data Source: YCharts
For the first two months of 2021, the average market capitalization was $740 billion, with an annualized security spend rate of $15.3 billion, representing 2.0% of the market capitalization. This continued the trend of higher absolute security with a smaller percentage of market capitalization being spent on security.
Importantly, the market decided how much security there would be, rather than some central authority. As bitcoin followed its algorithm, including difficulty adjustments and supply flow halvings, users purchased or sold bitcoin based on the prices they wanted, and miners allocated capital to mining based on risk/reward assessments. Miners could have mined other blockchains or they could have done something entirely different with their capital.
This chart shows what the average cost of transaction was since inception of the data, along with the fee portion of that cost:
A Closer Look at 2020
If I take a snapshot of full-year 2020, we can dig a little deeper and firm up the numbers of what a given year looked like.
307,439 transactions were settled per day on average:
Since a single transaction can send to multiple addresses, the total number of individual payments was higher, at over half a million.
The average cost per transaction was over $44, which includes fees and block rewards to miners:
With 366 days in the leap year, that gives us a total of well over 100 million transactions and over $5 billion in miner revenue.
The average market capitalization was $203.53 billion:
So, bitcoin spent about 2.5% of its average market capitalization on security and processing that year.
However, the vast majority of the cost per transaction was in the form of block rewards, which is a form of inflation that doesn’t affect the sender directly, and instead affects the whole network. In terms of fees for the sender, the average transaction took just $2.86 in fees:
The mean transaction size was several thousand dollars, while the median transaction was much smaller.
Special thanks to Nic Carter for the Coin Metrics chart and his previous work on the subject of bitcoin fees. He gave a talk at MIT back in 2019 about this topic that remains relevant through today.
Overall, nearly $1 trillion in USD value was settled on the bitcoin blockchain during the 2020 year. That’s important to note; annual settlement value was much higher than bitcoin’s average market capitalization, and that’s true for prior years as well.
If bitcoin were running on a fee-driven model in 2020, with say $40 in fees per transaction, the average $8,000-sized transaction would have a relatively low fee (~0.5%), but many of the median-or-smaller transactions would no longer make sense. Most folks wouldn’t want more than, say, a 1-2% transaction fee, and so transactions under $4,000-$8,000 would be less attractive to do as a matter of normal operation.
Bitcoin, therefore, would be a base settlement layer, rather than a frequent payment network. Payment networks can be built on top of it, as some applications are already doing via the lightning network and other solutions. This should work well if bitcoin’s adoption continues to increase in the decade ahead.
Incentives Against Attacks
Small blockchains are often the victims of 51% attacks. With little hash power, few nodes, and small developer communities, they have limited resources to deal with an attack. A profit-driven entity can invest a manageable sum of money and perform a double-spend attack to steal millions of dollars worth of tokens.
Bitcoin, however, is extremely resistant to 51% attacks, because the amount of dedicated hardware and electricity that an entity must acquire to attempt one is massive.
In the early days, mining rigs believed to belong to Satoshi Nakamoto controlled over half of the bitcoin network, but he had no incentive to undermine his own creation, and as the network proliferated, these rigs became less important and eventually ceased. And in 2014, a mining pool came rather close to the 51% threshold, but seemingly without intent to attack it. As bitcoin has grown larger, there haven’t been any more instances of entities coming near the 51% threshold.
Besides the consensus node network, rational self-interest is basically the backup defense for a 51% attack. Miners invest a ton of capital into their rigs and generally own a lot of coins; if they were to achieve a successful 51% attack on bitcoin and threaten the security of the system, it would likely damage the market capitalization of the network, resulting in a reduction in their income and net worth, even if they were able to steal some coins in the attack. And the resulting pushback from the rest of the ecosystem in the wake of such an attack against them would be immense.
As the network has grown larger and larger, and the bitcoin network consumes as much electricity as a small country, the cost for coming anywhere close to a 51% attack threshold and holding it persistently, is out of the reach of most entities. Only an extremely well-capitalized attack, such as a consortium of state actors, could potentially be incentivized to attempt a credible attack of that magnitude.
A Hypothetical State Attack
For a sophisticated state entity to attempt an attack on bitcoin in its current form (most likely for reasons other than profit, although they could also short the protocol to recoup costs and potentially make a profit), they’d have to do a bunch of things.
First, they’d have to acquire the majority of dedicated ASIC hardware for bitcoin mining. These are often in short supply, meaning if they tried to buy up a significant portion of new mining rigs from manufacturers and old mining rigs from the second-hand market, they’d likely be unable to, and the market would notice. As I write this, new mining rigs are sold out months in advance.
If they were to build their own mining rigs in some covert way, down to custom chips via their own foundry (and very few countries have sizable foundries), it would be a long and challenging process and require avoiding information leaks. This would be a multi-billion dollar long-term effort in secret.
If over half of the mining capacity exists within a single country, the government could theoretically confiscate enough mining rigs to reach a 51% attack threshold without buying new rigs. The only country where this is a possibility is China due to their large hash rate exposure, although it’s only an estimate that China has over half of the hash rate. However, miners often keep their locations relatively secret, because finding cheap sources of electricity is a key business advantage vs competitors. In addition, many miners are mobile; they move around to wet seasons where hydroelectric overcapacity exists, or to stranded shale energy. And if miners start getting confiscated systemically, the remaining miners would disappear. It would be exceedingly difficult for the Chinese government to locate and simultaneously seize the vast majority of mining that occurs in its jurisdiction. If they only get maybe 70%, that’s not really enough. And over time, if mining becomes more diversified across geographies, it would take that unlikely mass-confiscation option off the table entirely.
That’s the hardest part of doing a 51% attack on bitcoin; getting the dedicated hardware. Folks often calculate the cost of a hypothetical attack based on electricity or per-hour rates, but the sheer amount of hardware that would have to be acquired is immense. This is unlike GPU-based blockchains where a user could conceivably rent cloud GPU time (a use-case of generalized hardware, rather than dedicated hardware) to perform an attack.
Second, once they have this in place somehow, either through buying it, building it, or confiscating it, the state actor(s) have to concentrate more electricity than Singapore consumes, and channel it at the bitcoin blockchain through their dedicated ASIC hardware to try to do a constant series of double-spend attacks or other disruptive efforts. With their massive covert investment, they could very well be successful at messing up a few blocks and performing double-spend attacks or similar disruptions. They could, for example, send an entity some bitcoins in exchange for money, and then use their majority hash power to reverse that transaction and keep the bitcoins. They’d have to sustain this multiple blocks deep in order for it to have a sizable impact on transactions that were thought to be fully-confirmed.
At that point, it would become a battle between nodes and the majority miner, with the possibility of nodes changing to another algorithm or taking other major steps to avoid ongoing assault. A 51% attack does not undo the full blockchain; it reorganizes a few blocks deep or disrupts the process of ongoing blocks added to the blockchain, which gives time for countermeasures. It would be one of the biggest tests that bitcoin has ever faced.
The difficulty and cost for this type of attack is why so far it has not occurred for bitcoin, and why only a large state actor, or collection of state actors, who are particularly hostile to bitcoin’s existence and not concerned with the potentially unprofitable nature of the attack, could conceivably attempt it.
The more broadly that bitcoin spreads, including to a state’s own citizens, the more self-destructive such an effort would be even if successful, which deters this “James Bond villain” secretive level of capital and effort the state would have to go through to attempt it.
However, if it’s going to remain as successful as it has been, Bitcoin does have to grow a sustainable fee market to keep those types of attacks very expensive.
Determining an Appropriate Security Model
As bitcoin’s market capitalization has grown, the absolute amount spent on security has grown as well, but the percentage of the market capitalization spent on security has diminished.
Indeed, that’s what we should expect to occur over time. Paying a huge percentage of the market capitalization in security each year made sense in the beginning when the protocol was small, vulnerable, and highly inflationary, but in the long run from a large market size and small issuance rate, something more like 0.5% to 1.5% of market capitalization spent on security would probably be appropriate.
And remember, bitcoin’s annual settlement value is a few times larger than its market capitalization. Relatively small fees on transactions can potentially result in a sizable percentage of bitcoin’s market capitalization.
Ideally, the security spending rate should be large enough in absolute terms to deter most realistic attacks, and large enough as percentage of the market cap or annual settled value to make attacks uneconomic, while not so large as to make normal settlement transactions uneconomic due to needlessly high fees.
The challenging thing is that there’s no firm number on what level would be appropriate; it’s all an approximation. In practice, bitcoin doesn’t optimize itself for security, but rather security is a natural byproduct of the incentive mechanism for mining, which means there could conceivably be times where security is quite high or quite low compared to credible threats. Bitcoin’s network is not doing a qualitative or quantitative assessment of the threat landscape and adjusting fees accordingly.
After the next supply halving in 2024, bitcoin’s inflation rate will be less than 1% per year, and it will continue dropping every 4 years from there asymptotically toward zero, so in order to maintain something like a 0.5%-1.5% ongoing security rate as a percentage of market capitalization, it’ll need to develop a sizable and persistent fee market.
This chart shows the amount of fees per year and the percentage of the average market capitalization that the fees made up each year:
Data Source: YCharts
For the first two months of 2021, the average market capitalization was $740 billion, with an annualized fee spend rate of $1.85 billion, representing 0.25% of the market capitalization.
The way that a fee market develops over time is that the userbase for bitcoin grows more quickly than the block space. In other words, more people want to transact, but the number of how many transactions the base layer can do is finite. As long as that situation persists (as it is indeed beginning to do), bitcoin can maintain a persistent fee market.
There are also some conceptual ideas such as variable block space that could be turned to by the bitcoin community if a fee market fails to develop under the current design and security starts to become a tangible issue like it has for lesser blockchains.
Inflation vs Fees
If security is paid for primarily through block rewards, then the holders of the coins are the ones primarily paying for it, in the form of inflation.
If security is paid for primarily through fees, then the senders of the coins are the ones primarily paying for it, in the form of the miner taking a cut from their transactions.
So, over time, bitcoin’s security model is programmed to shift primarily from charging the holders to charging those whom transact.
If, in some alternative design, bitcoin eventually reached a point after a certain number of halvings where it had a constant issuance, like say 0.5% per year perpetually, then along with fees that senders pay, it would have a situation where both holders and senders continue to pay for a base level of security. But as it was designed, bitcoin shifts over time to putting all of the emphasis on sender fees for security, with holders paying virtually nothing.
Whether that’s good or bad is up for debate. On one hand, it’s sensible to argue that both holders and senders should contribute to security, since they both benefit from it. On the other hand, the hard supply limit has been a main selling point for people to buy units of the system, and likely increased its adoption rate and attractiveness as a store of value. A shift from a hard cap to low perpetual issuance would be the last resort among the community, so navigating to a fee model will be important for the ongoing success of the protocol.
A Spectrum of Security
This table shows the amount of money that would need to be spent on security to achieve a certain percentage of market capitalization, for various market capitalizations:
Bitcoin in its current form can settle 120+ million transactions per year on the base layer. Let’s call it 100 million as a round number, since we’re talking orders of magnitude here. And importantly, a transaction can send bitcoin to multiple addresses, so you can batch multiple payments into a transaction. So, the number of payments is realistically up to a few hundred million per year.
If bitcoin reaches a state where the average transaction fee is about $10, it would translate into $1+ billion per year towards miners. If we add a zero, and the average transaction fee gets to about $100, it would translate into $10+ billion per year towards miners. For reference, as of the first couple months of 2021, the typical fee has been up to $20+.
For payments of $10,000 or more, $100 or less in fees translates into 1% or less of the transaction value. So, the base layer would remain attractive for large settlement transactions, but would be unattractive for small payments. Bitcoin, in that sense, becomes something like a decentralized and permissionless Fedwire system, relying on secondary layers to improve transaction throughput for smaller users.
We can also compare it to gold, as a store of value. If you buy physical bullion, you would expect to pay a 2-10% or more markup over the spot price for your transaction, depending on whether you’re buying coins or bars, and sometimes more during supply shortages. And then you have to protect it yourself or pay a vault to store it safely.
Payment Scaling Solutions
If we look at the current financial system, it consists of layers.
There are deep settlement layers like Fedwire at the base, which process relatively low numbers of irreversible seven-figure transactions between banks.
On top of those deep layers, there are layers that optimize for more frequent and smaller consumer transactions which are reversible. When you spend with your Visa card, for example, that’s not a final settlement irreversible payment in and of itself; that’s merely a transaction that the bank will later batch into a larger Fedwire payment with another bank.
This is why the “bitcoin doesn’t scale; it processes only a fraction of what Visa can do” argument is like comparing apples to oranges. Or more specifically, it’s like comparing a wholesale distributor of apples to a retail apple-selling stand.
The bitcoin network has transaction count throughput capacity similar to Fedwire; when and if more and cheaper transactions than that are needed, that’s what secondary layers are for.
The various bitcoin forks that attempted to increase transaction throughput on the base layer didn’t work out well so far; they split the community, still didn’t achieve throughput anywhere near that of Visa, and sacrificed too much (accessibility and decentralization of node operation).
Bitcoin Secondary Layers
Not all or even most bitcoin transactions have to settle on the base layer of the protocol. The base layer is ideal for final settlement for large transactions, especially as transaction fees grow as a percentage of the security budget.
Above the base layer, there are various scaling solutions for higher-frequency transactions, and they can be either trusted or trustless, or somewhere in the middle.
For a trusted example, every centralized exchange is basically a scaling mechanism. When you trade bitcoin or various altcoins on an exchange, those aren’t on-chain transactions. Those are transactions within the internal ledger of that exchange. In other words, many transactions occur back and forth, and some of the value is settled on-chain eventually when entities withdraw or deposit coins. The custodian acts as a way to greatly increase transaction volume, since those intra-exchange transactions are settling off-chain with occasional batching into bigger transactions to actually move coins.
For a trustless example, there’s the Lightning network. The Lightning network lets users open multi-signature channels with each other, and from there they can send fractions of bitcoins back and forth without the cost of an on-chain settlement. If at any point one of them wants to settle, they can close the channel and settle back on the base layer with an on-chain transaction. Therefore, you can fit many transactions, for a nearly free cost, into one fee-driven large settlement. Importantly, you don’t need a channel open with the person you’re trying to transact with. You only need to have a path from node to node to node that eventually links to that person.
The limitation of the Lightning network is liquidity. If you don’t want to open a private channel with someone, you have to send fractional bitcoins around from node to node to node in order to reach the target, and that means there has to be a sizable amount of channels between you and the target to make that possible, and there have to be sufficient tools to automate it. Public node operators can place some bitcoins on their channels, and sell access to those channels for a tiny fee, and thus earn a small ongoing yield on their bitcoins.
Lightning Labs and other developers continue to build tools to help apps and users enhance liquidity and usability on the network. The Lightning network itself, like the underlying base layer of bitcoin, is owned by no one. If it continues to grow larger and larger, then liquidity becomes less of a constraint, and the usability increases.
And then there are mixed solutions. Some trusted protocols can use a set of private channels in the Lightning network to provide fiat-to-BTC-to-fiat payment solutions to customers that don’t necessarily even know that they are using the Lightning network, like with the Strike and Bottlepay apps. The total addressable market for that, particularly with regard to small domestic and international payments, is huge.
Micropayments on the internet, such as through Sphinx Chat (which uses the Lightning network) open up all sorts of revenue models for online businesses, as well as anti-spam measures in chat interfaces (via a tiny but nonzero cost to post a message).
Other Uses of Block Space
Block space in bitcoin’s blockchain is just information; it doesn’t all have to be used purely for payment transactions. Messages can be and have been included in various transactions within blocks, including by Satoshi Nakamoto in the genesis block.
A given block on the bitcoin blockchain, as an immutable distributed public ledger, can be thought of as virtual real estate, and only 144 blocks are available per day on average. Most uses are for settling bitcoin payments, but the space within a transaction can be used for other purposes too, because any information you put there becomes permanent and publicly-available.
There’s potentially a use-case for that, because you can put something there as a matter of public record, as an arbiter of truth that is stored on countless devices around the world that can never be changed once it’s buried under more blocks.
Over time, various services have been willing to pay transaction fees to secure messages inside of the bitcoin blockchain. Veriblock, for example, has a service that allows weaker blockchains to “inherit” bitcoin’s security by using the OP Return operator. Veriblock and similar solutions accounted for a double-digit percentage of Bitcoin’s ongoing transactions for a couple years, although in recent years this practice has tapered off:
Chart Source: transactionfee.info
Overall, non-transactional messages are no longer a big portion of bitcoin’s block space usage, but in the future this could conceivably pop up again if new use-cases are identified. Many of the previous use-cases have migrated to become ethereum tokens and trading around in that space instead.
Potential Security Quirks
It seems that we’ve established that economically, bitcoin should be able to comfortably sustain itself with fees, although it’s by no means assured. It depends on bitcoin’s overall level of adoption and usage.
If bitcoin grows and sustains into a multi-trillion market capitalization protocol, and fees can become 0.5%-1.5% of the market capitalization due to packing a lot of value into the block space (including batching of smaller transactions), it would translate into a $5 billion to $15 billion annual security budget per trillion dollars in market capitalization, with dedicated hardware and high electricity costs.
On the other hand, if it fails to sustain a sufficient market capitalization, or annual fees fail to reach and sustain 0.5%-1.5% or more of the market cap, then bitcoin could face some security issues in the long run, with 51% attacks becoming more economical to attempt compared to the possible rewards of achieving it.
From there, we can look into some non-economic issues that could theoretically occur.
A 2016 paper called “On the Instability of Bitcoin Without the Block Reward” by Princeton University researchers used game theory and simulations to assert that fee variability could be an issue, even if total fees are high enough. In other words, timing matters in addition to just average fee levels.
Blocks are generated every 10 minutes on average. However, there is a lot of randomness in the amount of time between blocks, since it relies on countless machines racing to solve a cryptographic puzzle. A block could be added seconds after the previous block, or could take 30 minutes or more.
In the current regime, that doesn’t matter too much because each successful block, no matter how short or long it took, provides economic value to the miner because it comes with a number of new coins. However, in a future world with virtually no block rewards and primary reliance on fees, a block that happens to be generated mere seconds after a previous block, might find itself with rather few transactions in it, making it a low-value block. With big variance in value between blocks, there are some games miners can play to fork the protocol to try to maximize their fee value, which could result in longer confirmation times or other security issues.
The primary counterargument for that, as described back in Dan Held’s 2019 piece referencing Dan McArdle, is that miners, as large operations with dedicated equipment and serious sunk capital expenditures, are unlikely to mess around with block-by-block games and instead will optimize for revenue over a full quarter.
Furthermore, if block reward variability does become a security issue over time, there are theoretical updates to smooth out the fees without increasing the 21 million supply limit.
A blockchain that is entirely reliant on fees rather than inflation for security, as bitcoin is destined to be in the future unless consensus rules change, only gains security benefits when its tokens are transacted with rather than held.
In that fee-based model, those who are holding the coins permanently and not moving them are not contributing to security, whereas those who are moving coins around for one reason or another are contributing to security.
If bitcoin theoretically were to reach a state of very low velocity, with plenty of people holding it but relying heavily on custodian solutions or things like ethereum-wrapped BTC to move it around without being willing to pay substantial fees for on-chain transactions, that can undermine the fee-based security model.
However, such a problem is likely self-correcting towards equilibrium. If few entities use on-chain transactions, then fees will diminish, as the supply/demand balance tilts more towards supply. That can attract entities back to using on-chain transactions, due to the security assurances of doing so.
The question is whether fees can reach a point where they reliably are 0.5%-1.5% of market capitalization, but fortunately the protocol has another full halving cycle or two to get there.
If bitcoin user adoption goes up another 5x or 10x in the years ahead while block space remains unchanged, it shouldn’t be too difficult to generate a persistent high fee market, with off-chain solutions used for smaller transactions where the fees would be uneconomic.
By the time the late 2020s are here, some of bitcoin’s hard forks such as BCH and BSV are likely to face increasingly existential security issues, since their large block space doesn’t have enough demand relative to supply to drive fees up, and block subsidies will diminish.
Indeed, their hash rates are already about 1% or less of bitcoin’s hash rate, and are near their all-time lows while bitcoin’s hash rate is near its all-time high:
Chart Source: BitInfoCharts
Bitcoin itself, however, has a sizable fee market for its rather tight block space; even at $10 in fees per transaction, it can sustain a $1+ billion annual fee rate. $20 per transaction gets you $2+ billion in annual fees, $30 per transaction gets you $3+ billion in annual fees, and so forth.
The question will be whether that’s enough, or whether fees will be notably higher than that. And overall, the answer to that question will largely depend on bitcoin’s eventual level of adoption.
Ultimately, since security through fees is economically workable based on achieving sufficient long-term adoption, it boils down to one of Satoshi’s original propositions that bitcoin will have a rather binary outcome:
I’m sure that in 20 years there will either be very large transaction volume or no volume.
The ideal state for the bitcoin network in the future is to reach equilibrium in the fee market such that blocks are consistently full, mostly with large transactions, and fees are substantial in absolute terms but low in percentage-of-value terms.
Some of those large transactions would be settlement between major entities, while another portion of those large transactions would be batches of many smaller transactions on the Lightning network and other trusted and trustless scaling solutions.