How much does it cost to destroy Bitcoin?
There has been a dreaded myth surrounding the so-called 51% PoW attacks against Bitcoin since its inception. It is often believed that anyone able and willing to spend an amount equal to the “security budget” forever can destroy Bitcoin. That is, any evil government willing to spend about $60 million per day (matching miners’ revenue) would be able to destroy its $1.16 trillion current market capitalization. And worse, this figure may become lower and lower as halvings arrive if fee revenue is not able to take off consistently. Note that “forever” is just a credible threat: the attacker will only need to spend that money for a period long enough for Bitcoin to be destroyed, which may be just a few weeks (at $420 million per week).
Here I will try to explain why the mentioned figure (currently 0.005% of bitcoin’s mcap per day) is not nearly enough to destroy Bitcoin, and show why it is unlikely that an attacker would carry out such an ineffective attack for a long period of time.
I believe this misconception originates from the difficulty of understanding the nature of the value of money and of media of exchange in general. Bitcoin’s value is perceived as dependent on the judgement of others, who could suddenly change their capricious minds, giving an impression of fragility. What happens if a majority is convinced by the ideas of a lunatic and stops considering my coins valuable? What happens if they stop being able to agree on a single UTXO set representing the legitimate version of Bitcoin? Those of you who got through the 2017 forks drama will surely still have these feelings very much in mind.
We should have learnt something from those events, and from the solution to the inflation bug. Bitcoin consensus is not driven by miners, and neither consensus nor the value of each coin arises from a process of deliberation among big companies or even influenceable users running a full node. We should have learnt that it cannot be changed at will, either by a majority of miners or by a majority of nodes, on the basis of a mistaken conception of Bitcoin that implies the destruction of the value of our coins. The focal point driving Bitcoin consensus should be crystal clear by now: market value maximization. It is the market that determines which chain represents the most valuable UTXO set, all things considered, and hence the valid one. Not miners. Not big merchants. Not users. Not full nodes. All these participants are part of the market, but only individual fractions of it, risking their own wealth when participating in the processes of price discovery, and losing it —along with their influence— when they fail to identify the most valuable UTXO set.
Sure, proof-of-work is crucial; no substitute is being proposed here. The genius of Bitcoin is that it allows users to determine which is the most valuable UTXO set with minimal trust requirements by using these —costly to produce— proofs. Bitcoin is a trust minimization tool. Miners will generally spend on PoW only to mine those blocks that provide valuable rewards, providing users a —generally unique— honest signal. But we need to be careful not to slip from here into assuming that costs drive value, and into thinking that users have no option but to accept any chain having the most PoW as the most valuable one at all times, even if coins in that chain are clearly worthless. PoW represents a trust-minimized signal, not a trustless one.
An attacker controlling a majority of the hashing power has the capacity to break the assumption that the chain with the most accumulated PoW is also the most valuable one. This degrades the quality of the honest signal, which may stop being unique, and makes it more difficult to find the block leading to the most valuable UTXO set. This looks scary! And for a good reason. How can we know in such circumstances which is the most valuable chain? How can we avoid following a censored chain with worthless coins? How can we defend against an attack to destroy Bitcoin and our supposedly censorship-resistant wealth?
Bitcoin does not exist in a vacuum; it is a product of the market, and it is valuable because it provides some utility. When its useful trust minimization capabilities are temporarily degraded, its value will certainly be affected. But, as long as it provides some degree of trust minimization, there will always be a block leading to a valuable UTXO set in the view of the market. That block will sooner or later become part of the chain with the most accumulated PoW, the same way a chain leading to a worthless UTXO set will be orphaned sooner or later.
Ok, you are thinking this is all very conceptual. What can miners and users actually do if an attacker with a majority of the hashpower creates a chain censoring legit transactions and blocks from honest miners to destroy Bitcoin?!
At first, no one can anticipate the evil intentions of the attacker orphaning the first block. After all, orphans still happen in Bitcoin once in a while. Honest miners will try to mine the next block on top of the heaviest chain and merchants will keep waiting for confirmations of their pending payments.
Oh! What a sudden increase in the orphan rate! Honest miners start to wonder why all their blocks are being orphaned, making them lose their revenue. Are there other transactions being censored or is it just their blocks and coinbases? Should they try to build another block on top of the heaviest chain that is likely to be orphaned? Or should they stop mining? But mining is not just OPEX. CAPEX depreciates quickly. What should they do? Well, it will not take long for them to consider whether it may be worth invalidating the longest chain and starting to mine on top of an alternative block to create a minority chain. The longer the attack is sustained, the clearer it becomes that coins in the censored heavier chain are worthless, and it is well known that an uncensored chain is worth something, so it is reasonable to expect the market to follow the lead.
This is not an easy decision to make for an honest miner. Identifying the last uncensored block, and hence the most valuable UTXO set, may not be trivial in these circumstances. Different honest miners could even try to build a minority chain starting on different blocks. Also, the attack could end at any moment, rendering any minority chain worthless. (Imagine the attacker saying: “Sorry, I was just kidding. I didn’t want to destroy Bitcoin after all.”) All these risks represent a cost that prevents honest miners from invalidating the attacker’s chain straight away: the cost of switching to a minority PoW chain that we consider more valuable.
If you are a bitcoin owner or a merchant, you can just wait and observe closely how this situation develops. But what would you do if you were an honest miner?
We are so imbued with the need to minimize trust that sometimes we forget people trust other people in a productive way all the time. Bitcoin is a tool to minimize trust but, while merchants are the consumers of trust minimization, miners are the providers of the service, the creators of the honest signal. A trust-minimized coordination of many small miners may be the ideal, but this does not mean they cannot use trust to coordinate among themselves against an attacker to produce a valuable chain that minimizes the trust requirements for the rest of the nodes of the network. A valuable minority chain could even be created by one single miner controlling 25% of the hashing power before the attack, knowing that total hash rate has not increased, and that he can lead a minority chain without trusting or coordinating with anybody else. The only important thing is that the market acknowledges its PoW as the best honest signal of the most valuable UTXO set.
A miner controlling the majority of the honest hashing power knows he can build a valuable chain just by continuing to confirm legitimate transactions while ignoring any other blocks. Even if the attacker creates heavier chains on top of his blocks, their coins are worthless, so sooner or later they will be abandoned and the market will acknowledge the value of his rewards. The only risk for him would be that the attacker decides to create an uncensored heavier chain at some point. But even that risk has a limited cost. After all, the attacker can only create blocks so much faster than the honest miner, so he cannot reorg many honest blocks. What would you do if you were in the shoes of that miner? Would you create a valuable minority chain providing valuable revenues, despite knowing that the attacker may keep messing with it, or would you close your mining operation and lose all your investment?
The answer to this question is important, because once it becomes clear that the market considers that bitcoin has a positive value, even when operating suboptimally under attack, it’s hard to believe that the attacker will maintain such an ineffective attack for much longer.
An attacker with a majority of the hashing power can be very damaging for Bitcoin. He can make merchants wait much longer for transaction confirmation, and even force an active invalidation of the heaviest chain by every node before being able to confirm transactions again, but he cannot destroy Bitcoin.
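To put numbers on the "wait much longer" cost and on the 25% minority-chain scenario above, the following sketch (an added example, not code from the original article) estimates the expected block spacing on an honest minority chain and how many difficulty periods pass before it returns to the 10-minute target. It assumes the honest hashrate stays constant, works with expected values only, and simplifies Bitcoin's retarget to use all 2016 intervals; the function names are hypothetical.

```python
# Added illustration (not from the article). Assumptions: constant honest
# hashrate, expected values only, retarget computed over all 2016 intervals.
TARGET_MIN = 10   # consensus target block spacing, in minutes
PERIOD = 2016     # blocks per difficulty period
CLAMP = 4.0       # maximum difficulty change per retarget (factor of 4)


def minority_chain_recovery(share, blocks_into_period=0):
    """Return [(mean_interval_min, period_days), ...] for every difficulty
    period in which the minority chain is slower than the target spacing.

    share: honest hashrate as a fraction of the pre-attack total (0 < share <= 1)
    blocks_into_period: blocks already mined in the current period at the fork
    """
    if not 0 < share <= 1:
        raise ValueError("share must be in (0, 1]")
    if not 0 <= blocks_into_period < PERIOD:
        raise ValueError("blocks_into_period must be in [0, 2016)")

    difficulty = 1.0                       # relative to the pre-fork difficulty
    done_blocks = blocks_into_period
    done_minutes = blocks_into_period * TARGET_MIN
    slow_periods = []
    while True:
        interval = TARGET_MIN * difficulty / share
        if interval <= TARGET_MIN * 1.01:  # back at target (1% tolerance)
            return slow_periods
        minutes = (PERIOD - done_blocks) * interval
        slow_periods.append((round(interval, 2), round(minutes / 1440, 1)))
        # Retarget: scale difficulty by expected/actual time, clamped to 4x.
        ratio = PERIOD * TARGET_MIN / (done_minutes + minutes)
        difficulty *= min(CLAMP, max(1 / CLAMP, ratio))
        done_blocks = done_minutes = 0


def days_until_normal(share, blocks_into_period=0):
    """Total days of slower-than-target blocks on the minority chain."""
    return sum(days for _, days in minority_chain_recovery(share, blocks_into_period))


if __name__ == "__main__":
    for s in (0.25, 0.10):
        print(s, minority_chain_recovery(s), days_until_normal(s))
```

Under these assumptions, a 25% share forking at the start of a period averages 40-minute blocks for 56 days before one retarget restores the target spacing, while a 10% share needs two retargets because of the factor-of-4 clamp.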
PS. Sorry for not answering the question in the title. The cost required to destroy Bitcoin is greater than the security budget, but I do not think it is possible to provide an exact figure. I get into a bit more detail in Part 2.