Thanks to Justin Drake for his helpful suggestions!

Bitcoin is getting more valuable, but less secure

In this writeup, we explore how plausible a 51% attack on Bitcoin is. After a short recap of what a 51% attack entails, we show how Bitcoin's exponentially decaying security factor is turning a naive 51% attack into a plausible scenario. Then, we dive into the various options that exist to improve upon this naive yet increasingly credible threat. Overall, Bitcoin's decreasing security budget and rising market cap are starting to resemble a systemic risk, threatening the crypto industry as a whole.

A small recap of how to double spend on Bitcoin

Let me first briefly recap what Bitcoin does.

Bitcoin is a proof-of-work chain. It is secured by "miners" who solve a cryptographic puzzle with the side-effect of producing new blocks. This requires computational work which is rewarded for each correct solution.

In the case of Bitcoin, the cryptographic puzzle consists of incrementing a specific value called "nonce" until a block's hash (a 32 bytes value) contains a required amount of leading zero bits.

In the case of two competing chains, Bitcoin follows the "longest chain rule": nodes adopt the chain with the most cumulative proof-of-work - i.e. the one with the greatest hashing power.

To double spend on Bitcoin:

1. Get your transaction $\mathsf{tx}$ included in block $\mathcal{B}_t$, which points to $\mathcal{B}_{t-1}$ within the main chain $C_{main}$.
2. Next, confirm your transaction with the seller you are buying from, while privately mining your own, private, chain $C_{priv}$, also built on top of $\mathcal{B}_{t-1}$ but omitting $\mathsf{tx}$
3. Finally, outpace $C_{main}$ and release $C_{priv}$ to the Bitcoin network. Following the longest chain rule, nodes will switch to $C_{priv}$ .

Note that the attacker can't create bitcoins or take money that never belonged to them in the first place - honest nodes will not accept such transactions or blocks in the first place.

Incentivizing hashing power

To make the success probability of this double-spend attack $1$, where the attacker catches up and eventually outpaces $C_{\mathsf{main}}$, you would need $\gt 50$% the hashing power of all the network combined. This means that the more hashing power Bitcoin has, the costlier an attack is.

Thus, securing Bitcoin to avoid double spends means incentivizing miners to provide the network with hashing power. This incentive is called the "block reward" and is obtained upon mining a block. It consists of:

1. Transaction fees, paid by users. Since miners collect fees, the higher it is, the more likely a transaction will be included in a block.
2. A block subsidy, a deterministic amount of Bitcoin, issued according to Bitcoin's emission rule. The block subsidy originally helped incentivizing early network participants to provide hashing power to the network. It is halved every 4 years.

Now, to estimate profits a miner makes from mining Bitcoin, we need to subtract costs. They non-exhaustively consist in:

1. ASICs. A mining operator balances between optimizing for TH/s (terahashes per second) and J/TH (joules consumed per terahash).
2. Cooling systems. They range from air cooling (least commons in high density setups), to immersion cooling (submerging a tank filled with ASICs within a dieletric fluid) or direct-to-chip cooling (saves up on space, but more complex).
3. Energy. Mara claims to be using north of 1GW in compute power. Riot's Rockdale facility is the largest mining data center in North America and is said to have a 700MW capacity. To manage energy costs, miners can negotiate fixed-rate, long-term electricity contracts, with the ability to resell power back to the grid when mining is unprofitable.

We could add things like land, racks, networking and OS setups, but I'm omitting them since they are either fixed or negligible costs compared to the costs listed above.

Bitcoin's security budget

As seen above, the security of Bitcoin depends on incentivizing the provision of hashing power to the network. The amount of money that goes into incentivizing hashing power on Bitcoin through block rewards is Bitcoin's "security budget" $S^{\mathsf{budget}}$ and consists, as mentioned earlier, of transaction fees and an exponentially-decaying block subsidy, halving every 4 years. The ratio of the budget security to Bitcoin's market cap $S^{\mathsf{factor}} = \frac{S^{\mathsf{budget}}}{M}$ is called the "security factor".

Basically, $S^{\mathsf{factor}}$ estimates how much of Bitcoin's market capitalization the block reward secures. While too much block reward can lead to overpay for security (which has happened in the past), too low of a block reward leads to too small amount of Bitcoin being allocated to secure the network, making an attack increasingly profitable - a low security budget drives unprofitable miners out, the network hashrate decreases, making an attack increasingly more profitable given Bitcoin's rising price, ...

How has $S^{\mathsf{factor}}$ been doing over the last ten years? Well, Bitcoin's rising price and halving block subsidy have made it clearly been trending downward.

Is this really a problem? To answer why this is, let me answer first the two most common questions.

1) Aren't fees making up for Bitcoin's halving block subsidy?

The theory has long been that the halving block subsidy would be offset by transaction fees. However, it now seems fairly safe to say that this hasn't been the case. Ignoring short spikes from various experiments (like ordinals) fees have been contributing from only 0.5% to 2% of miners' rewards. Today, fees contribution to miners' rewards has remained relatively flat.

2) Isn't Bitcoin's increasing market price making up for miners' costs?

Yes and no. Sure, it boosts dollar-denominated revenues for miners. But:

1. An environment where fees don't catch up with a block subsidy halving every 4 years means Bitcoin's price needs to double to maintain a constant security budget. Assuming this happens, an ever rising market cap will in fact decrease Bitcoin's $S^{\mathsf{factor}}$: we will end up with increasingly less money to secure increasingly more value. And we aren't even factoring in larger threats if Bitcoin were to reach such market cap levels.

2. Bitcoin's market cap is tightly correlated to attracting additional hashrate on the network, this additional hashrate would in fact result in a decreasing hashprice ("the expected value of 1 TH/s of hashing power per day."): when Bitcoin's hashrate increases, difficulty increases too and the cost of each mined Bitcoin increases, cutting in miners' profit.

Attacking Bitcoin

Starting from the naive 51% attack

Let's try to estimate the cost of a naive attack which consists in deploying the equivalent of 51% of Bitcoin's current hashrate.

The Bitmain S23 achieves a 10^15 H/s hashrate and costs 29k$: we get a price of 10^12 H/s@29$. This number, ignoring economies of scale and buyer discounts, isn't far from Riot's 2023 report. There, they claim to have placed an initial order of 33,280 miners for its Corsicana facility at a rate of 10^12 H/S@21$. In fact, Riot states in that same report that they have been able to buy 10^12 H/s@16$.

So let's price our hashrate at the slightly higher, pessimistic, rate of 10^12 H/s@20$. Today, Bitcoin feats a total hashrate hovering around 900 * 10^18 H/s. This prices our naive malicious miner infra at ~$18 billion in hardware costs - something akin to Justin Drake's initial estimates.

On the energy side, I believe we can end up with a 2x more energy efficient setup than what Justin suggests. One Bitmain S23 consumes 11kW. Factoring in cooling (air or more recent immersion cooling technology) and power management setups, this places us at an approx ~10-12GW center. This is, give or take, what OpenAI is planning for what "economically" transformative AI models will require.

On the manufacturing side, using the latest miner setup requires our naive attack to purchase or produce ~1m ASICs. Today, taking an average ASIC hashrate floating between 300 to 400 TH/s, we should have between 2 to 3 millions ASICs contributing to Bitcoin's security. Thus, the 1m figure is a number I would deem possible. And you can always acquire and overclock additional ASICs, something we talk about below.

So yes, a naive 51% attack looks today in the realm of the feasible for a somewhat rich and determined nation state - or a coalition of them. And this is without the potential improvements we will now discuss.

There are hardware or energy based improvements that can help improve the naive 51% attack. Combined with a credible commitment to carry them out¹, such improvements could sizeably contribute to decrease the cost of the above described setup.

Overcloking ASICs

The first route an attacker can take is overclocking ASICs. While overclocking temporarily reduces the attacker's energy efficiency, the large blow to the trust behind Bitcoin and the profit the attacker could make out of it should be enough to motivate overcloking.

In general, you can expect between a 10-15% improvement in hashrate from overclocking. So, in a conservative scenario, the attacker might be able to save up on ~100k ASICs on the naive attack explained above.

Squeezing miners with a decreasing hashprice

While hashprice is positively related to Bitcoin's price and block rewards, it is negatively related to the Bitcoin's network difficulty and the supply of hash power, since both increase miners' required hashrate. Thus, miners are long hashprice: they profit from it rising.

That's why the naive attack, consisting in supplying large amounts of hashing power, has the side effect of decreasing hashprice and squeezing out existing miners. It will in turn result in large, discounted, amounts of ASICs sold on the market, further facilitating the acquisition of hashing power and decreasing the required hashpower for a 51% attack.

Acquiring miners

Acquiring miners would further decrease the scale of ASICs manufacturing. There already exists large mining operators concentrating some important amounts of hashing power on the Bitcoin network. Riot has outlined a plan to reach around 100 EH/s in self-mining capacity, which would represent an amount slightly higher than 10% of today's Bitcoin hash rate².

And miners consolidation happen. Some recent example has been Riot's acquisition of Block mining in 2024.

Take down attacks

Another potential option is to reduce the amount of supplied hashpower by cracking down on miners. This has happened in the past, at a large scale. For instance, in 2021, China engaged into a nationwide operation, shutting down major mining facilities. This resulted in a ~40% decrease in Bitcoin's hashrate.

Mining infra also has single failure points. Attacks can adopt aggressive stances consisting, for instance, in disrupting power deliveries. This isn't far-fetched, since things like intentional pipeline sabotages are a rather frequent, documented practice in the context of high-stakes conflicts.

Conclusion

There are concerning signals with respect to Bitcoin's security budget and security factor. The crypto industry would benefit from the Bitcoin community avoiding wishful thinking regarding fees. Some options include revisiting Bitcoin's emission curve or consensus. But what do I know. It will be interesting to see how this plays out in the coming years, up until the next halving, scheduled for 2028.

Footnotes

1. A credible commitment consists in allocating a significant amount of resources, signalling the seriousness and plausibility of an attack. Credible commitments is a common strategy in nation states' conflict toolboxes. They can have sizeable impact on stock prices. Some good examples include the U.S. buildup to the Iraq war or Ukraine's war prelude. ↩

2. Thanks to Justin for pointing out that "this is part of it, but there's a double wammy. For every 1% acquired by the attacker the amount of ASICs to manufacture decreases by 2%! The reason is that the attacker is +1% and honest miners are -1%, so it's net +2% for the attacker." ↩