Bitcoin’s 21 million coin cap is not guaranteed

5th October 2021

Leif Cussen

BitWish2.jpg
 

Bitcoin’s security costs are funded through the minting of new bitcoin. The current annual inflation rate is 1.75%. With bitcoin at $50,000, this equates to $45m of new bitcoin issued each day, which subsidises the cost of securing the network.1

Bitcoin issuance is scheduled to halve every 4 years. The schedule eventually caps issuance at 21 million bitcoin, eliminating all monetary inflation. This will increasingly place the burden of funding network security on any transaction fees that users may choose to pay.

The move from a regime where security is funded through predictable monetary inflation, to one where security is funded from unpredictable voluntary transaction fees, is untested. Will it work?

The 21 million bitcoin limit is often portrayed as being immutable;

“...there can only ever be 21 million bitcoins in existence. There is no technical possibility for increasing the supply..."
The Bitcoin Standard, 2nd Edition.

This is not the case.

Capped supply has always been central to Bitcoin’s narrative; but what if future reductions in issuance break Bitcoin’s security model? Could users be forced into removing the cap, via a hard fork, or risk facing a total failure of network security?

In this article I aim to clearly explain:

  • How inflation currently funds security
  • Why this model will soon change
  • How this could potentially break network security
  • The importance of futures market depth in enabling attackers to take large short positions
  • Why bitcoin going up in value isn’t a panacea
  • Popular proposed solutions

Contents

  1. The current model - Inflation funded security
  2. The block reward
    1. Block subsidy - Reduction schedule
    2. Transaction fees - What drives fee levels?
  3. Staying secure - How big does the block reward need to be?
    1. Cost of attack
    2. Attack profitability
  4. Popular proposed solutions
  5. Conclusion
  6. Further reading

The current model - Inflation funded security

Securing the bitcoin network is, by design, resource intensive and costs money. Let’s briefly remind ourselves why. There are two main elements to bitcoin network security:

  • Public/private key signing algorithm

    This ensures that no user can spend a wallet’s balance without signing with the corresponding private key.


  • Proof-of-work consensus mechanism (mining + longest chain rule)

    This allows the network to reach consensus on the correct ordering of valid transactions, in a trustless and decentralised manner. Secure consensus is important to ensure that nobody can double spend or censor transactions on the network.

The consensus mechanism works as follows: miners compete to add the next block of unconfirmed transactions to the end of the blockchain. Approximately every 10 minutes miners compete to find an acceptable SHA256 hash2 of a candidate block of transactions.

The winning miner adds their proposed block of transactions to the end of the blockchain and collects the block reward.

As there is no central authority, when there are multiple competing chains being broadcast on the network, the longest chain (that with the most work spent on it) is deemed to be the valid chain of transactions.

 
 

It is this proof-of-work consensus mechanism that is resource intensive. Mining requires specialist hardware and significant electricity consumption. These resources are used to calculate SHA256 hashes, the ‘proof-of-work’ used to securely implement decentralized consensus.

The amount of resources miners allocate to the mining process is important for security. To attack the consensus mechanism, an attacker needs to control over 50% of the total mining power (hashing power) on the network. Outspending existing miners to do this becomes more expensive as miners allocate more resources.

How do miners decide how much to spend? In aggregate, miners should be spending close to the expected value of the block reward in costs. If they are spending more, mining will be unprofitable, if they are spending less, new miners can join and earn higher profits.

The expected size of the block reward impacts the amount of resources miners are willing to allocate to secure the consensus mechanism.

It follows that the size of the block reward is important because;

Larger block reward = larger miner spend = more expensive for an attacker to control over 50% of total mining power

The block reward

The block reward is composed of two elements:

  • The block subsidy - newly minted bitcoin.

  • Voluntary transaction fees - paid by users to incentivise miners to include their transactions in the next block.

Almost all of the block reward is newly minted bitcoin. Taking the last thirty days as an example, the block subsidy made up over 98% of the daily block reward:

 
 

Looking back further, we can see that newly minted coins have historically made up almost the entire block reward:

 
BlockRewardTS.png
 
The block subsidy is monetary inflation. The security of the network is currently, and has always been, almost entirely funded through monetary inflation.

Block subsidy - reduction schedule

New bitcoin is minted according to a predefined schedule that dates back to the launch of bitcoin.3

When the network was first launched, the winning miner of each transaction block was entitled to a block reward of 50 newly minted bitcoin (BTC), plus any transaction fees.

blockTable.png

Every 210,000 blocks (approximately every 4 years), the block subsidy portion of the block reward is halved. It now currently stands at 6.25 BTC per block, or 900 BTC per day.

The chart below shows how the block subsidy is currently scheduled to shrink. Around the year 2140 the last bitcoin is issued and the supply is capped at 21 million BTC.

 
BlockSubsidyHalvingSched.png
 

As the block subsidy reduces, transaction fees will make up a progressively larger proportion of the block reward, until the block reward is composed of transaction fees alone.

The current hope is that, as the block subsidy shrinks to zero, transaction fees, and therefore the block reward, will be high enough to keep the network secure. It is essential that the value of the block reward remains high enough to stop an attack.

The smaller the value of the block reward, the easier it becomes to attack the network.

The unanswered question is, will the transaction fees paid be high enough to keep the network secure, and consistently so?

Transaction fees - what drives fee levels?

The transaction fee portion of the block reward is volatile.

To understand why, it is worth reminding ourselves why bitcoin users choose to pay voluntary transaction fees.

  • Miners get to keep any fees attached to the transactions they include in the blocks that they mine.
  • Users pay transaction fees to incentivise miners to include their transaction in the next block.

The transaction processing capacity of the bitcoin network is limited. Approximately every 10 minutes the network processes a new block that can contain up to ~2700 transactions.

If the pool of unconfirmed transactions is small (or even empty), there is little to no competition between transactions to get included in the next block. In this case a very low transaction fee will suffice.4

If the pool of unconfirmed transactions is large, this creates competition among transactions to be included in the next block. Users effectively bid against each other, paying higher transaction fees to be prioritised for inclusion in the next block.

Lower demand for blockspace = lower transaction fee levels.

The below chart shows, when demand for blockspace is low, transaction fees can collapse to relatively low levels, for extended periods of time:

 
dailyTransactionFeesChart.png
 

It is hard to argue that transaction fees have exhibited any secular growth, they appear cyclical in nature. Over the last three years the mean daily transaction fees paid have been approximately 60 BTC/day.

Over extended periods of limited transaction backlog, the total fees collected can be below 15 BTC/day. Indeed, in September 2021 they have averaged below 15 BTC/day.

Most of the time the transaction pool is uncongested, leading to lower fees. As the pool becomes congested, transaction fees can spike. These spikes lead to a positively skewed distribution of transaction fee levels:

 
TFeeHist.png
 

Is the small size of transaction fees, relative to the current block subsidy, something to worry about?

Staying secure - How big does the block reward need to be?

How high does the expected block reward need to be to keep the network secure from consensus attacks?

Let's look at an example of how the cost of attacking the network shrinks with a declining block reward.

We’ll estimate the cost of an attack and then look at attack profitability.

Cost of attacking the network

To attack the bitcoin network an attacker needs to control more than 50% of the hashing power on the network. This is commonly known as a 51% attack.

Under Bitcoin’s consensus rules, the longest chain is deemed to be the valid transaction history of the network. If an attacker controls over 50% of the hashing power they can mine blocks faster than every other miner combined, controlling what valid transactions make it into the longest chain.

This allows an attacker to:

  • Double spend attack - Double spend money from wallets the attacker controls by removing previously confirmed transactions.

  • Sabotage + shorting attack - Censor or block any/all transactions on the network. Combined with taking short positions in Bitcoin, this could be significantly more profitable for an attacker than a simple double spend attack.

Discussions of 51% attacks usually focus on double spend attacks.5 With the ability to build extremely significant short positions via the futures market, sabotage + shorting attacks deserve much more attention.6

Let us estimate the cost of attacking the network, which is a function of the size of the block reward.7 While this is only a rough estimate, it can serve to give a sense of the magnitude of the cost of an attack.

First of all, we need to buy mining hardware. Current estimates are that miners spend about two-thirds of their costs on capital costs (mining hardware) with the remainder on ongoing costs (electricity, etc).8 Assuming mining hardware has a useful life of approximately 2 years9 we can estimate that the total cost of mining hardware required will be:

Cost of mining hardware = 2 years of block rewards * ⅔

Let's assume the block reward is currently worth ~960 BTC a day. (900 BTC block subsidy plus average daily transaction fees of 60 BTC)

2 years of block rewards = ~960BTC * 365 days * 2 years
2 years of block rewards = 700,800 BTC
Cost of mining hardware = 657,000 BTC * 0.67 = 467,200 BTC

At a BTC price of $50k:

Cost of mining hardware = 467,200 BTC * $50K = $23bn

So we estimate that to obtain enough mining hardware to control more than 50% of the hashing power of the network we would have to spend $23bn. What would this look like?

Bitcoin is primarily mined using ASICs.10 These are processors designed with the sole purpose of calculating SHA256 hashes as efficiently as possible. The current state of the art Bitcoin mining hardware is the Bitmain ANTMINER S19j Pro. It can calculate 100 trillion SHA256 hashes per second:

antminer.png

These cost approximately $10k each, retail. Our $23bn will buy us 2.3 million of these.11 (It is worth noting that if you order 2.3 million of these from Bitmain, they are going to struggle to fulfil your order in a timely manner).

Once we have our $23bn of mining hardware we now need to power them.

If miners spend one third of their costs on energy (plus other ongoing costs) then we can estimate required ongoing costs to be in the region of $16m/day:

Daily cost of attack = 960 BTC * 0.33 = $16m/day

If we are being conservative we should assume that as soon as an attack is launched, the bitcoin network will move away from SHA256 based proof-of-work to another hashing algorithm. This will immediately render all mining hardware useless, including our $23bn worth.

Miners would then switch to mining the newly chosen proof-of-work algorithm using commodity hardware (if no algorithm-specific ASICs have yet been manufactured12). We would expect miners to start paying 100% of the block reward on hiring processing power and energy costs combined. To maintain over 50% of hashing power we would need to spend:

Daily total attack cost post-algorithm switch = 960 BTC * 1 = $48m/day

To sum up, we conservatively estimate that at the current block reward size a 51% attack would cost $23bn initial outlay + $48m a day. And that is assuming we could actually obtain $23bn worth of ASICs.13

To recap, our attack cost estimate is:

One-off setup cost of attack = (Daily Block Reward * 365 days * 2 years * ⅔)
Ongoing daily cost of attack = (Daily Block Reward * 1)

We can project how the attack cost might change as the block subsidy decreases over time. In the below table we roughly estimate the cost of maintaining a sabotage attack for 3 months with both average daily transaction fees (60 BTC/day) and typically uncongested pool transaction fees (15 BTC/day):

 
 

It is worth noting that, although the block subsidy doesn’t end until the year 2140, it will have already reduced by over 98% in the next 23 years, by the year 2044.

Assuming transaction fees of 60 BTC, by the year 2044 a 3 month attack would cost ~$2.1bn.14

Assuming a clear transaction pool and transaction fees of 15 BTC, an 3m attack would cost just ~$800m.

Attack profitability

For an attack to be worth attempting:

Expected reward from attack > attack cost
and
Expected reward from attack > expected return from honest mining

In the presence of liquid derivatives markets, sabotage attacks combined with short selling are potentially much more profitable for an attacker than a simple double spend attack.

The size of the short position that could be built is a function of the depth/liquidity of the Bitcoin futures markets. One proxy for this is the open interest across Bitcoin futures markets:

 
 

In the short term, the USD value of open interest is, in part, driven by the price of bitcoin.15

If the cost of attack is significantly below the profits obtainable from a short position, we can argue that the security model is broken.

Obtainable attack profit depends on:

  1. How large a short position an attacker can build
  2. How the price of bitcoin is impacted by a sustained period of sabotage

One way to look at this is the estimated cost of attack relative to futures open interest. We estimate attack cost with an uncongested transaction pool (15 BTC transaction fees/day), 3 year average transaction fees (60 BTC/day), and double the 3 year average (120 BTC/day): :

 
SabotageAttackChart.png
 

The larger the gap between total size of the futures market, and the cost of mounting an attack, the higher the risk that somebody successfully attempts such an attack.

As an example, if an attacker could build a $4bn BTC short position, mounting an attack that stops the bitcoin network functioning for 3 months, at a total cost of $1bn (plus initial margin), could be an attractive proposition.16

Popular proposed solutions

The risks associated with a declining block reward are often dismissed. It is worth briefly exploring some of the more commonly proposed solutions.

Transaction fees will rise to a sufficient level to keep the network secure17

If demand for blockspace climbs to a high enough level then transaction fees income for miners could be adequate to keep bitcoin secure. There are some issues to consider:

  • Demand for blockspace needs to grow significantly, and then remain high indefinitely. Any sustained periods of a clear/uncongested transaction pool could risk making an attack viable.
  • The transaction fee model allows long-term holders to ‘free-ride’ upon those making transactions to subsidise their security costs.
  • Ultimately, the level of security would be at the mercy of future unpredictable supply and demand for blockspace. We can’t, with any certainty, know what this will look like.

Layer 2 solutions (such as the Lightning network) could increase ‘economic density’18

By completing most transactions off-chain and only periodically settling ‘on-chain’, high transaction fees could be amortized across a large number of lower-fee layer 2 transactions:

 
lightningnetwork.png
 
This is often suggested as a solution to the high fees required by the loss of block subsidy. One obstacle is that a goal of many Layer 2 solutions is ‘reduced blockchain load'. 19 An effective layer-2 solution could actually reduce demand for blockspace and reduce transaction fees.

There is a tension between needing demand for blockspace to remain high enough to ensure high fees, and the potential for Layer 2 solutions to significantly reduce demand for blockspace at the same time.

The block subsidy doesn't end until 2140, we have well over 100 years to come up with a solution

As the block subsidy declines by 50% every 4 years, in 23 years it will be just 1.5% of the current level. If the declining block subsidy becomes problematic, it is likely to be so long before it is reduced to zero.

BTC price will rise, increasing the value of BTC denominated block rewards and the cost of an attack

Relying on the increasing value of an asset for integrity of its security is a very bad idea, but let’s assume for a moment that the USD value of BTC increases significantly. This doesn’t necessarily help us.

In the short-term, one of the key drivers of USD value of outstanding futures notional is the USD value of bitcoin. As the price rises, so does the size of the futures market. This is important. While the value of the block reward in USD terms goes up as the value of BTC rises, so does the potential profit from an attack.

An attack would be more expensive but an attacker would also stand to make higher profits.

Conclusion

If transaction fees are unable to keep the block reward at a secure level, the block subsidy (i.e. monetary inflation) may need to be sustained indefinitely.

The main threat is the combination of:

  • A significantly diminished block reward, lowering the cost of a sabotage + shorting attack
  • A deep derivatives market, allowing significant short positions to be established and increasing attack profitability
While limiting bitcoin issuance is clearly attractive to many, it comes at the potential cost of breaking the security model that has proven effective since Bitcoin’s inception.

It is not just that it could lead to an insufficient block reward, but that it links the level of security offered to an entirely unrelated process - the demand for blockspace.

In addition, it moves the cost of securing the network from being pro-rated across all beneficiaries (through monetary inflation) onto just those users that are making transactions. Would users be willing to accept this ‘free-riding’?

More broadly, would transaction-fee dependency deter improvements to network efficiency, in an attempt to keep fees high and the network secure?

If it does become necessary to make some level of block subsidy permanent this raises some interesting questions:

  1. What is the minimum level of block reward required to keep the network secure, and if this changes through time, how can it be adjusted in a decentralized manner?

  2. The minimum secure inflation rate may be a function of consensus mechanism efficiency. Will the value Bitcoin users place on proof-of-work consensus justify potentially higher inflation rates than theoretically more efficient, but more complex, proof-of-stake mechanisms?

It is not unreasonable to argue that transaction fees could rise to a level that keep the network secure, but we should also not ignore the danger that this won’t happen.

Other solutions may be found, but if not, network security could be impacted to such an extent that it becomes an existential threat. This could force a change to the issuance schedule, via a hard fork, and the removal of the 21 million coin hard cap.20

To portray the ending of bitcoin inflation as an absolute certainty, rather than an understandably popular aspiration, is a risk ignored.

Further reading

If you interested in some of the topics raised in this article, I recommend the following further reading:

Proof-of-work consensus

An introduction: 3blue1brown - But how does bitcoin actually work?
More detail: Mastering Bitcoin - Mining and Consensus

Reducing block subsidy

Excellent overview from Hasu, J. Prestwich, and Brandon Curtis: A model for Bitcoin’s security and the declining block subsidy.

Sabotage + shorting attacks

Eric Budish's paper on The Economic Limits of Bitcoin and the Blockchains

Efficiency of Proof-of-work vs. Proof-of-stake

Vitalik Buterin's article Why Proof of Stake (Nov 2020)

Consensus and changes to the protocol

Jonathan Bier’s book The Blocksize War

  1. Issued bitcoin = 18,827,288. Annual issuance = 328,500. Annual issuance/Issued bitcoin = 1.75%

    900 BTC issued each day * $50k/BTC = $45m.

  2. 3Blue1Brown has an excellent introduction to SHA256 hashes and proof-of-work mining.

  3. The halving schedule can be found in the GetBlockSubsidy() function of the Bitcoin Core client.

  4. To visualise the current and historic state of the transaction pool see Johoe Hoenicke’s Bitcoin Mempool Statistics

  5. Satoshi Nakamoto's original Bitcoin paper does not cover sabotage attacks, focussing only on more traditional double spend attacks.

    “If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to [mine] new coins.”
    Satoshi Nakamoto, Bitcoin: A peer-to-peer Electronic Cash system

  6. Sabotage + shorting attacks are covered by Eric Budish in The Economic Limits of Bitcoin and the Blockchain (June 2018).

  7. I have used Vitalik Buterin's methodology from his article Why Proof of Stake (Nov 2020)

  8. Estimating capital costs: Ethereum Wiki

  9. Bitcoin mining hardware is effectively obsolete once it becomes unprofitable for mining. For estimates of current useful hardware life, see de Vries, A., and Stoll, C. (2021). Bitcoin’s growing e-waste problem.

  10. ASIC - Application Specific Integrated Circuit. For a history of Bitcoin mining hardware read The Evolution of Bitcoin Hardware (2017)

  11. Peak hashing power on the bitcoin network was ~179m TH/s. Each Bitmain ANTMINER S19j Pro can run at 100 TH/s. 2.3 million would provide ~230m TH/s. This would comfortably give an attacker over 100% of bitcoin’s peak existing hashing power.

  12. Bitcoin could also attempt to move to an established proof-of-work algorithm, with an existing installed base of ASICs mining other coins. It would then be competing with other coins for those ASIC mining resources.

  13. We almost certainly can’t. The largest ever order with Bitmain was for 70,000 ASICs delivered over 6 months.

  14. Attack cost assumes a price of $50k/BTC. A 3-month attack duration may be more than required for a successful attack.

  15. Over the longer term, open interest could be negatively impacted by increasing regulation, or positively impacted by increasing instituional and retail holdings of bitcoin via bitcoin futures products.

  16. Counterparty risk is also worth considering. While CME futures are centrally cleared, currently most futures volume is on non-CME exchanges. Counterparty risk would need to be taken into account by an attacker. In the event of a successful sabotage attack, counterparty risk would be elevated.

  17. See Dan Held's article Bitcoin’s Security is Fine

  18. See Nic Carter's MIT presentation '10 Years of Bitcoin'

  19. See Bitcoin Wiki - Lightning Network

  20. In such a situation, a hard fork would result in two coins:

    1. An unchanged 'Capped-supply Bitcoin'
    2. A new 'Permanent-subsidy Bitcoin'

    In the event of a total breakdown in network security of the 'Capped-supply Bitcoin' (and its associated collapse in value), we would expect users to deem the, still secure and therefore higher value, 'Permanent-subsidy Bitcoin' to be the 'true' Bitcoin going forward.