Suppose you wanted to bet on the outcome of a future bitcoin hard fork. How would you go about doing that?
That very question came up last spring on BitcoinTalk when Roger Ver, the controversial investor and proponent of a particular brand of bitcoin scaling, gave a nod to a challenge from another investor. The wager? Which of two blockchains would be more valuable if bitcoin were to split.
The challenge sought to speculate on the future of Bitcoin Unlimited (BU), a proposal for removing the bitcoin block size limit. (This was before SegWit2x came into play, although both protocol upgrades propose bigger blocks and require a hard fork to implement.)
Intrigued by the bet, and the amount of money Ver was willing to put on the table ($120m-worth of bitcoin at the time), researchers Patrick McCorry at University College London and Ethan Heilman at Boston University, along with Andrew Miller, assistant professor at University of Illinois, put their heads together to figure out a solution.
And to that end, they have released a paper outlining the technical details needed to carry through with the wager.
Before explaining how that protocol works, though, let's go back to the bet.
Back in March, "Loaded," a pseudonymous investor who holds a substantial bag of bitcoins, put forth a challenge to Ver, who, at the time, was pushing hard for BU.
"@RogerVer let's make a deal, 1 for 1 trade. At least 60k, possibly up to 130k, my BTU for your BTC," Loaded wrote.
"The offer is open to [Bitmain CEO] Jihan Wu as well," he followed, noting the mining magnate Ver was said to be working closely with at the time. "Consider it primarily as a vote of no confidence in the Bitcoin Unlimited software and development team as it currently stands."
While Wu remained silent, two days later, to the surprise of many in the bitcoin community, Ver responded:
And, since then, the developer community has been kicking around ideas on how exactly to handle the technical details of the swap.
Adding to the urgency is an increasing likelihood that a hard fork could occur. Currently, 85% and 42% of miners are signaling their readiness for SegWit2x and Bitcoin Unlimited, respectively.
As in any hard fork, if the bitcoin blockchain splits into two competing networks, the result will be two types of digital assets, as well. So, in the case of a BU hard fork, a person holding bitcoin on the original chain would end up with an equal amount of BU bitcoin, or BTU, on the alternate chain.
Over time, those coins would develop different market values, depending on the chain more users gravitated to. The situation would be similar to the aftermath of ethereum's DAO hard fork, which resulted in two assets: ether and ether classic.
To better understand the problem that McCorry, Heilman and Miller were striving to solve, it helps to take a closer look at how the deal between Loaded and Ver would unfold.
First, each party would need to put aside 60,000 BTC prior to the split. Once the split into two chains occurs, both parties will end up with coins on both blockchains, leaving each with 60,000 BTC and 60,000 BTU.
At that point, Loaded would trade 60,000 of his BTC on one chain with 60,000 of Roger's BTU on the other. Once the trade was completed, Loaded would walk away with 120,000 BTC and Roger with 120,000 BTU.
And, the gamble is, who will be the richer man as a result?
The scheme is a tough one to pull off, however. Although atomic cross-chain swaps are the most obvious way to handle the trade, that solution would only work after the hard fork when there would be two chains. Before the hard fork, there will only be one chain.
So, the trick is finding a way for both parties to commit to the trade prior to the fork and then swap after the fork. And, because bitcoin has not yet activated the SegWit upgrade, the solution also needs to account for transaction malleability, a problem that adds several extra steps to the setup.
But Heilman and McCorry, who spoke to CoinDesk about their paper, said they've had a good time trying to arrive at a solution and see malleability as bringing more to the party.
"It's way more complicated, but it’s also more fun," said Heilman.
How it works
The solution set forth by the researchers is a modified version of an atomic swap protocol that relies on two bitcoin transaction encumbrances: CheckLockTimeVerify (CLTV) and hashlocks. CLTV keeps a transaction output from being spent until a future point in time, while hashlocks require a "secret" (pre-image of a hash) to unlock a transaction output.
It's also worth noting that the protocol will work not just on a BU hard fork, but any hard fork that has what's called "replay protection," a way of ensuring that a transaction occurring on one blockchain after a split does not get repeated on the other.
Explaining the swap as it relates to Ver ('Alice') and Loaded ('Bob'), the setup goes something like this:
First, Alice computes a "secret" (pre-image) and hashes it. After that, three transactions (see below) need to be created and signed by both parties prior to the fork. This way, when the blockchain splits, Alice and Bob only have to broadcast their transactions to get their deposits.
To commit to the trade, Alice and Bob each deposit 60,000 BTC into a "funding transaction." That transaction has three outputs.
One output is linked to Alice's coins, the other to Bob's coins, and a third acts as a fail-safe, allowing Bob to cancel if Alice neglects to sign any of the off-chain transactions required to set up the entire trade. To ensure the money is held safely until after the fork, each output has a time lock.
Now, with the money safely set aside, both parties can move on to add their digital signatures to two more transactions. These will determine how the money in the funding transaction will be spent after the fork.
The "swap transaction" is actually a pair of transactions. When triggered, one transaction takes 120,000 BTU from the BU fork and sends it to Alice, while the other takes 120,000 BTC from the BTC fork and sends it to Bob.
And, to ensure each transaction only works in its intended chain, the protocol calls on the replay protection already included in the hard fork protocol upgrade. This way, for instance, Alice cannot claim coins on both chains.
When the time comes, it will be up to Alice to trigger the swap. To claim her funds on the BU fork, she has to reveal the secret created at the beginning of the setup. And, with that secret, Bob is able to automatically (and atomically) grab all of his funds on the BTC fork.
But, there is a catch. Alice (who, once again, represents Ver) may decide to wait and see what the market is doing first. If the BU chain looks like it's not doing so well, she may renege, and not want to go through with the trade after all. And, to guard against that, there is one more transaction to make.
To give Alice an added incentive to "push the button," so to speak, a third "forfeit transaction" is also set up in advance. By signing the forfeit transaction, Alice grants all the coins to Bob in the event she does not trigger a swap.
So, essentially, the question posed at that theoretical point is: "What will it be, Alice? Do you want the lesser valued coins, or none of the coins?"
If Alice does not sign that transaction in advance, Bob will use the fail-safe set up in the funding transaction to cancel the entire deal, as Alice is not acting in good faith.
But once again, all of these transactions need to be set up and signed before the fork.
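The flow described above, as an added example that is not taken from the article or from the researchers' paper: a simplified Python model of the pre-signed swap and forfeit transactions, showing that revealing the secret on one fork lets Bob claim on the other, and that the forfeit pays Bob if Alice never triggers the swap. Assumptions: transactions are plain dicts rather than bitcoin scripts, chain_id stands in for replay protection, the fail-safe cancel output is left out, "all the coins" in the forfeit is read as the deposits on both forks, and the names Chain, presign and run are hypothetical.

```python
import hashlib, secrets
from dataclasses import dataclass, field
from typing import Optional

POT = 120_000  # 60,000 from each party, the figures used in the article

def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

@dataclass
class Chain:
    chain_id: str                      # stands in for the fork's replay protection
    height: int = 0
    locked: int = POT                  # funding-transaction coins on this fork
    paid: dict = field(default_factory=dict)
    revealed: Optional[bytes] = None   # spending a hashlock publishes its pre-image

    def spend(self, tx: dict, preimage: Optional[bytes] = None) -> bool:
        if tx["chain_id"] != self.chain_id or self.locked == 0:
            return False               # wrong fork (replay) or pot already spent
        if self.height < tx.get("not_before", 0):
            return False               # time lock has not expired yet
        if "hashlock" in tx:
            if preimage is None or sha256(preimage) != tx["hashlock"]:
                return False           # missing or wrong secret
            self.revealed = preimage
        self.paid[tx["to"]] = self.locked
        self.locked = 0
        return True

def presign(secret_hash: bytes, timeout: int):
    """Transactions both parties sign before the fork (modelled, not real scripts)."""
    swap_btu = {"chain_id": "BTU", "to": "alice", "hashlock": secret_hash}
    swap_btc = {"chain_id": "BTC", "to": "bob", "hashlock": secret_hash}
    forfeit = [{"chain_id": c, "to": "bob", "not_before": timeout}
               for c in ("BTC", "BTU")]
    return swap_btu, swap_btc, forfeit

def run(alice_triggers: bool, timeout: int = 100):
    secret = secrets.token_bytes(32)        # Alice's pre-image
    swap_btu, swap_btc, forfeit = presign(sha256(secret), timeout)
    btc, btu = Chain("BTC"), Chain("BTU")   # state just after the split
    if alice_triggers:
        btu.spend(swap_btu, secret)         # Alice claims BTU, revealing the secret
        btc.spend(swap_btc, btu.revealed)   # Bob reuses it on the BTC fork
    btc.height = btu.height = timeout       # the deadline passes
    for tx, chain in zip(forfeit, (btc, btu)):
        chain.spend(tx)                     # fails if the swap already spent the pot
    return btc.paid, btu.paid
```

run(True) models Alice triggering the swap and run(False) models her reneging; each returns the payouts on the BTC and BU forks.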
Place your bets
In the event of a BU hard fork, Ver, who has been pushing for bigger blocks for some time now, likely thinks the BU chain would come out on top. But, is he ready to stand by the deal he made with Loaded?
If so, McCorry and Heilman say they will be more than happy to set up the transaction. And, they feel confident other developers will pitch in to help out as well. So, with the stage set, all the players ready, what’s next looks like a wait-and-see game for now.
"Loaded asked the community for an atomic trade protocol suitable for the bet, and we have provided him with it," said McCorry.
"I'm not hoping for a bitcoin hard fork, but now, at least if it happens, we will have something to look forward to."
Disclosure: CoinDesk is a subsidiary of Digital Currency Group, which acted as organizer for the SegWit2x proposal.