A recent TokenAnalyst report claims a single entity could be in control of around 50 percent of bitcoin’s hashrate. The observation is based on the fact that five large mining pools have launched a new cloud mining service as a joint venture.
“In 2020, bitcoin has […] become a highly centralized system that places an increasing amount of trust in a small number of large entities. Any centralization of bitcoin network hash power should be of concern as it erodes the trustless model of the network,” TokenAnalyst, a cryptocurrency research firm, says.
Its strong language is consistent with the folk theorem that bitcoin (BTC) relies on the decentralization of hash power to be secure. But is it also correct?
Concentration is inevitable
It is certainly true that one miner with 100 percent of the hash power would have more control over the network than miners with 10 percent hash power. A majority miner can reorganize the blockchain to double-spend his own transactions or even block any unwanted transactions from making it into the blockchain.
If a majority miner can misbehave and hurt users, does that mean users should try whatever they can to prevent centralization in hash power?
Former Bitcoin Core developer Greg Maxwell sees that as a futile task, given that “[an attack] doesn’t even depend on a single person having too much of the hash power. The attack would work just as well if there were 100 people each with an equal amount and a majority of them colluded to dishonestly override the result.”
This insight is important because it shows we can not rule out concentration, ever. Miners can always collude with each other and act as a single entity. It would be ludicrous to trust a system that can collapse after a single conference call – that’s all it would take to coordinate the behavior of the largest mining pools. And if miners could make more money by colluding with each other, we should expect that they will.
And – according to Maxwell – this problem might not have a solution because “any mechanism that would let you prevent one party (much less secret collusion) from having too much authority would almost certainly let you just replace mining entirely.”
So if the concentration of hash power in proof-of-work (PoW), or of stake in proof-of-stake, is inevitable, why am I not worried?
Concentration is harmless
The answer is that bitcoin’s design doesn’t assume mining power is widely distributed. It’s simply not a requirement. Instead, it only assumes miners are rational, which is something completely different. Rationality means agents do what is best for them, even if that means colluding with other miners to attack the system.
Satoshi addressed this matter directly in the white paper:
The incentive may help encourage nodes to stay honest. If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. He ought to find it more profitable to play by the rules, such rules that favor him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.
Let’s unpack this a bit. It is the incentive in the form of new coins and transaction fees that motivate the majority to “stay honest.” Satoshi realized the only way to prevent a “greedy attacker” from taking over is to make it more profitable to play by the rules than to attack the system.
This is the key to bitcoin’s assurances and at the same time the most widely misunderstood aspect of bitcoin’s design.
Economist Paul Sztorc even says he is “most comfortable just assuming that everyone is always in perfect collusion with everyone else. Specifically, that all of the hash power is actually owned and operated by one guy, whom we might call ‘Mr. Greed.’ […] Why doesn’t Mr. Greed double spend, you ask? (He can reorganize the chain at any time.) Well, Mr. Greed prefers to keep all of the new coins for himself, rather than undermine the system (and the validity of his own wealth).”
I must admit, I was not comfortable with what I perceived bitcoin’s security model to be initially. If bitcoin were vulnerable the moment a group of colluding miners obtains 51 percent of hash power, how could we possibly monitor – let alone prevent – this? Moreover, why are smaller forks like [bitcoin cash] BCH and [bitcoin SV] BSV not constantly under attack, given that several individual mining pools in BTC control more hash power than their entire networks?
The dissonance disappeared when I realized that hash power concentration doesn’t actually matter. Bitcoin is secure not because it is impossible to attack, but because it is costly to attack.
The real cost of attack
The cost of an attack is directly related to how much hash power the attacker owns. That is the key finding of a paper I released with Curtis and Prestwich in 2019. In a simplified model, we estimated the present value of all mining operations in bitcoin at around 658,800 BTC or $6 billion at current bitcoin prices. (Consequently, 60 percent of hash power is worth around 395,000 BTC or $3.6 billion, and so on.)
The present value of these miners depends on the value of the network because their future profit is exclusively from block rewards. They are priced in bitcoin’s native token, BTC. If something happened to bitcoin that would make users lose trust in the system, these 658,800 BTC could lose their value in real terms, incurring a large opportunity cost.
Let’s say an attacker with 60 percent hash power decided to attack the network. If the attack depresses the price of bitcoin by only 10 percent, a rather conservative guess, he would lose $360 million in future profit. This is the opportunity cost of his attack.
This number – also called security margin – gives us an idea of how much an attacker has to be able to gain just to break even with his attack. And it does not yet include the ability for the other 40 percent of hash power to push back, or the ability of users to respond with their own nuclear option of changing the PoW algorithm.
The same logic has been replicated in the recent paper “Too Big to Cheat: Mining Pools’ Incentives to Double Spend in Blockchain Based Cryptocurrencies” by Savolainen and Soria. The authors conclude that “the historically observed pool concentration does not indicate a higher risk of double-spending attacks. […] This result demonstrates the well-known economic insight that feasibility does not imply desirability.”
Mining concentration is inevitable. Mining concentration is also harmless as attacks on bitcoin incur an opportunity cost that scales with the amount of hash power an attacker controls. An attacker with a lot of hash power would incur a large cost.
As a result, the system ensures miners with more control have a stronger vested interest in its protection as well.
Thanks to their feedback to Su Zhu, Nic Carter, Eric Wall, Mike Co and Loomdart.
Image by Christos Palios