Raphael Auer is principal economist in the Innovation and Digital Economy unit at the, Bank for International Settlements (BIS). His research focuses on issues related to cryptocurrencies, stablecoins and central bank digital currency. The views expressed here are his and do not necessarily reflect those of the BIS.
The imminent halving of the “block subsidy” exposes a fundamental threat to Bitcoin. Whenever a new block is added to the blockchain, a quantum of new bitcoins is created and paid to the miner adding the block. As miners compete for this subsidy, they drive up the system’s difficulty, making it harder for so-called 51% attacks to succeed. But the subsidy is set to diminish over time, halving very soon to 6.25 bitcoins per block, so that the total supply of coins will eventually reach 21 million. And as the subsidy shrinks, Bitcoin could fall victim to 51% attacks, just as smaller cryptocurrencies already have.
Yet, a future in which Bitcoin is plagued by 51% attacks is just one of the possible outcomes. In this column, I introduce the notion of a “security trilemma” to illustrate how the Bitcoin ecosystem could evolve as the subsidy falls. This trilemma refers to trade-offs that influence how well Bitcoin can function without the block subsidy.
See also: Bitcoin Halving, Explained
Put simply, “you can’t have it all,” and, once the subsidy shrinks beyond a certain point, users will have to accept compromises along at least one of three dimensions. In the future, Bitcoin will either become more centralized (i.e. rely on institutions to function), or its liquidity could dry up, or its supply needs to grow beyond the originally envisioned 21 million coins.
The role of the block subsidy for payment security
The extent to which Bitcoin depends on the block subsidy to function cannot be overstated. Looking at this issue in a BIS working paper, I showed a cryptocurrency that relies on proof-of-work to ensure payment finality is subject to two economic limitations.
The first lies in the extreme costs of ensuring payment finality within a reasonable space of time. For a start, miners’ income needs to be very high to deter 51% attacks. According to my calculations, for payments to be made irreversible within six blocks (i.e. roughly one hour), a miners’ income must amount to 8.3% of the transaction volume – a multiple of the transaction fees currently levied in today’s conventional payment services.
The second limitation is that Bitcoin transaction fees alone cannot generate an adequate level of income for miners. Today, users pay an average fee of less than $1 per transaction. Each block can include up to about 3,500 transactions, but total fee income still adds up to only a fraction of the value of the block subsidy. In fact, the subsidy typically makes up over 99% of the total income (see Graph 1 below, left-hand side).
The paltry level of fees adds up to a classical “free-rider problem”: for any given transaction, the proof-of-work, and hence the security level, is determined at the level of its block. In contrast, the fee is set by each user privately. While each user stands to benefit if the miner reaps a high income, users have no incentive to contribute to that income with the fees they each pay. Taken together, these observations suggest that the liquidity of Bitcoin is set to deteriorate substantially with every halving.
As miner income falls, so does the system’s difficulty, and users will have to wait longer and longer before they can safely assume that a payment has gone through. The number of required confirmations will have to increase. My research (Graph 1, right-hand panel) indicates that, towards the end of this decade, it could take several hours or even days for payments to become irreversible. Eventually – i.e. once the block subsidy is phased out completely – waiting times could lengthen to months.
The security trilemma: in search of a Plan B for Bitcoin
Bitcoin will start to function differently as the block subsidy falls. One option, simulated above, is that transactions will require more and more confirmations. But this is not the only possible outcome. The range of scenarios can be visualized by adapting Vitalik Buterin’s “Scalability Trilemma” to the specific outlook for Bitcoin.
Bitcoin faces a “security trilemma” and a range of possible outcomes (see Graph 2). This trilemma means that, of the three properties that today make Bitcoin desirable to its fans (scarcity, decentralisation, and a liquid blockchain trading market), compromises will have to be made in at least one dimension. Bitcoin could become less liquid, or its protocol could be changed so that supply will eventually exceed 21 million, or it could become more centralized.
Scenarios involving lower liquidity
Scenarios involving lower liquidity mean that on-chain bitcoin trading will either be much slower or subject to much higher fees than is the case today. The most straightforward scenario is that the system remains unchanged and fees continue to be low, but that more confirmations are needed, as discussed above.
However, there is also another scenario involving lower liquidity, which is to create higher fees. This could, for example, be achieved via deliberately creating congestion. When newly added blocks are already at the maximum size permitted by the protocol, the system congests and transactions go into a queue. Users who want to have their transactions processed immediately start setting higher fees. During the peak crypto-hype in late 2017, transaction fees spiked to more than $50 per transaction in this way (see Graph 1, left-hand side). In the future, such congestion could also be created artificially, by adjusting the maximum number of transactions that Bitcoin can process.
Scenarios involving less scarcity
A very controversial scenario involves a substantial departure from Nakamoto’s initial design: continued supply growth. For example, one of the options discussed by researchers Hasu, Prestwich and Curtis is to change the protocol so that the supply of bitcoin will continue to grow beyond 21 million – for example by 1% annually. This would address the problem of the declining block subsidy head-on. However, as Hasu and colleagues note, such proposals have been met with scepticism for a number of reasons. A primary one is that many now see digital scarcity as Bitcoin’s prime virtue. Thus, while it remains a theoretical option, expanding the supply beyond 21 million would seem an unlikely scenario.
Scenarios involving less decentralization
A third set of possible outcomes involves less decentralization and some institutionalization. This could take several forms, including mining cartels. Even today, mining is dominated by a small number of large players. This can be a big issue when it comes to censorship resistance, but the upshot is that these large players have strategic incentives to guard transactions and thus protect their investment in mining equipment.
In the future, it is possible that miners might form cartels that would coordinate with each other to respond against any 51% attacks. MIT researchers Moroz, Aronoff, Narula and Parkes have analyzed the potential for double-spend counterattacks in the case of a single miner. If several miners were to be involved, this would require some kind of institutionalization – i.e. an agreement to ensure that the cooperation between the miners would work smoothly.
But institutionalization could also take other forms. For example, it might involve “proof-of-stake,” i.e. replacing costly proof-of-work computations with an essentially resource-free betting game. Why should this involve institutionalization? With proof-of-work, miners will normally follow the longest chain when choosing between blockchains, should these ever conflict. With proof-of-stake, the absence of an actual cost opens the door to so-called long-run attacks.
This is a problem that Buterin termed “weak subjectivity.” It implies that successful proof-of-stake implementations might need to rest on some central contact point that guides newcomers to the “honest” blockchain. It remains to be seen how well such arrangements might work.
The last option for institutionalization involves custody and off-chain trading on regulated exchanges. For years, bitcoin has traded on specialized exchanges such as Coinbase or Kraken. More recently, some trading activity has developed on Bakkt, a subsidiary of Intercontinental Exchange, the owner of the New York Stock Exchange. In the future, an increased share of trading could migrate to such regulated market places.
Of course, any such development would come with regulatory issues similar to those in standard financial markets. Starting with Mt. Gox, billions of dollars’ worth of cryptocurrencies have been lost or stolen in recent years, as unregulated exchanges turned out to be fraudulent or simply incompetent. The industry could benefit from better regulation. That imminent regulation is not always bad news for cryptocurrencies, according to BIS research, adds to this case.
And regulation can also be adapted to the technology of cryptocurrencies, as I have outlined in another BIS working paper. The idea of “embedded supervision” is that the financial supervisor ensures that funds deposited with an exchange are fully backed by on-chain bitcoin holdings. Data delivery is automated, with the financial supervisor directly reading the ownership balances in the Bitcoin blockchain. In this way investors are protected, and the administrative burden on the crypto-exchange is kept to a minimum.
The road ahead: If not money, then what?
As the block subsidy falls, the Bitcoin ecosystem will need to change – not to grow, but just to limit the fallout. The future is likely to entail a steady transition to regulated exchanges, with fewer anonymous trades on the blockchain, and miners playing a lesser role.
As this is a far cry from the proclaimed revolution, the core value proposition of Bitcoin may well need to be re-evaluated. In all likelihood, Bitcoin’s long-run outlook will depend on the applications that can be made to run on top of it, and how well such applications get traction and generate revenue. In this, Bitcoin’s core asset may well turn out to be less the original proof-of-work-based technology than its large community of fans and developers, as well as the penumbra of media attention it continues to attract.
Only a few years ago, bitcoin was hailed as the future of money. But its manifold limitations have eroded this claim. Nowadays, a common narrative is that it is the digital equivalent to gold. But people will continue to trade gold for millennia, while few would dare to make such a claim for Bitcoin. Instead, the danger is that the cryptocurrency turns out to be the digital equivalent of sand slipping slowly through your fingers.