A Review of Budish’s 51% Attack Theories - What is the Fair Price of An Old ASIC?
Eric Budish, a Professor of Economics at the University of Chicago, recently published a working paper called “The Economic Limits of Bitcoin and the Blockchain,” in which he argues that the theoretical threat of a majority attack (a.k.a. 51% attack) in Bitcoin is much higher than we believe.
The paper describes a number of scenarios where an attacker could cheaply acquire majority hash rate & bring about the destruction of the Bitcoin network. I believe these scenarios are either unrealistic or built on an inaccurate pricing model.
The paper also describes one scenario where an attacker could not cheaply acquire majority hash rate, but still do it anyway since his goal is to either profit from short-selling, or purely sabotage. I also believe this scenario is highly improbable.
I will explore these in-depth below.
I want to say that regardless of the validity of these hypothetical scenarios, the paper raises a very important topic. It forces us to look deeper into Bitcoin’s security model & likely develop better pricing models. It’s a conversation worth having & further research is warranted in this area.
One of the paper’s main arguments is that under certain scenarios, the cost of a majority attack can be reduced to merely a “flow” component, as opposed to a much costlier “stock” component (or to be precise, stock plus flow).
Flow: defined as the reward to the miners (block reward plus transaction fees initially; purely transaction fees later).
Stock: defined as sunk-cost investment in mining hardware.
(For a more detailed explanation of stock vs. flow in Bitcoin, go here.)
When we say the cost of attack is primarily flow not stock, it means that the attacker pays next to nothing for the mining hardware, and still be able to get majority hash rate. The paper argues that this is possible by listing four future hardware scenarios under which it believes flow-based accounting is appropriate.
However, three of the flow-based scenarios are highly unrealistic. The fourth uses an extremely simplistic pricing model that fails to properly account for real world factors.
Let’s go through them one-by-one, starting with the most improbable/least interesting.
“Case #1: The most efficient chips for mining the blockchain in question are repurposable for other uses.”
If this were true, an attacker could rent hash rate from someone else & avoid paying for the hardware investment.
However, this has not been true for a long time. It is definitely not true for SHA256, and probably not true for any other hash functions (including the so-called “ASIC-resistant”). It is now commonly accepted that Satoshi’s initial idea of “one CPU, one vote” was naive.
“Case #4: The most efficient chips are specialized, there are neither reasonably efficient repurposable chips nor older generation specialized chips, but the attack does not cause a decline in the value of mining equipment.”
This is just impossible, no matter how you think about it. An “attack”, if works, has to reduce the market value of Bitcoin, which will directly impact mining equipment’s bottom line - especially as this equipment has no other purposes beyond mining Bitcoin.
“Case #2: The most efficient chips are specialized, but there are repurposable chips that are efficient enough for the purpose of an attack.”
I don’t think this will ever happen. General-purpose computing trades off a significant amount of efficiency for flexibility. As a result, historically single-purpose designs have always been orders of magnitude more efficient than general-purpose designs. This is simply a physical constraint & not something you can hack around. The big gap between general-purpose computing & ASIC will likely remain regardless of what technology you use, including FPGA.
Let’s now turn to Case #3 and Case #5, which are more interesting.
“Case #3: The most efficient chips are specialized, and there exist previous-generation specialized chips that are not economically efficient for mining but are efficient enough for the purpose of an attack, and exist in large quantity.”
What does this mean exactly? The paper explains:
“The new chip improved on the energy efficiency of the old chip by enough that it would be inefficient to use the old chip for mining even if it were free. The market price of the old chips will therefore be negligible.”
“If e ̃ [energy cost of old chip] is within a reasonable factor of e∗ [energy cost of new chip] and there are a large enough number of the previous-generation chips available to amass N∗ of computational power, then the flow cost approach is appropriate.”
Intuitively, these 2 statements above seem to contain a contradiction. Surely a chip cannot be at once:
- So inefficient to be useless (and free)
- Efficient enough that they can be practically used for mining computation?!
To understand this better, we need to first answer a fundamental question (and the title of this article):
What is the fair price of an old ASIC?
Using energy efficiency to model hardware price, as the paper did, is insufficient, because energy efficiency is only one part of what goes into the price. There’re a number of other factors:
Price Factor #1: Differences in electricity cost will persist due to geographical & political reasons. A number of areas on Earth will enjoy cheaper electricity rates thanks to their natural advantages or local subsidies. There will be no monopoly on electricity.
This means that there will always be some miners at these low-cost-electricity locations, who could take advantage of the older ASICs that are not profitable for others, and this will create a healthy resale market for older ASICs.
In the extreme case, electricity could become so abundant that it’s practically free. In fact, electricity is already free at some locations in the world. As more locations offer free electricity, demand for all generations of ASICs would increase, subsequently raising their price.
We have the evidence to support this: the Antminer S7, as well as the S5 & S3, have retained value extremely well, despite the S9’s two-year dominance and huge efficiency gains: ~250% over S7, ~510% over S5 and ~780% over S3.
Price Factor #2: Older ASICs could still retain their value because the supply of new, state-of-the art ASICs is finite.
A rational miner will deploy all new ASICs he can get his hands on first. And then deploy his older ASICs that are still profitable.
Price Factor #3: Another thing to keep in mind is that older ASICs can be profitable in the future, even if they are not profitable today. Smart miners won’t give away older ASICs for free if they expect a future increase in Bitcoin price.
Due to these factors, price of older ASICs with non-trivial hash rate is not “negligible”, as the paper believes. It’s unlikely that there will be any ASICs that are simultaneously i/ so inefficient that they are free and ii/ efficient enough that they can be used for an attack. Therefore, for Case #3, the cost of attack must include a significant stock component.
A few other things the paper overlooked in Case #3:
- Wear & tear on old ASICs that reduces their effectiveness in an attack — this should contribute to stock cost
- Overhead of accumulating old ASICs, such as shipping/storage costs (remember, using older ASICs requires more physical units & potentially a lot more space than newer ones) — this should also contribute to stock cost
- There’s the risk of even newer ASICs coming out as the attacker accumulates old ASICs (now outdated by at least 2 generations) — the slower the accumulation, the higher the risk
- The paper also underestimates the difficulty of securing short-term electricity contracts with favorable rates. An attacker needs a massive amount of electricity — more than most countries produce — to perform & sustain a majority attack. He would need to strike a deal with local energy providers and be able to rent this electricity for a short term. This is a difficult task, to say the least.
The paper also gives one scenario where it thinks stock-based accounting is appropriate (meaning the attacker does need to incur a major cost in mining hardware):
“Case #5: The most efficient chips are specialized, there are neither reasonably efficient repurposable chips nor older generation specialized chips, and the attack is a sabotage. Importantly, case #5 seems to be the accurate case for Bitcoin circa spring 2018.”
(The paper believes this scenario captures the current situation in 2018. This is not quite accurate. As mentioned above, there currently exist a large number of older generation ASICs on the market.)
The paper correctly acknowledges that a majority attack in Bitcoin’s current state would cost an attacker somewhere on the order of $1.5Bn-$2Bn — a stock cost — back in April when the paper was written. (That number has now increased to ~$2.5Bn .)
However, the paper argues that this stock cost might not provide sufficient security  as it is simply “linear” in mining energy usage, and compares it to the supposedly-superior, “convex” security offered by some technology like a door lock or public-key cryptography. This is a common misconception. The “convex” security can be easily bypassed if the attacker manages to forcefully switch roles & becomes the owner of the key. In short, security offered by things like door locks & public-key cryptography is relative, while security offered by Bitcoin mining is absolute. (I elaborated on this here & here.) Saying Bitcoin security is “linear” is a red herring because for absolute security, there is nothing better than linear!
The paper reasons that if an attack can crash Bitcoin price to zero, then the cost-benefit analysis will be favorable to the attacker. For example, an attacker can spend $2Bn to acquire majority hash rate, pull off an attack while shorting Bitcoin on the side with leverage, and massively profit.
I believe this scenario is highly improbable, because there is absolutely no guarantee that the price will crash to zero. It’s impossible to predict how much the price will fall. Case in point: altcoins such as Bitcoin Gold, ZenCash & Verge have suffered majority attacks (Verge several times, in fact), but their price did not crash to zero or anywhere close to it (*Disclaimer: I am not arguing for the soundness of these projects, just observing them as market data points). The apt saying, “the market can remain irrational longer than you can remain solvent”, applies here. As such, the attacker would take on an unbelievable amount of risk by spending $2Bn on Bitcoin mining hardware, and potentially not making enough to make up for that sunk cost.
As for an attacker whose goal is pure sabotage, he also faces the same amount of stock cost. But keep in mind that $2Bn is the stock cost at the current price level. There’s still a lot of room for growth. The price of Bitcoin could very well 10x or even 100x over the next 10 years, raising the stock cost to an even more prohibitive number.
In summary, the paper presents four hardware scenarios where it argues the cost of a majority attack is flow, not stock. However, three of them are unrealistic, and the fourth employs an inaccurate pricing model. It follows that the paper’s conclusion that on-chain transaction fees must become extremely high (to make up for the theoretical lack of stock cost) is incorrect. (Transaction fees do have to rise, but nowhere near the same level the paper indicates.)
The paper also presents a hardware scenario where an attacker has to spend a large stock cost but would do it anyway. The paper argues that Bitcoin security is simply “linear”, and therefore might not provide sufficient security to guard against this scenario. However, this scenario is also highly improbable because there’s no guarantee that a successful attack will cause a big enough price drop for the attacker to even break even. The idea of better security than “linear” is also a misconception, because “convex” security is a relative concept that doesn’t apply to a public blockchain.
Special thanks to Steve Lee & Nic Carter for their extremely valuable feedback and additions to this article.
: Current network hash rate, as of August 9th, 2018, is around 46 EH/s. Current market price of Antminer S9 is around $750.
: “Security” is an ambiguous word. When I mention Bitcoin security in this article, I refer to Bitcoin’s ability to resist changes to the ledger.
Note: The paper also commented on Proof-of-Stake & seemed to favor Proof-of-Stake over Proof-of-Work. I highly disagree that PoS is anywhere as secure as PoW, and saying that PoW energy usage is “wasteful” misses the crucial point of this innovation. You can read my analyses on PoS [here], [here], and [here].