Bitcoin: Fee-Based Security Modeling

Over the past decade, the Bitcoin network has been the most secure public blockchain.

This is because it has by far the highest market capital­iza­tion and hash rate in the asset class, along with customized hardware required to mine it, meaning that the cost for a poten­tial attacker to try to control 51% of the hash rate for a lengthy period (which would allow for double-spending attacks and other security disrup­tions) is relatively high.

However, in the decade ahead, Bitcoin will gradu­ally shift from paying miners primarily through Bitcoin block rewards to paying miners primarily through Bitcoin trans­ac­tion fees. So it has to navigate a gradual change in its security model.

Some Bitcoin bears consider it inevitable that Bitcoin will fail in this transi­tion and encounter security problems. Many Bitcoin bulls consider the risk to be a non-issue.

Like most things in life, in my analysis, I find the transi­tion to be middling in terms of risk poten­tial. It’s something to think about and monitor to see how it develops over time as one of Bitcoin’s final tests on its way to maturity, but not something that has insur­mount­able economic or technical issues.

This article dives into some of the nuances, where I analyze the topic mainly from an economic point of view rather than a technical point of view.

How Bitcoin Manages Security

Bitcoin’s blockchain is a public and immutable ledger of past trans­ac­tions stored by count­less devices worldwide.

Every ten minutes on average, another block is added to the blockchain by a miner that solves a puzzle from the previous block. In doing so, it processes up to a few thousand bitcoin trans­ac­tions and adds them to the blockchain, encased in that new block. Once several more blocks have been built on top of that block, the trans­ac­tions in that block become effec­tively perma­nent. As of this writing, there are over 670,000 blocks on the Bitcoin blockchain since its genesis in 2009.

The primary reward for the miner who adds the block is a number of newly-gener­ated Bitcoins. That’s the only way that new Bitcoins are created. During the first 210,000 blocks (approx­i­mately 4 years), the reward was 50 new Bitcoins per block to the successful miner. During the next 210,000 blocks, the reward was 25 new bitcoins per block. It keeps getting cut in half every 210,000 blocks and is currently 6.25 new bitcoins per block. This process asymp­tot­i­cally approaches a total number of 21 million coins in existence sometime after 2100, although by 2030, the vast majority will have been mined.

The secondary reward is trans­ac­tion fees. Users can add fees to their trans­ac­tions to incen­tivize miners, which during busy times (meaning too many trans­ac­tions trying to clear vs. the amount of avail­able block space) helps miners prior­i­tize high-impor­tance trans­ac­tions. If you’re trying to settle a $10 million trans­ac­tion, for example, you’ll be willing to pay a higher fee than someone trying to settle a $1,000 trans­ac­tion. This dynamic helps get the most trans­ac­tion value settled per block in a free market way. The fees are denom­i­nated in fractional bitcoins and paid by the sender as part of the transaction.

Here’s an annual history of block rewards and fees for miners, in terms of dollar value, from back in autumn 2020:

The numbers in this chart repre­sent the annual security and processing budget for the store of value and payment settle­ment network.

As Bitcoin’s price has increased over time, miner revenue has increased, even though the block reward was cut in half every 4 years. In other words, miners receive fewer coins for their efforts but a higher dollar amount worth of coins and a small but growing amount of fees. Fees tend to spike during congested periods, in addition to having a struc­tural growth trend.

Here in 2021, there will be about 330,000 bitcoins rewarded to miners as block rewards. At an average Bitcoin price of $40,000 as an example, the total amount of block rewards to miners would be approx­i­mately $13 billion. Fees would be added to that. We won’t know the total security budget until the end of the year, based on average prices and fees. Until then, we can monitor it over time.

Looking back over the past decade, this chart shows the average market capital­iza­tion of Bitcoin, the annual security spend, and the percent of market capital­iza­tion spent on security:

For the first two months of 2021, the average market capital­iza­tion was $740 billion, with an annual­ized security spend rate of $15.3 billion, repre­senting 2.0% of the market capital­iza­tion. This continued the trend of higher absolute security with a smaller percentage of market capital­iza­tion spent on security.

Impor­tantly, the market decided how much security there would be, rather than some central authority. As bitcoin followed its algorithm, including diffi­culty adjust­ments and supply flow halvings, users purchased or sold bitcoin based on the prices they wanted, and miners allocated capital to mining based on risk/reward assess­ments. Miners could have mined other blockchains, or they could have done something entirely different with their capital.

This chart shows what the average cost of trans­ac­tion was since incep­tion of the data, along with the fee portion of that cost:

A Closer Look at 2020

If I take a snapshot of the full-year 2020, we can dig a little deeper and firm up the numbers of what a given year looked like.

307,439 trans­ac­tions were settled per day on average:

Since a single trans­ac­tion can send to multiple addresses, the total number of individual payments was higher, at over half a million.

The average cost per trans­ac­tion was over $44, which includes fees and block rewards to miners:

With 366 days in the leap year, that gives us a total of well over 100 million trans­ac­tions and over $5 billion in miner revenue.

The average market capital­iza­tion was $203.53 billion:

So, Bitcoin spent about 2.5% of its average market capital­iza­tion on security and processing that year.

However, the vast majority of the cost per trans­ac­tion was in the form of block rewards, which is a form of infla­tion that doesn’t affect the sender directly, and instead affects the whole network. In terms of fees for the sender, the average trans­ac­tion took just $2.86 in fees:

The mean trans­ac­tion size was several thousand dollars, while the median trans­ac­tion was much smaller.

Special thanks to Nic Carter for the Coin Metrics chart and his previous work on the subject of Bitcoin fees. He gave a talk at MIT in 2019 about this topic that remains relevant today.

Overall, nearly $1 trillion in USD value was settled on the Bitcoin blockchain during the 2020 year. That’s impor­tant to note; annual settle­ment value was much higher than Bitcoin’s average market capital­iza­tion, and that’s true for prior years as well.

If Bitcoin were running on a fee-driven model in 2020, with, say, $40 in fees per trans­ac­tion, the average $8,000-sized trans­ac­tion would have a relatively low fee (~0.5%). Still, many of the median-or-smaller trans­ac­tions would no longer make sense. Most folks wouldn’t want more than, say, a 1 — 2% trans­ac­tion fee, and so trans­ac­tions under $4,000-$8,000 would be less attrac­tive to do as a matter of normal operation.

Bitcoin, there­fore, would be a base settle­ment layer rather than a frequent payment network. Payment networks can be built on top of it, as some appli­ca­tions are already done via the light­ning network and other solutions. This should work well if Bitcoin’s adoption continues to increase in the decade ahead.

Incentives Against Attacks

Small blockchains are often the victims of 51% attacks. With little hash power, few nodes, and small devel­oper commu­ni­ties, they have limited resources to deal with an attack. A profit-driven entity can invest a manage­able sum of money and perform a double-spend attack to steal millions of dollars worth of tokens.

Bitcoin, however, is extremely resis­tant to 51% attacks, because the amount of dedicated hardware and electricity that an entity must acquire to attempt one is massive.

In the early days, mining rigs believed to belong to Satoshi Nakamoto controlled over half of the bitcoin network, but he had no incen­tive to under­mine his own creation, and as the network prolif­er­ated, these rigs became less impor­tant and eventu­ally ceased. And in 2014, a mining pool came rather close to the 51% threshold, but seemingly without intent to attack it. As bitcoin has grown larger, there haven’t been any more instances of entities coming near the 51% threshold.

Besides the consensus node network, rational self-interest is basically the backup defense for a 51% attack. Miners invest a ton of capital into their rigs and gener­ally own a lot of coins; if they were to achieve a successful 51% attack on bitcoin and threaten the security of the system, it would likely damage the market capital­iza­tion of the network, resulting in a reduc­tion in their income and net worth, even if they were able to steal some coins in the attack. And the resulting pushback from the rest of the ecosystem in the wake of such an attack against them would be immense.

As the network has grown larger and larger, and the Bitcoin network consumes as much electricity as a small country, the cost for coming anywhere close to a 51% attack threshold and holding it persis­tently is out of the reach of most entities. Only an extremely well-capital­ized attack, such as a consor­tium of state actors, could poten­tially be incen­tivized to attempt a credible attack of that magnitude.

A Hypothetical State Attack

For a sophis­ti­cated state entity to attempt an attack on Bitcoin in its current form (most likely for reasons other than profit, although they could also short the protocol to recoup costs and poten­tially make a profit), they’d have to do a bunch of things.

First, they’d have to acquire the majority of dedicated ASIC hardware for Bitcoin mining. These are often in short supply. If they tried to buy up a signif­i­cant portion of new mining rigs from manufac­turers and old mining rigs from the second-hand market, they’d likely be unable to, and the market would notice. As I write this, new mining rigs are sold out months in advance.

If they were to build their own mining rigs in some covert way, down to custom chips via their own foundry (and very few countries have sizable foundries), it would be a long and challenging process and require avoiding infor­ma­tion leaks. This would be a multi-billion dollar long-term effort in secret.

If over half of the mining capacity exists within a single country, the govern­ment could theoret­i­cally confis­cate enough mining rigs to reach a 51% attack threshold without buying new rigs.

The only country where this is a possi­bility is China due to their large hash rate exposure, although it’s only an estimate that China has over half of the hash rate. However, miners often keep their locations relatively secret because finding cheap sources of electricity is a key business advan­tage over competi­tors.

In addition, many miners are mobile; they move around to wet seasons where hydro­elec­tric overca­pacity exists or to stranded shale energy. And if miners start getting confis­cated system­i­cally, the remaining miners would disap­pear. It would be exceed­ingly diffi­cult for the Chinese govern­ment to locate and simul­ta­ne­ously seize the vast majority of mining that occurs in its juris­dic­tion. And over time, if mining becomes more diver­si­fied across geogra­phies, it would take that unlikely mass-confis­ca­tion option off the table entirely.

That’s the hardest part of doing a 51% attack on Bitcoin; getting the dedicated hardware. Folks often calcu­late the cost of a hypothet­ical attack based on electricity or per-hour rates, but the sheer amount of hardware that would have to be acquired is immense. This is unlike GPU-based blockchains where a user could conceiv­ably rent cloud GPU time (a use-case of gener­al­ized hardware rather than dedicated hardware) to perform an attack.

Second, once they have this in place somehow, either through buying it, building it, or confis­cating it, the state actor (s) have to concen­trate more electricity than Singa­pore consumes and channel it at the Bitcoin blockchain through their dedicated ASIC hardware to try to do a constant series of double-spend attacks or other disrup­tive efforts. With their massive covert invest­ment, they could very well be successful at messing up a few blocks and performing double-spend attacks or similar disrup­tions.

They could, for example, send an entity some bitcoins in exchange for money and then use their majority hash power to reverse that trans­ac­tion and keep the Bitcoins. They’d have to sustain this multiple blocks deep for it to have a sizable impact on trans­ac­tions that were thought to be fully confirmed.

At that point, it would become a battle between nodes and the majority miner, with the possi­bility of nodes changing to another algorithm or taking other major steps to avoid the ongoing assault. A 51% attack does not undo the full blockchain; it reorga­nizes a few blocks deep or disrupts the process of ongoing blocks added to the blockchain, which gives time for counter­mea­sures. It would be one of the biggest tests that Bitcoin has ever faced.

The diffi­culty and cost for this type of attack are why so far it has not occurred for Bitcoin and why only a large state actor, or collec­tion of state actors, who are partic­u­larly hostile to bitcoin’s existence and not concerned with the poten­tially unprof­itable nature of the attack, could conceiv­ably attempt it.

The more broadly that Bitcoin spreads, including to a state’s own citizens, the more self-destruc­tive such an effort would be even if successful, which deters this “James Bond villain” secre­tive level of capital and effort the state would have to go through to attempt it.

However, if it’s going to remain as successful as it has been, Bitcoin does have to grow a sustain­able fee market to keep those attacks very expensive.

Determining an Appropriate Security Model

As Bitcoin’s market capital­iza­tion has grown, the absolute amount spent on security has grown as well, but the percentage of the market capital­iza­tion spent on security has diminished.

Indeed, that’s what we should expect to occur over time. Paying a huge percentage of the market capital­iza­tion in security each year made sense in the begin­ning when the protocol was small, vulner­able, and highly infla­tionary, but in the long run, from a large market size and low issuance rate, something more like 0.5% to 1.5% of market capital­iza­tion spent on security would probably be appropriate.

And remember, bitcoin’s annual settle­ment value is a few times larger than its market capital­iza­tion. Relatively small fees on trans­ac­tions can poten­tially result in a sizable percentage of Bitcoin’s market capitalization.

Ideally, the security spending rate should be large enough in absolute terms to deter most realistic attacks and large enough as a percentage of the market cap or annual settled value to make attacks uneco­nomic while not so large as to make normal settle­ment trans­ac­tions uneco­nomic due to needlessly high fees.

The challenging thing is that there’s no firm number on what level would be appro­priate; it’s all an approx­i­ma­tion.

In practice, Bitcoin doesn’t optimize itself for security, but rather security is a natural byproduct of the incen­tive mecha­nism for mining, which means there could conceiv­ably be times where security is quite high or relatively low compared to credible threats. Bitcoin’s network is not doing a quali­ta­tive or quanti­ta­tive assess­ment of the threat landscape and adjusting fees accordingly.

After the next supply halving in 2024, bitcoin’s infla­tion rate will be less than 1% per year. It will continue dropping every 4 years from there asymp­tot­i­cally toward zero, so to maintain something like a 0.5%-1.5% ongoing security rate as a percentage of market capital­iza­tion, it’ll need to develop a sizable and persis­tent fee market.

This chart shows the amount of fees per year and the percentage of the average market capital­iza­tion that the fees made up each year:

For the first two months of 2021, the average market capital­iza­tion was $740 billion, with an annual­ized fee spend rate of $1.85 billion, repre­senting 0.25% of the market capitalization.

Inflation vs. Fees

If security is paid for primarily through block rewards, then the holders of the coins are the ones primarily paying for it in the form of inflation.

If security is paid for primarily through fees, then the senders of the coins are the ones primarily paying for it, in the form of the miner taking a cut from their transactions.

So, over time, Bitcoin’s security model is programmed to shift primarily from charging the holders to those who transact.

If, in some alter­na­tive design, bitcoin eventu­ally reached a point after a certain number of halvings where it had a constant issuance, like, say, 0.5% per year perpet­u­ally, then along with fees that senders pay, it would have a situa­tion where both holders and senders continue to pay for a base level of security. But as it was designed, bitcoin shifted over time to put all of the emphasis on sender fees for security, with holders paying virtu­ally nothing.

Whether that’s good or bad is up for debate. On the one hand, it’s sensible to argue that both holders and senders should contribute to security since they both benefit from it.

On the other hand, the hard supply limit has been a main selling point for people to buy system units. It likely increased its adoption rate and attrac­tive­ness as a store of value. A shift from a hard cap to low perpetual issuance would be the last resort among the commu­nity, so navigating to a fee model will be impor­tant for the ongoing success of the protocol.

A Spectrum of Security

This table shows the amount of money that would need to be spent on security to achieve a certain percentage of market capital­iza­tion for various market capitalizations:

Bitcoin, in its current form, can settle 120+ million trans­ac­tions per year on the base layer. Let’s call it 100 million as a round number since we’re talking orders of magni­tude here. And impor­tantly, a trans­ac­tion can send Bitcoin to multiple addresses, so you can batch multiple payments into a trans­ac­tion. So, the number of payments is realis­ti­cally up to a few hundred million per year.

If Bitcoin reaches a state where the average trans­ac­tion fee is about $10, it will trans­late into $1+ billion per year for miners. If we add a zero, and the average trans­ac­tion fee gets to about $100, it would trans­late into $10+ billion per year towards miners. For refer­ence, as of the first couple months of 2021, the fee has been up to $20+.

For payments of $10,000 or more, $100 or less in fees trans­lates into 1% or less of the trans­ac­tion value. So, the base layer would remain attrac­tive for large settle­ment trans­ac­tions but would be unattrac­tive for small payments. Bitcoin, in that sense, becomes something like a decen­tral­ized and permis­sion­less Fedwire system, relying on secondary layers to improve trans­ac­tion throughput for smaller users.

We can also compare it to gold as a store of value. If you buy physical bullion, you would expect to pay a 2 — 10% or more markup over the spot price for your trans­ac­tion, depending on whether you’re buying coins or bars, and sometimes more during supply short­ages. And then you have to protect it yourself or pay a vault to store it safely.

Payment Scaling Solutions

If we look at the current finan­cial system, it consists of layers.

There are deep settle­ment layers like Fedwire at the base, which process relatively low numbers of irreversible seven-figure trans­ac­tions between banks.

On top of those deep layers, some layers optimize for more frequent and smaller consumer trans­ac­tions, which are reversible. When you spend with your Visa card, for example, that’s not a final settle­ment irreversible payment in and of itself; that’s merely a trans­ac­tion that the bank will later batch into a larger Fedwire payment with another bank.

This is why the “Bitcoin doesn’t scale; it processes only a fraction of what Visa can do” argument is like comparing apples to oranges. Or, more specif­i­cally, it’s like comparing a whole­sale distrib­utor of apples to a retail apple-selling stand.

The Bitcoin network has a trans­ac­tion count throughput capacity similar to Fedwire; when and if more and cheaper trans­ac­tions than that are needed, that’s what secondary layers are for.

The various Bitcoin forks that attempted to increase trans­ac­tion throughput on the base layer didn’t work out well so far; they split the commu­nity, still didn’t achieve throughput anywhere near that of Visa, and sacri­ficed too much (acces­si­bility and decen­tral­iza­tion of node operation).

Bitcoin Secondary Layers

Not all or even most bitcoin trans­ac­tions have to settle on the base layer of the protocol. The base layer is ideal for final settle­ment for large trans­ac­tions, especially as trans­ac­tion fees grow as a percentage of the security budget.

Above the base layer are various scaling solutions for higher-frequency trans­ac­tions, and they can be either trusted or trust­less or somewhere in the middle.

For a trusted example, every central­ized exchange is basically a scaling mecha­nism. When you trade Bitcoin or various altcoins on an exchange, those aren’t on-chain trans­ac­tions. Those are trans­ac­tions within the internal ledger of that exchange. In other words, many trans­ac­tions occur back and forth, and some of the value is settled on-chain eventu­ally when entities withdraw or deposit coins. The custo­dian acts as a way to increase significantly trans­ac­tion volume since those intra-exchange trans­ac­tions are settling off-chain with occasional batching into bigger trans­ac­tions to actually move coins.

For a trust­less example, there’s the Light­ning network. The Light­ning network lets users open multi-signa­ture channels with each other, and from there, they can send fractions of bitcoins back and forth without the cost of an on-chain settle­ment. If one of them wants to settle at any point, they can close the channel and settle back on the base layer with an on-chain trans­ac­tion. There­fore, you can fit many trans­ac­tions, for a nearly free cost, into one fee-driven large settle­ment. Impor­tantly, you don’t need a channel open with the person you’re trying to transact with. You only need to have a path from node to node to node that eventu­ally links to that person.

The limita­tion of the Light­ning network is liquidity. If you don’t want to open a private channel with someone, you have to send fractional Bitcoins around from node to node to node to reach the target, and that means there has to be a sizable amount of channels between you and the target to make that possible, and there have to be suffi­cient tools to automate it. Public node opera­tors can place some Bitcoins on their channels and sell access to those channels for a tiny fee, thus earning a small ongoing yield on their Bitcoins.

Light­ning Labs and other devel­opers continue to build tools to help apps and users enhance liquidity and usability on the network. The Light­ning network itself, like the under­lying base layer of Bitcoin, is owned by no one. If it continues to grow larger and larger, liquidity becomes less of a constraint, and usability increases.

And then there are mixed solutions. 

Some trusted proto­cols can use a set of private channels in the Light­ning network to provide fiat-to-BTC-to-fiat payment solutions to customers that don’t neces­sarily even know that they are using the Light­ning network, like with the Strike and Bottlepay apps. The total address­able market for that, partic­u­larly concerning small domestic and inter­na­tional payments, is enormous.

Micro­pay­ments on the internet, such as through Sphinx Chat (which uses the Light­ning network), open up all sorts of revenue models for online businesses, as well as anti-spam measures in chat inter­faces (via a tiny but nonzero cost to post a message).

Other Uses of Block Space

Block space in Bitcoin’s blockchain is just infor­ma­tion; it doesn’t all have to be used purely for payment trans­ac­tions. Messages can be and have been included in various trans­ac­tions within blocks, including by Satoshi Nakamoto in the Genesis block.

A given block on the Bitcoin blockchain, as an immutable distrib­uted public ledger, can be considered virtual real estate, and only 144 blocks are avail­able daily on average. Most uses are for settling Bitcoin payments, but the space within a trans­ac­tion can be used for other purposes, too, because any infor­ma­tion you put there becomes perma­nent and publicly available.

There’s poten­tially a use-case for that because you can put something there as a matter of public record, as an arbiter of truth stored on count­less devices around the world that can never be changed once it’s buried under more blocks.

Over time, various services have been willing to pay trans­ac­tion fees to secure messages inside the Bitcoin blockchain. Veriblock, for example, has a service that allows weaker blockchains to “inherit” Bitcoin’s security using the OP Return operator. Veriblock and similar solutions accounted for a double-digit percentage of Bitcoin’s ongoing trans­ac­tions for a couple years, although in recent years, this practice has tapered off.

Overall, non-trans­ac­tional messages are no longer a big portion of Bitcoin’s block space usage, but in the future, this could conceiv­ably pop up again if new use cases are identi­fied. Many of the previous use cases have migrated to become Ethereum tokens, trading around in that space instead.