Jae Kwon on other economic attack challenges

Apropos the responses of BINO and the other responses to Downplaying Risks, Jae Kwon (author of the Tendermint protocol) pointed to an interesting thread on Reddit:

How to double spend PoW coins for fun and profit.

You don’t even need major pools to subvert the security of the blockchain and double spend.

Let’s say that you want to doublespend a transaction that was included at height H. Simply put out a bounty for more than the mining reward for the first miner to mine an alternative block at height H. Then, you reward the (traitor) miner on the existing blockchain. As long as the instigator is trustworthy, rational greedy miners would switch because the expected reward is higher. Then you do the same for height H+1 and so on, until the fork wins.

Jae also had some more comments related to blockchain forks and he gave me permission to have them reposted:

I actually wrote a prototype of an exchange engine, and the hardest part was dealing with logic pertaining to block chain forks.  It’s just so easy to get wrong, and it’s not even clear when a transaction should be deemed “irreversibly committed”.  So I ended up having to write tricky edge cases, where, I can imagine bugs can emerge.  This isn’t something that will connect with most users, so I doubt that people will even “get it”, but my assessment is that Bitcoin has these fundamental design issues that may end up hurting its adoption rate compared to other designs.

Another thought is that we probably want  to see a multi-coin future where no single coin has global dominance.  If you want a future with many multiple competing cryptocurrencies, then you probably want to get away from a consensus algorithm that relies on energy.

And in terms of the speculation surrounding the Ethereum team working together with the BitShares team and potentially using Delegated Proof of Stake (DPOS), Jae thinks that:

I don’t know enough about BitShare’s DPOS scheme to list specific vulnerabilities, but here’s a rule of thumb that I use to evaluate consensus algorithms:

The amount of value at stake that is lost in the event of a fork is roughly the amount of security afforded.

In the PoW vulnerability that I mentioned, what is at stake is the electricity spent mining blocks.  Large transactions need to be vetted by waiting a proportional amount of confirmations, potentially much longer than the original 6 confirmations as cited in Satoshi’s paper for transactions over hundreds of BTC.

In any delegated PoS model, if Carl can delegate his stake to someone without the risk of losing that stake, then Carl can be bribed by Malory to delegate his stake to Malory’s puppet account.  On the other hand if Carl can lose his stake in the event that the delegated signer does something bad (e.g. enable a double spend by forking the blockchain), then Carl probably wouldn’t want to delegate his stake to anyone, and instead would opt out of the consensus process or become a validator himself.  For this reason I don’t find delegation models to be very interesting.  It may provide some utility as long as delegated coins are “at stake”, but the foundational consensus algorithm (minus the delegation part) must be secure first.  Delegation cannot fix a broken algorithm.

Lastly, Peter Todd suggested that I emphasize that there is a difference between hard forks, soft forks and SPV soft forks.  Last fall Todd wrote an overview on this titled On soft-forks and hard-forks.


Robert Sams on rehypothecation, deflation, inelastic money supply and altcoins

The Bitcoin Foundation held a conference in Amsterdam back on May 15-17.  The video of the events was not uploaded until recently.  The one below covers the panel on economic theory.

Panel: Robert Sams (Founder, Cryptonomics) Robin Teigland (Associate Professor, Stockholm School of Economics) Peter Surda (Economist, Economicsofbitcoin.com) Konrad Graf (Author & Investment Research Translator) and moderator Jon Matonis (Executive director of the Bitcoin Foundation)

Over the past several months, Robert Sams has helped act as a non-partisan sounding board to discuss these issues as I did research on these topics.  He also recently launched a start-up in this space called Swiss Coin Group which acts as a liquidity counterparty (see also SCG’s announcement video from Coinsummit last month).

I finally had a chance to watch the panel on economic theory of Bitcoin (above) and below are some transcribed portions of comments by Robert Sams.

Regarding the ‘regression theorem‘:

The idea that something needs to have some underlying use value before it can gain liquidity and become a medium of exchange, first of all it has always struck me as not a derivation of logic and therefore not a theorem but an empirical hypothesis and one that I think that the very existence of Bitcoin has conclusively falsified.

On competing altcoins being sorted out:

I think eventually there is only room for a handful, 3, 4, 5, maybe ten competing cryptocurrencies.  Each filling a niche that satisfies some area of demand, some might have a richer scripting function for smart contracts, one might be embedded in a different kind of protocol.  So there is definitely room for multiple currencies but the very nature of hash-based proof of work, where the security of the network is arrived at by people literally burning money is one that can’t be evenly distributed over a large number of alternative cryptocurrencies.  It’s what you see, eventually most of the altcoins will fail and people will stop mining them, they won’t have any exchange value.  But there will still be room for quite a few.  And you already see it in the distribution of the market capitalization of these things, they follow a power law and I would expect that to continue.

What about altcoins in local communities?

That’s an interesting question.  I think the more local the currency becomes the harder I think it is to use hash-based proof of work as a solution.  Although other types of distributed consensus mechanisms could be used.  Because if as a community currency the overall monetary value of that thing is going to be much much lower, so the amount of seigniorage that comes from the mining award to reward the miners is much lower, so the amount of electricity that is spent securing it, it is something that will be a lot easier for someone on the outside to attack it if they wanted to.  On the other hand, the incentive of attacking some small community currency might not be there, so not much of an issue.  So it’s an open question.

Thoughts on fractional reserve banking with bitcoin:

I don’t think it is actually possible to construct fractional reserve banking within Bitcoin.  Because fractional reserve banking, especially in the modern era, it’s one of the great scandals of modern finance is based on an illusion — this 1:1 fungibility between bank deposits and cash.  And you can do that in the conventional analog world because you have this whole institutional framework of deposit insurance, lender of last resort function of the central bank, you can bail out the banks if they fail in order to maintain this illusion that a loan to the bank — an unsecured loan to the bank which is basically what a bank deposit is — is the same thing as cash, and they are not.  And there is not any way within the crypto space to express such an arrangement.  Sure there will be lending done in Bitcoin, I was talking to a guy last night who is doing just that, that’s fantastic.  But the relationship between the lender and the borrower isn’t one of “well I had some ownership of a pool of loans to people” — that’s something that has a floating net asset value.  It is not treated as a cash equivalent, I can’t use it as a medium of exchange or maybe I could but it would be a medium of exchange that trades like a credit instrument rather than risk free cash.  So I don’t think it’s even possible to express fractional reserve banking in bitcoin and I think that’s a good thing.

Konrad makes a really interesting point about trusted fourth parties and trusted fifth parties.  You know, it’s not just about being fractional reserve banking, the bank deposit versus cash, it’s about all assets within the financial system: the clearing banks, custodians — also play a fractional reserve-like role.  Most people don’t realize that.  Securities that are on deposit with a custodian bank can be lent out to those who want to sell them short; bonds, the same thing happens.  So that something that is called rehypothecation, these assets get lent and relent and relent, they multiply throughout the system.  So like some particular bond that’s in the system, there might be $2 billion of it outstanding, but the actual quantity of people who own that bond on their balance sheet is like a factor of 10 times that.  It’s just like the multiplication of base money in the banking system and the whole thing creates a systemic instability because the lack of clarity about this relationship between the guy who is entrusted his assets for safe keeping in some clearing bank and exactly do what that clearing bank can do with it.  Now the theory you think that it is governed by the law and the like but when Lehman bankrupt, there were a lot of fund managers and hedge fund managers who didn’t actually realize that their clients money which was supposed to be in a segregated client account was actually rehypothecated and they had to queue up in the bankruptcy courts in order to recover that money.  And one of the things that crypto does is make the sure technical nature of the transference being done by digital signature means that there is no way that you can create these rehypothecation arrangements without making them explicit.  And I think that is great.

Would you take out a 5 year loan in bitcoin knowing you had to pay it back in bitcoin?

No.  Well, it depends, I guess if I were selling it short.  But no.  If there was a lending market in bitcoin it’s most likely to flourish initially as being something that’s denominated in fiat money rather than nominal bitcoin.  Unless the borrower is using it as a vehicle to speculate on a climb in the exchange rate.

On deflation:

I think the deflation criticism of Bitcoin is usually misguided, it usually comes from the economics profession.  The arguments that are made don’t really apply because, the arguments about sticky prices (goods’ prices fall faster than wages), about balance sheet effects of debtors being punished because an increase in the purchasing power, none of those really apply in Bitcoin because bitcoin isn’t yet a unit of account.  Contracts and prices are still priced in the fiat currency and expressed in bitcoin by reference to some exchange rate.  So the traditional arguments like, “is deflation is a bad thing” don’t really apply in a bitcoin world.

There is a different reason for why we maybe should be concerned about the appreciation of the exchange rate because whenever you have an economy where the expected return on the medium of exchange is greater than the expected return of the underlying economy you get this scenario, kind of like what you have in Bitcoin.  Where there is underinvestment in the actual trade in goods and services.  For example, I don’t know exactly how much of bitcoin is being held as “savings” in cold storage wallets but the number is probably around $5 billion or more, many multiples greater than the amount of venture capital investment that has gone into the Bitcoin space.  Wouldn’t it be a lot better if we had an economy, where instead of people hoarding the bitcoin, were buying bitshares and bitbonds.  The savings were actually in investments that went into the economy to fund startups, to pay programmers, to build really cool stuff, instead of just sitting on coin.  I think one of the reasons why that organic endogenous growth and investment in the community isn’t there is because of this deflationary nature of bitcoin.  And instead what we get is our investment coming from the traditional analogue economy, of venture capitalists.  It’s like an economy where the investment is coming from some external country where Silicon Valley becomes like the Bitcoin equivalent of People’s Bank of China.  And I would much prefer to see more organic investment within the cryptocurrency space.  And I think the deflationary nature of bitcoin does discourage that.

What about issuing coins after 21 million limit, that would be called Keynes coin?

I wouldn’t call it Keynes coin, not just because of the marketing but conceptually I don’t think it would be either.  This is controversial and difficult.  There are algorithmic, distributed ways of working within cryptocurrency protocol to change the money supply in proportion to the change in its exchange value.  And that can be done, it doesn’t require a central bank, it doesn’t require some cabal of guys deciding what the monetary policy can be, it can be done completely anarchic and distributed way and it would have the property of stabilizing the price of cryptocurrency.

I think the issue if should you have more elastic supply or not it just really comes down to the fact that if you have a fixed supply of something, the only way that changes in demand can be expressed is through the change in price.  And people have expectations of increased demand so that means those expectations, expectations of future demand get translated into present day prices.  And the inelastic supply creates volatility in the exchange rate which kind of undermines the long term objective of something like cryptocurrency ever becoming a unit of account.  And forever it will be a medium of exchange that’s parasitic on the unit of account function of national currencies.  So I do think the issue does need to be addressed.

Audience question on 100% reserve versus fractional banking:

There is a movement underway in the economics profession called limited purpose banking or 100% reserve banking.  It’s not just in the cryptocurrency world that we criticize fractional reserve.  Even Mervyn King before he left his chairmanship with the Bank of England he suggested that this is something that we should look into.  So yes, it is quite possible, there could be consensus — broad base consensus — around taking away the banks ability to create private money.  What do we use to replace that, one side of the argument is going to be that the banks should take the role of issuing the currency they just have to have 100% reserves and ‘gosh those things should be risk free government bonds.’  I think there is an alternative argument that can be made from the cryptocurrency space is that we don’t actually need the banking system to fulfill those functions at all.  And the demand for some medium of exchange in the absence of bank created money will be met spontaneously within the cryptocurrency space.

Audience question, does buying bitcoin and holding them benefit the community?

It’s an interesting question.  I don’t think so.  You could argue indirectly the fact that people buy and hold bitcoin, the price goes up and that attracts all the interest into this space and to some extent that’s true.  So yes, it does provide some investment.  But I think it doesn’t provide as much investment as would be the case in the alternative world where Satoshi implemented the exact same thing but had a different money supply rule.  My view counterfactual is that we would actually see a lot more underlying economic activity in the cryptocurrency space and a lot more investment.


Cryptocurrency in the news #21

Closing tabs.  Links do not constitute an endorsement of the service or coin.


Downplaying statistically possible double-spending risks

My LTB article yesterday spawned a number of comments.  A few notable ones are discussed below.

One interesting proposal came from Zooko Wilcox O’Hearn (inventor/innovator/guru):

One thing that you could do to strengthen this argument is to broaden the discussion of “things a Dominant Miner (or coalition of miners) could do” from just double-spending.

From the perspective of a Dominant Miner who wants to maximize profits, there are a lot of downsides to double-spending as a strategy. To double-spend profitably requires victim-specific manipulation surrounding the double-spent transaction itself. Double-spends are eminently detectable by the public. They defraud a particular set of victims, who are motivated to defend and retaliate. Finally, double-spends also dramatically demonstrate to everyone else that they are in danger of being defrauded in the same way. This could galvanize opposition.

What else could you do if you were a Dominant Miner or a coalition that collectively has dominance? (Note: I’m saying “Dominance” instead of saying “51%” here because of the “self mining attack” from Sirer et al. which allows effective dominance at 34% with some assumptions.)

Another possibility would be to start giving a 50ⓑ reward to the miner instead of 25ⓑ (or 12.5ⓑ), every 10th block. This would increase the rate of wealth transfer from all holders of Bitcoin to the miners, but it would be a small cost against any individual holder of Bitcoin, thus taking advantage of the “dispersed costs and concentrated benefits” effect to blunt opposition.

It would also be hard to oppose this with any patch to the protocol. Instead, the opposition would probably simply have to effectively abandon the concept of mining and adopt a centralized+federated model, like Ben Laurie’s design for a Bitcoin alternative (http://www.links.org/files/dis… ), the “Sovereign Keys” design from Peter Eckersley (https://www.eff.org/sovereign-… ), the “Agile Tokens” idea from Joe Bonneau (https://docs.google.com/docume… ), etc.

Basically, a handful of the largest Bitcoin companies (in terms of number of users and in terms of amount of Bitcoin controlled) would agree to form a coalition to sign the blockchain, to refuse to sign blocks that violate certain rules (such as the size of the block reward differing from the original Satoshi plan), and to use Bitcoin clients that treat signatures from a majority of that coalition as over-riding the “longest chain” rule.

This is perhaps the protocol-layer change that matches the business and governance layer change which you’re suggesting (embracing the trusted third parties who represent large numbers of users).

If the opposition couldn’t muster that massive, system-wide change and bring a critical mass of the economy along with them, then instead the Bitcoin (BINO) economy would settle into the “new normal” where miners effectively get to choose the rate at which they siphon wealth from Bitcoin holders.

There are even subtler attacks that a Dominant Miner could do. Here’s one that is so subtle that it may even be below the threshold of unambiguously detectable: start requiring an extra “transaction fee” as a side-payment directly to you (not to “whoever mines this transaction first”), and discriminate against payers who refuse to play ball. Your discrimination could even include small forks, e.g. starting a fork one block back from the current head because the current head has a transaction from one of your intended victims who didn’t pay you the side payment. Those are more detectable, but you may be able to do only a few of them to prove the point to your victims without exposing your existence to the world.

You might be able to get away with this while staying completely under the radar — effectively extorting a few of the richest and most vulnerable payers while maintaining deniability or even secrecy from the public. You can layer on the secrecy and extortion by punishing your victims if they try to expose you, or if you detect that they have attempted to evade your net by submitting their transactions directly to other miners (not part of your coalition) without first paying you your extortionate extra transaction fee.

Ghash.io appears to have indicated a possible future strategy that would be compatible with this extortion, when they announced escrow, micro-payment aggregation, and low- or no- confirmation transactions in the same breath as admitting to controlling 51% of the mining power: https://ghash.io/ghashio_press…

I haven’t spent that much time trying to figure out all the evil things that a Dominant Miner could do, so there may well be other strategies available beyond these ones.

P.S. I got the “big players sign the blockchain” idea from L.M. Goodman. The Tezos inventor, not the journalist.


Stephen Gornick (@bitcoinminer), who actually emailed me a few things back in April about ArtForz, disagreed with my position stating:

Tim, you ignorant slut.

That’s like saying that to rob a bank you simply just get yourself inside the bank vault, stuff your bag full of the loot, and voila — you’ve robbed a bank! Double spending of confirmed transactions, too, is just not that simple.

Just having 51% of all mining capacity that exists doesn’t help you until you apply that capacity to a separate, private fork of the Bitcoin blockchain. Additionally to succeed a number of conditions need to exist and certain actions taken need to have a successful outcome.

To begin with, let’s consider that a pool (or cartel of pools) wants to attempt this attack. Doing so will be something nearly instantly obvious to anyone observing the blockchain. Suddenly blocks on the Bitcoin blockchain begin taking at least twenty minutes (as at least 50% of the hashing capacity has stopped mining on the public blockchain) and, coincidentally, none of the new blocks solved will be solved by the attacking pool (or cartel members). This is because the hashing capacity they have available will be used for mining on the private fork.

Now with most medium and larger Bitcoin businesses (e.g., exchanges, payment processors, hosted E-Wallets, etc.) there are business rules that complicate things for the attacking pool (or cartel). What the attacker wants is to be able to succeed at double spending. This is attempted by sending one transaction on the public Bitcoin blockchain and including a double spend of that transaction on the attacker’s private fork of the blockchain. The attacker would need to do this, upon commencing the mining on the private fork, immediately by sending transactions on the public Bitcoin blockchain with large amounts of coins going to exchanges, E-Wallets, and other targets. This attack only works if these exchanges, E-Wallets and other targets actually credit the attacker’s account for those Bitcoin deposit transactions once they confirm and then in turn also allows those newly deposited funds to be withdrawn in another form of value that too is non-reversible. So after the attacker broadcasts the first transactions a waiting game begins. With less than 50% of the hashing capacity remaining on the public Bitcoin blockchain, more than two hours will pass before the attacker’s transactions will confirm (assuming six block confirmations).

So, for this attack to be successful:

- Individuals and organizations doing the hashing work for the attacking pool (or cartel) need to continue doing the hashing work even though the signature of an attack underway is apparent (due to blocks slowing to 20 minutes each and none of them are from the leading pool or cartel members).

- Exchanges, payment processors, and hosted E-Wallets actually credit the attacker’s accounts with these large deposits, allow these funds to be converted to some other form of value, and then the value post-conversion be withdrawn (e.g., sell bitcoins, buy litecoins and then withdraw them).

If the attacker can’t get the non-reversible funds out of the exchanges, payment processors, E-Wallets, etc. then ultimately that’s a failed double spend attempt — regardless of how many confirmations the Bitcoin transactions that were “reversed” had gotten. That’s probably why Gavin Andresen suggested 120+ confirmations as the number necessary for a “huge amount of value” [where you don't have recourse]: http://thegipster.blogspot.com…

A response to Gornick

Generally speaking today, Gornick is correct: executing a double-spend attack is not a trivial task and on the surface might not be economically feasible (this is assuming that an attack costs more than what will be gained).

However, economic feasibility is a floating target: an attacker might execute it at a loss, because a target’s competitor compensated for the difference.  An attacker might also execute it to create market panic, while holding a leveraged short position in BTC.

I am not saying that the double-spend problem is a mortal blow to the Bitcoin model; it is just one of many things that are downplayed by some Bitcoin proponents (as an aside, three months ago, Gornick incidentally argued that 51% attacks on Dogecoin were relatively trivial).  Yet as Zooko pointed out above, having more than 25% of the hash rate is a problem (which I discuss at length in chapter 6).

It also bears mentioning that in that same article I did mention a long-wait workaround (tens of confirmations), and that an actual attack with a small number of confirmations happened at least once, when a user on GHash.io attacked Satoshi Dice last November.

Additionally, even with 5-6 confirmations, a double-spend is still possible with non-negligible success rate with something like 30% of hash rate.  For instance, in chapter 14, I point out that Greg Maxwell, a Bitcoin core developer, created a probability of attack success calculator that illustrates the concern of one entity having certain large portions of the hashrate and its ability to successfully conduct a double-spend attack:

  • 40% of hashrate, success probability of ~50%
  • 49% of hashrate, success probability of ~96%
  • 51% of hashrate, success probability of 100%

And a hash rate failure of 30% will not be immediately visible on short intervals because block timings deviate.  So basically if I make a series of deposits and withdrawals, and my fees are negligible, there could be a non-negligible amount of profit (though in a 30% attack, and 13.2% success rate, the cost of lost opportunities might be higher).

Most businesses have some mitigation mechanisms in place (e.g. multiple confirmations).  These mitigations hopefully lower the risks enough for these businesses to exist.  Yet the attack is probabilistic by definition, and Gornick implies that in his current situation this attack will not make money for an attacker.  But this is not so straightforward.  Let us assume that Bob can double-spend and that it will cost him 1000 BTC, but Bob will only recover 800, so he is at a 20% loss if this attack plays out.  However, he could find another party (Alice) that wants to inflict 1000 BTC of damage on Bob’s target and will pay Bob 200 BTC (e.g., if Bitfinex wants to ‘attack’ BTC-e, they could spend 200 bitcoins to inflict 1000 bitcoins in damage).

If and when bitcoin-based ETFs are approved, short-term sabotage and other types of economic attacks on network participants (pools, exchanges, large merchants) could be executed if there was an option to create a short big enough with a reliably trusted counterparty.  It could even become formalized through multisig and smart contracts — a “51% attack contract” (to my knowledge, Virgil Griffith is the one who suggested this first).

Other comments

Anton Bolotinsky (a developer) suggested that “Proof of Idle” probably has at least one vulnerability:

The part with “I’ll pay you if you don’t mine” is exploitable by unrelated miner which starts mining and invalidates payout for others. And proof of mining capacity: me and my friend collude, and we both show twice the capacity we actually have. If I have a lot of friends, we show enormous hashing capacity together. Basically, if my friends and I, each has 1Th/s, I show 1*number of friends, and each of my friends show 1*number of friends. To disprove, system will have to force us to mine in parallel.

Jae Kwon, author of the Tendermint whitepaper, posted another possible attack on a blockchain such as Bitcoin:

You don’t even need major pools to subvert the security of the blockchain and double spend. Let’s say that you want to doublespend a transaction that was included at height H. Simply put out a bounty for more than the mining reward for the first miner to mine an alternative block at height H. Then, you reward the (traitor) miner on the existing blockchain. As long as the instigator is trustworthy, rational greedy miners would switch because the expected reward is higher. Then you do the same for height H+1 and so on, until the fork wins.

A few readers may also be interested in a short debate between myself and Peter Todd on Twitter yesterday that covers economies of scale and killer apps.


Why do prices fluctuate?

Yesterday I was asked by CoinDesk for some comments on the recent drop in bitcoin prices.  At first I referred them to a good friend, Raffael Dannielli, who I worked with in China and who helped me on all three of my books.  Raffael wrote a very interesting post yesterday about margin trading squeezes: Bitfinex: cascading margin calls resulting in flash crash

Later I sent CD some comments for a new article they published moments ago.  They were not used, but may be of interest to readers here.

Why did prices fluctuate?  Making a testable hypothesis with prices is a crap shoot.

For example:

Hypothesis: “Prices declined because of negative news”
Test: “Look around for negative news”
Falsifiable: “Yes”
Potential falsification: “Finding bad news”
Truth status: “False” (there is bad news)

But it’s unclear if the news itself is leading it because it is hard to quantify and qualify; how do we know it is not manipulated via coordination by whales, Willy bots or exchanges?  And complicating matters, in the example above, you could do the same kind of “test” with good news.

Prices fluctuate and then news organizations try to make sense out of it by assigning news events to it to justify the movement, thereby ignoring that at the point of the price fluctuation there is often contradicting news.  However, in retrospect due to time constraints news organizations are left with presenting the news that “makes sense” to justify the price movement.  This does not mean that news has no influence, it is just that the market moves really fast in incorporating events. Even events that have not been reported in the news or are out of the spotlight for some reason.

This is one of the reasons why Coinometrics is trying to spearhead the Compare The Exchange (CTE) transparency effort, by surveying exchanges to find out what kind of practices they implement.  Despite enormous amounts of scams and thefts over the past several years, the counterparty risk for Bitcoin exchanges is huge.  In one study published last year, between 2010-2013, 18 out of 40 exchanges shut down, some of which absconded with customer funds. And it does not seem to go away by itself: as long as an exchange has volume people will go there to trade and the exchange will have no incentive to improve.  One example is BTC-e, even though its management is obscure, people go there because of the volume.  As long as people still trade at them, exchange managers have no incentive to change.

While it is unclear what immediate impact regulatory compliance proposals such as Bitlicenses from New York may have on exchanges (e.g., are all fiat-based exchanges depository institutions?), in the long-run the first two generations of exchanges may be living on borrowed time. That is to say, if the first generation was Mt. Gox and, 2nd generation exchanges are Bitfinex and Bitstamp, then the rise of a 3rd generation, potentially regulated or consortium of “self-regulated” exchanges, could eventually implement some of the suggested CTE “best-practices.”


Cryptocurrency in the news #20

Closing tabs, below are some stories and links that at least tangentially intersect with this space.  Also, great post by Richard Brown: A simple explanation of fees in the payment card industry


Bitcoin’s PR challenges



What kind of feedback has my book received over the past week?  Here are a few threads on reddit:

I am called any number of names on these threads and stylistically was equated with “Gish Gallop” and a “word soup” thesauri.

Hass McCook (“Bit_by_Bit”) weighs in at one point in the first thread saying that these claims are only valid in August 2014.  McCook had similar sentiments as noted in Chapter 3.  However, there was no word on the MV=MC issue that was brought up in that same chapter; it will always apply no matter what the efficiency of the mining equipment.  This cost basis was also independently confirmed by a miner.

Today a friend pointed to a new post by Mircea Popescu which takes aim at me (not my book): “No, you don’t have something to say on the topic.”  In it he claims I am a “boneheaded teenaged male approach to learning.”  Not a word about the marginal costs of mining.  In fact, he also claims that there is no data “per se” in the book which is curious since there is actually a lot of data in the book.

This is a common rejoinder; some vocal advocates not looking at actual data from the blockchain.  In some ways their timeline looks like this:

  • 2007: First lines of BTC code written
  • 2008: Whitepaper revised and published
  • 2009: Blockchain put into production
  • 2009 – 2014: data created, but the only valid data is fiat prices, the rest is not real data “per se”

Other responses

Aside from the ad hominems above, what has been the criticism?

Peter Surda, a researcher, disagreed with my points on inelastic versus elastic money supply but didn’t go into many details in a short email exchange.

I received a number of encouraging emails from a variety of readers and was named one of thirteen “Big Thinkers” in this space, though I doubt some of the other candidates would like me to remain in company with them.

I have had some responses with a couple others, including L.M. Goodman (creator of Tezos), on Twitter this past weekend — though this is largely unrelated to the book itself.

What does this mean?

Partisanship may be impacting scholarship, especially the Myth of Satoshi variety.

No, Leah Goodman did not uncover who Satoshi was.  But one thing that was clear from that episode in February was that some partisans do not want the individual who created Bitcoin to be taken down from the pedestal they have put him on; they want their caricature to be immutable.  Just like some historians have tried to revise history to make their heroes look unimpeachable, so too has the veneration of Satoshi.  If Bram Cohen had anonymously released BitTorrent a decade ago, would BitTorrent have had a similar following due to its mysterious beginnings?

I hold no ill-will to the person or group that comprised Satoshi, but it is clear from the evidence cited in chapters 9 and 10 that he, she or they did not consult an actual economist or financial professional before they created their static rewards and asymptote money supply.  This is a mistake that we see in full force today in which the quantity of money available has shrunk due to theft, scams, purposeful burning, accidental destruction, etc.  Satoshi recreated a deflationary inelastic economy and much to the chagrin of the self-appointed purity police, it is not being used the way he expected it to (actual commerce) and is instead being used for things it is relatively useful for (e.g., donating to Wikileaks, gambling).

What other economic and environmental issues are still being ignored?

Jake Smith, creator of Coinsman, recently published a new article on mining in China.  Yet despite being, in his own words, a “true believer” and interviewing other “true believers” in the mining space, he missed the unseen calculation, the economics of extracting and securing rents on this ledger unit which consume scarce resources from the real economy.  This is not something that is unknown; there is an economic formula to explain it: MV=MC (as described copiously in Chapter 3).  There is nothing magical or mysterious about mining as other people in the reddit thread point out how mining is currently an environmental albatross or as Fred Trotter dubs it, a “black hole.”

Moving forward

Today the Consumer Financial Protection Bureau (CFPB) issued its Consumer advisory: Virtual currencies and what you should know about them.  The advisory (PDF) gives a cursory look, in layman’s terms of what are the challenges and risks of participating in this space.

What does this mean?

While it is unclear what the motivations of some of the “true believers” are, they collectively did underestimate the costs of consumer protection and/or did not put it as a top priority for mass consumer adoption.  But why would they?  Consumer protection is usually expensive, it’s unglamorous and it’s centralized (which apparently is a “no-no”).

For example, generally speaking, most people do not like having their possessions stolen.  And in the event something is stolen, in practice, individuals prefer to take out insurance and even sue those responsible for damage (torts). If instead of promoting and building illicit markets (like Dark Market and Dark Wallet), these same developers and early investors had funded a start-up that helped track down these stolen funds, or started a non-profit to help recover stolen coins, it would have been an amazing public relations coup.

To be balanced, theft takes place across the spectrum of services.  It also happens on the edges of Visa’s network. The difference is Visa offers insurance which is built into their cost structure (highly recommend reading Richard Brown’s recent post).  Insurance alone is just another product and has nothing to do with the protocol.  And this specific point (for the individual user) could be resolved sooner or later (e.g. Xapo already offers some home-made insurance).  However, insurance does not change the economics behind Bitcoin, especially since lost coins are permanently and constantly removed from the money supply.

Then again, there is a built in incentive to allow this theft to occur — stolen coins need mixers and exits which could potentially benefit developers and investors of those services; and simultaneously as more coins drop out of circulation this increases the value for those holding the remaining supply.

In addition, a vocal group of these “true believers” do not think Bitcoin has an image problem.  Yet it has a massive PR problem, for similar (albeit smaller) reasons that Tylenol had in 1982: customers and their families do not like getting burnt.  The only group I am aware of that tried to immediately help the victims of the Mt. Gox debacle was Goxcoin (here’s the LTB interview of it).  In contrast, thread after thread on reddit was filled with bullies saying “no big deal.”   It is a big deal to normal people with real responsibilities beyond downvoting skeptics on reddit and pumping stories about Bitcoin curing cancer and ending wars.  And Mt. Gox liabilities won’t be resolved for at least another year.  Instead of cyber bullying merchants into adopting bitcoin payments, these same hectors could have created a company catering towards recovering stolen property (e.g., loss recovery specialists).  It was a lost opportunity.

[Figure: My Wallet transaction volume.  Source: Blockchain.info]

In contrast, Blockchain.info has a mixing service called SharedCoin based off the CoinJoin feature from Greg Maxwell.  Blockchain.info recently crossed the 2 million ‘My Wallet’ mark but as I noted in Chapter 4, the vast majority of these likely go unused.  This past spring, one of their representatives claimed that they receive about 15 million visitors a day, but what this actually is, is largely API traffic (external websites pulling charts from their site). They probably do not have close to 2 million users let alone 15 million visitors.

How few?  We have an idea based on their own internal numbers: MyWallet transactions are flat over the past 12 months.  If there were 2 million or 15 million users, we would probably see a gigantic uptick in usage elsewhere on the blockchain (e.g., TVO would skyrocket, tx fees to miners would skyrocket, etc.).

What this all means is that, while they do not release actual user numbers, at least a minority of wallets are probably ‘burner wallets,’ dumped immediately by individuals wanting to mix coins.  This is great for those who need to mix coins but not so great for consumers who just had their coins stolen.  How to resolve this going forward?

Incidentally in May, Roger Ver (an angel investor including in Blockchain.info) was extorted by a hacker who had figured out a vulnerability in Ver’s security.  Ver put a 37.6 bitcoin bounty on the hacker and the hacker eventually backed down; Wired and CoinDesk each did an article on it.  Yet during the same month, coins were stolen from others and when the users came to reddit for help, they were ridiculed for not having done the 27 steps to make a paper wallet.  No Wired article was written for them and in turn — speculatively — their coins could have been mixed on a site like Blockchain.info.  As a result, why would normal consumers ever want to use Bitcoin after that experience?

Perhaps user behavior and therefore the data will change in the future.  Consequently blockchains in general will probably find other niches beyond what Bitcoin is being shoehorned to do today.  This includes other chains and platforms that may be able to help firms like Wageni Tech accomplish its goals in Kenya by helping farmers move, manage and track produce to market in an attempt to bypass middlemen and introduce transparency.  Bitcoin may be able to do that one day, but maybe not at the current $40 per transaction cost structure.  Start-ups such as Pebble, Hyperledger, Tezos, Tendermint, Dogethereum (Eris), Salpas, SKUChain, Stellar and several other funded projects in stealth mode may be able to as well (remember, Google was the 15th search engine and the iPod was at least the 9th MP3 player).

This is not to say that “Bitcoin” has collapsed or will collapse, nor is this to single out Ver (he has done a lot to try and create value in this space and even donated 1,000 bitcoins to FEE last year).  Instead it may continue to evolve into something called Bitcoin-in-name-only (or BINO as I refer to it in chapter 16), and it probably will continue to be used for what most risk-tolerant consumers use it for today: as a speculative commodity and as a way to pay for things that credit cards cannot be used for.


Cryptocurrency in the news #19

Closing a bunch of my tabs, I only posted a few of these links in my book.

First link must have been inspired from the picture by Mac in It’s Always Sunny in Philadelphia.

Thanks to Dave Harrison and others for a couple links below:


My thoughts on Stellar

Yesterday Wired magazine asked me a few questions for an article they ran this afternoon about Stellar, a new startup (non-profit) in San Francisco: New Digital Currency Aims to Unite Every Money System on Earth

I suspect for brevity they had to boil down everyone’s comments to a few nuggets, which is an unenviable job to have; after all, most readers don’t have time to read hundreds of pages each day.

For those that are interested, here are the comments I provided them:

My interactions with people on the Stellar team have been positive; they are competent, knowledgeable and passionate.

I think the major limitation long term, and this is what Bitcoin startups continually run into, will be establishing relationships in the banking and financial industries as well as complying with whatever digital currency licensing requirements each jurisdiction has.  Those are not going away.  Stripe, its lead investor, has been very successful as a payments processor, but financial relationships take months and years to build — it is not something that can be replicated with a viral link that is upvoted or emailed.

I think the fact that they decided to go with a consensus ledger instead of proof-of-work was a wise but double-edged decision.  On the one hand it avoids the Red Queen treadmill and environmental issues that Bitcoin and its progeny have. And is a vote of confidence in the code base that Jed and his cofounders at Ripple put together.  But on the other hand identity fraud and preventing Sybil attacks are a hard nut to crack for distributing coins; incidentally proof-of-work was one way to resolve that (though not the only way to do so).

For instance, while it is still early on, one challenge they are currently facing is fighting identity abuse.  KYC is essentially done through Facebook, which is a clever way to also distribute tokens but is vulnerable to fake accounts from Mechanical Turk; Everett Forth racked up 2 million stellar in one day alone. It’s worth pointing out that this is a problem that Ripple Labs tried to solve with Computing For Good, but botnets abused this faucet and Ripple Labs shut it down at the end of April.

Consumer facing products in retail will be hard to do in the developed world, in the OECD, because of the competitive forces from Visa and Mastercard.  It’s very capital intensive and hard to compete against their POS integration and margins (Richard Brown has a good article about this hurdle).

Yet, the more competition, the merrier.  Consumers globally will have more choices — the market will end up deciding the best solution and we will all be better off.


Published new book: The Anatomy of a Money-like Informational Commodity: A Study of Bitcoin

After several weeks of editing, I have finished compiling all of my previous research from this past spring into a new book.  It also includes a considerable amount of new content as well.

It is all available for free in PDF and Scribd formats (there is also a Kindle version).

The Anatomy of a Money-like Informational Commodity


A non-head-in-the-sand explanation for why mining centralization occurs in Bitcoin

I have a new article up (and corresponding podcast) over at Let’s Talk Bitcoin talking about the economic incentives for centralized mining.  I touch on the Poisson process, variance, orphan blocks and the actual capital costs miners incur. I also mention what some very clever engineers have proposed as make-shift and in some cases, complete fixes and replacements to this current system.

Article:  Reasons for why centralization has occurred and potential solutions



How to avoid lawsuits in the era of appcoins and cryptoequity?

What originally began as a small post for this site ballooned into something much more informative and well-rounded.  I spoke with 5 lawyers for a new piece at CoinTelegraph: Mitigating the Legal Risks of Issuing Securities on a Cryptoledger


Cryptocurrency in the news #18

There is an excellent post from Richard Gendal Brown last week, “Why the payment card system works the way it does – and why Bitcoin isn’t going to replace it any time soon.”

Below are some other interesting links I have come across or were sent to me:


In what ways does Bitcoin resemble a command economy?

I have a new article up over at Let’s Talk Bitcoin which attempts to answer that question.

The feedback I have received so far (including the comments at LTB) makes it pretty clear that many adopters simply do not understand how, in general, economics or finance works or how developing countries struggle with credit expansion.  And that is fine, but can be disastrous when making what amounts to investment decisions.  Again, a vocal minority (majority?) of these adopters think they will be lounging on yachts and private islands because the price of bitcoin reaches $1 million.

And that likely will never play out for a variety of reasons that I have described in numerous articles.

Below is a list of pieces and papers that I have published covering these issues over the past three months in chronological order:


Ray Dillinger discusses block reward halving

Ray Dillinger has been around in the Bitcoin space for years; in fact, he was on the same cryptography mailing list on which Satoshi announced Bitcoin back in 2008.

Over the years he has made a number of comments over at Bitcoin Talk.  Below are several related to the challenges facing these cryptoledgers, especially related to the block rewards (seigniorage subsidies).  Recently he noted:

For what it’s worth, I’ve been looking at the question of mining (and premines, etc) a bit differently.

In my estimation, the block subsidies and transaction fees are what the investors (or holders) pay the miners to keep the blockchain secure.  If these payments get too low relative to the value secured, then the blockchain becomes insecure and you get 51% attacks etc.

In that light the “standard” model we’ve been pursuing of block subsidies halving as the value secured grows larger seems dangerous.  As the value we’re trying to secure grows larger, we intend to pay less for security.  We shall, in that event, GET less security. I’ve been watching alt chains with faster halving periods dying like flies, and I can tell you for sure that this is something that’s real.

That brings us to transaction fees.  We are paying to secure value, and we are not paying transaction fees relative to value.  We are paying transaction fees relative to space.  Space – which is to say hard drive sectors and network bandwidth – is not what secures our value; what secures our value is a monetary hardware investment in ASICs and powerplants.  Which we need in proportion to the value we’re trying to secure.  And which we will not get in proportion to the value we’re trying to secure by paying for space instead.

My conclusion is that if we want to keep the network at zero inflation and pay for security out of  transaction fees, we should be paying transaction fees relative to the value of each transaction.  And if we want to keep the network going without transaction fees that cost a percentage of the transaction, we should accept an inflationary model where each year the block rewards are, eg, 5% larger than they were the previous year.  So, in the long run that approaches 5% inflation.

Both of these options are not popular with the current crop of BTC holders.

Another germane, sobering comment:

Colored Coins etc. make it much harder to know how much value we need the blockchain to protect.  The fact that these values are essentially “hidden” from the protocol means we can’t tell what we need to do to maintain any kind of parity with them.

One popular (and possibly correct) view of things is that in the long run the cheapest available price of electricity times the amount of electricity spent per block, will approach the value of the block reward in a PoW system.

Right now we have a Bitcoin block reward worth approx. $12000.  If this view is correct, we should expect, worldwide, to see about $12000 worth of electricity (increasingly concentrated where electricity is cheapest) expended per block by hashing rigs.

Right now transaction fees are providing a very small percentage (one third of one percent?  I think?) of the block rewards.

At  some point in the future, moving to transaction fees as a primary source of mining revenue, implies that each kilowatt-hour of electricity invested in securing the blockchain will have to secure three hundred times as much value (relative to its own value) from attack as it does now.

I’m convinced that’s not really enough.  If we stick with Proof-of-work, we’re going to have to start charging transaction fees based on how much value is changing hands, because we want to buy security proportional to the value we’re trying to secure, not proportional to the amount of space it takes to store the transaction.  And that means the amount of value changing hands has to be visible, and that therefore Colored Coins etc will have to be more ‘transparent’ in terms of the protocol knowing how much they’re worth (and therefore how much security we need to buy to keep them secure).

The potential death of certain proof-of-work altcoins:

The hash power devoted to securing altcoin chains is orders of magnitude smaller than the hash power devoted to bitcoin, and the cost of an attack in general is therefore orders of magnitude smaller.  Doge got a special mention because it was used as an example recently of the economic effects of reward halving on hash power distribution – the author of that paper made the point that every time doge cuts their block subsidy in half the hashing power devoted to securing their blockchain will also be cut in half.  Doge was mined too quick; its block reward is cut in half many times more often than Bitcoin’s.  But it isn’t the quickest-mined coin out there by any means; just one that’s a bit remarkable for the size of its current market cap.  All of the quick-mined coins have this problem, and many of them are already gone.  But that’s only the technical side of blockchain safety, and unfortunately that isn’t even the main type of risk.

Altcoins, in general, are a cesspool right now.  In fact it would not be too much to say that the *AVERAGE* altcoin is a scam.  Exchanges are openly taking bribes to list altcoins regardless of merit. Some of them are even developing their own altcoins in house for the sole purpose of trading fraud.  Other people are more or less openly accepting payments to hype coins on Reddit, Twitter, etc, then engaging in blatant price manipulation in order to drive prices up on a particular day so scammers can sell their premines at maximum profit. Several coins a week that are doing “crowdfunding” or “IPO” to sell their initial distribution of coins are simply scammers who then disappear with the money.

If you even consider investing in altcoins, you should first have a definite reason to believe that the one you’re investing in isn’t a scam.  You should second have legal recourse (meaning, you know AND CAN PROVE exactly who the scammers are and where they live) if it does turn out to be a scam.  If you have trouble following that second rule, it’s not because it’s an unreasonable rule; it’s because scams ARE THE NORM in the altcoin world and scammers will not give you enough information for legal recourse.  While some non-scam coins exist, they are rare exceptions.  Nobody in that business is entitled to the benefit of a doubt.

That’s a completely separate issue from chain security w/r/t large (or small) transactions – but once again, if you don’t fully understand why a blockchain is (or isn’t) secure and what resources are required to attack it – then you don’t know enough to even evaluate the security of an altcoin that’s operating with different rules, and if you can’t evaluate the security of its blockchain, then you shouldn’t be investing in it even if it’s a non scam.

On the possibility of failure for a variety of “coins” (including appcoins):

A coin which can survive has at least the following properties.

1.  The dev is not anonymous.  If a coin has an anonymous dev, it’s about three times more likely to be a scam than not. Further, if the dev is not anonymous, there are things you can legally do if it does turn out to be a scam and if the dev is anonymous there aren’t.

2.  It doesn’t halve its remaining coin supply more often than it can double its value.  That’s kind of hard to predict, but at this point I think the double-value time for cryptocurrency is up to about a year, maybe two.  It’ll get longer until it catches up to double-value period for the rest of the economy, which is 7 to 15 years depending on the industry.    This is important because whenever the block reward goes down, the hash rate goes down in the same proportion; and when the hash rate gets too low, the blockchain becomes vulnerable to an attack which can destroy its value completely.  Expect any coin that mines out its coin supply too fast, to collapse.  I think even Bitcoin is going to be too fast in the long run; there’ll come a point when its double-value time is slower than its block-reward halving time and alts will start sucking up the hashing power making bitcoin vulnerable to attacks.

3.  It isn’t an IPO where you’re supposed to “buy” coins for some other form of money.   A few of those are honest, but most turn out to be scams.

4.  The dev actually knows how to fix problems in the software.  This is hard to judge straight out of the gate.

5.  There’s a point.  To put it gently, in order for it to be reasonable for someone who’s not scamming to release an altcoin, there has to be something wrong with Bitcoin and they have to believe that they can do better.  In order to believe any altcoin has a long-term future, there has to be something wrong with Bitcoin and that altcoin has to be able to survive where Bitcoin cannot.  Anytime there’s an alt, ask what it does that bitcoin cannot do.  Then ask, does that enable it to survive where bitcoin cannot?

6.  Don’t be taken in by talk of philanthropy.  Money, when functioning as money, has no morals whatsoever, good or bad.  It flows in the reverse direction of the profitable allocation of resources.  Any money that attempts to do anything else will cause market distortions that cripple the economy it’s working in and ultimately cause it to function less well than its competition.

7.  If there’s a premine, be sure that the devs are absolutely honest about the premine.  If they claim that it’ll be used for the good of the community, then the community is entitled to know how every last dime of it gets spent.

8.  If there is any difference at all between the block reward structure they advertise and the one they implement, stay away.

On Nicolas Courtois’ paper (self-termination chains):

It’s true that we don’t know how to implement some of the author’s proposed solutions, but he has a pretty good grasp of some very serious problems.

In particular, he has a good point about what happens when block rewards are multiplied by half.

There’s an investment (in ASIC mining equipment) constantly seeking its most profitable allocation.  That allocation is an equilibrium in which each option pays identically.

At the point where there’s a block reward halving, one of the allocation options has its return cut in half, and the equilibrium has to find a new balance point.

If you’re UNO, and you cut your block reward in half, the total rate of return is hardly affected at all because you represent such a tiny fraction of the total available income.  The allocation of that investment to mining your blockchain, though, gets cut approximately in half, because that’s the point at which the return for mining it remains competitive.

If you’re BTC, and you cut your block reward in half, the total rate of return is cut by almost half.  Suddenly, every *other* allocation opportunity is suddenly worth twice as much of the miner’s remaining hash power investment as it was before, because that’s the rate at which the return for mining it stays competitive with BTC.

Of course, the latter doesn’t account for mining rigs that are no longer profitable to run at all….
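The equilibrium argument in the comments above, worked through numerically as an added example (it is not part of the original post or of Dillinger's comments). The chain names, reward values and rig costs are constructed, and the model assumes a fixed rig fleet that earns the same return per unit of hash on every chain; it goes one step past the quoted text by also switching off rigs whose running cost exceeds that return.

```python
"""Toy model of hash-power allocation across PoW chains (constructed numbers)."""


def active_hash(rigs, total_reward):
    """Return the amount of hash power that stays switched on.

    rigs: list of (hash_power, running_cost_per_unit_hash) tuples.
    Rigs come online cheapest-first. A class of rigs runs only as far as the
    network-wide return per unit of hash still covers its running cost, so
    the marginal class may be only partly switched on.
    """
    running = 0.0
    for power, cost in sorted(rigs, key=lambda r: r[1]):
        if power <= 0:
            continue
        if total_reward / (running + power) < cost:
            # Only part of this class breaks even: reward / hash == cost.
            running += max(0.0, total_reward / cost - running)
            break
        running += power
    return running


def equilibrium(rewards, rigs):
    """Allocate active hash power so every chain pays the same per unit hash.

    rewards: dict chain -> value of block rewards per period.
    Returns (return_per_unit_hash, {chain: hash_power}).
    """
    total_reward = sum(rewards.values())
    hash_on = active_hash(rigs, total_reward)
    if hash_on == 0 or total_reward == 0:
        return 0.0, {c: 0.0 for c in rewards}
    rate = total_reward / hash_on
    # Equal return everywhere: reward_i / hash_i == rate for every chain i.
    return rate, {c: r / rate for c, r in rewards.items()}


def halve(rewards, chain):
    """Copy of rewards with one chain's block reward cut in half."""
    out = dict(rewards)
    out[chain] = out[chain] / 2
    return out


def compare(rewards, rigs, chain):
    """After/before ratios for a halving on `chain`.

    Returns (return_rate_ratio, {chain: hash_power_ratio}).
    """
    rate0, alloc0 = equilibrium(rewards, rigs)
    rate1, alloc1 = equilibrium(halve(rewards, chain), rigs)
    return rate1 / rate0, {c: alloc1[c] / alloc0[c] for c in rewards}


# Constructed sample: one dominant chain and one tiny chain.
REWARDS = {"BIG": 990.0, "SMALL": 10.0}
# Rigs with zero running cost never switch off (the simple case in the text).
FREE_RIGS = [(1000.0, 0.0)]
# Mixed fleet: 600 units of efficient rigs, 400 units of costly ones.
MIXED_RIGS = [(600.0, 0.2), (400.0, 0.8)]

if __name__ == "__main__":
    for label, rigs in (("free rigs", FREE_RIGS), ("mixed fleet", MIXED_RIGS)):
        for chain in REWARDS:
            rate_ratio, hash_ratio = compare(REWARDS, rigs, chain)
            print(label, "| halve", chain, "| return x%.3f" % rate_ratio,
                  "| hash", {c: round(v, 3) for c, v in hash_ratio.items()})
```

With the costly rigs included, a halving on the dominant chain removes hash power from that chain itself, which is the case the last quoted sentence sets aside.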


Gandal & Halaburda paper: Competition in the Crypto-Currency Market

Over the past several months, there have been a near infinite number of conversations about the continual existence of altcoins — especially as it relates to prices (i.e., rising tide lifts all boats).  Some new preliminary research from Neil Gandal and Hanna Halaburda suggests that cryptocurrencies are not a winner-take-all scenario.  It should be noted that their time scale and usage of a select few exchanges may not be adequate for generalizations yet, but it is some food for thought.

(Paper) (Slides)


We analyze how network effects affect competition in the nascent crypto-currency market. We do so by examining the changes over time in exchange rate data among crypto-currencies. Specifically, we look at two aspects: (1) competition among different currencies, and (2) competition among exchanges where those currencies are traded. We found that early in the market as Bitcoin becomes more valuable (against the USD), other crypto-currencies become less valuable against Bitcoin. This trend is reversed in the later period. Some of the other crypto-currencies lost most or all of their value. On the other hand, the values of some of the successful currencies increased in price against the USD, and at the faster rate than Bitcoin. The data in the latter period are consistent with the use of crypto-currencies as financial assets (popularized by Bitcoin), and not consistent with “winner-take-all” dynamics. For exchanges, we found little if any evidence of arbitrage opportunities. With no arbitrage opportunities, it is possible for multiple exchanges to coexist in equilibrium despite two-sided network effects.
