Securing Bitcoin #1: Voluntary transaction fees will never fund network security

Mike
Feb 22, 2015

This is the first in a series examining how Bitcoin’s security might be funded in the long term. Please note that, for the purposes of this analysis, a system whereby blocksize limits create competition for blockspace is not considered voluntary.

Once a predetermined number of coins have entered circulation, the incentive can transition entirely to transaction fees and be completely inflation free.

~ the whitepaper

Introduction

The promise of an inflation-free currency, limited forever to a hard cap of exactly 21 million units, is one of Bitcoin’s greatest attractions. Currently, however, Bitcoin is in its inflationary era, and this inflation plays a critical role. Every time a miner solves the hash problem for a block, they are awarded 25 brand new bitcoins. At one block per ten minutes, and ~USD245 as of 22/03/2015, that equates to a yearly payout to miners of roughly USD300 million, an effective inflation rate of 10% of the value of all extant bitcoin. This creates a strong incentive for miners to compete to solve blocks, increasing the difficulty of the hashing problem and therefore the associated costs for a hostile entity to attack the network.

But the inflation-derived block reward is hardcoded to decrease with time, until it eventually disappears altogether. What will replace this system? How will the network continue to pay for its security? One particularly popular idea holds that, as Bitcoin usage accelerates, voluntary transaction fees will rise too, developing into an effective replacement. Satoshi themself seems to have suggested exactly this in the original whitepaper. But this belief is wrong. Purely voluntary transaction fees will never form a sustainable foundation for network security.

The equilibrium transaction fee is minute

When miners work to solve blocks, they draw from the pool of unconfirmed transactions, construct a valid block, and then proceed to search for the block’s correct hash, racing the rest of the network to obtain the reward for the first solution. Given that the block reward remains constant regardless of which and how many transactions the miner includes, what determines a miner’s decision to include any given transaction?

All transactions must be received, stored on disk, cryptographically verified, and then transmitted with the successful block. Therefore it always costs a miner something to include a transaction. This expense may be extremely low, especially in comparison to hashing, but it is still a cost. The rational, profit-maximising miner should therefore be willing to include at a minimum any transaction whose fee equals or exceeds the cost of its inclusion. All other transactions would be a net cost to the miner.

On the other side of the equation, is there any reason then for a user to voluntarily pay a higher transaction fee than that required to ensure a reasonable proportion of miners will be willing to include it in their blocks? No. From a Bitcoin user’s perspective, as long as there is no competition for space in a block, there is no reason to pay a higher fee. Miners cannot prevent their peers from including transactions, and so they can exert no upwards pressure on transaction fees. Miners know that if they do not include a profit-making transaction, their peers will, and thus they would be simply throwing away money.

The dominant strategy for a miner is therefore to include all transactions with adequate fees, and the dominant strategy for a user is to pay a miner just enough to ensure inclusion. A user who voluntarily pays anything more receives no direct benefit, because the benefit of security is a common good, distributed evenly to the entire network.

Voluntary fees cannot pay for network security

Consider a scenario in which the Bitcoin community has agreed to pay a minimum fee of 0.005 bitcoin per transaction, to maintain a block reward equal to 5% of network value per year. The incentive for any given user to defect from such an arrangement, in the absence of a system of compulsion, would be extreme. Every user would know that they could underpay their fee, and the individual impact of their defection upon the network would be insignificant.

Obviously such a scenario would be unstable. Right away a large slice of users would cheerfully defect. Those remaining would thus have to pay more to maintain the same level of network security, making them feel taken advantage of, increasing the pressure on them to defect too. Within a short time this positive feedback loop would reduce the stable equilibrium price for transactions down to where we started: the bare minimum to ensure block inclusion.
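The feedback loop described above can be traced round by round; the following is an added illustration, not code from the original article. Only the 0.005 bitcoin agreed fee comes from the text: the population size, the spread of what each user will tolerate paying, the equal split of the budget among cooperators, and the miner's inclusion cost are all assumptions chosen for the example.

```python
# Added illustration: unravelling of a voluntary fee agreement.
# Amounts are in satoshis. Everything except AGREED_FEE is an assumption.

AGREED_FEE = 500_000      # 0.005 BTC, the fee in the article's scenario
INCLUSION_COST = 1_000    # assumed marginal cost to a miner of one transaction


def tolerances(n_users, low=0.5, high=2.5):
    """Assumed spread: the most each user will pay voluntarily,
    from `low` to `high` times the agreed fee, evenly spaced."""
    step = (high - low) / (n_users - 1)
    return [int(AGREED_FEE * (low + step * i)) for i in range(n_users)]


def unravel(n_users=1000):
    """Return ([(cooperators, fee each must pay), ...], final cooperators)."""
    budget = n_users * AGREED_FEE          # what the agreement must raise
    remaining = tolerances(n_users)
    history = []
    while remaining:
        # Cooperators split the fixed budget evenly (ceiling division).
        required = -(-budget // len(remaining))
        history.append((len(remaining), required))
        stayers = [t for t in remaining if t >= required]
        if len(stayers) == len(remaining):
            break                          # nobody else defects: stable
        remaining = stayers                # the rest defect, the fee rises
    return history, len(remaining)


def equilibrium_fee(final_cooperators, last_required):
    """Once no cooperators remain, users pay only the cost of inclusion."""
    return last_required if final_cooperators else INCLUSION_COST


if __name__ == "__main__":
    rounds, left = unravel()
    for coop, fee in rounds:
        print(f"{coop:5d} cooperators, each must pay {fee} sat")
    print("equilibrium fee:", equilibrium_fee(left, rounds[-1][1]), "sat")
```

Under these assumptions a quarter of users defect at once, the fee each remaining cooperator must pay rises every round, and the agreement is gone after four rounds.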

The users of the resulting network pay no premium for any extra computing power beyond that required to verify and include their transactions. Even an incredibly popular network processing myriad transactions would be no solution, for the same calculus holds true no matter whether the network processes 10 transactions per second or 10 thousand: each given transaction pays for its direct costs and no more. Larger blocks would reap more in fees, but cost equally more in processing, and there would still be no premium for network security.

No miner in such a network would be able to recoup the cost of computation for hashing, inherently a cost additional to that of including transactions. Without any security premium paid by transactions, over time the network would trend towards zero hashing power. Unable to profit from hashing, miners would strip back their hardware installations to solely what was required to receive, validate, encapsulate and propagate transactions and blocks.

Even before hashing power had completely evaporated, the rewards available to attackers to subvert the network would have long eclipsed the costs of mounting an attack, and the network, incapable of securing the value of its users’ assets, would collapse. The value of bitcoin as a token would be completely destroyed.

What about assurance contracts?

Assurance contracts are arrangements where multiple parties agree to contribute a certain amount to a target payout if it is shown that the payout will be reached. Kickstarter is an example of assurance contracts in action: each user nominates their payment level and, if the pledges reach the target, payment occurs; otherwise no payments are made.

Core developer Mike Hearn has argued that assurance contracts could be used to fund network security in the future. Large entities (e.g. crypto-banks, payment processors, technology firms) who collectively benefit from and depend upon the Bitcoin network for their business would contract with each other to pay for network security. Increasing the allure and seeming relevance of the proposal, these contracts could even be facilitated trustlessly through cryptographic signatures.

Behind the tech appeal of Hearn’s proposal, assurance contracts are a non-starter. Instead of every user paying in proportion to their usage of the network, a system reliant on assurance contracts requires large entities to negotiate between themselves to work out exactly how much is “fair” for each firm to pay, a hopelessly complicated task. Such a system cannot scale, as the further we try to reach down the economic ladder to smaller and smaller firms, the greater the cost of formulating and maintaining the agreements relative to the funding obtained. Past a certain point the contracts will not be obtained. The end result must be a system which requires the largest entities to voluntarily massively overpay their share to outbalance its own inefficiencies.

More pressingly, pinning our hope on assurance contracts ignores the fundamental reality that all firms can only exist in the long run through the continued choice of their customers to purchase their products. The funding contractors will inevitably face competitors who choose not to join or conspire to underpay the contracts, and who are able to offer cheaper prices to their customers as a result. Altruistic firms will therefore face potential outcompetition, not to mention intense pressure from shareholders who feel the company is being mismanaged and their money wasted. A firm may be convinced to donate money to the network, but can all of its customers be convinced to pay the resulting higher prices?

Ultimately, assurance contracts are a way of dumping the problem of network funding onto entities whose financial capacities are so relatively enormous that they seem infinite and omnipotent to the average person, who is oblivious to the myriad and urgent obligations and pressures these firms face and believes that the normal laws of sound investment and limited resources somehow do not apply to economic giants. In a way it is a perpetuation of a basic form of class prejudice, the misunderstanding of the great by the small. A Bitcoin network dependent upon assurance contracts would be riven by acrimonious class politics, and as a result would be critically unstable. Reliance on assurance contracts is at heart a thin disguise for voluntarism pushed to its last resort.

Conclusion

Developing a stable, reliable system for ensuring a sufficient level of hashing power to protect the value of the Bitcoin network is one of the key requirements for the long-term success of Bitcoin. A system of purely voluntary transaction fees would fail comprehensively in this regard. Subsequent posts will examine the different options available to the Bitcoin community for meeting this need.

Part 2: Altruism.
