176 comments

[ 2.9 ms ] story [ 233 ms ] thread
This is great research and if anything understates the case for alarm; Bitcoin is one of the more-decentralized projects, and PoW generally has some incentives for diverse hosting (if not network layer). PoS systems often end up on AWS specifically, and sometimes depend on some of the more niche AWS services -- an outage (engineered or accidental) in those could cause easy degradation and facilitate takeover.
Actually, no. It isn't that great. A lot of people are correcting specific points here in the comments.

> More than one in five Bitcoin nodes are running an old version of the Bitcoin core client that is known to be vulnerable.

This is brought out as an issue, but it really doesn't matter. Being a large decentralized systems means that having nodes which are at all sorts of different versions, can still work. This is like saying that everyone has to be at the same web browser version for websites to work.

The thing that matters is that the nodes that are used for forming blocks (ie: the nodes the pools are running), are updated.

I would love to see a follow-up that addresses emergent centralization due to winner-take-all or winner-take-most dynamics. This is how we end up with monopolies/duopolies elsewhere in the tech sector, and I suspect the same would hold for blockchain.
>>Key Findings

>>The number of entities sufficient to disrupt a blockchain is relatively low: four for Bitcoin, two for Ethereum, and less than a dozen for most proof-of-stake networks.

then why we haven't seen a Bitcoin hack before ? Maybe it is the most secured system.

From the report,

> Even though these Nakamoto coefficients are relatively low, some might argue that exploiting them to attack a blockchain would be prohibitively expensive. While this may be true for individuals, the actors incentivized to perpetrate these attacks include operators of competing currencies and nation-states who have the requisite resources. Perverse incentives can exist with blockchains in the same way that the relative values of fiat currencies can be manipulated.

Competing currencies are unlikely to profit from Bitcoin’s downfall in this scenario, given how much the entire space relies on its reputation.

Nation-states, on the other hand, are the more credible threat. Just because none of them has yet found it a big enough threat to expend the required resources, doesn’t mean it can’t happen.

I feel like the more Bitcoin is used for its original intended purpose rather than merely speculation, the more likely it is to be attacked by such actors.

I think it's more complex than the report poses it.

It's not as if those mentioned entities always have complete control over their mining hardware as those entities include pool miners.

I think there's more that prevents an attack than just being "prohibitively expensive".

They are talking here about mining pools I suppose since the biggest 4 mining pools account for more than 50% of validated blocks.

Also the word is "disrupt" so it means some time of chaos, the mining pools never tried to disrupt Bitcoin because they have no incentive to do so.

it is nothing about incentive. Let's say a mining pool wants to disrupt the bitcoin network, do you think that pool will keep its hashrate ? I don't think so.
Disrupt is creating chaos short term, I don't imagine it to last more than 1 hour, but that's enough to call it disrupt.
That assumes they are economically motivated. As we've seen in recent attacks on other coins, if its a possibility for someone to burn the system down out of spite/malice then the economic incentive doesn't matter.
1. If half of Bitcoin users (hashrate-wise) wanted to disrupt the network out of malice ignoring their economic wellbeing, say a movement similar to GME/WSB, then they can disrupt it.

2. We can go into lower levels and find a number of ISPs specially level 1 ones being able to disrupt the Bitcoin network. Some other single points of failure I can imagine are common routers firmware.

Can Bitcoin never be disrupted? no, does it have mechanisms in place that make it unlikely to be disrupted? yes.

It really isn't, but that debate will quickly end up in a discussion about the definition of 'secure'.

My take; people and organizations / exchanges have lost billions. Maybe not on the blockchain itself, but a system is only as strong as its weakest link, and the whole Bitcoin / cryptocurrency system has a lot of weak links and little backups.

I mean if my bank goes bankrupt the money I have in their savings accounts is reimbursed. If my bank card gets stolen to the point where they can withdraw money from it - or if I'm made to withdraw money at gunpoint - I'll get the money back.

This is interesting research and I encourage everyone to go read the article. But, on the assumption that a lot of people will just read the headline and comments I'm going to preemptively talk about the question there ...

People misunderstand decentralisation in practice. Computer types, when they talk about decentralisation, usually mean a relatively large number of homogeneous nodes acting as peers. Which is cool but not how decentralised systems work in practice out in the meaty reality we all live in.

In reality, we have an economy that quickly works out who is the best (say, Samuel is the best) at something (say, mining bitcoin) and routes most of the resources available for hashing to Samuel. The situation is still decentralised, because if Samuel stops being the best at calculating hashes then resources will be reallocated to someone else. But in the short term all the resources will go to Samuel and he could do a lot of damage to the network.

People keep thinking that because the economy picks out a few winners that means that the system is now locked in stone - that isn't the case. The economy is perfectly happy to change things up radically when the situation changes. At least until a government steps in and regulates the ability to change flexibly out of the system.

Except that Samuel wants to keep his place. So he will do whatever he can to leverage his current centrality to continue. His hope is to be in control when the hammer falls and flexibility stops. One way of doing that is to force the issue. Those in central positions within a dynamic market eventually seek to kill that market, leaving them in the monopoly position (amazon, google, facebook etc). To maintain decentralization in the long term such leaders need to be periodically culled, hopefully though market forces prior to them killing the market. In bitcoin, that might mean periodic removal of the largest commercial actors, perhaps by periodic price crashes that favor niche setups.
> (amazon, google, facebook etc)

I'm not sure where I sit on your major point, but these 3 just are not monopolists and this is a mistake that keeps getting made. All 3 of these are in cut throat markets where they compete by selling really great products (AWS, Google Search and Facebook respectively).

A lot of individuals don't like them (I refuse to use Google, for example) but that doesn't change the fact that they get market share by being great at what they do.

Aren't Goog/ Ama/ Fbook known for swallowing up smaller companies who might be potential threats/ competitors, and "kill them off" via this method? Seems like it's common practice for such entities.
Wow... and you really believe that? It's just like with Microsoft. Once they've got enough money and market share they destroyed their competition through various monopolistic tactics: i.e acquisitions, dumping, lockin etc
Making great products isn’t incompatible with being a monopolist, is it? For example, Google isn’t the default search provider for Firefox just because it’s a great product. They pay Mozilla more than any new competitor could afford.

By the way: I’m not an economist, so I read this article to see if my claim makes sense: https://stats.oecd.org/glossary/detail.asp?ID=3262

I know less about AWS and Good ads, but Facebook has bought each and every social network it could afford to prevent any chance of havjng competition - most notably Instagram and WhatsApp. That is the very definition of monopolistic practices.
Google is very much a monopolist in search. They have more than a 80% usage share of the space (most places I look at say 90% today), and have had that much share for more than a decade. (On a separate note they are in a duopoly with Apple in the Phone OS market and a borderline monopoly in the web browser market, giving them a lot of power to throw around in general.)

Facebook I go back and forth on. They are undoubtably the biggest player in the social media space, but if you count all social media (reddit, twitter, Pinterest) they are large but definitely not monopoly level. On the other hand, when it comes to real name interaction and local community organization they are completely dominant over the other players. Ultimately I consider the acquisition of instagram to have been over the line enough to consider them deserving of the treatment of a monopoly, but it’s not as obvious a case a google. Their space also isn’t as cut-throat as you would expect due to network effects, and there are other countries where they are in fact locally a completely dominant monopoly.

Amazon is definitely not a monopoly by any reasonable definition. All of the fields they are in have multiple other major players as well that they are in fierce competition with.

> Amazon is definitely not a monopoly by any reasonable definition. All of the fields they are in have multiple other major players as well that they are in fierce competition with

I can't agree with that.

1) Amazon self-preferences their own products

2) Amazon makes knock-offs of third-party products that succeed

3) For third-party sellers, Amazon is just about the only marketplace that matters. The rest combined don't come close to matching it.

John Oliver covered all of this recently.

https://www.rollingstone.com/tv/tv-news/john-oliver-tech-mon...

https://fossbytes.com/watch-john-oliver-tear-apart-big-tech-...

1 and 2 are anti-competitive (and anti-competitive practices on that level are 100% a reason to bring an anti-trust case again them), but that doesn’t make them a monopoly. From a buyers perspective, there are plenty of other places to go buy everything they sell.

3 is an interesting point though. I’m having trouble finding good numbers on exactly how dominant they are as a platform for third party sales but they have at least 3-4 times the GMV of their next largest competitor, Ebay. Best I can find is that, in the US, there was about 900 Billion in online marketplace in 2021, of which Amazon represented about 400 Billion. Being 44% of the market is probably bordering on monopoly level.

(And to the first points, about half of their sales were their own products on their own marketplace, so I’d definitely be in support of an anti-trust investigation at the least here)

It may just be that we need to update our definition of what a Monopoly is.
Personally I’d rather monopoly keep its meaning (a commodity or market sector controlled by a single party) and people use other words to describe the other ways a large company can be anti-competitive. But languages do often evolve to take a word specifying thing A that is a subclass of B and start using it to just refer to the entire Subclass B, so wouldn’t be unusual for that to happen.
Google is, and acts exactly like a monopoly in search. They intentionally degrade the effectiveness of their search to support their otyer business. Even when they are trying, they have been getting progressively worse at finding the real content, and many times put the same 5 garbage spam sites into the top 5 positions for a huge variety of searches. They even use their monopoly position to bully the entire world into degenerating all online content into a homogeneous soup of gpt-3 generated gibberish and to push products like amp.

They are a duopoly in mobile OS, and a monopoly on browsers -- which they use to bully the world into altering the internet to their benefit and reduce the effectiveness of ad and tracking blockers.

Facebook have such domination over the social graph, that they intentionally sever vertices, and then charge for the privilege of having them reconnected. The precise opposite of what they claim their service is for.

AWS has competitors for now, but google and microsoft are only able to half-compete by leveraging their other monopolies.

(comment deleted)
However, in praxis, not every participant in an economic system is a perfect player in the sense of game theory. Take for instance the history of the London Underground and its rivaling companies and directors. There are several instances, where a player maintained a position detrimental both to their own economy (as in profits and strategic position) and to the entire system (as in gains that may be secured in the future), as other motives take over. (E.g., hurting another player gains top priority, even if the damages inflicted to the respective own position exceeds the damages inflicted to the competing player. Even to the extent of losing that position altogether, as in being fired as the director.) Notably, this was a system with multiple controlling parties, as directors and boards, acts of parliament, financiers, etc, still, this couldn't stop this kind of behavior. (E.g., blocking closing the circle line is a prime example.)
Apparently, this (or the intent of this) requires an explanation. This is a comment on the factuality of statements like, "Except that Samuel wants to keep his place," and a reminder that game theory is an interesting thought experiment, but not an accurate description of human social behavior. There's nothing in the rules or the setup of a "game" that would determine moves as actually observed and about anything may happen. Including even worse outcomes than pictured here. At best, it describes an inherent tendency.
> Which is cool but not how decentralised systems work in practice ... In reality, we have an economy that quickly works out who is the best .. and routes most of the resources available for hashing there

I disagree, somewhat. It depends on the purpose of the decentralisation. If your aim is "best" which I think also means "cheapest" then yes, you have described what could happen.

But decentralisation can also have "resilience" as the goal, even at the expense of the best performance.

These goals might even be in conflict. What if Samuel, as noted "wants to keep his place". What if Samuel wants all the traffic to go him so that at some time, he can subvert it in some way. He may only need 51% of the traffic. He may be willing to take a loss for a while to get into this position. He may even have a government backer willing to spend a lot on outcomes and not be seeking a profit in itself.

And as noted, when Samuel is suddenly no the "best" after a long time in that position, chaos could ensue.

I hear "resilient" when "decentralised" is said. Many others will too. You're showing how this may be very misleading.

By this definition, the current financial system is also decentralised. After all, if one bank fails, a new bank could very easily take its place. Even our system of central banks consists of a relatively large number of more or less equal peers. If the US central bank fails, I'm sure "the economy" will be more than happy to change things up radically and reassign some of the global influence on the financial system that the fed currently has to competing nations' central banks.
It is, from a different perspective.

Pre-Fed, we routinely had depressions and bank failure cycles because the private markets weren’t resilient enough to withstand different types of shocks.

> People keep thinking that because the economy picks out a few winners that means that the system is now locked in stone - that isn't the case. The economy is perfectly happy to change things up radically when the situation changes. At least until a government steps in and regulates the ability to change flexibly out of the system.

This flexibility and survival of the fittest mentality is costing people billions; of course a government would step in, because clearly the economic techno-libertarians aren't able to come up with a secure and stable system.

At some point, cryptocurrencies and blockchain technologies sounded like We The People taking power back from the big bad government and banks. In practice, it turns out - to everyone's sarcastic surprise - that a handful of people got very rich off it and shat on those lofty goals.

I'm not buying it. Never did. Yeah I missed the boat on getting rich and I am salty about it, so it exceeded my initial cynicism, but it's still inherently broken. Unregulated finance attracts conmen. So does regulated finance but at least they can be tracked down.

> At least until a government steps in and regulates the ability to change flexibly out of the system.

Just as often, the government is the only one who can keep the flexibility and ensure free competition. E.g. https://en.wikipedia.org/wiki/Sherman_Antitrust_Act_of_1890

The US economic policy in the 10s and 20s is a candidate for the cause of the crippling depression in the 30s. I note from the wiki article that once the 30s roll around they all but stopped having notable anti-trust cases.

The US's industrial policy for the last 50 years has successfully pushed a lot of manufacturing out of the country to the point where the US is arguably being out-competed by communists. It isn't obvious that US government economic policy in living memory is succeeding in promoting a healthy market. The argument for why that is going to change and their intervention will help needs to be more clearly articulated.

> The US economic policy in the 10s and 20s is a candidate for the cause of the crippling depression in the 30s

Or too little regulation. Or too the wrong kind. Or something else. I'm not arguing for or against current US economic policy.

This is the theory: Without any regulation, one or a few actors can grow large and stifle any competition and innovation.

This theory seems to be proven by history.

Some might say: "that wasn't a *real* free market". Just like some might say: "that wasn't *real* communism". These both need some strong arguments to back them, or they come off as No true Scotsman (https://en.wikipedia.org/wiki/No_true_Scotsman)

The US is the 2nd largest manufacturing economy in the world, and is much higher than China (no. 1) on a per capita basis. Also, Let's not pretend for a second that China is actually communist when it comes to manufacturing
> US is arguably being out-competed by communists.

I mean if you mean communist by countries that give no shits about how they treat their population, where they dump pollution, and the absolute drive to monopolize commerce, then yea we can use your definition of communists.

Of course, feel free to go live in those conditions if that sounds like a great work environment to be in.

The royal family of Britain has occasionally changed over time. Is it decentralized?
By your definition of decentralization (a central entity could theoretically be replaced) everything from the Roman Empire to North Korea is decentralized - nothing is guaranteed to have its place forever. A definition that applies to every imaginable instance is pointless, but more importantly, it's far from how people commonly use the word.
Is there a central authority that decided it was time for the Roman Empire to go away but that North Korea is still good to keep going? No. From an external perspective, states are decentralised. They compete viciously too, there are a lot of deaths.

If you want them to be centralised, note that a thing can't be the thing centralising itself - because then no system could be decentralised.

I am always impressed with Trail of Bits work.
Some issues with this report:

> The challenge with using a blockchain is that one has to either (a) accept its immutability and trust that the programmers did not introduce a bug, or (b) permit upgradeable contracts or off-chain code that share the same trust issues as a centralized approach.

This paints the issue as binary, although there is more to it. Look at the WETH contract in which we both (a) accept its immutability and trust there are no bugs, but also (c) can migrate to a fork at a later point if desired through social consensus. There is another option (d) which is a less developed area: governance models that are not entirely centralized, see Uniswap and Aave.

> The number of entities sufficient to disrupt a blockchain is relatively low: four for Bitcoin, two for Ethereum, and less than a dozen for most proof-of-stake networks.

The Nakamoto coefficient relates to validator pools colluding to form a 51% attack. In Ethereum PoS this count is a bit higher, around 25-35[1]. Important to note the extreme costs of these attacks, and the defense mechanisms of PoS. If enough validators collude to 51% attack a PoS chain, users can follow a fork and have the attackers coins burned. Attacker would have to continually re-purchase coins to re-attack the new soft forks.[2]

> For a blockchain to be optimally distributed, there must be a so-called Sybil cost. There is currently no known way to implement Sybil costs in a permissionless blockchain like Bitcoin or Ethereum without employing a centralized trusted third party (TTP). Until a mechanism for enforcing Sybil costs without a TTP is discovered, it will be almost impossible for permissionless blockchains to achieve satisfactory decentralization.

This is based on the Kwon paper which defines "full decentralization" as a set of specific numerical constraints, and demonstrates that it is theoretically impossible for any permissionless system currently known to mankind to satisfy these constraints. Kwon makes no claims about whether this degree of decentralization is "satisfactory" or even necessary for a blockchain. A system that is distributed across thousands of nodes and highly resistant to 51% attacks and collusion is likely enough for it to be considered "decentralized" for practical purposes.

[1] https://shsr2001.github.io/beacondigest/notebooks/2021/07/19...

[2] https://vitalik.ca/general/2020/11/06/pos2020.html

I found it interesting reading the blog post, but delving into the report, some areas didn't seem as straightforward.

I expect to get some flak for saying this, and I don't mean to be cynical, but it's interesting how the table on p. 9 of the report lists Solana with a relatively high Nakamoto coefficient (19 to Bitcoin's 4), given the recent events with Solana [0].

From p. 1 of the report, emphasis my own:

> Trail of Bits also operates a center of excellence for blockchain security. Notable projects include audits of Algorand, Bitcoin SV, Chainlink, Compound, Cosmos, Ethereum 2.0, MakerDAO, Matic, Polkadot, Solana, Uniswap, Web3, and Zcash.

Some of those notable projects are fervently anti-bitcoin, so while some criticisms and concerns may appear to be valid at a first glance, I don't think it can be said to be without bias.

[0]: https://www.coindesk.com/tech/2022/06/19/solana-defi-platfor...

There are very good reasons to be fervently anti-BTC given its history since 2017.
That was Solend, not Solana. The concern was just that a liquidation of that scale would significantly move the market.
Trail of Bits has no pro- or anti- position when it comes to various cryptocurrency projects. Moreover, this research was entirely funded by DARPA, and was not assisted by any project. Finally, the results only address decentralization, and not the myriad other ways in which these schemes can be economically, politically, or cryptographically unsound.

FD: My employer.

> FD: My employer.

Oh, that's interesting.

Did you write this blog post too?

You've been pretty anti-crypto in previous comments here.

> Did you write this blog post too?

No. I also did not work on the research in the post.

My positions on cryptocurrencies don't necessarily reflect my employer's opinions. I don't work on cryptocurrencies, have no professional or hobbyist interest in them, and have neither direct nor derived financial positions in/against them.

How come the paper doesn't provide similar disclosures for the list of preparers?
What the article is missing is the incentive structure.

For example: "The number of entities sufficient to disrupt a blockchain is relatively low: four for Bitcoin".

This probably refers to the 4 largest mining pools.

Yes, they could temporarily annoy some people by not processing their transactions. But it would come at a giant cost to them. They would be out of business quickly as miners can switch to a different pool in minutes.

That is like saying the US economy is brittle because if Walmart, Apple, Amazon and ExxonMobil would just send everybody home and set their premises on fire, there would be a problem.

It would be easier even than that, observe what happened in 2017. Bitfinex said they would allocate the BTC ticker to the present BTC chain no matter what the hash power indicated was the actual canonical chain and that was the end of it.

Contrary to popular belief, miners aren't choosing anything when it comes to BTC. They're rubber stamping the decisions of the BTC core developers, who are blessed by the exchanges such as Bitfinex, and they are collecting fees on that rubber stamp.

That sounds like the right thing to do?

Why would the hash power decide what is called BTC? If Dogecoin some day attracts more hashing power than Bitcoin, then Bitfinex is supposed to assign the BTC ticker to Dogecoin?

We and a group of partners run a restaurant together. One day you decide to turn it into an apothecary for the dispensation of poisons, and keep the name and pretend that it's still a restaurant.

Any mechanism which rubber stamps the above process as legitimate and collects a fee for doing so is corrupt, letalone over the objections of an enormous fragment of both customers and partners in the restaurant in question. Lack of objection or approval from those whom the change is in the interests of, or who are simply too ignorant to understand what is going on, don't change that.

That is effectively what happened with BTC.

The way that it was supposed to work would be that the hashpower would choose the canonical tip of the chain if there were two conflicting ideas about what the chain should actually be. BCH stuck to that ideal and through two contentious and many more peaceable forks proceeded according to it. BTC did not.

Hash power in the context of potential forks in the BTC chain, not a different coin.
You're both already explaining the reasoning through your wording, "present BTC chain" and "potential forks". If you fork a project, even if yours becomes more popular, that doesn't mean you get to take over the original name.
> If you fork a project, even if yours becomes more popular, that doesn't mean you get to take over the original name.

That's exactly what happened with BTC. And yet almost everybody calls it Bitcoin.

BCH changed the blocksize and thus became incompatible with the original network. If you're claiming that the project that kept the blocksize the same and remained backwards compatible is the fork, then I'm done here and I wish you the best of luck.
It was the original plan to change the blocksize all along.

Satoshi said in 2009: "The existing Visa credit card network processes about 15 million Internet purchases per day worldwide. Bitcoin can already scale much larger than that with existing hardware for a fraction of the cost. It never really hits a scale ceiling. If you're interested, I can go over the ways it would cope with extreme size."

Some latecoming BTC core devs cancelled that plan, with zero justification, changed the consensus mechanism for the chain from hashpower to fiat declaration by fraudulent centralised exchange running a pump and dump scam with fake money, and sabotaged the entire project in the process into complete uselessness, and to this day we're stuck with people who believe a fundamental financial revolution is going to take place on a chain that was forced to 4tx/second and get very angry, confused or surprised when you point out that such a change is clear and obvious sabotage.

If you're claiming otherwise, then I'm done here and I wish you the best of luck.

I think you're missing some context about (what is now called) Bitcoin Cash.

Look up the debate between big blockers and small blockers if you're interested in learning more; a quick summary, many people wanted larger block size so bitcoin could process more transactions.

I believe several newer core developers staged a coup to prevent this from happening, despite several of the longer-term contributors being in favour of it. The original contributors (sans satoshi, who was mostly inactive at this point), had their access to the git repositories revoked.

This video goes into a bit more detail (https://www.youtube.com/watch?v=XfcvX0P1b5g) but basically the people opposing a larger blocksize had financial incentives.. a lot were in bed with a company called Blockstream which benefits from their development on sidechains (now the lightning network). Had the block-size been increased, Bitcoin would be much more useful as a means of exchange (more transactions would be processed, and they would be cheaper).

This is where Bitcoin Cash is now, but it doesn't get the BTC ticker symbol because Bitfinex and other CEXes have a lot of influence as well.

> Had the block-size been increased, Bitcoin would be much more useful as a means of exchange (more transactions would be processed, and they would be cheaper).

Of course the flipside of this is that it would become very expensive to run a node. Bitcoin's blockchain is ~400 GB after 13 years. BCH has a 32x larger blocksize cap, so we can extrapolate that if anyone actually used that fork, it would grow a 12 TB blockchain over that same period. As a result running a node would become expensive and the network would become much less decentralized (the very thing people are complaining about in this thread!)

This would be true if the number being 32x'd was actually high, but that is not true. It was 1 megabyte. 32 megabytes over ten minutes is not even 512kbps. Other chains that process much more throughput, as well as BCH itself, has been benchmarked on very modest hardware pushing that boundary and higher.

Simple fact of the matter is that the whole justification for the permanent 1mb limit was an outright indefensible lie, pushed on idiots, and supported by censorship. Nothing more, and nothing less.

You're completely right.

Hashpower between chains is only relevant if they are compatible (same consensus rules), as the accumulated proof of work is used as an indicator of which chain should be followed. Once a chain hard forks to alter the consensus rules like Dogecoin, Bitcoin Cash, etc, there is no amount of additional hashpower that would make up for the incompatibility -- a node will simply ignore the invalid blocks.

Yes they’re incentivized not to, but when push comes to shove, they can basically choose their own form of “truth” and ignore/disrupt/revert transactions and others would need to fork the chain. It’s not a given which would succeed.

This has happened before

No need to fork the chain. Miners can just switch pools.
Valid transactions are enforced by nodes, not miners (there are WAY more nodes than mining pools). All of a miner's incentives persuade them to mine on the longest chain, lest they lose out on potential profits. A group of nodes and miners can certainly fork if they please, but the network simply won't care. e.g. BCH/BTC
But those companies only exist because the US regulatory framework allows them to exist as long as they follow the rules. If the CEO of Walmart sent out an email saying that everyone was fired and that all stores should be demolished, he would be fired by the board of directors within hours. Also other executives would respond to the email telling everyone to ignore the previous email while they see if the CEO was hacked.

The entire point of crypto is to bypass the regulatory framework. In some cases that may make for a more robust system in some cases it may not.

Completely agree. It's impossible to inspect any aspect of Bitcoin's design without considering its incentive structures. They are the innovation in my mind. Every blockchain/crypto/Dao/<insert buzz word> forgoes one of Bitcoin's perfectly balanced incentive structures in favor of some "innovation" (speed, programability, founder/VC enrichment) which always inevitably leads to centralization and exploitable risk somewhere in the system.

Every time it happens it hardens my opinion that a L1 should be like the foundation of a building - it should have one job (be hard money), it should be simply and elegantly designed, it shouldn't have any cracks (a.k.a misaligned incentive structures), it should evolve very slowly if at all, and it should be designed to be built on top of. L1 exists to anchor L1+N to the real world and that's it.

> simply and elegantly designed

I don't think Bitcoin qualifies as such. Sure, projects like Ethereum are far more complex, but there are projects that significantly improve on Bitcoin in simplicity and elegance. Bitcoin script in particular is not that simple and full of warts.

I think by definition it does, which is to say, its popularity proves it. I just think there's a hindsight thing going on.

I liken Bitcoin to e.g. the Model T or the first grey brick cellphones. It changes everything forever because it works very well, but also is quickly improved upon and thus eventually won't be that popular.

No other system/project anchors a digital currency to the physical world as effectively as Bitcoin. But I do agree, eventually L2+ will be much more popular, in so far as much more people will interact with them. That's kind of the idea. L2s will still always rely on L1 for its anchor to the physical world (and thus physics).
I'm unfamiliar with L1 and L2 as presented here. Do these both refer to the Bitcoin blockchain?

If so, no. I strongly predict Bitcoin, both the blockchain and the currency will nearly, if not fully, "die," as the Model T and grey phone have. Ethereum is already much better at it's core, and it's not hard to think even Ethereum will be improved upon.

In the long run, literally all bitcoin has is history and name recognition. Like the Model T, you will see it revered like something in a museum, and also just about nobody will actually use it.

> Ethereum is already much better at it's core

What you and many others seem to overlook is first mover advantage, network effects and most important: trust. Bitcoin is not Yahoo or Facebook, it is not a company product which has to improve and break things all the time.

In the long run Bitcoin is a store of value. That requires trust, which takes time. To gain trust over time it has to move slow and steady because there can be no mistakes.

When it comes to money and trust it is almost impossible to get a second chance (see Terra UST). Just one mistake could result in everyone distrusting Bitcoin.

What I think others overlook is that in practice (and despite what the retconners are trying to say about bitcoin is gold or some nonsense) -- is that Bitcoin was NOT designed to be a blockchain platform. It was designed to be fungible currency. And it's an excellent proof-of-concept...but with severe flaws that will kill it, especially in light of the fact that we're talking about *open source software, which begs to be forked, and effectively has been.

Your argument strikes me as very odd -- you seem to suggest that nothing can beat Bitcoin in theory, but Ethereum is already beating it in practice.

> Your argument strikes me as very odd -- you seem to suggest that nothing can beat Bitcoin in theory, but Ethereum is already beating it in practice.

In theory everything is possible. I do not follow the beating really. They can both exist with different use cases.

Bitcoin wants to be digital gold (and money) and Ethereum wants to be a smart contract world computer running dapps. They solve different problems.

But Ethereum is a technically superior option for both cases. It does what Bitcoin can't do, but it also does what Bitcoin does better, and has a roadmap to improvement beyond that. Bitcoin is still wildly slow and destroys the environment, and Ethereum is on track to mostly not do that, to say nothing of "post-Eth" projects like Pulsechain.

Now, I'm sure Bitcoin will enjoy name recognition for some time, but in my experience, always bet on the tech.

Bitcoin slow? I make virtually free, instant, micro-payments on Bitcoin hundreds of times every day (Podcasting 2.0). I also accept Bitcoin payments on my e-commerce site that settle instantly for fractions of a percent in fees. I also route hundreds of Bitcoin payments per day using a raspberry pi which draws an extremely low amount of energy. Not sure which "reality" you're referring to...
Man, your use case is one I hope I'm wrong about. I love the idea of microtransactions and tipping and such. But, I never much paid attention to Lightning given that the BTC price didn't really move when it came out, which strongly suggested to me that not enough people really cared.
It's impossible to consider Bitcoin without considering lightning. Two sides of the same coin. It's still early in its adoption curve for sure, but it has been gaining traction.

- Twitter uses lightning for its tipping mechanism

- The Podcasting 2.0 standard is all lightning based

- NCR is integrating lightning

- Blackhawk is integrating lightning

- Kraken has enabled lightning

- Robinhood is integrating lightning

- Square/block is investing heavily into lightning development and enablement

I'm probably missing some big ones...

I'd suggest doing more research before commenting about things you don't understand. Layered Money by Nik Bhatia would be a good place to start.

The concept of layered system design, especially in money and technology, is not new.

Ethereum is an inherently flawed system.

I'd suggest providing actual ideas, or better yet practice, instead of reading assignments?

The reason I know more about Ethereum than Layered Bitcoin stuff is that that is what more people (myself included) are actually using today to do cutting-edge stuff on.

Moreover, it's pretty easy to first-principle your way into why it's probably better; layered Bitcoin saddles you with a particular kind of technical debt -- you're literally trying to hack Bitcoin into something it wasn't intended for, and the Bitcoin code is of course mostly immutable. Ethereum, on the other hand,is built for it.

Sure, all software has problems, but a car built from the ground up is likely going to be better than a Model-T with addons.

(edit)

Bahaha, I checked out the guys book. He's a Bitcoin Maxi who apparently quotes -- Nassim Taleb aka the guy who thinks that BTC will go to zero. Not looking like a worthwhile thing.

Calling Lightning a "hack" is like calling TCP a hack of IP. First principles of protocol design literally dictate layered modular stacks.

Actual ideas:

Bitcoin is layer 1 of the internet of value. It only needs to be secure, decentralized, and stable. It has one job; enforce digital property rights while maintaining the above characteristics (Think the internet layer: IP)

Layer 2 (lightning, liquid, etc) build on top of the secure, decentralized, stable foundation of L1 Bitcoin and create standards/protocols for application/user comms (think the transportation layer: TCP, UDP)

Layer 3 (Strike, TBD, Sphinx, CashApp, etc) applications to fulfill specific use cases built on top of layer 2 (think the application layer: all the things you do on the internet)

Which projects are simply designed to be hard money?
That depends on what do you mean by hard money. A capped supply?
well, there are multiple factors, supply cap is one. Unchangeable issuance schedule (i.e. unchangeable monetary policy) is another gigantic aspect. No other project can guarantee the same immutability because no other network is defended by the bitcoin mining network.

Bitcoin is the only commodity on the planet who's supply is completely unaffected by demand.

I already see discussion on the bitcoin dev mailing list about how to deal "with block rewards being too low to maintain acceptable security" in the distant future [1]. We can expect more of such discussion as the block subsidy keeps halving while still dominating the tx fees [1].

An emission like 1 per second forever is much more immutable due to guaranteed miner incentives and lack of arbitrariness. And thus a better basis for hard money [2].

[1] https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022...

[2] https://john-tromp.medium.com/a-case-for-using-soft-total-su...

lol, new here? That discussion has been going on for YEARS. Discussion doesn't negate anything I said.
Bitcoin is a terrible foundation to build transaction processing on, since it is extraordinarily slow - it would fail to handle the needs of even a small village.

The "solution" of slapping something like LN on top of it is "let's completely forgo all of Bitcoin's guarantees and build something else; while still being hurt by Bitcoin's cripplingly slow speed when creating our network".

Also, the incentive structures being discussed are only meaningful as long as the miners believe that Bitcoin will keep increasing in value. If it looks like BTC is dying, they have every reason to try to squeeze the last few drops of value from it by running an attack on it and running away with what real money they can extract.

Fedwire is a terrible foundation to build transaction processing on, since it is extraordinarily slow - it would fail to handle the needs of even a small village.

The "solution" of slapping something like banks on top of it is "let's completely forgo all of the Fed's guarantees and build something else; while still being hurt by Fedwire's cripplingly slow speed when creating our network".

Also, the incentive structures being discussed are only meaningful as long as the Banks believe that the Fed will keep increasing the money supply. If it looks like USD is dying, they have every reason to try to squeeze the last few drops of value from it by running an attack on it and running away with what real money they can extract.

> completely forgo all of Bitcoin's guarantees

ah, he doesn't understand at all how lightning works. He's just repeating sound bites.

It's the other way around: I took a look how Lightning works, and understood that, unless you open and close channels constantly, you don't interact with Bitcoin at all. Repeating soundbites you've just heard without understanding the system would be saying "LN fixes Bitcoin's speed problem".

While a channel is still open, transactions happening on the channel aren't in any way protected by Bitcoin's guarantees (they get LN's guarantees, which are different). And those are the only transactions that have any speed boost.

That's fair enough, but I believe the paper stayed in its bounds; it is correct that given the means or the willpower control could be assumed. What you should be more worried about than blatant double-spends are all the hidden ways having 51% of network control allows you to cartel, centralize, and siphon funds away from smaller, newer players in the system.

https://saito.tech/the-double-spend-attack-is-not-the-same-a...

In July 2016, we created a simple spreadsheet [1] comparing different blockchains and security state of the art at that time [2]. There are things to review there but the theoretical attack to Bitcoin was relatively low for state actors and miners. Miners are not incentivized to do this or do it only as the latest option.

It is also important to know that new blockchain technologies such as Solana, Algorand, Avalanche don't have enough scientific peer reviews to make a strong claim in favor or against them now.

[1] https://blog.coinfabrik.com/wp-content/uploads/2016/07/Block...

[2] https://blog.coinfabrik.com/cryptocurrency/overview-of-block...

I think this misses the elephant in the room: the tech may have flaws, but there's far worse flaws.

Who is it that actually has control and influence in crypto?

1. The developers. 2. The miners. 3. Everyone else (very distant from the rest)

The developers aren't decentralized at all, they typically are a single, small team with some sort of leader. They can make a lot of decisions almost unilaterally.

Then very close below are the miners. The miners have serious economic concerns, so they can do things like refusing to run the software the developers provide. So we can expect devs and miners to be in close contact in most cryptocurrencies.

And very far below that is everyone else. You can run your "full node", but most nobody cares. Miners decide what goes or doesn't on the network.

And that's why Bitcoin is the way it is. Back when fees rose to $50/transaction because the capacity was overwhelmed...

Did the devs have a problem? No, because they had ideas how to sell add-on products to deal with that issue, and such products are much easier to sell when there's a problem that needs fixing.

Did the miners have a problem? No, because the network was still heavily used and they were reaping all those juicy fees coming their way.

Did the users have a problem? Yes, their experience sucked badly. But for both parties actually in control solving those problems would require losing money.

And thus crypto ends up being controlled by a small cabal of elites, while the normal users get screwed.

I was wondering how Ethereum founder Vitalik Buterin is able to walk around without a security detail, going on extensive backpacking trips, what if someone steals his keys?

He’d just fork the entire blockchain.

Normal users don’t have that luxury.

> He’d just fork the entire blockchain.

> Normal users don’t have that luxury.

Everybody else can fork the entire blockchain, too. The difference is that if a "normal user" does such a fork, hardly anyone does care. The central difference rather is that the trust and authority that Vitalik Buterin holds - if he does a decision, it is accepted by and large.

The question that you should rather ask is: why do so many people involved in Ethereum have so much trust in Vitalik Buterin's authority and decisions?

Main reason is Vitalik is one of the brightest minds in crypto. He's a 10 year veteran of the space and a genius.

But no, even Vitalik could not get a split off fork done unless it was something with major security implications for the whole Ethereum ecosystem.

So genius that both EVM and Solidity have huge unforced footguns that have caused gazillions of dollars in damage.
It's not that bad. Solidity does not protect against crypto economic errors. No language does.
Yeah but most languages don't handle things like exceptions, inheritance, and reentrancy so incredibly weirdly that people consistently write basic logical errors when using these concepts.
There are numerous instances where Buterin's suggestions have not been just accepted at face value. He's an influential voice, but is no dictator.
This is such an ignorant and factually wrong comment.
He literally did this after the DAO hack.
I'm as "fuck cryptocurrency/NFTs" as the next guy, but that's not accurate. As others have said, forks require community consensus, not just the decision of a single individual. Regarding the specific fork you're referring to (italicized emphasis is mine):

>It was initially unclear as to whether the fork would be executed. Though it was proposed by Ethereum developers, they did not have the unilateral power to implement the change. Miners, exchanges, and node operators also had to agree to update their software. After more heated debate in public forums, on July 20, 2016, at block 192,000, the Ethereum hard fork was implemented.

https://www.gemini.com/cryptopedia/the-dao-hack-makerdao#sec...

The crucial question, to me, is: would the fork have happened if Vitalik had not been part of the DAO? I don't think there's any chance he would have entertained that.

There have been many large ETH compromises since then, and the idea of forking for any of them would be considered outrageous.

One of the main reasons it went through is because there was 'only' one losing party - the hacker, and multiple winning parties (developers and investors in the DAO). A couple years later when the parity mutlisig was hacked such that the funds (150K eth from an ICO) were 'permanently locked', the proposal to unlock the funds via hardfork was rejected. More or less specifically because it would only benefit a very small subset of parties, while leaving the frozen funds in place meant the rest of the chain benefited from the effective reduction of eth supply. Since then no one else has seriously proposed forks to move funds out of protocol.
Vitalik was not part of the DAO, and the Ethereum Foundation took an extremely hands-off approach to the DAO hack.

This is pretty well documented in the Cryptopians book; the DAO hard fork was driven almost exclusively by people outside the EF.

What's crazy is they never "fixed" The DAO "bug." Reentrancy is a feature of Solidity. They just tell people to make sure to do exception checking for it. Which of course makes contracts bloated. Which in turn makes contracts cost more in gas fees. So every now and again a Defi will be attacked by the very, same, thing, that got The DAO, because they didn't put in expensive reentrancy checks. Couple of recent examples: https://ambcrypto.com/how-these-two-defi-protocols-fell-prey...
Yup. The combo of “this is hyper critical financial code” and “every extra instruction to check invariants is very expensive” are two fundamentally opposed ideas and will cause pain forever.
No. Any fork requires a consensus among the community. While it was possible to fork Ethereum for the DAO hack in 2016 (note the DAO hack had affected 30% of all ETH in circulation), a lot has changed in the Ethereum ecosystem since then and break-off forks do not happen willy nilly. Besides all of the applications that need consistent state to make sense (such as USD-backed stable coins), you need a coalition of developers, miners, and community members to back it. No one in their right mind carries their private keys on a backpacking trip.
Everybody who is insanely dissatisfied about the direction some blockchain develops into can drum up a following and do a hard fork of the blockchain if they desire.
This is theoretically true and in practice false. It comes up every time and every time no one has an answer for what the little guy can in-practice actually do that will be successful.
There are several facets of 'success', and they compete with each other. If a user defines success as cheap transactions, there are blockchains for that.
Great if transaction s are cheap ... but if you don't have anybody to receive transactions from kr sending to it isn't really useful. And the single person rarely has the ability to move a network of people over.
It doesn't really solve the problem satisfactorily.

Somebody still has to develop the software. The end result is a single download, produced by some form of authority. And typically there's one project, with one group controlling it.

And miners are more or less the same everywhere, they want to make a profit.

You can get somewhat better. You can find a dev group that aligns with your interests. Maybe you can even find a cryptocurrency where there are multiple independent implementations led by multiple groups with none being the clear winner.

But that's an unstable situation. The dynamics of a dev team can shift as people come and go. Balance is easily broken, if a project loses steam, or one becomes the default and gains overwhelming popularity, and you're back to having a single group in effective control.

You can migrate from one system to another, but any conversion has costs to it, both in terms of money and knowledge, attention and time resources.

This libertarian utopia seems very much like some sort of bureaucratic hell to me. To exist in such a society without getting royally screwed you have to invest immense amounts of your time to pay attention to everything and correctly and prompty react to it. You go on vacation for a couple weeks, and oops, suddenly the dev team is changing the rules from under you.

A properly decentralized project has multiple implementations, and a formal process for changing the consensus model. This requires the equivalent of an RFC (Request for Comments, or Bitcoin Improvement Proposal in case of Bitcoin) to be written, motivating and detailing the changes, followed by months long discussion to see if there is overwhelming support for, and few downsides to, the changes. Meanwhile, the changes need to be implemented on all existing clients with extensive documentation and tests and be exercised on test-nets to see if all goes well. Finally, a supermajority of miners as well as economic nodes (such as exchanges) need to be convinced the changes are for the better, and then an activation can be planned on main-net that could take several more months to lock in first. Chains where this process can be bypassed or severely shortened don't deserve to be called decentralized.
> a supermajority of miners as well as economic nodes (such as exchanges)

Is there a formal way of defining this?

Maybe it's possible to at least define "a supermajority X% of miners, weighted by blocks mined in the last Y days" (for values X and Y that have previously reached a consensus), but counting economic nodes in a way that is Sybil-proof and globally consistent, seems like it's just pushing the consensus problem somewhere else.

I think you are underselling the difficulty, especially if the goal is to out-compete the original chain, versus creating yet another worthless chain.
The premise is that at some point one of these chains will win. Forking btc will be no more meaningful than forking usd.
> You can run your "full node", but most nobody cares. Miners decide what goes or doesn't on the network.

Limiting myself to BTC, this is not how it works.

Miners can emit as much nonsense, noise, malformed information as they want. Full nodes perform validation: they decide what a compliant chain looks like, and only accept contributions from miners which have that shape.

This is why there was such a vicious fight about block size: the side which won the mindshare and economic value fought for a small blockchain so that running a full node remains feasible forever.

Validation is a huge problem with more profligate blockchains, some/many of which are de-facto centralized due to the excessive hardware requirements.

It is on an architecture and algorithm level a critical part of the decentralization of bitcoin, something I expect HN to get right regardless of their position on bitcoin's worth to civilization.

Edit for more detail: an object-level example is that miners cannot unilaterally start issuing larger blocks. These will fail validation by the full nodes, ergo, it is the full nodes which determine what Bitcoin is or isn't. Miners merely construct data which has that shape.

Sure, but it is very easy for the miners to also run full nodes and validate whatever they want - much easier than it is for someone running a full node to also mine (at any realistic hash rate). So miners can more or less trivially flood the network with full nodes that validate their preferred chains.

> This is why there was such a vicious fight about block size: the side which won the mindshare and economic value fought for a small blockchain so that running a full node remains feasible forever.

This is a tangent, but I wonder how this squares with the people claiming that Bitcoin's (terrible, horrible, no good, very bad) transaction rate is not limited by design, just by some temporary politics.

What you're describing is a fork, clearly.

The assertion that miners can unilaterally fork and get away with it hasn't been backed up in practice. The creation of a whole bunch of brand-new full nodes which do something besides validate Bitcoin is the creation of something other than Bitcoin. Happens with reasonable frequency, just not the way you've described it.

Right now the Bitcoin network consists of ~59,000 nodes (according to the article), running various versions of the Bitcoin software, implementing the same protocol.

If the biggest mining pools were to launch ~100,000 nodes of their own, initially running the exact same software as the other 59k nodes (until they get some reputation) and then modifying the software to allow larger blocks, that they would start sending to the network as well, what would prevent them from effectively changing what Bitcoin is, leaving the current nodes as a legacy fork? Especially if they were doing this together with the Bitcoin devs?

Edit: more realistically, there are far fewer popular nodes, so the miners would have to create a much smaller number of nodes to achieve this effect.

What you would then have is 100,000 nodes running one piece of software, and 59k which are doing exactly what they were doing, and in your scenario, the 100k chain also has a higher hash rate.

What happens next is a social phenomenon. No one knows. But which chain is original is perfectly clear: it's the the 59k chain, which will still be mining blocks, and it all comes down to who wants to use which one more.

But it is emphatically not the case that a majority of validators can force a minority of validators to choose a new protocol. It's nothing like mining.

> But it is emphatically not the case that a majority of validators can force a minority of validators to choose a new protocol. It's nothing like mining.

Define "force".

Because to me - if you are on a chain that has no future (as in the fork has more resources, better hash rate, better social support) then while you can continue to use the original, the odds that it holds any value is basically zero.

Same is true in the inverse - creating a fork and then expecting to be able to move any significant value off the original chain, when the original chain holds better social support and more resources, is usually folly.

Take bitcoin cash - which is a great example of this.

They split in 2017 and began trading at ~240 USD to bitcoins ~2700 USD. So they started with the assumption that their fork had roughly 1/10 of the value of bitcoin. Today they trade at 119 USD, to bitcoins 21170 USD (and this is after the HUGE drop over the last month): Roughly 1/200th the price.

Further - I strongly suspect that the reason BCH is still worth anything at all is that we're well into a crypto bubble - there are FAR too many completely worthless coins floating around that serve absolutely no purpose and still trade at ridiculous nominal USD values. The fact that a usable chain forked from BTC for genuine technical reasons (and a social disagreement over segwit) drops so much value is a BAD sign for that group of original folks on the 59k chain.

They can certainly keep mining away on that chain, and if the goal is to still facilitate exchange only in that original chain, they're fine. The second they need to get off that chain and on to something else (whether it's another coin or USD) then they're probably fucked - their chain won't have held value, because value is a social construct, not a number on a chain.

>there are FAR too many completely worthless coins floating around that serve absolutely no purpose and still trade at ridiculous nominal USD values

Correction: No cryptocoins have any value or serve any purpose, besides gambling and fraud. It's scams and wash trading all the way down. I have still yet to see a single valid use for blockchains that actually requires this inbuilt mechanism, where the participants pump the value of some token that serves as payment access to the chain. The whole point of any of them using a blockchain is apparently to take something that serves no purpose and trade it at ridiculous values.

I mean - I mostly agree (I'm fairly clear about my distaste for the current crypto market in many of my comments).

That said - there is a floor value for a single coin that captures the dark market space. The original use-case for crypto is still there: There are folks who want to exchange stored value for black market goods, in a scope where government regulation is already assumed to be absent because the goods being exchanged are forbidden items.

This is basically what bitcoin was originally. It kept a fairly stable price point around the single dollar mark for use on the silk road ~2010/2011. The problem is that folks started noticing that any time the media talked about it, the price would spike. And that started the whole rollercoaster of speculation that I find absolutely immoral and greedy, that ruined the whole thing.

So basically - amend your comment to "besides gambling and fraud and dark market exchange" and I'd agree.

This is just your opinion, and wow is it a privileged take. Of course there is value in being able to trade with whoever you want, regardless of jurisdiction. Just because YOU do not see the value doesn't mean it's not there.
>being able to trade with whoever you want, regardless of jurisdiction

That has absolutely nothing to do with blockchains at all. Blockchains do not enable that, they have never enabled it. You can indeed build a service that does that with blockchains, but you can also build it without them. Black markets existed for a very long time before bitcoin was created.

If you're suggesting there is value in having totally unregulated unrestricted trade, then no, I would still have to say I don't see value in that. There is actually negative value in allowing people to trade illegal weapons, or trafficked humans, or counterfeit products, or contract murders, or tainted animal products that infect humanity with a plague, and so on... you get the picture. These things are actively destructive to a functioning society and market. It's even more of a privileged take to try and suggest that these things don't exist or won't happen if everyone can just trade whatever they want without any restrictions whatsoever.

Edit: I'm thinking about this a bit, and it's really insulting to be told I have a privileged take when in the past several years myself and my family members and friends have been actively harmed by ransomware and crypto scams. It's not nice to kick someone when they're down. In my case, the people evading jurisdictions were doing it entirely to harm me. I'm really not seeing how I'm supposed to be the privileged one.

You are misunderstanding the meaning and purpose of running a full node. Coinbase[0] runs a full node to validate transactions. If miners start mining blocks that Coinbase considers invalid, Coinbase will reject the transactions. The number of full nodes on the network is more or less irrelevant, what matters is your own node.

[0] You can replace Coinbase here with pretty much any Bitcoin participant, including individual users.

If the largest miners switch to emitting larger blocks, and Coinbase starts receiving almost exclusively invalid nodes, what will they do next?

What if Binance starts accepting these blocks, and now users have some BTC balance on Binance, and another on Coinbase?

We don't have to speculate, it has happened multiple times already[0]. What happens is the hard forks are either ignored or they are supported but under a different name to avoid confusion (e.g. Bitcoin Cash, Bitcoin SV, etc.). The only way I could imagine a hard fork succeeding (e.g. retain the "Bitcoin" name) is if it if it had an overwhelming community consensus, not only from miners but also from users (like Coinbase).

[0] https://en.wikipedia.org/wiki/List_of_bitcoin_forks

I don't think this clarified it at all. The crux: miners can decide to OMIT transactions, REORDER transactions within a block, or DELAY them for later. All of those actions pass "validation", because they cannot be detected by a validator. Miners do so at the expense of lost transaction fees, or with reordering, for free, or with delaying, with the possibility that some other miner will reap the transaction fee first. There is a lot of money in doing this, called 'miner extractable value' / MEV, which is bigger when you are processing complex smart contracts with funky clauses to exploit. They are not able to INVENT new transactions (as that would be caught by a validator, miners don't know your private keys and couldn't easily forge a transaction). A validator cannot detect a missing, silently dropped transaction. Nobody can detect such a thing except whoever submitted it and doesn't see it in a block. Nobody at all can detect a reordered or delayed transaction; you just have to assume the miners will act according to their own interests as much as possible.

The paper goes into this, of course. Miners are not even the only ones who can decide to omit transactions -- submitting a transaction is not secure, so any intermediaries between the transactor and the mining nodes also have a chance to silently drop it or MITM it for delay etc. It could have done more on high-end MEV though.

Which doesn't contradict a word I said. The things you describe are all on the miner side of the contract.

Most of the problems you are describing are less relevant on BTC, which doesn't support complex smart contracts in practice, but yes, the miners are the only entity which can generate data of the valid shape, and only when they get lucky.

So OMIT/REORDER/DELEY are privileges which a miner has to sweat to earn temporarily. If 80% of the hash rate hates you they can probably keep your transactions out indefinitely, presuming willingness to bear the cost, which y'know, war is hell, it could happen.

Yeah, I wasn't saying you were incorrect, your answer just didn't dig much deeper than "miners do whatever they like, validators check it". The matter of centralisation is answered by what miners can get away with, not the mere fact that validators exist. You must examine this because miners are the ones that are subject to centralisation through efficiencies of scale at buying electricity and computing power. So attacks are possible that are plausibly deniable as accidents, software glitches, dropped packets, etc., but in fact involve coordination by majority miners.

And further, MEV is a problem even if you ignore % of hash rate and centralisation of the mining market -- any single miner will exploit any opportunity you give them if they can, especially the undetectable/unprovable ones. So much of MEV is not a matter of adversarial voting but literally 100% of miners are incentivised to do it, independently and unanimously. It's just a matter of who figures out how to extract it, who has relevant conflicts of interest, or who has enough cash to snap up opportunities that arise. That's less about centralisation though.

And the scope of this discussion was never just bitcoin. TrailOfBits' paper is about the technology generally.

> Miners can emit as much nonsense, noise, malformed information as they want. Full nodes perform validation: they decide what a compliant chain looks like, and only accept contributions from miners which have that shape.

That highly depends on who the full node is. A random joe with $100 worth in the wallet can be safely ignored. If their node refuses to see the new blocks as legitimate, the owner doesn't get to use their money for anything anymore. The likes of Coinbase though would have a lot more influence.

There were plenty full node owners that were onboard with big blocks, but since they didn't have the pull, they didn't matter. They could reject validating the blocks all you like, but the network can keep on working fine without their approval.

> This is why there was such a vicious fight about block size: the side which won the mindshare and economic value fought for a small blockchain so that running a full node remains feasible forever.

No, the side that won is the side that wanted to make profit from selling L2 solutions and collecting fees. There's no technological reason for a 1MB limit that makes any sense.

Bitcoin started in 2009. Since then there have been 4 main generations of the Raspberry pi, disks went in size from ~1-2TB maximum to ~20TB maximum, gigabit internet became fairly commonplace, and CPUs also improved greatly.

Plus, the modern BTC is pretty much useless for small transactions anyway -- if you have any use for it, you can certainly afford decent hardware.

>There's no technological reason for a 1MB limit that makes any sense. Bitcoin started in 2009. Since then there have been 4 main generations of the Raspberry pi, disks went in size from ~1-2TB maximum to ~20TB maximum, gigabit internet became fairly commonplace, and CPUs also improved greatly.

Increasing the block size from 1MB to say... 20MB ... will inevitably reduce the number of participants able to run full validating nodes. Consider various discussions on network traffic patterns for existing 1MB blocks: https://bitcointalk.org/index.php?topic=3286296.0

So the question is: Is the reduction of participants from the higher technical requirements significant enough that it weakens Bitcoin? (I honestly don't know.)

I guess someone can put together a spreadsheet model with some "reasonable" guesses for the ripple effects of a hypothetical 20MB block size and try to predict game theory of what might happen. Has anyone done such a math exercise?

Sure, many participants already processing 1MB blocks today can easily switch to bigger 20MB blocks with no problems. But many can't and we don't seem to have a consensus prediction on what the percentage is.

> Increasing the block size from 1MB to say... 20MB ... will inevitably reduce the number of participants able to run full validating nodes. Consider various discussions on network traffic patterns for existing 1MB blocks: https://bitcointalk.org/index.php?topic=3286296.0

That discussion is from 2018, that was 4 years ago. Surely things have improved somewhat since then.

> So the question is: Is the reduction of participants from the higher technical requirements significant enough that it weakens Bitcoin? (I honestly don't know.)

No, that's far too simple of a question. A better is: where do you find the balance between technical requirements for the network and the usability of the network for end user?

It makes perfect sense that as the usage grows, the network will become more expensive to operate. More users is more data, and more bandwidth. If you just refuse to increase the requirements an inch, you're refusing to support the growing userbase.

Many other projects have to make such decisions. Your space sim gets more popular -- that costs more bandwidth, requires more polygons on the screen. Do you bump up the system requirements, or do you stall your growth to allow 10 year old hardware to be usable? And pretty much all of them bump the requirements. You can't play modern games on a 386.

You're optimizing for the wrong thing here IMO. You should optimize for decentralization. Without it, there is no point to Bitcoin (or any cryptocurrency for that matter). Increasing the block size won't solve the inherent problems with scaling the bitcoin blockchain. The only thing it will end up doing is push the can down the road and result in less full nodes running on the network.

The solution is of course to not increase the block size but to scale in other ways, like for example the Lightning Network.

The size of the blockchain right now is 390GB. It grows at 144MB/day. You can get a 2TB hard disk for $50 right now, and it'll be enough for 30 years more.

1 MB blocks take 2 minutes and 30 seconds on at 56 Kbps, which means you can keep up with the blockchain on a freaking dial-up modem.

I'm not seeing exactly where the problem is here, and in what scenario would somebody go "Gee, I'd love to run a full node, if only it took something less amazing than a computer I can find lying in the garbage for free".

If you want more nodes what you need instead is incentives to run a node. Give people some reason to run one other than that it provides some nebulous benefit to the network, and so it's a good thing to run this out of the goodness of their hearts.

You also don't have to store the entire history. Technically keeping a day's worth of blocks is sufficient to run validation.
Your analysis seems correct in theory -- but in practice, in terms of "the things that actually affect people," you're overwhelmingly missing that group that is in "3" that's easily number one -- which is the whales who control the price?
Ethereum has five independent execution clients, five independent staking clients, and an open community of researchers.
And one Infura node to bind them all
Any Ethereum node can talk to the network, and runs on a modest home computer. Infura is popular but not everyone uses it, and it's easy to replace.
Not even Vitalik runs a full node lol. He checks Infura nodes to verify shit. That was a hilarious moment
> The developers aren't decentralized at all, they typically are a single, small team with some sort of leader. They can make a lot of decisions almost unilaterally.

That's painting everyone with the same brush...

It may be true for many projects, but the second largest blockchain (by marketcap), Ethereum, has like 10 independent client teams and a strong concentration on client diversity [1].

The media likes to paint Vitalik (one of the original founders) as the "leader" of Ethereum, but everyone that's actually working in Ethereum knows that he's at best an advisor these days, and has intentionally taken a back seat in terms of leadership to avoid the very effect you are describing.

> And very far below that is everyone else. You can run your "full node", but most nobody cares. Miners decide what goes or doesn't on the network.

> And that's why Bitcoin is the way it is. Back when fees rose to $50/transaction because the capacity was overwhelmed...

That is not why transaction fees are high... and miners do not decide what goes or doesn't on the network. That's a huge misconception.

Transaction fees are driven by demand, plain and simple. Demand is high in a scarce blockspace, so the fee goes up to keep the network stable.

Also, miners can't decide to just change the rules, that's a big misconception of the Sybil problem further driven by popular media. The rules are the rules, if miners don't follow them, clients (full or light) won't follow that chain, period.

Even if 50%+ of miners colluded, all they could do is prevent a consensus from forming (called "censorship"), so basically a DDoS. They cannot change the rules and "trick" clients into following them, as it is often portrayed!

If you're referring to miners having influence on what the rules are, as in influence over development, that's been tried and failed multiple times on multiple networks. In reality, devs and companies/user sentiment drives the majority of "social consensus".

If you need evidence of that, Ethereum's switch to PoS will eliminate mining, and yet it's still happening. For a past example, EIP-1559 was opposed by many large mining pools, still happened (because it improved user experience by making gas fees more predictable / reducing failed transactions -- in direct contradiction to your point).

[1] https://clientdiversity.org/

>> If you need evidence of that, Ethereum's switch to PoS will eliminate mining, and yet it's still happening.

This has been delayed, and sometimes people say it is delayed because the miners are against it. It seems very important to people who are thinking about doing projects with Etherium because it will be based on PoS. Hoenstly, I don't know anything about this.

Here is my question(s) to the smart people on HN: Could miners or others with financial interest slow the switch to PoS for Etherium? How would I be able to judge if that is happening?

No.

The switch to POS is entirely a socially initiated hard fork being built by Eth holders, users and developers. The miners who don't want to play along are effectively being fired. And there is a lot of economic incentive to get that fork done - mining is a really expensive way to generate consensus on a blockchain. What miners earn via block rewards is coming out of the pockets of other eth holders because of the coin's inflation. Ethereum will be able to reduce it's issuance/inflation by roughly 10x in the switch.

The starting point was launching the beacon chain back in December 2020, a separate chain designed to provide consensus and validation of mainnet ethereum in the (hopefully near) future, whose validating participants fund their deposits through what is just a normal contract on mainnet ethereum. From there that beacon chain has been refined and built into a protocol with multiple implementations, and had its stability monitored and tested.

From here, it's just a matter of forking mainnet ethereum into using the beacon chain as its consensus provider and ignoring the miners. And that step is pretty deep into the final testing phases using ethereum's long running testnets to run through the 'merge' at it is called.

> This has been delayed, and sometimes people say it is delayed because the miners are against it.

They can say that all they want, there's 0 actual evidence of that. It's been delayed a bunch because it's an incredibly difficult thing to do for a network operating trillions of $ in transaction value.

All indications are at the moment that it will happen around September, but definitely this year. The big test (doing the PoS switch on the most similar testnet) was completed successfully last week!

> Could miners or others with financial interest slow the switch to PoS for Etherium? How would I be able to judge if that is happening?

There are theoretical ways, but in practice it's not all that practical, because ultimately what matters is the "fork" developers and users want to follow. There's a negative incentive for miners to do anything disruptive because it could have an effect on the value of the tokens they already hold.

Additionally, Ethereum has a built-in "difficulty bomb", which basically ensures that a network upgrade happens at a certain cadence, which gives impetus for miners to follow new upgrades or no new ETH will be generated anyways past a certain point.

Financial interests push heavily towards PoS. Ten percent of all ETH is already deposited in the PoS network (currently running in parallel), and can't be withdrawn before the merge happens. The development teams were granted staked ETH by the EF, and can't withdraw it before the merge happens. All ETH holders are likely to benefit from the PoS merge, which will reduce issuance to the point where the ETH supply will begin to shrink because 90% of the fees are burned.
This is assuming the developers are willing to act in the way you are describing but with our ability to audit their work I am not convinced that will necessarily happen.
Yanis Varoufakis recently called crypto currencies “oligarchic” which is very fitting. Quote:

“I do not believe that the… ‘oligarchic,’ by definition, cryptocurrency like Bitcoin is ever going to replace [conventional currency]. It shouldn’t, it can’t, and it would be a nightmare if it did.”

Full interview in which he also discusses his proposal for cryptocurrencies run by central banks and why that’s (according to him) the way to go: https://www.kitco.com/news/2022-05-27/Gold-and-Bitcoin-won-t...

There's not really a word for it that I'm aware of, but Crypto IMO is best described as an "Initialarchy", or rule by the first people on the scene. Since almost every crypto project starts with dirt cheap prices, the first people who create or invest end up controlling the entire project given that they have millions of coins or access to the devs.

Being first to the next hot project is almost all the matters in the Crypto world.

People that have billions of dollars can always break in. And the first adopters also happen to have billions of dollars. So oligarchy seems fitting.
> More than one in five Bitcoin nodes are running an old version of the Bitcoin core client that is known to be vulnerable.

Patching software that is remotely accessible is a pretty basic security measure. I suppose the risk of a hacked node is fairly low, maybe about the same as a node that's run by a malicious owner. Although exploiting nodes would extend the reach if a malicious party.

Yup, I've come to realize that the word(s) "centralized/decentralized" are doing way too much heavy-lifting in these discussions, and that examining the details is very important.

When you use one of these words, you have to immediately ask -- "the power to do WHAT, exactly?" As in, compare to the question e.g. "Is Tesla centralized w/r/t Elon Musk?" You can't meaningfully answer the question with yes or no, and this gets even more complicated with many things in crypto, especially with (the extremely stupidly named) "Smart Contract" as a part of the game.

I've had the same realization illuminated to me as well. "Decentralized," is just the shape of the network - what people really care about are what the opportunities to control the network look like and how preventable central power is. Its unintuitive but the network can have a centralized topology while still possessing the positive traits people actually seek when they use the work 'decentralized.'

https://www.youtube.com/watch?v=C81D6B9sgH8

> Tor is now the largest network provider in Bitcoin; just about 55% of Bitcoin nodes were addressable only via Tor (as of March 2022). A malicious Tor exit node can modify or drop traffic.

I'm not sure if I understand this criticism. Is it not true that if something is ONLY available via Tor, then exit nodes are NOT used at all when accessing it, and all of the traffic is encrypted with Tor's encryption layer?

You are correct, the researchers just did not realize this.
Honestly there’s a lot of valid points to be made here but the actual report reads as if their intention was to prove blockchains are insecure and centralized.

That is true for a lot of them, but true Nakamoto consensus is not quite as fragile as they suggest it is.

They don’t provide an analysis of the true cost of launching a 51% attack.

Their assertions about the security risk of “altering the software that nodes run” fail to mention how this is a voluntary process which all node operators choose to undergo. If a consensus emerges on the network or a subset of the network that the changes are problematic, these dissenting node operators can choose to hard fork. There will be few supporters of an obviously malicious attack in the network, so it would be unable to gain traction.

Their point about the number of entities in control of Bitcoin is technically correct, because of the way that pooling works in Bitcoin: many nodes send any propfs they find to one node, and that one node writes to the blockchain. So, there is a definite concentration of power. There are some in depth game theoretical analyses of why this is unlikely to become a problem but in general it is easy to imagine that, for instance, the US treasury would not want to destroy trust in the USD.

Interestingly, Chia, a new proof of work blockchain which launched a year ago, developed by Bram Cohen, has a unique and innovative solution to pooling which does not result in concentration of power: individual node operators submit proofs to the network, not to the pool, and the pool receives a fraction of the reward for minting a new block. Chia also has more full nodes than any oher blockchain, including Bitcoin. At this point it’s relatively unknown however.

The subtext of the DARPA funding makes me think the purpose of this paper is to analyze whether governments can disrupt, block, or compromise cryptocurrencies. The conclusions make some more sense in that light. Still, I think they fail to address several mitigating factors for each of the issues, which weakens the overall message:

(1) Mining pools are not even remotely static. In fact, they gain/lose marketshare very quickly, and when problems are discovered, miners actually move. Therefore, it would have to be shown that these pools can be disrupted clandestinely, otherwise an attempted takeover/51% attack would just cause a rebalancing of the pools. To better understand this, it's good to visualize it; here's a graph of changes to miner pool distribution over time: [0]

(2) 51% attacks permit double-spend, but many guarantees persist in the light of 51% attacks - nobody can invent coins they don't have with a 51% attack; they can just undo transactions that were assumed to be settled [1].

(3) Software centralization and the implied lack of immutability is subject to the voting influences of node operators; maintainers can't just do whatever they want (in other words, backdoors would probably need to be bugdoors, else they would not be deployed and therefore de facto rejected). Taking Bitcoin as an example, many BIPs have been withdrawn or rejected, either early in the development process or later by the community refusing to adopt releases they don't support: [2]. And you can see this process at work in the block size debates and ultimate resolution [3].

ISP centrality and the vulnerability of the network to malicious Tor exit nodes is the most interesting point to me. Miners can go switch pools, and node operators can band together & refuse to update to new software that does things they disagree with. But can node operators/miners switch ISPs quickly and easily? Not really. There's virtually no free market competition among ISPs, so people can't freely switch ISPs if theirs starts inserting arbitrary latency into Bitcoin traffic. We probably need some ways to operate nodes/miners that are less sensitive to corrupt ISP disruption.

Encrypting BTC P2P traffic and developing strategies for operating nodes/miners behind anti-censorship software like ShadowSocks should be high-priority.

[0]: https://public.flourish.studio/visualisation/2879848/

[1]: "Even a 51% attacker cannot propose a block that takes away your ETH, because such a block would violate the protocol rules and so it would get rejected by the network. Even if 99% of the hashpower or stake wants to take away your ETH, everyone running a node would just follow the chain with the remaining 1%, because only its blocks follow the protocol rules. More generally, if you have an application on Ethereum, then a 51% attack could censor or revert it for some time, but what comes out at the end is a consistent state." - Vitalik, https://old.reddit.com/r/ethereum/comments/rwojtk/ama_we_are...

[2]: https://en.wikipedia.org/wiki/Bitcoin_Improvement_Proposals#...

[3]: https://en.bitcoin.it/wiki/Block_size_limit_controversy

I think this is the answer - everyone is saying that DARPA is biased and government funded and thus trying to steer people away from Crypto - but I think this is a good read. If a few big ISP control a huge portion of the traffic (normally big competing entities) and we know that many (maybe most) big ISP's are subservient to the governments they run under then it follows that a government could potentially majorly disrupt/control cryptocurrencies.
> They don’t provide an analysis of the true cost of launching a 51% attack.

Andreas Antonopoulos has done this many times already.

https://www.youtube.com/watch?v=ncPyMUfNyVM (one of my favorites and only a couple minutes long)

https://www.youtube.com/watch?v=-ZTGmTjqXEU

https://www.youtube.com/watch?v=N-La8gyNVCI

https://www.youtube.com/watch?v=JDZVW4hri2g

From the first link: "Bitcoin has achieved a level of comput[ational power] that no single nation state can overthrow it through computation alone. The effort to do so would require a massive covert operation of chip fabrication. Then, the coordinated assault would give them over the next block for 10 minutes, until we kick those bastards off the network... they would be revealed, they would have lost billions of dollars doing this, and all they would have got was a double spend"
How are you going to "kick them off the network"? There's no way to tell where the hashpower is coming from.
Yeah it’s a pretty glib answer. Not clear at all how you kick them off the network.

Perhaps he’s conflating some kind of protocol exploit that could be patched against with a 51% attack.

"On October 25, 2021, a vulnerability in all prior versions of Geth was discovered that permitted a carefully crafted peer-to-peer message to inflict a denial-of-service attack on the receiving node. 42 From our crawls of the Bitcoin network, we observe that 21% of Bitcoin nodes are running an old version of the Bitcoin Core client that is known to be vulnerable."

The beginning of this excerpt is talking about Geth, and how unpatched Geth resulted in a fork of Ethereum. Then, out of nowhere they indicated 21% of Bitcoin nodes are vulnerable and running an old version of the bitcoin core client, and they bold it. They didn't say anything about this vulnerability in the preceding paragraph. Vulnerable to what? Certainly not vulnerable to the same thing that Geth exploit took advantage of.

I found this information about the DARPA contract that funded this research: https://govtribe.com/award/federal-contract-award/definitive...
Interesting they are totally different. ZK proofs are used in cryptocurrency, but they can also be used totally separately just as mathematical objects on their own. I don’t see how ZK proofs for defense "capabilities" relates to centralization risk in cryptocurrency networks.
(comment deleted)
The article doesn't say the research pointed out that many users aren't decentralized at all.

They don't run full-node. They relies on somebody else's SaaS.

> Tor is now the largest network provider in Bitcoin; just about 55% of Bitcoin nodes were addressable only via Tor (as of March 2022). A malicious Tor exit node can modify or drop traffic.

Tor's onion services are end-to-end encrypted and do not use exit nodes.

> "For a blockchain to be optimally distributed, there must be a so-called Sybil cost. There is currently no known way to implement Sybil costs in a permissionless blockchain like Bitcoin or Ethereum without employing a centralized trusted third party (TTP). Until a mechanism for enforcing Sybil costs without a TTP is discovered, it will be almost impossible for permissionless blockchains to achieve satisfactory decentralization."

https://saito.tech/wolves-and-sheep/