34 comments

[ 2.6 ms ] story [ 46.1 ms ] thread
According to ChatGPT, Bitcoin market cap is $2T while the cost to carry out a 51% attack is $4B. If correct, it seems a little imbalanced.
That market cap would quickly collapse if there was a 51% attack.
First, that figure is way off. Marathon alone has a market cap over $4B and controls less than 5% of the total hash rate.

Second, the system only seems vulnerable if you ignore economic incentives. A 51% attack isn't just technically difficult - it's economically irrational. Pulling it off would cost billions, and even then, there's no clear way to profit from it. The only scenario where it makes sense is a non-economic actor (e.g. a hostile government) aiming to disrupt Bitcoin. But even then, that investment could be neutralized by a fork that tweaks the mining algorithm, instantly rendering the attacker's hardware obsolete.

Claude deep research estimates that it would cost 20-40b and "vastly exceeds the rational economic gain". Ideological/nation-state motivation would be the only reason to do this.
I see your ChatGPT generated argument and raise you my DeepSeek generated rebuttal:

1. The $4B "Cost" Is Fundamentally Misinterpreted:

* It's Not a "Cost" Like Buying an Asset: The $4B figure (if accurate) typically refers to the theoretical short-term cost to rent sufficient hashrate to perform a temporary attack. This does not mean you can "buy" control of Bitcoin for $4B.

* Acquisition Cost vs. Rental Cost: Actually acquiring the hardware (ASICs) and infrastructure (data centers, power contracts) needed to permanently threaten the network would cost orders of magnitude more – potentially tens or even hundreds of billions of dollars – and take years. This hardware market is finite and competitive.

* Sustained Cost Ignored: A meaningful attack requires sustained hashrate dominance for a significant time (days/weeks), not just a single block. The ongoing electricity and operational costs for this would be astronomical, likely exceeding the initial "rental" figure many times over during the attack period.

2. Market Cap Does Not Equal "Cost to Attack":

* Apples vs. Oranges: Comparing market cap (the total value of all coins) to attack cost is invalid. Market cap reflects speculative value based on future utility and scarcity. Attack cost is a technical and operational expenditure.

* You Don't "Steal" the Market Cap: Successfully executing a 51% attack does not grant the attacker control over the $2T in Bitcoin. At best, it allows double-spending their own coins or censoring some transactions temporarily. The vast majority of coins remain secured in wallets the attacker cannot access.

* Attack Destroys Value, Not Captures It: A successful attack would catastrophically undermine confidence in Bitcoin, causing its price (and thus market cap) to collapse rapidly. The attacker would destroy the very value they supposedly spent $4B to "access," making the attack economically irrational unless motivated by non-financial reasons (e.g., state-level sabotage).

3. Game Theory & Miner Incentives Are Ignored:

* Miners are Deeply Invested: Miners have billions invested in hardware, facilities, and operations. Their business model relies on Bitcoin having value. Deliberately attacking the network destroys their investment and future income. Honest mining is vastly more profitable long-term.

* Community Defense: The Bitcoin community would detect an attack in progress. Exchanges, businesses, and node operators would coordinate to reject the attacker's chain via a "hard fork," rendering the attack useless and isolating the attacker's resources. The attacker loses everything.

* Security Scales with Value: Bitcoin's security model is designed so that as the value (and thus reward for attacking) increases, the cost of attacking increases even more due to competition driving up hashrate and hardware costs. The $4B figure is a snapshot; a rising price attracts more miners, pushing attack costs higher.

4. Practical Realities Make It Near-Impossible:

* Hashrate Distribution: Bitcoin's hashrate is geographically distributed across thousands of entities and jurisdictions. Coordinating or coercing enough miners to collude for an attack is logistically and politically infeasible.

* Resource Mobilization: Amassing the physical resources (ASICs, power, data centers) secretly and quickly enough to launch a surprise attack without alerting the network is practically impossible at Bitcoin's scale.

* State Actor? Even if a powerful nation-state attempted this (ignoring cost), the detection risk is high, the economic fallout would be global, and the community fork defense would likely succeed, making it a costly failure.

Conclusion: The comparison between Bitcoin's market cap and a theoretical, misinterpreted attack cost fundamentally misunderstands Bitcoin's security model, economics, and game theory. The $4B figure drastical...

ChatGPT famously can't do math. A pocket calculator can give you the right answer here
Just for the energy: Current hash rate is around 995m TH/s[1]. The best off the shelf miner on the market is the S21 which can hash at ~200 TH/s [2]. Assuming all of the hash rate comprised of S21s without operational inefficiency, we would have ~4,975,000 S21s hashing on the network. They also use up about 16.67 J/TH , which is 3334 J for 200TH. This is what’s expended per second.

The average time to mine a block is 10 minutes so let’s convert our J spent per block for one miner : 33346010 ‎ = 2,000,400. With about 4m of these, that’s about 8 trillion joules per block. Now if we divide that by 3.6m to get kWh, we’re back around ~2m kWh per block. Texas is about 15 cents per kWh so we get about $300k spent per block.

To 51% attack, we’d need to spend a little bit more than that. With full competition, and an attempt to mine empty blocks, it would take about $48m to attack the network for a day (144 blocks). And that’s just back of the envelope math.

Realistically, not everyone has the latest and greatest in mining equipment and probably burn more money with less efficient miners.

And all this is on top of the capex required to acquire 4m S21s, which would be around $10B at around $3k a pop.

[1] https://ycharts.com/indicators/bitcoin_network_hash_rate

[2] https://hashrateindex.com/rigs/bitmain-antminer-s21+

This page's design is great and what I thought tufte-ian journalism would have led to. Using the presentation of quasi-mathematical facts in relatively grokkable formats to explain the state of the world in a way that can update itself several months or years later.

Specifically some of the political discussions lately feel like they could use better dashboards. The call to action at the end of this article with three main solutions called out now has some context in several dimensions (time, space, monetary).

The doge.gov website for instance would've been a prime candidate for that, like some sort of observablehq.com ability slice and dice a data dashboard. But then you also have to be able to trust the data I suppose.

Wow, its almost like deflationary currency isn't a good idea. Who would have thought? Certainly, uh, most economists.
This article has nothing to do with the inflationary or deflationary nature of the currency, this is a problem solely caused by the block size limit, which other cryptocurrencies are free from and don't worry about.
The whole point of restricting the block size was to ensure space in the blockchain was scarce to drive the price of fees up, better securing the network. Well, that and keeping the blockchain total size small enough to be processed on an regular user's PC for decentralization sake. While a loss of some decentralization is non-ideal, increasing the block size dynamically, similarly to how difficulty is handled, would be a reasonable compromise to ensure the security of the network long term.
Monero does dynamic block size. It works fine. There is a penalty for large swings in size and that controls the fee which allows the fee to be appropriate during swells and luls in volume.
Bitcoin: lets make it so a medium grade computer and internet connection by 2008’s midrange standards works. Forever.

Solana: let’s make it so that enthusiast grade computers and internet connectivity by 2024’s high range standard works. Sometimes. But keep pushing.

That wasn't the reason to restrict block size. There is no way to scale the number of transactions on the main layer to anywhere near the level required to cover daily transactions. The bitcoin main layer was always destined to be for settlements between financial institutions anyway. Making any accommodations for use cases that are fundamentally unsustainable never made sense. Buying coffee was always going to have to be on a second or third layer, so restricting the block size introduces an incentive to develop those layers that are needed anyway.
This big block propaganda piece fails to address the most obvious issue with their proposal: that increasing block sizes will just increase fees linearly. No one will pay more in fees per transaction because there will be a lot of space left in blocks, so people will keep paying $0.20 per transaction, which today gets us $400, so now we'll get $800? That if increasing the block size doesn't reduce the base $0.20 to some smaller average.

The actual solution to the security budget is to make a ton of payments in a (blindly) merge-mined sidechain and ensure those transactions there pay lower fees but those lower fees get aggregated into a single high-fee paid on Bitcoin. That is the Drivechain proposal: https://drivechain.xyz/.

Yes, but there will be far greater total demand for transactions because the costs will no longer be prohibitive to certain types of commerce (which has network effects).

Drivechain is an idiotic proposal to just give total control of the network to miners. Atomic swaps already enable the same thing, except without a wealth transfer to miners.

You have demonstrated you have no idea of what Drivechain is, you probably never spent the time to learn how it works, and yet you feel entitled to call it "idiotic".

I get it, it's fine to not want to learn things, but that comes with the burden of not being allowed to comment on it.

Apparently you have not carefully read my criticism of the big block proposal above. I've included some numbers. A proper response would have to address those. But thank you for trying.

I've said it before but really feels like a flaw that the halvings are discrete and happen suddenly every four years, instead of gradually each block. As far as I can tell the only advantage to it is that it makes the math simpler. The disadvantage is that it creates weird market dynamics in which large amounts of mining capacity are plunged into unprofitability in one instant. If I wanted to run a 51% attack, I'd look to buy up suddenly-unprofitable capacity immediately after a halving.
Lol total garbage people have been whining about the blocks regularly being EMPTY now, a huge % of transactions just occur off chain on exchanges/lightning/etc. There are no 100 dollar fees you can basically do everything for basically free. https://mempool.space/ look, you can see how many blocks aren't filled lol. This piece is literally just garbage. Big blockers are scam artists.
fair challenge to their proposed solution, but it doesn't negate the security premise does it? what do you think is a good alternative?
Nation states and large companies or individuals with significant stake in BTC running mining softwar thing seems obviously how it will inevitably end up. I don't really care what big blockers thing this isn't a "new thing" they've been running their mouths about this for a decade and every time they do something it ends up just being a way to push a scam where they control it and make money. Check the bcash/btc pair.

Profit driven mining companies are honestly kind of not a very good force and push for lots of weird scams to encourage mining like memecoins on BTC or "dog pictures", and also regularly mine just pump and dump alts (including the biggest BTC miners).

Mining should just be as distributed as possible and integrated into stranded power likely generating a small if any profit.

On the lightning network, fees are distributed to rent-seeking intermediaries instead of miners, yet the network is still dependent on the security from the miners. The lightning network is parasitic to bitcoin.

Blocks are empty because people decided that bitcoin was not a feasible means of transaction nearly a decade ago during the blocksize war.

The 100$ fee per transaction is what it would cost to sustain current miner revenue without mining reward (ie. mining revenue derived somewhat invisibly from money supply increase).

The piece is not garbage, but a thoughtful introduction to a problem that's approaching inexorably.

I think switching to something like proof of stake where bad actors can be punished is the best way forward to avoid honest nodes betraying the network.

Trying to maximize mining profit is adversarial with the end users and makes using bitcoin unattractive.

So the two questions that I cannot see answered there.

How much does the security budget need to be?

When is it projected to drop below that?

The closest they come to addressing that seems to be a quote saying "We might have only two halvings left before this becomes a serious issue."

So 8 years-ish?

The original intention was to fund the network entirely off fees eventually. I don't think there was a stated expectation of block size, but it was intended to be made larger at some point.

Before coming up with specific solutions to the cost of securing the network I would think that evaluating what the acceptable range of cost/security should be would be the first starting point.

I feel they also neglect a realistic evaluation of the likelihood of a 51% attack. As soon as someone interferes with the network by 51% attack, everybody knows that it has happened. What countermeasures might be deployed?

While a miner confirming a block is like a rubber stamp from an auditor, there is nothing to stop other people from checking their work. If there are shenanigans they can be spotted, if a genuine 51% attack were to happen people would be highly motivated to counter it. That may involve bringing more compute to the network, or even changing the protocol. Ultimately the network is decided by the consensus of the users. Accepting signed blocks is the consensus. Because of the scale required to do a 51% attack on BitCoin it would almost certainly be detectable who was doing it. Under an attack people would be prepared to swiftly agree to some rule to exclude the attacker, the alternative is just two severe. You could think of it as a fork or you could think of the attackers version as the fork. You could have anything from, 'Today we stop accepting blocks from that pool over there', to 'From now until this mess is resolved, Kate confirms all blocks with her private key, We trust Kate, she's nice' The mitigation could be prosaic or fantastic, it doesn't matter, the thing that people agree upon will be the new chain. A fallback proof of work algorithm that requires more generalised hardware would work well. In case of attack, switch back to GPUs and a lower hash rate on a newer algorithm. ASICs become redundant and the network redistributes to whoever is supplying the GPUs. Then to do a 51% attack the attacker must not only have enough to 51% the ASIC hash rate, but have in reserve more GPUs than the rest of the world can bring to bear at short notice to 51% the fallback method.

>How much does the security budget need to be?

I don't know but I expect it to be proportional to market cap, not getting cut in half forever.

>The original intention was to fund the network entirely off fees eventually.

I think this was a half-baked idea from satoshi. My theory is that the bitcoin distribution was chosen to avoid having to decide on any "arbitrary" emission schedule. Bitcoin basically acts an experiment to determine what level of coinbase reward is safe, through bisection.

>if a genuine 51% attack were to happen people would be highly motivated to counter it. That may involve bringing more compute to the network, or even changing the protocol.

Who? Just bitcoin users in general? There is no group that stands to gain, it's sort of a tragedy of the commons situation.

Bitcoin's security is tied to ASIC hardware. You can't just spin up a couple desktops at home to protect the network anymore.

>A fallback proof of work algorithm that requires more generalised hardware would work well.

I think monero already does this. Look up "RandomX" it is amazing to read about. But the problem is that these CPU-mined coins are even easier to attack because you can easily rent hardware or use a botnet to do a 51% attack. Whereas with bitcoin you need to buy a bunch of ASICs which would be devalued by such an attack.

>Ultimately the network is decided by the consensus of the users. Accepting signed blocks is the consensus.

I was going to write a long response to this, but in a nutshell classical consensus and PoS sucks.

> How much does the security budget need to be?

There's the famous paper "The Economic Limits of Bitcoin and the Blockchain" [0, 1] answering this question. Bottom line: huge.

> Nakamoto’s novel form of trust faces serious economic limits. It is unusually expensive in absolute terms relative to the stakes involved, and its expense scales linearly with the stakes involved. [...] if permissionless consensus in its pure form were to become a more important part of the global economic and financial system than it has been to date, then the costs of securing the trust would become preposterous — more than all of global GDP in some scenarios.

David Rosenthal has good introductory posts on this [2] in his excellent blog.

[0] Original 2018 version: https://www.nber.org/papers/w24717

[1] Updated 2024 version [pdf]: https://socialsciences.uchicago.edu/sites/default/files/2024...

[2] https://blog.dshr.org/2025/05/who-is-mining-bitcoin.html

https://blog.dshr.org/2018/06/cryptocurrencies-have-limits.h...

https://blog.dshr.org/2019/02/the-economics-of-bitcoin-trans...

https://blog.dshr.org/2024/05/fee-only-bitcoin.html

The big issue is the fork and fixing it represents a decision about who has and hasn't gotten paid so the fork is quite sticky for those who's transactions do not appear on the post attack branch to want to stick the the attacked branch. This was relatively easy when they did it in the early days of ETH after the DAO hack but AFAIK there's no on chain mechanism for a similar hard fork to happen to BTC. Even in ETH I'd be surprised if a similar response happened to a similar level of attack, voting power on EIPs was significantly more concentrated back in 2016.

Any way you slice it there's still a centralization of power of when to activate any of these defense mechanisms.

How much really has to be measured with respect to a motivated attacker. If no one wants to attack it, it could stay low for a long time. The ideal answer would be to keep the hash rate as high as possible for as long as possible. With the appreciation of the asset, people would think the risk of an attack is growing higher but an attacker can only do so much with 51%.

They can either double spend by reversing the chain (in which case they’d have to accumulate enough bitcoin for to make it worthwhile in the first place) or they can mine empty blocks and prevent any transactions from being processed.

I like that no one brings up the question that Bitcoin is not really decentralized. Most of the Core devs are paid by a company (iirc it was Blockstream but might've changed), and ultimately, the paycheck they receive dictates which direction the most used Bitcoin wallet should go, which dictates the direction of the project as a whole.

There were several attempts of merging important BIPs, which were rejected because some developers thought it wasn't in line with the direction their employer wanted.

the issue you are talking about just came up where core basically just did what mining companies want. The result was 14% of nodes now use bitcoin knots a fork of core that doesn't allow that. Core is just 1 github repo it only matters until it doesn't.
If you receive btc in a transaction, the question is, when you consider it to be settled. In other words, how much energy is enough for you to consider it infeasible for an attacker to rewrite recent blocks so that you no longer are the recipient of some btc.

One way to think about it is to relate the total fees to the value of your transaction. If fees in blocks with a block height above the block with your transaction total $10000 (the security budget) then an attacker might be willing to spend that amount on energy to rewrite the chain. Another way to think about it is to relate the security budget to all recent transactions, assuming the attacker is the counter party to all of them (worst case).

In either case, there is no obviously correct answer to how high the security budget has to be on a per-block basis. The question is how long you're willing to wait for the security budget to accumulate and cover your transaction. If the block subsidy decreases and fees don't rise to replace them, then settlement time increases. Don't hand out goods to a counter party if the value of your transaction hasn't at least been met by the security budget. No need to wait longer than the point at which the value of all transactions of the block which includes your transaction has been exceeded by the security budget. An attacker would be losing money at that point if they tried to scam you.