The hole in Bitcoin
4th November 2013 (updated 15-Nov-2013)
Over the past few weeks, our more observant readers may have noticed
increasing media coverage of Bitcoin, a
decentralised cryptocurrency designed (or should we say, "coined") by a clever
developer known pseudonymously as Satoshi Nakamoto (anagram solutions welcome).
We've yet to find an article which combines a grounding in the technology and
economic analysis that a layperson can grasp, so this is our attempt to explain
what all the fuss is about, and why you are probably looking at one big,
The domain bitcoin.org was registered on 18-Aug-2008. According to the
history on the
Bitcoin wiki, the original
Bitcoin paper was published on 31-Oct-2008. The first chunk of Bitcoins (the "genesis
block") was "mined" on 3-Jan-2009. The earliest
capture of the bitcoin.org web site in the internet archive is on
31-Jan-2009. It contains fluent English text written in the first person,
indicating this is likely the work of a single developer rather than a group,
and probably a native-English speaker.
Concept & method
The concept of Bitcoin is to create a digital currency not issued by any
Government, and with no central registrar to authorise its issuance or keep
track of transactions - both of those functions are distributed across a network
of computers. The key features are:
- Bitcoins are created, or "mined", by computers or nodes,
all competing to solve a mathematical problem based on a block
of data, with Bitcoins as a reward for the first node to find a solution.
This is known as a proof-of-work.
- When a node finds a solution to a block, this is broadcast to the other
nodes, which quickly verify the result and add the block to the
blockchain, which includes all previous blocks. Each of those nodes
then starts working on the next block, incorporating the result of the block just solved.
- Once coins enter circulation, transactions occur by the payer
sending coins to the payee using public key cryptography. The payer
digitally signs the coins with her private key, and encrypts the coins using
the payee's public key. The payee verifies the coins with the payer's public
key, and he can spend them using his own private key. This is the same
technology behind digitally signed and encrypted e-mails. Fractions of coins
can be sent and received in change.
- To prevent a holder spending the same coin twice, the transactions
are broadcast to all the nodes, and are incorporated into the next block
that a node works on, and hence the sequence in which a coin is passed
around becomes part of the blockchain. If a coin is spent twice by the same
person, the first transaction to enter the blockchain and survive prevails.
Each block consists of one special coinbase transaction to
create the coins for the winning miner, plus the bundle of reported transactions.
- Two (or more) nodes could
find solutions to a block at practically the same time, sending their result
out to other nodes and resulting in two or more competing blockchains (known
as a "fork" in the chain), but the nodes will always work on the longest
blockchain, so the one which gets extended first in the next round will get
broadcast to all the other networks, will prevail and the other one(s) will
be dropped. For that reason, it is wise to wait for a few blocks to be added
to the chain as "confirmations" before you can be very confident that a
transaction will remain valid.
- The difficulty of the proof-of-work problem is automatically adjusted
after every 2016 blocks to target a constant block solution rate of 1 block
per 10 minutes, based on the time it took to solve the previous set, so in
theory, the rate is adjusted every 2 weeks (20,160 minutes), although this
happens faster if processing power is added to the network during the period.
- The mining reward, which started at 50 Bitcoins or BTC
per block, is halved after every 210,000 blocks, corresponding to a 4-year
mining period. In fact, after a slow start, the first cut at block 210,000
was achieved a month early on 28-Nov-2012. So there were 10.5m BTC from the
first tranche, and there will never be more than 21m in total.
- Miners can get
transaction fees for the transactions recorded in the block they solve,
but these fees currently only account for a small proportion of the reward,
at about 0.07 BTC per block, or 0.28% of the total.
An attacker could try to alter the history, retrieving his spent Bitcoins by
altering the blockchain and paying the Bitcoins to himself. However, to do this,
he would need enough processing power to extend the blockchain faster than the
rest of the network and, in the case of older transactions, to catch up with the
growth of the blockchain. This is commonly known as a "51% attack", because if
you have over 50% of the power then you can certainly do this given enough time.
However, the attacker would still stand a chance of achieving dominance with a
smaller share of global processing power, if his machines solved the problems
faster than average. As the network grows, it becomes more expensive to achieve
this, unless he is able to somehow hijack other machines.
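The reason to wait for confirmations, and why even a minority miner has some chance of rewriting recent history, can be quantified. The following Python is an added example, not code from the original article: it implements the catch-up probability from the original Bitcoin paper (a Poisson race between the attacker and the honest chain) and derives how many confirmations a payee should wait for at a chosen risk level; `confirmations_needed` and `max_risk` are names of our own.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that a miner controlling a fraction q of the global hashing
    power, currently z blocks behind the honest chain, ever catches up.

    This is the calculation given in the original Bitcoin paper: while the
    honest chain adds z blocks, the attacker's progress is Poisson-distributed
    with mean z*q/p, and from a deficit of d blocks the chance of ever catching
    up is (q/p)**d (a gambler's-ruin result)."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction between 0 and 1")
    p = 1.0 - q
    if q >= p or z <= 0:
        return 1.0  # a majority ("51% attack") always wins given enough time
    lam = z * (q / p)
    total = 1.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total


def confirmations_needed(q: float, max_risk: float) -> int:
    """Smallest number of confirmations (blocks on top of the transaction)
    for which an attacker with share q has at most max_risk chance of
    reversing it. Helper of our own, not from the article."""
    z = 0
    while attacker_success_probability(q, z) > max_risk:
        z += 1
    return z


if __name__ == "__main__":
    for q in (0.10, 0.30, 0.45):
        print(f"attacker share {q:.0%}: wait {confirmations_needed(q, 0.001)} "
              f"confirmations for under 0.1% risk")
```

The number of confirmations climbs steeply as the attacker's share approaches one half, which is the practical meaning of "given enough time" in the 51% case.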
Addendum, 6-Nov-2013: when we said that
an attacker could achieve dominance with less than 50%, this was a reference to
Byzantine Generals' Problem, which says that a group of N separate generals,
who communicate by messages that may be corrupted by treacherous generals, can
only agree on when to attack the fort if the number of traitors T among them is
less than one third, that is, N > 3T+1. This problem was explained in a
1982 paper by Leslie Lamport, Robert Shostak and Marshall Pease.
The problem was actually mentioned on the
original Bitcoin site. Coincidentally, on the day this article was published, two professors
published an article noting, via a different approach, the same vulnerability, which can only be
mitigated by tweaks, not removed. Also, with reference to Robert
Shostak, who is now CEO of
Vocera Communications, we note that Satoshi Nakamoto is an anagram of "I am
onto a Shostak". Make of that what you will, if anything.
Addendum, 15-Nov-2013: Robert Shostak
kindly responded to a Webb-site query as follows: "The relationship of Bitcoin
to the original Byzantine problem is very cool. That paper, incidentally,
recently won the
Jean-Claude Laprie Award in dependable computing – unfortunately, Marshall
Pease, a colleague of mine at SRI who co-authored the paper and proved the hard
direction of the main result, passed away long before he received any
recognition for it... your anagram is brilliant, even if totally coincidental."
So the hunt for Satoshi Nakamoto continues.
What the mining machines are doing is performing a "hash"
calculation with a
block of transaction data (including the coinbase transaction) plus a chosen
number as the input. For a given block, the result of that calculation depends on
the chosen number, and the chosen number cannot be found from the result without
a "brute force" trial-and-error effort, rather like trying to guess the
combination number of a safe by trying repeatedly. Bitcoin uses
SHA-256, a "Secure Hash Algorithm" designed by our friends at the NSA, which produces a
256-bit result. In decimal, that is a range from zero up to about a 1 followed
by 77 zeroes. There are only about 10^80 atoms in the universe, to give you some
idea of how big that number is.
The "difficulty" in Bitcoin mining is set by requiring that the hash result
be below a certain "target" threshold in the range of possible results. The
lower the threshold, the lower the chance of any given input producing a hash
below that threshold, so the more hashes you have to try before you find an
input that works. Difficulty is expressed as the ratio of the maximum target to
the current target. In the early days, these were the same, so the
"difficulty" was 1. The maximum target has 32 leading zeroes in binary, and so
on average it required 2^32 or about 4.3 billion hashes to find a winning
solution. That was probably chosen based on the estimated hashing power of the
developer's single PC over 10 minutes.
The difficulty did not begin to increase until 30-Dec-2009, so it is fair to
assume that until the middle of December 2009, there was only one miner mining,
probably the founder. Up to that point, 1,612,800 Bitcoins had been mined. The
most recent adjustment to difficulty was on 26-Oct-2013, when the difficulty was set at
390,928,787.64. That, plus the fact that each block only earns coins at half the
original rate, means that it now takes about 782 million times more hashes to
produce a Bitcoin than it originally did.
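To make the target/difficulty relationship concrete, here is an added Python example (our own, not code from the article or from the Bitcoin software) that derives difficulty from a target, estimates the hashes a block needs, brute-forces a nonce for a constructed block against an easy target using Bitcoin's double SHA-256, and applies the 2016-block retargeting rule. The protocol constants are Bitcoin's; the function names, the sample block data and the toy target are ours.

```python
import hashlib
import struct

# Bitcoin's maximum target (difficulty 1). Written out in binary it starts with
# 32 zero bits, so on average 2^32 hashes are needed to land below it.
MAX_TARGET = 0xFFFF << 208
HASHES_AT_DIFFICULTY_1 = 2 ** 32
RETARGET_BLOCKS = 2016
TARGET_BLOCK_SECONDS = 600  # 1 block per 10 minutes

def double_sha256(data: bytes) -> bytes:
    """Bitcoin's proof-of-work hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def difficulty_from_target(target: int) -> float:
    """Difficulty is the ratio of the maximum target to the current target."""
    return MAX_TARGET / target

def expected_hashes_per_block(difficulty: float) -> float:
    """Average number of hash attempts needed to solve one block."""
    return difficulty * HASHES_AT_DIFFICULTY_1

def hashes_per_bitcoin(difficulty: float, reward_btc: float) -> float:
    """Average work behind a single coin: block work divided by block reward."""
    return expected_hashes_per_block(difficulty) / reward_btc

def header_hash(block_data: bytes, nonce: int) -> int:
    """Hash of the block data with a 4-byte little-endian nonce appended,
    read as a 256-bit little-endian integer, as Bitcoin does for comparison."""
    digest = double_sha256(block_data + struct.pack("<I", nonce))
    return int.from_bytes(digest, "little")

def meets_target(block_data: bytes, nonce: int, target: int) -> bool:
    """Verification is cheap: one hash and one comparison."""
    return header_hash(block_data, nonce) < target

def mine(block_data: bytes, target: int, max_nonce: int = 2 ** 32):
    """Brute-force search for a nonce that satisfies the target (the safe
    combination guessing the article describes). Returns None on exhaustion."""
    for nonce in range(max_nonce):
        if meets_target(block_data, nonce, target):
            return nonce
    return None

def retarget(old_difficulty: float, actual_seconds: float) -> float:
    """Adjustment after each 2016-block period: scale by the ratio of the
    intended two weeks to the time the period actually took. Bitcoin clamps
    each change to a factor of 4 either way."""
    intended = RETARGET_BLOCKS * TARGET_BLOCK_SECONDS
    ratio = max(0.25, min(4.0, intended / actual_seconds))
    return old_difficulty * ratio

# Constructed sample block data and an artificially easy target (about 2^12
# hashes on average) so the search finishes instantly.
SAMPLE_BLOCK = b"constructed block data: coinbase + transactions"
EASY_TARGET = 1 << 244
```

Feeding the article's figures in (difficulty 390,928,787.64 at a 25 BTC reward against difficulty 1 at 50 BTC) reproduces its "about 782 million times more hashes per Bitcoin".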
The arms race
Originally, miners were using the CPUs in normal PCs, but it wasn't long
before they were overtaken by
Graphics Processing Units running the same algorithms much faster. Then they
moved on to
Field Programmable Gate Arrays, which can be configured to run the
algorithm, and recently, these are being overtaken by
Application Specific Integrated Circuits which are hardwired in the foundry
to carry out the algorithm, and so are even faster. Such is the state of this
crypto-arms race that firms are taking pre-orders of products they cannot yet
ship. Brands include Avalon,
Virtual Mining Corp.
The key point to note on this is that the more machines are plugged into the
network, the greater the competition to win the next block, and therefore the
higher the difficulty must be set, and the more hashes it will take (on average)
to discover a solution to each block. At a given level of technology, each hash
will take a certain amount of energy to calculate, and as the technology
improves, the difficulty will also be raised to ensure that steady output of 1
block every 10 minutes. There is a virtual gold rush going on for people to plug
in mining machines and grab a diminishing share of the return.
To spread their risk, rather like groups of people entering a lottery by
sharing tickets, there are
mining pools, where
miners share the reward if one of them comes up with a solution to the next block.
Rationally, however much money you have spent on your mining equipment, you
are not going to run it if your energy cost is greater than the market value of
Bitcoins you expect to produce. Some people are getting "free" electricity from
their parents' home, their college dorms or their office, and therefore can run
obsolete mining machines without caring about the energy consumption, but they
probably only have a small share of the overall hashing capacity. Currently the
global capacity is about 4 petahashes per second (4 x 10^15), and it has been
growing exponentially as new machines come online.
At 6 blocks, or 150 Bitcoins, per hour, with a current exchange value of
about US$220 per Bitcoin, the hourly supply is worth about US$33,000. If the
mining market is rational, people will keep adding capacity until the energy
cost is that much. Some will continue beyond the point when their machines are
uneconomic, because they haven't seen the size of their bill yet, or because
they are gambling on winning the block lottery for the next 25 Bitcoins
(currently worth about US$5500), even though they have a negative expected
return. That's the nature of lottery tickets.
If energy in the cheapest parts of the world (particularly the USA) is
about $0.12 per kWh, then a breakeven mining market would imply a power load of
about 275MW. That's enough to power about 214,000
average US households, or about two-thirds of households in
San Francisco City & County. The annual energy use would be 2.409 billion
kWh, equivalent to about 0.06% of US electricity consumption. That compares with
about 1.5%-2% for data centres, so it is equivalent to about 3-4% of data centre consumption.
Of course, if you live in a cold climate and were going to heat your home
anyway this winter, then at least for the next few months you could substitute
the heating by running Bitcoin mining machines, if you can tolerate the noise.
If (or rather, when) the value of Bitcoins collapses, miners will have to
switch off their machines and there will be a lot of redundant hardware around,
custom built with ASICs to do only one thing. At least those with GPUs can do
something more useful to society, like
running the SETI app
to keep you warm at night.
You can't lose digital Bitcoins down the back of your sofa or drop them
through a hole in your pocket, but if you lose your private keys, or forget the
password to access them, then you've achieved the same thing. The holder will be
unable to spend or transfer them. So people who rely on their hard drives or
their memory and don't have backups will gradually take some Bitcoins out of
circulation forever. Similarly, people who die with Bitcoins in their digital
wallet without divulging the password will also lose them. For that reason, if
Bitcoin survives, then the number of outstanding BTC will not reach 21 million,
but will start to decline when at some point they are being lost faster than
they are mined.
If Bitcoin survives, then virtual banks could be established which would
borrow your Bitcoins as "deposits", and lend them, at risk, to other people or
businesses, increasing the velocity of circulation of Bitcoins and broadening
the amount of economic activity that can be handled without necessarily
inflating the value of BTC. In the
quantity theory of money, the amount of money (M) multiplied by the number
of times it changes hands in a period (the velocity, V) is equal to the value of
all transactions T at their price P, that is MV=PT. So increasing V allows more
T. Indeed, one simulation of a BTC bank is already online at
For BTC banks to work, depositors (lenders) would have to transfer BTC to the
bank with no guarantee that they would get it back. BTC banks could credit
interest on deposits and charge it on loans, keeping a spread to cover loan
losses and profits. BTC banks could make bad loans, and BTC banks could go bust
- particularly if there is no oversight, no capital adequacy regime.
Banks could self-regulate and promise to keep a certain proportion of
Bitcoins on hand to cope with withdrawals, having their accounts audited
regularly and stacking up the virtual cash in their virtual window by displaying
an amount of BTC that bears their digital signature to deter bank runs. In the
real world, this is known as a "reserve" and the system is called fractional
reserve banking, as a fraction of all deposits is kept in reserve rather
than lent out.
We doubt that the world's governments would allow Bitcoin banks to evolve
without bringing them under supervision to try to protect depositors, and they
would develop the same regulatory overhead costs as existing banks. If Bitcoin
survived, existing banks would also get in on the act, as they have
well-established infrastructures for assessing credit and making loans, which
start-up BTC banks would lack.
But, given a fixed supply of Bitcoins, and a given reserve ratio, there is
still a limit on the amount of Bitcoins plus deposits that can be created - for
example, at a 5% reserve ratio, the deposit base could not exceed 420m BTC, 20
times the maximum number of Bitcoins. And that brings us on to...
The hole in Bitcoin
We love the science behind Bitcoin (your editor is a mathematician and
programmer of the 1980s era, so it brings out his inner geek), but here is the
biggest flaw: the economics of it. For Bitcoin to succeed, it has to become a
transaction currency, widely-accepted by the real world for goods and services.
With a cap of 21 million Bitcoins, the accepted wisdom driving prices is that
spreading the limited supply of Bitcoins over all these real-world transactions,
even with fractional reserve banking, would necessitate a high valuation per Bitcoin.
Unfortunately, most of the people getting into Bitcoin, either with
cash, goods and services or by buying and running mining rigs, are just hoarding
the Bitcoins, either expecting the price to go up because they believe in this
transactional utility, or expecting the price to go up because other people will
- people like the
Winklevoss twins, who proposed setting up an ETF to hoard Bitcoins (SEC
filing), rather like the
SPDR Gold Trust.
The flaw then is that most Bitcoin owners are hoarding something which they
expect to become a widely-used transaction currency, and if everyone holds on to
their Bitcoins, then it won't become a transaction currency. Eventually, enough
participants will look around the room, see that nobody is spending anything,
and head for the exit, seeking to cash out. This will crash the price of BTC,
and destroy any confidence in it as a transactional currency, taking it to zero
- worthless bits on a disk. At least with Gold you can turn it into jewellery or
use it in electrical contacts, and it is shiny. Don't ask us to predict the
timing of this; avalanches cannot be predicted, but right now, the entire stock
of Bitcoins is valued at about US$2.6bn - that's an awful lot of snow on the mountain.
Very few vendors are accepting Bitcoins for real goods or services, other
than as promotional gimmicks. Those who sell mining rigs for BTC are converting
the cash it cost to build the rigs into Bitcoins. Those who run the mining rigs
are converting the cost of energy into Bitcoins. A certain amount of real cash
is exchanged for Bitcoins outside of traditional payment networks, by people
meeting offline (see
LocalBitcoins.com for example), sucking people into the scheme, but
that could be brought to a near-halt if governments start applying existing
legislation governing money-changing to individuals who are doing this as a business.
In the US, the Treasury's Financial Crimes Enforcement Network (FinCEN) issued a
Guidance Note on 18-Mar-2013 warning that exchange services such as
MtGox, a Japan-based firm
which was accepting real money in the US, are Money Services Businesses. This
was followed in May by the
seizure of US$5m of balances held by a subsidiary of MtGox in the US banking
system. MtGox, you should note, claims to be "the world's largest Bitcoin
exchange!" so goodness knows what the others are like.
There are so many well-established and potential future ways to pay for
things online. Paypal lets you
send money to pals without charge, although they charge fees to merchants.
Outfits like Amazon, Apple, Google and Microsoft all have the capacity to set up
payment networks between users, denominated in real-world currencies such as the
US dollar, and linked to bank accounts. Google has done this for the USA with
Transaction fees - the second hole
Even if we are wrong and Bitcoin becomes a widely-accepted transaction
currency, the second flaw in Bitcoin is this: when the rate of coin production
is reduced towards zero, the only economic incentive the nodes will have to
convert electricity into blocks (and heat and noise) is the transaction fees. So
far, these are very low, but if the people who control the Bitcoin software
don't increase the fees to a commercial level then the number of machines
running the algorithm will plunge for lack of reward, and it will become much
less expensive to take control of the network by holding more than 50% of the
hashing power. However, if fees become a significant part of transaction values,
then a lot of users (not seeking illegal goods and services) will wonder why
they don't just use traditional payment networks denominated in real currencies.
So there's the conundrum: charge too little, and someone will put in enough
capital to take over the network and turn it, in effect, into just another
MasterCard, Paypal or Visa. Charge too much, and people will use other payment networks.
This problem is inherent in Bitcoin's design to use a proof-of-work
distributed system rather than a central registrar. The system depends on the
proof being expensive enough, and hence the fees being high enough, that nobody
will find it worthwhile to take control.
Miners are currently generating about US$33k per hour in value of new
Bitcoins; that's US$289m per year. Is the world willing to pay that much per
year, or more, to settle Bitcoin transactions?
© Webb-site.com, 2013