The Doomsday Economics of ‘Proof-of-Work’ in Cryptocurrencies

Yves here. An important post, in that it describes fundamental limits of cryptocurrencies, namely, the high cost of transaction verification, which is destined to reduce their liquidity.

By Raphael Auer, Principal Economist, Bank for International Settlements. Originally published at VoxEU

Bitcoin and related cryptocurrencies are exchanged via simple technical protocols for communication between participants, as well as a publicly shared ledger of transactions known as a blockchain. This column discusses research on how cryptocurrencies verify that payments are final, that is, that they are irreversible once written into the blockchain. It points to the high costs of achieving such finality via ‘proof-of-work’ and to a crucial externality in the transaction market, and argues that with the current technology, the liquidity of cryptocurrencies is set to shrink dramatically in the years to come.

Much of the allure surrounding Bitcoin and related cryptocurrencies stems from the facts that no government is needed to issue them, and they can be held and traded without a bank account. Instead, they are exchanged via simple technical protocols for communication between participants, as well as a publicly shared ledger of transactions (a blockchain) that is updated by a decentralised network of ‘miners’ via costly computations (i.e. ‘proof-of-work’) (see Figure 1).

What is the economic potential of this new means of exchange? In this column, I analyse the underlying economics of how Bitcoin achieves payment finality – i.e. how it seeks to make a payment unalterable once included in the blockchain, so that it can be considered as irrevocable. I then discuss the future of this type of cryptocurrency in general.

The key innovation of Nakamoto (2008) is to balance the cost and reward for updating the blockchain by creating incentives to ensure that updates are correct. The updating process deters forgeries by imposing a cost on updating the blockchain. At the same time, accurate updating of the blockchain confers a reward on the so-called miners who do the updating. Miners, or their computers, effectively compete to solve a mathematical problem. Presenting a solution proves that they have done a certain amount of computational work. Such ‘proof-of-work’ allows a miner to add a block of newly processed transactions to the blockchain, collecting fees from the subject transactions as well as ‘block rewards’ – newly minted bitcoins that increase the outstanding supply.

Figure 1 Cryptographically chained, valid blocks of transactions form Bitcoin’s blockchain


Notes: The publicly available ledger is updated in bunches of transactions, and each update is termed a ‘block’. Blocks, in turn, are chained to each other sequentially, thus forming a ‘blockchain’. The blockchain is updated much like adding individual pages with new transactions to a ledger, with page numbers determining the order of the individual pages. Each block is a small file that includes a number of payment transactions, stating the amount, the payer and the payee, and also the transaction fee. The original Bitcoin protocol restricts each block to a maximum file size of 1 MB, which in practice implies that around 2,000 transactions can be included in each block. Only transactions including the valid digital signature associated with the transferred funds are accepted into a block. A new block is added to the blockchain only about once every ten minutes. Adding a block to the existing blockchain requires a valid proof-of-work (also called a ‘nonce’), which involves a hash function that takes a random text input and produces from this an output according to set rules. The key property of the SHA256 hash function used in the Bitcoin protocol is that the output is unpredictable – to get a desired result, the only solution is thus to try many starting values randomly, which creates a computing cost. Cryptographic chaining of blocks is achieved by including summary information from the previous block in the proof-of-work of the current block.
Source: Auer (2019).
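
The chaining described in the notes above, as an added example that is not part of the original column or of Auer (2019): a toy verifier shows that editing a recorded payment invalidates its block, and that redoing the work for that block alone still leaves the next block pointing at the old hash. The 12-bit difficulty, the JSON block layout and the sample payments are constructed assumptions, not Bitcoin's actual block format.

```python
import copy
import hashlib
import json

DIFFICULTY_BITS = 12        # constructed toy difficulty, far below Bitcoin's
GENESIS_PREV = "0" * 64     # placeholder "previous hash" for the first block


def block_hash(prev_hash, txs, nonce):
    """SHA-256 over the previous block's hash, this block's payments and the nonce."""
    data = json.dumps([prev_hash, txs, nonce], sort_keys=True).encode()
    return hashlib.sha256(data).hexdigest()


def meets_target(digest):
    """Valid proof-of-work: the hash, read as an integer, falls below the target."""
    return int(digest, 16) < (1 << (256 - DIFFICULTY_BITS))


def mine(prev_hash, txs):
    """Try nonces in turn until the block hash meets the target."""
    nonce = 0
    while not meets_target(block_hash(prev_hash, txs, nonce)):
        nonce += 1
    return {"prev": prev_hash, "txs": txs, "nonce": nonce,
            "hash": block_hash(prev_hash, txs, nonce)}


def build_chain(batches):
    chain, prev = [], GENESIS_PREV
    for txs in batches:
        chain.append(mine(prev, txs))
        prev = chain[-1]["hash"]
    return chain


def first_invalid(chain):
    """Verifier's view: index of the first block that fails, or None if all pass."""
    prev = GENESIS_PREV
    for i, b in enumerate(chain):
        digest = block_hash(b["prev"], b["txs"], b["nonce"])
        if b["prev"] != prev or b["hash"] != digest or not meets_target(digest):
            return i
        prev = b["hash"]
    return None


# Constructed sample payments (amounts and fees in arbitrary integer units).
SAMPLE_BATCHES = [
    [{"payer": "alice", "payee": "bob", "amount": 5, "fee": 1}],
    [{"payer": "bob", "payee": "carol", "amount": 3, "fee": 1}],
    [{"payer": "carol", "payee": "dave", "amount": 2, "fee": 1}],
    [{"payer": "dave", "payee": "erin", "amount": 1, "fee": 1}],
]


def demo():
    chain = build_chain(SAMPLE_BATCHES)
    intact = first_invalid(chain)                 # every block verifies

    edited = copy.deepcopy(chain)
    edited[1]["txs"][0]["amount"] = 300           # alter a recorded payment
    after_edit = first_invalid(edited)            # stored hash no longer matches

    # Redoing the work for block 1 alone is not enough: block 2 still
    # commits to the old hash of block 1, so the failure moves one block on.
    edited[1] = mine(edited[1]["prev"], edited[1]["txs"])
    after_rework = first_invalid(edited)
    return intact, after_edit, after_rework


if __name__ == "__main__":
    print(demo())
```

Every block after the edited one has to be redone in turn, which is why each additional confirmation raises the work needed to change an earlier payment.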

The costs and rewards of Nakamoto’s updating process are the focus of my discussion (see also Auer 2019). Two questions are raised. First, how efficient is the fundamental architecture of deterring forgeries via costly proof-of-work? And second, can the market for transactions actually generate rewards that are valuable enough to ensure that payment finality is really achieved?

Analysing these two elements uncovers fundamental economic limitations that cloud the future of cryptocurrencies based on proof-of-work. In sum, with the current technology, it is not even clear whether such cryptocurrencies can keep functioning as they do at the time of writing. This statement is unrelated to well-known restrictions on the scale of such payment systems or the volatility of cryptocurrencies. Rather, it concerns the fundamentals of Nakamoto’s updating process, which has two limitations that interact in a fateful manner.

The first limitation is that proof-of-work axiomatically requires high transaction costs to ensure payment finality. Counterfeiters can attack bitcoin via a ‘double-spending’ strategy: spending in one block and later undoing this by releasing a forged blockchain in which the transactions are erased. I analyse the concept of ‘economic payment finality’ in a blockchain. That is, a payment can be considered final only once it is unprofitable for any potential adversary to undo it with a double-spending attack. If the incentives of potential attackers are analysed, it is clear that the cost of economic payment finality is extreme (see also Budish 2018 on this issue). For example, for finality within six blocks (roughly one hour), back of the envelope calculations suggest that mining income must amount to 8.3% of the transaction volume – a multiple of transaction fees in today’s mainstream payment services.

The underlying intuition is simple: double-spending is very profitable. In fact, attackers stand to gain a much higher bitcoin income than does an honest miner. While honest miners simply collect block rewards and transaction fees, counterfeiters collect not only any block rewards and transaction fees in the forged chain, but also the amount that was double-spent (i.e. the value of the voided transactions). This ‘attacker advantage’ ultimately translates into a very high required ratio for miners’ income as compared with the transaction volume (the amount that can be double-spent).

The second fundamental economic limitation is that the system cannot generate transaction fees in line with the goal of guaranteeing payment security. Either the system works below capacity and users’ incentives to set transaction fees are very low, or the system becomes congested. Underlying this is a key externality: the proof-of-work, and hence the level of security, is determined at the level of the block one’s transaction is included in, with protection also being provided by the proofs-of-work for subsequent blocks. In contrast, the fee is set by each user privately, hence creating a classical free-rider problem, amounting to a veritable ‘tragedy of the common chain’. While each user would benefit from high transaction fee income for the miner, the incentives to contribute with one’s own fee are low.

My key takeaway concerns the interaction of these two limitations: proof-of-work can only achieve payment security if mining income is high, but the transaction market does not generate an adequate level of income. As a result, liquidity is set to deteriorate substantially in years to come.

The backdrop is that the bulk of miners’ current income consists of block rewards (Figure 2, left-hand side). But block rewards are being phased out (e.g. in Bitcoin and many of the clones that have ‘forked’ from it, the next time block rewards will halve is in 2020). Whenever block rewards decrease, the security of payments decreases and transaction fees become more important to guarantee the finality of payments. However, the economic design of the transaction market fails to generate high enough fees. A simple model suggests that ultimately, it could take nearly a year, or 50,000 blocks, before a payment could be considered ‘final’ (Figure 2, right-hand side).

Given these considerations, I conclude with a discussion of how technological progress is set to affect the efficiency of Bitcoin and related cryptocurrencies. So-called second-layer solutions such as the Lightning Network that mount further layers of exchange on the blockchain can improve the economics of payment security. However, while they are seeing some adoption (Figure 3, left-hand side), they are no magic bullets, as they face their own scaling issues.

Figure 2 Block rewards have made up the bulk of mining income


Notes: All bitcoins in existence have been issued via ‘block rewards’. Every new block added to the blockchain increases the total supply, with the newly created bitcoins being credited to the miner who adds the block. Block rewards were set to 50 bitcoins per block initially and are halving every 210,000 blocks (see left-hand panel), a formula ensuring that the total supply of bitcoins will be 21,000,000. Miners’ income is made up of block rewards and transaction fees (also see left-hand panel). The lines displayed in the right-hand panel show the implied waiting time (number of block confirmations before merchants can safely assume that a payment is irreversible) required to make an economic attack unprofitable: the attacker rents mining equipment on a short-term basis and executes a change-of-history attack. Calculations of the implied waiting times are based on equation (7) in Auer (2019) and assume transaction fees of 0.18 bitcoin per block, which corresponds to average transaction fees during the period 30 Apr 2018–31 Oct 2018. Dashed pattern indicates predicted values.
Source: Auer (2019).
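
The reward schedule in the notes above, worked through as an added example that is not from the original column or from Auer (2019): it computes the reward per era, the resulting total supply, and the share of mining income that fees would supply under the figure's 0.18 bitcoin per block assumption. It assumes amounts are tracked in integer units of 1e-8 bitcoin and halved with integer truncation, a protocol detail not stated on this page, and it does not reproduce equation (7).

```python
HALVING_INTERVAL = 210_000     # blocks per reward era (figure notes)
INITIAL_SUBSIDY = 50 * 10**8   # 50 bitcoins, in assumed integer units of 1e-8 bitcoin
ASSUMED_FEES = 18_000_000      # 0.18 bitcoin per block, the figure's fee assumption


def subsidy(height):
    """Block reward at a block height: halved once per era, fractions truncated."""
    return INITIAL_SUBSIDY >> (height // HALVING_INTERVAL)


def eras_with_subsidy():
    """Number of eras that still pay a non-zero block reward."""
    era = 0
    while subsidy(era * HALVING_INTERVAL) > 0:
        era += 1
    return era


def total_supply():
    """Sum of all block rewards ever issued, in units of 1e-8 bitcoin."""
    return sum(subsidy(era * HALVING_INTERVAL) * HALVING_INTERVAL
               for era in range(eras_with_subsidy()))


def fee_share(era, fees=ASSUMED_FEES):
    """Fraction of a block's mining income that comes from fees in a given era."""
    return fees / (fees + subsidy(era * HALVING_INTERVAL))


if __name__ == "__main__":
    print("eras with a reward:", eras_with_subsidy())
    print("total supply (bitcoin):", total_supply() / 10**8)
    for era in (0, 1, 2, 3, 6, 10, eras_with_subsidy()):
        reward = subsidy(era * HALVING_INTERVAL) / 10**8
        print(f"era {era:2d}: reward {reward:.8f}, fee share {fee_share(era):.1%}")
```

With fees held at the assumed level, mining income per block falls towards 0.18 bitcoin as the reward halves, and truncation leaves the total issued just under 21,000,000.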

Figure 3 Looking ahead: Can new technologies counter the deterioration of Bitcoin liquidity?


Notes: The left-hand panel shows the volume of bitcoins that have been committed to the Lightning Network (mainnet) as well as the number of active nodes. The right-hand panel shows the impact on the required waiting times (number of block confirmations before merchants can safely assume that a payment is irreversible) in the case that social coordination is used to undo a double-spending attack. Calculations are based on equation (7) in Auer (2019), assuming that block rewards are zero. The horizontal axis denotes the probability that the network of bitcoin users will coordinate and undo any double-spending attack. The vertical axis shows the resultant required waiting times for various levels of transaction fees.
Source: Auer (2019).

In order to prevent liquidity from ebbing away, Bitcoin and other cryptocurrencies would need to depart from using proof-of-work – a system that is not sustainable without block rewards – and embrace other methods for achieving consensus on blockchain updates. Among many proposed developments, the most prominent is ‘proof-of-stake’ – a system in which coordination on blockchain updates is enforced by ensuring that transaction verifiers pledge their coin holdings as guarantees that their payment confirmations are accurate. Yet, because such a system lacks the solid grounding offered by proof-of-work (which proves actual offline activity), its success may rest on additional overarching coordination mechanisms (i.e. some degree of implicit or explicit coordination by an institution).

Judging based on the current technology, the overall conclusion is that in the digital age too, good money is likely to remain a social rather than a purely technological construct (e.g. Carstens 2018, Borio 2018). That cryptocurrencies might in future profit from social coordination or institutions is also highlighted by the very same algebra that shows the doomsday economics of pure proof-of-work. The point is that their payment efficiency could be greatly improved by introducing an institutional underpinning to undo double-spending attacks should they occur (see Figure 3, right-hand side). In this light, one key question for future research is whether and how technology-supported distributed exchange could complement the existing monetary and financial infrastructure.

Editors’ note: This column is taken from the VoxEU eBook “The Economics of Fintech and Digital Currencies”, available to download here. The views expressed here are those of the author and should not be attributed to the Bank for International Settlements.

See original post for references



  1. GramSci

    I’m glad the moderator censored my first, bleary-eyed comment on this post. On re-reading, the post still misses the worst aspects of proof-of-work: the concentration of power it confers on deep-pocketed miners who can build and deploy custom ASICs to win the race to control Bitcoin-like currencies (while destroying the planet with insane demands for electricity).

    However, on re-read I can’t presume that Auer describes fundamental limits of cryptocurrencies, namely, the high cost of transaction verification, which is destined to reduce their liquidity. Only proof-of-work currencies like Bitcoin suffer from this (additional) downside.

    What I find more significant in the post is that the BIS appears to be signaling approval of proof-of-stake cryptocurrencies. I think that Auer is recognizing and approving these cryptocurrencies because they can and likely will evolve to behave like the institutions we have all come to know and love, like the BIS.

    And Panama, and the Caymans. And Delaware. My question is why should blockchain currencies be crypto? So we, the people, can’t know who has stolen what and stashed it where?

  2. Joe Well

    I was curious how Ethereum dealt with this and it seems to illustrate both the problem and a solution. Also I’m wondering why the author didn’t mention Ethereum explicitly.

    E started out using proof of work and then forked the blockchain to make a new one that uses proof of stake. The original continued as “Ethereum Classic.”

    At the beginning of January, E Classic experienced a “51% attack” which seems to be exactly the risk the author described. The attack was supposedly easily thwarted on the newer Ethereum.

    So if I understand this correctly, and I am not versed in this at all, Bitcoin is doomed because any reform would require a fork which is unlikely to succeed, because BTC already forked into the famous BTC and Bitcoin Cash, which is worth a lot less. My outsider impression is that BTC gets much of its value from its pedigree and fame and so any fork would be perceived as New Coke.

    As an aside, Bitcoin is already useless for transactions so speculation provides it its only value. It is an ecological disaster so the faster it is destroyed the better.

  3. prodigalson

    In good news, if you haven’t yet lost money on crypto there’s still time! You can still lose money on crypto today! Not to brag, but if you’d like to lose money on crypto…I’m something of an expert. #humble So if you need help losing money on crypto, let me know. #notafinancialadvisor

  4. Wukchumni

    I’m pleased to announce the launch of bitchin’coin, dude.

    The valuation goes up and down depending on wave sets and board meetings.

    I guess I’m amazed that cryptocurrencies still have value, bitcoin was $20 a few years back and now is around $3500. It’d be as if a $20 FRN was worth 175x as much as face value 5 years later, why?

  5. milesc

    This paper was published by the BIS in January, but I’m glad it has come up again because it’s actually a good read.

    I do have some criticisms, however. In no particular order:

    – the paper does not introduce anything that has not been raised and discussed on open public forums before, which makes me think the author did not engage with anyone, or request any sort of peer review, when writing the paper
    – there are some odd assumptions to support certain scenarios (for example, that transaction fees are a % of transaction value)
    – the paper suggests people will be caught out by sudden drops in hash rate (with substantially longer confirmation times) due to reward halvings; historically this has not been the case and the block reward will slowly reduce to zero over a period of more than 100 years
    – it assumes no increase in the number of transactions per block (reminder: Bitcoin is constantly evolving and this particular metric has changed relatively recently)
    – it describes attacks on Bitcoin as “inherently profitable” but does not describe how, why or when, and there’s no explanation as to why such attacks have not already occurred
    – it favours modified proof of stake as an alternative to proof of work, which is inexcusable, with “additional overarching coordination mechanisms (i.e. some degree of implicit or explicit coordination by an institution)” — but of course! This ties in with the paper’s all too obvious conclusion: “[fixing Bitcoin] would probably require some form of social coordination or institutionalisation”, where the focus “[shifts away] from the issue of whether the technology can replace traditional sovereign money and financial institutions” (would anyone expect the BIS to conclude differently?)

    I am reminded of BIS Chief Carstens’s comments last year: “So my message to young people would be: stop trying to create money. Young people should use their many talents and skills for innovation, not reinventing money.”

    But again, I encourage everyone to read the paper. The author is clearly very interested in the technology and it’s great that the BIS is exploring it in depth.

  6. eg

    These things aren’t currencies, they are commodities.

    The ongoing public confusion between what constitutes a currency and what does not is an embarrassment.

    1. Wukchumni

      I had a candy bar the other day, and for whatever reason, written on the label in flashy text it proclaimed: “limited edition”, and as things played out, it was.

    2. Susan the Other

      I think that is correct. And questionable commodities at that. One trader commented a while back that he just didn’t understand the value of “manufactured scarcity.” So there’s that too. Smoke and mirrors. No wonder the crypto system is having trouble proving transactions. That’s almost funny. Poetic justice.

    3. Yves Smith Post author

      Yes, I agree, and I should have said something like that in the intro. The IRS treats cryptocurrencies as property, not money, so every transaction is subject to capital gains treatment.

      1. milesc

        Yes, it’s ugly (in the US at least).

        Representations have been made for a de minimis exemption to apply (e.g. by the AICPA, and in a bill introduced in the House of Representatives in December), but no sign of any imminent change.

    4. rd

      Still puzzling over what happens to the crypto-funds when the key codes are lost or unknown. Banks and storage units will open up safety deposit boxes and storage units and auction them if the rent isn’t paid and the box/unit isn’t cleaned out. Governments have unclaimed funds units where you can look for something if you suddenly remember you had that account. But there seem to be a lot of stories out there of people who have crypto-funds and can’t find their key code…..or they die and nobody knows what/where the key code is, or even if they had something to begin with.

      1. milesc

        Bitcoins have spending conditions attached to them (usually that the transaction purporting to spend the funds must be signed by one or more particular private keys). If no one can satisfy those spending conditions, the bitcoins sit there, unspent, forever. You can see them in the public ledger, allocated to whatever public address. It must be incredibly frustrating for anyone who loses access to their money in this way.

        People estimate that ~4 million bitcoins have been irretrievably “lost”. And sometimes people do it on purpose! Consider this “proof of burn” address: 1CounterpartyXXXXXXXXXXXXXXXUWLpVr. In this case, people funded the Counterparty project, and acquired tokens, by “burning” BTC (sending BTC to an address _not derived from a private key_ i.e. effectively attaching spending conditions to those funds that could never be met, because the odds of finding the relevant private key are for all intents and purposes zero).

        On the plus side, each “lost” bitcoin could effectively increase, ever so slightly, the value of all remaining bitcoins.

  7. Matthew G. Saroff

    I have a modest proposal, in the tradition of Jonathan Swift:


    It is a crypto currency based on pre-decimalization British currency.

    I thought about it, and decided that if this were to be done, it would have to be limited to currencies widely used in the UK in the 20th century, though having the Groat (4 d) would be epic, and that it would have a minimum denomination, which would self-limit speculative price increases, because at some point you could not use it for purchases if it got too expensive.

    Additionally, all transactions would have to be entered in £ s d format, so 5.898958333 BitQuid must be represented as £5 17s 11-3/4 d (“Five pounds seventeen and 11 three farthing”).

    It’s a way to “Make British Currency Great Again”.

    In order to make this work, I need to:

    * Prevent transactions of less than a farthing.
    * Require all transactions be entered in a non-decimal format.
    * Come up with a way of pegging it to a dollar value of $2.50.

    1. Wukchumni

      Truly inspired, but go deeper, as there were 1/3rd farthings once upon a time, so as to add another layer of confusion.

      1. Matthew G. Saroff

        I decided not to include anything that was not present in the 20th century, hence no groats.

  8. bruce

    The thing I’ve never understood about the sustainability of BTC…the miners are the same people responsible for updating and administering the blockchain, and they get rewards in BTC for doing this, but the system is designed to create fewer and fewer coins over time, and the rewards per block are designed to shrink, so, won’t the transaction fees have to rise (astronomically), at least enough to pay the miners’ electric bills or else people will simply stop mining?

    1. milesc

      The current thinking (nothing is certain; Bitcoin is evolving) is that smaller value, day-to-day transacting (and perhaps machine to machine transacting) will occur on public and private layers built atop Bitcoin (the linked article talks about one such protocol, the Lightning Network), with the base layer (Bitcoin as most people think of it) being used only for higher value settlement transactions. In that case, a hefty transaction fee on a “layer 1” transaction will represent hundreds or thousands or even millions of “layer 2”+ transactions.

      There will be improvements in block space efficiency too (i.e. squeezing more fee paying transactions into each block — remembering that transaction fees are determined by transaction sizes _in bytes_), but it is generally acknowledged that overall block size should be limited to prevent centralisation and to encourage the development of a fee market (i.e. for block space scarcity).

      Whatever the case, we have already seen very high demand for very expensive Bitcoin transactions; in late 2017/early 2018, a period of peak demand (or congestion), average transaction fees were in the 10s of US dollars! Fees alone could have maintained much of Bitcoin’s hash rate at the time.

      We’ve had two “halvings” (the mining subsidy dropped from 50 BTC to 25 BTC in 2012 and then from 25 BTC to 12.5 BTC in 2016), so you might say we are in the third era of mining. The fourth era is due to start in the late afternoon of 24 May 2020, a little over one year from now. The subsidy will drop from 12.5 BTC per block to 6.25 BTC per block. Let’s see what happens.

      After that, there are another 30 eras – over 120 years – before the block subsidy is 0. So that transition from subsidy+fees to fees alone is a long one.
