Bitcoin just had an “inflation bug” and no, it is not dying

A responsible disclosure is not fun, especially when the stakes are high and the timeline is tight.

 

On 17 September 2018, a vulnerability was found in Bitcoin Core that could, in the very worst case, have led to a real on-chain double spend. I will not go into the nature of the bug, how it was found and who resolved it (although that story is great and an impressive example of efficiency). Instead, I will focus on what it would take (or rather would have taken) for an attacker to actually exploit the vulnerability and what he would stand to gain from it. There is a lot of misinformation about this in the media right now.

The attacker has to be a miner, and he would have to mine a block that includes a specially crafted transaction spending the same input twice within that one transaction. This cannot be a transaction he picked up from the network: nodes still applied the duplicate-input check to unconfirmed transactions they received from peers, so such a transaction would never propagate, and the miner has to build it himself and place it directly into his own block. Think of it as handing over the same twenty Swiss franc bill twice in one payment at the grocery store. The store records forty Swiss francs received even though you only spent one twenty franc bill, and the total monetary supply just increased by twenty francs. This is why the bug is often dubbed an ‘inflation bug’. The bug sat in the Bitcoin Core node software, which is run by companies dealing with or accepting bitcoin as well as by individuals and developers who want to verify the blockchain independently of anyone else. Since version 0.15.0 (September 2017) it no longer rejected such a transaction when it arrived inside a block.
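The mechanism described above, as an added example that is not code from Bitcoin Core or from the original post. It is a deliberately simplified model of UTXO accounting (Bitcoin Core's coin cache behaves differently in detail; the bug itself is the one published as CVE-2018-17144): with the duplicate-input check switched off, each entry of the transaction's input list resolves to the still-unspent coin, so the coin's value is counted twice and the rule "outputs may not exceed inputs" still passes. All names, the placeholder 64-character transaction ids and the 20/40 coin values are constructed for the example.

```python
"""Added example (not Bitcoin Core code): a simplified UTXO model showing why
skipping the "no outpoint twice in one transaction" check during block
validation creates coins out of nothing."""
from dataclasses import dataclass

COIN = 100_000_000  # satoshi per bitcoin


@dataclass(frozen=True)
class OutPoint:
    """Reference to a transaction output: (creating txid, output index)."""
    txid: str
    n: int


@dataclass
class Tx:
    txid: str
    vin: list   # OutPoint entries being spent
    vout: list  # output values in satoshi


class DuplicateInputError(ValueError):
    """Raised when one transaction lists the same outpoint more than once."""


def check_transaction(tx, check_duplicate_inputs=True):
    """Stateless sanity checks. The duplicate-input check is the one that the
    affected releases no longer applied to transactions arriving in a block."""
    if not tx.vin or not tx.vout:
        raise ValueError(f"{tx.txid}: empty vin or vout")
    if any(v < 0 for v in tx.vout):
        raise ValueError(f"{tx.txid}: negative output value")
    if check_duplicate_inputs and len(set(tx.vin)) != len(tx.vin):
        raise DuplicateInputError(f"{tx.txid}: same outpoint listed twice")


def connect_tx(utxo, tx, check_duplicate_inputs):
    """Apply tx to the UTXO set the way a block-connection path does and
    return the fee. With check_duplicate_inputs=False every vin entry is
    resolved against the still-unspent coin, so one coin is counted twice."""
    check_transaction(tx, check_duplicate_inputs)
    value_in = 0
    for op in tx.vin:
        if op not in utxo:
            raise ValueError(f"{tx.txid}: spends unknown or already spent {op}")
        value_in += utxo[op]           # a repeated outpoint is counted again here
    value_out = sum(tx.vout)
    if value_out > value_in:
        raise ValueError(f"{tx.txid}: outputs exceed inputs")
    for op in tx.vin:
        utxo.pop(op, None)             # removing the same key twice is a no-op
    for i, v in enumerate(tx.vout):
        utxo[OutPoint(tx.txid, i)] = v
    return value_in - value_out


def total_supply(utxo):
    """Sum of all unspent output values, i.e. the monetary supply."""
    return sum(utxo.values())


def run_double_spend(check_duplicate_inputs):
    """The scenario from the text (constructed data): one 20-coin output spent
    twice inside a single transaction that pays out 40 coins.
    Returns (accepted, change_in_supply_in_satoshi)."""
    coin = OutPoint("a" * 64, 0)
    utxo = {coin: 20 * COIN}
    before = total_supply(utxo)
    tx = Tx("b" * 64, [coin, coin], [40 * COIN])
    try:
        connect_tx(utxo, tx, check_duplicate_inputs)
    except DuplicateInputError:
        return False, total_supply(utxo) - before
    return True, total_supply(utxo) - before


if __name__ == "__main__":
    print("check skipped :", run_double_spend(False))   # (True, 2000000000)
    print("check applied :", run_double_spend(True))    # (False, 0)
```

With the check skipped, the transaction is accepted and the set holds 40 coins where it held 20; a node that still performs the check rejects the transaction before any value is summed, and with it the whole block, which is exactly the point at which the two kinds of nodes part ways.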

After the bug was found, only a few hours passed before version 0.16.3 was released, and as of now already 19% of publicly visible nodes run that version[i].

A miner running such an attack, however, runs the risk that even if many nodes fail to notice the creation of money, other players will: the breach of the network rules gets picked up by humans instead of nodes. If this happens quickly enough, node operators, especially those running economically relevant nodes at exchanges, will manually override their nodes and ignore the block. All it takes is a single command in the Bitcoin Core terminal (the invalidateblock RPC), and preparations for exactly this step were in place. The override results in a split of the blockchain, where nodes with observant operators follow a different chain than nodes whose operators did not react. There remains a risk, though, that the attacker gets his unjustly gained coins to an exchange, sells them there and withdraws the proceeds in fiat or another cryptocurrency before the exchange notices the split and freezes operations. Given the efficiency mentioned above and the careful observation by certain individuals, the risk of such an attack succeeding, especially in economically damaging amounts, is very low.

It all comes down to two things: first, what the attack costs the attacker, and second, how fast the network is likely to notice the anomaly and work around the culprit before he can take his profit.

Since the attacker has to be a miner and put his inflating transaction into a block that would otherwise have been valid, he forgoes the reward for that block yet still has to cover its production cost. If the attack is unsuccessful, he has simply lost 12.5 BTC (plus the fees of the block's transactions), or at current rates roughly CHF 80k. This is his investment.

As for the second point, the likelihood of discovery depends very much on the level of automation. Above I only mentioned the manual, human means of discovery, but that is certainly not all. Projects like Statoshi or Bitcoin Optech continually monitor all kinds of network parameters. Fork monitors run different node implementations side by side to detect any deviation between them. Developers do the same to spot deviations between their software and Bitcoin Core, and in fact any Bitcoin Core node will warn its operator if it determines that it is on a minority chain, i.e. if it sees a chain carrying at least about six blocks' more work than its own tip but judges that chain to be invalid.
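How a node decides that it is on a minority chain, as an added example that is not code from Bitcoin Core or from the original post. Bitcoin Core compares cumulative work rather than block count: it keeps track of the most-work chain it has rejected as invalid and warns the operator once that chain carries more than six tip-blocks' worth of extra work, which is the "at least ~6 blocks longer" in its warning text. The target decoding and the per-block work formula below follow the ones Bitcoin Core uses; the two chains of constant difficulty are constructed for the simulation.

```python
"""Added example (not Bitcoin Core code): the work comparison behind Bitcoin
Core's "invalid chain at least ~6 blocks longer than our best chain" warning,
with two constructed chains to show when it fires."""


def bits_to_target(bits: int) -> int:
    """Decode the compact difficulty encoding ('nBits') into the 256-bit target."""
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF
    if bits & 0x00800000:
        raise ValueError("negative target in compact encoding")
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def block_proof(bits: int) -> int:
    """Work one block contributes to its chain: floor(2**256 / (target + 1)),
    computed as Bitcoin Core does, as (~target / (target + 1)) + 1 on 256-bit
    integers, which avoids the 257-bit numerator."""
    target = bits_to_target(bits)
    if target <= 0 or target >= 2**256:
        return 0  # invalid or overflowing target contributes no work
    return (((2**256 - 1) - target) // (target + 1)) + 1


def chain_work(bits_per_block) -> int:
    """Cumulative work of a chain given the nBits of each block from genesis."""
    return sum(block_proof(b) for b in bits_per_block)


def invalid_chain_warning(tip_work: int, tip_bits: int, best_invalid_work: int) -> bool:
    """True when the most-work chain the node has rejected as invalid exceeds
    the node's own tip by more than six blocks at the tip's difficulty."""
    return best_invalid_work > tip_work + 6 * block_proof(tip_bits)


def simulate(our_height: int, fork_height: int, bits: int = 0x1D00FFFF) -> bool:
    """Constructed scenario: two chains of constant difficulty `bits`, one our
    active chain and the other a chain we rejected as invalid. Returns whether
    the warning would fire."""
    ours = chain_work([bits] * our_height)
    theirs = chain_work([bits] * fork_height)
    return invalid_chain_warning(ours, bits, theirs)


if __name__ == "__main__":
    print(hex(block_proof(0x1D00FFFF)))  # 0x100010001, the work of a difficulty-1 block
    for extra in range(5, 9):
        print(extra, "extra invalid blocks ->", simulate(100, 100 + extra))
```

In the simulation the warning fires at seven extra blocks rather than six, because the comparison is strict; with real difficulty values the equivalent block count also shifts with the difficulty at the node's tip. On a running node the same warning can trigger an external command through the -alertnotify=<cmd> option, and the manual override mentioned above is the invalidateblock RPC (bitcoin-cli invalidateblock <blockhash>), which makes the node treat that block and everything built on it as invalid.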

There are mechanisms in place to monitor the network for inconsistencies. In that context, the fact that the change that enabled this bug only shipped last September is very good news: older versions are therefore not affected by the inflation variant (the 0.14.x releases would crash on such a block rather than accept it, which still keeps them off the inflated chain).

As of right now, 64% of nodes are secure, 31% are vulnerable and 5% of publicly visible nodes do not send a standard version identifier, so it is unknown whether they are affected. These numbers already include the 19% of nodes that have updated to 0.16.3; even if we assume that all of those were previously on an affected version (0.15.0 to 0.16.2), at least 45% of nodes (64% minus 19%) were not vulnerable at the time of disclosure.

This rather high share, together with the tools that monitor anomalies in the network, makes it very unlikely that an attacker would be able to spend his unjustly gained coins before the community notices and adjusts.

As a corollary: we do know that this exploit has not been executed in the past, for the simple reason that pre-vulnerability nodes running older versions are deliberately still up, running and in sync with the vulnerable ones. Had an inflating block ever been accepted by the vulnerable majority, those older nodes would have rejected it and diverged from that chain.

The considerations above are valid for BTC. Smaller networks skew the numbers significantly: if it is cheaper to create a block, or rather if the opportunity cost of missing out on one is smaller, the attacker's investment goes down; and if there are fewer nodes and fewer developers monitoring the network, the likelihood of success goes up massively.

[i] For this and the other node counts, I source the information from https://coin.dance/nodes. This gives an indication of the state of the network; exact numbers are impossible to obtain, since many nodes do not publicly advertise their existence.

The BIS report – a rebuttal

Just a few years ago, every mention of cryptocurrencies in publications of the established financial system was celebrated as recognition for the young community. These early days are clearly over. When the Bank for International Settlements (BIS) published a chapter on cryptocurrencies in its 2018 annual report, the community's reaction was far from positive. The responses on Twitter were of a form that we don't intend to reproduce here. So this might generate some heat from the community as well: the report is actually fairly good. The technological assessment is sound and the economic critique is warranted. So where does the discrepancy originate? The BIS report falls short on only two aspects: it evaluates the technology as it was a year ago, and it criticizes cryptocurrencies for failing to be something they do not aim to be.

The technological criticism

Granted, it would not be prudent to take into account technology that does not exist yet, trusting that something will be around to save the day. Any prediction that something does not work is dangerous, because some technological advance might come along and render the counter-arguments invalid. But for the same reason, a prediction that something does work can only rely on the current state of technology, not on the hope for a breakthrough. By far the most famous example of such a misguided prediction is The Times' 1894 forecast that “In 50 years, every street in London will be buried under nine feet of manure”: understandable at the time, but obsoleted by the invention of the car. Had an analogous prediction been made in the 1920s, when the number of horses in London was even higher than in 1894, it would now seem negligent instead of being a quirky anecdote from a time preceding the car. Analogously for cryptocurrencies: when evaluating the scalability of the system, it is negligent to base the evaluation on the state of technology from a year ago and to discard the breakthroughs that have already happened. The BIS report does acknowledge the existence of proper scaling solutions, but hides this in a footnote that does not acknowledge its relevance. So here it is:

Proposed solutions for the scaling problem include the Lightning Network, which essentially shifts small transactions off the main blockchain and into a separate pre-funded environment.

The Lightning Network is live and working. It still needs to increase adoption, and for political reasons it might fail to do so, but the technology is a settled thing. Instead of communicating every transfer to every participant of the network (at global levels of adoption, potentially billions of redundant copies of the same data), the Lightning Network communicates a payment directly from sender to recipient, or via up to 20 hops along the edges of the network. No permanent record is required beyond the opening and closing of that particular channel, which might happen once every few months. Further improvements are already well in progress, but since they are not live yet, it is fine to ignore them for the time being. Such a network topology does not “bring the internet to a halt”, as the BIS report put it, even on today's hardware and today's global network infrastructure.

The second major infrastructure criticism concerns the ‘mining’ of cryptocurrencies. Here again the BIS report does an exceptional job of analyzing the process; its description is among the most understandable and accessible I have seen so far. It correctly identifies mining as the “mathematical evidence that a certain amount of computational work has been done, in turn calling for costly equipment and electricity use”. This leads to the often made (and true) statement that “At the time of writing, the total electricity use of bitcoin mining equalled that of mid-sized economies such as Switzerland”.

What the report does not take into consideration, however, and most other criticisms do not either, is how electricity usage scales with the growth of the network: not at all. Whether a block validates 1000 transactions, 2000 transactions or none, the amount of electricity is the same. Arguments that start from current electricity usage and extrapolate to more widespread usage are therefore invalid. Electricity consumption scales not with use but with the demand for security in the system. In an equilibrated system, the cost of electricity will be close to the expected monetary reward per block. If that leads to fees that some use cases are not willing to pay because they do not require that level of security, those use cases will move to other systems, e.g. the still trustless Lightning Network; what remains on-chain is the demand for native security. This mechanism is currently (at least in Bitcoin) still offset by the ‘block subsidy’, an extra reward of newly issued coins that does not originate from fees paid for security. The demand for security might still increase while the block subsidy decreases; in net effect, electricity consumption will in the long run probably decrease or stay roughly the same, even with much higher use.

The economic criticism

Cryptocurrencies do not aim to be easily adaptable to changing economic conditions, and they are not suitable as a replacement for central bank money. On the contrary, they aspire to create stability through predictability: the future supply of most cryptocurrencies is predetermined (Ether is a notable exception). This is not to say that they have no place in the mission of a central bank.

The Swiss National Bank holds 1040 tonnes of gold, and it does not do so because it thinks gold would make a great payment system. Set in the context of the SNB's explicit goals and responsibilities, the room for cryptocurrencies is not in its primary goal, ‘price stability’, but in its ‘asset management’ task. The BIS, in contrast, has looked at cryptocurrencies only as a form of ‘cash supply and distribution’, where they fail miserably, as the BIS correctly concludes, precisely because of their highly predictable supply.

 

Figure 1: Source: BIS annual report 2018

The BIS coined the ‘money flower’ to characterize forms of money based on discrete criteria. The central element, checking all boxes, is ‘Central bank digital currencies (retail)’. In this taxonomy, the only difference between that and ‘Cryptocurrency (permissionless DLT)’, under which the BIS also counts Bitcoin and others, is the checkbox ‘Central bank-issued’. Whether that is a benefit or a drawback depends strongly on the use case at hand.

(It is almost ironic at this point that, in this admittedly very simplified visualization of the already simplified reproduction of the original arguments, the only difference between ‘bank deposits’ and ‘virtual currencies’ is wide accessibility. To leave no doubt about the meaning: the prototypical example of a ‘virtual currency’ in the BIS report is World of Warcraft gold. While more people currently use bank deposits than WoW gold, access to the latter literally requires only an internet connection and a local shop selling a copy of World of Warcraft, whereas 31% of adults worldwide have no access to any financial services. So arguably, ‘bank deposits’ and ‘virtual currencies’ do not differ in this simplified characterization of the money flower.)

The mandate of a central bank is indeed incompatible with using a decentralized cryptocurrency. A central-bank-issued currency derives its trust from a sound reaction to economic conditions, resulting in price stability in the day-to-day life of its users. A decentralized cryptocurrency without room for any political or monetary decisions derives its trust from its non-reaction to economic conditions, resulting in value stability independent of day-to-day whims and fluctuations.

“Strong oversight and central bank accountability both help to support finality and hence trust”, says the BIS report. This is probably the starkest difference between the view the BIS holds of transactions and what the cryptocurrency community sees in the technology: the BIS achieves trust through finality; cryptocurrencies achieve finality through trust.