It’s the settlement assurances, stupid

How to evaluate blockchains

What is the time to finality on major blockchains? How long should I wait before considering a Bitcoin transaction settled? What are the risk factors which might cause me to demand additional confirmations? How do confirmations affect settlement?

Surprisingly, none of these questions have good answers, even in 2019, over 10 years after the first Bitcoin block was mined. Rigorous investigation into the properties of proof of work has been hampered both due to a perception that it’s just a temporary staging ground for some future, superior consensus/sybil resistance mechanism, and due to a belief among Bitcoiners that its quality is inviolate.

But these questions are fundamental. If you believe that public blockchains with open validator sets and distributed convergence mechanisms will persist and mediate value transfer for the foreseeable future, they are worth pondering. And if you are an exchange and your livelihood depends on correctly assessing the number of required confirmations on a variety of blockchains, these questions are critical. First, let me explain why I think settlement assurances are the primary thing worth contemplating about any public blockchain.

What’s the interesting thing about Bitcoin?

This is a surprisingly difficult question to answer. Ask ten different Bitcoiners, and you’ll get a dozen different responses. Disagreements about what what Bitcoin is for, its teleology, nearly tore the community asunder in the 2014–17 period. Hasu and I tried to chronicle these competing visions in a piece a while back. Others have noticed this and have covered it in detail. I particularly like Murad Mahmudov and Adam Taché’s take. Daniel Krawisz covered the topic ably in 2014.

In Krawisz’ piece, he posits that Bitcoin is understood very differently by two major tribes: the investors and the entrepreneurs. The investors, he posits, believe that Bitcoin is a new form of high-powered money which primarily upholds the sovereignty of the individual. The investors tend to believe that Bitcoin will catch on because of the innate strength of its monetary properties. For them, evangelism is pointless: price is the best evangelist. The ‘entrepreneurs’, as he dubs them, are more interested in Bitcoin as a global payments system, and emphasize its use in commerce. As anyone who paid attention in 2015–17 knows, these two sides fought a bitter civil war over Bitcoin’s telos (purpose) with the block size being the main battleground.

Perhaps these views can be harmonized. I tend to believe that the interesting thing about Bitcoin is its capacity to facilitate the transfer of value through a communications medium with extremely strong assurances. (I made an effort to disentangle and evaluate those assurances here.) I think that Bitcoin is a novel institutional technology — high-assurance wealth storage and transfer without reliance on the State or a financial system — which will unlock new modes of human organization and will enable productive commerce in places where property rights are poorly enforced.

So if the assurances you get around settlement are the most interesting thing about the system, how can we evaluate them? And how do we make consistent comparisons between Bitcoin and other systems with open validation?

Evaluating settlement

So what are settlement assurances exactly? They refer to a system’s ability to grant recipients confidence that an inbound transaction will not be reversed. Wire transfers using a messaging system like SWIFT are popular in part because they are practically impossible to reverse. They are considered safe for recipients because originating banks will only release the funds if they are fully present in the sender’s account.

This is why the thieves behind the $1b Bangladesh bank robbery used SWIFT and bank wires; they wanted to leverage their settlement assurances. In other words, they chose to use a system for the theft which they knew would be hard to reverse. Ultimately, $61m from that heist remains unaccounted for. Far from being evidence of a failure of SWIFT + bank transfers, this demonstrates the system’s strengths. Even in this case, where virtually everyone involved wanted to reverse the transaction, they could not. The system is resistant to rollbacks, discretion, and post-hoc edits. This doesn’t make it a bad system. This makes it a system that gives counterparties a good deal of reassurance that a transaction will be final.

In a similar manner, Bitcoin is a useful system because it provides users powerful settlement assurances. Just how good, we don’t know exactly. LaurentMT wrote probably the most scientific exploration in his excellent Gravity series. Generally though, the properties of Bitcoin’s PoW have not been fully explored. It has suffered a few reorgs in its history, but, as far as we know, no deliberate, adversarial reorganizations where money was stolen. And we know that miners allocate a staggering amount of real-world resources into mining transactions. This means that recipients of a Bitcoin transaction can have extremely high confidence that, once buried under a few blocks, a transaction is unlikely to be reversed.

However, this isn’t the case for many competing cryptocurrencies. While they look cosmetically similar to Bitcoin in many cases, none have the same settlement assurances. This isn’t necessarily because of any design flaw, but simply because Bitcoin’s block space has more accumulated costliness — and hence cost to attack — per unit time, and because Bitcoin is a near-monopolist on its hash function and has dedicated hardware. Somewhat surprisingly, many weaker chains haven’t been exploited, even if the cost to do so has been low. This is likely to due to the fact that monetizing a 51% attack requires exploiting an exchange, which introduces additional complexities. And quite frankly, most smaller coins aren’t worth much in the first place (and don’t have any liquidity on the short side), capping the yield from an attack.

To get an idea of just how vulnerable many cryptocurrencies are, take a cursory look at crypto51.app. The methodology somewhat unrealistically assumes an attacker can rent sufficient hardware on Nicehash, but it still nicely depicts a lower bound of the cost to attack these systems.

So what are the key variables for evaluating settlement in a public blockchain system? Let’s divide them into to the easily quantifiable ones and the harder-to-quantify variables.

Before we jump in, let’s pause for a tiny literature review to credit some prior work in the space:

Quantifiable settlement variables

Ledger costliness

Ledger costliness is the most profound and direct variable available to us to evaluate a blockchain’s settlement guarantees. Put simply, it is equivalent to the amount paid to validators/transaction selectors per unit of time. In Bitcoin, miners receive a per-block subsidy and transaction fees as an incentive to stay honest and “play by the rules.” In proof of work, miners attach an unforgeable proof that they have burned some energy and hence incurred a cost to each block proposed. At the time of winning a block, the miner necessarily has to have burned resources roughly equivalent to the value of the block (typically with a small margin), unless they are extraordinarily lucky. Because of this, miners are incentivized to create valid and rule-following blocks.

Think of it as a bit like a school project where you had to read a book and produce a book report. You need to prove to your teacher that you read the book, so you produce a book report (a valid block hash with a sufficient number of leading zeroes) which you could only have created if you actually read the book (computed sufficient hashes). Because your teacher is a stickler for style, you also have to format your book report correctly (produce a well-formed and valid block). It would be a tragedy to read the whole book, only to present a digest which is malformed and ends with you getting an F. Proof of work is the same: the work is upfront, with the payoff only coming later. You’ve incurred a real cost, and your business depends on you carrying out the final bureaucratic steps to collect your reward, so you do your best not to screw that part up. Recently, a miner did all the requisite work to be eligible for a block but fell at the last hurdle by creating an invalid block.

For a more complete description of how the PoW incentive works, read Hugo Nguyen’s piece:

So why does more ledger costliness per unit time mean more security for transactors? Because a greater salary to miners (who are presumed honest) means you need a larger army of mercenaries to defeat them. These resources have to come from somewhere: you need to marshal resources and hardware capable of producing hashes, electricity, and so on. (There’s an argument out there that since attackers collect the subsidy when 51% attacking, only fees provide security in PoW. I don’t have the space here to engage with this fully here—for now I’ll just maintain that the subsidy, especially with dedicated hardware, is itself an enormous cliff which must be scaled before 51% scenarios can be theorized.)

To sum up, outbidding the set of honest miners dutifully producing blocks on Bitcoin is very expensive. They collectively take a salary of $6.9 billion dollars per year right now, and many of them have presumably invested in their businesses in anticipation of future cashflows (meaning that the hardware active on the network might be even higher than current miner revenue would imply).