Trust at Scale: The Economic Limits of Cryptocurrencies and Blockchains^*

Abstract

Satoshi Nakamoto (2008) invented a new kind of economic system that does not need the support of government or rule of law. Trust and security instead arise from a combination of cryptography and economic incentives, all in a completely anonymous and decentralized system. This article shows that Nakamoto’s novel form of trust, while undeniably ingenious, is deeply economically limited. The core argument is three equations. A zero-profit condition on the quantity of honest blockchain “trust support” (work, stake, etc.) and an incentive-compatibility condition on the system’s security against majority attack (the Achilles heel of all forms of permissionless consensus) together imply an equilibrium constraint, which says that the “flow” cost of blockchain trust has to be large at all times relative to the benefits of attacking the system. This is extremely expensive relative to traditional forms of trust and scales linearly with the value of attack. In scenarios that represent Nakamoto trust becoming a more significant part of the global financial system, the cost of trust would exceed global GDP. Nakamoto trust would become more attractive if an attacker lost the stock value of their capital in addition to paying the flow cost of attack, but this requires either collapse of the system (hardly reassuring) or external support from rule of law. The key difference between Nakamoto trust and traditional trust grounded in rule of law and complementary sources, such as reputations, relationships, and collateral, is economies of scale: society or a firm pays a fixed cost to enjoy trust over a large quantity of economic activity at low or zero marginal cost.

I. Introduction

Economists have long widely agreed that the market system requires some form of government and rule of law for support. This is uncontroversial among even the most free-market-oriented thinkers. Adam Smith (1776) mostly argues for reducing government interference in markets, but he does not go all the way to zero, writing that “commerce and manufactures can seldom flourish long in any state” without a legal system, property rights and contract enforcement, as well as certain public goods. Hayek (1960) grapples at length with the paradox that to maximize freedom—which he defines as the absence of coercion—it is necessary to have a government with the power to coerce. Friedman (1962) famously described the government’s role establishing the “rules of the game” for the market system and acting as its “umpire.” There is significant debate in modern economics about what government should do beyond these basic supports for the market system (e.g., social insurance, correcting externalities), but that there is some role for government and rule of law is essentially taken for granted.

Satoshi Nakamoto (2008) invented a new kind of economic system that does not need the support of government or laws.¹ Trust and security instead arise from a combination of cryptography and economic incentives, all in a completely anonymous and decentralized system. Computer scientists call the innovation “permissionless consensus”: a large, anonymous, freely entering and exiting set of participants around the world is incentivized to collectively maintain a common data set, enabling trust in the data set without the need for rule of law or any specific trusted party. This invention enabled cryptocurrencies, including Nakamoto’s own creation, Bitcoin. The data structure maintained by the large set of participants is called a blockchain.²

It is no understatement to say that Nakamoto’s invention captured the world’s attention. One oft-cited figure is the $3 trillion of market capitalization of Bitcoin and other crypto assets at their peak, but even this figure seems to understate the amount of cultural, political, and commercial attention that has been paid to blockchains and cryptocurrencies. At the same time, the economic usefulness of Nakamoto’s invention remains an open question. To date, the majority of cryptocurrency volume appears to be speculative, with the other most widely documented use case being black-market transactions (Makarov and Schoar 2021; Gensler 2021; Buterin 2022).³ Moreover, the majority of this speculative volume has been through cryptocurrency exchanges—which are (at least in principle) centralized, trusted financial intermediaries.

This article studies the economics of Nakamoto’s novel form of trust. Is it economically viable as an alternative to the traditional market system supported by rule of law? What are the fundamental economics of the fundamental computer science innovation in Nakamoto (2008)?

I find that—at least in its pure form, without any implicit protection from rule of law—Nakamoto’s novel form of trust faces serious economic limits. It is unusually expensive in absolute terms relative to the stakes involved, and its expense scales linearly with the stakes involved. These results have an if-then implication: if permissionless consensus in its pure form were to become a more important part of the global economic and financial system than it has been to date, then the costs of securing the trust would become preposterous—more than global GDP in some scenarios. The analysis may also sharpen our conceptual understanding of what is special about traditional forms of trust that are grounded in rule of law and other complementary sources, such as reputations, relationships, and collateral. The key distinction will prove to be economies of scale in the production of trust.

The core of the argument is three simple equations. The first equation is a zero-profit condition that describes the quantity of “trust support” devoted to maintaining permissionless consensus as a function of the compensation paid by the protocol for trust support, assuming that all participants behave honestly. Trust support can take the form of providing computational work as in Bitcoin (“proof of work”), providing other kinds of computational resources as in proof-of-storage or proof-of-memory protocols, or posting cryptocurrency coins in a proof-of-stake protocol, such as Ethereum.⁴ For a sense of magnitudes, in recent years the compensation to Bitcoin trust support (known as miners) has averaged about $250,000 per block of data, or about $36 million a day, and Bitcoin miners performed an average of about 200 million trillion calculations per second as an equilibrium response to this compensation. The computer science details behind this process are complicated (see Section II), and vary to some extent by blockchain protocol, but the economics is standard free-entry logic. Variations of this first equation have appeared in numerous other prior papers.

The second equation is an incentive-compatibility condition: how much security does a given level of trust support produce? The Achilles heel of permissionless consensus is that it is vulnerable to “majority attack”: Nakamoto (2008) and subsequent methods for creating an anonymous, decentralized consensus about the state of a data set rely on a majority of the resources devoted to maintaining the data set to behave honestly. This is not an obscure point; it is in the abstract of the famous Nakamoto (2008) paper and has been understood to be an issue more generally with distributed consensus systems since famous computer science research in the 1980s. Intuitively, permissionless consensus, whether in the form invented by Nakamoto or other variations such as proof of stake, always relies on some implicit version of majority or supermajority voting to adjudicate what the state is in case of a dispute. The second equation captures that it must not be economically profitable for a potential attacker to provide a majority of the total trust support and manipulate the state.

It is worth briefly contrasting the approach to security taken in my equation (2) with the approach taken in the prior computer science literature. Famous early research on distributed consensus, such as Pease, Shostak, and Lamport (1980), Lamport, Shostak, and Marshall (1982), and Dwork, Lynch, and Stockmeyer (1988), stated results of the following form: as long as less than proportion |$\rho$| of the servers maintaining consensus are faulty (Byzantine), then the consensus protocol has good properties of safety (transactions, once confirmed, will not be reverted) and liveness (transactions are confirmed within a reasonable amount of time). Nakamoto (2008) gives results of the same form—indeed, with an improvement from |$\rho =\frac{1}{3}$| to |$\rho =\frac{1}{2}$|⁠. However, the early computer science literature was studying what are now called permissioned consensus systems, for example, a company keeping its database servers in sync with each other. Treating security as a 0–1 property that holds if and only if an attacker is less than some bound |$\rho$| seems reasonable for permissioned consensus—for example, it would tell a company to use enough redundant hardware and enough overlapping security measures that the risk of proportion |$\rho$| of its servers failing at the same time is sufficiently small. In contrast, Nakamoto (2008) and subsequent blockchain researchers are studying permissionless consensus protocols, in which anybody can freely enter and exit the system at any time, anonymously, without protection from rule of law. As soon as the system is permissionless, one has to ask what is an attacker’s incentive to acquire proportion |$\rho$| of the total system resources. This rethink of the economic security of a permissionless consensus protocol that I introduce applies to proof of work, proof of stake, or any other approach to permissionless consensus. They are all vulnerable to some form of majority attack, so they all need to be studied with both a free-entry condition like my equation (1) and an incentive-compatibility condition like my equation (2). In effect, this article argues that Nakamoto (2008) made an error conceptualizing security in the same way as the 1980s consensus literature and not as an economic incentive-compatibility constraint.⁵

My third equation is an equilibrium constraint that connects equations (1)  and (2), that is, connects the zero-profit condition to the incentive-compatibility condition. The reason these equations can be linked is that the amount of honest trust support appears in both. In equation (1), the amount of honest trust support reflects the recurring payments to this trust support. In equation (2), the amount of honest trust support determines the cost of majority attack. Equation (3) tells us that the recurring payments to the honest trust support in the zero-profit equilibrium must be large relative to the value of attacking the system.

This is a very expensive form of trust! The recurring payments to trust support are a “flow,” so equation (3)  tells us that the flow costs of maintaining the trust must exceed the value of attack at all times.⁶ Moreover, this required flow cost scales linearly with the value of attack. An intuition is that Nakamoto trust is memoryless—it is as secure at a moment in time as the amount of trust support at that moment. Under idealized attack circumstances (assuming away several reasonable frictions), I obtain an even stronger result, which is that the net cost of attack is zero—because the attacker also earns the trust-support compensation that would have gone to the honest participants.

The essential difference between the Nakamoto trust model and the traditional model grounded in rule of law is shown in Figure I. A criminal is thinking of robbing a bank. In the traditional model, the criminal must consider how many security guards he will need to overcome. Then he will have to take into account that the bank will call in reinforcements from police, and that, if caught, he will go to jail. Similarly, consider a country thinking of whether to invade another country. They will have to consider the soldiers at the border (analog of security guards) but also that the invaded country will call in military reinforcements (analog of police) and that the invaded country may launch a counterattack (analog of Beckerian deterrence from courts).⁷ In contrast, the Nakamoto model is just to have a very large number of security guards at the bank or soldiers at the border. This works, but it is very expensive and scales terribly with the stakes.

Notice two sources of scale economies in the traditional model. First, the police do not have to be present at the particular bank to provide security—they can provide security to many locations at once as long as they are not all attacked simultaneously. Second, the courts can deter crime with just the credible threat to prosecute and imprison—a fixed-cost investment in court capacity can deter a large quantity of potential criminal activity. This is the essence of Becker's (1968) model of optimal deterrence, and is central to Hayek's (1960) resolution of the paradox noted above that freedom requires a government with the power to coerce.⁸

Notice as well a subtle additional source of inefficiency in the Nakamoto trust model—the full scale of the trust support is present for all transactions, whether for large sums or small. This is like having the same number of security guards outside the local bank branch as outside Fort Knox or the Federal Reserve.

There are many other sources of trust that are familiar to economists besides rule of law, such as reputations, brands, relationships, collateral, and cultural or organizational norms.⁹ The contrast versus Nakamoto trust is similar: in each case the trust is more secure than the flow level of investment (e.g., a brand is more trustworthy than its advertising expenditure in the past 24 hours). It bears emphasizing that these sources of trust often work in conjunction with rule of law, sometimes implicitly. For example, a customer trusts Starbucks to provide good coffee because of its brand but also because it is illegal for a different entity to impersonate Starbucks’ name and imagery. In a Levin (2003) relational contract, the employee trusts that if they put in high effort they will get paid a performance bonus, but in the background, it is also the case that the employee knows the employer will pay at least the promised minimum because of rule of law, and the employer trusts the employee not to rob the company because of rule of law.¹⁰

A blockchain would be significantly more economically secure than described so far if both (i) the capital used to maintain the permissionless consensus is specialized, and (ii) an attack causes the attacker’s specialized capital to lose its value or be confiscated. The first condition is satisfied for many major blockchains (e.g., Bitcoin ASICs or stake for proof-of-stake protocols). If the second condition obtains as well, the attacker’s cost is not just the flow cost of conducting the attack but the stock value of their specialized capital—analogously to how a firm that cheats its customers loses the stock value of its reputation or brand. A modified version of the incentive-compatibility condition equation (2)   and some simple calculations suggest that the potential economic security improvement is three to four orders of magnitude. This difference is large enough to plausibly explain why major blockchains such as Bitcoin and Ethereum have not been majority attacked to date.

However, how exactly does the attacker lose their capital? One possibility is that the value of the cryptocurrency collapses because of the attack, and as a result the value of specialized capital collapses, too. But vulnerability to collapse is itself a serious problem—hardly a reassuring foundation for a novel economic system—and raises the possibility of an attack motivated by this collapse per se. A second possibility is legal punishment, which certainly would work but concedes that Nakamoto trust fails without support from rule of law. A third possibility is that the protocol could algorithmically confiscate or block the attacker’s capital in a targeted punishment, while leaving honest participants’ capital untouched. In a companion computer science paper (Budish, Lewis-Pye, and Roughgarden 2024) we show that this approach (i) is impossible for a broad class of permissionless consensus protocols that includes Bitcoin’s; (ii) is possible for a class of permissionless consensus protocols that includes proof-of-stake Ethereum’s, but only under a strong assumption about network reliability and only if the attacker is less than proportion |$\rho =\frac{2}{3}$| of the total. Hence, the current article's framework is a lens through which we can understand the economic goals of Ethereum’s recent adoption of proof of stake and also its economic limits—for attackers of size less than |$\rho =\frac{2}{3}$|⁠, an attack costs a stock not a flow, but if an attacker is incentivized to exceed |$\rho =\frac{2}{3}$| then some external source of trust is required for security, such as rule of law.

The remainder of this article is organized as follows. Section II provides a description of Nakamoto (2008) and related concepts. Section III presents the heart of the economic critique of Nakamoto’s novel form of trust, equations (1) –(3). Section IV uses the model to quantify the cost of keeping Nakamoto (2008)’s specific blockchain design secure against double-spending attacks. Section V analyzes the case of specialized capital that can lose its value because of the attack. Section VI contrasts Nakamoto trust with traditional trust grounded in the rule of law. Section VII concludes. Online Appendix A discusses responses to this article's argument since it first circulated in 2018. Online Appendix B provides technical results in support of the double-spending attack analysis. Online Appendix C compiles lists of cryptocurrency majority attacks, thefts of cryptocurrency financial institutions, and collapses of cryptocurrency financial instutions.

II. Overview of Nakamoto (2008) and Related Concepts

Sections II.A–II.D provide an overview of Nakamoto (2008). Some of the detail is specific to Bitcoin and Nakamoto’s specific form of permissionless consensus, longest-chain proof of work, while also trying to describe the key ideas at a more conceptual level. Section II.E discusses three related concepts: permissioned blockchains, smart contracts, and proof-of-stake consensus. The overall goal of this section is to provide an overview of the relevant computer science concepts that is self-contained and at a sufficient level of detail to justify the economics analysis in the rest of the article.¹¹ Readers already familiar with this material may skip this section without much loss.

II.A. Transactions

The first step in describing Nakamoto (2008) is to describe transactions and the limitations of other methods of keeping track of transactions.

1. Elements of a Transaction

The key elements of a cryptocurrency transaction are the sender of funds, the receiver of funds, the transaction amount, and a cryptographic signature. The sender and receiver are represented as alphanumeric strings called addresses; addresses are somewhat analogous to account numbers. The cryptographic signature uses standard ideas from public-key cryptography to prove that the transaction was initiated by the sender; that is, the signature could only be created by someone who knows the sender’s private key for that address. The cryptographic signature also encodes the other transaction details, including the receiver and the transaction amount; it is like not only signing a check but also signing the seal of the envelope that contains the check, so the recipient and amount cannot be subsequently altered.

2. Limitations of a Shared Public Spreadsheet of Transactions

Imagine keeping track of such transactions on a shared public spreadsheet, such as a Google Doc. The cryptographic signature provides a certain level of trust in the data, in that only Alice, or someone in possession of Alice’s private key, can add correctly signed transactions in which Alice is the sender of funds. However, there are three vulnerabilities:

• Alice could add a transaction in which she sends money she does not have.

• Alice could add multiple transactions at the same or similar time, in which she sends money she does have but to multiple parties at the same time.

• Alice could delete previous transactions from the shared public spreadsheet; either her own or others’.

Thus, while a shared public spreadsheet of transactions could be used among parties that trust each other—for example, a modern version of the babysitting co-op parable in Krugman (1998)—this system is not suitable for tracking transactions among parties that do not have such a level of trust.

3. Limitations of a Trusted Party

Imagine keeping track of transactions through a widely trusted party that keeps track of balances, such as a central bank (e.g., a Central Bank Digital Currency or CBDC). This approach addresses the three vulnerabilities described above with respect to the shared public spreadsheet: the trusted party can ensure that only valid transactions are added to the ledger and that previous transactions are not deleted. However, the limitation is that it requires such a trusted party. The central goal of Nakamoto (2008) is to have a trusted ledger of transactions that does not require any specific trusted party.

II.B. What is the Nakamoto Blockchain?

This section describes the Nakamoto (2008) blockchain (i.e., proof-of-work longest-chain consensus) in four steps.

1. Pending Transactions List

Users submit transactions to a pending transactions list, called the mempool. One can think of the mempool as the shared public spreadsheet discussed already. Transactions in the mempool are not considered official yet.

2. Valid Blocks

Any computer around the world can compete for the right to add transactions from the mempool to a data structure called the blockchain. The computational competition is described in the next step.

The word “blockchain” references that transactions are added in blocks (for Bitcoin, consisting of about 1,000–2,000 transactions), and each block of transactions “chains” to the previous block by including a hash of the data in the previous block (see Figure II). This use of hashes to chain together a sequence of blocks of data was invented by Haber and Stornetta (1991) and Bayer, Haber, and Stornetta (1993). Since the hash of the current block depends on the data in the previous block, which in turn includes its hash of the block before that, and so on, any change to any element in the history of transactions affects the value of the hash of the current block.

For a block of transactions to be valid, the following three criteria must all be true:

• Each individual transaction must be properly signed: the cryptographic signature could only be generated by a user in possession of the sender’s private key.

• Each individual transaction must be properly funded: given all transactions in previous blocks in the chain, the sender must be in possession of the cryptocurrency she or he is sending.

• The transactions in a block must not contradict each other: there cannot be two or more transactions in a block in which a common sender sends the same cryptocurrency to multiple receivers.

3. Bitcoin Mining Computational Tournament

In Nakamoto (2008), the competition to add new blocks boils down to a massive, brute-force search for a lucky random alphanumeric string. More precisely, Bitcoin miners—where “miners” is just the terminology for computational power that attempts to add new blocks of transactions to the Bitcoin blockchain—choose a valid block of Bitcoin transactions from the mempool that they want to chain to the previous block of transactions and search for an alphanumeric string (called a nonce) such that when that alphanumeric string, in combination with all of the other data in the block they are trying to add, is all hashed together using the hash function SHA-256, the result has a very large number of leading zeros.

For readers unfamiliar with hash functions, it is highly recommended to go to a website like https://www.movable-type.co.uk/scripts/sha256.html to get a feel for how they work. For example, the hash of the title of this paper is 09b23bf1eb4b7cda..., which has one leading zero. A block added to the Bitcoin blockchain in January 2024, block 824601, has the hash

which has 19 leading zeros. Because each digit in the hash can take on values 0–9 and a–f, and the SHA-256 hash function is pseudo-random, the likelihood of finding an alphanumeric string that produces a hash with 19 leading zeros is 1 out of |$16^{19}$|⁠, which is about 1 out of 75 billion trillion. The number of leading zeros required is calibrated by the Bitcoin system every roughly two weeks, based on the current amount of computational power devoted to Bitcoin mining, to ensure that blocks are successfully mined on average every 10 minutes. (This calibration can be finer than is possible using just zeros, e.g., 19 leading zeros and a 20th digit weakly less than 7.)

When a miner finds a lucky alphanumeric string, they publicly broadcast their block to all of the other Bitcoin miners. Other Bitcoin miners can quickly check whether the block is valid; that is, whether the set of transactions in the block meet the criteria listed above in step 2, and whether the alphanumeric string indeed produces a valid hash with enough leading zeros. Critically, while finding a lucky alphanumeric string is extremely computationally intensive, checking the validity of a given block is computationally trivial. For this reason, a valid block is “proof of work”—proof that the miner who found the block did a large amount of computational work in expectation.

The lucky miner who broadcast the valid block gets compensated in two ways. First, the miner is compensated with new Bitcoins. This is called the “block reward,” which was originally 50 Bitcoins per block, and halves every roughly four years, most recently in April 2024 to 3.125 Bitcoins per block. Second, the miner earns transactions fees associated with the transactions they included in their block. The economics of these transactions fees are considered in depth in Huberman, Leshno, and Moallemi (2021); users who place a high value on getting their transaction added to the blockchain quickly can ensure faster service by offering a larger transaction fee, so there is an auction-theoretic flavor to the fees, as well as queueing and congestion issues.

4. Longest-Chain Rule

Once a valid block is broadcast and the other miners have checked its validity, miners are supposed to move on to mining the next block. To induce this behavior, Nakamoto (2008) proposed the longest-chain rule—the rule that if there are multiple chains of blocks, the longest chain, as measured by the amount of computational work, is the official consensus record of transactions.

Intuitively, Nakamoto’s longest-chain rule provides a decentralized way to coordinate miners’ efforts. If miners focus their attention on the current longest chain, and they find a lucky alphanumeric string and mine a block, then their new block will be part of the new longest chain, and hence new official record, and the miner will earn the block reward. Nakamoto (2008) shows formally that as long as a majority of computational power follows the longest-chain rule, then the longest chain will outpace attackers with probability that converges to one exponentially in the honest-majority’s share and the deficit the attacker must overcome.

A related intuition is that the longest-chain rule provides a decentralized way to adjudicate disputes—computational power “votes” on the true state, and the majority rules.

The game-theoretic validity of longest-chain consensus has received considerable scholarly attention. The most general treatment to date is Biais et al. (2019), who show that honest mining on the longest chain is indeed a Nash equilibrium, although there can be other equilibria as well. Carlsten et al. (2016) show that longest-chain consensus is an equilibrium only if the block reward component of miner compensation is large enough. Kroll, Davey, and Felten (2013) provide credible intuition for why longest-chain consensus is a Nash equilibrium, though without a formal game-theoretic model.

However, these analyses explicitly assume that all miners are “small”—that is, they assume away the possibility of majority attack. Majority attack, discussed next, is at the heart of this article's analysis.

II.C. Vulnerability to Majority Attack

Nakamoto’s blockchain is vulnerable to attack by an adversary with 51% or more of the computational power. This is because the adversary, whenever they like, can create an alternative chain of blocks that will outpace the honest chain of blocks with probability one, and hence become the new consensus. This vulnerability is widely understood—it is even in the abstract of the Nakamoto (2008) paper (excerpted below). Moreover, that Nakamoto’s blockchain is vulnerable to attack is not surprising to computer scientists in the sense that previous approaches to distributed consensus, based on the Byzantine fault tolerance (BFT) paradigm, were also vulnerable to attack by a too-large adversary except under very restrictive assumptions (Pease, Shostak, and Lamport 1980; Lamport, Shostak, and Pease 1982; Dolev and Strong 1983; Fischer, Lynch, and Paterson 1985; Dwork, Lynch, and Stockkmeyer 1988).¹²

The canonical attack Nakamoto (2008) worried about is called a double-spend: the attacker sends Bitcoins in transactions on the original honest chain, and then deletes those transactions from the consensus record with their alternative chain, allowing them to spend the same currency twice. Section IV will describe double-spending attacks in detail and analyze their economic implications.

Eyal and Sirer (2014) show that Bitcoin is also vulnerable to a form of minority attack, in which a large-enough miner can sometimes profit, in expectation, from holding back a solved block so that they can work on extending it in private, while other miners therefore focus their attention on what is probabilistically not the longest chain. However, the purpose of the Eyal and Sirer (2014) minority attack is more circumscribed in that its goal is to obtain a disproportionate share of mining rewards, not manipulate the blockchain to double spend. A somewhat analogous issue arises with longest-chain proof-of-stake consensus (Saleh 2021).

II.D. Nakamoto (2008): Summary

The abstract of Nakamoto (2008) succinctly summarizes the accomplishment and its vulnerability:

A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain serves not only as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they’ll generate the longest chain and outpace attackers. The network itself requires minimal structure. Messages are broadcast on a best effort basis and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone. (p.1, emphasis added)

The accomplishment is a “purely peer-to-peer version of electronic cash” without the use of a “trusted third party.” Trust in the integrity of the data emerges from the hash-based proof-of-work, conducted by an unstructured network with free entry and exit. The longest chain is the official record of “what happened”—that is, the (permissionless) consensus.

The vulnerability is majority attack—the construction relies on the assumption that “a majority of CPU power is controlled by nodes that are not cooperating to attack the network.”

II.E. Clarifications and Discussion

1. Permissioned Blockchains

As interest in Bitcoin and Nakamoto’s blockchain surged, many started to use the phrase “blockchain” to describe similarly architected databases maintained by known, trusted parties—that is, without the central scientific innovation of Nakamoto (2008). This concept is sometimes known as a permissioned or private blockchain, or sometimes as distributed ledger technology (see Bakos and Halaburda 2023). An IBM marketing campaign called it “Blockchain for Business.” Goldman Sachs called such blockchains “The New Technology of Trust” (Goldman Sachs 2018).

Many researchers and observers view this use of the phrase “blockchain” as hype for what is in essence just an append-only distributed database with well-defined permissions, and with cryptography to protect against data tampering as in Haber and Stornetta (1991). Financial columnist Matt Levine memorably wrote:

If you announce that you are updating the database software used by a consortium of banks to track derivatives trades, the New York Times will not write an article about it. If you say that you are blockchaining the blockchain software used by a blockchain of blockchains to blockchain blockchain blockchains, the New York Times will blockchain a blockchain about it. (Levine 2017)

As should be clear, this article’s critique is of blockchains and permissionless consensus in the sense of Nakamoto (2008), not of distributed databases with trust grounded in traditional sources. It should be uncontroversial that well-architected databases are economically useful, even if there is debate about what to call them. See Budish and Sunderam (2023) for discussion of the potential value of the blockchain data structure in the context of traditional finance.

2. Smart Contracts

Notice that Nakamoto’s novel form of trust is not specific to currency transactions. One can replace “Alice sends Bob 10 Bitcoins, signed by Alice” with any executable computer instruction signed by Alice. This idea is often called a “smart contract” (see Buterin 2014a).

The analysis framework of this article applies analogously to blockchains that allow smart contracts though the attack possibilities may differ.

3. Proof of Stake

The computational work Bitcoin miners must perform to add a new block serves the role of sybil resistance, that is, making it expensive to add new identities to the permissionless system. Without sybil resistance, an attacker could create infinitely many identities.

Since Nakamoto (2008) there have been several other approaches taken to sybil resistance for permissionless consensus, the most prominent of which is proof of stake. Roughly, instead of voting for the correct chain with computational work, participants vote for the correct chain with stake in the cryptocurrency. Ethereum, the second-most valuable cryptocurrency project after Bitcoin, switched from proof of work to proof of stake in fall 2022, and its founder has been discussing the potential benefits of proof of stake since as early as 2014 (Buterin 2014b, 2016).

One motivation for proof of stake over proof of work is to reduce environmental externalities. The computational work that powers Bitcoin consumes on the order of 0.3%–0.8% of all global electricity, which is a fairly astonishing figure.¹³ As will become clear, the environmental issue is orthogonal to the economic security concerns raised herein about Nakamoto (2008)—whether the cost of trust support is the cost of computational power or the opportunity cost of holding stake the arguments in Section III go through unchanged.

The more important aspect of proof of stake for the purpose of my argument is that stakes are not as memoryless as computational work: stakes can be locked up on chain for a period of time, like collateral, and observably persist for the time they are locked, like reputation. This opens up the possibility of punishing attackers by confiscating their locked stakes (slashing), which makes attacks more expensive and hence the blockchain more secure. Intuitively, this is an attempt to algorithmically mimic the traditional trust that is created by law in combination with financial collateral (Buterin 2014b, 2016; Buterin and Griffith 2019). The analysis in Section V shows that if slashing works, it can improve the cost of security by several orders of magnitude.

However, recent research suggests that this approach to security, while intuitively compelling, faces its own limitations. Tas et al. (2023) show as their Theorem 1 that it is impossible to guarantee that a large-enough attacker can be successfully slashed by any positive amount before the attacker is able to withdraw their stake. Budish, Lewis-Pye, and Roughgarden (2024) derive a possibility result for slashing the attacker’s stake without punishing honest participants, but the result requires a strong assumption about the nature of the networking environment and the assumption that the attacker’s majority is smaller than |$\frac{2}{3}$| of the total locked-up stake. If the attacker is too large, then the attacker can circumvent the punishment; a rough intuition is that a large-enough attacker controls the protocol’s legal system.¹⁴ An interpretation of these results is that a proof-of-stake blockchain can successfully mimic traditional trust to deter sub-|$\frac{2}{3}$| attackers, but that rule of law must step in in the case of a large-enough attacker. See further discussion in Section V.B.

Proof of stake also raises a wide variety of implementation complexities that in turn can create protocol-specific opportunities for dishonest play other than the majority attacks that are central to this article (and universal across all forms of permissionless consensus). See Roughgarden (2023), lectures 12.1–12.24, for detailed discussion of the potential issues and how they are addressed in various protocols. Of special note, the earliest versions of proof of stake used a version of Nakamoto longest-chain consensus and faced a problem called “nothing at stake,” under which forks might persist indefinitely in Nash equilibrium even with only small participants; see Saleh (2021) for a careful analysis.

III. Nakamoto Trust: A Critique in Three Equations

Sections III.A–III.C present the three-equation critique of Nakamoto’s novel form of trust. Section III.D presents a result that shows that the net cost of attack of Nakamoto trust may be zero under strong assumptions. Section III.E presents a one-shot game version of the analysis that captures the essence of the critique of Nakamoto trust while abstracting from many details. Section III.F compares Nakamoto trust to trust from repeated interaction.

III.A. Zero-Profit Condition (Honest Play)

Our conceptual question here is: how much “trust support” will maintain the permissionless consensus if we restrict all participants to behave honestly?

Let there be a large finite number I of honest participants who follow a given permissionless consensus protocol automatically. We may think of I as representing all people who could potentially provide part of the decentralized support for Nakamoto trust. For example, I is the number of people connected to the internet around the world.

Each player i chooses a quantity of “trust support” |$x_{i}\in \mathbb {R}^{+}$|⁠, which we may think of as their quantity of computational work in a proof-of-work blockchain, or their quantity of some other costly action in another blockchain such as stake, storage, and memory. Let |$N=\sum _{i=1}^{I}x_{i}$| denote the total quantity of trust support. A player can choose a quantity of zero if they like, which is how we can think about people not participating in the decentralized trust. Our equilibrium concept for N will be a zero-profit condition. This is meant to capture the permissionless, free-entry/free-exit nature of Nakamoto trust. Nash equilibrium is studied in the one-shot game analysis of Section III.E and is very similar.

Let c denote the cost per unit time to supply one unit of trust support. For example, for proof of work, this is the cost per unit time to run one unit of computational power, including variable costs such as electricity and a rental cost of capital for capital equipment. We sometimes use the notation |$c=rC+\eta$|⁠, where |$rC$| is the rental cost of capital and |$\eta$| is the variable cost of electricity. For proof of stake, c is the opportunity cost per unit time to supply one unit of stake.

Let |$p_{block}$| denote the economic reward paid to a participant who successfully adds a new block of transactions, that is, wins a computational tournament in the case of proof of work. We treat |$p_{block}$| as exogenous and derive constraints on it below. Participants’ probability of winning the next reward |$p_{block}$| is equal to their share of trust support. Specifically, player i wins the next reward with probability |$\frac{x_{i}}{N}$|⁠. For the present purposes, we consider the compensation to providers of trust support in aggregate, without distinguishing between whether this compensation is in the form of newly issued cryptocurrency (which are a form of seignorage tax on holders of the currency) or transaction fees.

Let D denote the block difficulty level, defined as the number of units of trust-support-time needed, in expectation, to add one new block. For proof of work, we may assume that new blocks arrive Poisson. That is, if there are N units of trust support, blocks are solved according to a Poisson point process with mean |$\frac{D}{N}$|⁠. For some proof-of-stake protocols, blocks arrive deterministically at interval |$\frac{D}{N}$|⁠.¹⁵

Note a potential source of confusion is that costs c are incurred per unit time, whereas rewards |$p_{block}$| are earned per block. The next two concepts help map between objects that are per unit time and objects that are per block. First, we can define profits per unit of trust support per unit time as

because some unit of trust support solves a block every |$\frac{D}{N}$| time in expectation and each of the N units is equally likely to be the winner.

Second, define honest equilibrium as follows:

   

Proposition 1 is widely known and is the standard characterization of a rent-seeking tournament: the prize in the tournament, |$p_{block}$|⁠, is dissipated by expenditures aimed at winning the prize, |$N^{^{*}}c$|⁠.¹⁶  Prat and Walter (2021) provide empirical support that equation (1) describes actual equilibrium behavior in the Bitcoin mining market, with some additional nuances related to capital adjustment costs.

III.B. Incentive Compatibilty Condition (Majority Attack)

Our conceptual question here is: how much security is generated by the amount of honest trust-support characterized in equation (1)? As discussed in Section II.C, it is widely understood that an agent who provides a majority of the trust support could successfully attack Nakamoto (2008)’s blockchain, for example, by double spending. This is an issue more generally with all forms of permissionless consensus: intuitively, the decentralized trust support “votes” on the true state of the blockchain, and the vote can be manipulated by a majority or supermajority. In this subsection, we focus on the direct costs of attacking a permissionless consensus protocol. In Section V we will consider the possibility that as a post-attack consequence of the attack, the attacker’s trust-support capital loses its value or is confiscated.

Consider an additional player, the attacker, not restricted to honest play. This player can attack by choosing |$AN^{*}$| units of trust support, |$A\gt 1$|⁠, for an |$\frac{A}{A+1}$| majority at cost |$AN^{*}c$| per unit time. Denote the expected duration of the attack by |$t(A)$|⁠; the timing details of attacks will vary by protocol, and we derive a closed form for |$t(A)$| for longest-chain proof of work in Section IV. Call |$AN^{*}c\cdot t(A)$| the gross cost of attack. The attacker can choose A to minimize |$A\cdot t(A)$|⁠. Call this optimum |$A^{*}\cdot t(A^{*})$|⁠; Online Appendix B studies this optimum numerically for longest-chain proof of work.

Let |$V_{attack}$| denote the value of attack. For now, let us think about this value of attack in the abstract but have in mind that the value of attack grows as the blockchain’s economic usefulness grows.

 

Two brief remarks are required. First, condition (2)  is the IC constraint for an outside attacker, but an attack could also come from an insider, that is, part of the current honest trust support |$N^{*}$|⁠. The outside attacker IC condition (2)   seems more attactive conceptually, because it treats the honest participants as small and dispersed per the Nakamoto ideal and in equilibrium with the level of compensation |$p_{block}$|⁠. That said, an inside attacker might be more realistic in practice; for example, for Bitcoin there is evidence that mining is concentrated (Makarov and Schoar 2021; Cong, He, and Li 2021). Second, the left side of condition (2)  is the gross cost of attack. However, the attacker would earn rewards for the blocks in their new chain, which subsidizes their attack. We come back to the distinction between gross and net costs of attack in Section III.D.

III.C. Equilibrium Constraint

In the hoped-for equilibrium in which participants are honest, the amount of trust support devoted to maintaining the blockchain is characterized by the zero-profit equilibrium (1).¹⁷ The IC condition (2)  relates this amount of trust support to the level of security generated. Since |$N^{*}c$| appears in both the zero-profit condition (1)  and the IC condition (2), we can combine the two equations:

  

Economically, this is a very expensive form of trust. Imagine if users of the Visa network had to pay fees to Visa, every ten minutes, that were large relative to the value of a successful attack on the Visa network. Imagine a brand was only as trustworthy as its flow investment in advertising. Imagine that a country were only as secure as its flow expenditure on soldiers at the border.

Another contrast is trust that is supported by rule of law. In such cases, the cost of cheating to the cheating party is related not to the direct costs of conducting the crime but to the costs of potentially getting caught and punished (Becker 1968). A government able to credibly impose large punishments (the parameter f in Becker’s model) can deter large attacks or crimes at comparatively low cost. As emphasized, the ingenious aspect of the Nakamoto (2008) form of trust is that it is completely anonymous and decentralized, without any reliance on the rule of law, relationships, or other traditional sources. This aspect also makes the Nakamoto (2008) form of trust much more expensive.

From a computer security perspective, the key thing to note about constraint (3)  is that the security of the blockchain is linear in the amount of expenditure on trust support. For instance, if attacking the system grows 1,000 times more attractive, then the cost of securing the system must grow 1,000 times as well. In contrast, in many other contexts investments in computer security yield convex returns, such as traditional uses of cryptography—analogously to how a lock on a door increases the security of a house by more than the cost of the lock. It is much more expensive to break modern cryptography than it is to implement it!¹⁸ Imagine if the cost of attacking Visa was that you had to have as much computational power as Visa for a few hours.

A blog post by Ethereum founder Vitalik Buterin (2016) deserves credit for an early informal statement of this equilibrium constraint:

Because proof of work security can only come from block rewards, and incentives to miners can only come from the risk of them losing their future block rewards, proof of work necessarily operates on a logic of massive power incentivized into existence by massive rewards. Recovery from attacks in PoW is very hard: the first time it happens, you can hard fork to change the PoW and thereby render the attacker’s ASICs useless, but the second time you no longer have that option, and so the attacker can attack again and again. Hence, the size of the mining network has to be so large that attacks are inconceivable. Attackers of size less than X are discouraged from appearing by having the network constantly spend X every single day. I reject this logic because (i) it kills trees, and (ii) it fails to realize the cypherpunk spirit—cost of attack and cost of defense are at a 1:1 ratio, so there is no defender’s advantage. (emphasis added).

Buterin’s language can be translated into the formal analysis of this article by dollarizing both uses of X: “Attackers of size less than X” can be interpreted as attackers with an attack opportunity worth less than |$V_{attack}$| (not as the size of the attacker’s computational power, or else the two X’s are not comparable). “Having the network constantly spend X every single day” can be interpreted as assuming that an attack takes one day, that is, |$A^{*}\cdot t(A^{*})$| is one day's worth of block-compute costs, and then requiring for security that |$A^{*}\cdot t(A^{*})\cdot p_{block}\gt V_{attack}$|⁠, that is, equation (3).

III.D. Zero Net Attack Cost Theorem

What we may call the net cost of attack can differ from the gross cost of attack, modeled above, for three potential reasons: block rewards, attacker cost frictions, and effects of the attack on the value of the cryptocurrency itself.

First, the attacker earns block rewards from their attack. That is, after the attacker’s alternative chain replaces the honest chain, the attacker earns the block rewards associated with the blocks in the new longest chain. These block rewards in effect subsidize the attack. An A attacker who attacks for t time performs |$At\cdot N^{*}$| units of trust support. If the difficulty stays constant at |$D^{\prime }=D^{*}=N^{*}$|⁠, then this corresponds to |$At$| block rewards in expectation. If the difficulty on the attacker chain adjusts upward, that is, |$D^{\prime }\gt D^{*}$|⁠, then the attacker will earn |$At\cdot \frac{N^{*}}{D^{\prime }}\lt At$| block rewards.

Second, the attacker may face frictions relative to the cost of honest trust support. For example, in proof of work, the attacker’s compute power might be less energy efficient than the honest miners’ compute power. In either proof of work or proof of stake, there might be frictions associated with starting and stopping the attack. Let |$\kappa \ge 0$| parameterize the attacker’s cost inefficiency relative to honest mining, such that their total cost of attack is |$(1+\kappa )At\cdot N^{*}c$|⁠.

Third, the attack may harm the value of the cryptocurrency. This reduces the value of the attacker’s block rewards and reduces the value of the cryptocurrency the attacker is left with after double spending. If we let |$\Delta _{attack}\ge 0$| parameterize this decline, this reduces the value of the attacker’s block rewards by |$\Delta _{attack}At\cdot N^{*}c$| and reduces the benefit of a double-spending attack originally worth |$V_{attack}$| by |$\Delta _{attack}V_{attack}$|⁠. If the attacker’s capital is specific to the attacked cryptocurrency (e.g., ASICs, stake), then the attack would reduce the value of the attacker’s capital as well; we return to this issue in Section V.

In the ideal case for the attacker with respect to these three sources of cost difference, we have the following remarkable conclusion:

  

The intuition behind this result is that the attacker is fully compensated for their trust-support costs for the same reason that honest participants are fully compensated for their trust-support costs under honest play. In effect, permissionless consensus treats the attacker as if they are an honest participant, because the majority determines the truth.

Tabarrok (2019), Auer (2019), Moroz et al. (2020), and Jacob Leshno (personal communication) derive similar results to Theorem 2 building off of Budish (2018).¹⁹Bonneau (2016)’s analysis of “bribery” attacks deserves early credit for the intuition that the net cost of attacking Bitcoin might be very small because of the block rewards subsidy, as does a blog post by Buterin (2017) who stated the idea in a footnote. Recent work of Gans and Halaburda (2023) generalizes the zero net attack cost result and, by incorporating transaction fees into their model, shows that it is possible for an inside attacker to have a slighty negative net attack cost.

To be clear, zero attack frictions seems unrealistic. But zero friction is often useful as a benchmark case, and the result does reinforce that Nakamoto trust is economically implausible when taken literally.

III.E. One-Shot Game Nash Equilibrium Analysis

The foregoing analysis uses a price-theoretic zero-profit equilibrium concept for honest play and contains several details that are helpful for mapping to the specifics of Nakamoto (2008) but are complex. As a complement to that approach, consider the following stylized one-shot game, which yields a Nash equilibrium solution and abstracts from some of the complexities.²⁰

There are I players. Each player i chooses a quantity |$x_{i}$| of trust support (work, stake, etc.) and a “posture” |$a_{i}\in \lbrace Honest,Attack\rbrace .$| Costs are c per unit of trust support. Define |$N=\sum _{i=1}^{I}x_{i}$|⁠. Payoffs are as follows. If there is a player i with |$x_{i}\gt \frac{N}{2}$| and |$a_{i}=Attack$|⁠, this player gets a payoff of |$V_{attack}$|⁠, gross of their costs. All other players get zero. Else, each player gets a payoff of |$\frac{x_{i}}{N}p$|⁠.

Our question is: under what conditions does there exist a Nash equilibrium, denoted |$\lbrace (a_{i}^{*},x_{i}^{*})\rbrace _{i=I}^{I}$|⁠, in which all players choose |$a_{i}^{*}=Honest$|? Call such a profile, if one exists, an honest equilibrium.

  

In words, this lemma tells us that the amount spent on trust support |$N^{*}c$| will be no greater than the compensation paid for this trust support p, analogously to equation (1).

    

An interpretation of the timing of this game is that p and c now represent, respectively, blockchain compensation and trust-support costs for an amount of time commensurate with the duration of an attack, that is, the analog of |$A^{*}\cdot t(A^{*})$| in equation (3). The result says that the cost of running the blockchain for an attack duration amount of time must exceed the value of attacking it.

Note that this simple model purposefully restricts attention to honest play or majority attack. Many prior game-theoretic analyses of blockchains assume that all players are small, eliminating the possibility of majority attack, but allow for a richer set of strategies for such small players than just honestly following the protocol (e.g., Eyal and Sirer 2014; Carlsten et al. 2016; Biais et al. 2019; Saleh 2021). Since Proposition 2 is a necessary condition for the existence of an honest equilibrium given the possibility of majority attack, the result still holds even with an enlarged strategy space including behaviors such as selfish mining in Eyal and Sirer (2014) or nothing at stake in Saleh (2021).

III.F. Comparison to Trust from Repeated Interaction

Since Schelling (1956) and Aumann (1959), economists have studied trust that is facilitated by repeated mutually beneficial interaction. Suppose two agents play a repeated prisoner’s dilemma game where each participant’s per period payoff from cooperation is |$\tau$| (for trust), a participant who defects while the other cooperates earns |$b\gt \tau$| (for betray), if both players defect they earn zero, and the discount factor is |$\delta$|⁠. In the well-known grim-trigger equilibrium, cooperation is possible if

that is, if the one-shot benefit of cheating is smaller than the net present value of the trusting relationship.

To compare this form of trust from repeated interaction, “Schelling trust,” to Nakamoto’s permissonless consensus, let us rewrite equation (4)  using |$V_{attack}\equiv b$| and |$V_{trust}\equiv \frac{1}{1-\delta }\tau$|⁠, and consider repeated play of the one-shot game we just analyzed in Section III.E. We thus have the comparison of incentive-compatibility conditions:

The reader will observe from expression (5)   that the first essential difference between Nakamoto (2008) trust and trust from mutually beneficial repeated interaction is on the cost-of-attack side. In Schelling (1956), the cost of attack is the loss of the net present value of the mutually beneficial relationship.²¹ The more valuable the relationship, the more value is secured against attack. In Nakamoto trust, by contrast, the repeated interaction among providers of trust support (e.g., miners) is zero profit, as if |$\tau =0$|⁠. Instead, the cost of attack comes from a different source, which is that for a short period of time (a single play of the game in Section III.E) an attacker has to be larger than the honest trust-support providers who are themselves playing a zero-profit game (in the limit as |$I\rightarrow \infty$|⁠). Put differently, in Schelling (1956) the cost of attack is a stock (the net present value of the relationship) whereas in Nakamoto (2008) the cost of attack is a flow (the recurring costs of honest trust support for a short period of time).

The second essential difference between these two forms of trust is the cost of honest play. In Nakamoto trust, honest play costs the same p per period as it costs to attack—that is the equilibrium cost to induce the zero-profit trust support on a continual basis. In Schelling (1956), conditional on an existing trust relationship, the recurring cost of honest play is zero. Of course, in many contexts, developing a trust relationship in the first place may take investment (e.g., investment in a brand), so one can think of the per period cost as the interest on this fixed cost investment.

Table I summarizes this comparison. It is also worth noting that Schelling trust on its own likely is not enough for high-value financial applications. In financial applications, one can think of |$\tau$| as the gains from trade in a transaction, and think of b as like the nominal value of the transaction (Budish and Sunderam 2023). So it takes a lot of repeated interaction to sustain trust for high stakes—it is helpful to have some support from the rule of law and collateral. We will return to this topic in Section VI (see especially Table VI).

IV. Analysis of Double-Spending Attacks

Equation (3)   tells us that the possibility of a double-spending attack places equilibrium constraints on Nakamoto’s novel form of trust. This section is an effort to understand these constraints quantitatively. For this quantification exercise, I focus specifically on Nakamoto (2008)’s proof-of-work longest-chain protocol. Section IV.A briefly describes the mechanics of a double-spend attack. Section IV.B analyzes the expected duration and cost of double-spend attacks. Section IV.C analyzes the implied equilibrium cost of Nakamoto trust using two related thought experiments for the value of attack. First, given a potential dollar value of |$V_{attack}$|⁠, what is the equilibrium cost of security in dollars and as a percentage of |$V_{attack}$|? Second, given a potential dollar volume of honest transactions using Nakamoto trust, denoted |$V_{honest}$|⁠, and an assumption that an attacker can double spend this honest volume for a period of time, what is the equilibrium cost of security as a percentage of honest transaction volume?

A caveat for this section is that there is no perfect way to model |$V_{attack}$|⁠. These thought experiments reflect my best attempt to analyze the equilibrium implications of the analysis in Section III as transparently as possible. Future research may improve on these efforts.

IV.A. Mechanics of a Double-Spend Attack

The canonical attack Nakamoto (2008) worries about is called a double spend, in which an attacker is able to spend the same currency multiple times by effectively deleting some of their transactions from the record. Such attacks are also called safety or consistency violations in the distributed-consensus literature. In a double-spending attack on a longest-chain consensus protocol, the attacker engages in the following actions in sequence:

• The attacker sends cryptocurrency in exchange for goods or assets, potentially in many transactions over many blocks.

• The attacker allows those transactions to be added to the blockchain in the usual way, described in Section II.B.

• The attacker works in secret to create an alternative longest chain that does not include the transactions in (i). Instead they send the cryptocurrency to other accounts they control.

• The attacker waits for any escrow periods to elapse, so they receive the goods or assets they transacted for in (i).

• The attacker releases their alternative longest chain. The attacker now has both the goods or assets they transacted for and their cryptocurrency.

See Figure III for an illustration.

IV.B. Duration and Gross Cost of Attack

The denominator of the right side of equation (3), |$A^{*}\cdot t(A^{*})$|⁠, is the cost of a double-spend attack in units of equilibrium per block trust-support costs |$N^{*}c$|⁠. It is possible to obtain a closed-form expression for the expected duration t of a double-spending attack as a function of the attacker majority A and other parameters that affect duration. Specifically, let e denote the escrow period, and let k denote the number of blocks in which the attacker places transactions that they will subsequently revert (i.e., the number of blocks in step (i) of the attack). Assume that honest participants produce new blocks as a Poisson process with arrival rate one and the attacker produces new blocks as a Poisson process with arrival rate A.

  

Prior work by Grunspan and Pérez-Marco (2018, 2022) derives closely related mathematical results for the analysis of an attacker with less than 50% of the total hash power. Expression (6)   can be understood as follows. In the attacker’s best case, their attack takes |$k+e$| time. This best case occurs if, as soon as the honest participants have produced |$k+e$| blocks and all of the assets the attacker has transacted for have been released from escrow, the attacker is ready with their alternative longest chain of at least |$k+e+1$| blocks. Suppose, on the other hand, that the attacker is behind the honest chain by |$i\ge 0$| blocks at the time the honest participants produce their |$k+e$| block. Given the Poisson arrival processes, it will take the attacker |$\frac{i+1}{A-1}$| of time in expectation to strictly surpass the honest chain. The last part of the expression gives the probability that the attacker’s deficit is i blocks.

Table II provides example calculations of duration t and the gross trust-support-cost term |$At$|⁠. For example, if |$k+e=12$| blocks (2 hours), then attacker majorities of |$A=1.2-1.5$| generate average attack durations of 13.4–19.7 blocks, or about 2–3.5 hours, and average gross costs of 20.1–23.6 times |$N^{*}c$|⁠. Notably, smaller majorities lead to significantly longer attack durations and higher costs. For example, if |$A=1.05$|⁠, which corresponds to a 51.2% attacker majority, the average duration is 56.6 blocks (9.5 hours) and the average gross cost is 59.4 times |$N^{*}c$|⁠.

As |$k+e$| grows larger, the average attack duration t gets proportionally closer to the best-case duration |$k+e$| for all values of A. The intuition for this is simple law of large numbers. However, even for very large values of |$k+e$|⁠, such as |$k+e=$| 1,008 which corresponds to a full week, the gross-cost-minimizing attacker majority is larger than 51%. It is true that a 51% majority is enough to ensure statistically that the attack will eventually succeed, but a cost-minimizing attacker will choose a somewhat larger majority.

Online Appendix B provides numerical analysis of the cost-minimizing attacker majority |$A^{*}$| and minimum gross costs |$A^{*}\cdot t(A^{*})$| as a function of |$k+e$|⁠.

IV.C. Implied Equilibrium Cost of Nakamoto Trust

1. Thought Experiment 1: What Is the Equilibrium Cost of Security for a Given Value of |$V_{attack}$|?

A majority attacker will not use their majority to double spend for a cappucino at Starbucks. They will use their majority to conduct transactions that are as large as possible given the current uses of cryptocurrencies, possibly using many different addresses over many blocks of transactions. |$V_{attack}$|⁠, therefore, can be understood as a statistic on the economic usefulness of Nakamoto trust. The higher the economic throughput of the blockchain for honest participants, the more value an attacker can double spend.²²

In this first thought experiment, I simply consider a wide range of dollar values for |$V_{attack}$|⁠. I use $1,000 as the low end of this range, representing Bitcoin’s early days when even buying a pizza was remarkable. I use $100 billion to represent the high end of this range. Although arbitrary, this seems a reasonable order of magnitude for a large-scale attack on the global financial system—for example, the U.S. financial system has daily transaction volume that conservatively exceeds $4 trillion (Budish and Sunderam 2023). This figure also represents about 7% of Bitcoin’s peak market capitalization.

Table III presents results for a base case scenario in which |$k+e=12$|⁠. This corresponds to an escrow period of one hour (⁠|$e=6$|⁠), as is standard practice for Bitcoin, and an assumption that the attacker spreads their double-spend transactions over one hour’s worth of blocks (⁠|$k=6$|⁠).²³ To keep the Nakamoto blockchain secure in this base case requires a per block cost that is 5.00% of the value secured against a double-spending attack. This follows directly from equation (3), rewritten as |$\frac{p_{block}}{V_{attack}}\ge \frac{1}{A^{*}\cdot t(A^{*})}$|⁠, with |$t(A^{*})=13.99$| at the attacker-optimal choice of |$A^{*}=1.43$| (or 59%). Per transaction, assuming 2,000 transactions per block, the cost is 0.0025% of the value secured against attack.

These costs likely sound economically plausible. But consider how they scale with time and the amount of value secured. A cost of 5% per block amounts to 720% of the value secured against attack per day, and about 263,000% of the value secured against attack per year. For example, to secure the system against a $1 billion attack requires $2.63 trillion of annual security expense. To secure the system against a $40 billion attack requires $105 trillion a year, or all of 2023 global GDP per the World Bank.

The per transaction fee of 0.0025% likely sounds very small, but this is a percentage of the value secured against attack, not the size of the transaction. For example, if an attack could be worth $1 billion, then each transaction must pay 0.0025% of $1 billion which is $25,000 of security costs. The intuition is that every transaction has to implicitly pay for the costs of the large standing army—as if a transaction for a cappucino has the security required by Fort Knox.

Table IV presents a sensitivity analysis. As the escrow period e grows, and the number of blocks k it takes the attacker to execute their double-spend transactions grows, the cost of security declines. Whereas the cost of security is 5% of |$V_{attack}$| per block in the base case, the cost declines to 0.09% of |$V_{attack}$| if |$e+k$| amounts to a week (⁠|$e+k=$| 1,008). However, even in the scenario where |$e+k$| equals a week, the cost to secure against large attacks remains high. To secure against a $10 billion attack requires an annual security cost of $478 billion, which is more than the United States’ annual spending on prisons, courts, and police (see Section VI). To secure against a $100 billion attack requires an annual security cost of 4.5% of global GDP.

2. Thought Experiment 2: What Is the Equilibrium Cost of Security as a Percent of Honest Transaction Volume?

As a second thought experiment, assume that honest users of a cryptocurrency transact an average of |$V_{honest}$| of volume per block, and that a majority attacker can double spend exactly this average honest volume per block, for k blocks total. That is, |$V_{attack}=kV_{honest}$|⁠. This is a simple structural model in which the value of a majority attack grows with economic usefulness, as measured by the amount of honest transaction volume. I caution that this thought experiment has likely biases in both directions. It is conservative in that a majority attacker would seek to transact the largest possible amounts, not just average amounts.²⁴ It is aggressive in that a majority attacker would likely share block space with honest users whose transactions happen to be in the mempool at the time the attacker starts double spending.

Table V presents results for this thought experiment. In the base case in which the escrow period is one hour (⁠|$e=6$|⁠) and the attacker can double spend for one hour worth of blocks (⁠|$k=6$|⁠), that is, |$V_{attack}=kV_{honest}$| corresponds to one hour of average honest transaction volume, the equilibrium cost of security is 30% of |$V_{honest}$| per block.²⁵ This percentage cost increases with the number of blocks the attacker can double spend for and decreases with the escrow period. For example, if the attacker can double spend one hour of average honest transaction volume (⁠|$k=6$|⁠), but the escrow period is one day (⁠|$e=144$|⁠), then the required security cost is just 3.31% of honest transaction volume—roughly in line with the costs of credit card transactions in the traditional financial system. In the other direction, if the escrow period is the standard one hour (⁠|$e=6$|⁠) but the attacker can double spend one day’s worth of average honest transaction volume (⁠|$k=144$|⁠), then the required security cost is 79% of |$V_{honest}$| per block. For any fixed escrow period, the cost converges to 100% of |$V_{honest}$| as |$k\rightarrow \infty$|⁠.

IV.D. Discussion

The double-spending analysis is consistent with the modest early use cases of Bitcoin, in which Bitcoin was primarily used by hobbyists and for small-scale black market activity (e.g., online gambling, Silk Road). In these early days, the amount that could be gained in a double-spending attack was not very high, because there were not high-value transaction opportunities. If a double-spending attack could gain at most $1,000, then the implicit cost per transaction in the base case necessary to secure the trust is just $0.025.

The double-spending analysis is also consistent with larger-scale black market uses of cryptocurrencies, especially as black market users may be most willing to pay the high implicit costs. For example, if a double-spending attack could gain at most $10 million, then the implicit cost per transaction in the base case needs to be about $250. This is modest relative to the costs of transporting large amounts of cash (Rogoff 2017).

Where the analysis suggests greater skepticism is the use of cryptocurrencies and Nakamoto trust as a major component of the mainstream global financial system (again, considering its pure form without support from the rule of law). If cryptocurrencies and Nakamoto trust were to become more integrated with the mainstream global financial system, then it would be possible to move amounts of value that are ordinary in the scheme of global finance, and hence it would be possible to double spend for amounts of value that are ordinary in the scheme of global finance. The analysis suggests that this scenario is unrealistic because of the way the trust model scales. To secure the system against attacks of $1 billion—which is less than 0.2% of daily trading volume in the U.S. Treasury market alone—requires a per transaction security cost of $25,000 and an annual security cost of $2.6 trillion. To secure against attacks of $40 billion requires an annual security cost of all of global GDP. While market power and fees in traditional finance are clearly an important economic issue (Greenwood and Scharfstein 2013; Philippon 2015), and Huberman, Leshno, and Moallemi (2021) are careful to remind us to compare the costs of the Nakamoto trust model against the costs of market power in traditional finance, it is clear from these calculations that Nakamoto trust is very expensive relative to traditional trust. I return to this comparison between Nakamoto trust and traditional trust in Section VI.

A conceptual insight that is reinforced by the double-spending analysis is that blockchain security should be thought of not as a 0-1 variable that breaks at a threshold |$\rho$|⁠, as in the distributed consensus literature, but as more like a (high) percentage tax.

V. Specific Capital and Collapse

Nakamoto (2008) envisioned that ordinary computers would be used to maintain the Bitcoin blockchain, famously using the phrase “one-CPU-one-vote.” Since 2013, however, Bitcoin mining has been dominated by specialized computer chips called ASICs (application-specific integrated circuits). ASICs have the SHA-256 hash function etched directly onto hardware, which makes them extremely efficient at Bitcoin mining and useless for any other application that does not involve performing a large number of SHA-256 hashes.²⁶ Many of the other largest cryptocurrencies use a proof-of-stake consensus protocol, most prominently Ethereum since fall 2022. With proof of stake, the capital used to maintain the blockchain is intrinsically specialized to the blockchain, as the capital is literally units of the cryptocurrency.

If the capital used to maintain the blockchain is specialized (as opposed to repurposable), and a majority attack causes the attacker’s capital to lose its value or be confiscated, then the attacker cost model needs to be modified. In addition to charging the attacker the flow cost of the attack, we also need to charge the attacker the stock value of their loss of specialized capital. This makes an attack significantly more expensive.

Section V.A redoes the theoretical analysis of Section III under an alternative incentive constraint that includes the stock value of the attacker’s capital. Section V.B considers three logical possibilities for how an attacker might lose their capital value: collapse of the cryptocurrency, internal-to-protocol punishment without collapse, and external-to-protocol responses to the attack. Section V.C discusses the analysis.

V.A. Analysis if an Attacker Loses Their Capital

Let |$c=rC+\eta$| denote the cost per unit time to supply one unit of trust support, where C denotes the fixed cost of specialized capital (e.g., ASICs, stake), r denotes the rental cost of capital per unit time (risk-adjusted interest expense plus depreciation), and |$\eta$| denotes variable costs per unit time (e.g., electricity). The honest Nakamoto trust equilibrium condition (1)   can be rewritten:

An outside attacker would need at least |$N^{*}C$| worth of specialized capital to conduct the attack, whereas an inside attacker would need at least |$\frac{N^{*}C}{2}$| of capital.

For this subsection, let us focus on an outside attacker who loses all of their capital as a result of the attack, for example, because of a total collapse of the cryptocurrency—this is the case for which the cost of attack is highest. Given how small the flow costs of attack are, as analyzed in Section IV, let us ignore these and focus only on the stock cost of the specialized capital. This yields an approximate attack cost of |$N^{*}C$| and an approximate incentive compatibility condition of

We can compute |$N^{*}C$| as a function of |$p_{block}$|⁠. Let |$\mu =\frac{rC}{rC+\eta }$| denote the capital share of trust support. The honest equilibrium equation (7)  can be rewritten:

Hence we can derive a modified version of equation (3):

This is several orders of magnitude more secure than equation (3)  because r is the interest rate per unit time. Here is an example calculation for Bitcoin. Assume the capital share of mining is |$\mu =0.4$| (De Vries 2018; Digiconomist 2022), and the annual discount rate for ASICs is 50% (ASICs depreciate quickly and mining is risky), which implies that the per unit time discount rate is |$r\approx 0.0008\%$|⁠. This means |$\frac{r}{\mu }=0.002\%$|⁠. Now compare |$\frac{r}{\mu }$| on the right side of equation (10)  to the |$\frac{1}{A^{*}\cdot t(A^{*})}$| factor on the right side of equation (3). If we use the base case value of |$\frac{1}{A^{*}\cdot t(A^{*})}=5.0\%$|⁠, we have a roughly 2,500-fold improvement in the cost of security.

If we use these same values for |$\mu$| and r and use |$p_{block}$| of $250,000, then equation (9)  implies a capital stock of $12.5 billion, which about matches what is implied by current prices for state-of-the-art ASIC machines.²⁷ This suggests these magnitudes are reasonable.

V.B. Issue: How Does an Attacker Lose Their Capital?

1. Collapse of the Cryptocurrency

One way the attacker can lose their capital value is if the majority attack causes a significant decline in the value of the cryptocurrency. For example, a majority attack on a major cryptocurrency would be widely reported and might cause a market crash.

Mathematically, suppose the majority attack causes a proportional decline in the value of the cryptocurrency of |$\Delta _{attack}$|⁠. If the specialized capital is stake, and the attacker is unable to withdraw their stake before the decline occurs, then their stake declines in value by |$\Delta _{attack}N^{*}C$|⁠. If the specialized capital is hardware, and the attacker is unable to liquidate their hardware before the decline occurs, then the decline can be faster than rate |$\Delta _{attack}$|⁠. Specifically, if we assume that the market is in equilibrium (7)  before the attack and we assume that the postattack equilibrium value of specialized capital reflects a permanent decline in block rewards of |$\Delta _{attack}$|⁠, then the specialized capital declines in value by proportion |$\max (1,\frac{\Delta _{attack}}{\mu })$|⁠.²⁸

Thus, if |$\Delta _{attack}$| is large, this significantly increases the attacker’s costs. The Bitcoin Wiki classifies the majority attack into its “probably not a problem” category for this reason (Bitcoin Wiki 2020).²⁹ However, vulnerability to collapse is undesirable for two related reasons. First, collapse harms honest holders of the cryptocurrency and the specialized capital. Second, there is the possibility of an attack motivated by this harm per se, that is, a sabotage attack. The possibility of a sabotage attack was first raised by Rosenfeld (2014).³⁰

What is the value of a sabotage attack on a significant cryptocurrency such as Bitcoin or Ethereum? It is hard to say, of course, but easy to imagine that the magnitudes are already large and would be larger still if cryptocurrencies become more significantly integrated into the global financial system. Open interest in CME Bitcoin futures as of April 2024 is about 28,000 contracts, each tracking five Bitcoins, worth about $9 billion at current prices. According to data from The Block, open interest in Bitcoin futures aggregated across the major crypto exchanges is about $24 billion as of April 2024 and about $9.5 billion for Ethereum futures.³¹ These figures give a sense of magnitudes for what could be made from a short-selling attack.

The market capitalization of cryptocurrencies gives another sense of magnitudes for the amount of economic harm an attacker could cause. Bitcoin’s market capitalization has been as high as about $1.4 trillion and Ethereum’s as high as about $500 billion. Across all crypto assets tracked by CoinMarketCap, market capitalization peaked at about $3 trillion. Paypal co-founder Peter Thiel (2022) recently predicted that Bitcoin will be worth more than $100 trillion.

Last, Ethereum founder Vitalik Buterin described a future in which it is “just considered normal for there to be trillion dollar assets that are managed on Ethereum” (Klein 2022, emphasis added). If indeed assets of that magnitude are managed on Ethereum or other blockchains, without implicit or explicit protections from the rule of law, then the value and risk of sabotage would be large.

2. Internal-to-Protocol Punishment without Collapse

It would be very attractive to get the security benefits of an attack costing a stock not a flow, that is, an attack that costs |$O(N^{*}C)$| yielding equilibrium constraint (10)  rather than costing |$O(N^{*}c)$| yielding equilibrium constraint (3), without needing the cryptocurrency to collapse. This is what Ethereum proof-of-stake consensus with “slashing” is trying to accomplish.

Slashing relies on two distinct departures from Nakamoto (2008)’s version of permissionless consensus. First, the trust-support capital is stake that exists on-chain, as opposed to computational equipment that exists in the physical world off-chain. Second, Ethereum’s consensus protocol requires, roughly speaking, at least |$\frac{2}{3}$| of all of the trust-support capital to sign a block before it is added to the record, in what is known as the BFT paradigm. These features together mean that in the event of a double-spending attack, the attacker will leave cryptographic proof that they have violated the protocol. If blocks A and |$A^{\prime }$| conflict each other (e.g., send the same currency to two different places), then for both to be confirmed, at least |$\frac{2}{3}$| of all of the stake has to have signed A and |$\frac{2}{3}$| has to have signed |$A^{\prime }$|⁠, so at least |$\frac{1}{3}$| of all of the stake has to have signed both conflicting transactions. The idea of slashing is simply to confiscate the stake that has signed conflicting transactions—to “slash” it from the record. See Figure IV.

Intuitively, slashing is trying to mimic the traditional trust combination of collateral plus rule of law. A counterparty posts collateral, and if they cheat the legal system can seize the collateral. The difficulty is that a large-enough attacker can effectively control or stall the protocol’s legal system. An impossibility result of Tas et al. (2023) (Theorem 1) shows that is is impossible for a proof-of-stake protocol to achieve any positive amount of what they call “slashable safety,” meaning confiscating any positive amount of the attacker’s stake, if the attacker can be large enough. The proof shows that a large-enough attacker (specifically, with at least |$\rho =\frac{2}{3}$|⁠) can always withdraw all of the capital that signed conflicting transactions before the confirmation of any transactions that slash their stake.

Budish, Lewis-Pye, and Roughgarden (2024) provide a possibility result for proof of stake with slashing to successfully confiscate the attacker’s capital that signed conflicting transactions if both (i) the attacker is strictly less than |$\rho =\frac{2}{3}$| of the total stake, and (ii) there is a known finite bound on the maximum possible network delay.³² The protocol used to prove the result has a lock-up period for stake that is long relative to the maximum possible honest network delay and constructs an in-protocol recovery from attack procedure that a sub-|$\frac{2}{3}$| attacker cannot thwart. A rough intuition for how recovery is possible is that an attack requires at least |$\frac{1}{3}$| of the total stake to sign conflicting transactions (per Figure IV), so a sub-|$\frac{2}{3}$| attacker is thus left with |$\lt \rm {\frac{2}{3}-\frac{1}{3}=\frac{1}{3}}$| of stake that is not accused of attack, which is less than 50% of the total nonaccused stake.

A separate issue with BFT-style consensus is what are known as liveness attacks. Because |$\frac{2}{3}$| of all stake has to sign each block, an attacker with greater than |$\rho =\frac{1}{3}$| of the total stake can effectively halt transactions for a significant period of time.³³ If Ethereum were to become more integrated into the traditional global financial system, this would seem to be a significant source of attack risk. Unlike for a safety violation as depicted in the figure, a liveness attack does not leave any cryptographic proof of the attacker’s malfeasance. The silent stake could be having a legitimate network outage or computer failure. For these reasons, Ethereum does slash stake that is silent for a long period of time, but very slowly. By my calculations, one could halt Ethereum for a day at a cost of 0.09% of the total honest stake, two days at a cost of 0.37% of the honest stake, a week at a cost of 4.68% of the honest stake, and two weeks at a cost of 20.53% of the honest stake.³⁴

I conclude that Ethereum proof of stake with slashing achieves a security improvement over Bitcoin that can be understood through the lens of this article’s analysis: a sub-|$\frac{2}{3}$| double-spend attacker incurs costs that are |$O(N^{*}C)$| even if |$\Delta _{attack}=0$|⁠. However, to deter |$\gt \frac{2}{3}$| attackers or to deter liveness attacks in the event Ethereum becomes more integrated with global financial markets likely requires a source of trust support external to the protocol, such as the rule of law.³⁵

3. External-to-Protocol Punishment

The third logical possibility for how an attacker could lose their capital value is by a punishment external to the blockchain protocol. For example, an attacker who engaged in the short-selling attacks discussed above might face legal consequences, which could include prison and significant financial penalties. This would certainly work in the sense of getting the security benefits of equilibrium constraint (10)   rather than equation (3), but the whole question of this article is whether Nakamoto’s novel form of trust works economically without government and the rule of law.

V.C. Discussion

The theoretical analysis of Section V.A shows that if the attacker loses their capital as a result of the attack, permissionless consensus becomes significantly more economically attractive. A 2,500-times improvement in the cost of trust is enough to transform Nakamoto’s novel form of trust from being extremely expensive relative to traditional forms of trust to competitive with traditional trust. For example, referring to Table III, the cost to secure against an attack of $100 billion goes from about 2.5 times global GDP to just over $100 billion a year, which is the same order of magnitude as spending on police, courts, and prisons in the United States (see Section VI). Or, referring to Table V, if we assume an attacker can double-spend for |$k=6$| blocks of honest volume and the escrow period is |$e=6$| blocks, then the cost to secure against attack goes from a 30% tax on honest transaction volume to just 0.012% of honest transaction volume, which is cheaper than most payment fees.

The difficulty is how the attacker loses their capital. Collapse risk does not seem like a plausible foundation for a novel economic system, especially when one considers the possibility of sabotage. In-protocol punishment without collapse would be very attractive but faces impossibility theorems that suggest it is only a partial solution. External-to-protocol punishment certainly could work but begs the question of what is accomplished if permissionless consensus is ultimately reliant on traditional rule of law.

VI. Comparison of Nakamoto Trust and Traditional Trust

In this section, I return to the contrast discussed in the introduction between Nakamoto trust and traditional trust supported by the rule of law and complementary sources, such as reputations and relationships. The essential difference is economies of scale.

VI.A. Beckerian Deterrence as an Economy of Scale

For concreteness, consider a financial transaction between two parties of size V, but where one of the parties has an opportunity to cheat and steal the other party’s assets. Specifically, Party 1 chooses an action from the set |$\lbrace Engage,\ Don^{\prime }t\ Engage\rbrace$|⁠; Party 2 chooses an action from the set |$\lbrace Honest,\ Cheat\rbrace$|⁠. If the players choose |$Engage$| and |$Honest$|⁠, then both parties get a payoff of |$\tau \gt 0$|⁠, representing the net benefit of an honest transaction; but if Party 1 chooses |$Engage$| and Party 2 chooses |$Cheat$|⁠, then Party 2 gets a payoff of V and Party 1 gets a payoff of |$-V$|⁠, representing that Party 2 has stolen Party 1’s assets. If Party 1 chooses |$Don^{\prime }t\ Engage$|⁠, then both parties get a payoff of zero. Clearly, in the game as described so far, the only equilibrium is for Party 1 to choose |$Don^{\prime }t\ Engage$|⁠, so the parties will forgo the benefit of transacting. (See Dixit 2004 for analysis of similar game forms.)

Now add a legal system with the power to enforce contracts. Specifically, if Party 2 plays |$Cheat$|⁠, Party 1 can pay a cost |$c_{l}$| to adjudicate the transaction in court, and the court can perfectly observe whether Party 2 played |$Cheat$| or |$Honest$|⁠. If the court observes that Party 2 played |$Cheat$| it can compel Party 2 to return Party 1’s assets and punish Party 2 with a large fine f. In this scenario, Party 1’s payoff is |$-c_{l}$|⁠, the cost of bringing the matter to court, and Party 2’s payoff is |$-f$|⁠, the cost of the fine.

Clearly, the legal system makes it an equilibrium for the parties to transact honestly; the credible threat of a large fine deters Player 2 from cheating. Since the players will transact honestly on the equilibrium path, the court need not even involve itself with most transactions in the first place. This is the point emphasized in the introduction about the economies of scale in traditional trust that is implicit in Hayek (1960) and Becker (1968). The key insight is: a society that pays a fixed cost of operating a court system can facilitate honest transactions that have zero marginal cost of security because of the deterrence effect. This is a scale economy for traditional trust.

We can translate this conceptual point about scale economies for traditional trust into the language of our earlier analysis. Consider the stripped-down model of Section III.E augmented in two ways. First, as in Section IV.C, add a parameter |$V_{honest}$| that represents the average volume transacted per period by honest users of the system if trust is secured. Second, model traditional trust as costing a fixed cost F plus a variable cost per unit transacted of c, such that society’s cost of traditional trust is |$F+cV_{honest}$| per period. In Figure I, the c can be interpreted as the cost of the security guards outside the bank and the F can be interpreted as society’s cost of police and courts.

The two trust models’ cost per unit volume are thus:

Traditional trust has scale economies to the extent that fixed costs F that support trust can scale over a large quantity of transaction volume |$V_{honest}$|⁠. Beckerian deterrence of crime is a leading example. Similar scale economies of trust arise in the private sector from fixed-cost investments in brands, reputation, relationships, or collateral. Often such investments work in conjunction with societal fixed-cost investments in rule of law. For example, a firm’s brand, reputation, or relationships can serve as a credible commitment to provide high quality on those dimensions of quality that are not contractible (Nelson 1974; Fudenberg, Levine, and Maskin 1994; Tadelis 1999; Baker, Gibbons, and Murphy 2002; Levin 2003), while laws or contracts can cover the dimensions that are contractible.

Collateral is a particularly important example to discuss in our context. Imagine that a bank intermediates the transaction above between Party 1 and Party 2 and has general-purpose collateral on its balance sheet that exceeds the value of the transaction. The bank can be trusted not to abscond with the parties’ assets, without any appeal to reputation or brand, if a court can compel it to compensate the parties out of its general-purpose collateral if it cheats. Moreover, the cost of general-purpose collateral as a source of trust support is low because collateral earns a market rate of return. Under the assumptions of the Modigliani and Miller (1958) theorem, the cost of collateral as a source of trust support is zero. Estimates from the empirical literature on the magnitudes of violations of the Modigliani-Miller theorem find that the cost of collateral is not literally zero but is less than 1% per year of the collateral amount, which likely translates to less than 0.01% of transaction volume (see Budish and Sunderam 2023). That is, |$\frac{F}{V_{honest}}\lt 0.0001$| for collateral.

Nakamoto trust, by contrast, only enjoys economies of scale with transaction volume if the scope for attacking the system |$V_{attack}$| does not grow with the system’s usefulness for honest participants |$V_{honest}$|⁠, which seems unlikely without support from the rule of law. In the stylized financial transaction, the size of the attack opportunity equals the size of the honest transaction, that is, |$\frac{V_{attack}}{V_{honest}}=1$|⁠. Indeed, the ratio |$\frac{V_{attack}}{V_{honest}}$| could easily exceed 1, as a majority attacker will engage in large transactions whereas |$V_{honest}$| measures the size of average transactions.

Table VI presents a summary comparison of these different forms of trust.

VI.B. Sense of Magnitudes for Finance

Total annual spending on police, prisons, and courts, at the state, local, and federal level, is about $300 billion a year in the United States (Urban Institute 2023). Real value added in the U.S. financial industry is about $800 billion a year.³⁶ So we could use $1 trillion a year as a conservative upper bound for the cost of trust in the U.S. financial sector, since the former figure includes spending that is unrelated to finance and the latter figure includes spending that is unrelated to trust.³⁷ We can use $1 quadrillion a year as a conservative lower bound for transaction volume in the U.S. financial sector (Budish and Sunderam 2023). We can thus upper bound the cost of trust support |$\frac{F}{V_{honest}}+c$| in traditional finance by 0.1% of transaction volume. Clearly this is just a rough ballpark. Many fees in traditional finance, especially for large transactions, are on the order of 0.01% or less of transaction volume.³⁸

VII. Conclusion

Nakamoto (2008)’s novel form of trust—a completely anonymous and decentralized permissionless consensus, without any support from government or trusted intermediaries—is ingenious but expensive. Equation (3)  says that for the trust to be meaningful requires that the flow cost of maintaining the trust must be large relative to the one-shot value of attacking it. This is like a very large implicit tax. Moreover, the cost of Nakamoto trust scales linearly with the value of the attack—for example, securing against a $1 billion attack is 1,000 times more expensive than securing against a $1 million attack. This equilibrium constraint suggests that if cryptocurrencies were to become a more significant part of the global financial system than they have been to date, then their costs would have to grow to absurd levels (absent implicit support from rule of law). In the base case analysis considered in Section IV, it would take all of global GDP to secure the system against a $40 billion attack. Traditional trust, whether from rule of law, reputations, relationships, collateral, and so on, is by no means perfect but is a bargain relative to Nakamoto (see Section VI).

A conceptual insight of this article for computer science is that the economic security of a permissionless consensus protocol should be thought of not as a 0-1 variable that simply breaks at a threshold |$\rho$|⁠, as in the classic distributed-consensus literature (e.g., Lamport, Shostak, and Pease 1982; Dwork, Lynch, and Stockmeyer 1988), but as an incentive-compatibility constraint. This is what allows for if-then equilibrium reasoning about the plausibility of permissionless consensus at scale.

Nakamoto trust would be a lot more economically attractive if an attacker lost the stock value of their capital in addition to paying the flow cost of attack, as considered in Section V. However, this requires either that security rests on the possibility of outright collapse, or that the blockchain is ultimately reliant on an external source of trust support if there is a large-enough attacker, such as rule of law.

It bears emphasis that the article's analysis is consistent with the continued use of cryptocurrencies and blockchains for black market purposes, and more generally in use cases where users are willing to pay the high implicit costs of anonymous, decentralized trust.

This study’s analysis is also consistent with the usefulness of the blockchain data structure without  Nakamoto (2008)’s novel form of trust. This is often called distributed ledger technology or a permissioned blockchain (see footnote 2 and Section II.E). Indeed, what this article highlights is that it is exactly the aspect of Nakamoto (2008) that is so innovative relative to these kinds of distributed databases—the anonymous, decentralized trust—that is the source of its economic limits. As one specific example, it is completely consistent with the present analysis that central bank digital currencies (CBDCs) could be of high economic value. CBDCs take some technical inspiration from cryptocurrencies but are anchored in traditional trust from rule of law and the reputation of central banks, and thus do not face the scaling problem of Nakamoto trust highlighted here.

At a broader level, this article builds on the view tracing all the way back to Adam Smith that government and laws are essential ingredients for the market system. A central point this article has tried to emphasize is a fairly simple one implicit in Hayek (1960) and Becker (1968), though I have not seen it stated explicitly in this language, which is that traditional trust supported by the rule of law enjoys economies of scale. Society pays the fixed cost of the apparatus of the rule of law, or firms pay the fixed cost of building a brand or reputation or holding collateral (each of which works in conjunction with laws), and these fixed-cost assets can provide trust over a large number of economic activities at low or zero marginal cost.

VII.A. Directions for Future Research

I highlight two directions for future research. First and most directly, is there a “solution” to this paper’s critique of Nakamoto trust? Informally, is there a way to generate trust in a public data set (or specifically a cryptocurrency) that has some of the anonymity and decentralization aspects of Nakamoto (2008) while being signficantly less economically constrained by the arguments in this article?³⁹  Online Appendix A describes several of the responses this study has received since it first circulated in 2018. The most promising responses combine blockchain-based trust with traditional trust in some way. For example, Ethereum’s new protocol algorithmically mimics the combination of collateral plus rule of law to punish sub-|$\frac{2}{3}$| attackers but must rely on some external source of trust support to punish large-enough attackers. If large sums of money were in dispute, it seems likely that this external source of trust support would involve the rule of law. Another interesting response is to concede that blockchain trust is intrinsically very expensive, per my argument, but only use it for occasional large transactions with long escrow periods (Layer 1), while most transactions are conducted off-chain (Layer 2), supported by external sources of trust. The idea of Bitcoin as a “digital gold” held by traditional institutional investors also fits this paradigm. Bitcoin exchange traded funds have over $1 billion of volume per trading day, traded on traditional regulated stock exchanges and managed by institutions like Blackrock and Fidelity. An open conceptual question about these responses is what the permissionless consensus part adds given the ultimate reliance on external sources of trust support. Are these combinations of permissionless consensus and traditional sources of trust superior to existing alternatives? Does permissionless consensus expand the production possibilities frontier for trust?

The second direction for research is a broader conceptual question. How should economists and computer scientists model trust that comes from a combination of technology and rule of law? More generally, how should researchers understand trust when it comes from multiple sources in the same transaction that work in complement?⁴⁰ This is often the case in practice, with trust arising from some combination of the rule of law, reputations, relationships, brands, collateral, norms, technology, and so on, often implicitly and without drawing notice. For example, a large financial institution like JP Morgan is trusted in a particular transaction because of its reputation and relationships, its balance sheet collateral, its technology, and ultimately the protection that comes from the legal system. Even the most ordinary of transactions, like buying a cup of coffee at the local coffee shop, enjoys trust from multiple sources. The consumer trusts the coffee shop to provide quality coffee because of reputational incentives and perhaps implicitly food safety laws. The coffee shop trusts the consumer’s payment if cash because counterfeiting is technologically complex and illegal, and if electronic because of traditional cryptography and because the financial intermediary has reputational, relational, and legal reason to follow through. The employee trusts their employer to follow through with promised compensation because of laws and the implicit relational contract. The customer and the employee trust the other not to rob them because of laws and social norms. All this trust for a cup of coffee! These multiple layers of trust that work together for even the most ordinary of economic transactions are likely part of what makes the traditional market system so robust and, dare I say, beautiful.

Footnotes

References