Bitcoin is Decentralised

• Making changes to the Bitcoin software is trivial, however, if a modified version violates certain consensus rules, it will become incompatible and leave subscribing users to operate an alternative asset and transaction record.

• Mining pools do not enjoy custodial controls over the hashrate produced by the miners they engage with. This, along with the economic interests of both miners and pools, diminish the practical threat of any pool(s) related attacks.

• Measuring the distribution of wealth across bitcoin holders should consider, among other intricacies, that singular exchanges, custodians and ancillary networks represent many individual investors.

• Effectively isolating a member of the Bitcoin network requires fully controlling each of its connections, as well as simulating valid network activity akin to the recognisable condition. These challenges are not practical.

• If a change is made to the Bitcoin software, it does not necessarily mean that users will choose to update their software and enforce those changes. This is a meaningful difference that the report did not account for.

This document is intended to respond to the high profile report prepared by Trail of Bits in correspondence with the Defense Advanced Research Projects Agency (DARPA), provided for your consideration.

Unfortunately, the report is premised on several misconceptions about Bitcoin, which have previously been debunked or conflate network participants and their responsibilities. We have highlighted specific sections of text published in the report that we will address below.

This is a sharply incorrect and muddling claim. It is categorically trivial for anyone to modify the “semantics” of Bitcoin, this is inherent to being open-source software that is both publicly available and freely downloadable. In fact there is no shortage of instances where individuals have modified Bitcoin’s software in the process of creating alternative blockchain ecosystems (see here, here). However, to change such code and remain in consensus with the existing Bitcoin network on the same transaction record means that any and all changes to the codebase cannot violate specific rules (called consensus rules, viewable here or more human readable, here).

In the event those rules are violated, the users running the modified software will no longer be compatible with those running the canonical versions of Bitcoin. To be clear, this means users running the modified software will effectively be members of an entirely different network, abiding by a decidedly different transaction record, and exchanging a distinctly different digital asset.

Furthermore, the changing of past transactions would by definition create an alternative version of the blockchain which, in order to be valid according to the existing Bitcoin ruleset, would require (1) all altered transactions to be authored by the owner of the correct private keys as well as (2) all blocks to contain valid proofs of work.

Even in this most unlikely scenario, members of the existing Bitcoin network would, by explicit design, abide by the chain with the most accumulated proof of work (stacked over 740k blocks, currently). It cannot be understated how difficult this would be, requiring inexplicable amounts of time and investment to procure and operate specialised hardware and software, energy infrastructure, electricity and physical property, which could ultimately be a waste in the event the Bitcoin community changes its hashing algorithm, ostracises the attacker’s traffic, or physically harms their mining operations.

Therefore, in the event an entity, of any size or role, changes past transactions, their modified transaction history would almost certainly be in direct violation of Bitcoin’s software rules, and thus, the changed transactions will definitively be ignored by existing members of the Bitcoin network.

It is greatly misleading to sensationalise the top four mining pools having over 50% of network hashrate when it is the status quo throughout the history of Bitcoin — and its zero instances of the aforementioned 51% attack. In reality, the concentration of mining activity among pools has generally decreased throughout Bitcoin’s history, to the extent that today, the distribution of block creation among pools has never been more dispersed. A more careful look at the mining pool landscape (available here) would conclude a wide variety of players are involved with relatively high turnover, and an inconsistent ranking as to which pool has the largest market share.

In addition to historical precedent, such an attack is logistically unconvincing and squarely against the economic interest of mining pools.

The ownership of the machines providing work always remains with miners rather than being transferred to a pool. Meaning, the machines that actually produce the hashrate necessary to create new blocks are owned and operated by miners regardless of which pool they engage with. This limits the counterparty risk associated with pooled mining, and enables miners to verify which chain they are contributing to and whether or not they are breaking any of Bitcoin’s protocol rules.

The fully digital and independent nature of miners’ work also lowers the barriers to switch between pools, whose business remains fully dependent on miners’ successfully producing them new blocks. In reality, there is significant bargaining power on the side of miners, and the fact that both pools and miners receive bitcoin-denominated rewards generally aligns their incentive to support the network. Miners, having pre-purchased future bitcoin production via their specialised machinery can only hurt themselves by harming the bitcoin price, and pools, being a pure service provider in a highly relationship-driven industry would almost certainly destroy themselves if they harmed their clients’ interests.

Thus in the unlikely scenario a pool attempts to use miners’ hashrate to censor transactions or spend an invalid transaction, it would be alarmingly clear to the miners and incentivise them to redirect their hashrate to an alternative pool, which would trivially be the push of a few keys.

Lastly, it should be noted that the mentioned ‘Nakamoto coefficient’ is not a precise measure of decentralisation, nor is it typically applied properly, as is the case here. Curious readers should consider the cheapness of running a full node as a better proxy for decentralisation, best described by Paul Sztorc (here).

While we find many of the claims made in this report deceptive, this is perhaps the most reprehensible. It conflates the roles of Bitcoin network participants, and naively ignores a common critique about the power of mining pools that has been well documented since 2011.

While we disagree with this statement, we also find it is providing a distorted measure of wealth among bitcoin holders. The methodology used in measuring the supply distribution of bitcoin involves clustering addresses used as inputs in the same transaction to identify the balances of distinct entities. This unfortunately doesn’t take into account multisignature or CoinJoin transactions, as well as misleadingly considers exchanges and custodians as single Bitcoin holders, who in reality are service providers acting on behalf of many investors. Specific examples of entities that likely represent a broader set of bitcoin holders are Grayscale, Coinbase, and Bitgo. It may similarly be the case that those entering and exiting the Liquid and Lightning networks are also inappropriately represented when using multisignature techniques.

However, beyond citing a statistic that we find is likely flawed, the report also ceases to mention the economic concentration of alternatives to provide relative comparison. For example, the share of net worth held by the top 1% of individuals in each of the United States, China, and Russia is reportedly over 30%, and worse, the global average is just shy of 45%.

The statement above simplifies the ease of executing a highly complicated attack and misunderstands the nature of a network chain split.

In the reported scenario, a network participant is isolated from all honest peers but remains connected to at least one malicious peer. Without any connections to honest peers, the “eclipsed” node will not receive the latest blocks on the blockchain with the most accumulated proof of work, and thus begin to abide by an alternative — and “forked” — blockchain susceptible to the whims of the attacker.

However, the report indicates that the effect of this fork would lower the amount of hashrate necessary to execute a 51% attack, making the inappropriate assumption that hashrate must eventually diverge in the event of a fork. In reality, there is no automatic split to a miner’s hashrate in the event of a fork, nor will any general network node following an alternative blockchain directly affect where a miner’s hashrate is deployed.

As mentioned previously, the ownership of the machines providing hashrate always remains with miners, enabling them to verify which chain they are contributing to and whether or not they are breaking any of Bitcoin’s protocol rules. Thus, in the event general Bitcoin nodes begin to follow a fork, there is no guarantee a miner will make the conscious effort to migrate their hashrate and lower the amount necessary to execute a 51% attack on the canonical, unforked chain.

As profit-seeking businesses, miners are actually encouraged to work on the chain with the economic majority of nodes, who provide the greatest opportunity for transaction fee revenue. To encourage miners to migrate to the attacker’s chain, and thus decrease hashrate on the former, it may be necessary to eclipse over half the network of Bitcoin nodes and consistently relay the same misinformation of blocks and transactions from a fleet of intentionally positioned, malicious nodes. The attacker would then also need to operate enough hashing power to present blocks with valid proofs of work to be accepted by the isolated nodes, which, again, is an undoubtedly time consuming, expensive task with indeterminate results.

To be frank, when considering the challenges of eclipsing a network node, it becomes clear this attack is nothing more than an academic illusion. To convincingly isolate a member of Bitcoin’s network, the attacker must maliciously control each connection made by the node, successfully employ an amount of hashpower on the magnitude of the entire Bitcoin mining network, and simulate valid blocks and transactions according to the existing ownership of coins. It also may be necessary for the network member to passively run their targeted node, refraining from either conducting transactions with known entities or cross-checking their activity with credible block explorers.

Lastly, there are defences in place to protect against eclipse and general denial of service (DOS) attacks in the Bitcoin software itself (see here). The most glaring being that a Bitcoin node can whitelist one or many IP addresses to specifically connect with, which, assuming they connect to at least one honest peer, would fully mitigate the ability to execute an eclipse attack.

The report once again fails to recognise Bitcoin is an open-source software, which means the codebase exists in many different versions and is maintained by a group of loosely coordinated people. There is no centralised line of command, roadmap or specific targets in Bitcoin — the community of developers and users determine how the codebase evolves (for more on how upgrades occur, see here).

The most predominantly run version of Bitcoin, Bitcoin Core (referred to as the reference implementation), is maintained on Github by a set of nominated or appointed developers responsible for general moderation and addition of proposed contributions. However, in terms of structure, there are no specially privileged participants in Bitcoin development as anyone is welcome to contribute, test, and review its codebase.

In no way do the developers of Bitcoin Core have the ability to make overt software changes that would forcefully modify the state of the blockchain for anyone outside of themselves. Users voluntarily abide by the rules of the software version of Bitcoin that they choose and may specifically forgo any changes the maintainers instantiate into Bitcoin Core by developing or downloading an alternative and compatible version.

It is also perhaps worth noting, as we did previously, that alternative versions of the Bitcoin blockchain will explicitly be invalidated by existing network participants unless all transactions are authored by the owner of the correct private keys and all blocks contain valid proofs of work. In such an instance when there are two competing chains, both of which are valid, the chain with the most accumulated proof of work will be accepted. The real-world and ongoing costs associated with fabricating an acceptable version of the Bitcoin blockchain, which are quickly and cheaply verifiable, have consequently provided an exorbitant barrier that has never been breached, to our knowledge.

The information contained in this document is for general information only. Nothing in this document should be interpreted as constituting an offer of (or any solicitation in connection with) any investment products or services by any member of the CoinShares Group where it may be illegal to do so. Access to any investment products or services of the CoinShares Group is in all cases subject to the applicable laws and regulations relating thereto.

This document is directed at professional and institutional investors. Investments may go up or down in value and you may lose some or all of the amount invested. Past performance is not necessarily a guide to future performance. This document contains historical data. Historical performance is not an indication of future performance and investments may go up and down in value. You cannot invest directly in an index. Fees and expenses have not been included.

Although produced with reasonable care and skill, no representation should be taken as having been given that this document is an exhaustive analysis of all of the considerations which its subject-matter may give rise to.This document fairly represents the opinions and sentiments of CoinShares, as at the date of its issuance but it should be noted that such opinions and sentiments may be revised from time to time, for example in light of experience and further developments, and this document may not necessarily be updated to reflect the same.

The information presented in this document has been developed internally and / or obtained from sources believed to be reliable; however, CoinShares does not guarantee the accuracy, adequacy or completeness of such information. Predictions, opinions and other information contained in this document are subject to change continually and without notice of any kind and may no longer be true after the date indicated. Third party data providers make no warranties or representation of any kind in relation to the use of any of their data in this document. CoinShares does not accept any liability whatsoever for any direct, indirect or consequential loss arising from any use of this document or its contents.

Any forward-looking statements speak only as of the date they are made, and CoinShares assumes no duty to, and does not undertake, to update forward-looking statements. Forward-looking statements are subject to numerous assumptions, risks and uncertainties, which change over time. Nothing within this document constitutes (or should be construed as being) investment, legal, tax or other advice. This document should not be used as the basis for any investment decision(s) which a reader thereof may be considering. Any potential investor in digital assets, even if experienced and affluent, is strongly recommended to seek independent financial advice upon the merits of the same in the context of their own unique circumstances.

This document is directed at, and only made available to, professional clients and eligible counterparties. For UK investors: CoinShares Capital Markets (UK) Limited is an appointed representative of Strata Global Limited which is authorised and regulated by the Financial Conduct Authority (FRN 563834). The address of CoinShares Capital Markets (UK) Limited is 82 Baker Street, London, W1U 6TE. For EU investors: Napoleon AM (napoleon-am.com) is a French asset management company regulated by the Autorité des Marchés Financiers (AMF), registered under number GP-19000015 since 27/03/2019. Its office is located at 11 rue Paul Lelong, 75002 Paris, France.

The CoinShares Astronaut is a trademark and service mark of CoinShares (Holdings) Limited.

Copyright © 2022 CoinShares. All rights reserved.