A Blogger user going by the handle Satoshi [1] pointed out that I made a major mistake in my analysis of rental attacks on Bitcoin. The numbers I was using for the hash rate were off by six orders of magnitude. But that turns out not to matter because, by sheer luck, I made a second mistake that almost exactly offset the effect of my first mistake. I've since re-done the math, had it reviewed again by a community of bitcoin enthusiasts, and the upshot is that rental attacks are even *less* expensive than I originally concluded.

So how did I manage to do such a spectacular double-screwup? Well, I got my hash rate numbers from a chart that I found on blockchain.com. It looked like this:

Notice that the scale on the left is labelled "TH/s". But then also notice that the numbers all have an "M" after them. I missed those M's.

Happily for me, my analysis also relied on a number that I got from a mining rig rental site that turned out to be wrong in much the same way, but that number appeared in the denominator of the math and so the two errors more or less cancelled each other out.

For the record, here is the corrected math.

I chose whatsminer.com as a source of data for the performance numbers on current mining rigs not for any particular reason (I have never mined bitcoin so I don't really know much about the state of the art), but the site looked professional, so I assumed that its products are probably legit and competitive. The key number from that site is that the base efficiency of their hardware is 30J/TH.

The price of electricity varies from about $0.10/kWh in China to $0.18/kWh in the US.

The current difficulty is 48T.

The formula for converting difficulty to hashes/block is:

D * 2**256 / (0xffff * 2**208)

Setting D to 48T yields:

```
Python 3.8.9 (default, Mar 30 2022, 13:51:16)
[Clang 13.1.6 (clang-1316.0.21.2.3)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> D=48
>>> D * 2**256 / (0xffff * 2**208)
206161575984.00073
>>> _/600
343602626.64000124
```

i.e. a hash rate of roughly 340 million TH/s (D is entered in units of T, so the results are in TH and TH/s), which is as expected.

The energy cost of maintaining this hash rate is:

340 M-TH/s * 30 J/TH = 10,200 MJ/s = 10 GW

Or, converting to dollars assuming low-cost electricity:

10 GW * $0.10/kWh = $1M/hr

The current block reward is 6.25 BTC/block with a market value of $180k/block ~= $1M/hr.

So this calculation passes basic sanity checks.
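The same calculation carried through in base units (hashes, watts, dollars per hour), as an added example that is not part of the original post. The function names are illustrative and the inputs are the figures quoted above; it also solves for the electricity price at which the energy bill equals the block reward.

```python
# Added example: inputs are the figures quoted in the post, kept in base units
# so that a dropped "M" or "T" prefix cannot hide in the arithmetic.
DIFFICULTY = 48e12             # "48T"
BLOCK_INTERVAL_S = 600         # seconds per block (the /600 in the session)
EFFICIENCY_J_PER_TH = 30       # joules per terahash
BLOCK_REWARD_USD = 180_000     # market value of 6.25 BTC as stated in the post
PRICES_USD_PER_KWH = {"low": 0.10, "high": 0.18}
TERA = 1e12

def hashes_per_block(difficulty):
    """Expected hashes to find one block: D * 2**256 / (0xffff * 2**208)."""
    return difficulty * 2**256 / (0xffff * 2**208)

def hash_rate_hs(difficulty, interval_s=BLOCK_INTERVAL_S):
    """Network hash rate in hashes per second."""
    return hashes_per_block(difficulty) / interval_s

def power_watts(rate_hs, j_per_th=EFFICIENCY_J_PER_TH):
    """Electrical power needed to sustain rate_hs (TH/s * J/TH = W)."""
    return rate_hs / TERA * j_per_th

def energy_cost_usd_per_hour(watts, usd_per_kwh):
    """kW * $/kWh gives dollars per hour directly."""
    return watts / 1000 * usd_per_kwh

def reward_usd_per_hour(reward_usd=BLOCK_REWARD_USD, interval_s=BLOCK_INTERVAL_S):
    return reward_usd * 3600 / interval_s

def break_even_usd_per_kwh(watts, reward_per_hour):
    """Electricity price at which energy cost equals the block reward."""
    return reward_per_hour / (watts / 1000)

def summary():
    rate = hash_rate_hs(DIFFICULTY)
    watts = power_watts(rate)
    reward = reward_usd_per_hour()
    out = {"hash_rate_th_s": rate / TERA, "power_gw": watts / 1e9,
           "reward_usd_h": reward,
           "break_even_usd_kwh": break_even_usd_per_kwh(watts, reward)}
    for label, price in PRICES_USD_PER_KWH.items():
        cost = energy_cost_usd_per_hour(watts, price)
        out[f"cost_usd_h_{label}"] = cost
        out[f"margin_usd_h_{label}"] = reward - cost  # negative: mining at a loss
    return out

if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:>22}: {value:,.4f}")
```

With these inputs the break-even electricity price comes out just above the low-cost figure, so the hourly margin is slightly positive at $0.10/kWh and negative at $0.18/kWh.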

For completeness, let's calculate the capital costs. Browsing mining hardware on Amazon yields a range of about $2k–$5k/100TH/s. It is a little surprising to see such a big spread (2.5x) for what should be a commodity. But be that as it may, the bottom line is that hardware acquisition costs are about $20-50/TH/s. So 340MTH/s would cost 7-17 billion dollars. This seems like a plausible number because the block reward generates 364*24*$1M/hour = $9B/year, which yields a reasonable return on an O($10B) investment if you can get the operating costs low enough.

But the crucial number is the $1M/hr current run/reward rate. For a hashing rig owner, the capital expenditure is a sunk cost, and so if they can make more money by renting than it costs to run the rig and more than they can expect to make by mining themselves, the rational choice (in the sense of economic rational actor theory) is to rent.

Note that this number is an order of magnitude *less* than my initial calculation, making the attack all that much *more* feasible. I suspect that this is due to the fact that one of the inputs to my original calculation was a questionable data point from MiningRigRentals, and that if you crunched the numbers on their rental rates they would turn out to be (once you got your units straight) 10x what rational choice theory says they should be. In fact, their help page includes this disclaimer:

"Bitcoin mining is ... not profitable for everyone. Therefore we strongly encourage anyone interested in mining to do his/her own research and make the calculations before investing any money to the operation. Here at MiningRigRentals most people are speculating on the price of their mined coins..."

It seems to me that there is something very hinky about all this. If mining is not profitable, that means you can buy coins for less than it costs to mine them, so why not just do that if you want to speculate on future price? And that applies not just to renting, but to regular mining as well. The operating costs of mining appear to be just about break-even even with cheap electricity and ignoring capital costs. So why would any rational actor choose to mine? Mining is either immediately profitable or it is not. If it is not, then a rational actor would either rent their hardware to a greater fool, or, if market rates didn't cover the operating costs, pull the plug and use the savings on their utility bill to buy coins instead. Any long-term deviation from this equilibrium cannot be the result of rational actors, so either rental attacks are plausible, or bitcoin's long-term security depends on systemic deviation from selfish rationality.

---

[1] When I looked up Satoshi yesterday his (her?) profile indicated that they had been on Blogger since 2012 but their profile had only four views. (Today they are up to 23.) That is an extraordinarily long run of stealth. It is extremely unlikely, but not entirely implausible, that this person might actually be Satoshi Nakamoto.
