How Decentralized Is Bitcoin?

Thesis

Bitcoin (BTC-USD) is decentralized enough that a 51% attack that could come from a lack of decentralization isn’t a realistic threat outside of major black swan events. However, Bitcoin is not completely trustless, as investors have to trust that the largest miners will continue to collectively act in the best interest of the network. Fortunately, that usually means acting in their own best interest.

Background

An academic study was recently published claiming that “between launch (January 3rd, 2009), and when the price [of Bitcoin] reached $1 (February 9th, 2011), most bitcoin was mined by only sixty-four agents.” The study claims that at certain points in time, only a single digit number of these agents were active, and that there were points when a single agent had over 50% of the mining power.

It also provided the following commentary on these findings, essentially implying that Bitcoin is not decentralized enough, at least in its early days: “Although bitcoin was designed to rely on a decentralized, trustless network of anonymous agents, its early success rested instead on cooperation among a small group of altruistic founders.”

Although the study hasn’t been published in a peer-reviewed journal yet, it received significant attention, thanks in part to this New York Times article covering it.

The study’s methodology analyzed a modified version of the raw data available on-chain, as according to the New York Times it “leveraged human lapses such as insecure user behavior; exploited operational features inherent to Bitcoin’s software; deployed established techniques for linking the pseudonymous addresses; and developed new techniques.”

Given the many data processing techniques used and the lack of peer review at this point, it’s possible that the findings are inaccurate. Matching distinct addresses to assume that they’re the same person certainly leaves some room for error. However, in this article, I’m going to assume that the findings are accurate and consider what that would mean for Bitcoin.

The 51% Attack

The study’s findings are interesting because if a single agent controls over 50% of the mining power, they can launch a 51% attack. The role of miners in the Bitcoin ecosystem is to validate transactions, and each miner is essentially given a vote weighted based on its computing power. Thus, if a single miner has over half the computing power, their vote on whether a transaction is valid is the only vote that matters.

Miners’ power is limited in the Bitcoin ecosystem, so even a successful 51% attack probably couldn’t do things like take control of Bitcoin’s source code, create new coins, reverse very old transactions, or steal coins that aren’t actively being used in transactions. I’ve discussed the relationship between Bitcoin miners and the rest of the Bitcoin ecosystem in my past article about Bitcoin’s supply.

Miners primarily exist to solve the “double spend” problem, in which somebody spends their Bitcoin, then reverses or cancels the transaction and spends it again somewhere else. Thus, an attacker could freely spend their Bitcoin over and over as long as they controlled the network. So, while a 51% attacker wouldn’t be all-powerful, they could steal coins, doing serious damage to other members of the Bitcoin network and Bitcoin as a whole.

The study claims that Bitcoin survived early 51% attacks because the agents who briefly had control of the network acted altruistically for the benefit of the overall Bitcoin ecosystem. However, I think there’s more going on here. Apple’s board has seven members and they could decide to stop manufacturing new iPhones, opting to sell $1000 pictures of sheep instead. But nobody would say that the board is acting altruistically by choosing not to do this. Rather, they’re acting to maximize revenue and profit (and avoid a barrage of shareholder lawsuits).

It’s a similar story for Bitcoin miners. Somebody who controls 51% of the mining power would have invested a lot of money in mining equipment and would be making a lot of money by simply mining Bitcoin without attacking the network. If they instead started attacking the network, other users of Bitcoin would become reluctant to transact in it because they would lose faith in the integrity of the network. This would almost certainly lead to a collapse in Bitcoin’s price and the attacker would then bring in less mining revenue. So, rather than acting altruistically, a theoretical attacker must simply act in their own long term economic interest to avoid harming the network.

Granted, smaller cryptocurrencies have suffered 51% attacks in the past, so it’s not like they can’t happen. But I’m not aware of any 51% attack that made its attackers extremely rich. For example, this article about an attack against Bitcoin Gold in early 2020 indicated that the attacker stole about $70,000, but estimated that the attack cost about that much to execute. That wasn’t the first 51% attack against Bitcoin Gold, either. It’s also important to note that the price of Bitcoin Gold is higher today than it was before any of the attacks, so a 51% attack hasn’t been enough to permanently ruin a coin in the past.

Bitcoin Today

My other criticism of the study is that it only focuses on the 2009-2011 period. At this time, very few people used Bitcoin. 64 agents controlling the network is not a lot, but if only 64 people use the network, then it’s a reasonable number. That is to say, the more people who use and mine Bitcoin, the more decentralized it can become. Just like I wouldn’t sell Apple today because their iPhone sales were low in 2007 when the product was first released, I don’t think it makes sense to sell Bitcoin today because it was less decentralized at a past time when it was much less popular.

Today, Bitcoin’s hash rate is many orders of magnitude higher than it was in 2009-2011. 51% of today’s hash rate would be over 100m terahashes per second, which is a massive number that’s difficult to visualize. For some perspective, with the current level of energy efficiency, this accounts for over 0.5% of the world’s energy usage. So for a single entity to launch a 51% attack, they’d have to start by using over 0.25% of the world’s energy. That cost eliminates most potential attackers, especially considering that you also need specialized hardware to make effective use of the energy.

Another way to understand the difficulty of launching a 51% attack is to look at the market share of mining by country. As recently as 2019, Chinese miners had over half the hash rate. However, the network is much healthier today, with no country accounting for more than 38% of the hash rate. This means that miners in multiple countries would have to work together to collectively launch a 51% attack, which reduces the likelihood of one happening.

And that’s not even considering that each country has multiple miners, who each have their own goals. For example, leading miner Riot does 4.6m terahashes per second, less than 2.5% of the overall hash rate and not even 10% of the hash rate coming from the USA.

An Academic Exercise

The previous section demonstrates that it would be difficult to launch a 51% attack today. In practice, this isn’t something that investors have to be worried about barring a black swan event like massive global power outages or a widespread regulatory clampdown.

But is that enough to say that Bitcoin delivers on its promise of decentralization? According to a Google search, decentralized simply means “controlled by several local offices or authorities rather than one single one.” By that definition, Bitcoin is certainly decentralized.

But then what makes Bitcoin different from, say, a pizza chain where different franchise owners each control a few stores? Or the various companies like Atlassian and Netflix that have multiple CEOs? Some could argue that these entities also meet the definition of decentralized.

In my view, what makes Bitcoin different is that anyone can become a miner if they have the right equipment and access to enough energy. Even if I have a lot of money, I can’t become a franchise owner unless the company’s executives allow me to. And I can’t become an executive without getting permission from other executives and board members. On the other hand, there’s no need to ask permission to participate in the Bitcoin network.

Of course, with today’s mining happening at a massive scale, there are barriers to entry when it comes to obtaining the equipment and energy necessary to participate. As with most businesses, there are size advantages in mining, so the largest miners now will likely continue to box out smaller players.

Thus, while Bitcoin may be decentralized, it isn’t completely trustless; to some extent you have to trust the largest miners to collectively act in the best interest of the network, which fortunately means acting in their own long-term best interest as well. In my view, that’s not very different from trusting companies’ executives to continue to act in the long-term best interest of their companies when you invest in the S&P 500.

Conclusion

Bitcoin today is very secure. I believe that Bitcoin is decentralized enough now that investors don’t have to worry about a 51% attack, regardless of whether one was possible in the 2009-2011 period.

Although this article didn’t focus on Bitcoin’s overall bull thesis as I’ve covered that extensively in past articles, it’s worth noting that in past cycles Bitcoin didn’t fall below the previous cycle’s peak. With Bitcoin near $21,000 today, it’s very close to the previous cycle’s peak and looks like it may even break below it. So, based on the trend in previous cycles, I think that now is a good time to be adding to Bitcoin and other cryptocurrencies again.