A little while back, @benthecarman posted about the concern that in the case of a cryptographically relevant quantum computer, miners would continually 51% attack the network in an attempt to get Satoshi's coins, reorging out previous transactions that may have moved Satoshi's coins (#1476783).
Earlier today on X, @lopp referenced a 2024 MIT paper about a similar dynamic (not involving quantum attack, but thinking through how miners might behave in a world with some transactions that have dramatically higher fee value than others).
The paper (linked above) is by Claire Bao with mentorship from Neha Narula and Tadge Dryja:
Our research found that the blockchain is safe from undercutting attacks when the block size limit is small relative to the number of transactions, but the blockchain becomes more susceptible to undercutting attacks if transactions with much higher fees enter the mempool infrequently even for smaller block size limits. Moreover, we extend the logic of undercutting attacks from the original paper to show that, if the mempool dynamics are such that the undercutting occurs long-term, the tangible impact on users is that very little progress will be made as fully rational miners will end up only including one transaction per block, regardless of the total amount of available transactions.
If miner rewards for some blocks are dramatically higher than for other blocks, it seems like we would see attempts by miners to reorganize the chain to build on a block in which they mine a particularly valuable transaction rather than building on a competing miner's block containing that valuable transaction.
if a fee gradient exists and high fee transactions with significantly higher fees enter the mempool infrequently, then undercutting occurs and is profitable long-term.
It seems likely that in the potential world where someone controls a cryptographically relevant quantum computer, they will work closely with a large miner or offer very a transaction with a very large fee to move some large pile of quantum vulnerable coins.
Bao models this behavior out and concludes:
By extending the reasoning from the original paper, we explained that the blockchain will end up being long chains of blocks with the minimum possible transactions and values as miners attempt to avoid having their own blocks undercut, thereby resulting in very slow chain progress and very few of the user transactions being confirmed. In other words, if the transaction fee dynamics result in undercutting attacks being profitable and frequent long-term, the blockchain’s progress, in terms of transactions being confirmed in each block, will slow down drastically and hurt the overall stability and usability of Bitcoin.
The paper suggests that Carman's concerns about the risks of not confiscating Satoshi's coins should be investigated further.
I'm still not sure how to think about this. Especially if we figure that coalitions of miners might form. It also feels to me like we would need to be much more certain that this chaotic mining environment would actually materialize and that it would last for a significant period before we entertain the concept of confiscating coins in order to avoid it.
It's a test. The test has a very simple assertion it aims to prove:
Under pressure of NgD FUD, Bitcoiners will embrace communism.Under pressure of NgD FUD, Bitcoiners will embrace communism.
Feel free to agree with lopp, commies.
I don't like the idea of confiscating anyone's coins for any reason.
No matter how chaotic the potential reorgs might get, it seems like all miners have an incentive to eventually move on because otherwise they're just burning their money. So I could see this sort of reorg battle playing out for a little while, but I imagine after a few days or weeks, it starts to be too expensive to keep bothering with such attempts.
I wonder if I am missing something though? Is it possible that having such a large pile of bitcoin that could be fought over might truly distort miner incentives?
Yes it can. But - as you imply - it will be a race to the bottom as hashing isn't free. At one point, the cost will outweigh the rewards. And this will happen faster when NgD happens properly (as it should.)
All confiscation implies is that you're willing to break with a thing from the whitepaper:
If something gets confiscated without a signature, then how is the chain of ownership verified?
I'd say it's a new chain with a genesis block at whichever point the confiscation happened.
That's usually what happens here. Remember though: exactly this scenario played out on Ethereum, and the non-fork without confiscation did not catch up to the hardfork. So it's not a given that the "moral" chain will be the most successful one.
Good point. I hadn't checked out the price of ethereum classic lately. ~$9 a coin.
The fiat price is simply a reflection of the fact that the number of people that are willing to stick to principles over profits and not staying where the masses are is not only small to begin with, but shrinking over time.
Talking about confiscating Satoshi’s coins to save the mempool?
That escalated quickly.
uh, i don't think it has anything really to do with "saving" the mempool.
This has been the conversation since at least middle of last year. Back then it was burn vs steal. Now it's freeze vs steal. I use the word confiscate instead of freeze because I think it's better to call it what it is.
I'm pretty much entirely in the camp of whoever has the keys has the coins, and so if someone is able to crack satoshi's keys, I guess they now get those coins. But, this argument about what the ability to derive satoshi's keys with a quantum computer does to mining incentives is worth thinking through.
Calling it confiscate is correct, let's not sugarcoat. Freeze is just confiscation with extra steps and drama. I'm also team keys = coins, but the quantum discussion is healthy.
There's also a Youtube talk:
Not really. ahah
I didn't link directly to the pdf because I loathe them, but there is a button to the pdf on the link in the OP. Were you not able to access it?
gotcha. Thought you forgot!
Download PDF
https://twiiit.com/lopp/status/2052394018122969481