The 184 billion BTC overflow bug is a reminder that even “immutable” code is only as trustworthy as its review process. The real miracle isn’t that a bug happened, but that Satoshi patched it in hours and the network agreed to roll back. Decentralization is great, but consensus is everything
BTC has occasionally obtained community driven patches by distributed consensus rather than a centralized approach (as recently as 2021 with the Taproot soft fork). When Quantum Computing finally becomes a threat to BTC, there will almost certainly be a distributed consensus to update the protocol again. Now what happened with Ethereum could be argued as not so decentralized since the organization (Ethereum Foundation) has extremely strong political influence over the corporations that support it.
I really hate the “someone will certainly solve this problem!” mentality.
You can’t just magically update the protocol to work around the ability of someone to break elliptic curve cryptography. That not how this works. It’s not how any of this works.
Once people catch wind of bitcoin being moved from secure places, nodes will cease processing transactions, quantum capable thieves will be frozen
Network will upgrade if it hasnt already, nodes will only process transactions on the network with the most other nodes
They might even resume from a few block back. No different than branching from an old commit
If this doesnt match your philosophy of legitimacy, you can try continuing in the orphanage chain and get other nodes to join you. May the longest chain win!
This has all been theorized before and has subsequently happened before and the resolution has given confidence to attract more capital.
And what happens to all those cold wallets where people can recover the secret key or forge signatures for it? They money is just gone, either by thieves or the network disallowing them to be spent.
It helps build a new system, but all existing wallets would be hackable until they migrate. And we expect everyone to have the time and resources to do that? For a “store of value” system?
All of my hardware wallets are now worthless? All of the hardware security modules used for wallets managed by corporations no longer work?
It's an absolute mess for so many reasons that a "protocol fix" just doesn't cover.
> all existing wallets would be hackable until they migrate
Not necessarily. See "Discussion of Guy Fawkes signatures to protect some current bitcoins against quantum theft" and "Commit/reveal function for post-quantum recovery of insecure bitcoins" sections of the Optech page.
How would you protect all the old stuck or stale BTC wallets that used the original crypto? An awful lot of cold-stored or presumed-lost BTC would be hard or impossible to migrate to post-quantum protection, no? A quarter of mined BTC? Half?
More of an economic than technical puzzle these days. But wouldn't you need users to protect their wallets post-fork?
You tell people that value their bitcoin to migrate to new wallets. Bitcoin is self sovereignty and self-ownership. You are responsible for securing your own wallet.
The bitcoin that has been lost doesn't matter, because it's lost. That becomes fair game to whoever can find the computational resources to crack the cryptography of the wallets to get to it. At that point BTC will probably be $500k-$1M in price, and it might just be the driving force behind mainstream adoption of quantum computing.
Bitcoin (et al) is/are not fully decentralized in the sense that a core development team actively maintains and proposes changes, even minimal ones. While it's true that major updates require broad consensus and may be rejected by nodes if controversial, we should acknowledge that certain points of centralization exist, particularly around development and decision making. These often overlooked aspects now carry more financial consequences, especially as Bitcoin becomes more intertwined with regulated financial instruments and political power.
For example, now, many L2s around Bitcoin are fully depending , and influencing on a future change: enabling again the OP_CAT opcode [1].
One of the biggest points of failure I can see happening is self hosted node packaged software services like umbrel. Where they are just updating your node for you.
What Ethereum did after DAO was way more sinister. At least with the Bitcoin "roll-back" there were no transactions reversed. The miners just got together and started mining from a previous point in the Blockchain, and eventually the new chain had more work done and was validly accepted by even outdated nodes. Ethereum just went ahead and added this to their protocol: "ummm this transaction stands reversed, you don't need to verify signature for this particular transaction". This blot will stay in the protocol for ever.
Yeah that's a great example. I think sometimes people take "code is law" too seriously, when it is clear to me the code is just a deterministic way to form a consensus that works 99% of the time and the other 1% you get forking.
Comsent by whom? In most "decentralized governance" projects I've heard about, all you need is for the holders of 51% of the tokens to agree, and the holders of the other 49% have no recourse but to leave.
No, that's completely different thing. Mining power only "decides" about the blocks in the blockchain. 51% is only relevant in the context of taking over the blockchain by 51% attack.
Software versions and updates require social / economic consensus and have nothing to do with mining power. Bitcoin is open-source protocol / software and everyone can use whichever version they like. But there's also economic incentives to use the most used version and to make sure that it will keep being the most used version, i.e. forks are bad and should be avoided, therefore it's in everyone's interest to reach consensus.
So there are two different places that a coup against bitcoin could occur? Processing and Software.
With something like 45% of processing controlled by entities in Iran, China, and Russia, it seems like an absolute fools game to put any significant wealth in Bitcoin. All it would take is a significantly effective worm to destroy bitcoin. But hypers gonna hype.
It's the same as any currency. If the place you want to spend it only accepts currency y then you must trade for currency y to spend money there.
Since Bitcoin is software anyone can fork it and create a currency y with the same ledger up to the fork but few people do because convincing other people to trade for it without a very strong argument is hard.
Yes, but I was talking about "decentralized leadership" in all the projects following Bitcoin, which often use 51% of stake instead of 51% of mining capacity, under the social theory that the biggest stakeholders will be the most invested in the outcome of the project.
Those with at least 51% of the sustained hash power can already redefine “Bitcoin” to be whatever they want… At any time whatsoever? (assuming they stay cohesive enough as a bloc)
That statement is a bit misleading. The damage an attacker can do through a 51% attack is much more limited than that. It allows an attacker to censor transactions or perform double spends, but it does not allow them to "redefine Bitcoin" (e.g. change consensus rules, arbitrarily reassign coins, etc.).
Anyone can do that, it doesn't require 51% of the hash power. And it's already been done hundreds, if not thousands, of times (the more technical term for them is "shitcoin").
Indeed. Permissionless blockchain is much less of a technological innovation, but more of a governance innovation, specifically an accountability sink, where instead of a named entity (corporation, institution, person) being in charge, you have this amorphous blob in charge that does come together if its interests are affected (this 184 bn Bitcoin bug, the DAO hack, etc.), but otherwise even in the presence of heinous crimes shrugs and says: "who, me? what can I do?"
I don't understand why that's so attractive to so many participants - possibly because the enormous negative externalities of such a thing more often than not don't fall on themselves, but other, more vulnerable people.
(Not always though: when 200 Bitcoin were stolen from ultra-libertarian Bitcoin developer Luke Dashjr, he came crying for help from the bad bad centralized FBI rather quickly...)
> ...until someone exploited a code defect and took the founders' money, then they re-write history and ignored the hypocrisy.
Not everybody agreed - and so the Ethereum Classic blockchain was created, causing all the problems that go hand in hand with having different, forked blockchains:
That's different because in Bitcoin's case there was a clear violation of the specification, of how it supposed to work. So the bug was fixed to make the software working as it intended to be. If there were two node implementations then one would just stop to work until fixed.
In Ethereum's case there were no violation of any specification. In fact there were no bug in the blockchain itself. Just someone took founder's money, they didn't like it and so they decided to get them back. And note that after that, there were bugs in the nodes code that were breaking the spec (which you should compare to the bitcoin's bug), but because of multiple node implementations only some of the nodes stopped and so we don't care about those issues.
That's probably more important than worrying about bugs in the code. There will be bugs, the concern is what are the rules for rectifying the damage done by those bugs. Plus, where do I go to appeal if I disagree with the decision?
It’s based on a social consensus only, the rest (Nakamoto Consensus, PoW, longest chain, difficulty adjustment, block halving, artificial limited supply, decentralization, censorship-resistant P2P network, open source, etc.) is a combination of a Rube Goldberg machine & crypto bros LARPing.
There is a huge scientific merit of the algorithms for reaching a distributed consensus when not all participants can be trusted (including the fact that the Bitcoin paper uses game theory to give evidence why malicious entities attempting to create another fork will by the mere design of the algorithms have a hard time).
What is, of course, social consensus are some aspects about what it "socially" means that there exists this concrete consensus in the blockchain. By the design of the protocol and its data structures, there do exist boundaries concerning possible "social interpretations" of this consensus, but a lot of aspects are up to different interpretations.
> There is a huge scientific merit of the algorithms for reaching a distributed consensus when not all participants can be trusted
Not quite. Distributed consensus had been solved in the 1980's theoretically and the 1990's practically, even in the presence of byzantine nodes. What Nakamoto consensus was first in was to extend this to the permissionless setting (at enormous expense & inefficiency, and with no benefits, in my view; though enabling large scale rule breaking or "censorship resistance", which some see as a benefit).
Bitcoin didn’t solved a forkability and finality problems. Blockchain (or more properly hashchain) is a linked list of hashpointers, and since anyone can create a hashpointer pointing to the head of the hashchain - it means anyone can fork it. And indeed Bitcoin was forked multiple times, and the solution to forks was almost always either centralized and/or social.
IMO PBFT consensus algos have a niche applications anyway, and not required for Electronic Cash implementation, only for decentralized and/or disintermediated Systems-of-Record, but that’s a complete opposite of bearer instruments like electronic cash.
Bitcoin is the OG Birkin Handbag. Valuable for the story. People compete to own a bit of it for that. You can create your own Bitcoin clone and own all of it! But no story, no value.
> Yes, they existed a long time ago and aren't wasteful as a way to generate "value".
Can you give me a literature reference for such a result, because this claim surprises me.
Of course Merkle trees existed long before - but they are just "cryptographically signed data structures", and thus don't solve the distributed consensus problem.
Of course eCash existed long before - but it depended on some central authority.
Of course distributed consensus algorithms existed long before - but they depended on the fact that all participants are trustable.
Thus, in my opinion Satoshi Nakamoto indeed made a really important scientific contribution for a quite specific algorithmic problem.
> Of course distributed consensus algorithms existed long before - but they depended on the fact that all participants are trustable.
No. They depended on the fact that all participants were known (in other words, the permissioned setting). Among those known ones, some (less than n/3) could go bonkers, all the way byzantine, and the honest nodes would still be guaranteed to find consensus (with consistency and availability).
Depending on the networking assumptions, of course there is. That's the whole point of SMR: under certain assumptions, you can attain availability and consistency.
The basic results of SMR theory are as follows, where "sync", "async" and "partially sync" refer to specific network models; PKI is public key infrastructure (that is, each node knows all the other nodes and has their public keys); "f" is the number of failed/dishonest/byzantine nodes (out of n total nodes); and only deterministic protocols are considered.
1) Permissioned, Sync, PKI: SMR possible, any f (!), Dolev-Strong (1983, [-5])
2) Permissioned, Sync, no PKI: SMR impossible if f >= n/3, PSL (1980), FLM (1985) (the hexagon proof, [-4])
3) Permissioned, Async: SMR impossible even with f=1 (!), FLP (1985) ("endless bivalent", [-3])
4) Permissioned, partially sync: SMR with "eventual availability" impossible if f >= n/3 [-2], possible otherwise (eg Tendermint [-1], Byzantine Paxos, PBFT)
In setting 4), PBFT-type protocols such as Tendermint guarantee consistency (among the "honest" nodes following the protocol as intended - you can't make any guarantees wrt to faulty or byzantine nodes) and eventual availability (that is, all requests sent by clients will "sooner or later" be dealt with) once network functionality is resumed.
That is consensus, for all intents and purposes, given that more consensus isn't really possible due to 2), 3). And arguably better consensus than Nakamoto consensus, which improves the boundary in 4) to n/2 (without selfish mining) at the cost of being stochastic, not deterministic, but replaces "consistency always, availability eventually" with "consistency eventually, availability always", arguably the wrong choice for financial applications.
Yes, but no. The Rube Goldberg of PoW isn't just for show, it's a protection from Sybil attack (not that it makes the economics of it any less of a disaster).
You cherry picked one thing from the list, and even there made a mistake.
In Bitcoin PoW used as a method for leader election of the node composing the list of validated transactions on the ledger (aka block), or even an empty list of transactions (aka Nakamoto-style Consensus).
But without all the Rube Goldbergian nonsense it’s simply an illegal/unlicensed lottery where the participants pay with electricity for the right to earn records on the longest chain (aka UTXO with mining block rewards).
> The Rube Goldberg of PoW isn't just for show, it's a protection from Sybil attack
he cherry picked PoW
no, Nakamoto-style consensus is not the same thing as PoW, or even PoW+LCR, not even the same thing as Bitcoin consensus.
Nakamoto-style consensus simply means that we're doing a leader election, and the leader does the transaction validation (aka mining a block in Bitcoin-speak).
The novelty of Nakamoto-style consensus is how we're doing this leader election, i.e. using PoW, PoW+LCR, PoS, PoET, PoA, Proof-of-X, etc.
> 5. Nakamoto consensus refers to the pairing of longest-chain consensus with proof-of-work
sybil-resistance.
> 6. Lecture 8 shows that the only ingredient missing from a permissionless version of
longest-chain consensus with provable consistency and liveness guarantees is a permissionless node selection subroutine that selects honest nodes more frequently than
Byzantine ones.
Fair enough, this is just one definition. There are others. Some even piling the entire bitcoin protocol under Nakamoto Consensus umbrella (including 21M BTC cap).
I was talking about Nakamoto-style Consensus not specific to Bitcoin, more like in (6).
That "rube goldberg machine" is what makes social consensus possible in a distributed system where everyone is anonymous and there's no single centralized authority.
How could it? PBFT is an algorithm, not a problem to be solved. Bitcoin is byzantine fault tolerant though.
> Bitcoin didn’t solved a forkability and finality problems.
There's no such thing as a "forkability problem" and Bitcoin solves finality through PoW.
> And indeed Bitcoin was forked multiple times, and the solution to forks was almost always either centralized and/or social.
That's wrong. The vast majority of forks are resolved algorithmically. There were only 2 or 3 unintentional hard forks in the early days that were due to bugs. This hasn't happened since 2013.
The only real "social" aspect of Bitcoin is what value people decide to assign to the coins.
I was at Bitcoin scene since 2011, I think that I can distinguish LARPing from the real thing. It's not me who created a dychotomy between fiat and crypto, between HODLers/coiners and noicoiners, between Traditional Finance and Crypro Finance, between CeFi and DeFi, between IPOs and ICOs, etc. Crypto always looked like a Pinoccio who want to become a "real boy".
> "it’s simply an illegal/unlicensed lottery"
yes, the PoW-based mining is litterally called a puzzle solving or a lottery. How do you call a game where everyone buys a ticket with electricity, but only one at a time wins a block reward?
> How could it? PBFT is an algorithm, not a problem to be solved. Bitcoin is byzantine fault tolerant though.
OK, BFT (not PBFT algo) is a class of problems with many proposed solutions, but none is good enough if you need scalability. Bitcoin is a partital solution under multiple constraints, even 1/3 of malicious nodes can undermine it. Internet backbone (BGP) should be trusted. Governments should allow it. etc.
> There's no such thing as a "forkability problem" and Bitcoin solves finality through PoW.
the on-chain Bitcoin transactions are never final. Everyone have their own heuristic how many blocks to count depending on the amount transacted. Protocol only defines how many blocks gamblers (miners) need to wait before they can spend their lottery winnings (block rewards).
> That's wrong. The vast majority of forks are resolved algorithmically. There were only 2 or 3 unintentional hard forks in the early days that were due to bugs. This hasn't happened since 2013.
There were many more than 2-3 both intentional and bugs, but why argue? Even 2-3 hard forks are enough to show that it's bad design. Forks should be impossible by design.
> The only real "social" aspect of Bitcoin is what value people decide to assign to the coins.
IMO there are many more social aspects here beside price discovery of UTXO records and social consensus. Bitcoin core governance, Mining centralization in China. Cypherpunks. LARPing.
> Bitcoin is a partial solution under multiple constraints, even 1/3 of malicious nodes can undermine it. Internet backbone (BGP) should be trusted. Governments should allow it. etc.
This is wrong on multiple counts. Bitcoin's security model does not assume BGP is trustworthy, nor does it rely on government permission. And the claim that 1/3 malicious nodes can undermine it misapplies BFT theory. Bitcoin doesn't use a quorum-based consensus like PBFT, so thresholds like 1/3 aren't the relevant failure mode. Instead, the attack vector is hashrate-based, and even a 51% attack doesn't let you rewrite history arbitrarily, just temporarily reorder recent blocks.
> The on-chain Bitcoin transactions are never final.
This is misleading. Bitcoin finality is probabilistic, like nearly everything in cryptography. It's final in the same sense that cryptographic signatures are unforgeable: with extremely high probability. The six-confirmation rule of thumb reflects the difficulty of deep chain reorgs which have never exceeded two blocks in practice on Bitcoin mainnet.
> There were many more than 2-3 [hard forks]... even 2-3 are enough to show it's bad design.
This conflates implementation bugs with protocol design flaws. The forks were caused by programming errors, not bad design.
> Bitcoin is a lottery.
You could argue that Bitcoin mining is because it's is probabilistic and there's a reward. But unlike a lottery, it serves an important role: securing the Bitcoin network.
Honestly, your critique reads more like cope than a technical argument.
> Bitcoin finality is probabilistic, like nearly everything in cryptography.
Yes, Bitcoin finality is probabilistic, and practically good enough after half a day or so (though 20 blocks were rolled back on at least 2 occasions).
However, many things in cryptography are not probabilistic. And in BFT-type consensus, every block is immediately final; the question of finality doesn't even arise (which is why the concept only gained prominence with Nakamoto consensus).
Regarding forks, there was BCH, BSV, etc. - those were not programming errors.
> though 20 blocks were rolled back on at least 2 occasions
Do you mean because of the bugs mentioned earlier or during the normal course of operations? Curious to read more about that.
> Regarding forks, there was BCH, BSV, etc. - those were not programming errors.
That's a different kind of "fork" though and those are arguably not Bitcoin. They're basically just competing cryptocurrencies that happened to use an existing blockchain to get started.
What's incredibly pedantic is insisting that Bitcoin is based on "social consensus." That’s only true in the most superficial or tautological sense - like saying anything people agree to use is based on "social consensus". It doesn't explain at all how the Bitcoin protocol actually achieves consensus (proof of work).
Calling it social consensus isn't an attempt to describe how the protocol works because you are talking about two different things. The consensus on which protocol to use, and the workings of the protocol itself.
You're response to me was to just verbatim repeat yourself while putting "no" in front of what I said. Incredibly pedantic discussion.
1. 1/3 malicious nodes under some conditions and BGP
This is backed by academic papers. Ask google or GhatGPT. You may argue that these papers are wrong or outdated, but then you need to tell this to the researchers who wrote them, not to me.
2. finality is binary, probabilistic finality is an oxymoron
3. > This conflates implementation bugs with protocol design flaws.
there is no formal spec for Bitcoin, there is a short informal whitepaper and a reference C++ implementation. Anyway the paper named "Bitcoin: A Peer-to-Peer Electronic Cash System", and for this specific purpose design is flawed, without regards to bugs.
4. > Bitcoin is a lottery.
Now you're hallucinating quotes I never wrote.
> Honestly, your critique reads more like cope than a technical argument.*
Pretty much all your comments here amount to twisting definitions, misapplying technical concepts, and nitpicking in search of "gotchas." Not to mention all the "LARPing" comments. It screams how to cope with having missed out, which, to your credit, you more or less admitted.
