Bitcoin miners are not mining to 'discover' bitcoins, as in the popular imagination; they are competing to be the bookkeepers of the bitcoin ledger, something for which they are rewarded with bitcoins.
Bitcoin's central technical breakthrough is that these bookkeepers do not need to know or trust each other and, so long as one party does not account for more than 50% of the computing power in the bookkeeping network, the ledger is safe from monkey-business. Safer, in fact, than any ledger ever previously created by man - it is distributed on hundreds of thousands of computers throughout the world and it is mathematically impossible to reverse it.
As in most human systems, once one party gains more than 50% of the computing power of the network, then the story changes -- they pick up some level of control over the ledger as follows:
Things that they STILL can't do even in a 51%+ scenario:
- Spend money out of any account other than their own
- Reverse past transactions
Things that they CAN do (not certainly, but probabilistically):
- Block certain transactions from entering the system going forward
- Reverse transactions going forward and use that as an opportunity to try to double spend their own coins.
In other words, spend them at one merchant, get the goods, reverse the charge and re-spend them somewhere else (before anyone notices, because as soon as the attack becomes known, bitcoin values will plummet and everyone will stop honoring bitcoin transactions until it shakes out).
To put it in conventional terms, from the time a miner has 51% control of a cryptocurrency, they can:
- Deny transactions from anyone
- Chargeback their own transactions
So the 51% controller becomes something like Visa or Mastercard, but more limited in his or her powers.
There is no doubt that a 51% scenario in the bitcoin chain would be very problematic and hurt trust in the system.
I am going to argue that it is unlikely for an *economically motivated* (as opposed to a politically motivated) miner to be incented to execute such an attack.
The logic is as follows:
(1) A miner that is controlling around 50% of the network is earning about 75 bitcoins an hour or 1,800 bitcoins per day. At today's prices of about $800 per coin that is $1.44M per day or $525M per year.
(2) I don't know exactly what capitalization rate to put on those earnings but it is obviously an immensely valuable franchise and one that would collapse in value if one executed the attack. Even if you only valued it at 3 months' worth of revenue, that is over $100M coming in the door. If you can maintain that position for a couple of years, it is over $1B.
UPDATE: What about costs that would reduce the value of this franchise? Mining hardware, electricity, etc. From the perspective of executing the attack, hardware is a sunk cost and not relevant. Electricity is fair to be counted against the revenues, but I don't think it changes the analysis at an order-of-magnitude level. H/T @gendal for raising the question.
(3) In order for a double spend attack to be worth MORE than that franchise, someone has to sketch out a plausible scenario where you could extract more than that in double-spending. Let's be really conservative and try to double spend $100M in bitcoins (about 3 months of mining revenue).
(a) First condition: We have to already be holding $100M in bitcoins and have decided, even though we are bitcoin enthusiasts, that it isn't easier to just hold them and hope for price increases *in addition* to our super mining franchise.
(b) Second condition: What are we going to spend them on? Obviously products are out of the question. You are not going to double-spend $100M on sheets from Overstock. Real estate is also out of the question. Double-spending is still regular old garden-variety fraud so if you execute this scam and end up with a mansion, it will be very easy for the authorities to show up at your door.
UPDATE: In the future, individual colored coins that represent assets might be individually very valuable and might provide a mechanism to double-spend. H/T @kentindell for raising the point. Counter-point: By then, a 50% position on the blockchain will be even more valuable.
(c) Third condition: You need to be able to do the transaction, particularly the second one, FAST. People will quickly realize the reversal and start not honoring transactions. And if you don't do a second transaction, you are not double-spending, you are single-spending (again, bitcoins will collapse in value if an attack like this was actually implemented).
(d) Realistically, the only candidate for this is cash. But $100M is close to the total daily volume of all exchanges worldwide. None of them can cash out $100M, let alone $100M x 2, let alone $100M x 2 quickly, let alone $100M x 2 to your bank account without leaving a very clear record that will send you to jail.
Not So Fast
There was a small sleight of hand in the above. Most large miners are actually pools which means the mining pool operator is not capturing all the revenue. So perhaps an individual controlling employee of the mining pool might be incented to try this stunt, even if the pool is not.
Still - even if you cut the target double spend to $30M, it is still very hard to imagine that you could pull this off in the real world. You would still be trying to cash out via exchanges and that is a lot of liquidity to pull out -- close to their daily volumes.
Real World and Conclusions:
A few weeks ago, a mining pool reached 41% of the computational power. As the theory would predict, the miners in the pool started pulling out of the pool and the pool operators made a statement that they would voluntarily limit their share. Everyone in the ecosystem has much more to lose by going over 50% than they have to gain.
Now, I am not a pollyanna. A malicious operator who would want to damage the network could try to execute a 51% attack and not care about the economic rewards.
At this stage though for bitcoin, that would require spending or giving up hundreds of millions of dollars a year to do so, so that is really in the range of malicious nation-states only.
The answer, of course, is (a) pulling more mining power to the network to make it even more cost prohibitive for anyone to attack it and (b) building in logic to mining clients to automatically pull away from pools that pass a certain concentration threshold.
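One way the concentration check in (b) could work, as an added example that is not from the original post or from any mining client: estimate each pool's share from the pools credited with recent blocks, and leave a pool whose plausible share reaches a threshold. The pool names, the block sample, the 144-block window and the 40% threshold are all assumptions.

```python
import math
from collections import Counter

# Constructed sample: pool credited with each of the last 144 blocks (about
# one day of blocks). Pool names are hypothetical, not real attribution data.
SAMPLE_BLOCKS = (["pool_a"] * 62 + ["pool_b"] * 40 +
                 ["pool_c"] * 30 + ["pool_d"] * 12)


def wilson_upper(found, total, z=1.96):
    """Upper bound of the Wilson score interval for a pool's true share."""
    if total == 0:
        return 1.0  # no data: assume the worst
    p = found / total
    denom = 1 + z * z / total
    centre = p + z * z / (2 * total)
    margin = z * math.sqrt(p * (1 - p) / total + z * z / (4 * total * total))
    return (centre + margin) / denom


def pool_shares(blocks):
    """Map pool -> (observed share, upper confidence bound on that share)."""
    total = len(blocks)
    return {pool: (n / total, wilson_upper(n, total))
            for pool, n in Counter(blocks).items()}


def choose_pool(current, blocks, threshold=0.40):
    """Return the pool to mine with, or None if every known pool is too big.

    Block discovery is random, so the decision uses the upper bound of each
    pool's share rather than the raw count over a short window.
    """
    shares = pool_shares(blocks)
    unseen = (0.0, wilson_upper(0, len(blocks)))
    if shares.get(current, unseen)[1] < threshold:
        return current  # plausibly under the limit: stay put
    safe = {p: s for p, s in shares.items()
            if p != current and s[1] < threshold}
    if not safe:
        return None
    # Move to the smallest safe pool so the switch spreads hash power out.
    return min(safe, key=lambda p: safe[p][1])


if __name__ == "__main__":
    for pool, (share, upper) in sorted(pool_shares(SAMPLE_BLOCKS).items()):
        print(f"{pool}: observed {share:.1%}, upper bound {upper:.1%}")
    print("pool_a miner should use:", choose_pool("pool_a", SAMPLE_BLOCKS))
```

With only 144 blocks in the window, a pool observed at 43% could plausibly hold just over half the hash power, which is why the check compares the upper bound and not the raw share.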
Note, fans of alternative cryptocurrencies -- this is one of the strongest cases for consolidation around the bitcoin blockchain. The small alt-coins are very vulnerable to these attacks -- someone could attack a top 20 coin with far, far smaller investment and that will be a painful day for alt-coins. For coins that are moving real economic value, I suspect we will see consolidation of mining power on one blockchain or, at most, a small number of blockchains, with additional coin 'features' built on top of those more secure chains.