Bitcoin's security model faces a fundamental challenge: the block subsidy that currently funds most mining operations is designed to eventually reach zero. This creates what critics, most formally Eric Budish (2018) and Raphaël Auer (2019), call the "security budget problem": will transaction fees alone provide sufficient incentive for miners to secure the network? This chapter examines the mathematics, economics, and game theory of Bitcoin's long-term security budget, analyzing whether the network can sustainably protect trillions of dollars of value with fees alone.
Remark 38.1 (The Core Tension)
Bitcoin's fixed supply (21 million coins) is fundamental to its monetary properties, but it also means that miner revenue from new coins will eventually end. The network must transition from subsidy-funded security to fee-funded security.
38.1 The Subsidy Decline
Definition 38.1 (Block Subsidy Schedule)
Bitcoin's block subsidy halves approximately every four years (210,000 blocks). The subsidy at block height h is
subsidy(h) = (50 × 10⁸ satoshis) >> ⌊h / 210,000⌋
where >> denotes a right bit shift (each shift is one halving) and 210,000 blocks ≈ 4 years.
| Halving | Year | Block Reward | Daily Issuance | Annual Inflation |
|---|---|---|---|---|
| Genesis | 2009 | 50 BTC | 7,200 BTC | N/A |
| 1st | 2012 | 25 BTC | 3,600 BTC | ~12.5% |
| 2nd | 2016 | 12.5 BTC | 1,800 BTC | ~4.0% |
| 3rd | 2020 | 6.25 BTC | 900 BTC | ~1.8% |
| 4th | 2024 | 3.125 BTC | 450 BTC | ~0.83% |
| 5th | ~2028 | 1.5625 BTC | 225 BTC | ~0.4% |
| 10th | ~2048 | ~0.049 BTC | ~7 BTC | ~0.01% |
| Final | ~2140 | 0 BTC | 0 BTC | 0% |
Proposition 38.1 (Subsidy Termination)
The block subsidy is exactly zero for every block height h ≥ 6,930,000 (around the year 2140).
The initial subsidy is 50 × 10⁸ = 5 × 10⁹ satoshis, and 2³² < 5 × 10⁹ < 2³³. A right shift by 32 therefore leaves ⌊5 × 10⁹ / 2³²⌋ = 1 satoshi (the final non-zero subsidy era, beginning at height 32 × 210,000 = 6,720,000), and a right shift by 33 yields 0. Hence subsidy(h) = 0 for all h ≥ 33 × 210,000 = 6,930,000.
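The schedule of Definition 38.1 and the termination height of Proposition 38.1 can be checked mechanically. The following Python is an added example, not code from Bitcoin Core or from this chapter's sources; the function names are chosen here for illustration.

```python
COIN = 100_000_000            # satoshis per BTC
HALVING_INTERVAL = 210_000    # blocks per subsidy era
INITIAL_SUBSIDY = 50 * COIN   # 5 * 10**9 satoshis


def subsidy(height: int) -> int:
    """Block subsidy in satoshis at `height` (Definition 38.1)."""
    if height < 0:
        raise ValueError("height must be non-negative")
    halvings = height // HALVING_INTERVAL
    # Python integers shift safely by any amount. In fixed-width 64-bit
    # arithmetic a shift of 64 or more has to be special-cased to return 0.
    return INITIAL_SUBSIDY >> halvings


def first_zero_height() -> int:
    """Smallest block height whose subsidy is zero (Proposition 38.1)."""
    era = 0
    while INITIAL_SUBSIDY >> era:
        era += 1
    return era * HALVING_INTERVAL


def total_issuance() -> int:
    """Sum of every subsidy ever paid, in satoshis.

    Each halving rounds down to a whole satoshi, so the total falls
    slightly short of 21 million BTC.
    """
    total, era = 0, 0
    while INITIAL_SUBSIDY >> era:
        total += HALVING_INTERVAL * (INITIAL_SUBSIDY >> era)
        era += 1
    return total


def daily_issuance_btc(height: int, blocks_per_day: int = 144) -> float:
    """Daily issuance in BTC, as tabulated in Section 38.1."""
    return subsidy(height) * blocks_per_day / COIN


if __name__ == "__main__":
    for h in (0, 840_000, 6_720_000, 6_929_999, 6_930_000):
        print(f"height {h:>9,}: {subsidy(h):>13,} sat")
    print("first zero-subsidy height:", f"{first_zero_height():,}")
    print("total issuance (BTC):", total_issuance() / COIN)
```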
By 2032 the block subsidy will be 0.78125 BTC per block, less than the total fees a single block has sometimes collected during high-demand periods. The transition to a fee-based security model is scheduled, and its first-order effects are already measurable in the fee share of miner revenue (Remark 38.3).
38.2 Defining the Security Budget
Definition 38.2 (Security Budget)
The security budget is the total revenue available to miners, which determines how much they can profitably spend on mining equipment and electricity:
Security Budget = (Block Subsidy + Transaction Fees) × Blocks per Year
With ~52,560 blocks per year, the annual calculation is
~52,560 blocks × (subsidy + average fees) = Annual Miner Revenue
The security budget determines:
- Attack Cost: How expensive it is to mount a 51% attack
- Hashrate Level: Total computational power securing the network
- Miner Decentralization: Whether mining remains profitable for diverse participants
- Finality Confidence: How many confirmations users need for security
Remark 38.2 (Attack Cost Heuristic)
As a first approximation, the cost of a hashrate-majority attack scales with the security budget:
Attack Cost ≈ Security Budget × Attack Duration / 365
A network with a $10 billion annual security budget costs approximately $27 million per day to attack at the 51% threshold. If the security budget drops to $1 billion, attacks become 10x cheaper.
38.3 Historical Fee Analysis
Remark 38.3 (Historical Fee Revenue)
Transaction fees have historically been a small fraction of miner revenue:
| Year | Avg Fee (BTC) | Total Fees (BTC) | Fee % of Revenue |
|---|---|---|---|
| 2015 | 0.00018 | ~8,200 | 0.6% |
| 2017 | 0.00096 | ~100,000 | 13% |
| 2021 | 0.00022 | ~21,000 | 6.0% |
| 2023 (Ordinals) | 0.00015 | ~23,000 | 6.5% |
| 2024 (Runes, halving) | 0.00008 | ~15,000 | 6.6% |
Remark 38.4 (Fee Spikes)
Fees have spiked dramatically during periods of high demand:
- December 2017: $55 average fee during bull market peak
- April 2021: $62 average fee during institutional adoption wave
- May 2023: $31 average fee during the BRC-20 inscription demand surge
- April 2024: $127 peak fee during Runes launch
Remark 38.5 (The Volatility Problem)
Fee revenue is highly volatile, spiking 100x during demand surges and collapsing during quiet periods. This makes it difficult for miners to plan long-term investments in hardware and infrastructure.
38.4 Fee Market Dynamics
Definition 38.3 (Fee Market)
Bitcoin's fee market is a first-price auction in which users bid for limited block space. Users set a fee rate (sat/vB), miners sort transactions by fee rate and include the highest bidders first, and the market clears at the marginal transaction.
Block Space Supply (per block):
├── Weight limit: 4,000,000 weight units
├── Typical capacity: ~2,500-4,000 transactions
└── Daily capacity: ~360,000-576,000 transactions
Fee Determination:
├── Users set fee rate (sat/vB)
├── Miners sort by fee rate
├── Highest bidders included first
└── Market clears at marginal transaction
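The clearing process of Definition 38.3 can be sketched as a greedy block builder. This is an added example, not Bitcoin Core's block assembler: it assumes every transaction is independent (no ancestor packages), and the mempool entries and the small weight limit used in the demo are constructed.

```python
MAX_BLOCK_WEIGHT = 4_000_000   # weight units per block (Section 38.4)


def fee_rate(tx) -> float:
    """Fee rate in sat/vB; one virtual byte is four weight units."""
    return tx["fee"] * 4 / tx["weight"]


def build_block(mempool, max_weight=MAX_BLOCK_WEIGHT):
    """Fill a block with the highest fee-rate transactions first.

    Returns (txids, total_fee_sat, clearing_rate), where clearing_rate is
    the fee rate of the marginal (lowest-rate) transaction included.
    """
    txids, used, total_fee, clearing_rate = [], 0, 0, 0.0
    for tx in sorted(mempool, key=fee_rate, reverse=True):
        if used + tx["weight"] > max_weight:
            continue  # too large for the space left; a smaller tx may fit
        txids.append(tx["txid"])
        used += tx["weight"]
        total_fee += tx["fee"]          # first-price: each pays its own bid
        clearing_rate = fee_rate(tx)    # last one accepted sets the margin
    return txids, total_fee, clearing_rate


# Constructed mempool: fee in satoshis, weight in weight units.
SAMPLE_MEMPOOL = [
    {"txid": "a", "fee": 40_000, "weight": 800},    # 200 sat/vB
    {"txid": "b", "fee": 9_000,  "weight": 600},    #  60 sat/vB
    {"txid": "c", "fee": 12_000, "weight": 2_400},  #  20 sat/vB
    {"txid": "d", "fee": 1_000,  "weight": 400},    #  10 sat/vB
    {"txid": "e", "fee": 500,    "weight": 1_000},  #   2 sat/vB
]

if __name__ == "__main__":
    # A tiny weight limit makes block space scarce with five transactions.
    ids, fees, rate = build_block(SAMPLE_MEMPOOL, max_weight=2_000)
    print(ids, fees, rate)
```

With space for only 2,000 weight units, transaction `c` is skipped despite outbidding `d`, because it no longer fits; the miner's revenue is the sum of the included bids, not the clearing rate times the block size.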
Demand for blockspace comes from multiple sources:
- High-value transfers: Exchanges, institutions, large holders (price insensitive)
- Time-sensitive payments: Commerce, payroll (moderately price sensitive)
- Consolidation: UTXO management (price sensitive, can wait)
- Data inscription: Ordinals, BRC-20 (highly variable demand)
- Layer 2 settlements: Lightning channel opens/closes (batched, price sensitive)
The critical question is whether demand for on-chain transactions will scale proportionally as Bitcoin's value increases.
Remark 38.6 (The Scaling Paradox)
If Bitcoin succeeds as a global reserve asset, most transactions will occur on Layer 2 solutions. This increases Bitcoin's value but potentially reduces on-chain fee revenue. Success could undermine the security budget.
38.5 Economic Models and Projections
Definition 38.4 (Model 1: Linear Fee Growth)
The linear fee growth model makes the optimistic assumption that fee revenue grows proportionally with Bitcoin's market cap, so the security budget remains a fixed percentage of the value secured.
Example 38.1 (Model 1 at a $10 Trillion Market Cap)
If Bitcoin reaches a $10 trillion market cap:
Required security budget: ~1% = $100 billion/year
Required fee revenue: ~$274 million/day
Required fee per block: ~$1.9 million
At 2,500 tx/block: ~$760 per transaction
This model requires average fees of hundreds of dollars, sustainable only if Bitcoin is used exclusively for high-value settlement.
Definition 38.5 (Model 2: Constant Dollar Security)
The constant dollar security model makes the conservative assumption that the security budget stays constant in dollar terms after the subsidy ends.
Example 38.2 (Model 2 at $15 Billion per Year)
If the security budget stays at ~$15 billion/year:
Post-subsidy fee requirement: $41 million/day
Required fee per block: ~$285,000
At 2,500 tx/block: ~$114 per transaction
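Examples 38.1 and 38.2 assume the subsidy has already reached zero. The following added example (not from the chapter's sources) generalizes them by counting the subsidy still paid at a given height, and also implements the heuristic of Remark 38.2. The BTC price of $100,000 is a constructed assumption, and the function names are chosen here.

```python
BLOCKS_PER_YEAR = 52_560        # figure used in Definition 38.2
HALVING_INTERVAL = 210_000
COIN = 100_000_000              # satoshis per BTC


def subsidy_btc(height: int) -> float:
    """Block subsidy in BTC at `height` (Definition 38.1)."""
    return ((50 * COIN) >> (height // HALVING_INTERVAL)) / COIN


def security_budget_usd(height, avg_fees_btc, btc_price_usd):
    """Definition 38.2, converted to dollars at a given BTC price."""
    per_block_btc = subsidy_btc(height) + avg_fees_btc
    return per_block_btc * btc_price_usd * BLOCKS_PER_YEAR


def attack_cost_usd(budget_usd, days):
    """Remark 38.2 heuristic: budget x attack duration / 365."""
    return budget_usd * days / 365


def required_fee_per_tx_usd(target_budget_usd, height, btc_price_usd,
                            tx_per_block=2_500):
    """Average fee per transaction needed to reach `target_budget_usd`
    after the subsidy still paid at `height` has been counted."""
    per_block_usd = target_budget_usd / BLOCKS_PER_YEAR
    subsidy_usd = subsidy_btc(height) * btc_price_usd
    return max(0.0, per_block_usd - subsidy_usd) / tx_per_block


def fee_schedule(target_budget_usd, btc_price_usd, first_era=4, last_era=8):
    """(era, subsidy in BTC, required fee per tx) at the start of each era."""
    rows = []
    for era in range(first_era, last_era + 1):
        height = era * HALVING_INTERVAL
        fee = required_fee_per_tx_usd(target_budget_usd, height, btc_price_usd)
        rows.append((era, subsidy_btc(height), fee))
    return rows


if __name__ == "__main__":
    PRICE = 100_000  # constructed BTC price in USD, held flat for the sketch
    print("Model 2 ($15B/year) at a constant price:")
    for era, sub, fee in fee_schedule(15e9, PRICE):
        print(f"  era {era}: subsidy {sub:.5f} BTC -> ${fee:,.2f} per tx")
    print("Model 1 (1% of $10T), no subsidy:",
          round(required_fee_per_tx_usd(100e9, 6_930_000, PRICE), 2))
    print("One-day attack cost at $10B/year:",
          round(attack_cost_usd(10e9, 1)))
```

At the constructed price the current subsidy alone covers a $15 billion budget, so the required fee is zero in the 2024 era and rises with each halving toward the ~$114 of Example 38.2.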
Definition 38.6 (Model 3: Security Percentage Decline)
The security percentage decline model extrapolates the historical observation that security spending as a percentage of market cap has steadily declined.
Example 38.3 (Historical Security Percentage)
| Year | Market Cap | Security Budget | Security % |
|---|---|---|---|
| 2015 | $4B | $350M | 8.75% |
| 2018 | $130B (avg) | $5.5B | ~4.0% |
| 2021 | $1T | $17B | 1.7% |
| 2024 | $1.3T | $15B | 1.15% |
If this trend continues, security as a percentage of value secured could fall below 0.5%, potentially inadequate for a global reserve asset.
38.6 Game-Theoretic Considerations
In a low-subsidy environment, miners face new incentive challenges:
Fee-Only Mining Game Theory:
├── Fee Sniping
│   ├── Profitable to re-mine recent blocks
│   ├── If fees >> subsidy, orphaning becomes attractive
│   └── Can cause chain instability
│
├── Selfish Mining Amplified
│   ├── Fee variance increases block value variance
│   ├── Lucky blocks (high fees) worth attacking
│   └── Threshold for profitability may decrease
│
├── Transaction Withholding
│   ├── Miners may hold high-fee transactions
│   ├── Wait for own block to maximize revenue
│   └── Increases confirmation time variance
│
└── Empty Block Mining
    ├── In fee-only regime, empty blocks forfeit all revenue
    ├── Rare empty blocks are economically self-punishing
    └── Frequent occurrence would indicate a structural problem
Remark 38.7 (Fee-Sniping Condition)
When fees dominate block rewards, re-mining the previous block becomes attractive. Sniping block n is attractive when
Fees(block n) − E[Fees] ≫ expected race-loss cost (∝ subsidy + E[Fees])
The sniper also collects the subsidy on the re-mined block, so the subsidy enters only through the cost of losing the race. In a mature fee market with minimal subsidy, blocks with unusually high fees become attack targets.
Remark 38.8 (Anti-Fee-Sniping Locktime)
Bitcoin Core includes fee sniping mitigation by default:
// Default locktime set to current block height
// Prevents transaction from being mined in re-org of recent blocks
nLockTime = chainActive.Height();
// Random offset to avoid fingerprinting
if (GetRandInt(10) == 0)
    nLockTime = std::max(0, (int)nLockTime - GetRandInt(100));
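This makes the transaction invalid in any block at or below the height at which it was created, so a re-org that re-mines recent blocks to steal fees cannot pull it into the replacement blocks. The lock takes effect only if at least one input has a non-final sequence number (below 0xFFFFFFFF); otherwise nLockTime is ignored.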
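The effect of the locktime in Remark 38.8 follows from the consensus finality rule. The sketch below is an added example in Python, not Bitcoin Core code: it re-implements that rule and applies it to a constructed mempool at a constructed tip height to show which fees remain available to a block that replaces the tip and which are reserved for the block that extends it.

```python
LOCKTIME_THRESHOLD = 500_000_000  # nLockTime below this is a block height
SEQUENCE_FINAL = 0xFFFFFFFF       # input sequence that disables nLockTime


def is_final_tx(locktime, sequences, block_height, block_time):
    """True if a transaction may be included in a block at `block_height`.

    `block_time` is the time compared against time-based locktimes
    (the median time past of the preceding blocks since BIP 113).
    """
    if locktime == 0:
        return True
    limit = block_height if locktime < LOCKTIME_THRESHOLD else block_time
    if locktime < limit:
        return True
    # nLockTime is ignored when every input carries a final sequence.
    return all(seq == SEQUENCE_FINAL for seq in sequences)


def collectable_fees(mempool, block_height, block_time):
    """Total fee (satoshis) a block at `block_height` may include."""
    return sum(tx["fee"] for tx in mempool
               if is_final_tx(tx["locktime"], tx["sequences"],
                              block_height, block_time))


TIP = 840_000            # constructed chain-tip height
NOW = 1_713_571_200      # constructed timestamp
MEMPOOL = [              # constructed transactions, all created at tip TIP
    # wallet with anti-fee-sniping: locktime = tip, non-final sequence
    {"txid": "a", "locktime": TIP, "sequences": [0xFFFFFFFE], "fee": 50_000},
    # wallet that leaves nLockTime at zero
    {"txid": "b", "locktime": 0, "sequences": [SEQUENCE_FINAL], "fee": 20_000},
    # locktime set, but all sequences final: the lock has no effect
    {"txid": "c", "locktime": TIP,
     "sequences": [SEQUENCE_FINAL, SEQUENCE_FINAL], "fee": 10_000},
    # the 10% case: locktime randomly set further back
    {"txid": "d", "locktime": TIP - 1, "sequences": [0xFFFFFFFD], "fee": 5_000},
]


def fees_by_strategy(mempool=MEMPOOL, tip=TIP, now=NOW):
    """Mempool fees available when replacing the tip vs. extending it."""
    return {
        "replace_tip": collectable_fees(mempool, tip, now),
        "extend_tip": collectable_fees(mempool, tip + 1, now),
    }


if __name__ == "__main__":
    print(fees_by_strategy())
```

The more wallets set the locktime correctly, the larger the share of mempool fees that only an honest extension of the chain can collect.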
38.7 Proposed Solutions
38.7.1 Rely on the Fee Market
The position most common among Bitcoin's long-term proponents:
- Bitcoin's value will increase enough that fees in dollar terms remain sufficient
- Blockspace is genuinely scarce; market will price it appropriately
- New use cases (Ordinals, etc.) demonstrate organic demand
- Layer 2 anchor transactions will provide steady base demand
Remark 38.9 (The Market-Sufficiency Argument)
On this view, Bitcoin has survived every challenge so far. The fee market, while imperfect, has functioned for more than fifteen years. As Bitcoin becomes more valuable, rational users will pay appropriate fees for the security they require.
A stronger version of the position disputes the premise of the models in Section 38.5 outright: what attack cost must exceed is the value an attacker can actually capture (the double-spendable flow of transactions), not Bitcoin's market capitalization (a stock). Combined with the hardware realities of Remark 38.13 (SHA-256 hashrate cannot be rented at scale, and an attacker's ASICs lose their value if the attack succeeds), the budget required for deterrence may be far smaller than any fixed percentage of market cap implies.
38.7.2 Increase Block Size
Increase transaction throughput to compensate for lower per-transaction fees:
Total Fees = Fee per transaction × Transactions per block
If the fee per transaction drops 90%, increase capacity 10x to maintain revenue.
Problems:
- Reduces node decentralization
- Contentious (see SegWit2x failure)
- May not solve problem: fees might drop proportionally
38.7.3 Tail Emission (Perpetual Inflation)
The most controversial proposal is to modify Bitcoin to have permanent low-level issuance.
Remark 38.10 (The Tail Emission Debate)
Monero implements tail emission (0.6 XMR per block forever). Some researchers—most prominently Peter Todd (2022), who argues that a fixed linear emission is asymptotically non-inflationary because coin loss offsets it—contend that Bitcoin needs something similar. This would fundamentally change Bitcoin's monetary properties and has attracted no meaningful support among Bitcoin developers or users to date; no BIP proposes it.
Arguments for tail emission:
- Provides predictable miner revenue forever
- Low inflation (0.1-0.5%) has minimal monetary impact
- Lost coins make true inflation even lower
- Security is more important than perfect scarcity
Arguments against:
- Breaks social contract of 21 million cap
- Sets precedent for further monetary changes
- The fee market is expected to price this; if it does not, that outcome itself would be informative
- Would require extremely contentious hard fork
38.7.4 Merged Mining
Miners earn revenue from multiple chains simultaneously:
Merged Mining Revenue Model:
├── Bitcoin block reward: 3.125 BTC
├── Namecoin (merged): NMC block reward (negligible value)
├── RSK (merged): fees from sidechain
├── Potential future chains: additional revenue
└── Total revenue > Bitcoin alone
This supplements miner revenue without changing Bitcoin's protocol.
38.7.5 Fee Smoothing Mechanisms
Protocol changes to reduce fee variance:
- Fee averaging: Distribute fees across multiple blocks
- Fee burning: Remove portion of fees from circulation (deflationary pressure)
- Fee futures: Allow pre-payment for future block inclusion
These reduce miner incentive problems but require consensus changes.
38.7.6 Layer 2 Dependency
Accept that most transactions occur off-chain:
Layer 2 Fee Model:
├── Lightning Network
│   ├── Channel opens/closes: high fees acceptable
│   ├── Millions of transactions per channel lifetime
│   └── Amortized fee per payment: near-zero
│
├── Ark/Statechains
│   ├── Periodic on-chain settlements
│   └── Batch many users into single transactions
│
└── Sidechains
    ├── Peg-in/peg-out transactions
    └── Independent fee markets on sidechains
If each Lightning channel represents 10,000 off-chain payments, users can justify $100+ fees for channel management.
38.8 How Much Security Is Enough?
Remark 38.11 (Threat Models)
Security requirements depend on the threat model. Suppose the attacker must sustain a 51% attack for two weeks (14 days) to profit. By the heuristic of Remark 38.2, such an attack costs approximately Budget × 14/365 ≈ Budget/26, so deterring an attacker willing to commit resources R requires an annual security budget of roughly 26R. Taking the upper end of each resource range:
| Attacker | Resources committed | Deterrent budget (≈ 26 × resources) |
|---|---|---|
| Individual criminal | $1-10M | ~$260M/year |
| Criminal organization | $10-100M | ~$2.6B/year |
| Corporation | $100M-1B | ~$26B/year |
| Nation state | $1-100B | beyond this heuristic (Remark 38.12) |
The figures inherit every limitation of the heuristic: in particular, they ignore the hardware-acquisition and opportunity costs of Remark 38.13, which raise the effective cost of attack.
Remark 38.12 (Nation-State Resistance)
If Bitcoin becomes a global reserve asset holding $10+ trillion in value, it must resist nation-state attacks. Deterrence against a state actor requires the attack cost to be large relative to the resources such an actor would commit, a quantity that is political rather than computable. Published estimates of the budget required for state-level deterrence vary by more than an order of magnitude.
Remark 38.13 (Opportunity Cost Defense)
The cost of attack includes more than just hardware:
- Hardware acquisition: Buying/building 51% of hashrate
- Opportunity cost: Revenue foregone by attacking instead of mining honestly
- Retaliation cost: Network response (PoW change, social coordination)
- Value destruction: Attacker's own holdings lose value
These multipliers mean effective security may be higher than raw budget suggests.
38.9 Ordinals and the Fee Market
The emergence of Ordinals, BRC-20 tokens, and Runes has substantially affected the fee market:
| Period | Protocol | Fee Impact |
|---|---|---|
| Q1 2023 | Ordinals inscriptions | Fees spike 5-10x |
| Q2 2023 | BRC-20 demand surge | $30+ average fees |
| Q2 2024 | Runes launch | $100+ fees, miners earn 4x normal |
Remark 38.14 (Demand Is Unpredictable)
No one predicted Ordinals. New use cases can emerge that sharply increase blockspace demand. The fee market may be more robust than models assuming only monetary transactions.
Counter-arguments:
- Inscription demand is speculative, not sustainable
- May represent temporary fad, not permanent demand
- Competes with monetary use cases, potentially pricing them out
38.10 The Transition Timeline
When does this become critical?
Security Budget Timeline:
│
├── 2024-2028: Subsidy = 3.125 BTC
│   ├── Fees typically 5-15% of revenue
│   ├── Substantial margin remains
│   └── Problem visible but not urgent
│
├── 2028-2032: Subsidy = 1.5625 BTC
│   ├── Fees need to be 20-30% of revenue
│   ├── Fee market becomes more important
│   └── First real test of fee sustainability
│
├── 2032-2040: Subsidy < 1 BTC
│   ├── Fees must dominate revenue
│   ├── Sustained six-figure BTC prices help
│   └── Fee sniping becomes real concern
│
└── 2040+: Subsidy negligible
    ├── Fees are ~100% of revenue
    ├── The theoretical concerns of Section 38.6 become operative
    └── By this point the network has adapted, or the concerns have materialized
Remark 38.15 (The Graduation Test)
Each halving is a test: can the network maintain security with reduced subsidy? So far, Bitcoin has passed each one:
- 2012: First halving, hashrate continued growing
- 2016: Second halving, hashrate 10x higher than pre-halving
- 2020: Third halving, hashrate reached a new all-time high within months
- 2024: Fourth halving, network remains secure
This track record provides evidence—but not proof—that future halvings will be manageable.
38.11 Future Scenarios
These are scenarios, not forecasts (the convention of Chapter 40).
38.11.1 Scenario 1: Fee Market Success
The optimistic path:
- Bitcoin reaches $500K+ per coin
- Layer 2 grows to millions of users, anchor transactions valuable
- Average fee of $50-100 is acceptable for settlement layer
- Ordinals/smart contract demand provides additional revenue
- Security budget maintains nation-state resistance
38.11.2 Scenario 2: Gradual Decline
The concerning path:
- Bitcoin becomes store of value with minimal transactions
- Layer 2 captures 99% of activity, few anchor transactions
- Fee revenue insufficient, hashrate declines
- Network remains functional but vulnerable to well-funded attacks
- Users accept longer confirmation times, higher confirmation requirements
38.11.3 Scenario 3: Crisis and Adaptation
The transformative path:
- Security budget drops to dangerous levels
- Attack occurs, demonstrating real risk
- Community faces difficult choices
- Either: tail emission debate revived, or new demand sources emerge
- Crisis forces innovation or fundamental change
38.12 Active Research
38.12.1 Fee Market Design
Researchers are studying improved fee mechanisms:
- EIP-1559 style: Base fee + tip, smoother pricing
- Fee futures: Pre-commit to future block inclusion
- Batch auctions: More efficient price discovery
38.12.2 Alternative Security Models
- Proof of Stake: Different security economics (no serious proposal exists to adopt it for Bitcoin)
- Hybrid models: PoW + PoS combinations
- Checkpointing: Social consensus as security layer
38.12.3 Layer 2 Economic Integration
- How do Layer 2 fees contribute to Layer 1 security?
- Optimal channel lifetime vs. on-chain settlement frequency
- Coordinated defense against Layer 1 attacks
38.13 Summary
- Bitcoin's block subsidy will effectively end within 20-30 years
- Transaction fees must eventually fund 100% of mining revenue
- Historical fee revenue has been volatile and often insufficient
- New demand sources (Ordinals) suggest market may be more robust than expected
- Game-theoretic challenges (fee sniping) emerge in a low-subsidy environment
- No consensus on whether intervention is needed or what it should be
- Each halving provides real-world data on fee market resilience
The security budget problem is among Bitcoin's most significant long-term uncertainties. It is economic rather than cryptographic: no signature scheme supplies miner revenue. The next two decades will determine whether Bitcoin's fee market can support a global settlement layer, or whether more fundamental changes become necessary.
Exercises
Exercise 38.1
After the 2028 halving, the block subsidy will be 1.5625 BTC. Assuming 144 blocks per day, compute the daily issuance in BTC and the annual issuance in BTC. Check your daily figure against the table in Section 38.1.
Exercise 38.2
Using the formula in Definition 38.1, compute the block subsidy in BTC at height h = 1,050,000. Then use the argument of Proposition 38.1 to find the first block height at which the subsidy is exactly zero.
Exercise 38.3
Using the heuristic of Remark 38.2, compute the approximate cost per day of a 51% attack against a network with a $10 billion annual security budget, and against one with a $1 billion annual budget. Verify the claim that the second attack is 10x cheaper.
Exercise 38.4
Recompute Example 38.1 (Model 1) for a $20 trillion market cap: find the required annual security budget at 1%, the required daily fee revenue, the required fee per block (using 52,560 blocks per year), and the required fee per transaction at 2,500 transactions per block.
Exercise 38.5
A Lightning user pays a $100 on-chain fee to open a channel and another $100 to close it. If the channel carries 10,000 off-chain payments over its lifetime, what is the amortized on-chain fee per payment?
Exercise 38.6
Extend Example 38.3: if Bitcoin's market cap grows to $5 trillion while the security budget stays at $15 billion per year, what is the security percentage? Compare your answer with the 0.5% level the chapter flags as potentially inadequate.