In Issue 8, I argued that Bitcoin's difficulty adjustment—not proof-of-work itself—is the system's most important innovation. It makes Bitcoin's scarcity invariant to the energy conditions of the civilization using it. Whether the network consumes 1 GW or captures a star, exactly the same number of coins come out.
But scarcity alone doesn't secure the network. Revenue does.
This issue examines what I think is Bitcoin's most pressing structural vulnerability: the declining block subsidy, the transaction fee market that's supposed to replace it, and the formal academic literature that says the transition may not work.
The Subsidy is Disappearing on Schedule
Bitcoin's security model runs on a simple equation: total miner revenue equals the block subsidy plus transaction fees, denominated in BTC and valued at market price. This revenue caps total mining expenditure—miners collectively won't spend more on mining than they earn. And mining expenditure is what makes the network expensive to attack.
The block subsidy has halved four times: from 50 BTC (2009) to 25 (2012) to 12.5 (2016) to 6.25 (2020) to 3.125 (2024). The next halving, expected around early 2028, will cut it to 1.5625 BTC per block. By 2032, it'll be 0.78125. By 2036, 0.39.
Currently, roughly 97–99% of miner revenue comes from the block subsidy, with transaction fees contributing approximately 1.25% as of early 2025 (per Blockchair data). That figure has a history worth noting. Fee share spiked above 50% briefly in May 2023 when BRC-20 tokens congested the network, and the April 2024 halving saw Runes-driven blocks where fees exceeded the subsidy for days. But each spike was temporary. By late 2024, The Block reported fees had fallen to a 12-month low. The trajectory is not encouraging: outside of speculative protocol launches, fee share has not shown a sustained upward trend across cycles.
The design intent is clear: the subsidy bootstraps the network, then transaction fees take over as the permanent funding mechanism. The question is whether that transition is viable—and the numbers at each halving make the scale of the challenge concrete.
Note on assumptions: Assumes ~432,000 transactions/day (current average) and that fees must compensate for the subsidy decline to maintain current total security spend of ~$30.6M/day. At $68K BTC, the 2032 halving requires fees to cover roughly $23M/day—about $53 per transaction. If BTC price doubles to ~$136K by then, the dollar-denominated subsidy stays roughly flat and the fee pressure is deferred. But that's a price assumption, not a protocol guarantee.
The Academic Literature is More Alarming Than Bitcoin Discourse Acknowledges
The foundational paper is Carlsten, Kalodner, Weinberg, and Narayanan's 2016 study "On the Instability of Bitcoin Without the Block Reward" (ACM CCS). Their key finding: in a fee-only regime, the variance of block rewards becomes very high, making it profitable to "fork wealthy blocks" to steal accumulated fees. The undercutting attack they describe—where a miner initiates a fork at a high-value block and offers slightly better terms to the next miner—requires only modest hash power to be profitable. They called the resulting equilibria "undesirable security properties."
Negy, Rizun, and Sirer (2020, FC), "Selfish Mining Re-Examined," found that Carlsten's simplifying assumptions somewhat inflate the attack's profitability in practice, but Bahrani, Neuder, and Weinberg (2025) demonstrated that even today, with subsidies still dominant, congestion events create exploitable windows—the August 2024 Babylon protocol launch caused fees to spike from 0.14 BTC to 9.52 BTC within two blocks.
More rigorous still is Eric Budish's paper "Trust at Scale: The Economic Limits of Cryptocurrencies and Blockchains" (Quarterly Journal of Economics 140(1):1–62, February 2025—the lead article in the journal with arguably the highest per-article impact in economics, with acceptance rates around 3%). Budish's core result: proof-of-work security requires perpetual, high flow payments to miners proportional to the transaction value being protected. Security isn't stored—it must be continuously repurchased.
The intuition is straightforward: an attacker needs to outspend honest miners to control the chain. Miners collectively spend roughly what they earn—so the cost of attack is bounded by miner revenue. But the value an attacker could steal (say, by double-spending a large exchange deposit) is bounded by the value of transactions being settled. If the value secured grows faster than miner revenue, the attack becomes cheaper relative to the payoff. Budish formalizes this into three simultaneous conditions and shows that for Bitcoin to secure value comparable to gold's market cap (~$18 trillion), the required annual mining expenditure would need to reach hundreds of billions of dollars—an order of magnitude beyond current levels and well past what any realistic fee market would sustain.
Every halving that reduces flow payments without a commensurate increase in fees or price weakens this attack-resistance guarantee. Gans and Halaburda (2024, Management Science) extend the analysis further, showing the net cost of attack can actually be negative when accounting for mining rewards collected during the attack itself.
The Fee Market Has a Structural Problem
The optimistic narrative assumes transaction fees will rise to fill the subsidy gap. The math is daunting. To replace the current 3.125 BTC subsidy with fees alone at Bitcoin's roughly 5 transactions per second, each transaction would need to pay about $72 at current prices. At 500 TPS (requiring significant scaling), this drops to a feasible $0.72 per transaction.
But there's a structural problem buried in the fee market optimism. Huberman, Leshno, and Moallemi (2021, Review of Economic Studies) prove formally that Bitcoin's fee revenue requires congestion—the system must be capacity-constrained to generate meaningful fees. This creates a tension that has no clean resolution: scaling solutions that reduce congestion also reduce security funding. A Bitcoin that successfully scales to high transaction throughput may inadvertently undermine the fee market that's supposed to replace subsidies.
A further complication comes from fee mechanism design. Roughgarden (2024, Journal of the ACM 71(4)) proves that for any transaction fee mechanism simultaneously satisfying user incentive-compatibility and collusion-resistance between miners, all proceeds must be burned rather than paid to miners. This is the formal result that motivated Ethereum's EIP-1559 base-fee burn. Applied to Bitcoin's security budget, it suggests that optimally designed fee markets actually direct fees away from miners—potentially worsening the security budget even as on-chain fee volume grows.
There's a further revenue gap that Bitcoin's architecture largely forecloses. On Ethereum, maximal extractable value (MEV)—profit from reordering, inserting, or censoring transactions—has become a significant additional revenue stream for validators. Daian et al.'s "Flash Boys 2.0" (IEEE S&P 2020) documented the phenomenon, and MEV revenue now supplements Ethereum staking yields. Bitcoin's simpler UTXO model and lack of expressive smart contracts offer far less surface area for MEV extraction. This is arguably a feature from a fairness perspective, but from a security budget perspective, it means Bitcoin miners lack a revenue source that PoS validators can access.
There's also a tension that's rarely discussed: the Lightning Network routes small transactions off-chain specifically to avoid L1 fees. Sub-$1,000 transactions constitute over 27% of current mining fee revenue, per Messina, Taghia, and Müller's analysis of Bitcoin transaction data from 2014–2023 ("On the Impact of the Lightning Network on Bitcoin Transaction Fees and Network Value," IEEE International Conference on Blockchain and Cryptocurrency, 2024). If LN successfully scales to serve this segment, it removes a meaningful share of the fee market that the security budget depends on. The bull case is that LN drives adoption, which drives BTC price appreciation, which offsets the fee loss—but this argument substitutes a price forecast for a structural mechanism. It may prove correct, but it's a bet, not a protocol guarantee, and it remains unmodeled in the published literature.
How Expensive is an Attack Today?
Currently, a one-week 51% attack would cost approximately $6 billion according to Professor Campbell Harvey of Duke University (SSRN #5530719, October 2025)—roughly $4.6 billion in hardware, $1.34 billion in data center construction, $130 million per week in electricity. Harvey calculated this when BTC traded around $114,000 (the October 2025 average), putting the attack cost at about 0.26% of Bitcoin's then $2.3 trillion market cap. At current prices ($68,000, market cap ~$1.35 trillion), that same $6 billion represents a larger share—roughly 0.44%—though the hardware and infrastructure costs may also have shifted. Either way, most analysts consider this adequate for now.
But the security budget is declining in real terms. Bitcoin Core developer James O'Beirne has warned in widely discussed posts that the critical window falls around the halvings of 2028 and 2032, as the subsidy drops from 1.5625 to 0.78125 to 0.39 BTC per block. As the projection table above illustrates, by 2032 each transaction would need to pay over $50 in fees—at current prices and throughput—just to maintain today's security spend.
Budish's framework makes clear that this is not just a cost question: the ratio of mining revenue to the value of transactions that could be attacked is what determines the attack-resistance guarantee. As the subsidy declines and the value secured by the network grows, that ratio deteriorates unless fee revenue grows proportionally.
The Competitive Alternative
There's one more dimension to this problem that the Bitcoin community largely ignores: the competitive alternative. Budish, Lewis-Pye, and Roughgarden (2024, ACM EC) prove formally that algorithmic targeted punishment—specifically, slashing staked assets as penalty for detected attacks—is impossible for proof-of-work protocols but achievable under proof-of-stake with strong assumptions.
This is not a theoretical curiosity. Ethereum's post-Merge implementation provides the best real-world comparison: approximately 34–35 million ETH staked (roughly 28–30% of supply, ~$100–150 billion in economic security), over one million validators, and slashing conditions such that reverting a finalized block requires controlling and risking loss of ≥1/3 of total stake. To attack Ethereum's finality would require putting tens of billions of dollars at risk of permanent destruction. Saleh (2021, Review of Financial Studies) provides the formal model showing that under sufficient stake concentration the nothing-at-stake problem resolves.
This is worth acknowledging directly: the security budget problem is existential for the specific design choice of proof-of-work. Alternative consensus mechanisms address it structurally. That doesn't mean PoS is better in all respects—its decentralization properties are debated, its track record shorter, and Ethereum itself faces centralization concerns with Lido controlling ~24–25% of staked ETH.
There's also a dimension I flagged in Issue 8 that cuts the other way: censorship resistance. In PoW, the cost of censoring a transaction is the cost of maintaining majority hash rate indefinitely—economically prohibitive even for state actors as long as mining is geographically distributed. In PoS, validators are identifiable by their staked addresses, and regulatory pressure can be applied to large staking providers directly. After Ethereum's Merge, OFAC-compliant block production briefly exceeded 70% of blocks in late 2022 (per MEV Watch data), a concentration that would be structurally difficult to replicate in PoW. This doesn't resolve the security budget problem, but it's the strongest case for why PoW's higher security cost might be justified—you're paying for a specific property that PoS doesn't guarantee to the same degree.
The security budget problem is not a universal feature of all blockchain systems. But the property that makes it expensive may also be the property that makes it worth paying for.
Where I Might Be Wrong
I should flag the strongest counterarguments to my concern.
First, fee markets might develop in ways I'm not anticipating. The Ordinals and Runes episodes showed latent demand for blockspace that nobody predicted. It's possible that Layer 2 protocols, new use cases, or applications we haven't imagined yet will generate enough fee revenue to sustain security indefinitely. The August 2024 Babylon launch saw fees spike from 0.14 BTC to 9.52 BTC within two blocks—proof that when demand for blockspace is acute, the fee market works. My skepticism is about whether that demand is sustainable, not about whether it's possible.
Second, Bitcoin's price could rise enough to compensate for the declining subsidy. If BTC price doubles with each halving cycle, the dollar-denominated security budget stays roughly constant even as the BTC-denominated subsidy shrinks. This has historically been true—but treating historical price appreciation as a security assumption is a different kind of bet than a protocol guarantee.
Third, Peter Todd has argued in "Surprisingly, Tail Emission Is Not Inflationary" (petertodd.org, July 2022) that a permanent, fixed block reward—essentially ending the halving schedule—could solve the security budget problem without meaningfully compromising Bitcoin's monetary properties, because the percentage dilution from a fixed tail emission approaches zero over time. This is elegant in theory but would require a consensus change that the Bitcoin community has shown zero appetite for.
I'm genuinely uncertain about the timeline and severity of this problem. But the formal literature—Budish in QJE, Carlsten et al. in CCS, Huberman et al. in RES, Roughgarden in JACM—is more concerned than Bitcoin discourse typically reflects.
The Thermostat Needs Fuel
Issue 8 showed that the difficulty adjustment makes Bitcoin's scarcity invariant to energy conditions. This issue shows the other side: the difficulty adjustment can't function without revenue to attract miners.
The security budget problem is not about energy. It's about economics. A Dyson sphere pointed at Bitcoin mining doesn't help if there isn't enough revenue to justify running the miners. The difficulty adjustment is an extraordinary piece of engineering—it converts any amount of energy input into security without producing additional coins. But it's a thermostat, not a perpetual motion machine. It needs fuel.
The fuel is miner revenue. The block subsidy is the dominant source. It's declining on a fixed schedule. And the academic literature raises serious questions about whether the replacement—transaction fees—can fill the gap.
The next issue will examine what happens when a higher-value use for energy emerges alongside this revenue pressure: the AI displacement of Bitcoin mining.
Sources & Further Reading
Security budget
- Carlsten, Kalodner, Weinberg & Narayanan, "On the Instability of Bitcoin Without the Block Reward," ACM CCS (2016)
- Negy, Rizun & Sirer, "Selfish Mining Re-Examined," Financial Cryptography (2020)
- Bahrani, Neuder & Weinberg, "Selfish Mining Under General Stochastic Rewards," AFT (2025)
- Eric Budish, "Trust at Scale: The Economic Limits of Cryptocurrencies and Blockchains," Quarterly Journal of Economics 140(1) (2025)
- Budish, Lewis-Pye & Roughgarden, "The Economic Limits of Permissionless Consensus," ACM EC (2024)
- Gans & Halaburda, "'Zero Cost' Majority Attacks on Permissionless Proof-of-Work Blockchains," Management Science 70(6) (2024)
- Huberman, Leshno & Moallemi, "Monopoly Without a Monopolist: An Economic Analysis of the Bitcoin Payment System," Review of Economic Studies 88(6) (2021)
- Roughgarden, "Transaction Fee Mechanism Design," Journal of the ACM 71(4) (2024)
- Saleh, "Blockchain Without Waste: Proof-of-Stake," Review of Financial Studies 34(3) (2021)
Fee market & revenue
- Messina, Taghia & Müller, "On the Impact of the Lightning Network on Bitcoin Transaction Fees and Network Value," IEEE International Conference on Blockchain and Cryptocurrency (2024)
- Daian, Goldfeder, Kell, Li, Zhao, Bentov, Breidenbach & Juels, "Flash Boys 2.0: Frontrunning, Transaction Reordering and Consensus Instability in Decentralized Exchanges," IEEE S&P (2020)
- MEV Watch OFAC compliance data (2022–2023)
Attack cost & security analysis
- Professor Campbell Harvey, "Gold and Bitcoin," SSRN #5530719 (October 2025)
- James O'Beirne, security budget blog posts (2024)
- Peter Todd, "Surprisingly, Tail Emission Is Not Inflationary," petertodd.org (July 2022)
- Blockchair fee data (2025)
- The Block, Runes fee reporting (2024–2025)
Geo Nicolaidis
Builder, TrailBit.io
If you found this useful, subscribe to get the next issue in your inbox. Each issue breaks down a different heuristic used in Bitcoin forensics — what it assumes, where it breaks, and why it matters.