Bitcoin Has a Population Problem — And We Can Prove It
The security assumption everyone takes for granted has an expiry date. It's not a conjecture. It's a theorem.
Every time someone sends Bitcoin, they trust a single assumption: that the honest miners control more computing power than the attackers. This is called the honest majority assumption, and it is the load-bearing wall of the entire structure. Remove it, and the building does not merely weaken — it collapses.
For sixteen years, this assumption has been treated as a given. A parameter to be plugged in. An article of faith dressed up as an input to a theorem. The formal proofs say: if honest majority holds, then the ledger is safe. They never ask whether it holds, or when it stops holding.
A new paper asks that question and proves the answer is uncomfortable.
What the formal proofs actually say
In 2015, Garay, Kiayias, and Leonardos published the first rigorous security analysis of Bitcoin’s protocol — what they called the backbone protocol. The definitive version appeared in the Journal of the ACM in 2024. It is the foundation that every subsequent formal analysis builds on. Pass, Seeman, and shelat extended it to partially synchronous networks. Ren simplified the random-walk argument. Gazi, Kiayias, and Russell proved tight bounds. Every one of these papers starts from the same place: assume honest majority, then derive consequences.
Their result has two parts, and the distinction between them is the entire point.
Part one: the honest majority assumption. The adversary’s hashrate β must satisfy β ≤ (1−δ)γ, where γ is the honest hashrate and δ is a margin that depends on the block rate. Additionally, the block rate f must be small enough that 3f + 3ε < δ, where ε is a concentration parameter. Together, these form what the paper calls HMA — the Honest Majority Assumption. The condition is not merely “honest miners have more hashrate.” It is quantitative: honest miners must have enough more hashrate, with the margin determined by how fast blocks are produced relative to network propagation delay.
Part two: three backbone properties. Under HMA, in any “typical execution” (one where random variables don’t deviate too far from their means — and typical executions occur with overwhelming probability), three properties hold simultaneously:
- Common Prefix: If you prune the last k blocks from one honest miner’s chain, the result is a prefix of any other honest miner’s chain. This is safety — it means confirmed transactions don’t get reversed.
- Chain Growth: Every honest miner’s chain grows by at least (1−ε)f blocks per round. The ledger makes progress.
- Chain Quality: In any sufficiently long stretch of an honest chain, at least a fraction μ of the blocks were produced by honest miners. The adversary can’t silently dominate the chain.
From these three properties, GKL derive the two properties that matter for Bitcoin as a payment system: Persistence (once a transaction is confirmed, it stays confirmed forever) and Liveness (every valid transaction eventually gets confirmed).
This is an extraordinary result. It takes a 9-page whitepaper and a proof-of-concept codebase and turns it into a mathematically certified protocol with quantified security bounds.
But it has a blind spot the size of a planet.
The blind spot
The GKL theorems are sufficiency results. They say: if HMA holds, then security follows. They do not say what happens when HMA fails. And they certainly do not say why it would fail, or when.
Every paper that builds on GKL inherits this blind spot. The honest/adversarial hashrate partition — the single most important parameter in the entire security model — is treated as exogenous. It arrives from outside the model, fully formed, and the theorems take it from there.
This is like a structural engineer proving that a bridge can hold 10,000 tonnes, then never asking how many lorries are likely to cross it.
The new paper fills this gap. It asks: given the economics of mining — block rewards, operational costs, the cost of security — what determines the honest/adversarial hashrate split? And at what population does honest majority fail?
The economic model
The core insight is simple. Miners are funded by block rewards. Each miner must spend some of that revenue on operational security: patching systems, managing cryptographic keys, monitoring for intrusions, physically protecting facilities. Call this minimum security cost σ.
A miner whose revenue exceeds σ can afford to be honest. A miner whose revenue falls below σ cannot — they become vulnerable to compromise by an external adversary. Not because they choose to be malicious, but because they literally cannot afford the defences needed to resist attack.
Now consider what happens as the mining population grows.
Block rewards are fixed (at any given epoch). More miners means less revenue per miner. As per-miner revenue shrinks, it eventually drops below σ for the marginal miners — the smallest operations. Those miners become compromised. Their hashrate transfers to the adversary.
The honest hashrate γ(n) increases as fundable miners join, then plateaus once all miners above the security threshold are active. The adversarial hashrate β(n) starts at some baseline β₀ (the adversary’s own resources) and grows with each additional underfunded miner.
These two curves must cross. The honest hashrate is bounded. The adversarial hashrate is unbounded. The only question is where.
Three security regimes
The paper proves that the mining population divides into three regimes, separated by two thresholds.
The safe region (n ≤ n*). Both parts of HMA hold. The GKL backbone properties guarantee safety and liveness. Bitcoin works as advertised. Six confirmations suffice for practical security.
The margin region (n* < n < n_eq). The GKL sufficient condition fails. The honest miners still have more total hashrate than the adversary (γ > β), but not enough margin for the formal guarantees to hold. The overtake probability — the chance that an attacker can reverse a confirmed transaction — is approximately (β/γ)^k. This is bounded away from zero for any practical confirmation depth k. The system is not formally broken, but it is not formally safe either. And the number of confirmations needed for any given security level diverges as n approaches n*.
The majority-loss region (n ≥ n_eq). The adversary controls at least as much hashrate as all honest miners combined. The private-chain attack succeeds with probability 1 for any confirmation depth. A censorship attack can prevent any targeted transaction from ever being confirmed. Both Persistence and Liveness — the two properties that make Bitcoin function as a payment system — are violated.
The critical threshold n* is determined by a closed-form expression:
n* = B/σ − β₀/((1−δ)ησ)
where B is the total block reward, σ is the security cost, β₀ is the adversary’s exogenous hashrate, η converts budget to hashrate, and δ is the GKL margin parameter. Every variable is observable or estimable. This is not a conjecture — it is a derived quantity.
The confirmation depth death spiral
The most viscerally disturbing implication is what happens to confirmation depth as n approaches n*.
At n = 50 (well within the safe region, using the paper’s illustrative parameters), the required confirmation depth for a one-in-a-million double-spend probability is 6 blocks — roughly one hour. This matches Bitcoin’s conventional practice.
At n = 85, it rises to 13. At n = 90, to 20. At n = 92 (the threshold n*), it hits 30 — five hours of waiting for a single confirmation to be considered safe.
One step further, at n = 93, the GKL condition fails entirely. The formal guarantees evaporate. You can wait forever and never get a mathematically certified confirmation.
This is not a cliff — it is a ramp. The system degrades smoothly and then discontinuously. Long before outright failure, Bitcoin becomes impractical. A payment system where confirmations take five hours is not a payment system.
What makes this different from prior work
This is not the first paper to observe that Bitcoin’s security depends on economic incentives. Budish (2025, Quarterly Journal of Economics) proved that the cost of a majority attack is bounded by the flow of mining rewards. Carlsten et al. (2016) showed that declining block rewards create strategic instability. Abadi and Brunnermeier (2022) modelled the trust-verification tradeoff.
What distinguishes this paper is the composition. It is not enough to observe that economics affects security. You have to connect the economic model to the protocol-level guarantees — the actual GKL theorems — and show that the same formal properties that are proved to hold below n* are proved to fail above n_eq.
The paper does this through three layers:
- Imported sufficiency. The GKL backbone theorems, cited with specific theorem numbers from the JACM 2024 publication, are imported as black-box results. Common prefix (Theorem 15), chain growth (Theorem 13), chain quality (Theorem 16), persistence (Lemma 24), liveness (Lemma 25). These give the “if HMA, then security” direction.
- Native attack constructions. A private-chain attack (proving safety failure) and a censorship attack (proving liveness failure) are constructed directly in the GKL round-based execution model. These are not contrapositives of the sufficiency theorems — they are direct proofs that specific attacks succeed when β ≥ γ. The private-chain attack proof handles three cases: strict majority (positive drift), equal hashrate with multiple honest miners (fragmentation drift), and equal hashrate with one honest miner (symmetric random walk recurrence). All three yield overtake probability 1.
- Economic composition. A heterogeneous budget model derives γ(n) and β(n) as functions of the mining population. A monotonicity lemma proves that the honest-majority surplus Γ(n) = (1−δ)γ(n) − β(n) is non-decreasing up to the last fundable miner, then strictly decreasing. This gives a unique threshold n* where HMA fails.
No step in the argument uses the contrapositive of a sufficiency theorem. No step imports results from a different model. The entire proof lives in the GKL round-based framework.
The halving problem
Bitcoin’s block reward halves every four years. The formula for n* contains B (total reward) in the numerator. Halve B, and n* drops by B/(2σ). If transaction fees don’t compensate, the maximum safe mining population contracts.
There are not that many real miners right now…
This is not a prediction that Bitcoin will fail. It is a proof that the safe population shrinks with each halving, and that if the actual population doesn’t shrink proportionally, the system enters the margin region where confirmation depth diverges and eventually enters the majority-loss region where attacks succeed with certainty.
The market mechanism that should handle this is miner exit: unprofitable miners leave, the population contracts, per-miner revenue rises, and honest majority is restored. The risk is in the transition — the period between a halving and the exodus of marginal miners. During that window, the system may be formally unsafe.
The counterintuitive cost of cheap energy
One of the paper’s most striking results concerns equilibrium entry. In a competitive mining market, miners enter until profit reaches zero. The equilibrium population n_e = B/(σ + c_e), where c_e is the cost of electricity and hardware per miner.
For honest majority to be preserved at equilibrium, c_e must exceed a minimum:
c_e ≥ β₀σ / ((1−δ)ηB − β₀)
If energy is too cheap, too many miners enter, per-miner revenue drops below the security threshold, and honest majority erodes. Cheap energy is good for individual miners but harmful for system security, because it encourages excessive entry.
This is counterintuitive. The conventional wisdom is that cheap energy is unambiguously good for mining. The model shows it is good for miners and bad for the network — a classic externality.
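The threshold formula, the halving effect and the equilibrium energy-cost bound described above can be checked numerically. This is an added example, not code from the paper or from this article; the function names are illustrative and the parameter values are constructed (chosen so that n* lands on 92), not the paper's illustrative parameters.

```python
import math
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Params:            # constructed sample values, not the paper's
    B: float = 1000.0    # total block reward per epoch
    sigma: float = 10.0  # minimum security cost per miner
    beta0: float = 64.0  # adversary's exogenous hashrate
    eta: float = 1.0     # converts budget to hashrate
    delta: float = 0.2   # GKL margin parameter

def critical_population(p):
    """n* = B/sigma - beta0 / ((1 - delta) * eta * sigma)."""
    return p.B / p.sigma - p.beta0 / ((1 - p.delta) * p.eta * p.sigma)

def equilibrium_population(p, c_e):
    """Zero-profit entry: n_e = B / (sigma + c_e)."""
    return p.B / (p.sigma + c_e)

def min_energy_cost(p):
    """Smallest c_e that keeps HMA at equilibrium, or None if none exists."""
    denom = (1 - p.delta) * p.eta * p.B - p.beta0
    if denom <= 0:       # beta0 alone already exceeds the margin: n* <= 0
        return None
    return p.beta0 * p.sigma / denom

def confirmations_needed(beta, gamma, target=1e-6):
    """Smallest k with (beta/gamma)**k <= target; None once beta >= gamma."""
    if beta <= 0 or gamma <= 0 or not 0 < target < 1:
        raise ValueError("hashrates must be positive and 0 < target < 1")
    if beta >= gamma:    # majority-loss region: no depth is enough
        return None
    return math.ceil(math.log(target) / math.log(beta / gamma))

if __name__ == "__main__":
    p = Params()
    halved = replace(p, B=p.B / 2)
    for label, q in (("before halving", p), ("after halving", halved)):
        c_min = min_energy_cost(q)
        print(f"{label}: n* = {critical_population(q):.1f}, "
              f"min c_e = {c_min:.3f}, "
              f"n_e at min c_e = {equilibrium_population(q, c_min):.1f}")
    for ratio in (0.5, 0.9, 0.99):
        print(f"beta/gamma = {ratio}: k = {confirmations_needed(ratio, 1.0)}")
```

At the minimum c_e the equilibrium population equals n* exactly, so any cheaper energy pushes entry past the threshold.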
What this is not
This paper is not an argument against decentralisation. It is not a claim that Bitcoin is insecure today. It is not a prediction of failure.
It is a proof that honest majority is an economic condition, not a free parameter. The GKL theorems tell you what happens given honest majority. This paper tells you when you have it and when you don’t.
The result is conservative in several ways. The threshold model (miners above σ are honest, below are compromised) gives the largest possible n* — any probabilistic compromise model would give a smaller safe region. The static adversary model matches GKL exactly, avoiding composition gaps. And the paper explicitly catalogues what it does not prove: no eclipse attacks, no timing attacks, no difficulty-adjustment manipulation, no game-theoretic adversary optimisation.
Every one of those omissions makes the real situation worse than the model predicts.
Mining pools shift the threshold, not the structure. A pool aggregates small miners into a single effective operation. If the pool’s combined budget exceeds σ, it is honest — even if individual members couldn’t afford security on their own. Pools therefore increase n* by consolidating underfunded miners into funded units. This is consistent with the empirical observation that mining pools professionalise operations and improve network security. The model predicts that ecosystems with greater pool consolidation tolerate larger populations before honest majority fails.
The Zipf case matters more than the equal-budget case. Real mining ecosystems don’t have equal budgets — they have heavy-tailed distributions where a few large operations and many small ones coexist. Under a Zipf distribution (the paper works an explicit example with 200 miners), the threshold n* is much larger than the equal-budget case because large honest miners dominate γ, and many small compromised miners are needed to erode the surplus. But the qualitative structure is identical: there exists a unique n* beyond which HMA fails, and the system degrades continuously before that point.
The bottom line
Bitcoin’s formal security guarantees are not unconditional. They hold below a budget-determined population threshold and fail above it. The threshold is calculable, the failure is provable, and the degradation is continuous — the system becomes impractical before it becomes broken.
The formula n* = B/σ − β₀/((1−δ)ησ) says everything. Increase the block reward B and you can support more miners safely. Increase the security cost σ (better hardware security modules, mandatory audits, physical hardening) and each miner is more resistant to compromise — but fewer miners are supportable. Increase the adversary’s baseline hashrate β₀ and the safe region shrinks. Every parameter is a lever, and every lever moves n*.
For smaller proof-of-work chains with lower block rewards, the numbers are far more alarming. A chain with B in the tens of thousands of dollars per epoch may have n* in the single digits. For such chains, the margin region is not a theoretical concern — it is the operating regime.
For protocol designers, the implication is that honest majority must be engineered, not assumed. Block rewards, security requirements, minimum bonds, and entry barriers are not merely economic parameters — they are security parameters, and they determine whether the backbone theorems apply.
For users, the implication is that the number of confirmations you need depends on the state of the mining ecosystem, not just the protocol specification. Six confirmations are sufficient when the system is deep in the safe region. They are not sufficient near the threshold.
For the field, the implication is that protocol security and mining economics are not separate subjects. They are the same subject, and treating them separately leaves a gap where the most important question — does the honest majority assumption actually hold? — goes unasked and unanswered.
This paper asks the question and proves the answer. The answer has a number, and that number has a formula. Whether you like the answer is beside the point.
The paper “Safety and Liveness Failure Under Budget-Constrained Mining: Composing Backbone Proofs with Endogenous Honest Majority” is authored by Craig S. Wright (University of Exeter).