It is imperative to ensure the foundation of Bitcoin is built with great care and diligence. Every change should be made with extreme caution.
The Great Pyramid of Egypt held the record for tallest man-made structure for at least 3,800 years, and its 2.3 million blocks weigh 6 million tonnes. The massive granite blocks forming chambers at its core weigh up to 80 tonnes each and are situated over 40 meters above ground level. It is at the very least 4,500 years old, and even that barely conceivable age is based on surprisingly thin evidence: The realistic possibility exists that it is significantly older (do your own research, Bitcoiner — don’t trust, verify).
Whoever and whenever the builders were, the physical achievement of the pyramid is undeniable. Still, the people who designed and built it are long dead. The civilization in which those individuals lived their entire lives ended millennia ago. It was ancient even to Herodotus, the Greek historian, when he wrote about visiting it in 500 BC. Countless empires of man have risen and fallen on Earth during the silent reign of this colossal proof of work. Still, it stands.
The Great Pyramid is an artificial mountain and everything about its engineering design is oriented to resilience. The tapering shape from a wide base, large block size and solid construction throughout is a recipe to provide ultimate stability, allowing the great height to be achieved — and held as mankind’s tallest structure for so long. Other buildings have failed in tiny fractions of its time frame. Wind, sand and rain bounce harmlessly off its flanks. Even thousands of years of earthquakes have at worst only dislodged some outer casing stones, which themselves had already been pillaged for building materials in more modern times. The interior rooms and passageways — the key functional elements, the purpose for the whole structure — have been preserved intact.
With Bitcoin, we are also building something that we hope will outlive all of us, to withstand countless assaults from man and nature. We understand the goal of providing a new global monetary system, open to all. The scope of the project and its ramifications are even more momentous than the pyramid. Instead of stone, we have code and consensus. We build in cyberspace rather than the physical world. Our monument is everywhere and nowhere, bringing unique protections but also different kinds of vulnerabilities for which we must be vigilant and shore up where possible. The engineering design is simultaneously incredibly open (anyone can contribute to the code) and incredibly private (nobody can force a change onto anyone else). This deliberately messy and entirely voluntary system both supports and demands a social layer on top to coordinate any global-scale changes moving away from the status quo. If the inner functionality is to survive the harsh trials sure to come, we must orient both the code layer and the social layer for unprecedented resilience. Anything else risks failure.
The recent controversy around Jeremy Rubin’s BIP119 (CTV) should alarm everyone. In principle, it is fairly innocuous: A new operation within the Bitcoin protocol, allowing users to define strict conditions for how their own coins can be spent, potentially enabling greater security for some users and flexibility for others. As a soft fork, it is theoretically opt-in, only affecting users that choose to use the new functionality. The code itself hasn’t raised any eyebrows among developers. The objections are from the social layer — and it is just as important as the code layer. Though Rubin’s intentions are most likely honorable, because Bitcoin must be built to last, we must think of all suggestions for change as if they were attacks.
CTV is one proposal out of many that add similar functions, and the technical discussion is far from over for which one is the best candidate to incorporate into the code. The market has not expressed strong demand for features that might be enabled by something like CTV. There is no critical security flaw that CTV solves. Despite this, its advocates have pushed hard for its activation, arguing that — if there are no technical objections — it should go ahead, trying to imbue a sense of urgency, that the correct path to achieving social consensus is unclear and that certain people are acting as gatekeepers. Most dubious of all, a suggestion to use miner signaling to activate the soft fork puts more control into the hands of a part of the ecosystem that has almost no relevance to the debate.
A genuine attacker could use a very similar strategy to infiltrate a vulnerability into Bitcoin. In the future, they will look back at how BIP119 was received and learn from it. For this reason, we must act as if it were a covert attack, regardless of the reality. The strength of Bitcoin to date is owed to the prevalence of the adversarial mindset. We must anticipate a future opponent’s moves before he has even played his first piece. The price of security is permanent vigilance.
Bitcoin as it exists today works, and there is always room to improve further. Construction of this monument is not yet finished, but if we want it to last — as long as we hope it will — we cannot afford to compromise. Change proposals come and go. There will be good proposals and bad ones. There will be bad actors behind proposals as well as good ones. Change should be taken as seriously as medical surgery. A harsh assessment must be made of every proposal about the real need to undergo the risk, the benefits brought by success, the relative urgency, the details of the execution. Anything less than an extremely strong reason in favor is insufficient. Extensive debate is good and healthy, but questions, uncertainties and dissatisfaction in any area should be cause for alarm — and a signal to step back. We must consider this system with the possibility it will exist for centuries, if not more. Every change threatens the uneasy balance and brings new maintenance costs; we should bear in mind these costs will need to be paid in perpetuity by those who come after us.
One day, inevitably, a malicious actor will seek to undermine Bitcoin from within through social engineering. This could take many forms, such as creating a code change with obscure, unexpected effects, or a purely social effort to underhandedly turn the community against its own interests. The code is easier to audit, though those with the necessary skills must remain vigilant and those with the capability to learn should do so. The social layer is the immune system and the choices made by node operators on the consensus rules they enforce represent the very last line of defense.
The system today is functional, securing and transacting billions of dollars in value for millions of participants. Meanwhile, the fiat world is accelerating toward the cliff edge. Bitcoin is the lifeboat, for us and for the rest of the world who don’t yet realize it. The risk of making alterations to the lifeboat ought only be taken on when the change is near essential, the proposal near bulletproof, and receiving near-universal support. The stakes are so great. We may not get a second chance.
The Egyptians did not build their monument while their civilization crumbled. We do not have that same luxury.
This is a guest post by Owen Kemeys. Opinions expressed are entirely their own and do not necessarily reflect those of BTC Inc. or Bitcoin Magazine.