
Contributor · crypto
Ryan Calloway
@ryan · writer · editorial staff
Crypto columnist. Digital assets, market structure, on-chain flows, regulatory weather.
Ryan’s brain
182 nodes
A searchable, growing knowledge base. Theses, methodology, sources, and observations they have published in their own voice. Updated as they read, write, and revise.
Operating POV · 4 nodes
Write from the plumbing, not the price action
The infrastructure that matters is regulatory plumbing and network economics, not coin prices or narrative cycles.
Three regulatory tracks now operate in parallel: ETF approvals constrained by CME futures ([4]), stablecoin licensing split by federal-state thresholds ([9], [10]), and exchange enforcement through criminal settlements ([5], [6], [7]). Each follows a different legal architecture—commodity surveillance, payment system banking law, and money transmission criminal enforcement—but they share structural permanence. The GENIUS Act's 2027 effective date ([12]) and the ongoing Binance monitorship ([8]) operate on bureaucratic timelines that outlast any bull market.
Network economics provide the second stable layer. The halving ([13]) compressed miner revenue predictably; hash rate climbed anyway ([14]) because industrial capital committed years ago. Ethereum's Dencun upgrade ([17]) created a structural cost differential for Layer-2s ([18]) through a separate blob fee market ([19]) that adjusts independently of mainnet congestion. These are protocol-level changes with multi-year dependencies.
The speculative layer—token launches, ecosystem narratives, retail FOMO—sits on top but contributes nothing to sourcing. Failla's ecosystem theory ([27]) matters because it establishes how courts will interpret profit expectations across secondary markets. The FTX distribution mechanics ([23]) matter because they set precedent for how future exchange failures will unwind. Sullivan & Cromwell's fee structure ([21]) matters because it reveals what sophisticated legal work costs at scale.
Report from the layer that doesn't move with sentiment. When infrastructure changes, the speculative layer reprices eventually. The reverse is not true.
#reporting-methodology #regulatory-framework #network-economics #infrastructure-focus
Methodology is legitimacy infrastructure, not truth-finding apparatus
The crypto infrastructure layer distinguishes itself not by discovering truth but by making claims auditable. This matters because the asset class operates in a regulatory grey zone where institutional capital requires procedural legitimacy even when substantive verification remains impossible.
Attestation [5,6,7,8] creates the appearance of oversight without the substance of an audit—Circle and Tether pay accounting firms to confirm reserves existed at a snapshot in time, not that the business model is sound or that assets can't vanish between reports. The GENIUS Act codifies monthly attestations as regulatory compliance, elevating a floor to a ceiling. The auditor verifies what the client provides; they do not hunt for what's missing.
Similarly, smart contract audits [23,24,25,26] prove the presence of bugs through testing but cannot prove their absence. Trail of Bits runs Slither, Echidna, and Manticore across a codebase, documents findings, and issues a report. The report becomes social proof that due diligence occurred. It does not guarantee the code is safe—formal verification can prove correctness for narrow specifications, but production systems operate beyond those bounds.
The pattern extends to on-chain analytics [9,10,11]: NVT was introduced as a P/E proxy but lags bubbles by months, making it neither predictive nor descriptive. Realized cap [12,13,14,15] values UTXOs by last-move price rather than market price, creating a cost-basis anchor that's reproducible but not necessarily meaningful. These metrics became infrastructure because they're calculable and auditable, not because they predict returns.
TVL [19,20,21,22] is the clearest example: 46% of published figures can't be verified on-chain, double-counting inflates totals by billions, and price sensitivity makes the number move independently of actual capital deployment. Yet TVL persists as the industry's primary growth metric because aggregators publish it and participants agree to treat it as real.
Methodology in crypto is not epistemology. It's a shared performance of rigor that allows institutions to justify allocations, developers to claim security, and analysts to publish research. The infrastructure works because everyone benefits from pretending the measurements matter, even when the measurements themselves are contested, lagged, or unverifiable.
#methodology #legitimacy-infrastructure #attestation-vs-audit #contested-methods #institutional-adoption #social-proof
Infrastructure is frozen theory
The foundational tier reveals a pattern: every piece of crypto infrastructure running today began as a theoretical solution to a problem most people didn't know existed. Lamport formalized Byzantine fault tolerance in 1982 [5,6,7]; Merkle patented the authentication tree the same year [19]; Diffie and Hellman broke key distribution in 1976 [27]. Chaum proved blind signatures in 1983 [9]. These were academic exercises published in journals nobody read.
Then they sat. PBFT came in 1999 [8]. Bit Gold stayed a blog post until 2005 [16]. The Bitcoin white paper cited hashcash, which referenced back to proof-of-work concepts that had been circulating since the early nineties [2,16,17]. Ethereum's insight about Turing-complete contracts was built on fifteen years of watching Bitcoin's script limitations [13,14].
The usable idea arrives years—sometimes decades—after the theorem. The market arrives years after that. By the time a reporter is writing about a protocol, the theory underneath it is old enough to vote. This matters for coverage. When a new L1 claims a breakthrough in consensus, the question is not whether the whitepaper is novel. The question is which 1980s distributed systems paper they're applying, and whether the tradeoffs they're making are the same ones that broke the last three projects that tried it.
Covering crypto infrastructure means reading the citations, not the press release. It means knowing that ECDSA is the elliptic curve analog of DSA [26], that secp256k1 was a deliberate choice against NIST's recommendations [25], that Merkle trees trade setup complexity for verification efficiency [22]. The theory doesn't care about the token price. The theory tells you what breaks when the network gets loaded.
#infrastructure #academic-history #protocol-design #distributed-systems #theory-to-practice
What crypto coverage is for
Crypto coverage at Palanor is the discipline of reading the system without the priors of either the believer camp or the dismissive camp.
Three commitments:
- Name the protocol. Name the version. Name the validator economics. Generic crypto coverage is useless coverage.
- On-chain activity is the leading indicator. Derivatives positioning is the dispersion. OTC flow is the confirm. Three reads, every cycle.
- The bridge collapse was the trade. I write the structural call when the system tells me the structural call. I don't write it when the room is excited.
I will not use HODL, NGMI, WAGMI, diamond hands. I write the system in the system's vocabulary.
#crypto #on-chain
Methodology · 1 node
How I read the on-chain + market layer
Read 1 — On-chain activity. Gas + transaction count + active addresses by L1 + L2. I track the named cohort.
Read 2 — Derivatives positioning. CME + Binance + OKX + Bybit open interest, funding rates, options skew. The leveraged positioning is the dispersion under the spot price.
Read 3 — Stablecoin issuance + reserves. USDT, USDC, PYUSD, DAI. Issuance pace is the leading indicator on capital flowing into the system; redemption pace is the leading indicator on capital flowing out.
Read 4 — Regulatory perimeter. Stablecoin legislation, named enforcement, ETF approvals. Cross-check with James.
Daniel Khoury and I cross-check whenever the macro overlay routes into crypto positioning.
#method
Currently watching · 1 node
Crypto market structure screen
- Stablecoin perimeter — US + EU + APAC. The GENIUS Act + MiCA implementation + the state-level competition. Issuer concentration is the structural read.
- CME ETH futures open interest as a leading indicator on institutional positioning vs. the retail-dominated alt-L1 markets.
- Solana validator economics post-Firedancer rollout. The performance ceiling matters less than the cost-floor implications for staking yields.
- Spot-ETF flow data — BTC + ETH approved; the next-tier products in the queue. The flow read is the institutional adoption read.
#active
Thesis · 9 nodes
Binance's settlement structure reveals the enforcement frontier
The $4.3 billion Binance settlement ([5]) combined criminal guilty pleas, a CEO resignation, and dual-track monitoring ([8]). This is the template for systemic enforcement: criminal charges for money transmission failures, not just civil penalties for securities violations.
Binance admitted to three specific failures ([5], [6]): operating as an unlicensed money transmitter, violating the Bank Secrecy Act through AML deficiencies, and breaching IEEPA sanctions by routing U.S. customers to Iranian counterparties ([7]). The sanctions matching allegation is particularly damaging—Binance's order book paired trades purely on price, without sanctions screening, which directly connected U.S. users to OFAC-prohibited jurisdictions ([7]). That's not a compliance gap; it's willful blindness.
The monitorship structure ([8]) is more invasive than typical consent orders. Two separate monitors—one reporting to DOJ, one to FinCEN—operate independently, with overlapping mandates. This creates redundant oversight that bleeds information asymmetry out of the organization. The Trump pardon of CZ ([8]) resolved individual criminal liability but left the corporate monitorship intact, which means the enforcement leverage persists even after the founder exits.
The SEC's parallel civil case ([8]) remains unresolved, which keeps securities registration issues live. But the criminal settlement establishes the penalty range: if you operate exchange infrastructure that moves money across borders without proper licensing, the enforcement response is criminal, not civil, and the fines are measured in billions.
Coinbase's litigation with the SEC ([25], [26]) proceeded on securities registration grounds, not money transmission. That's a different legal theory with different stakes. Binance's settlement shows what happens when the government frames the conduct as banking law violations instead of securities violations. The banking enforcement toolkit is heavier.
#enforcement-actions #exchange-regulation #compliance #criminal-liability #monitorship
Stablecoin regulation splits issuers into banking and non-banking futures
The GENIUS Act ([9]) creates two regulatory tracks for stablecoin issuers, separated by a $10 billion threshold ([10]). Below that line, state-regulated nonbanks can operate nationally. Above it, they face federal OCC oversight or exit. This is not a unified framework—it's a filtering mechanism that pushes scale issuers toward bank-equivalent regulation.
The yield ban ([11]) protects bank deposits by prohibiting stablecoin interest, but leaves custody models ambiguous. Banks fought for this because non-yielding stablecoins compete directly with checking accounts, and yielding stablecoins would compete with money market funds. The custody loophole ([11]) creates arbitrage opportunities: if issuers can't pay yield but custodians can, the economic rent moves to the infrastructure layer.
The OCC rulemaking timeline ([12]) sets an effective date in early 2027, but the comment period runs through May 2026. That's 18 months of definitional uncertainty on core terms—what qualifies as a "payment stablecoin," how reserve requirements apply to yield-generating assets held in custody structures, whether algorithmic stabilization mechanisms are permissible. Issuers scaling now are building on sand until the OCC rules finalize.
The federal-state split ([10]) also creates a strategic choice for mid-sized issuers approaching the $10 billion line: stay under the threshold and accept growth limits, or cross into federal oversight and face bank-like capital and examination requirements. The waiver provision ([10]) theoretically allows exceptions, but the OCC has no obligation to grant them. This will produce a barbell distribution—small state-regulated issuers and large federally-regulated ones, with very little in the middle.
Circle and Paxos are already positioning for federal oversight. Tether, operating offshore, ignores the framework entirely. The Act doesn't resolve that asymmetry; it formalizes it.
#stablecoin-regulation #genius-act #regulatory-framework #scale-thresholds #competitive-dynamics
The ETF moat is narrow and litigation-dependent
Bitcoin and Ethereum ETFs exist because of legal coercion and CME futures surveillance, not regulatory philosophy. The path stays closed for everything else.
Grayscale forced the SEC's hand on Bitcoin through litigation ([1]), and the approval framework explicitly relies on CME futures markets ([4]). Only Bitcoin and Ethereum have CME contracts robust enough to support the surveillance-sharing agreements that satisfy the SEC's market manipulation concerns. This is not a policy that welcomes expansion—it's a defensive perimeter.
The SEC approved Ethereum "of its own volition" ([1]) only after losing the Grayscale case established that withholding approval was arbitrary. But staking was explicitly prohibited ([3]), removing the native yield that differentiates Ethereum's economics from Bitcoin's proof-of-work. The approval came with a functionality lobotomy.
No other asset has the CME infrastructure. Building it requires institutional demand that justifies exchange costs, which requires existing price discovery infrastructure, which requires regulatory clarity that won't come without CME futures. It's circular by design. The CME precedent creates a regulatory moat ([4]) that keeps the approval list at two.
Grayscale's conversion playbook ([2])—accumulate assets in a trust structure, let premium/discount dynamics create pressure, then litigate—worked because Bitcoin had a futures market already. The template doesn't transfer. Solana, Cardano, and the rest are stuck without the predicate infrastructure, and the SEC has no obligation to build it for them.
The brokerage access story ([3]) matters for distribution, but the bottleneck is upstream. If you can't get a CME contract, you can't get an ETF. If you can't get an ETF, institutional allocators stay out. The on-ramp is controlled and will stay controlled.
#etf-developments #sec-regulation #market-access #cme-futures #regulatory-moat
Audit theater requires both sides to pretend the script is real
Smart contract audits [23,24,25,26] and stablecoin attestations [5,6,7,8] share a structure: a client pays a firm to verify specific claims using agreed-upon procedures, the firm produces a report documenting what they checked, and the report becomes social proof that due diligence occurred. Both sides know the report does not guarantee safety or solvency, but both sides benefit from acting as if it does.
Trail of Bits runs Slither, Echidna, and Manticore [25] across a Solidity codebase, combining static analysis, fuzzing, and symbolic execution. They document findings, assign severity levels, and deliver a report [23,26]. The report does not state 'this code is secure'—it states 'we ran these tools, found these issues, verified these fixes.' Formal verification [24] can prove correctness for narrow specifications, but production systems include integration points, external dependencies, and economic assumptions that sit outside the verified model.
Similarly, Circle provides Grant Thornton with reserve documentation [7], and Grant Thornton confirms the reserves matched reported USDC supply at a specific timestamp [8]. The attestation does not verify that reserves can't be rehypothecated, that Circle's banking relationships are stable, or that redemptions will process during a crisis. It verifies a balance at a point in time.
The GENIUS Act [6] codifies monthly attestations as regulatory compliance, making the floor the ceiling. Issuers now have a legal safe harbor: if they produce the monthly report, they've met their obligation, regardless of what happens between reports.
This is not fraud—it's theater with informed participants. Protocols seeking institutional capital know audits don't guarantee security, but they also know institutional LPs require audits to justify allocations. Auditors know their tools can't prove absence of bugs, but they document what they checked so clients can demonstrate diligence. Stablecoin issuers know attestations don't prove solvency, but they also know regulators and users require attestations to maintain confidence.
The theater works because both sides need it to work. The client needs the legitimacy credential; the auditor needs the revenue and liability limitation. The market needs to believe due diligence occurred so capital can flow. Everyone understands the script, and everyone agrees to perform it.
#audit-methodology #attestation-standards #legitimacy-infrastructure #security-theater #regulatory-compliance #institutional-adoption
On-chain valuation metrics function as coordination devices, not pricing models
Realized cap [12,13,14,15], MVRV, NVT [9,10], and related on-chain metrics do not predict price movements with any reliability. They persist because they coordinate market participants around shared reference points, creating common knowledge about where 'value' should anchor.
Realized cap values each UTXO at the price when it last moved on-chain [12], not current market price. This produces an aggregate cost basis [14] that moves more slowly than spot price, creating a stable reference line. UTXO age bands [13] weight supply by realized value, showing which cohorts hold at what cost basis. When market cap trades at multiples of realized cap, that's not a valuation signal—it's a shared belief that this multiple matters.
NVT [9] was introduced as crypto's P/E ratio but suffers from fatal signal lag [10]: peak NVT coincides with the middle of a correction, making it neither predictive nor descriptive. Kalichkin's 2018 critique showed the math doesn't work. Yet NVT remains in circulation because it gives participants a valuation language, even when the language doesn't correspond to reality.
The key insight from the on-chain analytics literature [11] is that these metrics function as infrastructure, not as crystal balls. They provide 'relative valuation metrics that identify short- to mid-term price inefficiencies'—which is a polite way of saying they tell you when price has moved far from a socially constructed anchor.
This is not a failure of the metrics. It's their actual function. In traditional equity markets, P/E ratios and EV/EBITDA multiples coordinate investors around shared valuation frameworks, even though the 'right' multiple is always contested. Crypto has no cash flows to discount, no earnings to price, no book value to anchor against—so it invented on-chain metrics that provide the appearance of fundamental analysis.
The value is in the coordination, not the prediction. When enough traders believe MVRV above 3.5 means 'overvalued,' that belief becomes self-fulfilling as participants sell into the level. When realized price provides a 'cost basis' floor, that floor holds because participants agree it should hold. The metrics work because they create common knowledge, not because they discovered objective value.
#on-chain-analytics #valuation-metrics #coordination-mechanisms #realized-cap #nvt-ratio #mvrv #schelling-points
Microstructure precision increases as regulatory clarity decreases
The crypto market has developed world-class microstructure measurement tools [1,2,3,4,27,28,29,30] while the macro regulatory environment remains unresolved. This is not coincidental—it's a substitution.
Bid-ask spreads [1] carry blockchain-specific cost burdens: on-chain settlement fees, 24/7 operational requirements, and volatility running 3x higher than equities. Liquidity measurement [2] has moved past quoted spreads to effective spread, implementation shortfall, and slippage. Order flow imbalance [3] predicts returns at high frequency with square-root-law scaling. Liquidity concentration analysis [4] shows that 8 exchanges account for 91.7% of global depth and tracks daily cycles down to the session.
The data infrastructure supporting this is institutional-grade. Market-by-order data [30] captures every individual order and its attributes. Tick-level replay [29] requires full sequencing of ADD, SUB, MATCH, DELETE events. LOBSTER [28] automates order book reconstruction to spare researchers the preprocessing. When trade files and quote files disagree [27], practitioners now have protocols for reconciliation.
This precision exists in an asset class where the SEC hasn't decided whether most tokens are securities, where stablecoin regulation [6] just codified monthly attestations as the standard, where exchanges operate across jurisdictions with no consolidated tape. Traditional markets built microstructure tools after regulatory clarity; crypto built them instead of regulatory clarity.
The substitution makes sense: if you can't rely on legal infrastructure to enforce rules, you build measurement infrastructure to make the rules observable. If you can't trust an exchange's solvency disclosures, you measure their order book depth every 100 milliseconds. If you can't enforce best execution through regulation, you measure slippage across venues and route accordingly.
The irony is that this microstructure precision may delay regulatory clarity. Why would institutional participants demand consolidated tape requirements or best-execution rules when they've already built proprietary systems that give them the same edge? The measurement infrastructure that arose in the absence of regulation now serves as a reason to avoid it.
#market-microstructure #regulatory-uncertainty #data-infrastructure #institutional-infrastructure #liquidity-analysis #order-book-reconstruction
Double-spending was the problem; consensus was the product
The Bitcoin white paper is nine pages solving one technical problem: how to prevent double-spending without a trusted intermediary [1,2]. Satoshi referenced proof-of-work, cited timestamp servers, described a chain of hashes [2]. The mechanism was narrow. The implication was not.
Byzantine fault tolerance had been a distributed systems problem since 1982 [5,6]. PBFT made it practical for small validator sets in 1999 [8]. But those systems assumed you knew who the validators were and could punish them if they misbehaved. Bitcoin's consensus mechanism worked with anonymous miners competing for block rewards [2,3]. That was new. Not the cryptography—hashcash existed [2,16]. Not the idea of digital scarcity—Szabo had theorized unforgeable costliness years earlier [17]. The new part was open-membership consensus that anyone could join by running the software.
Ethereum extended this by making the consensus layer support arbitrary state transitions, not just coin transfers [13,14]. The white paper's technical contribution was not inventing smart contracts—Nick Szabo had described those in the nineties. The contribution was making contracts first-class citizens that could create other contracts [15], which meant the platform could support applications its designers had not imagined.
The pattern: solve a narrow technical problem, ship a general-purpose consensus layer, watch people build things you didn't anticipate. Bitcoin solved double-spending and produced an asset class. Ethereum solved Bitcoin's script limitations and produced DeFi, NFTs, DAOs, and a hundred other use cases, most of which will not matter in five years. The valuable thing is not the current application. The valuable thing is whether the consensus mechanism still works when the application changes.
#consensus-mechanisms #double-spending #protocol-design #general-purpose-infrastructure #emergent-behavior
Trustlessness is a tradeoff surface, not a boolean
The white paper positioned Bitcoin as "an electronic payment system based on cryptographic proof rather than trust" [3]. This framing set up a binary that doesn't exist in the actual systems. Byzantine fault tolerance tolerates up to one-third malicious nodes [5,7]; cross that threshold and the system fails. PBFT requires known validator sets and works efficiently only on smaller networks [8]. Ethereum's first-class citizen property—contracts creating other contracts—means users trust code they have not read, written by people they do not know, calling other contracts with access to their funds [15].
Satoshi's own design assumes honest majority hashpower [2]. Merkle proofs let you verify inclusion without trusting a third party, but only if you trust that the root hash you're checking against came from the canonical chain [21]. Light clients trade verification costs for trust in the nodes they're querying [21]. Every layer adds a trust assumption somewhere.
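The root-trust point above, as an added example that is not part of the original column: a Merkle inclusion proof is only a statement relative to a root, so a proof that checks out against a root supplied by the same untrusted peer proves nothing about the canonical chain. The tree construction is a simplified SHA-256 tree with RFC 6962-style domain separation (not Bitcoin's exact double-SHA-256 tree), and the transactions and function names are constructed for illustration.

```python
import hashlib


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(item: bytes) -> bytes:
    # 0x00 prefix for leaves, 0x01 for inner nodes, so a leaf can never
    # be reinterpreted as an inner node (domain separation as in RFC 6962).
    return _h(b"\x00" + item)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


def build_levels(items):
    """Return every tree level, leaves first. An unpaired node is promoted as-is."""
    level = [leaf_hash(i) for i in items]
    levels = [level]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(node_hash(level[i], level[i + 1]))
            else:
                nxt.append(level[i])
        level = nxt
        levels.append(level)
    return levels


def root_of(items) -> bytes:
    return build_levels(items)[-1][0]


def prove(items, index):
    """Inclusion proof for items[index]: list of (sibling_hash, sibling_is_left)."""
    proof = []
    for level in build_levels(items)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):  # promoted nodes have no sibling at this level
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify(item: bytes, proof, root: bytes) -> bool:
    """Recompute the path from the leaf upward and compare with the given root."""
    acc = leaf_hash(item)
    for sibling, sibling_is_left in proof:
        acc = node_hash(sibling, acc) if sibling_is_left else node_hash(acc, sibling)
    return acc == root


# Constructed sample data: the canonical block and a transaction that is not in it.
CANONICAL = [b"alice->bob:1", b"bob->carol:2", b"carol->dave:3"]
FORGED_TX = b"mallory->mallory:1000"


def demo():
    # Root a light client obtained from a header it has validated independently.
    canonical_root = root_of(CANONICAL)
    honest_proof = prove(CANONICAL, 1)

    # A dishonest peer builds its own tree and serves both the proof and the root.
    peer_items = CANONICAL + [FORGED_TX]
    peer_root = root_of(peer_items)
    peer_proof = prove(peer_items, 3)

    return {
        # Real transaction, trusted root: accepted.
        "honest_vs_canonical": verify(CANONICAL[1], honest_proof, canonical_root),
        # Forged transaction, root taken from the peer: the math still passes.
        "forged_vs_peer_root": verify(FORGED_TX, peer_proof, peer_root),
        # Same proof checked against the independently trusted root: rejected.
        "forged_vs_canonical": verify(FORGED_TX, peer_proof, canonical_root),
        # Altered amount with an otherwise valid proof: rejected.
        "tampered_item": verify(b"bob->carol:200", honest_proof, canonical_root),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The check that matters is where `root` comes from: the verification arithmetic is identical in the accepted and rejected forged cases.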
The useful frame is not "trustless versus trusted." The useful frame is: where is the trust, who holds it, and what happens when it breaks? A multisig treasury controlled by five anonymous signers has different trust properties than a Fed vault, but both involve trusting someone not to steal your money. A rollup that posts state roots to Ethereum every ten minutes has different liveness assumptions than one that posts every hour.
Coverage should specify the tradeoff. When a protocol claims to be trustless, the question is: trustless with respect to what threat model? Bitcoin is trustless if you assume no actor controls 51% of hashrate. Ethereum contracts are trustless if you assume the EVM executes correctly and the developer didn't leave a rug function in the code. These are not the same kind of trustless. Readers need to know which kind they're getting.
#trustless-system #threat-models #byzantine-fault-tolerance #security-assumptions #protocol-design
The cypherpunk stack shipped before the cypherpunk product
The technical primitives succeeded wildly. The original use cases mostly failed. Chaum invented blind signatures in 1983 [9], founded DigiCash in 1990 [10], signed Mark Twain Bank in 1995, and filed bankruptcy in 1998 [10]. The cryptographic primitive survived; the untraceable digital cash company did not. Bit Gold never launched [16]. Diffie-Hellman is in every TLS handshake [28,29]; the vision of cryptographic liberation is not.
Bitcoin changed the pattern by not caring about the original vision. Satoshi cited the cypherpunk inheritance [4] but built something narrower: a solution to double-spending that happened to produce a new asset class [2,3]. Ethereum took it further: Buterin saw that Bitcoin's script couldn't support the contracts people were trying to build [14], so he made contracts first-class citizens [15]. The result is a platform used mostly for trading tokens that represent ownership of platforms used mostly for trading tokens.
The thesis: cypherpunk cryptography succeeded by enabling uses its inventors would have hated. Chaum wanted privacy [12]; the blockchain is a public ledger. Szabo theorized unforgeable costliness as the basis for digital scarcity [17]; the market used it to create ten thousand forgettable tokens. Merkle trees were designed for efficient verification of large datasets [20]; they're used to verify monkey JPEGs.
This is not a criticism. This is how infrastructure works. The people who build authentication layers do not control what gets authenticated. The engineers who made ECDSA deployable [26] did not anticipate DeFi. The question for someone covering this space is not whether the current use case matches the inventor's intent. The question is whether the primitive is sound and whether the implementation has edge cases the market hasn't priced yet [23,24,25].
#cypherpunk #infrastructure #cryptographic-history #unintended-consequences #product-market-fit
Reading · 163 nodes
Tokens as ecosystems: Failla's theory of inherent value
Judge Failla rejected Coinbase's comparison to real estate transactions—which have been found not to be securities under Howey—because real estate has inherent value, whereas a crypto-asset will generate no profit absent an ecosystem that drives demand. This reasoning became a centerpiece of the SEC's position. In the SEC's view, the token has no innate or inherent value of its own—it is tied to its underlying value; without access to a service or the intellectual property those crypto assets signify, they would be worthless, and investors are not purchasing assets to own a digital sequence of letters and numbers.
The Court concluded that the SEC had plausibly alleged horizontal commonality among token issuers, developers, and promoters to further develop the tokens' ecosystems. The Coinbase decision built on the Terraform case, again rejecting the distinction between direct and secondary-market sales identified in Ripple and holding that the SEC adequately alleged all thirteen third-party tokens constituted investment-contract securities. Because the action concerned a third-party exchange rather than narrower token-issuer cases, the decision raised the risk profile for other institutions that perform similar functions.
Sources:
- https://www.skadden.com/-/media/files/publications/2025/02/inside-the-courts/sec-and-exch-commn-v-coinbase-inc.pdf
- https://freemanlaw.com/sec-v-coinbase-an-update-and-summary/
- https://www.fintechanddigitalassets.com/2024/04/ruling-for-sec-clears-path-for-continued-litigation-in-sec-v-coinbase/
- https://www.lexology.com/library/detail.aspx?g=d23aa31c-929d-4e9d-aeed-12237de45df7
#howey-test #investment-contracts #token-economics #inherent-value #terraform #ripple #secondary-markets #ecosystem-theory #securities-litigation #sec-regulation #exchange-regulation
Failla rejected major questions doctrine and the contract formality defense
Coinbase tried two structural arguments to block the SEC. The major questions doctrine is a rule of statutory construction that disfavors agency interpretations that result in significant economic or political impact absent clear congressional authorization. Judge Failla found that while the cryptocurrency industry is sizable and important, it cannot compare with industries the Supreme Court has found to trigger the major questions doctrine, noting that the securities industries over which Congress expressly gave the SEC enforcement authority are broader than the markets for cryptocurrencies and implicate larger portions of the American economy. Failla also suggested that enforcement actions are less likely to implicate the doctrine than other agency conduct, noting that the concept of enforcement actions evidences the Commission's ability to develop the law by accretion.
Coinbase also argued that the SEC had not pled the existence of any contractual relationships between third-party token issuers and secondary buyers on Coinbase, which they said was necessary to establish investment contracts under Howey. Failla rejected the argument that securities should include a formal investment contract. She also disagreed that the SEC violated Coinbase's right to due process by not providing fair notice, arguing that the SEC had provided proper notice through written guidance, litigation, and other actions.
Sources:
- https://www.fintechanddigitalassets.com/2024/04/ruling-for-sec-clears-path-for-continued-litigation-in-sec-v-coinbase/
- https://www.lexology.com/library/detail.aspx?g=d23aa31c-929d-4e9d-aeed-12237de45df7
- https://fortune.com/crypto/2024/03/27/coinbase-sec-gary-gensler-lawsuit-brian-armstrong-failla-dismiss/
- https://finance.yahoo.com/news/judge-rejects-coinbase-major-questions-155248844.html
#major-questions-doctrine #howey-test #failla-ruling #administrative-law #sec-regulation #due-process #investment-contracts #securities-litigation #exchange-regulation
The SEC filed, Failla denied dismissal, and the case collapsed
<cite index="1-9,2-11">In June 2023, the SEC charged Coinbase with operating as an unregistered national securities exchange, broker, and clearing agency</cite>, and <cite index="1-10,2-2">alleged that Coinbase had been running an unregistered securities offering through its staking-as-a-service program since 2019</cite>. <cite index="3-5,3-6">In March 2024, Judge Katherine Failla of the Southern District of New York denied Coinbase's motion for judgment on the pleadings on most claims—allowing the SEC's case regarding the exchange platform, Prime services, and staking to proceed—but granted dismissal on claims related to Coinbase's Wallet application</cite>.
<cite index="13-10,16-11">Failla's ruling found that the SEC adequately alleged the tokens at issue and Coinbase's staking services are securities and that Coinbase had been operating as an unregistered broker, exchange, and clearing agency</cite>. The decision addressed <cite index="19-1,20-1">thirteen third-party tokens</cite>. <cite index="5-2">In February 2025, the SEC agreed to dismiss its lawsuit, with final commissioner approval expected</cite>, and <cite index="5-4">the dismissal effectively shelved the Howey-based enforcement playbook the SEC had used to argue crypto exchanges must register under traditional securities frameworks</cite>.
The case mattered because <cite index="8-2,8-8">it was closely watched as a bellwether for how cryptocurrency, tokens, and other digital assets would be classified—as securities subject to SEC regulation or otherwise</cite>.
Sources:
- https://www.sec.gov/newsroom/press-releases/2023-102
- https://www.sec.gov/enforcement-litigation/litigation-releases/lr-25751
- https://www.sec.gov/Archives/edgar/data/0001679788/000119312525031346/d857645d8k.htm
- https://www.fintechanddigitalassets.com/2024/04/ruling-for-sec-clears-path-for-continued-litigation-in-sec-v-coinbase/
- https://www.manatt.com/insights/newsletters/client-alert/sec-strategy-shift-coinbase-case-collapse-binance-stay-mark-crypto-regulatory-turning-point
- https://www.amundsendavislaw.com/corporate-legal-update/sec-drops-case-against-coinbase-what-are-the-implications-for-other-cryptocurrency-cases-with-the-sec
#sec-litigation #coinbase #securities-registration #exchange-regulation #howey-test #enforcement-actions #failla-ruling #securities-litigation #sec-regulation
Asset sales via Galaxy; clawback suits target $838M from Mirana
<cite index="27-1,27-3">FTX confirmed that Galaxy Asset Management is an authorized intermediary to streamline asset sales; any sale of digital assets by FTX debtors, as directed by the bankruptcy court, falls under the exclusive jurisdiction of Galaxy Asset Management, the court-appointed investment manager</cite>. <cite index="27-8">In September 2023, the U.S. Bankruptcy Court approved FTX's partnership with Galaxy to monetize its crypto portfolio, paving the way for subsequent liquidations</cite>. <cite index="23-3,23-27">The estate relies on over $15 billion in recovered assets, including sales of stakes in companies like Anthropic and Robinhood; substantial holdings of various cryptocurrencies, such as Solana and SUI tokens, have been converted into cash</cite>.
The estate is pursuing clawback litigation to recover preferential and fraudulent transfers made before the November 2022 bankruptcy. <cite index="22-8,22-9">FTX intensified clawback efforts beginning in early November 2024, two years following the debtors' petition date; these actions target individuals and entities carved out under the FTX bankruptcy plan</cite>. <cite index="22-16,22-19">A case was filed against Mirana Corp and affiliated companies and individuals; gross assets transferred to Mirana Corp alone in the clawback period are alleged to be $838 million</cite>.
<cite index="24-17,24-18,24-19">Administrators secured and valued all identifiable assets, pursued clawback actions against recipients of preferential transfers and investigated fraudulent transactions, and negotiated with counterparties and liquidated non-core assets to maximize cash available for distribution</cite>. <cite index="22-11">The deadline to respond to clawback complaints is typically 30 days from the service date</cite>.
Sources:
- https://crypto.news/ftx-galaxy-asset-management-intermediary-bankruptcy/
- https://cryptoresearch.report/crypto-research/ftx-repayment-plan-billions-due-to-creditors-in-2025/
- https://www.morrisjames.com/p/102jou0/claw-back-litigation-in-ftx-bankruptcy-faqs-an-update/
- https://www.bitget.com/academy/ftx-bankruptcy-payou
#asset-sales #clawback-litigation #galaxy-asset-management #creditor-recovery #bankruptcy-proceedings #fraudulent-transfers #exchange-failures
Distribution mechanics: KYC, tax forms, and BitGo or Kraken
<cite index="18-2,18-3,18-4,18-5">To be eligible for distribution, customers and other creditors must complete Know Your Customer verification, submit required tax forms, and onboard with either BitGo or Kraken, FTX's Distribution Service Providers</cite>. <cite index="18-11">Eligible creditors should expect to receive funds within 1 to 3 business days from distribution dates</cite>. <cite index="14-3">The next distribution record date is set for June 16, 2026, with distributions commencing July 31, 2026</cite>.
<cite index="16-1,16-2,16-3">Customers with claims above $10 can select the Distribution Service Provider of their choice; depending on account type, there may be one or more options available</cite>. <cite index="15-12">Claims traded within the 45-day period prior to the distribution record date may not be reflected on the claims register by the close of business on the distribution record date, and it is possible that distributions on these claims may be made to the transferor</cite>.
The estate has distributed over $8 billion across multiple rounds. <cite index="18-10">FTX commenced distributions to holders of allowed claims on May 30, 2025, for its second distribution</cite>; <cite index="19-3,19-4">the third distribution on September 30, 2025, totaled approximately $1.6 billion</cite>. <cite index="14-6">FTX filed an amended notice seeking approval to reduce the disputed claims reserve by approximately $600 million, decreasing the reserve from $2.4 billion to $1.8 billion</cite>, freeing additional cash for payouts.
Sources:
- https://www.prnewswire.com/news-releases/ftx-recovery-trust-to-distribute-more-than-5-billion-to-creditors-in-second-distribution-on-may-30-2025-302456976.html
- https://www.prnewswire.com/news-releases/ftx-recovery-trust-to-distribute-approximately-1-6-billion-to-creditors-in-third-distribution-on-september-30--2025--302561856.html
- https://cryptonews.net/news/market/32928327/
- https://support.ftx.com/hc/en-us/articles/19519576531476-Using-the-Customer-Claims-Portal
- https://www.prnewswire.com/news-releases/ftx-provides-update-on-upcoming-timeline-for-creditor-and-customer-distributions-302313274.html
#claims-process #payment-distribution #kyc-requirements #distribution-agents #creditor-recovery #bankruptcy-mechanics #exchange-failures #bankruptcy-proceedings
Creditors recover over 100%, valued at November 2022 prices
<cite index="2-4,2-8">Sullivan & Cromwell negotiated settlements with governmental authorities and non-U.S. insolvency trustees, clearing the way for FTX to return to all non-governmental creditors substantially more than 100 percent of the amount normally due under the Bankruptcy Code</cite>. <cite index="2-14">The firm settled the $24 billion IRS claim for a $200 million cash payment and a $685 million subordinated claim, reached agreements with the CFTC and state attorneys general to subordinate their claims, negotiated with the DOJ over how $1.2 billion of forfeiture proceeds may be distributed, and secured an $875 million settlement with BlockFi</cite>.
<cite index="17-19,17-20">U.S. customers received an additional 40% of their claims in the September 2025 payout, bringing total recovery to 95%; Dotcom customers received a further 6% distribution, raising cumulative recovery to 78%</cite>. The <cite index="11-1,11-4">convenience class—smaller creditors paid at 120% of claim value</cite>—saw the highest percentage return.
The headline figures mask creditor anger. <cite index="23-5">Claims are valued using November 2022 crypto prices, which some creditors argue undervalues their claims compared to current market rates</cite>. <cite index="26-16,26-17">Customers will not benefit from subsequent price appreciation; someone who held Bitcoin worth $16,000 in November 2022 will receive approximately $16,000-$18,880 in cash, even though Bitcoin's value increased substantially afterward</cite>. <cite index="25-2,25-3">Analysis reveals the FTX estate would hold an estimated $114 billion portfolio today if it had avoided liquidating assets during bankruptcy, driven by Solana's recovery and the Anthropic stake's valuation surge</cite>.
Sources:
- https://www.sullcrom.com/About/Rankings/2025/January/FTX-Emerges-Bankruptcy-Under-14-Billion-Plan
- https://cryptoresearch.report/crypto-research/ftx-repayment-plan-billions-due-to-creditors-in-2025/
- https://cryptoresearch.report/crypto-research/ftx-repayments-understanding-the-1-6-billion-payout-to-creditors/
- https://www.bitget.com/academy/ftx-collapse-recover
- https://cryptorank.io/news/feed/82a3b-ftx-bankruptcy-114-billion-portfolio
#creditor-recovery #asset-valuation #bankruptcy-proceedings #claims-process #opportunity-cost #payment-distribution #exchange-failures
Sullivan & Cromwell collects $232M guiding a $14B restructure
<cite index="2-1,2-3">FTX emerged from Chapter 11 in January 2025 under a reorganization plan exceeding $14 billion</cite>, and <cite index="1-4">Sullivan & Cromwell received roughly $232 million in attorney fees and costs over the course of the case</cite>. <cite index="1-7">Alvarez & Marsal collected approximately $284 million</cite>. <cite index="1-1">Total fees and expenses paid by the FTX estate approached $1 billion</cite>.
The firm's appointment drew scrutiny from the start. <cite index="3-3,3-4">Sullivan & Cromwell began handling FTX matters in summer 2021 after the U.S. arm hired partner Ryne Miller as general counsel, and the firm worked on 20 legal matters for FTX and a related hedge fund</cite>. <cite index="5-8">A bipartisan group of four Senators argued in January 2023 that the firm had a conflict of interest as bankruptcy counsel due to its significant pre-bankruptcy work</cite>. <cite index="4-17,4-19">The US Trustee pushed for an outside probe from the onset; the Third Circuit reversed a lower court ruling that had rejected the request, citing some of the conflicts questions raised by Sullivan & Cromwell's role</cite>.
<cite index="5-10">In October 2024, a class-action lawsuit brought by FTX investors against Sullivan & Cromwell was voluntarily dismissed after a U.S. Bankruptcy Examiner found the firm had neither participated in fraud nor overlooked warning signs</cite>. <cite index="2-9">Judge Dorsey described the case as a "model case for how to deal with a very complex Chapter 11 bankruptcy proceeding"</cite>, commending the team that coordinated dozens of governmental investigations, hundreds of litigation disputes, and millions of international creditor claims.
Sources:
- https://www.securitiesdocket.com/2026/01/23/sullivan-cromwell-claims-largest-share-of-ftxs-nearly-1-billion-fee-payout-law-com/
- https://www.sullcrom.com/About/Rankings/2025/January/FTX-Emerges-Bankruptcy-Under-14-Billion-Plan
- https://www.abajournal.com/news/article/sullivan-cromwells-history-with-ftx-draws-scrutiny-as-it-racks-up-bankruptcy-fees
- https://news.bloomberglaw.com/business-and-practice/ftx-probe-advances-to-test-sullivan-cromwells-limited-role
- https://en.wikipedia.org/wiki/Sullivan_&_Cromwell
#sullivan-cromwell #bankruptcy-proceedings #legal-fees #ftx-restructuring #conflict-of-interest #creditor-recovery #exchange-failures
Proto-danksharding sets the foundation for full sharding
<cite index="11-2">EIP-4844 was always designed as a stepping stone toward full Danksharding, the long-term plan to give Ethereum massive data bandwidth through data availability sampling.</cite> <cite index="4-6">In proto-danksharding, the data bandwidth is targeted to be 1 MB per slot instead of 16 MB, since validators and clients still need to download complete blob contents.</cite> <cite index="12-9,12-10">EIP-4844 represents a pivotal step in Ethereum's roadmap toward full sharding, a technique that will eventually enable Ethereum to process thousands of transactions per second by splitting the network into smaller units, or shards, that can process transactions in parallel; proto-danksharding is a precursor to full sharding, offering immediate improvements in scalability by focusing on data availability without introducing the full complexity of shard chains.</cite>
<cite index="9-12,9-14">EIP-4844 represents a tangible and important step in Ethereum's journey to scale in a decentralized way; through its blob-carrying transaction format, EIP-4844 improves Ethereum's scalability, preserves decentralization, and sets the stage for more complex and impactful scalability upgrades.</cite> <cite index="18-1,18-2">The Ethereum EIP-4844 upgrade aims to alleviate the scalability issue by introducing the blob, a new data structure for Layer-2 rollups; instead of using expensive blockchain storage, blobs provide a cheaper, separate data layer with its own fee market, which drastically lowers data availability costs.</cite>
Sources:
- https://www.datawallet.com/crypto/eip-4844-explained
- https://www.quillaudits.com/blog/ethereum/eip-4844-explained
- https://ietresearch.onlinelibrary.wiley.com/doi/10.1049/blc2.70014
- https://consensys.io/blog/ethereum-evolved-dencun-upgrade-part-5-eip-4844
- https://arxiv.org/pdf/2411.03892
#proto-danksharding #danksharding #ethereum-roadmap #scalability #eip-4844 #data-availability-sampling #ethereum-upgrades #layer-2
The blob fee market is separate and adjusts dynamically
<cite index="11-9">Blobs use their own EIP-1559-style pricing, with a base fee that adjusts based on whether the previous block was above or below target.</cite> <cite index="15-3,15-4,15-5">The costs for blob transactions from one block to the next can increase or decrease by up to 12.5%; the degree to which these price movements approach +/- 12.5% per block is calculated by the total amount of gas used by all attached blobs, which necessarily scales with the increase in blobs, since all blobs will be 128KB in size regardless of whether they are completely filled or not; if blocks consistently host more than 3 blobs, the price will continually increase.</cite>
<cite index="10-5">The blob fee market dynamically adjusts based on demand, as seen when inscription blobs ("Blobscriptions") pushed average blobs per block above the target of 3, temporarily spiking fees to $27 before returning close to $0.</cite> <cite index="11-10,11-11,11-12">Blob pricing now always reflects the actual computational cost of verifying KZG proofs, with the floor set at 1/15.258 of L1 gas; the mechanism does not affect rollups during periods of genuine demand, since the equilibrium fee in those moments sits well above the floor; what it prevents is the price collapsing to nothing when L1 gas is cheap.</cite> <cite index="11-15,11-16">Industry estimates suggest blob fees could contribute 30-50% of total ETH burn by 2026, depending on how L2 activity scales; blob revenue is becoming a real product line for Ethereum rather than a subsidized service for rollups.</cite>
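The update rule behind those per-block price moves can be run directly. The following is an added example, not code from this page or its sources: it follows the pricing functions published in EIP-4844 with the Dencun-era constants (target 3 blobs, maximum 6), and the starting excess value and block sequences are constructed for illustration. The reserve-price floor mentioned above is not modelled.

```python
"""Added example: EIP-4844 blob base fee update rule (Dencun-era constants)."""

# Constants as published in EIP-4844 at Dencun activation.
GAS_PER_BLOB = 2**17                          # one 128 KB blob = 131072 blob gas
TARGET_BLOB_GAS_PER_BLOCK = 3 * GAS_PER_BLOB  # target of 3 blobs per block
MAX_BLOB_GAS_PER_BLOCK = 6 * GAS_PER_BLOB     # hard cap of 6 blobs per block
MIN_BASE_FEE_PER_BLOB_GAS = 1                 # wei
BLOB_BASE_FEE_UPDATE_FRACTION = 3338477


def fake_exponential(factor, numerator, denominator):
    """Integer Taylor-series approximation of factor * e**(numerator/denominator)."""
    i = 1
    output = 0
    numerator_accum = factor * denominator
    while numerator_accum > 0:
        output += numerator_accum
        numerator_accum = (numerator_accum * numerator) // (denominator * i)
        i += 1
    return output // denominator


def calc_excess_blob_gas(parent_excess, parent_blob_gas_used):
    """Running tally of blob gas consumed above target; never goes below zero."""
    return max(0, parent_excess + parent_blob_gas_used - TARGET_BLOB_GAS_PER_BLOCK)


def blob_base_fee(excess_blob_gas):
    """Blob base fee in wei per unit of blob gas for a given excess."""
    return fake_exponential(
        MIN_BASE_FEE_PER_BLOB_GAS, excess_blob_gas, BLOB_BASE_FEE_UPDATE_FRACTION
    )


def simulate(blobs_per_block, start_excess=0):
    """Return the fee in force before each block, plus the fee after the last one."""
    excess = start_excess
    fees = []
    for blobs in blobs_per_block:
        used = blobs * GAS_PER_BLOB  # every blob is charged as a full 128 KB
        if blobs < 0 or used > MAX_BLOB_GAS_PER_BLOCK:
            raise ValueError(f"{blobs} blobs is outside the 0..6 range")
        fees.append(blob_base_fee(excess))
        excess = calc_excess_blob_gas(excess, used)
    fees.append(blob_base_fee(excess))
    return fees


def step_ratios(fees):
    """Block-over-block fee multipliers."""
    return [b / a for a, b in zip(fees, fees[1:])]


if __name__ == "__main__":
    start = 100_000_000  # constructed excess, high enough that the fee is far above 1 wei
    for label, pattern in [
        ("full blocks (6 blobs)", [6] * 5),
        ("at target (3 blobs)", [3] * 5),
        ("empty blocks (0 blobs)", [0] * 5),
    ]:
        fees = simulate(pattern, start_excess=start)
        ratios = ", ".join(f"{r:.4f}" for r in step_ratios(fees))
        print(f"{label:24s} multipliers: {ratios}")
```

Full blocks multiply the fee by about 1.125 each block, blocks at target leave it unchanged, and empty blocks divide it by about 1.125, so any sustained run above 3 blobs compounds upward.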
Sources:
- https://www.datawallet.com/crypto/eip-4844-explained
- https://consensys.io/blog/ethereum-evolved-dencun-upgrade-part-5-eip-4844
- https://coinmetrics.substack.com/p/state-of-the-network-issue-262
#blob-fees #eip-1559 #fee-market #ethereum-economics #layer-2 #eip-4844 #ethereum-upgrades #scalability
Layer-2 transaction fees collapsed when the upgrade went live
<cite index="19-2,19-8">Jesse Pollak, a contributor to Base, reported a reduction in network transaction fees from $0.31 to $0.0005 following the Dencun upgrade.</cite> <cite index="20-6">Median gas fees on Base fell from around $0.5 on March 13 (right before Dencun went live) to about $0.0012, according to on-chain data aggregated by Marcov on Dune.</cite> <cite index="23-10">On Starknet, just before it enabled blobs, the median transaction cost was about $1.35; afterward, it dropped to $0.0196—a 98% decrease.</cite> <cite index="24-9">The average cost of transactions on Optimism dropped to nearly 4 cents, down significantly from the recent average of around $1.4.</cite>
<cite index="10-3,10-4">Since the launch of EIP-4844 on March 13, several Layer-2 solutions including Arbitrum, Base, and Optimism adopted blob transactions, with over 950,000 blobs posted to Ethereum; adoption of blobs significantly reduced operational costs for Layer-2s, with median blob fees dropping to as low as $0.0000000005.</cite> <cite index="21-8">Karl Floersch, the CEO of OP Labs and co-founder of Optimism, said Dencun would reduce layer-2 transaction costs by at least 90%.</cite> <cite index="6-3,6-4">Blob transactions cut data posting costs by 10–100x compared to calldata; for example, L2 rollup Base saw a 224% transaction volume increase post-Dencun due to lower fees.</cite>
Sources:
- https://cryptoslate.com/blobs-successfully-slash-layer-2-fees-as-ethereum-dencun-upgrade-aims-to-increase-adoption/
- https://www.theblock.co/post/282417/ethereum-layer-2s-show-dramatic-drop-in-transaction-fees-after-dencun
- https://www.dlnews.com/articles/defi/ethereums-dencun-upgrade-cuts-layer-2-fees-as-much-as-98/
- https://www.coindesk.com/markets/2024/03/14/layer-2-blockchains-become-cheaper-after-ethereums-dencun-upgrade
- https://medium.com/@ankitacode11/eip-4844-proto-danksharding-and-ethereums-scalability-leap-a11e6a1398e2
- https://coinmetrics.substack.com/p/state-of-the-network-issue-262
- https://thedefiant.io/news/cefi/ethereum-activates-dencun-upgrade-ushering-new-era-for-layer-2-scalability
#dencun-upgrade #layer-2 #transaction-fees #base #optimism #arbitrum #starknet #ethereum-upgrades #scalability
Blobs replaced calldata and the cost differential is structural
<cite index="1-2,5-3">The Dencun upgrade, which activated on March 13, 2024, introduced EIP-4844—proto-danksharding—authored by Ethereum researchers Dankrad Feist and Proto Lambda.</cite> <cite index="2-5,2-6">Before the upgrade, rollups used calldata to commit transactions to Ethereum, and that calldata cost made up more than 90% of rollup expenses because calldata is permanently stored and directly accessible by the execution layer.</cite> <cite index="1-3,1-4">Proto-danksharding introduces blob-carrying transactions, which allow data to be posted to Ethereum more cheaply; blobs are sidecars of data used primarily by the sequencers of Ethereum layer-2 rollups to contain batched transactions executed on those rollups.</cite>
<cite index="1-6,11-4">Blobs are designed to remain available for exactly 4,096 epochs—roughly 18 days—before being pruned.</cite> <cite index="11-6,11-8">Every blob holds up to 128 KB of data, regardless of whether it is fully utilized, and smart contracts only see a versioned hash of the blob, which keeps execution-layer costs low.</cite> <cite index="16-3">Historically, rollups used calldata to post data to L1, which cost $1,000/MB and was stored forever, even though rollups only needed data temporarily.</cite> <cite index="26-1,26-9">Vitalik Buterin estimated a 60x cost reduction, with 125 kilobytes of calldata costing around 0.06 ETH ($200.45) compared to a predicted 0.001 ETH ($3.34) for a similar-sized blob.</cite> <cite index="2-15">The upgrade was expected to reduce calldata costs by at least 10 times.</cite>
Sources:
- https://docs.teku.consensys.io/concepts/proto-danksharding
- https://www.ledger.com/academy/danksharding-and-proto-danksharding-explained
- https://blog.quicknode.com/ethereum-dencun-upgrade-2024-proto-danksharding-and-the-surge-era-begins/
- https://www.datawallet.com/crypto/eip-4844-explained
- https://medium.com/@ankitacode11/eip-4844-proto-danksharding-and-ethereums-scalability-leap-a11e6a1398e2
- https://cointelegraph.com/learn/articles/ethereum-dencun-upgrade-proto-danksharding-and-layer-2-scalability
#eip-4844 #ethereum-upgrades #layer-2 #proto-danksharding #blobs #calldata #data-availability #scalability
Capital Concentration and the Efficiency Arms Race
<cite index="2-5,2-11">The halving could reduce profitability margins, leading to consistent BTC sell pressure from miners and further consolidation in miners and mining pools, with thinner margins resulting in forced selling to meet fixed operational and financing costs</cite>, Coinbase institutional research wrote pre-halving. <cite index="9-5">The mining industry is adapting through mergers, improving operational efficiency, and diversifying revenue streams, with well-capitalized firms better positioned to thrive</cite>.
<cite index="11-6">Facing reduced block reward revenue and high production costs, miners prepared by raising funds through equity/debt issuances and selling reserves, in an attempt to mitigate short-term financial strains</cite>. <cite index="1-3,1-4">Larger miners had been expecting and pricing the halving into their projections for years</cite>, said an industry source to Cointelegraph pre-halving. <cite index="1-6">Sophisticated mining firms have done in-depth calculations to factor in the potential effects of the halving, which historically involved hash rate drops and some miner capitulation</cite>.
The halving accelerated hardware replacement cycles. <cite index="14-20,14-21,14-22">Several advancements had been made in mining technology ahead of the April 2024 halving—newer rigs such as the Antminer S21 and Whatsminer M60 are tailored to have higher hash rates and energy efficiency, allowing miners to process more transactions with less power</cite>. Efficiency became binary: miners with access to sub-$0.05/kWh power and latest-generation ASICs maintained positive cash flow; those without either advantage faced shutdown or sale.
<cite index="1-8">The difficulty adjustment exists so that if Bitcoin becomes unprofitable to mine for most miners, they will turn off their rigs, hash rate will drop, the difficulty will follow suit, and then it becomes more profitable to mine for the miners who are left</cite>. The protocol's design creates consolidation pressure by rewarding marginal efficiency gains at industrial scale.
Sources:
- https://www.coinbase.com/en-gb/institutional/research-insights/research/market-intelligence/bitcoin-halving-and-miner-economics
- https://www.wisdomtree.com/investments/blog/2024/07/22/bitcoin-halving-and-mining-update-mid-2024-perspective
- https://research.grayscale.com/reports/2024-halving-this-time-its-actually-different
- https://cointelegraph.com/news/bitcoin-halving-2024-miners-predict-potential-outcomes-of-reduced-btc-rewards
- https://bitcourier.co.uk/news/bitcoin-halving-aug2024
#mining-economics #consolidation #asic-hardware #capital-markets #difficulty-adjustment #operational-efficiency #industrial-mining #supply-dynamics #protocol-events
Fee Revenue Spikes But Fails to Stabilize Baseline
<cite index="16-1,16-7">Following the 2024 halving, transaction fees briefly soared to record highs, largely due to the launch of the Runes protocol, which increased demand for block space</cite>. <cite index="6-8,19-15">Some blocks mined during the April 2024 halving event and the Runes launch contained fees exceeding 10 BTC, far above the 3.125 BTC subsidy</cite>. <cite index="21-23">On April 20, 2024, miners earned over $80 million in transaction fees in a single day, surpassing the $26 million earned from block rewards</cite>.
The windfall proved temporary. <cite index="16-8,16-9">Since then, BTC miner fees have declined and stayed mainly below the block reward, and miner fee growth has been notably subdued since the fourth halving</cite>. <cite index="16-11">In the year since the 2024 halving, just over 8,000 BTC have been paid in transaction fees, compared to 37,000 BTC in fees during the first year after the third halving</cite>, per Kaiko.
<cite index="19-12,19-13">Historically, fees have constituted a small fraction of total miner revenue, and during quiet periods fees might represent 1% to 5% of the total coinbase transaction reward</cite>. <cite index="24-1,24-2,24-5,24-6">Transaction fees have historically been a relatively small percentage of the reward received by miners compared to the block subsidy, but with renewed activity from Ordinals-related activity and the subsidy value halving, transaction fees will be increasingly important for miners going forward</cite>, The Block noted at the halving.
The subsidy schedule forces a structural pivot. <cite index="19-9,19-10">As the block subsidy decreases, transaction fees must eventually become the primary revenue source for miners—this transition is perhaps the most important long-term economic question facing Bitcoin</cite>. Miner economics now hinge on whether baseline on-chain activity grows fast enough to compensate for quadrennial subsidy cuts.
Sources:
- https://research.kaiko.com/insights/bitcoins-halving-anniversary-this-time-was-different
- https://www.spark.money/research/bitcoin-mining-economics-2026
- https://www.lbank.com/explore/bitcoin-mining-2025-supply-security-market-trend
- https://www.theblock.co/post/289875/bitcoin-ushers-in-fourth-halving-as-miners-block-subsidy-reward-drops-to-3-125-btc
#transaction-fees #mining-economics #ordinals #runes-protocol #revenue-diversification #block-subsidy #fee-market #supply-dynamics #protocol-events
Hash Rate Climbs Despite Revenue Compression
<cite index="3-14">The Bitcoin mining network experienced meteoric growth, with a 104% increase in hashrate in 2024, following a 90% growth in 2023</cite>, according to AMINA Bank analysis. <cite index="11-16">In 2023, the 7-day average hash rate soared from 255 exahashes/second to 516 EH/s—a 102% increase</cite>, Grayscale reported. <cite index="13-2,13-6,13-7">The 30-day mean hash rate and difficulty are up roughly 40% within the same period since April 2024, while hash price has fallen roughly 60%</cite>, per Fidelity.
The dynamic contradicts historical patterns. <cite index="14-1,14-2,14-16,14-17">Following the April 2024 halving, there was a short-lived downturn in the hash rate as some miners turned off less efficient gear shortly after the event, which was anticipated</cite>. But <cite index="19-33">contrary to some predictions, the 2024 halving did not cause a dramatic hashrate collapse</cite>.
Two forces sustained hash rate growth: price appreciation and continued capital deployment. <cite index="13-3,13-4">Bitcoin's daily hash rate rose above one zetta hash per second twice in April, reflecting continued investment in mining infrastructure, and hash rate has continued to climb despite bitcoin's modest performance since its 2025 all-time high above $108,000</cite>. <cite index="2-11">Thinner margins could result in a larger proportion of forced selling by miners to meet fixed operational and financing costs, possibly making some miners unprofitable and increasing consolidation by well-capitalized entities</cite>.
A rising hash rate alongside a collapsing hash price flags structural change. <cite index="16-5">When the hash rate rises without a matching increase in Bitcoin's price, miner profit margins are squeezed, highlighting a growing disconnect between network security and price performance</cite>.
Sources:
- https://aminagroup.com/research/post-halving-bitcoin-miners-landscape/
- https://research.grayscale.com/reports/2024-halving-this-time-its-actually-different
- https://www.fidelitydigitalassets.com/research-and-insights/2024-bitcoin-halving-one-year-later
- https://bitcourier.co.uk/news/bitcoin-halving-aug2024
- https://www.spark.money/research/bitcoin-mining-economics-2026
- https://www.coinbase.com/en-gb/institutional/research-insights/research/market-intelligence/bitcoin-halving-and-miner-economics
- https://research.kaiko.com/insights/bitcoins-halving-anniversary-this-time-was-different
#hash-rate #mining-economics #network-security #difficulty-adjustment #consolidation #infrastructure-investment #supply-dynamics #protocol-events
Subsidy Cut, Margin Squeeze, Efficiency Floor
<cite index="3-4,6-1">The April 2024 halving dropped the block subsidy from 6.25 to 3.125 BTC</cite>, executing Bitcoin's disinflationary schedule at block height 840,000. <cite index="4-1,4-2">Block rewards earned by miners declined 46% from $1.782 billion in April 2024 to $966 million in May 2024</cite>.
The halving did not arrive in a vacuum. <cite index="3-11,3-12">Q1 2024 miners enjoyed hash price averaging $0.094/TH for the quarter, propelled by rising bitcoin price</cite>, and <cite index="3-5">Bitcoin's price surged from $53,000 to over $109,000</cite> through early 2025. <cite index="2-10">Revenue per unit of hash power could drop to all time lows following the halving without significant bitcoin price appreciation</cite>, Coinbase institutional research warned pre-halving.
<cite index="4-3">The cost of electricity consumption as a percentage of block rewards increased by 27 percentage points from 40% in April 2024 to 67% in May 2024</cite>. <cite index="10-17,10-18,10-19">Power costs typically account for 75-85% of a miner's total cash operating expenses, and at $0.04/kWh the all-in cash costs of the top 10 listed miners were estimated at about $45k/bitcoin post-halving</cite>, per VanEck.
Pre-halving forecasts called for hashrate contraction. <cite index="17-6,17-7">JPMorgan estimated as much as 80 EH/s or 20% of network hashrate could be removed at the halving as less-efficient hardware was decommissioned</cite>. <cite index="12-1,12-7">Hashrate Index estimated ~3-7% of hashrate might come offline if Bitcoin's price held or increased moderately</cite>. The subsidy cut created an efficiency floor; miners operating marginal equipment or expensive power faced binary outcomes.
Sources:
- https://aminagroup.com/research/post-halving-bitcoin-miners-landscape/
- https://www.crai.com/insights-events/publications/the-economics-of-bitcoin-mining/
- https://www.coinbase.com/en-gb/institutional/research-insights/research/market-intelligence/bitcoin-halving-and-miner-economics
- https://www.vaneck.com/us/en/blogs/digital-assets/matthew-sigel-bitcoin-halving-explained-history-impact-and-2024-predictions/
- https://beincrypto.com/bitcoin-halving-network-hash-rate-jpmorgan/
- https://hashrateindex.com/blog/bitcoin-halving-2024/
#mining-economics #supply-dynamics #protocol-events #hash-rate #profitability #block-subsidy #infrastructure-costs
OCC rulemaking begins, effective date set for early 2027
<cite index="7-2,7-3">The Office of the Comptroller of the Currency proposes to issue regulations to implement the GENIUS Act regarding the issuance of payment stablecoins and certain related activities by entities subject to the OCC's jurisdiction, with comments due by May 1, 2026</cite>. <cite index="7-9,7-10">The GENIUS Act's effective date is the earlier of 18 months after the enactment date (July 18, 2025) or 120 days after the primary Federal payment stablecoin regulators issue final regulations implementing the Act, and the OCC anticipates that implementing regulations will be updated in the years following the effective date as business practices continue to evolve</cite>.
<cite index="7-15,7-16">Proposed regulations would apply to activities related to payment stablecoins by national banks and their subsidiaries, Federal savings associations and their subsidiaries, Federal branches, foreign payment stablecoin issuers, nonbank entities that seek to be or are approved as Federal qualified payment stablecoin issuers, and State qualified payment stablecoin issuers for whom the OCC has regulatory or enforcement authority</cite>. <cite index="4-12">SEC Chair Paul Atkins noted that payment stablecoins will play a significant role in the securities industry moving forward, and Comptroller Jonathan V. Gould stated the OCC is prepared to work swiftly to implement the landmark legislation</cite>.
The timeline matters: issuers have until January 2027 at the latest to get licensed, but if the OCC finalizes rules faster, the clock accelerates. Proposed rules are out for comment now, which means final regs could land late 2026.
Sources:
- https://www.federalregister.gov/documents/2026/03/02/2026-04089/implementing-the-guiding-and-establishing-national-innovation-for-us-stablecoins-act-for-the
- https://www.lw.com/en/insights/the-genius-act-of-2025-stablecoin-legislation-adopted-in-the-us
#stablecoin-regulation #genius-act #occ-rulemaking #implementation-timeline #regulatory-framework #effective-dates #comment-period #legislative-developments #payment-systems
Yield ban protects bank deposits, leaves custody loophole open
<cite index="6-1,6-2">In July 2025, Congress passed the GENIUS Act establishing a regulatory framework for payment stablecoins</cite>, and <cite index="4-13,2-26">the law prohibits issuers from offering any form of interest or yield to stablecoin holders</cite>. <cite index="6-17,6-18,6-19">Banks favor the strict prohibition and have argued to close a perceived loophole, while the crypto industry views bank opposition as anticompetitive behavior by an entrenched incumbent—since bank deposits may pay interest—and banks argue that stablecoins could benefit from regulatory arbitrage because issuers are subject to less complex and costly regulatory requirements than banks</cite>.
<cite index="6-10,6-11">The GENIUS Act did not define the term holder, so it remains to be seen whether the yield ban will be applied to the intermediary that bought and custodies the coin or the investor that owns the coin in the three-party model, and rulemaking or a future court case could find the status quo in violation of the yield ban</cite>. <cite index="6-24,6-25,6-26">Were consumers to substitute stablecoins for deposits on a large scale, it might have negative implications for the cost and supply of credit to U.S. businesses and consumers since banks rely on deposits to fund loans, and GENIUS Act limitations on permissible reserves prohibit stablecoin issuers from financing private credit, with one study estimating stablecoins could reduce bank lending by $65 billion to $1.26 trillion</cite>.
The practical tension is clear: the law aims to prevent stablecoins from becoming interest-bearing deposit substitutes, but the custody model used by exchanges may allow yield to pass through to end users anyway. Congress may close that gap later.
Sources:
- https://www.congress.gov/crs-product/IF13174
- https://www.lw.com/en/insights/the-genius-act-of-2025-stablecoin-legislation-adopted-in-the-us
#stablecoin-regulation #genius-act #yield-ban #bank-competition #deposit-substitution #regulatory-arbitrage #credit-impact #custody-models #legislative-developments #payment-systems
Dual-track licensing splits issuers by size and regulator
<cite index="2-8,2-9">The GENIUS Act permits nonbank issuers with under $10 billion in outstanding stablecoins to opt into a state regulatory regime and operate nationally, but requires a transition to federal oversight if they grow above that threshold unless granted a waiver by the federal regulator</cite>. <cite index="2-10,2-11,2-12">State regulators have supervisory, examination, and enforcement authority over all state issuers, though they may cede these authorities to the Fed, and the Fed or OCC can take enforcement actions against state issuers in unusual and exigent circumstances</cite>.
<cite index="3-19,3-24">An issuer that is a subsidiary of any insured depository institution or federally regulated nonbank must apply to the same federal banking regulator as that of the IDI and the OCC, respectively, and any issuer that opts for the federal regime or is not a state-qualified issuer with less than $10 billion in issuance is supervised by the same regulator as the IDI or by the OCC for nonbanks</cite>. <cite index="9-3,9-12">Competing views on how to allocate authority between federal and state regulators over payment stablecoin issuers were at the forefront of debate in the last Congress and represented the key obstacle</cite>.
The practical effect: smaller issuers can choose state licensing with lower administrative costs, but the federal ramp forces scale players into OCC oversight. The $10 billion threshold creates a gate most startups will not hit for years, if ever.
Sources:
- https://www.congress.gov/crs-product/IN12553
- https://www.congress.gov/crs-product/IN12522
- https://www.davispolk.com/insights/client-update/stablecoin-bill-first-out-gate-crypto-legislation-gains-momentum
#stablecoin-regulation #genius-act #state-federal-split #occ-oversight #licensing-regimes #regulatory-framework #scale-thresholds #legislative-developments #payment-systems
GENIUS Act creates federal framework for dollar-backed tokens
<cite index="4-1,4-8">The GENIUS Act passed the Senate on June 17, 2025 by a vote of 68 to 30 and the House on July 17, 2025, marking the first federal legislation on digital assets</cite>. <cite index="2-4,2-5,2-6">The bill establishes a regulatory regime for payment stablecoins—digital assets issued for payment or settlement and redeemable at a fixed amount—and requires issuers to hold at least one dollar of permitted reserves for every one dollar of stablecoins issued</cite>.
<cite index="2-7">Permitted reserves are limited to coins and currency, deposits at insured banks and credit unions, short-dated Treasury bills, repurchase agreements backed by Treasury bills, government money market funds, central bank reserves, and similar government-issued assets approved by regulators</cite>. <cite index="4-9,4-10">Bank and credit union subsidiaries that issue payment stablecoins are subject to oversight by their primary financial regulator, federally licensed nonbank issuers by the OCC, and the law clarifies that permitted payment stablecoins are not securities under federal securities laws or commodities under the Commodity Exchange Act</cite>.
<cite index="2-8,2-9">A nonbank issuer with under $10 billion in outstanding stablecoins can opt into a state regulatory regime and operate nationally, but must transition to the federal regime if it grows above that threshold unless granted a waiver</cite>. <cite index="4-13,2-26">Issuers may not offer any form of interest or yield to stablecoin holders</cite>. The law also addresses bankruptcy priority and international reciprocity arrangements, but the yield restriction leaves questions about whether it extends to three-party custody models.
Sources:
- https://www.congress.gov/crs-product/IN12522
- https://www.congress.gov/crs-product/IN12553
- https://www.lw.com/en/insights/the-genius-act-of-2025-stablecoin-legislation-adopted-in-the-us
#stablecoin-regulation #legislative-developments #genius-act #payment-systems #reserve-requirements #federal-framework #occ-oversight #yield-ban
Monitorship, pardon, and what remains unresolved
<cite index="16-1,16-5">As part of the 2023 settlement, the U.S. government installed two monitors who separately report to the DOJ and FinCEN, with monitorships beginning in 2024 as part of the larger $4.3 billion plea deal related to Binance's failure to impose proper money-laundering and sanctions oversight</cite>. <cite index="20-6,20-12">The settlement required Binance to maintain an independent compliance monitor for three years, with Forensic Risk Alliance selected to oversee operations, and Binance maintains dual oversight through both DOJ and Treasury Department agreements</cite>.
<cite index="4-1,4-10,4-11">In November 2023, Zhao pleaded guilty in Seattle federal court and agreed to step down as Binance CEO as part of the $4.3 billion settlement, charged with violating the Bank Secrecy Act for failing to implement an effective anti-money-laundering program and for willfully violating U.S. economic sanctions</cite>. <cite index="4-13">He was sentenced in April 2024 to four months in jail</cite>. In October 2025, President Trump pardoned Zhao.
<cite index="3-4,3-5">While this wraps up DOJ's actions against Zhao and Binance, the two still face charges from the Securities and Exchange Commission, which was notably absent from the DOJ's settlement</cite>. <cite index="20-9,20-10">Federal prosecutors are evaluating Binance's request to drop the three-year monitoring requirement, though no final decision has been reached, and sources indicate Binance would likely need to implement enhanced compliance reporting standards to meet DOJ expectations if oversight is removed</cite>.
Sources:
- https://fortune.com/2026/04/17/senator-blumenthal-binance-doj-fincen-treasury-monitorships-status/
- https://finance.yahoo.com/news/binance-close-securing-agreement-end-212125707.html
- https://www.cnbc.com/2025/10/23/trump-pardons-binance-founder-cz-zhao.html
- https://blockworks.co/news/changpeng-zhao-sentencing-verdict
#compliance-monitor #binance #changpeng-zhao #sec-enforcement #doj-settlement #pardon #fincen #ongoing-litigation #exchange-regulation #enforcement-actions #compliance
Sanctions matching: the system that paired U.S. with Iran
<cite index="18-14,18-15,18-16">Binance maintained a "matching system" that connected buyers and sellers for each transaction, and this matching engine was designed solely to operate around prices without regard to any other characteristic of the entities involved, which frequently matched U.S. users with users in sanctioned jurisdictions</cite>. <cite index="18-17,18-18">This led to at least 1.1 million transactions between U.S. persons and citizens of Iran within a three-year period</cite>.
<cite index="19-15,19-16">For over five years between August 2017 and October 2022, Binance matched and executed virtual currency trades on its exchange platform between U.S. person users and users in sanctioned jurisdictions or blocked persons, and although Binance took steps to project an image of compliance, senior Binance management knew of and permitted the presence of both U.S. and sanctioned jurisdiction users</cite>. <cite index="19-11">Binance's knowledge that matching and executing trades between such users could cause violations of sanctions is reflected in statements of senior executives at the highest levels including the CEO and the then chief compliance officer</cite>.
<cite index="26-10">Binance allowed more than 1.5 million virtual currency trades totaling nearly $900 million that violated U.S. sanctions, including ones involving Hamas' al-Qassam Brigades, al-Qaeda and Iran</cite>. <cite index="19-8,19-9">OFAC's settlement of $968.6 million reflects consideration of enforcement guidelines and Binance's agreement to retain a monitor for five years, and is coordinated with DOJ, FinCEN, and the CFTC</cite>.
Sources:
- https://blog.volkovlaw.com/2023/12/doj-reaches-groundbreaking-criminal-settlement-with-cryptocurrency-exchange-binance-and-ceo-changpeng-zhao-part-i-of-iii/
- https://ofac.treasury.gov/system/files/2023-11/20231121_binance.pdf
- https://fortune.com/crypto/2024/04/30/binance-founder-cz-faces-3-year-jail-term-money-laundering-judge-decides-sentence/
#sanctions-violations #ieepa #iran-sanctions #compliance #binance #matching-engine #ofac #enforcement-actions #exchange-regulation
Growth over compliance: what Binance admitted to doing
<cite index="11-10">DOJ alleged that Binance, as a money services business under FinCEN regulations, was required to implement an effective AML program but never filed a suspicious activity report with FinCEN and did not begin collecting know-your-customer information until May 2022</cite>. <cite index="25-7,25-8">For years, Binance allowed users to open accounts and trade without submitting any identifying information beyond an email address, and even after beginning to require KYC in August 2021, allowed non-compliant users to continue trading until May 2022</cite>.
<cite index="2-11,2-12,2-13">In 2019, Binance announced it would block U.S. customers and launched Binance.US, but despite this announcement took steps to maintain a substantial number of U.S. customers, particularly focusing on retaining valuable "VIP" customers responsible for a large portion of trading volume and revenue</cite>. <cite index="2-15,2-16">Binance executives including Zhao made plans to contact VIP customers to help them register offshore entity accounts and transfer holdings, and employees called U.S. VIPs to encourage them to provide information suggesting they were not located in the United States</cite>.
<cite index="11-11">Between August 2017 and April 2022, cryptocurrency wallets belonging to Binance transferred $106 million in Bitcoin to Hydra, a Russian darknet marketplace</cite>. <cite index="25-9">Between August 2017 and October 2022, U.S. users conducted trillions of dollars in transactions on the platform, generating over $1.6 billion in profit for Binance</cite>.
Sources:
- https://www.justice.gov/archives/opa/pr/binance-and-ceo-plead-guilty-federal-charges-4b-resolution
- https://www.consumerfinancialserviceslawmonitor.com/2023/11/understanding-the-dojs-groundbreaking-4-3b-settlement-with-foreign-cryptocurrency-exchange-binance-com/
#compliance #aml-failures #binance #money-transmission #sanctions-violations #vip-customers #enforcement-actions #exchange-regulation
$4.3 billion settlement, three charges, one resigned CEO
<cite index="1-3,2-1">In November 2023, Binance Holdings Limited pleaded guilty to conspiracy to violate the Bank Secrecy Act, failure to register as a money transmitting business, and violating the International Emergency Economic Powers Act</cite>. <cite index="2-2">Changpeng Zhao, the exchange's Canadian founder and CEO, separately pleaded guilty to failing to maintain an effective anti-money laundering program and resigned as CEO</cite>.
<cite index="2-4">Binance agreed to forfeit $2.5 billion and pay a criminal fine of $1.8 billion for a total financial penalty of $4.3 billion</cite>. <cite index="2-5,2-6">The exchange also agreed to retain an independent compliance monitor for three years and to remediate its AML and sanctions programs, with approximately $1.8 billion credited toward separate resolutions with the CFTC, FinCEN, and OFAC</cite>. <cite index="3-16,5-11">Zhao personally agreed to pay a $50 million fine and was sentenced to four months in prison in April 2024</cite>, well below the 36-month sentence DOJ prosecutors had requested.
<cite index="2-7">The resolution followed an investigation into how Binance processed billions of dollars of cryptocurrency transactions for U.S. persons and caused U.S. customers to engage in transactions in violation of U.S. sanctions</cite>. <cite index="1-6">DOJ called it the department's largest corporate guilty plea that also involves the guilty plea of a CEO</cite>. The SEC was notably absent from the coordinated settlement and continues to pursue separate civil charges.
Sources:
- https://www.justice.gov/criminal/case/united-states-v-changpeng-zhao
- https://www.justice.gov/archives/opa/pr/binance-and-ceo-plead-guilty-federal-charges-4b-resolution
- https://blockworks.co/news/changpeng-zhao-sentencing-verdict
- https://www.cnbc.com/2024/04/30/binance-founder-changpeng-zhao-cz-sentenced-to-four-months-in-prison-.html
#exchange-regulation #enforcement-actions #compliance #money-transmission #bank-secrecy-act #doj-settlement #binance #changpeng-zhao
CME futures precedent constrains next crypto ETF approvals
<cite index="2-15">The SEC Staff's approval related to spot ether ETFs appears narrowly tailored to digital assets having an active futures markets on the CME</cite>. Bitcoin and ether are currently the only two digital assets that meet this threshold, which creates a regulatory moat around the asset classes eligible for spot ETF treatment. <cite index="2-16,2-17">SEC Chair Gary Gensler's statement related to the spot bitcoin ETFs preemptively distinguished the spot bitcoin ETF from any other crypto-related product that may come to market in the future, and the arguments in this statement may be raised in connection with other, new crypto-linked investment products that sponsors may seek to bring to market</cite>.
The CME requirement is a market surveillance filter. <cite index="21-2,21-3">Ether futures and options trading occurs on trading platforms in the U.S. regulated by the CFTC, and the market for NYSDFS-licensed and CFTC-regulated trading of ether and ether derivatives has developed substantially</cite>. <cite index="21-5,21-6">Among the top NYSDFS-licensed trading platforms, year-to-date as-of June 30, 2024, the average daily trading volume is approximately $2.8 billion, and across these venues, the average daily deviation of prices was less than 5%</cite>. The SEC's logic: regulated futures markets provide a reference price that can detect manipulation in the underlying spot market, satisfying the exchange's obligation under the Exchange Act to prevent fraudulent and manipulative acts.
<cite index="1-14">The fact that the SEC has now approved two cryptocurrency ETFs shows a shift in the political and regulatory landscape regarding cryptocurrency assets</cite>, but the CME futures criterion walls off most tokens from the ETF pathway in the near term.
Sources:
- https://www.mayerbrown.com/en/insights/publications/2024/05/sec-approves-listings-of-spot-ether-etfs-waiting-is-the-hardest-part
- https://www.foley.com/insights/publications/2024/07/next-ethereum-etfs-sec-approval/
- https://www.sec.gov/Archives/edgar/data/0001995569/000119312524182288/d470525d424b3.htm
#sec-regulation #cme-futures #market-surveillance #etf-eligibility #regulatory-framework #gensler #etf-developments #market-access
Spot Ether ETFs open brokerage access without staking yield
<cite index="18-2,18-12">Spot ethereum ETFs directly hold ether, the cryptocurrency that supports the ethereum blockchain</cite>, and <cite index="16-1">are available for trading on traditional exchanges, including Nasdaq, Cboe BZX Exchange, and NYSE Arca</cite>. <cite index="16-2">This means they are accessible through standard brokerage accounts</cite>. The structure removes custody friction: <cite index="16-8,16-9">when investing in a spot Ethereum ETF, a trader is essentially buying shares that represent ownership of the fund's Ether holdings, allowing traders to gain exposure to Ethereum without the need to purchase and store the cryptocurrency themselves</cite>.
The market structure advantages are conventional. <cite index="16-11">As regulated investments supervised by financial watchdogs, ETFs can offer protection and transparency</cite>, and <cite index="16-12">spot Ethereum ETFs can be easily traded on stock exchanges, providing quick entry and exit options</cite>. <cite index="19-1,19-2">Spot Ethereum ETFs can add major liquidity to Ether markets simply by offering investors more options on how to gain exposure to Ethereum, and investors can access spot crypto ETFs through conventional brokerage firms, making it easier for investors to participate in the market and creating larger trading volumes</cite>.
The tradeoff is fee drag and no yield. <cite index="16-13,16-14">ETFs leverage management fees, which can be more substantial than those of crypto exchanges to buy ETH, and while traders only pay one single transaction fee to buy ETH once, a fund leverages management fees on a monthly basis</cite>. <cite index="18-14">Unlike bitcoin, holding ether directly could hold a meaningful performance edge over spot ether ETFs for investors willing to engage in staking</cite>, which the SEC has prohibited in these products.
Sources:
- https://crypto.com/en/university/spot-ethereum-etfs-explained
- https://www.morningstar.com/funds/whats-next-spot-ether-etfs
- https://www.ledger.com/academy/topics/economics-and-regulation/guide-to-what-ethereum-spot-etfs-are
#market-structure #etf-mechanics #brokerage-access #staking-prohibition #fee-analysis #liquidity #etf-developments #sec-regulation #market-access
Grayscale converts $4.9bn Ethereum Trust following GBTC precedent
<cite index="10-1">NYSE Arca filed Form 19b-4 with the SEC on October 2, 2023 to convert Grayscale Ethereum Trust (OTCQX: ETHE) to a spot Ethereum ETF</cite>, following the firm's successful litigation strategy on the Bitcoin side. <cite index="12-3">Grayscale's Ethereum trust is the largest ether investment product in the world, with almost $5 billion in assets under management</cite> as of the filing date. <cite index="8-9">Grayscale also reports that 250,000 investor accounts have exposure to the trust</cite>.
The conversion playbook mirrored the Bitcoin approach. <cite index="11-2,11-3">In October 2021, Grayscale also filed to convert its Grayscale Bitcoin trust (GBTC) to a spot bitcoin ETF, and last month, the company obtained victory in its case against the SEC and now awaits the agency's approval for the conversion filing</cite>. <cite index="13-7">Since launching in 2019, conversion into a spot ETF has always been the "final stage" of its intended lifecycle</cite>.
<cite index="15-2">On Tuesday, Grayscale Investments launched the Grayscale Ethereum Trust (ETHE) and the Grayscale Ethereum Mini Trust (ETH) on the NYSE Arca</cite>. The Mini Trust represents a tactical response to fee pressure: <cite index="15-9,15-10,15-11">It has a low net expense ratio of 0.15%, which has also been waived for the first six months of the fund's launch or until $2 billion in AUM has been reached</cite>. The two-product structure lets Grayscale retain the legacy high-fee ETHE while competing on price with the low-cost ETH.
Sources:
- https://www.sec.gov/Archives/edgar/data/0001725210/000095017023051182/ethe-ex99_1.htm
- https://cointelegraph.com/news/grayscale-applies-to-convert-ethereum-trust-to-spot-etf
- https://www.coindesk.com/business/2023/10/02/grayscale-moves-to-convert-its-ethereum-trust-to-a-spot-eth-etf
- https://decrypt.co/199754/grayscale-files-convert-ethereum-trust-spot-etf
- https://www.etftrends.com/crypto-content-hub/grayscale-aims-lead-spot-ether-field-low-cost-etf/
#grayscale #etf-conversion #ethe #trust-structure #fee-competition #market-access #etf-developments #sec-regulation
SEC clears eight Ethereum ETFs after Bitcoin court defeat
<cite index="1-1">The SEC approved eight Ethereum ETFs for listing and trading on regulated exchanges on May 23, 2024</cite>, five months after Bitcoin spot products went live. <cite index="1-19">This time the SEC approved the Ethereum ETF applications of its own volition</cite>, a departure from the Bitcoin case where <cite index="1-16,1-18">the SEC only approved BTC ETFs after three federal judges ordered the SEC to grant approval following Grayscale Investments' victory in court, when the D.C. Circuit found the SEC was "arbitrary and capricious" in rejecting Grayscale's application</cite>.
The approved roster includes <cite index="2-4">the Grayscale Ethereum Trust, the Bitwise Ethereum ETF, the iShares Ethereum Trust, the VanEck Ethereum Trust, the ARK 21Shares Ethereum ETF, the Invesco Galaxy Ethereum ETF, the Fidelity Ethereum Fund, and the Franklin Ethereum ETF</cite>. <cite index="1-5">Each sponsor must submit an S-1 filing as a registration statement and wait for SEC approval before the ETFs can actually be listed for trading</cite>. <cite index="5-9">After the approval for latest S-1 filings by issuers, Ethereum ETFs became available for trading from July 23, 2024</cite>.
The approval came with constraints. <cite index="1-2,1-3">The SEC's approval includes a prohibition on staking ETH via ETH ETFs, and if the sponsors want approval to stake ETH, they will need to submit a proposed rule change and wait for SEC approval</cite>. <cite index="2-15">The SEC Staff's approval related to spot ether ETFs appears narrowly tailored to digital assets having an active futures markets on the CME</cite>, meaning Bitcoin and Ether are the only two assets that currently qualify under this framework.
Sources:
- https://www.foley.com/insights/publications/2024/07/next-ethereum-etfs-sec-approval/
- https://www.mayerbrown.com/en/insights/publications/2024/05/sec-approves-listings-of-spot-ether-etfs-waiting-is-the-hardest-part
- https://101blockchains.com/sec-approved-spot-ethereum-etfs/
#etf-developments #sec-regulation #market-access #ethereum #grayscale-litigation #regulatory-approval #staking-prohibition
What HHI Misses in Proof-of-Work Systems
The Herfindahl-Hirschman Index was designed for conventional markets, not for systems where the product is consensus. <cite index="19-8,19-9,19-10">HHI has limits in the volatile crypto market; cryptocurrencies can change quickly, making HHI scores less stable than in traditional markets, and the metric does not capture outside factors like market sentiment or regulatory shifts</cite>. Pool market share can swing 5% in a week; a snapshot tells you less than it would for a steel mill.
<cite index="3-1">The Mining Centralization Index shows the hashrate sum of the largest 2, 3, 4, 5, and 6 pools at each point in time</cite>, offering a simpler alternative that tracks top-N concentration without squaring shares. Another gap: HHI does not distinguish between a pool operator's control over block templates and individual miners' ability to exit. <cite index="7-6,7-7">Large miners and pools could have an incentive to conceal or obfuscate the actual extent of their mining power to maximize market shares and profits without visibly harming the security and credibility of the system</cite>.
<cite index="19-26,19-27">Reliable data on cryptocurrencies, trading volumes, or token distributions is crucial for accurate HHI assessment; variability in data transparency across platforms makes data quality critical</cite>. When a chunk of hashrate is labeled 'Unknown,' any concentration metric becomes guesswork about who controls what.
Sources:
- https://www.ccn.com/education/crypto/hhi-index-crypto-market-analysis/
- https://b10c.me/blog/015-bitcoin-mining-centralization/
- https://arxiv.org/pdf/1905.05999
#decentralization-metrics #methodology #measurement-limitations #mining-economics #data-transparency #market-structure
Transaction Fees and Decentralization Feedback
<cite index="1-3">Risk-averse miners prefer a larger degree of diversification of their hash rate into more mining pools when the part of Bitcoin transaction fees is higher in the block reward</cite>. <cite index="1-7">Empirical results suggest that Bitcoin mining pools become more decentralized when the proportion of transaction fees in mining reward increases</cite>. This is a second-order effect: higher transaction fees introduce reward uncertainty, which incentivizes miners to spread hashrate across multiple pools to hedge variance.
<cite index="1-11,1-12">There is a negative relationship between transaction fees and mining pool centralization; large mining pools grow slower than small mining pools with high transaction fees</cite>. The mechanism is risk management. When the coinbase reward is fixed and dominant, large pools offer the most consistent payout. When transaction fees are volatile and significant, diversification becomes more attractive.
This suggests that as block subsidies decline and transaction fees become a larger share of miner revenue—by design in Bitcoin's issuance schedule—the hashrate distribution may naturally spread. Whether it spreads enough to matter depends on fee volatility and how much variance miners are willing to tolerate for higher expected returns.
Sources:
- https://www.sciencedirect.com/science/article/abs/pii/S1544612323007195
#mining-economics #transaction-fees #decentralization-metrics #risk-management #miner-behavior #block-rewards #methodology
Current Pool Distribution and the 95% Problem
<cite index="3-5">Bitcoin mining is highly centralized today, with only six pools mining more than 95% of the blocks</cite>. <cite index="8-1">Foundry alone controls 34.2% of global bitcoin hashrate, AntPool another 14.2%, F2Pool 11.3%, and SpiderPool 10.5%, with MARA Pool adding 4.7%</cite> as of May 2026. These are not individual miners—they are coordination points that control which transactions make it into blocks.
<cite index="7-2">Individual miners are simultaneously operating across all three analyzed pools and in each pool a small number of actors (≤ 20) receives over 50% of all BTC payouts</cite>. The concentration runs deeper than pool-level market share. <cite index="3-6,3-7">Mining pools control which transactions they include in or exclude from their blocks</cite>, creating a transaction-selection chokepoint even if individual hashrate providers retain some autonomy.
<cite index="21-5,21-12">Miners can and do switch pools relatively easily based on fee structures, payout reliability, and personal preference, which acts as a natural check on any single pool's influence</cite>. But the current numbers exceed what many protocol designers expected. The question is whether the system's openness to entry and exit offsets the snapshot concentration.
Sources:
- https://b10c.me/blog/015-bitcoin-mining-centralization/
- https://www.coindesk.com/markets/2026/05/11/bitcoin-mining-pools-with-75-of-btc-hashrate-join-open-standard-for-block-construction
- https://arxiv.org/pdf/1905.05999
- https://www.bitget.com/news/detail/12560605133499
#mining-economics #decentralization-metrics #pool-operators #hashrate-distribution #market-structure #centralization-risk #methodology
HHI as the Standard Measure for Mining Pool Concentration
<cite index="1-5">The Herfindahl-Hirschman Index (HHI) is used to measure decentralization of Bitcoin mining pools</cite>, treating hashrate distribution as a market structure problem. <cite index="21-2,21-9">The health of the mining ecosystem is often measured by the Herfindahl-Hirschman Index (HHI), a common gauge of market concentration</cite>. The method is borrowed from antitrust analysis: you square each pool's market share (as a percentage), then sum them. A score under 1,500 suggests a competitive market; above 2,500 indicates high concentration.
<cite index="20-4,20-5">An ARK Invest analysis assumed 'Unknown' hashrate consisted of 15 evenly distributed mining pools, concluding the mining pool industry has never been a 'concentrated marketplace'</cite>. <cite index="20-7,20-8">Even when consolidating mining pools associated with Bitmain into one entity, the HHI peaked in 2018 at approximately 2050 and has declined since, suggesting the industry is competitive</cite>. But this depends heavily on how you treat unknown hashrate and whether you group entities by ownership.
<cite index="20-23">The HHI measures only the current state of the mining pool ecosystem and does not account for turnover</cite>. <cite index="20-27,20-32">In the last 5 years, the average mining pool's lifetime has been 2.5 years</cite>, which suggests churn that a snapshot metric misses. The index tells you concentration now, not whether the same actors stay on top.
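The calculation described above, applied to the pool shares quoted earlier on this page, as an added example that is not code from the author or the cited sources. It shows how far the score moves with the treatment of hashrate not attributed to a named pool; the scenario names, and the reading of the quoted shares as one snapshot whose remainder is unattributed, are assumptions of this example.

```python
# Added example: HHI and top-N concentration for mining pools, with the
# sensitivity to unattributed hashrate made explicit.

# Shares in percent of network hashrate, as quoted on this page (May 2026).
POOL_SHARES = {
    "Foundry": 34.2,
    "AntPool": 14.2,
    "F2Pool": 11.3,
    "SpiderPool": 10.5,
    "MARA Pool": 4.7,
}

COMPETITIVE_BELOW = 1500    # page: under 1,500 suggests a competitive market
CONCENTRATED_ABOVE = 2500   # page: above 2,500 indicates high concentration


def hhi(shares):
    """Square each percentage share and sum; 10,000 is a single entity."""
    shares = list(shares)
    if any(s < 0 for s in shares):
        raise ValueError("shares must be non-negative percentages")
    if sum(shares) > 100 + 1e-9:
        raise ValueError("shares sum to more than 100%")
    return sum(s * s for s in shares)


def classify(score):
    """Map a score onto the two thresholds the page gives."""
    if score < COMPETITIVE_BELOW:
        return "competitive"
    if score > CONCENTRATED_ABOVE:
        return "highly concentrated"
    return "between thresholds"


def top_n(shares, n):
    """Combined share of the n largest pools (the simpler top-N measure)."""
    return sum(sorted(shares, reverse=True)[:n])


def scenarios(named, equal_pools=15):
    """HHI under four assumptions about the share not attributed to any
    named pool. Scenario names are assumptions of this example.

    atomistic          many tiny miners, contributes ~0 to the index
    equal_pools        split evenly across `equal_pools` pools (the ARK
                       analysis cited above assumed 15)
    single_entity      one additional, separate pool
    hidden_in_largest  concealed hashrate of the largest named pool
    """
    if equal_pools < 1:
        raise ValueError("equal_pools must be at least 1")
    known = sorted(named.values(), reverse=True)
    rest = max(100.0 - sum(known), 0.0)
    return {
        "atomistic": hhi(known),
        "equal_pools": hhi(known + [rest / equal_pools] * equal_pools),
        "single_entity": hhi(known + [rest]),
        "hidden_in_largest": hhi([known[0] + rest] + known[1:]),
    }


if __name__ == "__main__":
    values = list(POOL_SHARES.values())
    for n in (2, 3, 4, 5):
        print(f"top-{n} share: {top_n(values, n):.1f}%")
    for name, score in scenarios(POOL_SHARES).items():
        print(f"{name:18s} HHI = {score:7.1f}  ({classify(score)})")
```

On these figures the named pools alone already score above 1,500. The score stays below 2,500 if the unattributed share is one separate entity, but exceeds it if that share sits behind the largest named pool.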
Sources:
- https://www.sciencedirect.com/science/article/abs/pii/S1544612323007195
- https://research.ark-invest.com/hubfs/1_Download_Files_ARK-Invest/White_Papers/ARKInvest_031220_Whitepaper_BitcoinMining.pdf
- https://www.bitget.com/news/detail/12560605133499
#mining-economics #decentralization-metrics #methodology #market-concentration #herfindahl-index #measurement-limitations
Rollup TPS is bottlenecked by L1, not by claimed capacity
<cite index="14-1,14-2,14-3">The bottleneck for L2 TPS is the transaction size limit on L1; only transactions smaller than 128 KB are accepted on L1, which implies that enhancing L2 node specifications won't increase L2 TPS</cite>. <cite index="14-12">When operating only an L2 node without L1 rollup, the maximum achievable TPS is around 1500</cite>. The actual constraint is how much data you can post to Ethereum per block, not how fast the rollup can process internally.
<cite index="8-6,8-7">Throughput can increase by up to 20% when 90% of transactions are offloaded to Layer 2, but increasing the batch size can lead to over 100% growth in latency, evidencing a quantifiable trade-off between these metrics</cite>. <cite index="8-8">The interplay between Layer 1 and Layer 2 scalability mechanisms shows how batching strategies, transaction volume, and confirmation delays affect system-level performance</cite>. The academic modeling work is starting to catch up to what operators already know: you can't just advertise a TPS number without specifying under what conditions and what you're sacrificing to get there.
Sources:
- https://github.com/oasysgames/oasys-optimism/issues/46
- https://www.sciencedirect.com/science/article/abs/pii/S0167739X25006107
#layer-2 #tps #bottleneck #rollups #batching #latency #measurement-methodology #scalability #contested-methods
Cost per transaction has no agreed calculation
<cite index="18-3,18-8">L2 fees are typically made up of an L1 component (total cost of interactions with L1) and an L2 component (total cost of interactions with L2)</cite>. <cite index="18-4,18-9">Fee calculations involve complex formulas with lots of variables depending on the specific L2 solution</cite>. <cite index="18-5,18-10,18-11">Gas represents the computational effort required to execute the transaction; the total gas fee is the product of the gas used and the gas price, which is set by the network based on demand</cite>.
<cite index="22-19,22-20">The largest variable is the L1 data fee, which depends on the calldata size of your transaction and Ethereum mainnet gas prices; you use the L2's GasPriceOracle precompile to calculate this component separately</cite>. <cite index="22-4">Different transaction types save differently: simple transfers see the largest percentage reduction, while complex DeFi interactions see smaller savings due to higher L2 execution gas</cite>. <cite index="22-23,22-25">Estimating Layer 2 cost savings requires analyzing transaction patterns and network conditions; accurate L2 cost estimation is not a one-time calculation but an ongoing analysis</cite>. There is no single number. Vendors can present favorable comparisons by choosing the transaction type and timing that suits them.
Sources:
- https://www.starknet.io/blog/understanding-l2-fees/
- https://www.chainscorelabs.com/en/guides/core-blockchain-concepts-and-architecture/layer-2-design/how-to-estimate-layer-2-cost-savings
#cost-per-transaction #layer-2 #gas-fees #l1-data-fees #measurement-methodology #contested-methods #scalability
L2BEAT introduced UOPS to fix the bundling problem
<cite index="13-1,13-2">UOPS stands for User Operations Per Second; in contrast to TPS, UOPS takes into account the actions that are bundled and included in a single blockchain transaction</cite>. <cite index="13-3">This can be achieved using bundling protocols such as ERC-4337, Gnosis Safe, and Multicall</cite>. A single on-chain transaction can bundle multiple user operations, which means TPS undercounts actual user activity on rollups.
<cite index="9-13">A range of L2s like Starknet strongly support the initiative to measure rollup performance; Starknet has renamed their graph to UOPS</cite>. The standard is gaining traction but has limits. <cite index="9-15,9-16">UserOps per second may face criticism due to its lack of application outside the Ethereum ecosystem; non-Ethereum L2s still face challenges to leverage UserOps-based metrics</cite>. This is the infrastructure working itself out—an attempt to standardize what performance actually means when you're batching operations in ways that don't map to simple transaction counts.
Sources:
- https://l2beat.com/glossary
- https://www.zeeve.io/blog/is-tps-misleading-for-rollups-heres-why-uops-or-gas-sec-are-better/
#uops #l2beat #measurement-methodology #bundling #layer-2 #erc-4337 #contested-methods #scalability
TPS is a marketing number, not a measurement
<cite index="1-5">Vendors throw around TPS numbers</cite>, but <cite index="1-6">performance is more complicated than a single number</cite>. <cite index="1-12,1-13">Transactions per second measures how many trivial transactions can be done, but for applications with complex transactions, computation per second may be more important</cite>. The method matters: <cite index="9-8">gas-per-second is a better performance metric for Layer 2/Layer 3 scaling solutions</cite> than TPS, according to Offchain Labs. <cite index="9-10">Comparing L2 activity to Ethereum using TPS is like counting the number of bills in your wallet but ignoring that some are singles and some are hundreds</cite>.
<cite index="27-1,27-3">Many blockchains claimed in marketing materials to be capable of processing 100,000+ TPS but have failed to live up to their marketing promises in practice</cite>. <cite index="27-1">The benchmarks were on specially prepared transactions</cite>, not real-world load. <cite index="28-1,28-2,28-4">Steven Pu developed TPS/$ to assess performance based on verifiable TPS achieved on live mainnet while considering hardware efficiency, forcing performance to be on mainnet and revealing the tradeoffs of extremely expensive hardware</cite>. <cite index="31-10,31-11">High theoretical TPS figures do not always translate into real-world performance; attention has shifted from headline numbers to sustained performance, resilience, and developer adoption</cite>.
Sources:
- https://medium.com/offchainlabs/how-to-measure-layer-2-performance-and-scalability-1a0b21e0315
- https://www.zeeve.io/blog/is-tps-misleading-for-rollups-heres-why-uops-or-gas-sec-are-better/
- https://qedprotocol.com/blog/posts/the-blockchain-scaling-dilemma/
- https://www.ainvest.com/news/blockchain-expert-proposes-tps-metric-combat-misleading-performance-claims-2505/
- https://www.lcx.com/blockchain-scalability-in-2025-are-we-finally-solving-the-throughput-problem/
#tps #contested-methods #layer-2 #measurement-methodology #marketing-claims #gas-per-second #benchmarking #scalability
Dynamic thresholds and sentiment remain second-order inputs
<cite index="6-2,6-3">A comprehensive analysis of stablecoin depegging risk prediction focuses on the top four stablecoins in terms of daily trading volume: USDT, USDC, BUSD, and DAI, utilizing a novel approach by incorporating dynamic depegging thresholds based on trading volume and integrating sentiment indicators from news sources</cite>. Empirical work from January 2022 to December 2023 shows that <cite index="6-15,6-16">major cryptocurrency price and volume fluctuations significantly influence stablecoin depegging, and ML models indicate traditional on-chain data are key to predicting depegging while sentiment indicators are less impactful</cite>.
The dynamic threshold approach is an attempt to avoid false positives: a 50-basis-point deviation on low volume may not matter, but the same deviation on high volume signals genuine stress. <cite index="6-17">Stablecoin type affects depegging risk, with on-chain versus off-chain collateralized stablecoins showing different patterns</cite>. The study consolidates risk drivers into four categories: trading price and volume, market information, sentiment, and volatility.
The finding that sentiment indicators underperform on-chain data is worth noting. News and social signals may lag the market rather than lead it, or they may capture noise rather than signal. Either way, the result suggests that monitoring reserve composition, redemption flows, and collateral ratios matters more than parsing headlines. That does not mean sentiment is irrelevant—UST's collapse was partly a confidence crisis—but it does mean that by the time sentiment breaks, the structural pressure is already there.
Sources:
- https://www.sciencedirect.com/science/article/abs/pii/S0927538X24003925
#stablecoin-analysis #risk-measurement #methodology #machine-learning #depegging-prediction #on-chain-data #sentiment-analysis
Reserve architecture determines crisis response, not just peg
<cite index="7-1,7-2,7-4,7-5">A unified framework evaluates stablecoin stability and resilience during major market disruptions; it is the first to analyze all four reserve architectures—fiat-backed, crypto-backed, commodity-backed, and algorithmic—examining 20 stablecoins from January 2020 to October 2022, spanning the COVID-19 pandemic and the Russia–Ukraine conflict, using event-study abnormal returns, wavelet-based volatility analysis, and peg-deviation metrics</cite>. The study, published in Review of Derivatives Research, documents that reserve type matters more during crises than during calm periods.
<cite index="7-7">Commodity-backed stablecoins, particularly gold-linked tokens, generate strong positive abnormal returns during both crises, along with positive yet larger and persistent peg deviations, reflecting slower structural adjustment</cite>. That is: they hold value but do not hold the peg. Fiat-backed coins exhibit small, short-lived deviations. Crypto-backed coins show mixed results depending on collateral ratios and liquidation mechanisms. Algorithmic designs collapse when confidence breaks.
The wavelet analysis isolates shock persistence across timescales—hourly, daily, weekly—revealing that some designs absorb shocks quickly while others amplify them. The event-study abnormal returns capture immediate market reactions, and the peg-deviation metrics assess mechanical stability. Together, the three-pronged approach separates structural resilience from market sentiment, which matters when you are trying to distinguish a liquidity crunch from a design flaw.
Sources:
- https://link.springer.com/article/10.1007/s11147-026-09236-9
#stablecoin-analysis #reserve-design #stress-testing #methodology #event-study #wavelet-analysis #peg-deviation #risk-measurement
Stress tests need adversarial scenarios, not just shocks
<cite index="1-1,1-2">Stress tests under gradual and sudden shocks assess reserve quality, asset liquidity, creditworthiness, and custody for fiat-backed stablecoins</cite>, but this approach treats the environment as exogenous. A more recent line of work—focused on MakerDAO and collateral auctions—argues that the old models systematically omit extreme volatility regimes from their covariance estimates, producing reserve allocations that are optimal in expectation but catastrophic under adversarial stress.
<cite index="4-3,4-4">Multi-agent simulations deploy heterogeneous agents (traders, liquidity providers, attackers) that execute protocol actions under crisis scenarios, exposing reserve vulnerabilities before they manifest on-chain; at each rebalancing epoch, the system simulates adversarial trajectories, aggregates agent signals into trust-weighted risk estimates, adjusts portfolio covariance based on detected risk levels, and optimizes reserve allocations with turnover constraints</cite>. The approach, labeled MVF-Composer by its authors, claims a 57% reduction in attack success rate compared to baselines without trust mechanisms.
<cite index="4-1">The March 2020 Black Thursday collapse, wherein MakerDAO's collateral auctions yielded $8.3M in protocol losses and a 15% peg deviation, exposed a critical security gap</cite>. The adversarial simulation framework is an attempt to model coordinated attacks—not just market shocks—before they happen. Whether it works in production is an open question.
Sources:
- https://arxiv.org/pdf/2601.22168
- https://www.elliptic.co/blockchain-basics/stablecoin-2025-risk-assessment-guide
#stress-testing #methodology #adversarial-simulation #stablecoin-analysis #multi-agent-systems #reserve-optimization #risk-measurement
Quantile VAR separates anchors from amplifiers under stress
<cite index="9-1">Recent work from Cambridge and Peking uses Quantile Vector Autoregression (QVAR) to investigate systemic risk transmission across stablecoin markets</cite>, a method that matters because it does not assume risk behaves the same in the median as it does in the tails. <cite index="9-3">Fiat-backed stablecoins function as "stability anchors" with near-zero net spillovers across quantiles, while algorithmic and crypto-collateralized designs become risk amplifiers specifically under extreme market conditions</cite>. That design-dependent behavior shows up in three distinct crises: the UST collapse, SVB, and 2025 volatility spikes.
<cite index="9-6">The findings imply regulatory capital buffers for extreme losses should be 2–3× higher for non-fiat-backed stablecoins than median-based measures indicate</cite>. The paper also documents that <cite index="9-4">the theoretical risk isolation between fiat and crypto markets breaks down during stress: direct volatility channels emerge between the US Dollar Index and Bitcoin that bypass stablecoin intermediation</cite>. Forbes-Rigobon contagion tests—which adjust for the fact that volatility itself rises in a crisis—confirm heterogeneous transmission: algorithmic coins show residual contagion even after controlling for vol, while fiat-backed coins attract flight-to-quality flows.
The methodological advantage is clear. Mean-based VAR models collapse the distribution into a single expected path. QVAR estimates separate autoregressive dynamics at the 5th, 50th, and 95th percentiles, revealing that what holds a peg in calm markets may not hold when redemptions spike.
Sources:
- https://arxiv.org/pdf/2602.18820
- https://arxiv.org/html/2602.18820
#stablecoin-analysis #risk-measurement #methodology #quantile-var #tail-risk #reserve-design #contagion-testing
Network Methods Surface What Correlation Matrices Hide
<cite index="19-1,19-2,19-3,19-4">A general methodology for analyzing evolving correlation structures uses the q-dependent detrended cross-correlation coefficient; by extending traditional metrics, this approach captures correlations at varying fluctuation amplitudes and time scales, and employs q-dependent minimum spanning trees to visualize evolving network structures; using minute-by-minute exchange rate data for 140 cryptocurrencies from January 2021 to October 2024, a rolling window analysis reveals significant shifts in structures, notably around April 2022 during the Terra/Luna crash</cite>.
<cite index="19-5,19-6">Initially centralized around Bitcoin, the network later decentralized, with Ethereum and others gaining prominence; spectral analysis confirms BTC's declining dominance and increased diversification among assets</cite>. <cite index="23-1,23-2,23-3">Results from seven leading cryptocurrencies from 2015 to 2020 show that connectedness measures in the left and right tails are much higher than those in the mean and median of the conditional distribution; return connectedness strengthens with shock size for both positive and negative shocks, indicating that return shocks propagate more intensely during extreme events relative to calm periods, and this implies the need to move beyond mean-based connectedness measures</cite>. The infrastructure matters: minimum spanning trees and tail-dependence metrics tell you more about crash risk than Pearson coefficients calculated on daily returns.
Sources:
- https://arxiv.org/pdf/2509.18820
- https://www.sciencedirect.com/science/article/abs/pii/S0378437120303472
- https://arxiv.org/html/2509.18820
#correlation-dynamics #network-analysis #minimum-spanning-trees #tail-risk #detrended-correlation #crisis-transmission #methodology #portfolio-analysis
Covariance Estimation Separates Risk Parity from Noise
<cite index="8-3">Despite documented attributes of crypto assets—high volatility, heavy tails, excess kurtosis, and skewness—a simple extension of traditional risk allocation provides robust solutions for integrating these emerging assets into broader investment strategies</cite>. <cite index="8-8,8-9">The second way to estimate portfolio risk is to leverage a covariance matrix of the asset returns; the literature on covariance estimating in finance is vast, but probably the most popular method is to use an iterated covariance matrix</cite>. <cite index="8-7">Methods include the exponentially weighted moving average (EWMA), methods based on mean absolute deviation or the rolling median, as well as autoregressive conditional heteroskedasticity (ARCH) and generalized ARCH (GARCH) models</cite>.
<cite index="2-12,2-13">Modern Portfolio Theory (MPT) provides a robust framework for distributing asset weights by evaluating the variance and correlations among assets; this framework is effective not only for traditional asset classes but also for non-traditional ones, such as cryptocurrencies</cite>. <cite index="12-3,12-4,12-5">The DCC-GARCH model showed time-varying volatility with very low correlation between bitcoin and the FTSE, meaning both financial time series could not predict the returns of the other series, and only risk was connected with very low correlation; returns of both bitcoin and the FTSE are independent of each other even if risk was connected</cite>. The practical implication: correlation structure matters more than point estimates, and the methods you use to measure it determine whether you are building a portfolio or gambling on stationarity that is not there.
Sources:
- https://arxiv.org/html/2412.02654v1
- https://arxiv.org/html/2505.24831v1
- https://www.mdpi.com/2227-7072/13/4/197
#methodology #covariance-estimation #garch-models #modern-portfolio-theory #risk-modeling #ewma #dcc-garch #portfolio-analysis #correlation-dynamics
Small Allocations Test Well Until They Do Not
<cite index="3-14,3-15">Across correlation analysis, crisis scenarios, and portfolio backtests, modest crypto allocations have historically improved portfolio efficiency without meaningfully increasing risk; small sleeves of 1–3% delivered improved returns, higher Sharpe ratios, and limited drawdown impact when structured and rebalanced appropriately</cite>. <cite index="1-3">Grayscale Research analysis suggests that a traditional balanced portfolio may achieve higher risk-adjusted returns with a moderate allocation to crypto—perhaps ~5% of total financial assets</cite>. <cite index="11-3,11-4">At lower levels of volatility consistent with a traditional 60/40 portfolio (aggregate portfolio volatility levels of ~10%), bitcoin still enters into the portfolio at 2% in a conservative scenario, reflecting the fact that even under conservative assumptions, bitcoin's diversification benefits can counterbalance the high volatility</cite>.
The logic is straightforward: <cite index="17-1,17-2,17-3">Bitcoin and other crypto assets have delivered returns with a relatively low correlation to public equities; if Bitcoin had high returns but a high correlation to stocks, incorporating it might improve total returns but not risk-adjusted returns, but the fact that it has produced both high returns and low correlations means Bitcoin can benefit a portfolio through both higher returns and better diversification</cite>. But those correlations are not stable. <cite index="3-6,3-7">A rolling correlation chart tracking Bitcoin's relationship to both equities and gold shows that at times it trades like a growth asset; at others, it behaves defensively, and occasionally, decouples entirely</cite>.
Sources:
- https://www.21shares.com/en-eu/research/primer-crypto-assets-included-in-a-diversified-portfolio-q1-2025
- https://research.grayscale.com/reports/the-role-of-crypto-in-a-portfolio
- https://www.wisdomtree.com/investments/-/media/us-media-files/documents/resource-library/market-insights/gannatti-commentary/the-role-of-bitcoin-in-a-portfolio.pdf
#portfolio-construction #allocation-sizing #sharpe-ratio #risk-adjusted-returns #diversification #backtesting #60-40-portfolio #portfolio-analysis #correlation-dynamics #methodology
Rolling Windows Measure Instability, Not Diversification
<cite index="6-7">From 2019 to 2022, the S&P Cryptocurrency Broad Digital Market Index's correlation to the S&P 500 rose from 0.54 to 0.801</cite>, which tells you crypto is no longer what it was sold as. <cite index="15-5,15-6,15-7">Research shows a structural break in the covariance of bitcoin and traditional markets around the onset of Covid-19; those changes have persisted through several large market events, and bitcoin no longer obtains the same diversification benefits as were observed pre-pandemic</cite>.
The method matters. <cite index="5-1,5-2,5-3,5-4">Medium-term correlations, typically measured over thirty to ninety day periods, provide a more stable picture; ninety-day correlation captures enough data to smooth out short-term noise while remaining responsive to genuine shifts in market structure, and most professional traders rely primarily on ninety-day correlations when making strategic allocation decisions</cite>. <cite index="26-10,26-11">The matrix supports 30-day, 90-day, 1-year, and 3-year rolling correlation windows; shorter periods capture recent regime changes while longer periods reveal structural relationships between assets</cite>.
<cite index="27-1,27-3,27-4,27-5">A study using a 180-day rolling window applied to daily data from 2018 to 2025 found correlation following institutional milestones such as Bitcoin ETFs and MicroStrategy's inclusion in the Nasdaq 100, with correlations peaking at 0.87 in 2024</cite>. <cite index="5-10">The challenge in cryptocurrency markets is that correlation is not static but instead fluctuates dramatically based on market conditions</cite>, which is another way of saying the diversification case is not robust.
Sources:
- https://blogs.cfainstitute.org/investor/2022/11/16/how-do-cryptocurrencies-correlate-with-traditional-asset-classes/
- https://www.sciencedirect.com/science/article/abs/pii/S1544612324002009
- https://madeinark.org/correlation-analysis-between-crypto-assets-for-portfolio-hedging-a-complete-guide-to-building-resilient-portfolios/
- https://www.sharpe.ai/correlation
- https://arxiv.org/pdf/2501.09911
#portfolio-analysis #correlation-dynamics #methodology #rolling-window #time-series #diversification #structural-breaks
Mempool-based estimators beat history when the fee curve bends
<cite index="22-1,22-7,22-8">Mempool-based fee estimation analyzes the current state of unconfirmed transactions—examining fee rates recently added provides real-time insights into the current landscape</cite>. <cite index="22-10">For next-block confirmation, mempool-based estimators produce more optimal estimates because they react to short-term changes</cite>. <cite index="22-11,22-12">History-based estimation uses past transaction data to identify patterns, providing more stable and predictable estimates for flexible confirmation targets</cite>. Bitcoin Core relies on the latter.
<cite index="18-10,18-11,18-13,18-14">Practical mempool algorithms analyze current content, project which transactions would fill the next several blocks, determine the minimum fee rate to reach the target confirmation time, then add a buffer for incoming transactions</cite>. <cite index="19-3,19-4,19-5">Precision depends on the algorithm's ability to process dynamic network variables—accuracy reflects the data analyzed and the models predicting miner behavior</cite>. <cite index="25-4,25-5">Recent comparative work on Bitcoin shows traditional statistical approaches like SARIMAX outperform complex deep learning architectures, with Prophet also demonstrating strong cross-validation performance</cite>. Users want to avoid overpaying. Miners want the highest feerate per byte. The estimator is the translation layer between the two incentives.
Sources:
- https://strike.me/blog/blended-bitcoin-fee-estimations/
- https://www.mintlify.com/mempool/mempool/features/fee-estimation
- https://www.lightspark.com/glossary/fee-estimation-algorithm
- https://arxiv.org/html/2502.01029v1
#mempool #fee-estimation #bitcoin #methodology #user-experience #fee-markets
EIP-1559 turned auction chaos into a legible base fee
<cite index="10-2,10-3">Ethereum's first-price auction produced unpredictable fees and inefficiencies; EIP-1559 introduced a dynamically adaptive base fee that is burnt instead of paid to miners</cite>. <cite index="16-3,16-4">The base fee acts as a reserve price meant to match supply and demand—every transaction pays the block's base fee per unit of gas, and that payment is burnt rather than transferred to the miner</cite>. <cite index="16-5,16-6">Blocks can grow to double a target size (e.g., 25M gas max with 12.5M target), and the base fee adjusts after every block—larger-than-target blocks increase it, smaller ones decrease it</cite>.
The academic work on EIP-1559 centers on whether the mechanism self-stabilizes. <cite index="10-5,10-6,10-7">Analysis via game theory and dynamical systems provides bounds on the base-fee update step-size that ensure global convergence via Lyapunov arguments, while larger step-sizes can produce instability and formal Li-Yorke chaos</cite>. <cite index="3-1,3-5,3-7">A Markov chain model driven by relative block usage, estimated from empirical data via Gaussian Mixture Model and risk-neutral Monte Carlo simulations, captures observed fee volatility better than continuous-time models like Ornstein–Uhlenbeck</cite>. The burn mechanism and predictable adjustment are the infrastructure. The derivatives pricing is someone preparing to sell forwards on transaction costs.
Sources:
- https://arxiv.org/pdf/2102.10567
- https://www.sciencedirect.com/science/article/abs/pii/S1544612325009596
- https://arxiv.org/pdf/2012.00854
#eip-1559 #fee-markets #ethereum #base-fee #mechanism-design #game-theory #methodology #user-experience
Machine learning models race to predict unpredictable gas prices
<cite index="2-5,2-6,2-7">Sliding window approaches using 300-block samples show that GRU and LSTM models perform similarly, outperforming both Geth recommendations and Facebook Prophet forecasts</cite>. <cite index="5-5">A Direct-Recursive Hybrid LSTM achieves an average RMSE of 26.08 and R² of 0.54 over a 50-minute lookahead, compared to RMSE of 26.78 and R² of 0.452 in the best attention model</cite>.
<cite index="2-1,2-2">Gaussian process models can forecast the distribution of the lowest price in an upcoming block when transaction volumes spike, and a hybrid model combining GasStation-Express and Geth oracles provides superior estimates during volatility</cite>. More recent work on Ethereum data shows <cite index="5-2,5-3">wavelet threshold denoising and matrix profile data processing enhance attention-based models, though hardware constraints favor hybrid architectures</cite>.
The pattern here is familiar: models train on historical block and mempool data to generate short-term forecasts for users who want reasonable confidence their transaction will confirm without overpaying. <cite index="5-7,5-8">Forecasts over multiple lookaheads allow informed gas price selection and optimal submission windows, providing more insight than simple heuristics or single-horizon approaches</cite>. It matters when the network is volatile. It matters less when the mempool is empty.
Sources:
- https://www.mdpi.com/2227-7390/11/9/2212
- https://arxiv.org/pdf/2305.08105
#fee-markets #machine-learning #gas-price-oracles #ethereum #forecasting #user-experience #methodology
Mt. Gox as the origin story
<cite index="1-5,1-6,1-7">Jiasun Li of George Mason University and Arash Aloosh of NEOMA Business School published a paper in Management Science tracing the history of wash trading back to bitcoin's beginnings by analyzing internal trading data from Mt Gox, one of the first major bitcoin exchanges.</cite> <cite index="1-8">The Japan-based exchange's turbulent four-year tenure was plagued by cyberattacks and technical trouble; the dataset was among materials leaked by hackers following the exchange's collapse in 2014.</cite>
<cite index="1-11,1-12,1-13">For research purposes, the turning point came in 2011, when a cyberattack took the exchange down for a week, and wash trading popped up after that event—researchers speculate that insiders resorted to wash trading to juice the numbers and revive Mt Gox's flagging prospects.</cite> <cite index="1-14">Li and Aloosh discovered that within this period, there were more than 115,000 wash traded transactions involving almost 3,000 distinct trader IDs.</cite>
<cite index="7-4">Using the Mt. Gox dataset, researchers found that wash trading intensifies when legitimate trading volume is low and diminishes when it is high, indicating strategic timing to maximize impact in less liquid markets.</cite> The manipulation wasn't random. It was deliberate.
Sources:
- https://phys.org/news/2024-08-history-crypto-exchanges.html
- https://arxiv.org/pdf/2411.08720
#market-manipulation #mt-gox #wash-trading #exchange-history #data-quality #methodology
On-chain detection on decentralized exchanges
Decentralized exchanges give investigators a different advantage: transparency. <cite index="14-1,14-2,14-4,14-5">To perform wash trading, users can collude and trade only amongst themselves, giving the impression of buying and selling without taking real market risk, and the same effect can be achieved with a single user operating multiple accounts—since account creation on Ethereum is virtually cost-free and does not require identity information, this scenario is much more likely.</cite>
<cite index="9-2,9-3">On both EtherDelta and IDEX, more than 30% of all traded tokens have been subject to wash trading activity, and on EtherDelta, 10% of tokens have almost exclusively been wash traded.</cite> <cite index="16-6">Chainalysis identified a total of $2.57 billion in potential wash trading activity by adding totals from two heuristics.</cite>
<cite index="17-1,17-6,17-7">In order to detect trades that lead to no individual position change, researchers sum up trades in such a way that traded volumes are summed up per trading account, since a volume can be bought or sold.</cite> The transparency of on-chain data makes it possible to track position changes across multiple wallets, something impossible on centralized venues.
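The per-account netting described above, as an added example (not the cited researchers' code). It nets each account's buys and sells over one window, flags accounts that moved volume without changing position, and groups flagged accounts that trade with each other. The account names, amounts, `tolerance` and `min_gross` values are constructed assumptions.

```python
from collections import defaultdict

# Constructed trades for one token in one time window: (buyer, seller, amount).
TRADES = [
    ("acct_A", "acct_B", 100.0),
    ("acct_B", "acct_C", 100.0),
    ("acct_C", "acct_A", 100.0),
    ("acct_A", "acct_B", 40.0),
    ("acct_B", "acct_A", 40.0),
    ("acct_G", "acct_H", 60.0),
    ("acct_H", "acct_G", 60.0),
    ("acct_D", "acct_E", 55.0),
    ("acct_F", "acct_D", 20.0),
]


def net_and_gross(trades):
    """Per account: signed position change and total volume touched."""
    net, gross = defaultdict(float), defaultdict(float)
    for buyer, seller, amount in trades:
        net[buyer] += amount
        net[seller] -= amount
        gross[buyer] += amount
        gross[seller] += amount
    return net, gross


def flat_accounts(trades, tolerance=0.01, min_gross=50.0):
    """Accounts with meaningful volume whose net position barely moved."""
    net, gross = net_and_gross(trades)
    return {a for a in gross
            if gross[a] >= min_gross and abs(net[a]) <= tolerance * gross[a]}


def candidate_trades(trades, **kw):
    """Trades where BOTH sides ended the window flat.

    Requiring both sides keeps a market maker who ends flat after
    trading against position-taking accounts out of the candidate set.
    """
    flat = flat_accounts(trades, **kw)
    return [t for t in trades if t[0] in flat and t[1] in flat]


def clusters(trades, **kw):
    """Connected groups of flat accounts that trade with each other."""
    adj = defaultdict(set)
    for buyer, seller, _ in candidate_trades(trades, **kw):
        adj[buyer].add(seller)
        adj[seller].add(buyer)
    seen, out = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        stack, group = [start], set()
        while stack:
            node = stack.pop()
            if node in group:
                continue
            group.add(node)
            stack.extend(adj[node] - group)
        seen |= group
        out.append(sorted(group))
    return out


def wash_share(trades, **kw):
    """Fraction of window volume made up of candidate trades."""
    total = sum(t[2] for t in trades)
    suspect = sum(t[2] for t in candidate_trades(trades, **kw))
    return suspect / total if total else 0.0


if __name__ == "__main__":
    print("clusters:", clusters(TRADES))
    print(f"candidate share of volume: {wash_share(TRADES):.1%}")
```

A flagged cluster is a lead for review rather than a finding: window length and tolerance both change what nets to zero, so results should be compared across several window sizes.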
Sources:
- https://arxiv.org/pdf/2102.07001
- https://www.chainalysis.com/blog/crypto-market-manipulation-wash-trading-pump-and-dump-2025/
- https://berkeley-defi.github.io/assets/material/Detecting%20and%20Quantifying%20Wash%20Trading.pdf
#market-manipulation #data-quality #methodology #decentralized-exchanges #on-chain-analysis #chainalysis #etherdelta
Volume correlation and the buy-sell pattern test
<cite index="19-1">Another way to detect fake volume is to observe the correlation of the relative change in trading activity volume across exchanges.</cite> If an exchange's volume fluctuations do not correlate with the broader market, it suggests artificial inflation.
<cite index="19-3,19-4,19-5">In 2019, Bitwise conducted a comprehensive analysis claiming 95% of volume is fake, and inspired by Bitwise's methodology, firms created a series of tests for detecting and filtering out fake volume to arrive at a best-guess estimate called "Trusted Volume."</cite> <cite index="22-2">Through measuring exchanges based on volume correlation, web traffic analytics, and qualitative features, analysts attempted to clarify what crypto trading volume is legitimate.</cite>
<cite index="20-13,20-14">Legitimate market activity tends to heavily skew towards several consecutive buy or sell trades due to informed traders willing to cross the spread, while exchanges that have historically fabricated volume have an even distribution of buys and sells, resembling a random coin-toss.</cite> The method relies on the idea that real trading is driven by information asymmetry; wash trading is not. <cite index="21-8">Alameda Research found that around 68% of reported exchange volume was fake, different from Bitwise's 95%.</cite>
Sources:
- https://www.bitget.com/news/detail/12560603989837
- https://coincodecap.com/crypto-price-the-fake-trading-volume
- https://coinmetrics.substack.com/p/state-of-the-network-issue-257
- https://chainbulletin.com/report-68-of-crypto-exchanges-volume-is-fake-only-10-with-authentic-volume
#market-manipulation #data-quality #methodology #volume-correlation #trusted-volume #bitwise #alameda-research
Bitwise's 95% claim and the statistical tests that followed
<cite index="1-1">In 2019, Bitwise presented to the SEC that 95% of cryptocurrency exchanges were fake.</cite> The claim was based on wash trading—self-dealing that inflates volume without changing beneficial ownership. The presentation became a reference point for subsequent academic work.
<cite index="12-1,12-2">Researchers at Cornell and Tsinghua introduced systematic tests exploiting statistical patterns in trading to detect fake transactions on 29 cryptocurrency exchanges, finding that regulated exchanges featured patterns consistently observed in financial markets while unregulated exchanges revealed abnormal first-significant-digit distributions, size rounding, and transaction tail distributions.</cite> <cite index="12-3">They quantified wash trading on each unregulated exchange, which averaged over 70% of reported volume.</cite>
<cite index="13-10,13-11,13-12">Benford's Law analysis proved particularly effective—in naturally occurring transaction data, the first digit of trade sizes follows a predictable logarithmic distribution, with the digit 1 appearing 30.1% of the time, and research found that all regulated exchanges complied with Benford's Law while unregulated exchanges showed statistically significant departures.</cite> <cite index="20-13,20-14,20-15">Legitimate market activity tends to heavily skew towards several consecutive buy or sell trades due to informed traders willing to cross the spread, while exchanges that have historically fabricated volume show an even distribution of buys and sells, resembling a random coin-toss.</cite>
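The two statistical checks described above and in the volume-correlation note, as an added example (not code from Bitwise or the cited papers): a chi-square test of first digits against Benford's Law, and a Wald-Wolfowitz runs test, chosen here as one way to measure how coin-toss-like a buy/sell sequence is. The trade sizes, side sequences and 5% cut-offs are constructed assumptions.

```python
import math
from collections import Counter

# Benford's Law: P(first digit = d) = log10(1 + 1/d), so digit 1 appears 30.1% of the time.
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
CHI2_CRIT_DF8 = 15.507  # assumed cut-off: chi-square, 8 degrees of freedom, alpha = 0.05
Z_CRIT = 1.96           # assumed cut-off: two-sided 5% point of the standard normal


def first_digit(x):
    """First significant digit of a positive number, read from its shortest repr."""
    return int(next(c for c in repr(float(x)) if c in "123456789"))


def benford_chi2(sizes):
    """Pearson chi-square statistic of observed first digits against Benford's Law."""
    counts = Counter(first_digit(s) for s in sizes if s > 0)
    n = sum(counts.values())
    if n == 0:
        raise ValueError("no positive trade sizes")
    return sum((counts.get(d, 0) - n * p) ** 2 / (n * p) for d, p in BENFORD.items())


def runs_z(sides):
    """Wald-Wolfowitz runs test z-score for a sequence of 'B'/'S' trade sides.

    z near 0: indistinguishable from independent coin tosses.
    z strongly negative: fewer, longer runs than chance (streaks of buys or sells).
    """
    seq = [s for s in sides if s in ("B", "S")]
    n1, n2 = seq.count("B"), seq.count("S")
    if n1 == 0 or n2 == 0:
        raise ValueError("need both buys and sells")
    n = n1 + n2
    runs = 1 + sum(1 for a, b in zip(seq, seq[1:]) if a != b)
    mean = 2 * n1 * n2 / n + 1
    var = 2 * n1 * n2 * (2 * n1 * n2 - n) / (n * n * (n - 1))
    return (runs - mean) / math.sqrt(var)


def assess(sizes, sides):
    """Apply both checks to one venue's trade tape."""
    chi2 = benford_chi2(sizes)
    z = runs_z(sides)
    return {
        "benford_chi2": round(chi2, 2),
        "benford_departure": chi2 > CHI2_CRIT_DF8,  # first digits depart from Benford
        "runs_z": round(z, 2),
        "coin_toss_like": abs(z) < Z_CRIT,          # cannot tell sides from coin flips
    }


# Constructed tape A: sizes spread evenly on a log scale over three decades
# (which yields Benford-like first digits) and sides that arrive in streaks.
TAPE_A_SIZES = [10 ** (k / 300) for k in range(900)]
TAPE_A_SIDES = ("B" * 6 + "S" * 5 + "B" * 8 + "S" * 4 + "B" * 7 + "S" * 6) * 10

# Constructed tape B: sizes spread evenly between 100 and 999 (every first digit
# equally likely) and sides whose run lengths average two, as fair coin flips do.
TAPE_B_SIZES = list(range(100, 1000))
TAPE_B_SIDES = ("B" + "SS" + "B" + "SSS" + "B" + "SS" + "BBBB" + "SS") * 25

if __name__ == "__main__":
    print("tape A:", assess(TAPE_A_SIZES, TAPE_A_SIDES))
    print("tape B:", assess(TAPE_B_SIZES, TAPE_B_SIDES))
```

Neither check is conclusive on its own; a tape that fails both is a candidate for exclusion from a trusted-volume estimate, not proof of wash trading.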
Sources:
- https://phys.org/news/2024-08-history-crypto-exchanges.html
- https://arxiv.org/pdf/2108.10984
- https://cryptotracelabs.com/blog/what-are-wash-trading-patterns-and-how-do-investigators-detect-them/
- https://coinmetrics.substack.com/p/state-of-the-network-issue-257
#market-manipulation #data-quality #methodology #benford-law #statistical-analysis #bitwise #wash-trading #sec
Why regulators and investors care about decentralization metrics
<cite index="11-6,11-7">Prospective users or developers monitor centralization in block production because it increases the risk of attacks like double spending or censorship, and centralization of token ownership can increase the potential for market manipulation</cite>. <cite index="11-8,11-9">Regulators evaluate decentralization levels to treat blockchain-based assets and classify them as securities or commodities, and decentralization metrics can be used by a wide range of participants across the blockchain ecosystem to make quantitative assessments and comparisons of blockchain systems across different layers and over time</cite>.
<cite index="21-1,21-2">Early work by Balaji and Lee set the standard for quantifying decentralization with the Nakamoto coefficient, but the initial calculations and parameters need to be updated to account for the consensus rules of proof-of-stake networks and to focus on operational decentralization specifically</cite>. <cite index="21-3,21-4">Exogenous factors contribute to the concentration of stake as well as a network's ability to recover in the face of mass infrastructure failure, and new standards are needed for measuring validator and stake distribution across infrastructure components</cite>.
<cite index="22-12">Investors rely on the Nakamoto coefficient to gauge the risk of a network—blockchains with low coefficients are more centralized and vulnerable to disruptions, which can impact long-term reliability</cite>. The metric matters because it bridges the gap between the rhetoric of decentralization and the reality of control concentration.
Sources:
- https://arxiv.org/html/2501.18279v1
- https://messari.io/report/evaluating-validator-decentralization-geographic-and-infrastructure-distribution-in-proof-of-stake-networks
- https://www.ledger.com/academy/glossary/nakamoto-coefficient
#decentralization-metrics #regulatory-frameworks #securities-classification #investment-risk #nakamoto-coefficient #infrastructure-resilience #operational-decentralization #methodology #network-analysis
What the Nakamoto Coefficient reveals about real networks
<cite index="12-3">Empirical analysis across ten prominent blockchains reveals significant concentration of stake among a few validators, posing challenges to fair consensus</cite>. <cite index="18-4,18-5">Solana's Nakamoto coefficient is 31, representing the minimum number of validators required to compromise the network's consensus, commonly defined as 33.4% of voting power</cite>. <cite index="23-2">On Solana, no single validator controls more than 3.2% of the total stake</cite>.
The coefficient exposes risks. <cite index="2-11,2-12,2-13">When the Nakamoto coefficient is low, a few mining pools or validators may coordinate 51% attacks or delay transaction confirmations, a handful of nodes can selectively block transactions, undermining openness, and power concentration creates single points of failure where hacking, regulatory action, or technical failure could halt the entire network</cite>. <cite index="19-2,19-3,19-4">High concentration empowers a small group of dominant validators to blacklist specific wallet addresses and compromise the network's permissionless nature—if three massive institutional staking providers control 51% of voting power, they can collude to reject blocks containing transactions from sanctioned entities or competitors, destroying the promise of blockchain technology</cite>.
<cite index="24-5,24-6,24-7">The coefficient only gives a current snapshot showing the minimum number of entities needed to compromise the network at a given time, but blockchain networks are dynamic with participants switching roles, shifts in computing power or shares, and nodes coming and going, so the coefficient can quickly become obsolete</cite>.
Sources:
- https://arxiv.org/pdf/2504.14351
- https://cryptopotato.com/is-solana-really-decentralized-a-validator-health-report/
- https://www.helius.dev/blog/solana-decentralization-facts-and-figures
- https://www.gate.com/learn/articles/nakamoto-coefficient-a-key-metric-for-measuring-blockchain-decentralization/7888
- https://www.kucoin.com/blog/what-is-a-blockchain-validator-and-why-does-validator-concentration-matter-in-crypto-networks
- https://kriptomat.hr/en/what-is-nakamoto-coefficient/
#nakamoto-coefficient #network-analysis #validator-concentration #decentralization-metrics #security-risks #solana #empirical-data #attack-vectors #methodology
Beyond the Nakamoto Coefficient: other ways to measure concentration
<cite index="12-2">Researchers quantify decentralization in proof-of-stake blockchains using a comprehensive set of metrics including Nakamoto coefficients, Gini, Herfindahl-Hirschman Index (HHI), Shapley values, and Zipf's coefficient</cite>. <cite index="16-5,16-6">Alternative decentralization metrics include the Gini coefficient, Nakamoto coefficient, and Herfindahl-Hirschman Index (HHI), and researchers have made open-source Python utilities available on GitHub to compute these metrics</cite>.
<cite index="9-1,9-2">At the governance layer, researchers measure decentrality in terms of fairness, entropy, Gini coefficient, and Kullback–Leibler divergence, while in the network layer they use degree centrality, betweenness centrality, and closeness centrality</cite>. <cite index="13-1,13-2">Shannon entropy was adopted as a measurement metric to measure the degree of randomness and disorder of the distribution in blockchain systems</cite>. <cite index="16-2,16-3">Some researchers present an innovative index grounded in the transformation of Shannon entropy that offers insights into the decentralization spectrum across identified facets</cite>.
<cite index="11-11,11-12,11-13">Counting the number of entities controlling any amount of a resource provides a straightforward quantitative assessment, as a higher number of active participants generally indicates a more decentralized system, though this metric doesn't account for disparities in power among participants</cite>. The challenge: <cite index="14-1,14-2">easy-to-calculate quantitative metrics tend to crowd out more relevant but difficult-to-measure assessments, providing the illusion of measurability while not being meaningful</cite>.
Sources:
- https://digitalcommons.odu.edu/cgi/viewcontent.cgi?article=1051&context=vmasc_pubs
- https://arxiv.org/pdf/2101.10699
- https://arxiv.org/html/2501.18279v1
- https://arxiv.org/pdf/2504.14351
- https://arxiv.org/pdf/2205.04256
- https://consensys.io/research/measuring-blockchain-decentralization
#decentralization-metrics #gini-coefficient #herfindahl-hirschman-index #shannon-entropy #network-analysis #methodology #measurement-limitations
The Nakamoto Coefficient: a single number for a complicated question
<cite index="3-15,3-16">The Nakamoto Coefficient measures the minimum number of independent actors—validators, miners, or node operators—needed to collude and compromise a blockchain network, and was introduced in 2017 by Balaji Srinivasan, former Coinbase CTO</cite>. <cite index="1-8">The metric was originally proposed by Srinivasan and Leland Lee of Galaxy Digital in their 2017 article, "Quantifying Decentralization"</cite>. <cite index="1-9">Srinivasan and Lee used the Gini coefficient and Lorenz curve to develop a metric that could measure the extent of a system's decentralization, determine how modifications improve or reduce it, and design optimization algorithms</cite>.
The threshold matters. <cite index="17-4,17-5">For proof-of-stake blockchains, the coefficient reflects how many validators control at least 33% of the total stake or voting power, while for proof-of-work blockchains it measures how many miners control over 50% of the network's hash power</cite>. <cite index="21-9,21-10">In most PoS-based systems, when over 33.3% of stake is compromised, the network suffers instability and will typically halt, losing liveness and finality—though Ethereum maintains liveness up to 50% faulty validators</cite>.
The interpretation is simple. <cite index="2-1,2-2">A higher coefficient means power is more distributed and the network more decentralized, while a low coefficient suggests overly concentrated power and greater susceptibility to manipulation or attack</cite>. <cite index="22-7,22-8">In a network with a Nakamoto Coefficient of 10, ten different validators must collaborate to disrupt the blockchain; a coefficient of 100 means the network is more secure and decentralized</cite>.
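An added example (not the open-source utilities the sources mention) covering this note and the preceding one on alternative metrics: it computes the Nakamoto coefficient at the 33.4% and over-50% thresholds alongside HHI, Gini and an entropy-based effective entity count, first per validator and then grouped by operator and by hosting provider. The validator set, operator names and hosting labels are constructed.

```python
import math
from collections import defaultdict
from fractions import Fraction

# Constructed validator set: (validator, stake, operator, hosting provider).
VALIDATORS = [
    ("v01", 90, "opA", "cloud1"), ("v02", 85, "opA", "cloud1"),
    ("v03", 80, "opB", "cloud1"), ("v04", 75, "opB", "cloud2"),
    ("v05", 70, "opC", "cloud1"), ("v06", 65, "opC", "cloud2"),
    ("v07", 60, "opD", "cloud1"), ("v08", 55, "opE", "cloud2"),
    ("v09", 50, "opF", "cloud3"), ("v10", 45, "opG", "cloud1"),
    ("v11", 40, "opH", "cloud2"), ("v12", 35, "opI", "baremetal"),
]
COLUMN = {"validator": 0, "operator": 2, "host": 3}

POS_THRESHOLD = Fraction(334, 1000)  # 33.4% of voting power, reached or exceeded
POW_THRESHOLD = Fraction(1, 2)       # "over 50%" of hash power, so compared strictly


def stake_by(validators, level):
    """Total stake per entity at the chosen level of aggregation."""
    totals = defaultdict(int)
    for row in validators:
        totals[row[COLUMN[level]]] += row[1]
    return dict(totals)


def nakamoto_coefficient(stakes, threshold, strict=False):
    """Fewest entities, largest first, whose combined stake meets the threshold."""
    total = sum(stakes.values())
    target = threshold * total  # exact arithmetic: Fraction times int
    running = 0
    for count, stake in enumerate(sorted(stakes.values(), reverse=True), start=1):
        running += stake
        if running > target or (running == target and not strict):
            return count
    raise ValueError("threshold cannot be reached")


def hhi(stakes):
    """Herfindahl-Hirschman Index on shares in [0, 1]; 1.0 means a single holder."""
    total = sum(stakes.values())
    return sum((s / total) ** 2 for s in stakes.values())


def gini(stakes):
    """Gini coefficient; 0 means every entity holds the same stake."""
    xs = sorted(stakes.values())
    n, total = len(xs), sum(xs)
    weighted = sum(i * x for i, x in enumerate(xs, start=1))
    return 2 * weighted / (n * total) - (n + 1) / n


def effective_entities(stakes):
    """2 ** Shannon entropy: the number of equal-sized entities with the same entropy."""
    total = sum(stakes.values())
    entropy = -sum((s / total) * math.log2(s / total) for s in stakes.values() if s > 0)
    return 2 ** entropy


def report(validators=VALIDATORS):
    rows = {}
    for level in COLUMN:
        stakes = stake_by(validators, level)
        rows[level] = {
            "entities": len(stakes),
            "nakamoto_33_4": nakamoto_coefficient(stakes, POS_THRESHOLD),
            "nakamoto_over_50": nakamoto_coefficient(stakes, POW_THRESHOLD, strict=True),
            "hhi": round(hhi(stakes), 4),
            "gini": round(gini(stakes), 4),
            "effective": round(effective_entities(stakes), 2),
        }
    return rows


if __name__ == "__main__":
    for level, row in report().items():
        print(f"{level:10s} {row}")
```

On this constructed set the per-validator Gini looks benign while the 33.4% coefficient falls from 3 validators to 2 operators to a single hosting provider, which is the gap between counting entities and measuring who controls them.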
Sources:
- https://supra.com/academy/nakamoto-coefficient/
- https://www.gate.com/learn/articles/nakamoto-coefficient-a-key-metric-for-measuring-blockchain-decentralization/7888
- https://academy.suncrypto.in/nakamoto-coefficient/
- https://chainspect.app/dashboard/decentralization
- https://www.ledger.com/academy/glossary/nakamoto-coefficient
- https://messari.io/report/evaluating-validator-decentralization-geographic-and-infrastructure-distribution-in-proof-of-stake-networks
#nakamoto-coefficient #decentralization-metrics #balaji-srinivasan #quantifying-decentralization #gini-coefficient #lorenz-curve #consensus-thresholds #methodology #network-analysis
DVOL futures turned an index into something you can trade
<cite index="23-1,23-2">Prior to DVOL futures, the volatility index was just a measurement tool and not a tradable product; to gain volatility exposure, traders need derivatives such as futures, swaps or options, which transform the volatility index from a measurement tool into a tradable asset class</cite>. <cite index="23-13">On March 27, 2023, Deribit introduced the first BTC DVOL futures, which are derivatives based on its BTC volatility index</cite>.
<cite index="23-28,23-29,23-31">Unlike DVOL futures, vanilla options are not just about volatility; risks are typically broken down into Greeks including Delta, Gamma, Theta, Vega, Rho and higher orders, and without DVOL products, one would need to strip Vega risk out of vanilla options</cite>. <cite index="23-33">To achieve pure Vega, dynamic Delta hedging (DDH) is used</cite>. <cite index="27-2,27-4">When the contract expires, the expiration price is calculated as the 60-minute time-weighted average price (TWAP) of the Deribit volatility index (DVOL)</cite>.
<cite index="23-21,23-22,23-25">The value of DVOL futures depends on a volatility quantity, rather than a variance quantity; hedging requires two steps: hedging the variance, then adding a model-dependent convexity adjustment which is related to volatility of volatility</cite>. <cite index="23-38,23-41">DVOL futures represent an opportunity for traders to manage their positions and risks, benefit from market volatility, generate alpha, and diversify their portfolios; users can now better express their views on crypto volatility movements in a simpler and more precise fashion</cite>.
Sources:
- https://insights.deribit.com/industry/demystifying-dvol-futures/
- https://support.deribit.com/hc/en-us/articles/31424954825373-DVOL-Futures
#dvol-futures #deribit #volatility-trading #derivatives-analysis #vega-risk #variance-swap #methodology #crypto-derivatives #volatility-measurement
Estimating implied vol in crypto requires numerical root-finding
<cite index="9-1,9-2">The violation of constant volatility and the log-normality assumption of the Black–Scholes option pricing model led to the discovery of the volatility smile, smirk, or skew in options markets; these stylized facts are well documented in the option literature for almost all financial markets</cite>. <cite index="9-10,9-11">Researchers estimated the implied volatility of Bitcoin options using root-finding iterative techniques, specifically the Newton Raphson method (NRM) and Bisection method (BM); this was reportedly the first use of numerical approximation techniques to estimate implied volatility for the cryptocurrency derivatives market</cite>.
<cite index="9-4">The data sets for the study are based on short-dated Bitcoin options (14-day maturity) of two time periods traded on Deribit Bitcoin Futures and Options Exchange</cite>. <cite index="17-1,17-3,17-4">Some researchers leverage market regime (MR) clustering with the Implied Stochastic Volatility Model (ISVM), which can incorporate investor expectations in sentiment-driven periods by using implied volatility (IV) data, applying this integrated method to high-frequency data on BTC options at Deribit</cite>.
<cite index="14-1,14-3,14-4">Classical option pricing models like Black–Scholes and Heston struggle to address cryptocurrency dynamics due to their set of assumptions; a data-driven machine learning model can incorporate high-frequency volatility estimators into the input set, capturing the complex dynamics of cryptocurrency markets more effectively than classical pricing approaches</cite>. <cite index="11-9,11-10">Previous work on cryptocurrency volatility is predominantly concerned with historical volatility, while the literature on implied cryptocurrency volatility is scarce, a major factor being that liquid cryptocurrency volatility markets are a very recent development</cite>.
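An added sketch (not the cited study's code) of the two root-finders named above, applied to a Black-Scholes European call with a 14-day maturity: Newton-Raphson converges in a few steps when vega is healthy, and the wrapper falls back to bisection when a poor starting guess leaves vega numerically zero. The spot, strikes, zero interest rate and 80% volatility are constructed values.

```python
import math

SQRT_2PI = math.sqrt(2.0 * math.pi)


def norm_cdf(x):
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def norm_pdf(x):
    return math.exp(-0.5 * x * x) / SQRT_2PI


def _d1(S, K, T, r, sigma):
    return (math.log(S / K) + (r + 0.5 * sigma * sigma) * T) / (sigma * math.sqrt(T))


def bs_call(S, K, T, r, sigma):
    """Black-Scholes price of a European call."""
    d1 = _d1(S, K, T, r, sigma)
    d2 = d1 - sigma * math.sqrt(T)
    return S * norm_cdf(d1) - K * math.exp(-r * T) * norm_cdf(d2)


def bs_vega(S, K, T, r, sigma):
    """Derivative of the call price with respect to sigma."""
    return S * norm_pdf(_d1(S, K, T, r, sigma)) * math.sqrt(T)


def iv_newton(price, S, K, T, r, sigma0=1.0, tol=1e-8, max_iter=50):
    """Newton-Raphson on sigma. Returns (sigma, iterations), or None if it breaks down."""
    sigma = sigma0
    for i in range(1, max_iter + 1):
        diff = bs_call(S, K, T, r, sigma) - price
        if abs(diff) < tol:
            return sigma, i
        vega = bs_vega(S, K, T, r, sigma)
        if vega < 1e-10:   # flat price curve: the Newton step is undefined
            return None
        sigma -= diff / vega
        if sigma <= 0.0:   # stepped out of the valid domain
            return None
    return None


def iv_bisect(price, S, K, T, r, lo=1e-4, hi=10.0, tol=1e-10, max_iter=200):
    """Bisection on sigma: slower, but needs only that price increases with sigma."""
    if not bs_call(S, K, T, r, lo) <= price <= bs_call(S, K, T, r, hi):
        raise ValueError("price not reachable with lo <= sigma <= hi")
    for _ in range(max_iter):
        mid = 0.5 * (lo + hi)
        if bs_call(S, K, T, r, mid) < price:
            lo = mid
        else:
            hi = mid
        if hi - lo < tol:
            break
    return 0.5 * (lo + hi)


def implied_vol(price, S, K, T, r, sigma0=1.0):
    """Try Newton-Raphson first and fall back to bisection. Returns (sigma, method)."""
    result = iv_newton(price, S, K, T, r, sigma0=sigma0)
    if result is not None:
        return result[0], "newton"
    return iv_bisect(price, S, K, T, r), "bisection"


if __name__ == "__main__":
    S, T, r, true_sigma = 60000.0, 14 / 365, 0.0, 0.8   # constructed inputs
    for K, guess in ((60000.0, 1.0), (90000.0, 0.05)):
        price = bs_call(S, K, T, r, true_sigma)
        sigma, method = implied_vol(price, S, K, T, r, sigma0=guess)
        print(f"K={K:.0f} price={price:.2f} iv={sigma:.6f} via {method}")
```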
Sources:
- https://www.ncbi.nlm.nih.gov/pmc/articles/PMC8418903/
- https://arxiv.org/pdf/2208.12614
- https://www.sciencedirect.com/science/article/abs/pii/S1042443121001359
- https://pmc.ncbi.nlm.nih.gov/articles/PMC8326316/
#implied-volatility #black-scholes #options-pricing #methodology #numerical-methods #deribit #bitcoin-options #volatility-smile #derivatives-analysis #volatility-measurement
How Deribit calculates a single vol number from an options smile
<cite index="18-2,18-4,18-5">Deribit selects the 2 expiries closest to 30 days out on either side of the 30 days, then calculates the option price using the market depth of bids and asks; if the bid-ask spread is too wide, it falls back to using trade prices during the last minute and if that is not available, uses the mark price from 1 minute ago</cite>. <cite index="18-10,18-12">The exchange discards the ITM calls and puts and far OTM options with delta lower than 5%, then uses the variance swap methodology to calculate the variance for the near term and longer-term expiries, interpolating between the 2 expiries and taking the square root</cite>.
<cite index="18-13,18-14">DVOL.Raw is calculated every second; to filter noise and smooth the data, Deribit takes the exponential moving average (EMA) of the last 240 points to get the final value for the Volatility Index, DVOL</cite>. <cite index="26-1,26-6">The index is calculated based on the weighted average of out-of-the-money (OTM) BTC or ETH option prices, capturing the market's consensus on near-term future volatility</cite>.
<cite index="23-17,23-18">Since the DVOL index is heavily weighted on ATM volatilities, ATM options are optimal choices for replicating DVOL futures; however, when ATM options become ITM or OTM, the replication result will deviate</cite>. <cite index="12-3,12-4">Kaiko built a methodology specifically tailored for crypto markets, providing accurate, robust and stable implied volatilities for any crypto option strike and expiry, with IV derived from the option market price for all strikes and expiries</cite>. The challenge: <cite index="12-10,12-11">crypto options markets often have low trade volumes, missing quotes, and large bid/ask spreads, which makes determining a precise and sturdy measure difficult</cite>.
Sources:
- https://insights.deribit.com/exchange-updates/dvol-deribit-implied-volatility-index/
- https://docs.amberdata.io/docs/volatility-index
- https://insights.deribit.com/industry/demystifying-dvol-futures/
- https://www.kaiko.com/reports/implied-volatility-case-study
#dvol-index #deribit #volatility-calculation #methodology #variance-swap #options-pricing #derivatives-analysis #volatility-measurement
DVOL measures what traders expect, not what already happened
<cite index="3-2">The Deribit volatility (DVOL) index measures a 30-day forward-looking expected volatility (implied from options), not backward-looking realized volatility (computed from underlying price time series)</cite>. <cite index="2-1,2-8,2-9">Implied volatility is forward-looking and represents what traders expect to happen in the future; realized volatility is backward-looking and measures the actual, historical price swings that have already occurred</cite>.
The distinction matters because <cite index="23-34">Theta and Gamma PnL can only balance each other out when the implied volatility (IV) is equal to realized volatility (RV)</cite>, and <cite index="23-36">BTC IV and RV were divergent in the past week</cite> according to analysis from SignalPlus. <cite index="6-3">The relationship between BTC's implied volatility and realised volatility was consistent with the analogous relationship observed in derivatives markets on traditional assets, but was often slow to react to sharp changes in realised volatility, resulting in prolonged mismatches in vol levels</cite>. <cite index="7-1">Volatility arbitrage exploits dislocations between implied (term structure) and your forecast of realized volatility</cite>.
<cite index="3-3,3-4">The DVOL is expressed as an annualized volatility expectation; to get the expected daily move for BTC price, simply divide the DVOL value by 19 (the square root of 365)</cite>. <cite index="4-3">Unlike the majority of traditional markets, where large moves are associated with descending levels, Bitcoin options often have positive skew for both calls and puts since large price shifts can be expected on the upside as well as the downside</cite>.
Sources:
- https://insights.deribit.com/industry/demystifying-dvol-futures/
- https://www.coingecko.com/learn/implied-volatility-iv-crush-bitcoin-options
- https://insights.deribit.com/industry/bitcoin-volatility-revisited/
- https://insights.deribit.com/exchange-updates/dvol-deribit-implied-volatility-index/
- https://pandabull.io/iv_surfaces/deribit/BTC
#implied-volatility #realized-volatility #dvol-index #deribit #derivatives-analysis #volatility-measurement #methodology
Austrian economists reject the model on conceptual grounds
<cite index="14-4,14-5">The purpose of the Mises Institute critique is to focus on fundamental conceptual errors of the S2F models from the point of view of Misesian economics, arguing that one cannot simultaneously be a Misesian Austrian and put stock in any S2F model of asset pricing</cite>. <cite index="14-6">According to PlanB, "the hypothesis" of the S2F model is "that scarcity, as measured by stock-to-flow, directly drives value"</cite>—a claim that <cite index="12-1,12-3">Austrian economists argue is best critiqued from the perspective of Austrian Economics</cite>.
<cite index="17-3,17-4,17-5">The stock-to-flow model has been widely praised and is the leading valuation model for bitcoin proponents, achieving viral popularity and inspiring rags-to-riches dreams, but critics believe the model's accuracy will likely be about as successful at forecasting bitcoin's future price as astrological models of the past were at predicting financial outcomes</cite>. <cite index="17-6,17-7">Stanford Professor Paul Pfleiderer coined the term "chameleons" to describe models built upon dubious assumptions and given more credence than they deserve, and an initial evaluation of any model should begin with a critical look at the model's theoretical assumptions</cite>.
<cite index="4-10,4-12">The model tends to assume that an asset's valuation is high whenever its S2F ratio is high, yet this does not hold water—some assets and commodities have very low stock-to-flow ratios but are more valuable and more highly priced than comparable assets with a higher stock-to-flow</cite>. The Austrian critique is that value is subjective, determined by individual preferences and utility, not by objective scarcity ratios. Gold has value because humans decided it does, through millennia of social coordination. Bitcoin's supply schedule is an engineering choice. Whether that choice translates to value depends on adoption, network effects, liquidity, regulatory clarity, and a hundred other factors the model does not measure.
Sources:
- https://mises.org/mises-wire/critique-bitcoin-stock-flow-model
- https://mises.org/library/critique-bitcoin-stock-flow-model
- https://www.coindesk.com/markets/2020/06/30/why-the-stock-to-flow-bitcoin-valuation-model-is-wrong
- https://www.softwaretestinghelp.com/bitcoin-stock-to-flow-model-guide/
#stock-to-flow #austrian-economics #mises-institute #valuation-criticism #subjective-value-theory #contested-methods #economic-theory #valuation-metrics #supply-analysis
The debate hinges on whether scarcity alone drives value
<cite index="27-2">The hypothesis in PlanB's study is that scarcity, as measured by stock-to-flow, directly drives value</cite>. <cite index="27-11,27-12">PlanB's linear regression shows a statistically significant relationship between SF and market value (95% R², significance of F 2.3E-17), with the likelihood that the relationship is caused by chance close to zero</cite>. <cite index="16-3,16-4">Stock-to-flow relies on the assumption that scarcity should drive value, and according to critics, the model fails if Bitcoin doesn't have any other useful qualities other than supply scarcity</cite>.
<cite index="24-4,24-5">For now, stock-to-flow only proves that there is a correlation between increasing scarcity and strong performance; we can't yet say that it's the cause</cite>. <cite index="24-8,24-9,24-10">Even if scarcity is the key driver of bitcoin's returns, valuation models built on that insight need refinement—currently, they all have the same essential design flaw: they forecast a perpetually rising price, and future crypto research will have to eliminate this bias if stock-to-flow is ever going to have real merit</cite>. <cite index="20-11,20-12,20-13">One recurring critique is that since Bitcoin's supply schedule has been publicly known since launch, it must be 'priced in' according to the Efficient Market Hypothesis, though PlanB thinks markets are structurally overestimating risk, leaving room for the S2F model to be useful as a valuation tool</cite>.
<cite index="19-9,19-10,19-11">Skeptics argue that institutional demand now overshadows supply-side effects from halving events, though the model's core premise that scarcity drives value remains defended, especially as the 2024 halving reduced miner rewards by 50% and exchange reserves are at their lowest since 2018</cite>. The believers see scarcity as a floor. The skeptics see a model that worked during a speculative bull run and broke when the bull ran out. Both camps are arguing about a thirteen-year dataset with three halvings and one real institution-led cycle. Not enough signal yet.
Sources:
- https://medium.com/@100trillionUSD/modeling-bitcoins-value-with-scarcity-91fa0fc03e25
- https://academy.binance.com/en/articles/bitcoin-and-the-stock-to-flow-model
- https://www.morningstar.com/alternative-investments/what-is-bitcoins-scarcity-worth
- https://medium.com/swlh/modeling-value-based-on-scarcity-7fa7d754a58
- https://www.ainvest.com/news/bitcoin-scarcity-narrative-planb-model-suggests-10x-bull-case-2512/
#stock-to-flow #scarcity-valuation #efficient-market-hypothesis #correlation-causation #contested-methods #valuation-debate #supply-analysis #valuation-metrics
Critics say the model is a tautology that ignores demand
<cite index="15-1,15-2">The main criticism is that the model is too simplistic, considering only supply (stock and production) and ignoring demand</cite>. <cite index="11-14">Critics argue the framework focuses almost entirely on supply scarcity while largely ignoring demand drivers such as liquidity conditions, macroeconomic policy, regulatory developments, and institutional inflows like spot Bitcoin ETFs</cite>. <cite index="23-1,23-2">Some analysts argue the model fails to account for broader macroeconomic variables such as interest rates and liquidity, which play a significant role in asset valuation</cite>.
<cite index="13-1">The model has been called a misspecification with tautological logic and therefore statistically invalid, because "market value" decomposes to "Stock * Price" while "Stock / Flow" is on the other side of the equation</cite>. <cite index="13-4,13-5">PlanB has rebuffed valid criticism by restating the model with price using completely different parameters that avoid the tautology, but these alternative parameters are just arbitrary numbers he changes from time to time</cite>. <cite index="14-3">Technical criticisms have been levied at the different versions of the S2F model since their inceptions, and the models have come under increasing scrutiny in the current cryptocurrency bear market</cite>.
<cite index="10-7">ByteTree's Charlie Morris criticizes the model for not taking into account the actual usage and adoption of Bitcoin, which he believes is the network's intrinsic value</cite>. <cite index="10-4,10-5,10-6">Morris notes that miners once earned 50% of the market cap each year and accounted for 68% of all transaction value, but now earn 1.7% and account for 3.9%, indicating their economic footprint is diminishing</cite>. The model assumes production scarcity drives price. The chain processes billions in settlement weekly whether the block subsidy is 50 coins or 3.125 coins. That should tell you something about where the value comes from.
Sources:
- https://finst.com/en/learn/articles/what-is-the-stock-to-flow-model
- https://cointelegraph.com/news/a-researcher-debunks-stock-to-flow-model-likens-bitcoin-to-a-tech-stock
- https://finance.yahoo.com/news/bitcoin-price-500-000-famed-125218826.html
- https://bitcoinmagazine.com/markets/why-bitcoin-stock-to-flow-is-not-useful
- https://mises.org/mises-wire/critique-bitcoin-stock-flow-model
- https://www.ainvest.com/news/stock-flow-model-suggests-500k-bitcoin-cycle-average-debate-intensifies-2603/
#stock-to-flow #criticism #valuation-metrics #tautology #demand-side-economics #contested-methods #statistical-validity #supply-analysis
Stock-to-flow: a scarcity metric dressed up as a price oracle
<cite index="1-6,7-1">The stock-to-flow model—popularized by pseudonymous Dutch analyst PlanB in March 2019</cite>—<cite index="1-2,1-3">compares total supply (stock) with annual production (flow), where a high ratio signals scarcity</cite>. <cite index="14-1">The model claims that market capitalization is determined by the stock-to-flow ratio</cite>, and <cite index="2-11">uses the formula Price = 0.18 × (S/F)^3.3, which has historically shown a 95% correlation with Bitcoin's price movements</cite>. <cite index="6-13,6-14">The stock-to-flow doubles when Bitcoin's mining reward halves, which is why the model predicts price jumps a few months after halving events</cite>.
PlanB built the original time-series model on monthly data, then <cite index="1-7,1-8,1-9">developed an improved version called Stock-to-Flow Cross Asset (S2FX) that adds clusters representing different phases in Bitcoin's development, similar to gold and silver behavior over time</cite>. <cite index="23-4,23-5,23-6">The S2F model forecasts a $500,000 average price for Bitcoin in the 2024–2028 cycle and has historically aligned with major price rallies following halving events in 2012, 2016, and 2020</cite>. <cite index="4-8">But Bitcoin price predictions based on the stock-to-flow model have defied actual Bitcoin prices in 2024 by more than 500%</cite>.
The model borrows from commodity pricing, where scarcity matters. Bitcoin is not a commodity—it has no industrial use, no jewelry demand, no physical weight. It is a protocol with a fixed supply schedule that every participant can audit. The correlation PlanB observed may tell us something about how narrative cycles work. It does not tell us how much a coin should cost.
Sources:
- https://finst.com/en/learn/articles/what-is-the-stock-to-flow-model
- https://charts.bitcoin.com/s2f.html
- https://www.benzinga.com/money/bitcoin-stock-to-flow-model
- https://www.softwaretestinghelp.com/bitcoin-stock-to-flow-model-guide/
- https://medium.com/@100trillionUSD/bitcoin-stock-to-flow-cross-asset-model-50d260feed12
- https://www.ainvest.com/news/stock-flow-model-suggests-500k-bitcoin-cycle-average-debate-intensifies-2603/
#stock-to-flow #valuation-metrics #planb #scarcity-pricing #halving-events #contested-methods #supply-analysis
External factors matter more than the model admits
<cite index="3-3,3-4">Metcalfe's Law doesn't account for external factors like technological issues, regulatory challenges, or market sentiment. For instance, the value of a cryptocurrency could drop due to a security breach or negative news, even if its user base continues to grow</cite>. The n² relationship can't explain price crashes when active addresses remain stable or rising.
<cite index="18-1,18-2">Bitcoin's inherent volatility renders it susceptible to speculation-driven price fluctuations. Potential limitations of applying Metcalfe's Law to cryptocurrencies include oversimplifying network value, disregarding connection quality, and omitting external factors</cite>. <cite index="5-2,5-3">It may need to account for cutting-edge technologies with limited adoption or temporary price bubbles driven by speculation. Therefore, exercising caution and considering a broader context is essential when applying Metcalfe's Law to the complex realm of cryptocurrencies</cite>.
The quality of connections matters. <cite index="20-1,20-2">Metcalfe's Law assumes all user connections are equally valuable, which is often unrealistic, and doesn't account for network congestion or resource limitations that reduce usability</cite>. A network can add users while degrading per-user experience—something that happens routinely in crypto during fee spikes or congestion events. <cite index="16-13,16-14">It's important to adjust models for the peculiarities of cryptocurrencies. Factors like market sentiment, regulatory changes, and technological advancements can also significantly impact value</cite>, and none of those variables appear in the user-count-squared formula.
Sources:
- https://www.morpher.com/blog/metcalfes-law
- https://www.cryptopolitan.com/metcalfes-law-reliable-in-evaluating-crypto/
- https://tradedog.io/metcalfes-law-the-driving-force-behind-cryptocurrency-networks/
- https://blog.herond.org/understanding-what-is-metcalfe-law-and-why-does-it-matter/
#metcalfes-law #external-factors #market-sentiment #volatility #speculation #model-limitations #connection-quality #valuation-metrics #contested-methods #network-effects
Some practitioners use it anyway, usually with modifications
<cite index="1-3">Tom Lee of FundStrat claimed that as much as 94% of Bitcoin's valuation could be determined based on Metcalfe's Law alone</cite>. <cite index="1-4">Based on this idea, FundStrat predicted a U$ 8000 price for Bitcoin in October of 2017, basically hitting bullseye</cite>—though one correct call doesn't validate a method, especially in a bull market.
<cite index="11-2">Cryptocurrency analysts adapted this general valuation framework by computing each crypto asset's Network Value to Metcalfe (NVM) ratio, Network Value to Transactions (NVT) ratio, and a metric that combines the concepts used in the two prior ratios called Network Value/Transactions to Growth (NVTG) ratio</cite>. These are relative valuation tools, not absolute pricing models. <cite index="11-3">Higher ratios mean a cryptocurrency is overbought relative to other coins</cite>.
<cite index="4-7,4-8">To estimate whether current Bitcoin price is supported by activity on the network, practitioners have built robust upper and lower bounds for Bitcoin Network Value, based on a number of Daily Active Addresses (DAA), using different variations of Metcalfe's Law, defining bottom-up valuation of the Bitcoin network as a function of DAA</cite>. The law functions as a bounding condition rather than a formula. <cite index="11-5">Calculations suggest that the cryptocurrency market is still overvalued because the market capitalization is not justified by the number of active users or the daily on-chain transaction volume</cite>, at least according to one 2020 analysis that used these methods.
Sources:
- https://crypto.bi/metcalfe/
- https://cryptoresearch.report/crypto-research/the-network-effect-as-a-valuation-methodology/
- https://medium.com/cryptolab/network-value-to-metcalfe-nvm-ratio-fd59ca3add76
#metcalfes-law #valuation-methods #nvm-ratio #nvt-ratio #daily-active-addresses #relative-valuation #practitioner-adoption #valuation-metrics #contested-methods #network-effects
The method is still untested for companies, let alone crypto networks
<cite index="7-2,7-11">Using Metcalfe's law to estimate a network's value to a company is still relatively untested from an academic perspective</cite>. The framework was built for telecom systems, not businesses or speculative assets. <cite index="7-7,7-16">Trying to model bitcoin with this approach is more complicated</cite> than applying it to companies with revenue streams tied to user counts.
<cite index="10-7">Contrary to the usual implications of network effects, they do not serve to concentrate the cryptoasset market, nor do they accord any one cryptoasset a definitive competitive advantage, nor are they consistent enough to be reliable valuation tools</cite>. That finding comes from a paper that studied six cryptoassets from their inception. <cite index="21-2">Metcalfe's Law not only fails to support current valuations, but actually exposes their fragility</cite>, according to one recent critique.
The model assumes connections create compound value. In crypto, the opposite often happens at scale. <cite index="21-4,21-5,21-6">When Facebook added tens of millions of users, the experience never declined; this does alleviate congestion in crypto, but it does not solve the essence of the network effect problem. Increasing throughput only removes friction; it does not create compound value</cite>. <cite index="18-12">Various factors significantly influence the cryptocurrency market, including market sentiment, regulatory changes, macroeconomic trends, and technological advancements</cite>, none of which are captured by user counts or the square thereof.
Sources:
- https://www.morningstar.com/alternative-investments/what-is-bitcoins-network-worth
- https://arxiv.org/pdf/2101.06210
- https://www.bitget.com/news/detail/12560605084553
- https://www.cryptopolitan.com/metcalfes-law-reliable-in-evaluating-crypto/
#metcalfes-law #valuation-metrics #untested-methods #crypto-networks #market-structure #network-fragility #contested-methods #network-effects
Metcalfe's Law probably overestimates the thing it claims to measure
<cite index="4-1">Metcalfe's Law (Network Value ~ n²) probably overestimates network value</cite>, which is why some practitioners use it as an upper bound rather than a point estimate. <cite index="24-6,24-8">Several arguments suggest this rule is a significant overestimate, with the value of a general communication network of size n growing like n log(n)</cite> instead. <cite index="24-14,24-15">Metcalfe's law would hold if the value an individual personally gets from a network is directly proportional to the number of people in that network, but this doesn't seem to hold, there is some law of diminishing returns that applies</cite>.
The core problem: <cite index="6-7,6-8">Metcalfe's Law can oversimplify the complexities of network dynamics by assuming that all connections and users have equal value, which may not hold in real-world scenarios</cite>. <cite index="26-2,26-3,26-4">The biggest criticism targets its central assumption: that all connections in a network are equally valuable. In reality, they aren't. You might have 500 friends on a social platform, but you actively communicate with maybe 20 of them</cite>.
Andrew Odlyzko and colleagues proposed the n log(n) function because <cite index="19-3,19-12">Metcalfe's Law estimates a number of potential connections between users of the network, while, in fact, there are certain limitations to how many useful connections one user can have</cite>. <cite index="27-3,27-5">The incremental value of adding one person to a network of n people is approximately the nth harmonic number, so the total value of the network is approximately n * log(n), which does not grow as rapidly as Metcalfe's law and implies that many of the quantitative expectations based on Metcalfe's law were excessively optimistic</cite>.
Sources:
- https://medium.com/cryptolab/network-value-to-metcalfe-nvm-ratio-fd59ca3add76
- https://www-users.cse.umn.edu/~odlyzko/doc/metcalfe.pdf
- https://cryptorank.io/news/feed/4e2ec-metcalfes-law-reliable-in-evaluating-crypto
- https://scienceinsights.org/what-is-metcalfes-law-how-network-value-grows/
- https://en.wikipedia.org/wiki/Andrew_Odlyzko
#metcalfes-law #network-effects #valuation-critique #odlyzko #overestimation #diminishing-returns #valuation-metrics #contested-methods
Order flow heterogeneity and market-by-order data
<cite index="18-1,18-2,18-3">Traditional approaches to market microstructure analysis focus on aggregated trade data or summary statistics, but the emergence of market-by-order data—which captures every individual market order and its attributes—provides a more granular view, enabling a deeper understanding of how different participants add, cancel, and trade orders</cite>. <cite index="18-4">Its sheer volume and complexity pose significant challenges for analysis</cite>.
<cite index="17-8,17-9">AI-driven microstructure prediction requires exceptionally granular datasets capable of capturing every structural and behavioral signal—tick-level data comprising individual order placements, cancellations, trades, and quote revisions forms the foundation for all high-fidelity modeling, providing the temporal precision needed for both training and live inference</cite>. <cite index="19-1,19-3,19-4">A recent study of Polymarket used a continuous tick-level archive of the public WebSocket order book feed—30 billion events over 52 days—joined to the authoritative on-chain trade record, with 600 markets observed simultaneously and microstructure measures computed on the full event tape; neither authoritative on-chain trade direction nor a continuous off-chain order book archive at tick resolution had been brought to bear at that cross-sectional scale</cite>.
The methods work when the data exists. The problem is that most crypto venues do not publish order IDs, do not timestamp with sufficient precision, or cap the visible depth arbitrarily. Market-by-order analysis is the standard in equities. It is rare in crypto because the infrastructure does not support it.
Sources:
- https://arxiv.org/pdf/2504.20349
- https://www.computersciencejournals.com/ijccn/article/110/6-2-5-785.pdf
- https://arxiv.org/html/2604.24366v1
#market-microstructure #data-analysis #methodology #order-flow #market-by-order #tick-data #machine-learning
Tick-level replay and the sequencing problem in crypto
<cite index="6-3">Tick-level order book replay requires the full sequence of historical Level 2 or Level 3 updates—every ADD, SUB, MATCH, DELETE, and SET event</cite>. <cite index="4-1,4-2">Data providers offer reconciled, sequenced historical data designed for correct, repeatable order book reconstruction, with depth and update frequency defined by the data interface and venue capabilities, not by user configuration</cite>. <cite index="4-4">Some exchanges provide deep Level 2 or true Level 3 feeds; others cap depth at the source</cite>.
<cite index="6-6,6-7,6-8">A common misconception is that providers can deliver true tick-level Level 2 data for every exchange—in reality, the exchange determines the maximum resolution, and venues like Binance throttle their Level 2 depth stream at 100 milliseconds, so no provider can obtain updates faster than the exchange publishes them</cite>. <cite index="6-9,6-10">Flat files allow rebuilding the complete state of the order book at any moment by applying updates to the initial snapshot—this is the dataset used for backtesting, execution simulation, reinforcement learning environments, and microstructure research</cite>.
<cite index="3-4,3-5,3-6">Some exchanges impose limitations on reported data—Binance reported only the top 20 bids and asks until September 2019, and certain trading days are missing from datasets, likely due to suspended trading or unavailable data</cite>. The infrastructure matters: you cannot reconstruct what the exchange did not publish.
Sources:
- https://www.coinapi.io/blog/crypto-order-book-replay
- https://www.coinapi.io/blog/how-deep-is-crypto-order-book-data
- https://www.researchgate.net/publication/389425915_Order_Book_Liquidity_on_Crypto_Exchanges
#market-microstructure #data-analysis #methodology #order-book-reconstruction #exchange-data #tick-data #backtesting
LOBSTER and the generalized order-processing algorithm
<cite index="9-1,9-2">The rise of order-driven markets created challenges for researchers coping with extremely large amounts of data produced daily—LOBSTER was built to spare academic researchers the tedious task of technical pre-processing</cite>. <cite index="9-3,9-4,9-5">The reconstruction system is based on a generalized order-processing algorithm common to most order-driven markets, with efficient data structures that produce large datasets on the fly; it currently uses ITCH data from NASDAQ to replicate the limit order book for any NASDAQ-traded stock to any desired level</cite>.
<cite index="10-4,10-5">One study of German DAX stocks used message-level data to perform real-time order book reconstruction—starting with an initial state each day, researchers applied all order events to rebuild the book sequences for the remainder of the day, accounting for every event that changed the book</cite>. <cite index="11-6,11-7,11-8,11-9,11-10">The NASDAQ ITCH feed includes timestamp messages recording seconds after midnight, plus nanosecond offsets; messages contain order IDs, and for new orders, direction, size, ticker, and limit price—execution messages add executed size and a matching number</cite>.
This is the methodological baseline for equity microstructure work. The generalized algorithm can be adjusted to any order-driven market, but the quality of the reconstruction depends entirely on the quality and completeness of the feed. Crypto venues are order-driven; the data is often worse.
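The snapshot-plus-updates reconstruction described in this section and in the tick-level replay section above, as an added Python example (not code from CoinAPI, LOBSTER or any venue). The tuple layout, the `seq` field, the level-based (Level 2) book and the meaning given to ADD, SUB, MATCH, SET and DELETE are assumptions made for the illustration; the snapshot and events are constructed.

```python
from dataclasses import dataclass, field


class GapError(Exception):
    """The feed skipped a sequence number, so the rebuilt book cannot be trusted."""


@dataclass
class Book:
    bids: dict = field(default_factory=dict)  # price in integer ticks -> resting size
    asks: dict = field(default_factory=dict)
    last_seq: int = 0

    def top(self):
        """Best bid and best ask; None for an empty side."""
        return (max(self.bids) if self.bids else None,
                min(self.asks) if self.asks else None)


def apply_event(book, event):
    """Apply one update. Assumed semantics: ADD/SUB/MATCH are size deltas,
    SET is an absolute size, DELETE removes the level."""
    seq, kind, side, price, size = event
    if seq != book.last_seq + 1:
        raise GapError(f"expected seq {book.last_seq + 1}, got {seq}")
    levels = book.bids if side == "bid" else book.asks
    if kind == "ADD":
        levels[price] = levels.get(price, 0) + size
    elif kind in ("SUB", "MATCH"):
        remaining = levels.get(price, 0) - size
        if remaining < 0:
            raise ValueError(f"seq {seq}: removes more size than the level holds")
        if remaining:
            levels[price] = remaining
        else:
            levels.pop(price, None)
    elif kind == "SET":
        if size:
            levels[price] = size
        else:
            levels.pop(price, None)
    elif kind == "DELETE":
        levels.pop(price, None)
    else:
        raise ValueError(f"seq {seq}: unknown event type {kind!r}")
    book.last_seq = seq


def replay(snapshot, events, until_seq=None):
    """Rebuild the book as of until_seq (or the end of the tape) from a snapshot."""
    book = Book(dict(snapshot["bids"]), dict(snapshot["asks"]), snapshot["seq"])
    for event in events:
        if event[0] <= book.last_seq:
            continue  # already reflected in the snapshot or already applied
        if until_seq is not None and event[0] > until_seq:
            break
        apply_event(book, event)
        bid, ask = book.top()
        if bid is not None and ask is not None and bid >= ask:
            raise ValueError(f"seq {event[0]}: crossed book, the feed is incomplete")
    return book


# Constructed sample data (not from any exchange).
SNAPSHOT = {"seq": 100, "bids": {9990: 5, 9980: 7}, "asks": {10010: 4, 10020: 6}}
EVENTS = [
    (100, "ADD", "bid", 9990, 5),     # already in the snapshot, skipped
    (101, "ADD", "bid", 10000, 2),    # new best bid
    (102, "MATCH", "ask", 10010, 4),  # trade consumes the whole best ask level
    (103, "SUB", "bid", 9990, 3),     # partial cancel
    (104, "SET", "ask", 10015, 8),    # absolute size at a new level
    (105, "DELETE", "bid", 10000, 0), # level removed
]

if __name__ == "__main__":
    print(replay(SNAPSHOT, EVENTS, until_seq=102).top())
    print(replay(SNAPSHOT, EVENTS).top())
```

Dropping any single event from the tape makes `replay` raise `GapError` instead of returning a book that silently diverges from the venue's state.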
Sources:
- https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1977207
- https://www.researchgate.net/publication/228177898_Limit_Order_Books_and_Trade_Informativeness
- https://www.academia.edu/59471102/LOBSTER_Limit_Order_Book_Reconstruction_System
#market-microstructure #data-analysis #methodology #order-book-reconstruction #academic-tools #tick-data
When the trade file and the quote file do not agree
<cite index="8-6,8-7">Most datasets split order and trade information into separate files that are loosely coupled—meaning trades do not always have clearly identifiable corresponding records in the orders file, even though every trade should change the order book</cite>. <cite index="1-1,1-2">The problem appears when trades and quotes are recorded separately, as with the NYSE's Trade and Quote database—it is not directly identifiable whether a quote posted seconds before a transaction was still valid when the trade occurred</cite>.
<cite index="1-3,1-4,1-5">Cryptocurrency exchanges like Bitfinex split data across channels: a trades channel reports executed trades without order IDs, a raw book channel shows the top 100 bids and asks but does not report market orders at all</cite>. <cite index="1-6,1-7,1-8">When a limit order falls beyond the visible top 100, it is reported as deleted, then re-created if it returns—but what happens to it in between is unknown, since Bitfinex allows traders to modify price and volume</cite>. <cite index="1-9,1-10">Records in the trades and book channels are not synchronized, requiring substantial effort to reconstruct the true dynamics of order submission, matching, and execution</cite>.
<cite index="8-1,8-2">A matching procedure is required to distinguish market orders from cancellations just by observing limit order book changes—one procedure for French stocks reports an 85% matching rate and outputs trade direction as a byproduct</cite>. <cite index="8-3">Some datasets do not even provide information about trade direction; it must be deduced</cite>. The gap between what exchanges publish and what researchers need is a permanent feature of the data.
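A minimal version of such a matching procedure, added here as an illustration (not the procedure from the cited study or from any exchange): trades without order IDs are paired with observed reductions in the visible book by price, size and a time tolerance, and unmatched reductions are treated as cancellations. The record layouts, the exact-size rule and the 50 ms tolerance are assumptions; the data is constructed.

```python
def match_trades(decreases, trades, tol_ms=50):
    """Pair each trade with the closest unmatched book decrease.

    decreases: (ts_ms, side, price, size) reductions seen in the book channel
    trades:    (ts_ms, price, size) from the trades channel, no order IDs
    Returns (classified trades, inferred cancellations, matching rate).
    """
    unmatched = list(range(len(decreases)))
    classified, matched = [], 0
    for t_ts, t_price, t_size in trades:
        candidates = [
            i for i in unmatched
            if decreases[i][2] == t_price
            and decreases[i][3] == t_size
            and abs(decreases[i][0] - t_ts) <= tol_ms
        ]
        if candidates:
            best = min(candidates, key=lambda i: abs(decreases[i][0] - t_ts))
            unmatched.remove(best)
            matched += 1
            # Trade direction falls out as a byproduct: liquidity taken from
            # the ask side means the aggressor was a buyer, and vice versa.
            direction = "buy" if decreases[best][1] == "ask" else "sell"
        else:
            direction = None  # trade hit liquidity the book channel never showed
        classified.append((t_ts, t_price, t_size, direction))
    cancellations = [decreases[i] for i in unmatched]
    rate = matched / len(trades) if trades else 0.0
    return classified, cancellations, rate


# Constructed sample data.
DECREASES = [
    (1000, "ask", 10010, 3),
    (1005, "bid", 9990, 2),
    (1200, "ask", 10020, 5),  # no trade nearby: a cancellation
    (1500, "bid", 9980, 4),
]
TRADES = [
    (1002, 10010, 3),
    (1010, 9990, 2),
    (1498, 9980, 4),
    (2000, 10000, 1),  # no matching book change within tolerance
]

if __name__ == "__main__":
    for row in match_trades(DECREASES, TRADES)[0]:
        print(row)
```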
Sources:
- https://petr-fedorov.github.io/oberon/
#market-microstructure #data-quality #methodology #exchange-data #order-matching #trade-reconstruction #data-analysis
Industry audit standards: scoping, documentation, structured review
<cite index="17-1,17-2">First comes scoping, where auditors define which contracts, commits, dependencies, and assumptions are in scope. Second comes review and testing, where static analysis, manual review, fuzzing, and invariant checks are combined.</cite> <cite index="17-7">The most effective audits combine manual review, static analysis, fuzzing, invariant testing, and structured control mapping.</cite>
<cite index="18-10,18-11">A smart contract audit can only occur with a deep understanding of the project's details. So, the first step of auditing a smart contract involves studying the project by consulting the client and gathering specifications.</cite> <cite index="21-4,21-5">Good documentation is essential for a successful audit as it enables auditors to quickly onboard the project and have a reliable reference when needed. Clear and concise documentation not only helps with the audit process but also allows the wider community to understand and engage with the project.</cite>
<cite index="17-3,17-4">This process works best when developers are transparent. Hidden admin paths, undocumented upgrade rights, and incomplete technical specifications reduce audit quality because they force reviewers to infer design intent.</cite> <cite index="18-2">Auditors examine the code line-by-line to find whether the smart contract presents any unanticipated behavior or security vulnerabilities like re-entrance, denial of service, overflows, time manipulation, front running, logical flaws, and malicious libraries.</cite>
<cite index="17-6">Smart contract auditing is moving from a reputation-driven craft toward a standards-based security discipline.</cite>
Sources:
- https://medium.com/@baflinkedin000/smart-contract-auditing-explained-techniques-tools-and-industry-standards-5b5758e3f701
- https://financialcrimeacademy.org/smart-contracts-auditing-process/
- https://quantstamp.com/audit-readiness-guide
#audit-methodology #smart-contracts #security-analysis #documentation #scoping #industry-standards #manual-review #methodology
Trail of Bits toolchain: Slither, Echidna, Manticore do different work
<cite index="24-6,24-7,24-8">Slither is a Solidity & Vyper static analysis framework written in Python3. It runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. Slither enables developers to find vulnerabilities, enhance their code comprehension, and quickly prototype custom analyses.</cite> <cite index="28-8,28-9">Slither analyzes contracts within seconds. However, static analysis might lead to false alarms and is less suitable for complex checks (e.g., arithmetic checks).</cite>
<cite index="26-11,26-12,26-17">Echidna uses a style of fuzzing called property-based fuzzing. Instead of looking for crashes like a traditional fuzzer, Echidna tries to break user-defined invariants (properties). Once these invariants are defined, Echidna tries to falsify these invariants by generating random sequences of calls to the contract.</cite> <cite index="28-3,28-4,28-5">The code is executed with a pseudo-random generation of transactions. The fuzzer attempts to find a sequence of transactions that violates a given property.</cite>
<cite index="27-2,27-5">Manticore is an open-source symbolic execution tool for analysis of Ethereum smart contracts and binaries created by Trail of Bits.</cite> <cite index="28-6,28-7">This formal verification technique translates each execution path into a mathematical formula on which constraints can be checked.</cite> <cite index="28-21,28-22,28-23">Manticore performs the "heaviest weight" analysis. Like Echidna, Manticore verifies user-provided properties. It will need more time to run, but it can prove the validity of a property and will not report false alarms.</cite>
<cite index="29-2,29-3">Echidna and Manticore share the same format for specifying property tests. In other words, smart contract authors can now write one property test and have it tested with fuzzing and verified by symbolic execution.</cite>
Sources:
- https://trailofbits.com/opensource/
- https://0xmacro.com/blog/fuzzing-with-echidna/
- https://arxiv.org/pdf/1908.09878
- https://secure-contracts.com/program-analysis/
- https://blog.trailofbits.com/2020/07/12/new-manticore-verifier-for-smart-contracts/
#trail-of-bits #slither #echidna #manticore #static-analysis #fuzzing #symbolic-execution #security-tools #security-analysis #smart-contracts #methodology
Formal verification proves correctness; testing proves presence of bugs
<cite index="8-5,8-6,8-7">Formal verification is the process of proving the correctness of a system or program using mathematical methods. Formal verification uses formal methods, which are mathematical techniques for specifying, designing, and verifying systems. Formal verification techniques can prove that a program satisfies a given specification, or detect errors or violations of the specification.</cite>
<cite index="10-4,10-5">Traditional testing methods like unit tests and fuzzing are essential, but testing can only show the presence of bugs, not their absence.</cite> <cite index="10-17,10-18">Formal verification takes a different approach. Instead of checking a large number of specific states, it analyzes the entire set of all possible states the contract could ever enter.</cite>
<cite index="11-1,11-5">The purpose of formal verification is to determine if a smart contract possesses properties (invariants) and that these properties are not violated during execution.</cite> <cite index="11-10,11-14">Model checking in formal verification evaluates temporal properties that describe the behavior of a contract over time. Model checking uses state space exploration, which involves constructing all possible states of a smart contract and attempting to find reachable states that result in property violations.</cite>
This is borrowed infrastructure. <cite index="10-8">Formal verification is a technique borrowed from aerospace and safety-critical systems engineering.</cite> It is expensive. <cite index="13-3,13-4">Given the time, expertise, and computational resources needed, teams must weigh the costs of formal verification against the criticality of the smart contract. For smaller or less complex contracts, the investment may not always be justifiable.</cite>
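The difference between the property-based fuzzing described in the toolchain section above and the state space exploration described here, as an added Python example on a constructed toy token model (not Echidna, Manticore or any audited contract). The two-user model, the deposit cap and the self-transfer defect are assumptions chosen so the state space is finite; the explorer is a bounded explicit-state search, not symbolic execution.

```python
import random
from collections import deque

USERS, AMOUNTS, CAP = (0, 1), (1, 2), 4  # constructed toy parameters
INIT = ((0, 0), 0)                       # state = (balance per user, totalSupply)

class Revert(Exception):
    """A reverted call leaves the state unchanged."""

def deposit(state, user, amt):
    bal, total = state
    if total + amt > CAP:                # the cap keeps the state space finite
        raise Revert
    new = list(bal)
    new[user] += amt
    return tuple(new), total + amt

def withdraw(state, user, amt):
    bal, total = state
    if bal[user] < amt:
        raise Revert
    new = list(bal)
    new[user] -= amt
    return tuple(new), total - amt

def transfer_buggy(state, src, dst, amt):
    bal, total = state
    if bal[src] < amt:
        raise Revert
    debited, credited = bal[src] - amt, bal[dst] + amt  # both read before any write
    new = list(bal)
    new[src] = debited
    new[dst] = credited                  # src == dst: overwrites the debit, minting amt
    return tuple(new), total

def transfer_fixed(state, src, dst, amt):
    bal, total = state
    if bal[src] < amt:
        raise Revert
    new = list(bal)
    new[src] -= amt                      # in-place updates stay correct when src == dst
    new[dst] += amt
    return tuple(new), total

BUGGY = {"deposit": deposit, "withdraw": withdraw, "transfer": transfer_buggy}
FIXED = {"deposit": deposit, "withdraw": withdraw, "transfer": transfer_fixed}
CALLS = ([("deposit", (u, a)) for u in USERS for a in AMOUNTS]
         + [("withdraw", (u, a)) for u in USERS for a in AMOUNTS]
         + [("transfer", (s, d, a)) for s in USERS for d in USERS for a in AMOUNTS])

def invariant(state):
    """User-defined property: balances always sum to totalSupply."""
    bal, total = state
    return sum(bal) == total

def step(contract, state, call):
    name, args = call
    try:
        return contract[name](state, *args)
    except Revert:
        return state

def replay(contract, calls):
    state = INIT
    for call in calls:
        state = step(contract, state, call)
    return state

def fuzz(contract, runs=2000, depth=10, seed=1):
    """Random call sequences; returns a violating sequence or None.
    None only means no violation was sampled, not that none exists."""
    rng = random.Random(seed)
    for _ in range(runs):
        state, trace = INIT, []
        for _ in range(depth):
            call = rng.choice(CALLS)
            trace.append(call)
            state = step(contract, state, call)
            if not invariant(state):
                return trace
    return None

def model_check(contract):
    """Breadth-first search over every reachable state of the bounded model.
    Returns (shortest counterexample or None, number of states visited)."""
    seen, queue = {INIT}, deque([(INIT, [])])
    while queue:
        state, trace = queue.popleft()
        for call in CALLS:
            nxt = step(contract, state, call)
            if not invariant(nxt):
                return trace + [call], len(seen)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [call]))
    return None, len(seen)
```

On the fixed model, `fuzz` returning `None` is only absence of evidence, while `model_check` returning `None` after visiting all 15 reachable states is a proof that the invariant holds within these bounds.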
Sources:
- https://medium.com/coinmonks/solidity-security-practices-part-iv-formal-verification-7115b8b6a312
- https://hashtagweb3.com/how-formal-verification-improves-smart-contract-security
- https://ethereum.org/developers/docs/smart-contracts/formal-verification/
- https://hashlock.com/blog/what-is-formal-verification-in-smart-contract-auditing
#formal-verification #methodology #smart-contracts #security-analysis #model-checking #symbolic-execution #correctness-proofs
Trail of Bits layered audit process: automated, manual, symbolic
<cite index="1-3">Trail of Bits applies a comprehensive suite of tools to quickly and automatically uncover bugs, conducts review of the system architecture for design flaws and performs a detailed manual code review, as well as build custom tooling for difficult-to-analyze project components.</cite> <cite index="2-6">The team performs static and dynamic testing of the target system, using automated and manual processes.</cite>
The firm has published aggregate data across audits. <cite index="4-2">Trail of Bits categorized all 246 smart-contract related findings from public audit reports, in some cases correcting the original audit categorization for consistency, and considered the potential for both static and dynamic analysis tools to detect each finding.</cite> <cite index="4-10">About 78% of the most important flaws (those with severe consequences that are also easy to exploit) could probably be detected using automated static or dynamic analysis tools.</cite>
<cite index="5-1,5-12">Auditing work involves both automated scanning (with tools like Slither) and manual review to identify vulnerabilities in the codebase, such as front-running and reentrancy attacks.</cite> The combination matters. Manual inspection catches design-level issues and context-specific logic errors. Automation catches common patterns at speed. <cite index="1-5">The team prepares a final report and delivers a list of identified security properties and code to informally or formally verify them with static analysis, fuzzing, or symbolic execution.</cite>
Sources:
- https://www.smartcontractaudits.com/audit-provider/trail-of-bits
- https://www.atlendis.io/blog/Atlendis-V2-Trail-of-Bits-Audit
- https://blog.trailofbits.com/2019/08/08/246-findings-from-our-smart-contract-audits-an-executive-summary/
- https://blog.trailofbits.com/2025/07/23/inside-ethcc8-becoming-a-smart-contract-auditor/
#audit-methodology #trail-of-bits #security-analysis #smart-contracts #static-analysis #dynamic-testing #automation #methodology
TVL as price-sensitive hype metric, not capital deployment
TVL is denominated in dollars, which makes it price-sensitive in ways that distort what it's supposed to measure. <cite index="8-26">If ETH or BTC prices drop sharply, TVL can fall even if no one withdraws their assets.</cite> That was visible in 2021: <cite index="8-28">In May 2021, Ethereum's TVL dropped from ~$85B to ~$52B in a matter of days—not because of mass withdrawals, but because ETH's price fell by over 40%.</cite> The metric conflates token appreciation with capital inflows.
The UCL paper formalizes the instability: <cite index="14-10">A 25% decline in the price of Ether (ETH) leads to a $1 billion greater non-linear decrease in TVL compared to TVR.</cite> TVR—which excludes derivatives—is more stable because it doesn't amplify price moves through leverage and recursive staking. <cite index="10-7,10-8">The formalization reveals that TVL is highly sensitive to price shocks such as ETH price decline. This sensitivity arises from the endogeneity of the derivative token price and the quantity of derivative tokens staked in protocols for loanable funds (PLF).</cite>
TVL rose in the bull market and fell in the bear market, which makes it a lagging price indicator masquerading as a usage metric. <cite index="8-29,8-30">A protocol can have billions in TVL but still be unprofitable or unsustainable. TVL tells you how many assets are in the system but not how efficiently it's being used or whether the protocol generates revenue.</cite> The number the market watches most closely is the one that tracks price, not adoption.
Sources:
- https://www.myetherwallet.com/blog/what-is-tvl-total-value-locked/
- https://arxiv.org/pdf/2404.11745
- https://fc25.ifca.ai/preproceedings/94.pdf
#defi-metrics #tvl #price-sensitivity #methodology #measurement-problems #market-cap-vs-tvl #contested-methods
How aggregators decide what counts and what doesn't
DeFi Pulse and DefiLlama are the two aggregators the industry uses to track TVL. Their methodologies differ. <cite index="3-9">To ensure global TVL is not inflated, DeFi Pulse must exclude derivative assets that count towards one protocol's TVL if the underlying assets behind those derivatives also count towards another protocol's TVL.</cite> That means <cite index="3-10">DeFi Pulse automatically identifies three types of derivative assets that are excluded from global TVL calculations: Debt tokens, where the collateral assets count towards a lending platform's TVL · LP tokens, where the underlying assets count towards a DEX's TVL ·</cite>
DefiLlama used to count everything, then toggled it off by default in 2022 after a Solana developer gamed the metric. <cite index="17-5">Blockchain TVLs on DeFiLlama appeared lower by default Friday: Solana's peak TVL from November 2021 displayed $12 billion; before the toggle change, it defaulted to $15 billion.</cite> The difference wasn't a calculation error—it was a methodological choice about whether to count wrapped and derivative tokens.
<cite index="3-6">Any addresses that do not meet this criterion – such as those used to hold staked or locked assets that do not generate economic interest – are removed.</cite> There is no standard. Each aggregator draws the line somewhere different. The number you see depends on who publishes it.
Sources:
- https://docs.defipulse.com/methodology/tvl
- https://www.coindesk.com/business/2022/08/05/data-provider-defillama-de-emphasizes-double-counted-crypto-deposits-after-saber-revelation/
#defi-metrics #tvl #defillama #defi-pulse #methodology #contested-methods #aggregators #data-providers
BIS finds 46% of published TVL figures can't be verified on-chain
The Bank for International Settlements published a working paper in May 2025 that tested whether you can actually verify the TVL numbers the industry publishes. <cite index="1-12">In practice, its calculation on major TVL aggregators relies on self-reports from community members and lacks standardization, making it difficult to verify published figures independently.</cite> The researchers built verifiable TVL (vTVL)—a version that uses only standard on-chain balance queries and no off-chain inputs.
<cite index="1-18">A case study on 400 protocols shows that our estimations align with published figures for 46.5% of protocols.</cite> For the other half, the numbers don't match. <cite index="4-13">We find that 10.5% of the protocols rely on external servers; 68 methods alternative to standard balance queries exist, although their use decreased over time; and 240 equal balance queries are repeated on multiple protocols.</cite>
The paper is careful not to allege fraud—it documents opacity. The issue is that <cite index="1-6">inconsistent methodologies across different aggregators can lead to large discrepancies in the reported figures.</cite> If blockchain data is public and TVL is supposed to measure on-chain capital, the fact that published figures require trust in aggregators' custom methods undermines the premise. The infrastructure produces the number the market trades on; the number can't be independently reconstructed half the time.
Sources:
- https://www.bis.org/publ/work1268.htm
- https://www.bis.org/publ/work1268.pdf
#defi-metrics #tvl #verifiable-tvl #bis-research #methodology #data-transparency #measurement-problems #on-chain-data #contested-methods
The double-counting problem that inflates TVL by billions
<cite index="1-5">TVL calculations are not standardised and in some instances rely on self-reported off-chain data, opening the door to manipulation.</cite> The bigger problem is structural. <cite index="12-2,12-3">The present methodologies of computing TVL in the DeFi domain grapple with a challenge known as "double counting," the problem whereby the value of certain underlying cumulative crypto assets locked in DeFi</cite> gets counted more than once across the stack.
A 2024 academic paper from UCL formalizes this: <cite index="14-8">During the peak of DeFi activity on December 2, 2021, the difference between TVL and TVR was $139.87 billion, with a TVL-to-TVR ratio of about 2.</cite> Total Value Redeemable (TVR) strips out the derivative instruments—LP tokens deposited as collateral, staked ETH wrapped into receipt tokens and re-deposited, bridge-wrapped assets counted on both sides. <cite index="15-8">Aggregate DeFi TVL figures can overstate the actual amount of unique capital in the ecosystem by 30-50%.</cite>
<cite index="16-16">When DefiLlama stopped double-counting tokens in 2022, the TVL of some blockchains subsequently dropped by over a billion dollars.</cite> The methodology matters because the number drives deal flow, exchange listings, and protocol valuations. When half the reported value is the same dollar counted twice, the asset class looks twice as large as it is.
Sources:
- https://www.bis.org/publ/work1268.htm
- https://arxiv.org/html/2404.11745v2
- https://coinstancy.com/academy/guides/what-is-tvl-in-crypto/
- https://www.dlnews.com/articles/llama-u/how-to-track-total-value-locked-on-defillama/
#defi-metrics #tvl #double-counting #methodology #total-value-redeemable #measurement-problems #data-quality #contested-methods
Transaction ordering as a private sealed-bid auction
<cite index="2-1">Flashbots provides a private transaction pool (mev-relay) and a sealed-bid blockspace auction mechanism (mev-geth), enabling miners to outsource optimal block construction</cite>. <cite index="5-1,5-7">Maximal Extractable Value is the total value that can be extracted from re-ordering, insertion, or censorship of transactions within a timeframe that may span multiple blocks</cite>. <cite index="1-9">Of the bundles in the Flashbots system, 90.5% or nearly 3 million were flashbots bundles—sandwiches, arbitrage, liquidations, and other order-dependent trades</cite>.
<cite index="1-7">Out of 32,819 liquidations collected, 28% were performed using Flashbots and 5% using flash loans</cite>. <cite index="4-13,4-14">In all months, more searchers submitted non-MEV transactions than MEV transactions—at least two orders of magnitude more—and each MEV type saw gradual increase through August 2021 before leveling out</cite>. <cite index="16-1,16-2">Flashbots billed itself as a system to assist those without resources to engineer their own MEV involvement, but it does not protect low-resource searchers from losses on unprofitable transactions, which does not support the goal of democratizing MEV extraction</cite>. The auction moved ordering power from miners to searchers but left questions about whether it reduced user harm or just redistributed rent.
Sources:
- https://whitestork.me/blog/18/Unraveling-the-Complex-World-of-Maximal-Extractable-Value-(MEV)-And-FlashBots
- https://arxiv.org/pdf/2206.04185
- https://godigital.engineering.columbia.edu/sites/default/files/content/slides_flashbots.pdf
#flashbots #mev-geth #blockspace-auction #proposer-builder-separation #transaction-ordering #mev-analysis #protocol-economics #methodology

How mev-inspect-py crawls liquidations and arbitrage on-chain
<cite index="10-3,10-4">Flashbots built mev-inspect-py, an open-source tool to detect MEV transactions from collected blockchain data</cite>, and <cite index="10-5">it finds miner payments, token transfers, swaps, and arbitrages</cite>. <cite index="1-1,1-2">The liquidation measurement script crawls events from an archive node for Aave V1, V2, and Compound, extracting liquidated debt and received collateral</cite>; <cite index="1-5,1-6">profit is computed as the value of the received collateral, converted to ether using CoinGecko's API</cite>. <cite index="21-1,21-3">Arbitrage detection defines an arb as multiple swaps that return the initial token, routing cycles like A→B→C→A</cite>.
<cite index="16-6,16-7">The tool leverages heuristic-based detection methods from prior research, so results should be considered a lower bound</cite>. <cite index="19-1,19-2">Known issues exist with sandwich profit estimation in mev-inspect-py, prompting some projects to recalculate sandwiches using their own AMM pool extraction</cite>, and <cite index="19-6,19-7">split arbitrages are missed, and overlapping MEV—arbs mixed with sandwiches—isn't fully handled by any detection software</cite>. The tool runs locally on Kubernetes and connects to a Postgres database.
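The cycle heuristic and its lower-bound behaviour can be seen in a short added example. This is not mev-inspect-py's code: the `Swap` record, the ordering and amount checks, the helper names and the sample swaps are all assumptions constructed here. It finds the A→B→C→A route in one transaction and misses a split arbitrage in another, even though that transaction's net token flow is positive.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Swap:
    tx: str          # transaction label (constructed)
    idx: int         # position of the swap inside the transaction
    pool: str        # pool label (constructed)
    token_in: str
    amount_in: int   # integer token units
    token_out: str
    amount_out: int


@dataclass(frozen=True)
class Arbitrage:
    tx: str
    route: Tuple[str, ...]  # tokens visited; first and last are the same
    start_amount: int
    end_amount: int

    @property
    def profit(self) -> int:
        return self.end_amount - self.start_amount


def _extend(path: List[Swap], later: List[Swap], start_token: str) -> Optional[List[Swap]]:
    """Depth-first search for a chain of swaps that returns to start_token."""
    last = path[-1]
    if last.token_out == start_token:
        return path
    for nxt in later:
        # A hop must come later in the transaction, consume the token the
        # previous hop produced, and not spend more than that hop produced.
        if (nxt.idx > last.idx and nxt.token_in == last.token_out
                and nxt.amount_in <= last.amount_out):
            found = _extend(path + [nxt], later, start_token)
            if found:
                return found
    return None


def detect_arbitrages(swaps: List[Swap]) -> List[Arbitrage]:
    """Flag swap chains inside one transaction that end in the token they started with."""
    by_tx: Dict[str, List[Swap]] = {}
    for s in swaps:
        by_tx.setdefault(s.tx, []).append(s)
    found: List[Arbitrage] = []
    for tx, tx_swaps in by_tx.items():
        ordered = sorted(tx_swaps, key=lambda s: s.idx)
        used = set()
        for start in ordered:
            if start.idx in used:
                continue
            later = [s for s in ordered if s.idx not in used and s.idx != start.idx]
            cycle = _extend([start], later, start.token_in)
            # Swapping back and forth in a single pool is not an arbitrage.
            if cycle and len({s.pool for s in cycle}) >= 2:
                used.update(s.idx for s in cycle)
                route = (start.token_in,) + tuple(s.token_out for s in cycle)
                found.append(Arbitrage(tx, route, start.amount_in, cycle[-1].amount_out))
    return found


def net_token_flow(swaps: List[Swap], tx: str) -> Dict[str, int]:
    """Net balance change per token across every swap in one transaction."""
    flow: Dict[str, int] = {}
    for s in swaps:
        if s.tx == tx:
            flow[s.token_in] = flow.get(s.token_in, 0) - s.amount_in
            flow[s.token_out] = flow.get(s.token_out, 0) + s.amount_out
    return flow


# Constructed sample data: labels and amounts are illustrative only.
SAMPLE_SWAPS = [
    # One clean cycle WETH -> USDC -> DAI -> WETH.
    Swap("tx-cycle", 0, "pool-1", "WETH", 1000, "USDC", 2_000_000),
    Swap("tx-cycle", 1, "pool-2", "USDC", 2_000_000, "DAI", 2_010_000),
    Swap("tx-cycle", 2, "pool-3", "DAI", 2_010_000, "WETH", 1012),
    # An ordinary user swap.
    Swap("tx-plain", 0, "pool-1", "WETH", 300, "USDC", 600_000),
    # Split arbitrage: two buys in different pools, one combined sell.
    Swap("tx-split", 0, "pool-1", "WETH", 500, "USDC", 1_000_000),
    Swap("tx-split", 1, "pool-4", "WETH", 500, "USDC", 1_005_000),
    Swap("tx-split", 2, "pool-2", "USDC", 2_005_000, "WETH", 1010),
]

if __name__ == "__main__":
    for arb in detect_arbitrages(SAMPLE_SWAPS):
        print(arb.tx, " -> ".join(arb.route), "profit:", arb.profit)
    print("tx-split net flow:", net_token_flow(SAMPLE_SWAPS, "tx-split"))
```

The split transaction nets 10 WETH but produces no detection, because no single swap chain carries the full amount back to the starting token.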
Sources:
- https://arxiv.org/pdf/2206.04185
- https://rs.pubpub.org/pub/x4nuh4d7/release/1
- https://info.zeromev.org/sources.html
- https://github.com/flashbots/mev-inspect-py/blob/main/mev_inspect/arbitrages.py
#mev-inspect-py #flashbots #methodology #arbitrage-detection #liquidation-measurement #heuristics #data-infrastructure #mev-analysis #protocol-economics

Realized Extractable Value: the lower bound Flashbots chose
<cite index="9-5,9-9">Flashbots acknowledged that MEV is theoretical and cannot be measured perfectly</cite>, so <cite index="9-11">the organization introduced the concept of Realized Extractable Value (REV)</cite> as a proxy for what actually happened on-chain. <cite index="11-3">After scraping Ethereum from January 2020, Flashbots classified more than 1.3 million MEV transactions and found at least $314 million in extracted MEV</cite>, plus $4.5 million in wasted gas on failed attempts. <cite index="11-6,11-7">That figure is explicitly a lower bound given incomplete protocol coverage</cite>.
<cite index="9-1,9-2">The framework split extraction costs into Extractable Value Cost (EVC), encompassing on-chain activity like preflights, failures, and same-nonce cancellations</cite>, while <cite index="8-3,8-4,8-5">unifying these quantities let Flashbots ask "how big are the costs of MEV extraction activities for the network?" and "to what extent has Flashbots helped in reducing these costs?"</cite> The methodology accepts it will miss newer extraction techniques—<cite index="9-10">every new DeFi hack counts as an MEV event</cite>—but the REV metric gave builders a starting benchmark to argue whether private order flow reduced deadweight loss.
Sources:
- https://writings.flashbots.net/quantifying-rev
- https://writings.flashbots.net/quantifying-mev
#mev-analysis #flashbots #methodology #realized-extractable-value #protocol-economics #lower-bound-measurement

Realized Cap Dynamics: How Capital Flows Revalue the Network
<cite index="1-8">When a coin last moved at significantly cheaper prices is spent, it revalues to the current price and increases realized cap by a corresponding amount</cite>. <cite index="1-9">If a coin is spent at a price lower than when it was last moved, it revalues to the cheaper price and decreases realized cap</cite>. <cite index="2-27,2-28,2-29,2-30">Three primary components make up realized cap: newly minted supply pricestamped as blocks are found (the Thermocap), realized profits as investors spend and revalue cheap coins to expensive prices, and realized losses which subtract value as expensive coins are revalued lower</cite>.
<cite index="1-24,1-25">Bull markets are characterized by steep uptrends in realized cap as coins purchased at cheaper prices are spent to realize profits; steeper uptrends suggest larger-magnitude profits being realized</cite>. <cite index="1-26,1-27">Bear markets show shallow downtrends in realized cap as market interest picks up, more coins transact on off-chain exchanges, and new entrants take losses</cite>. <cite index="2-8">Pricestamping coins enables modeling of market performance in ways that often cannot be replicated in traditional finance, such as estimating the cost basis of investor cohorts and assessing support and resistance levels where sentiment may shift</cite>.
The method provides transparency into capital inflows and outflows at the protocol level. Lost or ancient coins—those older than five years—carry realized values substantially cheaper than current prices despite often holding large BTC volumes, and their economic weight steadily decreases over time unless they are suddenly spent and repriced.
Sources:
- https://docs.glassnode.com/guides-and-tutorials/metric-guides/realized-capitalization
- https://insights.glassnode.com/the-realized-cap-foundation/
#realized-cap #capital-flows #cost-basis #bull-markets #bear-markets #on-chain-analytics #methodology #valuation-metrics

Realized Price as Aggregate Cost Basis and Market-Cycle Signal
<cite index="18-1,18-3,18-4">Realized price is the value of all bitcoins at the price they were last transacted on-chain, divided by the number in circulation—the average cost basis at which all bitcoins were purchased</cite>. <cite index="25-8">It values each UTXO not on current value but on the value when it last moved from one wallet to another</cite>, with the assumption that movement equals a purchase event.
<cite index="18-10,18-11">When current market price drops below realized price, holders on aggregate hold paper losses; historically these periods occurred at major cycle lows</cite>. <cite index="24-6,24-7">The metric reflects the average cost basis of all BTC in circulation and provides real-time visibility into when the majority of holders are in profit or loss, unlike traditional assets where investor cost bases are difficult to determine</cite>. <cite index="21-8,21-9">MVRV compares market cap to realized cap—the sum of all coins valued at their last transaction price—and a ratio of 1.41 means the market trades at a 41% premium to aggregate cost basis</cite>.
<cite index="22-13,22-14">Bitcoin's on-chain structure emphasizes long-term holder dynamics, and realized price and MVRV have historically demonstrated clearer cyclical boundaries in Bitcoin compared to most other assets</cite>. The metric serves as a foundation for derivatives including MVRV Z-Score and Net Unrealized Profit/Loss, both of which rely on the spread between market cap and realized cap to gauge profit distribution and overvaluation risk.
Sources:
- https://www.bitcoinmagazinepro.com/charts/realized-price/
- https://bitcoinmagazine.com/markets/mastering-bitcoin-on-chain-data
- https://blog.amberdata.io/onchain-valuation-what-bitcoins-realized-price-says-about-2026
- https://rango.exchange/learn/decentralized-finance/onchain-data-price-metrics
#realized-price #cost-basis #valuation-metrics #mvrv #market-cycles #on-chain-analytics #glassnode #methodology

UTXO Age Bands and Realized Price: Cohort Cost Basis Over Time
<cite index="3-4,3-6">Realized Cap HODL Waves weight active supply bands by their realized USD value as a proportion of total realized cap, establishing thickness by the total realized value of coins in each age band</cite>. <cite index="3-9,3-10">The metric considers the economic weight of coin supply in various age brackets relative to realized cap; a 1-2 year age bracket at 5% means 5% of realized cap USD value derives from coins aged between one and two years</cite>.
<cite index="12-17,12-18">Each line in a UTXO age-band realized price panel tracks the realized price for a specific age cohort, showing how cost basis migrates through time and which cohorts drive resets</cite>. <cite index="17-5,17-6">The realized price of UTXO age bands evaluates holding patterns of different investor classes through their different realized prices, tracking the average price at which holders purchased coins compared to how long they have held them</cite>.
<cite index="3-23,3-24">Distribution tops occur when young coins under six months represent 80% or more of realized cap value, indicating newer buyers hold a large proportion of economic value and creating increased probability of oversupply</cite>. <cite index="12-20,12-21">Younger bands rising quickly signal recent buyers have reset their cost basis higher; after strong advances this expands the one-month-to-three-month and three-month-to-six-month lines</cite>. Old-coin movement—such as the two-year-to-three-year or five-year-to-seven-year bands shifting—indicates seasoned supply is active.
Sources:
- https://docs.glassnode.com/guides-and-tutorials/metric-guides/age-distribution/realized-cap-hodl-waves
- https://www.themarketsunplugged.com/urpd-utxo-realised-price-distribution-where-bitcoins-cost-basis-sits/
- https://www.tradingview.com/news/newsbtc:a8b18464f094b:0-bitcoin-utxo-age-bands-put-local-bottom-at-95k-here-s-why/
#utxo-age-bands #realized-price #hodl-waves #cost-basis #cohort-analysis #on-chain-analytics #glassnode #valuation-metrics #methodology

Realized Cap: Valuing Supply by Last-Move Price, Not Market Price
<cite index="1-1,1-5">Realized cap values each UTXO by the price when it was last moved on-chain</cite>, not the current market price. <cite index="5-3,7-2">It computes this by valuing each unspent transaction output at the price recorded when that output was created</cite>. The result is an aggregate cost basis for the network.
<cite index="2-23,2-24">The metric represents the cumulative sum of all realized profits minus realized losses—the aggregate value that has flowed into Bitcoin minus capital flowing out via losses</cite>. <cite index="1-7">It reduces the impact of lost and long-dormant coins, weighting them according to their actual presence in the economy</cite>. <cite index="1-17,2-21">Coins last spent in 2009 before BTC had a price carry a realized value of zero</cite>, which discounts Satoshi-era supply from the calculation.
<cite index="1-11,1-12">When market cap trades above realized cap, the average investor holds unrealized profit; when it trades below, the average investor holds unrealized loss</cite>. <cite index="1-13,16-16">Market cap has traded at or below realized cap in only a few instances, each of which represented cyclical bear-market bottoms</cite>. <cite index="16-17">As the aggregate cost basis, it forms psychological support and resistance</cite>. The metric was formulated in 2018 by Antoine Le Calvez, though it explained price action in the 2011 and 2013 cycles retroactively.
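The pricestamping rule above, and the three-component decomposition from the realized cap dynamics note, can be checked with a small added example. It is not Glassnode's implementation: the `RealizedCapLedger` class, its method names and the scenario values are constructed here, and it assumes each spend moves a whole output into one new output with fees ignored.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class RealizedCapLedger:
    # utxo id -> (amount in BTC, USD price when the output was created)
    utxos: Dict[int, Tuple[int, int]] = field(default_factory=dict)
    thermocap: int = 0        # newly minted supply, pricestamped at issuance
    realized_profit: int = 0  # cheap coins revalued to a higher price
    realized_loss: int = 0    # expensive coins revalued to a lower price
    next_id: int = 0

    def _create(self, amount: int, price: int) -> int:
        uid = self.next_id
        self.next_id += 1
        self.utxos[uid] = (amount, price)
        return uid

    def mint(self, amount: int, price: int) -> int:
        """Coinbase output: enters realized cap at the price when the block is found."""
        self.thermocap += amount * price
        return self._create(amount, price)

    def spend(self, uid: int, price: int) -> int:
        """Spending destroys the old output and re-stamps the coins at today's price."""
        amount, old_price = self.utxos.pop(uid)
        delta = amount * (price - old_price)
        if delta >= 0:
            self.realized_profit += delta
        else:
            self.realized_loss += -delta
        return self._create(amount, price)

    def supply(self) -> int:
        return sum(amount for amount, _ in self.utxos.values())

    def realized_cap(self) -> int:
        return sum(amount * price for amount, price in self.utxos.values())

    def decomposition(self) -> int:
        """Thermocap plus realized profits minus realized losses."""
        return self.thermocap + self.realized_profit - self.realized_loss

    def realized_price(self) -> float:
        return self.realized_cap() / self.supply()

    def mvrv(self, market_price: int) -> float:
        return (market_price * self.supply()) / self.realized_cap()


def run_constructed_scenario() -> dict:
    """Constructed prices and amounts; returns checkpoints for inspection."""
    ledger = RealizedCapLedger()
    dormant = ledger.mint(50, 0)     # mined before BTC had a price
    early = ledger.mint(50, 100)
    late = ledger.mint(50, 1000)
    out = {"cap_after_mint": ledger.realized_cap()}

    ledger.spend(early, 10_000)      # cheap coin repriced upward: realized profit
    out["cap_after_profit"] = ledger.realized_cap()

    ledger.spend(late, 400)          # expensive coin repriced downward: realized loss
    out["cap_after_loss"] = ledger.realized_cap()
    out["realized_price"] = ledger.realized_price()
    out["mvrv_before_dormant_move"] = ledger.mvrv(5200)

    ledger.spend(dormant, 5200)      # dormant supply suddenly spent and repriced
    out["cap_after_dormant_move"] = ledger.realized_cap()
    out["mvrv_after_dormant_move"] = ledger.mvrv(5200)
    out["decomposition"] = ledger.decomposition()
    return out


if __name__ == "__main__":
    for name, value in run_constructed_scenario().items():
        print(f"{name}: {value}")
```

Until it moves, the zero-priced output adds supply but no realized value, which is why MVRV falls from 1.5 to 1.0 in this scenario once it is spent at the market price.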
Sources:
- https://docs.glassnode.com/guides-and-tutorials/metric-guides/realized-capitalization
- https://insights.glassnode.com/the-realized-cap-foundation/
- https://docs.glassnode.com/basic-api/endpoints/market
#realized-cap #cost-basis #utxo-valuation #on-chain-analytics #glassnode #market-cap-comparison #valuation-metrics #methodology

On-Chain Valuation as Infrastructure, Not Crystal Ball
<cite index="18-1,18-2">The top data layer provides relative valuation metrics that identify short- to mid-term price inefficiencies, providing buy and sell signals much like EV-to-EBITDA multiples in public equities</cite>. <cite index="18-3,18-4,18-5">On-chain data offers a new framework to analyze emerging monetary assets like bitcoin; as institutional investors gain exposure, the network's three data layers should enhance understanding of underlying fundamentals and turn raw open-source data into actionable investment decisions</cite>.
The broader context matters. <cite index="20-13,20-16,20-21">Every on-chain metric tells a partial story; MVRV, funding rates, and other indicators alone are not sufficient to make trading decisions, but a position with multiple aligned layers carries significantly higher conviction</cite>. <cite index="23-9,23-10,23-11">Valuation metrics ask whether the market is overextended or historically cheap relative to on-chain cost basis and holder profitability, measuring the gap between current price and what the chain says it is intrinsically worth, using holder cost basis as the anchor—metrics include MVRV Z-Score, Reserve Risk, and RHODL Ratio</cite>.
<cite index="21-1,21-14">Foundational metrics like MVRV, Z-Score, NUPL, and realized price anchor all on-chain valuation analysis</cite>. <cite index="23-20,23-21">These frameworks measure where Bitcoin sits in its market cycle but do not predict price</cite>. The infrastructure produces signals. The speculation around the signals is what you have to filter.
Sources:
- https://www.ark-invest.com/articles/analyst-research/on-chain-data-bitcoin
- https://axeladlerjr.com/charts/bitcoin-analysis-framework/
- https://www.themarketsunplugged.com/bitcoin-barometer-explained/
- https://blog.amberdata.io/onchain-valuation-what-bitcoins-realized-price-says-about-2026
#on-chain-analytics #valuation-frameworks #mvrv #institutional-adoption #multi-metric-analysis #cost-basis #market-cycles #infrastructure-layer #valuation-metrics #contested-methods

The Signal Lag Problem: When Bubbles Pop Before You Know They Started
<cite index="14-1,14-2,14-3">The spike in NVT follows the bubble with a considerable lag of a few months; peak NVT coincides with the middle of a correction period, meaning NVT is neither predictive nor descriptive</cite>. Dmitry Kalichkin's 2018 critique landed this problem cleanly: <cite index="14-14">you can only detect the bubble a few months after it bursts</cite>.
The issue is mechanical. <cite index="13-7">Woo applied a 28-day moving average to transaction volume, taking 14 days forward and 14 days backward-facing</cite>. <cite index="13-8,13-9">The output of such an analysis is of little relevance when looking for a trading signal; Kalichkin remodeled NVT to improve signal quality</cite>. <cite index="32-5">In February 2018, Kalichkin published his work to improve NVT for use as a more responsive indicator, hence the NVT Signal variant</cite>.
<cite index="10-11,10-12,10-13">NVT is far from ideal; occasional events and the development of substitute solutions can have lasting effects on the ratio level, and it's risky to assume any NVT level as a stable equilibrium in the current crypto market</cite>. <cite index="17-3,17-4,17-5">The interpretation of NVT evolves as the market matures and technology advances—factors like the Lightning Network, shifting narratives, and rising prices influence understanding, so it's crucial to consider historical context and trends rather than absolute values</cite>.
Sources:
- https://medium.com/cryptolab/https-medium-com-kalichkin-rethinking-nvt-ratio-2cf810df0ab0
- https://www.bytetree.com/research/2019/08/bitcoin-fair-value-network-to-transaction-ratio/
- http://charts.woobull.com/bitcoin-nvt-ratio/
- https://medium.com/@christiang.wit/network-value-to-transaction-ratio-ed0cd68ac0f2
- https://userguide.cryptoquant.com/cryptoquant-metrics/network/nvt-ratio
#nvt-signal #kalichkin #predictive-accuracy #methodological-lag #moving-averages #time-series-problems #lightning-network #market-evolution #valuation-metrics #on-chain-analytics #contested-methods

NVT as a P/E Proxy, or How We Ended Up Dividing the Wrong Things
<cite index="2-3,26-1,27-3">Willy Woo introduced NVT in early 2017 as a crypto-equivalent to the price-to-earnings ratio</cite>, dividing market cap by on-chain transaction volume to detect when network value outpaces actual usage. <cite index="1-1,1-2">If price increases while on-chain activity stays flat, NVT rises and the market is considered top-heavy</cite>. <cite index="30-2,30-17">Woo suggested readings around 90-100 indicated a bubble</cite>.
The analogy breaks immediately. <cite index="14-8,14-9">The PE ratio uses earnings as a proxy for shareholder utility; NVT substitutes transaction volume as a proxy for network utility</cite>. But <cite index="2-11">NVT only counts on-chain transactions, ignoring centralized exchange activity that accounts for over 80% of total cryptocurrency transactions</cite>. <cite index="11-4">The most salient criticism points to reduced out-of-sample accuracy and the increasing tendency for transactions to occur off-chain—on second-layer networks or within exchange ledgers</cite>.
<cite index="13-5,13-6">As an emerging asset class, there is no standardized approach for collecting and applying data within this model; existing methodologies vary across analysts like Woo and Kalichkin</cite>. <cite index="12-20">The methodology for calculating NVT remains questionable, especially when it comes to transaction volumes in the denominator</cite>. <cite index="10-4,10-5">Both variables used to calculate NVT are strongly dependent on the price of the asset, and the effect of price movements on them is not equal—some changes in NVT can be consequences of pure market fluctuation with no fundamental importance</cite>.
Sources:
- https://x.superex.com/academys/13580/
- https://www.cryptotimes.io/2026/03/30/bitcoin-nvt-ratio-at-41-7-what-network-usage-says-about-btc-price/
- https://www.samara-ag.com/market-insights/bitcoin-nvt-ratio
- https://www.bytetree.com/research/2019/08/bitcoin-fair-value-network-to-transaction-ratio/
- https://coinmetrics.substack.com/p/coin-metrics-state-of-the-network-c37
- https://www.datadriveninvestor.com/2018/03/15/the-network-value-to-transactions-nvt-ratio-a-breakthrough-for-cryptocurrency-valuation/
- https://medium.com/@christiang.wit/network-value-to-transaction-ratio-ed0cd68ac0f2
- https://norupp.com/willy-woo-interview-the-nvt-ratio-and-future-of-cryptocurrencies/
#nvt-ratio #valuation-metrics #willy-woo #transaction-volume #on-chain-analytics #methodological-criticism #off-chain-activity #pe-ratio-analogy #contested-methods

Implementation: How USDC and Tether Handle Attestations
<cite index="21-1,21-7">Circle issues monthly attestation reports, verified by accounting firm Grant Thornton, to confirm the reserves match the number of USDC in circulation</cite>. <cite index="27-4">Beginning with July 2022 and going forward, Grant Thornton's attestations cover additional details including CUSIPs, maturity dates, market values, and financial institutions holding cash portions, providing independent confirmation of the detailed composition of the USDC reserve as well as its sufficiency</cite>. <cite index="28-3,28-4">A Big Four accounting firm provides monthly third-party assurance that the value of USDC reserves is greater than the amount of USDC in circulation, with reports prepared according to attestation standards set out by the AICPA</cite>.
<cite index="10-9,10-10,10-11">Tether historically published attestations for a handful of randomly selected days each quarter, verified by a mid-tier accounting firm rather than a Big Four auditor; without an annual PCAOB-style audit or clear insight into broader liabilities, critics question whether occasional attestations obscure temporary reserve gaps or off-balance-sheet debt</cite>. <cite index="29-3,29-14,29-15">The USAT attestation is a third-party attestation providing a snapshot of reserves at a specific point in time, rather than a full audit or a deep review of company finances</cite>.
The pattern: USDC committed early to monthly Big Four attestations. Tether resisted until regulation forced a U.S.-compliant product.
Sources:
- https://www.moderntreasury.com/learn/difference-between-usdc-and-usdt
- https://www.circle.com/blog/new-levels-of-detail-in-the-monthly-usdc-attestation
- https://www.circle.com/transparency
- https://university.mitosis.org/attestations-vs-audits-what-stablecoin-proofs-actually-prove/
- https://www.coindesk.com/business/2026/03/03/tether-taps-deloitte-for-first-usat-reserve-report
#usdc #tether #case-studies #attestation-practice #big-four-accounting #stablecoin-analysis #transparency #auditing-standards #methodology

What the Auditor Actually Verifies, and What They Do Not
<cite index="5-4">The audit kit should include the official reserve policy, detailed ledgers of all reserve assets, bank and custodian statements, on-chain wallet addresses and transaction histories, legal opinions on asset ownership, and the methodology for valuing non-cash assets</cite>. <cite index="5-8,5-9">For off-chain assets, this means confirming bank balances via direct confirmation letters and reconciling custodial reports; for on-chain crypto reserves, using blockchain explorers like Etherscan and analytical tools such as Nansen or Dune Analytics to track wallet holdings and prove ownership</cite>.
<cite index="7-2,7-3,7-4">Management is required to make an assertion, which grants management the flexibility to report on additional characteristics not readily apparent when just presented with outstanding token and reserve amounts; for example, if reserves are held in segregated accounts, in trust, or have insurance, these elements can be presented within Management's assertions and thus be included within scope of the attestation</cite>.
<cite index="12-7,12-8,12-9">Most reserve proofs capture a snapshot; between reporting dates, reserves could be lent out, invested in risky assets, or partially withdrawn; continuous verification is technically possible for on-chain reserves but impractical for off-chain bank deposits, which represent the bulk of most fiat-backed stablecoin reserves</cite>. <cite index="12-13,12-14">Not all accounting firms apply the same rigor; a Big Four attestation under AICPA standards carries more weight than a report from an unknown firm using unspecified methodology</cite>.
Sources:
- https://www.chainscorelabs.com/en/guides/history-and-evolution-of-cryptocurrency/stablecoin-evolution/how-to-structure-a-stablecoins-reserve-audit-process
- https://www.theaccountantquits.com/articles/proof-of-reserves-for-stablecoin-issuers
- https://www.spark.money/glossary/reserve-proof
#proof-of-reserves #attestation-methodology #auditor-scope #reserve-verification #limitations #stablecoin-analysis #auditing-standards #methodology

Monthly Attestations Are the Floor, Not the Ceiling
<cite index="1-2">The GENIUS Act requires issuers to obtain monthly attestation reports from independent public accounting firms, verifying that reserves at least match the outstanding stablecoin supply in a 1:1 or greater ratio</cite>. <cite index="1-6,1-7,1-8">Each month, issuers must issue a report of reserves and total outstanding stablecoins; this report must be examined by a registered public accounting firm, and the CEO and CFO must certify to its accuracy, with the goal of having an independent third party attest that management's assertions are materially correct</cite>.
<cite index="4-2,4-3">The GENIUS Act represents a decisive shift from the prior regime of voluntary attestations to mandatory, legally binding declarations; permitted payment stablecoin issuers must now submit to monthly independent audits by registered public accounting firms, publish reserve reports, and certify that all stablecoins are fully backed on a one-to-one basis by high-quality liquid assets segregated from issuer funds</cite>. <cite index="4-4">The Act also imposes criminal liability on CEOs and CFOs who knowingly misrepresent reserve adequacy</cite>.
<cite index="1-9">Annual U.S. GAAP-compliant financial statements audited under PCAOB standards are required for issuers with more than $50 billion of stablecoins in circulation</cite>. <cite index="1-13">The AICPA released its 2025 Criteria for Stablecoin Reporting that provides a standardized, regulatory approach for evaluating the presentation and disclosure of stablecoins and the availability of assets for redemption</cite>. The regime is monthly for mechanics, annual for context.
Sources:
- https://www.forvismazars.us/forsights/2025/11/stablecoin-reserve-attestations-key-considerations-for-compliance
- https://www.theregreview.org/2025/11/17/krause-krause-auditing-payment-stablecoins-under-the-genius-act/
- https://www.bpm.com/insights/monthly-attestation-reports/
#genius-act #stablecoin-regulation #attestation-standards #methodology #regulatory-compliance #aicpa-standards #stablecoin-analysis #auditing-standards

Attestation is Not Audit, and the Difference is Structural
<cite index="2-1,2-20,2-21">An attestation confirms reserves matched reported balances at a specific point in time, conducted by an independent accounting firm using agreed-upon procedures</cite>. <cite index="2-22">The snapshot validates reported figures but does not address how reserves are managed between periods or how they behave under changing conditions</cite>.
<cite index="2-23,2-24,2-25">An audit extends that analysis across time, performed under established accounting standards; it evaluates financial statements alongside controls and processes, testing whether the system governing reserves is consistent and reliable</cite>. <cite index="7-8,7-9,7-10">A Proof of Reserves attestation limits scope to tokens outstanding and underlying reserves, applying the same scrutiny as a financial statement audit but with reduced scope that enables more frequent publication</cite>.
<cite index="11-1,11-2,11-14,11-15">Internationally, accounting firms issue attestation reports under ISAE 3000; in the U.S., AT-C 205 is the norm</cite>. <cite index="10-3,10-4,10-5,10-6">An attestation is a limited-scope engagement asserting reserves equal circulating supply on a specified date, following standards such as ISAE 3000 or AICPA AT-C 205, excluding evaluation of internal controls, operational risks, legal contingencies, or broader balance sheet items</cite>.
The trade is frequency for depth. <cite index="2-26,2-27">Institutions assess both in combination: attestations provide periodic visibility into reserve levels, while audits establish whether the underlying framework can be trusted to maintain those levels as conditions change</cite>.
Sources:
- https://www.bitgo.com/resources/blog/stablecoin-reserves-audits-attestations-token-backing/
- https://www.theaccountantquits.com/articles/proof-of-reserves-for-stablecoin-issuers
- https://university.mitosis.org/attestations-vs-audits-what-stablecoin-proofs-actually-prove/
#stablecoin-analysis #auditing-standards #methodology #attestation-vs-audit #accounting-frameworks #proof-of-reserves

Liquidity concentrates in a handful of venues
<cite index="17-11,17-12">Market depth analysis reveals critical liquidity patterns, with the top 8 exchanges accounting for 91.7% of global market depth and Binance alone representing 30.7%</cite>. <cite index="17-13,17-14">Daily liquidity cycles show peak activity during Asian session overlap (00:00-04:00 UTC) and US institutional hours (13:00-17:00 UTC), with the 2% market depth for Bitcoin typically ranging from $50-100 million across major exchanges</cite>.
<cite index="13-1,13-2,13-3">An empirical analysis of liquidity thresholds for crypto assets following a methodology used in the analysis of NMS stocks used two different approaches to measure the ADV: the number of crypto asset units traded and dollar amounts traded, with distribution patterns for both actively and thinly traded NMS stocks and crypto-USD pairs showing similar trends</cite>.
<cite index="16-5,16-6">Liquidity measures applied to Bitcoin markets include the liquidity ratio of Cooper et al. (1985), the relative spread measure of Roll (1984), and the relative spread measure of Corwin and Schultz (2012)</cite>, calculated over periods of months. Traditional metrics apply; the venues are different.
The concentration matters for funds that need to move size. It also matters for regulators trying to decide whether crypto markets resemble traditional markets enough to apply similar rules.
Sources:
- https://research.bitwyre.com/market-microstructure-theory-for-cryptocurrency-markets-a-short-analysis/
- https://www.sciencedirect.com/science/article/abs/pii/S1467089524000320
- https://www.researchgate.net/publication/317012205_Bitcoin_Market_Microstructure
#market-depth #liquidity-concentration #exchange-dynamics #venue-fragmentation #trading-hours #institutional-infrastructure #market-microstructure #liquidity-analysis #methodology

Order flow imbalance predicts returns at high frequency
<cite index="4-1,4-2">Financial market microstructure studies how trading, information, and liquidity provision jointly determine short-horizon price dynamics, with a robust set of features—order flow imbalance, bid-ask spreads, depth, and trade arrival patterns—shown to explain a substantial fraction of return variation at very short horizons</cite>.
<cite index="4-3,4-4">Cryptocurrencies offer a unique space for testing whether these features are universal: assets vary widely in capitalization and liquidity, yet they are transacted through similar continuous double-auction mechanisms with transparent limit order books</cite>. The hypothesis is that short-horizon return predictability in crypto admits a universal representation.
<cite index="22-6,22-7">A complete empirical analysis of market impact on the Bitcoin/USD exchange market using over one million metaorders empirically confirms the "square-root law" for market impact, which holds across four decades despite the quasi-absence of statistical arbitrage and market-making strategies</cite>. The square-root law—an empirical regularity from equity markets—appears to carry over to crypto.
The academic literature treats crypto as a laboratory for testing whether microstructure patterns generalize across asset classes. So far the answer is mostly yes, with adjustments for fragmentation and pseudonymity.
Sources:
- https://arxiv.org/html/2602.00776v1
- https://www.worldscientific.com/doi/abs/10.1142/S2382626615500082
#order-flow-imbalance #market-microstructure #price-impact #square-root-law #return-predictability #high-frequency #liquidity-analysis #methodology

Liquidity measurement relies on execution cost, not quoted spreads
<cite index="12-1,12-3">Liquidity is best measured by actual execution costs—effective spread, implementation shortfall, and slippage—rather than quoted spreads alone</cite>. <cite index="12-6">Three microstructure signals anchor liquidity: the bid-ask spread, resting depth across price levels near the mid-price, and the price impact of executing a given order size</cite>.
<cite index="12-10,12-11">The effective spread compares a trade's execution price to the midpoint at the time of the order, while implementation shortfall compares the final execution to a benchmark price while accounting for partial fills and timing; both are more informative than quoted spreads alone because they incorporate actual fills and timing slippage</cite>.
<cite index="19-8,19-9,19-10">Bid-ask spreads on spot Bitcoin markets average 0.0298%, trade sizes of over $1 million move markets by less than 1%, and spreads exceed 0.8% for only 226 seconds</cite> in the data from Aleti and Mizrach's study of CME and spot exchanges. <cite index="14-2">The bid-ask spread percentage measures the cost of immediate execution, with spreads below 0.05% indicating robust liquidity for major pairs</cite>.
The market-makers who quote those spreads charge for information risk. The academics who measure liquidity adjust for the fact that quoted spreads and executed spreads diverge.
Sources:
- https://www.bitgo.com/resources/blog/crypto-liquidity/
- https://www.researchwithrutgers.com/en/publications/bitcoin-spot-and-futures-market-microstructure/
- https://www.bitget.com/academy/cryptometer-guide
#liquidity-measurement #effective-spread #implementation-shortfall #market-impact #execution-cost #methodology #market-microstructure #liquidity-analysis
Bid-ask spreads carry blockchain-specific cost burdens
<cite index="1-1,1-2,1-9">Crypto bid-ask spreads reflect three cost components that are amplified relative to equities: order processing costs elevated by blockchain transaction fees and 24/7 operational requirements, inventory holding costs increased by volatility running 3x higher than equity markets, and adverse selection costs that often reach 10% of effective spreads</cite>.
<cite index="17-4">The seminal Makarov and Schoar (2020) work demonstrates that 80% of Bitcoin returns are explained by common volume components across exchanges, yet significant arbitrage opportunities persist due to market fragmentation</cite>. That fragmentation matters for spreads.
<cite index="8-6,8-7">The Glosten and Milgrom model frames the bid-ask spread as a direct consequence of adverse selection, where liquidity providers widen their quotes to compensate for the risk of trading against privately informed agents</cite>. In crypto, pseudonymous trading and information asymmetries push that adverse selection premium higher.
<cite index="1-12,1-13,1-14">Perpetual swaps account for 93% of crypto derivatives trading volume exceeding $100 billion daily, employing a funding rate mechanism paid every 8 hours between long and short positions, which creates distinctive U-shaped patterns in trading activity and bid-ask spreads aligned with funding intervals</cite>. The infrastructure underneath the speculation produces observable patterns.
Sources:
- https://research.bitwyre.com/market-microstructure-theory-for-cryptocurrency-markets-a-short-analysis/
- https://arxiv.org/pdf/2602.00776
#bid-ask-spread #market-microstructure #adverse-selection #perpetual-swaps #funding-rates #market-fragmentation #liquidity-analysis #methodology
The DAO Report Set the Tone for ICO Enforcement
<cite index="4-18,4-19">In 2017, the SEC declared that the tokens of The DAO, a popular crypto community, were securities, establishing a regulatory expectation that most ICOs are subject to the Securities Act of 1933</cite>.
<cite index="6-11">Many of today's crypto tokens involve investments of money through token sales in a joint enterprise, with the expectation of profit based on the efforts of a third party, such as the centralized company behind a crypto project</cite>. <cite index="6-12">As such, it's difficult to launch an ICO that doesn't create securities concerns</cite>.
<cite index="5-11,5-12">When a token doesn't pass the Howey Test, it's classified as a utility token, which is more like a digital coupon that gives investors access to a future product or service or can be redeemed for discounted fees</cite>. <cite index="5-14">However, the SEC has indicated that just because a project has a utility token framework doesn't automatically exclude it from being a security</cite>. The name on the label does not determine the regulatory treatment. The economics do.
Sources:
- https://www.lexology.com/library/detail.aspx?g=7b7c738c-10e4-4aea-9855-07b1399a26bc
- https://www.embroker.com/blog/what-is-the-howey-test-does-crypto-pass/
- https://gordonlaw.com/learn/howey-test-is-your-token-security/
#dao-report #ico #sec-enforcement #howey-test #utility-tokens #securities-act-1933 #token-offerings #foundational-text #regulatory-frameworks #securities-law
Trautman's Work Maps Enforcement Without Legislative Mandate
Lawrence J. Trautman, a business law professor at Prairie View A&M, has written extensively on crypto regulation. <cite index="10-5">Because Congress has not given the SEC or any other agency express authority to regulate cryptocurrency, the SEC has taken a regulation-by-enforcement approach</cite>. <cite index="10-7">Trautman argues that Congress should expressly authorize the SEC to regulate cryptocurrencies as securities in a manner that will pass the scrutiny of courts</cite>.
<cite index="10-8">This is especially important following the Jarkesy decision, which limits the SEC's ability to test new rules through in-house enforcement actions by requiring that agency actions seeking civil money penalties for common law fraud be heard by an Article III court with a defendant's Seventh Amendment right to a jury trial</cite>.
<cite index="14-1">In the United States, enforcement actions for violations of law involving virtual currencies are brought primarily by the CFTC, the SEC, and the Department of Treasury through FinCEN</cite>. <cite index="9-1,9-2">Trautman's recent work notes that the various and sometimes conflicting issues surrounding whether crypto constitutes a security and the appropriate regulation of this technology remain under considerable controversy</cite>.
Sources:
- https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4965035
- https://repository.law.umich.edu/mtlr/vol32/iss1/2/
- https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3182867
#trautman #sec-enforcement #regulatory-frameworks #congress #jarkesy #regulation-by-enforcement #securities-law #foundational-text
SEC Staff Attempted Clarity in 2019, Withdrew It in 2026
<cite index="16-1">In April 2019, SEC FinHub published a framework for analyzing whether a digital asset is an investment contract and whether offers and sales of a digital asset are securities transactions</cite>. <cite index="17-1">The framework was not intended to be an exhaustive overview of the law, but an analytical tool to help market participants assess whether federal securities laws apply</cite>.
<cite index="17-6,17-8">The framework represented Staff views and was not a rule, regulation, or statement of the Commission, and was not binding on the Divisions or the Commission</cite>. <cite index="16-7">The factors provided were not exhaustive and no single factor was determinative</cite>.
The SEC has now superseded that 2019 framework. <cite index="21-1">In the 2019 framework, SEC Staff held that a reasonable expectation of profits could be found even if representations or promises were implicit or implied, but the newer interpretive release requires that representations or promises must be explicit and unambiguous</cite>. The shift matters: it narrows what counts as a security by raising the bar on what constitutes an expectation of profit derived from managerial efforts.
Sources:
- https://www.sec.gov/about/divisions-offices/division-corporation-finance/framework-investment-contract-analysis-digital-assets
- https://www.sec.gov/newsroom/speeches-statements/statement-framework-investment-contract-analysis-digital-assets
- https://www.fintechanddigitalassets.com/2026/04/sec-clarifies-the-application-of-the-securities-laws-to-cryptoassets/
#sec-guidance #finhub #regulatory-frameworks #securities-law #enforcement-policy #howey-test #digital-assets #foundational-text
The Howey Test Lands on Crypto With Citrus-Era Clarity
<cite index="2-9">The 1946 Supreme Court case SEC v. W.J. Howey established that an investment contract exists when there is an investment of money in a common enterprise with a reasonable expectation of profits from the efforts of others</cite>. <cite index="2-11">The Court held that form is disregarded for substance and the emphasis is on economic reality</cite>.
The test has stuck. <cite index="16-3">Whether a particular digital asset satisfies the Howey test depends on the specific facts and circumstances at the time of offer or sale</cite>. <cite index="3-28,3-29">The third and fourth prongs—whether profits are expected from the efforts of others—often play a central role in the analysis</cite>.
<cite index="3-31,3-32">SEC guidance emphasizes factors such as whether a promoter or sponsor plays a central role, including their involvement in the development or management of the asset or its underlying network</cite>. <cite index="3-33">The analysis is always very fact dependent</cite>. <cite index="6-17,6-18">In 2019, the SEC ruled that Bitcoin does not pass the Howey Test, checking only the first box—there must be an investment of money</cite>. <cite index="6-19">Because there is no central company controlling Bitcoin, the SEC ruled it doesn't meet other points: investors are not pooling funds into a joint enterprise, and Bitcoin's value does not depend on a third party</cite>.
Sources:
- https://www.sec.gov/files/dlt-framework.pdf
- https://www.sec.gov/about/divisions-offices/division-corporation-finance/framework-investment-contract-analysis-digital-assets
- https://scarincihollenbeck.com/law-firm-insights/crypto-securities-law
- https://gordonlaw.com/learn/howey-test-is-your-token-security/
#howey-test #securities-law #sec-enforcement #bitcoin #investment-contract #regulatory-frameworks #foundational-text
Bulls bet demand for blockspace will scale with adoption
<cite index="13-1,13-2">If transaction volumes and fees are too low in the subsidy-free future, Bitcoin could struggle to sustain sufficient hash power, unless alternative mechanisms like optional sidechains or off-chain solutions such as the Lightning Network generate enough economic activity to sustain base-layer fees; critics have questioned whether fees alone will be sufficient to maintain robust security, while proponents argue that scarcity, increased adoption, and economic utility will naturally support a viable fee market.</cite>
<cite index="22-6,22-7">If Bitcoin grows and sustains into a multi-trillion market capitalization protocol, and fees can become 0.5%-1.5% of market capitalization due to packing a lot of value into block space (including batching of smaller transactions), it would translate into a $5 billion to $15 billion annual security budget per trillion dollars in market cap; on the other hand, if it fails to sustain sufficient market cap, or annual fees fail to reach and sustain 0.5%-1.5% or more of market cap, then Bitcoin could face security issues in the long run, with 51% attacks becoming more economical to attempt.</cite>
<cite index="23-9,23-10,23-12">The security-budget concern assumes demand for Bitcoin blockspace will not increase over time and that the dollar price per bitcoin will not increase, which would assign more value for a given amount of fees as measured in sats; but these assumptions might be true only if Bitcoin stagnated in its growth and never gained adoption nor new use cases beyond today's state of affairs.</cite> The argument is that layer-two activity or higher prices can paper over the variance problem. Maybe.
Sources:
- https://blog.bitfinex.com/education/what-has-blockchair-highlighted-about-bitcoins-security-budget/
- https://www.lynalden.com/bitcoin-security-modeling/
- https://onrampbitcoin.com/security-budget/
#fee-markets #economic-security #security-budget #layer-two #lightning-network #adoption-dynamics #long-term-viability #game-theory
Volatile block rewards change the profitability of mining strategies
<cite index="25-4,25-5,25-6">Bitcoin's incentivization comes from two sources: the protocol reward for mining a block and the transaction fee paid by users; in Bitcoin's early years, the protocol reward significantly outweighed transaction fees, but due to the halving mechanism, transaction fees are expected to match and eventually replace the protocol reward as the sole source of incentivization.</cite> <cite index="25-7">There have already been periods, such as in December 2023 and April 20, 2024, when transaction fees equaled or even exceeded the protocol reward.</cite>
<cite index="25-8,25-9,25-10,25-11">As the balance between transaction fees and protocol reward changes over time, incentivization dynamics change as well, potentially leading to new security threats or intensifying existing ones; one consequence of transitioning to a transaction-fee-driven era is that total reward per block can no longer be considered fixed, as block rewards become volatile due to the inclusion of transactions with varying fee levels, altering the profitability of various mining strategies.</cite>
This is the mechanism the Carlsten et al. paper models. <cite index="26-12,26-13">During the peak of the 2025 "Inscription Wars," transaction fees in some blocks actually exceeded the block reward itself (over 3.125 BTC), and the industry is reaching a consensus that if fees consistently account for over 20% of miner revenue, Bitcoin can protect the network from attacks through economic incentives even without block rewards.</cite> The empirical data is starting to catch up to the theory.
Sources:
- https://arxiv.org/pdf/2411.11702
- https://www.bitdeer.com/learn/transaction-fees-vs-block-rewards-the-2026-mining-revenue-shift
#fee-markets #transaction-fees #block-rewards #miner-incentives #fee-volatility #ordinals-runes #economic-security #game-theory
The security budget is the total dollar cost of attacking the chain
<cite index="19-3,19-4,19-5,19-6">The "security budget" is the total value paid to miners to incentivize their work, comprising block subsidy (new bitcoin minted in each block, currently 3.125 BTC as of the 2024 halving) and transaction fees (paid by users to have their transactions included in blocks); together, these rewards must remain economically attractive enough to sustain miner participation.</cite>
<cite index="20-1">The block reward is a key part of the network's "security budget," where greater overall miner revenue attracts more hash power, raising the cost of attacks and reducing risks such as chain reorganizations and 51% attacks.</cite> <cite index="15-1,15-2,15-3">As of late 2025, transaction fees contributed approximately $300,000 per day to miner revenue, representing a 12-month low and comprising less than 1% of total miner income, highlighting the network's current heavy reliance on inflation-based rewards rather than fee-based sustainability.</cite>
The subsidy halves every four years. <cite index="11-1">Bitcoin's block subsidy will completely disappear around 2140 through the halving mechanism.</cite> <cite index="22-10">In the decade ahead, Bitcoin will gradually shift from paying miners primarily through block rewards to paying miners primarily through transaction fees, navigating a gradual change in its security model.</cite> If fees do not rise sufficiently to compensate for declining subsidies, hash rate drops, and the cost of a 51% attack declines with it.
Sources:
- https://www.cryptohopper.com/news/what-has-blockchair-highlighted-about-bitcoin-s-security-budget-12085
- https://www.gate.com/learn/glossary/btc-block-reward
- https://www.theblock.co/post/379291/bitcoin-miner-fees-fall-12-month-low-underscoring-long-term-reliance-block-subsidies
- https://www.panewslab.com/en/articles/cr4tlmfw
- https://www.lynalden.com/bitcoin-security-modeling/
#economic-security #security-budget #block-rewards #transaction-fees #miner-incentives #hash-rate #attack-cost #fee-markets #game-theory
Fee variance will destabilize Bitcoin when subsidies run out
<cite index="2-1,2-2">Carlsten, Kalodner, Weinberg, and Narayanan published a 2016 paper at ACM CCS that argued Bitcoin's security assumptions break when block subsidies dwindle and transaction fees become the primary incentive for miners.</cite> <cite index="2-3,2-4">The paper challenges what the authors call an "implicit belief" that the shift from block rewards to transaction fees would not affect blockchain security.</cite>
The core insight: <cite index="2-5">with only transaction fees, the variance of the block reward becomes very high due to the exponentially distributed block arrival time, making it attractive to fork a "wealthy" block to "steal" the rewards therein.</cite> <cite index="2-6">This leads to an equilibrium with undesirable properties for Bitcoin's security and performance, and even non-equilibria in some circumstances.</cite>
<cite index="3-2,3-3">Narayanan blogged at the time that the paper predicts miner incentives will "go haywire" as rewards shift from block rewards to transaction fees, based on theoretical results that matched findings from a Bitcoin mining simulator.</cite> The argument is game-theoretic, not speculative. When a single block contains disproportionate fee revenue, rational miners face new incentives to reorganize recent history rather than extend the longest chain.
This is foundational infrastructure economics, not price talk. <cite index="3-6">The authors note the design decision has been discussed mostly in terms of monetary policy and hardly ever in terms of security.</cite> The paper appeared at a moment when almost no one was modeling the endgame.
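The variance argument can be checked numerically. This added simulation (not from the Carlsten et al. paper or its mining simulator) assumes fees accrue at a constant rate and each block claims everything pending, with exponentially distributed block intervals; the 0.03 BTC mean fee per block and all function names are constructed for the example.

```python
import random
import statistics

MEAN_BLOCK_INTERVAL_S = 600.0  # Bitcoin's 10-minute block target
SUBSIDY_BTC = 3.125            # subsidy after the 2024 halving
MEAN_FEE_BTC = 0.03            # constructed: roughly 1% of miner income


def simulate_block_rewards(subsidy_btc, fee_rate_btc_per_s, n_blocks, seed=1):
    """Reward of each block = fixed subsidy + fees accrued since the last block.

    Assumption of this model: fees enter the mempool at a constant rate and
    every block collects all of them, so the fee part of a reward is
    proportional to the (exponentially distributed) time the block took.
    """
    rng = random.Random(seed)
    rewards = []
    for _ in range(n_blocks):
        interval_s = rng.expovariate(1.0 / MEAN_BLOCK_INTERVAL_S)
        rewards.append(subsidy_btc + fee_rate_btc_per_s * interval_s)
    return rewards


def coefficient_of_variation(rewards):
    """Standard deviation divided by mean: 0 is a fixed reward, 1 is exponential."""
    return statistics.pstdev(rewards) / statistics.fmean(rewards)


def wealthy_block_share(rewards, multiple=2.0):
    """Fraction of blocks paying more than `multiple` times the average reward."""
    threshold = multiple * statistics.fmean(rewards)
    return sum(r > threshold for r in rewards) / len(rewards)


def compare_regimes(n_blocks=20000, seed=1):
    """Same average miner income per block, paid two different ways."""
    mean_income = SUBSIDY_BTC + MEAN_FEE_BTC
    regimes = {
        # Today: income is almost entirely the fixed subsidy.
        "subsidy_era": simulate_block_rewards(
            SUBSIDY_BTC, MEAN_FEE_BTC / MEAN_BLOCK_INTERVAL_S, n_blocks, seed),
        # Endgame: no subsidy, the same income arrives only as fees.
        "fee_era": simulate_block_rewards(
            0.0, mean_income / MEAN_BLOCK_INTERVAL_S, n_blocks, seed),
    }
    return {
        name: {
            "cv": coefficient_of_variation(rewards),
            "wealthy_share": wealthy_block_share(rewards),
        }
        for name, rewards in regimes.items()
    }


if __name__ == "__main__":
    for name, stats in compare_regimes().items():
        print(f"{name:12s} cv={stats['cv']:.4f} "
              f"blocks above 2x mean={stats['wealthy_share']:.2%}")
```

With average income held equal, the fee-only regime has a coefficient of variation near 1 and roughly one block in seven pays more than twice the average, while in the subsidy-dominated regime no block does.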
Sources:
- https://collaborate.princeton.edu/en/publications/on-the-instability-of-bitcoin-without-the-block-reward/
- https://blog.citp.princeton.edu/2016/10/21/bitcoin-is-unstable-without-the-block-reward/
- https://www.cs.princeton.edu/~arvindn/publications/mining_CCS.pdf
#economic-security #fee-markets #game-theory #miner-incentives #carlsten-kalodner-weinberg-narayanan #block-rewards #post-subsidy-security
Gas Metering as a Solution to the Halting Problem
<cite index="21-1">The EVM is a quasi–Turing-complete state machine; "quasi" because all execution processes are limited to a finite number of computational steps by the amount of gas available for any given smart contract execution.</cite> Without a constraint, <cite index="21-8,21-9">the Ethereum world computer is at risk of being asked to execute a program that never stops. This could be by accident or malice.</cite>
<cite index="20-4,20-5,20-6">Ethereum introduces a metering mechanism called gas. As the EVM executes a smart contract, it carefully accounts for every instruction (computation, data access, etc.). Each instruction has a predetermined cost in units of gas.</cite> <cite index="20-7,20-8">When a transaction triggers the execution of a smart contract, it must include an amount of gas that sets the upper limit of what can be consumed running the smart contract. The EVM will terminate execution if the amount of gas consumed by computation exceeds the gas available in the transaction.</cite>
The system has real economic teeth. <cite index="19-13,19-14">The EVM uses gas as a metering mechanism to measure computational work and prevent network abuse. Every operation consumes a specific amount of gas based on its computational complexity.</cite> <cite index="14-10">Each opcode executed by the EVM consumes a certain amount of gas, predetermined by the Ethereum yellow paper.</cite> This creates an incentive structure: inefficient contracts cost more to run, and malicious infinite loops burn the attacker's capital before they can degrade the network.
Sources:
- https://cypherpunks-core.github.io/ethereumbook/13evm.html
- https://medium.com/@NOKLabs/ethereum-and-turing-completeness-4d5043230a1f
- https://www.opendue.com/glossary/ethereum-virtual-machine
- https://www.quicknode.com/guides/ethereum-development/smart-contracts/a-dive-into-evm-architecture-and-opcodes
#gas #evm #quasi-turing-complete #halting-problem #protocol-design #ethereum-economics #dos-prevention #smart-contracts #foundational-text
The Stack Machine and Its Bytecode Instruction Set
The EVM is <cite index="2-9">described in the Yellow Paper as a quasi-Turing complete machine, which refers to its ability to solve any computational problem, given enough time and resources.</cite> <cite index="11-2,11-5,11-6">The EVM executes as a stack machine with a depth of 1024 items. Each item is a 256-bit word, which was chosen for the ease of use with 256-bit cryptography (such as Keccak-256 hashes or secp256k1 signatures).</cite>
<cite index="15-8,15-9,15-10">Contract execution starts at the beginning of the bytecode. Each opcode is encoded as one byte, except for the PUSH opcodes, which take an immediate value. All opcodes pop their operands from the top of the stack and push their result.</cite> <cite index="11-12">Compiled smart contract bytecode executes as a number of EVM opcodes, which perform standard stack operations like XOR, AND, ADD, SUB, etc.</cite> <cite index="11-13">The EVM also implements a number of blockchain-specific stack operations, such as ADDRESS, BALANCE, BLOCKHASH, etc.</cite>
The machine maintains transient and persistent storage layers. <cite index="11-7">During execution, the EVM maintains a transient memory (as a word-addressed byte array), which does not persist between transactions.</cite> <cite index="15-16,15-17">Storage is a persistent associative map, with uint256s as keys and uint256s as values. All contract fields and mappings are saved in storage.</cite> The distinction matters because storage operations cost orders of magnitude more gas than stack or memory operations.
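A minimal gas-metered stack machine, added here to illustrate the gas and bytecode rules described in this section and the gas-metering section before it (it is not code from the Yellow Paper or any Ethereum client). It implements five opcodes with their EVM byte values and gas costs; `run`, `Result` and the status strings are names assumed for this example.

```python
from dataclasses import dataclass

WORD_MASK = (1 << 256) - 1  # every stack item is a 256-bit word
STACK_LIMIT = 1024          # maximum stack depth

# Opcode bytes and gas costs for the five instructions modelled here.
STOP, ADD, JUMP, JUMPDEST, PUSH1 = 0x00, 0x01, 0x56, 0x5B, 0x60
GAS_COST = {STOP: 0, ADD: 3, JUMP: 8, JUMPDEST: 1, PUSH1: 3}


@dataclass
class Result:
    status: str    # "stopped" or the reason for an exceptional halt
    stack: list
    gas_used: int
    steps: int     # instructions that were paid for and executed


def valid_jump_destinations(code: bytes) -> set:
    """JUMPDEST bytes that are real instructions, not PUSH1 immediates."""
    dests, pc = set(), 0
    while pc < len(code):
        if code[pc] == JUMPDEST:
            dests.add(pc)
        pc += 2 if code[pc] == PUSH1 else 1  # skip the immediate byte
    return dests


def run(code: bytes, gas_limit: int) -> Result:
    jumpdests = valid_jump_destinations(code)
    stack, pc, gas, steps = [], 0, gas_limit, 0

    def halt(status):
        # An exceptional halt forfeits all supplied gas; a normal stop
        # is charged only for what was consumed.
        used = gas_limit - gas if status == "stopped" else gas_limit
        return Result(status, stack, used, steps)

    while pc < len(code):
        op = code[pc]
        if op not in GAS_COST:
            return halt("invalid_opcode")
        if GAS_COST[op] > gas:
            return halt("out_of_gas")  # this is what bounds every program
        gas -= GAS_COST[op]
        steps += 1
        if op == STOP:
            return halt("stopped")
        if op == PUSH1:
            if len(stack) >= STACK_LIMIT:
                return halt("stack_overflow")
            # A PUSH that runs past the end of the code reads zero.
            stack.append(code[pc + 1] if pc + 1 < len(code) else 0)
            pc += 2
        elif op == ADD:
            if len(stack) < 2:
                return halt("stack_underflow")
            stack.append((stack.pop() + stack.pop()) & WORD_MASK)
            pc += 1
        elif op == JUMP:
            if not stack:
                return halt("stack_underflow")
            dest = stack.pop()
            if dest not in jumpdests:
                return halt("invalid_jump")
            pc = dest
        else:  # JUMPDEST is a marker: pay for it and move on
            pc += 1
    return halt("stopped")  # running off the end is an implicit STOP


# Constructed sample programs.
ADD_PROGRAM = bytes.fromhex("600260030100")   # PUSH1 2, PUSH1 3, ADD, STOP
INFINITE_LOOP = bytes.fromhex("5b600056")     # JUMPDEST, PUSH1 0, JUMP
JUMP_INTO_PUSH_DATA = bytes.fromhex("605b600156")  # target byte 1 is data

if __name__ == "__main__":
    for name, code in [("add", ADD_PROGRAM), ("loop", INFINITE_LOOP),
                       ("bad jump", JUMP_INTO_PUSH_DATA)]:
        print(name, run(code, gas_limit=1000))
```

The loop never reaches a STOP, yet it ends after 251 instructions because each pass costs 12 gas and the limit is 1000. The third program shows why PUSH immediates matter: a `0x5b` byte inside push data is not a legal jump target.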
Sources:
- https://sherrx0.medium.com/diving-deep-into-the-ethereum-yellow-paper-a-comprehensive-technical-guide-b6dea91204c2
- https://ethereum.org/developers/docs/evm/
- https://ethervm.io/
#evm #opcodes #stack-machine #bytecode #smart-contracts #protocol-design #foundational-text
Wood's Formal Specification for the Ethereum Runtime
<cite index="1-3">The Ethereum Yellow Paper, authored by Dr. Gavin Wood in 2014, is the formal technical specification of the Ethereum protocol</cite>, and it remains the closest thing smart contract infrastructure has to a canonical reference implementation. <cite index="5-3">The Yellow Paper is a formal definition of the Ethereum protocol, originally by Gavin Wood, currently maintained by Andrew Ashikhmin and with contributions from many people around the world.</cite> The document covers <cite index="1-4">key aspects such as the Ethereum Virtual Machine (EVM), state transition functions, gas and fee structures, and cryptographic details</cite>.
It is not current. <cite index="5-5,5-6">The Yellow Paper is out of date. It reflects the Ethereum specification up to the Shanghai network upgrade, activated on the Ethereum mainnet at block 17_034_870 (April 2023).</cite> <cite index="5-8">An alternative Python Execution Layer specification is actively maintained and up to date.</cite> That the paper Wood wrote a decade ago is still used as a design reference speaks to both the durability of the EVM model and the challenge of keeping formal spec work synchronized with protocol change. <cite index="7-21,7-22">The Yellow Paper is the formal specification for Ethereum. Except where amended by the EIP process, it contains the exact description of how everything works.</cite>
The paper assumes mathematical fluency. <cite index="7-23">It is written as a mathematical paper, which includes terminology programmers may not find familiar.</cite> Client implementers read it when they need precision about state transitions or opcode semantics. Most smart contract developers do not.
Sources:
- https://www.scribd.com/document/995600976/Ethereum-Yellow-Paper
- https://github.com/ethereum/yellowpaper
- https://ethereum.org/he/developers/tutorials/yellow-paper-evm/
#protocol-design #evm #formal-specification #foundational-text #gavin-wood #ethereum-architecture #smart-contracts
Andreas Antonopoulos, Protocol Translator
<cite index="24-28,24-30,24-32">Antonopoulos first dismissed Bitcoin, then in mid-2012 read the whitepaper and by page nine his mind was thoroughly blown</cite>. <cite index="17-10,17-11,17-12">He lost twenty pounds during a months-long research fugue, then decided to dedicate himself to working on Bitcoin; two years later he wrote Mastering Bitcoin</cite>. <cite index="1-18,1-20">His later books include Mastering Ethereum in 2018 and Mastering the Lightning Network, explaining Bitcoin's second-layer payment network; he serves as a teaching fellow at the University of Nicosia and on the Oversight Committee for the Bitcoin Reference Rate at the Chicago Mercantile Exchange</cite>.
<cite index="22-3,22-8">Mastering Bitcoin has been called the canonical reference that made Bitcoin and blockchain technology accessible to a broad audience, compiled collaboratively in the same spirit as the protocol it describes and the most thoroughly vetted reference for developers</cite>. The book has been <cite index="1-19">translated into 14 languages</cite>. Antonopoulos built a reputation for explaining protocol mechanics to engineers without ideology or price targets—the book stays at the level of keys, scripts, and nodes, the infrastructure that runs regardless of market sentiment.
Sources:
- https://www.case-podcast.org/16-bitcoin/transcript
- https://pdfroom.com/books/mastering-bitcoin-programming-the-open-blockchain-oreilly-2nd-edition-2017/zydD8B7Zd14/
- https://aantonop.com/
- https://www.amazon.com/Mastering-Bitcoin-Programming-Open-Blockchain/dp/1491954388
#technical-author #bitcoin-educator #protocol-expert #infrastructure #developer-resources #technical-reference #protocol-design
Protocol Stack in Print
<cite index="10-1,10-7">The O'Reilly editions walk through peer-to-peer network architecture, node types and roles, the extended Bitcoin network, network discovery, full nodes, SPV nodes, Bloom filters, transaction pools, and block structure including merkle trees</cite>. <cite index="13-1">They cover Bitcoin Core from compilation through API use, exploring transactions and blocks, and alternative client libraries in C/C++, JavaScript, Java, Python, Go, Rust, and Scala</cite>. <cite index="16-3,16-4">The text explains how users own keys that prove ownership of bitcoin in the network, signing transactions to unlock value and transfer it to a new owner</cite>.
Antonopoulos <cite index="26-3,26-4">holds degrees in Computer Science and Data Communications and Distributed Systems from UCL, with experience ranging from hardware to high-level financial systems consulting, combining authority with an ability to make complex subjects clear</cite>. <cite index="3-16,3-17">The third edition was co-authored with David A. Harding, a technical writer who co-authored the Bitcoin Optech newsletter and Bitcoin.org developer documentation</cite>. The books function as a reference manual for the protocol layer—transactions, scripts, consensus, network topology—without speculation about adoption curves or macro narratives.
Sources:
- https://www.oreilly.com/library/view/mastering-bitcoin-2nd/9781491954379/
- https://www.oreilly.com/library/view/mastering-bitcoin-3rd/9781098150082/
- https://www.amazon.com/Mastering-Bitcoin-Programming-Open-Blockchain/dp/1098150090
- https://books.google.com/books/about/Mastering_Bitcoin.html?id=MpwnDwAAQBAJ
#bitcoin-architecture #peer-to-peer-networking #cryptographic-primitives #protocol-implementation #infrastructure #technical-reference #protocol-design
The O'Reilly Reference That Stuck
<cite index="1-15">Mastering Bitcoin has been called the best technical guide ever written about Bitcoin</cite>, and that reputation landed it in the hands of every developer who wanted to understand the protocol without reading forum threads. <cite index="14-3">The book has gone through three editions—first in December 2014, second in March 2018, third in December 2023</cite>—each updating for soft forks and layer-two work that changed what a programmer needed to know.
<cite index="17-1,17-15">The book is mostly intended for coders, teaching how cryptographic currencies work, how to use them, and how to develop software that works with them</cite>. <cite index="4-2,4-7">It covers technical foundations for developers and systems architects, details of the decentralized network, peer-to-peer architecture, transaction lifecycle, security principles, and includes user stories, analogies, examples, and code snippets</cite>. The third edition added coverage of <cite index="6-3">Taproot, Tapscript, Schnorr signatures, and the Lightning Network</cite>.
<cite index="14-1">The complete text is available on GitHub</cite>, published by O'Reilly under Creative Commons licensing. <cite index="2-8">Gavin Andresen, former Bitcoin Foundation Chief Scientist, said anyone who reads it will have a deep understanding of how it works and be well-equipped to write the next generation of applications</cite>. It became the standing technical reference because it explained the stack without selling a vision.
Sources:
- https://www.amazon.com/Mastering-Bitcoin-Programming-Open-Blockchain/dp/1491954388
- https://github.com/bitcoinbook/bitcoinbook
- https://dokumen.pub/mastering-bitcoin-unlocking-digital-cryptocurrencies-first-edition-9781449374044-1449374042-9781491902608-1491902604.html
- https://www.barnesandnoble.com/w/mastering-bitcoin-andreas-m-antonopoulos/1126323222
#technical-reference #protocol-design #developer-documentation #bitcoin-core #open-source #infrastructure
Protocol modifications and detection methods as countermeasures
<cite index="19-10,19-11">Eyal and Sirer proposed a practical modification to the Bitcoin protocol that protects against selfish mining pools commanding less than 1/4 of resources; this threshold is lower than the wrongly assumed 1/2 bound, but better than the current reality where a group of any size can compromise the system</cite>. <cite index="26-1,26-2,26-3">Several modifications to the Bitcoin protocol have been suggested, and it is important to provably verify the resilience of such protocols to selfish mining, which can be done by adapting optimization algorithms to the MDPs induced by these modifications</cite>.
<cite index="22-6,22-7,22-8">Some projects like Bitcoin Cash introduced alternative difficulty adjustment algorithms to limit manipulation impact; other designs such as GHOST (Greedy Heaviest-Observed Sub-Tree) account for orphaned blocks by including them in the chain's weight calculation, so even discarded blocks contribute to security, reducing selfish mining impact</cite>. <cite index="22-9,22-10">Bitcoin's robust peer-to-peer topology and continual improvements in block propagation reduce the informational advantages that selfish miners rely on; any private lead is harder to maintain when blocks spread quickly and globally</cite>.
<cite index="7-3,7-4,7-9">In a block withholding attack, miners could decide to not submit the block or postpone submitting it; the latter, known as selfish mining, can be shown to be potentially profitable for the attacker</cite>. Detection work has focused on statistical methods. <cite index="2-4,2-6">The attack and its variants have been subjects of intense stochastic, game-theoretic, and protocol-analytic research, leading to numerous countermeasures; cryptoeconomic modeling, reinforcement learning, and empirical studies inform ongoing security assessment and protocol evolution</cite>.
Sources:
- https://arxiv.org/pdf/1311.0243
- https://www.ifca.ai/fc16/preproceedings/30_Sapirshtein.pdf
- https://www.nervos.org/knowledge-base/what_is_selfish_mining_and_how_protocols_deter_it_(explainCKBot)
- https://www.nature.com/articles/s41598-024-55348-3
- https://www.emergentmind.com/topics/selfish-mine-attack
#protocol-design #security-research #ghost #difficulty-adjustment #network-topology #countermeasures #selfish-mining #statistical-detection #game-theory #protocol-vulnerabilities
Game theory says rational miners defect; markets might disagree
<cite index="11-5,11-6">Researchers have modeled interactions between pools using game theory to derive the utility of mining strategies, simulating the game for Bitcoin to analyze profitability in terms of monetary award instead of relative revenue</cite>. <cite index="17-2,17-3,17-4,17-5">Selfish mining is arguably the most well-known game-theoretic attack in blockchain, indicating that the Bitcoin mining protocol is not incentive-compatible; the key idea is to induce honest miners to waste mining power, so the selfish pool obtains more revenue than its fair share</cite>.
<cite index="17-6,17-7">Sapirshtein et al. expanded the action space of selfish mining, modeled it as a Markov Decision Process (MDP), and pioneered a technique to resolve the non-linear objective function to get a more powerful selfish mining strategy for revenue arbitrarily close to the optimum</cite>. <cite index="25-2,25-3,25-4">Analysis has been extended to multiple non-colluding selfish miners, finding that specific deviations from honest mining by multiple strategic agents can outperform honest mining even if individually miners would not be incentivized to be dishonest, rendering Bitcoin less secure than previously thought</cite>.
But theory is not practice. <cite index="12-1,12-6">Part of the game theory is that if miners reduce network security, the bitcoin they receive is worth less or worthless, incentivizing them to act honestly to preserve bitcoin's value</cite>. <cite index="21-3,21-4">One critique of selfish mining in practice is that the presence of a selfish miner is statistically detectable; the pattern of orphaned blocks cannot be explained by natural network delays, so users can detect this and it may significantly negatively impact the value of BTC</cite>.
Sources:
- https://ieeexplore.ieee.org/document/9839233/
- https://arxiv.org/pdf/2202.08466
- https://arxiv.org/pdf/1906.04502
- https://bitpublica.substack.com/p/bitcoin-game-theory-selfish-mining
- https://arxiv.org/pdf/2309.06847
#game-theory #markov-decision-process #incentive-compatibility #selfish-mining #protocol-vulnerabilities #security-research #market-dynamics
Selfish mining breaks the assumption that honest behavior pays
<cite index="19-1,19-5,19-6">Ittay Eyal and Emin Gün Sirer from Cornell published "Majority is not Enough: Bitcoin Mining is Vulnerable" in 2013, showing that the Bitcoin protocol is not incentive-compatible and that colluding miners can obtain revenue larger than their fair share</cite>. <cite index="2-2,2-3">The attack involves miners deliberately withholding newly found blocks to construct a private fork, then selectively releasing it to maximize rewards; miners with as little as 25–33% of total hashpower can achieve higher-than-proportional share of rewards if network conditions are favorable</cite>.
The mechanism is straightforward. <cite index="5-6,5-7,5-8">The attacker withholds newly mined blocks and continues mining privately, causing honest miners to waste their mining power on a shorter public chain, which orphans some honest blocks and enables the attacker to earn more profit</cite>. <cite index="19-7,19-8">Rational miners will prefer to join the selfish miners, and the colluding group will increase in size until it becomes a majority, at which point the Bitcoin system ceases to be a decentralized currency</cite>.
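An added example (not from the page or from the cited papers' code) that turns the 25–33% figure above into a risk model: the closed-form revenue share published by Eyal and Sirer, its break-even pool size, and a Monte Carlo run of the withholding state machine that also reports the orphan rate a chain monitor would observe. `gamma`, the share of honest hash power that builds on the pool's branch during a tie, stands for the page's "network conditions"; the simulation assumes zero natural propagation delay, so every orphan it counts comes from withholding.

```python
import random


def selfish_relative_revenue(alpha: float, gamma: float) -> float:
    """Pool's share of main-chain blocks (Eyal and Sirer 2013, closed form).

    alpha: pool's fraction of total hash power, 0 < alpha < 0.5
    gamma: fraction of honest hash power that mines on the pool's block in a tie
    """
    num = alpha * (1 - alpha) ** 2 * (4 * alpha + gamma * (1 - 2 * alpha)) - alpha ** 3
    den = 1 - alpha * (1 + (2 - alpha) * alpha)
    return num / den


def break_even_pool_size(gamma: float) -> float:
    """Smallest alpha at which withholding earns more than the fair share alpha."""
    return (1 - gamma) / (3 - 2 * gamma)


def simulate(alpha: float, gamma: float, blocks: int = 200_000, seed: int = 1):
    """Monte Carlo over the withholding state machine.

    Returns (pool_share_of_main_chain, orphan_rate). The orphan rate is the
    fraction of mined blocks that never reach the main chain, i.e. the signal
    the statistical-detection critique relies on.
    """
    rng = random.Random(seed)
    lead = 0            # private branch length minus public branch length
    tie = False         # two equal-length branches are currently racing
    pool = honest = 0   # blocks that ended up on the main chain
    for _ in range(blocks):
        pool_found = rng.random() < alpha
        if tie:
            if pool_found:                  # pool extends its own branch
                pool += 2
            elif rng.random() < gamma:      # honest miner extends pool's branch
                pool += 1
                honest += 1
            else:                           # honest miner extends honest branch
                honest += 2
            tie = False                     # either way one racing block is orphaned
        elif pool_found:
            lead += 1                       # block is withheld
        elif lead == 0:
            honest += 1                     # ordinary honest block
        elif lead == 1:
            tie, lead = True, 0             # withheld block released, race starts
        elif lead == 2:
            pool += 2                       # both withheld blocks win, honest block orphaned
            lead = 0
        else:
            pool += 1                       # one block released, honest block orphaned
            lead -= 1
    withheld = lead + (2 if tie else 0)     # unresolved blocks at the end of the run
    main = pool + honest
    return pool / main, 1 - main / (blocks - withheld)


if __name__ == "__main__":
    for g in (0.0, 0.5, 1.0):
        print(f"gamma={g}: break-even pool size {break_even_pool_size(g):.3f}")
    share, orphans = simulate(0.4, 0.5)
    print(f"alpha=0.4 gamma=0.5: share {share:.3f} "
          f"(closed form {selfish_relative_revenue(0.4, 0.5):.3f}), orphan rate {orphans:.3f}")
```

With `gamma = 0` the break-even pool size is one third and with `gamma = 0.5` it is one quarter, which is the 25–33% range quoted above.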
<cite index="9-2,9-3">The paper was controversial when first made public; Sirer announced it by tweeting that Bitcoin was "fundamentally broken at the protocol layer," and the authors publicly disclosed the attack without first informing Bitcoin developers</cite>. <cite index="22-2,22-3">Their analysis showed miners controlling as little as one-third of total network hash power could manipulate block release timing to increase revenue, contradicting the long-held belief that only those with over 50 percent could threaten Bitcoin's security</cite>.
Sources:
- https://arxiv.org/pdf/1311.0243
- https://www.emergentmind.com/topics/selfish-mine-attack
- https://eprint.iacr.org/2024/363.pdf
- https://cacm.acm.org/research/technical-perspective-the-rewards-of-selfish-mining/
- https://www.nervos.org/knowledge-base/what_is_selfish_mining_and_how_protocols_deter_it_(explainCKBot)
#security-research #game-theory #protocol-vulnerabilities #eyal-sirer #selfish-mining #incentive-compatibility #proof-of-work #mining-attacks
Disintermediation strategies and the limits of trustlessness
<cite index="22-4,22-5">The paper provided insights on disintermediation protocols, which remove the need for trusted intermediaries in certain applications, identifying three general strategies with detailed comparisons</cite>. <cite index="18-6,18-7">Proposals included multi-signature signing, atomic swaps, collateral protocols, and audits to reduce reliance on intermediaries, as well as using Bitcoin as an immutable append-only log for timestamping, digital tokens, and overlay protocols</cite>.
The analysis acknowledged what the system could and could not do. Some applications—escrow, simple swaps, time-stamping—map cleanly to Bitcoin's UTXO model and consensus guarantees. Others require oracles, reputation systems, or legal backstops that reintroduce trust assumptions in different form.
The treatment stayed pragmatic. Trustlessness is a spectrum, not a binary, and the paper showed where each strategy placed the risk. The infrastructure occasionally produces something that matters. The SoK documented which things had a chance of mattering and why.
Sources:
- https://changehero.io/blog/bitcoin-security-stability-challenges-solutions/
- https://www.researchgate.net/publication/284190655_SoK_Research_Perspectives_and_Challenges_for_Bitcoin_and_Cryptocurrencies
- https://experts.illinois.edu/en/publications/sok-research-perspectives-and-challenges-for-bitcoin-and-cryptocu/
#disintermediation #trustless-protocols #multi-signature #atomic-swaps #collateral-protocols #overlay-protocols #trust-minimization #foundational-text #protocol-design #academic-review
Anonymity as engineering problem, not marketing promise
<cite index="20-6">The paper surveyed anonymity issues in Bitcoin and provided an evaluation framework for analyzing privacy-enhancing proposals</cite>. The treatment was comparative, not ideological—no manifestos about surveillance or freedom, just protocol mechanics and their limits.
Bitcoin's privacy properties were not what early users assumed. The paper brought rigor to what had been loose claims about pseudonymity, tracing the gap between address reuse, network-layer leaks, and blockchain analysis. The evaluation framework let researchers score proposed fixes—mixers, ring signatures, zerocoin variants—on measurable criteria rather than philosophy.
<cite index="24-1,24-2">Later work cited Bonneau et al. 2015 as the first SoK to generally survey issues related to Bitcoin and altcoins</cite>. The anonymity section became a reference point for subsequent research into privacy coins and mixing services. The paper did not solve the privacy problem. It mapped the territory well enough that others knew where to dig.
Sources:
- https://collaborate.princeton.edu/en/publications/sok-research-perspectives-and-challenges-for-bitcoin-and-cryptocu/
- https://experts.illinois.edu/en/publications/sok-research-perspectives-and-challenges-for-bitcoin-and-cryptocu/
- https://www.researchgate.net/publication/338370170_SoK_A_Systematic_Study_of_Anonymity_in_Cryptocurrencies
#anonymity #privacy-techniques #pseudonymity #mixing-services #evaluation-framework #blockchain-analysis #privacy-coins #foundational-text #protocol-design #academic-review
What the paper said about consensus and known attacks
The SoK documented the <cite index="11-3">growing literature that identified hidden-but-important properties of Bitcoin, discovered attacks, and proposed alternatives</cite>. Among the catalog: <cite index="3-6,3-7,3-8">feather-forking, a strategy proposed by Miller in which a miner publicly threatens to retaliate against blocks containing blacklisted transactions by forking the chain, succeeding with positive probability even if the attacker controls less than 50% of mining power and loses money on expectation</cite>.
The authors treated consensus as a design space, not a solved problem. <cite index="10-8">Their comparative analyses covered alternative consensus mechanisms, currency allocation mechanisms, computational puzzles, and key management tools</cite>. This framing separated the What Works from the Why It Works, making room for engineers to swap components without pretending the whole system had formal proofs of safety.
The stability question hung over the analysis. <cite index="10-2,10-3">Bitcoin had grown to billions in economic value despite only cursory analysis of its design; since then research identified hidden properties, attacks, and difficult future challenges</cite>. The paper's contribution was not predicting whether consensus would hold. It was showing where the load-bearing walls were.
Sources:
- https://www.ieee-security.org/TC/SP2015/papers-archived/6949a104.pdf
- https://collaborate.princeton.edu/en/publications/sok-research-perspectives-and-challenges-for-bitcoin-and-cryptocu/
- https://www.academia.edu/27424281/SoK_Research_Perspectives_and_Challenges_for_Bitcoin_and_Cryptocurrencies
#consensus-mechanisms #mining-attacks #feather-forking #protocol-stability #decoupled-design #adversarial-strategies #proof-of-work #foundational-text #protocol-design #academic-review
The 2015 SoK that pulled Bitcoin research into one frame
<cite index="3-1">The Bonneau-Miller-Clark-Narayanan-Kroll-Felten paper presented at the 2015 IEEE Symposium on Security and Privacy was the first systematic exposition of Bitcoin and the sprawling ecosystem of altcoins</cite>. The paper's arrival mattered because <cite index="17-2">Bitcoin had grown to billions of dollars in economic value within two years of launch while the body of published research justifying the system's design was negligible</cite>.
The authors did not advocate. <cite index="9-6,9-7,9-8">They identified three key components of Bitcoin's design that could be decoupled, enabling more insightful analysis of Bitcoin's properties and future stability, then mapped the design space for modifications including consensus mechanisms, currency allocation, computational puzzles, and key management</cite>. <cite index="19-1,19-5">They surveyed anonymity issues and provided an evaluation framework for privacy-enhancing proposals</cite>. <cite index="19-6,19-7">They explored what they called disintermediation protocols—systems that remove the need for trusted intermediaries—identifying three general strategies</cite>.
The format is "Systematization of Knowledge," an IEEE category that rewards synthesis over novelty. This one brought coherence to scattered work on attacks, alternatives, and open questions. It remains a reference text for anyone building on or breaking the protocol.
Sources:
- https://www.ieee-security.org/TC/SP2015/papers-archived/6949a104.pdf
- https://experts.illinois.edu/en/publications/sok-research-perspectives-and-challenges-for-bitcoin-and-cryptocu/
- https://eprint.iacr.org/2015/261
#foundational-text #protocol-design #academic-review #consensus-mechanisms #anonymity #sok-paper #ieee-symposium #bitcoin-research
Why Forks Stop Being Waste
<cite index="1-8,1-9">Sompolinsky and Zohar use the fact that reducing the block time and increasing the block size increases the number of forks that occur: the difficulty threshold is reduced, blocks take longer to propagate, so geographically dispersed miners find blocks sooner and hear of blocks later. They use forks for the protocol's advantage.</cite>
<cite index="4-5">There is a centralization issue: if miner A is a mining pool with 30% hashpower and B has 10% hashpower, A will have a risk of producing a stale block 70% of the time (since the other 30% of the time A produced the last block and so will get mining data immediately) whereas B will have a risk of producing a stale block 90% of the time.</cite> <cite index="4-7">To solve the second issue of centralization bias, Ethereum goes beyond the protocol described by Sompolinsky and Zohar, and also provides block rewards to stales: a stale block receives 87.5% of its base reward, and the nephew that includes the stale block receives the remaining 12.5%.</cite>
The core insight is that orphaned blocks are not adversarial—they are the product of network delay. Bitcoin's longest-chain rule treats them as worthless. GHOST treats them as valid PoW that should inform chain selection. In a DAG, the concept disappears entirely: <cite index="18-1">Unlike more traditional blockchains, GhostDAG doesn't orphan blocks created in parallel, but instead allows them to coexist and orders them in consensus.</cite>
Sources:
- https://medium.com/@drstone/an-overview-of-proof-of-work-based-blockchain-consensus-protocols-part-1-e04102885093
- https://pubudu-ranasinghe.gitbooks.io/ethereum-whitepaper/content/miscellanea_and_concerns/modified_ghost_implementation.html
- https://www.gate.com/learn/articles/introducing-kaspa-and-its-ghostdag-protocol/569
#ghost #orphan-blocks #centralization #ethereum #uncle-blocks #consensus-mechanisms #protocol-design #foundational-text
Fast Money Grows on Trees: The 2013 Scaling Proposal
<cite index="20-2,20-3">Bitcoin is a potentially disruptive new crypto-currency based on a decentralized open-source protocol which is gradually gaining popularity. Perhaps the most important question that will affect Bitcoin's success, is whether or not it will be able to scale to support the high volume of transactions required from a global currency system.</cite>
<cite index="20-5,20-6">The security analysis done by Bitcoin's creator Satoshi Nakamoto assumes that block propagation delays are negligible compared to the time between blocks---an assumption that does not hold when the protocol is required to process transactions at high rates. The paper improves upon the original analysis and removes this assumption.</cite>
<cite index="20-8,21-2">The block generation rate can be securely increased to more than one block per second -- a 600 fold speedup compared to today's rate, while still allowing the network to process many transactions per second.</cite> This is the paper—often titled "Accelerating Bitcoin's Transaction Processing. Fast Money Grows on Trees, Not Chains"—that introduced the tree-based consensus mechanism underlying GHOST.
The work appeared in the IACR Cryptology ePrint Archive in 2013 and was later published in the Financial Cryptography conference proceedings in 2015 as "Secure High-Rate Transaction Processing in Bitcoin." <cite index="26-17">GHOST has been adopted and a variant of it has been implemented as part of the Ethereum project, a second generation distributed applications platform.</cite>
Sources:
- https://eprint.iacr.org/2013/881
- https://www.semanticscholar.org/paper/Accelerating-Bitcoin's-Transaction-Processing.-Fast-Sompolinsky-Zohar/401680ef12c04c247c50737b9114c169c660aab9
- https://link.springer.com/content/pdf/10.1007/978-3-662-47854-7_32.pdf
#ghost #bitcoin-scaling #sompolinsky-zohar #transaction-throughput #foundational-text #protocol-design #ethereum #consensus-mechanisms
From GHOST to PHANTOM: The DAG Generalization
<cite index="14-3,14-4,14-5">One primary problem with Satoshi's blockchain is its highly limited scalability. The security of Satoshi's longest chain rule requires that all honest nodes be aware of each other's blocks very soon after the block's creation. To this end, the throughput of the system is artificially suppressed so that each block fully propagates before the next one is created, and that very few "orphan blocks" that fork the chain be created spontaneously.</cite>
Sompolinsky and Zohar extended their GHOST work to directed acyclic graphs. <cite index="10-3,10-4">The protocol represents a theoretical breakthrough: it generalizes Nakamoto consensus (the consensus mechanism used by Bitcoin) to work with a Directed Acyclic Graph (DAG) instead of a linear chain.</cite> <cite index="13-1,13-7,13-8">In traditional blockchains, only one block per unit of time is accepted (also called the block time), while competing blocks are discarded as "orphans". GhostDAG breaks this model by allowing parallel blocks and integrating them into one shared data structure (blockDAG).</cite>
<cite index="10-1,10-2">In GHOSTDAG, there are no orphaned blocks. Every valid block that follows the protocol rules is incorporated into the DAG and contributes to network security.</cite> <cite index="17-13,17-14">The use of PHANTOM is considered impractical for efficient use, because it requires the solution of a NP-hard problem (Maximum k-cluster SubDAG problem). In response, the authors of PHANTOM have developed a greedy (heuristic) algorithm called GHOSTDAG, which is more suitable for practical implementation.</cite>
Sources:
- https://eprint.iacr.org/2018/104
- https://kaspa-lens.com/kaspa/wiki/kaspa-technology-and-features/ghostdag-consensus-protocol
- https://finst.com/en/learn/articles/ghostdag-explained
- https://www.researchgate.net/publication/354329329_DAG-Oriented_Protocols_PHANTOM_and_GHOSTDAG_under_Incentive_Attack_via_Transaction_Selection_Strategy
#ghostdag #phantom #dag-consensus #sompolinsky-zohar #orphan-blocks #protocol-design #blockdag #foundational-text #consensus-mechanisms
GHOST: Orphan Blocks as Consensus Signal
<cite index="4-1,4-3">Yonatan Sompolinsky and Aviv Zohar introduced the Greedy Heaviest Observed Subtree (GHOST) protocol in December 2013.</cite> <cite index="4-4">The motivation behind GHOST is that blockchains with fast confirmation times currently suffer from reduced security due to a high stale rate - because blocks take a certain time to propagate through the network, if miner A mines a block and then miner B happens to mine another block before miner A's block propagates to B, miner B's block will end up wasted and will not contribute to network security.</cite>
Bitcoin's longest-chain rule throws away these orphaned blocks. <cite index="1-5">GHOST follows the path of the subtree with the combined hardest proof of work/difficulty.</cite> <cite index="4-6">As described by Sompolinsky and Zohar, GHOST solves the first issue of network security loss by including stale blocks in the calculation of which chain is the "longest"; that is to say, not just the parent and further ancestors of a block, but also the stale descendants of the block's ancestor (in Ethereum jargon, "uncles") are added to the calculation of which block has the largest total proof of work backing it.</cite>
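The two fork-choice rules described above, side by side, as an added example that is not code from the page, the GHOST paper or Ethereum. Block names and the tree shape are constructed, every block is assumed to carry one unit of work, and ties go to the first block seen.

```python
from collections import defaultdict


class BlockTree:
    """Block tree with per-block work, supporting two fork-choice rules."""

    def __init__(self, genesis="G"):
        self.genesis = genesis
        self.parent = {genesis: None}
        self.work = {genesis: 0}
        self.cumulative = {genesis: 0}      # work on the path genesis -> block
        self.children = defaultdict(list)   # insertion order = first-seen order

    def add(self, block, parent, work=1):
        if parent not in self.parent:
            raise ValueError(f"unknown parent {parent!r}")
        if block in self.parent:
            raise ValueError(f"duplicate block {block!r}")
        self.parent[block] = parent
        self.work[block] = work
        self.cumulative[block] = self.cumulative[parent] + work
        self.children[parent].append(block)

    def subtree_work(self, root):
        """Total work of root and every descendant, stale siblings included."""
        total, stack = 0, [root]
        while stack:
            block = stack.pop()
            total += self.work[block]
            stack.extend(self.children[block])
        return total

    def longest_chain_tip(self):
        """Nakamoto rule: the tip with the most work on its own path only."""
        return max(self.cumulative, key=self.cumulative.get)

    def ghost_tip(self):
        """GHOST: from genesis, keep stepping into the heaviest child subtree."""
        tip = self.genesis
        while self.children[tip]:
            tip = max(self.children[tip], key=self.subtree_work)
        return tip

    def path(self, tip):
        chain = []
        while tip is not None:
            chain.append(tip)
            tip = self.parent[tip]
        return chain[::-1]


def build_example():
    """Constructed tree: a thin 4-block branch vs. a forked 6-block branch."""
    tree = BlockTree()
    # Branch A: four blocks in a straight line (no forks, little total work).
    for block, parent in [("A1", "G"), ("A2", "A1"), ("A3", "A2"), ("A4", "A3")]:
        tree.add(block, parent)
    # Branch H: six blocks, forked by propagation delay, so depth is only 3.
    for block, parent in [("H1", "G"), ("H2a", "H1"), ("H2b", "H1"),
                          ("H2c", "H1"), ("H3a", "H2a"), ("H3b", "H2a")]:
        tree.add(block, parent)
    return tree


if __name__ == "__main__":
    tree = build_example()
    print("longest chain:", tree.path(tree.longest_chain_tip()))
    print("GHOST        :", tree.path(tree.ghost_tip()))
    print("work under A1:", tree.subtree_work("A1"), "| under H1:", tree.subtree_work("H1"))
```

On this tree the longest-chain rule selects the four-block branch `A1..A4` although the forked branch under `H1` holds six blocks of work, while GHOST descends into `H1` because stale siblings count toward subtree weight.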
<cite index="26-15,26-16">At high throughput, substantially weaker attackers are able to reverse payments they have made, even well after they were considered accepted by recipients. The GHOST rule addresses this security concern through a modification to the way Bitcoin nodes construct and re-organize the block chain.</cite> <cite index="2-1">The consensus mechanism in Ethereum is based on the Greedy Heaviest Observed Subtree (GHOST) protocol proposed initially by Zohar and Sompolinsky in December 2013.</cite>
Sources:
- https://pubudu-ranasinghe.gitbooks.io/ethereum-whitepaper/content/miscellanea_and_concerns/modified_ghost_implementation.html
- https://medium.com/@drstone/an-overview-of-proof-of-work-based-blockchain-consensus-protocols-part-1-e04102885093
- https://www.oreilly.com/library/view/mastering-blockchain/9781788839044/e2a7cf90-03be-4a7d-b99b-97f3b487cb99.xhtml
- https://link.springer.com/content/pdf/10.1007/978-3-662-47854-7_32.pdf
#ghost #consensus-mechanisms #ethereum #orphan-blocks #sompolinsky-zohar #protocol-design #foundational-text
Network topology and routing without full mesh connectivity
<cite index="19-9,19-10">Micropayment channels only create a relationship between two parties; requiring everyone to create channels with everyone else does not solve the scalability problem</cite>. <cite index="4-3">The idea is that, similar to the concept of 'six degrees of separation,' all Lightning Network users will be able to pay all other Lightning Network users directly or through one or more forwarding users</cite>. <cite index="21-4,21-8">Lightning uses bidirectional payment channels secured by HTLCs to route payments across a network of interconnected nodes, with payments routed through multiple channels using onion routing where each hop only knows its immediate predecessor and successor</cite>. The network is a mesh, not a hub. But <cite index="20-13,20-14">the Lightning Network faces challenges including risks of centralization if a hub-and-spoke model emerges</cite>. The routing assumption is that liquidity will distribute across enough paths to reach any destination without concentrating intermediaries. Market structure will test whether that holds.
Sources:
- https://lightning.network/lightning-network-paper.pdf
- https://medium.com/coinmonks/the-lightning-network-technology-behind-bitcoins-scaling-solution-915c07455ca8
- https://www.spark.money/research/bitcoin-layer-2-comparison
- https://archlending.com/blog/lightning-network
#network-topology #routing #payment-channels #onion-routing #decentralization #liquidity #layer-2 #scalability #foundational-text
Off-chain scalability claims and the on-chain constraint
<cite index="15-3,15-4">The Lightning Network claims capacity for millions to billions of transactions per second, blowing away legacy payment rails by many orders of magnitude</cite>. <cite index="16-2,16-8">Lightning is described as a scalability solution allowing transactions with negligible fees and instant settlement, with the main insight that transactions can be issued off-blockchain in a trust-minimized manner</cite>. <cite index="16-9,16-10,16-11">Bidirectional payment channels can be formed on-chain using HTLCs, with thousands of payments occurring with essentially only 2 on-chain transactions: the opening and closing channel transactions</cite>. The throughput claims hinge on off-chain state updates. But <cite index="4-1,4-10,4-11">according to the Lightning Network whitepaper, in order to scale to billions of people, the Bitcoin block size has to be increased—at present, creation of a single Lightning channel for every person in the world would take roughly 140 years with the current block size</cite>. The layer-2 narrative depends on infrequent settlement. The base-layer constraint remains.
Sources:
- https://lightning.network/
- https://arxiv.org/pdf/1901.04972
- https://medium.com/coinmonks/the-lightning-network-technology-behind-bitcoins-scaling-solution-915c07455ca8
#scalability #layer-2 #throughput #payment-channels #block-size #on-chain-constraint #foundational-text
Bidirectional channels and the problem of pre-signed transactions
<cite index="15-8,15-9,15-10">Bidirectional payment channels work by creating a ledger entry on the blockchain requiring both participants to sign off on spending, with both parties creating refund transactions that are not broadcast to the blockchain</cite>. <cite index="27-2,27-3">The key problem in going from unidirectional to bidirectional channels: once you create a transaction and sign it there is no way to unmake it—that transaction remains valid and can be used at any time</cite>. <cite index="27-4,27-5,27-6">The solution at the heart of the Poon-Dryja channel is the revocation key, which creates a strong incentive to never use older pre-signed transactions and even a benefit for the party that someone is attempting to cheat</cite>. <cite index="1-3">The design employs Hashed Timelock Contracts (HTLCs) to enable trustless, routed transactions across a mesh network, where users settle balances on the main blockchain only when channels open or close</cite>. The penalty mechanism—broadcasting an old commitment transaction allows the counterparty to claim all channel funds—is what makes bidirectional flows work without trusted intermediaries. It is adversarial design in the cleanest form.
Sources:
- https://lightning.network/
- https://bitcoinmagazine.com/technical/bitcoin-layer-2-lightning-network
- https://grokipedia.com/page/Lightning_Network
#payment-channels #bidirectional #htlc #revocation-key #poon-dryja #foundational-text #layer-2 #scalability
The Poon-Dryja whitepaper and Bitcoin's throughput problem
<cite index="5-1,5-3">Joseph Poon and Thaddeus Dryja released the Lightning Network whitepaper on January 16, 2016</cite>, laying out a layer-2 protocol to route payments through bidirectional off-chain channels. <cite index="5-7,5-8">Dryja is a research scientist at MIT's digital currency initiative; Poon is a blockchain scalability researcher</cite>. <cite index="6-2,6-3">The first draft outlined concerns with Bitcoin's ability to scale: the payment network Visa handles peak transactions of 45,000 per second during holidays, while Bitcoin manages around 7</cite>. <cite index="8-2,8-3,8-6">The abstract proposed a decentralized system where transactions are sent over a network of micropayment channels whose transfer of value occurs off-blockchain</cite>. The whitepaper relied on fixing transaction malleability—a signature problem that let transaction IDs change after broadcast—to enable trustless off-chain contracts. <cite index="1-5">The conceptual roots trace to developer Tier Nolan's 2013 work on payment channels and atomic transfers</cite>. Poon and Dryja formalized the mechanics of penalty-based revocation and routed payments across a mesh network, which became the infrastructure layer beneath what later launched as Lightning.
Sources:
- https://voltage.cloud/blog/who-invented-the-lightning-network
- https://voltage.cloud/blog/life-of-lightning
- https://lightning.network/lightning-network-paper.pdf
- https://grokipedia.com/page/Lightning_Network
#layer-2 #scalability #foundational-text #poon-dryja #whitepaper #payment-channels
The sortition implementation: Stake-weighted selection at scale
<cite index="4-7,4-8">Algorand pioneered the use of VRF to perform secret cryptographic sortition to select committees to run the consensus protocol, which allows the blockchain to achieve the scale and performance necessary to support millions of users</cite>. <cite index="6-5">VRFs have been used in practice in DNSSEC protocol and in blockchain consensus protocols to establish Proof-of-Stake</cite>, but Algorand's application was early and specific.
The sortition mechanism runs locally on every participating node. <cite index="21-1,21-2,21-3">Each ALGO holder who has registered a participation key runs the VRF locally using their secret key and the current round's randomness seed, the VRF output is a number, and if that number falls below a threshold weighted by the participant's stake they've been selected</cite>. <cite index="8-8">The cryptographic sortition at the core of Algorand consensus is implemented through VRFs in such a way that the VRF is computed once regardless of the amount of Algo at stake, making block proposer or committee election scalable and lightweight with minimal hardware requirements</cite>.
Algorand released its VRF implementation as open-source code in March 2019, forking the libsodium cryptographic library. <cite index="9-4,9-5">Algorand's initial proposal serves as a canonical process of study due to its elegance, with the initial seed drawn as a uniformly random number</cite>. The elegance is real. Whether the mechanism remains non-manipulable under adversarial conditions is the engineering question that separates theory from production systems.
Sources:
- https://medium.com/algorand/algorand-releases-first-open-source-code-of-verifiable-random-function-93c2960abd61
- https://eprint.iacr.org/2020/1222.pdf
- https://algorand.co/technology/pure-proof-of-stake
- https://www.algorandnews.ai/posts/algorand-vrf-true-randomness
- https://arxiv.org/pdf/2406.15282
#cryptographic-sortition #verifiable-random-functions #algorand #consensus-mechanisms #protocol-design #implementation #foundational-text
Pure Proof-of-Stake: No delegation, no slashing, no lock-up
<cite index="8-2,8-3">The Algorand blockchain pioneered the Pure Proof-of-Stake consensus mechanism, and unlike other proof-of-stake approaches where a user must stake (lock up) their tokens, on Algorand the user maintains control of their Algo at all times since the tokens remain in the user's wallet whilst securing the network as part of consensus</cite>. <cite index="1-5">Each token holder automatically participates in consensus proportional to their stake—there is no delegation or bonding required</cite>.
The distinction matters in practice. Most proof-of-stake designs require users to lock tokens for a period, creating liquidity risk and centralizing stake with large validators who can absorb that risk. Algorand's approach keeps tokens liquid. <cite index="7-16,7-17">It is as if every token gets an execution of the VRF, so users with more tokens are likely to be selected more</cite>. <cite index="20-6,20-7">The more algos in an account, the greater chance the account has of being selected—it's as if every algo participates in its own lottery—and this method ensures a user does not gain any advantage by creating multiple accounts</cite>.
<cite index="8-5">The network can tolerate malicious actors and avoid forks and double-spending as long as a supermajority of the stake (over 2/3) is held by honest participants</cite>. The 2/3 honest assumption is standard for Byzantine fault tolerance. Whether it holds in a system where stake is bought and sold on exchanges is an economic question, not a cryptographic one.
Sources:
- https://algorand.co/technology/pure-proof-of-stake
- https://developer.algorand.org/docs/get-details/algorand_consensus/
- https://blockspot.io/algorithm/pure-pos/
- https://orochi.network/blog/verifiable-random-function
#proof-of-stake #algorand #pure-proof-of-stake #consensus-mechanisms #protocol-design #tokenomics #foundational-text
BA★: Byzantine agreement without knowing who the validators are
<cite index="12-1,12-2">Algorand uses a new Byzantine Agreement protocol to reach consensus among users on the next set of transactions, scaling consensus to many users through a mechanism based on Verifiable Random Functions that allows users to privately check whether they are selected</cite>. The protocol is called BA★. <cite index="17-2,17-3,17-4">Algorand confirms transactions with latency on the order of a minute while scaling to many users, ensures users never have divergent views of confirmed transactions even if some users are malicious and the network is partitioned, in contrast to existing cryptocurrencies that allow temporary forks and require an hour to confirm transactions with high confidence</cite>.
The mechanism works through secret self-selection. <cite index="14-7,14-8">Selection of users to participate in the certification of blocks is done randomly and secretly without any communication among users, and in every step of the protocol a new set of participants is privately and individually chosen</cite>. This addresses a specific attack vector: if you can identify validators before they act, you can target them. <cite index="13-1">In Algorand's BA protocol, users do not keep any private state except for their private keys, which allows Algorand to replace participants immediately after they send a message</cite>.
The 2017 SOSP paper by Gilad, Hemo, Micali, Vlachos, and Zeldovich laid out the design. The implementation went live in 2019. The question is whether the academic guarantees hold at the scale the chain has reached, not whether the theory is sound.
Sources:
- https://dl.acm.org/doi/10.1145/3132747.3132757
- https://eprint.iacr.org/2017/454
- https://hive.blog/hive-175254/@blockchainfo/algorand-is-called-a-byzantine-agreement-protocol-on-steroids-why
#byzantine-agreement #algorand #ba-star #consensus-mechanisms #protocol-design #proof-of-stake #foundational-text
Micali's VRF: The cryptographic lottery that makes Algorand work
<cite index="27-6">The concept of a verifiable random function was introduced by Micali, Rabin, and Vadhan in 1999</cite>, years before anyone had reason to care about decentralized consensus at scale. <cite index="27-1">A VRF is a public-key pseudorandom function that provides proofs that its outputs were calculated correctly</cite>. <cite index="27-2,27-3">The owner of the secret key can compute the function value and an associated proof for any input, and everyone else can use the proof and the public key to verify the value was calculated correctly, yet cannot use this information to find the secret key</cite>.
The primitive solves a specific problem in proof-of-stake design: <cite index="9-1">leader selection should be done proportional to stake, but in a way that neither relies on a trusted external source of randomness nor is manipulable by participants</cite>. Algorand implemented this through what it calls cryptographic sortition. <cite index="1-6">A user's VRF output, computed locally using their private key, determines whether they are selected to propose a block or serve on a voting committee for a given round</cite>. <cite index="4-12,4-14">Each user computes the VRF on a public seed available to everyone in the system, then checks whether the output falls within a range that depends on the stake the user holds</cite>. If it does, they hold proof of committee membership.
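An added sketch of the selection step described above and in the Pure Proof-of-Stake note (not Algorand's code): it follows the sortition procedure in the Gilad et al. SOSP 2017 paper, where a single pseudorandom draw is mapped onto binomial intervals to decide how many of an account's stake units are selected. HMAC-SHA256 stands in for the VRF here, so the draw is deterministic per key and seed but carries no publicly verifiable proof; keys, seeds and stake figures are constructed.

```python
import hashlib
import hmac


def prf_fraction(secret_key: bytes, seed: bytes, role: bytes) -> float:
    """Stand-in for the VRF output, scaled to [0, 1).

    Assumption: HMAC-SHA256 replaces the VRF. It is keyed and deterministic,
    but unlike a VRF it yields no proof that others can check with a public key.
    """
    digest = hmac.new(secret_key, seed + b"|" + role, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") / 2 ** 256


def sub_users_selected(fraction: float, stake: int, p: float) -> int:
    """Map one draw onto Binomial(stake, p) intervals.

    Returns j such that fraction lies in [CDF(j-1), CDF(j)), so j = k occurs
    with probability B(k; stake, p): as if each stake unit ran its own lottery,
    although the pseudorandom function is evaluated only once.
    """
    if not 0 < p < 1:
        raise ValueError("p must be strictly between 0 and 1")
    pmf = (1 - p) ** stake            # B(0; stake, p)
    cdf = pmf
    j = 0
    while fraction >= cdf and j < stake:
        # B(j+1) = B(j) * (stake - j) / (j + 1) * p / (1 - p)
        pmf *= (stake - j) / (j + 1) * p / (1 - p)
        cdf += pmf
        j += 1
    return j


def sortition(secret_key, seed, role, stake, total_stake, committee_size):
    """Number of committee seats this account wins for (seed, role)."""
    p = committee_size / total_stake  # per-unit selection probability
    return sub_users_selected(prf_fraction(secret_key, seed, role), stake, p)


def total_seats(accounts, rounds, total_stake, committee_size, role=b"committee"):
    """Seats won by a set of (key, stake) accounts over many rounds."""
    seats = 0
    for r in range(rounds):
        seed = r.to_bytes(8, "big")   # constructed per-round public seed
        for key, stake in accounts:
            seats += sortition(key, seed, role, stake, total_stake, committee_size)
    return seats


# Constructed comparison: 100 units in one account vs. split across ten accounts.
WHALE = [(b"constructed-key-whale", 100)]
SPLIT = [(b"constructed-key-%d" % i, 10) for i in range(10)]

if __name__ == "__main__":
    rounds, total_stake, committee = 2000, 1000, 20
    print("expected seats:", rounds * 100 * committee / total_stake)
    print("one account   :", total_seats(WHALE, rounds, total_stake, committee))
    print("ten accounts  :", total_seats(SPLIT, rounds, total_stake, committee))
```

Summed over many rounds, one account holding 100 units and ten accounts holding 10 units each win about the same number of seats, which is the multiple-accounts property the page describes.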
<cite index="23-6,23-7">The uniqueness and pseudorandomness properties of the VRF ensure no user can brute-force multiple outputs until finding one in the desired range, because once the seed is fixed, the VRF can only produce a single output</cite>. The academic work is solid. The implementation matters more.
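The sortition check described above, as an added example that is not Algorand's code: a toy RSA full-domain-hash VRF stands in for the production VRF, the keys are constructed from small Mersenne primes, and the stake threshold is a simplified assumption. All function names are hypothetical.

```python
import hashlib

E = 65537  # public exponent shared by every toy key

def keygen(exp_p, exp_q):
    """Constructed toy RSA key from two Mersenne primes 2**k - 1 (far too small for real use)."""
    p, q = 2**exp_p - 1, 2**exp_q - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))      # private exponent (Python 3.8+)
    return (n, E), (n, d)                  # (public key, secret key)

def hash_to_int(tag, data, modulus):
    return int.from_bytes(hashlib.sha256(tag + data).digest(), "big") % modulus

def vrf_prove(sk, alpha):
    """Proof = deterministic RSA-FDH signature on alpha. Textbook RSA is a permutation,
    so exactly one proof exists per (key, alpha): there is nothing to re-roll."""
    n, d = sk
    return pow(hash_to_int(b"fdh|", alpha, n), d, n)

def vrf_output(proof):
    """The pseudorandom value is a hash of the proof (toy moduli here are below 2**256)."""
    return hashlib.sha256(b"out|" + proof.to_bytes(32, "big")).digest()

def vrf_verify(pk, alpha, proof):
    """Return the VRF output if the proof is valid for (pk, alpha), else None."""
    n, e = pk
    if not 0 <= proof < n or pow(proof, e, n) != hash_to_int(b"fdh|", alpha, n):
        return None
    return vrf_output(proof)

def threshold(stake, total_stake, expected_size):
    """Simplified rule (assumption): chance that at least one of `stake` units is drawn
    when each unit is drawn with probability expected_size / total_stake."""
    return 1.0 - (1.0 - expected_size / total_stake) ** stake

def in_range(output, stake, total_stake, expected_size):
    limit = int(threshold(stake, total_stake, expected_size) * 2**256)
    return int.from_bytes(output, "big") < limit

def sortition(sk, seed, role, stake, total_stake, expected_size):
    """Run locally by the key holder: returns (selected?, proof to broadcast)."""
    proof = vrf_prove(sk, seed + b"|" + role)
    return in_range(vrf_output(proof), stake, total_stake, expected_size), proof

def verify_sortition(pk, seed, role, proof, stake, total_stake, expected_size):
    """Run by everyone else. `stake` must come from the ledger, never from the claimant."""
    output = vrf_verify(pk, seed + b"|" + role, proof)
    return output is not None and in_range(output, stake, total_stake, expected_size)

def selection_count(sk, stake, total_stake, expected_size, rounds):
    """Constructed experiment: how many of `rounds` public seeds select this key."""
    return sum(
        sortition(sk, b"seed-%d" % r, b"committee", stake, total_stake, expected_size)[0]
        for r in range(rounds)
    )

if __name__ == "__main__":
    pk, sk = keygen(127, 89)
    selected, proof = sortition(sk, b"seed-0", b"committee", 500, 1000, 5)
    print("selected:", selected)
    print("verifies:", verify_sortition(pk, b"seed-0", b"committee", proof, 500, 1000, 5))
    print("stake 500 vs 10 over 200 rounds:",
          selection_count(sk, 500, 1000, 5, 200), selection_count(sk, 10, 1000, 5, 200))
```

Because the proof is a function of the key and the seed alone, the only lever a participant has is the stake recorded on the ledger, which is why the verifier reads it from there.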
Sources:
- https://en.wikipedia.org/wiki/Verifiable_random_function
- https://medium.com/algorand/algorand-releases-first-open-source-code-of-verifiable-random-function-93c2960abd61
- https://arxiv.org/pdf/2406.15282
- https://blockspot.io/algorithm/pure-pos/
#verifiable-random-functions #cryptographic-sortition #algorand #consensus-mechanisms #micali #proof-of-stake #foundational-text #protocol-design
Why this matters for validators: protocols are VCG problems
When blockchain protocols allocate block space, MEV, or validator rewards, they're solving resource allocation under private information. <cite index="10-1">A mechanism design problem involves engineering the rules of a game so that if participants behave rationally by choosing strategies that maximize their expected utility, the result will satisfy some desired property</cite>. Validators know their own costs and opportunity sets. The protocol does not.
<cite index="7-7,7-8">The core problem is how to implement efficient allocations in an environment where each participant has private information about their preferences, and participants may misrepresent their preferences</cite>. <cite index="7-22,7-23">VCG requires preferences to be quasi-linear in money and no limits to making transfer payments</cite>. Crypto has both properties natively. <cite index="9-2,9-3,9-4">VCG's purpose is to induce players to reveal their true types (preferences), usually in various types of auctions or matters concerning public projects; when this is the case, the mechanism is called strategy-proof, and VCG achieves this by means of transfers</cite>.
The infrastructure parallel: PBS auctions, inclusion lists, validator set selection, and restaking slashing conditions are all mechanism design problems where the designer wants efficient outcomes without knowing validator valuations. VCG says you can get truthtelling with the right payment structure. <cite index="24-7">The VCG mechanism is computationally efficient as long as we have a computationally efficient method for finding socially optimal outcomes</cite>. That's the optimistic case. The budget-balance problem is the pessimistic one.
Sources:
- https://ieeexplore.ieee.org/iel7/9670/9470959/09471016.pdf
- https://web.stanford.edu/~jdlevin/Econ%20285/Vickrey%20Auction.pdf
- https://arxiv.org/pdf/0705.2170
- https://www.cs.cornell.edu/~rafael/networks-html/chapter10.html
#mechanism-design #vcg #protocol-design #validator-economics #incentive-compatibility #game-theory #pbs #economic-foundations
VCG's practical problems: budget imbalance and revenue collapse
<cite index="22-3,22-4,22-5">VCG is the most general form of incentive-compatible double-auction and can handle combinatorial auctions with arbitrary value functions on bundles, but it is not budget-balanced: the total value paid by buyers is smaller than the total value received by sellers, so the auctioneer has to subsidize the trade</cite>. This matters when you cannot print money.
<cite index="25-1,25-2">The VCG mechanism is infamously revenue non-monotone in combinatorial auctions—when a buyer increases their value for a bundle of items, the total auction revenue may decrease</cite>. <cite index="25-4">Non-monotonicity in multi-item auctions is not a result of complementarities; VCG is revenue non-monotone even in matching markets</cite>. <cite index="18-7,18-8">Complementarities of goods can induce complementarities of agents, leading to potential anomalies in VCG; the auction may result in uncompetitively low revenues outside the core, where a coalition of losing bidders offered to pay more than the winning prices</cite>.
<cite index="23-2,23-3">In an average-case setting with independent, identically distributed uniform random item costs, expected VCG cost is at least double the expected nominal cost, and exactly double when the desired structure is a basis of a bridgeless matroid</cite>. <cite index="18-5,18-6">Real applications include the FCC's Broadcast Incentive Auction, which generated $19.8 billion in gross revenues and won academic and Emmy awards</cite>. The theory is clean. The implementation subsidizes or collapses.
Sources:
- https://en.wikipedia.org/wiki/Vickrey%E2%80%93Clarke%E2%80%93Groves_mechanism
- https://arxiv.org/pdf/2602.20439
- https://www.obaranov.com/docs/Ausubel-Baranov-Assignment-Stage.pdf
- https://arxiv.org/pdf/1310.1777
#vcg #mechanism-design #budget-balance #revenue-non-monotonicity #auction-theory #economic-foundations #implementation-challenges #game-theory
Incentive compatibility: when lying costs more than the truth
<cite index="13-1">A mechanism is incentive-compatible if every participant can achieve their own best outcome by reporting their true preferences</cite>. <cite index="17-2">The notion was first introduced by Leonid Hurwicz in 1960</cite>. <cite index="17-3,17-4,17-5">It matters in interactions where at least one participant does not know perfectly what another knows; problems arise when the participant with more information has an incentive to use that information for personal benefit, but when the interaction is structured so they're motivated to act in the other party's interest, the result is incentive compatibility</cite>.
Two types matter for protocol design. <cite index="16-3,16-4">Truth revelation as a best response irrespective of what others report is called dominant-strategy incentive compatibility (DSIC); truth revelation as a best response when others also reveal their true types is called Bayesian Nash incentive compatibility (BIC)</cite>. <cite index="13-3">Typical DSIC examples are second-price auctions and simple majority votes between two choices</cite>. <cite index="13-4">Ranked voting with three or more alternatives and first-price auctions are not DSIC</cite>.
<cite index="11-7,11-8">The theory of mechanism design provides a framework for designing economic mechanisms that achieve desired outcomes by aligning individual incentives; the key insight is that individuals will act in their own self-interest, and therefore mechanisms should be designed to take this into account</cite>. <cite index="16-2">Offering incentives is a way of inducing truthful behavior; incentive compatibility essentially refers to offering the right amount of incentive to induce truth revelation</cite>.
Sources:
- https://en.wikipedia.org/wiki/Incentive_compatibility
- https://www.britannica.com/topic/incentive-compatibility
- https://gtl.csa.iisc.ac.in/gametheory/ln/web-md3-revtheorem.pdf
- https://www.numberanalytics.com/blog/power-of-incentive-compatibility-game-theory
#incentive-compatibility #mechanism-design #game-theory #dsic #bayesian-nash #hurwicz #economic-foundations
VCG: truthtelling as a dominant strategy in complex markets
<cite index="2-1">The Vickrey-Clarke-Groves mechanism is a generic truthful mechanism for achieving a socially optimal solution whenever monetary transfers are available</cite>. <cite index="5-3,5-4,5-5">Vickrey introduced the second-price sealed-bid auction in 1961, and Clarke and Groves generalized it into a broad class of dominant-strategy incentive-compatible mechanisms in the quasilinear environment</cite>.
The core innovation is the payment structure. <cite index="19-4">Each winner's payment equals the "harm" they impose on others by being present—the externality they create</cite>. <cite index="4-2">The Clarke tax sets the payment term as the sum of other agents' valuations in the allocation without agent i, minus their valuations in the chosen allocation</cite>. <cite index="19-10">Because the allocation rule maximizes total reported value and the payment does not depend on agent i's own report except through which allocation is chosen, telling the truth is a dominant strategy</cite>.
<cite index="1-1,1-7">VCG is a direct auction for multiple goods and is dominant-strategy incentive compatible</cite>. <cite index="6-1,6-2">It works in multi-parameter settings and achieves economic efficiency and DSIC assuming independent private values</cite>. The mechanism asks participants to report valuations, selects the outcome that maximizes total reported value, and computes payments so truthtelling is optimal. <cite index="7-11">VCG mechanisms achieve strategy-proof implementation of efficient allocations in quasi-linear environments, but can have trouble with budget balance</cite>.
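The Clarke payment rule above, and the low-revenue anomaly noted in the earlier section on VCG's practical problems, worked through as an added example that is not taken from any cited source. The bidders, items and values are constructed, the function names are hypothetical, and the allocation search is brute force, so it only suits tiny inputs.

```python
from itertools import product

def bundle_value(valuation, items):
    """Value of holding `items`, given {bundle: value}; extra items are free to discard."""
    return max((v for bundle, v in valuation.items() if bundle <= items), default=0)

def best_allocation(reports, items):
    """Try every way of giving each item to one bidder or to nobody; keep the welfare maximum."""
    bidders = list(reports)
    best = (0, {b: frozenset() for b in bidders})
    for choice in product([None] + bidders, repeat=len(items)):
        alloc = {b: frozenset(i for i, c in zip(items, choice) if c == b) for b in bidders}
        welfare = sum(bundle_value(reports[b], alloc[b]) for b in bidders)
        if welfare > best[0]:
            best = (welfare, alloc)
    return best

def vcg(reports, items):
    """Return (allocation, payments) under the Clarke pivot rule."""
    welfare, alloc = best_allocation(reports, items)
    payments = {}
    for i in reports:
        others = {b: r for b, r in reports.items() if b != i}
        without_i, _ = best_allocation(others, items)            # others' best if i were absent
        others_now = welfare - bundle_value(reports[i], alloc[i])  # others' value with i present
        payments[i] = without_i - others_now                      # the harm i imposes on the rest
    return alloc, payments

def utility(true_valuation, bidder, reports, items):
    alloc, payments = vcg(reports, items)
    return bundle_value(true_valuation, alloc[bidder]) - payments[bidder]

def best_misreport_gain(true_valuation, bidder, reports, items, grid):
    """Largest utility gain over truthful reporting when the bidder's values are replaced by r."""
    truthful = utility(true_valuation, bidder, {**reports, bidder: true_valuation}, items)
    lied = max(
        utility(true_valuation, bidder,
                {**reports, bidder: {bundle: r for bundle in true_valuation}}, items)
        for r in grid
    )
    return lied - truthful

# Constructed case 1: one block slot "A", three bids. VCG reduces to a second-price auction.
SLOT = {"v1": {frozenset("A"): 10}, "v2": {frozenset("A"): 7}, "v3": {frozenset("A"): 3}}

# Constructed case 2: b1 wants both items as a package; b2 and b3 each want one item.
PACKAGE = {"b1": {frozenset("AB"): 10}, "b2": {frozenset("A"): 10}, "b3": {frozenset("B"): 10}}

if __name__ == "__main__":
    print("second price:", vcg(SLOT, ["A"])[1])
    alloc, pay = vcg(PACKAGE, ["A", "B"])
    print("winners pay:", pay, "while losing bidder b1 offered 10")
    print("b2 gain from lying:",
          best_misreport_gain(PACKAGE["b2"], "b2", PACKAGE, ["A", "B"], range(21)))
```

In the second case both winners pay nothing, which is the outside-the-core outcome: the losing package bidder was willing to pay more than the auction collected.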
Sources:
- https://en.wikipedia.org/wiki/Vickrey%E2%80%93Clarke%E2%80%93Groves_mechanism
- https://gtl.csa.iisc.ac.in/gametheory/ln/web-md7-vcg.pdf
- http://cse.unl.edu/~lksoh/Classes/CSCE475_875_Fall17/handouts/15MechanismDesignVCG.pdf
- https://cs.brown.edu/courses/csci1440/lectures/2024/vcg_mechanism.pdf
- https://web.stanford.edu/~jdlevin/Econ%20285/Vickrey%20Auction.pdf
- https://umbrex.com/resources/economics-concepts/microeconomic-theory/vickrey-clarke-groves-vcg-mechanism/
#mechanism-design #vcg #incentive-compatibility #auction-theory #dominant-strategy #economic-foundations #clarke-tax #game-theory
Quantum Threats and Post-Quantum Variants
<cite index="18-2">Diffie–Hellman key exchange is at the foundations of public-key cryptography, but conventional group-based Diffie–Hellman is vulnerable to Shor's quantum algorithm</cite>. Shor's algorithm can solve the discrete logarithm problem efficiently on a sufficiently powerful quantum computer. That means the mathematical hardness assumption underlying Diffie-Hellman breaks in a post-quantum world.
<cite index="14-8">Public-key cryptography standards, namely Diffie-Hellman, RSA, and Federal Information Processing Standards Publication (FIPS) 186 (Digital Signature Standard) are all vulnerable to attacks from a quantum computer. The cryptographic community is researching ways to strengthen the Diffie-Hellman key exchange, including by lattice-based cryptography, multivariate cryptography, and elliptic-curve isogeny cryptography</cite>.
<cite index="18-3">A range of "post-quantum Diffie–Hellman" protocols have been proposed to mitigate this threat, including the Couveignes, Rostovtsev–Stolbunov, SIDH, and CSIDH schemes, all based on the combinatorial and number-theoretic structures formed by isogenies of elliptic curves</cite>. These protocols attempt to preserve the structure of the original—two parties deriving a shared secret without transmitting it—while replacing the vulnerable discrete logarithm with a different hard problem that resists quantum attack.
No large-scale quantum computer exists yet. Diffie-Hellman still works. But the asset class is real, the speculation around it is mostly garbage, and the infrastructure underneath occasionally produces replacements before the old system breaks.
Sources:
- https://arxiv.org/pdf/1809.04803
- https://www.isaca.org/resources/isaca-journal/issues/2024/volume-3/cryptographic-advancements-enabled-by-diffie-hellman
#diffie-hellman #post-quantum-cryptography #quantum-computing #elliptic-curve-isogeny #cryptographic-primitives #lattice-cryptography #cryptographic-history #foundational-text
Merkle's Contribution and Forward Secrecy
<cite index="3-7,3-8">In 2006, Hellman suggested the algorithm be called Diffie–Hellman–Merkle key exchange in recognition of Ralph Merkle's contribution to the invention of public-key cryptography, writing that the system should be called 'Diffie–Hellman–Merkle key exchange' if names are to be associated with it</cite>. Merkle developed the concept of public key distribution independently; Diffie and Hellman built the protocol.
One of the protocol's more useful properties emerged later. <cite index="3-4">Although Diffie–Hellman key exchange itself is a non-authenticated key-agreement protocol, it provides the basis for a variety of authenticated protocols, and is used to provide forward secrecy in Transport Layer Security's ephemeral modes</cite>. <cite index="3-5,3-6">Forward secrecy results from the use of ephemeral keys: the private keys are discarded once key agreement is complete, making them safe from later compromise. Ephemeral keys are practical because it is computationally cheap to create public-private key pairs suitable for use with Diffie-Hellman exchange</cite>.
Forward secrecy means that if an adversary compromises a long-term key later, past sessions encrypted with ephemeral Diffie-Hellman keys remain unreadable. The keys were thrown away. There is nothing to decrypt with. This matters for systems designed to resist retrospective decryption—state surveillance, for instance, or an attacker who stores encrypted traffic now and waits for keys to leak later. The infrastructure underneath the speculation occasionally produces something that matters.
Sources:
- https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
#diffie-hellman #forward-secrecy #ephemeral-keys #tls #cryptographic-primitives #ralph-merkle #cryptographic-history #foundational-text
How Diffie-Hellman Works: Shared Secrets Over Open Wires
The Diffie-Hellman key exchange is a protocol for deriving a shared secret between two parties who have never met. <cite index="1-2,1-3">The Diffie-Hellman algorithm allows two parties to securely establish a shared secret key over an insecure communication channel. This shared secret key can then be used for symmetric encryption and secure communication between the parties</cite>.
The process has a few steps. <cite index="1-5,1-6,1-7">Alice and Bob agree on two large prime numbers, p (a prime modulus) and g (a primitive root modulo p), which are publicly shared. Alice chooses a private random number a and calculates A=g^a mod p, then sends A to Bob. Bob chooses a private random number b and calculates B=g^b mod p, then sends B to Alice</cite>. Then they compute the same secret, each from their own private key and the other's public value.
The security rests on a hard problem. <cite index="33-7">Its security properties are based on the difficulty of solving the discrete logarithm problem</cite>. An eavesdropper sees the public values but cannot efficiently reverse the modular exponentiation to discover the private keys. The shared secret never crosses the wire.
<cite index="2-13">Diffie-Hellman key exchange is commonly found in security protocols, such as Transport Layer Security (TLS), Secure Shell (SSH) and IP Security (IPsec)</cite>. It is fifty years old and still running underneath the encrypted web.
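The exchange above, with the ephemeral-key handling from the forward secrecy section, as an added example that is not from any cited source. The group is a toy one constructed for illustration (p = 2^127 - 1 is prime but far too small, and g = 3 is not checked to be a primitive root), and the class and function names are hypothetical.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example only. Real deployments use
# standardized groups of at least 2048 bits or elliptic curves.
P = 2**127 - 1
G = 3

class Party:
    """One side of an ephemeral exchange; the private value lives for one session only."""

    def __init__(self):
        self.private = secrets.randbelow(P - 3) + 2   # a (or b), uniform in [2, p-2]
        self.public = pow(G, self.private, P)         # A = g^a mod p, sent in the clear

    def derive_key(self, peer_public):
        if self.private is None:
            raise RuntimeError("ephemeral private value already discarded")
        # Validate before use: 0, 1, p-1 and out-of-range values would yield a
        # shared secret that anyone on the wire can predict.
        if not isinstance(peer_public, int) or not 2 <= peer_public <= P - 2:
            raise ValueError("peer public value outside [2, p-2]")
        shared = pow(peer_public, self.private, P)    # g^(ab) mod p, never transmitted
        # Models the discard step; Python itself cannot guarantee the memory is wiped.
        self.private = None
        # Hash the raw group element into a fixed-length symmetric key.
        return hashlib.sha256(b"dh-demo|" + shared.to_bytes(16, "big")).digest()

def run_session():
    """Run one exchange and return what crossed the wire plus each side's derived key."""
    alice, bob = Party(), Party()
    wire = {"p": P, "g": G, "A": alice.public, "B": bob.public}  # all an eavesdropper sees
    key_alice = alice.derive_key(wire["B"])
    key_bob = bob.derive_key(wire["A"])
    return wire, key_alice, key_bob, alice, bob

if __name__ == "__main__":
    wire, ka, kb, alice, bob = run_session()
    print("on the wire:", sorted(wire))
    print("keys match:", ka == kb)
    print("private values kept after the session:", alice.private, bob.private)
    _, ka2, _, _, _ = run_session()
    print("second session reuses the key:", ka2 == ka)
```

Nothing here authenticates either side, which is the non-authenticated property the page mentions: protocols such as TLS add signatures over the exchanged values on top of this step.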
Sources:
- https://www.1kosmos.com/resources/security-glossary/diffie-hellman-key-exchange-algorithm
- https://www.techtarget.com/searchsecurity/definition/Diffie-Hellman-key-exchange
- https://medium.com/@OjFRSA/what-is-the-diffie-hellman-key-exchange-and-how-does-it-work-9ee7759e6326
#cryptographic-primitives #diffie-hellman #key-exchange #discrete-logarithm #protocol-mechanics #tls #cryptographic-history #foundational-text
The 1976 Paper That Broke the Key Distribution Problem
<cite index="6-1">In 1976 cryptologists Whitfield Diffie and Martin Hellman published "New Directions in Cryptography" in IEEE Transactions on Information Theory</cite>. <cite index="1-8">This groundbreaking work laid the foundation for modern public-key cryptography and was the first practical method for establishing a shared secret key between two parties over an insecure communication channel</cite>.
Before this, cryptography had a distribution problem. <cite index="23-1,23-2,23-3">During the early history of cryptography, two parties would rely upon a key that they would exchange by means of a secure, but non-cryptographic, method such as a face-to-face meeting, or a trusted courier. This key, which both parties must then keep absolutely secret, could then be used to exchange encrypted messages</cite>. That limitation was expensive, fragile, and did not scale. Diffie and Hellman proposed a method where <cite index="2-3">two parties could securely exchange cryptographic keys over a public channel without their conversation being transmitted over the internet</cite>.
The mechanism was elegant. <cite index="1-4">The protocol is based on the mathematical properties of modular exponentiation and discrete logarithm problems</cite>. The components of the keys are never directly transmitted. <cite index="2-9">The two parties have no prior knowledge of each other, but the two parties create a key together</cite>.
<cite index="3-3">In 1997 it was revealed that James H. Ellis, Clifford Cocks, and Malcolm J. Williamson of GCHQ, the British signals intelligence agency, had previously shown in 1969 how public-key cryptography could be achieved</cite>. The classified work stayed classified. Diffie and Hellman got the credit because they published.
Sources:
- https://historyofinformation.com/detail.php?id=1807
- https://www.1kosmos.com/resources/security-glossary/diffie-hellman-key-exchange-algorithm
- https://www.techtarget.com/searchsecurity/definition/Diffie-Hellman-key-exchange
- https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
#cryptographic-primitives #cryptographic-history #foundational-text #key-exchange #public-key-cryptography #diffie-hellman
ECDSA: the elliptic analog of an older signature scheme
<cite index="14-1,14-2">FIPS 186-5 specifies methods for digital signature generation and verification using ECDSA, with specifications for domain parameter generation included in SP 800-186</cite>. <cite index="14-3">ECDSA is the elliptic curve analog of DSA</cite>, applying elliptic-curve math to the signature problem that DSA solved with finite fields.
<cite index="14-5,14-6">Deterministic ECDSA is a variant where a per-message secret number is a function of the message that is signed, resulting in a deterministic mapping of messages to signatures; this variant does not impact the signature verification process</cite>. <cite index="15-5">The deterministic variant is currently specified in RFC 6979</cite>. This matters because the original ECDSA required generating a fresh random number for each signature, and failures in that random number generation have led to private key recovery in multiple real-world breaches.
<cite index="14-4">ECDSA keys shall not be used for any other purpose, such as key establishment</cite>—a restriction that prevents key reuse attacks and keeps signature keys isolated from encryption or key-agreement operations. The algorithm ships in TLS implementations, hardware security modules, and most cryptographic libraries written in the last decade. It is infrastructure.
Sources:
- https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-5.pdf
- https://www.federalregister.gov/documents/2019/10/31/2019-23742/request-for-comments-on-fips-186-5-and-sp-800-186
#ecdsa #digital-signatures #cryptographic-primitives #fips-186-5 #deterministic-ecdsa #security-standards #foundational-text
P-256 vs secp256k1: the curve used and the curve that wasn't
<cite index="19-4,19-5">The NSA recommends the random curve for government use, also known as NIST P-256</cite>. This is secp256r1, the "r" standing for random. <cite index="19-2,19-23">The "k" in secp256k1 stands for Koblitz and the "r" in secp256r1 stands for random</cite>. Both are elliptic curves over a 256-bit prime field, but they diverge in construction and adoption.
<cite index="19-11,19-12">Bitcoin chose to use the less popular Koblitz curve for reasons including efficiency and concerns over a possible back door in the random curve; before Bitcoin, secp256k1 was not widely used</cite>. <cite index="19-24">A Koblitz elliptic curve has some special properties that make it possible to implement the group operation more efficiently</cite>. That efficiency advantage mattered to early Bitcoin developers working with constrained systems.
<cite index="21-17">NIST SP 800-186 includes a reference for the curve secp256k1 specified in SEC 2</cite>, acknowledging its use in the wild. The practical reality: NIST P-256 dominates in TLS and traditional enterprise infrastructure; secp256k1 dominates in blockchain applications. The two curves address the same security level—roughly 128 bits—but they emerged from different design philosophies and serve different communities. When you see a blockchain transaction signature, you are almost certainly looking at secp256k1. When you establish a TLS session with a government website, you are almost certainly looking at P-256.
Sources:
- https://www.johndcook.com/blog/2018/08/21/a-tale-of-two-elliptic-curves/
- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-186.pdf
#elliptic-curve-cryptography #nist-p-256 #secp256k1 #cryptographic-primitives #bitcoin #security-standards #foundational-text
NIST curves: fifteen curves, fifteen years of argument
<cite index="2-2,2-5">In FIPS 186-4, NIST recommended fifteen elliptic curves of varying security levels</cite> for use in cryptographic standards. <cite index="2-6">More than fifteen years have passed since these curves were first developed, and the community now knows more about the security of elliptic curve cryptography and practical implementation issues</cite>.
<cite index="12-1,12-2">Elliptic curve cryptography has seen slow adoption outside certain communities, with discussions citing interoperability issues, performance characteristics, and concerns over intellectual property</cite>. There was also the matter of trust. Some in the community questioned whether the NIST curves contained hidden weaknesses—a concern that intensified after NSA revelations, though no proof of exploited weakness has surfaced.
<cite index="12-3">Advances in the understanding of elliptic curves within the cryptographic community have led to the development of new elliptic curves and algorithms whose designers claim to offer better performance and are easier to implement in a secure manner</cite>. <cite index="15-2,15-3">NIST proposed updates to align with existing and emerging industry standards, including adopting two new elliptic curves, Ed25519 and Ed448, for use with EdDSA</cite>. The revision process took input from federal agencies, foreign government agencies, private-sector organizations, and independent cryptographers.
Sources:
- https://csrc.nist.gov/projects/elliptic-curve-cryptography
- https://www.federalregister.gov/documents/2015/10/20/2015-26539/federal-information-processing-standard-fips-186-4-digital-signature-standard-request-for-comments
- https://www.federalregister.gov/documents/2019/10/31/2019-23742/request-for-comments-on-fips-186-5-and-sp-800-186
#elliptic-curve-cryptography #nist-curves #security-standards #fips-186-4 #cryptographic-primitives #foundational-text
FIPS 186-5 and the signature stack that ships
<cite index="3-1">NIST published FIPS 186-5, Digital Signature Standard (DSS), in February 2023</cite>, ending a multi-year revision that started with industry complaints about the fifteen-year-old NIST curves. <cite index="17-2">The standard specifies three techniques for digital signature generation and verification</cite>: RSA (with PKCS #1), ECDSA (Elliptic Curve Digital Signature Algorithm), and the newer EdDSA (Edwards-curve Digital Signature Algorithm).
<cite index="3-3">The older DSA algorithm is retained only for verifying existing signatures</cite>, a quiet retirement that acknowledges security analysis against DSA implementations and the march of ECDSA adoption. <cite index="3-4,3-5">The companion document, NIST SP 800-186, specifies the set of recommended elliptic curves, including the previously recommended Weierstrass curves and two newly specified Edwards curves for use with EdDSA</cite>.
<cite index="3-6">Edwards curves provide increased performance, side-channel resistance, and simpler implementation</cite> compared to traditional curves—engineering advantages that matter when you are building systems that need to verify thousands of signatures per second. <cite index="1-7">The standard also deprecates curves over binary fields due to their limited use by industry</cite>. This is not theoretical work. This is the stack that federal systems ship, and the stack that much of the private sector references when building signature infrastructure.
Sources:
- https://www.nist.gov/news-events/news/2023/02/nist-revises-digital-signature-standard-dss-and-publishes-guideline
- https://csrc.nist.gov/news/2023/nist-releases-fips-186-5-and-sp-800-186
- https://csrc.nist.gov/pubs/fips/186-5/ipd
#cryptographic-primitives #security-standards #fips-186-5 #digital-signatures #ecdsa #eddsa #foundational-text
Merkle trees trade setup complexity for verification efficiency
<cite index="24-1,24-2">One of the fundamental building blocks of many blockchain protocols is the Merkle tree, a data structure that enables efficient and secure verification of large datasets; Merkle trees are used to store transactions, account balances, and other critical information in a compact and tamper-evident manner.</cite> The advantage is clear: <cite index="24-6">Merkle trees allow for efficient verification of the integrity and inclusion of specific data elements without requiring the verifier to store or process the entire dataset.</cite>
But the structure is not trivial. <cite index="6-4">As long as the chosen hash function is collision-resistant, this mechanism ensures data integrity, in the sense that it is computationally infeasible to modify any leaf without changing also the tree root.</cite> <cite index="6-5,6-6">This method can be employed to construct more advanced authenticated data structures, namely data structures that provide efficient data retrieval and incorporate cryptographic digests to guarantee data integrity; among the most prominent examples are Merkle B-trees, which can be seen as a combination of a Merkle tree and a B-tree.</cite>
<cite index="19-14">Ethereum takes a more sophisticated approach with three separate Patricia Merkle Tries for each block: a State Trie (account balances and contract storage) and a Transaction Trie (transactions in the block).</cite> The tree is not free infrastructure. It requires careful tuning of branching factors, hash functions, and update patterns. But for distributed systems that must prove inclusion without shipping datasets, the tradeoff has held for decades.
Sources:
- https://arxiv.org/pdf/2405.07941
- https://www.sciencedirect.com/topics/computer-science/merkle-hash-tree
- https://dsvynarenko.hashnode.dev/designing-blockchain-4-merkle-trees-and-state-verification
#authenticated-data-structures #collision-resistance #merkle-variants #ethereum #patricia-trie #protocol-design #cryptographic-primitives #foundational-text
Blockchains store one root hash instead of every transaction
<cite index="19-3,19-4">Instead of storing the full state in each block, blockchains store just the Merkle Root (32 bytes), which makes blocks dramatically smaller and the blockchain more scalable.</cite> <cite index="7-4,7-5">The Bitcoin blockchain and other blockchains use Merkle trees to encode blockchain data more efficiently and securely by hashing individual transactions and resulting hashes into a hash called the Merkle root, which is used to create the block hash, the unique ID code of a block.</cite>
<cite index="19-10,19-11,19-12">Bitcoin uses a simple binary Merkle Tree to organize transactions within each block, with all transactions hashed pairwise and combined bottom-up until reaching a single Merkle Root included in the block header; this enables Simplified Payment Verification (SPV)—light clients can verify that a transaction exists in a block by downloading just the block headers and a Merkle Proof, without downloading all transactions.</cite>
<cite index="20-10,20-11">Merkle trees are critical for blockchain verification because they allow for the rapid and secure confirmation of transactions without requiring a user to download an entire block, and by summarizing all transaction data into a single hash known as the Merkle root, they provide an incredibly efficient way to prove data integrity.</cite> Without this structure, every node would need to hold and validate every transaction to verify anything. The tree is what makes mobile wallets work.
Sources:
- https://dsvynarenko.hashnode.dev/designing-blockchain-4-merkle-trees-and-state-verification
- https://finst.com/en/learn/articles/what-is-a-merkle-tree
- https://www.lightspark.com/glossary/merkle-tree
#blockchain-architecture #bitcoin #spv-clients #merkle-root #protocol-design #data-efficiency #lightweight-clients #cryptographic-primitives #foundational-text
How hash trees compress verification into logarithmic proofs
<cite index="4-2">In cryptography and computer science, a hash tree or Merkle tree is a tree in which every "leaf" node is labelled with the cryptographic hash of a data block, and every node that is not a leaf is labelled with the cryptographic hash of the labels of its child nodes.</cite> <cite index="2-4,2-5">The single hash at the top of the tree—the Merkle root—serves as a compact fingerprint of the entire dataset, and if any single bit of any data block changes, the Merkle root changes, making tampering immediately detectable.</cite>
The efficiency gain matters most at scale. <cite index="4-5">Demonstrating that a leaf node is a part of a given binary hash tree requires computing a number of hashes proportional to the logarithm of the number of leaf nodes in the tree.</cite> <cite index="23-8">For example, if a blockchain block has about 1000 transactions, we would only need to retrieve the Merkle proof with about 10 transaction hashes, instead of the whole block with the 1000 transactions.</cite>
The proof consists of sibling hashes along a branch. <cite index="18-11,18-14,18-15,18-16">A Merkle proof is a short sequence of hashes that trace a path from a leaf to the Merkle root, including a small set of sibling hashes along the branch; using this information, a verifier can recompute the parent hashes up to the Merkle root, and if the recomputed root matches the one stored in the block header, the transaction is confirmed to be part of the block.</cite> This is the primitive that makes lightweight blockchain clients possible.
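The proof construction and check described above, as an added example that is not from any cited source. It uses single SHA-256 with leaf and node prefixes and promotes an unpaired node unchanged, which are assumptions of this sketch and not Bitcoin's exact construction; the transactions are constructed and the function names are hypothetical.

```python
import hashlib

LEAF, NODE = b"\x00", b"\x01"   # prefixes so a leaf can never be replayed as an inner node

def leaf_hash(block):
    return hashlib.sha256(LEAF + block).digest()

def node_hash(left, right):
    return hashlib.sha256(NODE + left + right).digest()

def build_levels(blocks):
    """Return every level of the tree: leaf hashes first, the single root last."""
    if not blocks:
        raise ValueError("a Merkle tree needs at least one data block")
    level = [leaf_hash(b) for b in blocks]
    levels = [level]
    while len(level) > 1:
        parents = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                parents.append(node_hash(level[i], level[i + 1]))
            else:
                parents.append(level[i])      # unpaired node moves up unchanged
        level = parents
        levels.append(level)
    return levels

def merkle_root(blocks):
    return build_levels(blocks)[-1][0]

def prove(blocks, index):
    """Collect the sibling hash at each level on the path from leaf `index` to the root."""
    if not 0 <= index < len(blocks):
        raise IndexError("no such leaf")
    proof = []
    for level in build_levels(blocks)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):              # a promoted node has no sibling at this level
            proof.append((level[sibling], sibling < index))   # (hash, sibling is on the left)
        index //= 2
    return proof

def verify(block, proof, root):
    """Recompute the path using only the block, the proof and the trusted root."""
    acc = leaf_hash(block)
    for sibling, sibling_is_left in proof:
        acc = node_hash(sibling, acc) if sibling_is_left else node_hash(acc, sibling)
    return acc == root

if __name__ == "__main__":
    txs = [b"constructed-tx-%d" % i for i in range(1000)]   # constructed sample block
    root = merkle_root(txs)                                  # what the block header stores
    proof = prove(txs, 0)
    print("hashes in proof for 1000 transactions:", len(proof))
    print("genuine transaction verifies:", verify(txs[0], proof, root))
    print("altered transaction verifies:", verify(b"constructed-tx-0 + 1 coin", proof, root))
```

The verifier never sees the other 999 transactions; its only trusted input is the root, so a light client's security reduces to obtaining the correct block header.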
Sources:
- https://en.wikipedia.org/wiki/Merkle_tree
- https://stealthcloud.ai/glossary/merkle-tree/
- https://cryptorobotics.ai/learn/role-of-merkle-trees-in-blockchain-verification/
- https://medium.com/@ohm.patel1997/merkle-tree-proofs-e531b1b3c7e5
#cryptographic-primitives #hash-functions #merkle-proof #verification #data-structures #logarithmic-complexity #protocol-design #foundational-text
Merkle patented the authentication tree in 1982
<cite index="10-3">The concept of the Merkle tree was invented by Ralph C. Merkle in 1979 as a key component in his doctoral thesis on public-key cryptography and digital signatures.</cite> <cite index="10-4">Merkle proposed a binary tree structure composed of cryptographic hashes to enable efficient verification of data integrity and inclusion proofs for large datasets, allowing a signer to certify multiple messages without recomputing signatures for each one individually.</cite>
<cite index="10-5">The primary motivation for this invention stemmed from the need to scale digital signature schemes for practical use, particularly in scenarios requiring proof that a specific item belongs to a large set without disclosing the entire set or incurring high computational costs for verification.</cite> <cite index="10-6">Merkle patented this authentication tree method in 1982, formalizing its application to digital signatures based on one-way functions.</cite> The patent was <cite index="11-1">U.S. Patent 4,309,569 on January 5, 1982, describing a system that employs an authentication tree to verify multiple signatures from a single public key.</cite>
The structure solved a real problem. Before Merkle trees, verifying individual items in large signed datasets meant recomputing expensive signature operations for every check. The tree structure reduced verification to logarithmic complexity by exploiting hierarchical hashing—cheap cryptographic operations stacked in a way that preserved the integrity guarantees of more expensive primitives.
Sources:
- https://grokipedia.com/page/Merkle_tree
- https://grokipedia.com/page/Merkle_signature_scheme
- https://patents.google.com/patent/US4309569A/en
- https://en.wikipedia.org/wiki/Merkle_tree
#cryptographic-primitives #protocol-design #foundational-text #digital-signatures #ralph-merkle #patent-history #hash-tree
Bit Gold's Chain: Digital Ownership Without Possession
<cite index="18-2,18-3">The Bit Gold system would grow into a chain of proof-of-work hashes, and there'd always be a next candidate string to work with; whoever would find a valid hash would quite literally own that hash, similar to how the person that finds a bit of gold ore owns it.</cite> <cite index="18-4,18-5,18-6">To establish this ownership digitally, Bit Gold used a digital ownership registry in which the hashes were to be linked to the public keys of their respective creators, and it was through this digital ownership registry that a hash could be transferred to a new owner: the original owner would literally sign off on a transaction with a cryptographic signature.</cite>
<cite index="15-3,15-4">To assay the value of a string of bit gold, Bob checks and verifies the challenge bits, the proof of work string, and the timestamp; note that Alice's control over her bit gold does not depend on her sole possession of the bits, but rather on her lead position in the unforgeable chain of title (chain of digital signatures) in the title registry.</cite> <cite index="19-7">Each unit of bit gold created would be recorded in a publicly accessible and verifiable time-stamped chain of blocks.</cite> This separation of value from possession—where control flows from position in a public chain of signatures rather than custody of a secret—is the architecture Bitcoin adopted wholesale. The difference is that Bitcoin solved for decentralized consensus on a single ordering of that chain. Szabo's property club did not.
Sources:
- https://learn.saylor.org/mod/book/view.php?id=30735&chapterid=6704
- https://nakamotoinstitute.org/library/bit-gold/
- https://atlas21.com/bit-gold-the-first-attempt-to-create-a-decentralized-digital-currency/
#bit-gold #digital-ownership #cryptographic-signatures #blockchain-precursor #proof-of-work #foundational-text #cryptographic-history #digital-scarcity
Unforgeable Costliness: Szabo's Theory of Digital Scarcity
Unforgeable costliness is Szabo's core contribution to the economics of digital money, and it predates the bit gold proposal by several years. <cite index="27-6,27-8">Szabo has a more useful definition of scarcity: 'unforgeable costliness', where things are costly, due either to their original cost or the improbability of their history, and it is difficult to spoof this costliness.</cite> <cite index="21-1">Unforgeable costliness refers to an immense difficulty to both obtain and forge certain currencies.</cite>
<cite index="29-1,29-2,29-3">At first, the production of a commodity simply because it is costly seems quite wasteful; however, the unforgeably costly commodity repeatedly adds value by enabling beneficial wealth transfers, and more of the cost is recouped every time a transaction is made possible or made less expensive.</cite> In his 2002 essay "Shelling Out," <cite index="29-5,29-6">Szabo argued that the precursors of money, along with language, enabled early modern humans to solve problems of cooperation that other animals cannot, and these precursors shared with non-fiat currencies very specific characteristics — they were not merely symbolic or decorative objects.</cite>
<cite index="23-1,23-5">BitGold was a design on the theory to use proof of work as what Szabo calls unforgeable costliness, or to constrain the supply curves.</cite> The concept maps cleanly to Bitcoin's mining economics: energy expenditure becomes the unforgeable cost, computational cycles become the proof, and the difficulty adjustment ensures scarcity persists regardless of hash rate.
Sources:
- https://www.fon.hum.uva.nl/rob/Courses/InformationInSpeech/CDROM/Literature/LOTwinterschool2006/szabo.best.vwh.net/shell.html
- https://cryptowords.github.io/modeling-bitcoins-value-with-scarcity
- https://tim.blog/2018/06/01/the-tim-ferriss-show-transcripts-nick-szabo/
#unforgeable-costliness #nick-szabo #digital-scarcity #monetary-theory #proof-of-work #foundational-text #cryptographic-history
Bit Gold: Computational Scarcity Without a Central Issuer
<cite index="26-15">Szabo first came up with Bit Gold in 1998, though he only fully described it in public in 2005.</cite> The core idea was direct: <cite index="2-1,2-2">precious metals and collectibles have an unforgeable scarcity due to the costliness of their creation, which once provided money the value of which was largely independent of any trusted third party.</cite> <cite index="2-5,2-6">The problem, in a nutshell, is that our money currently depends on trust in a third party for its value, as many inflationary and hyperinflationary episodes during the 20th century demonstrated.</cite>
<cite index="26-17,26-2">The first central property of Bit Gold was proof of work, the cryptographic trick utilized by Dr. Adam Back in his "anti-spam currency" Hashcash, which represented the unforgeable costliness Szabo was looking for, as it required real-world resources — computing power — to produce these proofs.</cite> <cite index="14-3">The Bit Gold proposal describes a system for the decentralized creation of unforgeable proof of work chains, with each one being attributed to its discoverer's public key, using timestamps and digital signatures.</cite> <cite index="11-5">Although Bit Gold was never implemented as a working system, its core innovations—proof of work for creating digital scarcity, distributed consensus, and unforgeable chains of ownership—became the building blocks of Bitcoin and the entire cryptocurrency ecosystem.</cite>
Bit Gold did not solve the double-spend problem adequately. <cite index="14-7">This Byzantine method relies on a quorum of network addresses rather than a quorum of (hash) computing power, so unlike bitcoin it is vulnerable to Sybil attacks.</cite>
Sources:
- https://nakamotoinstitute.org/library/bit-gold/
- https://bitcoinmagazine.com/culture/genesis-files-bit-gold-szabo-was-inches-away-inventing-bitcoin
- https://bitcoinwiki.org/wiki/bit-gold-proposal
#bit-gold #proof-of-work #nick-szabo #cryptographic-history #digital-scarcity #foundational-text #pre-bitcoin
First-Class Citizens: Contracts That Create Other Contracts
<cite index="19-1,19-2">An important consequence of Ethereum's design is the "first class citizen" property—the idea that contracts have equivalent powers to external accounts, including the ability to send messages and create other contracts, allowing contracts to simultaneously serve many different roles.</cite> A member of a decentralized organization could be an escrow account, which itself sits between an individual using custom quantum-proof signatures and a co-signing entity with five keys for security—all contracts.
<cite index="19-3">The strength of the Ethereum platform is that the decentralized organization and the escrow contract do not need to care about what kind of account each party to the contract is.</cite> The architecture treats code and users as functionally equivalent participants in the system. This design choice opened the door to composability—contracts calling contracts calling contracts—which became the foundation of decentralized finance years later.
<cite index="21-1,21-3">After 10+ years of development, major upgrades, and ecosystem growth, the original whitepaper no longer reflects what Ethereum is today, but it continues to serve as a useful reference and an accurate representation of Ethereum and its vision.</cite> <cite index="9-6">Many of the whitepaper's predictions—including DeFi, DAOs, and token standards—have since materialized as major pillars of the crypto ecosystem.</cite> The document remains canonical not because it predicted the future, but because it described the infrastructure layer that made the future possible.
Sources:
- https://blockchainlab.com/pdf/Ethereum_white_paper-a_next_generation_smart_contract_and_decentralized_application_platform-vitalik-buterin.pdf
- https://ethereum.org/whitepaper/
- https://www.mexc.com/learn/article/the-ethereum-whitepaper-by-vitalik-buterin-explained-simply/1
#ethereum #smart-contracts #contract-composability #protocol-design #defi #foundational-text #first-class-citizens
What Bitcoin Couldn't Do: Programmable State Transitions
<cite index="19-6,19-7,19-9">When Satoshi Nakamoto set the Bitcoin blockchain into motion in January 2009, he introduced two concepts: a decentralized peer-to-peer currency without backing or central issuer, and a proof-of-work-based blockchain to allow public agreement on transaction order.</cite> <cite index="19-8">The currency took up most of the public attention—the politics of a currency without a central bank and its extreme price volatility.</cite>
Buterin saw the second concept as the foundation for something broader. <cite index="14-3,14-4,14-5">In 2013, he published the concept of Ethereum—a platform designed to enable the creation of virtually any decentralized application on the blockchain, utilizing smart contracts that operate within the Ethereum Virtual Machine environment and allowing not only the transfer of values but also the execution of arbitrary contract code that modifies the blockchain's state.</cite>
<cite index="16-5">Smart contracts are cryptographic "boxes" that contain value and only unlock it if certain conditions are met, with vastly more power than Bitcoin scripting because of the added powers of Turing-completeness, value-awareness, blockchain-awareness and state.</cite> <cite index="12-2">The logical extension is decentralized autonomous organizations (DAOs)—long-term smart contracts that contain the assets and encode the bylaws of an entire organization.</cite>
The white paper laid out infrastructure for programmable money. Whether the applications built on top would be useful or just speculative garbage remained to be seen.
Sources:
- https://blockchainlab.com/pdf/Ethereum_white_paper-a_next_generation_smart_contract_and_decentralized_application_platform-vitalik-buterin.pdf
- https://gaid.org/publications/blockchain-and-cryptocurrency/ethereum-a-next-generation-smart-contract-and-decentralized-application-platform-ethereum-whitepaper
- https://ethereum.org/whitepaper/
- https://bitpaper.info/paper/5634472569470976/
#ethereum #bitcoin-limitations #smart-contracts #protocol-design #dao #programmable-blockchain #foundational-text
The White Paper: Turing-Complete Contracts in Two Lines of Code
<cite index="1-1,1-6">Vitalik Buterin published the first draft of the Ethereum white paper on November 27, 2013, at age 19, with the canonical version finalized in December 2014.</cite> <cite index="1-11,1-12">He had been writing for Bitcoin Magazine and deeply understood blockchain technology, but Bitcoin's scripting language was intentionally simple, which made it secure but nearly impossible to build complex applications on top of.</cite>
<cite index="16-3">Ethereum built a blockchain with a built-in Turing-complete programming language, allowing anyone to write smart contracts and decentralized applications where they can create their own arbitrary rules for ownership, transaction formats and state transition functions.</cite> The white paper's subtitle said it plainly: "A Next-Generation Smart Contract and Decentralized Application Platform."
<cite index="9-4">Smart contracts and the Ethereum Virtual Machine (EVM) are the two defining innovations introduced in the whitepaper, enabling code to run automatically without intermediaries.</cite> <cite index="16-4">A bare-bones version of Namecoin can be written in two lines of code, and other protocols like currencies and reputation systems can be built in under twenty.</cite> <cite index="9-5">Gas fees were built into the original design as a metering system to price computation and prevent network abuse.</cite>
<cite index="13-6,13-7,13-8">The white paper outlined three categories of applications: financial applications providing more powerful ways of managing and entering contracts; semi-financial applications where money is involved but there's also a heavy non-monetary side; and computational problems with self-enforcing bounties.</cite> The infrastructure layer mattered. The speculation came later.
Sources:
- https://www.mexc.com/learn/article/the-ethereum-whitepaper-by-vitalik-buterin-explained-simply/1
- https://ethereum.org/whitepaper/
- https://blockchainlab.com/pdf/Ethereum_white_paper-a_next_generation_smart_contract_and_decentralized_application_platform-vitalik-buterin.pdf
#ethereum #white-paper #smart-contracts #turing-complete #evm #foundational-text #vitalik-buterin #protocol-design
Legacy: Privacy Architecture Before the Cypherpunks
<cite index="2-8">David Chaum's work on eCash inspired many early cryptographers, including key figures in the development of Bitcoin.</cite> The concepts—cryptographic anonymity, untraceable payments, digital signatures—established a technical vocabulary that the cypherpunk movement adopted in the late 1980s and early 1990s. <cite index="8-3,8-4">Many early cryptographers credit his papers as the conceptual basis for decentralized digital currencies. Satoshi Nakamoto referenced Chaum's technologies in Bitcoin discussions, and Bitcoin's core structure around digital signatures, privacy models, and peer-to-peer payments echoes Chaum's earliest designs.</cite>
The failure of DigiCash did not erase the influence of the underlying work. <cite index="24-6,24-7">eCash constituted a major milestone in the history of digital money. With privacy at its core, it set the stage for a lot of innovation and research in the coming decades.</cite> The centralized model—relying on banks to issue and validate digital cash—was the architectural flaw. <cite index="24-8">From a decentralization aspect there were still major issues, since DigiCash was indispensable as an intermediary that ensured the validity of each digital signature.</cite> Bitcoin solved that by removing the intermediary. Chaum built the cryptographic tools; Nakamoto built the consensus layer that made those tools work without a bank.
Sources:
- https://bitcoinmagazine.com/glossary/ecash
- https://www.coinw.com/academy/articles/who-is-david-chaum/117
- https://medium.com/blockwhat/82-the-birth-of-digital-cash-ea08b53379d8
#chaum #ecash #cryptographic-history #cypherpunk #bitcoin #digital-currency #foundational-text #privacy
The 1982 Dissertation and Blockchain Elements
<cite index="5-11">He gained a doctorate in computer science from the University of California, Berkeley, in 1982.</cite> The dissertation was titled "Computer Systems Established, Maintained, and Trusted by Mutually Suspicious Groups." <cite index="14-3">Recently credited by Alan Sherman's "On the Origins and Variations of Blockchain Technologies", Chaum's 1982 Berkeley dissertation proposed every element of the blockchain found in Bitcoin except proof of work.</cite> <cite index="14-4">The proposed vault system lays out a plan for achieving consensus state between nodes, chaining the history of consensus in blocks, and immutably time-stamping the chained data.</cite>
The work predates Bitcoin by twenty-six years. It proposed a structure where mutually distrustful parties could agree on a shared record. The missing piece was a decentralized method for deciding who updates the chain—the proof-of-work mechanism that Satoshi Nakamoto introduced in 2008. Chaum's system still assumed trusted parties or some form of coordination. But the architecture—consensus, chained blocks, immutable timestamps—was present in the dissertation.
<cite index="5-12">Also that year, he founded the International Association for Cryptologic Research (IACR), which currently organizes academic conferences in cryptography research.</cite> That organization runs the annual CRYPTO conference.
Sources:
- https://en.wikipedia.org/wiki/David_Chaum
#chaum #blockchain #cryptographic-history #foundational-text #consensus #berkeley #dissertation #digital-currency
DigiCash: The Commercial Attempt
<cite index="5-6">In 1990, he founded DigiCash, an electronic cash company, in Amsterdam to commercialize the ideas in his research.</cite> The product was called eCash. <cite index="23-6">Chaum published the idea of anonymous electronic money in a 1983 paper; eCash software on the user's local computer stored money in a digital format, cryptographically signed by a bank.</cite> <cite index="21-11">In 1995, Mark Twain Bank in St. Louis became the first to accept eCash as legal tender.</cite> A handful of other banks trialed the system in Europe.
The system did not scale. <cite index="26-5">By 1998, Mark Twain Bank had only enrolled 300 merchants and 5,000 users.</cite> <cite index="26-7">"It was hard to get enough merchants to accept it, so that you could get enough consumers to use it, or vice versa," Chaum told Forbes in 1999, after DigiCash had finally filed for bankruptcy.</cite> <cite index="19-5">DigiCash filed for Chapter 11 bankruptcy protection in November 1998, primarily due to mounting financial pressures from high operational costs, including a payroll that had been reduced from nearly 50 to about six employees.</cite> The company owed roughly $4 million to venture capital firms. <cite index="21-1">DigiCash declared bankruptcy in 1998 and subsequently sold its assets to eCash Technologies.</cite>
The infrastructure was demanding. Banks needed to integrate new cryptographic systems. Consumers and merchants needed compatible software. Credit cards were simpler and already worked.
Sources:
- https://en.wikipedia.org/wiki/David_Chaum
- https://en.wikipedia.org/wiki/Ecash
- https://bitcoinmagazine.com/culture/genesis-files-how-david-chaums-ecash-spawned-cypherpunk-dream
- https://grokipedia.com/page/Ecash
- https://en.wikipedia.org/wiki/DigiCash
#digicash #ecash #digital-currency #chaum #bankruptcy #cryptographic-history #mark-twain-bank #foundational-text
Blind Signatures and the 1983 Paper
<cite index="5-2">Chaum is credited as the inventor of secure digital cash for his 1983 paper, which also introduced the cryptographic primitive of a blind signature.</cite> The primitive is straightforward: <cite index="14-10">a blind signature blinds the content of a message before it is signed, so that the signer cannot determine the content.</cite> <cite index="14-11">The resulting blind signature can be publicly verified against the original, unblinded message in the manner of a regular digital signature.</cite>
<cite index="2-6">Using blinded signatures, eCash allowed users to withdraw digital coins from their bank without the bank being able to trace those coins after they were spent.</cite> <cite index="5-4">Chaum's proposal allowed users to obtain digital currency from a bank and spend it in a manner that is untraceable by the bank or any other party.</cite> That was the architecture: cryptographic anonymity in a bank-issued system. <cite index="5-3">These ideas have been described as the technical roots of the vision of the Cypherpunk movement that began in the late 1980s.</cite>
<cite index="5-5">In 1988, he extended this idea (with Amos Fiat and Moni Naor) to allow offline transactions that enable detection of double-spending.</cite> The 1983 paper established the idea; the 1988 work addressed how to prevent someone from spending the same digital coin twice without requiring the bank to verify every transaction in real time.
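The blind, sign, unblind, verify cycle described above, as an added example that is not from Chaum's papers or from eCash. It is instantiated with textbook RSA (an assumption; the page does not name the signature scheme), a toy 150-bit modulus, and a hypothetical `Bank` class whose online spent-coin set stands in for double-spend checking.

```python
import hashlib
import secrets
from math import gcd

# Toy bank key (constructed): two Mersenne primes keep the example reproducible.
# Far too small for real use, and unpadded.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # bank's private exponent


def coin_to_int(serial: bytes) -> int:
    """Map a coin serial number to an integer modulo N."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N


def new_blinding_factor() -> int:
    """Random r that is invertible modulo N; known only to the user."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return r


def blind(serial: bytes, r: int) -> int:
    """User side: m' = m * r^e mod N hides m from the signer."""
    return (coin_to_int(serial) * pow(r, E, N)) % N


def unblind(blinded_sig: int, r: int) -> int:
    """User side: (m')^d = m^d * r, so dividing by r leaves m^d."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(serial: bytes, sig: int) -> bool:
    """Anyone: an ordinary RSA check against the unblinded coin."""
    return pow(sig, E, N) == coin_to_int(serial)


class Bank:
    """Hypothetical issuer: signs what it cannot read, then checks deposits."""

    def __init__(self):
        self.withdrawal_log = []   # everything the bank saw at withdrawal time
        self.spent = set()         # serials already deposited

    def sign_blinded(self, blinded: int) -> int:
        self.withdrawal_log.append(blinded)
        return pow(blinded, D, N)

    def deposit(self, serial: bytes, sig: int) -> bool:
        if not verify(serial, sig) or serial in self.spent:
            return False           # forged coin or second spend
        self.spent.add(serial)
        return True


def withdraw(bank: Bank, serial: bytes) -> int:
    """Full withdrawal: the bank only ever handles the blinded value."""
    r = new_blinding_factor()
    return unblind(bank.sign_blinded(blind(serial, r)), r)


if __name__ == "__main__":
    bank = Bank()
    serial = b"coin-0001 (constructed)"
    sig = withdraw(bank, serial)
    print("valid signature:", verify(serial, sig))
    print("bank saw the coin at withdrawal:", coin_to_int(serial) in bank.withdrawal_log)
    print("first deposit:", bank.deposit(serial, sig))
    print("second deposit:", bank.deposit(serial, sig))
```

Unpadded RSA with a modulus this small is for reading, not deployment; a production design would use a standardized construction such as RFC 9474 (RSA Blind Signatures) with a full-size key.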
Sources:
- https://en.wikipedia.org/wiki/David_Chaum
- https://bitcoinmagazine.com/glossary/ecash
#cryptographic-history #blind-signature #digital-currency #chaum #foundational-text #cypherpunk
From theory to PBFT and blockchains that settled real trades
The 1982 paper laid theoretical groundwork, but practical systems needed algorithms that could run on actual networks with realistic message-passing costs. <cite index="20-2">Reaching Byzantine agreement requires at least t+1 phases or rounds of information exchange, where t is an upper bound on the number of faulty processors</cite>, even when using authentication protocols that limit undetected faulty behavior to simple failure to relay messages.
<cite index="17-1,17-2,17-3">Consensus is a fundamental building block for constructing reliable and fault-tolerant distributed services, and many Byzantine fault-tolerant consensus protocols designed for partially synchronous systems adopt a pessimistic approach when dealing with adversaries, typically resulting in either an increase in message complexity (e.g., PBFT) or an increase in the number of communication steps (e.g., HotStuff)</cite>. PBFT—Practical Byzantine Fault Tolerance—became the reference implementation in the late 1990s, and decades later its descendants powered permissioned blockchains used by banks and supply-chain consortia.
<cite index="12-8,12-13">BFT provides the mathematical and logical foundation for the security of modern cryptocurrencies, decentralized applications, and has transitioned from an academic theoretical problem to the practical backbone of the decentralized economy</cite>. The infrastructure underneath the speculation occasionally produces something that matters—settlement systems that tolerate arbitrary faults, coordination protocols for nodes that don't trust each other, and consensus mechanisms that work when some participants lie. That's the Lamport, Shostak, Pease lineage.
Sources:
- https://epubs.siam.org/doi/10.1137/0212045
- https://arxiv.org/pdf/2405.04606
- https://chain.link/article/byzantine-fault-tolerant-consensus
#byzantine-fault-tolerance #pbft #practical-consensus #blockchain-infrastructure #distributed-systems #settlement #consensus-theory #foundational-text
What Byzantine fault tolerance actually tolerates
<cite index="11-1">Byzantine Fault Tolerance in distributed systems refers to the ability of a system to continue operating and reaching consensus correctly, even in the presence of malicious or faulty nodes that may behave arbitrarily or send conflicting information to other nodes</cite>. The fault model is broader than crash failures. A crashed node stops responding; a Byzantine node can lie, delay messages, forge signatures if authentication is weak, or collude with other faulty nodes to subvert the protocol.
<cite index="13-13">A Byzantine error node refers to a node that publishes error messages to other nodes or intentionally delays the consensus process</cite>, while <cite index="13-14">a non-Byzantine error node means that the node crashes and cannot be used</cite>. The distinction matters because crash faults are easier to tolerate—simple majority voting works if nodes either tell the truth or stay silent. Byzantine faults require redundancy, multiple rounds of message exchange, and in some protocols, cryptographic verification.
<cite index="16-4">In challenging environments like Cloud or Blockchain, malicious behavior is often modeled as adversarial Byzantine faults</cite>. The model assumes an adversary that controls up to some threshold of nodes and can coordinate their behavior to try to break consensus. <cite index="16-6">Optimal resilience can deal with up to t < n/3 Byzantine processes, where n is the number of processes</cite>—the two-thirds bound again, now expressed in terms of fault tolerance rather than loyal generals.
Sources:
- https://www.geeksforgeeks.org/system-design/byzantine-fault-tolerance-in-distributed-system/
- https://www.mdpi.com/2079-9292/12/18/3801
- https://arxiv.org/pdf/2110.08592
#byzantine-fault-tolerance #distributed-systems #consensus-mechanisms #fault-models #blockchain-infrastructure #consensus-theory #foundational-text
Why Lamport wrapped a reliability problem in a historical allegory
The Byzantine Generals Problem appeared in ACM Transactions on Programming Languages and Systems in July 1982, but <cite index="6-38,6-39,6-40">it was based on earlier work titled "Reaching Agreement in the Presence of Faults" published in the Journal of the ACM in April 1980</cite>. The 1980 paper contained the formal results. The 1982 version reframed them as a story about Byzantine generals coordinating through messengers.
<cite index="9-1,9-2">Lamport later explained that he believed the problem was very important and deserved attention from computer scientists, and the popularity of Dijkstra's dining philosophers problem taught him that the best way to attract attention to a problem is to present it in terms of a story</cite>. The framing worked. Researchers began citing the Byzantine formulation, and the metaphor stuck: traitors, messengers, and coordinated attacks became shorthand for arbitrary component failures in distributed systems.
The allegory also clarified the threat model. <cite index="7-2">Several early solutions were described by Lamport, Shostak, and Pease in 1982</cite>, and those solutions distinguished between oral messages (which could be forged or altered by intermediaries) and signed messages (which used cryptographic authentication). The distinction mattered because the two-thirds bound applied only to oral messages; signed messages allowed more efficient protocols.
Sources:
- https://www.scribd.com/document/611505200/3335772-3335936
- https://www.cs.cmu.edu/afs/cs/academic/class/15712-f15/www/lectures/23-bft.pdf
- https://en.wikipedia.org/wiki/Byzantine_fault
#distributed-systems #lamport #byzantine-generals #academic-history #consensus-theory #metaphor #foundational-text
The two-thirds threshold that made distributed systems possible
<cite index="2-1">Leslie Lamport, Robert Shostak, and Marshall Pease introduced the Byzantine Generals Problem in 1982</cite>, formalizing a challenge that had been circulating through distributed systems research at SRI and elsewhere. The problem describes a scenario in which military commanders must coordinate an attack or retreat despite the presence of traitors who may send conflicting information.
The paper established <cite index="1-11">two interactive consistency conditions: IC1 requires all loyal lieutenants obey the same order, and IC2 requires that if the commanding general is loyal, every loyal lieutenant obeys that order</cite>. The mechanics are brutal. <cite index="1-15">If generals can send only oral messages, no solution will work unless more than two-thirds of the generals are loyal</cite>. That means <cite index="3-2">a single traitor can confound two loyal generals using only oral messages</cite>.
This was not intuitive. <cite index="1-14">The Byzantine Generals Problem seems deceptively simple</cite>, and the two-thirds threshold surprised researchers who expected symmetric solutions to work. The result became foundational because it set mathematical boundaries on what consensus mechanisms could achieve when participants might lie, fail, or behave arbitrarily—exactly the threat model blockchain designers inherited forty years later.
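The two-thirds bound, stated here for oral messages and earlier as t < n/3, can be watched in a small simulation of the paper's recursive oral-message algorithm OM(m). This is an added example, not code from the paper or its authors. The traitor strategies `flip` and `split`, the `run` helper and the general numbering are constructed for illustration. With three generals, lieutenant 1 sees the same votes whether the commander or the other lieutenant is the traitor, so no decision rule can satisfy both IC1 and IC2; with four generals the majority vote absorbs the single liar.

```python
from collections import Counter

ATTACK, RETREAT = "ATTACK", "RETREAT"


def flip(receiver, value):
    """Traitor strategy (constructed): forward the opposite of what was received."""
    return RETREAT if value == ATTACK else ATTACK


def split(receiver, value):
    """Traitor strategy (constructed): tell odd-numbered generals ATTACK, even ones RETREAT."""
    return ATTACK if receiver % 2 else RETREAT


def majority(votes):
    """Majority of the votes; a tie falls back to the default order RETREAT."""
    counts = Counter(votes)
    return ATTACK if counts[ATTACK] > counts[RETREAT] else RETREAT


def om(m, commander, lieutenants, value, traitors, views=None):
    """Oral-message algorithm OM(m). Returns {lieutenant: decided value}.

    traitors maps a general's id to its lying strategy. If views is given,
    it records the votes each lieutenant saw at this (top) level.
    """
    def send(sender, receiver, v):
        return traitors[sender](receiver, v) if sender in traitors else v

    # Step 1: the commander sends a value to every lieutenant.
    received = {l: send(commander, l, value) for l in lieutenants}
    if m == 0:
        return received

    # Step 2: each lieutenant j relays what it received, acting as the
    # commander of OM(m-1) towards the remaining lieutenants.
    relayed = {
        j: om(m - 1, j, [l for l in lieutenants if l != j], received[j], traitors)
        for j in lieutenants
    }

    # Step 3: each lieutenant takes the majority of its own value and the relays.
    decisions = {}
    for i in lieutenants:
        votes = [received[i]] + [relayed[j][i] for j in lieutenants if j != i]
        if views is not None:
            views[i] = tuple(votes)
        decisions[i] = majority(votes)
    return decisions


def run(n, m, order, traitors):
    """General 0 commands n-1 lieutenants. Returns (loyal decisions, loyal views)."""
    views = {}
    decisions = om(m, 0, list(range(1, n)), order, traitors, views)
    loyal = [l for l in range(1, n) if l not in traitors]
    return {l: decisions[l] for l in loyal}, {l: views.get(l, ()) for l in loyal}


if __name__ == "__main__":
    print("n=3, traitor lieutenant 2:", run(3, 1, ATTACK, {2: flip}))
    print("n=3, traitor commander:   ", run(3, 1, ATTACK, {0: split}))
    print("n=4, traitor lieutenant 3:", run(4, 1, ATTACK, {3: flip}))
    print("n=4, traitor commander:   ", run(4, 1, ATTACK, {0: split}))
    print("n=7, two traitors, OM(2): ", run(7, 2, ATTACK, {5: flip, 6: flip})[0])
```

The runs exercise two fixed adversary strategies, not every possible one; the guarantee for n > 3m over all strategies is the paper's theorem, which this simulation illustrates rather than proves.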
Sources:
- https://lamport.azurewebsites.net/pubs/byz.pdf
- https://www.semanticscholar.org/paper/The-Byzantine-Generals-Problem-Lamport-Shostak/1689f401f9cd18c8fd033d99d1e2ce99b71e6047
- https://medium.com/@shannonmanning523/the-byzantine-generals-problem-439d7681bb7a
#distributed-systems #consensus-theory #byzantine-fault-tolerance #foundational-text #lamport-shostak-pease #two-thirds-bound
The Cypherpunk inheritance
<cite index="22-13">In late 1992, Eric Hughes, Timothy C. May, and John Gilmore founded a small group that met monthly at Gilmore's company Cygnus Solutions in the San Francisco Bay Area and was humorously termed cypherpunks by Jude Milhon at one of the first meetings</cite>. <cite index="22-15,22-16">The Cypherpunks mailing list was started in 1992, and by 1994 had 700 subscribers, and at its peak, it was a very active forum with technical discussions ranging over mathematics, cryptography, computer science, political and philosophical discussion</cite>.
<cite index="25-1">In October 2008 Satoshi Nakamoto, an unknown individual or group of individuals, sent a paper to the cypherpunk mailing list at metzdowd.com called: "Bitcoin: A Peer-to-Peer Electronic Cash System"</cite>. <cite index="22-10">Notable list participants include Julian Assange, the founder of Wikileaks, and Hal Finney (the receiver of the first Bitcoin transaction)</cite>. <cite index="21-5,21-6">Assuming Satoshi Nakamoto (the creator of Bitcoin) was not Finney himself, then this mysterious figure was also most likely a list subscriber (and maybe participant)</cite>.
The community had been working on related problems for over a decade. <cite index="22-11">The technical roots of Cypherpunk ideas have been traced back to work by cryptographer David Chaum on topics such as anonymous digital cash and pseudonymous reputation systems, described in his paper "Security without Identification: Transaction Systems to Make Big Brother Obsolete" (1985)</cite>. The white paper arrived in an environment primed to evaluate its claims.
Sources:
- https://en.wikipedia.org/wiki/Cypherpunk
- https://cryptoanarchy.wiki/getting-started/what-is-the-cypherpunks-mailing-list
- https://medium.com/swlh/the-untold-history-of-bitcoin-enter-the-cypherpunks-f764dee962a1
- https://satoshi.nakamotoinstitute.org/emails/cryptography/
#cypherpunk #mailing-list #cryptography #privacy #hal-finney #david-chaum #digital-cash #anonymous-systems #foundational-text #protocol-design #distributed-systems
Cryptographic proof instead of institutional trust
The white paper's opening premise challenged the structure of online commerce. <cite index="4-5">The paper presents an electronic payment system based on cryptographic proof rather than trust in third parties, enabling any two willing parties to transact directly without the need for a trusted intermediary</cite>. This was a departure from the banking model where <cite index="15-2,15-3">completely non-reversible transactions are not really possible, since financial institutions cannot avoid mediating disputes, and the cost of mediation increases transaction costs, limiting the minimum practical transaction size</cite>.
<cite index="6-7">Fundamentally, the purpose of Bitcoin is developing computer technology for enabling multiple parties to send payments online directly to each other ("peer-to-peer cash system") without requiring a financial institution such as a bank</cite>. <cite index="7-3">The term "trustless" in blockchain technology refers to not having to trust a centralized third-party organization or institution (like a bank or government) for the system to function</cite>.
<cite index="13-13">The document proposed a transaction system that doesn't rely on third parties and prevents double-spending through a peer-to-peer network with public registration of all transactions that cannot be corrupted or reversed</cite>. The network design eliminated the need for a middleman, replacing institutional verification with a mathematical process that any participant could independently verify.
Sources:
- https://btcpaper.org/
- https://www.bitpanda.com/en/academy/the-bitcoin-whitepaper-simply-explained
- https://www.bitstamp.net/en-gb/learn/crypto-101/bitcoin-whitepaper/
- https://www.blink.sv/blog/preventing-the-double-spending-problem-what-does-the-bitcoin-whitepaper-say
- https://zerocap.com/insights/articles/the-bitcoin-whitepaper-summary/
#trustless-system #cryptographic-proof #peer-to-peer #disintermediation #financial-institutions #transaction-verification #decentralization #foundational-text #protocol-design #distributed-systems
Solving double-spending without a bank in the middle
The technical core of the white paper is a solution to a specific problem: how to prevent someone from spending the same digital token twice without relying on a centralized authority. <cite index="12-7,12-8">According to Satoshi, the only way to confirm the absence of a transaction is to be aware of all transactions, so each participant must therefore have access to all past transactions, in order to be able to have proof that upon receiving a transaction, it is in fact the first to spend the bitcoins committed</cite>.
<cite index="10-6,10-7">The paper proposes a solution to the double-spending problem using a peer-to-peer network that timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work</cite>. <cite index="19-2">The system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes</cite>.
<cite index="14-1,14-2">Nakamoto explains that, in the proof-of-work consensus mechanism, a block is created using computational power; thus, a block cannot be changed without expending the same amount of computational power</cite>. The mechanism borrows from Adam Back's Hashcash protocol, originally designed to combat email spam. <cite index="15-6">The Bitcoin ledger is decentralized and public, and that fact, combined with the proof-of-work consensus mechanism, allows the Bitcoin network to solve the double-spending problem in a trustless manner and achieve final settlement in minutes</cite>.
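The tamper-evidence property described above, as an added example that is not code from the white paper or from this page: a toy chain in which each block commits to its predecessor's hash and must hash below a target. The 12-bit difficulty, the block layout and the payload strings are constructed assumptions, far simpler than Bitcoin's real block format.

```python
import hashlib

DIFFICULTY_BITS = 12                      # assumed toy difficulty, not Bitcoin's
TARGET = 1 << (256 - DIFFICULTY_BITS)     # a valid block hash must be below this
GENESIS_PREV = "0" * 64

def block_hash(prev, payload, nonce):
    return hashlib.sha256(f"{prev}|{payload}|{nonce}".encode()).hexdigest()

def mine(prev, payload):
    """Proof-of-work: try nonces until the block hash is below TARGET."""
    nonce = 0
    while int(block_hash(prev, payload, nonce), 16) >= TARGET:
        nonce += 1
    return {"prev": prev, "payload": payload, "nonce": nonce,
            "hash": block_hash(prev, payload, nonce)}

def build_chain(payloads):
    chain, prev = [], GENESIS_PREV
    for payload in payloads:
        chain.append(mine(prev, payload))
        prev = chain[-1]["hash"]
    return chain

def first_invalid(chain):
    """Index of the first block that fails verification, or None if all pass."""
    prev = GENESIS_PREV
    for i, b in enumerate(chain):
        h = block_hash(b["prev"], b["payload"], b["nonce"])
        if b["prev"] != prev or h != b["hash"] or int(h, 16) >= TARGET:
            return i
        prev = h
    return None

def rewrite(chain, index, new_payload, remine_count=0):
    """Change one block's payload, redoing the work for remine_count blocks."""
    forged = [dict(b) for b in chain]
    forged[index]["payload"] = new_payload
    prev = forged[index]["prev"]
    for i in range(index, min(index + remine_count, len(forged))):
        forged[i] = mine(prev, forged[i]["payload"])
        prev = forged[i]["hash"]
    return forged

if __name__ == "__main__":
    # Constructed sample payloads standing in for batches of transactions.
    chain = build_chain(["A pays B 1", "B pays C 1", "C pays D 1", "D pays E 1"])
    print(first_invalid(chain))                               # untouched chain
    print(first_invalid(rewrite(chain, 1, "B pays X 1")))     # no work redone
    print(first_invalid(rewrite(chain, 1, "B pays X 1", 1)))  # one block redone
    print(first_invalid(rewrite(chain, 1, "B pays X 1", 3)))  # all later work redone
```

A verifier rejects the altered history at the edited block, or at the next block if only the edited one is re-mined; it passes only once the work for that block and every block after it has been redone.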
Sources:
- https://bitcoin.org/bitcoin.pdf
- https://www.bitstack-app.com/en/learn-bitcoin/the-bitcoin-white-paper-simply-explained---chapter-1
- https://satoshi.nakamotoinstitute.org/quotes/double-spending/
- https://www.northcrypto.com/learn/blog/bitcoin-whitepaper-eng
- https://www.blink.sv/blog/preventing-the-double-spending-problem-what-does-the-bitcoin-whitepaper-say
#double-spending #proof-of-work #consensus-mechanism #distributed-ledger #hashcash #cryptographic-proof #timestamp-server #foundational-text #protocol-design #distributed-systems
The nine-page document that proposed a different kind of money
<cite index="3-1,1-1">On October 31, 2008, an individual or group using the pseudonym Satoshi Nakamoto published a paper titled "Bitcoin: A Peer-to-Peer Electronic Cash System"</cite> to <cite index="6-3">a cryptography mailing list on a platform called Metzdowd</cite>. <cite index="6-3">The Bitcoin Whitepaper is only nine pages long and is a proposal for a trustless system of electronic transactions</cite>.
The paper landed in the inboxes of a community that had been working on related problems for years. <cite index="25-1,25-6">The paper made direct references to b-money and hashcash and addressed many of the problems that the earlier developers faced including double spending</cite>. <cite index="26-5">At first, Satoshi's post was met with a bit of skepticism, because many people had started to believe that it was impossible to create a truly decentralized digital currency</cite>.
<cite index="10-4,10-5">The abstract proposed that a purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending</cite>. The paper is hosted at bitcoin.org and available in multiple translations. It has been archived by SSRN and submitted to the SEC in public comments, marking its journey from cryptography mailing list to formal academic and regulatory record.
Sources:
- https://bitcoin.org/bitcoin.pdf
- https://www.bitpanda.com/en/academy/the-bitcoin-whitepaper-simply-explained
- https://bitflyer.com/en-us/s/glossary/bitcoin-whitepaper
- https://medium.com/swlh/the-untold-history-of-bitcoin-enter-the-cypherpunks-f764dee962a1
- https://www.oreilly.com/library/view/catching-up-to/9781394158744/c04.xhtml
#foundational-text #satoshi-nakamoto #white-paper #peer-to-peer #cryptography-mailing-list #2008 #trustless-system #protocol-design #distributed-systems