Current and Future Threats to Bitcoin

[Dogedegen]

Is this really the direction that we want to take or do we have no other choice? I think I have seen some altcoins proclaim themselves to have solved scaling, but they have implement something similar but probably less comprehensive. They just keep some part of the blockchain history, and only a few archival nodes contain the rest. What are your observations on that, have you seen developers indicating that they would like this future or not?

Well there are two possible approaches:
- not keeping anything about the old history, only the UTXO set and a few days or weeks of current blocks. Such as the mini-blockchain scheme or Kaspa.
- keeping a record of the old history, but in a very compressed form. This is how I understand the ZeroSync approach.

The first option indeed isn't what I would like for Bitcoin. And if we advance into systems like Utreexo where the UTXOs are normally kept by the involved parties, some nodes that know about the old history should still exist if the UTXO get lost. While you could argument that you should keep your UTXOs safe like your private keys, it's practically different above all for offline storage, as UTXOs would have to be stored too, alongside seed phrases or raw keys. You would have to print or annotate a lot of data on your paper offline storage.

This is what I was looking for, a simple description of the two major ways of doing this. I do not like what Kaspa is doing, and this is not something that I would like to see in Bitcoin because it would be quite different from what it is today and it would work under entirely different assumptions. I am more interested in the ZeroSync approach. What are the disadvantages of it or risks? Sorry if we have been over some questions or topics before, since we don't post here so frequently I forget some of the details. A lot of this is new so it takes a lot time to integrate into my knowledge.

But what I think I can assure is that there's no "systemic" need for archival storage of data outputs (OP_RETURN and fake public keys). So even the archival nodes that only want to "help Utreexo users who lost their UTXOs" can discard a lot of data, and just the data which may be "risky" if they fear to store any illegal stuff.

However the good thing is that the Bitcoin blockchain grows slowly and thus storage costs even for the whole chain are not high. While we have currently a SSD bubble due to AI demand, I guess in 1-2 years the prices for storage will again go down. Many nodes could opt to sync with ZeroSync but later re-download the whole blockchain, just to stay even safer. And if there's really scarcity of archival nodes eventually, they could take money for the service (i.e. for those Utreexo users who lost the UTXOs) and that would again ensure incentives are there.

I don't think storage is a really big issue, you can find a 2 TB SSD right now for like $200 which would be enough for a long time with the current capacity of Bitcoin. I don't think we need to be maximalists in node costs that is try to make it crazy inexpensive when everything in the world is very expensive these days. Depending on the region just a single Netflix subscription will almost cost the person the same amount as this SSD. I don't think we need to be extreme in this anymore, but a reasonable low cost is good enough. If you look at the other side at things like Solana, the costs to run it are maybe 1000 times higher. It is crazy!

I also don't think we should "suffocate" Layer 1 by "ossifying" the 4MB blocks. However, as I wrote in the previous paragraph, it's a blessing that Bitcoin's full storage requirements grow only slowly, so archival nodes would never be too expensive.

I agree with this because I know that in Ethereum and Solana the situation is very bad in requirements. I have never met a single person who holds these coins and runs nodes at all, or a fully synced client. With normal hardware it is not possible at all and these chains are quite younger. It is a blessing what we have here, with good hardware one can sync Bitcoin in a few hours without any tricks of skipping some checks like some shitcoins do.

So my take on this is: If we see another congestion phase, increase the block size slowly, but via softforks (witness discount increase). 8 MB or 16 MB could be the target value for 2050 indeed. Bitcoin is 17 years old now and we saw only one block size increase (a x2 in Segwit). In 17 more years we have 2042. Until then, 1-2 similar increases like Segwit could take place. Then we have technologies like Cross-Input signature aggregation which would allow further optimizations, above all for CoinJoins (don't know if I already mentioned this in this thread).

Wait a minute, I thought that the Segwit thing was a one off. I didn't think that there was more room to increase the space using the same method more. Is there a limit to the amount of block space that can be generated this way so to say? Put other scaling limitations aside, I am interested simply in the limits of this method please. Also where do we stand on cross-input signature aggregation? I have seen this mentioned for many years now but I don't hear often of it?

I made a Dune query for OP_RETURN. I've currently no data for fake pubkeys and such methods.

A quick look had as a result 940 MB of OP_RETURN data in 2025. That's honestly much less than I thought, as the blockchain grew from 627 GB to 710 GB in the same timeframe (by 83 GB), so it's a little bit over 1%. This is only the size of the outputs, but it doesn't make sense to add the change output and signature because these have to be stored for the blockchain state (the 5-30% I mentioned earlier was based on the size of the whole data transactions in mempool.space including inputs and outputs of OP_RETURN txes, but they included Taproot envelopes and other stuff).

DdmrDdmr had made a similar graph for the Ordinals Taproot envelopes here. I have updated at least the query for the weight (not sizes) by day. I will probably fork that query to have data per day and also data for the real size in MB/GB.

That is pretty low actually. Even if we considered all OP_RETURN to be complete spam which is questionable but lets go with that, then all the spam drama of last year was pointless. It  has no real impact on Bitcoin at all at this time.

[d5000]

I am more interested in the ZeroSync approach. What are the disadvantages of it or risks?

According to what I found about the topic, the main disadvantage seems to be that the ZK proof generation is computationally intensive, which would put more CPU burden on the nodes who build these proofs.

And there's the risk that less nodes would store the whole blockchain. However, I think if this resource became too scarce, it could develop into a business model, i.e. some nodes could sustain themselves requiring a fee for complete and fast blockchain access, while free access would be restricted. Thus I don't think that the archival nodes would really reach extremely low figures.

Peter Todd has also mentioned the risk that if ZeroSync becomes an alternative implementation alongside Core, then that could increase the risk for incompatibilities and possible forks if these incompatibilities persist (see the mailing list thread below). However, that's not a ZeroSync-only problem, and normally an open project like Bitcoin should be able to deal with this. He also mentioned that it could become problematic if miners rely too much on ZeroSync, as they could lose access to historic block data, and thus some could not be able to verify transactions going back to old blocks. This would afaik be mainly a problem if Utreexo became the standard and the UTXO set is not stored completely but as a series of hashes. The argument I could come up against that risk is however that miners who do that "cheap mining trick" would lose income in forms of fees, and thus there is a natural incentive for them to keep the history.

BTW, if you want to know about expert opinions on ZeroSync there are some on the Zerosync website, see https://zerosync.org/#media.

That's the original thread on the Bitcoin mailing list: https://gnusha.org/pi/bitcoindev/8DFE4646-9E8B-4A92-BBA2-EBD4A785C1D3@zerosync.org/T/

Wait a minute, I thought that the Segwit thing was a one off. I didn't think that there was more room to increase the space using the same method more. Is there a limit to the amount of block space that can be generated this way so to say?

It's not as easy as just updating the witness discount, and the "anyonecanspend" trick (tricking old nodes into accepting txes without signatures) was already used by Segwit and this specific stategy indeed seems to be an one-off option. But you could add another field to the blocks for the transactions or parts of them like the signatures (or other data structures you'd want to give an additional discount), which would be similar to an extension block, which was successfully applied in Litecoin. This practically would mean that these upgrades shouldn't occur too often. Otherwise the block structure could become too complex (which increases the maintainance cost of the code). An alternative, if further block size increases are envisioned, would be to directly integrate a discount upgrade mechanism. But that would be controversial, I think, as this would "open the door" for big blocker miners to apply block size upgrades at will.

Theoretically as far as I understand there are no limits but from the practical/political point of view there are. Such an upgrade thus should be planned carefully, with simulations about the fee market. However, if the block size was expanded too much making transactions too cheap, it can always be restricted via softforks (but then it would be complicated to re-expand them, so this should be only an emergency measure).

Also where do we stand on cross-input signature aggregation? I have seen this mentioned for many years now but I don't hear often of it?

Progress seems indeed to be slow but there were some research articles last year (2025). See https://bitcoinops.org/en/topics/cross-input-signature-aggregation/

That is pretty low actually. Even if we considered all OP_RETURN to be complete spam which is questionable but lets go with that, then all the spam drama of last year was pointless.

I agree here. However, I understand a bit the fear of node operators to store illegal data. There is also the possibility of Taproot rules being restricted eventually (perhaps as a compromise to the so-called "BIP-110") and this could lead to the Ordinals technique (based on Taproot) being abandoned for NFTs and OP_RETURN used instead. So I consider it still important to develop strategies how OP_RETURN data could be segregated from the rest of the blockchain, and "intermediate" nodes (neither light nor full nodes) being "allowed" to delete them keeping only a hash.

[dezoel]

Aside from 51% attack, quantum, and government overreach we have nothing else I can think of. Those are the three that would matter the most and I am sure that we are going to see them matter a lot. I am not saying that we should not be considering them important, of course they are important but we should be considering them very much not on the plans for right now.

Quantum is at least a decade away, miners are not that much one sided by anyone because no big mining company is that powerful at the moment, and governments are all looking fine about it at the moment.

[Furball808]

Aside from 51% attack, quantum, and government overreach we have nothing else I can think of. Those are the three that would matter the most and I am sure that we are going to see them matter a lot. I am not saying that we should not be considering them important, of course they are important but we should be considering them very much not on the plans for right now.

Quantum is at least a decade away, miners are not that much one sided by anyone because no big mining company is that powerful at the moment, and governments are all looking fine about it at the moment.

Governments used to be against bitcoin that they were seen as a threat but as we can see governments are actually siding with bitcoin now because they have seen what it can do. Right now, I would say FUD and misinformation are just one of the few threats that might put bitcoin in danger.

[nemesis_incarnate]

Governments used to be against bitcoin that they were seen as a threat but as we can see governments are actually siding with bitcoin now because they have seen what it can do. Right now, I would say FUD and misinformation are just one of the few threats that might put bitcoin in danger.

They see the potential profit, but they still mostly look at it as a tool, not as something good for their own citizens.

[ZAINmalik75]

This is a detailed and well structured breakdown of the threats that bitcoin faces and I think all of them are valid and worth our time to be given because if we are in crypto and we are not aware of these threats then we should not say we are bitcoiners because knoweldge of one thing takes us more close to that thing if we don't want to go away from it.

From the list, the most underrated one I found is the fee market collapse because you are right, if there will be l2 solutions, the fee on the main network will be too low that it won't generate enough money for the miners and the incentive is what motivates everyone to do it, even right now out of 100, 90 are not mining even they read and know about mining, they don't do it because of the risk, but I think they are just lazy.

The ECDSA quantum threat can be real, I am not sure, but I agree that it is not immediate, so nothing to worry about, the issue is only be faced by p2pk protocol-based addresses like the one Satoshi is holding his funds in.
On the social side, user apathy is really scary, like what if 80% of us stop believing in Bitcoin and won't care about it. We will be doomed then.

[Alone055]

1) User Anxiety: One major concern under this group is user anxiety surrounding different matters related to Bitcoin. Users are constantly bombarded with biased media narratives, influencers and others who abuse online information spreading and create exaggerated warnings about Bitcoin-related risks and vulnerabilities. This fuels a dangerous culture of fear and overreaction. When people are feeling the effects of anxiety they tend to act on impulse, often trading long-term vision for short-term crisis management. This type of anxiety is not only dangerous to the user itself but it is harmful to the group consensus, it can lead to misguided calls for drastic changes to different aspects of Bitcoin. These very changes that could be demanded could harm the core principles that Bitcoin stands for such as immutability and decentralization.

Panic selling exists even right now, but we should ask ourselves, does that actually affect Bitcoin in the long run? The answer is no, it doesn't, and it's only a negative thing for those who do that because they fail to make any profits from it, and the market eventually recovers because not the whole population will do that, not to mention industrial investors who would grab any opportunity to get some cheap sats.

2) User Apathy: I've seen this discussed in different ways in different topics. What if fewer and fewer people care about self-custody, decentralization and privacy as time goes on? I don't think anyone is trying to do this as a targeted attack yet but they can make this worse by trying to persuade people against these things. Combined with regulatory pressure this could become very dangerous. The main features of this network such as its censorship resistance are only possible because so many participating parties care deeply about the aforementioned things. The cypher punk spirit must stay alive in Bitcoin.

Again, I believe those who don't use self-custody are only going to make things difficult for themselves, and people will slowly understand this, and even if the majority don't, decentralization will still exist and there will be people who will read about Bitcoin and understand what it was actually created for.

3) Social attacks through narratives and disinformation: On its own this is no longer effective. There are hundreds if not thousands of obituaries for Bitcoin already. Everything from Bitcoin being for criminals to its a ponzi. They have tried all kinds of arguments and narratives and none of it ultimately work, but I think it could come back in a combined attack. One must keep in mind that the situation regarding enemies is not like there is just 1 group waiting to attack Bitcoin. There are many different groups, some of which work together and others who are on their own. Some have similar reasons to attack Bitcoin others have very different ones. They may be waiting for a good opportunity to do something, and if there is one kind of attack effectively in progress they may join with their own attack for their own reasons.

Tried in the past, the attackers failed miserably over time, and the same thing will happen in the future, with a better ratio of failure for the attackers.

[serjent05]

Governments used to be against bitcoin that they were seen as a threat but as we can see governments are actually siding with bitcoin now because they have seen what it can do. Right now, I would say FUD and misinformation are just one of the few threats that might put bitcoin in danger.

The government is just riding the wind, since people can't be stopped from engaging with Bitcoin investment, they will just go along with it to take profit by setting rules and regulations specifically on taxing Bitcoin holders.

By using the centralized exchange, the government implements KYC to monitor the cash flow of the exchange users.  From that, they can easily track people who need to pay tax and go after them.

Another threat is the government exercising its full authority by forcing Bitcoin developers and miners to modify Bitcoin code and network according to its liking.  So far this is the greatest threat to bitcoin in my opinion.

[SeriouslyGiveaway]

Another threat is the government exercising its full authority by forcing Bitcoin developers and miners to modify Bitcoin code and network according to its liking.  So far this is the greatest threat to bitcoin in my opinion.

They can not do this because Bitcoin project is a decentralized project from technical developments to network operations, block mining, relay and transaction confirmations.

In the past, there is MARA mining pool wanted to filter and censor Bitcoin transactions for OFAC compliance but many months so far they did not gain success.
Obsevering Bitcoin mining pools.
You can read more details with two press releases from MARA.
https://ir.marathondh.com/news-events/press-releases/detail/1233/correction-marathon-digital-holdings-to-launch-the-first
https://ir.marathondh.com/news-events/press-releases/detail/1239/marathon-digital-holdings-becomes-the-first-north-american

[Dogedegen]

I am more interested in the ZeroSync approach. What are the disadvantages of it or risks?

According to what I found about the topic, the main disadvantage seems to be that the ZK proof generation is computationally intensive, which would put more CPU burden on the nodes who build these proofs.

How much more computationally intensive though? If that is the only disadvantage and if it is not too significant I do not see a big obstacle with that. CPU capability keeps steadily increasing, and if I understand this correctly these cost increases are one off. With that I mean if it jumps let's say by a factor of 2 when we move to this, it is not like it is going to jump again by 2 in a few years. Is that right?

And there's the risk that less nodes would store the whole blockchain. However, I think if this resource became too scarce, it could develop into a business model, i.e. some nodes could sustain themselves requiring a fee for complete and fast blockchain access, while free access would be restricted. Thus I don't think that the archival nodes would really reach extremely low figures.

A reduction is expected as a consequences of this in my view, but as long as it is not too much I don't see it as a big issue. I don't believe that the current storage situation is an issue at all. Storage has become pretty cheap even fast storage.

Peter Todd has also mentioned the risk that if ZeroSync becomes an alternative implementation alongside Core, then that could increase the risk for incompatibilities and possible forks if these incompatibilities persist (see the mailing list thread below). However, that's not a ZeroSync-only problem, and normally an open project like Bitcoin should be able to deal with this. He also mentioned that it could become problematic if miners rely too much on ZeroSync, as they could lose access to historic block data, and thus some could not be able to verify transactions going back to old blocks. This would afaik be mainly a problem if Utreexo became the standard and the UTXO set is not stored completely but as a series of hashes. The argument I could come up against that risk is however that miners who do that "cheap mining trick" would lose income in forms of fees, and thus there is a natural incentive for them to keep the history.

I am a bit familiar with that problem, he is right and I mention something like that in my recent thread https://bitcointalk.org/index.php?topic=5573796.msg66384028#msg66384028. So maybe it would be best to have it part of Core but with a switch to decide how you want to use it, maybe default to full node with the option to run it as pruned or ZeroSync? This would avoid the problem and not create over reliance on ZeroSync nodes. What do you think?

BTW, if you want to know about expert opinions on ZeroSync there are some on the Zerosync website, see https://zerosync.org/#media.

That's the original thread on the Bitcoin mailing list: https://gnusha.org/pi/bitcoindev/8DFE4646-9E8B-4A92-BBA2-EBD4A785C1D3@zerosync.org/T/

Thanks.

Wait a minute, I thought that the Segwit thing was a one off. I didn't think that there was more room to increase the space using the same method more. Is there a limit to the amount of block space that can be generated this way so to say?

It's not as easy as just updating the witness discount, and the "anyonecanspend" trick (tricking old nodes into accepting txes without signatures) was already used by Segwit and this specific stategy indeed seems to be an one-off option. But you could add another field to the blocks for the transactions or parts of them like the signatures (or other data structures you'd want to give an additional discount), which would be similar to an extension block, which was successfully applied in Litecoin. This practically would mean that these upgrades shouldn't occur too often. Otherwise the block structure could become too complex (which increases the maintainance cost of the code). An alternative, if further block size increases are envisioned, would be to directly integrate a discount upgrade mechanism. But that would be controversial, I think, as this would "open the door" for big blocker miners to apply block size upgrades at will.

Theoretically as far as I understand there are no limits but from the practical/political point of view there are. Such an upgrade thus should be planned carefully, with simulations about the fee market. However, if the block size was expanded too much making transactions too cheap, it can always be restricted via softforks (but then it would be complicated to re-expand them, so this should be only an emergency measure).

That is very interesting, I thought that only the block size could be increased more with a hard fork and that this is the reason why it is probably not going to be done. It is good to have this as an alternative way. Even if I love LN, I also don't think that we should stick to such low blocks or on chain TPS forever. A hard fork is always going to create more obstacles and issues compared to these options that you have described here.

Progress seems indeed to be slow but there were some research articles last year (2025). See https://bitcoinops.org/en/topics/cross-input-signature-aggregation/

Thanks for this one too.

That is pretty low actually. Even if we considered all OP_RETURN to be complete spam which is questionable but lets go with that, then all the spam drama of last year was pointless.

I agree here. However, I understand a bit the fear of node operators to store illegal data. There is also the possibility of Taproot rules being restricted eventually (perhaps as a compromise to the so-called "BIP-110") and this could lead to the Ordinals technique (based on Taproot) being abandoned for NFTs and OP_RETURN used instead. So I consider it still important to develop strategies how OP_RETURN data could be segregated from the rest of the blockchain, and "intermediate" nodes (neither light nor full nodes) being "allowed" to delete them keeping only a hash.

Yeah I am in favor of having options, even more in cases where nobody is being harmed here by exercising their choice. If someone does not want to store this or has fears of doing this they should be able to do it.

Panic selling exists even right now, but we should ask ourselves, does that actually affect Bitcoin in the long run? The answer is no, it doesn't, and it's only a negative thing for those who do that because they fail to make any profits from it, and the market eventually recovers because not the whole population will do that, not to mention industrial investors who would grab any opportunity to get some cheap sats.

Panic selling in the short term is only one example of user anxiety. You are right to bring it up but your conclusion does not seem accurate here. We do not have a way to estimate the real cost of how much damage anxiety of all kinds have caused. It is definitely a big number. Many people were actually put off from entering Bitcoin because of the bombardment of news and propaganda, they became anxious or even dumped it. There are always concerns that are abused to cause anxiety, last year was full of OP RETURN and quantum lies. Many people who were fine became skeptical and scared of the near future. Read the posts of gmaxwell that brought this up first here, I added it because of his suggestion. 

Again, I believe those who don't use self-custody are only going to make things difficult for themselves, and people will slowly understand this, and even if the majority don't, decentralization will still exist and there will be people who will read about Bitcoin and understand what it was actually created for.

I don't think we could frame it this simply. One could say that certain groups of users are actually making things easy for themselves by not doing it, because they don't have to learn how to use Bitcoin so much or how to protect it so they are offloading this part to someone else. They are trading this for more other risks, such as exchange default. Also they don't only make things difficult for themselves, but they are creating risks for everyone else and reducing decentralization too. If most people did self-custody, there would never be a big risk from a large exchange hack. We would be fewer big issues since there would be no big targets to hack.

Tried in the past, the attackers failed miserably over time, and the same thing will happen in the future, with a better ratio of failure for the attackers.

Failed is not the right way to frame this point too. Failed how? An attack that manages to hurt Bitcoin even a bit and its goal was to hurt it is a success attack. Only if the objective is to fully kill Bitcoin can we consider them to have failed. If social attacks were not effective then they would stop doing them because it costs money and resources to deploy this. Because they persist even today that means that they have some success. What changes is mostly what the disinformation is about and maybe how much of it is being pushed. The regulations and legislation in the USA have helped to reduce this a bit but we are still not out of the water.

[d5000]

How much more computationally intensive though? If that is the only disadvantage and if it is not too significant I do not see a big obstacle with that. CPU capability keeps steadily increasing, and if I understand this correctly these cost increases are one off. With that I mean if it jumps let's say by a factor of 2 when we move to this, it is not like it is going to jump again by 2 in a few years. Is that right?

Yes, I agree here. It's a slight disadvantage but as it only affects a subset of nodes (those that actually enable the ZK proof generation) it shouldn't be problematic at all.

I am a bit familiar with that problem, he is right and I mention something like that in my recent thread https://bitcointalk.org/index.php?topic=5573796.msg66384028#msg66384028. So maybe it would be best to have it part of Core but with a switch to decide how you want to use it, maybe default to full node with the option to run it as pruned or ZeroSync? This would avoid the problem and not create over reliance on ZeroSync nodes. What do you think?

Ah, nice thread, I'll probably comment there too

I am a bit divided about this. I am in reality strongly in favour of a landscape where many clients can compete as long as they use the same consensus rules. But of course I acknowledge the problem Todd mentions. Perhaps a solution would be to separe the absolutely core consensus protocol from the Core client (e.g. with some library which could be called "libbitcoincore" or so), so at least the important features are maintained in one place.

Of course a ZeroSync option in Core would be nice too. I have still not seen anybody in Core directly against the approach, so it could become possible. (I may need to investigate more though.)