The line between lost and hodl

[Satofan44]

Considering that bitcoin has not yet reached mass adoption, its 21 million cap is as unknown a bitcoin itself to majority of people.

Yeah, to claim that it is the most famous number is completely wrong. However, I think that it will enter history eventually as one of the most significant things to happen in this era. There is nothing like Bitcoin and pretty much everything has unlimited supply these days. Even many altcoins that had fixed supply switched to infinite supply after some time.

Usually those who "guess" the number of lost coins are simply counting the UTXOs that have not moved for a certain number of years. I say this to everyone who makes these claims: I started with bitcoin back in 2014 and I have small amount of coins from those years that I have not moved for 11 years. While I still own the keys, these "guessers" count my coins as lost.

Those that do it that way are dumb, it is similar to those that think that they understand quantum computers and the potential risks that they carry after reading a few articles or posts on X. The problem does not lie in the observation of coins based on again, the problem lies in inference. The internet is full of dumb people unfortunately, most of them don't even know what they don't know. From a statistics perspective, what those people are doing is basically like this:

• Observed variable: time since last movement or spend.
• Inference: probability that keys are lost after N years is equal to 1, where N is a random number decided by random guess work by some internet idiot.

This is an error that is as basic as it gets when it comes to statistics. If you think in terms of latent variables, "coin is lost" is not an observable state except in a few very specific cases where it is in a provably unspendable state (OP_RETURN being one)[1]. A proper analysis by a researcher would probably model coin movement as a stochastic process (and not a binary state of lost vs. not lost) and then use historical data to gather probabilities. For example, what is the probability that a coin that has not moved for N years will move again? This is done by analyzing all coins and movements. It could also make some distinction based on address types or other metrics.

So yes this can be done right but it requires a lot of statistical knowledge, Bitcoin technical expertise and research experience. However, the conclusion will never be dumb as the one we usually get. It will only gives us probabilities.

Their silence for over ten years isn't just a strategy, it’s a testament to a level of conviction that is rare in today’s attention driven market.

Another problem with these guesses is that they guess that an early day miner only owns the coins that are not moved and didn't own anything else! In other words if they haven't moved dozens of 50BTC rewards from early blocks, they may have already moved a single block reward that is worth almost $4.5 million. Do they need to move all their coins? Not really. Therefore the rest are untouched and that doesn't show "conviction" of any kind...

As of time of writing, only people with P2PK addresses should definitely move all their coins. Not doing so is a mistake and risky to both the user and the network. For everyone else (assuming normal and secure address derivation of course) you are correct.
[1] @stwenhao I summon thee. 

[Dunamisx]

The 21 million hard cap is the most famous number in finance,

21 million bitcoin hard cap may not be the most famous, what about the all time high figure, are people not more concerned about this than what they tend to see from the maximum supply, except we all have different approach to what we see with utmost value or priority to us.

[Ambatman]

I do consider lost coins as burned because actually they just cannot be spent and remains dormant on the network. It almost same thing, the only difference is one is done intentionally and the other isn't.

Not really. There's another difference which is lost coins can be recovered once their private keys are found
While burnt coins don't have any private key so has always been inaccessible.

You mean some don't? We've seen many stories this year that would probably back my point.. one way or the other a few number of them flaunts their holdings on their social media pages

Most of the time I find this common with traders not those that invested in Bitcoin (Holding)
And yes, Many prefer to sacrifice security for money and fame.

[PrivacyG]

It is interesting how the Bitcoin that has never moved are also an indicator of the Security of Bitcoin.  Older Addresses are more vulnerable to future attacks than newer Addresses.  If many old UTXOs start moving, it could also be a sign that an attack is occurring.  What I did not understand is why some people are very desperate about 'lost' Coins.  Every year, old Addresses are moving Bitcoin out.  It is going to keep happening.  People like Ross Ulbricht may still have some lots of Bitcoin in his stash to unload.

[Antona]

Yeah the waking of a satoshi-era wallet is always a trip. Proves those legendary holders are real and still among us that ticking clock analogy is perfect Every dormant coin is a story, and its potential movement is part of what makes Bitcoin's economics so unpredictable and alive

[shield132]

It's very hard to distinguish a line between lost coins and extremely patient holders or those, who lost access to coins but gained access more than a decade later. We have seen one of the oldest addresses moving their coins recently, too. I wouldn't treat dormant coins as deleted coins. The only coins that I consider truly deleted are those that are sent to burn addresses. There is no way someone can gain access to an address like this - 1CounterpartyXXXXXXXXXXXXXXXUWLpVr and this - 1111111111111111111114oLvT2, so it's safe to assume that any coin sent to these addresses is truly lost forever. Coins in the Genesis Block address are also guaranteed to be lost.

[stwenhao]

only people with P2PK addresses should definitely move all their coins

I disagree. If P2PK is unsafe, then many other things also are. In general, finding serious weaknesses in P2PK would render everything under P2TR as "unsafe", as it is under P2PK, just because by reaching the private key, the whole TapScript can be skipped by any attacker, who will just make a Schnorr signature, and then will unconditionally send coins to any destination. So, if you think, that people should move coins from P2PK to P2TR, then I have bad news: it won't make coins "safer" than they currently are.

Also, if you think, that hashing is a good protection, then again: there are more bad news. If someone is using 160-bit hash, to protect 256-bit public key, then there are around 2^96 matching public keys, which would allow sweeping everything. Currently, secp256k1 is safe, and hash functions are safe. Some people assume, that secp256k1 will be broken faster, but it doesn't have to be the case. And if someone will have enough power, to compute things 2^128 times, then the same person will also probably have enough power, to compute it 2^80 times, reach some collisions, and raise a panic.

If we believe, that the famous puzzle, based on N-bit public key, is honest, then we can see, that 71-bit hashed key is in progress, and 135-bit public key is also waiting for solution. Which means, that going from 71-bit hash to around 80-bit hashes may take less time, than going from 135-bit public keys, up to 256-bit ones (the puzzle ends on 160-bit, but range 161-256 should probably be recreated, and based on public keys, instead of hashes, if we would want to also trace that progress).

Current miners can produce double SHA-256 hashes with around 80 leading zero bits, every 10 minutes. I guess if there would be enough incentive, someone could produce a 160-bit address collision, just to raise some panic. Of course, finding a collision won't immediately render things under 160-bit hashes unsafe. But it will question the migration from for example P2PK to P2PKH. And in case of P2SH, it would indirectly provide TapScript features into P2SH, because by having a collision, users could reveal one version, or the other, and use "<pubkey> OP_CHECKSIG", and 2-of-2 multisig, by sending coins to the same, collided address.

More about it:

You can't use a coin without exposing its pubkey.

So, if someone thinks, that P2PK, P2TR, or any other address type is "unsafe", then there is a good question: what is the alternative? And if it is hashed, like P2PKH, P2SH, P2WPKH, or P2WSH, then still: does it use OP_CHECKSIG anywhere? Because if it does, then it is not "safer". And if it doesn't, then how public key cryptography is handled?

Not doing so is a mistake and risky to both the user and the network.

As long as we have OP_CHECKSIG, or its equivalent in use, practically everywhere, moving coins between different address types, won't change that much in practice. Because to use a coin in a safe way, you need to make a signature. And to do that, you have to touch secp256k1. As long as it is the case, there is no reason to play ping-pong between different address types, and weaken your privacy.

@stwenhao I summon thee.

Could you tell us all the methods that are provable state of "coin is lost"?

Only if the Script evaluates to false, or equivalent (for example if it is marked as invalid).

OP_FALSE as a raw script is unspendable. But wrapped in P2SH, P2WSH, or P2TR, it can be potentially moved, by reaching hash function collision, or by breaking the private key, and skipping the whole TapScript.

OP_RETURN is unspendable, if executed. You can however spend coins from "OP_IF OP_RETURN OP_ENDIF" with just "OP_TRUE OP_FALSE". Maybe some implementations can be forked with tricks like that, if they will mark unexecuted OP_RETURNs as unspendable.

Many unspendable scripts are described here: https://en.bitcoin.it/wiki/Script

For example: OP_VERNOTIF will automatically mark transaction as invalid, if it is present as a raw script. However, if you will wrap it in a TapScript, then it will be spendable by anyone, because of OP_SUCCESS.

In general, for P2TR, only addresses with invalid x-value coordinates of secp256k1 are unspendable. Everything else can be spent by key, if you can reach it somehow.

[Satofan44]

21 million bitcoin hard cap may not be the most famous, what about the all time high figure, are people not more concerned about this than what they tend to see from the maximum supply, except we all have different approach to what we see with utmost value or priority to us.

Neither is this number the most famous number in finance. If you are talking about the most famous number in Bitcoin or cryptocurrency circles, perhaps it is so. However, overall these things are still not that widely popular. Their significance will continue to rise over time.

Not really. There's another difference which is lost coins can't be recovered once their private keys are found

This does not make any sense, unless you are trying to create a definition of lost coins. All coins can be recovered once their private keys are found, except those that are related to some unspendable conditions.

While burnt coins don't have any private key so has always been inaccessible.

This is also not true, most burning in Bitcoin is done through pseudo-burn addresses. This does not mean that the address can not have a private key, it is just unknown at this point of time. It is entirely possible that someone eventually gets the key generated.

only people with P2PK addresses should definitely move all their coins

I disagree. If P2PK is unsafe, then many other things also are. In general, finding serious weaknesses in P2PK would render everything under P2TR as "unsafe", as it is under P2PK, just because by reaching the private key, the whole TapScript can be skipped by any attacker, who will just make a Schnorr signature, and then will unconditionally send coins to any destination. So, if you think, that people should move coins from P2PK to P2TR, then I have bad news: it won't make coins "safer" than they currently are.

Perhaps I should have been more specific, but I was considering this from the potential quantum threat. P2PK addresses are the most vulnerable ones, followed by P2TR. Yes in this context P2TR is also unsafe, but there are very few coins parked in those addresses comparatively speaking to P2PK. There are millions of coins in P2PK addresses and reused addresses. We can't do anything that does not compromise Bitcoin's ideals to solve the situation with old P2PK addresses that are lost.

You can't use a coin without exposing its pubkey.

So, if someone thinks, that P2PK, P2TR, or any other address type is "unsafe", then there is a good question: what is the alternative? And if it is hashed, like P2PKH, P2SH, P2WPKH, or P2WSH, then still: does it use OP_CHECKSIG anywhere? Because if it does, then it is not "safer". And if it doesn't, then how public key cryptography is handled?

Yes indeed that is the question. What is the alternative? We need something new deployed that will focus on future security threads and not functionality improvements, which taproot mostly was about. If you could deploy a new address type that significantly increases the security compared to the existing ones, do you have an idea what you would do? For this thought process you can adjust anything, from the security algorithm, the bits, the hashing process.

Could you tell us all the methods that are provable state of "coin is lost"?

Only if the Script evaluates to false, or equivalent (for example if it is marked as invalid).

OP_FALSE as a raw script is unspendable. But wrapped in P2SH, P2WSH, or P2TR, it can be potentially moved, by reaching hash function collision, or by breaking the private key, and skipping the whole TapScript.

OP_RETURN is unspendable, if executed. You can however spend coins from "OP_IF OP_RETURN OP_ENDIF" with just "OP_TRUE OP_FALSE". Maybe some implementations can be forked with tricks like that, if they will mark unexecuted OP_RETURNs as unspendable.

Many unspendable scripts are described here: https://en.bitcoin.it/wiki/Script

For example: OP_VERNOTIF will automatically mark transaction as invalid, if it is present as a raw script. However, if you will wrap it in a TapScript, then it will be spendable by anyone, because of OP_SUCCESS.

Excellent, thank you for posting here.

In general, for P2TR, only addresses with invalid x-value coordinates of secp256k1 are unspendable. Everything else can be spent by key, if you can reach it somehow.

Do you have an example of such addresses? Could we publicly designate those as burn addresses that are superior to the ones that are being used now?

[Ambatman]

This does not make any sense, unless you are trying to create a definition of lost coins. All coins can be recovered once their private keys are found, except those that are related to some unspendable conditions.

  A typo
I meant can. Fixed. Thanks. I was trying to differentiate between lost coins and burnt.

This is also not true, most burning in Bitcoin is done through pseudo-burn addresses.

My POV was on provable burnt (OP Return) and though 1BitcoinEaterAddressDontSendf59kuE are considered burnt by most
I read somewhere that there was always a risk that they could be found
So they look similar to intentionally  lost coins in a way.

Thanks for pointing these out

[BlackHatCoiner]

Yeah, you shouldn't consider any of those millions of bitcoin "lost". They are just as in circulation, as the new ones. In fact, we frequently notice many of the old dormant wallets waking up after a long period of inactivity.

We don't know with accuracy how many are lost. There is a number of provably lost, but it's just nickles comparably to the 21 million in total, so I don't even take it into consideration. It's probably less than 20 thousand.

[nakamura12]

I would say that lost bitcoins are lost but in reality it still in a wallet address but the difference is that it is no longer accessible to anyone even the owner. Hodl is kind of the same in sense since you are holding your bitcoin in your wallet for safekeeping. That way it can help reduce the bitcoin supply compared to having all available bitcoin in the market. As others have said bitcoin that isn't in the market because it is lost us considered as burnt coins which I agree.

[Odusko]

The most fascinating moments occur when the assumed dead wallets wake up.

Not that fascinating to be honest because when a wallet moves from being assumed of dead for so long or simply being dormant, that's thought of being sold in the market. But when this is done in the fiats and long term bank accounts that have been dormant, the banks are going to deduct from the balance. The advantage is in holding bitcoin for so long, no policies of dormancy accounts and deduction from its balance. And what actually happens in the opposite for which is causes more value because of the 4 year cycle.

Long dormant account could also trigger sarcacity in the market and when their become active, it could affect price most especially when those Bitcoin are sold in the market, this is why it best dormant since any movement in the wallet will result into sending the Bitcoin into exchange possibly taking profits, it only beneficial to the owner most especially if the amount of Bitcoin is somewhat huge I mean diamon whale wallet.

[Judith87403]

The real scarcity of Bitcoin has gone beyond the cap of 21 million. Having an estimate of 3.7 to 5 million BTC effectively taken away from circulation, the supply that is usable is much smaller than a lot of people realize. Some coins are forever lost lost as a result of death, being imprisoned, or thrown away keys, but others sit remaining untouched in early wallets as a sign of long term conviction that is extreme. In any way, Bitcoin is always priced in the market as though other coins do not exist. This raises a permanent supply shock that makes the scarcity narrative strengthened and encourages bigger valuations as long as there is growth in demand. The uncommon times when old wallets awake brings to our reminder that lost and held are always not the same, yet the cure reality is not altered. Bitcoin isn't only scarce by design, it is by human behavior, history, deflationary and by choice irreversible.

[stwenhao]

Do you have an example of such addresses?

If you understand, how to check if P2PK is spendable or not, then in case of P2TR, it is quite similar.

P2PK example:

Code:

020000000000000000000000000000000000000000000000000000000000000004 //very difficult to reach, but spendable
020000000000000000000000000000000000000000000000000000000000000005 //unspendable

P2TR example:

Code:

bc1pqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqzqln7y9h //very difficult to reach, but spendable
bc1pqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqzs2jkusy //unspendable

Could we publicly designate those as burn addresses that are superior to the ones that are being used now?

We already have a good method of burning coins. It is called OP_RETURN. Trying to extend this set will slow down validation.

Of course, if you are 100% sure, that some address is unspendable in the current consensus, then sure, you can remove it from your node. But it is usually not worth the effort, and there is some risk, that if you throw away something valid, then you may be forked in the future.

[xbetz.io]

Well written.

One thing I think often gets missed in the “lost vs held” discussion is that intent doesn’t really matter to the market. Whether coins are lost due to negligence, death or deliberate long-term holding, the effect on circulating supply is the same, until the moment it isn’t.

The interesting signal isn’t the existence of dormant coins but when they move. Those moments tend to coincide with regime changes: macro shifts, liquidity events or structural stress.

In that sense, dormant wallets aren’t just scarcity, they’re latent information.

[BlackHatCoiner]

P2PK example:

Code:

020000000000000000000000000000000000000000000000000000000000000004 //very difficult to reach, but spendable
020000000000000000000000000000000000000000000000000000000000000005 //unspendable

I'm not very familiar with the public key cryptography, but how do you know the second public key does not have a private key?

[stwenhao]

Just use Sage: https://sagecell.sagemath.org/

Code:

def check_x_value(x):
    p=0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
    modulo_root=(p+1)/4
    b_value=7
    x_cube=(x*x*x)%p
    y_square=(x_cube+b_value)%p
    y=y_square.powermod(modulo_root,p)
    is_on_curve=(y.powermod(2,p)==y_square)
    return (is_on_curve,hex(x),hex(y))

print(check_x_value(4))
print(check_x_value(5))

Standard output:

Code:

(True, '0x4', '0x598ec453728e0ffe0ae2f5e174243cf58f2a3f2c83d2457b43036db568b11093')
(False, '0x5', '0x350ae3b48047adacdeea49fb8a0b289a94f726801078408aba79631fa7a1b6ba')

And when it comes to knowing, how it works, you just use curve equation: y^2=x^3+7. You pick x-value, for example x=4, and later x=5. You calculate y^2. Then, you raise it to the right power, to get a square root of it. And then you check, if the end result is something, that can be placed on this curve, or not. If not, then it is simply invalid, and then, there is no private key, which could be used to make a valid signature, and move it anywhere.

[Satofan44]

Do you have an example of such addresses?

If you understand, how to check if P2PK is spendable or not, then in case of P2TR, it is quite similar.

P2PK example:

Code:

020000000000000000000000000000000000000000000000000000000000000004 //very difficult to reach, but spendable
020000000000000000000000000000000000000000000000000000000000000005 //unspendable

P2TR example:

Code:

bc1pqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqzqln7y9h //very difficult to reach, but spendable
bc1pqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqzs2jkusy //unspendable

Thank you for the examples (of both address types and both kinds, spendable but hard and unspendable). I would need to freshen up on some knowledge and tools, I am getting old. Thank you for the examples. Nobody has used the P2TR address at all as a burn destination.

Could we publicly designate those as burn addresses that are superior to the ones that are being used now?

We already have a good method of burning coins. It is called OP_RETURN. Trying to extend this set will slow down validation.

Of course, if you are 100% sure, that some address is unspendable in the current consensus, then sure, you can remove it from your node. But it is usually not worth the effort, and there is some risk, that if you throw away something valid, then you may be forked in the future.

It is correct that OP_RETURN is better, but how many users know how to use it for this purpose? Compared to the other method which just involves sending it to the designed address, it is essentially identical to the actions involved in a normal sending transaction. For this purpose, I think it would be better to publicly promote these addresses as replacements for the existing addresses that are commonly used for burning. The following link https://github.com/jconorgrogan/BTC-Burn-Addresses lists many addresses, I will just quote some:

1CounterpartyXXXXXXXXXXXXXXXUWLpVr
1111111111111111111114oLvT2
1BitcoinEaterAddressDontSendf59kuE
1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
1DoNotSubmitDoNotBe1ieveLies9MUahF
1ChancecoinXXXXXXXXXXXXXXXXXZELUFD
11111111111111112WRJvAgEgjksg
11111111111111111Ahh1bppfZG

My idea is that we generally replace these with addresses such as bc1pqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqzs2jkusy since coins that are sent there are provably unspendable? The very least that we can do is to promote it in discussions regarding burn that come up occasionally.

[PX-Z]

The 21 million hard cap is the most famous number in finance

Why 21M hard cap is most famous number in finance?
Could you share any link and discussion about this famous number, especially in finance?

Nothing, just bitcoin stuff, idk how OP think about it.

The line between a coin being lost and being held is often impossible to see until a wallet suddenly stirs.

Well, yes, it's blurry until the coins move again. That's why bitcoin supply that's actually liquid can be tricky to gauge. Some articles mention those digits are only estimates of the known lost coins and dead users, including satoshi holdings, etc. This matters for the market because lost coins reduce liquid supply, but if someone suddenly move, it can impact price unexpectedly. So dormant coins aren't necessarily gone, just assumptions or not, and their sudden activity can create short-term market effects.

[stwenhao]

Nobody has used the P2TR address at all as a burn destination.

I am not sure about it. There are around 0x80000000000000000000000000000000a2a8918ca85bafe22016d0b997e4df60 unspendable keys. I guess you didn't scan the whole UTXO set, to validate all P2TR addresses, and check, which x-values are outside of secp256k1. Such scanning can be done, but it would be probably quite slow, and I guess it is not worth it.

My ideas is that we generally replace these with addresses such as bc1pqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqzs2jkusy since coins that are sent there are provably unspendable?

It would bloat the UTXO set for no reason. It is much better to write a GUI support for OP_RETURN instead. For example: "bcret1..." or anything similar could be used, and decoded into OP_RETURN automatically.

The very least that we can do is to promote it in discussions regarding burn that come up occasionally.

There is a difference between these addresses. Coins sent to 1CounterpartyXXXXXXXXXXXXXXXUWLpVr and similar addresses have around 2^96 valid public keys on average, so it will likely be moved in the future. Coins sent to bc1pqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqzs2jkusy will never move, unless you use it on some altcoin, where Taproot is not active, then it would be spendable by miners in a non-standard way, without any signatures.