Can Bitcoin survive on fees alone after block subsidy dies?

[Satofan44]

So the answer to the question, even if you assume that yes this is profitable and it will rise upwards in the future, is this: We will implement measures that will make the attack so costly that it will be near impossible.

What kind of measures? Can you be more precise? Introduce them where? Bitcoin game theory relies on the presumption that the majority of the hashrate stays honest. There is no counter measure that can back the network up, if this theory fails.

You are talking about a very specific kind of attack, which is renting hashrate. This can be easily fought off with rudimentary measures such as increasing the coin maturity, making it extremely uneconomical to even try to do this as you would burn up resources before you are able to sell any Bitcoin to continue financing the attack.

There are always measures for other kinds of attacks or subattacks as well, the main reason we do not use them now is because they come with tradeoffs or changes:
1. You can implement some sort of finality mechanisms.
2. Any other kind of pending research ideas, I could look if you really wanted to but you should get the point by now.
3. You can completely dump the algorithm and render the attackers ineffective and in billions of losses in assets. Bitcoin mining machines are not useful for anything else. In the worst case this is what we would do. You must understand that pure technology can not win this battle. We can take the blows, and the chain continues running and even balances stay in tact. It is going to be chaotic, turbulent, but this is not something that can kill Bitcoin.
You must remember that there is no measure that solves problems for good, that is not how computer security works. It just makes them harder, more expensive, more difficult, or disables some particular cases. Do not expect a solution of a kind that is not possible for computers.

[ap2pfuture]

I think the correct way to frame this is not “what happens in 2140?”, but “what happens as the subsidy asymptotically approaches zero and the security budget becomes mostly fee-driven?”

2140 is almost irrelevant from an incentive perspective. The transition is continuous. Bitcoin does not suddenly move from subsidy security to fee security at the last satoshi. Every halving reduces the subsidy component of miner revenue, and the market gradually tests whether transaction fees can compensate for that reduction.

Miner revenue per block is simply:

block reward = subsidy + transaction fees

Today the subsidy still dominates most of the time. In a fee-only regime, the entire security budget must come from users bidding for scarce block space. That means Bitcoin security eventually depends on the existence of a persistent, high-value settlement market.

I do not think Satoshi “forgot” this. He explicitly expected transaction fees to replace the subsidy. But this is an economic assumption, not a mathematical guarantee. The protocol guarantees the 21 million supply schedule; it does not guarantee that future users will pay enough fees to maintain any specific amount of hashrate.

The key point is that proof-of-work security is not measured in BTC only. Miners pay most of their costs in the real world: energy, ASICs, facilities, financing, cooling, labor, jurisdictional risk. Therefore the relevant security budget is the fiat purchasing power of miner revenue, not just the nominal BTC amount. A fee market producing 50 BTC per block at a low BTC price and a fee market producing 0.5 BTC per block at an extremely high BTC price are very different in BTC terms but may be similar in real economic security.

So the sustainability question becomes:

Will users pay enough, in aggregate, for censorship-resistant final settlement?

If Bitcoin becomes a global settlement layer, the answer can be yes. Large transactions, exchange settlements, custodians, Lightning channel opens/closes, sidechain/L2 settlements, institutional cold-storage movements, coinjoins, sovereign/corporate treasury operations, and high-value self-custody transfers can all rationally pay high fees if the value being settled is large enough. A $50, $200, or even $1,000 fee is not irrational for a transaction settling millions of dollars with finality on the most liquid PoW network.

But if on-chain demand is weak, or if almost all activity migrates to custodial layers that rarely settle back to L1, then the fee market may not be sufficient. In that case Bitcoin would still function, but with a lower security budget. Lower miner revenue means lower equilibrium hashrate, which means the cost of attacking the chain decreases.

However, “lower hashrate” does not automatically mean “easy 51% attack.” The attack model matters. An attacker needs access to ASICs, power, infrastructure, and time. They also face opportunity cost, capital cost, detection risk, market reaction, and the fact that attacking Bitcoin may destroy the value of the very asset they are trying to exploit. For deep reorgs, exchanges can also increase confirmation requirements. So the attack cost is not simply “one block of miner revenue × 51%.” It is more complex.

That said, the fee-only regime introduces a different class of incentive problems. Subsidy is smooth and predictable; fees are volatile and concentrated in individual blocks. When a block contains unusually high fees, miners may have an incentive to reorg or “fee snipe” that block instead of extending the chain honestly. This problem is much weaker when the subsidy is large because the next block subsidy gives miners a stable reason to keep building forward. In a pure fee market, block-to-block reward variance becomes more important.

So the issue is not only “will total fees be high enough?” but also:

1. Will fee revenue be stable enough?
2. Will miners prefer honest extension over short reorgs?
3. Will the mempool fee market produce predictable settlement demand?
4. Will mining remain sufficiently decentralized?
5. Will large pools avoid strategies like selfish mining, undercutting, or fee sniping when subsidy becomes negligible?

This is why I do not think past halvings fully prove the fee-only model. So far, each halving has been absorbed mostly because BTC price increased enough over time to offset the reduced subsidy in fiat terms. That is not the same as proving that fees alone can support the same level of security.

The optimistic case is that block space becomes extremely valuable because Bitcoin L1 becomes the final settlement layer for a much larger financial system. In that world, fees can replace subsidy naturally. Bitcoin does not need billions of daily users transacting directly on-chain; it needs enough high-value settlement demand competing for limited block space.

The pessimistic case is that users want the 21 million hard cap but do not want to pay for security through fees. That cannot work indefinitely. If the subsidy disappears and users refuse to pay meaningful fees, the security budget falls. There is no free lunch in PoW.

Changing the 21 million cap or adding tail emission would be a completely different monetary system and would almost certainly be rejected by the market. The fixed supply is not just a parameter; it is the core social contract of Bitcoin. If Bitcoin’s long-term security requires violating that promise, then the original economic model has failed.

My view is that Satoshi did not make a simple mistake. He made a very strong assumption: that Bitcoin block space would become valuable enough that users would voluntarily fund security through fees. Whether that assumption is correct will be known long before 2140.

The real test is not the last satoshi. The real test is the next several halvings.

[athanred]

You can completely dump the algorithm and render the attackers ineffective

This is possible in theory, but it was historically proven to be unsuccessful in practice. Each altcoin, which stopped using SHA-256, even though nobody broke this hash function, ended up in a worse position. For example: some developers wanted to stick with "1 CPU = 1 vote" principle, and changed the mining algorithm each time, when GPUs or ASICs were built for it. And of course, such coin could work, and provide some level of security, but it would be much worse than Bitcoin. Meanwhile, altcoins, which maintained a fraction of BTCs hashrate, but stayed with SHA-256, were much more successful.

and in billions of losses in assets

I am not so sure about that. If there are many devices in use, which can mine a given coin, in a given way, then it will often find a group of people, which would do that. All new features and upgrades have to be backward-compatible, at least to some extent, otherwise they will be just altcoins. And many users can simply reject new version, and stay with the old one, as long as it is not fully broken. Which means, that if transactions can be processed, then many miners will keep mining even highly-centralized chains, as long as they will be worth some money. In practice, chains can die, if there are exactly zero users, otherwise they can be kept alive as long as needed.

Do not expect a solution of a kind that is not possible for computers.

Sidechains can provide additional revenue for miners, but decentralized ones were rejected, so we have only some centralized federations, like RSK or Liquid, which are still very far from reaching the full potential. Currently, Bitcoin is harder and harder to change, and soon, it can reach a point of being unchangeable, which is called as "ossification" by some people. And then, the only new changes will be completely outside of consensus rules, and will happen only in second layers and subnetworks, because nobody would successfully reach any consensus for changing the main layer anymore.

[d5000]

Sidechains can provide additional revenue for miners, but decentralized ones were rejected, so we have only some centralized federations, like RSK or Liquid,

While drivechains are indeed controversial, there are other quite decentralized models based on multisignature wallets. An example is Threshold Network's tBTC (not to be confused with testnet Bitcoin of course, they should really have chosen another name) which lives on existing blockchains like Ethereum but the federation is dynamic, everybody can participate. It is however not merge-mined with Bitcoin, it currently works with a PoS token.

From my understanding it would be possible to build a sidechain with a similar decentralized federation but with merge-mining, and then it would be possible to increase miner income with the subsidy. Why hasn't this been tried? I don't know but I assume it's simply more profitable to build a premined PoS token-based system, and the L2 boom has waned a bit also.

You are talking about a very specific kind of attack, which is renting hashrate. This can be easily fought off with rudimentary measures such as increasing the coin maturity, making it extremely uneconomical to even try to do this as you would burn up resources before you are able to sell any Bitcoin to continue financing the attack.

I believe the problem is that the attacker would build his economic profit model on the idea to short-sell Bitcoin. I think currently there would be too few Bitcoins available on lending platforms to make this attack profitable, and it would come with a lot of complexities (on lending platforms you have to hide your identity for example).

Regarding a finality measure, yes there could be an addition of PoS-voted checkpoints, which can be even added "after the fact", i.e. after the attack. It would however be fine if we didn't even come close to that.


Shower thought: Has adaptive block size already been discussed for that problem? I.e. one could determine an "ideal" percentage of block filling for fees to stay high, e.g. 90%. And then if the blocks of a difficulty period are significantly below that number, decrease the maximum block size for the next period by 1% and so on (i.e. very gradually, but eventually the blocks should become fuller again).

This would of course mean to think also about the effects of the fee level. For example, currently many Bitcoiners would still pay 5 sat/vByte without problems (I think the compllains started when in 2023/23 they went over 10 sat/vByte) and 5 sat/vByte with full blocks would still lead to significant fee income for miners. above all if Bitcoin rose again to 100k $+. And the fee level should be intimately tied to the percentage of the block space filled with transactions.

[athanred]

Why hasn't this been tried?

Because many people don't understand sidechains, and they think the system works differently, than it works in practice. For example: some people argue, that all full nodes will have to trace all sidechains. Or that all miners will have to mine all sidechains. Or some people worry, that all miners will try to steal all coins from all sidechains, and kill The Goose that Laid the Golden Eggs, instead of taking just fees, and letting them grow.

Also, it decreases the power, that developers have over Bitcoin. If anyone can just make a new sidechain, and ask miners to activate it, then anyone can change the code, and it is all about convincing users to try new features. If everything has to go through Bitcoin Core, then they decide, in which direction Bitcoin should go. But if anyone can make new changes, then the project goes into an unknown direction, and you can make any sidechains you want, including harmful ones, like "you are rewarded for each reorged block on chain X, and your coins comes from successful double-spends".

Another reason is that it competes with Lightning Network. If you have a sidechain, then you can send any funds anywhere, without worrying about liquidity, channel capacity, and other limitations like that. But in LN, everything has to touch the main layer, for every single user. Which also means, that when Core developers shifted their focus from sidechains into LN, then they basically stopped working on decentralized sidechains at all. And if someone can control centralized ones, and degrade the whole idea into that, then these people have no reason to support their competition, to allow someone else to run these centralized sidechains, which they created, or to allow random people to activate any kind of changes, without any control over it.

While drivechains are indeed controversial

Are they more controversial, than centralized ones? Are fully trusted sidechains better, than trusting the miners? What is more likely: that the sidechain creator, who has the same power over it, as signet creators have, will steal something, or that random miners will do the same thing? Existing centralized sidechains are like "just send me the coins, I will send them back correctly, I promise".

Anyway, if Bitcoin won't support decentralized sidechains, then altcoins will do that instead. Or: we will have only centralized ones, and they will work, until some sidechain operator will decide, that it is worth just signing a different message, and claiming all coins, and it will be compatible with all consensus rules.

It is however not merge-mined with Bitcoin

Yet another reason, why decentralized sidechains are not there: because people are afraid, that Merged Mining is bad, and it doesn't work for some reason. If done correctly, then it can work. But instead, we have a NameCoin, which made some mistakes, and anyone can just point at it, and say: "See? It doesn't work". Many altcoins were destroyed, because of poorly implemented Merged Mining, and now, a lot of people think, that it is a bad idea, because the same mining power can be redirected at something else, with no additional cost, and can be used to do some harmful things.

Has adaptive block size already been discussed for that problem?

There are BIPs for that, but they were unsuccessful: https://github.com/bitcoin/bips/blob/master/bip-0100.mediawiki