How many Bitcoins have been provably lost? At least ...

[DeathAndTaxes]

In validating a UTXO parser I started looking at various outputs which are provably unspendable.  As of block #305303 2,745.22283996 BTC have been provably lost.  The total number of coins lost is higher potentially much higher but most of those losses can't be proven.   Funds sent to outputs that can never be redeemed can be provably shown to be lost.

Code:

Category       NumOutputs    AmountLost
-----------------------------------------
BugOpFalse            23   2,609.36304319
BugP2Pool            182       0.60280235
BugInvalidOpcode      14       0.04520008
BugInvalidPubKey  17,112       0.00242288
BugParseError          1       0.00040000
ZeroValue *        3,080       0.00000000
MissingFromUTXO **   ---     135.20897146
-----------------------------------------
Total             20,412   2,745.22283996 BTC

* Zero value unprunable outputs are not invalid outputs but they are undesirable.  I was surprised to see there are over three thousand in the UTXO.  In the future the creation of new zero value outputs (with the exception of the prunable OP_RETURN) could be made invalid and potentially even these outputs pruned off by a hard fork.

** As of block 305,303 the coin supply is limited to 12,882,575 BTC.   This is based on the max subsidy per block and the block height.  However the UTXO (set of all unspent outputs) is only 12,882,439.79102854 BTC.  Some of the difference may be due to OP_RETURN outputs (which are unspendable by protocol) having a value set.  This could be accidental or intentional.  Another source of lost coins is due to miners taking less than the maximum block reward which in effect "de-mines" an amount of coins equal to the difference between the allowed reward and the taken reward.

[newIndia]

In validating a UTXO parser I started looking at various outputs which are provably unspendable.  As of block #305303 2,745.22283996 BTC have been provably lost.  The total number of coins lost is higher potentially much higher but most of those losses can't be proven.   Funds sent to outputs that can never be redeemed can be provably shown to be lost.

Code:

Category       NumOutputs    AmountLost
-----------------------------------------
BugOpFalse            23   2,609.36304319
BugP2Pool            182       0.60280235
BugInvalidOpcode      14       0.04520008
BugInvalidPubKey  17,112       0.00242288
BugParseError          1       0.00040000
ZeroValue *        3,080       0.00000000
MissingFromUTXO **   ---     135.20897146
-----------------------------------------
Total             20,412   2,745.22283996 BTC

* Zero value unprunable outputs are not invalid outputs but they are undesirable.  I was surprised to see there are over three thousand in the UTXO.  In the future the creation of new zero value outputs (with the exception of the prunable OP_RETURN) could be made invalid and potentially even these outputs pruned off by a hard fork.

** As of block 305,303 the coin supply is limited to 12,882,575 BTC.   This is based on the max subsidy per block and the block height.  However the UTXO (set of all unspent outputs) is only 12,882,439.79102854 BTC.  Some of the difference may be due to OP_RETURN outputs (which are unspendable by protocol) having a value set.  This could be accidental or intentional.  Another source of lost coins is due to miners taking less than the maximum block reward which in effect "de-mines" an amount of coins equal to the difference between the allowed reward and the taken reward.

How is this happening ? Is not the reward scheme in the protocol ? Does a miner have choice for his reward ?

[Taras]

I'd like to know whether or not the bitcoins sent to nonexistent public keys should be left lost forever or somehow put back into the ecosystem via increasing the block reward a little bit until they have all been restored (and preventing future coin destruction).

Provably purging coins from the economy may have its advantages, though. Satoshi could send his coins to nowhere, and if bitcoin is ever illegal and the government possesses any of it they can do what they do with ivory: make it stop existing from their vaults.

This is still a pretty dangerous part of bitcoin, because all of these losses have been from faulty coding on the sender's behalf. This loss could have been prevented.

[justusranvier]

increasing the block reward a little bit

No.

[cinnamon_carter]

just because coins are unredeemed does not mean they don't belong to anyone and no one has the right to take those coins.

anyone who mined btc with such care can import those keys anytime they like (unless they died in an accident )

I'd like to know whether or not the bitcoins sent to nonexistent public keys should be left lost forever or somehow put back into the ecosystem via increasing the block reward a little bit until they have all been restored (and preventing future coin destruction).

Provably purging coins from the economy may have its advantages, though. Satoshi could send his coins to nowhere, and if bitcoin is ever illegal and the government possesses any of it they can do what they do with ivory: make it stop existing from their vaults.

This is still a pretty dangerous part of bitcoin, because all of these losses have been from faulty coding on the sender's behalf. This loss could have been prevented.

[BurtW]

I'd like to know whether or not the bitcoins sent to nonexistent public keys should be left lost forever or somehow put back into the ecosystem via increasing the block reward a little bit until they have all been restored (and preventing future coin destruction).

Please find one of the thousands of threads discussing the topic you brought up (modifying the protocol).  This thread is only for discussing those coins that are provably lost.

[DeathAndTaxes]

just because coins are unredeemed does not mean they don't belong to anyone and no one has the right to take those coins.

I don't advocate reclaiming outputs but to be clear the ones I identified are invalid.  They will never be spent by anyone no matter how much time passes.  They are zombie coins, they remain unspent but also can never be spent and thus can never be pruned from the blockchain.

[BurtW]

Back on topic.  D&T are you asking us to supply other known amounts?  If so you should add the 1.8252962 at https://blockchain.info/address/1BitcoinEaterAddressDontSendf59kuE

[justusranvier]

Back on topic.  D&T are you asking us to supply other known amounts?  If so you should add the 1.8252962 at https://blockchain.info/address/1BitcoinEaterAddressDontSendf59kuE

A general purpose quantum computer might someday find a private key whose public key corresponds to that address.

[BurtW]

Back on topic.  D&T are you asking us to supply other known amounts?  If so you should add the 1.8252962 at https://blockchain.info/address/1BitcoinEaterAddressDontSendf59kuE

A general purpose quantum computer might someday find a private key whose public key corresponds to that address.

No, it won't.

[justusranvier]

No, it won't.

Do we know for certain that Bitcoin's address hash function will never be susceptible to GPQC?

[BurtW]

No, it won't.

Do we know for certain that Bitcoin's address hash function will never be susceptible to GPQC?

Yes, this has been discussed many, many times.

QC will not help you go from Bitcoin address to public key at all.

If you had the public key then it might help you go from public key to private key, maybe.

[CEG5952]

just because coins are unredeemed does not mean they don't belong to anyone and no one has the right to take those coins.

I don't advocate reclaiming outputs but to be clear the ones I identified are invalid.  They will never be spent by anyone no matter how much time passes.  They are zombie coins, they remain unspent but also can never be spent and thus can never be pruned from the blockchain.

Can you point me to some resources about this? Still a bit of a newbie in this regard. What makes an output provably invalid?

[justusranvier]

QC will not help you go from Bitcoin address to public key at all.

Grover's algorithm helps some, but currently isn't enough.

Currently-unknown weaknesses in SHA and/or RIPEMD might close the gap someday.

On the other hand, invalid scripts will always be invalid.

[BurtW]

QC will not help you go from Bitcoin address to public key at all.

Grover's algorithm helps some, but currently isn't enough.

Currently-unknown weaknesses in SHA and/or RIPEMD might close the gap someday.

On the other hand, invalid scripts will always be invalid.

OK, fine.

Also, all of the 0.00000001 BTC outputs from this address: 

https://blockchain.info/address/1EtchrGAQGeVbqDRssTTLeYJxWSeYAyaiw

fall into the BurtW says never, jutusranvier says maybe with QC category.

[justusranvier]

fall into the BurtW says never, jutusranvier says maybe with QC category.

I say "probably never."

[Beliathon]

Who cares? "Lost" wealth in BTC is the same as wealth donated to every other holder of BTC in the exact proportion of their holdings. It's a self-resolving non-issue.

[BurtW]

Who cares? "Lost" wealth in BTC is the same as wealth donated to every other holder of BTC in the exact proportion of their holdings. It's a self-resolving non-issue.

I care.

[zimmah]

Back on topic.  D&T are you asking us to supply other known amounts?  If so you should add the 1.8252962 at https://blockchain.info/address/1BitcoinEaterAddressDontSendf59kuE

Apart from having a funny name, what makes this address so special? It is a valid address isn't it?

So theoretically it could someday be mined, even if it is after several generations?

[BurtW]

Back on topic.  D&T are you asking us to supply other known amounts?  If so you should add the 1.8252962 at https://blockchain.info/address/1BitcoinEaterAddressDontSendf59kuE

Apart from having a funny name, what makes this address so special? It is a valid address isn't it?

So theoretically it could someday be mined, even if it is after several generations?

Mined? What? Do you mean cracked?  Bitcoin mining has nothing to do with keypairs or Bitcoin addresses.

It is a valid Bitcoin address in that it has a valid checksum and it uses valid characters, that is it.  None of the keypairs that map to this Bitcoin address were ever generated or known and, I argue, will ever be known.