How many bitcoins are lost forever?

Bitcoin's whitepaper, which recently turned 11 years old, is so concise that the issue of coinsIt mentionsonly fleetingly:

"As soon as the total volume of money supply reaches a predetermined maximum, the only source of incentives for work on blocks will remain commissions, while getting rid ofinflation."

By examining one of the earliest copies of Bitcoin code, we can findlegendarya formula that sets a limit on the block reward. These simple lines of code set the Bitcoin supply cap at 21 million:

</p>

Little is known that the Bitcoin code base (BTC) does not contain any checks on the total offer of 21 million BTC. Instead, the system checks that each block does not require more coins.

The application of the proposal formula on the 600,000 block (dated October 19, 2019) gives us 18 million BTC:

210,000 blocks * 50 BTC + 210,000 blocks * 25 BTC + 180,000 blocks * 12.5 BTC = 18 million BTC

The community marked the location of this block asan important milestone in the issuance of Bitcoin. However, keen observers have noted that Bitcoin's supply did not actually pass the 18 million BTC mark at block 600,000. Bitcoin Core developer Peter Wulle said that the actual supply at block 600,002 was 17,999,854.82192702 BTC.

In this article, we will examine why the proposalBitcoin is lower than expected, and calculate how many coins are lost forever. We will also provide an analysis of why these coins are lost. First, we examine coins that are provably lost, and then analyze coins that are supposedly lost, but theoretically can be found.

Provenly Lost Bitcoins

First block and duplicates

Bitcoin blockchain stores “unspent”outputs »(Unspent Transaction Output, UTXO) - a set of unspent transactions (or a set of UTXO). Summing up the set of these outputs, you get the bitcoins that the full node (node) of the network sees.

The first block of bitcoin (genesis) containstransaction at 50 BTC. However, the output of this transaction at 50 BTC is not included in the UTXO set. It is still unclear whether this was an omission or was intentional. As a result, these 50 BTCs are not in the Bitcoin registry, even if they are visible in the transaction included in the blockchain.

Another oversight by the creator of bitcoin- processing of duplicate transactions. Although, at first glance, this is not possible (since they contain digital signatures and links to previous transactions, which makes them unique), nevertheless, there was the possibility of creating duplicate transactions.

Easiest to duplicateBitcoin transactions are coin-based transactions, which are the first transactions in each block and allow the miner to claim a reward for their block (the so-called coinbase transactions - hence the name of the famous Coinbase company), since they do not contain digital signatures or references to previous ones deals. This happened twice in the early history of bitcoin:

Transaction d5d2..8599 became the output of coins for block 91 812 and 91 842;
Transaction e3bf…b468 became the coin output for blocks 91,722 and 91,880.

In each case, the second time the transactionwas turned on, its outputs overwritten the previous ones. As a result, two overwritten outputs are not part of the UTXO suite. These 100 BTCs are not included in the Bitcoin blockchain.

Developer Russell O'Connor identified this as an attack vector back in 2012. By using duplicate transactions, an attacker can delete past transactions of other users from the ledger.

In response, BIP-30 was introduced in 2012,which forbade the inclusion of new duplicate transactions. However, the processing of existing duplicates has not changed, and they still remain on the blockchain to this day. Later, in 2012, BIP-34 also greatly complicated the duplication of coinbase transactions, since now they must include the height of the block of which they are a part.

Unclaimed Remuneration

The loss of coins in this category is associated with the verification of coinbase transactions by full nodes.

Bitcoin protocol requires minera valid block could credit itself a certain reward (plus commissions from transactions that are included in this block). Each node verifies that the miners are not trying to demand more than is provided. However, they do not care if the miner requires less.

Obviously, the requirement is less than the assignedreward is not a very rational behavior of the miner, but this has already happened many times. The first time this happened at block 124 724 in May 2011, and the last time - at block 564 959 (at the end of February 2019).

The most notable cases are listed in this table:

</p>

In general, this behavior was observed in 3various episodes (a total of 1221 anomalies). The following graph shows the number of blocks that did not receive full rewards, grouped into 1000 blocks:

A very intense episode was observed on block 162,000. Another, longer, occurred from 180,000 to 230,000, and the latter - about 530,000.

According to Bitcointalk user under the nicknamemidnightmagic, the first case was made specifically as a tribute to Satoshi Nakamoto at the suggestion of Bitcoin developer Matt Corallo. Other cases (given the amounts lost) are most likely due to bugs in the software used by miners to create the coin generation transaction.

Outputs OP_RETURN

There is a special type of exit inBitcoin transaction called OP_RETURN. They allow users to embed data in the blockchain (up to 80 bytes per exit at the moment) without inflating the UTXO set (these outputs are not added to the UTXO set - they are considered provably non-expendable).

Although the vast majority of such outputs are created with a value of 0 Satoshi, some are not. About 3.723039 BTCs were found that were sent to the OP_RETURN outputs, making them lost forever.

The actual offer of bitcoins

In general, we can calculate the actual offer of bitcoins in a block of 600,000, working in the opposite direction from the expected value of 18 million BTC and subtracting what is provably lost.

</p>

The figure of 17,999,817 BTC per block 600,000 is"Technically correct" idea of the offer of bitcoins. Nevertheless, we can conduct a broader analysis of the blockchain, including cases that make bitcoins practically, but not provably lost.

Alleged Lost Coins

Fictitious Addresses

Prior to standardization, there were no OP_RETURN outputsan easily accessible and provable way to burn bitcoins. In this regard, some users used "dummy addresses" that do not have a known private key.

The creation of a bitcoin address begins with the well-knownprivate key. This process makes it difficult to generate the so-called custom vanity prefixes. A user who wants to get an address with certain characters must actually “mine” private keys to find those whose address begins with the desired prefix.

In the case of dummy addresses, there is nothe desire to spend coins from such an address, so there is no need to know its private key. Therefore, a fake address can begin with any prefix (if it can be written using the Base58 alphabet). However, the last characters will be random - they are checksum to prevent typos.

Although it is not possible to compile a complete list of fake addresses, we can list a few of the best known:

</p>

Only these three addresses lost 2213,19538012 BTC.

Theoretically, these coins are not lost forever. The only known way to find the private key at a given address is a random assumption (that is, using exhaustive search). However, in practice, the likelihood that this will happen within the life of our universe is rather small.

Mistakes

Under beautiful modern interfacesBitcoin wallets hide critical pieces of code responsible for creating, signing and broadcasting transactions to the network. At present, serious errors are rarely found in them, but this was not always the case.

In November 2011, the Mt. Gox fell victim to a bug in its own software, as a result of which the exchange lost 2609.36304319 BTC.

There were other similar errors in other assets. The Parity error in ethereum was especially prominent (513 thousand ETH were lost).

Zombicoins

These are coins that did not move formany years. Since it is impossible to find out if their owners have keys or not, they are often called “zombikoins” - neither alive nor dead. With this category, we are leaving the area of quasi-confidence that these coins are truly lost.

To remain conservative in our estimates,we will only consider those coins that were last active before Bitcoin began to be traded on the first cryptoexchanges (until July 2010). The meaning is simple: people who purchased bitcoins before they could be exchanged had less incentive to securely store their wallets, since the perceived value of bitcoin (at that time) was very low.

As of 600,000 block, there were 1,496907.88000 BTC, which last showed activity before July 2010. According to various estimates, Satoshi Nakamoto owns more than half of these coins due to his status as a dominant miner at that time.

Given the price increase from 2013 to the present, either the owners of these coins are long-term holders, or they simply do not have access to these coins.

Labeled coins

The famous stolen coins are the lasta category of coins that can be considered lost or at least temporarily withdrawn from circulation. Until more advanced mixing solutions appear, it will be difficult to put them back into circulation (especially large amounts).

There have been many hacks and thefts in the history of Bitcoin, but many especially remember the theft of 80,000 BTC at MtGox in 2011 and the theft of 120,000 BTC at Bitfinex.

In March 2011, 79,956 BTC were withdrawn from the Mt. Gox and still haven't touched them. Today this is the 6th address on the rich list.