> I don’t see how that thread debunks because it assumes a choice between one or the other. Why not both?
So imagine you broadcast OOB to antpool which has 25% of the hashrate. That gives you an estimated average confirmation time of 40 minutes
You have a 25% chance of it being mined in 10 minutes
82.2% chance of it being mined within the hour (1-(1-0.25)^6 = 82.2)
However it could take longer than this. 96.8% chance of it being mined in 2 hours
This vs paying a high enough fee to ensure it gets in the next block.
Imagine OOB was 25% cheaper than CPFP. Would you wait longer than usual for your transaction to be mined or pay 25% more to ensure it gets in the next block? Also, if it doesn't get in within the hour, would you pay 1.5x the original cost to send it to another miner?
It seems rational actors will choose just to broadcast.
Also, in practicality, it likely wouldn't be 25% cheaper because every single OOB tx acceleration option I've seen has been substantially more expensive than just doing CPFP. Pools want to charge a premium for this service.
> I’m not concerned with P2P trading, with primary origination on-chain, or with secondary trading off-chain that happens independently of miners. I think the issue is secondary trading of options directly on chain.
> You can use this to trade options, make atomic swaps, etc.
I suspect you're referring to "decentralized options" from the utxos.org/uses/options page
To clarify, an atomic swap is a purely peer-to-peer contract
And the option contract described on the page is also peer-to-peer.
So it would not be possible for secondary trading of options directly on-chain, unless you knew the counterparties you wanted to trade with ahead of time
You would need to pre-define potential change of ownership of the sell or buy side of the contract, and specify the participants that could take the contract off your hands ahead of time, which leaves no opportunity for MEV
> I think you would need to show that all AMMs must have a fundamental marketplace or contractual state that cannot be modeled by Sapio. It seems to me that if there is any possibility that there could be any secondary on-chain trading, then we can’t rule out the potential for time-based centralizing MEV through arbitrage, front-running, etc.
The key thing with CTV, is you commit to ALL inputs, and ALL outputs
Which means all participants in a CTV commitment or string of CTV commitments, need to be known ahead of time.
By definition, an AMM needs to allow anyone to participate to take trades in either direction
Not to mention, AMM doesn't work for Runes or BRC20 tokens
There's a proposal for AMMs to work with new OP_CAT tokens, but this doesn't apply at all to CTV: https://x.com/rot13maxi/status/1833667750469804315
So in this regard CTV is extremely safe. It only enables use cases that are peer-to-peer or known-parties-to-known-parties
> MEV already exists elsewhere.
Actually with the point above that you need to specify all the parties ahead of time, I don't think MEV is a concern at all actually
If you can give me a counter-example regarding MEV I'm happy to reconsider
MEV is a concern with runes, because someone can snipe a rune in the mempool when it's being bought
But if you lock into a CTV covenant, only parties specified ahead of time in the CTV commitment can "snipe" or front-run something
➡️ “It seems rational actors will choose just to broadcast. […] Acceleration options are more expensive.”
That’s true, but I think you’re conflating two services. Well, technically, there are three services (fast, regular, and slow). “Fast” would be an acceleration service for those who want faster transactions and willing to pay for speed. Regular would be the normal CPFP transaction. “Slow” would be a cheaper, slower service for those who don’t want to pay higher CPFP fees and are willing to wait.
A rational miner would offer a cheaper solution to obtain additional revenue not otherwise available. To them, it would be an option, one they could fulfill if they wanted. A rational user may be willing to wait longer for a solution that is cheaper than the default option if their transaction is not time sensitive.
➡️ “So it would not be possible for secondary trading of options directly on-chain, unless you knew the counterparties you wanted to trade with ahead of time.”
What if there was a registration step where traders sent the coordinator or AMM a small amount to register their address, and the contracts published the next day by the AMM would include these registered addresses?
I’m not particularly clever and I can see simplistic ways it might be accomplished. If I’ve learned anything in this space it’s that people are incredibly resourceful, and will find a way if the incentives are high enough.
> That’s true, but I think you’re conflating two services. Well, technically, there are three services (fast, regular, and slow). “Fast” would be an acceleration service for those who want faster transactions and willing to pay for speed. Regular would be the normal CPFP transaction. “Slow” would be a cheaper, slower service for those who don’t want to pay higher CPFP fees and are willing to wait.
Very fair point. However if folks are okay with “slow”, what’s the likelihood they’re also okay with just waiting for lower feerates for their tx to be confirmed in the first place?
> What if there was a registration step where traders sent the coordinator or AMM a small amount to register their address, and the contracts published the next day by the AMM would include these registered addresses?
AMMs are not possible with CTV only, because there is not sufficient transaction introspection to achieve this (aka you can’t look back at previous txs which is necessary to have the price update in an AMM).
Registration step with a coordinator is technically plausible, but in practice it’s computationally infeasible.
With CTV you need to pre-calculate all the possibility trees ahead of time.
For example, imagine you had 1 million addresses registered. You’re about to create an options contract that you want to be able to sell to any of the 1 million. So you need to precompute 1 million possibilities. Now imagine you want to allow that million to be able to also sell to any of the million registered as well. Well now you need to compute 1 million times 1 million combinations within your taproot tree script. Oh and if you want that 3rd sale to be able to sell to anyone, you need to do it again, creating infinite possibilities to compute.
On top of that, you’d need to also compute all the possible prices of the contract as well. For example dependent on the market price, it could sell for 0.01, 0.011, 0.012, 0.013 etc, etc. You’d typically have 100 possibilities for 0 to 0.1. To handle up to 1 BTC option price you’d need to compute an additional 1000 possibilities. So multiply all the previous million by another 1000 dependent on your price granularity.
So yea, you might be able to construct a transaction that is one time MEVable, but it can’t be continuously sold without infinite compute power. Additionally I highly doubt an on-chain market would ever form due to these restrictions
(Not to mention we haven’t even gotten into free option problem, since block confirmations take so long, that the potential for someone to RBF while they’re waiting for the block to confirm and they see the price move in the opposite direction makes these contracts infeasible in the first place)
➡️ “Very fair point. However if folks are okay with “slow”, what’s the likelihood they’re also okay with just waiting for lower feerates for their tx to be confirmed in the first place?”
They might be, but you’ll recall that this was the risk that Peter had identified in his paper — paying for cheaper transactions. My point was that Peter had overlooked the other case, specifically the risk that CTV could motivate people to pay for faster transactions. I believe both of these cases are risks and I don’t know for certain what the magnitude is (and I don’t believe anyone can know for certain — because our assumptions are based on the past and not what people might invent in the future).
➡️ “AMMs are not possible with CTV only, because there is not sufficient transaction introspection to achieve this (aka you can’t look back at previous txs which is necessary to have the price update in an AMM).”
I could imagine that this could be solved by the coordinator frequently reissuing the contracts with the current value.
Another possibility is to somehow link specific UTXOs in chains to track state. This is abstract; hope you understand what I mean.
Reissuing the contracts frequently or creating chains of UTXOs might also address your other point on the need to recalculate the contract for all the registered addresses. Creating more contract instances may reduce the complexity of trying to cram everything into one contract.
I recognize that republishing the contracts frequently would slow down trading, but again, this is me brainstorming for five minutes. Since it’s technically possible, it becomes an optimization problem. How do we know some clever person won’t solve it?
I understand your point that it looks infeasible and doubtful that a meaningful on-chain market could arise. But I recognize that this view is based on assumptions of past events, current technology, and current maturation of the bitcoin network. I don’t think we can look at it like this. We have to think about the future — the long and unknown future. Once these protocol changes are in, we can’t easily pull them out.
I believe that if something is technically possible, a sufficiently motivated person will eventually find a way. We can’t assume that it will never happen just because it seems infeasible today.
From another thread, but additional details on why I believe we should be conservative:
nostr:note1r4tjlj5yfmpu5rkq8n8f7k3t576gaut40uf7l3yk3kwamtzcu3pq004sjk
> My point was that Peter had overlooked the other case, specifically the risk that CTV could motivate people to pay for faster transactions.
Why would CTV motivate people to pay for faster transactions more than any other normal transaction? I don't see how it would create more motivation for paying OOB for faster transactions than lightning or on-chain payments.
> and I don’t believe anyone can know for certain — because our assumptions are based on the past and not what people might invent in the future
CTV has been pretty well researched over the past 4 years since it's inception. It's gone through several iterations to make it safer. In fact there's been way more scrutiny and edge cases researched for CTV than was ever done with Taproot.
> I could imagine that this could be solved by the coordinator frequently reissuing the contracts with the current value.
The key thing here, is you can't exit the contract if your counterparty is offline. So once the DLC options contract is created, unless you've pre-signed for all the possibilities ahead of time, if your counterparty goes offline, then you can't exit, and you have to hold to expiry.
You could have dedicated market makers that take the other side of contracts, but that means the market maker can't exit if their counterparty goes offline, making this process very capital inefficient (not to mention you can't do portfolio margining obviously, since risk is defined within the DLC contract itself).
So unless you have all those pre-signed outcomes, you won't have secondary markets. But you won't have secondary markets without infinite compute.
So as much as I would like that use case to work, CTV just doesn't enable it.
CAT on the other hand would enable it, since you can commit to specific inputs and outputs, whereas with CTV you must commit to ALL inputs and outputs.
This is why CTV is actually incredibly conservative. At face value things that you think are possible, aren't actually possible. It's a very restrictive covenant scheme.
➡️ “Why would CTV motivate people to pay for faster transactions more than any other normal transaction?”
It appears that it might be possible for CTV to create on-chain AMM-style marketplaces. On chain marketplaces create arbitrage opportunities which motivate people to pay for faster transactions:
https://www.coindesk.com/opinion/2024/07/09/mev-has-spread-to-bitcoin-in-subtler-forms-than-on-ethereum/
➡️ “CTV has been pretty well researched over the past 4 years since its inception.”
Please show me where the non-technical risks were discussed. I haven’t been able to find anything other than Peter identifying the risk of cheaper OOB payments.
➡️ “The key thing here, is you can't exit the contract if your counterparty is offline. So once the DLC options contract is created[…]”
It looks like you’re now referring to DLC contracts. We were previously discussing AMM style marketplaces.
You raised the issues of how the parties could be known. I suggested that a preregistration step might work.
You raised the issue whether the prices could be known. I suggested that perhaps specific UTXOs could represent points on the hyperbolic constant product curve (x * y = k) that’s used in AMM marketplaces.
You haven’t yet shown me why it’s impossible to create AMM style marketplaces using CTV.
> It appears that it might be possible for CTV to create on-chain AMM-style marketplaces. On chain marketplaces create arbitrage opportunities which motivate people to pay for faster transactions:
That article doesn't mention AMMs at all. It mentioned inscription marketplaces, like Magic Eden, which is running today, where you need to construct a PSBT to create an "ask" for a Rune (you can't even do bids). They were talking about that creating some MEV.
> Please show me where the non-technical risks were discussed. I haven’t been able to find anything other than Peter identifying the risk of cheaper OOB payments.
Great question. Let's see what folks say:
https://x.com/matthewjablack/status/1838340344607355010
utxos.org is obviously a great resource. And mailing list for previous iterations of CTV
OpTech had some things to say: https://utxos.org/analysis/optech/
> We were previously discussing AMM style marketplaces.
AMM style marketplaces can't be built with CTV.
> I suggested that perhaps specific UTXOs could represent points on the hyperbolic constant product curve (x * y = k) that’s used in AMM marketplaces.
You can't do transaction introspection with CTV, so this isn't possible
> You haven’t yet shown me why it’s impossible to create AMM style marketplaces using CTV.
You haven't shown me how you can!
First of all, you need to do multiplication to do x * y = k. You don't have OP_MUL in Bitcoin script since it was disabled back in 2010 by Satoshi. You can emulate OP_MUL using CAT in order 1400 bytes. But you cannot emulate it with just CTV.
Bitmatrix ran into this problem when they were building an AMM on Liquid. They were able to get MUL working using OP_SUBSTR and OP_CAT:
https://medium.com/bit-matrix/technical-how-does-bitmatrix-v1-multiply-two-integers-in-the-absence-of-op-mul-a58b7a3794a3
However CTV doesn't enable MUL in any capacity. You cannot create an AMM if you cannot calculate the price after a swap occurs.
➡️ “That article doesn't mention AMMs at all.”
The term “AMM” appears 19 times in that article. 🤷♂️
➡️ “You can't do transaction introspection with CTV, so this isn't possible”
You don’t need introspection if the addresses are preregistered. Scanning the address will list all the UTXOs. Once you know the UTXOs then you also know the amounts.
➡️ “First of all, you need to do multiplication to do x * y = k.”
No, you don’t need multiplication if you can determine the product in another way. You might be able to create a state machine through a chain of predefined UTXOs that represent the AMM’s balance ratio.
Specifically, I’m suggesting to model the AMM's pricing curve through output UTXOs. Each UTXO represents a specific state of the liquidity pool at a point on the curve, with predefined balances of Bitcoin and tokens.
Trades are executed by consuming a state UTXO and creating a new one corresponding to the next state along the curve, effectively moving the liquidity pool's balances according to the AMM's pricing function.
CTV would enforce that only valid state transitions can occur by committing to specific transaction templates. If input A and input B, then move to point on the curve #1. But if input A and input C, then move to point #2. You’re determining the product based on the inputs provided. It has the same effect as multiplication, just doesn’t require computation or introspection.
➡️ “Great question. Let's see what folks say”
Looks like nobody responded with any information showing the non-technical risks were considered. I still haven’t seen anything either. It’s on the proponents to show safety. It would be negligent to not fully consider all risks.
> The term “AMM” appears 19 times in that article. 🤷♂️
It doesn't talk about AMMs in relation to CTV creating on-chain AMM-style marketplaces
> You don’t need introspection if the addresses are preregistered. Scanning the address will list all the UTXOs. Once you know the UTXOs then you also know the amounts.
The need for introspection relates to needing to look at the previous price of the AMM, to determine what the new price should be. It doesn't matter who previously did a trade for calculating the price, just that someone did, and you can verify that someone did.
> No, you don’t need multiplication if you can determine the product in another way. You might be able to create a state machine through a chain of predefined UTXOs that represent the AMM’s balance ratio.
I'm not sure how exactly this would be done, but even if it were possible to validate or invalidate certain pathways, you would still need a ridiculous amount of compute for this. CTV commit to all inputs and outputs, so you need to compute for all the possible prices for all the possible participants ahead of time.
You run into the infinite compute problem again
The key thing with CTV, is all possible states must be known ahead of time. So AMM with price x and pool of a,b,c,d....z users
All that must be precomputed. It's virtually impossible to precompute all the possible states of an AMM ahead of time.
This is specifically because you're committing to ALL inputs and outputs. If it was only committing to a subset of inputs and outputs, then you wouldn't need to precompute all the possible states ahead of time.
> CTV would enforce that only valid state transitions can occur by committing to specific transaction templates. If input A and input B, then move to point on the curve #1. But if input A and input C, then move to point #2. You’re determining the product based on the inputs provided. It has the same effect as multiplication, just doesn’t require computation or introspection.
This is an oversimplification of all the possible states. Also there isn't a good way to add funds to the AMM. You'd need to calculate all the possible states ahead of time when folks first add funds. And you'd also have to precompute anyone on the registrar that could add funds, for any amount. You'd also need to precompute anyone being able to withdraw funds from the AMM for any amount ahead of time too.
Like the number of states you need to precompute, makes the entire thing impossible.
> Looks like nobody responded with any information showing the non-technical risks were considered. I still haven’t seen anything either. It’s on the proponents to show safety. It would be negligent to not fully consider all risks.
Yea ended up getting limited visibility on that post. The main resources I've seen have been on mailing lists. But many of them were also for old versions of CTV.
The BIP119 PR is probably the best resource for risks discussed:
https://github.com/bitcoin/bitcoin/pull/21702
For example:
- https://github.com/bitcoin/bitcoin/pull/21702#issuecomment-825557354
- https://github.com/bitcoin/bitcoin/pull/21702#issuecomment-1106795814
- https://github.com/bitcoin/bitcoin/pull/21702#issuecomment-1107666137
- https://github.com/bitcoin/bitcoin/pull/21702#issuecomment-1129462467
- https://github.com/bitcoin/bitcoin/pull/21702#issuecomment-1335764227
Most of these concerns seem to be related to getting consensus on the change or confusion about the change, and I think one concern is related to complexity (raised by John).
➡️ “It doesn't talk about AMMs in relation to CTV creating on-chain AMM-style marketplaces”
Of course not. It was explaining how AMM marketplaces create centralizing MEV.
➡️ “The need for introspection relates to needing to look at the previous price of the AMM, to determine what the new price should be.”
I explained how you might create a state machine using output UTXOs to model the AMM pricing curve. If you don’t understand the concept, you could ask an AI to explain it to you.
➡️ “I'm not sure how exactly this would be done, but even if it were possible to validate or invalidate certain pathways, you would still need a ridiculous amount of compute for this.”
You don’t fully understand the concept so you assume it must take “ridiculous” compute.
I showed how it might be possible, but it may or not be feasible. I don’t know and neither do you. The point is that nobody knows for sure and it’s likely that nobody has looked into it either.
I don’t need to prove it’s safe. The people advocating for the feature do.
➡️ The BIP119 PR is probably the best resource for risks discussed
I reviewed the links you sent. I didn’t see any analysis of non-technical risks. If I missed anything, please forward it to me.
You seem like a well-read person on the topic and you can’t seem to refer me to anyone who’s done a non-technical risk assessment.
I guess we can leave it there unless you want to discuss anything further.
Oddbean new post about login | logout