I would like to hear your thoughts on the following podcast with Justin Drake https://www.youtube.com/watch?v=o8Mg4hzJaFg, where he talks about bitcoin 51% attacks. If you haven't seen it already I highly recommend it. In addition to providing general commentary, please address any of the following items that you think are relevant: What is your assessment of the overall level of risk of a 51% attack happening in the next 10 years? Can you provide a rebuttal to the points made in the podcast, arguing in favor of bitcoin being secure? What mitigation measures could bitcoin adopt? Can you think of other risks not mentioned in the podcast? From the point of view of a bitcoin holder, how would you design a monitoring system that looks for early signs of such an attack being carried out, and possibly react to it (I'm considering setting this up myself in the future).
Justin provides a sophisticated analysis of a possible 51% attack on bitcoin.
He assumes that some entity is able to obtain 51% of hashrate and lays out a few scenarios in terms of ways they would be able to mess with the network. To be sure, most of what he is saying is true. If some entity was able to marshal that much hashrate, they would be able to impair Bitcoin significantly, and he talks about breaking Lightning, breaking WBTC, not processing deposits from exchanges etc. They would also be able to mine empty blocks and just do a DoS on Bitcoin. The one main mitigation I would see would be Bitcoin becoming a de facto proof of stake system, whereby large stakeholders (i.e. exchanges, custodians, etc) agree together to mine on a distinct chain and only “bless” that separate chain, periodically reorging out the blocks mined by the adversary. However I don’t see this as a great solution, because it’s clearly very centralizing, and the attacker still has a ton of hashrate, and you can’t exactly pinpoint their ASICs and zero them out (without changing PoW, which doesn’t really achieve much). You could in theory move to a new PoW algo but I think that should be considered an absolute last resort, because it would nuke the businesses of all the miners (assuming it goes to GPUs), and they would keep the ASIC PoW chain going anyway.
He is right that the security ratio is declining with time, although the security budget isn’t necessarily decreasing with time, in dollar terms. But the ratio only really matters if you can short bitcoin, and make the attack worthwhile. And as I explain below, that’s not really the most obvious assumption.
There’s a few specific things I disagree with:
And it’s worth noting that bitcoin mining is getting more distributed, and more connected to energy infrastructure with time. The future of mining is basically energy utilities doing it alongside their infrastructure to monetize it, and they are all pro bitcoin (naturally). They’re not going to sell or rent their hardware or infra to an attacker, since it’s against their economic interests. A good fraction of miners are public companies too, and they are obviously highly incentivized to stay in business (which means keeping the bitcoin network intact), and they are transparent. They won’t sell or lease their equipment or energy resources to an attacker.
My other views on this have to do with the motives of an attacker. I don’t see a state level attacker wanting to attack bitcoin, because the rogue states generally benefit from the existence of Bitcoin mining (see Iran, Russia, NK, etc). So I don’t see obvious political will there. It’s very costly to attack bitcoin from a consensus approach, and there’s cheaper ways to “deal with Bitcoin” if you are a nation state that hates bitcoin – namely, you simply ban it, and ban the exchanges dealing with it. That’s cheap, and basically achieves the same thing (mostly getting rid of bitcoin usage within your borders). So I don’t see why an attacker would bother to try and undermine the entire network, when they can just solve their “bitcoin problem” super cheaply.
In terms of monitoring, the approach of monitoring mining pools already exists, pioneered by James Lovejoy’s work. Coin Metrics also extended this with their Farum product (monitoring work being done by mining pools to get advance notice of any oddities or mining on shadow chains or competing chains). I’m sure other analytics providers do this too. Basically you join a mining pool and monitor the block headers that they give you, and you compare them to the other pools. A big shadow chain being mined by an attacker would be evident. So the attacker would have to solo mine their blocks to avoid detection, which means they’d need a huge amount of hashrate which they would have had to amass secretly. The other thing you’d want to monitor would be the foundries selling space to a new ASIC manufacturer that didn’t want to sell ASICs but would use them for an attack, as well as looking at the secondary market of ASICs to see if there was a huge amount of activity there. Firms like Luxor and others monitor this.
The other thing is that mining companies use the latest ASICs, which are more efficient each generation, whereas the ASICs available on the secondary market have less “bang for their buck”, as in they produce fewer hashes, so you’d need a lot more of them to compete with the state of the art ASICs. So it would be monumentally difficult to compete with the pro-bitcoin miners. Of course, if there was a massive die-off of hashrate and most of the ASICs were furloughed, then you’d worry. What matters is the share of ASICs owned by honest miners versus “mercenary” ASICs which are available on the secondary market or furloughed.
I gave a talk at MIT Bitcoin Expo in 2019 about these ideas (https://www.youtube.com/watch?v=AyOyNF-bCkA) where I talked about the stock, threshold, and flow models of security. I used to believe in the stock model (the same one Justin talks about), basically believing that as the value of bitcoin grew, the “prize” to attack it would grow (aka the value that could be extracted by attacking it, with shorting, e.g.), and so the security would have to be “proportional” to the value of Bitcoin. However, I now believe in the threshold model, because I think attacks can be defrayed relatively “cheaply” (i.e., exchanges can not honor short transactions made by an attacker), and I think the threshold of energy and hashrate required to mount an attack is so significant in real terms. So I think the real thing that protects bitcoin is the sheer real world resources required to attack it, and they are equally insurmountable at a $1t or $10t market cap (even if the security ratio is worse off). So I am also as a consequence less worried about fees (than I was in the presentation), because I am not requiring that security spend maintains a constant ratio versus market cap.
So I don’t think Justin is wildly wrong in his analysis, it’s just that it’s very theoretical and presumes an actor can amass 51% of hashrate, which I don’t think is very practical. Empirically speaking, I see great challenges to pulling this off. And I also have a hard time envisioning the motives of a sufficiently large hostile actor, when they can achieve policy objectives without attacking bitcoin consensus.
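The pool-comparison monitoring described in the answer can be sketched as follows. This is an added example, not part of the original answer and not code from Coin Metrics or James Lovejoy; it assumes the pools speak Stratum v1 (`mining.notify` jobs), and the pool names, hashes and flag names are constructed for illustration.

```python
import json
from collections import Counter

def swap_words(h):
    """Reverse the order of the eight 4-byte words of a 64-char hex hash.
    Assumption: Stratum v1 sends prevhash word-reversed relative to the usual
    display hash, so the same swap converts in both directions."""
    return "".join(reversed([h[i:i + 8] for i in range(0, 64, 8)]))

def parse_notify(line):
    """Extract the parent block and the empty-template flag from one job."""
    msg = json.loads(line)
    if msg.get("method") != "mining.notify":
        return None
    params = msg["params"]  # [job_id, prevhash, coinb1, coinb2, merkle_branch, ...]
    return {"prev": swap_words(params[1]), "empty": len(params[4]) == 0}

def assess(jobs_by_pool, public_recent):
    """jobs_by_pool: pool -> latest raw notify line. public_recent: block
    hashes seen on the public network, tip last. Returns pool -> flags."""
    parsed = ((p, parse_notify(l)) for p, l in jobs_by_pool.items())
    jobs = {p: j for p, j in parsed if j}
    if not jobs:
        return {}
    majority = Counter(j["prev"] for j in jobs.values()).most_common(1)[0][0]
    alerts = {}
    for pool, job in jobs.items():
        flags = []
        if job["prev"] not in public_recent:
            flags.append("unknown-parent")   # building on a block nobody has published
        elif job["prev"] != public_recent[-1]:
            flags.append("stale-parent")     # behind the public tip
        if job["prev"] != majority:
            flags.append("minority-parent")  # disagrees with the other pools
        if job["empty"]:
            flags.append("empty-template")   # coinbase-only block template
        if flags:
            alerts[pool] = flags
    return alerts

def make_notify(prev_display, branch):
    """Build a constructed mining.notify line (sample data, not a capture)."""
    return json.dumps({"id": None, "method": "mining.notify", "params": [
        "job1", swap_words(prev_display), "01", "02", branch,
        "20000000", "1703ffff", "65000000", True]})

# Constructed hashes: PREV and TIP are public blocks, HIDDEN was never published.
PREV, TIP, HIDDEN = ("0" * 16 + c * 48 for c in "abc")
SAMPLE = {"pool-a": make_notify(TIP, ["11" * 32]), "pool-b": make_notify(TIP, ["22" * 32]),
          "pool-c": make_notify(HIDDEN, []), "pool-d": make_notify(PREV, ["33" * 32])}

def demo():
    return assess(SAMPLE, [PREV, TIP])

if __name__ == "__main__":
    print(demo())
```

A single `empty-template` or `stale-parent` flag right after a new block is normal pool behaviour, so alert on flags that persist across several jobs rather than on one sample.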