Special thanks to those who helped me get up to speed: Casey Rodarmor, Rijndael, an unnamed bitcoin developer

The purpose of bitcoin transactions has been a topic of longstanding debate since the formative days of bitcoin. Is bitcoin primarily for financial transactions, or should bitcoin instead be a secure, distributed data store for everything from app data to domain names? This controversy has been quiet for years based on a careful compromise that I will describe, however a design quirk of taproot has allowed a new NFT protocol called Ordinals to emerge that upends prior limits. Here, I will describe the early debate of what constitutes a “legitimate” bitcoin transaction, the negotiated limits established with OP_RETURN, and how SegWit and Taproot allowed Ordinals’ Inscriptions to end run these limits. This is an area of emerging controversy within bitcoin and my goal is to lay out the diverging points of view and put them in historic context.

dennis @pourteaux

I recently wrote a message that will forever be included in the #bitcoin blockchain. This got more attention than I expected, so I decided to dive into this controversial and misunderstood function of bitcoin called op_return. Here's what a learned: a thread 🧵 (1/23)

11:34 PM ∙ Feb 16, 2021

---

168Likes40Retweets

In 2010, there was a fierce debate on Bitcoin Talk over a proposal to support a DNS service on bitcoin called BitDNS. This proposal advocated for website domain names to be hosted on bitcoin and thereby benefit from its decentralized trustlessness and permissionlessness. However there was concern (including from Satoshi) that this would bloat the bitcoin blockchain, making it harder to do things like verify financial transactions, which were argued to be the primary (or only?) usecase for bitcoin:

“Piling every proof-of-work quorum system in the world into one dataset doesn’t scale. Bitcoin and BitDNS can be used separately. Users shouldn’t have to download all of both to use one or the other.” - Satoshi (Dec. 2010)

Interestingly, Satoshi didn’t argue that alternative blockchains supporting non-financial uses shouldn’t exist (an implicit acceptance of “altcoins”), he just argued that they shouldn’t be on bitcoin. Bitcoin, according to this perspective, should primarily be focused on financial transactions and trying to do all use cases on a technology that fundamentally doesn’t scale (like a blockchain) would crowd out the financial uses that bitcoin was intended for. And that’s what happened: BitDNS eventually found a home on a separate blockchain called Namecoin. And, this was to the benefit of bitcoiners today, who would otherwise be stuck downloading all the data of an ultimately failed DNS experiment whenever they tried to sync a new full node had BitDNS been built on bitcoin.

Yet the debate endured: should bitcoin’s ledger (1) be reserved for recording financial transactions only, or (2) be a secure, distributed data store for any potential application. Option 1 is more sustainable as bitcoin grows to be a global financial network given that blockchains inherently don’t scale. Option 2 allows for more experimentation that could grow the bitcoin ecosystem in the near term and provide miners with revenue that will be necessary as the block subsidy shrinks.

Neither of these points of view emerged the winner, and instead a compromise was reached. In May 2014, Bitcoin Core (the primary reference software of bitcoin nodes) enabled extremely short (80 bytes) messages in a function called OP_RETURN. This was a sufficient size to, for example, store hashes linked to an external service but forced these services to use bitcoin block space efficiently. And significantly, the messages stored on OP_RETURN were “prunable,” meaning that while they must be downloaded by every full node, the bitcoin software recognizes them as dead ends (as they are unspendable) and thus don’t need to be held in the memory of a bitcoin node.

From 2018 to 2019, approximately 20% of all bitcoin transactions were OP_RETURN transactions. These transactions were for things like Omni (the basis for the early Tether stablecoin), Counterparty (the early NFT protocol used for Rare Pepes), and Veriblock (an altcoin that settles on bitcoin). Each of these relied on OP_RETURN to function, and bitcoin fees were quite high during this time due to their popularity. As before, proponents of these OP_RETURN apps asserted that high fees are good: it raises demand for bitcoin blockspace and pays miners to secure the network. Opponents argued that they crowd out bitcoin’s intended financial transactions.

Veriblock, Omni, and Counterparty met a similar fate to BitDNS: they have fallen out of use and likewise OP_RETURN use itself has collapsed. Even Rare Pepes are now wrapped onto Ethereum. Despite this collapse, Veriblock and Omni added about 10GB to the bitcoin blockchain in 32 million transactions that all bitcoin nodes have to download forever. Thankfully, these transactions are at least prunable so there isn’t a memory cost given they aren’t part of bitcoin’s UTXO set.

This brings us up to the present moment: OP_RETURN is hardly used (except when I write haikus or make protest statements), bitcoin blocks aren’t often full, and block space is cheap. Yet, this may be on the verge of being upended, as a design quirk of Taproot (a 2021 bitcoin upgrade) unwittingly has allowed limitless bitcoin data storage short the block size limit without using OP_RETURN at all. This has been codified into a new NFT protocol on bitcoin, called Ordinals.

Share

Ordinals work by individually tracking single satoshis (the smallest unit of a bitcoin) and repurposing these as NFTs. In reality, satoshis are fungible, but “Ordinal Theory” is a convention by which to consistently follow these fungible units such that those who opt-into this convention can ascribe non-fungible features to them. This can be a hard idea to wrap your head around at first, but it is similar to an accounting standard in personal finance. Say, for example, that I bought Disney stock over several years at many different prices. Then, I decide I want to sell one unit of Disney stock, and have to determine which entry price to use in order to calculate the gains I made on the sale. Which entry price do I use? Well, there is no way to differentiate the different units of Disney stock that I bought since they are all identical, but I can opt-into an accounting standard like LIFO (“Last In, First Out”) where the unit sold is assumed to be the last one that I bought. Similarly, Ordinals uses a FIFO (“First In, First Out”) system to track individual satoshis in a way that is consistent for those who wish to participate in this system, but without compromising the true fungibility of these Satoshis for everyone else.

I personally find this way of making NFTs (called “Inscriptions”) out of individual satoshis quite elegant, as it threads the needle of allowing features of a non-fungible token without compromising the true fungibility that is fundamental to bitcoin’s design. And, these NFTs get all the benefits of bitcoin’s blockchain (it’s immutability, it’s security, it’s decentralization) and doesn’t require any changes to the bitcoin protocol. You can send one of these NFTs to an existing bitcoin address today. There are challenges, however, as existing bitcoin software does not observe “Ordinal Theory,” and thus satoshis that you have ascribed individual value to might be accidentally spent as a transaction fee or sent as a payment. Thus, there is Ordinal specific software that allows you to track these individual satoshis so they aren't spent accidentally.

From what I can tell, this component of the architecture of Ordinals isn’t controversial at all. In fact, I find it quite exciting as I am a long time bitcoiner who also enjoys NFTs and believe that NFTs are one of the few areas in crypto to have achieved a durable product-market fit. I’ve spent a lot of time experimenting with other NFT and token proposals on bitcoin (like Counterparty and Omni) and have found them clunky, inefficient, and frankly deprecated as they are so poorly maintained.

The part of Ordinals which is sure to garner controversy and debate within bitcoin is how the NFTs are stored as Inscriptions.

NFTs on Ordinals (“Inscriptions”) are stored entirely on-chain. Looking at NFTs broadly (like on Ethereum), this is often considered a positive attribute, as the “art” is truly stored in a decentralized manner and isn’t just pointing to a jpg on a centralized server that can be changed on a whim. Thus, many of the most acclaimed NFT projects on Ethereum (like CryptoPunks) truly store the jpg on Ethereum (rather than “the cloud”) so that the jpg is as secure and censorship resistant as Ethereum itself.

However, the size limit of OP_RETURN was intended to limit the ability to store non-financial data on bitcoin. This limitation was set to 80 bytes—essentially, a short string of text. Yet, Ordinals was only launched on bitcoin mainnet a few days ago and already people are storing not just images, but short videos and even a pdf of Satoshi’s white paper on bitcoin’s blockchain. To reiterate, these aren’t links to the white paper or a video, the actual white paper and videos are permanent parts of the bitcoin blockchain that must be downloaded by all full nodes. How are Ordinals able to store such large files on the bitcoin blockchain despite OP_RETURN limits?

Ordinals take advantage of the recent Taproot upgrade to bitcoin to store the NFT data in Taproot script-path spend scripts. SegWit relaxed the limits on witness (signature) data sizes and Taproot made it easier to store arbitrary witness data in a bitcoin transaction, allowing Ordinals developer Casey Rodarmor to repurpose old opcodes (OP_FALSE, OP_IF, OP_PUSH) into what he describes as “envelopes” to store arbitrary data for NFTs called Inscriptions. Of course, that wasn’t the intention of the Taproot or SegWit upgrades, which made it easer to store data, and relaxed this limit on witness data sizes to allow for future bitcoin contract functionality.

The end result is that there is effectively no limit short of the blocksize on what can be stored on the bitcoin blockchain using this method (thankfully, like OP_RETURN, Inscription transactions can still be pruned). In other words, it is possible to make an Inscription transaction that takes up an entire 4MB block if you broadcast such a transaction to a miner (in practice, Bitcoin Core limits this size to 400,000 bytes). Yet even considering this smaller 400,000 size limit for an Ordinals transaction, such a size is still five thousand times the size of the OP_RETURN limit that was the source of all the controversy back in 2014. While this was possible with SegWit, it is much easier with Taproot given that you can store the arbitrary data in one linear segment in the Witness section. These combine to remove any technical limit short of blocksize for data storage on bitcoin: if it can fit into a block, it can be a bitcoin transaction.

Is this good or bad? I’m not nearly smart enough to answer that question, but I’ve spoken to spirited advocates and opponents to using bitcoin this way. Before diving into their diverging perspectives, I can say that both basically agree on a couple points:

1. Using tapscript to store arbitrary data was not the intention of the Taproot developers

2. There probably isn’t anything that can be done to limit this use of tapscript

In defense of Ordinals and Inscriptions, NFTs are fun. NFTs are an OG bitcoin concept from the days of colored coins, yet due to bitcoin’s design constraints, most NFT activity has moved to Ethereum. There are a lot of reasons for bitcoiners to wish that NFTs were on bitcoin, the foremost of which is that bitcoin needs fees to survive long term. Bitcoin miners are currently paid a subsidy to maintain the network, but that subsidy is decreasing with each halvening and at a certain point the bitcoin network will need to be able to survive only on transaction fees. Inscriptions and NFTs compete for limited blockspace, and thus generate fees to pay miners and help make the bitcoin network sustainable. Even a single Ethereum app like Uniswap generates more fees today then the entire Bitcoin network, so perhaps we should open bitcoin to apps of its own that allow for sustainable fee-based security. Furthermore, bitcoin is permissionless. Who is to judge which transactions are legitimate and which are illegitimate as long as the fee is paid to be included in a block? Just like no one should be able to say whether a financial transaction I make on bitcoin is “illegitimate,” likewise no one should be able to say it’s illegitimate to make a non-financial bitcoin transaction that happens to mint an NFT.

The other side of this argument is that bitcoin blockspace, though cheap today, is already extremely constrained when forecasting bitcoin as a future global financial network. The bitcoin base layer already couldn’t support even a single transaction for every human (say, for example, for each individual to open their own lightning channel), let alone expand to every possible non-financial use case too. Thus, non-financial uses of bitcoin blockspace could crowd out “legitimate” financial transactions. Bitcoin is a peer-to-peer cash system, and as such, its primary objective is to mediate financial transactions. Skeptics of Ordinals and Inscriptions also point to more efficient methods for tokenization on bitcoin, like the forthcoming Taro (also enabled by Taproot) and assert that Ordinals are a misuse of tapscript that breaks the spirit of the OP_RETURN compromise for on-chain data storage. Should entire blocks be taken up with witness data for an Inscription transaction, it could delay confirmation of “legitimate” financial transactions, thus hurting bitcoin’s credibility as a reliable financial network.

There’s another concern: the part of the bitcoin transaction where the NFT is stored is called the witness data. SegWit allowed witness data to receive a substantial 75% discount compared to data in other parts of a transaction, like inputs, outputs, and even OP_RETURN values. What this means is that those who choose to mint NFTs or store data on bitcoin using this quirk of taproot do so at steep discount relative to those doing a more typical financial transaction. This then limits the contribution that such data storage can make to the fee market, especially relative to the size of the data that is stored on the blockchain and increases the risk that these discounted transactions could crowd out financial ones.

With these diverging perspectives in mind, it’s possible there is a middle road where there is some use of Inscriptions on bitcoin without significant crowding of financial transactions. For example, Ordinals could be a niche way to mint especially high value or vintage NFTs that place a premium on bitcoin’s network security and credibility. Especially as blockspace becomes scarce when bitcoin becomes a dominant financial asset, Ordinals NFTs could be limited to especially vintage or valuable NFTs. It is unlikely to be the venue of the common pfp series given that there is a cost associated with minting each individual NFT (unlike in Ethereum, where the cost to mint a series of 1 or 10,000 NFTs are the same). There are plenty of other chains where you can mint low value NFTs for essentially no cost, there is no reason to do that on bitcoin. Meanwhile, Taro could be used for fungible tokens like stable coins and the bitcoin network could still primarily be used for financial transactions.

The debate between the financial transaction and data store wings of the bitcoin community has been around almost as long as bitcoin itself. While this debate seemed to be settled in 2014 with the OP_RETURN compromise, it is about to be blown back open as tapscript unwittingly cast off basically all data store limitations. Despite the insistence of the most strident bitcoiners, there are lots of interesting applications for cryptocurrency besides financial transactions, and NFTs are one such example. Of course, the integrity of the bitcoin network for financial transactions is paramount, and any non-financial uses ideally support rather than detract from this principle goal.

Further reading:

1. My original thread on OP_RETURN

2. https://bitzuma.com/posts/op-return-and-the-future-of-bitcoin/

3. https://opreturn.org/op-return-per-month/

4. https://docs.ordinals.com/

Addendum: I am happy to revise this or correct it if needed, send me a DM!

Addendum 2: I errantly ascribed some changes in SegWit to Taproot and vice versa. I believe this is now corrected.

Addendum 3: I corrected the terminology on Ordinals vs Inscriptions. Ordinals is about tracking satoshis, Inscriptions are how NFTs are stored and added to satoshis.