Why Satoshi (probably) didn’t move some coins from 2009

On block 631058 was mined a transaction which spent an output from February of 2009, that is a month after the Bitcoin network went live. This has caused a bit of a price swing, not to mention, a lot of speculation, about whether this is Satoshi Nakamoto moving these coins or not.

In this article, I’m going to lay out the case for why it probably wasn’t Satoshi and the bit of digital forensics we can use to figure this out.

What Happened

There weren’t that many people mining on the network (or even knowing what it was), so the speculation is that this output may belong to Satoshi Nakamoto. Given that a private key is required to unlock the output, the fact that this output was spent suggests that the spender has access to the private key. If this is Satoshi, this would suggest that there may be a lot more Bitcoins to be dumped. The price of Bitcoin dropped around 5% as of this writing, perhaps based on that speculation.

Bitcoin Back in 2009

So for one thing, we know that Satoshi Nakamoto mined block 9, at least, and may have mined more. That said, there were other people mining on the network, not the least of which was Hal Finney:

Because Bitcoin was so new and there was only one choice of software, everyone running the Bitcoin software at the time was mining.

What We Can Infer

Back in v0.1, there was a specific function in main.cpp that created proof-of-work. Of course, it was very easy to find proof-of-work back then by today’s standards, but it still required a good deal of CPU power to find. We can see the code that creates the coinbase transaction here.

The key piece of information we can gather in the coinbase transaction, besides the output, is something called the extra nonce:

You can see in line 2190 that bnExtraNonce gets set to 0. Further in line 2212, the same variable increments in the while loop for generating coins (aka mining). Lastly, also in line 2212, the bnExtraNonce is added to the the coinbase transaction’s scriptSig via the “<<” operator. This is where we can use some forensics as this variable gets set to 0 and increments as long as the program is running. If the program restarts, this gets reset to 0. Thus, the longer the bitcoin software was running, the higher this number would be and further, this number would show up in the coinbase transaction’s scriptSig field, which we can examine on the blockchain.

This is where Sergio Lerner’s examination of the early blocks have led to his labeling of certain coinbase transactions as having been from “Patoshi”. The coins in the graph are green if spent and blue if unspent with the y-axis being the extra nonce value and you can see the large blue strands:

These are what are suspected to be Satoshi’s coins as the extra nonce value increases when a block is mined. These are also pretty long running processes that seem to get restarted every week or so. To be fair, we don’t know if these are specifically Satoshi’s coins, except something like block #9, but there’s decent forensic evidence given how the blue strands line up (when one ends, another one begins soon after), that these coinbase outputs have a good argument of being Satoshi’s.

The Block in Question

The scriptSig has a 4-byte bits number (0xffff001d, which is the proof-of-work threshold) and then the extra nonce, which is 0xdd01. This number is in little-endian hexadecimal, which works out to be 477 in decimal.

Compare this with the nearest blue dots from one of the strands, blocks right before and after this block, which are blocks 3653 and 3655. They have extra nonces of 2367 and 2372 respectively.

Conclusion

Bitcoin Educator, Developer and Entrepreneur. Book: https://amzn.to/2RSlnTb PGP Fingerprint: C1D7 97BE 7D10 5291 228C D70C FAA6 17E3 2679 E455