The standard critique of Bitcoin is that it burns enormous computation for no external purpose. The standard rebuttal — make the work useful — has long been dismissed with a one-line objection: if the work is valuable, attackers are 'paid to attack.' A paper posted to arXiv on June 4 — The Economics of Proof-of-Useful-Work, by Rafael Pass — takes that objection seriously enough to model it formally, and concludes that the strawman, once you price the equilibrium properly, does not hold.

The setup is precise about the contrast. In existing systems such as Bitcoin, computational expenditure is intentionally useless: the computation secures consensus but produces no external economic output. The proposed alternative is to recover that output.

"An emerging alternative -- proof of useful work (PoUW) -- enables the same computation to simultaneously secure the blockchain and generate economically valuable output."— arXiv:2606.06700, source

That is the promise of proof of useful work: the same cycles that secure the ledger also do something the world pays for. The author instantiates the useful work as machine-learning inference — a market with real, growing demand — which makes the model concrete rather than abstract. The economic question is whether coupling security to a valuable output undermines the security, and the paper answers it with a competitive-equilibrium model rather than intuition.

A model with one knob that matters

The model lets compute be allocated three ways: pure mining, pure useful work (the ML inference), or 'duplex' work that produces both with computational overheads. The author then provides a complete closed-form characterization of equilibrium allocations and prices as a function of the duplex overheads and a single economic parameter — the token-inference ratio — measuring token adoption relative to the inference market. Reducing the system's behavior to one interpretable parameter is the kind of result that makes a model useful: it turns a vague debate into a question of where you sit on a single axis.

That axis produces three regimes, and the names tell the story. In Bitconia, the economy reduces to classical proof-of-work — token value dominates, useful work is negligible, and you are back to Bitcoin. In Fortessia, duplex work replaces pure mining, which increases security while useful output remains unchanged — you get more security for free, in effect, because miners do double-duty. In Duplexia, token rewards subsidize inference, lowering prices and expanding inference supply — the blockchain becomes a subsidy engine for useful computation. The regime you land in depends on the token-inference ratio.

Why 'paid to attack' is a strawman

The paper's central rebuttal is the part worth dwelling on. The 'paid to attack' worry says that if mining produces sellable output, an attacker mining to attack also earns that output, lowering their net attack cost. Pass shows this reasoning ignores equilibrium prices. Contrary to the common strawman argument, PoUW does not make attacks economically cheap: once equilibrium prices are taken into account, the economic cost of a majority attack remains tied to the block reward. The intuition is that if useful work were a free lunch for attackers, it would be a free lunch for everyone, and competition would compete that surplus away — the price of the useful output adjusts until the attacker's edge disappears. Security stays anchored to the block reward, just as in classical proof-of-work.

The most striking claim is the welfare one in the Duplexia regime. There, block rewards act as rebates on inference prices, generating additional socially useful computation that would not arise without the blockchain — and that expansion is monotonically increasing in token adoption and technological efficiency. In other words, the blockchain does not merely redirect existing inference demand; it can subsidize new, otherwise-unprofitable computation into existence. The more the token is adopted and the more efficient the hardware, the more useful work the system pulls into the economy. That reframes the energy debate entirely: the question is no longer 'how do we stop wasting the work' but 'how much extra useful work can the security budget bankroll.'

The welfare result is also where the policy conversation should migrate, because it reframes the externality. Critics of Proof-of-Work treat the energy as pure social waste; defenders treat it as the unavoidable price of decentralized security. Pass's Duplexia regime suggests a third position: under the right token-inference ratio, the security spend can be partially recovered as useful output, so the relevant question is not whether the work is wasted but what fraction of the security budget can be converted into computation society would have paid for anyway. That does not make Proof-of-Useful-Work obviously superior — the duplex overheads are real, and a chain in the Bitconia regime captures none of the benefit — but it does turn a binary moral argument into a quantitative design question. For a sector whose energy debate has been unusually unproductive, replacing 'wasteful versus necessary' with 'how much is recoverable, and under what parameters' is itself the contribution.

A model is only as good as its assumptions, and a reader should hold the conclusions at the altitude the paper does. This is a competitive-equilibrium analysis with idealized duplex overheads and a single demand market (inference); real markets have frictions, hardware specialization, and demand volatility the closed form abstracts away, and the elegant three-regime map is a property of the model, not a measurement of any deployed chain. But the contribution is exactly the right kind for a debate that has run on slogans: it takes the strongest one-line objection to proof-of-useful-work — paid to attack — and shows, with equilibrium reasoning, why it fails. For anyone weighing whether useful-work consensus is a serious alternative or a marketing veneer, this paper moves the conversation from intuition to a characterization you can argue with on its own terms, which is precisely where it should be.