bitcoinbook/ch09_fees.adoc

[[tx_fees]]
== Transaction Fees

The digital signature we saw Alice create in <<c_signatures>> only
proves that she knows her private key and that she committed to a
transaction that pays Bob.  She can create another signature that
instead commits to a transaction paying Carol--a transaction that spends
the same output (bitcoins) that she used to pay Bob.  Those two
transactions are now _conflicting transactions_ because only one
transaction spending a particular output can be included in the valid
blockchain with the most proof of work--the blockchain that full nodes
use to determine which keys control which bitcoins.

To protect himself against conflicting transactions, it would be wise
for Bob to wait until the transaction from Alice is included in the
blockchain to a sufficient depth before he considers the money he
received as his to spend (see <<confirmations>>).
For Alice's transaction to be included in the
blockchain, it must be included in a _block_ of transactions.  There are
a limited number of blocks produced in a given amount of time and each
block only has a limited amount of space.  Only the miner who creates
that block gets to choose which transactions to include.  Miners may
select transactions by any criteria they want, including refusing to
include any transactions at all.

[NOTE]
====
When we say "transactions" in this chapter, we refer to every
transaction in a block except for the first transaction.  The first
transaction in a block is a _coinbase transaction_, described in
<<coinbase_transactions>>, which allows the miner of the block to
collect their reward for producing the block.  Unlike other
transactions, a coinbase transaction doesn't spend the output of a
previous transaction and is also an exception to several other rules
that apply to other transactions.  Coinbase transactions don't pay
transaction fees, don't need to be fee bumped, aren't subject to
transaction pinning, and are largely uninteresting to the following
discussion about fees--so we're going to ignore them in this chapter.
====

The criterion that almost all miners use to select which transactions to
include in their blocks is to maximize their revenue.  Bitcoin was
specifically designed to accommodate this by providing a mechanism that
allows a transaction to give money to the miner who includes that
transaction in a block.  We call that mechanism _transaction fees_,
although it's not a fee in the usual sense of that word.  It's not an
amount set by the protocol or by any particular miner--it's much more
like a bid in an auction.  The good being purchased is the portion of
limited space in a block that a transaction will consume.  Miners choose
the set of transactions whose bids will allow them to earn the greatest
revenue.

In this chapter, we'll explore various aspects of those
bids--transaction fees--and how they influence the creation and
management of Bitcoin transactions.

=== Who Pays the Transaction Fee?

Most payment systems involve some sort of fee for transacting, but
often this fee is hidden from typical buyers.  For example, a merchant
may advertise the same item for the same price whether you pay with cash
or a credit card even though their payment processor may charge them
a higher fee for credit transactions than their bank charges them for
cash deposits.

In Bitcoin, every spend of bitcoins must be authenticated (typically
with a signature), so it's not possible for a transaction to pay a fee
without the permission of the spender.  It is possible for the receiver
of a transaction to pay a fee in a different transaction--and we'll see
that in use later--but if we want a single transaction to pay its own
fee, that fee needs to be something agreed upon by the spender.  It
can't be hidden.

Bitcoin transactions are designed so that it doesn't take any extra
space in a transaction for a spender to commit to the fee it pays.  That
means that, even though it's possible to pay the fee in a different
transaction, it's most efficient (and thus cheapest) to pay the fee in a
single transaction.

In Bitcoin,
the fee is a bid and the amount paid contributes to determining how long
it will take the transaction to confirm.  Both spenders and receivers of
a payment typically have an interest in having it confirming quickly, so
normally allowing only spenders to choose fees can sometimes be a
problem; we'll look at a solution to that problem in <<cpfp>>.  However,
in many common payment flows, the parties with the highest desire to see a
transaction confirm quickly--that is, the parties who'd be the most
willing to pay higher fees--are the spenders.

For those reasons, both technical and practical, it is customary in
Bitcoin for spenders to pay transaction fees.  There are exceptions,
such as for merchants that accept unconfirmed transactions and in
protocols that don't immediately broadcast transactions after they are
signed (preventing the spender from being able to choose an appropriate
fee for the current market).  We'll explore those exceptions later.

=== Fees and Fee Rates

Each transaction only pays a single fee--it doesn't matter how large the
transaction is.  However, the larger transactions become, the fewer of
them a miner will be able to fit in a block.  For that reason, miners
evaluate transactions the same way you might comparison shop between
several equivalent items at the market: they divide the price by the
quantity.

Whereas you might divide the cost of several different bags of rice by
each bag's weight to find the lowest price per weight (best deal), miners
divide the fee of a transaction by its size (also called its weight) to
find the highest fee per weight (most revenue).  In Bitcoin, we use the
term _fee rate_ for a transaction's size divided by weight.  Due to
changes in Bitcoin over the years, fee rate can be expressed in
different units:

- BTC/Bytes (a legacy unit rarely used anymore)
- BTC/Kilobytes (a legacy unit rarely used anymore)
- BTC/Vbytes (rarely used)
- BTC/Kilo-vbyte (used mainly in Bitcoin Core)
- Satoshi/Vbyte (most commonly used today)
- Satoshi/Weight (also commonly used today)

We recommend either the sat/vbyte or sat/weight units for displaying
fee rates.

[WARNING]
====
Be careful accepting input for fee rates.  If a user copies and pastes a
fee rate printed in one denominator into a field using a different
enumerator, they could overpay fees by 1,000 times.  If they instead
switch the enumerator, they could theoretically overpay by 100,000,000
times.  Wallets should make it hard for the user to pay an excessive
fee rate and may want to prompt the user to confirm any fee rate that was
not generated by the wallet itself using a trusted data source.

An excessive fee, also called an _absurd fee_, is any fee rate that's
significantly higher than the amount that fee rate estimators currently
expect is necessary to get a transaction confirmed in the next block.
Note that wallets should not entirely prevent users from choosing an
excessive fee rate--they should only make using such a fee rate hard to do
by accident.  There are legitimate reasons for users to overpay fees on
rare occasions.
====

=== Estimating Appropriate Fee Rates

We've established that you can pay a lower fee rate if you're willing to
wait longer for your transaction to be confirmed, with the exception
that paying too low of a fee rate could result in your transaction never
confirming.  Because fee rates are bids in an open auction for block
space, it's not possible to perfectly predict what fee rate you need to
pay to get your transaction confirmed by a certain time.  However, we
can generate a rough estimate based on what fee rates other transactions
have paid in the recent past.

A full node can record three pieces of information about each
transactions it sees: the time (block height) when it first received
that transaction, the block height when that transaction was confirmed,
and the fee rate paid by that transaction.  By grouping together
transactions that arrived at similar heights, were confirmed at similar
heights, and which paid similar fees, we can calculate how many blocks it
took to confirm transactions paying a certain fee rate.  We can then
assume that a transaction paying a similar fee rate now will take a
similar number of blocks to confirm.  Bitcoin Core includes a fee rate
estimator that uses these principles, which can be called using the
`estimatesmartfee` RPC with a parameter specifying how many blocks
you're willing to wait before the transaction is highly likely to
confirm (for example, 144 blocks is about 1 day):

----
$ bitcoin-cli -named estimatesmartfee conf_target=144
{
  "feerate": 0.00006570,
  "blocks": 144
}
----

Many web-based services also provide fee estimation as an API.  For a
current list, see https://www.lopp.net/bitcoin-information/fee-estimates.html.

As mentioned, fee rate estimation can never be perfect.  One common
problem is that the fundamental demand might change, adjusting the
equilibrium and either increasing prices (fees) to new heights or
decreasing them toward the minimum.
If fee rates go down, then a transaction
that previously paid a normal fee rate might now be paying a high fee
rate and it will be confirmed earlier than expected.  There's no way to
lower the fee rate on a transaction you've already sent, so you're stuck
paying a higher fee rate.  But, when fee rates go up, there's a need for
methods to be able to increase the fee rates on those transactions,
which is called _fee bumping_.  There are two commonly used types of fee
bumping in Bitcoin, replace by fee (RBF) and child pays for parent
(CPFP).

[[rbf]]
=== Replace By Fee (RBF) Fee Bumping

To increase the fee of a transaction using RBF fee bumping, you create
a conflicting version of the transaction that pays a higher fee.  Two
or more transactions are considered to be _conflicting transactions_ if
only one of them can be included in a valid blockchain, forcing a miner
to choose only one of them.  Conflicts occur when two or more transactions
each try to spend one of the same UTXOs, i.e., they each include an input
that has the same outpoint (reference to the output of a previous
transaction).

To prevent someone from consuming large amounts of bandwidth by creating
an unlimited number of conflicting transactions and sending them through
the network of relaying full nodes, Bitcoin Core and other full nodes
that support transaction replacement require each replacement
transaction to pay a higher fee rate than the transaction being
replaced.  Bitcoin Core also currently requires the replacement
transaction to pay a higher total fee than the original transaction, but
this requirement has undesired side effects and developers have been
looking for ways to remove it at the time of writing.

Bitcoin Core currently supports two variations of RBF:

Opt-in RBF::
  An unconfirmed transaction can signal to miners and full nodes that
  the creator of the transaction wants to allow it to be replaced by a
  higher fee rate version.  This signal and the rules for using it
  are specified in BIP125.  As of this writing, this has been enabled by
  default in Bitcoin Core for several years.

Full RBF::
  Any unconfirmed transaction can be replaced by a higher fee rate
  version.  As of this writing, this can be optionally enabled in
  Bitcoin Core (but it is disabled by default).

.Why Are There Two Variants of RBF?
****
The reason for the two different versions of RBF is that full RBF has
been controversial.  Early versions of Bitcoin allowed transaction
replacement but this behavior was disabled for several releases.  During
that time, a miner or full node using the software now called Bitcoin
Core would not replace the first version of an unconfirmed transaction
they received with any different version.  Some merchants came to expect
this behavior: they assumed that any valid unconfirmed transaction which
paid an appropriate fee rate would eventually become a confirmed
transaction, so they provided their goods or services shortly after
receiving such an unconfirmed transaction.

However, there's no way for the Bitcoin protocol to guarantee that any
unconfirmed transaction will eventually be confirmed.  As mentioned
earlier in this chapter, every miner gets to choose for themselves which
transactions they will try to confirm--including which versions of those
transactions.  Bitcoin Core is open source software, so anyone with a
copy of its source code can add (or remove) transaction replacement.
Even if Bitcoin Core wasn't open source, Bitcoin is an open protocol
that can be reimplemented from scratch by a sufficiently competent
programmer, allowing the reimplementor to include or not include
transaction replacement.

Transaction replacement breaks the assumption of some merchants that
every reasonable unconfirmed transaction will eventually be confirmed.
An alternative version of a transaction can pay the same outputs as the
original, but it isn't required to pay any of those outputs.  If the
first version of an unconfirmed transaction pays a merchant, the second
version might not pay them.  If the merchant provided goods or services
based on the first version, but the second version gets confirmed, then
the merchant will not receive payment for its costs.

Some merchants, and people supporting them, requested that transaction
replacement not be reenabled in Bitcoin Core.  Other people pointed out
that transaction replacement provides benefits, including the ability to
fee bump transactions that initially paid too low of a fee rate.

Eventually, developers working on Bitcoin Core implemented a compromise:
instead of allowing every unconfirmed transaction to be replaced (full
RBF), they only programmed Bitcoin Core to allow replacement of
transactions that signaled they wanted to allow replacement (opt-in RBF).
Merchants can check the transactions they receive for the opt-in
signal and treat those transactions differently than those without the
signal.

This doesn't change the fundamental concern: anyone can still alter
their copy of Bitcoin Core, or create a reimplementation, to allow full
RBF--and some developers even did this, but seemingly few people used
their software.

After several years, developers working on Bitcoin Core changed the
compromise slightly.  In addition to keeping opt-in RBF by default, they
added an option that allows users to enable full RBF.  If enough mining
hash rate and relaying full nodes enable this option, it will be
possible for any unconfirmed transaction to eventually be replaced by a
version paying a higher fee rate.  As of this writing, it's not clear
whether or not that has happened yet.
****

As a user, if you plan to use RBF fee bumping, you will first need to
choose a wallet that supports it, such as one of the wallets listed as
having "Sending support" on
https://bitcoinops.org/en/compatibility/#replace-by-fee-rbf.

As a developer, if you plan to implement RBF fee bumping, you will first
need to decided whether to perform opt-in RBF or full RBF.  At the time
of writing, opt-in RBF is the only method that's sure to work.  Even if
full RBF becomes reliable, there will likely be several years where
replacements of opt-in transactions get confirmed slightly faster than
full-RBF replacements.  If you choose opt-in RBF, your wallet will need
to implement the signaling specified in BIP125, which is a simple
modification to any one of the sequence fields in a transaction (see
<<sequence>>).  If you choose full RBF, you don't need to include any
signaling in your transactions.  Everything else related to RBF is the
same for both approaches.

When you need to fee bump a transaction, you will simply create a new
transaction that spends at least one of the same UTXOs as the original
transaction you want to replace.  You will likely want to keep the
same outputs in the transaction that pay the receiver (or receivers).
You may pay the increased fee by reducing the value of your change
output or by adding additional inputs to the transaction.  Developers
should provide users with a fee-bumping interface that does all of this
work for them and simply asks them (or suggests to them) how much the
fee rate should be increased.

[WARNING]
====
Be very careful when creating more than one replacement of the same
transaction.  You must ensure than all versions of the transactions
conflict with each other.  If they aren't all conflicts, it may be
possible for multiple separate transactions to confirm, leading you to
overpay the receivers.  For example:

- Transaction version 0 includes input _A_.
- Transaction version 1 includes inputs _A_ and _B_ (e.g., you had to add
  input _B_ to pay the extra fees)
- Transaction version 2 includes inputs _B_ and _C_ (e.g., you had to add input
  _C_ to pay the extra fees but _C_ was large enough that you no longer
  need input _A_).

In this scenario, any miner who saved version 0 of the transaction
will be able to confirm both it and version 2 of the transaction.  If
both versions pay the same receivers, they'll be paid twice (and the
miner will receive transaction fees from two separate transactions).

A simple method to avoid this problem is to ensure the replacement
transaction always includes all of the same inputs as the previous
version of the transaction.
====

The advantage of RBF fee bumping over other types of fee bumping is that
it can be very efficient at using block space.  Often, a replacement
transaction is the same size as the transaction it replaces.  Even when
it's larger, it's often the same size as the transaction the user would
have created if they had paid the increased fee rate in the first place.

The fundamental disadvantage of RBF fee bumping is that it can normally
only be performed by the creator of the transaction--the person or
people who were required to provide signatures or other authentication
data for the transaction.  An exception to this is transactions that
were designed to allow additional inputs to be added by using sighash
flags (see <<sighash_types>>), but that presents its own challenges.  In
general, if you're the receiver of an unconfirmed transaction and you
want to make it confirm faster (or at all), you can't use an RBF fee
bump; you need some other method.

There are additional problems with RBF that we'll explore in <<transaction_pinning>>.

[[cpfp]]
=== Child Pays for Parent (CPFP) Fee Bumping

Anyone who receives the output of an unconfirmed transaction can
incentivize miners to confirm that transaction by spending that output.
The transaction you want to get confirmed is called the _parent
transaction_.  A transaction that spends an output of the parent
transaction is called a _child transaction_.

As we learned in <<outpoints>>, every input in a confirmed transaction
must reference the unspent output of a transaction that appears earlier
in the blockchain (whether earlier in the same block or in a previous
block).  That means a miner who wants to confirm a child transaction
must also ensure that its parent transaction is confirmed.  If the
parent transaction hasn't been confirmed yet but the child transaction
pays a high enough fee, the miner can consider whether it would be
profitable to confirm both of them in the same block.

To evaluate the profitability of mining both a parent and child
transaction, the miner looks at them as a _package of transactions_ with
an aggregate size and aggregate fees, from which the fees can be divided
by the size to calculate a _package fee rate_.  The miner can then sort
all of the individual transactions and transaction packages they know
about by fee rate and include the highest-revenue ones in the block
they're attempting to mine, up to the maximum size (weight) allowed to
be included in a block.  To find even more packages that might be
profitable to mine, the miner can evaluate packages across multiple
generations (e.g., an unconfirmed parent transaction being combined with
both its child and grandchild).  This is called _ancestor fee rate
mining_.

Bitcoin Core has implemented ancestor fee rate mining for many years,
and it's believed that almost all miners use it at the time of writing.
That means it's practical for wallets to use this feature to fee bump an
incoming transaction by using a child transaction to pay for its parent
(CPFP).

CPFP has several advantages over RBF.  Anyone who receives an output
from a transaction can use CPFP--that includes both the receivers of
payments and the spender (if the spender included a change output).  It
also doesn't require replacing the original transaction, which makes it
less disruptive to some merchants than RBF.

The primary disadvantage of CPFP compared to RBF is that CPFP typically
uses more block space.  In RBF, a fee bump transaction is often the same
size as the transaction it replaces.  In CPFP, a fee bump adds a whole
separate transaction.  Using extra block space requires paying extra
fees beyond the cost of the fee bump.

There are several challenges with CPFP, some of which we'll explore in
<<transaction_pinning>>.  One other problem that we
specifically need to mention is the minimum relay fee rate problem,
which is addressed by package relay.

=== Package Relay

Early versions of Bitcoin Core didn't place any limits on the number of
unconfirmed transactions they stored for later relay and mining in their
mempools (see <<mempool>>).  Of course, computers have physical limits, whether
it's the memory (RAM) or disk space--it's not possible for a full node
to store an unlimited number of unconfirmed transactions.  Later
versions of Bitcoin Core limited the size of the mempool to hold about
one day's worth of transactions, storing only the transactions or packages
with the highest fee rate.

That works extremely well for most things, but it creates a dependency
problem.  In order to calculate the fee rate for a transaction package,
we need both the parent and descendant transactions--but if the parent
transaction doesn't pay a high enough fee rate, it won't be kept in a
node's mempool.  If a node receives a child transaction without having
access to its parent, it can't do anything with that transaction.

The solution to this problem is the ability to relay transactions as a
package, called _package relay_, allowing the receiving node to evaluate
the fee rate of the entire package before operating on any individual
transaction.  As of this writing, developers working on Bitcoin Core
have made significant progress on implementing package relay and a
limited early version of it may be available by the time this book is
published.

Package relay is especially important for protocols based on
time-sensitive presigned transactions, such as Lightning Network.  In
non-cooperative cases, some presigned transactions can't be fee bumped
using RBF, forcing them to depend on CPFP.  In those protocols, some
transactions may also be created long before they need to be broadcast,
making it effectively impossible to estimate an appropriate fee rate.
If a presigned transaction pays a fee rate below the amount necessary to
get into a node's mempool, there's no way to fee bump it with a child.
If that prevents the transaction from confirming in time, an honest user
might lose money.  Package relay is the solution for this critical
problem.

[[transaction_pinning]]
=== Transaction Pinning

Although both RBF and CPFP fee bumping work in the basic cases we
described, there are rules related to both
methods that are designed to prevent denial-of-service attacks on miners
and relaying full nodes.  An unfortunate side effect of those rules
is that they can sometimes prevent someone from being able to use fee
bumping.  Making it impossible or difficult to fee bump a transaction is
called _transaction pinning_.

One of the major denial of service concerns revolves around the effect of
transaction relationships.  Whenever the output of a transaction is
spent, that transaction's identifier (txid) is referenced by the child
transaction.  However, when a transaction is replaced, the replacement
has a different txid.  If that replacement transaction gets confirmed,
none of its descendants can be included in the same blockchain.  It's
possible to re-create and re-sign the descendant transactions, but that's
not guaranteed to happen.  This has related but divergent implications
for RBF and CPFP:

- In the context of RBF, when Bitcoin Core accepts a replacement
  transaction, it keeps things simple by forgetting about the original
  transaction and all descendant transactions that depended on that
  original.  To ensure that it's more profitable for miners to accept
  replacements, Bitcoin Core only accepts a replacement transaction if it
  pays more fees than all the transactions that will be forgotten.
+
The downside of this approach is that Alice can create a small
transaction that pays Bob.  Bob can then use his output to create a
large child transaction.  If Alice then wants to replace her original
transaction, she needs to pay a fee that's larger than what both she and
Bob originally paid.  For example, if Alice's original transaction was
about 100 vbytes and Bob's transaction was about 100,000 vbytes, and
they both used the same fee rate, Alice now needs to pay more than 1,000
times as much as she originally paid in order to RBF fee bump her
transaction.

- In the context of CPFP, any time the node considers including a
  package in a block, it must remove the transactions in that package
  from any other package it wants to consider for the same block.  For
  example, if a child transaction pays for 25 ancestors, and each of
  those ancestors has 25 other children, then including the package in
  the block requires updating approximately 625 packages (25^2^).
  Similarly, if a transaction with 25 descendants is removed from a
  node's mempool (such as for being included in a block), and each of
  those descendants has 25 other ancestors, another 625 packages need to
  be updated.  Each time we double our parameter (e.g., from 25 to 50),
  we quadruple the amount of work our node needs to perform.
+
Additionally, a transaction and all of its descendants is not
  useful to keep in a mempool long term if an alternative version of
  that transaction is mined--none of those transactions can now be
  confirmed unless there's a rare blockchain reorganization.  Bitcoin
  Core will remove from its mempool every transaction that can no longer
  be confirmed on the current blockchain.  At it's worst, that can
  waste an enormous amount of your node's bandwidth and possibly be used
  to prevent transactions from propagating correctly.
+
To prevent these problems, and other related
  problems, Bitcoin Core limits a parent transaction to having a maximum
  of 25 ancestors or descendants in its mempool and limits the
  total size of all those transactions to 100,000 vbytes.  The downside
  of this approach is that users are prevented from creating CPFP fee
  bumps if a transaction already has too many descendants (or if it and
  its descendants are too large).

Transaction pinning can happen by accident, but it also represents a
serious vulnerability for multiparty time-sensitive protocols such as
Lightning Network.  If your counterparty can prevent one of your
transactions from confirming by a deadline, they may be able to steal
money from you.

Protocol developers have been working on mitigating problems with
transaction pinning for several years.  One partial solution is
described in <<cpfp_carve_out>>.  Several other solutions have been
proposed, and at least one solution is being actively developed as of
this writing—https://bitcoinops.org/en/topics/ephemeral-anchors/[ephemeral anchors].

[[cpfp_carve_out]]
=== CPFP Carve Out and Anchor Outputs

In 2018, developers working on Lightning Network (LN) had a problem.
Their protocol uses transactions that require signatures from two
different parties.  Neither party wants to trust the other, so they sign
transactions at a point in the protocol when trust isn't needed,
allowing either of them to broadcast one of those transactions at a
later time when the other party may not want to (or be able to) fulfill
its obligations.  The problem with this approach is that the
transactions might need to be broadcast at an unknown time, far in the future, beyond any
reasonable ability to estimate an appropriate fee rate for the
transactions.

In theory, the developers could have designed their transactions to
allow fee bumping with either RBF (using special sighash flags) or CPFP,
but both of those protocols are vulnerable to transaction pinning.
Given that the involved transactions are time sensitive, allowing a
counterparty to use transaction pinning to delay confirmation of a
transaction can easily lead to a repeatable exploit that malicious
parties could use to steal money from honest parties.

LN developer Matt Corallo proposed a solution: give the rules for CPFP
fee bumping a special exception, called _CPFP carve out_.  The normal
rules for CPFP forbid the inclusion of an additional descendant if it
would cause a parent transaction to have 26 or more descendants or if it
would cause a parent and all of its descendants to exceed 100,000 vbytes
in size.  Under the rules of CPFP carve out, a single additional
transaction up to 1,000 vbytes in size can be added to a package even if
it would exceed the other limits as long as it is a direct child of an
unconfirmed transaction with no unconfirmed ancestors.

For example, Bob and Mallory both co-sign a transaction with two
outputs, one to each of them.  Mallory broadcasts that transaction and
uses her output to attach either 25 child transactions or any smaller
number of child transactions equaling 100,000 vbytes in size.  Without
carve-out, Bob would be unable to attach another child transaction to
his output for CPFP fee bumping.  With carve-out, he can spend one of
the two outputs in the transaction, the one that belongs to him, as long
as his child transaction is less than 1,000 vbytes in size (which should
be more than enough space).

It's not allowed to use CPFP carve-out more than once, so it only works
for two-party protocols.  There have been proposals to extend it to
protocols involving more participants, but there hasn't been much demand
for that and developers are focused on building more generic solutions
to transaction pinning attacks.

As of this writing, most popular LN implementations use a transaction
template called _anchor outputs_, which is designed to be used with CPFP
carve out.

=== Adding Fees to Transactions

The data structure of transactions does not have a field for fees.
Instead, fees are implied as the difference between the sum of inputs
and the sum of outputs. Any excess amount that remains after all outputs
have been deducted from all inputs is the fee that is collected by the
miners:

[[tx_fee_equation]]
.Transaction fees are implied, as the excess of inputs minus outputs:
----
Fees = Sum(Inputs) – Sum(Outputs)
----

This is a somewhat confusing element of transactions and an important
point to understand, because if you are constructing your own
transactions you must ensure you do not inadvertently include a very
large fee by underspending the inputs. That means that you must account
for all inputs, if necessary by creating change, or you will end up
giving the miners a very big tip!

For example, if you spend a 20-bitcoin UTXO to make a 1-bitcoin
payment, you must include a 19-bitcoin change output back to your
wallet. Otherwise, the 19-bitcoin "leftover" will be counted as a
transaction fee and will be collected by the miner who mines your
transaction in a block. Although you will receive priority processing
and make a miner very happy, this is probably not what you intended.

[WARNING]
====
If you forget to add a
change output in a manually constructed transaction, you will be paying
the change as a transaction fee. "Keep the change!" might not be what
you intended.
====

[[fee_sniping]]
=== Timelock Defense Against Fee Sniping

Fee sniping is a theoretical
attack scenario, where miners attempting to rewrite past blocks "snipe"
higher-fee transactions from future blocks to maximize their
profitability.

For example, let's say the highest block in existence is block
#100,000. If instead of attempting to mine block #100,001 to extend the
chain, some miners attempt to remine  #100,000. These miners can choose
to include any valid transaction (that hasn't been mined yet) in their
candidate block  #100,000. They don't have to remine the block with the
same transactions. In fact, they have the incentive to select the most
profitable (highest fee per kB) transactions to include in their block.
They can include any transactions that were in the "old" block
#100,000, as well as any transactions from the current mempool.
Essentially they have the option to pull transactions from the "present"
into the rewritten "past" when they re-create block  #100,000.

Today, this attack is not very lucrative, because the block subsidy is much
higher than total fees per block. But at some point in the future,
transaction fees will be the majority of the reward (or even the
entirety of the reward). At that time, this scenario becomes inevitable.

Several wallets discourage fee sniping by creating transactions with a
lock time that limits those transactions to being included in the next
block or any later block. In our
scenario, our wallet would set lock time to 100,001 on any
transaction it created. Under normal circumstances, this lock time has
no effect&#x2014;the transactions could only be included in block
#100,001 anyway; it's the next block.

But under a reorganization attack, the miners would not be able to pull
high-fee transactions from the mempool, because all those transactions
would be timelocked to block #100,001. They can only remine  #100,000
with whatever transactions were valid at that time, essentially gaining
no new fees.

This does not entirely prevent fee sniping, but it does make it less
profitable in some cases and so can help preserve the stability of the
Bitcoin network as the block subsidy declines.  We recommend all wallets
implement anti fee sniping when it doesn't interfere with the wallet's
other uses of the lock time field.

As Bitcoin continues to mature, and as the subsidy continues to decline,
fees become more and more important to Bitcoin users, both in their
day-to-day use for getting transactions confirmed quickly and in
providing an incentive for miners to continue securing Bitcoin
transactions with new proof of work.