The rule of thumb is no longer applicable; those making large transactions need to assess transaction risk in real time based on the current mining ecosystem.

 

Written by: Jameson Lopp, Cypherpunk Cogitations

Compiled by: aididiaojp.eth, Foresight News

 

If you have ever used the Bitcoin network for transactions, you may realize that accepting unconfirmed (a.k.a. zero-confirmation) transactions is risky. In an unconfirmed state, Bitcoin receivers are easily susceptible to race attacks, Finney attacks, and 51% attacks.

 

When you have at least one transaction confirmation, you are no longer as vulnerable to race attacks or Finney attacks. Now the only concern is the 51% attack. What is the rule of thumb for acceptable confirmation counts?

 

  • 1 Confirmation: Sufficient for small payments under $1,000.

  • 3 Confirmations: For payment amounts between $1,000 - $10,000, most exchanges require 3 deposit confirmations.

  • 6 Confirmations: Suitable for large payments between $10,000 and $1 million. Six confirmations are considered the standard for safety.

  • 10 Confirmations: Recommended for payments larger than $1 million.

 

In-depth Exploration

 

Naturally, Bitcoin is not that simple, and these rule-of-thumb confirmation counts rest on assumptions that are rarely discussed.

 

For example, the confirmation thresholds listed above are based on an attacker having 10% of the global hash rate. In that case, 6 confirmations give 99.99% assurance that the attacker cannot rewrite that much of the blockchain's history.

 

However, these calculations (found in the white paper) were done long before mining pools and industrial mining, when it was reasonable to assume that it was difficult for anyone to hold more than 10% of the global hash rate. Since 2011, the network has seen a surge of block-producing entities (mining pools) that have accumulated far more than 10% of the global hash rate. At the time of writing, there are 5 such mining pools.

 

Quantifying Real-Time Risk

 

Pages 6 and 7 of the Bitcoin white paper outline the method for calculating the risk of an attacker rewriting the blockchain after a given number of transaction confirmations.

 

The competition between the honest chain and the attacker's chain can be described as a binomial random walk. A successful event is when the honest chain is extended by one block, increasing its lead by 1, while a failed event is when the attacker's chain is extended by one block, decreasing the gap by 1. The probability that the attacker's chain catches up to the honest chain is similar to the gambler's ruin problem. In layman's terms: the gambler (attacker) has a negative expected value most of the time, so the longer they play this game with a negative expected value, the less likely they are to become a winner.

 

Given that we assume the attacker has less than 50% of the network hash rate, the probability that the attacker catches up decreases exponentially as the number of blocks they must catch up increases. The longer the race drags on, the worse it is for the attacker; if they do not get lucky and sprint ahead early, their chances become negligible as they fall further behind. The attacker's potential progress follows a Poisson distribution, because mining is a Poisson process.

 

To determine the probability that an attacker can rewrite the blockchain from z blocks back, we multiply the Poisson density of each advance the attacker can achieve by the probability that he can catch up at that position, where:

 

  • p = The probability that an honest miner finds the next block

  • q = The probability that the attacker finds the next block

  • z = The number of blocks (confirmations) that need to be reorganized

  • lambda = z * (q / p)

  • k = An integer from 0 to z

 

 

This is not a particularly interesting calculation to perform, so it seemed like a good candidate for an open-source project.

 

Confirmation Risk Calculator

 

I created the following tool, which dynamically calculates the current chain reorganization risk based on the pool with the highest hash rate estimate (from the trailing weeks of mined blocks). Of course, you can override this parameter with any other hash rate percentage and number of confirmations to obtain a risk score.

 

 

It is now easy to see that, for a given percentage of the network hash rate, the number of confirmations needed for a 99.9% probability that our transaction is not double-spent increases sharply as the attacker's hash rate approaches 50%.

 

 

Why should you care?

 

At the time of writing, Foundry has 36% of the global hash rate, which means that if you accept payments after 3 confirmations, Foundry still has a 49% chance of rewriting the blockchain and carrying out a double-spend attack.

 

 

Assuming the attacker has 10% of the hash rate, the rule of thumb of 6 block confirmations ensures a 99.99% chance of no double-spend, whereas it now takes 60 confirmations to achieve the same confidence.

 

As for the practicality of such attacks: mining pools certainly have no incentive to attack, as doing so could result in a significant loss of business. Miners are generally long-term holders who do not want to undermine confidence in the ecosystem. However, mining pools can still present single points of failure, where someone could exploit vulnerabilities to hijack a pool in a short time. Similar situations have occurred, such as the BGP attack that rerouted a significant amount of mining pool traffic to mine coins for the attacker.

 

Summary

 

While Bitcoin has robustness and stability in some aspects, it is highly unstable in others. For those conducting high-value transactions on the Bitcoin blockchain, it is important to be aware that their risk assessments should be adjusted based on the current state of the mining ecosystem.

 

It should be made clear that the above views on Foundry should not be interpreted as a looming or systemic threat to the integrity of the Bitcoin network. Over the past decade, we have seen fluctuations in the centralization of miners due to various factors. For example:

 

 

 

I remain optimistic that the incentives driving industrial Bitcoin miners are rational. They will continue to seek cheap, stranded, surplus energy sources, and the essence of energy is that it can be effectively utilized around the world. In the long run, I expect to see a more decentralized distribution of hash rates among mining pools. In addition, there are some technical improvements, such as Stratum V2, which takes power away from pool operators and puts it back in the hands of individuals.