Author Topic: Why difference in 6 blocks is enough to think the transaction is secure?  (Read 220 times)
BoyFromDubai (OP)
February 01, 2023, 12:55:45 PM
Merited by vapourminer (1), ABCbits (1), baro77 (1)
 #1

Everywhere it's said that 6 blocks is enough, but why? I'm not talking about the probability that is in the Bitcoin whitepaper, but I've heard that it was proven mathematically that it's impossible to attack the chain if the difference is 6 blocks and more. Maybe someone knows where I can find this thing?
Charles-Tim
February 01, 2023, 01:20:23 PM
Merited by hugeblack (4), hosseinimr93 (4), vapourminer (3), pooya87 (2), ABCbits (1), DdmrDdmr (1)
 #2

The reason some people advise more confirmations is the possibility of chain reorg. You can read about it using this link:
https://learnmeabitcoin.com/technical/chain-reorganisation#:~:text=A%20chain%20reorganisation%20(or%20%E2%80%9Creorg,build%20the%20new%20longest%20chain.

It happens in a way that a block can be mined at the same time by two miners, but only the one that builds on the new longest chain would be valid while the other would be invalidated as the next blocks are no longer building on it. A transaction in the block that was valid before but becomes invalid, if the transaction is not in the block in the new longest chain, the transaction would also become invalid, but most likely the transaction would be included in another block if not included in the valid block in the new longest chain.

Quote
Practically speaking though, if two blocks are mined at the same time, they’re probably going to include the same transactions in them, so a reorg isn’t usually going to cause anyone a problem.

However, if there are transactions in the orphan block that are not in the competing block, they will get sent back in to your node’s memory pool and propagated around the network again for the chance to be mined in to a future block.

But it would be frustrating to see a transaction that has been confirmed before to become invalidated even if it would be confirmed again.

BoyFromDubai (OP)
February 01, 2023, 01:30:31 PM
 #3

Yes, I know this, but I need mathematical proof
baro77
February 01, 2023, 02:21:02 PM
 #4


If you are really "brave", well motivated and with quite enough time to devote to your interest in that, here is what imho is nearest to a proof. It's in the lecture 8 videos, while lecture 9 specializes the analysis to PoW blockchains, but you definitely need to watch (and understand) the whole course till there to understand... the many concepts needed (just to deal with it in a rigorous way) are introduced in a step-by-step way:

https://www.youtube.com/playlist?list=PLEGCF-WLh2RLOHv_xUGLqRts_9JxrckiA

Just a quick note about what you have to expect: longest-chain consensus attains PROBABILISTIC finality, even when formally described. The probabilistic nature comes from the fact that there isn't a-priori knowledge of which node is an adversarial one, whichever leader election strategy (= way to choose who builds the next block) is chosen.

Wish you a good learning work!


Quote
Yes, I know this, but I need mathematical proof
DaveF
February 01, 2023, 02:22:21 PM
 #5

Quote
Yes, I know this, but I need mathematical proof

There is no 'proof'; it's part of the basic concept of PoW.

You would have to have enough hashing power to mine more than 6 blocks while the rest of the network only mined 6. So if nothing else changes you would need FAR MORE than current existing SHA256 hash power to ATTEMPT to do it. And there is still the chance due to luck that it still would fail.

You can look at the amount of existing hash power and extrapolate from there.

-Dave

baro77
February 01, 2023, 02:48:54 PM
 #6

Quote
There is no 'proof' it's part of the basic concept of PoW.

I'm sure OP is thinking of Bitcoin, so it's ok for the current level of talk to identify consensus with PoW, but for the sake of accuracy it depends on the longest-chain consensus style, not on the PoW leader election strategy.

The need to wait a number of blocks before considering a previous one finalized would apply in whichever uniform way we could choose the "miner", e.g. even in the "extreme" case of round-robin choice in a permissioned context. Or, as far as I know, Cardano using PoS on longest-chain has an analogous probabilistic finality concept.

I guess it's common to identify PoW with Longest-Chain 'cause it seems a bad idea to use it with BFT-style consensus, so everywhere you have PoW you also have LC.
vjudeu
February 01, 2023, 02:51:09 PM
 #7

Quote
Yes, I know this, but I need mathematical proof
Then open the whitepaper, and read the last paragraph (11. Calculations), https://bitcoin.org/bitcoin.pdf

odolvlobo
February 02, 2023, 01:52:23 AM
Last edit: February 02, 2023, 02:04:41 AM by odolvlobo
Merited by BlackHatCoiner (4), Foxpup (2), vapourminer (2), hosseinimr93 (2), OgNasty (1), ABCbits (1), DdmrDdmr (1)
 #8

Quote
...I've heard that it was proven mathematically that it's impossible to attack the chain if the difference is 6 blocks and more.

The person who told you that is wrong. It is possible to successfully "attack the chain" regardless of the number of blocks with sufficient resources.

There is a rule of thumb saying that it is extremely unlikely for a chain reorg to be 6 blocks deep. The six blocks rule of thumb comes from the math in the white paper and an analysis in a very old post here somewhere.

It is possible to reorg an unlimited number of blocks if you have more than 50% of the total hash rate. If you have less than 50%, then the probability of success drops exponentially with the number of blocks. It is not impossible to reorg 6 blocks with less than 50%, but it is very unlikely to succeed and therefore very impractical.

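The whitepaper calculation that posts #7 and #8 refer to (section 11, attacker success probability), written out as an added example that is not part of any poster's message. The function names and the `limit` parameter are chosen here for illustration; the model assumes the attacker's share `q` of the hash rate stays constant.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker holding fraction q of the hash rate
    ever overtakes the honest chain from z blocks behind (whitepaper, section 11)."""
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("need 0 <= q <= 1 and z >= 0")
    p = 1.0 - q                      # honest share of the hash rate
    if q >= p:
        return 1.0                   # a majority attacker always catches up eventually
    lam = z * (q / p)                # expected attacker progress while z blocks are mined
    poisson = math.exp(-lam)         # Poisson(k=0; lam)
    total = 1.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k       # Poisson(k; lam) from Poisson(k-1; lam)
        # attacker has k blocks and is z-k behind: catches up with prob (q/p)^(z-k)
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total


def min_confirmations(q: float, max_risk: float, limit: int = 1000) -> int:
    """Smallest z whose reorg probability is below max_risk (hypothetical helper)."""
    if q >= 0.5:
        raise ValueError("no number of confirmations is enough against q >= 0.5")
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    raise ValueError("risk target not reached within limit")


if __name__ == "__main__":
    for q in (0.10, 0.30):
        print(f"q = {q:.2f}")
        for z in range(0, 11):
            print(f"  z = {z:2d}  P = {attacker_success_probability(q, z):.7f}")
    for q in (0.10, 0.20, 0.30):
        print(f"q = {q:.2f}: P < 0.1% after {min_confirmations(q, 0.001)} confirmations")
```

Under this model an attacker with 10% of the hash rate reverses a 6-confirmation transaction with probability of about 0.02%, while one with 30% needs the recipient to wait 24 confirmations for the risk to fall below 0.1%.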
Synchronice
February 02, 2023, 08:16:21 PM
 #9

Isn't 6 confirmations an outdated method? In most cases, as far as I know, 3 confirmations is a safe bet and some websites even use something like a confidence factor where they calculate via some methods the probability of a double spend.

Quote
There is a rule of thumb saying that it is extremely unlikely for a chain reorg to be 6 blocks deep. The six blocks rule of thumb comes from the math in the white paper and an analysis in a very old post here somewhere.

Has it ever been 5 blocks deep? 4 blocks deep? And what will happen if a chain reorg is 6 blocks deep? Will the 6 block criteria just grow or can it turn into a huge problem?

HeRetiK
February 03, 2023, 10:19:52 AM
Merited by vapourminer (3), pooya87 (2), ABCbits (1)
 #10

Quote
Isn't 6 confirmations an outdated method? In most cases, as far as I know, 3 confirmations is a safe bet and some websites even use something like a confidence factor where they calculate via some methods the probability of a double spend.

Quote
There is a rule of thumb saying that it is extremely unlikely for a chain reorg to be 6 blocks deep. The six blocks rule of thumb comes from the math in the white paper and an analysis in a very old post here somewhere.

Has it ever been 5 blocks deep? 4 blocks deep? And what will happen if a chain reorg is 6 blocks deep? Will the 6 block criteria just grow or can it turn into a huge problem?

It's at everyone's personal discretion after how many confirmations they deem a Bitcoin transaction as settled. A small online shop will have a different risk profile than a large online exchange. I think most exchanges still require 6 confirmations before allowing trading and withdrawal, while casinos tend to allow gambling after 1 confirmation but require a few more confirmations for withdrawal.

The deepest re-orgs were 53 blocks in 2010 and 24 blocks in 2013: https://bitcoin.stackexchange.com/questions/92974/what-is-the-length-of-largest-known-reorganization-in-bitcoin

I'm not aware of any other major re-orgs happening since then, but back in 2017 during the fork wars, most exchanges highly increased confirmation requirements for the minority forks like Bitcoin Cash. IIRC it was in the order of 24, maybe even as high as 100 confirmations on some exchanges. This was due to high hashrate fluctuations and a subsequent lack of reliability in transaction finality.

NotATether
February 03, 2023, 11:05:33 AM
 #11

Quote
The deepest re-orgs were 53 blocks in 2010 and 24 blocks in 2013: https://bitcoin.stackexchange.com/questions/92974/what-is-the-length-of-largest-known-reorganization-in-bitcoin

I'm not aware of any other major re-orgs happening since then, but back in 2017 during the fork wars, most exchanges highly increased confirmation requirements for the minority forks like Bitcoin Cash. IIRC it was in the order of 24, maybe even as high as 100 confirmations on some exchanges. This was due to high hashrate fluctuations and a subsequent lack of reliability in transaction finality.

As the average difficulty goes up, pools tend to run mining software that has a predictable reorg policy, in order to minimize the probability that their own blocks get invalidated. That is why we don't see large reorgs these past few years.

npuath
February 07, 2023, 09:10:57 PM
Last edit: February 08, 2023, 12:46:53 AM by npuath
 #12

Quote
As the average difficulty goes up, pools tend to run mining software that has a predictable reorg policy, in order to minimize the probability that their own blocks get invalidated. That is why we don't see large reorgs these past few years.

Could you elaborate on this? What is a reorg policy, and are there unpredictable variants?
I would have guessed that the decline in reorg frequency and depth is the result of lower inter-miner latency. typo edit


DaveF
February 07, 2023, 11:17:51 PM
 #13

Quote
As the average difficulty goes up, pools tend to run mining software that has a predictable reorg policy, in order to minimize the probability that their own blocks get invalidated. That is why we don't see large reorgs these past few years.

Quote
Could you elaborate on this? What is a reorg policy, and are there unpredictable variants?
I would have guessed that the decline in reorg frequency and depth is the result of lower miner inter-latency.

And fewer pools. Think back to when there were dozens and dozens of pools; as those numbers shrank, a couple-of-block reorg seems to have become a thing of the past.

NOT wanting to put words in NotATether's mouth, but what I think he was getting at is the way a pool will handle a block they see coming in at the same time they find a block.

I would also think that as BTC went up in value the existing pools improved their back ends to keep up better instead of using the method of just hoping nothing went wrong.

-Dave

Yoshimaka
February 08, 2023, 02:42:15 AM
 #14

You don't need to worry much about an attacker; the Bitcoin network is so big that attacking after 1 or 2 blocks is not worth the hassle. And there is this option where you can turn off RBF; the receiver sees that RBF is turned off for a transaction and would accept it even with zero confirmations.


If you're selling digital goods and services, where you don't lose much if someone gets a free access, and it can't be resold for profit, I think you're fine to accept 0 confirmations.

It's mostly only if you were selling gold or currency that you'd need multiple confirmations.

Omair Amin
February 08, 2023, 05:27:34 AM
 #15

The commonly cited reasoning for why a difference of six blocks is considered "safe" is based on the assumption that an attacker with a majority of computing power in the network would take, on average, 6 blocks worth of time to extend their version of the blockchain faster than the rest of the network. So, if a block has already been added to the blockchain six blocks ago, it is considered irreversible and unlikely to be overwritten by an attacker. This idea is based on a heuristic rather than a proven mathematical proof, however.