Six Confirmations Feeling Lonely as Mining Pools Throw a Hashrate Party

The Bitcoin network had a rare two-block reorg on March 23 at block height 941,880. Foundry decided to go on a solo mining spree, grabbing six consecutive blocks, while AntPool and ViaBTC briefly tried to start their own competing chain branch. The network, being the ultimate arbiter of who has the biggest hash stick, resolved the fork exactly as its creator intended by following the path with the most accumulated proof-of-work. The system performed flawlessly, proving once again that Nakamoto Consensus works—even when it looks a bit spicy.

The "six-confirmation rule" is a piece of crypto folklore that most people treat like a religious text without knowing the scripture. It originates from Satoshi's 2008 whitepaper, which modeled finality as a simple probability game of catch-up. As more blocks pile on top of a transaction, rewriting that history becomes exponentially more expensive for an attacker with limited hashpower. Six blocks became the community's lazy shorthand for "safe enough," though the whitepaper itself presented it as a calculation contingent on the attacker controlling a modest 10% of the network's total hash rate.

That cozy assumption has been quietly powering our confirmation bias for sixteen straight years. Jameson Lopp did the public service of making the uncomfortable implication explicit in his analysis of confirmation risk. The comfort baked into six confirmations depends entirely on who else is playing in the sandbox and how big their shovels are.

Crunching the Nakamoto catch-up model, six confirmations against an attacker with 10% of the hashpower yields a reversal risk of roughly 0.02%. Ramp that up to a 20% attacker, and the risk climbs to about 1.43%. Give an attacker 30%, and you're looking at a heart-pounding ~13.2% chance of a rewrite. At the 32.2% share Foundry recently held, the same model puts the six-confirmation reversal risk near 18.9%—a number that should make any large settlement desk break out in a cold sweat.

Of course, mining pools are not, by default, a coordinated cabal of attackers, which is why they don't fit neatly into these scary model outputs. Foundry USA describes itself as an institutional-grade pool coordinating many independent operators. Miners can and do switch pools faster than a degenerate flips a meme coin, making an overt attack economically suicidal for any rational pool operator with a spreadsheet.

Concentration in block production, however, fundamentally warps the risk model people use to decide when a payment feels "final," regardless of how distributed the actual mining machines are. A 2022 latency security analysis coldly noted that with a 10% adversary and a 10-second propagation delay, six confirmations still produce a safety-violation probability between 0.11% and 0.35%. The number six was never a magical shield; it was always more of a suggestion.

Bitcoin's network is currently running three simultaneous conditions that are giving the six-confirmation heuristic a full-blown existential crisis. Per Hashrate Index data, over the past three days, Foundry has held roughly 31% of the global hashrate, AntPool sits at about 18.4%, and ViaBTC lounges at 10.5%. Combined, these three pools are responsible for approximately 60% of all new blocks—a majority that would make any cartel blush.

This degree of concentration in coordinator power is elevated by any reasonable measure over the last several years. Simultaneously, mining economics have decided to take a nosedive off a cliff. Difficulty dropped 7.76% on March 21 in one of 2024's largest negative adjustments. Hashprice averaged a meager $32.31 per petahash per day in February, down nearly 18% month-over-month, and briefly touched a record low of $27.89. Transaction fees, the miners' hoped-for lifeline, contributed a pitiful 0.57% of total block rewards in the last 24 hours of available data.

When profit margins compress and fee revenue evaporates faster than a shitcoin's liquidity, smaller and mid-sized miners face a growing, desperate incentive to pool into whichever coordinator offers the best variance reduction. In this game, the big just get bigger—it's the law of the jungle, powered by SHA-256.

The January winter storm offered a brief, hopeful counterpoint. Foundry's hashrate reportedly plummeted by around 60%, or nearly 200 exahashes per second, during that period. This demonstrated that pool shares can redistribute with the speed of a panicked trader exiting a leveraged position when external conditions get rough.

Amid this backdrop, the sacred six-confirmation rule lacks any automatic adjustment mechanism for when pool shares shuffle. In practice, the industry's largest venues abandoned the six-confirmation standard years ago in a quiet, pragmatic judgment. Coinbase requires just two confirmations for BTC deposits to be marked as pending, while Kraken and Gemini each require three. The old guard is already living in the future.

None of these lower thresholds is wrong for their specific use cases: for ordinary retail deposits, two or three confirmations represent an entirely defensible, cost-benefit analyzed risk tolerance. The yawning gap between these real-world numbers and the folk standard of six illustrates that "six confirmations" was always more of a cultural meme than a universal, immutable law.

Lopp's framework argues this gap should become more deliberate and less accidental. Required confirmations should scale logically with transaction value and the evolving economics of a potential attacker. A $500 retail deposit and a $50 million OTC settlement do not—and should not—share the same risk profile; treating them the same is financial negligence dressed up as tradition.

There are divergent paths forward from the current hashrate concentration. On the bullish side, hashrate could redistribute across a broader pool of coordinators as mining margins eventually recover and new entrants smell opportunity and compete for share. The January storm already demonstrated that Foundry's dominance can erode faster than a shitcoin's Twitter hype under the right conditions.

If concentration eases and the hash price recovers from its current comatose state, six confirmations could remain a reasonable default for large BTC settlements. On the flip side, Foundry could stubbornly remain above 30%, and the top-three concentration could become a sticky, permanent feature of the landscape.

No malicious event or 51% attack is required for the norm to degrade. Exchanges, OTC desks, and merchants handling high-value transfers can simply—and quietly—raise their internal confirmation thresholds or formalize dynamic tiers tied to real-time, observable pool-share data. Risk management is often just boring paperwork until it isn't.

Under the Nakamoto model, six confirmations against a fully coordinated 32.2% attacker leaves roughly 18.9% catch-up risk. This is a figure genuinely difficult to reconcile with the industry's favorite phrase, "effectively irreversible," for transfers involving tens of millions of dollars. That's not "irreversible"; that's "a really bad day at the office."

The situation doesn't require a villain; it only requires that the current pool concentration remain where it is, while the gap between the comforting folk standard and the cold, hard math widens enough that someone with serious money on the line finally stops ignoring it.

Bitcoin's settlement assurances were always conditional: "six blocks, under a certain distribution of hashpower and a certain tolerance for risk." The recent two-block reorg produced a rare, illuminating moment when the gap between Bitcoin's finality folklore and its underlying cryptographic math became impossible to ignore. The six-confirmation rule's days as a universal, unqualified standard for everyone are numbered, and the countdown is well underway.