Bitcoin defends against the threats of Chapter 36 with several mechanisms: confirmation requirements, checkpoints, minimum chain work, the validation shortcuts of Chapter 21, peer-selection hardening, and an off-protocol social layer. The mathematics of these mechanisms appears elsewhere in this book; this chapter asks a different question. None of these defenses is free: each one asks its user to trust something, and the useful question is not "what defenses exist?" but "what does each defense ask you to trust, and how is that trust bounded?" For each mechanism we state precisely what is trusted, by whom, and what a failure of that trust would mean. Every running node enables some configuration of these mechanisms, so every node operator holds a portfolio of trust assumptions, whether or not they have read the ledger. Figure 37.4 in Section 37.7 collects the threat–defense pairings that organize the chapter; each pairing should be read as a trade, in which a threat is mitigated at the price of a bounded trust assumption. Section 37.8 closes the account with a single table listing every mechanism, its trusted party, the scope of the trust, and its failure mode.
37.1 Confirmation-Based Security
The first defense is the oldest: wait. A transaction is k-confirmed when it is included in a block with k − 1 blocks built on top of it (Definition 26.11). The probability that an attacker with hashrate fraction q < 0.5 reverses a k-confirmed transaction is given by Nakamoto's double-spend formula, stated as Theorem 14.2, derived by the gambler's-ruin argument of Theorem 26.3, and tabulated in Section 14.8. We do not restate that analysis here; what this chapter adds is the trust statement it rests on.
Remark 37.1 (Trust Accounting: Confirmations)
What is trusted: the honest-majority hypothesis, q < 0.5, together with the assumption that the node observing the confirmations sees the real network rather than an attacker-curated view (Section 37.5). By whom: every recipient who treats a k-confirmed payment as settled. Failure mode: if q ≥ 0.5, Theorem 36.1 gives reversal probability 1 for every k; no confirmation count protects against a majority attacker. Even for q < 0.5 the guarantee is quantitative, not absolute: recall from Chapter 36 that the naive catch-up bound (q/(1−q))ᵏ understates the true probability (at q = 10%, k = 6: about 0.02%, not 0.0002%). Confirmations therefore buy a measured quantity of security against a hypothesized adversary; they do not buy finality.
Example 37.1 (Published Confirmation Policies)
Typical published exchange and merchant confirmation policies (approximate, mid-2026). Each row is an implicit trust statement: the chosen k encodes the operator's estimate of the largest q an attacker could profitably deploy against the value at risk.
| Amount/Risk | Confirmations | Rationale |
|---|---|---|
| Small (<$1000) | 1-2 | Attack cost > value |
| Medium ($1K-$100K) | 3-6 | Standard security |
| Large (>$100K) | 6-12 | High-value protection |
| Exchange deposits | 2-6 | Balance speed/security |
37.2 Checkpoints
Definition 37.1 (Checkpoint)
A checkpoint is a hardcoded (block height, block hash) pair in node software. The node rejects any chain that does not include the checkpoint block.
Remark 37.2 (Trust Accounting: Checkpoints)
What is trusted: the developers who selected the (height, hash) pairs, and the public review process around the release that shipped them. By whom: every node running an unmodified binary containing the checkpoints. Failure mode: a wrong or malicious checkpoint would force nodes onto a developer-chosen history, overriding proof-of-work entirely at the checkpointed heights. The trust is bounded in two ways. First, in scope: checkpoints cover only deep history. The most recent mainnet checkpoint sits at height 295,000 (April 2014), and none has been added since, so checkpoints constrain nothing about recent blocks. Second, in detectability: each pair is publicly checkable against the chain every existing node already holds, so a release containing a divergent checkpoint would fail review or be exposed immediately upon comparison. The trust is in a loud, auditable artifact, not a silent one.
Remark 37.3 (Historical Checkpoints)
Bitcoin Core historically included checkpoints:
// From chainparams.cpp (historical)
checkpointData = {
{11111, "0x0000000069e244f73d78e8fd29ba2fd2..."},
{33333, "0x000000002dd5588a74784eaa7ab0507a..."},
{74000, "0x0000000000573993a3c9e41ce34471c0..."},
{105000, "0x00000000000291ce28027faea320c8d2..."},
// ... more checkpoints
};
In exchange for the trust of Remark 37.2, checkpoints provide DoS protection (low-work fake chains are rejected quickly), deep-reorg prevention (no reorg past a checkpoint), and a sync speedup (some validation is skipped before the checkpoint).
Remark 37.4 (From Checkpoints to Weaker Assumptions)
Checkpoints are the most heavily criticized item in the trust ledger: they place the choice of valid history directly in developers' hands, could in principle be used maliciously, and sit uneasily with the "don't trust, verify" ethos. Modern Bitcoin Core has therefore frozen the checkpoint list and replaced its functions with mechanisms that ask for strictly less trust:
- Headers-first sync: verify the proof-of-work chain before downloading blocks (Definition 21.2); trusts nothing beyond proof-of-work itself
- Minimum chain work: reject chains below a work threshold (Section 37.3); trusts one number, not a chosen chain
- AssumeValid: skip signature verification beneath a buried block (Section 37.4); trusts a hash whose effect is void unless an attacker also out-works the honest network
The progression is the central pattern of this chapter: successive defenses retain most of the benefit while shrinking the scope of what must be trusted.
37.3 Minimum Chain Work
Definition 37.2 (Minimum Chain Work)
nMinimumChainWork is a hardcoded minimum cumulative proof-of-work a chain must have to be considered valid:
// Approximate minimum chain work (increases with each release;
// shown at its mid-2026 magnitude, roughly 8.5 × 10²⁸)
nMinimumChainWork = 0x0000000000000000000000000000000000000001
128750f82f4c366153a3a030;
Chains below this threshold are rejected without full validation.
Remark 37.5 (Trust Accounting: Minimum Chain Work)
What is trusted: that the cumulative-work value recorded in the release is honest, that is, no greater than the work of the actual best chain at release time. By whom: every syncing node. Failure mode: a value set too low (or an old release never updated) weakens the filter, and the node may accept a low-work attack chain as a plausible sync candidate, wasting bandwidth and, in the worst case, following a fake chain until full validation or a higher-work honest chain corrects it. A value set too high, above the honest chain's work, fails loudly: the node refuses to consider any chain valid and cannot complete sync, a denial of service that is immediately visible rather than silently corrupting.
The trust here is strictly weaker than checkpoint trust: the value names no block and selects no chain. Any chain meeting the threshold passes, so developers shipping the number cannot steer nodes onto a particular history; they can only set the height of the bar.
37.4 AssumeValid and AssumeUTXO
The mechanics of AssumeValid and AssumeUTXO are given in Chapter 21: AssumeValid (Definition 21.3, Section 21.2) skips signature verification for blocks beneath a hardcoded buried block while validating every other consensus rule and building the full UTXO set; AssumeUTXO (Definition 21.4, Section 21.3) bootstraps a node from a UTXO-set snapshot whose hash is hardcoded in the binary, with full historical validation continuing in the background. Their security properties are Theorems 21.1 and 21.2. Here we record only their entries in the trust ledger.
Remark 37.6 (Trust Accounting: AssumeValid)
What is trusted: the release process that selected
the buried block hash: the developers who proposed it, the reviewers
who checked it, and the signatures on the distributed binary.
By whom: every node running with the default setting
(it can be disabled with -assumevalid=0).
Failure mode: accepting a history containing invalid
signatures beneath the buried block. The trust is conjunctive, which
is what makes it small: by Theorem 21.1, a malicious hash has no
effect unless the chain containing the invalid signatures is also the
most-work chain the node sees. An attacker must therefore corrupt the
release process and out-work the honest network. The scope
is also narrow: only signature checks are skipped, only beneath the
buried block; amounts, inflation limits, and all other rules of the
validation function (Definition 13.18) are still enforced.
Remark 37.7 (Trust Accounting: AssumeUTXO)
What is trusted: the snapshot hash shipped with the binary, through the same release process as AssumeValid. By whom: nodes that opt in to snapshot-based sync. Failure mode: larger than AssumeValid's. A wrong snapshot hash endorses an arbitrary UTXO set: fabricated balances, erased coins, anything. The bound is temporal rather than structural: by Theorem 21.2, background validation eventually re-derives the UTXO set from genesis, and a node that finds a mismatch rejects the snapshot. The trust is therefore borrowed, not granted: it is real during the window between snapshot load and background-validation completion, and it is repaid in full when the two-phase sync finishes.
37.5 Node Hardening
Remark 37.8 (Trust Accounting: Peer Selection)
What is trusted: assumptions about network topology: that the DNS seeds and address gossip from which a node learns peers are not wholly attacker-controlled, and that honest listening nodes are spread across many network groups. By whom: every node, since every node must choose peers somehow. Failure mode: the eclipse attack of Section 36.4. An eclipsed node still enforces every consensus rule, so an attacker cannot feed it invalid blocks; but the node's view of the best chain, the mempool, and network time becomes attacker-curated, which undermines the confirmation counting of Section 37.1 and enables the time-dilation attacks of Section 36.5.3. Unlike the mechanisms of Sections 37.2–37.4, this trust cannot be replaced by a hash in a binary; it can only be diversified, which is what the following defenses do.
Remark 37.9 (Eclipse Attack Mitigations)
Bitcoin Core includes multiple eclipse attack defenses:
- Bucketed peer storage: Peers stored in buckets by IP range
- Outbound diversity: Connect to different /16 networks
- Anchor connections: Remember peers across restarts
- Feeler connections: Periodically test new peers
- Peer eviction logic: Protect diverse, long-standing connections
Each defense spreads the topology trust of Remark 37.8 across more independent parties, so that an attacker must control many network groups simultaneously rather than one address range.
Remark 37.10 (Tor and Privacy)
Running over Tor provides additional protection:
- IP address hidden from peers
- Harder to target a specific node
- Onion-only mode possible (-onlynet=onion)
In trust-accounting terms this is a substitution, not an elimination: the node exchanges trust in the visibility of its own network position for trust in the Tor network's relays and directory authorities, and accepts higher latency and exposure to Tor-level attacks in return.
37.6 Economic Security
Every entry in Section 37.1's ledger charged its trust to the honest-majority hypothesis. That hypothesis is not an axiom; it is purchased continuously.
Remark 37.11 (Trust Accounting: The Honest-Majority Hypothesis)
What is trusted: that the incentive structure of mining keeps a majority of hashrate honest, funded by the security budget:
Security Budget = Block Subsidy + Transaction Fees
By whom: everyone relying on confirmation-based security, which by Remark 37.1 is every recipient of a payment. Failure mode: if the budget no longer makes honest mining more attractive than attacking, the hypothesis q < 0.5 can fail, and with it the entire first row of the ledger. The trusted party here is notable: it is not a developer or a release process but a market structure, with no binary to audit and no flag to disable. Chapter 38 examines the conditions under which this trust could erode as the subsidy declines.
Remark 37.12 (Attack-Cost Asymmetry)
What currently keeps the hypothesis funded is an asymmetry between attacking and defending (cost figures in Section 36.6 and Example 36.2):
- An attacker must match the honest hashrate plus some margin
- The attacker pays for hardware, electricity, and opportunity cost
- Honest miners are paid (block rewards)
- Attacker gains are self-limiting: the double-spend value plus any block rewards earned, whose value tends to collapse if the attack undermines confidence
Example 37.2 (Cost Comparison)
| Honest Miner | Attacker | |
|---|---|---|
| Revenue | Block rewards + fees | Double-spend value |
| Cost | Hardware + electricity | Hardware + electricity |
| Duration | Ongoing | One-time |
| Risk | Market fluctuation | Detection, prosecution, price crash |
37.7 Social Layer Defenses
Remark 37.13 (Trust Accounting: The Social Layer)
What is trusted: off-protocol coordination: that an ad hoc set of developers, mining pool operators, and businesses can communicate, agree on a response, and act within hours when the protocol itself fails. By whom: everyone, but only in emergencies; in normal operation this layer is dormant. Failure mode: two-sided. If the trust is misplaced because coordination fails, a consensus emergency goes unresolved and the chain stays split. If the trust is misplaced in the opposite direction, the same small group that can coordinate a rescue could coordinate a rule change, which is precisely the governance concern of Chapter 33 and the maintainer trust vector of Section 33.9. The social layer is the only defense in this chapter whose trusted party is a group of identifiable people acting with discretion rather than an auditable artifact.
Remark 37.14 (Channels of Social Defense)
Beyond technical rules, Bitcoin has social defenses:
- User Activated Soft Fork: Users can reject miner misbehavior
- Exchange monitoring: Detect and respond to attacks
- Community coordination: Share attack intelligence
- Emergency response: Coordinate defensive forks if needed
Example 37.3 (The 2013 Coordinated Response)
The evidence that the social layer works is the fork of March 2013. A divergence between Bitcoin Core 0.7 and 0.8, an unwritten database-level validation rule analyzed as a specification failure in Example 33.7, split the network at block 225,430 into two chains, each extended by part of the hashrate. The protocol could not resolve the split: both chains were valid under the rules their miners ran, and the most-work rule was selecting the chain that older nodes could not accept.
The resolution came entirely from the layer described in Remark 37.13. Developers, major mining pools, and businesses converged on IRC within the hour; the pools mining the 0.8 chain voluntarily downgraded to 0.7, deliberately abandoning the longer chain and forfeiting their own block rewards on it; the 0.7 chain overtook within hours, producing a 24-block reorganization (Example 36.1); and the incident, including a roughly $10,000 double-spend executed against a payment processor during the window, was documented in BIP-50. Every element of the trust statement was exercised: a small identifiable group, acting with discretion, off protocol, against their immediate economic interest, within hours.
37.8 Finality and the Trust Portfolio
Bitcoin's finality is probabilistic: by Definition 26.11 and Theorem 26.3, reversal probability decays exponentially with confirmations but never reaches zero. Some other consensus systems offer a categorically different guarantee.
Definition 37.3 (Deterministic Finality)
A consensus system provides deterministic finality if, once a designated condition is met (for example, a supermajority vote by a known validator set), a block cannot be reversed without violating the protocol itself, rather than merely winning a probabilistic race.
Remark 37.15 (Practical Finality)
Deterministic finality is not free of trust either: it relocates trust into the validator set and its membership rules. Bitcoin's probabilistic finality becomes practical finality when the cost of reversal exceeds the value at risk: typically 6 confirmations for large amounts, fewer for amounts below the attack-cost threshold of Section 37.6. As always in this chapter, "final" abbreviates a trust statement: final, assuming the honest-majority hypothesis holds and the node's view of the network is genuine.
We can now close the ledger. A node's configuration, which mechanisms it
enables and with what parameters, is a portfolio of trust assumptions,
and the table below is the portfolio statement. A default Bitcoin Core
node holds every row except the snapshot row; a node run with
-assumevalid=0 returns the AssumeValid row; no configuration
returns the first, sixth, or seventh.
| Mechanism | Trusted party | Scope of trust | Failure mode |
|---|---|---|---|
| Confirmations (§37.1) | Honest majority of hashrate | Every accepted payment | Reversal despite k confirmations |
| Checkpoints (§37.2) | Developers + release review | Deep history only (≤ height 295,000) | Developer-chosen history overrides proof-of-work |
| Minimum chain work (§37.3) | Honesty of one recorded work value | Sync-time chain filtering; no chain named | Low-work chain accepted as sync candidate (too low); sync impossible (too high) |
| AssumeValid (§37.4) | Release process (and attacker must also out-work network) | Signature checks beneath buried block | Invalid historical signatures accepted |
| AssumeUTXO (§37.4) | Snapshot hash in binary | Entire UTXO set, until background validation completes | Arbitrary balances during the validation window |
| Peer diversity, Tor (§37.5) | Network topology; seed and gossip honesty | View of best chain, mempool, time | Eclipse: attacker-curated view of the network |
| Social layer (§37.7) | Ad hoc coordination of developers, pools, businesses | Emergencies only | Unresolved split; or the same group coordinating rule changes |
Read down the trusted-party column and the portfolio's structure appears: Bitcoin replaces a single trusted party not with nothing, but with many small, bounded, mostly auditable trust assumptions, each falsifiable in a different way. The largest position in the portfolio, the honest-majority hypothesis, is also the only one that must be continuously paid for; whether the payment remains sufficient is the subject of Chapter 38.
Exercises
Exercise 37.1
A merchant accepts payment of $10,000 with 3 confirmations. Estimate the minimum hashrate an attacker needs to have >50% chance of successful double-spend. Is this attack economically rational?
Exercise 37.2
Explain the security tradeoff between AssumeValid and full verification. Under what threat model does AssumeValid fail to protect users?
Exercise 37.3
Design an eclipse attack detection system. What metrics would you monitor? How would you respond to detected attacks?
Exercise 37.4
Compare Bitcoin's probabilistic finality to Ethereum's Casper finality gadget. What are the tradeoffs of each approach?
Exercise 37.5
Write the trust portfolio of a node run with default settings (checkpoints, minimum chain work, and AssumeValid enabled; AssumeUTXO not used): for each enabled mechanism, state the trusted party, the scope, and the failure mode, in the format of the table of Section 37.8. Which single row of the portfolio would you eliminate first if you could, and what would eliminating it cost?