Bitcoin mining pool concentration highlights a weak spot in the "six confirmations" rule

Bitcoin recorded an unusual two-block reorganization on March 23 at block height 941,880, after Foundry mined six blocks in a row while AntPool and ViaBTC briefly pushed a competing branch. The network resolved the split as intended, selecting the chain backed by the most hash rate. In other words, the protocol behaved normally—but the episode drew attention to how much today’s mining concentration can strain the market’s most common finality shorthand: "six confirmations." The six-confirmation rule is often repeated as a universal safety threshold, even though its roots are narrower. The idea comes from Satoshi Nakamoto’s 2008 whitepaper, which frames finality as an attacker’s probability of catching up. As more blocks accumulate on top of a transaction, rewriting history becomes increasingly expensive for an attacker with limited hashpower. Over time, "six blocks" became a community default for "safe enough," but the whitepaper’s assumptions mattered—notably a scenario where the attacker controls roughly 10% of total hashpower. Jameson Lopp later made the implication explicit: the comfort implied by six confirmations depends on who else is mining and how concentrated block production is. Under the Nakamoto catch-up model, six confirmations against a 10% attacker implies about a 0.02% reversal risk. At 20%, the risk rises to roughly 1.43%; at 30%, to about 13.2%. Using the same model, a 32.2% share—the level Foundry held in recent pool-share snapshots—puts the six-confirmation reversal risk near 18.9%. Mining pools are not automatically coordinated attackers, and a real-world pool operator has strong economic reasons not to launch an overt attack. Foundry USA markets itself as an institutional-grade pool coordinating many independent operators, and miners can move between pools. Even so, higher concentration in block production changes how users should think about settlement risk, regardless of how geographically dispersed the underlying machines may be. Other research reinforces that fixed confirmation counts were never a hard guarantee. A 2022 latency security analysis noted that with a 10% adversary and a 10-second propagation delay, six confirmations still yield a safety-violation probability between 0.11% and 0.35%. Three pressures are converging The reorg landed during a period when three conditions are simultaneously putting the six-confirmation heuristic under unusual stress. First is pool concentration. Over the past three days, Foundry has held about 31% of global hash rate, AntPool about 18.4%, and ViaBTC about 10.5%, according to Hashrate Index data. Together, those three pools account for roughly 60% of block production—an elevated level of coordination power by recent historical standards. Second is deteriorating mining economics. Difficulty fell 7.76% on March 21, one of the largest negative adjustments of 2026. In February, hashprice averaged $32.31 per petahash per day, down nearly 18% month over month, and briefly hit an all-time low of $27.89. Transaction fees provided only 0.57% of total block rewards in the most recent 24-hour window available. When margins tighten and fee revenue is thin, smaller and mid-sized miners have stronger incentives to join whichever pool offers the best variance reduction—typically reinforcing the largest pools. Third is the lack of an automatic market convention for adjusting "required confirmations" as pool shares move. External shocks can redistribute hashpower quickly—a counterexample came during the January winter storm, when Foundry’s hashrate reportedly fell around 60% (nearly 200 EH/s). Even so, the folk standard of "six" does not adapt in real time to concentration shifts. Operational reality already diverges from the folk rule Large industry venues quietly moved away from "six" years ago. Coinbase marks BTC deposits as pending after two confirmations; Kraken and Gemini require three. For typical retail deposits, those thresholds can be a rational tradeoff between user experience and risk. That gap between real-world policies and the cultural standard underscores the core point: "six confirmations" has long been more tradition than universal rule. Lopp’s framework argues the next step is to make confirmation requirements explicitly value- and risk-based. A $500 retail deposit does not carry the same risk tolerance as a $50 million OTC settlement, and finality guidance should say so plainly. What changes—and what doesn’t Two broad paths are now plausible. If mining margins improve and hashpower spreads across more coordinators, concentration could ease and six confirmations could remain a reasonable default for large BTC settlements. The January storm showed that dominance can erode quickly under the right conditions. If concentration persists—with Foundry staying above 30% and the top three pools continuing to control around 60%—the norm can degrade without any malicious act. Exchanges, OTC desks, and merchants handling high-value transfers can raise thresholds internally or adopt dynamic tiers tied to observable pool-share data. Under the Nakamoto model, six confirmations against a fully coordinated 32.2% attacker implies about an 18.9% catch-up risk—a number that sits uneasily beside claims that large transfers are "effectively irreversible." The March 23 two-block reorg didn’t break Bitcoin’s design; it offered a rare, visible reminder that the "six confirmations" rule only made sense under a particular distribution of hashpower and a particular tolerance for risk. As pool concentration rises, its status as a universal, unqualified standard looks increasingly hard to defend.