The Most-Work Chain & Probabilistic Finality

Satoshi’s synthesis defined truth as “the history with the most accumulated computational work behind it.” Every page in this part has been building the tools to make that statement precise: work as expected hashes, the target that prices each block, and the mining that produces them. Now we cash it in. This page explains the rule that lets thousands of strangers, with no leader and no vote, converge on one ledger — and why a payment becomes practically irreversible without ever being mathematically final.

”Longest” is a lie we tell beginners

The folk name is the longest-chain rule, but “longest” (most blocks) is not the actual rule. The real rule is most cumulative work — sometimes called the “heaviest” or “most-work” chain.

   honest nodes always extend the chain tip with the GREATEST total accumulated work,
   where each block's work ≈ its expected number of hashes (set by its target).

The distinction matters because difficulty changes. A chain with fewer blocks mined at higher difficulty can embody more total work than a longer chain of easy blocks. If the rule were merely “most blocks,” an attacker could lower difficulty on a private fork and crank out a long, cheap chain. By summing work, the protocol counts the energy behind a history, not the block count — and energy is the thing that’s expensive to fake.

   Chain A:  block ─ block ─ block          (3 blocks, but each was 10× harder)
   Chain B:  block ─ block ─ block ─ block  (4 blocks, each easy)

   "longest" picks B.   "most work" picks A — and most-work is correct.

When two valid chains compete, every honest node independently picks the heavier one. No messaging, no consensus protocol in the traditional sense — just a local rule applied identically everywhere, which makes the whole network converge.

Reversal cost grows exponentially: why confirmations work

A transaction is confirmed once it’s in a block; it gets one more confirmation for each block stacked on top. To reverse a transaction that’s k blocks deep, an attacker must build an alternative chain that forks before that transaction and ends up heavier than the current chain — which means out-mining the entire honest network from the fork point onward.

Here’s the crux. If the attacker controls a fraction q of total hashrate (and honest miners control 1 − q, with q < 0.5), the probability of catching up from k blocks behind falls off roughly like:

   P(attacker overtakes) ≈ (q / (1−q))^k

For an attacker with, say, 10% of hashrate (q = 0.1), each additional confirmation multiplies the catch-up probability by about 1/9. The cost of a successful reversal therefore grows exponentially in the number of confirmations:

   confirmations:   0      1       2        3         4          5           6
   rough odds of
   attacker win :  high   ~0.11   ~0.012   ~0.0014   ~0.00015   ~0.000017   ~0.0000019   ...
                          (each step ≈ ×1/9 for a 10% attacker)

This is what “probabilistic finality” means: you never get a guarantee, but the probability of reversal rockets toward zero with each block, and so does any rational attacker’s hope of profit.

The 6-confirmation convention

“Six confirmations” (~one hour) is the customary settlement bar for ordinary high-value payments. It’s not a magic constant — it’s a rule of thumb: by six blocks, the probability that any plausible minority attacker reverses your payment is so small, and the energy they’d have to burn so large, that it’s treated as settled. Tiny payments often accept fewer (or zero) confirmations; exchanges may require more for very large deposits. The right number is a risk decision, scaled to the value at stake and your estimate of the largest attacker you might face.

Orphans, stale blocks, and reorgs

Sometimes two miners find a valid block at almost the same moment. The network briefly splits: some nodes saw block X first, others saw X′. This is a natural, honest fork — nobody cheated, the ~10-minute spacing just isn’t long enough to fully prevent it.

              ┌─ X  (some nodes build here)
   ... ─ A ─ B
              └─ X′ (other nodes build here)

   next block lands on X:   ... ─ A ─ B ─ X ─ Y      ← now the heavier chain
   X′ becomes an ORPHAN / STALE block (valid, but not on the winning chain)

The tie is broken by the next block: whichever branch gets extended first becomes heavier, and every node switches to it. The abandoned block (X′ here) is called an orphan or stale block — its work was real but wasted, and the miner who made it earns nothing. The act of nodes switching from one tip to a heavier competing tip is a reorganization, or reorg. (For the full mechanics of how nodes detect and apply this switch, see orphans & reorgs.)

Honest reorgs are almost always one block deep and resolve in minutes. A deep reorg — many blocks reversed at once — essentially never happens by accident; it’s the signature of an attack.

Reorgs are how double-spends happen

A deliberate deep reorg is exactly the double-spend attack: pay someone on the public chain, then secretly mine a heavier chain that omits (or replaces) that payment, and release it to overtake the honest tip. The whole confirmation discipline above exists to make this exponentially expensive. An attacker with sustained majority hashrate can force reorgs at will — the 51% attack — though even they can’t steal coins they don’t have keys for or inflate supply (see the double-spend family). Their power is exactly the power to reverse recent history, no more.

The thread

How does this help untrusting strangers agree on one ledger? This rule is the punchline. Each node, acting purely locally with no trust in anyone, applies one mechanical test — follow the most-work tip — and the global result is a single, agreed history. Disagreements (forks) are resolved automatically by which branch attracts the next block, and the cost of rewriting agreed history climbs exponentially with depth. Strangers don’t need to trust each other or a referee; they only need to trust that redoing work is expensive, which physics guarantees. That is Nakamoto consensus, fully assembled.

Check your understanding

1. Why is “most cumulative work” the correct rule rather than “most blocks”? Give the attack that “most blocks” would enable.
2. Explain why the cost of reversing a transaction grows exponentially with the number of confirmations.
3. Why is six confirmations a convention rather than a hard rule, and what should change the number you choose?
4. Distinguish an honest one-block orphan from a malicious deep reorg. What makes the latter a sign of attack?
5. A 51% attacker can reverse recent transactions at will. Name two things they still cannot do, and why.