Blockchain

Nakamoto vs Classical Consensus

In May 2022, Terra/Luna lost $40 billion in 72 hours. Validators fled the network en masse, and Tendermint - the engine with deterministic finality - simply stopped. No quorum, no blocks, no rescue. At the same moment Bitcoin kept running as if nothing had happened, despite the market panic. Two protocols, two approaches to consensus - and diametrically opposite behavior in a crisis. Why did one stop and the other didn't? The answer lies in the fundamental choice every blockchain makes before writing a single line of code: probabilistic or deterministic finality.

  • **Exchanges (Coinbase, Binance)** wait for different numbers of confirmations for different blockchains: 6 for Bitcoin (~60 min), 1 for Cosmos (~6 sec) - because they have different types of finality
  • **DeFi protocols** choose L1 based on CAP properties: Aave and Compound on Ethereum (AP+CP hybrid), Cosmos ecosystem protocols on CP chains with instant finality
  • **Cross-chain bridges** (Wormhole, IBC) must understand the finality type of both chains: transferring from a CP chain to an AP chain and back requires different waiting and verification strategies
  • **Ethereum after The Merge** uses a GHOST + Casper FFG hybrid (Gasper): blocks are produced every 12 seconds (AP style), but finalized in batches every ~13 minutes (CP style)

Prerequisites

  • Proof of Work: security through energy
  • BFT Consensus: PBFT and variants

Probabilistic Finality: confidence instead of certainty

In Bitcoin, no transaction is final in an absolute sense. Each new block built on top of yours **reduces the probability of reorganization** exponentially - but never brings it to zero.

**Probabilistic finality** means that confidence in a transaction grows with every confirmation, but theoretically a non-zero probability of reversal always remains.

Satoshi Nakamoto derived a formula describing the probability of a successful attack for an adversary controlling fraction `q` of total hashrate after `z` confirmations:

Notice: at `q = 0.1` (10% hashrate) the attack probability drops below **0.025%** after just 6 confirmations. At 12 confirmations - below one ten-millionth. This is exactly why exchanges wait for 6 confirmations for Bitcoin.

When `q >= 0.5` the formula breaks down: the attacker **always** catches up with the honest chain. This is the famous **51% attack** - not a magic threshold, but the point where the attack probability becomes 1.

Coinbase requires 6 confirmations for a Bitcoin deposit. Why 6 and not 1?

Deterministic Finality: once and for all

Unlike Bitcoin, **BFT protocols** (Byzantine Fault Tolerant) give an absolute guarantee: once a block has passed the commit phase, it is **final forever**. No reorganization, no rollbacks, no waiting for confirmations.

**Tendermint** (the Cosmos consensus engine) is a classic example of deterministic finality. Every block goes through a two-phase vote: **pre-vote** and **pre-commit**. If more than 2/3 of validators have signed the pre-commit, the block is considered final.

But deterministic finality comes at a cost. The main trade-off is **liveness vs safety**:

  • **Safety**: a finalized block will never be reverted - guaranteed when `f < n/3`
  • **Liveness**: the network continues producing blocks - **NOT guaranteed** if >1/3 of validators go offline
  • If 61 of 180 Cosmos Hub validators go offline, **the network stops completely** until they return
  • Bitcoin in the same situation would continue working - just slower

**Liveness failure** is a real problem. The Cosmos Hub network halted in 2019. Terra/Luna halted in May 2022 when validators fled en masse. Solana (partially BFT) experienced multi-hour outages.

The Cosmos Hub network has 180 validators. If 70 validators go offline simultaneously, what happens?

CAP Theorem: an impossible choice

In 2000, Eric Brewer formulated the theorem that explains the **fundamental** trade-off between Nakamoto and Classical consensus. In a distributed system it is impossible to simultaneously guarantee all three properties:

In a blockchain **Partition Tolerance is mandatory** - nodes are spread across the globe and network splits are inevitable. So the real choice is between **C** and **A**:

**Hybrid approaches** try to take the best of both worlds:

  • **Ethereum 2.0 (Gasper):** Nakamoto-style block production (always available) + BFT-style finality via Casper FFG every ~13 minutes. The chain works even when >1/3 is offline, but finality pauses
  • **Avalanche:** probabilistic sampling of a subset of validators (subsampling) - fast finality (~1 sec) with high availability. Formally AP, but with very high probability of consistency
  • **Polkadot (GRANDPA + BABE):** BABE produces blocks (AP), GRANDPA finalizes them in batches (CP). If GRANDPA falls behind, blocks are still produced

Choosing AP vs CP is not a question of "what is better" but of **what the system is for**. For payments (Bitcoin), availability is more critical: better to accept a payment with a small reorg risk than not accept it at all. For DeFi (Cosmos), consistency is more critical: better to stop than allow a multi-million double-spend.

A DeFi protocol issues loans worth $100M. When choosing an L1 blockchain, which CAP property is most important and why?

Fork Choice Rule: who decides?

When two miners find a block simultaneously, a **fork** occurs - a temporary divergence of the chain. Who decides which branch is "correct"? This requires a **fork choice rule** - a deterministic rule by which every node selects the canonical chain.

**Longest Chain Rule** (Bitcoin) - the simplest fork choice rule: the chain with the most blocks wins. But it has a problem: it ignores the "wasted" work in side branches.

Ethereum before The Merge used **GHOST** (Greedy Heaviest Observed SubTree) - a modified rule proposed by Sompolinsky & Zohar in 2013:

**Uncle (ommer) blocks** - valid blocks that didn't make it into the main chain. In Bitcoin they are simply lost (orphaned blocks). Ethereum included ommer blocks in the subtree weight calculation and even gave their authors a partial reward (7/8 of the full amount):

  • **Fairness:** a miner who found a valid block receives a reward even if they were beaten by a millisecond
  • **Security:** accounting for ommer blocks makes a 51% attack more expensive, since the attacker must outweigh the ENTIRE subtree, not just the main chain
  • **Scalability:** allows reducing block time without sacrificing security (Ethereum: 12-15 sec vs Bitcoin: 10 min)

After The Merge (September 2022) Ethereum switched to **LMD-GHOST** (Latest Message Driven GHOST) as part of Gasper - a hybrid of GHOST and Casper FFG. Instead of hashrate weight, validator votes are used:

**Chain quality** is a metric measuring the fraction of blocks in the canonical chain produced by honest participants. A good fork choice rule should ensure chain quality > `1 - f/n`, where `f` is the number of Byzantine nodes. GHOST improves chain quality compared to the longest chain rule at high block frequencies.

Fork choice rule is one of the most underappreciated design decisions in blockchain. It determines attack resistance, speed of convergence after a fork, and fairness for miners/validators. Every major protocol has its own rule adapted to its threat model.

Common misconception: "The longest chain rule selects the chain with the most blocks, so in Bitcoin whoever produces blocks faster wins."

In Bitcoin, "longest chain" in practice means the chain with the greatest **cumulative proof of work** (total difficulty). If an attacker produces many lightweight blocks with reduced difficulty, they will not beat a smaller number of heavy blocks. It is more accurate to say **heaviest chain**, not longest chain.

This distinction is critical for security. If plain block count were used, an attacker could create a long chain of cheap blocks. Cumulative PoW makes the attack proportionally expensive: to outweigh the honest chain, you must spend as much (or more) energy as the entire network has spent.
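The three rules discussed in this section, run side by side on two small constructed block trees (an added example, not code from this lesson or from any client; block ids, work values and function names are made up for illustration). It shows a side branch that wins under block counting but loses under GHOST, and a chain of cheap blocks that loses once cumulative work is compared.

```python
from collections import defaultdict

def children_of(blocks):
    """Map each block id to the ids of its direct children."""
    kids = defaultdict(list)
    for block_id, (parent, _work) in blocks.items():
        if parent is not None:
            kids[parent].append(block_id)
    return kids

def best_tip(blocks, weight):
    """Leaf whose path back to genesis has the largest sum of weight(work)."""
    kids = children_of(blocks)
    def path_score(block_id):
        total = 0
        while block_id is not None:
            parent, work = blocks[block_id]
            total += weight(work)
            block_id = parent
        return total
    tips = sorted(b for b in blocks if not kids[b])
    return max(tips, key=path_score)   # ties go to the lowest id (a simplification)

def longest_chain_tip(blocks):
    return best_tip(blocks, lambda work: 1)      # naive rule: count blocks
def heaviest_chain_tip(blocks):
    return best_tip(blocks, lambda work: work)   # Bitcoin: cumulative proof of work

def ghost_tip(blocks, genesis="G"):
    """GHOST: from genesis, repeatedly descend into the heaviest subtree."""
    kids = children_of(blocks)
    def subtree_work(block_id):
        return blocks[block_id][1] + sum(subtree_work(c) for c in kids[block_id])
    node = genesis
    while kids[node]:
        node = max(sorted(kids[node]), key=subtree_work)
    return node

# Constructed tree 1, equal work per block: honest miners fork below B1 while
# a linear side branch A1..A4 is longer than any single honest branch.
FORKED = {"G": (None, 1), "A1": ("G", 1), "A2": ("A1", 1), "A3": ("A2", 1),
          "A4": ("A3", 1), "B1": ("G", 1), "B2a": ("B1", 1), "B2b": ("B1", 1),
          "B2c": ("B1", 1), "B3a": ("B2a", 1)}
# Constructed tree 2: five low-difficulty blocks against two high-difficulty ones.
CHEAP = {"G": (None, 1), "C1": ("G", 1), "C2": ("C1", 1), "C3": ("C2", 1),
         "C4": ("C3", 1), "C5": ("C4", 1), "H1": ("G", 4), "H2": ("H1", 4)}
if __name__ == "__main__":
    for name, tree in (("FORKED", FORKED), ("CHEAP", CHEAP)):
        print(name, longest_chain_tip(tree), heaviest_chain_tip(tree), ghost_tip(tree))
```

In the first tree the honest subtree under B1 carries five blocks of work against four on the side branch, so GHOST stays on the honest side even though no single honest branch is the longest.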

Ethereum before The Merge used GHOST instead of Bitcoin-style longest chain. What was the main advantage?

Key ideas

  • **Probabilistic finality** (Nakamoto): confidence grows exponentially with each confirmation but never reaches 100%. Nakamoto's formula: with a 10% hashrate attacker and 6 confirmations, reorg probability < 0.025%
  • **Deterministic finality** (BFT): after commit a block is final forever. Trade-off: the network may stop if >1/3 of validators go offline (liveness failure). Recall Terra/Luna from the intro - exactly this trade-off played out in the crisis
  • **CAP theorem** defines the fundamental choice: Bitcoin = AP (always works, eventual consistency), BFT = CP (always consistent, may stop). Hybrid approaches (Gasper, Avalanche) switch between modes
  • **Fork choice rule** determines the canonical chain on divergence. Longest chain (Bitcoin) measures cumulative PoW; GHOST (Ethereum) counts ommer blocks in subtree weight, allowing safe reduction of block time
  • The choice between Nakamoto and Classical is not "which is better" but **which failure mode is acceptable**: temporary inconsistency (reorg) or temporary outage (liveness failure)

Related topics

This lesson connects consensus theory to concrete protocols:

  • Proof of Work — The base mechanism of Nakamoto consensus on which probabilistic finality is built
  • BFT Consensus — The base mechanism of Classical consensus that provides deterministic finality
  • HotStuff — Optimizes BFT to linear communication complexity - solving the scaling problem of classical consensus
  • Gasper (Ethereum PoS) — A hybrid of LMD-GHOST and Casper FFG - the prime example of combining Nakamoto and Classical approaches in practice

Questions for reflection

  • If you are designing a blockchain for international bank settlements (billions of dollars per day), which type of finality would you choose and why? Which failure mode (reorg vs outage) is less acceptable for banks?
  • Ethereum moved from pure Nakamoto consensus (PoW + longest chain) to a hybrid (PoS + LMD-GHOST + Casper FFG). What properties did it gain and what did it lose? Did Ethereum after The Merge move closer to AP or CP?
  • Avalanche claims to achieve "finality in 1 second" through probabilistic sampling. Is this probabilistic or deterministic finality? Can probabilistic finality be "good enough" as a substitute for deterministic?

Related lessons

  • dist-08-paxos