Cryptocurrency exchanges are prime targets for hackers due to the immense value flowing through them. A common threat is the "51% attack" or double-spend, where a malicious actor gains control of the majority of a network's mining power to reverse transactions. While exchanges cannot prevent these attacks, they can mitigate risk by adjusting the number of block confirmations required for deposits.
This analysis examines the deposit confirmation policies of 46 exchanges across nine major Proof-of-Work (PoW) cryptocurrencies. We evaluate three key dimensions: the number of blocks, the waiting time in minutes, and the estimated dollar cost for a potential attacker.
Understanding Key Metrics
Before diving into the data, it's crucial to define the terms used in this analysis.
- Confirmations: This is the number of times a transaction has been verified by the network after being included in a block. A higher number of required confirmations makes it exponentially harder for an attacker to reverse a transaction.
- Minutes: The estimated time a user must wait for a deposit to be credited. This is calculated by multiplying the average block time of a specific blockchain by the number of confirmations required by the exchange.
- Estimated Attack Cost ($): The approximate dollar value an attacker would need to spend to reverse a transaction. This is calculated by multiplying the block reward (in USD) by the number of confirmations required. This metric helps estimate the economic barrier to launching a 51% attack against an exchange.
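The two formulas above, applied as a deposit-crediting check (an added example, not code from the study or from any exchange). The block times and per-block USD rewards are assumptions back-calculated from figures quoted later in this article; `safety_factor` and the function names are hypothetical.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Chain:
    block_minutes: float  # average block interval
    reward_usd: float     # block reward valued in USD

# ASSUMED inputs, back-calculated from figures quoted in this article
# (e.g. BTC: 6 confirmations ~ 60 minutes ~ $374,000). Not live data.
CHAINS = {
    "BTC": Chain(10.0, 374_000 / 6),
    "BCH": Chain(10.0, 63_000 / 30),
    "LTC": Chain(2.5, 4_900 / 12),
    "ETH": Chain(11 / 50, 11_000 / 50),
}

def wait_minutes(asset: str, confirmations: int) -> float:
    """Minutes = average block time x required confirmations."""
    return CHAINS[asset].block_minutes * confirmations

def attack_cost_usd(asset: str, confirmations: int) -> float:
    """Estimated attack cost = block reward (USD) x required confirmations."""
    return CHAINS[asset].reward_usd * confirmations

def required_confirmations(asset, deposit_usd, floor, safety_factor=2.0):
    """Smallest count >= floor whose estimated attack cost is at least
    safety_factor x the deposit value (hypothetical policy rule)."""
    if deposit_usd < 0 or floor < 1 or safety_factor <= 0:
        raise ValueError("deposit_usd >= 0, floor >= 1, safety_factor > 0")
    needed = math.ceil(deposit_usd * safety_factor / CHAINS[asset].reward_usd)
    return max(floor, needed)

def review_deposit(asset, deposit_usd, floor, safety_factor=2.0):
    """Decide how long to hold one deposit before crediting it."""
    n = required_confirmations(asset, deposit_usd, floor, safety_factor)
    return {
        "confirmations": n,
        "wait_minutes": wait_minutes(asset, n),
        "attack_cost_usd": round(attack_cost_usd(asset, n), 2),
        "raised_above_floor": n > floor,
    }

if __name__ == "__main__":
    # Constructed deposits: $10,000 of LTC against a floor of 4 confirmations,
    # and $1,000 of BTC against a floor of 2.
    print(review_deposit("LTC", 10_000, floor=4))
    print(review_deposit("BTC", 1_000, floor=2))
```

A fixed low count leaves large deposits on low-reward chains under-protected by this metric, which is why the check scales the count with deposit value.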
Analysis of Major Cryptocurrencies
Bitcoin (BTC)
All 46 sampled exchanges support Bitcoin (BTC). The average number of confirmations required is 2.4 (approximately 24 minutes), with a median of 2 confirmations.
- Most Conservative: Four exchanges require 6 confirmations (~60 minutes), raising the estimated attack cost to approximately $374,000.
- Least Conservative: Nearly one-third of exchanges require only 1 confirmation for a BTC deposit.
- Security Consensus: Bitcoin shows the lowest standard deviation in confirmation requirements, indicating a broad industry consensus on its security model.
Ethereum (ETH)
93% of the sampled exchanges support Ethereum (ETH). The average number of confirmations required is 18 (~3.9 minutes), with a median of 12.
- Most Conservative: Two exchanges require 50 confirmations (~11 minutes), with an estimated attack cost of around $11,000.
- Least Conservative: One exchange requires only 5 confirmations (~1 minute).
Bitcoin Cash (BCH)
91% of the exchanges sampled support Bitcoin Cash (BCH). The average number of confirmations required is 7.2 (~72 minutes), with a median of 4.5.
- Most Conservative: One exchange requires 30 confirmations (~300 minutes), setting the attack cost at roughly $63,000.
- Least Conservative: Four exchanges require only 1 confirmation (~10 minutes).
Litecoin (LTC)
85% of the sampled exchanges support Litecoin (LTC). The average number of confirmations required is 4.6 (~11.5 minutes), with a median of 4.
- Most Conservative: Four exchanges require 12 confirmations (~30 minutes), putting the estimated attack cost at approximately $4,900.
- Least Conservative: Seven exchanges require only 1 confirmation (~2.5 minutes).
Other Notable Assets
The analysis also covered several other cryptocurrencies, revealing significant variations in security policies:
- Ethereum Classic (ETC): Exhibited the widest range of confirmation requirements by far. One exchange required an extreme 43,200 confirmations, leading to a wait of over 6.5 days and an estimated attack cost of $621,000. This is likely a direct response to the 51% attacks the network experienced in the past.
- Monero (XMR), Dash (DASH), Zcash (ZEC): These privacy-focused coins showed moderate confirmation requirements, with averages between 10 and 15 blocks. However, specific exchanges took a much more conservative approach, requiring 50 or more confirmations for some assets.
The Security vs. Convenience Trade-Off
Exchanges constantly balance user convenience with platform security. A lower confirmation count means faster deposits for users but increases vulnerability to double-spend attacks. A higher confirmation count provides greater security but creates a poor user experience with long waiting times.
According to a major Asian exchange that provided commentary for the original study, several factors influence this decision:
- The token's consensus algorithm.
- The history of the network and its ecosystem.
- The current operational status of the network.
The exchange noted that while security is paramount, they also strive to provide a "fast and convenient experience" for users, and adjustments to confirmation times are made cautiously based on continuous network monitoring.
Frequently Asked Questions
Q1: Why do exchanges require multiple confirmations?
A: Confirmations prevent double-spending. Each subsequent block mined on top of the one containing a transaction makes it progressively more difficult and expensive to reverse, securing the network and the exchange's funds.
Q2: Can the required number of confirmations change?
A: Yes. Exchange security teams continuously monitor blockchain networks. If a network's hash rate drops significantly or a security incident occurs, exchanges may temporarily or permanently increase the confirmation requirement to mitigate risk.
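Why a falling hash rate calls for more confirmations, shown with the attacker catch-up probability from the Bitcoin whitepaper (an added example that goes beyond the study's reward-based cost metric and is not part of the original analysis). The 0.1% risk target, the 500-confirmation search limit and the function names are assumptions.

```python
import math

def catch_up_probability(q: float, z: int) -> float:
    """Nakamoto's estimate that an attacker holding fraction q of the hash
    rate ever overtakes the honest chain once a deposit has z confirmations."""
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("need 0 <= q <= 1 and z >= 0")
    p = 1.0 - q
    if q >= p:
        return 1.0  # majority attacker: no confirmation count bounds the risk
    lam = z * q / p              # expected attacker blocks while z are mined
    poisson = math.exp(-lam)     # Poisson(lam) probability of k = 0
    total = 1.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k   # iterate to avoid huge factorials and powers
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return max(total, 0.0)

def confirmations_for_risk(q, max_risk, limit=500):
    """Smallest z with catch_up_probability(q, z) < max_risk, or None if the
    target cannot be met within `limit` confirmations."""
    for z in range(limit + 1):
        if catch_up_probability(q, z) < max_risk:
            return z
    return None

def policy_table(shares, max_risk=0.001):
    """Map each assumed attacker hash share to the confirmations it demands."""
    return {q: confirmations_for_risk(q, max_risk) for q in shares}

if __name__ == "__main__":
    # Constructed scenario: the same attacker hardware becomes a larger share
    # of the network as honest hash rate leaves.
    for q, z in policy_table([0.10, 0.20, 0.30, 0.40, 0.50]).items():
        print(f"attacker share {q:.0%}: {z if z is not None else 'no safe count'}")
```

At a 50% share the function returns `None`: against a majority attacker, extra confirmations raise the cost of an attack but never make it improbable.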
Q3: Why is there such a huge difference in confirmations for coins like Ethereum Classic?
A: Networks that have suffered previous 51% attacks are deemed higher risk. Exchanges react to this history by drastically increasing the confirmation requirement to make an attack economically unfeasible, hence the extreme variance.
Q4: Does a higher confirmation requirement always mean an asset is less secure?
A: Not necessarily. It often means the exchange perceives a higher risk for that specific asset. A very high requirement can be a red flag indicating a history of network instability or a currently low hash rate, making it a potential target.
Q5: What is the estimated attack cost based on?
A: It is based on the current block reward valued in USD. This provides a rough estimate of the capital needed to mine enough blocks secretly to override the required confirmations, not including other expenses like hardware and electricity.
Q6: Should I avoid depositing to exchanges with low confirmation requirements?
A: A very low requirement on a smaller network could be a sign of inadequate security practices. It's wise to consider an exchange's overall reputation, security features, and insurance policies, not just its confirmation counts.
Conclusion
This analysis reveals a complex landscape of security practices across the cryptocurrency exchange industry. While there is strong consensus on secure confirmation times for established assets like Bitcoin, policies vary wildly for other cryptocurrencies. For traders, understanding these confirmation times and the reasons behind them is a critical part of evaluating both the security of an exchange and the inherent risk profile of different digital assets. Each exchange walks the tightrope between user convenience and robust security, a balance that is essential for the trust and growth of the ecosystem.