The Two Things Blockchains Mean When They Say 'Final'
The block explorer turns green. You screenshot it, close the tab, consider the matter settled. That green checkmark, though, is doing one of two completely different jobs depending on which chain just flashed it at you, and if you're settling anything of real value, the difference is not academic.
Here's the short version: cryptographic finality means a transaction is mathematically locked in by the protocol itself, typically within a fixed number of blocks or epochs. Economic finality means reversing a transaction would cost an attacker more money than they could plausibly gain from doing so. One is a proof. The other is a price tag.
The Price Tag: How Economic Finality Works on Proof-of-Work Chains
Bitcoin doesn't offer finality in the mathematical sense. It never has. What it offers is a probabilistic guarantee that gets stronger with every block added on top.
Here's the mechanic. Suppose someone wants to rewrite block 700,000 to reverse a payment. They need to rebuild a competing chain from that block forward and outpace the honest network to make their version the longest. That requires controlling more than 50% of total hash power long enough to do the work. The deeper the target block, the more computation that costs.
Satoshi Nakamoto worked through the numbers in the original whitepaper. With an attacker controlling 10% of hash power, the probability of successfully reversing a transaction drops below 0.1% after just five confirmations. At 30% attacker hash power, you need around 24 confirmations to reach similar confidence. The numbers are real and the math holds.
So why do exchanges typically wait for six confirmations on Bitcoin? Six blocks represents roughly one hour of work, and at Bitcoin's historical hash rates, redoing that work would cost millions of dollars in electricity and hardware for a realistic attacker. The transaction isn't cryptographically sealed. It's just economically irrational to undo. That's economic finality: the guarantee is denominated in dollars and joules, not theorems.
The catch: economic finality is only as strong as the economic assumptions underneath it. Hash rate concentrates, hardware prices fall, and if the value of what you're reversing is high enough, the calculus changes. Several smaller proof-of-work chains have suffered 51% attacks that were economically rational precisely because their hash rates were low enough to rent cheaply. Economic finality on a thin chain is a screen door, not a vault.
The Proof: How Cryptographic Finality Works in BFT-Based Systems
Certain proof-of-stake designs take a different approach entirely. Rather than making reversal expensive, they make it structurally impossible once a supermajority of validators has signed off.
Ethereum's consensus layer, using Gasper (a combination of LMD-GHOST and Casper FFG), is the clearest large-scale example. Every 32 slots, a new epoch completes. At the end of two consecutive justified epochs, the earlier one is finalized. What finalized means here is precise: for that checkpoint to be reversed, at least one-third of all staked ETH would need to have voted for two conflicting checkpoints simultaneously. The protocol detects this through slashing and destroys the offending validators' stake.
When Ethereum's validator set holds 30 million ETH staked, reversing a finalized block requires corrupting or coordinating validators holding 10 million ETH, then accepting that stake being burned. At any realistic ETH price, that's tens of billions of dollars of deliberate self-destruction. Not irrational because attacking from outside is expensive. Irrational because the attack mechanism is self-inflicted.
That distinction matters enormously. Economic finality says attacking costs more than an attacker can steal. Cryptographic finality in the BFT sense says attacking requires provably destroying your own capital, which the protocol will execute automatically on your behalf. The guarantee is embedded in the rules, not in the market.
Other systems, including Tendermint-based chains throughout the Cosmos ecosystem, go further still: absolute finality, block by block, no probabilistic waiting period at all. Once two-thirds of validators sign a block, it's final. Full stop. The tradeoff is liveness: if more than one-third of validators go offline, the chain halts rather than continuing with weakened guarantees. That is the right call for certain applications, and anyone who tells you otherwise hasn't thought carefully about what "proceeding unsafely" actually means downstream.
What People Get Wrong (and the Folk Remedy That Needs to Die)
The most persistent misconception is treating confirmation counts as a universal standard. "Six confirmations" means something specific on Bitcoin and something completely different, or nothing at all, on a BFT chain. On Ethereum post-merge, waiting six slots for finality theatre is pointless. You're either before the finality checkpoint or after it. On a Tendermint chain, one confirmation is final. On a small proof-of-work chain with thin hash coverage, sixty confirmations might still leave you exposed.
Consider two payment processors that both accept crypto. One waits for six confirmations on every chain they support, treating the number as magic. The other actually reads the consensus documentation: one epoch finalization on Ethereum, six blocks on Bitcoin, twenty minutes on a smaller PoW chain where they've calculated the 51% attack cost against their average transaction size. The second processor has better security and faster settlement. The first has a policy that sounds rigorous and isn't. Which one are you?
The other thing people get wrong: conflating protocol finality with irreversibility at the application layer. A transaction can be cryptographically final on-chain and still be reversible in practice if the application logic has an upgrade key, a multisig override, or a smart contract with an admin function. Protocol finality and application finality are separate problems. Mixing them up is how people end up surprised by things that were, in retrospect, obvious.
Reading the Guarantee Before You Rely On It
If you're evaluating how much to trust a settlement on any given chain, the question isn't "how many confirmations" but "what is the attack model and what does it cost?"
For economic finality: find the current cost to rent or acquire 51% of the network's hash power for one hour. Sites like Crypto51 have tracked this historically for dozens of chains, and the spread is shocking. Some chains cost millions to attack; others cost hundreds.
For cryptographic finality: find the slashing conditions and the size of the validator set. Ask what fraction of staked value would need to be deliberately destroyed to revert your transaction. If that number dwarfs your transaction value by several orders of magnitude, the guarantee is real.
Still, neither type of finality is inherently superior. They reflect genuine engineering tradeoffs between decentralization, liveness, and the nature of the security guarantee. Bitcoin's probabilistic model survives validator downtime gracefully. Tendermint's absolute finality halts cleanly rather than proceeding unsafely. Ethereum's design tries to thread a needle between the two.
The word "final" is pulling very different weight depending on who's using it. Assume otherwise and you're not trusting the math. You're trusting the marketing.