Before we start talking about the number of confirmations it is important to understand what happens when someone initiates a Bitcoin transaction. Confirmed Bitcoin transactions are included in blocks. It takes approximately 10 minutes, on average, to mine a new block. Newly created transactions are not automatically included in the next block. Once a new transaction is broadcast it goes to a place known as the Mempool, or memory pool, of every node that has received it. All the transactions in the Mempool are still unconfirmed: they have not been included in a block, and that is why they are considered unconfirmed.
How does an unconfirmed transaction become confirmed?
When a miner includes that particular transaction in a block it is considered confirmed and has 1 confirmation. When the next block is mined on top of the block containing it, the transaction has 2 confirmations, and so on; the transaction is only ever included once, and every later block built on top of its block adds one confirmation. Miners collect the fee of every transaction they include, so they naturally prefer transactions with higher fees: higher fees mean a bigger reward. (Strictly speaking, miners rank transactions by fee rate, satoshis per virtual byte, because block space is what is scarce.) Imagine that the Memory Pool is a box containing coins and paper bills of different values.
Which one would you rather pick? The €1 coin or the €10 bill? You would take the €10 bill if you are given the chance. That is exactly how miners work as well. Transactions with higher fees are included in upcoming blocks before transactions with lower fees.
What can happen with unconfirmed transactions?
A signed Bitcoin transaction does not expire at the protocol level, so even with a very low fee it will sit in the mempool waiting to be picked up by miners, as long as it meets the nodes' minimum relay fee and the other policy checks. (Individual nodes do eventually evict stale transactions from their mempool; Bitcoin Core's default is after 14 days, after which the sender or the recipient can simply rebroadcast it.) Reading all this you would rightly think that your unconfirmed transaction will be confirmed sooner or later. Once the miners have picked up the transactions with higher fees it is only logical that those with lower fees will be next, right? This is true, but there is one potential problem that I need to address: the possibility of double-spending.
Double spending is a form of fraud in which the same coins are spent twice: the sender creates two conflicting transactions that both spend the same input (the same unspent output), so only one of them can ever be confirmed. Confirmed Bitcoin transactions are irreversible and cannot be charged back, but an unconfirmed transaction can be displaced by a conflicting one. A fraudulent sender can trick the receiver of the coins into thinking that he is sending the coins to destination A while at the same time arranging for them to go to destination B. (Replacing your own unconfirmed transaction is not always fraud: a transaction that signals replace-by-fee under BIP 125 is explicitly meant to be replaced by a higher-fee version, which is exactly why a merchant should never treat such a transaction as final at zero confirmations.)
Destination A is the person expecting the coins, the merchant. Destination B is another address controlled by the same fraudulent sender. The sender creates a transaction and relays it to the merchant's node. The transaction enters the Mempool and is unconfirmed until a miner includes it in a block. At the same time, the fraudster creates a second transaction spending the same input, paying a higher fee, and broadcasts it to the rest of the network via well-connected nodes. The two transactions are now in a race. Nodes keep whichever of two conflicting transactions they saw first, so the second transaction will lead the race if it reached most nodes and miners before the first one and carries the higher fee. This way the merchant could be tricked into believing that Bitcoins are on their way to him while in reality they are going back to the same person.
How to prevent the risks of double-spending?
Wait until the transaction has been confirmed and several more blocks have been mined on top of the block containing it. Most exchanges require a minimum of six confirmations when you are depositing funds on their platforms. After the 6th confirmation your deposit is considered complete. The 6-confirmation standard means that the transaction has been part of the blockchain for approximately an hour and is now considered safe enough. It is very unlikely that an attacker could acquire enough hash power to reverse that particular transaction. Under the model in the Bitcoin whitepaper, an attacker controlling 10% of the network's hash rate has less than a 0.1% chance of catching up from six blocks behind, and in most cases the cost of such an attempt is greater than the potential gain.
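The "less than 0.1%" figure comes from the attacker catch-up calculation in section 11 of the Bitcoin whitepaper. As an added example (not code from the original article), here is that calculation in Python, extended with a helper that searches for the smallest number of confirmations needed to push the attacker's chance below a chosen risk; q is the attacker's share of the total hash rate and z the number of confirmations the merchant waits for.

```python
# Added example: the attacker catch-up calculation from section 11 of the
# Bitcoin whitepaper, reimplemented here; it is not code from the article.
# q is the attacker's share of total hash rate, z the number of confirmations
# the merchant waits for, and the result is the probability that the attacker
# ever overtakes the honest chain from z blocks behind.
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hash-rate share q, starting z blocks
    behind, eventually produces a longer chain than the honest network."""
    if not 0.0 < q < 0.5:
        raise ValueError("q must be in (0, 0.5); with a majority the attacker always wins")
    if z == 0:
        return 1.0                      # level with the honest chain: no deficit to make up
    p = 1.0 - q
    r = q / p                           # attacker's odds per block relative to honest miners
    lam = z * r                         # expected attacker blocks while honest miners find z
    total = 0.0
    for k in range(z + 1):
        # Poisson probability of k attacker blocks, computed in log space so
        # large z (hundreds of confirmations) does not overflow a float.
        log_poisson = k * math.log(lam) - lam - math.lgamma(k + 1)
        total += math.exp(log_poisson) * (1.0 - r ** (z - k))
    return 1.0 - total


def confirmations_needed(q: float, max_risk: float = 0.001) -> int:
    """Smallest number of confirmations at which the catch-up probability
    drops below max_risk (the whitepaper uses 0.1%)."""
    z = 0
    while attacker_success_probability(q, z) >= max_risk:
        z += 1
    return z


def risk_table(qs=(0.10, 0.20, 0.30, 0.40), max_risk: float = 0.001) -> dict:
    """Confirmations to wait for each attacker hash-rate share."""
    return {q: confirmations_needed(q, max_risk) for q in qs}


if __name__ == "__main__":
    for z in (1, 3, 6):
        print(f"10% attacker, {z} confirmations: P = {attacker_success_probability(0.10, z):.7f}")
    print("confirmations for P < 0.1%:", risk_table())
```

With a 10% attacker the probability is about 0.02% at six confirmations, and five would already be enough for the 0.1% target; a 30% attacker needs 24 confirmations for the same target, which is why the "six confirmations" rule is a convention for a weak attacker rather than a universal guarantee.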
Have there been successful double-spending attacks in the past?
Yes. In October 2018 Bitcoin researcher Peter Rizun tweeted that he had completed 2,511 double spends in a simulated environment on the Bitcoin Cash network, using methods such as fast respend, miner bribes and reverse respend attacks.
In November 2013 it was discovered that GHash.io, a well-known mining pool that operated until 2016, was double-spending against the gambling site BetCoin Dice. The site accepted zero-confirmation deposits, which opened the door to double-spend attacks, and a mining pool is the one party that does not even need to win a relay race: it can simply include its own conflicting transaction in a block it mines. Investigations found that an employee, who was later fired, was doing exactly that.
Is there a consensus not to accept zero-confirmation transactions?
Many reputable services still accept and credit their users' accounts while the Bitcoin transactions are still unconfirmed. Exchanges like Liquid and Gemini or payment service provider BitPay have their own methods to protect themselves against double-spend attacks. They claim that their deposits will be credited in less than 10 seconds. The only condition is that the mining fee is not too small. The technology these companies have in place analyses Bitcoin transactions and within a few seconds can determine whether the transaction can be credited instantly or not. They do so by being well connected to all the important nodes and mining pools: if the same transaction is seen at all of them and none of them holds a conflicting spend of its inputs, the fraudster's second transaction has lost the relay race. (A transaction that signals BIP 125 replace-by-fee can be replaced in every node's mempool by a higher-fee conflict, so zero-confirmation acceptance only makes sense for transactions that do not signal it.) With the help of these nodes the transaction gets relayed to the majority of the network and the chance of a double-spend is reduced to the case where a miner deliberately includes a conflicting transaction in a block, which is exactly what happened in the GHash.io incident above.