Blockchain security

Proof of work in consensus algorithms

Howard Poston
October 7, 2020 by
Howard Poston

Introduction to blockchain consensus

Blockchain systems are a collection of decentralized nodes that maintain a shared digital ledger. Without a centralized authority, the blockchain network needs some way to determine the “official” version of each block in the blockchain.

This is the job of the blockchain’s consensus algorithm, which selects the official creator of each block in the blockchain. A blockchain consensus algorithm needs to meet the following criteria:

Learn Blockchain Security

Learn Blockchain Security

Build your blockchain security skills with five courses covering blockchain structure, blockchain attacks, smart contract security and more.

  • Decentralization: The consensus algorithm must be completely decentralized, meaning that every node can run it independently and come to the same conclusion.
  • Byzantine fault tolerance: A blockchain network may have nodes that are not working in the network’s best interests. A blockchain consensus algorithm should be able to function despite the presence of malicious nodes within the network.

Blockchain networks are also governed by the longest chain rule, which states that a node, when presented with two versions of the blockchain, should select the “longer” of the two. As a result, blockchain consensus algorithms are designed to make building a valid, conflicting version of the ledger as difficult as possible.

Inside Proof of Work

Every consensus algorithm uses a scarce resource to manage nodes’ control over the blockchain. For Proof of Work, this resource is computational power. The more computing power that a node controls, the higher the probability of being selected as block creator.

Proof of Work enforces this policy by defining a “valid” block as one with a header that hashes to a value that is less than a set threshold. Due to the properties of hash functions, the only way to find such a block is through a brute force search. As a result, the node with the greatest amount of computational power is most likely to be selected; however, over time, every node participating in the process should be selected to create a block.

This is essential to the purpose of Proof of Work. When a node creates a block, it endorses the current state of the ledger and the process of creating future blocks. Once every node in the network has created a block, the network should be in consensus.

Attacking Proof of Work

The Proof of Work consensus algorithm is designed to ensure that no node or group of nodes gains an inappropriate level of control over the blockchain’s distributed ledger. This includes gaining either full control or more control than their share of the network’s computing power should give them. However, a number of different attacks exist against the Proof of Work consensus algorithm:

  • 51% attack: The 51% attack is a built-in vulnerability of the Proof of Work consensus algorithm. Proof of Work is designed to be a system based on majority vote, where votes are computing resources. If an attacker controls the majority of the network’s computing resources, they can (with high probability) find a valid version of the next block in the chain faster than anyone else. This gives them full control over the blockchain’s distributed ledger and the ability to rewrite it whenever they wish.
  • Denial-of-Service (DoS) attacks: The hash value threshold used in Proof of Work algorithms is designed so that a blockchain network with a certain amount of computing power creates blocks at the desired block rate (on average). By decreasing the computational power available to the network, an attacker can slow the block creation process, decreasing the blockchain’s throughput.
  • Selfish mining: Each block header contains the hash of the previous block, making it impossible to create the next block in the chain without knowledge of the current one. In theory, block creators immediately publish their blocks to the network upon creation, giving everyone a fair chance to create the next one. Selfish miners will conceal a new block for a time, giving themselves a head start toward finding the next one.
  • SPV mining: Simplified Payment Verification (SPV) nodes only track the headers in the blockchain and the contents of blocks of interest to them. They are not designed for mining since they cannot verify the validity of the transactions that they include in their blocks. SPV miners sidestep this issue by creating blocks that only create the transaction paying them the block reward, decreasing the capacity of the blockchain. Since these miners do not need to go through the time-consuming validation process when creating blocks, they have a head start for finding a valid version of the block, increasing their probability of success.

Securing Proof of Work

The security of the Proof of Work consensus algorithm mainly depends on the computational power of the blockchain network. To gain control over the blockchain (via the longest chain rule), an attacker needs to create a conflicting version of the blockchain faster than the rest of the network can build the legitimate one.

While attacks like selfish and SPV mining can help with this, a successful attack requires a large amount of computing power. By increasing the computing power devoted by honest nodes to protecting the network, a network can make an attack too expensive to perform or be profitable.

Learn Blockchain Security

Learn Blockchain Security

Build your blockchain security skills with five courses covering blockchain structure, blockchain attacks, smart contract security and more.



  1. Longest Chain, Learn Me A Bitcoin
  2. Proof-of-Work, Explained, Cointelegraph
  3. Simplified Payment Verification, BitcoinWiki
Howard Poston
Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at or via his website at