schmidty

Murch and I cover a lot of Bitcoin technical developments on the Bitcoin Optech podcast each week. But there is a lot going on in Bitcoin that we don’t cover. What are you curious about? Drop a question below and join us for a Twitter/X Space tomorrow and we will get to as many as we can. https://x.com/i/spaces/1OwxWeWXMoVGQ

As part of Brink's mission to ensure the safety and robustness of the open-source Bitcoin Core software, we recently sponsored an independent security audit of the Bitcoin Core codebase. This represents the first public, third-party audit of Bitcoin Core. https://brink.dev/blog/2025/11/19/bitcoin-core-security-audit/ The assessment was conducted by Quarkslab and was coordinated with the help of the Open Source Technology Improvement Fund (OSTIF). Funding was provided by Brink with the support of our donors, with technical collaboration from Brink engineer, Niklas Gögge, and Chaincode Labs engineer, Antoine Poinsot. Why Brink funded this work The project has a strong security track record, but it has never undergone an external security assessment. We wanted to provide an additional layer of assurance for developers, node operators, holders, and businesses who rely on Bitcoin Core every day What the audit involved The focus was on the most security-critical components of the software, including the peer-to-peer networking layer, mempool, chain management, and consensus logic and included: - Manual code review - Static and dynamic analysis - Advanced fuzz testing What the auditors found The auditors at Quarkslab reported no critical, high, or medium-severity issues. They identified two low-severity findings and thirteen informational recommendations, none of which were classified as security vulnerabilities under Bitcoin Core’s criteria. Funding independent reviews like this is just one way we help ensure Bitcoin doesn’t break and continues to serve the world as a secure, reliable monetary network. Independent review only strengthens that confidence. Thank you to Quarkslab, the OSTIF, Niklas, and Antoine for their work on this project. The full report is publicly available here: https://ostif.org/wp-content/uploads/2025/11/25-05-2133-REP-bitcoincore-security-assessment-V1.3.pdf

Meanwhile… The decade-long engineering efforts toward libsecp256k1, a minimal from scratch Bitcoin-specific library, result in an 800% speed up over OpenSSL while also: - removing a problematic dependency - avoiding side channel attacks - being fully deterministic Sebastian Falbesoner via https://bitcoinops.org/en/newsletters/2025/11/07/#comparing-performance-of-ecdsa-signature-validation-in-openssl-vs-libsecp256k1

“Where is the public roadmap for Bitcoin Core?” This sentiment from Zach is common and Ill give my own thoughts on it https://x.com/zachherbert/status/1976726178376696016 The subprojects that individual Bitcoin Core engineers contribute to reflect the project’s *software development priorities* which can include things like testing improvements, refactors, features, maintenance, or performance improvements. These software engineering efforts are distinct from the Bitcoin *protocol*, whose consensus rules change only through broad community agreement and network adoption, not by decisions made exclusively within the Bitcoin Core repository. If I were looking to derive a shorter term “public roadmap for Bitcoin Core” (again, the Bitcoin Core software, not Bitcoin protocol), there are a few places to look. **Working Groups** Contributors actively working on similar efforts form working groups to implement and review projects in Bitcoin Core. A list of the current working groups is on the Bitcoin Core Wiki: https://github.com/bitcoin-core/bitcoin-devwiki/wiki/Working-Groups#current-working-groups From here we can see interest in: Erlay, Fuzzing, Kernel, Benchmarking, Silent Payments, Cluster Mempool, Stratum v2, Multiprocess, QML GUI, and Net Split These working groups also provide updates at the weekly Bitcoin Core developer meetings on IRC: https://bitcoincore.org/en/meetings/ This is another place to see current work. **Tracking issues** Many subprojects within Bitcoin Core have a place to track a todo list of code changes that roll up into that project. Here are just a few examples (search the GitHub for “tracking issue” for more): Multiprocess - https://github.com/bitcoin/bitcoin/issues/28722 Mining interface - https://github.com/bitcoin/bitcoin/issues/33777 MuSig2 - https://github.com/bitcoin/bitcoin/issues/31246 Cluster mempool - https://github.com/bitcoin/bitcoin/issues/30289 Erlay - https://github.com/bitcoin/bitcoin/issues/30249 Bitcoin Kernel Library - https://github.com/bitcoin/bitcoin/issues/27587 SENDTEMPLATE - https://github.com/bitcoin/bitcoin/issues/33691 **Core Dev meetups** What developers discuss at recent in-person meetings is another data point. Here are transcripts from the October 2025 meeting - https://btctranscripts.com/bitcoin-core-dev-tech/2025-10 February 2025 meeting - https://btctranscripts.com/bitcoin-core-dev-tech/2025-02 **Merged PRs** As code changes are merged into the Bitcoin Core GitHub before the next release you can see precisely what will be in the upcoming release. These code changes include PRs related to projects above, but also more general changes unrelated to a particular project, like maintenance work, additional testing, one-off features, etc. https://github.com/bitcoin/bitcoin/pulls?q=is%3Apr+is%3Amerged Likewise Optech has a weekly notable code segment that picks interesting code merges to cover: https://bitcoinops.org/ **Release Milestones** As Bitcoin Core progresses toward a new release, PRs can be tagged with a milestone representing that release. For example, here are the items tagged for the previous v30 release: https://github.com/bitcoin/bitcoin/pulls?q=is%3Apr+milestone%3A30.0 And here are considerations for the v31 release: https://github.com/bitcoin/bitcoin/pulls?q=is%3Apr+milestone%3A31.0 **TLDR, just tell me what will be in v31** Sorry, there isn’t a definitive authoritative answer for a decentralized open source project like this. But also in the spirit of decentralization, I can provide my own guesses of what might be in there. Kernel API - modular use of Bitcoin’s consensus and validation logic outside the full node MuSig2 (in wallet) - fee-efficient, privacy-preserving multi-signature support Cluster mempool - makes transaction relay and block assembly more efficient, predictable, and network reliability. ASMap - help diversify peer connections, strengthening network resilience against eclipse attacks Static builds - reproducible, portable binaries that enhance security, verifiability, and ease of deployment I’ll emphasize that while these projects took a ton of work to get where they are, there will also be a majority of PRs in v31 that will not be part of a “project”. They will simply be general improvements, bug fixes, and maintenance work (see https://x.com/bitschmidty/status/1976692672023667057 for examples)

Last week many Bitcoin Core developers met up in Frankfurt, Germany as part of their regular twice-yearly in person meetings. Attendees volunteered to take notes on the unconference-style sessions and I have a pull request to add the notes to the BTC transcripts website: - ASMap - Batch Validation - Secp256k1 and quantum - CISA - Cluster mempool - CMake - CoreCheck - Debugging - Fuzzamoto - Libsha - Multiprocess and Mining Interface - Fingerprinting - Net / net_processing split - Package relay - Private broadcast - Security audit - Subject matter experts and working groups - Sockets abstraction Additional informal discussions, code reviews, working groups, or other sessions occurred on: - BIP 3 - Wallet priorities - Compact Block prefills - Silent Payments - btck - CI - SwiftSync - Benchmarking and IBD - When do Bitcoin Core users upgrade? - MuSig2 - Kernel - Working in-person - Complications with fuzz testing - BlockTemplateManager - QML GUI - Shared Templates BIP - Headers-first sync - Batch Validation - FIBRE - Consensus Cleanup - Silent payments libsecp256k1 light client - Better communicating with the broad community - Discussion on block 920138 and Bitcoin Core #33687 - Mempool and relay policy - CI with CTest and CDash This meeting was sponsored by BTrust who provided the funding for the venue, food, supplies, etc to facilitate the meeting (thank you!). JD (from localhost research), Emily (from Brink) and myself organized. A list of previous meetings is here: https://coredev.tech The PR to the http://btctranscripts.com website is open here, pending approval: https://github.com/bitcointranscripts/bitcointranscripts/pull/593

Bitcoin Core v30: a deeper look Link to the tweet https://x.com/bitschmidty/status/1976692672023667057 Non Twitter link https://twitter-thread.com/t/1976692672023667057

Fuzz testing and Bitcoin Core... We received a pretty overwhelming response to our recent job post for a Bitcoin Core Fuzzing Internship at Brink. Brink received over 70 applications for the role with many qualified candidates. After the results of a coding challenge, we decided to actually move forward with two engineers for the 3 month role. Dongjia Zhang is a Ph.D. fuzzing researcher and maintainer of the LibAFL fuzzing library used to fuzz test Bitcoin Core. Stratos has a background in vulnerability research and will join Dongjia in working with Niklas (@dergoegge) in the coming months to enhance the fuzz testing capabilities in Bitcoin Core. Fuzz testing is the idea of throwing a bunch of quasi-random inputs at various functions of a codebase and seeing if anything abnormal happens. Think of it like mining for bugs. There is work in both the Bitcoin Core codebase as well as fuzz tooling (like fuzzamoto) in order to test more and more of Bitcoin Core in this way. Here is a bit more about fuzz testing in Bitcoin Core: https://brink.dev/blog/2023/07/14/fuzzing/ Here is a conversation we had with Matt Morehouse on fuzz testing the Lightning Network: https://brink.dev/blog/2024/06/25/eng-call-fuzz-testing-lightning/ Marco (@macrohead7) recently completed his year long onsite fuzzing fellowship at Brink and provided some thoughts as well: https://brink.dev/blog/2025/07/31/marco-fuzzing-fellowship/ Brink is proud to support the build out of further fuzzing capabilities in the Bitcoin Core codebase as well as other ecosystem softwares. We have not had intern roles before either and are excited to see how it works out. Welcome Dongjia and Stratos!

The topic of non-developer contributions to Bitcoin and Bitcoin Core came up in a thread the other day. So I wanted to elevate this list, in case people are interested. Ways to contribute other than code: Education / Outreach Optech Conferences Saving Satoshi Fundraising Bitdevs User feedback Reproducing issues Priorities? Security Dependency auditing CVE disclosure Mailing list Pen testing Dev Tooling CI Signet Fuzzing Drahtbot Corecheck,dev Bitcoin dev wiki Mentoring Developer hubs Review clubs Release Process Testing guide Building binaries Signing binaries translations Packaging for distro Monitoring b10c stuff etc Standardization BIPs Bolts etc Events Coredev Online communication channels Mailing list Delving IRC Twitter / etc Stack exchange http://bitcoincore.org Backups of stuff Dev Infrastructure Fuzzing Devops stuff Dns seeds User feedback Outward Talk to miners? Exchanges? Surveys Research BRW Janitor work Reproducing Other items listed: Coredev conference BIPs (review, reading) Stack exchange CI Fuzzer machines Devops Monitoring http://bitcoincore.org maintaining/hosting Signet / inquisition Utilities for interacting with Bitcoin (Core) Educational stuff like saving satoshi Delving Mailing list Backup of delving/mailing list/github comments IRC and logs Drahtbot / meetingbot Bitcoinacks (?) Fundraising Developer hubs Review clubs Technical talks / podcasts / outreach Bitdevs Deterministic builds (running) Dns seed Dependency auditing/pruning Architecture CI doesn’t account for Reproducing issues Moderation of github Research Week Twitter threads Translations Security Security mailing list CVE management / disclosure etc Pen testing http://Corecheck.dev Core dev wiki Bitcoin wiki Summaries of communal knowledge Optech Release packaging for distros Janitoring old issues/PRs BOSS program Summer of Bitcoin Original: https://btctranscripts.com/bitcoin-core-dev-tech/2025-02/non-development-contributions

Many people, myself included, tout the importance of software maintenance in the context of Bitcoin Core. It is easy to throw out "maintenance!" and most people will nod their head in agreement, but I think its helpful to have some examples to understand the depth of this work and risks of not doing it. There are many categories of maintenance work, today I am just going to zoom in on one: minimizing dependencies. Recently someone attempted to put in a backdoor into XZ, a library used by softwares in hundreds of millions of computers around the world. Even a couple weeks ago hackers slipped malicious code into dozens of NPM packages that receive millions of downloads each week. Bitcoin Core and other Bitcoin software are not immune to these kinds of attacks. While Bitcoin Core has a robust culture of code review and testing, Bitcoin Core uses third-party libraries as well. Code from these libraries is run, in addition to Bitcoin Core's code, when you are running your node. Any bug, vulnerability, or performance issue in these libraries (dependencies) can cause issues for Bitcoin Core. Updates to these dependencies of Bitcoin Core are a potential risk and need to be regularly tracked and reviewed. From a security perspective, these dependencies should also be minimized and eliminated where possible. Bitcoin Core developers have spent years minimizing the number of dependencies of the project. In some cases replacing them with minimal, in-house alternatives that achieve the same function in order to reduce attack surface. In this latest Brink blog, we outline the risks of using dependencies as well as several examples of Bitcoin Core removing problematic or unnecessary dependencies of the project. https://brink.dev/blog/2025/09/19/minimizing-dependencies/

Russell O’Connor joined Brink to explain his work on formal verification of software, the process of mathematically proving that a program satisfies its specification. - Overview of formal verification of software - Walkthrough w/ libsecp256k1 - Coq, Rocq, Clightgen - SafeGCD - Q&A https://brink.dev/blog/2025/08/07/eng-call-russell-oconnor-formal-verification/

Jameson Lopp and Tim Ruffing on quantum Steven Roose on the OP_TEMPLATEHASH soft fork bundle David Gumberg on compact block prefilling Lauren Shareshian from Block on mempool fee estimation nostr:note1m07vc6tgzecf3u2rahygyau5rn9xv65kcwcfv3lylxgats9r5hqsc27wma

One year ago Marco De Leon embarked on a year long Brink fellowship in our London office. Today, after a year of progress and contributions, we’re happy to bring him on as a full-time Bitcoin Core engineer! "The idea of diving into a codebase as critical and complex as Bitcoin Core’s was intimidating, and frankly, I was a bit worried I didn’t have enough experience to contribute meaningfully. The fellowship provided the perfect bridge..." https://brink.dev/blog/2025/07/31/marco-fuzzing-fellowship/ Marco, with guidance from his mentor Niklas Gögge, focused his fellowship on fuzz testing, a technique for catching subtle bugs and security vulnerabilities. https://brink.dev/blog/2023/07/14/fuzzing/ His work took him from improving existing fuzz tests, to removing the longstanding mainnet checkpoints, to improving type safety in the Bitcoin Core codebase. We are proud of Marco and Niklas for their efforts this past year. Bitcoin is more secure because of Marco's contributions and Bitcoin is stronger with another experienced engineer working on security into the future. If you're interested in fuzzing and a career as an open source Bitcoin engineer, like Marco, we are pleased to offer, in addition to the fellowship, a new Bitcoin Core Fuzzing Internship at Brink Join us and contribute to Bitcoin security through fuzzing! https://bitcoinerjobs.com/job/1801236-bitcoin-core-fuzzing-internship

The CTV and CSFS open letter segment got a little spicy with some real talk We really dug in on Tadge's commit/reveal scheme for quantum as well nostr:note1qrea0l73j8c7cdhx07cyvnn5j7rew6jy5y3xsh33htuxnpz064vqe92kra

What is Bitcoin Core's release process for managing release candidates, minor releases, and major releases? Bitcoin Core's Release Process doc: https://github.com/bitcoin/bitcoin/blob/master/doc/release-process.md

Eric Voskuil joined Bitcoin engineers to discuss architectural and performance differences between libbitcoin and Bitcoin Core: - libbitcoin’s history/latest updates - libbitcoin architecture - Initial block download (IBD) performance - IBD workflow - SwiftSync - Q&A Watch the 90 minute discussion: https://brink.dev/blog/2025/06/17/eng-call-eric-voskuil-utxo-model/

Optech's "Changing Consensus" monthly segment always makes for an interesting recap podcast nostr:note1leu6c9ld9kyjwpuggy269vzqfgqeps5a3zlgwgqr23z0wez3966slzl6p8

There is a lot going on in the OP_RETURN debate, but I definitely agree with this: "What the OP_RETURN debate has demonstrated is that Bitcoin Core and the Bitcoin technical community have not done a good job communicating their value – not to mention the rationale behind their decisions – to the average bitcoin user." https://blockspace.media/insight/op_return-debate-the-influencers-vs-the-devs/ The Bitcoin Core developers have produced artifacts and content on these matters already, but those of us closely observing need to do a better job of disseminating that information to a broader set of Bitcoin ecosystem participants. "The single biggest problem in communication is the illusion that it has taken place." I need to do better.