The long-awaited Bitcoin Core audit has concluded, revealing a remarkable lack of significant criticisms. This finding is particularly noteworthy for software that underpins a network valued in the hundreds of billions of dollars. It serves as a strong endorsement for both cypherpunks and institutional investors who are actively accumulating Bitcoin.
In brief
- The independent Bitcoin Core audit uncovered no major vulnerabilities, confirming the high maturity and robustness of its code.
- Discussions surrounding Bitcoin Core v30 and Bitcoin Knots primarily revolve around the inclusion of non-financial data on the blockchain, touching on the balance between protocol neutrality and filtering intentions.
- This audit reinforces the perception for both individual users and large institutions that Bitcoin relies on a robust software infrastructure that is highly resistant to security attacks.
Bitcoin Core Audit Passes With Flying Colors
For a period of 104 days, Quarkslab conducted an audit of Bitcoin Core, commissioned by OSTIF and funded by Brink. This marked the first public audit of its kind, aiming to ascertain whether the software powering the majority of Bitcoin nodes truly warrants the trust it has commanded for years.
The audit's scope was extensive and focused on the most critical components of the software. Auditors examined the peer-to-peer (P2P) layer, block validation logic, chain state management, and reorganization scenarios. In essence, they scrutinized every aspect that, if compromised by a subtle bug, could potentially destabilize the entire network.
The outcome was clear: no critical, high, or even medium vulnerabilities were identified. Only two minor issues were detected, accompanied by recommendations for improving fuzzing tools and enhancing test coverage. Crucially, these points do not impact consensus mechanisms, resistance to denial-of-service (DoS) attacks, or the validation of transactions. For over 200,000 lines of C++ code and 1,200 tests, the auditors commended the codebase for its exceptional maturity.
P2P, Mempool, Reorganizations: The Network’s Core Examined Closely
The Bitcoin Core audit specifically investigated the P2P layer, which is responsible for relaying blocks and transactions and for peer discovery. Each node is capable of managing approximately 125 connections, forming a vast propagation network. The auditors looked for ways to bypass validation and the mechanism that bans misbehaving peers within Bitcoin Core, but found no exploitable avenues.
Subsequently, the audit turned its attention to the mempool, chain state transitions, and the management of reorganizations. These are vital areas that can lead to chain divergences, temporary desynchronizations, or create openings for sophisticated attacks. In these critical domains as well, the audit revealed no practical attack vectors that could be exploited on the live network.
Importantly, Quarkslab's work extended beyond a superficial review. The team provided recommendations for expanding fuzzing capabilities with new scenarios, particularly concerning block connections and reorganizations. This has already led to the development of new fuzzing harnesses, improved file system management to accelerate tests, and tools designed to detect performance regressions over time. In summary, the audit not only affirms the current stability of Bitcoin Core but also enhances its capacity to maintain robustness in the future.
While the Bitcoin Core audit concluded without identifying significant flaws, a separate debate was intensifying within the community. In October, the Bitcoin Core v30 update, which some described as a change that threatens network unity, reignited tensions between proponents of Bitcoin Core and those who favor Bitcoin Knots.