The Open Source Technology Improvement Fund is proud to share the results of our security audit of Bitcoin Core. Bitcoin Core, the reference implementation of the Bitcoin protocol, is an open source cryptocurrency with assets valued at several billion USD. With the help of Quarkslab, Brink, and Chaincode Labs, the project underwent its first public security audit, intended to inform the Bitcoin Core developers and community about the project’s current security practices, health, and testing suite.
Audit Process:
This engagement was a large undertaking, spanning May through September 2025, and was performed by three engineers from Quarkslab. The assessment focused on the Peer-to-Peer (P2P) interface and the components it touches: mempool management, block validation, transaction evaluation, chain state, and peer management. First, the audit team spent time developing a threat model and combing through the project to understand how it works. During this initial period, arrangements were made for the auditors to work in person so that Brink’s team could onboard them to the project. Once the threat model was in place, the team moved on to manual code review and static analysis of the project, improvement of the existing tests, and exploration of new testing approaches.
Audit Results:
- 16 Findings
  - 2 Low Severity
  - 14 Informational Improvements
- Improved Fuzz Testing
  - 3 new harnesses testing block connection and chain reorganisation
  - 14 structured fuzzing harnesses using libprotobuf-mutator (+1 grammar-based harness for miniscript)
  - 2 differential testing harnesses for chacha20_poly1305 and the SHA256 variants (SSE4, SHANI)
  - a virtual filesystem utility class to be used in fuzzing harnesses for fast state restoration
  - a Docker image to run harnesses in an ensemble fuzzing setting with PASTIS (using AFL++, Honggfuzz and libFuzzer)
Bitcoin Core is a mature project and a highly valuable target for attackers. While it has previously been audited internally, Brink and Chaincode Labs sought an external review to provide further assurance, confidence, and advice on the security of Bitcoin. Although no findings of critical, high, or medium severity were identified during this engagement, the audit provided valuable feedback, insight, and testing improvements for Bitcoin Core.
Thank you to the individuals and groups that made this engagement possible:
- Bitcoin maintainers and community
- Quarkslab, especially: Nicolas Surbayrole, Mihail Kirov, Pauline Sauder
- Brink, especially: Mike Schmidt and Niklas Goegge
- Chaincode Labs, especially: Antoine Poinsot and Gloria Zhao
You can read the Audit Report HERE
You can read Quarkslab’s Blog HERE
You can read Brink’s Blog HERE
Everyone around the world depends on open source software. If you’re interested in financially supporting this critical work, reach out to [email protected].
Join our OSTIF Calendar to stay up to date with our community events!