The Open Source Technology Improvement Fund, Inc. mandated Quarkslab to perform the first public security audit of Bitcoin Core, the reference open-source implementation of the Bitcoin decentralized protocol.


Introduction

Quarkslab conducted the first public third-party security assessment of Bitcoin Core. The audit was funded by Brink and coordinated by the Open Source Technology Improvement Fund (OSTIF). Quarkslab has been collaborating with OSTIF since 2015, and has been involved in blockchain-related security audits since 2018, starting with the review of Monero’s Bulletproofs implementation.

In this new engagement, Quarkslab experts carried out a security assessment of Bitcoin Core with the goal of supporting the developers and the community in strengthening the security of the ecosystem. The audit combined static analysis and dynamic testing to develop a comprehensive understanding of the system’s security posture. Existing testing techniques were evaluated, and new approaches were proposed as part of the assessment.

The full report of the assessment can be found on Quarkslab's public reports repository.

Bitcoin Core

Bitcoin Core is the canonical implementation of the Bitcoin network, powering an asset valued in the trillions of dollars at the time of writing. It includes a full-node client, a GUI, mining functionalities, and an embedded wallet.

The first version, released by Satoshi Nakamoto in August 2009, has since evolved drastically, with more than 46,000 commits over the past 16 years. Developed in C and C++, it is now maintained by dozens of active contributors, many of whom are funded by organizations such as Brink and Chaincode Labs. Bitcoin Core forms the backbone of Bitcoin’s decentralized infrastructure.

Although the Bitcoin protocol itself is not upgraded frequently, the underlying codebase undergoes continuous development, refinement, and a steady effort toward greater modularization.

With an overwhelming number of nodes running this software, any flaw or defect could have systemic consequences for the network. Despite the extensive security measures and best practices already in place, a comprehensive third-party audit by an external security firm had never been conducted before—making this assessment an important complement to the ongoing security-focused work of Bitcoin Core developers.

Scope

The audit was conducted by Robin David, Nicolas Surbayrole and Mihail Kirov, with technical support from both Brink (Niklas Gögge) and Chaincode Labs (Antoine Poinsot). Carried out between May and September, the assessment represented a total of 100 man-days of work.

Given the size of the codebase and the limited time frame, it was necessary to focus on specific components. As agreed between Brink and Quarkslab, the scope of work focused on the peer-to-peer networking layer, which represents the primary attack surface of the Bitcoin network. By extension, this required investigating the mempool, peer and chain management, as well as consensus and policy-validation logic.

The 100 audit days were evenly divided into three stages:

  • Manual code review of targeted components, with a keen focus on thread management and transaction validation
  • Dynamic testing, using tooling and frameworks already in production within Bitcoin’s workflows
  • Advanced fuzz testing with alternative approaches not yet, or seldom, experimented with on the codebase

The primary goal of the assessment was to identify potential weaknesses or vulnerabilities. Beyond this, the objective was also to support the Bitcoin community in strengthening its overall security posture, whether through direct contributions such as pull requests and new fuzzing harnesses, or through indirect contributions by experimenting with new ways to harden the codebase and its testing processes.

Findings & Deliverables

Quarkslab identified 2 low-severity findings and 13 informational recommendations. None of them has any security impact according to Bitcoin Core’s vulnerability classifications. A large part of the work focused on enhancing Bitcoin Core’s testing infrastructure, leveraging internal fuzzing tools and specialized expertise. This included developing new fuzzing harnesses for block connection and chain reorganization, which exercised previously untapped code paths, as well as targeted recommendations to improve thread-safety annotations and overall code readability.

The engagement also produced improvements to Bitcoin Core’s testing infrastructure with additional contributions:

  • a test corpus improving the existing coverage
  • a Docker image to run fuzzing campaigns in an ensemble fuzzing setting.1
  • an experimental non-regression testing utility based on Bitcoin's tracepoints
  • various experimental fuzzing approaches, including structured fuzzing and differential fuzzing

Details are available in the report:

Audit Report Bitcoin Core

Some audit artifacts are available in the companion repository bitcoin-audit-artifacts.

Conclusion

The security assessment focused on a specific scope, the P2P layer, and on the most impactful attack scenarios: those altering consensus or protocol availability. No high-impact issues were found, but marginal gains were made on existing fuzzing harnesses, and new ones were added to cover untested scenarios such as chain reorganization. Some alternative testing approaches were also explored, such as ensemble fuzzing and differential testing. While they did not exhibit any issues in the current code, such approaches can certainly add value to the overall testing strategy and project robustness. In that regard, Fuzzamoto 2, the snapshot fuzzing approach currently being developed by Brink, is likely the most valuable path to pursue in order to trigger deeper and more complex bugs.

Quarkslab would like to thank the Brink and Chaincode Labs engineers for their continuous support throughout the audit. Bitcoin Core's architecture, robustness, and overall maturity reflect outstanding work. Quarkslab truly enjoyed evaluating such well-crafted and challenging software and hopes these findings will help drive this ambitious project even further.

Further reading


  1. With Quarkslab framework PASTIS combining: Libfuzzer, AFL++ and Honggfuzz 

  2. Explicitly left out-of-scope for the audit. 


If you would like to learn more about our security audits and explore how we can help you, get in touch with us!