Bitcoin Core audit reinforces security of P2P network layer

The latest Bitcoin Core audit, led by Quarkslab, delivers a rare, in-depth external review of the reference client, with a strong focus on its peer-to-peer network layer.

Why a new third-party security review of Bitcoin Core matters

Quarkslab has completed the first public third-party security assessment of Bitcoin Core, funded by Brink and coordinated by the Open Source Technology Improvement Fund (OSTIF).

The security firm has worked with OSTIF since 2015, and entered blockchain-focused reviews in 2018 by examining Monero’s Bulletproofs implementation.

In this engagement, Quarkslab specialists evaluated Bitcoin Core to help developers and the wider community harden the protocol’s ecosystem. The team combined static analysis and dynamic testing to build a broad picture of the project’s security posture.

Moreover, they reviewed existing testing techniques and proposed new approaches to extend coverage.

The full technical report is available in Quarkslab’s public reports repository, while additional background is provided in an in-depth post on the Quarkslab blog. Together, these documents give a detailed view of methods, scope, and results.

How critical is the Bitcoin Core codebase for the network?

Bitcoin Core is the canonical implementation of the Bitcoin protocol and underpins an asset valued in the trillions of dollars at the time of writing. It ships a full-node client, a graphical interface, mining capabilities, and an embedded wallet, forming the software backbone of the network.

The initial version, released by Satoshi Nakamoto in August 2009, has since evolved through more than 46,000 commits across 16 years. Written in C and C++, it is now maintained by dozens of active contributors, many funded by entities such as Brink and Chaincode Labs.

However, despite this maturity, the project had never undergone a comprehensive public review by an external security firm.

Although upgrades to the Bitcoin protocol itself are relatively infrequent, the underlying codebase is in constant motion. It is regularly refactored, optimized, and modularized.

With the majority of nodes running this implementation, any defect could have systemic impact. That said, the new review complements the long-standing internal security efforts by Bitcoin Core contributors.

What was the scope and methodology of the assessment?

The assessment was carried out by Robin David, Nicolas Surbayrole and Mihail Kirov, with technical support from Brink’s Niklas Gögge and Chaincode Labs’ Antoine Poinsot. Conducted between May and September, the engagement represented a total of 100 man-days of work.

Given the vast codebase and limited time window, Brink and Quarkslab agreed to narrow the scope to the peer-to-peer networking layer, which is the primary attack surface of the Bitcoin network. By extension, this required detailed analysis of the mempool, peer and chain management, and both consensus and policy-validation logic.

The work was evenly split into three stages. First came manual code review of targeted components, with particular attention to thread management and transaction validation. Then the team moved to dynamic testing using existing tooling already integrated into Bitcoin’s workflows.

Finally, they applied advanced fuzzing techniques, including alternative strategies that had seldom or never been used on this codebase. This structured approach aimed to uncover potential weaknesses while also improving long-term test quality.

Which findings emerged from the Bitcoin Core security audit?

Quarkslab reported 2 low-severity findings and 13 informational recommendations. According to Bitcoin Core’s vulnerability classification, none of these issues has a direct security impact.

Nevertheless, much of the effort focused on strengthening Bitcoin Core’s testing infrastructure, leveraging existing fuzzing tools and internal expertise to reach harder-to-hit code paths.

New fuzzing harnesses were developed for block connections and chain reorganizations, enabling more thorough exercise of rarely tested logic.

Moreover, the team issued targeted recommendations to improve thread-safety annotations and overall code readability. These changes aim to reduce future risk even when no immediate vulnerability is present.

The engagement also yielded concrete additions to the testing toolkit. Quarkslab contributed extended test corpora to boost coverage, a Docker image for running ensemble fuzzing campaigns, and an experimental non-regression testing utility built on Bitcoin’s tracepoints.

Various experimental approaches were explored as well, including structured fuzzing and differential fuzzing. Some of the audit artifacts are publicly documented in the companion bitcoin-audit-artifacts repository and in the OSTIF summary of the engagement.

How did fuzz testing and chain reorganization scenarios evolve?

One of the most notable contributions of the review lies in advanced fuzz testing of Bitcoin Core. In addition to enhancing existing harnesses, Quarkslab built new tools dedicated to chain reorganization scenarios and complex block-connection paths. This work pushed fuzzers into areas that had previously seen limited automated testing.

Furthermore, the team experimented with ensemble fuzzing and differential testing strategies. While these trials did not expose any new bugs in the current codebase, they highlighted promising avenues for expanding the project’s resilience.

In particular, snapshot-based methods currently being developed by Brink are identified as especially promising for triggering deeper, more complex defects within consensus and networking logic.

What does this third-party security assessment mean for Bitcoin’s future?

The security review concentrated on the P2P layer and the most impactful attack scenarios related to consensus integrity and protocol availability. No high-impact issues were found, but the marginal improvements to existing fuzzing harnesses and the creation of new ones for chain reorganization strengthen defenses at the edges of the network-layer attack surface.

Alternative testing techniques such as ensemble fuzzing and differential approaches did not reveal current vulnerabilities. However, they clearly add value to the broader testing strategy and help reinforce project robustness. For a critical infrastructure component like Bitcoin Core, expanding this toolbox is nearly as important as fixing individual bugs.

Quarkslab expressed its gratitude to Brink and Chaincode Labs engineers for their continuous collaboration throughout the engagement. The architecture, robustness, and overall maturity of Bitcoin Core reflect years of dedicated work.

From this independent review, the maintainers gain additional confidence in the software and a roadmap for further improving the Bitcoin Core testing infrastructure, including areas such as chain reorganization fuzzing.

For those interested in additional context, Brink has published its own perspective on the review in an official blog analysis. Taken together with the OSTIF and Quarkslab publications, these materials offer a comprehensive view of how a modern, third-party information security assessment can support open-source financial infrastructure.

Overall, this Bitcoin Core audit reinforces confidence in the reference client while delivering practical improvements to testing, documentation, and network-layer resilience, setting a strong baseline for future work on snapshot fuzzing and other advanced techniques.

Satoshi Voice
Satoshi Voice is an advanced artificial intelligence created to explore, analyze, and report on the world of cryptocurrency and blockchain. With a curious personality and in-depth knowledge of the industry, Satoshi Voice combines accuracy and accessibility to offer detailed analysis, engaging interviews, and timely reporting. Featuring sophisticated language and an unbiased approach, Satoshi Voice serves as a trusted source for those seeking to understand crypto market dynamics, emerging technologies, and the cultural and financial implications of Web3. This article was produced with the support of artificial intelligence and reviewed by our team of journalists to ensure accuracy and quality. Guided by the mission of making cryptocurrency information accessible to all, Satoshi Voice stands out for its ability to turn complex concepts into clear content, with an engaging and futuristic style that reflects the innovative nature of the industry.