Quarkslab has completed the first publicly documented independent audit of Bitcoin Core, the primary software implementation that powers the Bitcoin network. The review, a 100 person-day effort, revealed no critical or high-severity vulnerabilities.
The initiative was funded by Brink, a nonprofit that supports Bitcoin development, and coordinated by the Open Source Technology Improvement Fund (OSTIF). The exact version of Bitcoin Core examined wasn’t disclosed, but the audit was conducted between May and September 2025.
How the audit was performed
The Quarkslab team carried out a comprehensive multilayer analysis, including:
- Manual code review of selected components
- Static and dynamic analysis using automated tooling
- Advanced fuzzing, generating random inputs to trigger unexpected code paths and uncover hidden issues
Their primary focus was the peer-to-peer (P2P) subsystem, especially scenarios that could impact network consensus or disrupt node availability.
What the team found
Auditors confirmed that the codebase is mature and robust:
- 0 critical vulnerabilities
- 0 high-severity issues
- 0 medium-severity issues
- 2 low-severity vulnerabilities
- 13 other findings that did not meet Bitcoin Core’s criteria for security vulnerabilities
The team also identified opportunities to enhance existing fuzzing frameworks and expand coverage to lesser-tested areas, including chain reorganization scenarios.
Comments from the auditors
One of the researchers, Robin David, described the effort as both challenging and inspiring:
“Months of relentless work have finally paid off — our Bitcoin Core security audit is complete! It’s both a blessing, thanks to the maturity and strong security culture of the codebase, and a curse because the task was incredibly complex.”
Bitcoin Core developers also recently released v30.0, continuing the project’s evolution toward improved security, performance, and stability.

