Brink, the nonprofit organization that funds Bitcoin Core developers, released its 2025 Engineering Impact Report yesterday, March 26, documenting the first independent security audit of the Bitcoin Core client in its 16-year history, conducted by the French company Quarkslab from May to September 2025.
Three Quarkslab security engineers spent four months researching the most important components of Bitcoin Core, the most widely used software for joining the Bitcoin network:
- The peer-to-peer (P2P) network layer.
- The mempool: the temporary memory where transactions awaiting confirmation are stored before being included in a block.
- Blockchain management and consensus logic, the code that defines and enforces the rules of Bitcoin.
As a result, Quarkslab found no vulnerabilities of critical, high, or medium severity. According to Brink’s report, this result is the first public validation of the code review culture that Bitcoin Core developers have built over the years.
In addition, Quarkslab developed new automated testing tools covering two scenarios: connecting new blocks to the chain and reorganizing the chain. These tools detect unexpected behavior within those processes before it reaches the nodes that users interact with.
Other security advances in 2025
Beyond the audit, Brink’s report documents other security advances made by its engineers during 2025.
One of these is the development of Fuzzamoto, an automated testing tool created by engineer Niklas Gögge to help teams discover vulnerabilities before they reach production. Traditional testing tools analyze isolated pieces of the code, as if testing each part of an engine separately.
Fuzzamoto instead runs an actual Bitcoin Core node and sends it sequences of random network messages, replicating how real attackers probe systems for flaws.
Brink’s team says that, thanks to this approach, the tool has already detected real vulnerabilities that existing tests could not find, among them a bug in the mempool management code that was identified while the changes were still being reviewed by the community, before reaching production.
Quarkslab auditors called Fuzzamoto “perhaps the most valuable tool for discovering deeper and more complex bugs” during their audit.
Additionally, engineer Eugene Siegel independently discovered and fixed a vulnerability that was publicly recorded as CVE-2025-54605. The problem was that an attacker could send invalid blocks to a victim node; each one generated system log messages without any rate limiting, filling the node’s disk to the point of inoperability.
The fix, included in Bitcoin Core v30, not only resolved that particular case but also implemented a system that limits the rate at which nodes can generate these messages, permanently shutting down that entire category of attack.
Another advance was SwiftSync, a prototype developed by Sebastian Falbesoner that reduced the initial synchronization time for new nodes from about 41 hours to about 8 hours.
Meanwhile, on January 5, the Bitcoin Core team warned about a bug in versions 30.0 and 30.1, as reported by CriptoNoticias, that could delete all wallet files from the node when migrating an old wallet, risking the loss of funds if no backup existed. Both versions were deprecated as recommended and a fix was provided in Bitcoin Core 30.2.
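To make the defense concrete, here is an added illustration of a per-category log rate limiter of the kind the fix is described as adding. This is not Bitcoin Core’s own code; the quota, window length, category name and message text are constructed assumptions.

```cpp
// Added illustration, not Bitcoin Core's code: each log category may write
// up to quota_bytes per window; beyond that, lines are dropped and a single
// notice is written, so a flood of invalid blocks cannot fill the disk.
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

struct LogLimiter {
    uint64_t quota_bytes;     // bytes a category may log per window (assumed value below)
    uint64_t window_seconds;  // window length in seconds
    struct Bucket { uint64_t start = 0, used = 0, dropped = 0; bool notified = false; };
    std::map<std::string, Bucket> buckets;
    std::vector<std::string> sink;  // lines that actually reach the log file

    // Returns true if the message was written, false if it was suppressed.
    bool Log(const std::string& cat, const std::string& msg, uint64_t now) {
        Bucket& b = buckets[cat];
        if (b.start == 0 || now - b.start >= window_seconds) {  // first use or window rolled over
            if (b.dropped > 0)
                sink.push_back("[" + cat + "] " + std::to_string(b.dropped) + " messages were suppressed");
            b.start = now; b.used = 0; b.dropped = 0; b.notified = false;
        }
        if (b.used + msg.size() > quota_bytes) {  // over quota: drop, and say so once per window
            ++b.dropped;
            if (!b.notified) {
                sink.push_back("[" + cat + "] quota exceeded, suppressing until the window resets");
                b.notified = true;
            }
            return false;
        }
        b.used += msg.size();
        sink.push_back("[" + cat + "] " + msg);
        return true;
    }
};

struct DemoResult { size_t written, dropped, sink_lines; };

// Constructed scenario: 30 invalid-block rejections arrive within one window,
// then one more after the window rolls over. Disk use per window is bounded by
// quota_bytes plus two short notices, regardless of how many blocks arrive.
DemoResult FloodDemo() {
    LogLimiter lim{100, 3600};                        // assumed: 100 bytes per hour per category
    const std::string msg = "invalid block recvd.";  // 20 bytes, so 5 fit in the quota
    DemoResult r{0, 0, 0};
    for (int i = 0; i < 30; ++i) {
        if (lim.Log("validation", msg, 1000)) ++r.written; else ++r.dropped;
    }
    if (lim.Log("validation", msg, 5000)) ++r.written; else ++r.dropped;  // next window
    r.sink_lines = lim.sink.size();
    return r;
}
```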
How many nodes are currently running Bitcoin Core?
According to data from Coin Dance, the Bitcoin network currently has 22,084 active public full nodes. Of that total, 17,206 run Bitcoin Core, 77.9% of the total. The remaining 4,845, or 21.9%, run Bitcoin Knots, an alternative implementation whose share grew significantly in 2025 following the controversy over changes to the OP_RETURN data limit introduced in Bitcoin Core v30.
The current distribution of node operators shows both the strength and the fragility of the Bitcoin node ecosystem. A widely dominant implementation ensures consistency of the consensus rules, but it concentrates in a single team the development decisions about what will and will not change in the software that protects the network.
That said, just two clients account for the majority of Bitcoin nodes, and on March 23 the launch of ProductionReady Inc. was announced. This nonprofit organization, backed by Samson Mow and Jimmy Song, plans to develop a new alternative Bitcoin client built on the Core codebase, but with a more conservative development process that will restore the OP_RETURN limit to its previous value.
Quarkslab’s audit is not a solution to this structural problem, but it provides the first external validation of the team behind Core. After 16 years, an independent team has reviewed the most important Bitcoin code and confirmed that the review and maintenance processes its developers built over the years are working. While this does not resolve the debate over the governance of Bitcoin development, it does establish a verifiable baseline for the quality of the work that supports it.