The audit was coordinated by Brink, an organization that funds eight Core developers.
Currently, almost 80% of Bitcoin node operators run Bitcoin Core.
Brink, a nonprofit organization that funds Bitcoin Core developers, published its 2025 Engineering Impact Report yesterday, March 26, documenting the first independent security audit of the Bitcoin Core client in its 16-year history, conducted by the French firm Quarkslab between May and September 2025.
Three Quarkslab security engineers spent four months reviewing the most critical components of Bitcoin Core, the most widely used software for participating in the Bitcoin network:
- The peer-to-peer (P2P) network layer.
- The mempool: the area where transactions awaiting confirmation are held before being included in a block.
- Blockchain management and consensus logic, that is, the code that defines and enforces Bitcoin's rules.
The result was that Quarkslab found no vulnerabilities of critical, high or medium severity. According to Brink's report, that outcome publicly validates, for the first time, the code review culture that Bitcoin Core developers have built over the years.
Additionally, Quarkslab developed new automated testing tools for two scenarios: connecting new blocks to the chain and chain reorganizations. These tools make it possible to detect unexpected behavior in those processes before it reaches the nodes that users operate.
Other security advances in 2025
Beyond the audit, Brink’s report documents other security advances made by its engineers during 2025.
One of them was the development of Fuzzamoto, an automated testing tool created by engineer Niklas Gögge that improves the ability to find vulnerabilities before they reach production. Traditional fuzzing tools analyze isolated functions of the code, as if testing each part of an engine separately.
Fuzzamoto instead runs a real Bitcoin Core node and sends it sequences of random network messages, replicating how an actual attacker would probe the system for flaws.
Thanks to that approach, the tool has already detected real vulnerabilities that no existing test would have found, according to Brink's team. Among them was a bug in the mempool code that was identified while the change was still under community review, before it reached production.
During the audit, Quarkslab's auditors described Fuzzamoto as "probably the most valuable path to finding deeper and more complex bugs."
Additionally, engineer Eugene Siegel independently discovered and fixed a vulnerability publicly recorded as CVE-2025-54605. The problem was that an attacker could send invalid blocks to a victim's node, and each one generated log messages without any rate limit, filling the node's disk until it became inoperative.
The fix, included in Bitcoin Core v30, not only resolved that specific case but introduced a mechanism that limits how fast the node can write these messages, closing off that entire class of disk-exhaustion attacks rather than just the one reported path.
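To make the vulnerability class concrete, here is an added C++ example (written for this article, not Bitcoin Core's own code) that places the vulnerable pattern, unconditional logging on a peer-triggered path, beside a hardened version that routes the same message through a per-source-location byte budget. The quota, window length, source-location key and sample inputs are assumptions chosen for illustration; a simulated peer feeds invalid blocks at one per second so the two behaviors can be compared offline.

```cpp
#include <chrono>
#include <cstddef>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Assumed budget for this example: bytes one source location may log per window.
// Illustrative values only, not Bitcoin Core's.
constexpr std::size_t kQuotaBytes = 4096;
constexpr std::chrono::seconds kWindow{3600};

// Minimal stand-in for the node's debug.log file.
struct LogSink {
    std::vector<std::string> lines;
    std::size_t bytes = 0;
    void Write(std::string line) { bytes += line.size(); lines.push_back(std::move(line)); }
};

// Vulnerable pattern: every invalid block a peer sends produces a log line.
// The peer can repeat this indefinitely, so disk use grows without bound.
void LogInvalidBlockUnbounded(LogSink& sink, const std::string& hash, const std::string& reason) {
    sink.Write("ERROR: invalid block " + hash + ": " + reason);
}

// Hardened pattern: a per-source-location byte budget. Once a location exhausts its
// quota inside the window, further lines are dropped (with one notice) and logging
// resumes when the window rolls over, so the attacker's cost no longer buys disk.
class LogRateLimiter {
public:
    // Returns true if a line of `line_bytes` from `source` may be written at `now`.
    // Time is injected so callers (and tests) control it deterministically.
    bool Allow(const std::string& source, std::size_t line_bytes,
               std::chrono::seconds now, LogSink& sink) {
        Bucket& b = buckets_[source];
        if (now - b.window_start >= kWindow) {          // window expired: start fresh
            if (b.suppressing) {
                sink.Write("Restarting logging from " + source + " (" +
                           std::to_string(b.dropped) + " messages dropped)");
            }
            b = Bucket{};
            b.window_start = now;
        }
        if (b.used + line_bytes > kQuotaBytes) {          // over budget: drop this line
            if (!b.suppressing) {
                b.suppressing = true;
                sink.Write("Excessive logging from " + source + "; suppressing for " +
                           std::to_string(kWindow.count()) + "s");
            }
            ++b.dropped;
            return false;
        }
        b.used += line_bytes;
        return true;
    }

private:
    struct Bucket {
        std::chrono::seconds window_start{0};
        std::size_t used = 0;
        bool suppressing = false;
        std::size_t dropped = 0;
    };
    std::map<std::string, Bucket> buckets_;  // keyed by source location
};

void LogInvalidBlockLimited(LogRateLimiter& limiter, LogSink& sink, const std::string& hash,
                            const std::string& reason, std::chrono::seconds now) {
    std::string line = "ERROR: invalid block " + hash + ": " + reason;
    // Hypothetical key; a real implementation would derive it from __FILE__/__LINE__.
    if (limiter.Allow("net_processing.cpp:ProcessBlock", line.size(), now, sink)) {
        sink.Write(std::move(line));
    }
}

struct AttackResult {
    std::size_t bytes = 0;         // total bytes written to the sink
    std::size_t block_lines = 0;   // "ERROR: invalid block" lines actually written
    std::size_t notice_lines = 0;  // suppression / restart notices
};

AttackResult Summarize(const LogSink& sink) {
    AttackResult r;
    r.bytes = sink.bytes;
    for (const auto& l : sink.lines) (l.rfind("ERROR", 0) == 0) ? ++r.block_lines : ++r.notice_lines;
    return r;
}

// Constructed inputs: a placeholder 64-hex-char block hash and a rejection reason (102-byte line).
const std::string kHash(64, '0');
const std::string kReason = "bad-txnmrklroot";

// Simulates a peer sending `n` invalid blocks, one per second, against each variant.
AttackResult SimulateUnbounded(std::size_t n) {
    LogSink sink;
    for (std::size_t i = 0; i < n; ++i) LogInvalidBlockUnbounded(sink, kHash, kReason);
    return Summarize(sink);
}

AttackResult SimulateLimited(std::size_t n) {
    LogSink sink;
    LogRateLimiter limiter;
    for (std::size_t i = 0; i < n; ++i)
        LogInvalidBlockLimited(limiter, sink, kHash, kReason, std::chrono::seconds(i));
    return Summarize(sink);
}

int main() {
    AttackResult u = SimulateUnbounded(3700), l = SimulateLimited(3700);
    std::cout << "unbounded: " << u.bytes << " bytes, " << u.block_lines << " block lines\n";
    std::cout << "limited:   " << l.bytes << " bytes, " << l.block_lines << " block lines, "
              << l.notice_lines << " notices\n";
    return 0;
}
```

With the assumed 4096-byte quota and 102-byte lines, the limited sink writes 40 block lines per hour-long window and then a single notice, while the unbounded sink grows by 102 bytes per invalid block for as long as the peer keeps sending. Keying the budget by source location rather than globally matters: it stops one noisy code path from silencing unrelated, legitimate log output.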
Another advance was SwiftSync, a prototype developed by Sebastian Falbesoner that reduced the initial synchronization time of a new node from approximately 41 hours to about 8 hours.
Separately, as CriptoNoticias reported on January 5, the Bitcoin Core team warned of a bug in versions 30.0 and 30.1 that could delete all of a node's wallet files when migrating a legacy wallet, with the risk of losing funds if no backups existed. Both versions were withdrawn as recommended releases, and the fix shipped in Bitcoin Core 30.2.
How many nodes run Bitcoin Core today?
According to data from Coin Dance, the Bitcoin network currently has 22,084 active public nodes. Of that total, 17,206 (77.9%) run Bitcoin Core. Another 4,845 (21.9%) run Bitcoin Knots, an alternative implementation that grew significantly in 2025 following the dispute over the changes to the OP_RETURN data limit introduced in Bitcoin Core v30; the few dozen remaining nodes run other implementations.


The current distribution of node operators illustrates both the strength and the vulnerability of the Bitcoin node ecosystem: a dominant implementation ensures consistency in consensus rules, but it also concentrates in a single team the decisions about what does and does not change in the software that protects the network.
Although only two Bitcoin clients account for nearly all nodes, on March 23 the launch of ProductionReady Inc. was announced, a non-profit organization backed by Samson Mow and Jimmy Song that plans to develop a new alternative client built on the Core code base but with a more conservative development process, and which would restore the OP_RETURN limit to its previous value.
The Quarkslab audit, while not a solution to this structural problem, provides for the first time external validation of the team behind Core. After 16 years, an independent team reviewed the most critical Bitcoin code and confirmed that the review and maintenance process its developers built over the years is working. That does not resolve the debate over the governance of Bitcoin development, but it does establish a verifiable baseline for the quality of the work that underpins it.
