Bitcoin Core disclosed on June 6, 2026 a privacy bug in version 31.0 of its node software, which can cause the IP address of the computer from which a transaction is sent to be exposed to the receiving node. According to the official notice, the failure originates in a function designed precisely to protect that information.
The project notes that the error occurs when the node attempts to establish an encrypted connection with a peer on the conventional Internet (IPv4 or IPv6) and that connection fails. In that case, the software retries the connection unencrypted and without routing traffic through Tor, exposing the sender’s real IP. The organization warns that a malicious actor can deliberately cause such a failure to force unprotected retry.
Bitcoin Core is the team of developers that maintains the reference software for operating nodes on the Bitcoin network. Its repository has the largest history of security audits in the ecosystem and its vulnerability notices are closely followed by node operators, exchanges and institutional custodians.
The bug contradicts a guarantee published in the 31.0 release notes, where the project stated that the sender’s IP address “would never be known to receivers” when using the feature. privatebroadcast. According to the notice, connections over networks such as Tor onion and I2P are not affectedsince they remain protected even when the connection retry occurs.
Conditions affecting Bitcoin Core 31.0
The project specifies that the error It is only activated when all the following conditions occur in the same node:
- Bitcoin Core 31.0 running with privatebroadcast enabled.
- Transactions sent using the command senddrawtransaction.
- Tor available for outbound connections.
- Active direct connections to conventional internet, without additional network restrictions.
- BIP324 encrypted transport protocol enabled (default setting).
The project clarifies that standard wallet functions—such as sendtoaddress either sendall— do not use privatebroadcast and are not affected.
Bug fixes and interim measures
Bitcoin Core indicates that the fix will ship with version 31.1. Meanwhile, The organization recommends that affected users apply one of three measures: deactivate the function with privatebroadcast=0; disable the BIP324 encryption protocol with v2transport=0which implies that all node connections will operate without encryption; or redirect all outgoing conventional internet traffic through Tor, a solution that according to the project increases exposure to Sybil attacks.
The discovery of the error is attributed to Eugene Siegel, as stated in the official Bitcoin Core notice.
Until version 31.1 is available, the project maintains that no users of privatebroadcast you can assume that your IP address remains private to the node receiving the transaction.
The bug exposes a contradiction between what was promised in version 31.0 and the actual behavior of the software under adverse network conditions. Bitcoin Core acknowledges the ruling, attributes it to an unforeseen interaction between the BIP324 encrypted protocol and the connection retry mechanism, and is working on a fix. Meanwhile, the privacy of node operators who trust privatebroadcast It depends on provisional measures that, according to the project itself, introduce new security limitations.