en | ja | es | cs | hi | zh | de | fr | pt

Bitcoin Optech Newsletter #383

Dec 5, 2025

This week’s newsletter describes a fixed vulnerability affecting the NBitcoin library. Also included are our regular sections summarizing discussion about changing Bitcoin’s consensus rules, announcing new releases and release candidates, and describing notable changes to popular Bitcoin infrastructure software.

News

● Consensus bug in NBitcoin library: Bruno Garcia posted to Delving Bitcoin about a theoretical consensus failure in NBitcoin that could occur when using OP_NIP. When the underlying array is at full capacity and _stack.Remove(-2)is called, the Remove operation deletes the item at index 14 and then attempts to shift the subsequent elements down. During this shift, the implementation may try to access _array[16], which does not exist, leading to an exception.

This bug was found through differential fuzzing, and since the failure was caught in a try/catch block it may never have been found with traditional fuzzing techniques. After finding the problem, Bruno Garcia reported it to Nicolas Dorier on October 23rd, 2025. On the same day, Nicolas Dorier confirmed the issue and opened a patch to resolve it. There is no known full node implementation using NBitcoin, so there is no risk of a chain split, which is why the disclosure was made quickly.

Changing consensus

A monthly section summarizing proposals and discussion about changing Bitcoin’s consensus rules.

● LNHANCE soft fork: Moonsettler proposes a soft fork for LNHANCE now that all four of its constituent opcodes have updated BIPs and reference implementations. BIP119 (OP_CHECKTEMPLATEVERIFY), BIP348 (OP_CHECKSIGFROMSTACK), BIP349 (OP_INTERNALKEY), and BIPs #1699 (OP_PAIRCOMMIT) add re-bindable signatures and multi-commitments to tapscript, and next transaction commitments to all Script versions. A similar tapscript-only opcode package including OP_TEMPLATEHASH was recently proposed and has similar capabilities, but without general multi-commitments and, being newer, is awaiting further feedback and review.
● Benchmarking The Varops Budget: Julian posted a call to action to benchmark Bitcoin script execution under the varops budget. The Script Restoration (see Newsletter #374) team asks that users run their benchmark and share the results from a wide variety of hardware and operating systems to confirm or improve the chosen varops parameters. In response to Russell O’Connor, Julian also clarified that the varops budget would be used instead of (not in addition to) the sigops budget in the new tapscript version.
● SLH-DSA (SPHINCS) post-quantum signature optimizations: Continuing the discussions around hardening Bitcoin against quantum computing, conduition presented his work on optimizing the SPHINCS signing algorithm. These optimizations require several megabytes of RAM and locally compiled shaders (highly optimized, cpu-specific machine code — either durably cached or computed on startup). Where applicable, the optimized SPHINCS signing and key generation operations are an order of magnitude faster than the previous state of the art and only two orders of magnitude slower than elliptic curve operations. More importantly, the optimized signature verification is approximately as fast as elliptic curve signature verification.

Releases and release candidates

New releases and release candidates for popular Bitcoin infrastructure projects. Please consider upgrading to new releases or helping to test release candidates.

● Core Lightning v25.12 is a release of this major LN implementation that adds BIP39 mnemonic seed phrases as the new default backup method, improves pathfinding, adds experimental JIT channels support, and many other features and bug fixes. Due to breaking database changes, this release includes a downgrade tool in case something goes wrong (see below for more information).
● LDK 0.2 is a major release of this library for building Lightning applications that adds support for splicing (experimental), serving and paying static invoices for async payments, zero-fee-commitment channels using ephemeral anchors as well as many other features, bug fixes, and API improvements.

Notable code and documentation changes

Notable recent changes in Bitcoin Core, Core Lightning, Eclair, LDK, LND, libsecp256k1, Hardware Wallet Interface (HWI), Rust Bitcoin, BTCPay Server, BDK, Bitcoin Improvement Proposals (BIPs), Lightning BOLTs, Lightning BLIPs, Bitcoin Inquisition, and BINANAs.

● Core Lightning #8728 fixes a bug that caused hsmd to crash when a user entered the wrong passphrase; it now properly handles this user error case and exits cleanly.
● Core Lightning #8702 adds a lightningd-downgrade tool that downgrades the database version from 25.12 to the previous 25.09 in case of an upgrade error.
● Core Lightning #8735 fixes a long-standing bug where some on-chain spends could disappear from CLN’s view during a restart. Upon startup, CLN rolls back the latest 15 blocks (by default), resets the spend height of UTXOs spent in those blocks to null, and then rescans. Previously, CLN failed to rewatch those UTXOs, which could cause CLN to keep relaying channel announcements that had already been closed, or to miss important on-chain spends. This PR ensures that these UTXOs are rewatched during startup and adds a one-time backward scan to recover any spends that were previously missed due to this bug.
● LDK #4226 begins validating the amount and CLTV fields of received trampoline onions against the outer onion. It also adds three new local failure reasons: TemporaryTrampolineFailure,TrampolineFeeOrExpiryInsufficient, and UnknownNextTrampoline as a first step towards supporting trampoline payment forwarding.
● LND #10341 fixes a bug where the same Tor onion address was duplicated in the node announcement and in the getinfo output whenever the hidden service was restarted. The PR ensures the createNewHiddenService function never duplicates an address.
● BTCPay Server #6986 introduces Monetization, which allows server admins to require a Subscription (see Newsletter #379) for user login. This feature enables ambassadors, Bitcoin users who onboard new users and merchants in local contexts, to monetize their work. There’s a default seven-day free trial period and a free starter plan; however, subscriptions are customizable. Existing users will not be automatically enrolled in a subscription, though they can be migrated later.
● BIPs #2015 adds test vectors to BIP54, the consensus cleanup proposal, by introducing a set of vectors for each of the four mitigations. The vectors are generated from the BIP54 implementation in Bitcoin Inquisition and a custom Bitcoin Core mining unit test, and are documented with instructions for their use in implementation and review. See Newsletter #379 for additional context.

Want more?

For more discussion about the topics mentioned in this newsletter, join us for the weekly Bitcoin Optech Recap on Riverside.fm at 17:30 UTC on December 9. The discussion is also recorded and will be available from our podcasts page.