BIP54.org

Bitcoin has four known vulnerabilities that have gone unfixed for 15 years. BIP54, "Consensus Cleanup", proposes four narrowly-scoped changes to address these issues in Bitcoin's consensus rules that date back to the original version of Bitcoin in 2009.

Executive Summary

These four flaws could allow for effectively breaking the network with 6 blocks per second, poison blocks that take over an hour to validate, forging transactions for SPV verifiers, and require computationally expensive handling of duplicate transactions. These issues have been discussed for 7 years and the fixes are now well-understood and narrowly scoped. These represent systemic risks to Bitcoin's security and decentralization that become more dangerous as Bitcoin's value and adoption grow.

The four vulnerabilities

Timewarp attack

Timewarp is an exploit of Bitcoin's difficulty adjustment algorithm that allows miners controlling a large amount of hashrate to increase how fast blocks are mined. The attack could render the network non-viable with 6 blocks per second, mine the remaining subsidy, and impact the ability of users to run a full node.

Technical details and fix

How the attack works

Bitcoin adjusts mining difficulty every 2,016 blocks to maintain an average 10-minute block time. However, the current difficulty adjustment compares the timestamps of the first and last block of a period, a span that covers only 2,015 block intervals.

This creates an "off-by-one" bug: the first block of a difficulty adjustment period is different from the last block of the previous period. Miners exploiting the timewarp attack manipulate this gap by:

  1. Setting the timestamp of the last block in each difficulty period to the maximum allowed value (up to 2 hours in the future)
  2. Setting the timestamp of the first block of the next period to the minimum allowed value (up to several hours in the past, constrained only by Median Time Past)

This timestamp manipulation makes each period appear to have taken longer than it actually did, causing difficulty to decrease. The attack can be repeated indefinitely with a compounding effect, progressively reducing difficulty to its minimum value.

Impact

Once difficulty reaches the minimum, a majority of hashrate could mine blocks as fast as the Median Time Past rule allows which is approximately six blocks per second. At this rate:

  • All remaining block subsidy could be mined in roughly 40 days
  • Bitcoin's controlled supply schedule would be destroyed
  • UTXO set growth, network bandwidth, and validation requirements would spike dramatically with faster blocks, forcing out nodes on consumer hardware and accelerating centralization
  • Timelock-based contracts would break, including Lightning Network channels, HTLCs (Hash Time Locked Contracts), and other protocols that rely on nLockTime, OP_CHECKLOCKTIMEVERIFY or OP_CHECKSEQUENCEVERIFY providing a stable measure of time. Accelerated block production would cause timelocks to expire much faster than intended, potentially allowing theft of funds
  • Transaction confirmation assumptions like "N confirmations = X minutes of security" would be broken, as confirmations would arrive orders of magnitude faster than expected

BIP54's fix

BIP54 prevents timewarp attacks by requiring a minimum timestamp for the first block in a difficulty period based on the timestamp of its predecessor, the last block of the prior difficulty period. This restriction on shifting the start of a difficulty period precludes the timestamp manipulation across period boundaries necessary for the timewarp attack.

The fix also includes a two-hour grace period after each difficulty adjustment to accommodate natural timestamp variation.

Variants

The Murch-Zawy timewarp variant circumvents the above rule by setting the end timestamps of 2 difficulty periods several weeks into the future to achieve a greater decrease in difficulty by the time the chain is accepted. To ensure the chain is eventually accepted by the wider network and doesn't always have timestamps too far in the future, this attack has to alternate with 1 difficulty period which is closer to the real time, thereby increasing the difficulty momentarily. It therefore takes longer to drain the subsidy.

BIP54 also addresses this variant through requiring that the timestamp of the last block in a difficulty period must be greater than (or equal to) the timestamp of the first block in the same period.

Since in any case, nodes will follow the chain with most cumulative PoW, the attacks above both require 51% control of hashrate. Even if blocks were produced at a higher rate in one fork, the preference for highest cumulative PoW still imposes this constraint on an attacker. These new rules limit the damage that can be inflicted, should an attacker control 51% of the hashrate during a few weeks/months.

Read more: "The timewarp attack" from BitMEX Research

Hard to validate blocks

A well-prepared attacker can create specially-crafted "poison blocks" that take more than an hour to verify on certain computers, allowing for various denial-of-service attacks.

Technical details and fix

The problem

Legacy Bitcoin transactions (pre-segwit) can be specially crafted to artificially increase their validation times. Various techniques may be used to exploit improper resource usage limits and quadratic behaviour in validation of pre-segwit Bitcoin Script.

An attacker can exploit this to create blocks that can take several hours to validate on lower-end hardware, even though it is valid according to current consensus rules. A variation of this attack is for a miner to delay its competition with blocks that take under a minute to validate but are significantly cheaper to create, to systematically delay its competition.

While most experts would be able to figure out how to create hard-to-validate blocks, details have been discussed in a private Delving Bitcoin thread out of an abundance of caution. A demo was performed on the Signet test network in March 2026.

Attack scenarios

  • Denial of service due to nodes spending excessive time validating malicious blocks fall behind the chain tip, making them vulnerable to eclipse attacks or causing them to be partitioned from the network
  • Longer block validation and propagation times increase stale rate, disproportionately advantaging larger miners at the expense of smaller ones
  • Prohibitive block validation times may:
    • incentivize miners to skip it in favour of non-technical enforcement mechanisms (typically, through legal contracts)
    • Push out node operators using less performant hardware

BIP54's fix

BIP54 introduces a per-transaction limit of 2,500 legacy sigops. This is a conservative limit since normal transactions use far fewer sigops. Even then, reaching this limit requires a transaction that deliberately inflates validation costs, which is the behavior this fix aims to prevent. The limit does not apply to segwit transactions, which represent 90% of today's traffic, since they are by definition not affected by this issue.

The fix reduces worst-case block validation time by approximately 40x while minimizing the risk of confiscating coins locked in unusual legacy scripts. Bitcoin Core has already made transactions exceeding this limit non-standard as a forward-compatibility measure, meaning miners running Bitcoin Core will not include these transactions in their blocks by default.

Read more: "Attack Blocks" from BitMEX Research

Forging confirmed transactions

A carefully-constructed Bitcoin transaction makes it possible to trick SPV verifiers (including SPV wallet users) into accepting what looks like a transaction that's part of the most proof-of-work chain but which is not actually part of the chain and which has never been verified by a full node.

Technical details and fix

The vulnerability

Bitcoin's merkle tree implementation has a flaw in that a 64-byte transaction has exactly the same size as an internal merkle tree node (two 32-byte hashes concatenated). An attacker can construct a transaction whose serialized form is identical to a merkle tree node, allowing them to forge merkle proofs.

How the attack works

Simplified Payment Verification (SPV) verifiers don't download or validate full blocks. Instead, they verify that a transaction is included in a block by checking a merkle proof, a path of hashes from the transaction up to the merkle root in the block header.

By crafting a 64-byte transaction that matches an internal merkle node hash, an attacker can:

  1. Create an arbitrarily-sized fake transaction that appears to have valid proof-of-work behind it
  2. Present a merkle proof to an SPV verifier showing this "transaction" is confirmed
  3. Trick the wallet or verifier into accepting payment that was never actually validated by any full node

The attacker doesn't need to mine blocks or perform expensive proof-of-work. They do need however to perform about 70 bits of work to construct a malicious merkle tree structure and present it to the victim's SPV wallet/verifier.

Impact on SPV wallets and verifiers

This vulnerability undermines the security model of SPV verification and lightweight wallets. While no known real-world losses have occurred, the attack is theoretically sound and exploitable. SPV verifiers are used in various contexts including mobile wallets and other resource-constrained environments as well as by side-systems to validate deposits, making this a concern for Bitcoin's usability and security.

BIP54's fix

BIP54 takes a straightforward approach: make all 64-byte transactions invalid at the consensus level. This prevents anyone from creating transactions that could be confused with internal merkle tree nodes.

This fix is safe because any 64-byte transaction is necessarily insecure: it must contain at most one output, which must either burn the coins or be spendable by anyone. The practical impact is minimal as such transactions are inherently unsafe to use.

The related BIP53 formally specifies the 64-byte transaction ban, which is incorporated into BIP54's broader consensus cleanup.

Read more: "64 Byte Transactions" from BitMEX Research

Duplicate transactions

Bitcoin's consensus rules use transaction IDs to uniquely identify transactions, so duplicate transactions can cause unwanted behavior including loss of funds and other attack vectors.

Technical details and fix

Historical incidents

In Bitcoin's early history, identical coinbase transactions were actually mined in two separate pairs of blocks:

  • Blocks 91,722 and 91,880 (same coinbase transaction)
  • Blocks 91,812 and 91,842 (same coinbase transaction)

When the second block in each pair was mined, the UTXO from the first block was effectively destroyed. The coins became unspendable because the UTXO database only keeps one entry per transaction ID. This resulted in permanent loss of 100 BTC (50 BTC from each duplicate).

Why this was possible

Early Bitcoin had no mechanism to ensure coinbase transactions were unique. Miners could create identical coinbase transactions in different blocks, producing the same transaction ID. Since Bitcoin's UTXO set uses transaction IDs as part of the keys, the second occurrence would overwrite the first, destroying the earlier coins.

Additionally, Bitcoin's design assumption that transaction IDs uniquely identify transactions breaks down when duplicates exist, creating potential consensus failures and attack vectors.

BIP30 fixes the vulnerability

BIP30 (activated in 2012) fixed this vulnerability by requiring that new transactions cannot have the same ID as an existing transaction whose outputs haven’t all been spent. This is a stopgap to prevent duplicate coinbase transactions from overwriting existing UTXOs. However, BIP30 requires computationally unnecessary overhead for enforcement for every block. Additionally, alternative full-validation models being explored, like Utreexo, may not be able to perform BIP30 validation at all.

BIP34 (activated in 2013) required coinbase transactions to include the block height in their coinbase field (similar to scriptSig, with different rules), which made coinbase transactions effectively unique. This allowed nodes to skip the expensive BIP30 checks in most cases.

However, BIP34 has a known gap: some early coinbase transactions happened to contain data that matches valid future block heights, meaning BIP30 checks would need to be re-enabled around block 2,000,000 (approximately year 2047).

Why BIP30 needs improvement

While BIP30 successfully prevents duplicate transactions, it has two inefficiencies. First, the checks are computationally expensive. Second, BIP34's gap means that around block 2,000,000, nodes would need to re-enable full BIP30 validation for every block.

BIP54's improvement

BIP54 improves the BIP34 fix to BIP30 by requiring coinbase transactions to set their nLockTime field to the block height minus 1. Since nLockTime is currently unused in coinbase transactions, this adds transaction uniqueness without disrupting existing uses.

This requirement ensures that every coinbase transaction will be unique by construction, closing the BIP34 gap and allowing nodes to permanently skip expensive BIP30 checks. Bitcoin Core's internal miner has already been updated to implement this requirement.

Read more: "Bitcoin's Duplicate Transactions" from BitMEX Research

FAQ

Why do BIP54 now?

These vulnerabilities have existed since Bitcoin's launch in 2009. While none are known to have been exploited on mainnet yet, they represent systemic risks to Bitcoin's security and decentralization. The timewarp attack could allow a majority of hashrate to mine all remaining block subsidy in just 40 days. Slow-to-validate blocks create denial-of-service attack vectors and centralization pressure. The merkle tree vulnerability enables attacks on SPV verifiers, and duplicate transactions risk is mitigated by BIP30 but BIP54 significantly improves that fix.

These issues have been discussed for 7 years and BIP54 has been refined over two years of research and community discussion since Antoine Poinsot revived Matt Corallo's 2019 proposal. The fixes are now well-understood, narrowly scoped, and have test vectors and implementation code ready. Waiting longer only increases the window during which these vulnerabilities could be exploited.

Is BIP54 safe? Could it break existing uses of Bitcoin?

BIP54 is designed to be a safe soft fork that minimizes disruption to existing Bitcoin usage. The proposal has been carefully refined to avoid confiscating coins or breaking legitimate use cases:

  • 64-byte transaction ban: Only affects a very specific edge case. Any 64-byte transaction is necessarily insecure as it must contain at most one output that either burns coins or is spendable by anyone.
  • Legacy sigops limit: The 2,500 sigops per transaction limit is set conservatively high. Normal transactions use far fewer sigops, and Bitcoin Core has already made transactions exceeding this limit non-standard as a forward-compatibility measure. Any transaction that would hit this limit may be split into multiple transactions that don't, ensuring that no UTXO is directly made unspendable.
  • Timewarp fix: Only constrains timestamps at difficulty period boundaries. Normal mining operations are unaffected, and the fix includes a grace period as a belt-and-suspenders safety measure.
  • Coinbase locktime requirement: Miners simply set the coinbase locktime field, whose usage is currently unspecified. This change is already implemented in Bitcoin Core's internal miner and is in the process of being adopted by mining pools.
What objections to BIP54 remain?

The main remaining objections center on the coinbase locktime requirement and the 64-byte transaction ban:

  • Coinbase locktime: Some argue that requiring coinbase transactions to set nLockTime to the block height reduces miner flexibility, as this field could otherwise be used as extra nonce space. Proponents counter that miners have other nonce sources available and that improving the existing fix against duplicate coinbase transactions is more important.
  • 64-byte transaction invalidation: Some suggest alternative approaches like introducing a whole new merkle tree that would allow 64-byte transactions. However, these alternatives would require more invasive consensus changes, while the simple ban affects virtually no real-world usage.

Overall, BIP54 is considered relatively uncontroversial compared to other soft fork proposals, as it addresses clear vulnerabilities without enabling new functionality that might have uncertain implications. Discussion continues on Delving Bitcoin.

What would an average user have to do if BIP54 activates?

Nothing. BIP54 is a soft fork that activates at the consensus layer and requires no action from average Bitcoin users:

  • Wallet users: No action required. Your wallet will continue to work normally. The changes don't affect how you send, receive, or store bitcoin.
  • Node operators: Upgrading to a version of Bitcoin Core (or other node software) that includes BIP54 is recommended but not required. Non-upgraded nodes will still follow the chain and see all transactions, though they won't enforce the new rules themselves.
  • Transactions: You don't need to do anything different. Normal transactions are completely unaffected by BIP54's changes.

The fixes happen in the background to make Bitcoin more secure and robust.

What will happen to Bitcoin if we don't do BIP54?

Bitcoin would continue to carry known vulnerabilities that could be exploited:

  • Timewarp attack risk: A mining majority could manipulate block timestamps to reduce difficulty and mine blocks far faster than intended, potentially destabilizing Bitcoin's monetary policy and crippling the network in the process.
  • Denial-of-service exposure: Attackers could create slow to validate blocks that would skew miner incentive and raise the bar to join the network and perform full validation.
  • SPV verifier vulnerability: The 64-byte transaction issue allows attackers to forge merkle proofs, tricking SPV verifiers (wallets, side systems) into accepting transactions that don't exist on the main chain.
  • Duplicate transaction burden: Around block 2 million, preventing duplicate transaction imposes an additional burden on block validation and precludes alternative full node designs (like Utreexo).

These represent exploitable attack vectors that become more dangerous as Bitcoin's value and adoption grow.

Why not covenants first?

BIP54 and covenant proposals (like OP_CTV, OP_CAT, or other script upgrades) serve completely different purposes and are not mutually exclusive:

  • BIP54 fixes vulnerabilities that already exist in Bitcoin. These are security issues that need to be addressed regardless of what new features are added.
  • Covenants add new functionality to enable advanced smart contracts, vaults, payment pools, and other features that don't currently exist in Bitcoin.

The "covenants first" argument essentially suggests leaving known security holes open while debating the design space for new features. It is up to the community to determine if security fixes should be prioritized independently of feature additions. Additionally, BIP54 is much less controversial than covenant designs, making it a more straightforward path to consensus.

There's no technical reason these can't proceed in parallel or in either order. The Bitcoin community can work on both.

Testnet4 has these consensus cleanup fixes and keeps breaking. Does that mean BIP54 is broken?

No. The testnet4 test network includes some consensus cleanup rules (portions of the timewarp fix, but not the fix against the Murch-Zawy attack), but testnet breakage is unrelated to those rules. Test networks are meant to be disposable environments where developers can experiment without the constraints of mainnet.

Importantly, testnet4 has special difficulty adjustment rules that don't exist on mainnet: if no block is found for 20 minutes, difficulty resets to minimum. This testnet-specific rule creates instability and disruption that wouldn't occur on Bitcoin mainnet, where difficulty adjustments follow strict 2,016-block periods.

The timewarp fix on testnet4 has worked as intended. When testnet4 has reset or experienced issues, these have been due to other factors like the 20-minute difficulty reset rule, low hashrate, difficulty gaming, or intentional stress testing, not failures of the consensus cleanup rules themselves.

BIP54's implementation on Bitcoin Inquisition (on the signet test network) provides a more controlled testing environment with comprehensive test vectors covering all the edge cases.

What about quantum?

Quantum computing resistance is a separate concern from the vulnerabilities BIP54 addresses. BIP54 is about fixing specific bugs and attack vectors in Bitcoin's existing consensus rules: timewarp, slow validation, merkle tree exploits, and duplicate transactions.

Quantum-resistant cryptography would require a different set of changes (possibly a new address format and signature algorithm) and is still an area of active research. The timeline for quantum computers threatening Bitcoin's elliptic curve cryptography is uncertain.

BIP54 should be evaluated on its own merits as a security upgrade. It neither helps nor hinders future quantum resistance efforts, and there's no reason to delay fixing known vulnerabilities while waiting for quantum-resistant proposals to mature.

Is BIP54 a hard fork or a soft fork?

BIP54 is a soft fork which is a backwards-compatible Bitcoin consensus change. After activation, nodes that haven't upgraded will still follow the chain and recognize blocks as valid, though they won't enforce the new rules themselves. Soft forks only tighten the consensus rules; they don't expand what's considered valid.

How would BIP54 activate?

The activation mechanism for BIP54 has not yet been finalized. Previous Bitcoin soft forks have used mechanisms like BIP9 (version bits with miner signaling), BIP8 (user-activated soft fork with optional miner signaling), or combinations thereof.

The activation debate is separate from the technical merits of the proposal itself. Once there is rough consensus on the changes BIP54 proposes, the community will need to agree on an activation method that balances user activation, miner coordination, and network safety.

How can I help with BIP54?

There are several ways to contribute:

  • Review the proposal: Read BIP54 and provide technical feedback on the Delving Bitcoin thread.
  • Test the implementation: Run Bitcoin Inquisition on signet and test BIP54's behavior with the provided test vectors.
  • Educate others: Share information about BIP54's goals and benefits.
  • Miner outreach: If you operate mining infrastructure or know people who do, ensure they understand the forward-compatibility requirements (especially the coinbase locktime changes).
  • Improve this website: If you have a suggestion or improvement, see this website's repository on GitHub.

Timeline

In progress

Future

History

2026

2025

2024

2020

2019

Resources

Summaries

Specification

Mailing list posts

Technical discussion

Implementation

Bitcoin Stack Exchange

Podcasts & presentations