Bitcoin Core disclosed on June 6, 2026 a privacy bug in version 31.0 of its node software that can cause the IP address of the computer from which a transaction is sent to be exposed to the receiving node. According to the official notice, the failure originates in a function designed precisely to protect that information.
The project notes that the error occurs when the node attempts to establish an encrypted connection with a peer on the conventional Internet (IPv4 or IPv6) and that connection fails. In that case, the software retries the connection unencrypted and without routing traffic through Tor, exposing the sender's real IP. The team warns that a malicious actor can deliberately cause such a failure to force the unprotected retry.
Bitcoin Core is the team of developers that maintains the reference software for running nodes on the Bitcoin network. Its repository has the most extensive history of security audits in the ecosystem and its vulnerability notices are closely followed by node operators, exchanges and institutional custodians.
The bug contradicts a guarantee published in the 31.0 release notes, where the project stated that the sender's IP address “would by no means be identified to receivers” when using the privatebroadcast feature. According to the notice, connections over networks such as Tor onion and I2P are not affected, since they remain protected even when the connection retry occurs.
Conditions affecting Bitcoin Core 31.0
The project specifies that the error is only triggered when all of the following conditions occur on the same node:
- Bitcoin Core 31.0 running with privatebroadcast enabled.
- Transactions sent using the sendrawtransaction command.
- Tor available for outbound connections.
- Active direct connections to the conventional internet, without additional network restrictions.
- BIP324 encrypted transport protocol enabled (default setting).
The project clarifies that standard wallet functions, such as sendtoaddress or sendall, do not use privatebroadcast and are not affected.
Bug fixes and interim measures
Bitcoin Core indicates that the fix will ship with version 31.1. In the meantime, the team recommends that affected users apply one of three measures: disable the feature with privatebroadcast=0; disable the BIP324 encryption protocol with v2transport=0, which means that all node connections will operate without encryption; or redirect all outgoing conventional internet traffic through Tor, a solution that according to the project increases exposure to Sybil attacks.
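The conditions and interim measures above, turned into a configuration check (an added example, not code from Bitcoin Core or from the notice). It reads only the two options the notice names; the function names, result strings, sample configs and the assumption that privatebroadcast is off unless set are this example's own.

```python
# Added example, not Bitcoin Core code: audit a bitcoin.conf against the notice.
AFFECTED_VERSION = "31.0"  # per the notice; the fix is announced for 31.1

def parse_conf(text):
    """Collect {option: [values]} for lines that apply to mainnet."""
    settings, section = {}, "main"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()           # e.g. [test], [signet]
        elif section == "main" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            settings.setdefault(key, []).append(value)
    return settings

def flag(settings, key, default):
    """Resolve a 0/1 option; None means duplicate entries that disagree."""
    states = {v != "0" for v in settings.get(key, [])}
    if len(states) > 1:
        return None
    return states.pop() if states else default

def audit(version, conf_text):
    s = parse_conf(conf_text)
    private = flag(s, "privatebroadcast", False)   # assumption: off unless set
    v2 = flag(s, "v2transport", True)              # on by default, per the notice
    if version != AFFECTED_VERSION:
        return "version-not-listed"
    if private is None or v2 is None:
        return "ambiguous-config"
    if not private:
        return "privatebroadcast-off"
    if not v2:
        return "v2transport-off"   # interim measure: all connections unencrypted
    # Config matches; sendrawtransaction use, Tor availability and direct
    # clearnet connections still have to be checked by the operator.
    return "config-matches-notice"

# Constructed samples (not taken from any real node).
EXPOSED = "privatebroadcast=1\n[test]\nv2transport=0  # testnet only\n"
MITIGATED = "privatebroadcast=1\nv2transport=0\n"
CONFLICT = "privatebroadcast=1\nprivatebroadcast=0\n"

if __name__ == "__main__":
    for name, conf in [("exposed", EXPOSED), ("mitigated", MITIGATED),
                       ("conflict", CONFLICT)]:
        print(name, audit("31.0", conf))
```

The first sample shows the case an operator is most likely to miss: v2transport=0 placed under a [test] section does not apply to mainnet, so the node still matches the notice.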
The discovery of the error is attributed to Eugene Siegel, as stated in the official Bitcoin Core notice.
Until version 31.1 is available, the project maintains that no user of privatebroadcast can assume that their IP address remains private from the node receiving the transaction.
The bug exposes a contradiction between what was promised in version 31.0 and the actual behavior of the software under adverse network conditions. Bitcoin Core acknowledges the failure, attributes it to an unforeseen interaction between the BIP324 encrypted protocol and the connection retry mechanism, and is working on a fix. In the meantime, the privacy of node operators who rely on privatebroadcast depends on provisional measures that, according to the project itself, introduce new security limitations.

