Bitcoin Core disclosed on June 6, 2026 a privacy bug in version 31.0 of its node software, which can cause the IP address of the computer from which a transaction is sent to be exposed to the receiving node. According to the official notice, the failure originates in a function designed precisely to protect that information.
The project notes that the error occurs when the node attempts to establish an encrypted connection with a peer on the conventional Internet (IPv4 or IPv6) and that connection fails. In that case, the software retries the connection unencrypted and without routing traffic through Tor, exposing the sender’s real IP. The team warns that a malicious actor can deliberately cause such a failure to force the unprotected retry.
Bitcoin Core is the team of developers that maintains the reference software for running nodes on the Bitcoin network. Its repository has the largest history of security audits in the ecosystem and its vulnerability notices are closely followed by node operators, exchanges and institutional custodians.
The bug contradicts a guarantee published in the 31.0 release notes, where the project stated that the sender’s IP address “would by no means be identified to receivers” when using the privatebroadcast feature. According to the notice, connections over networks such as Tor onion and I2P are not affected, since they remain protected even when the connection retry occurs.
Conditions affecting Bitcoin Core 31.0
The project specifies that the error is only triggered when all of the following conditions occur in the same node:
- Bitcoin Core 31.0 running with privatebroadcast enabled.
- Transactions sent using the sendrawtransaction command.
- Tor available for outbound connections.
- Active direct connections to the conventional Internet, without additional network restrictions.
- BIP324 encrypted transport protocol enabled (default setting).
The project clarifies that standard wallet functions, such as sendtoaddress or sendall, do not use privatebroadcast and are not affected.
Bug fixes and interim measures
Bitcoin Core indicates that the fix will ship with version 31.1. Meanwhile, the team recommends that affected users apply one of three measures: deactivate the function with privatebroadcast=0; disable the BIP324 encryption protocol with v2transport=0, which means that all node connections will operate without encryption; or redirect all outgoing conventional Internet traffic through Tor, a solution that according to the project increases exposure to Sybil attacks.
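The conditions and interim measures listed above can be checked against a node's configuration file. The following is an added example, not code from Bitcoin Core or from the notice; the function names and sample configurations are hypothetical, and it assumes that privatebroadcast is off unless set and that a `proxy=` line points at Tor.

```python
# Added example: audit bitcoin.conf text against the affected profile in the notice.
# Assumptions: Tor reachability and sendrawtransaction use are invisible in the file,
# so both are treated as true; privatebroadcast is assumed off unless set;
# `proxy=` is assumed to point at Tor's SOCKS port.
KNOWN = ("privatebroadcast", "v2transport", "proxy")

def parse_conf(text, network="main"):
    """Collect option values from the global part and the [network] section."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif line and section in (None, network):
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if key.startswith("no") and key[2:] in KNOWN:  # nofoo=1 means foo=0
                key, value = key[2:], "1" if value == "0" else "0"
            opts.setdefault(key, []).append(value)
    return opts

def enabled(opts, key, default):
    """Conservative for an audit: any enabling occurrence counts as enabled."""
    values = opts.get(key)
    return default if values is None else any(v != "0" for v in values)

def assess(conf_text, version):
    """Return (affected, per-condition detail) for one node's configuration."""
    opts = parse_conf(conf_text)
    # Every proxy line must name a proxy for clearnet traffic to count as routed.
    proxied = all(v not in ("", "0") for v in opts.get("proxy", [""]))
    conditions = {
        "version 31.0": version == "31.0",
        "privatebroadcast enabled": enabled(opts, "privatebroadcast", False),
        "BIP324 v2transport enabled": enabled(opts, "v2transport", True),
        "direct clearnet outbound": not proxied,
    }
    return all(conditions.values()), conditions

# Constructed sample configurations (not taken from any real node).
SAMPLE_AFFECTED = "privatebroadcast=1\nonion=127.0.0.1:9050  # Tor for onion peers only\n"
SAMPLE_V1_ONLY = "privatebroadcast=1\nnov2transport=1\n"
SAMPLE_PROXIED = "privatebroadcast=1\nproxy=127.0.0.1:9050\n[test]\nproxy=0\n"

if __name__ == "__main__":
    for name in ("SAMPLE_AFFECTED", "SAMPLE_V1_ONLY", "SAMPLE_PROXIED"):
        affected, detail = assess(globals()[name], "31.0")
        failed = [c for c, ok in detail.items() if not ok]
        print(f"{name}: {'AFFECTED' if affected else 'not affected'} {failed}")
```

Command-line overrides and network-prefixed keys are not covered by this check, so a result of "not affected" applies only to what the file itself sets.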
The discovery of the error is attributed to Eugene Siegel, as stated in the official Bitcoin Core notice.
Until version 31.1 is available, the project maintains that no users of privatebroadcast can assume that their IP address remains private to the node receiving the transaction.
The bug exposes a contradiction between what was promised in version 31.0 and the actual behavior of the software under adverse network conditions. Bitcoin Core acknowledges the failure, attributes it to an unforeseen interaction between the BIP324 encrypted protocol and the connection retry mechanism, and is working on a fix. Meanwhile, the privacy of node operators who rely on privatebroadcast depends on provisional measures that, according to the project itself, introduce new security limitations.
