Timewarp is an exploit of Bitcoin's difficulty adjustment
algorithm that allows miners controlling a large amount of
hashrate to increase how fast blocks are mined. The
attack could render the network non-viable with 6 blocks per
second, mine the remaining subsidy, and impact the
ability of users to run a full node.
Technical details and fix
How the attack works
Bitcoin adjusts mining difficulty every 2,016
blocks to maintain an average 10-minute block time.
However, the current difficulty adjustment compares
the timestamps of the first and last block of a period,
a span that covers only 2,015 block intervals.
This creates an "off-by-one"
bug: the first block of a difficulty adjustment
period is different from the last block of the previous
period. Miners exploiting the timewarp attack manipulate
this gap by:
- Setting the timestamp of the last
block in each difficulty period to the
maximum allowed value (up to 2 hours in the
future)
- Setting the timestamp of the first
block of the next period to the minimum
allowed value (up to several hours in the past,
constrained only by Median
Time Past)
This timestamp manipulation makes each period
appear to have taken longer than it actually did,
causing difficulty to decrease. The attack can be
repeated indefinitely with a compounding effect,
progressively reducing difficulty to its minimum value.
Impact
Once difficulty reaches the minimum, a majority
of hashrate could mine blocks as fast as the Median
Time Past rule allows which is approximately six
blocks per second. At this rate:
- All remaining block subsidy could be mined
in roughly 40 days
- Bitcoin's controlled supply schedule would
be destroyed
- UTXO set growth, network bandwidth, and
validation requirements would spike dramatically
with faster blocks, forcing out nodes on
consumer hardware and accelerating
centralization
- Timelock-based contracts would break,
including Lightning Network channels, HTLCs
(Hash Time Locked Contracts), and other
protocols that rely on
nLockTime,
OP_CHECKLOCKTIMEVERIFY or
OP_CHECKSEQUENCEVERIFY providing a
stable measure of time. Accelerated block
production would cause timelocks to expire much
faster than intended, potentially allowing theft
of funds
- Transaction confirmation assumptions like "N
confirmations = X minutes of security" would be
broken, as confirmations would arrive orders of
magnitude faster than expected
BIP54's fix
BIP54 prevents timewarp attacks by requiring a
minimum timestamp for the first block in a
difficulty period based on the timestamp of its
predecessor, the last block of the prior difficulty
period. This restriction on shifting the start of a
difficulty period precludes the timestamp
manipulation across period boundaries necessary for
the timewarp attack.
The fix also includes a two-hour grace period
after each difficulty adjustment to accommodate
natural timestamp variation.
Variants
The Murch-Zawy
timewarp variant circumvents the above
rule by setting the end timestamps of 2 difficulty
periods several weeks into the future to achieve a
greater decrease in difficulty by the time the chain
is accepted. To ensure the chain is eventually
accepted by the wider network and doesn't always
have timestamps too far in the future, this attack
has to alternate with 1 difficulty period which is
closer to the real time, thereby increasing the
difficulty momentarily. It therefore takes longer to
drain the subsidy.
BIP54 also addresses this variant through
requiring that the timestamp of the last block in a
difficulty period must be greater than (or equal to)
the timestamp of the first block in the same
period.
Since in any case, nodes will follow the chain
with most cumulative PoW, the attacks above both
require 51% control of hashrate. Even if blocks were
produced at a higher rate in one fork, the
preference for highest cumulative PoW still imposes
this constraint on an attacker. These new rules
limit the damage that can be inflicted, should an
attacker control 51% of the hashrate during a few
weeks/months.
Read more: "The
timewarp attack" from BitMEX Research
A well-prepared attacker can create specially-crafted
blocks that take more than an hour to verify on
certain computers allowing for various denial-of-service
attacks.
Technical details and fix
The problem
Legacy Bitcoin transactions (pre-segwit) can be
specially crafted to artificially increase their
validation times. Various techniques may be used to
exploit improper resource usage limits and quadratic
behaviour in validation of pre-segwit Bitcoin Script.
An attacker can exploit this to create blocks that
can take several hours to validate on
lower-end hardware, even though it is valid according
to current consensus rules. A variation of this attack
is for a miner to delay its competition with blocks that
take under a minute to validate but are significantly
cheaper to create, to systematically delay its competition.
While most experts would be able to figure out how
to create hard-to-validate blocks, details have been
discussed in a private Delving Bitcoin thread out of
an abundance of caution. A
demo was performed on the Signet test network in
March 2026.
Attack scenarios
- Denial of service due to nodes spending
excessive time validating malicious blocks fall
behind the chain tip, making them vulnerable to
eclipse attacks or causing them to be
partitioned from the network
- Longer block validation and propagation times
increase stale rate, disproportionately advantaging
larger miners at the expense of smaller ones
- Prohibitive block validation times may:
- incentivize miners to skip it in favour of non-technical enforcement
mechanisms (typically, through legal contracts)
- Push out node operators using less performant hardware
BIP54's fix
BIP54 introduces a per-transaction limit
of 2,500 legacy sigops. This is a
conservative limit since normal transactions use far
fewer sigops. Even then, reaching this limit
requires a transaction that deliberately inflates
validation costs, which is the behavior this fix
aims to prevent. The limit does not apply to segwit
transactions, which represent 90% of today's traffic,
since they are by definition not affected by this issue.
The fix reduces worst-case block validation time
by approximately 40x while
minimizing the risk of confiscating coins locked in
unusual legacy scripts. Bitcoin Core has already
made transactions exceeding this limit non-standard
as a forward-compatibility measure, meaning miners
running Bitcoin Core will not include these transactions
in their blocks by default.
Read more: "Attack Blocks" from BitMEX Research
A carefully-constructed Bitcoin transaction makes it
possible to trick SPV verifiers (including SPV wallet
users) into accepting what looks like a transaction that's
part of the most proof-of-work chain but which is not
actually part of the chain and which has never been verified
by a full node.
Technical details and fix
The vulnerability
Bitcoin's merkle tree implementation has a flaw
in that a 64-byte transaction has exactly the same
size as an internal merkle tree node (two 32-byte
hashes concatenated). An attacker can construct a
transaction whose serialized form is identical to a
merkle tree node, allowing them to forge merkle
proofs.
How the attack works
Simplified Payment Verification (SPV) verifiers
don't download or validate full blocks. Instead,
they verify that a transaction is included in a
block by checking a merkle proof, a path of hashes
from the transaction up to the merkle root in the
block header.
By crafting a 64-byte transaction that matches an
internal merkle node hash, an attacker can:
- Create an arbitrarily-sized fake transaction that appears to
have valid proof-of-work behind it
- Present a merkle proof to an SPV verifier
showing this "transaction" is confirmed
- Trick the wallet or verifier into accepting
payment that was never actually validated by any
full node
The attacker doesn't need to mine blocks or
perform expensive proof-of-work. They do need
however to perform about 70 bits of work to
construct a malicious merkle tree structure and
present it to the victim's SPV wallet/verifier.
Impact on SPV wallets and verifiers
This vulnerability undermines the security model
of SPV verification and lightweight wallets. While
no
known real-world losses have occurred, the
attack is theoretically sound and exploitable. SPV
verifiers are used in various contexts including
mobile wallets and other resource-constrained
environments as well as by side-systems to validate
deposits, making this a concern for Bitcoin's
usability and security.
BIP54's fix
BIP54 takes a straightforward approach:
make all 64-byte transactions
invalid at the consensus level. This
prevents anyone from creating transactions that
could be confused with internal merkle tree
nodes.
This fix is safe because any 64-byte transaction
is necessarily insecure: it must contain at most one
output, which must either burn the coins or be
spendable by anyone. The practical impact is minimal
as such transactions are inherently unsafe to
use.
The related BIP53
formally specifies the 64-byte transaction ban,
which is incorporated into BIP54's broader consensus
cleanup.
Read more: "64
Byte Transactions" from BitMEX Research
Bitcoin's consensus rules use transaction IDs to uniquely
identify transactions, so duplicate transactions
can cause unwanted behavior including loss of funds and
other attack vectors.
Technical details and fix
Historical incidents
In Bitcoin's early history, identical
coinbase transactions were actually mined in two
separate pairs of blocks:
- Blocks 91,722 and 91,880 (same coinbase
transaction)
- Blocks 91,812 and 91,842 (same coinbase
transaction)
When the second block in each pair was mined, the
UTXO from the first block was effectively destroyed.
The coins became unspendable because the UTXO
database only keeps one entry per transaction ID.
This resulted in permanent loss of 100 BTC (50 BTC
from each duplicate).
Why this was possible
Early Bitcoin had no mechanism to ensure coinbase
transactions were unique. Miners could create
identical coinbase transactions in different blocks,
producing the same transaction ID. Since Bitcoin's
UTXO set uses transaction IDs as part of the keys,
the second occurrence would overwrite the first,
destroying the earlier coins.
Additionally, Bitcoin's design assumption that
transaction IDs uniquely identify transactions
breaks down when duplicates exist, creating
potential consensus failures and attack vectors.
BIP30 fixes the vulnerability
BIP30
(activated in 2012) fixed this vulnerability by
requiring that new transactions cannot have the same
ID as an existing transaction whose outputs haven’t
all been spent. This is a stopgap to prevent
duplicate coinbase transactions from overwriting
existing UTXOs. However, BIP30 requires
computationally unnecessary overhead for enforcement
for every block. Additionally, alternative
full-validation models being explored, like Utreexo,
may not be able to perform BIP30 validation at
all.
BIP34
(activated in 2013) required coinbase transactions
to include the block height in their coinbase field
(similar to scriptSig, with different rules), which
made coinbase transactions effectively unique. This
allowed nodes to skip the expensive BIP30 checks in
most cases.
However, BIP34 has a known gap: some early
coinbase transactions happened to contain data that
matches valid future block heights, meaning BIP30
checks would need to be re-enabled around
block 2,000,000 (approximately year
2047).
Why BIP30 needs improvement
While BIP30 successfully prevents duplicate
transactions, it has two inefficiencies. First, the
checks are computationally expensive. Second,
BIP34's gap means that around block 2,000,000, nodes
would need to re-enable full BIP30 validation for
every block.
BIP54's improvement
BIP54 improves the BIP34 fix to BIP30 by
requiring coinbase transactions to set their
nLockTime field to the block height minus
1. Since nLockTime is currently unused in
coinbase transactions, this adds transaction
uniqueness without disrupting existing uses.
This requirement ensures that every coinbase
transaction will be unique by construction, closing
the BIP34 gap and allowing nodes to permanently skip
expensive BIP30 checks. Bitcoin Core's internal
miner has already been updated to implement this
requirement.
Read more: "Bitcoin's
Duplicate Transactions" from BitMEX Research
These vulnerabilities have existed since Bitcoin's launch in
2009. While none are known to have been exploited on mainnet yet,
they represent systemic risks to Bitcoin's security and
decentralization. The timewarp attack could
allow a majority of hashrate to mine all remaining block subsidy in
just 40 days. Slow-to-validate
blocks create denial-of-service attack vectors and
centralization pressure. The merkle
tree vulnerability enables attacks on SPV verifiers, and duplicate transactions risk is
mitigated by BIP30 but BIP54 significantly improves that fix.
These issues have been discussed for 7 years and BIP54 has been
refined over two years of research and community discussion since Antoine
Poinsot revived Matt
Corallo's 2019 proposal. The fixes are now well-understood,
narrowly scoped, and have test
vectors and implementation code ready. Waiting longer only
increases the window during which these vulnerabilities could be
exploited.
BIP54 is designed to be a safe soft
fork that minimizes disruption to existing Bitcoin usage. The
proposal has been carefully refined to avoid confiscating coins or
breaking legitimate use cases:
- 64-byte transaction ban: Only affects a
very specific edge case. Any 64-byte transaction is necessarily
insecure as it must contain at most one output that either burns
coins or is spendable by anyone.
- Legacy sigops limit: The 2,500 sigops per
transaction limit is set conservatively high. Normal
transactions use far fewer sigops, and Bitcoin Core has already
made transactions exceeding this limit non-standard
as a forward-compatibility measure. Any transaction that would
hit this limit may be split into multiple transactions that don't,
ensuring that no UTXO is directly made unspendable.
- Timewarp fix: Only constrains timestamps at
difficulty period boundaries. Normal mining operations are
unaffected, and the fix includes a grace period as a
belt-and-suspenders safety measure.
- Coinbase locktime requirement: Miners
simply set the coinbase locktime field, whose usage is currently
unspecified. This change is already implemented in Bitcoin
Core's internal miner and is in the process of being
adopted by mining pools.
The main remaining objections center on the coinbase locktime
requirement and the 64-byte transaction ban:
- Coinbase locktime: Some argue that
requiring coinbase transactions to set nLockTime to the block
height reduces miner flexibility, as this field could otherwise
be used as extra nonce space. Proponents
counter that miners have other nonce sources available and
that improving the existing fix against duplicate coinbase
transactions is more important.
- 64-byte transaction invalidation: Some
suggest
alternative approaches like introducing a whole new
merkle tree that would allow 64-byte transactions. However,
these alternatives would require more invasive consensus
changes, while the simple ban affects virtually no real-world
usage.
Overall, BIP54 is considered relatively uncontroversial compared
to other soft fork proposals, as it addresses clear vulnerabilities
without enabling new functionality that might have uncertain
implications. Discussion continues on Delving
Bitcoin.
Bitcoin would continue to carry known vulnerabilities that could
be exploited:
- Timewarp attack risk: A mining majority could
manipulate block timestamps to reduce difficulty and mine blocks
far faster than intended, potentially destabilizing Bitcoin's monetary
policy and crippling the network in the process.
- Denial-of-service exposure: Attackers could
create slow to validate blocks that would skew miner incentive
and raise the bar to join the network and perform full validation.
- SPV verifier vulnerability: The 64-byte
transaction issue allows attackers to forge merkle proofs,
tricking SPV verifiers (wallets, side systems) into accepting
transactions that don't exist on the main chain.
- Duplicate transaction burden: Around block
2 million, preventing duplicate transaction imposes an additional
burden on block validation and precludes alternative full node
designs (like Utreexo).
These represent exploitable attack vectors that become more
dangerous as Bitcoin's value and adoption grow.
BIP54 and covenant proposals (like OP_CTV, OP_CAT, or other
script upgrades) serve completely different purposes and are not
mutually exclusive:
- BIP54 fixes vulnerabilities that already
exist in Bitcoin. These are security issues that need to be
addressed regardless of what new features are added.
- Covenants add new functionality to enable
advanced smart contracts, vaults, payment pools, and other
features that don't currently exist in Bitcoin.
The "covenants first" argument essentially suggests leaving known
security holes open while debating the design space for new
features. It is up to the community to determine if security fixes
should be prioritized independently of feature additions.
Additionally, BIP54 is much less controversial than covenant
designs, making it a more straightforward path to consensus.
There's no technical reason these can't proceed in parallel or in
either order. The Bitcoin community can work on both.
No. The testnet4
test network includes some consensus cleanup rules
(portions of the timewarp fix, but not the fix against the
Murch-Zawy attack), but testnet breakage is unrelated to those
rules. Test networks are meant to be disposable environments where
developers can experiment without the constraints of mainnet.
Importantly, testnet4 has special difficulty adjustment rules
that don't exist on mainnet: if no block is found for 20 minutes,
difficulty resets to minimum. This testnet-specific rule creates
instability and disruption that wouldn't occur on Bitcoin mainnet,
where difficulty adjustments follow strict 2,016-block periods.
The timewarp fix on testnet4 has worked as intended. When
testnet4 has reset or experienced issues, these have been due to
other factors like the 20-minute difficulty reset rule, low
hashrate, difficulty gaming, or intentional stress testing, not
failures of the consensus cleanup rules themselves.
BIP54's implementation
on Bitcoin Inquisition (on the signet test network) provides a
more controlled testing environment with comprehensive
test vectors covering all the edge cases.
Quantum computing resistance is a separate concern from the
vulnerabilities BIP54 addresses. BIP54 is about fixing specific bugs
and attack vectors in Bitcoin's existing consensus rules: timewarp,
slow validation, merkle tree exploits, and duplicate
transactions.
Quantum-resistant cryptography would require a different set of
changes (possibly a new address format and signature algorithm) and
is still an area of active research. The timeline for quantum
computers threatening Bitcoin's elliptic curve cryptography is
uncertain.
BIP54 should be evaluated on its own merits as a security
upgrade. It neither helps nor hinders future quantum resistance
efforts, and there's no reason to delay fixing known vulnerabilities
while waiting for quantum-resistant proposals to mature.
BIP54 is a soft fork which is a
backwards-compatible Bitcoin consensus change. After activation,
nodes that haven't upgraded will still follow the chain and
recognize blocks as valid, though they won't enforce the new rules
themselves. Soft forks only tighten the consensus rules; they don't
expand what's considered valid.
The activation mechanism for BIP54 has not yet been finalized.
Previous Bitcoin soft forks have used mechanisms like BIP9
(version bits with miner signaling), BIP8
(user-activated soft fork with optional miner signaling), or
combinations thereof.
The activation debate is separate from the technical merits of
the proposal itself. Once there is rough consensus on the changes
BIP54 proposes, the community will need to agree on an activation
method that balances user activation, miner coordination, and
network safety.
There are several ways to contribute:
- Review the proposal: Read BIP54
and provide technical feedback on the Delving
Bitcoin thread.
- Test the implementation: Run Bitcoin
Inquisition on signet and test BIP54's behavior with the
provided test vectors.
- Educate others: Share information about
BIP54's goals and benefits.
- Miner outreach: If you operate mining
infrastructure or know people who do, ensure they understand the
forward-compatibility requirements (especially the coinbase
locktime changes).
- Improve this website: If you have a
suggestion or improvement, see this website's repository on GitHub.