BitVM2

BitVM2 is a verification scheme that enables arbitrary, effectively Turing-complete computation to be secured by Bitcoin, presented by Robin Linus and co-authors in "Bridging Bitcoin to Second Layers via BitVM2." Crucially, it works on Bitcoin today without any soft fork, using existing primitives such as Lamport signatures and Taptrees. We describe it neutrally; it is a young, actively researched construction whose security depends on its assumptions.

How it works

Computation runs off-chain optimistically. If an operator asserts an incorrect result, the design lets a challenger force an on-chain dispute. Earlier BitVM versions required challengers to be part of a predefined set; BitVM2's key advance is permissionless challenging, so anyone can disprove a faulty assertion by executing a single contested step on-chain. The balanced construction resolves a dispute in a small number of on-chain transactions, far fewer than earlier interactive designs.

Trust model

BitVM2-based bridges operate under a 1-of-n honesty assumption during setup: as long as one participant is honest, funds cannot be stolen. In the worst case where all operators are dishonest, the design holds that deposits can at most be burned, not stolen. This makes it a building block for trust-minimized bridges and rollup verification, though as with any new system, real-world security hinges on careful implementation and ongoing review.

BitVM2 shares its optimistic, bisection-style dispute approach with covenant research like MATT and underpins some validity rollup bridge designs on Bitcoin.