Disclosure of the details of a resource exhaustion issue when processing an unconfirmed transaction. A fix was released on October 10th 2025 in Bitcoin Core v30.0.

This issue is considered Low severity.

Details

An attacker could send specially-crafted unconfirmed transactions that would each take a victim node a few seconds to validate. These non-standard transactions would be rejected, but the rejection would not lead to a disconnection, so the process could be repeated. This could be exploited to delay block propagation.

The issue was mitigated in multiple steps by reducing the validation time in different Script contexts.

Attribution

Antoine Poinsot reported this issue to the Bitcoin Core security mailing list.

Pieter Wuille, Anthony Towns and Antoine Poinsot implemented mitigations to reduce the worst-case validation time of unconfirmed transactions.

Timeline

  • 2025-04-25 - Antoine Poinsot reports the issue
  • 2025-05-12 - Pieter Wuille opens PR #32473 to mitigate the worst-case quadratic signature hashing in legacy Script context
  • 2025-07-24 - Anthony Towns opens PR #33050 to mitigate the worst-case hashing in Tapscript context
  • 2025-07-30 - Antoine Poinsot opens PR #33105 to further mitigate the worst case in legacy Script context
  • 2025-08-08 - PR #33105 is merged into master
  • 2025-08-11 - PR #32473 is merged into master
  • 2025-08-12 - PR #33050 is merged into master
  • 2025-10-10 - Version 30.0 is released with the mitigations
  • 2025-10-24 - Public Disclosure