Development of BitVM Solutions
The problem is straightforward: you have Bitcoin with its security and liquidity, but you cannot execute arbitrary logic on its base without trusted intermediaries. Multisig solves part of the problem, but once the logic becomes complex — HTLC, conditional payments, ZK-proof verification — you must either move to a sidechain with a different security model, or wrap BTC in ERC-20 and work in an EVM environment with custodial risks. BitVM changes this equation: it enables executing arbitrary computations with verification on Bitcoin L1 without changing the network consensus.
How BitVM Works: More Than "Smart Contracts on Bitcoin"
The term "smart contracts" applied to BitVM is technically inaccurate — Bitcoin has no EVM. BitVM (proposed by Robin Lanus in October 2023, developed into BitVM2 in 2024) implements optimistic execution with fraud proof verification.
Basic principle:
- Prover asserts the computation result and publishes a commitment — a Merkle tree of program states
- Verifier can remain silent (treating the result as correct by default) or initiate a challenge
- Upon challenge, a bisection protocol begins: opponents iteratively narrow the dispute to a single NAND operation that can be verified through Bitcoin Script
- A dishonest prover loses their stake
BitVM2 simplifies the model: any observer can be a verifier (not just designated ones), and the challenge period compresses from several rounds to two transactions. This is critical for practical application.
What Actually Executes On-Chain vs Off-Chain
A common misconception: BitVM does not "run programs" on Bitcoin. Execution is always off-chain — the program is executed locally by the prover. Bitcoin L1 is engaged only in case of a dispute, and only to verify a single bit operation. This is a fundamental difference from Ethereum, where execution happens on-chain every time.
Practical consequence: BitVM solutions are optimal for low-frequency, high-value operations — cross-chain bridges, ZK-proof verification, conditional payments with complex logic. They are not suitable for high-throughput applications like DEX or games where each user generates transactions.
BitVM Bridge Architecture: The Most Sought After Use Case
A BitVM bridge between Bitcoin and other networks is currently the most mature production use case. Several projects exist: BitVM Bridge (Robin Linus), BitlayerLabs, Citrea.
Trustless Withdrawal Scheme
Bitcoin L1:
- Locked BTC in multisig (Federation N-of-M)
- Pre-signed transactions with taproot scriptpath
L2/Sidechain:
- User burns wrapped BTC
- Generates withdrawal proof (ZK or optimistic)
Verifier Network:
- Verifies proof
- If valid → signs release transaction on L1
- If invalid → publishes fraud proof, activates challenge
The key component is pre-signed transaction graph. Before bridge deployment, all participants (Federation) pre-sign Taproot transactions for all possible execution paths. This requires a one-time interactive session between participants, after which the bridge operates automatically.
Taproot and Its Role in BitVM
Without Taproot (BIP-341/342, activated in November 2021), BitVM would be impossible. Taproot enables:
- Script trees: one address conceals up to 2^128 possible scripts, revealing only the executed path
- Schnorr signatures: combine linearly (MuSig2), critical for efficient multisig
- Script size: each leaf script can be up to 520 bytes, sufficient for NAND verification
In a BitVM bridge, the typical taproot tree structure looks like:
Internal Key: MuSig2(federation_keys)
├── Script Leaf 1: normal_withdrawal (federation_threshold_sig + timelock)
├── Script Leaf 2: challenge_response (verifier_sig + proof_data)
├── Script Leaf 3: fraud_proof (challenger_sig + bisection_result)
└── Script Leaf N: timeout_refund (prover_sig + CSV_timelock)
Implementation: Technology Stack
Writing BitVM Programs
BitVM programs are compiled into circuits — sets of NAND/OR gates represented as Bitcoin Script. Main tools:
bitcoin-script (Rust crate) — low-level script work. Most BitVM implementations use it.
BitVM Rust SDK (BitVM Alliance) — high-level abstractions for writing circuits. As of 2024-2025, actively developed, API unstable — important to pin the version.
Groth16/PLONK verifier circuits — for BitVM bridges you need ZK-proof verification in Bitcoin Script. This is the hardest part: native Bitcoin Script is extremely limited in operations, so ZK verifier is broken into thousands of NAND gates.
Development Infrastructure
# Local Bitcoin regtest network
bitcoind -regtest -txindex=1 -rpcuser=user -rpcpass=pass
# or via docker
docker run -d --name bitcoin-regtest \
-p 18443:18443 \
ruimarinho/bitcoin-core \
-regtest -txindex -rpcallowip=0.0.0.0/0
# Esplora for indexing
docker run -d electrs --network regtest
Testing BitVM requires transaction simulation — you need to verify that the pre-signed transaction graph is consistent, all scripts satisfy constraints, timelocks are correct. We use a custom harness in Python on top of bitcoinlib + python-bitcointx.
Handling Transaction Pinning
A critical issue for BitVM: if a challenger broadcasts a fraud proof transaction, an attacker can pin it with minimal fee, blocking confirmation. Defense:
- CPFP (Child Pays For Parent) anchors in all dispute transactions
- Package relay (Bitcoin Core 26.0+) — allows broadcasting related transactions as a package
- Anchor output size: 240 sats (dust threshold in 2024)
Economics and Limitations
Real Transaction Costs
A typical BitVM bridge withdrawal (without dispute):
- 1–2 on-chain transactions
- Size: ~500-1500 bytes with Taproot witness
- At 50 sat/vB feerate: $5–15 per withdrawal
With challenge (fraud proof):
- Up to 10–20 transactions in bisection protocol
- Total size: 10-50KB
- Cost: $100–500 at high feerate
- Challenger loses all transaction costs, prover loses their stake — economic security rests on asymmetry
Current Limitations
No script introspection — Bitcoin Script cannot read its own transaction fields (TXID, inputs, outputs). Worked around through pre-commitment, but complicates architecture. OP_CAT (if activated) would solve part of these issues.
Witness data size — complex circuits generate witness transactions of several MB. Miners accept them, but propagation through the network is slower.
Latency — challenge period for safety must be sufficient (7–14 days for trustless withdrawal, similar to Optimistic Rollups). For UX this is a problem — most use liquidity from providers with fast withdrawal for a fee.
Federation assumptions — most current implementations require N-of-M federation. Truly trustless (1-of-N) is still in development.
Development Process and Timeline
| Component | Complexity | Timeline |
|---|---|---|
| Architecture and circuit design | High | 3–4 weeks |
| Bitcoin Script / Taproot transactions | High | 4–6 weeks |
| Off-chain prover/verifier | Medium | 3–4 weeks |
| L2-side (smart contract) | Medium | 2–3 weeks |
| Integration testing (regtest) | High | 2–3 weeks |
| Security review | Critical | 3–5 weeks |
A realistic minimum for production-grade BitVM bridge: 4–6 months. Projects promising less typically have high trust assumptions in federation or non-production code quality. Current BitVM landscape is still frontier engineering: little documentation, most knowledge lives in source code and Discord (BitVM Alliance, BitVM2 stack by Robin Linus).