BitVM: A New Paradigm for Bitcoin

Introduction

BitVM plays a crucial role in BOB's Hybrid L2 Roadmap by enabling superior Bitcoin bridging for our rollup. BOB will integrate a native Bitcoin bridge via BitVM that will serve as a backbone for Bitcoin DeFi in synergy with the Babylon LSTs and LRTs. From the network infrastructure to the tokens in your wallet, BitVM unlocks huge security advancements for Bitcoin DeFi.

Read on to learn how BitVM enables Bitcoin rollups and a new type of BTC bridge with a "1-of-n" trust assumption - all without a soft fork to Bitcoin.

Why BitVM Matters

tl;dr:

• BitVM2 is a major improvement over previous BitVM versions.
• BitVM Bridge is now the most secure BTC bridge design.
• BOB co-authored the most comprehensive write-up of the BitVM2 design so far.

BitVM2 is:

• Secure: optimistic computation secured by Bitcoin.
• Practical: only three transactions to complete a challenge.
• Permissionless: anyone can challenge.

BitVM Bridge is the most secure BTC bridge to date.

• BTC Bridges so far: t-of-n multisigs, honest majority assumption.
• BitVM Bridge: 1-of-n security model, where anyone can challenge and prevent theft.

BitVM Non-Technical Summary

BitVM is a way to expand the range of what is possible to do on Bitcoin. It does this by performing computation off-chain that is held accountable by an on-chain fraud proving mechanism. Since Bitcoin Script is very limited in what it can do, running more advanced programs on Bitcoin requires a way to verify that the results of off-chain calculations are correct.

Existing bridges typically rely on centralized entities—such as Wrapped Bitcoin (WBTC) and Coinbase Wrapped Bitcoin (cbBTC)—or semi-trusted networks like tBTC, where security depends on the honesty of the majority of participants. In contrast, BitVM bridges introduce a superior security model: BTC deposits cannot be stolen as long as there is a single honest and online node in the network, and this node can be the depositor themself.

BitVM verifies off-chain computation similarly to optimistic rollups:

1. An operator performs a computation off-chain,
2. then makes an on-chain claim about the results of that computation.
3. If the claim is incorrect, a verifier will invalidate it directly on the Bitcoin blockchain.

In practice, this would look like a collection of operators depositing their collateral and committing to manage a pool of BTC according to the rules of a specific, pre-defined computer program (a bridge, for example).

If an operator attempts to withdraw BTC in a way that violates those rules, any verifier can prevent the withdrawal and slash the dishonest operator's collateral for the malicious attempt. The verifier does this by submitting a specific kind of transaction on Bitcoin that will be explained in a moment.

This reveals two important aspects of the setup:

1. An operator only needs to provide enough collateral to cover the cost of disproving plus some extra amount to deter them from cheating and being slashed. This capital efficiency is exactly why BitVM is much better than other bridges, including collateralized bridges.
2. The verifier can challenge a dishonest transaction directly to Bitcoin, slashing the operator and preventing the malicious withdrawal from happening. In other words, one honest verifier can prevent an infinite number of operators from cheating.

This setup is called optimistic because normal operation is assumed to be correct, allowing compute to happen at web2 prices while also maintaining a strong mechanism of on-chain accountability to prevent a dishonest claim from any operators.

BitVM Technical Summary

1. Compress a program into a SNARK verifier implemented in Bitcoin Script. With Groth16, this will be about 1GB in size.
2. Split the verifier into discrete sub-program chunks that are a maximum of 4MB each. This makes it possible for an entire specific sub-program chunk could be included in a Bitcoin transaction in the event of a challenge.
3. During the setup step, each operator commits to the program by depositing collateral.
4. Each operator continually runs the original program (e.g. a bridge) off-chain to determine the correct outputs of each input (e.g. how much BTC to withdraw and who to send it to during a bridge peg-out).
5. The operator uses their own funds to cover the program's output (e.g. sends their own BTC to a withdrawing user), then requests a reimbursement by withdrawing funds from BitVM (i.e. the set of funds being managed by the operators).
6. If challenged, the operator must reveal all of the intermediary program results (i.e. each of the inputs and outputs of the sub-program chunks). If the operator is cheating, at least one of the sub-program results will be fake.
7. Anyone can disprove the operator by executing that specific sub-program in a Bitcoin transaction, showing that the operator's attempted withdrawal was invalid.
8. The bad operator is kicked out and cannot access the BitVM funds.

Practical and Permissionless

Anyone can challenge a dishonest operator with only three Bitcoin transactions.

BitVM Bridge Summary

One of the most exciting applications of BitVM is a BTC light-client bridge on Bitcoin. Specifically, BitVM reduces the trust assumptions needed for a safe peg-out when users want to withdraw or unwrap their BTC back to Bitcoin.

1. Operators pay BTC to the withdrawing user from their own funds and then reclaim the BTC from BitVM.

2. A smart contract on BOB uses the BTC relay to verify that there is a correct peg-out on Bitcoin corresponding to the withdrawal request by a user on BOB. If this check passes, a burn event on BOB is emitted.

3. BitVM checks that there is a correct peg-out on Bitcoin matching the burn event on BOB.

4. The operator uses the BitVM light client to create a SNARK, proving that

   • there is a burn event on BOB that burns bobBTC,
   • the BOB block that includes the burn event was correctly created,
   • the BOB block is signed by Babylon Finality Providers (FPs) staked on Bitcoin,
   • the BOB block hash that includes the burn event is stored on the Babylon chain, and
   • the BOB block hash is part of a Babylon checkpoint on Bitcoin with at least 100 Bitcoin confirmations.

5. If all is correct, the operator gets the BTC refunded.

6. If the operator has committed fraud (e.g. by sending BTC to their wallet instead of the user's), the refund transaction is prevented and the operator is slashed and kicked out.

Under correct operation, the bridging process completes in less than one hour in each direction for users bridging in and out. This is much faster than existing Ethereum L1 or L2 bridges to Bitcoin.

Common Misconceptions

• "BitVM" is not a virtual machine (VM) like the Ethereum Virtual Machine (EVM) or the Java Virtual Machine (JVM); it is not an execution environment for arbitrary programs. Rather, each instance of BitVM is a way to use existing tools in Bitcoin to create on-chain fraud proofs for off-chain execution of a specific, pre-determined program (e.g. a bridge or rollup).
• In its current design, a specific BitVM instance only supports deposits and withdrawals of a fixed amount defined at setup, such as exactly 0.1 BTC. A user can only PegOut (i.e. withdraw) an amount that exactly matches a previous PegIn. A potential workaround is to create several instances of BitVM for the same purpose (e.g. bridge), each corresponding to a different PegIn size (e.g. 0.1 BTC, 1 BTC, 10 BTC).
• The 1GB program is never put on-chain. That would require 1,000 separate transactions, each the size of an entire Bitcoin block! Instead, the setup process includes the creation of a Taproot tree that represents the relationship between the inputs and outputs of all the intermediary sub-programs. The last Tapleaf in the tree is used for the Payout transaction, enabling the operator to claim the funds if the program execution is not challenged.
• Operators pay out using their own money, then are reimbursed by spending the UTXO from a previous PegIn after the challenge period. These settings (challenge period duration, operator capital) are what constrain the throughput of the bridge(/other collateralized program)

Next Steps

BOB plans to launch the BitVM bridge on BOB Sepolia in early 2025. The mainnet deployment will follow after successful auditing and partner integrations.

BOB is also working with Babylon to make BOB a Bitcoin Secured Network (BSN). Once complete, transactions on BOB will receive finality from staked BTC in addition to the finality it already has as an Ethereum rollup. This increase in network security advances BOB on its Hybrid L2 Roadmap.

Further Reading

Credit to Janusz for compiling many of these resources.

BitVM Papers

• BitVM: Compute anything on Bitcoin
• BitVM2: Bridging Bitcoin to Second Layers

Written resources on BitVM

• BitVM Bridge Prototype on Signet
• Deep dive into BitVM Computing Paradigm - Ichiro Kuwahara.
• The BitVM Primer - Tyler Whittle
• BitVM: A Breakthrough in Computing on the Bitcoin Layer - Trust Machines
• The Big Deal with BitVM - Bitcoin Magazine
• BitVM FAQs

Video and audio resources on BitVM

• BitVM Uses a 'Compilation of a Couple Tricks' to Overcome Limitations of Bitcoin's Script: Robin Linus
• What is BitVM? with Robin Linus and Super Testnet (SLP520) - Stephan Livera Podcast
• Zero Sync - Bitcoin Amsterdam
• BitVM two way peg design - Ordinals Show
• BitVM - A Tiny Web3 Podcast
• Everything on Bitcoin with Robin Linus & Super Testnet - Bitcoin Audible
• BitVM Takeover with Super Testnet - Layer Two Labs
• BitVM, Convenants and Scaling - Bitcoin News
• BitVM and UTXO Dealership
• BitVM Discussion - Ordinals Show

Related Github Repos

• BitVM Official Implementation
• Things BitVM Needs
• Awesome BitVM - Rsync25, an amazing resource on technical resources regarding BitVM

Tweet threads on BitVM

• BitVM2 and BitVM Bridge: TLDR - Alexei Zamyatin
• Decentralized two way peg on BitVM - Alex Emidio
• BitVM Explainer - Bob Bodily
• BitVM Explainer, BitVM GPT - Dylan LeClair

Communities

• BitVM Telegram