Freedom

Bitcoin Core v31.0rc2 Tagged as P2P Privacy Fix Targets Final Release

HyperSinc Intelligence/MARCH 31, 2026

Bitcoin Core v31.0rc2 was tagged on March 25, 2026, with a final release targeting early April — and an OpenSats grant is driving a live fingerprinting-attack mitigation into the same codebase.

Bitcoin Core v31.0rc2 Tagged as P2P Privacy Fix Targets Final Release

7 min read

Conventional wisdom holds that Bitcoin Core release cycles are routine maintenance events — incremental, predictable, and strategically inconsequential. The v31.0 release cycle challenges that framing directly. The second release candidate was tagged on March 25, 2026, a live P2P deanonymization attack has been replicated on the mainnet and a mitigation is queued for this branch, and the static fee-rate configuration that many legacy wallet integrations still depend on is being removed entirely. Together, these changes make v31.0 the most consequential release for node operators and privacy-tool builders since v26.0 introduced the initial Tor outbound connection improvements. The competitive and operational calculus is no longer about whether to upgrade, but how quickly the ecosystem can absorb three simultaneous breaking changes.

The arena in which this release lands is larger than most infrastructure discussions acknowledge. Approximately 95% of Bitcoin full nodes run some version of Bitcoin Core as their reference implementation, according to node survey data from Bitnodes and Luke Dashjr's historical estimates — figures that have held broadly stable across the past four major release cycles. The active developer ecosystem funding this work is notably small relative to its systemic importance: OpenSats, the Human Rights Foundation's Bitcoin Development Fund, Spiral, and Brink collectively fund the majority of full-time Bitcoin Core contributors. As of March 2026, the network operates at 1,013.5 EH/s (source: Mempool.space, live at rc2 tagging), a figure that underscores the scale of the infrastructure running atop this software. The structural condition shaping this release cycle is a six-month major-version cadence that has held since 2016 — v30.0 shipped in October 2025, and v31.0 is its direct successor.

The granular specifics of the rc2 event are straightforward but consequential in their detail. Bitcoin Core maintainer achow101 (Andrew Chow) confirmed at the Bitcoin Core developer IRC meeting on March 12, 2026, that rc2 was certain: 'there is a backports PR and still a couple things in the milestone, so definitely will have a rc2.' The rc2 tag was applied to the bitcoin/bitcoin repository on March 25, 2026, per the cryptographically verified release tag on GitHub. The final release is targeted for early April 2026, per the project's release schedule tracked in GitHub issue 33607. Community testing is coordinated under GitHub issue 34840, which asks contributors to test across a wide variety of supported platforms and to report the specific operating system and version tested. The fee environment at the rc2 window — 2 sat/vB for fastest confirmation, 1 sat/vB for 30-minute confirmation (source: Mempool.space) — represents near-floor conditions, which creates a clean testing window for fee-estimation logic and wallet behavior without high-congestion interference. Two specific changes define v31.0's operational impact: the removal of the '-paytxfee' startup option and the 'settxfee' RPC, both deprecated because static fee rates can cause systematic overpayment or underpayment, and the expected landing of Naiyoma's P2P fingerprinting mitigation, pending final review.

The deeper structural force behind this release cycle is that P2P privacy has moved from theoretical research to active exploitation. On March 11, 2026, OpenSats announced a new grant round funding five Bitcoin Core contributors, including Naiyoma — a first-time grantee — whose work specifically addresses a fingerprinting attack that allows outside observers to correlate a node's identity across multiple networks simultaneously, such as clearnet and Tor, thereby exposing the real IP address of users who rely on privacy overlays. Naiyoma and returning grantee Daniela Brozzoni (re-granted January 2025) researched, replicated, and published the attack in a Delving Bitcoin post before opening the mitigation pull request against Bitcoin Core. This research-to-PR pipeline, funded entirely by OpenSats and coordinated outside any corporate structure, mirrors the precedent set by the addrman privacy improvements funded by Brink in 2022-2023 — demonstrating that the open-source grant model can move a live attack surface from discovery to proposed fix within a single release cycle when the funding is continuous and the contributor is full-time.

The competitive implications of v31.0 segment sharply by stakeholder. For node operators and infrastructure providers running v28.x, the practical consequence is binary: v28.x enters End-of-Life status the moment v31.0 is tagged, per the Bitcoin Core software lifecycle policy at bitcoincore.org/en/lifecycle, and continuing to run EOL software against a 1,013.5 EH/s network without security backports is an unacceptable operational posture. For privacy-tool builders — wallet software that routes through Tor, Lightning node implementations with onion-routing dependencies, and coinjoin coordinators such as JoinMarket and Wasabi that rely on node-level network isolation — the fingerprinting mitigation's merge status in v31.0 versus a 31.x maintenance release is the decisive variable. A deferral to 31.1 or 31.2 means these tools ship on top of a known, publicly documented attack surface for potentially another two to four months. For the fee-estimation ecosystem, the removal of 'settxfee' and '-paytxfee' forces every wallet integration that relied on static fee configuration to migrate to per-transaction 'fee_rate' arguments — a change that will expose poorly maintained wallet backends that have not tracked Core's deprecation notices. The stakeholder facing the least disruption is the mining pool and block-template-construction layer, where the v31.0 changes are not consensus-critical and do not alter block validation or template logic.

Our read: the v31.0 cycle is the first release in which Bitcoin Core's P2P privacy posture is being addressed as a funded research programme rather than an ad-hoc contribution, and that structural change is more significant than any individual change in the release. The testable hypothesis is this — if Naiyoma's fingerprinting mitigation merges into v31.0 final rather than being deferred, it will establish a repeatable model: OpenSats-funded researcher identifies attack vector, replicates on live network, publishes, opens PR, ships within one release cycle. If that model holds, the documented inventory of fingerprinting risks she is building will serve as the backlog for v31.x and v32.0. Three imperatives follow. First, node operators running v28.x should begin upgrade testing against rc2 now, using the testing guide coordinated by janb84 under GitHub issue 34840, before the EOL deadline removes any grace period. Second, privacy-tool developers should track the fingerprinting mitigation PR's review status daily and build conditional release plans for both the v31.0-ships-with-fix and v31.0-defers-fix scenarios before the early April tag. Third, infrastructure providers that expose any node connectivity metadata — Lightning Service Providers, BTCPay Server hosters, Electrum server operators — should audit their Tor and clearnet configurations against the published Delving Bitcoin attack description before v31.0 ships, because the attack is live regardless of when the fix lands.

Four specific signals will determine whether this release cycle closes the fingerprinting risk or extends it. First, the merge status of Naiyoma's fingerprinting mitigation PR against the bitcoin/bitcoin repository — watch the pull request for ACKs from maintainers achow101, sipa, and fanquake; a merge before the final tag is the affirmative signal, a 'needs-more-review' label is the deferral signal, and both outcomes have clear downstream implications for privacy-tool release timelines. Second, the outcome of janb84's release candidate testing coordination under issue 34840 — if janb84's public testing summary surfaces a platform-specific regression, an rc3 becomes probable and the early April target slips by approximately one to two weeks; absence of a reported regression by the first week of April is the green light. Third, the Address Manager per-network-type research that Naiyoma has scoped as follow-on work is expected to surface as a Bitcoin Improvement Proposal or major pull request in Q2 2026 — its appearance on the bitcoin-dev mailing list or Delving Bitcoin is the leading indicator that the P2P privacy research programme is compounding rather than stalling. Fourth, announcements from major Lightning node software maintainers — specifically LND (Lightning Labs), CLN (Blockstream), and LDK (Spiral) — regarding their v31.0 compatibility testing completion will signal whether the broader infrastructure layer is tracking the upgrade cycle or running behind it.

Key Takeaways

Bitcoin Core v31.0rc2 landed on March 25, 2026, putting the reference implementation used by roughly 95% of full nodes within days of its next major version bump.
A live P2P fingerprinting attack — capable of correlating a node's identity across clearnet and Tor to expose real IP addresses — has been replicated on the live network and a mitigation PR is open against v31.0.
Node operators running v28.x face an imminent End-of-Life deadline once v31.0 ships; infrastructure providers that delay upgrades will run unsupported software against a 1,013.5 EH/s network.

What it meansThe convergence of a near-final v31.0 release and an active fingerprinting-mitigation pull request forces every node operator and privacy-dependent infrastructure provider to make an immediate upgrade decision.

DISCLAIMER

This article is for informational purposes only and does not constitute financial, investment, legal, or tax advice.

SOURCES

← Back to HyperSinc