There have been some new developments in BitVM, called BitVM3. Several of our portfolio companies, including Babylon, Fiamma, and Nubit, have been developing around BitVM3, while their implementation for BitVM2 has been getting ready for production.
In this article, we survey about the recent developments on BitVM3 as well as the existing results from portfolio companies on BitVM2.
For interested readers, we have a comprehensive SoK paper that summarizes the recent developments in BitVM3 that will continue to update: https://eprint.iacr.org/2025/1253
What is BitVM?
BitVM is a way to construct transactions on Bitcoin that are conditioned on any computation. Previously, Bitcoin can only condition on very specific computation related to multi-signatures, timelocks, and hashlocks. This is already sufficient for many applications that are in production, such as Lightning Network and Atomic Swap, which only require very basic functionalities from the Bitcoin script.
But, due to the limitations of multi-signatures, timelocks, and hashlocks, after almost a decade, these are basically all the applications that we have using Bitcoin script. When it comes to wrapped BTC, BTC bridge, or Ordinals/Runes bridge, we have to rely on multisig, where a number of nodes are trusted. DLC contract-based protocols such as Lygos Finance are examples of using multisig for oracles.
A multisig scheme usually uses N parties, and approving a certain operation requires only T out of the N parties to agree. This is not ideal because:
Safety. These nodes could be compromised by hackers, and the hackers may be able to steal assets on the bridge, or be able to mint wrapped BTCs that are unauthorized and unpegged. Specifically, the hackers only need to compromise T out of the N parties.
Liveness. At least T parties need to be live in order for the multisig to process requests from the users. If more than (N - T) parties are no longer participating (e.g. censorship), then the requests would not proceed. This is a counterparty risk for users who wish to, for example, withdraw assets from the bridge.
Solutions based on multisig have long been known to be vulnerable to hackers such as the Lazarus Group, who have become increasingly skillful and sophisticated on social engineering attacks and insider attacks. This is why people start to look into other solutions such as zero-knowledge proofs.
Zero-knowledge proofs provide two notable advantages, one for safety, one for liveness:
Safety. Regardless of how many nodes are being compromised, the security of zero-knowledge proofs is mathematical, meaning that nodes cannot forge a proof with a reasonable amount of computation resources. In comparison to multisig, one needs to trust 0 nodes for safety.
Liveness: It is possible to design protocols using zero-knowledge proofs that require only one out of the N parties being available to process a transaction, while the remaining (N - 1) parties are not cooperative. One can set N to be a relatively large number and accommodate many more nodes as backup.
BitVM builds upon zero-knowledge proofs and departs from multisig. There are some use cases of BitVM that cannot be substituted by multisig without sacrificing security, which in fact enables some important use cases of Bitcoin-Fi.
Example use case
Probably the most important use case for BitVM and also the most important use case for Bitcoin-Fi in general is lending stablecoins with BTC. This is a special case of the trustless vault from Babylon built from BitVM3.
In this use case, we have Alice and Bob.
Alice has BTC and would like to lend some stablecoins such as USDT.
Bob has stablecoins and is willing to participate in this protocol to lend the stablecoins to other users.
For example, let us assume that the current BTC price is US$120,000 for one BTC. Alice and Bob agrees on the following terms for one BTC:
Bob lends US$70,000 to Alice at an annualized interest rate of 6%.
Alice needs to repay Bob no later than one year later.
Bob can liquidate the BTC when the BTC price drops below $75,000.
When liquidating, Bob needs to pay Alice the difference between the market price of 1 BTC and US$70,000 plus the aggregated interest.
The loan can be extended if both parties agree. For example, if we speculate that after 11 months, BTC reaches a new all-time high at US$360,000 (this is pure speculation and is not investment advice), Alice and Bob can jointly update the Babylon vault.
Bob lends additional $200,000 to Alice at the same interest rate.
or, Alice withdraws 0.67 BTC from the vault to herself, leaving only 0.33 BTC as the collateral for the original US$70,000 loan.
The duration of the loan will be extended, and the liquidation price can be modified accordingly.
The trustless vault, created by Alice and Bob jointly, is activated when Alice deposits BTC on the Bitcoin mainnet and Bob sends Alice the stablecoins on the Ethereum mainnet (or other network with stablecoins). The trustless vault will be opened in the following one of the two cases.
Case 1: repayment. If Alice repays Bob the corresponding stablecoins, Alice and Bob can co-sign a transaction that returns the BTC to Alice (happy case, which doesn’t require BitVM). If Bob is unwilling to co-sign this transaction (unhappy case, which needs BitVM for rescue), Alice publishes a proof with BitVM proving that she has already repaid the stablecoins on Ethereum (by proving the inclusion of such a transaction on the Ethereum blockchain), and the trustless vault will release the tokens to Alice after the challenge period.
Case 2: liquidation. If the liquidation conditions are met, which can be either Alice being late for the repayment, or that BTC drops below the agreed upon price (here, $75,000, adjusted by the accumulated interest), Alice and Bob can co-sign a transaction that gives the BTC to Bob (after Bob has paid the difference in amounts to Alice in stablecoins). If Alice is unwilling to co-sign this transaction, Bob publishes a proof with BitVM proving that liquidation conditions are met and confirmed on Ethereum and Bob has already paid the difference in price and the loan, then Bob can withdraw that BTC after the challenge period. Note that when Bob confirms the liquidation conditions on Ethereum, the liquidation will be irreversible.
Other than these two cases, the trustless vault remains valid and locks the corresponding BTCs.
So far, we have presented the trusteless BTC vault by Babylon for borrowing stablecoins with BTCs. We are enthusiastic about this use case because we expect that it has a broad market and strong demands, and we believe that BitVM removes some of the counterparty risks that have prevented BTC whales (which could be, for example, Strategy!) from using these services.
Market demands for borrowing stablecoins with BTC
There are several reasons why we believe there are strong market demands for borrowing stablecoins with BTC, and specifically, it is probably the most significant Bitcoin-Fi product.
First, there are a number of reasons why BTC may grow in value in comparison to USD and other fiat currencies. Halving in BTC block rewards mathematically limits the supply of new BTC, making new BTC more and more difficult to mine, and historically it has been, unsurprisingly, correlated with the surge in price. An article from the RR2 Capital surveyed past halving events and concluded that:
“price increases generally begin six to twelve months after a halving event”
“notable surges are often seen between 12 to 18 months post-halving”
We can see from historical Bitcoin prices that, although Bitcoin has fluctuated from time to time, halving seems to contribute to some sort of cycle that in the end reaches a new all-time high.
This historical performance is a reason why BTC has also been considered as digital gold (Deutsche Bank agrees so!). In fact, qualitatively speaking, many have said that BTC is better than gold. It is easy to transmit a large amount of BTC. It is easy to prove the ownership of BTC. It is easy to verify that the BTC is genuine. It is easy to know how much BTC is in the world. And we don’t need to worry about scientific advancement in turning cheap materials into “BTC” or discovery of a new, huge “BTC” gold mine on earth, while turning lead to gold is not just theoretically possible, but also has been tested in practice in Large Hadron Collider (LHC), and gold prices will likely struggle if a mysterious gold mine is unveiled. If we believe so, then we just need to argue why BTC, rather than another cryptocurrency such as ETH or SOL (which may similarly possess these properties), will be the digital gold.
Compared with all the other cryptocurrencies, BTC is still the one with the strongest community, highest popularity, most well-recognized decentralization, and strongest institution adoption. We do need to admit though, that the Bitcoin network is not superior to other networks in all dimensions—Ethereum has more DeFi and altcoin activities (with higher daily total transaction fees than Bitcoin), and both Ethereum and Solana have better scalability and shorter latencies, but the price of BTC seems to be more attributed to its first mover advantage as well as the proof-of-work consensus.
If we focus on the year 2025, we can see the surge of BTC treasury companies, ETFs, or liquid funds, with Strategy being the most significant example. These companies, in a sense, raise capitals from the market and use these capitals to continuously buy BTC. There are many reasons why people choose to invest into these vehicles rather than self-custody, one of which is that self-custody implies management overheads and risks. In addition, some national states are also considering buying Bitcoin as a reserve asset. This suggests buying power.
Second, there is a demand for BTC holders to borrow stablecoins, as an alternative to “selling” them. A lot of BTC holders are reluctant to sell BTC—in fact, many of them are likely regretting not buying more BTC earlier or regretting selling BTC, and the fear of missing out (FOMO) is probably prevalent among BTC holders. Another reason is purely for tax reasons. In many jurisdictions including the majority of the U.S., selling BTC as a gain needs to pay capital gains tax, however, borrowing a loan (in the proper manner) is not treated as income. There is a famous saying that rich people “escape” tax by “Buy, Borrow, Die”, with a caveat that you now need to pay the interest. Whether this interest justifies the tax benefits of selling depends on whether BTC grows in value and your capital gain tax rate (which is usually progressive).
If we speculate, which is not investment advice, that BTC will never drop below US$75,000 and is expected to grow, in average, significantly more than 6%, then the BTC loan protocol above is beneficial to both Alice and Bob:
Alice should be able to renew, increase, and extend the loan with Bob every year under a similar condition, in which Alice keeps borrowing money to meet her spending needs. Legally speaking, Alice needs to repay the loan (in order for this to be excluded as a personal income), but effectively, as BTC is growing, Alice doesn’t effectively need to repay the money.
Bob is accumulating interest income at a rate of 6%. For now, this may not seem to be a big number, as there are still 30-year treasury bonds selling at a yield of 4.68%, but remember that in the midst of 2020, the yield was once below 2%. The interest rate can adjust based on the market situations. For Bob, this is not a high-risk investment, as Bob can liquidate the BTC in case BTC drops significantly in value, without the need to trust Alice in the process. The risk can be adjusted by adopting different liquidation conditions.
When this is not the case, repayment or liquidation will happen. This is similar to other BTC loans based on multisig (such as the DLC contract), but BitVM has strengths in that it can remove a lot of the counterparty risks.
Reducing counterparty risks with BitVM
To understand the counterparty risks, we need to understand why previous solutions based on custody or multisig have these issues.
Custody. In CEX and some lending protocols, usually the users deposit the BTC into the protocol. The counterparty risk for Alice (and potentially also Bob) is that CEX could be compromised (think Bybit hack) and so do protocols (if, for example, using upgradable smart contracts or being found vulnerabilities).
Multisig. Multisig is in essence similar to custody, with stronger security guarantees that a committee of nodes need to do a multisig to approve transactions. The safety of multisig not only depends on the setup and parameters of the committee, but also how each node is configured and operated.
Note that converting BTC into WBTC (which can be done using atomic swap) and borrowing stablecoins with WBTC rely on the safety of WBTC that each WBTC must be pegged by one BTC and can be unpegged back to a BTC. The WBTC protocol is based on multisig, but has been running reliably for many years.
Back to BTC loans. BTC loans are by themselves between two parties, Alice and Bob. But neither custody or multisig between these two parties will work well.
Custody. If Alice deposits the BTC to Bob and receives the loan of US$70,000, Alice suffers from a counterparty risk that Bob may refuse to give the BTC back to Alice since the loan amount $70,000 is expected to be lower than the actual price of a BTC. This is especially possible when BTC reaches a much higher price.
Multisig. When there are only two parties (Alice and Bob), multisig doesn’t really work well as it would require both of them to co-sign related transactions. But if one party does not cooperate, there is nothing the other party can do. For example, Alice can unconditionally stop Bob from liquidation (unfavorable to Bob), and Bob can unconditionally stop Alice from repayment (unfavorable to Alice).
BitVM, however, can solve this problem quite elegantly.
Repayment. The Bitcoin vault is a BitVM instance that allows Alice to claim the BTC if Alice submits a ZK proof showing that repayment has been made on the Ethereum blockchain and the BTC loan should be considered repaid, and that this proof is not being challenged during a withdrawal period. We can call this Condition #1 ZK proof, which is solely for Alice.
Liquidation. Separately, the Bitcoin vault also allows Bob to claim the BTC if Bob submits a ZK proof showing that the BTC loan shall be liquidated and Bob has paid Alice the fair amount of the difference between the BTC market price and the loan amount.
Note that if Alice and Bob are both online and cooperative, they do not have to run BitVM, but they can co-sign a repayment transaction or a liquidation transaction. BitVM can be seen as the arbitration and settlement method when the other party is offline or non-cooperative.
From BitVM2 to BitVM3
We have discussed how BitVM can enable BTC loans between Alice and Bob that do not require a third party and avoid counterparty risks. For BitVM to be used in production, we need to look into its performance metrics, specifically:
on-chain cost, i.e. the transaction fees
settlement latency, which affects how long the challenge period needs to be
The previous scheme for BitVM is BitVM2, which can similarly be used for BTC loans, but its performance metrics may make it not suitable for most users. David Tse from Babylon presented their team’s experimental result on a full workflow of BitVM2 on Bitcoin mainnet.
The total fee was $15,742.55, or 14,931,277 sats when a challenger occurred between Alice and Bob (this fee can disappear if Alice and Bob are cooperative, in which case they don’t need to use BitVM).
The settlement on-chain requires 7 hours 36 mins, spanning 42 blocks.
The high fee and the settlement latency has to do with the fact that many transactions in BitVM2 are “nonstandard” because they are too big. These transactions may still appear on-chain, but most of the miners will not include them in their own blocks. As a result, Babylon has to work with miners who are willing to include these transactions. The only viable public service at this moment is Slipstream from Marathon Digital (now MARA), which will try to include these transactions in the next block that MARA mines, but it charges a higher fee (often 3x) since such transactions bring an overhead in block building.
This high fee is undesirable because it is almost 0.1 BTC, and the fee could only be justified if the amount of BTC in the vault is huge. This is partially the reason why previously BitVM2 has been focused on “BitVM bridge” for creating a trust-minimized wrapped BTC. Blockspace Media has an article “Why you should pay attention to BitVM again” summarizing the history of BitVM and these early use cases and focuses.
BitVM3 changes the focus of BitVM because the performance metrics are now very different:
The total fee can be made to be below $50 for the current Bitcoin mainnet fee rate.
The settlement on-chain can be done in the next block, as the transaction is standard and very small.
This is all thanks to BitVM3 for having a small on-chain footprint. These performance metrics make it practical to have regular users with even less than 0.1 BTC (about US$11,500 at the time of writing) to borrow a loan, and the ease of settlement removes the need to have access to some miners.
There has been significant progress in reducing the offchain cost of BitVM3, mostly from Alpen Labs’s work called Glock, which shows that for the BTC loan use case that is purely between two parties, one can use something called designated-verifier SNARK (DV-SNARK), which is a kind of zero-knowledge proofs that can be easily verified in BitVM3.
What is next
We have been working and researching on BitVM3. There has been a fruitful amount of open-source development in BitVM3, for example, Chainway Labs has been working on integrating BitVM3 directly with RISC Zero (a portfolio company building Boundless).
What is next is to write the logic of BTC loans and many other use cases in zero-knowledge proofs—which involves light clients on Bitcoin and Ethereum collectively. There have been integrations on Ethereum light clients in RISC Zero and Succinct, and StarkWare (a LP of L2IV) recently built Bitcoin light clients that emit header proofs. This would be the last step in completing the BitVM and bringing BTC loans to production.
We will continue to share more updates related to the progress of BitVM3.
Disclaimer: This content is provided for informational purposes only and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisors as to those matters. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services.