Decentralized Finance in Bitcoin

How can Bitcoin become more flexible and meet more complex demands? A team at TU Wien has found a solution.

A bridge with a glowing Bitcoin symbol in the middle.

© Iftikhar alam - stock.adobe.com

Bitcoin is the world’s most widely used cryptocurrency and is seen as simple, stable, and secure. But this simplicity also has a downside: Bitcoin supports payments but not advanced functionalities. Other blockchains, such as Ethereum, support decentralized exchanges, lending markets, or other types of “smart” contracts, which are not available in Bitcoin. In collaboration with international academic (Stanford University, the University of Edinburgh, Imperial College London, University of Pisa) and industrial (ZeroSync, Common Prefix, Babylon, and BOB) partners, the TU Wien team has developed a solution, called BitVM2, to integrate decentralized finance applications, and, more generally, arbitrary programs, into Bitcoin. 

BitVM2 and Cryptographic Techniques

At the heart of most smart contract systems lies a capability that Bitcoin fundamentally lacks: conditioning payments on the outcome of arbitrary computations. For instance, Alice might refund Bob only if Bob can prove that he previously executed a specific payment, potentially on another blockchain.

This raises a key question: how can one prove to someone else that a certain payment, or more generally a certain computation, has been done correctly? BitVM2 addresses this challenge using a cryptographic technique called zero-knowledge proofs. The proof that everything was done correctly is transformed into a mathematical code that is difficult to produce but relatively easy to verify—much like solving a Sudoku puzzle is hard, but checking whether a Sudoku solution is correct is easy.

This mathematical proof could, in principle, be verified in milliseconds—but not directly on the Bitcoin blockchain, since Bitcoin does not support computations of this complexity. Indeed, zero-knowledge proofs require a large and complex verification program that would normally need gigabytes of storage space. “This has always been a central problem,” says Matteo Maffei. “Bitcoin offers only very limited space—you cannot place such code directly on-chain.” To overcome this limitation, the team came up with the following approach: splitting the large verification program into many small pieces and storing them in what is known as a Taproot tree. Only if there is suspicion of wrongdoing must a single one of these pieces be revealed and executed.
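
The commit-and-reveal idea in the paragraph above, as an added sketch that is not code from BitVM2 or the paper: a constructed four-step toy program stands in for the verifier, and a plain SHA-256 Merkle tree stands in for the Taproot tree (real Taproot uses tagged hashes and Bitcoin Script leaves). All function and chunk names are hypothetical.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Constructed stand-in for a large verifier, split into small pieces; each piece
# maps one intermediate state to the next (the names stand in for script bytes).
CHUNKS = [
    ("add7", lambda s: (s + 7) % 2**32),
    ("mul3", lambda s: (s * 3) % 2**32),
    ("xor5a", lambda s: s ^ 0x5A),
    ("square", lambda s: (s * s) % 2**32),
]

def leaf(i: int) -> bytes:
    return h(b"leaf" + bytes([i]) + CHUNKS[i][0].encode())

def commit():
    """Build a plain SHA-256 Merkle tree over the pieces (leaf count must be a power of two)."""
    levels = [[leaf(i) for i in range(len(CHUNKS))]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([h(cur[j] + cur[j + 1]) for j in range(0, len(cur), 2)])
    return levels[-1][0], levels

def merkle_path(levels, i):
    path = []
    for level in levels[:-1]:
        path.append(level[i ^ 1])  # sibling of the current node at this level
        i //= 2
    return path

def run_trace(x, cheat_at=None):
    """Operator's claimed states; cheat_at flips one bit in that step's output."""
    states = [x]
    for i, (_, f) in enumerate(CHUNKS):
        out = f(states[-1])
        states.append(out ^ 1 if i == cheat_at else out)
    return states

def disprove(root, i, path, states):
    """Verifier: check the one revealed piece is committed, then execute only that piece."""
    node, idx = leaf(i), i
    for sib in path:
        node = h(sib + node) if idx & 1 else h(node + sib)
        idx //= 2
    return node == root and CHUNKS[i][1](states[i]) != states[i + 1]

def find_bad_step(states):
    return next((i for i, (_, f) in enumerate(CHUNKS) if f(states[i]) != states[i + 1]), None)
```

Only the 32-byte root is committed up front; a dispute reveals one piece plus a path of log2(n) sibling hashes, and an honest trace gives a challenger nothing to disprove.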

Decentralized Finance in Bitcoin through a Secure Bridge 

By enabling Bitcoin to verify complex off-chain computations, BitVM2 unlocks functionality that was previously out of reach. Specifically, the TU Wien team has leveraged BitVM2 to combine Bitcoin’s unmatched security with the programmability and application ecosystems of other chains. The key mechanism to enable this interoperability is a bridge—a system that allows users to move their Bitcoin to another platform where richer functionality exists and then safely store their funds back on the Bitcoin blockchain.

“Building connections between different blockchains is not a new idea,” says Zeta Avarikioti. “You can lock Bitcoins on the Bitcoin blockchain and receive corresponding tokens on another blockchain. When you want to switch back, these tokens are destroyed, and the original Bitcoins on the Bitcoin blockchain are released again.”

Such systems are called bridges, but until now they have come with serious problems: anyone using a bridge between different cryptocurrencies has had to trust a group of people who operate that bridge. And this is exactly where attacks have repeatedly occurred—many of the major crypto thefts in recent years, sometimes involving millions in losses, exploited weaknesses in bridge systems. “Traditional bridges have been considered one of the biggest security risks in the crypto ecosystem,” says Christos Stefo.

Designing a trust-minimizing bridge was long considered impossible in Bitcoin, until now. The main issue has always been the return path from another blockchain back to Bitcoin. The Bitcoins that were previously locked can only be released if the tokens on the other blockchain were truly destroyed. Whether this was the case had to be verified essentially on a trust basis—for example by a committee that decided by simple majority whether the transaction had been carried out correctly. “If a dishonest majority gained control of this committee, the honest minority had no chance to intervene,” explains Matteo Maffei.

The TU Wien team has now developed a completely new trust-minimizing bridge concept that works in a fundamentally different way. It involves three groups of participants: operators, who pay out Bitcoins to people returning from another blockchain and later reclaim their funds on Bitcoin after proving correct execution; signers, who prepare certain transactions in advance; and challengers—any person in the world who believes they have detected incorrect behavior by the operators.

The crucial point is this: it is enough for just one honest person to exist in each group. Even if the majority acts maliciously, the system cannot be compromised. This robustness is achieved by BitVM2, which allows operators to reclaim their funds after proving on the Bitcoin chain that they have initially fronted them to clients. 

“We have shown that it is possible to combine the advantages of different cryptocurrencies,” says Zeta Avarikioti. “Our model links Bitcoin’s security with the flexibility of other blockchains—based on mathematically well-defined and cryptographically secure principles.”

This work will be presented at the Usenix Security Symposium in August and received the Bitcoin Research Prize from ChainCode Labs last December.

Original publication

R. Linus et al., Bridging Bitcoin to Second Layers via BITVM2, Usenix Security Symposium 2026, https://eprint.iacr.org/2025/1158.pdf

Contact

Prof. Matteo Maffei
Institut für Logic and Computation
Technische Universität Wien
+43 1 58801 184860
matteo.maffei@tuwien.ac.at

Prof. Dr. Zeta (Georgia) Avarikioti
Institut für Logic and Computation
Technische Universität Wien
+43 1 58801 192606
georgia.avarikioti@tuwien.ac.at

Christos Stefo, MSc
Institut für Logic and Computation
Technische Universität Wien
christos.stefo@tuwien.ac.at 

Text: Florian Aigner