四月区块链技术更新:抗量子解决方案、rsETH 攻击、莱特币 MWEB 零日漏洞GaryMa,Wu BlockchainWuBlockchain 总结了 4 月份区块链技术领域的主要发展:比特币 为了应对量子计算可能对比特币安全构成的长期威胁,比特币开发者和研究人员正式提出了 BIP-361。该提案建议冻结被认为具有“量子漏洞”的早期比特币地址(主要是公钥直接暴露的 P2PK 地址),以防止未来的量子计算机从公共信息中获取私钥并窃取资金。目前,该提案已在社区内引发广泛讨论;支持者将其视为确保比特币代际安全的必要手段,而反对者则对“冻结资金”的干预是否违反去中心化和抗审查原则表示担忧。Lightning Labs CTO Olaoluwa Osuntokun 构建了第一个比特币抗量子钱包救援工具的功能原型。该工具旨在防止数百万钱包永久被盗
如果现有的签名系统在未来的紧急抗量子防御升级期间被关闭,则会被冻结。该解决方案允许用户在数学上证明他们是钱包创建者,而无需透露他们的助记词种子,从而重新获得资金。该原型目前已投入运行,在高规格 MacBook 上大约需要 55 秒即可生成证明,验证时间不到 2 秒,不过目前还没有正式的 BIP 或明确的部署时间表。StarkWare 研究人员发表论文指出,比特币可以通过“量子安全比特币(QSB)”方案在不进行软分叉的情况下实现量子抗性。该方案构建了一种基于哈希函数的签名机制来替代当前易受量子威胁的椭圆曲线密码学。
April Blockchain Technology Update:Quantum-Resistant Solutions, rsETH Attack, Litecoin MWEB Zero-Day Vulnerability
Written by | GaryMa, Wu Blockchain
The WuBlockchain summarizes key developments in the blockchain technology space for April:
Bitcoin
In response to the long-term threat that quantum computing may pose to Bitcoin’s security, Bitcoin developers and researchers have formally proposed BIP-361. The proposal suggests freezing early Bitcoin addresses considered to have “quantum vulnerability” (primarily P2PK addresses where public keys are directly exposed) to prevent future quantum computers from deriving private keys from public information and stealing funds. Currently, this proposal has sparked extensive discussion within the community; supporters view it as a necessary means to ensure Bitcoin’s intergenerational security, while opponents express concern over whether the intervention of “freezing funds” violates the principles of decentralization and censorship resistance.
Lightning Labs CTO Olaoluwa Osuntokun has built the first functional prototype of a Bitcoin quantum-resistant wallet rescue tool. This tool is designed to prevent millions of wallets from being permanently frozen if existing signature systems are shut down during a future emergency quantum-resistant defense upgrade. The solution allows users to mathematically prove they are the wallet creator without revealing their mnemonic seed, thereby regaining access to funds. The prototype is currently operational, generating a proof in approximately 55 seconds on a high-spec MacBook with a verification time of less than 2 seconds, though there is currently no formal BIP or definitive deployment timeline.
StarkWare researchers published a paper stating that Bitcoin can achieve quantum resistance without a soft fork through a “Quantum Safe Bitcoin (QSB)” scheme. This scheme constructs a signature mechanism based on hash functions to replace the current elliptic curve cryptography vulnerable to quantum threats, thereby enhancing security. However, the current cost per transaction for this scheme is approximately $75 to $150, significantly higher than existing levels, and the user experience is complex. Researchers believe it is better suited as a “last resort,” and the project remains in the experimental stage, making large-scale application unlikely in the short term.
According to an official announcement from Bitcoin Core, Bitcoin Core v31.0 has been formally released. This version introduces several underlying updates and improvements, primarily including: the GUI framework updated to Qt 6.8; the default database cache for systems with more than 4GB of memory increased from 450 MiB to 1024 MiB; and the addition of -privatebroadcast to support private broadcasting behavior. Furthermore, to prevent fee calculation errors, the new version has completely removed the -paytxfee startup option for setting static fees; users will now rely on automated fee estimation or specify a per-transaction fee rate. The new version also implements privacy and security filters for commands used when restoring and migrating wallets.
Bitcoin developer Paul Sztorc announced that he is assisting in the creation of a new Bitcoin hard fork called “eCash,” expected to go live this August. Bitcoin holders will receive eCash at a 1:1 ratio. The project’s L1 code maintains compatibility with Bitcoin Core and will activate BIP300/301 via CUSF, introducing seven Drivechain Layer 2 networks that support merged mining. Sztorc stated that unlike the BCH fork in 2017, the name eCash does not contain “Bitcoin,” and a warning has been issued four months in advance. The team will provide token splitting tools to replay all initial transactions.
According to BTC Times, research into Bitcoin’s quantum-resistant security continues to advance, with researchers proposing several new schemes and prototype implementations. Jonas Nick proposed a hash-based signature scheme named SHRIMPS, which supports multi-device signatures; Avihu Levy proposed QSB, a method for constructing quantum-safe transactions without a soft fork; and Olaoluwa Osuntokun developed a zk-STARK-based wallet recovery prototype that can prove ownership without exposing mnemonic phrases. Various quantum-resistant paths are currently being explored in parallel to address potential future cryptographic risks.
Bitcoin developer Jimmy Song stated that Bitcoin needs more “conservative” node clients to maintain its monetary properties and strengthen network decentralization. He pointed out that the OP_RETURN 83-byte data limit should be restored to reduce node storage and bandwidth costs, ensuring that average users can still run nodes at a low cost. Previously, Bitcoin Core 30 increased this limit to 100,000 bytes in 2025, sparking community controversy and driving a significant increase in the number of Bitcoin Knots nodes, which currently account for approximately 21.7% of all nodes on the network.
F2Pool co-founder Wang Chun posted that Bitcoin protocol upgrades should not adopt the “bundled legislation” approach used by U.S. politicians, which is why he rejected BIP-110 and BIP-54. He believes the four problems the proposals attempt to solve (including time-warp attacks, blocks that take too long to verify, forged payment proofs, and duplicate transactions) are relatively trivial historical edge cases that do not justify the coordination costs, node upgrade workload, and community attention required for a soft fork. Wang Chun emphasized that Bitcoin has far more than four known vulnerabilities and that limited development resources should be focused on more critical, high-impact issues.
Ethereum
Glamsterdam Upgrade: Extreme L1 Scaling and MEV Fairness. Progress: The development team successfully verified EIP-7928 (Block-level Access Lists — BALs) on Devnet-5. This is the “map” for achieving parallel processing. By pre-tagging accounts touched by transactions, nodes can now invoke multiple CPU cores simultaneously. ePBS will “write” the block construction logic, which previously relied on external entities (like Flashbots), directly into the protocol. Mainnet code is currently near lockdown. If the Holesky and Sepolia testnets in May go smoothly, activation in late June is essentially a given.
Hegota Upgrade: Anti-censorship, Privacy Enhancement, and Node Slimming. Progress: As Frame Transactions make way, FOCIL (Fork-Choice Inclusion List) has become the core of Hegota. It forces proposers to include specific transactions, fundamentally solving the censorship issue of large mining pools/validators selectively blocking transactions. Substantial progress has been made on the migration plan for Verkle Trees. The engineering implementation path for “State Conversion” has been formally established. By using EIP-7928 (Block-level Access Lists) from the Glamsterdam upgrade as a data preprocessing source, a smooth migration of terabytes of state to a lightweight Verkle structure has been achieved without shutting down the network. This marks the formal transition of “stateless clients” from cryptographic theory to practical mainnet deployment.
Ethereum researchers proposed EIP-8142 (”Block-in-Blobs”), which aims to migrate execution payload data to blobs to reduce validator bandwidth requirements and enhance scalability. Based on EIP-4844, the scheme uses cryptographic commitments and Data Availability Sampling to allow validators to complete verification without downloading the full dataset, while supplementing data availability guarantees in a zkEVM environment. Additionally, this model may unify execution gas and blob gas into a “data gas” system. Meanwhile, Biconomy and the Ethereum Foundation proposed the ERC-8211 standard, which converts transactions into programmable workflows, supporting multi-step execution with a single signature.
Ethereum L2s
Polygon announced the launch of a Private Mempool, designed to protect transactions from frontrunning and sandwich attacks. This feature allows developers to connect by simply changing a single line of the RPC URL; transactions will bypass the public mempool and be sent directly to block producers regulated by the validator set, ensuring transaction order is not manipulated. Polygon stated that this architecture addresses malicious MEV issues common in applications like Polymarket while maintaining decentralization.
The Polygon Foundation announced that the Giugliano hard fork will be executed on the mainnet at block height 85,268,500 on April 8 at 22:00 UTC+8. This upgrade will improve finality speed by allowing block producers to broadcast blocks earlier, while adding a block header fee parameter and RPC support for fee data. Official guidance advises all node operators to upgrade Bor to v2.7.0 or Erigon to v3.5.0.
Base officially announced its first independent network upgrade, Base Azul, scheduled for activation on the mainnet on May 13. This upgrade aims to enhance Base’s security, performance, and developer experience. Core improvements include: first, the activation of the Multiproofs mechanism, which combines TEE and ZK proof systems to push the network toward “Stage 2” decentralization and potentially shorten withdrawal periods to just one day; second, the integration of a performance-oriented client stack, using base-reth-node as the sole execution client and introducing a new consensus client based on Kona, base-consensus, to accelerate the goal of 1 gigagas/s throughput; and third, the adoption of Ethereum’s latest execution layer specifications (Osaka) to optimize the developer experience.
The Starknet mainnet underwent the v0.14.2 upgrade, with an expected downtime of about 10 minutes. This upgrade introduces in-protocol proof verification, enabling the network to verify proofs natively without relying on application-layer solutions. This unlocks native privacy capabilities, supports STRK20 and strkBTC, and lays the foundation for zkThreads (leading to infinite scaling) and deeper decentralization.
Solana
The Solana Foundation stated that its ecosystem has conducted long-term research into the potential threats of quantum computing and has formulated a post-quantum migration plan. Following independent research, both Anza and Jump Crypto chose the Falcon post-quantum digital signature scheme and completed preliminary implementations. This scheme is characterized by short signature lengths and suitability for high-throughput blockchains. Solana stated that no protocol changes are currently required, but if quantum computing achieves a breakthrough, the upgrade can be completed according to the established path.
Solana is collaborating with Project Eleven to test quantum-resistant security signatures to prepare for future quantum computing threats. However, early test results show a severe trade-off between security and speed: the size of quantum-resistant signatures increased by up to 40 times, leading to a roughly 90% decrease in network operating speed, raising concerns about its scalability.
BNB Chain
BNB Chain officially announced that the Osaka/Mendel hard fork upgrade has gone live on the BNB Smart Chain mainnet. Officials stated that with the continuous growth of BSC on-chain activity, the focus of this upgrade is to provide superior execution, more stable network performance, and faster transaction finality. Reportedly, the hard fork includes 9 protocol improvements aimed at consolidating the underlying infrastructure following previous network speed increases.
Security
A zero-day vulnerability appeared in the Litecoin MimbleWimble Extension Block (MWEB) privacy layer, causing some unupdated nodes to verify invalid transactions and triggering a DoS attack against mining pools. The attacker used this to transfer funds to a third-party DEX. Subsequently, the network performed a reorganization of approximately 13 blocks to roll back the invalid transactions; normal transactions were unaffected. The vulnerability has been fixed, and the network has resumed normal operation.
Kelp DAO’s rsETH cross-chain bridge was suspected of being attacked, with the attacker using LayerZero-related contract calls to transfer approximately 116,500 rsETH from the bridge, worth about $292 million at current prices. The protocol paused core contracts approximately 46 minutes later to prevent further attack attempts and launched an investigation with LayerZero and Unichain. Following the incident, Aave froze the rsETH market to assess potential bad debt risks.
According to disclosures by security researcher Feross and the SlowMist team, axios, one of the most commonly used dependency packages in the npm ecosystem, suffered a serious supply chain attack. The attacker released versions axios@1.14.1 and axios@0.30.4 containing malicious code. These versions automatically introduce a malicious loader that decrypts and executes Shell commands during runtime, planting malicious payloads into the operating system (covering macOS, Linux, and Windows) with anti-forensic capabilities to erase traces. Axios has over 100 million weekly downloads, making the impact extremely broad. SlowMist advised developers to pin dependency versions immediately, avoid upgrading, and inspect local environments for infection.
According to an official post from Vercel, its security team confirmed, after a joint investigation with GitHub, Microsoft, npmjs, and SocketSecurity, that no npm packages published by Vercel were compromised in recent security incidents. Vercel stated there is no evidence of tampering and its software supply chain remains secure. It is reported that Vercel confirmed on April 19 that its internal systems had been subject to unauthorized access. The incident originated from an attacker compromising the Google Workspace OAuth credentials of a third-party AI tool (Context ai) used by an employee, gaining access to some non-sensitive environment variables, but sensitive data was not affected.
The North Korean Lazarus Group was revealed to be launching a new attack campaign called “Mach-O Man,” primarily targeting executives at high-value firms in crypto and fintech through social engineering attacks disguised as routine business communications. The attack utilizes “ClickFix” technology, guiding victims to join fake meetings and paste commands into the Mac terminal to gain access to corporate systems and funds. CertiK researchers stated the malware is a modular macOS toolkit capable of self-deletion after an attack, increasing the difficulty of detection and tracking. Data shows that related attacks have moved over $500 million from the Drift and KelpDAO incidents in the past two weeks; the Lazarus Group has cumulatively profited approximately $6.7 billion since 2017.
Other
Zcash node software recently fixed a critical security vulnerability. The bug existed in the deprecated but still balance-retaining Sprout privacy pool, which could theoretically have been exploited by malicious miners to steal approximately 25k ZEC, worth about $6.5 million at current prices. The development team released version v6.12.0 to fix it, and major mining pools completed upgrades within three days. Officials stated the vulnerability was not exploited in practice, and user funds remained secure.
TON Core announced that the Sub-Second upgrade has begun deployment on the mainnet. This upgrade is a consensus layer update aimed at achieving sub-second confirmation and improving on-chain response speed. The upgrade plan included completing validator version updates on March 31, a validator vote to activate the new consensus on the basechain and increase block frequency on April 2, and the full enablement of the fast consensus mechanism on the basechain and masterchain on April 7.
According to a Sonic Labs announcement, as the ecosystem has migrated to Sonic, the Fantom Opera network will cease operations on June 30, 2026, at 17:00 GMT. Users must complete asset migrations before then. The team stated this is a retirement of legacy infrastructure; on-chain data and history will be preserved, and the ERC-20 FTM to S conversion path and Sonic Gateway will remain unaffected.
World announced an upgrade to the World ID protocol, introducing mechanisms such as multi-key support, key rotation, and session management, alongside the launch of a standalone app and an open-source SDK to strengthen “human verification” capabilities. The new version has integrated with platforms like Tinder and Zoom for user authenticity labeling and anti-deepfake verification, while expanding into ticketing, social, and gaming scenarios and introducing a fee model for application providers, while remaining free for users. (The Block)
Sei officially noted that the Sei v6.4 upgrade has added a protocol-level switch to “disable inbound IBC transfers,” which will be formally enabled via a governance proposal. Users holding certain IBC assets on Sei are advised to bridge out to the original chains as soon as possible before the proposal passes; otherwise, those Cosmos-native assets will no longer be transferable to Sei, and users may face the risk of being unable to retrieve them. Assets currently flagged for urgent processing include: USDCet (Wormhole Ethereum USDC), USDCop (Wormhole Optimism USDC), USDTbs, ATOM, and WBTC. This adjustment is a transitional step in Sei’s progression of SIP-3 to upgrade the network to an “EVM-only chain.”
Zcash has released zcashd v6.12.1, and the Zcash Foundation simultaneously released Zebra v4.3.1, fixing four security vulnerabilities. These include an Orchard action encoding flaw that could cause node crashes and potentially trigger consensus splits between the two clients. Officials stated that mining pools running both implementations have completed patch deployment, with no evidence of exploitation detected; user funds and privacy are unaffected, and there is no risk of ZEC inflation. Officials suggest users upgrade as soon as possible and check announcements for full details.
Circle’s L1 blockchain Arc released a quantum-resistant design and roadmap, proposing a phased implementation of full-stack quantum resistance covering wallet authorization, private state, validator authentication, and infrastructure. It introduces a quantum-resistant signature mechanism on the mainnet using an opt-in approach to avoid forced migration. The roadmap shows progress toward quantum-resistant private state protection, infrastructure upgrades (including TLS 1.3), and validator signature hardening. Circle noted that quantum computing may threaten public-key cryptography by 2030 or earlier, warning of “harvest now, decrypt later” risks.
Follow us
Twitter: https://twitter.com/WuBlockchain
Telegram: https://t.me/wublockchainenglish