Original Author: Justin Bechler
Original Compilation: AididiaoJP, Foresight New
Permissionless execution of Bitcoin's monetary policy and a distributed network of nodes are the sole sources of credibility that have propelled Bitcoin from zero to $125,000.
To reach the $1 million target, a similar level of credibility is required, but on a scale sufficient to meet the needs of sovereign wealth funds and central banks holding assets for decades.
Be very clear about this: the network and its nodes are under systemic attack, and Bitcoin Core has left the door wide open for it. But for the first time since the attack began, a real proposal is on the table that will stop it all.
This article explains this attack, the evidence behind the fix, and why the path to $1 million must go directly through it.
What Gives Bitcoin Value
Bitcoin's entire value proposition is based on a monetary guarantee.
The fact that there will only ever be 21 million Bitcoin is enforced by a distributed network of nodes that independently verify every transaction. This guarantee holds because ordinary people around the world can easily run the node software that enforces it.
This is precisely what distinguishes Bitcoin from all other centralized "crypto" projects. Ethereum has a foundation; Solana has a handful of validators running enterprise hardware; XRP has Ripple Labs. Each of these projects has a centralized bottleneck point that could be pressured, subpoenaed, sanctioned, or simply persuaded to change the rules. Bitcoin does not, because anyone with an ordinary computer and an internet connection can run a fully validating node, permissionlessly, without intermediaries, and without trusting anyone, interacting directly with the monetary protocol.
Gold requires trusting appraisers, bonds require trusting governments, stocks require trusting auditors. Bitcoin only requires trusting math and the nodes that run it.
Each node operator validating the chain is a vote for the monetary policy. The more nodes, the more decentralized the validation, and the more credible this guarantee appears to the capital that can push the asset into seven-figure territory.
Therefore, when something threatens the accessibility of running a node, it threatens Bitcoin's value and existence itself.
The Vulnerability Where It All Began
Bitcoin Core has included spam transaction filtering as a standard feature from day one. Since 2013, node operators have been able to set a limit on the size of extra data embedded in transactions through a configuration option called -datacarriersize. This was a deliberate design decision. The developers building and maintaining the protocol understood that without size limits on non-monetary data, the blockchain would inevitably be abused as a cheap data storage system, at the expense of every node operator on the network.
This system worked for a decade. Then, in early 2023, Casey Rodarmor launched the Ordinals protocol, and the dam broke.
Ordinals exploited a vulnerability in Bitcoin Core's spam filter. The existing data carrier limits were never extended to cover Taproot transactions introduced in the November 2021 upgrade. This meant that by disguising arbitrary data as program code within the Tapscript witness space, using an OP_FALSE OP_IF wrapper that is never actually executed, anyone could bypass the data size limits meant to prevent such abuse. Images, text files, BRC-20 token mints, and all other forms of non-monetary data could now be permanently embedded in the Bitcoin blockchain at a cost far below that of normal data transactions, thanks to the SegWit witness discount subsidy designed to reduce signature verification costs.
@LukeDashjr identified this as a vulnerability from the start. In December 2023, he formally registered the vulnerability in the NIST National Vulnerability Database as CVE-2023-50428, receiving a medium severity score of 5.3. The official description is precise: "In Bitcoin Core through 26.0 and Bitcoin Knots through 25.1.knots20231115, by obfuscating data as code (e.g., using OP_FALSE OP_IF), the data carrier size limit can be bypassed, as exploited in 2022 and 2023 in the case of inscriptions."
Luke was clear about what this meant. "Spam filtering has been a standard part of Bitcoin Core since day one," he explained. The failure to extend these filters to Taproot transactions was a bug, and inscriptions were exploiting this bug to attack the network. "The damage it has done to Bitcoin and Bitcoin users, including future users, is huge and irreversible," he wrote. "Ordinals were never permitted. It has been an attack on Bitcoin from the beginning."
The alternative node implementation Bitcoin Knots, maintained by Dashjr, patched CVE-2023-50428 in its 25.1 release in late 2023. The Ocean mining pool immediately deployed the fix, announcing its blocks would now contain "more real transactions" and characterizing Ordinals inscriptions as a denial-of-service attack on the network.
Bitcoin Core never patched it.
A formally registered NIST vulnerability, scored, exploited in millions of transactions, adding gigabytes of permanent bloat to every full node on the network, and the primary node software used by the vast majority of the Bitcoin network refuses to fix it. The patch exists, is tested, and is in production use on Knots. Core chose not to apply it and has instead moving further in the opposite direction.
Core 30: A Tax on Every Node
While BIP-110 proposed protecting nodes from data bloat, Bitcoin Core version 30 did the opposite. Instead of patching CVE-2023-50428, Core 30 completely removed the long-standing OP_RETURN size limit, opening the door to unlimited arbitrary data in OP_RETURN outputs.
The rationale provided by Core developers was that the existing 80-byte limit was being circumvented anyway, so maintaining it was pointless. This is like a city council stopping speed limit enforcement because people speed, and it directly contradicts the decade-long precedent noted by Dashjr.
Bitcoin Core maintained data carrier size limits since 2013 because developers understood that protecting block space from non-monetary abuse was crucial to keeping nodes accessible. Core 30 abandoned this principle.
The practical effect is a tax on every node runner. Unlimited OP_RETURN data means nodes must download, verify, and store an unlimited amount of data. And for what? The beneficiaries of this change are a handful of developers building non-monetary applications on Bitcoin who found the existing limits inconvenient.
Jameson Lopp argued for the change based on "extreme edge cases" unrelated to Bitcoin's function as money, yet highly relevant to his VS startup Citrea, which is "building on Bitcoin."
Ordinary people hate this.
In 2013, Core introduced data carrier limits to protect nodes from data spam. These limits worked for a decade. In 2023, a vulnerability allowed inscriptions to bypass these limits via Taproot, and Core refused to patch it.
In 2025, Core completely removed the limits. Each step makes nodes heavier and more expensive to run, each step moves further from the principle that "Bitcoin block space is for monetary transactions."
This is the fundamental contradiction in current Bitcoin development. One faction wants to keep the network a lean, accessible monetary protocol verifiable by anyone with a Raspberry Pi.
The other faction wants to expand the protocol's capabilities to accommodate any creative use case developers can imagine, and they are willing to make nodes heavier and more expensive to do it.
The first group is moving towards a $1 million Bitcoin. The second group is moving towards a "better version of Ethereum."
The Data: What BIP-110 Actually Does
@CunyRenaud just released a revised simulation of BIP-110, covering 10 days of mainnet data, from block height 929,592 to 931,032.
The results are unambiguous.
Out of 4.7 million transactions in the sample period:
1,957,896 transactions were filtered out by BIP-110 (41.5% of all transactions).
747.85 MB of block space was reclaimed (36%).
Zero legitimate financial transactions were blocked.
Out of nearly five million transactions, not a single monetary transfer was caught by the filter. Every payment, every exchange withdrawal, every Lightning channel open, every CoinJoin, every multisig spend went through smoothly.
A breakdown of the results reveals an important fact most in this debate have missed. The community has treated Ordinals inscriptions and OP_RETURN spam as two separate problems. They are not.
Of the inscription transactions caught by BIP-110, 94.6% were mixed transactions, carrying both a Tapscript OP_IF inscription wrapper and an OP_RETURN output containing Rune metadata. When BIP-110 filtered out the inscription, the associated OP_RETURN data went with it.
The narrative of "two spam problems" collapses in the face of the data. Bitcoin has one spam problem with two manifestations, and BIP-110 solves both simultaneously.
The Rule That Carries the Weight
BIP-110 contains multiple rules, but Rule 7 is the most critical. It prohibits the use of the OP_IF and OP_NOTIF opcodes within Tapscript execution. This directly targets the mechanism described in CVE-2023-50428, the OP_FALSE OP_IF wrapper that Ordinals inscriptions use to embed arbitrary data in the witness space.
Rule 7 alone caught 1,954,477 transactions in the simulation, 99.8% of all filtered transactions. Effectively, it is the patch Core refused to release, now formalized as a consensus rule with a one-year activation window.
An obvious question is whether this breaks any real functionality. The simulation specifically searched for legitimate Tapscript contracts using OP_IF, including conditional branches, timelocks, threshold signatures, and hash timelock contracts.
The answer, out of 4.7 million transactions, was zero. These patterns do not exist in mainnet Tapscript today. The Lightning Network still runs on SegWit v0, DLCs use adapter signatures, and vault implementations are still experimental.
The theoretical concern that Rule 7 might hinder future smart contracts is worth acknowledging. It might, but BIP-110's activation period is one year, not permanent. The inscription flood is happening *now*, and the damage to the UTXO set accumulates daily.
A one-year intervention that eliminates 41.5% of transaction spam while blocking zero financial activity is a trade-off that favors action.
Bitcoin Is Money
Some will oppose BIP-110 on the grounds that "any transaction that pays a fee is legitimate." Inscription users pay the market rate, miners voluntarily include their transactions, by what authority can they be filtered out?
The answer lies in understanding what Bitcoin actually protects and why.
Bitcoin's censorship resistance is designed to guarantee *monetary transactions*. The proof-of-work, the difficulty adjustment, the block reward schedule, and the entire security model are designed to protect a peer-to-peer electronic cash system.
That design, that single purpose, is what justifies the immense energy expenditure required to protect the network.
Monetary transactions on Bitcoin are uncensorable. This is the very property that makes Bitcoin valuable, and it's a property BIP-110 leaves entirely intact. If you are sending or receiving Bitcoin as money, BIP-110 does not affect you. The simulation proves this empirically. 2.5 million financial transactions passed through, unaffected.
The existence of non-monetary transactions is contingent on the network's forbearance. No one is outlawing them by decree, no one is arresting inscription users. The argument is simply that storing NFT data and token minting instructions in the witness space does not merit the same protocol-level protection as transferring value between people. When non-monetary use begins to threaten the infrastructure that makes monetary use possible, the network is fully within its rights to prioritize its core function.
This is not censorship. Censorship is when a government stops your payment because it dislikes your politics. Filtering out operations that exploit a vulnerability that should have been patched years ago for data storage is network maintenance. This distinction matters, and anyone conflating the two is either confused or arguing in bad faith.
When critics argue that miners would never voluntarily stop including inscription transactions, Dashjr articulated this clearly: "Bitcoin operates under the assumption that most miners are honest, not malicious." The security model assumes miners will act in the long-term interest of the network, not damage the infrastructure that makes fees valuable for the sake of maximizing short-term fee revenue.
The Path to $1 Million
Imagine explaining Bitcoin to a sovereign wealth fund manager in 2028. You are arguing that this asset deserves a permanent allocation alongside gold and treasury bonds.
The argument rests on three pillars: a fixed supply, censorship-resistant transactions, and decentralized validation. If any one of these pillars is weakened, the argument weakens. If the supply schedule can be changed, Bitcoin is just another, better-marketed fiat. If transactions can be censored, Bitcoin is just a slow database.
If validation becomes centralized to a few data centers because running a node becomes too expensive, then Bitcoin's monetary guarantee becomes a gentleman's agreement enforced by entities with identifiable interests and political pressure points.
Inscription-driven UTXO bloat directly attacks the third pillar. It makes nodes more expensive, makes validation more centralized, and damages the decentralization that makes the monetary guarantee credible. And it does all this to provide a service unrelated to money that can be done more efficiently on systems built for the purpose.
Arbitrary data storage is a solved problem; Bitcoin does not need to be Filecoin.
Meanwhile, Core's trajectory—from refusing to patch CVE-2023-50428 to actively removing OP_RETURN limits in version 30—shows that the current development leadership is willing to let nodes become bloated to serve non-monetary use cases. BIP-110 resists this trajectory. It signals that the network's priority is money, the node network exists to validate money, and the protocol should be optimized for money.
BIP-110 eliminates the inscription attack vector for one year, while completely unaffected every single financial transaction on the network. It eliminates 41.5% of spam transactions and reclaims 36% of block space. Out of 4.7 million transactions tested, it produced zero false positives. And it preserves the option to reassess as data on legitimate Tapscript usage becomes clearer.
The path to a $1 million Bitcoin is paved by the credibility of the monetary policy, the credibility of censorship resistance, and the credibility of the decentralized validation network that enforces both.
A $1 million Bitcoin stands or falls with the node network.
What You Can Do
If you run a node, you have a say in this.
Research the BIP-110 specification. Review the simulation data published by Bitcoin Block Space Weekly. If you have the technical ability, run the numbers yourself. Then decide based on what the evidence shows, not what the loudest voices on social media tell you to think.
If you're ready to act, switching from Bitcoin Core to Bitcoin Knots is easier than most think. If you run Umbrel, Start9, MyNode, or RaspiBlitz, Knots is a one-click install in your app market, and your existing blockchain data can be moved over. If you run Core on desktop or bare-metal Linux, the migration is just as straightforward. Either way, you can be running Knots and enforcing BIP-110 in minutes.
Every node that switches to Knots is a vote for Bitcoin's future as money, and every vote matters.
The data is clear, the trade-offs are honest, and the window is one year. The cost of inaction is gigabytes of permanent data bloat added to every node on the network, daily.
Bitcoin is money, and BIP-110 keeps it that way.
Bitcoin will not survive as a non-monetary arbitrary data relay and storage.
If you believe that, then you are running a sovereign, censorship-resistant node, using Bitcoin as money, permissionlessly.
