On 15 August 2024, six researchers — Robin Linus, Lukas Aumayr, Alexei Zamyatin, Andrea Pelosi, Zeta Avarikioti, and Matteo Maffei — published a paper called BitVM2: Bridging Bitcoin to Second Layers. That paper is the reason Citrea, Alpen, and Bitlayer exist as live products today.
Recap from Part 1: why validity proofs are the endgame
Part 1 of this series mapped the trust spectrum of Bitcoin L2s, from federated wraps at one end to fully trustless verification at the other. The most trust-minimised wave we identified depends on something Bitcoin could not previously do: verify off-chain computation directly.
The blocker has always been Bitcoin Script. It is intentionally limited — no loops, no general-purpose opcodes, and certainly no native verifier for zero-knowledge (ZK) proofs. Ethereum L2s solved this by adding precompiles to the base layer. Bitcoin will not do that. Soft forks are politically and technically expensive, and proposals like OP_CAT and OP_CTV have been debated for years without activation.
BitVM2 broke the deadlock without asking Bitcoin to change. That matters because every other Bitcoin scaling story you have heard — from drivechains to covenant-based rollups — has been waiting on a fork that may never come.
BitVM2 in plain language
The trick is to never make Bitcoin verify a whole computation. Instead, BitVM2 makes Bitcoin verify a single disputed step of one.
Here is the shape of it. An entity called an Operator runs the rollup's heavy work off-chain — executing transactions, generating a ZK proof, posting a result. They lock a bond in a Taproot output and effectively say, "Here is the answer. Challenge me if you think I am lying."
The full computation is committed in advance as thousands of small Bitcoin Script chunks, each chunk verifiable on its own. Inputs and intermediate values are bound together using Lamport-style hash commitments — a one-time signature scheme where reusing the same key on two different values reveals a private key. That is the mechanism that makes lying expensive.
If an Operator equivocates — claims one intermediate value here and a different one there — anyone can grab those two contradictory signatures, build a disprove transaction that exposes the cheat on-chain, and claim the bond. BitVM2's headline achievement is reducing this dispute resolution to three on-chain transactions and making challenging permissionless: anyone with a fee can challenge, not just a pre-approved set of verifiers.
No soft fork. No new opcodes. Just existing Bitcoin Script, Taproot, and a clever pattern of "connector" UTXOs that thread the dispute graph together. If you have not internalised how Bitcoin's UTXOs work, the UTXO model explainer is worth a detour — BitVM2 is essentially a very elaborate UTXO choreography.
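The equivocation check described above can be modelled in a few lines. This is an added example, not code from the BitVM2 paper or any of the projects named here; it is a simplified Python model rather than Bitcoin Script, and the function names, the 8-bit value width and the use of SHA-256 are assumptions made for illustration.

```python
import hashlib
import secrets

BITS = 8  # assumption: width of one committed intermediate value

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()  # assumption: SHA-256 as the hash

def keygen(bits: int = BITS):
    """One secret pair per bit; the public key is the pair of hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(bits)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk

def commit(sk, value: int):
    """Commit to `value` by revealing, per bit, the preimage for that bit."""
    return [sk[i][(value >> i) & 1] for i in range(len(sk))]

def decode(pk, sig):
    """Return the value a commitment encodes, or None if any preimage is invalid."""
    if len(sig) != len(pk):
        return None
    value = 0
    for i, pre in enumerate(sig):
        h = H(pre)
        if h == pk[i][1]:
            value |= 1 << i
        elif h != pk[i][0]:
            return None
    return value

def find_equivocation(pk, sig_a, sig_b):
    """If both commitments are valid but differ, return (bit, preimage0, preimage1)."""
    va, vb = decode(pk, sig_a), decode(pk, sig_b)
    if va is None or vb is None or va == vb:
        return None
    i = ((va ^ vb) & -(va ^ vb)).bit_length() - 1  # lowest differing bit
    zero, one = (sig_a[i], sig_b[i]) if (va >> i) & 1 == 0 else (sig_b[i], sig_a[i])
    return i, zero, one

def verify_fraud_proof(pk, proof) -> bool:
    """Anyone holding only the public key can check both preimages of one bit."""
    i, zero, one = proof
    return H(zero) == pk[i][0] and H(one) == pk[i][1]

if __name__ == "__main__":
    sk, pk = keygen()
    claim_a, claim_b = commit(sk, 0x5A), commit(sk, 0x5B)  # constructed values
    proof = find_equivocation(pk, claim_a, claim_b)
    print("differing bit:", proof[0], "proof valid:", verify_fraud_proof(pk, proof))
```

A single honest commitment never exposes both preimages of any bit, so a valid fraud proof can only come from two conflicting claims made under the same key.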
The 1-of-N honesty assumption
This is where the honest framing has to come in.
BitVM2 verifies computation under an optimistic-with-fraud-proofs model. But moving BTC into and out of an L2 still requires custody. In every shipping BitVM2 design, peg-in deposits are locked in an N-of-N multisig controlled by a federation of named members. To unlock funds, all N must sign — unless the canonical BitVM2 spending paths are taken, in which case any honest participant can force the correct outcome.
The security claim is: funds are safe as long as at least one member is honest and deletes their share of the key after setup. That is the famous 1-of-N honesty assumption.
It is strictly weaker than a t-of-n federation. Liquid, for example, breaks if a majority of its functionaries collude. A BitVM2 bridge breaks only if every single committee member colludes (or loses their key material in the same way). One honest deletion is enough.
Weaker is good. But it is still a trust assumption. It is not the "verified by every full node" property that Bitcoin itself has, and it is not the eventual trustless validity bridges that Ethereum L2s aim for. Liveness — the ability to actually withdraw — also requires at least one honest Operator willing to front the BTC, and validity in the face of fraud requires at least one honest Challenger willing to spend on a disprove transaction.
Citrea: Bitcoin's first live zkEVM rollup
Citrea is built by Chainway Labs, founded in 2023. They raised a $2.7M seed in February 2024 led by Galaxy Ventures, then a $14M Series A in October 2024 led by Founders Fund — roughly $16.7M total.
The public testnet went live on Bitcoin Testnet4 on 24 September 2024. Mainnet launched on 27 January 2026, making Citrea the first production zkEVM rollup with Bitcoin as its data-availability and settlement layer.
A few specifics worth knowing:
- Multi-prover stack. Citrea runs both RISC Zero zkVM 1.0 and Succinct Labs' SP1 in parallel. A block is only finalised once both prover systems agree, which hedges against a soundness bug in any single ZK system.
- Clementine bridge. Their two-way peg is a BitVM2 implementation operating under the 1-of-N committee model described above.
- Native assets. cBTC is the 1:1 BTC representation that pays gas; ctUSD is a USD stablecoin issued by MoonPay and powered by M0.
- EVM-equivalence. Citrea extends revm (a Rust EVM implementation) so existing Ethereum dApps deploy without code changes. Solidity, Foundry, Hardhat — they all just work.
For readers coming from the Ethereum scaling world, this is a familiar pattern but with Bitcoin underneath. If you have not read it yet, our Ethereum rollups primer covers the ZK-vs-optimistic split that Citrea inherits.
Alpen Labs and Bitlayer
Citrea is not alone.
Alpen Labs raised a $10.6M seed in April 2024 led by Ribbit Capital, then an $8.5M strategic round in January 2025 led by DBA and Cyber Fund. Their rollup is called Strata, EVM-compatible, with two public testnets shipped in 2025 (named Shanghai and Prague). The Strata bridge uses BitVM2 paired with a proprietary proving system called Glock plus a Groth16 verifier — the same elliptic-curve pairing-based scheme used by older Ethereum L2s.
Bitlayer took a different route to market. They launched the first production BitVM Bridge mainnet beta on 15 July 2025, focused on a 1:1 BTC-backed token called YBTC that lives natively across Solana, Ethereum, Base, and Sui in addition to Bitlayer's own L2. By February 2026 the project reports network TVL above $360M, YBTC Family TVL around $93.75M, and over 3,000 BTC deposited.
Three teams, three flavours, one underlying primitive.
Where the trust still lives in 2026
If you take only one thing from this part of the series, take this: BitVM2 moves the trust, it does not remove it.
The weakest link is still the peg. A federated N-of-N committee of named operators sets up the multisig and deletes their keys. You are trusting that the setup ceremony was honest and that at least one of those deletions actually happened. There is no on-chain way to verify a deletion — only social and reputational signals.
The challenge cycle itself is also more theoretical than battle-tested. Disprove transactions are large and expensive. As of mid-2026 the number of real adversarial challenges that have actually been adjudicated on mainnet is in the single digits across all BitVM2 systems. The mechanism should work; we have not seen it stress-tested in anger.
Provers also still need a trusted setup. Citrea ran a 63-contributor RISC Zero-to-BitVM ceremony in 2025 — a meaningful but not infinite anonymity set. And the multi-prover hedge (RISC0 + SP1) doubles the code surface area, which is itself an attack surface.
None of this makes BitVM2 bad. It is genuinely a leap beyond multisig wraps. But "as safe as Bitcoin itself" it is not, and any honest builder in this space will tell you so.
What this unlocks for Bitcoin holders
The practical upside is real. With cBTC on Citrea or YBTC on Bitlayer you can:
- Lend and borrow against BTC collateral on Morpho-style markets.
- Swap on AMMs like Satsuma and JuiceSwap.
- Deploy or use any Solidity contract you already know.
- Get sub-second to roughly 2-second L2 block times instead of Bitcoin's 10-minute base layer, with gas paid in BTC rather than a separate token.
Fee dynamics matter too — every peg-in, peg-out, and disprove transaction competes for Bitcoin blockspace, which is a topic our blockspace and fees explainer covers in detail.
The practical guidance from this desk: only bridge what you would be comfortable putting on a federated sidechain. Read the signer set before you peg in. Look up who the named committee members are, when the ceremony was held, whether key-deletion attestations were published. Treat the 1-of-N model as a real — and meaningfully improved — trust assumption, not as zero trust. And keep your long-term cold storage where it has always belonged: in self-custody on the Bitcoin base layer, held in a wallet you control.
BitVM2 is the most ambitious thing happening on Bitcoin in 2026. It also is not the only model competing for your attention. Part 3 turns to the federated alternative that has been live the longest — Stacks and sBTC — and asks the uncomfortable question of whether their published, transparent signer set is actually a better trust trade than a 1-of-N committee you have to take on faith.



