
Breaking Bitcoin's Bottleneck: A Comprehensive Audit Guide to BTC Layer 2 Scaling Technologies
TechFlow Selected TechFlow Selected

Breaking Bitcoin's Bottleneck: A Comprehensive Audit Guide to BTC Layer 2 Scaling Technologies
Lightning Network, sidechains, Rollups, and similar technologies are collectively known as BTC Layer2 scaling solutions.
Author: Beosin
Bitcoin (BTC), the world's first cryptocurrency, has since its inception in 2009 gradually become the cornerstone of digital assets and decentralized finance. However, as user numbers and transaction volumes have grown, issues with the BTC network have become increasingly apparent, primarily manifesting in the following areas:
-
High transaction fees: When the Bitcoin network is congested, users must pay higher fees to ensure their transactions are confirmed promptly.
-
Transaction confirmation time: The Bitcoin blockchain generates a new block approximately every 10 minutes, meaning on-chain transactions typically require multiple block confirmations before being considered final.
-
Limited smart contract capabilities: Bitcoin’s scripting language is functionally limited, making it difficult to implement complex smart contracts.
In this article, we collectively refer to technologies such as the Lightning Network, sidechains, and Rollup as BTC Layer 2 scaling solutions. These aim to enable fast, low-cost transactions while preserving the decentralization and security of the BTC network. The introduction of Layer 2 technologies can enhance transaction speed, reduce costs, improve user experience, and expand network capacity—providing critical technical support and innovative directions for BTC’s future development.
Lightning Network
The earliest concept behind the Lightning Network was known as "payment channels." Its design approach involves continuously updating unconfirmed transaction states via transaction replacement until finally broadcasting the final state to the Bitcoin network. Satoshi Nakamoto had already proposed the idea of payment channels when creating Bitcoin in 2009 and included a draft implementation within Bitcoin 1.0. This draft allowed users to update transaction states before network confirmation. However, it wasn’t until the release of the whitepaper The Bitcoin Lightning Network: Scalable Off-Chain Instant Payments that the Lightning Network truly emerged into public awareness.
Today, implementations of payment channels and the Lightning Network are highly mature. As of now, the Lightning Network comprises 13,325 nodes, 49,417 channels, and holds a total of 4,975 BTC in collateral.

https://1ml.com/
In the Lightning Network, ensuring the security of user assets during transfer is crucial. Below, we explain how the Lightning Network operates and protects asset security based on network node scale.
Two parties submit two transactions to the Bitcoin mainnet: one to open a channel and another to close it. The process consists of three main steps:
1. Channel Opening:
First, both participants deposit BTC into a multi-signature wallet on the BTC blockchain managed by the Lightning Network. Once the BTC is successfully deposited and locked, the payment channel opens, enabling both parties to conduct off-chain transactions within this channel.

2. Off-Chain Transactions:
Once the channel is open, all transfers between users are processed within the Lightning Network, with no limit on the number of transactions. These off-chain transactions do not need to be immediately submitted to the Bitcoin mainnet but are instead settled instantly through the Lightning Network’s off-chain mechanisms.

This off-chain processing significantly improves transaction speed and efficiency, avoiding congestion and high fees on the Bitcoin mainnet.
3. Channel Closure and Ledger Settlement:
When either party decides to exit the channel, final ledger settlement occurs. This ensures funds are distributed according to the most recent state. Both users then withdraw their final balances from the multi-signature wallet, reflecting the actual fund allocation at closure. Finally, the channel submits the final state transaction to the Bitcoin mainnet.

Advantages of the Lightning Network include:
-
Improved transaction speed: By enabling off-chain transactions, the Lightning Network allows near-instant settlements without waiting for block confirmations, achieving second-level transaction speeds and greatly enhancing user experience.
-
Enhanced privacy: Off-chain transactions on the Lightning Network are not publicly recorded on the Bitcoin mainchain, increasing transaction privacy. Only channel opening and closing are recorded on-chain, so user activity remains largely private.
-
Support for micropayments: The Lightning Network is ideal for handling small payments (micropayments), such as content monetization or IoT device payments. Traditional Bitcoin transactions are too expensive for frequent microtransactions, a problem solved by the Lightning Network.
Challenges facing the Lightning Network:
-
Liquidity constraints: The Lightning Network relies on BTC pre-locked in channels. Users must deposit sufficient BTC upfront to conduct transactions. Insufficient liquidity may lead to failed payments, especially for larger amounts.
-
Routing complexity: Finding an effective path from sender to receiver can be complex, particularly as the network scales. As the number of nodes and channels increases, ensuring successful payment routing becomes more challenging.
-
Custodial trust risks: Nodes may face malicious attacks, requiring users to trust that connected nodes won’t attempt to steal funds. The risk of private key exposure must also be mitigated.
-
Standardization and interoperability: Different Lightning Network implementations must adhere to consistent technical standards and protocols to ensure interoperability. Currently, multiple development teams are building different versions, potentially leading to compatibility issues.
-
Privacy concerns: While the Lightning Network enhances privacy compared to on-chain transactions, transaction data may still be traceable or analyzable. Additionally, operators of routing nodes can observe transactions passing through their nodes, potentially leaking some private information.
The security of the Lightning Network directly impacts Bitcoin’s off-chain scalability and user fund safety. Therefore, beyond general public chain audit items (see appendix at end of article), the following critical security risks must also be addressed:
-
Channel congestion: Assess whether the system design is comprehensive enough to prevent channel flooding due to griefing attacks.
-
Channel interference: Evaluate the structural security of payment channels against interference attacks.
-
Asset locking and unlocking: Review processes for locking and unlocking assets in the Lightning Network to ensure safe and reliable movement of funds between on-chain and off-chain environments during channel setup and closure.
-
State updates and closure: Assess the state update workflow and force-close mechanism to ensure correct identification and execution of the latest state in abnormal scenarios.
-
Hash Time-Locked Contracts (HTLC): Evaluate HTLC implementation to ensure time locks and hash locks execute correctly, preventing fund loss due to timing window vulnerabilities.
-
Blockchain timestamp dependency: Assess reliance on Bitcoin blockchain timestamps to ensure proper coordination between on-chain and off-chain time, preventing time-based attacks.
-
Routing algorithm security: Examine the efficiency and security of routing algorithms to prevent privacy leaks and malicious route manipulation.
-
Channel storage and data recovery: Evaluate channel storage mechanisms and data recovery strategies to ensure state can be restored after node failure or disconnection, preventing fund loss.
Sidechains
Unlike the Lightning Network, sidechains are independent blockchains that run parallel to the main chain (e.g., the BTC blockchain) and interoperate via a two-way peg (2WP). The goal of sidechains is to add functionality and improve scalability without altering the main chain protocol.
As standalone blockchains, sidechains have their own consensus mechanisms, nodes, and transaction processing rules. They can adopt different technologies and protocols tailored to specific use cases. Through the two-way peg mechanism, sidechains communicate with the main chain, enabling free and secure asset transfers between them. The 2WP mechanism works roughly as follows:

-
A user locks BTC on the main chain; a trusted entity uses SPV verification to confirm the lock transaction.
-
The trusted entity mints an equivalent amount of tokens on the sidechain and credits them to the user.
-
After conducting transactions, the user locks remaining tokens on the sidechain.
-
The trusted entity verifies the legitimacy of the transaction and unlocks the corresponding BTC value on the main chain for the user.
Note 1: Trusted entities play a critical role in the two-way peg mechanism, managing asset locking and release. These entities must possess strong credibility and technical capability to ensure user asset security.
Note 2: SPV (Simplified Payment Verification) allows nodes to verify specific transactions without downloading the full blockchain. SPV nodes only download block headers and use Merkle Trees to verify if a transaction is included in a block.
Prominent sidechain projects include:
CKB (Nervos Network)
Nervos Network is an open-source public blockchain ecosystem designed to leverage Bitcoin’s PoW consensus for security and decentralization while introducing a more scalable and flexible UTXO model for transaction processing. Its core component is the Common Knowledge Base (CKB)—a Layer 1 blockchain built on RISC-V architecture using Proof-of-Work (PoW) consensus. CKB extends the UTXO model into a Cell model capable of storing any data and supporting scripts written in any language, enabling smart contracts to be executed on-chain.

Stacks
Stacks connects each Stacks block to a Bitcoin block using its Proof of Transfer (PoX) mechanism. To support smart contracts, Stacks developed the Clarity programming language. In Clarity, the get-burn-block-info? function accepts a Bitcoin block height and retrieves its header hash, while the burn-block-height keyword fetches the current Bitcoin block height. These features allow Clarity smart contracts to read Bitcoin base layer state, enabling Bitcoin transactions to trigger contract executions. By automatically executing these contracts, Stacks extends Bitcoin’s functionality.
For a detailed analysis of Stacks, please refer to Beosin’s previous research article: What Is Stacks? What Challenges Might the BTC Layer 2 Network Stacks Face?

Advantages of sidechains:
-
Sidechains can experiment with different technologies and protocols without affecting the stability and security of the main chain.
-
They can introduce features absent from the main chain—such as smart contracts, privacy enhancements, and token issuance—thereby expanding the range of applications in the blockchain ecosystem.
Challenges facing sidechains:
-
Sidechains operate under independent consensus mechanisms, which may not be as secure as the BTC main chain. If a sidechain’s consensus is weak or flawed, it could be vulnerable to 51% attacks or other exploits, jeopardizing user assets. The BTC main chain’s security stems from massive hashing power and widespread node distribution—standards sidechains may struggle to match.
-
Implementing the two-way peg requires complex cryptographic algorithms and protocols. Any vulnerability in this mechanism could disrupt asset transfers between chains or even result in asset loss or theft.
-
To balance speed and security, most sidechains are more centralized than the main chain.
Since Layer 2 is a complete blockchain system, general public chain audit items also apply to sidechains—refer to the appendix at the end of this article.
In addition, due to their unique nature, sidechains require additional audits:
-
Consensus protocol security: Review the sidechain’s consensus protocol (e.g., PoW, PoS, DPoS) for thorough validation and testing, checking for potential vulnerabilities or attack vectors like 51% attacks or long-range attacks.
-
Consensus node security: Evaluate the security of consensus nodes, including key management, node protection, and redundancy backups, to prevent compromise or misuse.
-
Asset locking and release: Audit the bidirectional peg mechanism between the sidechain and main chain to ensure smart contracts governing asset locking and release are secure and reliable, preventing double-spending, asset loss, or failed locking.
-
Cross-chain validation: Verify the accuracy and security of cross-chain validation, ensuring the process is decentralized and tamper-proof to prevent validation failures or malicious validation.
-
Smart contract code audit: Conduct deep audits of all smart contracts running on the sidechain, identifying potential vulnerabilities or backdoors—especially in logic handling cross-chain operations.
-
Upgrade mechanisms: Examine the security of smart contract upgrade mechanisms, ensuring appropriate auditing and community consensus procedures are in place to prevent malicious upgrades or contract tampering.
-
Node-to-node communication: Inspect communication protocols among sidechain nodes for security, verifying encrypted channels are used to prevent man-in-the-middle attacks or data leaks.
-
Cross-chain communication: Check the communication channel between the sidechain and main chain to ensure data integrity and authenticity, preventing hijacking or tampering.
-
Timestamp and block timing: Validate the sidechain’s time synchronization mechanism to ensure consistency and accuracy in block generation times, preventing attacks or rollbacks caused by time discrepancies.
-
On-chain governance security: Review the sidechain’s governance model to ensure transparency and security in voting, proposal submission, and decision-making processes, preventing malicious control or attacks.
-
Token economics audit: Analyze the sidechain’s token economic model—including token distribution, incentive mechanisms, and inflation models—to ensure incentives don’t encourage malicious behavior or system instability.
-
Fee mechanism: Examine the sidechain’s transaction fee structure to ensure alignment with user needs on both main and side chains, preventing fee manipulation or network congestion.
-
Asset security: Audit the management mechanisms for on-chain assets to ensure secure storage, transfer, and destruction processes, eliminating risks of unauthorized access or theft.
-
Key management: Review the sidechain’s key management policies to ensure private key security and access control, preventing leakage or unauthorized use.
Rollup
Rollup is a Layer 2 scaling solution designed to increase blockchain transaction throughput and efficiency. It achieves this by bundling numerous transactions ("rolling up") and processing them off-chain, submitting only the final results to the main chain—significantly reducing the load on the main chain.
Rollups are mainly categorized into zk-Rollups and op-Rollups. However, unlike Ethereum, Bitcoin lacks Turing completeness and cannot natively validate zero-knowledge proofs via smart contracts. Traditional zk-Rollup solutions cannot be directly implemented on BTC. So how can zk-Rollup be realized on BTC? Let’s take the B² Network project as an example:
To perform zero-knowledge proof verification on BTC, B² Network creates Taproot scripts combining zk-Rollup’s zero-knowledge proof verification with op-Rollup’s incentive-based challenge mechanism. The operation flow is as follows:

-
B² Network first rolls up all user-initiated transactions.
-
A sequencer orders the rolled-up transactions, stores them in decentralized storage, and forwards them to zkEVM for processing.
-
zkEVM synchronizes with BTC chain state, processes contract executions and other transactions, then bundles and sends results to the aggregator.
-
The prover generates zero-knowledge proofs and sends them to the aggregator, which combines transactions and proofs before forwarding them to B² Nodes.
-
B² Nodes verify the zero-knowledge proofs and create Taproot scripts based on the rollup data stored in decentralized storage.
-
Taproot is a UTXO with a value of 1 satoshi. Its data structure includes B² Inscription, which stores all rollup data, and Tapleaf, which stores all proof verification data. After undergoing an incentive-based challenge mechanism, this serves as a zk-proof-verified commitment sent to BTC.
Advantages of Rollups:
-
Rollups inherit the security and decentralization of the main chain. By periodically submitting transaction data and state to the main chain, they ensure data integrity and transparency.
-
Rollups integrate seamlessly with existing blockchain networks like Ethereum, allowing developers to easily leverage their benefits without major modifications to existing smart contracts or applications.
-
By processing large volumes of transactions off-chain and batching them for main chain submission, Rollups significantly boost transaction processing capacity, increasing transactions per second (TPS).
-
Rollup transactions are processed off-chain, drastically reducing the computational and storage resources required on-chain, thereby significantly lowering transaction fees for users.
Challenges facing Rollups:
-
If off-chain data becomes unavailable, users may be unable to verify transactions or recover their state.
-
Rollup transactions require batch processing and eventual main chain submission, potentially resulting in longer settlement times. In op-Rollups, a dispute period exists, meaning users may have to wait a considerable time before transaction finality.
-
While zk-Rollups offer higher security and instant finality, they demand significant computational and storage resources, with generating zero-knowledge proofs requiring substantial computing power.
Given the Rollup approach, key security audit items align closely with those of ETH Layer 2 solutions.
Others (Babylon)
Beyond traditional BTC Layer 2 solutions, recently emerged third-party protocols related to the BTC ecosystem include Babylon:
Babylon aims to transform 21 million BTC into decentralized staking assets. Unlike other BTC Layer 2 solutions, Babylon does not scale the BTC chain itself. Instead, it is a distinct blockchain featuring a special BTC staking protocol, primarily designed to interface with PoS chains—using BTC staking to enhance PoS chain security and address long-range attacks and centralization risks.
The architecture consists of three layers:
-
Bitcoin Layer: This forms Babylon’s solid foundation, leveraging Bitcoin’s well-known security to ensure all transactions are highly secure—just like on the Bitcoin network.
-
Babylon Layer: At its core, Babylon Layer is a custom blockchain connecting Bitcoin to various Proof-of-Stake (PoS) chains. It handles transactions, executes smart contracts, and ensures smooth operation across the entire ecosystem.
-
PoS Chain Layer: The top layer comprises multiple PoS chains, each selected for its unique strengths. This gives Babylon remarkable scalability and flexibility, allowing users to benefit from the best features of different PoS blockchains.

The mechanism works by signing final blocks on the BTC chain to protect PoS chains. This effectively extends the base protocol with an additional round of signatures. The signatures in this final +1 round have a unique property: they are Extractable One-Time Signatures (EOTS). The goal is to anchor PoS checkpoints onto BTC, solving long unbonding periods and remote attack vulnerabilities in PoS systems.
Advantages of Babylon:
-
Accelerates PoS unbonding periods
-
Reduces inflationary pressure on associated PoS networks, as staking rewards are tied to BTC’s price
-
Opens new yield opportunities for BTC holders
Challenges facing Babylon:
-
Economic design elements such as staking reward rates significantly influence BTC holder participation
-
Lack of consistent reward frameworks across PoS chains
Third-party protocols vary in implementation, leading to differing security focus areas. Using Babylon as an example, the following security audit items warrant attention:
-
Smart contract security: Staking contracts on BTC are implemented via UTXO scripts—these must be carefully reviewed for security.
-
Signature algorithm security: Contracts use signatures to manage user stakes—the security of these algorithms directly affects signature generation and verification.
-
Protocol economic model design: Assess whether the protocol’s economic model appropriately balances rewards and penalties to prevent user asset losses.
Appendix:
General Public Chain & Layer 2 Audit Checklist
-
Integer overflow: Check for integer overflows and underflows
-
Infinite loops: Verify loop termination conditions are logically sound
-
Unbounded recursion: Ensure recursive calls have valid exit conditions
-
Race conditions: Examine access to shared resources under concurrent execution
-
Crash-inducing exceptions: Identify code that throws unhandled exceptions causing program crashes
-
Division by zero: Check for instances of division by zero
-
Type casting: Verify type conversions are correct and do not lose critical data
-
Array out-of-bounds access: Prevent reading or writing beyond array boundaries
-
Deserialization vulnerabilities: Inspect deserialization processes for flaws
-
Functionality implementation security: Review RPC interface implementations for vulnerabilities and compliance with intended functions
-
Consistency of function descriptions
-
Sensitive RPC permission settings: Verify access controls on sensitive RPC interfaces are properly configured
-
Encrypted transmission mechanisms: Confirm use of secure protocols such as TLS
-
Request data format parsing: Inspect how request data formats are parsed
-
Wallet unlock attacks: Prevent fund theft via RPC requests during wallet unlocking
-
Traditional web security: Check for vulnerabilities including XSS, template injection,
-
third-party component vulnerabilities, HTTP parameter pollution, SQL injection, XXE injection,
-
deserialization flaws, SSRF, code injection, local/remote file inclusion, command injection, etc.
-
Network node identity authentication: Verify robust node identification mechanisms exist and cannot be bypassed
-
Routing table poisoning: Ensure routing tables cannot be arbitrarily modified or overwritten
-
Node discovery algorithm: Evaluate whether the discovery algorithm is balanced and unpredictable (e.g., avoid skewed distance calculations)
-
Connection count audit: Review limits and management of peer-to-peer connection counts
-
Eclipse attacks: Assess cost and impact of eclipse attacks, providing quantitative analysis where necessary
-
Sybil attacks: Evaluate consensus voting mechanisms and eligibility checks
-
Eavesdropping attacks: Check whether communication protocols leak private information
-
Alien attacks: Assess whether nodes can identify peers from the same chain
-
Time hijacking: Inspect network time calculation mechanisms on nodes
-
Memory exhaustion attacks: Identify areas prone to excessive memory consumption
-
Disk exhaustion attacks: Identify locations where large files are stored
-
Socket pressure attacks: Review connection number limiting strategies
-
Kernel handle exhaustion: Check limits on creation of kernel handles (e.g., file descriptors)
-
Persistent memory leaks: Identify sources of ongoing memory leaks
-
Hash algorithm security: Evaluate resistance to hash collisions
-
Digital signature algorithm security: Review the security of signature algorithms and their implementations
-
Encryption algorithm security: Review the security of encryption algorithms and their implementations
-
Random number generator security: Verify the soundness of critical random number generation algorithms
-
BFT implementation security: Assess the security of BFT algorithm implementations
-
Fork choice rule: Inspect fork selection logic to ensure security
-
Centralization detection: Identify any excessive centralization in system design
-
Incentive mechanism audit: Evaluate how incentive structures affect overall security
-
Double-spend attack resistance: Verify consensus can defend against double-spending
-
MEV attack audit: Examine how MEV by block proposers affects fairness on-chain
-
Block synchronization audit: Inspect security issues during sync processes
-
Block format parsing audit: Check for parsing-related vulnerabilities (e.g., crashes from malformed input)
-
Block generation audit: Review security in block creation, including proper Merkle root construction
-
Block validation audit: Verify completeness of block signature verification logic
-
Block confirmation logic audit: Ensure block confirmation algorithms and implementations are sound
-
Block hash collision: Examine methods for constructing block hash collisions and assess handling procedures
-
Block processing resource limits: Evaluate reasonable constraints on orphan block pools, validation computation, disk seeks, etc.
-
Transaction sync audit: Inspect security during transaction synchronization
-
Transaction hash collision: Examine methods for creating transaction hash collisions and their mitigation
-
Transaction format parsing: Check for parsing vulnerabilities (e.g., crashes from malformed inputs)
-
Transaction validity verification: Ensure all transaction types undergo thorough signature and logic validation
-
Transaction processing resource limits: Assess reasonable constraints on mempool size, validation compute, disk access, etc.
-
Transaction malleability attacks: Determine if internal fields (e.g., ScriptSig) can be altered to change transaction hashes without invalidating the transaction
-
Transaction replay attack audit: Check system-level detection of transaction replays
-
Contract bytecode verification: Inspect VM-level contract verification for vulnerabilities (e.g., overflow, infinite loops)
-
Contract bytecode execution: Inspect VM-level bytecode execution for vulnerabilities (e.g., overflow, infinite loops)
-
Gas model: Verify that transaction and contract operation fees proportionally reflect resource consumption
-
Log completeness: Ensure critical events are properly logged
-
Log security: Check that log processing doesn't introduce vulnerabilities (e.g., integer overflows)
-
Logs containing private data: Ensure logs do not contain keys or other sensitive information
-
Log storage: Verify logs aren't excessively verbose, consuming unnecessary node resources
-
Node code supply chain security: Review known vulnerabilities in all third-party libraries, components, and blockchain frameworks used
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News














