Upcoming talks at bitcoin++ Floripa 2026, exploits edition, Feb 26 - 28, 2026
Differential fuzzing compares how different implementations handle the same input. When they disagree, you've found a bug. I'll walk through how the technique works and share some real bugs it's caught.
Venue: Main Stage
Vinteum
From Linus Torvalds (Linux) and Eric Raymond (The Cathedral & The Bazaar) to Andrej Karpathy (OpenAI) and Armin Ronacher (Flask), everyone is relying more and more on AI to write code. In this talk, I’ll share the leading AI coding workflows being used right now, as best practices are still being figured out.
Venue: Talks Stage
Dimensionalidade
TBD
Venue: Talks Stage
Bitcoin Dev Kit; Vinteum
Lightning security relies on the assumption that valid transactions can be confirmed when needed. This talk examines why that assumption breaks down under adversarial mempool policy. It explains how pinning attacks, replacement cycling, and fee manipulation allow attackers to delay or invalidate time-critical Lightning transactions using only standard, policy-compliant behavior. The talk then explores how zero-fee commitment channels and pay-to-anchor redesign the fee model, changing the Lightning threat surface and highlighting lessons for building protocols that must survive hostile mempools.
Venue: Talks Stage
Vinteum Fellow
Hardware wallet exploits have rarely been caused by broken cryptography but more often by subtle issues in system design, implementation, and assumptions. This workshop examines why these exploits were possible by reconstructing historical failures from publicly disclosed incidents across popular hardware wallets. Participants work with a simplified and deliberately vulnerable "toy wallet" on a constrained microcontroller to reproduce these conditions in a controlled environment and apply the defensive changes that mitigated them. Attendees leave with practical insight into how Bitcoin custody systems have broken in the past and how to reason about future exploit risks.
Venue: Workshops
Specter Association
This talk will introduce listeners to Fuzzamoto, a full-system fuzzing framework for Bitcoin protocol implementations built on LibAFL and powered by Nyx for snapshot-based fuzzing. We'll explore how Fuzzamoto enables coverage-guided fuzzing of Bitcoin nodes in a realistic environment, moving beyond unit-level harnesses to catch bugs that only emerge through full system interaction. Attendees will learn about the architecture, the challenges of fuzzing complex P2P protocol implementations, and findings from applying Fuzzamoto to real-world Bitcoin software.
Venue: Main Stage
Security Engineer, Brink
This talk demystifies how native mobile wallets store and handle sensitive key material on-device. Using Fedi’s in-app browser as a sample / case study, we’ll walk through how WebLN payments and NIP-07 Nostr signing are used to create a convenient UX and what security assumptions and attack surfaces come with that design.
Venue: Talks Stage
Fedi
This talk explores the Lightning Network from an adversarial perspective, based on real-world failures and vulnerabilities observed in Lightning implementations. Drawing primarily from documented findings by Matt Morehouse, it presents twelve concrete scenarios where nodes failed under hostile conditions, including denial-of-service vectors, fee and replacement edge cases, state desynchronization bugs, and gossip abuse. The goal is to help developers and operators better understand Lightning’s attack surfaces and threat model.
Venue: Main Stage
Round robin hackathon judging session. Finalists will be announced after the debate.
Venue: Main Stage
Fedi
Go over the details and the motivation behind Glock (Garbled Lock), a Garbled Circuits BitVM3 style bridge that is being pioneered and implemented by Alpen Labs.
Venue: Main Stage
Alpen Labs
Get your best hacking team assembled, we’re taking down lightning nodes. In this player vs lightning node simulation, we’ll do our best to knock nodes off the network.
Venue: Talks Stage
Chaincode
In this talk, I'll go over the basics of Utreexo, and how Floresta leverages it to implement a super lightweight node that can run inside your phone, with minimal resource footprint. We'll do an overview and live demo of `bdk_floresta`, a novel chain-source crate for BDK that makes it possible for developers to embed a fully validating node inside their application, and stop using trusted wallet synching methods, such as Electrum and Esplora, which leak transaction and IP address information to whoever controls these servers. The end goal is having a zero-trust production grade drop-in replacement wallet synching mechanism for all wallets built with BDK.
Venue: Talks Stage
BitcoinDevKit
Many Bitcoin projects use fuzzing to find vulnerabilities in their applications, such as memory errors, for example. However, we have seen that fuzzing can go further and also find logical bugs. One way we can evaluate fuzz harnesses on their ability to find these bugs is using mutation testing. In this talk, we're going to explore how this can happen, going deep into tools and strategies. Also, we're going to see how differential fuzzing can help to reduce manual efforts to identify equivalent mutants and enhance other existing tests like unit and functional ones.
Venue: Main Stage
Vinteum
Stratum V1, the protocol used by most Bitcoin miners today, was never designed with security in mind. This has led to real-world exploitation such as hashrate theft, share hijacking, and pool impersonation. In this talk, we will look at how these attacks work in practice and how Stratum V2’s encrypted, authenticated protocol design eliminates entire classes of mining infrastructure attacks.
Venue: Talks Stage
Stratum Reference Implementation (SRI)
Round robin hackathon judging session. Finalists will be announced after the debate.
Venue: Main Stage
Fedi
Discussion on the landscape of exploiting bitcoin
Venue: Main Stage
Second
Chaincode
Security Engineer, Brink
OpenSats
Author of Bitcoin: A Work in Progress
Discussion on the landscape of exploiting bitcoin
Venue: Main Stage
Fedi
Base58⛓️🔓