Bitcoin SPV

I'd like to get a discussion going regarding how SPV clients for Bitcoin and Bitcoin-like systems can be built into Ethereum. This is something that I've read Vitalik mention, but have never seen fleshed out.

My understanding of how this would work would to be something like:

1) A contract is created that has the hash of the relevant genesis block hard coded into it. The contract stores the genesis header into its memory.
2) Anybody who wants to can send this contract a transaction with a block header in the payload.
3) The contract looks up the prevBlockHash contained in the new header to see if it is exists in memory.
4) If the previous header exists, the contract stores the new header along with the cumulative difficulty of the chain
5) The contract maintains metadata about which chain is the "longest", difficulty-wise

Now anyone who wants to prove to a different contract that a Bitcoin transaction has confirmed will need to create an Ethereum transaction with data containing the block header hash and the Merkle branch leading to the transaction. The receiving contract can verify the bitcoin transaction by directly accessing the stored memory of the SPV contract. This means that costs for transaction verification are borne only by the person or contract who is interested in proving the transaction.

Maintaining the SPV client with the most recent blocks is more of a public service. It would be so useful that it could probably survive off of volunteers relaying block headers, but also anyone who wants to prove their transaction exists will have an incentive to keep the headers up to date.

I'm not sure under what circumstances contracts will actually want to *publish* bitcoin transactions since I don't know how private keys could be securely store online. I imagine that SPV client could accept signed bitcoin transactions and store them temporarily in a known memory location. In theory, the bitcoin fees would be an incentive for miners to monitor this memory location and include any transaction founds. Additionally the sender could provide an ether bounty for the first person to prove via SPV that the transaction was included in a block in the longest chain.


  • XertroVXertroV Member Posts: 10
    It's a little more complex.

    Firstly, a tx is only valid if it's in a block on the main chain.

    Things you need to prove or establish:

    * Chain headers of Bitcoin - tracks the chain with longest cumulative PoW (sum of difficulties)
    * Merkle tracker - track proven branches of merkle trees (efficiently)
    * SPV - link together the following:
    ** TX in merkle tree
    ** Merkle tree in block

    It's up to the contract that uses this (such as a market) to determine that the block is in the main chain. I do this through what I call a 'chain proof' which is simply an incremental merkle tree.

    They should be structured as 3 separate contracts for flexibility (so multiple dapps can use whichever parts they wish).

    I've fleshed out the logic here: (see and

    Yes maintaining the chainheaders is a public service, but it'll also be cheap-ish (hopefully)
Sign In or Register to comment.