Wu Says March Technical Monthly Report: Rare Bitcoin Two-Block Reorganization, New Proposals Addressing Potential Quantum Computing Threats, etc.
Author | GaryMa Wu Says Blockchain
The Wu Says team summarizes the key updates in the blockchain technology sector in March:
Bitcoin
The main development branch of the Bitcoin Core client has merged the Cluster Mempool update (PR #34616), which is expected to be included in the future Bitcoin Core 31.0 release. This upgrade will redesign how nodes handle the mempool by processing related transactions in groups, improving block packing efficiency and optimizing fee calculation for RBF and CPFP transactions. Bitcoin Core 31.0 is expected to be released in the second half of 2026.
BTQ Technologies, a quantum technology company, announced the successful deployment of the first functional implementation of the Bitcoin improvement proposal BIP-360 on its Bitcoin Quantum testnet (v0.3.0). BIP-360 is designed to address the potential threat that quantum computing poses to Bitcoin. At its core, the proposal introduces a new output type called “pay to Merkle root,” which minimizes the exposure of elliptic curve public keys as far as possible. Earlier this year, this proposal was officially merged into the Bitcoin BIP repository.
A relatively rare two-block reorganization (two-block reorg) occurred on the Bitcoin network recently. Near block height 941880, mining pools Foundry USA, AntPool, and ViaBTC formed two short-lived fork chains in their mining competition. Then Foundry USA mined the subsequent blocks in succession, making its chain the main chain and completing the reorg. Researchers said that such events are part of normal operation of Bitcoin’s consensus mechanism, not an attack or system failure.
Ethereum
Glamsterdam upgrade: extreme L1 scaling and MEV fairness. Progress: the development team has tested it on Devnet-5, and several core EIPs have entered a “consider for inclusion (CFI)” status, expected to be activated around June.
Hegota upgrade: anti-censorship, privacy enhancement, and node slimming. Progress: Frame Transactions was originally planned to be introduced to support post-quantum cryptography and more advanced account abstraction. However, due to excessive complexity, it has been postponed or streamlined in recent development meetings to ensure Hegota can be released on time by the end of 2026.
Vitalik Buterin said that the two major core directions for Ethereum execution layer upgrades are state tree restructuring and virtual machine adjustments, with the goal of addressing the main bottleneck of proof efficiency. At the state layer, EIP-7864 proposes replacing the current six-branch Merkle Patricia Tree with a binary-tree structure based on more efficient hash functions, shortening Merkle branches, lowering bandwidth and proof costs, and optimizing storage access structures. In the long-term direction, he proposed gradually replacing the EVM with a more proof-friendly virtual machine (such as RISC-V) to improve execution and ZK proof efficiency. The transition path may include using it first for precompiles, then opening contract deployment, and ultimately running the EVM as a compatibility layer—maintaining backward compatibility while only involving Gas cost adjustments.
Ethereum co-founder Vitalik said that EIP-8141 will complete the account abstraction upgrade by introducing a “Frame Transactions” mechanism, making features such as batched operations, Gas fee sponsorship, and private payments native capabilities of the protocol. Vitalik said the upgrade may land within a year via the Hegota fork.
Virtuals Protocol announced that it will, together with the dAI team of the Ethereum Foundation, propose and publish ERC-8183 (Agentic Commerce), aiming to provide an open, permissionless on-chain commercial settlement standard for AI Agents. The core of this standard is the “Job” primitive, consisting of three parties: Client, Provider, and Evaluator. Funds are locked in contract escrow and settled by a state machine: Open → Funded → Submitted → Terminal (completed/rejected/expired). Evaluator is responsible for on-chain confirmation or rejection of deliverables, and related records can be used for composite applications such as a reputation system.
Ethereum co-founder Vitalik Buterin introduced on X a new Ethereum fast-confirmation rule mechanism. This mechanism allows users to receive a hard guarantee that an Ethereum transaction will not be reverted (Non-revert) after only one Slot (12 seconds). Vitalik pointed out that the rule’s security is based on two assumptions: first, that the vast majority of validators are honest nodes; second, that network latency is below about 3 seconds. Although its security is slightly lower than economic finality, it is already highly reliable for many application scenarios.
The Ethereum Foundation published a post outlining its future ecosystem vision for L1 and L2. The article states that L1 will keep its role as a global settlement and DeFi hub, while the core task of L2 has shifted from mere scaling to providing differentiated and customized services. The Foundation recommends that L2s reach at least the Stage 1 security standard and encourages them to evolve toward Stage 2, synchronous composability, and the “native Rollup” direction. Meanwhile, the Ethereum Foundation also commits to continuing to scale L1 and Blob (currently only about 30% full) and focusing on solving the cross-chain experience fragmentation brought by multi-chain ecosystems.
Ethereum released what is arguably its most detailed upgrade plan: seven upgrades, five goals, and one large-scale rebuild. The system that helps all operators reach consensus is called the “consensus mechanism.” Ethereum’s consensus mechanism is currently operating normally and has been battle-tested, but it was designed for an earlier era and limits the network’s maximum capability ceiling. No matter what privacy solutions Ethereum builds, they must also have quantum resistance; the two must be solved simultaneously. Once this problem is addressed, a major obstacle to large-scale adoption will disappear.
Ethereum L2s
Gnosis and Zisk proposed a framework for building an “Ethereum Economic Zone” (EEZ), aiming to enable coordination and seamless operation between the Ethereum mainnet and various Layer 2 networks through shared infrastructure. This reduces duplicate development and technical friction and improves the user experience; the Ethereum Foundation has participated in funding the project. The proposal is intended to mitigate Layer 2 ecosystem fragmentation by using a unified execution environment and a default ETH payment mechanism.
Polygon announced the launch of the AI tool Agent CLI. It supports AI agents creating wallets on Polygon chains and transferring and managing funds, providing features such as token sending, swapping, cross-chain bridging, fiat on-ramp, and querying balances and transaction records. It also supports registering agents as on-chain NFT identities via the ERC-8004 standard with an associated reputation score, and offers an HTTP-based x402 micropayment function that supports paying Gas fees with stablecoins and local key storage.
Optimism announced that it will stop supporting op-geth and op-program on May 31, 2026. Until then, it will still provide security patches and critical bug fixes, but development of new features—including the next Karst hard fork—will be done only on op-reth. In addition, the fault proof program for op-program will migrate to kona-client. The current deployment is expected to continue to be usable before the Karst hard fork.
Solana
The Solana governance proposal SIMD-0266 has been approved. The proposal was put forward by Anza last year and introduces a new p-tokens token model to improve computational efficiency, theoretically allowing Solana transaction efficiency to increase by up to about 19x. The Solana Foundation’s technical vice president said the upgrade is expected to go live on the mainnet in April.
The Solana Foundation released a report titled “Privacy on Solana,” proposing a privacy framework for institutional adoption. It argues that the next phase of applications in the crypto industry will rely more on configurable privacy mechanisms rather than solely on transparency. The report proposes four privacy modes, including pseudonymization, confidentiality, anonymity, and fully private systems. It also points out that Solana’s high throughput and low latency can support privacy technologies such as zero-knowledge proofs. These can protect transaction data while meeting regulatory compliance requirements—for example, by enabling controlled disclosure through audited keys or compliance proofs.
Security-related
Security company BlockSec re-tested EVMBench and believes that the benchmark overestimates AI’s automation capabilities in smart contract audits. By expanding testing to 26 model configurations and introducing 22 real attack incidents that occurred after February 2026, the results show that in 110 test cases, the success rate of AI in real attack exploitation is 0%, but performance in vulnerability detection is close to the original report. Some models can identify known-pattern vulnerabilities.
According to GoPlus Security, a new type of malware called Infiniti Stealer is targeting Mac users’ crypto wallets. It forges Cloudflare verification pages to induce users to execute malicious code in the terminal, and then steals browser credentials, macOS Keychain data, crypto wallets, and developers’ sensitive information. It also has evasion capabilities such as sandbox detection and delayed execution. Users are reminded not to click unknown links and not to execute commands from untrusted sources.
As disclosed by the security company Aikido, the GlassWorm malware has recently been upgraded to use the Solana transaction memo field as a covert communication channel to obtain C2 instructions and carry out multi-stage attacks. The malicious program propagates by impersonating open-source packages on registries such as npm and PyPI. It can steal information including private keys, seed phrases, browser cookies, and session data, and deploy remote access trojans (RATs). The attack can also target hardware wallets such as Ledger and Trezor by popping up forged interfaces that induce users to enter their seed phrases, and it supports keylogging, screenshots, and remote command execution. Researchers remind developers to be cautious when installing dependencies and to verify the source of packages.
According to security company Socket, researchers found five malicious npm packages targeting Ethereum and Solana developers. The packages induce installation through typosquatting (name impersonation), steal private keys, and send the stolen data back to the attackers via Telegram. Four of the packages target Solana and one targets Ethereum. The malicious packages hijack key functions that developers call and upload private key data before returning normal results. Researchers have submitted takedown requests to npm and advised holders of potentially affected private keys to transfer their assets immediately.
Vercel CEO Guillermo Rauch disclosed in a post that while a user was doing development work with Opus 4.6 and OpenClaw, the AI Agent hallucinated a false GitHub repository ID (repoId) despite having a known correct project ID, and triggered a deployment via the API. Because this random ID happened to correspond to a real open-source project, the user’s server showed a “deployment offset” of unrelated code. In response, SlowMist CISO 23pds warned that as AI Agents become more widespread, attacks on automated deployment pipelines through methods such as GEO (AI search marketing) poisoning and AI search offset attacks will become a new security challenge.
Ctrl-Alt-Intel, a security research organization, disclosed that a group of suspected North Korea–linked hackers launched attacks targeting staking platforms, software vendors for exchanges, and crypto exchanges. The attackers used the React2Shell vulnerability (CVE-2025-55182) and AWS access credentials they had obtained to compromise the cloud environment, enumerating resources such as S3, EC2, RDS, EKS, and ECR, and extracting keys and credentials from Secrets Manager, Terraform files, Kubernetes configurations, and Docker containers. Researchers said the attackers downloaded five Docker images and stole source code, including software components related to ChainUp clients. The attack infrastructure involved a Korean server 64.176.226[.]36 and the domain itemnania[.]com. The report states that the activity matches attack characteristics associated with North Korea, but attribution confidence is moderate and the source of the AWS credentials is unclear.
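An added example, not part of the original report or of the Ctrl-Alt-Intel research: one way to sweep egress, DNS or proxy logs for the two indicators quoted above, matching whole addresses and hostnames (including subdomains) rather than substrings. The log lines and their field layout are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress
import re

# Indicators exactly as quoted in the report above (defanged form).
DEFANGED_IOCS = ["64.176.226[.]36", "itemnania[.]com"]

# Constructed sample log lines (not real telemetry); the field layout is an assumption.
SAMPLE_LOGS = [
    "2026-03-02T10:01:07Z egress src=10.0.4.17 dst=64.176.226.36 dport=443 action=ACCEPT",
    "2026-03-02T10:01:09Z dns client=10.0.4.17 query=cdn.itemnania.com. type=A",
    "2026-03-02T10:02:11Z egress src=10.0.4.17 dst=164.176.226.36 dport=443 action=ACCEPT",
    "2026-03-02T10:02:30Z dns client=10.0.4.22 query=itemnania.com.example.org type=A",
    "2026-03-02T10:03:02Z proxy GET https://ITEMNANIA.com/update status=200",
    "2026-03-02T10:03:40Z dns client=10.0.4.22 query=notitemnania.com type=A",
]

# Whole dotted quads and whole hostnames only, so look-alike values cannot match by substring.
IP_RE = re.compile(r"(?<!\d)(?<!\d\.)(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")
HOST_RE = re.compile(r"(?<![\w.-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w-])", re.I)

def refang(value):
    """Undo common defanging so an indicator can be compared with log data."""
    return value.replace("[.]", ".").replace("(.)", ".").strip().lower()

def split_iocs(iocs):
    """Refang the indicators and separate IP addresses from domain names."""
    ips, domains = set(), set()
    for ioc in map(refang, iocs):
        try:
            ips.add(ipaddress.ip_address(ioc))
        except ValueError:
            domains.add(ioc.rstrip("."))
    return ips, domains

def is_listed_ip(text, ips):
    """True if text parses as an IP address that is on the indicator list."""
    try:
        return ipaddress.ip_address(text) in ips
    except ValueError:  # e.g. an octet above 255
        return False

def scan(lines, iocs=DEFANGED_IOCS):
    """Return (line_number, [matched values]) for each line that hits an indicator."""
    ips, domains = split_iocs(iocs)
    hits = []
    for number, line in enumerate(lines, 1):
        found = {ip for ip in IP_RE.findall(line) if is_listed_ip(ip, ips)}
        for host in map(str.lower, HOST_RE.findall(line)):
            if any(host == d or host.endswith("." + d) for d in domains):
                found.add(host)
        if found:
            hits.append((number, sorted(found)))
    return hits
```

Calling scan(SAMPLE_LOGS) flags lines 1, 2 and 5 and skips the three look-alike entries.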
SlowMist Chief Information Security Officer 23pds posted on X that the Python AI gateway library LiteLLM, which has reached 97 million monthly downloads, suffered a PyPI supply-chain attack. The attackers used the pip install litellm command to steal sensitive information on users’ devices. The sensitive data that could be stolen includes SSH keys, cloud service credentials (AWS / GCP / Azure), Kubernetes configuration files, Git credentials, API keys stored in environment variables, shell history records, crypto wallet information, and database passwords, among others. 23pds warned that the LiteLLM attacks have already resulted in attackers stealing roughly 300GB of data and about 500,000 credentials. He suggested that all crypto developers perform immediate self-checks, rotate the relevant keys and credentials as soon as possible, and review logs, access records, and sensitive data exposure, to avoid severe losses similar to the Trust Wallet incident.
SlowMist Chief Information Security Officer 23pds issued an alert urging all iOS users to update their systems as soon as possible. Based on monitoring, an attack program named DarkSword has been leaked. The program’s core capability is extracting forensic-grade data from iOS devices via an HTTP interface. In real attack scenarios, attackers may lure users through social engineering or watering-hole attacks, thereby stealing internal data from the iPhone or iPad and uploading it to a controlled server.
Others
The Sui development team announced that its new virtual machine (VM) has been publicly released, and it has opened a bug bounty program, inviting the community to conduct security reviews before mainnet deployment. This version rewrites the execution layer, introduces per-package caching and a new generation of Move features, and has completed internal reviews and security audits by organizations such as OSEC and Zellic.
Sui officially announced that the mainnet has been upgraded to V1.68.1 and the protocol has been upgraded to version 118. The main contents of this upgrade include enabling address aliases on the mainnet, enhancing metadata security in Sui System, and fixing an issue where all nodes could crash when simulating an abnormal transaction that includes invalid fund extraction.
Polkadot announced that its issuance model upgrade officially started on March 14 (Pi Day). The protocol changes mainly introduce two core initiatives: first, setting a maximum supply cap of 2.1 billion DOT (currently about 80% has been issued); second, reducing DOT’s emission rate by about 53% starting from March 14 and planning further emission reductions in the future. Polkadot said these changes were proposed by the community and approved through OpenGov, aiming to limit long-term issuance, maintain incentive mechanisms, and provide a transparent and predictable issuance plan.
Cosmos Labs said in a post that it recently discovered a vulnerability affecting some chains that adopt the Cosmos EVM stack. It involves a certain function used by some chains, and the Saga production environment has already been affected. Cosmos Labs said it has worked with Saga and ecosystem partners to investigate the issue and coordinate mitigation measures, and it has released patches to the relevant chains.
Brevis today launched Brevis Vera, a media authenticity verification system driven by zero-knowledge proofs. It is used to verify whether published images and videos come from real devices and to confirm that they have only undergone provable, legitimate editing processes. The system combines C2PA hardware-level capture signatures with zero-knowledge proofs generated by Brevis Pico zkVM, thereby preserving cryptographic proofs of the media source throughout the entire editing process. Brevis Vera is now live and supports open-source libraries.
Stacks Labs, the development team behind the Bitcoin Layer 2 Stacks, said that its SIP-034 upgrade has completed mainnet implementation. By optimizing how transaction resource limits are handled, it can increase the network’s “effective capacity” by up to about 30x in some DeFi applications. The upgrade changes the previous mechanism of “resetting all limits whenever any resource budget hits the cap” to “only reset the specific exhausted limit,” thereby improving the throughput available within blocks. The team said the upgrade does not directly change STX token economics, but may enable more transactions and fees as network activity increases.