Share
Spiral, Block’s Bitcoin-focused subsidiary, launched Loupe on May 12, a free AI-powered vulnerability scanner built specifically for open-source Bitcoin projects.
The tool is available now, and the initial list of participating projects includes Bitcoin Core, BDK, LDK, rust-bitcoin, Cashu, Blockstream Jade, bitcoinj, and the Stratum Reference Implementation.
Meet Loupe, an AI-powered vulnerability scanner for open-source bitcoin projects. Attackers already use AI to find weaknesses. Maintainers should do the same.
Bitcoin Core, BDK, LDK, rust-bitcoin, Cashu, Jade, bitcoinj, and SRI are already onboard. https://t.co/S5kF1TWw4F https://t.co/2yst5utXLw
— Spiral (@spiralbtc) May 12, 2026
Loupe addresses a growing security problem: AI tools capable of finding software vulnerabilities are already accessible to attackers, while many Bitcoin open source maintainers remain under resourced volunteers.
With Bitcoin Core and key Lightning infrastructure securing billions in value, a single vulnerability could become a systemic risk. As Spiral put it, “The asymmetry between attackers and maintainers shouldn’t decide Bitcoin’s security.”
Loupe is a scanning-as-a-service tool that points an AI model at one or more repositories and returns vulnerability findings. The critical design decision is the quality gate: Loupe will only report vulnerabilities backed by a demonstrable test case.
It does not generate speculative findings, surface low-confidence potential issues, or produce the kind of AI-generated noise that has already become a problem in open-source communities, where automated systems flood maintainers with low-quality pull requests and false-positive security reports.
The open-source Bitcoin community’s concern about AI slop is explicitly acknowledged in the post. Spiral is aware that maintainers are already overburdened and that a tool producing hundreds of low-signal reports would add to that burden rather than reduce it. The test-case requirement is the mechanism for avoiding that failure mode: if Loupe cannot produce a reproducible demonstration of the vulnerability, it does not file a report.
Loupe is model-agnostic by design. Anyone can run it using their own model access and API tokens. Block and Spiral will fund the security scans they run themselves.
The model-agnostic approach is a deliberate hedge against vendor dependency: the frontier AI landscape shifts rapidly, and a tool hardwired to a specific model becomes obsolete or sub-optimal as the rankings change. Loupe adds a specialized software layer optimized for Bitcoin FOSS projects on top of whichever LLM performs best for a given task.
Block and Spiral have structured the deployment in three phases.
The responsible disclosure protocol is the load-bearing component of phase one. When Loupe finds a vulnerability, it is reported to the project’s maintainers privately before any public disclosure. This is the standard security research protocol that the Bitcoin ecosystem has followed for consensus-layer vulnerabilities, now applied to the tooling layer.
Spiral has indicated it is already running scans internally across several open-source Bitcoin repositories and reporting findings to maintainers as part of the setup work before Loupe’s formal public availability.
Loupe’s launch is adjacent to the most prominent Bitcoin security debate of 2026. The Coinbase Advisory Board paper from April 21 estimated that 6.9 million BTC are held in wallets with publicly exposed keys and identified quantum computing as a long-term, hardware-dependent threat requiring years of engineering to materialize at scale.
AI assisted vulnerability discovery is a current software level threat that requires no specialized hardware. Loupe targets that immediate risk.
Under Spiral’s rollout plan, maintainers will gain continuous security monitoring instead of periodic audits, a major upgrade for Bitcoin Core where vulnerabilities can carry billion dollar consequences.
Share
