Coinswap v0.2.2 Release Notes
This release focuses on security hardening, privacy, and production readiness. Between April 1, 2026 and early July 2026, the core library absorbed the findings of an external security audit, gained its first deniability-proof support, introduced a multi-transaction swap pathway, refined the marketplace and offerbook layer, and modernized core dependencies, while the surrounding apps moved closer to a self-contained operator and client experience.
📋 Changelog Summary (v0.2.1 → v0.2.2)
- 🔧 37 Issues Closed across security, swap reporting, marketplace, and contract validation: View on GitHub
- ✅ 57 Merged PRs in the core
coinswaprepo forv0.2.1 → v0.2.2: View on GitHub - 🧱 Core repo diff since v0.2.1: 101 files changed, 7k+ insertions, 3k+ deletions
🔒 Special Note: Security Audit with Loupe
This release absorbed a security audit of the core coinswap codebase using Loupe, Spiral's open-source AI-powered security scanner for Bitcoin projects. The scan of 75+ Rust source files surfaced 72 candidate findings; after human triage, five substantive fixes were merged — covering Taproot/legacy contract validation gaps, missing invariant checks, fidelity bond verification, and maker reboot-recovery data loss (tracked as [Loupe Finding] issues; see the Security rows below).
Full writeup: 📄 Auditing Coinswap with Loupe.
Highlights of v0.2.2
The major highlights of this release are as follows:
- External security audit hardening. A round of audit findings (tracked as
[Loupe Finding]issues) was addressed across the maker and taker, tightening Taproot and legacy contract validation, fidelity bond verification, and reboot-recovery safety so makers and takers reject malformed, unspendable, or under-funded contracts before committing funds. - Deniability proof support landed in the core library, advancing the project's privacy goals by letting participants demonstrate plausible deniability for swap outputs.
- Multi-transaction swap pathway — a large protocol change enabling multi-transaction routing across hops for both Taproot (
P2TR) and legacy SegWit (P2WPKH) paths, with per-hop miner fees folded into the outgoing amount and internal-address indexing added to the wallet store. - Offerbook and marketplace overhaul — one of the largest areas of core work this cycle, driven largely by stark-3k: async/incremental offerbook sync, per-maker
poll_maker/remove_makerAPIs, simplified offerbook discovery, duplicate-maker rejection, and a bumped, network-specific Nostr event kind for a clean, freshly seeded marketplace. - Wallet and key hygiene improvements, including AES-GCM nonce rotation on every wallet encryption, removal of the seed phrase from logs, and Merkle-proof verification for legacy funding transactions.
- Dependency modernization, replacing the unmaintained
secp256k1fork with upstream0.32.0-beta.2and restoring compatibility with Bitcoin Core v30+. - Performance profiling in CI via a hotpath profiler that reports per-PR deltas, giving early visibility into regressions on swap-critical code paths.
- Fee and rate tuning, updating fee estimates and fee rates toward realistic production values.
Major Improvements in v0.2.2
| Type | Improvement | PR(s) | Contributor |
|---|---|---|---|
| Security | Harden maker and taker Taproot contract validation so malformed or unspendable contracts are rejected before funds are committed. | #881, #886 | 0xEgao |
| Security | Verify the legacy maker funding output before the taker signs, and validate Taproot contract amounts against transaction outputs. | #901 | 0xEgao |
| Security | Prevent maker reboot recovery from discarding funded, unfinished swapcoins when tracker state is missing. | #879 | 0xEgao |
| Security | Validate the fidelity bond amount against the on-chain output rather than trusting maker-supplied values. | #884 | 0xEgao |
| Security | Rotate the AES-GCM nonce on every wallet encryption. | #907 | 0xEgao |
| Security | Stop logging the wallet seed phrase / mnemonic. | #905 | Supremesv715 |
| Security | Implement Merkle proof verification for legacy funding transactions. | #852 | piyush-1337 |
| Security | Harden RPC code paths against unwrap-induced panics. | #832 | Vedd-Patel |
| Privacy | Add deniability proof support to the core library. | #915 | keraliss |
| Marketplace | Add async per-maker poll_maker and remove_maker offerbook APIs for incremental marketplace updates. |
#889 | stark-3k |
| Marketplace | Simplify offerbook discovery and reject duplicate makers. | #872, #869 | stark-3k |
| Marketplace | Bump the CoinSwap Nostr event kind for a cleanly, freshly seeded marketplace. | #820 | stark-3k |
| Marketplace | Use network-specific CoinSwap Nostr event kinds for publish/discovery. | #824 | Supremesv715 |
| Protocol | Enable the multi-transaction swap pathway for both Taproot (P2TR) and legacy (P2WPKH) routes, folding per-hop miner fees into the outgoing amount and adding internal-address indexing to the wallet store. |
#918 | NeoZ666 |
| Protocol | Derive the maker Tor identity from the wallet and add a BIP32 fidelity-bond ownership check. | #868 | Godzilla-oss |
| Protocol | Reject maker swaps that exceed active liquidity. | #861 | 0xEgao |
| Protocol | Persist swapcoins before broadcasting funding, and wait for maker funding confirmation in Taproot swaps. | #837, #895 | stark-3k |
| Wallet | Update the wallet coin-selection integration to the latest rust-coinselect. |
#919 | NeoZ666 |
| Wallet | Update fee estimates toward realistic production values. | #913 | Godzilla-oss |
| Wallet | Tune fee rates toward realistic production values. | #896 | 0xEgao |
| Reporting | Unify swap reports into a single JSON file and write them to the wallet folder. | #857, #880 | keraliss |
| Performance | Add a hotpath profiler and per-PR profiling comments in CI. | #858, #867 | 0xEgao |
| Infrastructure | Replace the unmaintained secp256k1 fork with upstream 0.32.0-beta.2. |
#854 | stark-3k |
| Infrastructure | Restore Bitcoin Core v30+ compatibility by fixing getwalletinfo deserialization. |
#818 | 0xEgao |
| Infrastructure | Replace the nostr-rs-relay crate with a GitHub Action in tests to avoid event conflicts. |
#904 | hulxv |
| Apps | Add a list-offers command to the taker CLI. |
#823 | Antrikshgwal |
Notable Issues Closed
The following issues were among the most important items addressed during the release window:
- #906: Fidelity timelock verification trusted maker-supplied confirmation height (Loupe finding).
- #885 and #862: Taker did not fully validate maker Taproot contract data before accepting an incoming swapcoin, and Taproot contract amounts were not strictly validated against outputs.
- #882: Maker accepted replaceable/mempool Taproot incoming contracts before funding the outgoing side (Loupe finding).
- #883: Legacy taker accepted an unspendable maker contract and reported a successful swap with zero output.
- #878: Maker reboot recovery could discard funded, unfinished swapcoins when tracker state was missing (Loupe finding).
- #903: Wallet seed phrase was exposed in logs.
- #887 and #891: Taker reported swap success even when the incoming sweep failed, and maker swap reports showed incorrect swap duration.
- #873: Swap reports were written to the wrong directory.
- #860: Maker accepted multiple swap offers even without sufficient liquidity.
- #851: Removed the
.onionpostfix from Tor addresses inOP_RETURN.
Ecosystem Updates Beyond the Core Repo
This release also includes substantial work in the surrounding Coinswap ecosystem:
- Maker Dashboard saw the largest app-layer activity this cycle, adding dashboard authentication, automatic Tor deployment (removing the Docker dependency for demos), a docker-compose stack bundling bitcoind, Tor, and the dashboard, an automated CI workflow that bumps the
coinswapdependency, maker auto-start, deployment-with-notification, password-change support, and a steady stream of UI and login-flow fixes. - Taker App improved substantially with bundled Tor for distribution builds, failed-swap reporting and recovery UI, manual maker selection, async/incremental offerbook sync, CBOR-based swap status tracking, an updated block explorer and confirmation handling, and numerous bug fixes.
- Coinswap-FFI added React Native bindings via turbo modules and standardized on the
uniffi-react-nativeglue, exposed async offerbook sync withpollMakerAsync/removeMakerover N-API, and streamlined Swift/macOS CI. - Coinswap Website gained a market page, a dark-mode toggle, React Native FFI documentation, clean-URL routing, and performance/Lighthouse improvements.
Documentation and References
Documentation also improved during this cycle:
- Demo documentation was refreshed with the v0.2.1 demo flow, FTS demo instructions, and cleanup of demo assets.
- Maker Dashboard docs added guidance for running from the published image and the libtor build dependencies for macOS and Windows.
- Website docs added React Native FFI integration documentation and demo-doc fixes.
- Core code docs were corrected, including the
send_messagewire-format comment and assorted module-level fixes, alongside a README community-link fix.
Full Changelog: v0.2.1...v0.2.2
Weighted Contribution Ranking
Contributions across all public citadel-tech repositories are scored with a per-PR impact model that combines two tracks:
- Authorship — each merged pull request scores
severity × criticality × durability. Severity reflects the nature of the change (security > bug fix > feature > refactor/infrastructure > docs/chore); criticality weights thecoinswapcore library highest and the other repositories lower, refined by how central the touched code is; durability discounts reverted work. - Stewardship — code review and issue triage (opening, closing, and labeling), weighted to favor substantive participation.
Each contributor's authorship and stewardship are combined into a single score, normalized to 100%. Automated bot accounts are excluded.
| Rank | Contributor | PRs (core/aux) | Reviews | Issues (open/close) | Authorship | Score % |
|---|---|---|---|---|---|---|
| 1 | 0xEgao | 23 / 20 | 4 | 14 / 3 | 84.7 | 30.1% |
| 2 | mojoX911 | 3 / 0 | 47 | 35 / 42 | 1.6 | 19.2% |
| 3 | keraliss | 4 / 27 | 5 | 8 / 15 | 32.6 | 15.7% |
| 4 | stark-3k | 9 / 5 | 7 | 9 / 0 | 36.2 | 13.5% |
| 5 | hulxv | 1 / 17 | 12 | 4 / 4 | 20.1 | 9.3% |
| 6 | Godzilla-oss | 6 / 1 | 0 | 1 / 0 | 11.5 | 3.7% |
| 7 | NeoZ666 | 4 / 5 | 0 | 3 / 2 | 6.7 | 3.0% |
| 8 | Vedd-Patel | 1 / 0 | 0 | 0 / 0 | 5.8 | 1.8% |
| 9 | piyush-1337 | 1 / 0 | 0 | 1 / 0 | 5.0 | 1.7% |
| 10 | Antrikshgwal | 1 / 0 | 0 | 0 / 0 | 2.0 | 0.6% |
| 11 | Supremesv715 | 2 / 0 | 0 | 0 / 0 | 1.5 | 0.5% |
| 12 | YoganshSharma | 1 / 0 | 0 | 1 / 0 | 0.3 | 0.2% |
Plus five issue-only reporters (Mandalorian7773, kushagra0902, theAnuragMishra, oren-z0, Ferryx349) at ≈0.1–0.2% each.
Major References
- Project overview, contribution and guidelines: Readme
- Manuals and Demo Docs: Doc Folder
- Protocol Specifications: Spec Repo
- Coinswap Docker: Setup Instructions
- Coinswap-FFI: Repository
- Taker App: Build From Source
- Maker Dashboard: Repository
- Coinswap Website: Visit Website