Press START for the full simulation. Explore the new tabs:
Constructor (how a block is assembled field by field with the nonce
incrementing live), Script (the stack executing OP_CHECKSIG step by
step), interactive Merkle Tree (change a TX and watch the root
break), Attacks (51%, double spend, selfish mining) and Expert Quiz.
Bitcoin P2P Network — Block and Transaction PropagationINACTIVE
Blockchain — Immutable Chain of Blocks0 blocks
Empty chain — waiting for Genesis Block...
Mempool — Unconfirmed TX Queue0 pending
No transactions...
Full Nodes — ValidationCONSENSUS OK
Proof of Work — MiningINACTIVE
Target:
0000ffffffffffffffffffffffffffff
—
Nonce: 0
Current reward:
3.125 BTC/block
Next halving: block
1,050,000
Event LogLIVE
UTXO Set — Unspent Coins0 UTXOs
No UTXOs...
Difficulty — Adjustment every 2016 blocksTARGET: 4 ZEROS
Key aggregation: a 3-of-5 multisig with Schnorr looks on-chain
like a normal 1-key signature → privacy + lower fees.
Nobody can tell it was a multisig.
Only the executed branch is revealed on-chain. The others (leaf
B, unused conditions) remain hidden inside the hash. A
cooperative spend via key path looks like a trivial transaction.
SegWit / Address Types — FeesUPGRADE
1... P2PKH legacy ·
~225 vB · fee 100%
3... P2SH-SegWit ·
~166 vB · fee ~74%
bc1q... P2WPKH SegWit
· ~140 vB · fee ~62%
bc1p... P2TR Taproot
· ~111 vB · fee ~49%
SegWit (2017) separates the signature (witness) → weight discount.
Taproot (2021) uses Schnorr + 32-byte keys → the cheapest and
most private address type today.
Lightning Network — Layer 2OFF-CHAIN
Alice 0.05 BTC
Lightning Channel
Capacity: 0.1 BTC
Bob 0.05 BTC
HTLC with timelock — multi-hop routing:
Alice → Bob → Carol: atomic payment via hash preimage
The miner sorts the mempool by sat/vByte and fills the block
(4M weight) with the most profitable TXs. Cheap ones wait.
Bitcoin Attack SimulatorDEFENSES OK
Confirmations and economic securityDEPTH
Why do exchanges wait for confirmations?
0 conf ·
reversible (RBF / double spend)
1 conf ·
~$ coffee, low risk
3 conf ·
standard exchange deposits
6 conf ·
~1h, gold standard
100 conf ·
coinbase matures (required)
Each additional block exponentially multiplies the cost of
reorganizing the chain. Reverting 6 blocks requires >50% of
the hashrate for ~1 hour: hundreds of millions of USD in
hardware + energy.
Security: 0 confirmations
Bitcoin Expert Quiz0 / 0
$95K
Price 2025
—
Floor 2025
—
Fair 2025
—
Ceiling 2025
—
Floor halving 2028
—
Floor ~2140
Bitcoin Power Law — Projection 2009 → 2142H. C. Burger 2019
Historical pricePower Law centralFloorCeilingHalvings
P(t) = 10^(5.84 × log₁₀(t) − 17.01) · t = days since Genesis ·
Bands ±0.75 decades ·
Speculative — not financial advice.
HALVING PROJECTION (Power Law Floor)
⬡ GUIDE v3 EXPERT · WHAT YOU NEED TO KNOW TO BECOME AN EXPERT
What's new in v3 Expert
This version adds the missing pieces to understand Bitcoin at an
engineer level, not just as a user. Each new tab answers a
"how does it work under the hood?" question.
🔨 Constructor
See the block header (80 bytes) field by field with the nonce
incrementing live until SHA256d < target. The mining
"eureka" moment.
⚙ Script + Stack
The stack machine executing OP_DUP, OP_HASH160, OP_CHECKSIG,
multisig and timelocks step by step.
🌳 Interactive Merkle
Modify a TX and watch the change propagate until the root
breaks: that's how immutability is demonstrated.
🔴 Attacks
51%, double spend, selfish mining and the quantum threat —
with real costs and why they fail.
🔑 Advanced Crypto
HD derivation (BIP32/39/84), ECDSA vs Schnorr and Taproot's
MAST tree.
🧠 Quiz
10 expert-level questions with explanations. Your score
appears in the header.
The Block Header (80 bytes)
What the miner hashes is NOT the entire block, but its header of
exactly 80 bytes. Finding the nonce that produces a valid hash
is the Proof of Work.
version (4 bytes) — protocol version / soft-fork signaling
prevBlockHash (32 bytes) — hash of the previous block (chains it)
merkleRoot (32 bytes) — root of all TXs in the block
timestamp (4 bytes) — Unix time
bits (4 bytes) — compact difficulty target (nBits)
nonce (4 bytes) — the field the miner varies (0 → 4.29e9)
Expert key: 4 bytes of nonce only give ~4.29 billion
attempts. Modern hardware exhausts that in <1 ms. That's why
miners also vary the extraNonce inside the coinbase TX
(which changes the merkleRoot) and the timestamp. The
real search space is enormous.
SHA256 is applied twice: SHA256(SHA256(header)). This is
called SHA256d and protects against length-extension attacks.
Bitcoin Script — the stack machine
Script is not Turing-complete (no loops) by design: it guarantees
every validation terminates. It works with a LIFO stack. The
scriptSig (unlock) executes first, then the scriptPubKey (lock).
If TRUE remains at the top at the end, the spend is valid.
Execution: sig and pubKey are pushed; OP_DUP duplicates
the pubKey; OP_HASH160 hashes it; the expected pubKeyHash is
pushed; OP_EQUALVERIFY checks they match; OP_CHECKSIG verifies
the ECDSA/Schnorr signature against the pubKey.
Multisig (OP_CHECKMULTISIG): has the famous "off-by-one"
bug that consumes an extra stack element — that's why scripts start
with OP_0. It is consensus-critical: cannot be fixed without a hard
fork.
Merkle Tree and immutability
TXs are hashed in pairs upward to a single root. Changing 1 bit
in 1 TX changes its hash, which changes the parent hash, all the
way to the root — which is inside the header committed by the PoW.
Rewriting would require re-mining the block and all subsequent ones.
Leaf: H(TX)
Branch: H( H(TXa) || H(TXb) )
Root: H( left_branch || right_branch ) → goes in the header
Merkle proof (SPV): to prove a TX is in a block you only
need log₂(n) hashes (the branch), not thousands of TXs. That's why
a mobile wallet verifies inclusion downloading kilobytes, not
gigabytes.
Note CVE-2012-2459: duplicating the last TX to forge the
same root was a real bug. Bitcoin now rejects blocks with duplicate
TXs.
Attack vectors (and why they fail)
51% Attack
With >50% of the hashrate you can reorganize the chain and
double-spend. You CANNOT steal others' coins or create BTC out of
thin air (nodes reject invalid signatures and excessive subsidies).
Cost 2024: hundreds of M$ in ASICs + ~$millions/hour of energy.
Attacking would destroy the value of what you're trying to steal.
Selfish Mining
Mining blocks in secret and publishing them strategically to
invalidate honest work. Theoretically profitable with >~25-33%
of the hashrate, but detectable and risky.
Double Spend
Spending the same UTXO twice. Impossible once confirmed; that's
why confirmations are waited for. At 0-conf it is viable with
Replace-By-Fee.
Quantum
A quantum computer with enough logical qubits could break ECDSA
(Shor) on exposed public keys. Mitigation: do not reuse addresses
(the pubkey is only revealed when spending) and future migration
to post-quantum signatures. Estimated: not before ~2030+.
Advanced cryptography
HD Derivation — BIP32/39/44/84
A single seed phrase (12-24 words, BIP39) generates infinite keys
deterministically. The path m/84'/0'/0'/0/0 means: purpose 84
(native SegWit) / coin 0 (Bitcoin) / account 0 / external chain /
index 0.
Schnorr (BIP340, activated with Taproot 2021) is linear: it allows
adding signatures and keys. An n-of-n multisig aggregates into ONE
64-byte signature via MuSig2 → cheaper and more private.
Taproot and MAST
A Taproot output Q = P + H(P‖merkle_root)·G combines a key (key
path) with a script tree (script path). Only the executed branch
is revealed; the rest stays hidden. A cooperative spend is
indistinguishable from a normal payment.
Path to becoming an expert
1
Fundamentals: SHA256 hash, public/private keys, UTXO vs
accounts. Master this simulation at 1x by reading each scenario.
2
Read the Whitepaper by Satoshi (9 pages) and then "Mastering
Bitcoin" by Andreas Antonopoulos (free on GitHub).
3
Hands on: install Bitcoin Core, run a full node on
testnet/signet, use bitcoin-cli to create and sign TXs manually.
4
Code: explore the bitcoin/bitcoin repo on GitHub. Start
with validation.cpp, script/interpreter.cpp and pow.cpp.
5
Build: use a library (bitcoinjs-lib, rust-bitcoin, BDK)
to assemble transactions, derive HD wallets and verify Merkle
proofs yourself.
6
Go deep: read the BIPs (Bitcoin Improvement Proposals),
especially BIP32, 39, 141 (SegWit), 340-342 (Taproot/Schnorr).
Golden rule: "Don't trust, verify". An expert doesn't
believe claims about Bitcoin — they verify them with their own
node and by reading the consensus code.