&lt;pre&gt;<br />  BIP: ?<br />  Layer: Consensus (soft fork)<br />  Title: Booby Trapped Wallets<br />  Author: Matias Monteagudo &lt;omatimonteagudov@gmail.com&gt;<br />  Comments-Summary: No comments yet.<br />  Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-XXXX<br />  Status: Draft<br />  Type: Standards Track<br />  Created: 2025-08-21<br />  License: BSD-2-Clause<br />  Requires: 341, 342<br />&lt;/pre&gt;<br /><br />== Abstract ==<br /><br />This BIP proposes covenant-only Taproot outputs, an optional but irrevocable wallet-level security mechanism. When activated by wallet owners, covenant-only mode disables key-path spending and mandates script-path spending, creating invisible transaction restrictions that only become apparent when violated. This mechanism provides an optional security layer for high-value institutional Bitcoin holdings against unauthorized access while maintaining transaction privacy until restrictions are triggered.<br /><br />== Copyright ==<br /><br />This BIP is licensed under the BSD 2-clause license.<br /><br />== Motivation ==<br /><br />High-profile Bitcoin holders, particularly institutional entities such as exchanges, face significant security risks. When attackers gain access to private keys, they can drain wallets with varying degrees of difficulty but ultimately succeed. Current security measures are visible and can be circumvented by sophisticated attackers.<br /><br />This proposal creates an optional but irrevocable security mechanism where:<br /><br /># Wallet owners can voluntarily and irrevocably restrict future transactions to predefined destination addresses<br /># Once activated, unauthorized transfer attempts are automatically redirected to arbitration wallets<br /># The restrictions remain completely invisible until triggered<br /># Protected wallets appear identical to unprotected ones, preventing attacker preparation<br /># The mechanism is entirely opt-in and cannot be forced upon any wallet<br /><br />== Specification ==<br /><br />=== Covenant-Only Taproot Output ===<br /><br />A covenant-only Taproot output extends standard Taproot (BIP 341) by mandating script-path spending through the use of an invalidated internal key:<br /><br />&lt;pre&gt;<br />scriptPubKey: OP_1 &lt;32-byte-covenant-taproot-output&gt;<br />&lt;/pre&gt;<br /><br />The output commitment follows standard Taproot construction:<br />&lt;pre&gt;<br />covenant_taproot_output = internal_pubkey + tagged_hash("TapTweak", internal_pubkey || merkle_root)<br />&lt;/pre&gt;<br /><br />Where internal_pubkey is set to an unspendable value, making key-path spending impossible.<br /><br />=== Key Components ===<br /><br />==== 1. Internal Key Invalidation ====<br /><br />The internal public key MUST be set to the following unspendable point:<br />&lt;pre&gt;<br />internal_pubkey = lift_x(tagged_hash("CovenantOnly/InvalidKey", b""))<br />&lt;/pre&gt;<br /><br />This point has no known discrete logarithm, ensuring key-path spending is cryptographically impossible while maintaining compatibility with existing Taproot validation rules.<br /><br />==== 2. Covenant Script Template ====<br /><br />The covenant script enforces destination restrictions through conditional execution:<br /><br />&lt;pre&gt;<br /># Check if destination is whitelisted<br />OP_DUP OP_HASH160 &lt;destination_hash&gt; OP_EQUAL<br />OP_IF<br />    # Validate whitelist membership with Merkle proof<br />    OP_SWAP &lt;whitelist_merkle_root&gt; OP_CHECKTEMPLATEVERIFY<br />    &lt;destination_pubkey&gt; OP_CHECKSIG<br />OP_ELSE<br />    # Enforce arbitration for unauthorized destinations<br />    &lt;arbitration_wallet_script&gt;<br />OP_ENDIF<br />&lt;/pre&gt;<br /><br />Note: This script assumes a hypothetical OP_CHECKTEMPLATEVERIFY opcode for Merkle proof validation. Actual implementation would use existing opcodes for Merkle tree verification. The arbitration_wallet_script can be any valid script (single-sig, multisig, or other) as determined by the institution and arbitrator.<br /><br />==== 3. Whitelist Construction ====<br /><br />Allowed destinations are hashed into a Merkle tree:<br />&lt;pre&gt;<br />whitelist_hash = merkle_root(destination_1, destination_2, ..., destination_n)<br />&lt;/pre&gt;<br /><br />=== Transaction Validation ===<br /><br />==== Normal Operation ====<br /><br />When spending to a whitelisted destination:<br /># Transaction appears as standard Taproot spend<br /># Script-path reveals the covenant logic<br /># Whitelist proof validates the destination<br /># Transaction proceeds normally<br /><br />==== Unauthorized Attempt ====<br /><br />When attempting to spend to non-whitelisted destination:<br /># Script-path execution fails whitelist check<br /># Automatic fallback to arbitration wallet<br /># Funds are locked pending arbitration resolution<br /><br />=== Activation and Deployment ===<br /><br />This soft fork follows the deployment mechanism specified in BIP 9 (Version bits with timeout and delay):<br /><br />&lt;pre&gt;<br />name: covenant-taproot<br />bit: TBD (to be assigned by BIP editors)<br />starttime: TBD (6 months after BIP Final status)<br />timeout: TBD (2 years after starttime)<br />threshold: 1815 (90% of 2016 blocks)<br />&lt;/pre&gt;<br /><br />The soft fork activates when 90% of blocks in a difficulty period signal readiness, ensuring broad miner consensus before enforcement begins.<br /><br />=== New Consensus Rules ===<br /><br />After activation, nodes MUST enforce the following rules for covenant-only Taproot outputs:<br /><br /># '''Internal Key Validation''': Outputs using the covenant-only internal key (as defined in section 1) MUST be validated as covenant-only outputs<br /># '''Mandatory Script-Path''': Covenant-only outputs MUST be spent using script-path spending; key-path spending attempts are INVALID<br /># '''Script Execution''': The covenant script MUST successfully execute and validate destination restrictions<br /># '''Merkle Proof Verification''': Whitelisted destinations MUST provide valid Merkle inclusion proofs<br /># '''Arbitration Fallback''': Non-whitelisted destinations MUST redirect to the specified arbitration wallet<br /><br />These rules only apply to outputs created after activation and do not affect existing Taproot outputs.<br /><br />== Backwards Compatibility ==<br /><br />This proposal maintains full backwards compatibility through careful soft fork design:<br /><br /># '''Pre-existing Outputs''': All existing Taproot outputs continue to function unchanged with their original semantics<br /># '''Node Compatibility''': Non-upgraded nodes validate covenant-only outputs as standard Taproot without additional restrictions<br /># '''Wallet Compatibility''': Existing wallet software continues to work; covenant functionality is purely additive<br /># '''Transaction Relay''': All transactions remain compatible with existing relay policies and fee estimation<br /># '''Mining Compatibility''': No changes required to mining software or pool configurations<br /><br />The soft fork nature ensures that old software never sees invalid transactions, maintaining network cohesion during the upgrade period.<br /><br />== Rationale ==<br /><br />=== Why Extend Taproot? ===<br /><br />Taproot provides the perfect foundation because:<br /><br /># '''Privacy''': Scripts remain hidden until execution<br /># '''Flexibility''': Merkle tree structure supports complex covenants<br /># '''Efficiency''': Minimal on-chain footprint<br /># '''Adoption''': Building on existing, activated technology<br /><br />=== Why Disable Key-Path Spending? ===<br /><br />Key-path spending would allow attackers to bypass covenant restrictions entirely. By making the internal key unspendable, we ensure that all spending must go through the covenant script validation.<br /><br />=== Arbitration Mechanism ===<br /><br />The automatic arbitration fallback provides:<br /><br /># '''Recovery path''': Legitimate users can recover funds through arbitration<br /># '''Deterrent effect''': Attackers know stolen funds will be locked<br /># '''Institutional security''': Professional arbitration services can be integrated with any wallet type<br /><br />Institutions can choose from existing specialized services such as the Blockchain Arbitration &amp; Commerce Society (https://bacsociety.com) or any other arbitrator they trust, providing flexibility in arbitration provider selection.<br /><br />=== Privacy Benefits ===<br /><br /># Protected wallets are indistinguishable from regular Taproot addresses<br /># Covenant restrictions only become visible when violated<br /># Normal operations remain completely private<br /># Attackers cannot identify targets in advance<br /><br />== Reference Implementation ==<br /><br />=== Core Validation Logic ===<br /><br />&lt;pre&gt;<br />def validate_covenant_taproot(scriptPubKey, witness_stack, tx_outputs):<br />    """Validate a Covenant-Only Taproot spend"""<br />    <br />    # Extract the covenant output<br />    if len(scriptPubKey) != 34 or scriptPubKey[0] != 0x51:<br />        return False<br />        <br />    covenant_output = scriptPubKey[2:]<br />    <br />    # Verify script-path spending (key-path is invalid)<br />    if len(witness_stack) &lt; 3:<br />        return False<br />        <br />    script = witness_stack[-2]<br />    control_block = witness_stack[-1]<br />    <br />    # Validate Taproot script-path<br />    if not validate_taproot_script_path(script, control_block, covenant_output):<br />        return False<br />        <br />    # Execute covenant script<br />    return execute_covenant_script(script, witness_stack[:-2], tx_outputs)<br /><br />def execute_covenant_script(script, witness_stack, tx_outputs):<br />    """Execute the covenant validation script"""<br />    <br />    # Parse script to extract whitelist and arbitration keys<br />    whitelist_hash, destination_key, arbitration_keys = parse_covenant_script(script)<br />    <br />    # Check if spending to whitelisted destination<br />    for output in tx_outputs:<br />        dest_hash = hash160(output.scriptPubKey)<br />        if validate_whitelist_inclusion(dest_hash, whitelist_hash, witness_stack):<br />            # Spending to authorized destination<br />            return validate_signature(destination_key, witness_stack)<br />    <br />    # No whitelisted destination found - enforce arbitration<br />    return validate_arbitration_wallet(arbitration_keys, witness_stack)<br />&lt;/pre&gt;<br /><br />=== Wallet Integration ===<br /><br />&lt;pre&gt;<br />class CovenantWallet:<br />    def create_covenant_output(self, whitelist_destinations, arbitrator_pubkey):<br />        """Create a new Covenant-Only Taproot output"""<br />        <br />        # Create whitelist Merkle tree<br />        whitelist_hash = self.build_whitelist_merkle_tree(whitelist_destinations)<br />        <br />        # Build covenant script<br />        covenant_script = self.build_covenant_script(<br />            whitelist_hash, <br />            self.institution_pubkey,<br />            arbitrator_pubkey<br />        )<br />        <br />        # Create Taproot commitment with invalid internal key<br />        invalid_internal_key = tagged_hash("CovenantOnly/InvalidKey", b"")<br />        taproot_output = self.compute_taproot_output(invalid_internal_key, covenant_script)<br />        <br />        return taproot_output<br />        <br />    def spend_covenant_output(self, utxo, destination, whitelist_proof):<br />        """Spend from a covenant-protected output"""<br />        <br />        # Build witness stack<br />        witness_stack = []<br />        witness_stack.extend(self.create_signature_data())<br />        witness_stack.append(whitelist_proof)<br />        witness_stack.append(self.covenant_script)<br />        witness_stack.append(self.control_block)<br />        <br />        return self.create_transaction(utxo, destination, witness_stack)<br />&lt;/pre&gt;<br /><br />== Security Considerations ==<br /><br />=== Cryptographic Security ===<br /><br /># '''Internal Key Security''': The covenant-only internal key is derived using a cryptographically secure hash function with no known preimage, ensuring no party can compute the corresponding private key<br /># '''Script Hiding''': Covenant logic remains hidden until first execution, preventing attackers from analyzing restrictions beforehand<br /># '''Merkle Tree Security''': Whitelist validation relies on cryptographically secure Merkle tree inclusion proofs, preventing unauthorized destination forgery<br /><br />=== Attack Vectors and Mitigations ===<br /><br /># '''Private Key Compromise''': Primary threat mitigated by mandatory script-path spending that enforces covenant restrictions regardless of key compromise<br /># '''Script Analysis Attack''': Covenant structure only revealed upon violation attempt, limiting attacker intelligence gathering<br /># '''Arbitration Compromise''': Mitigated by using secure arbitration wallet configurations and the ability to use multiple independent arbitrators<br /># '''Implementation Vulnerabilities''': Reference implementation includes comprehensive test vectors and edge case handling<br /># '''Social Engineering''': Attacks against arbitrators are mitigated because the arbitrator's identity remains hidden until the covenant is triggered, preventing targeted attacks during normal operations<br /><br />=== Economic Security Model ===<br /><br /># '''Attacker Economics''': Theft attempts face high probability of fund seizure through arbitration, making attacks economically irrational<br /># '''Arbitrator Incentives''': Arbitrators have economic stake in fair resolution to maintain reputation and future business<br /># '''Institution Benefits''': Legitimate institutions maintain full operational control while gaining protection against unauthorized access<br /># '''Network Effects''': Widespread adoption increases overall ecosystem security without degrading privacy or performance<br /><br />=== Privacy Trade-offs ===<br /><br /># Normal operations maintain full privacy<br /># Violation attempts reveal covenant structure<br /># Overall privacy significantly better than current multisig alternatives<br /><br />== Test Vectors ==<br /><br />=== Vector 1: Covenant-Only Output Creation ===<br /><br />&lt;pre&gt;<br />Internal Key: 50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0<br />Merkle Root: 9a1c7d8f0e5b3a4c2d9f8e7b6a5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8b7c<br />Script Tree: [covenant_script_leaf]<br />Expected Output: bc1p... (32-byte commitment)<br />&lt;/pre&gt;<br /><br />=== Vector 2: Valid Whitelisted Spend ===<br /><br />&lt;pre&gt;<br />Input: Covenant-only Taproot UTXO from Vector 1<br />Destination: bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4 (whitelisted)<br />Witness Stack: [signature, merkle_proof, covenant_script, control_block]<br />Expected: VALID transaction<br />Privacy: Covenant script revealed but appears as normal Taproot spend<br />&lt;/pre&gt;<br /><br />=== Vector 3: Unauthorized Destination Attempt ===<br /><br />&lt;pre&gt;<br />Input: Covenant-only Taproot UTXO from Vector 1  <br />Destination: bc1qrp33g0q5c5txsp9arysrx4k6zdkfs4nce4xj0gdcccefvpysxf3qccfmv3 (not whitelisted)<br />Witness Stack: [arbitration_signatures, covenant_script, control_block]<br />Expected: Funds redirected to arbitration wallet<br />Privacy: Covenant structure fully revealed<br />&lt;/pre&gt;<br /><br />=== Vector 4: Key-Path Bypass Attempt ===<br /><br />&lt;pre&gt;<br />Input: Covenant-only Taproot UTXO from Vector 1<br />Spend Type: Key-path (single signature, no script reveal)<br />Witness Stack: [invalid_signature]<br />Expected: INVALID (unspendable internal key)<br />Result: Transaction rejected by consensus rules<br />&lt;/pre&gt;<br /><br />== Implementation Timeline ==<br /><br /># '''Phase 1''': Reference implementation and test suite<br /># '''Phase 2''': Community review and feedback incorporation  <br /># '''Phase 3''': Testnet deployment and testing<br /># '''Phase 4''': Mainnet soft fork activation (if consensus achieved)<br /><br />== Conclusion ==<br /><br />This proposal introduces covenant-only Taproot outputs as an optional security enhancement for Bitcoin. By leveraging existing Taproot infrastructure with invalidated internal keys, we enable invisible transaction restrictions that provide institutional-grade protection without compromising privacy or usability.<br /><br />The mechanism offers a balanced approach to high-value Bitcoin security, maintaining compatibility with existing systems while providing powerful deterrence against unauthorized access. The optional nature ensures no impact on users who do not require this additional security layer.<br /><br />== Acknowledgments ==<br /><br />The author thanks the Bitcoin development community for their work on Taproot (BIP 341) which provides the foundation for this proposal. Special appreciation to the designers of the Taproot script commitment scheme that enables covenant functionality.<br /><br />== References ==<br /><br />* [[bip-0341.mediawiki|BIP 341: Taproot: SegWit version 1 spending rules]]<br />* [[bip-0342.mediawiki|BIP 342: Validation of Taproot Scripts]]<br />* [https://github.com/bitcoin/bitcoin Bitcoin Core implementation]<br />* [[https://bacsociety.com Blockchain Arbitration &amp; Commerce Society]]

<p></p>

-- <br />
You received this message because you are subscribed to the Google Groups &quot;Bitcoin Development Mailing List&quot; group.<br />
To unsubscribe from this group and stop receiving emails from it, send an email to <a href="mailto:bitcoindev+unsubscribe@googlegroups.com">bitcoindev+unsubscribe@googlegroups.com</a>.<br />
To view this discussion visit <a href="https://groups.google.com/d/msgid/bitcoindev/6778d5ec-91dc-4c3b-9718-581ec2cf7be6n%40googlegroups.com?utm_medium=email&utm_source=footer">https://groups.google.com/d/msgid/bitcoindev/6778d5ec-91dc-4c3b-9718-581ec2cf7be6n%40googlegroups.com</a>.<br />