That's an interesting mechanism. Since the goal of OP_VAULT was to avoid being another general covenant proposal, that avenue could be blocked by requiring that for a transaction spending a utxo with a script using OP_UNVAULT, the script (or taproot tree) must *only* contain that one opcode call (perhaps with an escape hatch that OP_UNVAULT turns into a NOOP if that constraint isn't satisfied). If no other conditions can be placed on the utxo, then the only relevant condition is the delay (and the prescribed output targets). 

Even with this restriction, it could be used for Jeremy Rubin's congestion control transactions, which just commits to a list of future outputs, to be sent when the fee environment is cheaper. 

However, James mentioned adding <recovery-params> that includes a scriptPubKey for authorizing recovery. With that addition, OP_UNVAULT can be used to do more general covenants by making `unvault-target-hash` unsatisfiable (set to some random number that isn't derived from a hash) the delay wouldn't matter, but arbitrary conditions can be set on spending the utxo to the "recovery address" which could be another OP_UNVAULT. It seems like that could be used as a general CTV-like covenant.

On Fri, Jan 13, 2023 at 2:04 PM Ben Carman via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
Hi list,

After reading through James's OP_VAULT proposal this week, I had a realization that this can be used for more than a deep cold storage wallet.

Instead of vaulting and unvaulting, we can just send to a OP_UNVAULT output.
When using OP_UNVAULT if we set the `recovery-spk-hash` to a burn address (ie OP_RETURN `<random value>`)
and the `delay-period` to `0` we can use it as a not-so simple covenant with the `unvault-target-hash` being
set to whatever output restrictions you want to create.

Given this we can recreate a lot of what CTV promises, one of my favorites being
[Lloyd's improvement to DLCs](https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-January/019808.html)
(I recommend reading that first)

A similiar construction could be done by creating a taproot tree similiar to LLoyd's construction with each leaf looking like:

`<hash-of-burn-spk> 0 <CET-hash_i> OP_UNVAULT <CET_i> CHECKSIG`

In the same as Lloyd's proposal: when the oracle(s) reveals their attestations either party can combine them to get the secret key corresponding to `CET_i` and spend the coins to the CET (whose `unvault-target-hash`
hash is `CET-hash`) which distributes the funds according to the contract.

## Comparison

Compared to the original CTV proposal, this should get all the same computational savings. However, it would use more blockchain space. 

The main downside I see is our final spending script will be slightly larger.
Instead of just having `<hash> OP_CTV` it will be replaced with `<hash> 0 <hash> OP_UNVAULT` (34 bytes extra, not including the witness discount).
However, this may be negligible in the case of a DLC with many outcomes as a lot of the input size will be coming from the control block.
This also can always be skipped by doing a cooperative close of the DLC if the internal-key of the taproot tree can be spent using something like MuSig.

I imagine a lot of the other applications for CTV can be recreated with OP_VAULT using this same trick.

# Credits

- Lloyd Fournier for the original proposal
- James O'Beirne for the OP_VAULT proposal and giving me the idea to skip the intial OP_VAULT and just use OP_UNVAULT


Best,
benthecarman
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev