On Sat, Apr 23, 2022 at 12:56 AM Billy Tetrud wrote: > > If an attacker steals the hot key, then they have the option to simply > wait for the user to unvault their funds > > This is definitely true. Its kind of a problem with most vault proposals. > Its one of the primary reasons I designed an alternative proposal > . The > OP_BEFOREBLOCKVERIFY opcode I proposed solves this security hole by > automatically swapping control of the UTXO over to the intended recipient > after a timeout. Alternatively, if OP_BBV weren't available, OP_POS in > conjunction with OP_CD could encode things such that the transaction > with the hot key could only spend to the intended recipient. > > I'm curious if there are any other covenant proposals that have a solution > to that problem. I'm not aware of any that do other than my proposal. > As I noted, the original MES vault https://fc16.ifca.ai/bitcoin/papers/MES16.pdf, commits to the destination address during unvaulting. Their proposal uses CheckOutputVerify that checks if a given output has a given amount and a given scriptPubKey. (The MES vault then goes on to add a PATTERN parameter to OP_COV's scriptPubKey parameter in order to make a recursive vault, but that is used to deter cold-key theft, not hot-key theft). Our paper https://fc17.ifca.ai/bitcoin/papers/bitcoin17-final28.pdf impelments the MES vault in Elements (alpha) using CAT and CHECKSIGFROMSTACK. While I wouldn't necessarily call it a covenant proposal, rather it is an observation that these opcodes happen to be adequate for the task. With such a big security caveat, I really don't find CTV vaults a compelling example of using CTV. Sure, if CTV happens to exist, by all means do whatever you like. But if anything, the CTV vault scheme instead illustrates BlueMatt's point that we aren't really finished with covenant research design yet: Q: What ways can we build a secured vault that commits to the destination address? Q: Are there elegant ways of building secure vaults by using CTV plus something else. Presumably CAT + CTV would be enough, though maybe some people are concerned that CAT might enable recursive covenants (if people aren't willing to have even CAT, I don't see how we will ever really have programmable money).