The Path to Permissionlessness

Last updated 2 months ago

The system was designed from the outset to be fully permissionless: anyone with the minimum amount of T stake could run a node and have a proportional chance of being a custodian.

In order to effectively ship the product, we launched with a permissioned set of Signers, as well as permissioned sets of Guardians and Minters. This document explains the ideas behind those changes and what we're doing about them going forward.

TL;DR

  • tBTC currently uses a permissioned set of signers (aka Beta Stakers) operating under an honest-majority assumption.

  • The permissioned honest-majority signer set will remain in place until custody is upgraded to a 1-of-N trust assumption using BitVM2 (or an equivalent design).

Permissionless Custodianship

To select the 100 signers for a wallet, tBTC selects from the permissioned list of Beta Stakers. This decision was made for several reasons:

  1. During the early days of the system (the testnet and chaosnet phases), it is important to ensure that signers are available to help test changes and quickly respond to critical bugs. Having direct access to individuals known to the development team is critical in this context.

  2. The underlying signature algorithm, GG18, cannot identify misbehaving signers.

The point about GG18 is crucial. Without being able to identify misbehaving signers, a small, sophisticated, malicious minority can make it difficult to sign Bitcoin transactions in a timely manner. If we were able to identify the misbehaving signers, we could exclude them directly from the signing process.
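
The liveness effect described above, as an added example (not from the Threshold documentation or code base). It is a simplified model: the 51-of-100 threshold, the count of 5 malicious signers, the uniformly random retry subsets and all function names are assumptions made for illustration.

```python
"""Simplified liveness model (added example, not Threshold code).

Assumptions: a signing attempt uses a random t-subset of the n wallet
signers and fails if any chosen signer is malicious. n=100 is from the
page; t=51 and f=5 are illustrative values.
"""
import random
from fractions import Fraction
from math import comb


def clean_subset_probability(n: int, t: int, f: int) -> Fraction:
    """Chance that a uniformly random t-subset contains no malicious signer."""
    if t > n - f:
        return Fraction(0)
    return Fraction(comb(n - f, t), comb(n, t))


def expected_attempts_blind(n: int, t: int, f: int) -> Fraction:
    """No culprit identification: every retry is an independent draw, so the
    number of attempts is geometric with mean 1/p."""
    p = clean_subset_probability(n, t, f)
    if p == 0:
        raise ValueError("not enough honest signers to reach the threshold")
    return 1 / p


def attempts_with_identification(n: int, t: int, f: int, rng: random.Random) -> int:
    """Identifiable abort: each failed attempt exposes one culprit, who is
    dropped from the pool before the next draw. Bounded by f + 1 attempts."""
    if t > n - f:
        raise ValueError("not enough honest signers to reach the threshold")
    pool = list(range(n))          # signers 0..f-1 are the malicious ones
    attempts = 0
    while True:
        attempts += 1
        subset = rng.sample(pool, t)
        culprits = [s for s in subset if s < f]
        if not culprits:
            return attempts
        pool.remove(culprits[0])   # worst case: only one culprit is exposed


if __name__ == "__main__":
    n, t, f = 100, 51, 5
    print(f"P(clean subset)      = {float(clean_subset_probability(n, t, f)):.4f}")
    print(f"blind retries (mean) = {float(expected_attempts_blind(n, t, f)):.1f}")
    runs = [attempts_with_identification(n, t, f, random.Random(i)) for i in range(1000)]
    print(f"with identification  = max {max(runs)} attempts over 1000 runs")
```

Under these assumptions, five uncooperative signers out of 100 leave only about a 2.5% chance that a random 51-member subset is clean, while excluding identified culprits caps the retries at six.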

Although alternative algorithms exist for identifying misbehaving signers, they are not yet viable for production use for one or more of the following reasons:

  • They are not yet production-ready codebases.

  • They are not open source.

  • They exist only as whitepapers.

To address this issue, we have been developing a proof-of-concept for CGGMP and exploring FROST.

Recent advances in Bitcoin bridge design, specifically BitVM2, suggest the possibility of improving custody from an honest-majority assumption to a 1-of-N trust assumption. Threshold Network is closely monitoring the development of this design and various implementations, with the medium-term intent of upgrading tBTC's underlying custody mechanics once the technology is sufficiently mature.

Guardians and Minters

Guardians and Minters are a permissioned set of high-trust public operators with their reputations on the line.

Guardians are responsible for validating mint and redemption requests, and have the ability to veto malicious or fraudulent requests. If we were to make these lists permissionless, a malicious Minter could flood the system with fake minting requests for the Guardians to deal with, or a malicious Guardian could veto every proposed mint to halt growth.

Minters serve a convenience function by enabling "fast minting." Importantly, they do not have the ability to gatekeep mint requests; any deposit that all Minters refuse to approve or that a Guardian refuses to accept can still be minted every eight hours by the signers. This ensures that the system remains resilient and able to handle situations in which a malicious actor attempts to disrupt the minting process.

If a Guardian or Minter misbehaves, the Threshold DAO can vote to remove them.

Optimistic Minting for tBTC
Sweeping option for minting tBTC