BIP idea: Timelock-Recovery storage format
217 views
Skip to first unread message
Oren
Dec 28, 2025, 9:59:43 AM12/28/25
to Bitcoin Development Mailing List
Reposting here from BitcoinTalk:
After a short talk with Ava Chow during BTC++ Taiwan, I'm starting this thread to discuss whether my idea is BIP-worthy.
Motivation for Timelock-Recovery plans:
Storing seeds for recovery & inheritance is scary.
Pre-signed transactions to a secondary-wallet/custodian, are safer to handle and backup due to their immutability.
A single pre-signed transaction with a future nLocktime requires "renewal" when the nLocktime deadline is getting close, which could be annoying (i.e. if the seed is split over multiple geographic locations).
Covenants/Vaults are still being debated, and could scare less-technical Bitcoiners.
Solution:
Pre-signing a pair of transactions:
• Alert/Initiate Transaction: A consolidation transaction that keeps most funds on the original wallet (except for a minimal amount that goes to anchor-addresses, for CPFP acceleration)
• Recovery Transaction: A transaction that moves the Bitcoin from the consolidated UTXO to the secondary-wallet(s), with an nSequence relative-locktime that gives the user enough time to move the funds elsewhere (assuming they noticed that the Alert transaction was mined, and still have the seed or signed an alternative transaction in advance).
Similar to a single pre-signed transaction with a future nLocktime, Timelock-Recovery plans will not include new funds that are added to the wallet, and will be revoked even if a tiny amount is spent. This mechanism is intended for wallets that are going to remain untouched for a long time.
An example implementation can be found in the Timelock Recovery plugin that I've implemented for Electrum (merged since Electrum v4.6.0b1). Details and demo videos can be found at: https://timelockrecovery.com.
The plugin creates a UI for signing the two transactions, then saving them either in a PDF file (with detailed manual instructions for less-technological Bitcoiners how to broadcast them), or in a JSON format.
The BIP will be about the JSON format, which includes not only the raw transactions themselves, but also user-information (i.e. name, description, destination-labels, wallet-name, wallet-version), and data about the transactions (i.e. txids, amounts, fees, input-utxos, anchor-addresses, relative-locktime).
A standard JSON format will allow implementing a compatible feature on other wallets, as well as apps/servers for monitoring & initiating timelock-recovery plans - such as the one being developed by RITREK.com (disclosure: I'm one of RITREK's founders).
Let me know what you think!
Oren
Motivation for Timelock-Recovery plans:
Storing seeds for recovery & inheritance is scary.
Pre-signed transactions to a secondary-wallet/custodian, are safer to handle and backup due to their immutability.
A single pre-signed transaction with a future nLocktime requires "renewal" when the nLocktime deadline is getting close, which could be annoying (i.e. if the seed is split over multiple geographic locations).
Covenants/Vaults are still being debated, and could scare less-technical Bitcoiners.
Solution:
Pre-signing a pair of transactions:
• Alert/Initiate Transaction: A consolidation transaction that keeps most funds on the original wallet (except for a minimal amount that goes to anchor-addresses, for CPFP acceleration)
• Recovery Transaction: A transaction that moves the Bitcoin from the consolidated UTXO to the secondary-wallet(s), with an nSequence relative-locktime that gives the user enough time to move the funds elsewhere (assuming they noticed that the Alert transaction was mined, and still have the seed or signed an alternative transaction in advance).
Similar to a single pre-signed transaction with a future nLocktime, Timelock-Recovery plans will not include new funds that are added to the wallet, and will be revoked even if a tiny amount is spent. This mechanism is intended for wallets that are going to remain untouched for a long time.
An example implementation can be found in the Timelock Recovery plugin that I've implemented for Electrum (merged since Electrum v4.6.0b1). Details and demo videos can be found at: https://timelockrecovery.com.
The plugin creates a UI for signing the two transactions, then saving them either in a PDF file (with detailed manual instructions for less-technological Bitcoiners how to broadcast them), or in a JSON format.
The BIP will be about the JSON format, which includes not only the raw transactions themselves, but also user-information (i.e. name, description, destination-labels, wallet-name, wallet-version), and data about the transactions (i.e. txids, amounts, fees, input-utxos, anchor-addresses, relative-locktime).
A standard JSON format will allow implementing a compatible feature on other wallets, as well as apps/servers for monitoring & initiating timelock-recovery plans - such as the one being developed by RITREK.com (disclosure: I'm one of RITREK's founders).
Let me know what you think!
Oren
waxwing/ AdamISZ
Jan 1, 2026, 9:34:07 AMJan 1
to Bitcoin Development Mailing List
Hi Oren, list,
I do think this is a really good general idea - and certainly fits into "this could be a BIP". Current covenant-less "deadman's switch" style systems are of course limited, but useful, at least to the enthusiast that can hand-craft them. Avoiding the "need to refresh every interval" is clearly desirable, though the extra complexity *may* end up being more trouble than it's worth (clearly, you don't think so!).
Btw, do you think you should address directly the philosophy found in Liana, and what setups they have decided to expose? (i.e. what's the delta, here).
Btw, do you think you should address directly the philosophy found in Liana, and what setups they have decided to expose? (i.e. what's the delta, here).
Should the BIP actually be something with more flexibility in transaction structure, so as to cover more use-cases?
Other comments stimulated by the BIP text:
Other comments stimulated by the BIP text:
"The testmempoolaccept RPC can receive a list of transactions in which the later transactions may depend on earlier transactions - however in our case the Recovery Transaction has an nSequence relative-locktime, and therefore calling testmempoolaccept 'alert-tx' 'recovery-tx' will fail, claiming that the Alert Transaction UTXO is not confirmed (and the required time window has not passed). "
This sounds like a pretty chunky and important problem (which surprised me, as in, it never occurred to me). Speaking for myself, I would not rest easy with a recovery plan that I couldn't unambiguously check as follows: "I really, really want to know that this recovery works, but much more than that, I *must* know that it doesn't work (leak my funds) before the intended deadline".
With a single nlocktime you can do that (testmempoolaccept -> "non-final").
Is there a case for requesting a feature in Core that one could do a 'testmempoolaccept' with a conditional setting of the time/block height as argument? Would that solve this issue? I'm guessing not, as (clue is in the name!) the tool was mostly designed around "how does this tx interact with the currently seen mempool" more than "forget conflicts, is this even valid/could it ever be valid in and of itself?" (yeah perhaps it's just an incoherent question..?).
"alert_inputs (mandatory): An array of up to 10,000 inputs spent by the Alert Transaction. Each input is a string in the format "txid:vout" where txid is a 64-character lowercase hexadecimal string and vout is a decimal number of up to 6 digits.
alert_tx (mandatory): The raw Alert Transaction in uppercase hexadecimal format. A string of up to 800,000 characters."
I'm probably being an idiot, but: since you're defining alert_inputs as just txid:vout, what's the point of including it since that data is already in alert_tx, no?
One last thing, that 388 day limit is a little unfortunate, no? I certainly think a year is a good, reasonable "long time", but still, all the same.
Cheers,
AdamISZ/waxwing
Oren
Jan 1, 2026, 11:22:40 AMJan 1
to Bitcoin Development Mailing List
Hi AdamSZ, list,
Thanks for showing interest in the BIP and happy new year.
> Btw, do you think you should address directly the philosophy found in Liana, and what setups they have decided to expose? (i.e. what's the delta, here).
Yes, I think it's a good idea to talk about the advantages and disadvantages of pre-signed transactions vs script-based wallets. I'll add it to the Motivation section.
> Should the BIP actually be something with more flexibility in transaction structure, so as to cover more use-cases?
I think it's good to limit the structure of the transactions, so that different services could easily integrate this feature.
One guy that I talked to suggested building a more sophisticated sequence of transactions with multiple wallets, for example that after 90 days the Bitcoin will move to his wife's wallet, from which there will be another pre-signed transaction that moves the Bitcoin to his brother's wallet after 180 days, etc.
But after all, trying to support all custom logics and use-cases will end up in a service that compiles general-purpose "code" instead of something useful for standard users.
> Is there a case for requesting a feature in Core that one could do a 'testmempoolaccept' with a conditional setting of the time/block height as argument?
I've asked for a testmempoolaccept RPC that ignores nSequence/nLocktime here: https://github.com/bitcoin/bitcoin/issues/32142
It's a problem even in transactions with a single nLocktime. testmempoolaccept breaks on the first problem that it finds. Suppose you are signing a transaction with a future nLocktime, and testmempoolaccept breaks on "non-final" - how do you know that there are no other problems in the transaction? How can you tell that the cryptographic signatures are good, and what if it's a script-based wallet?
Some worry that complicate the testmempoolaccept RPC diverge from how transactions are checked in sendrawtransaction, and I somewhat agree with that.
Checking the signatures of P2WPKH wallets is straight-forward, but in order to build a service that verifies the Recovery transaction of a complicated wallet (i.e. multisig, taproot, etc.), without initiating the plan - I guess you would need to run a node with patched code for testmempoolaccept.
> I'm probably being an idiot, but: since you're defining alert_inputs as just txid:vout, what's the point of including it since that data is already in alert_tx, no?
I did mention that the JSON has some information duplicated. Even the alert_txid can be calculated from the raw transaction.
This is useful for displaying the information to the user for review. For example, a webpage to which you drag-n-drop the JSON file, shows you its information and has a button saying "Upload for Monitoring".
This will allow the frontend to show the user the list of UTXOs covered by the recovery-plan, without complicated frontend-code to parse the raw transaction.
Of course, if the user clicks "Upload for Monitoring" and the backend finds out that the alert_inputs mismatch the raw transaction, the whole process should be rejected with a warning that the file was corrupt (possibly maliciously).
> One last thing, that 388 day limit is a little unfortunate, no? I certainly think a year is a good, reasonable "long time", but still, all the same.
388 days is just the maximal value that you get from BIP-68:
After setting the correct bit flags, the relative-locktime is calculated from the lowest 16 bits, in units of 512 seconds.
This gives a maximal value of (2^16 - 1) * 512 seconds = 33,553,920 seconds = 388 days, 8 hours and 32 minutes.
Users can obviously choose a shorter cancellation-window.
Thanks for showing interest in the BIP and happy new year.
> Btw, do you think you should address directly the philosophy found in Liana, and what setups they have decided to expose? (i.e. what's the delta, here).
> Should the BIP actually be something with more flexibility in transaction structure, so as to cover more use-cases?
One guy that I talked to suggested building a more sophisticated sequence of transactions with multiple wallets, for example that after 90 days the Bitcoin will move to his wife's wallet, from which there will be another pre-signed transaction that moves the Bitcoin to his brother's wallet after 180 days, etc.
But after all, trying to support all custom logics and use-cases will end up in a service that compiles general-purpose "code" instead of something useful for standard users.
> Is there a case for requesting a feature in Core that one could do a 'testmempoolaccept' with a conditional setting of the time/block height as argument?
It's a problem even in transactions with a single nLocktime. testmempoolaccept breaks on the first problem that it finds. Suppose you are signing a transaction with a future nLocktime, and testmempoolaccept breaks on "non-final" - how do you know that there are no other problems in the transaction? How can you tell that the cryptographic signatures are good, and what if it's a script-based wallet?
Some worry that complicate the testmempoolaccept RPC diverge from how transactions are checked in sendrawtransaction, and I somewhat agree with that.
Checking the signatures of P2WPKH wallets is straight-forward, but in order to build a service that verifies the Recovery transaction of a complicated wallet (i.e. multisig, taproot, etc.), without initiating the plan - I guess you would need to run a node with patched code for testmempoolaccept.
> I'm probably being an idiot, but: since you're defining alert_inputs as just txid:vout, what's the point of including it since that data is already in alert_tx, no?
This is useful for displaying the information to the user for review. For example, a webpage to which you drag-n-drop the JSON file, shows you its information and has a button saying "Upload for Monitoring".
This will allow the frontend to show the user the list of UTXOs covered by the recovery-plan, without complicated frontend-code to parse the raw transaction.
Of course, if the user clicks "Upload for Monitoring" and the backend finds out that the alert_inputs mismatch the raw transaction, the whole process should be rejected with a warning that the file was corrupt (possibly maliciously).
> One last thing, that 388 day limit is a little unfortunate, no? I certainly think a year is a good, reasonable "long time", but still, all the same.
After setting the correct bit flags, the relative-locktime is calculated from the lowest 16 bits, in units of 512 seconds.
This gives a maximal value of (2^16 - 1) * 512 seconds = 33,553,920 seconds = 388 days, 8 hours and 32 minutes.
Users can obviously choose a shorter cancellation-window.
Regards,
Oren
Oren
Jan 1, 2026, 11:53:13 AMJan 1
to Bitcoin Development Mailing List
One more thing to mention - none of the hardware wallets that I've tested show the custom nSequence fields to the user, and only some show a custom nLocktime.
They just agree to sign whatever nSequence/nLocktime was in the PSBT, even if they it's not one of the common values (i.e. nSequence of 0xFFFFFFFD - 0xFFFFFFFF).
This is an issue regardless of my BIP idea, because a malicious virus could manipulate the nSequence field before sending it to the hardware wallet, making the user sign transactions that would seem corrupt when they try to broadcast them, but will become valid in the future.
Just as users may wish to verify that all pre-signed transactions are valid using some custom testmempoolaccept, they may also want to verify the exact relative-locktime (nSequence) value on their hardware wallet.
I wrote a PR for Specter-DIY to show this information, and wish for other wallets to follow: https://github.com/cryptoadvance/specter-diy/pull/321
Regards,
Oren
Reply all
Reply to author
Forward
0 new messages