System Architecture and Implementation
This document explains the technical implementation of tBTC. We’ll cover the protocol’s core mechanisms, economic security, and failure handling.
Understanding the Single-Signer Model
The simplest way to understand tBTC is to look at a basic single-signer design first:
- A depositor wants to create TBTC
- They ask a smart contract to take their BTC
- A signer provides a BTC address and stakes 150% collateral in ETH
- The depositor sends BTC to that address
- The contract mints TBTC – 0.99 for the depositor, 0.01 as signer fee
This design is elegant but has fatal flaws:
- A single signer can steal the deposit if BTC rises against ETH far enough that the bond is worth less than the BTC it secures
- Single hot wallet creates a honeypot for attackers
- No failure isolation – one problem affects the whole system
Multi-Wallet Multi-Signer Protocol
tBTC fixes these issues with distributed signing groups and multiple wallets. The system implements random signer selection, multi-sig payments, improved bonding mechanics, a price feed for collateral monitoring, Bitcoin transaction verification, and clear failure handling on both chains.
Random Signer Selection
The protocol uses Keep Network’s random beacon to select signers, which prevents gaming of the selection and spreads signers geographically. Each signing group creates a shared ECDSA key using threshold signatures. The protocol limits groups to 80 signers due to Bitcoin consensus rules, typically using 3-of-5 threshold signing. Each signer stakes ETH worth 1/3 of the deposit, creating total collateral of 150% of deposit value.
Bonding Economics
Bonds create economic security. Each signer must put up ETH collateral proportional to the deposit size. The system monitors three collateralization thresholds:
- 150% – Required initial collateralization
- 125% – Triggers pre-liquidation if breached
- 110% – Final liquidation threshold
If the ETH price drops relative to BTC far enough to breach the 125% threshold, the deposit enters pre-liquidation. Signers then have 6 hours to either:
- Close the deposit by redeeming it
- Add more collateral (removed in v1)
- Let it enter full liquidation
Making Deposits
The deposit process operates in fixed lots of 1 BTC. A depositor starts by sending a transaction to the tBTC contract with a small ETH fee. The system then selects random signers who create a shared wallet. The core requirement is sending exactly 1 BTC to the provided address – the system doesn’t accept partial deposits, and overpayment doesn’t create extra TBTC. Only the first UTXO counts for deposit verification.
Light Relays for Transaction Proof
tBTC uses a specialized SPV system called Light Relays to verify Bitcoin transactions. Unlike full SPV, a Light Relay:
- Stores only the block headers at difficulty adjustments
- Uses stateless proofs
- Provides recency guarantees through the difficulty data
- Is more efficient than storing every block header
Minting Process
Minting happens in two distinct phases after deposit. First, the system issues a Deposit Owner Token – an NFT tied to the specific UTXO that proves deposit ownership and gives exclusive redemption rights. This token can be transferred to others. The second phase creates fungible TBTC, requiring a confirmed Bitcoin deposit. The original holder receives 1 TBTC minus a 0.005 fee, with optional deposit beneficiary tokens providing fee rebates to encourage releasing owner tokens for liquidity.
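The exact-lot funding rule from Making Deposits and the two-phase mint above, as an added example that is not the tBTC project's code. The transaction layout, addresses and txid are constructed, and "first UTXO" is modelled as the first output paying the signing group's address; fees are kept in satoshi-style integer units to avoid float rounding.

```python
from typing import NamedTuple, Optional

LOT_SATS = 100_000_000       # fixed 1 BTC lot, in satoshis
SIGNER_FEE_SATS = 500_000    # 0.005 TBTC signer fee taken from the minted lot

class TxOut(NamedTuple):
    address: str
    value_sats: int

class FundingResult(NamedTuple):
    ok: bool
    reason: str
    utxo: Optional[tuple]    # (txid, vout) the Deposit Owner Token is tied to

def check_funding(txid: str, outputs: list, signer_address: str) -> FundingResult:
    """Verify a funding transaction against the exact-lot rule.

    Only the first output paying the signing group's address is considered; later
    outputs are ignored even if one of them would have been a valid lot.
    """
    for vout, out in enumerate(outputs):
        if out.address != signer_address:
            continue
        if out.value_sats < LOT_SATS:
            return FundingResult(False, "partial deposit below the 1 BTC lot", None)
        reason = "funded" if out.value_sats == LOT_SATS else "funded (overpaid, no extra TBTC)"
        return FundingResult(True, reason, (txid, vout))
    return FundingResult(False, "no output to the signing group's address", None)

def mint_amounts(result: FundingResult) -> dict:
    """Phase two of minting: fungible TBTC for a confirmed lot, in 1e-8 TBTC units.
    The fee is fixed per lot, so an overpaid deposit still mints exactly one lot."""
    if not result.ok:
        raise ValueError(result.reason)
    return {"depositor_sats": LOT_SATS - SIGNER_FEE_SATS, "signers_sats": SIGNER_FEE_SATS}

if __name__ == "__main__":
    # Constructed funding tx: a change output first, then the exact 1 BTC lot.
    outputs = [TxOut("bc1q-change-constructed", 50_000),
               TxOut("bc1q-signers-constructed", LOT_SATS)]
    result = check_funding("txid-constructed", outputs, "bc1q-signers-constructed")
    print(result)            # ok=True, utxo=('txid-constructed', 1)
    print(mint_amounts(result))
```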
Handling Price Changes
The ETH/BTC price relationship fundamentally affects system security. The protocol initially uses a single trusted price feed that updates every 6 hours when changes exceed 1%. Future versions will adopt Maker’s Medianizer model and integrate DEX prices for better decentralization.
When collateral value drops, the liquidation process begins with pre-liquidation at 125% ratio. If not resolved, full liquidation kicks in, selling seized ETH for TBTC. The system burns this TBTC to maintain the peg, splitting any remaining value between the liquidation triggerer and signers.
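The collateral thresholds from Bonding Economics together with the price-feed gating and liquidation flow above, as an added model that is not the tBTC project's code. The prices and bond sizes are constructed, and the triggerer/signer split of leftover value is an assumption since the page does not state it.

```python
from typing import Optional

# Thresholds from the tBTC v1 design summarised above (percent of deposit value).
INITIAL_COLLATERAL_PCT = 150
PRE_LIQUIDATION_PCT = 125
LIQUIDATION_PCT = 110
PRE_LIQUIDATION_WINDOW_S = 6 * 3600   # courtesy window before full liquidation
FEED_UPDATE_INTERVAL_S = 6 * 3600     # single trusted feed publishes at most every 6h
FEED_MIN_CHANGE = 0.01                # ...and only when the price moved more than 1%

def required_bond_eth(deposit_btc: float, eth_per_btc: float) -> float:
    """ETH the signing group must bond in total for a deposit of this size."""
    return deposit_btc * eth_per_btc * INITIAL_COLLATERAL_PCT / 100

def collateral_ratio_pct(bonded_eth: float, deposit_btc: float, eth_per_btc: float) -> float:
    """Bond value as a percentage of the deposit's value, both measured in ETH."""
    return 100.0 * bonded_eth / (deposit_btc * eth_per_btc)

def feed_should_update(last_price: float, new_price: float, seconds_since_update: int) -> bool:
    """The v1 price feed only publishes when both the 6h and the 1% change gates pass."""
    moved_enough = abs(new_price - last_price) / last_price > FEED_MIN_CHANGE
    return seconds_since_update >= FEED_UPDATE_INTERVAL_S and moved_enough

def deposit_state(ratio_pct: float, pre_liq_started_at: Optional[int] = None, now: int = 0) -> str:
    """Classify a deposit from its current ratio and, if set, when pre-liquidation began."""
    if ratio_pct <= LIQUIDATION_PCT:
        return "liquidation"
    if ratio_pct <= PRE_LIQUIDATION_PCT:
        if pre_liq_started_at is not None and now - pre_liq_started_at >= PRE_LIQUIDATION_WINDOW_S:
            return "liquidation"          # 6h window expired without redemption or top-up
        return "pre-liquidation"
    return "active"

def liquidate(bonded_eth: float, deposit_btc: float, eth_per_btc: float,
              triggerer_share: float = 0.5) -> dict:
    """Sell the seized bond for TBTC, burn the lot's worth to hold the peg, split the rest.
    The page does not give the triggerer/signer split; 50/50 is an assumption here."""
    bond_tbtc = bonded_eth / eth_per_btc       # auction proceeds, 1 TBTC pegged to 1 BTC
    burned = min(bond_tbtc, deposit_btc)
    remainder = bond_tbtc - burned
    return {"burned_tbtc": burned,
            "triggerer_tbtc": remainder * triggerer_share,
            "signers_tbtc": remainder * (1 - triggerer_share)}

if __name__ == "__main__":
    # Constructed scenario: 1 BTC lot bonded at 30 ETH/BTC, then ETH weakens against BTC.
    bond = required_bond_eth(1, 30)                     # 45 ETH
    for price in (30, 36.5, 41):
        ratio = collateral_ratio_pct(bond, 1, price)
        print(f"{price:5} ETH/BTC -> {ratio:6.1f}% -> {deposit_state(ratio)}")
    print(liquidate(bond, 1, 41))
```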
Redemption Mechanics
Redemption rights belong exclusively to deposit owner token holders. The process starts with a redemption request specifying the BTC address, deposit size, and fees. Standard fees include 0.005 BTC for signers and additional beneficiary fees if applicable. The system burns TBTC and notifies signers, who must create a valid Bitcoin signature within 3 hours and provide redemption proof within 12 hours. To handle varying Bitcoin network conditions, signers can adjust transaction fees every 4 hours.
Failure Handling
The protocol distinguishes between aborts and fraud when handling failures. Aborts occur when participants miss critical deadlines, resulting in penalties against deposit and signing bonds. Fraud, which includes unauthorized ECDSA signatures or unexplained UTXO movements, triggers full bond seizure. This tiered approach maintains system security while accounting for honest mistakes.
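The redemption deadlines from Redemption Mechanics and the abort-versus-fraud distinction above, as an added state model that is not the tBTC project's code. Timestamps are constructed seconds relative to the redemption request; the outcome labels are this example's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional

SIGNATURE_DEADLINE_S = 3 * 3600     # signers must produce a valid Bitcoin signature
PROOF_DEADLINE_S = 12 * 3600        # ...and prove the redemption tx via the relay
FEE_BUMP_INTERVAL_S = 4 * 3600      # fee increases allowed at most this often

@dataclass
class Redemption:
    requested_at: int
    signature_at: Optional[int] = None
    proof_at: Optional[int] = None
    fee_bumps_at: List[int] = field(default_factory=list)
    unauthorized_signature: bool = False   # ECDSA signature on a tx nobody requested

def fee_bumps_valid(r: Redemption) -> bool:
    """Each fee increase must come at least 4h after the previous one (or the request)."""
    last = r.requested_at
    for t in r.fee_bumps_at:
        if t - last < FEE_BUMP_INTERVAL_S:
            return False
        last = t
    return True

def classify(r: Redemption, now: int) -> str:
    """Outcome at time `now`: fraud seizes the whole bond, an abort is a missed deadline
    that is penalised against the bonds, everything else is still in flight or done."""
    if r.unauthorized_signature:
        return "fraud"
    if r.signature_at is None:
        return "abort:signature" if now - r.requested_at > SIGNATURE_DEADLINE_S else "pending:signature"
    if r.signature_at - r.requested_at > SIGNATURE_DEADLINE_S:
        return "abort:signature"
    if r.proof_at is None:
        return "abort:proof" if now - r.requested_at > PROOF_DEADLINE_S else "pending:proof"
    if r.proof_at - r.requested_at > PROOF_DEADLINE_S:
        return "abort:proof"
    return "redeemed"

if __name__ == "__main__":
    # Constructed timeline: signed after 1h, fee bumped at 4h and 8h, proven at 9h.
    r = Redemption(0, signature_at=3600, proof_at=9 * 3600, fee_bumps_at=[4 * 3600, 8 * 3600])
    print(classify(r, now=10 * 3600), fee_bumps_valid(r))
```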
Future Improvements
The protocol roadmap includes several technical upgrades. MuSig and BLS signatures will improve signing efficiency. Decentralized price feeds will remove single points of failure. Variable lot sizes and improved UTXO handling will increase flexibility, while new collateral types will expand participation options.
Economic Model
The economic model mirrors traditional custody services while maintaining decentralization. Signers earn 0.005 BTC per deposit, achieving roughly 1.875% annual returns. While this requires higher capital commitments than centralized services, it enables truly trustless Bitcoin-Ethereum bridging. The system prioritizes censorship resistance and supply peg maintenance while enabling immediate redeemability with minimal value loss.
This comprehensive security model and technical architecture demonstrates how tBTC maintains Bitcoin’s core properties while enabling seamless Ethereum integration.