In recent years, Partially Signed Bitcoin Transactions (PSBT) have gained significant traction within the Bitcoin ecosystem. The rise of innovations like Ordinals and inscription-based assets has driven demand for secure, multi-party signatures and complex transactions, positioning PSBT as an indispensable tool for navigating Bitcoin’s evolving landscape.
At CertiK, we are dedicated to advancing the security and integrity of PSBT usage. We have recently conducted comprehensive audits and penetration tests on popular projects like UniSat Wallet Extension, SwapSats, and Trac’s Tap Protocol, which heavily utilize PSBT for facilitating complex transaction workflows. Through our in-depth analyses, we have identified vulnerabilities related to PSBT implementation and provided actionable recommendations to enhance their security posture.
In this article, we share our extensive research and insights into PSBT, delving into its components, applications in Bitcoin DeFi, and the security risks associated with improper usage. We aim to highlight best practices for secure PSBT implementation and contribute to the ongoing efforts to strengthen Bitcoin ecosystem security.
Since its inception, the Bitcoin network has continuously evolved to address increasing demands for security, efficiency, and scalability. Among the most notable advancements during this journey is the development of Partially Signed Bitcoin Transactions (PSBT), a transformative innovation in transaction management. Defined in Bitcoin Improvement Proposal 174 (BIP 174), PSBTs standardize the workflow for creating, sharing, and signing Bitcoin transactions, especially in multi-party or multi-device contexts.
Prior to the introduction of PSBT in 2017, coordinating complex transactions that required multiple signatures or involved multiple parties was difficult and fraught with security risks. Wallet software often used proprietary formats for partially signed transactions, leading to incompatibilities between different wallets and platforms. The introduction of BIP-174 addressed these issues by proposing a universal format for PSBTs. This standardization allowed different wallet software and hardware devices to communicate seamlessly, facilitating the collaborative creation and signing of multi-party transactions.
In 2023, Ordinals—a protocol that assigns serial numbers to individual satoshis and allows users to attach extra data to them—brought renewed focus to PSBTs. Ordinals enable the creation of non-fungible tokens (NFTs) and other unique digital assets such as BRC-20 directly on the Bitcoin blockchain by inscribing data onto individual satoshis. Managing these assets requires precise control over transaction inputs and outputs, as well as the ability to handle complex scripts and signatures, which PSBTs are well-equipped to provide. As a result, PSBT technology experienced a revival last year and has since been widely adopted across the Bitcoin ecosystem.
PSBTs enable the creation, sharing, and signing of Bitcoin transactions in a standardized and secure manner, especially when multiple parties are involved.
High-level steps of PSBT workflow:
The following diagram may help clarify the workflow described above:
PSBT CoinJoin Workflow
While both PSBTs and multisignature transactions involve multiple signatures, they serve different purposes within the Bitcoin network. Multisignature transactions require multiple private keys to authorize a transaction, enforcing a specified number of signatures before funds can be spent. PSBTs, on the other hand, allow multiple parties to collaboratively create and sign transactions, regardless of whether the transaction itself requires multiple signatures.
Table: Comparison between PSBT and Multisignature Transactions
Understanding the structure of a PSBT is essential for utilizing it effectively, and ensuring transaction security. Below is a breakdown of its key components.
1. Inputs
Inputs in a PSBT reference the unspent transaction outputs (UTXOs) that are being used to fund the transaction.
Sample input:
2. Outputs
Outputs define where the funds are sent; each output becomes a new UTXO once the transaction confirms. Besides the payment itself, outputs are commonly used to return change or a refund to a participant.
3. Transaction Metadata
4. Signatures
5. Finalization Data
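To make the five regions above concrete, here is a minimal BIP 174 encoder/decoder written for this article as an added example; it is not code from the article, from any of the audited projects, or from a Bitcoin library. It uses only the Python standard library, defines only the key types needed here (unsigned tx in the global map; witness UTXO, partial signature, sighash type and final witness in the input maps), and all txids, hashes and amounts in the sample are constructed. It enforces one rule that matters for security review: BIP 174 declares a PSBT with a duplicate key in any map invalid, and the decoder rejects it rather than silently keeping the last value.

```python
"""Minimal BIP 174 PSBT encoder/decoder for a segwit v0 transaction.
Added example: not code from the article or from any project it names."""
import struct

PSBT_MAGIC = b"psbt\xff"
PSBT_GLOBAL_UNSIGNED_TX = 0x00      # global map: the unsigned transaction (section 1-3 data)
PSBT_IN_WITNESS_UTXO = 0x01         # input map: UTXO being spent (value + scriptPubKey)
PSBT_IN_PARTIAL_SIG = 0x02          # input map: <pubkey> -> signature (section 4)
PSBT_IN_SIGHASH_TYPE = 0x03         # input map: sighash type the signer must use
PSBT_IN_FINAL_SCRIPTWITNESS = 0x08  # input map: finalization data, the witness stack (section 5)


def varint(n: int) -> bytes:
    """Bitcoin CompactSize; this example only needs values below 0x10000."""
    return bytes([n]) if n < 0xFD else b"\xfd" + struct.pack("<H", n)


def read_varint(buf: bytes, pos: int):
    n = buf[pos]
    if n < 0xFD:
        return n, pos + 1
    if n == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    raise ValueError("CompactSize wider than this example supports")


def serialize_unsigned_tx(tx: dict) -> bytes:
    """Legacy (non-witness) serialization, which PSBT_GLOBAL_UNSIGNED_TX requires."""
    raw = struct.pack("<i", tx["version"]) + varint(len(tx["inputs"]))
    for inp in tx["inputs"]:  # scriptSig is empty: signatures live in the input maps, not here
        raw += inp["txid"] + struct.pack("<I", inp["vout"]) + b"\x00" + struct.pack("<I", inp["sequence"])
    raw += varint(len(tx["outputs"]))
    for out in tx["outputs"]:
        raw += struct.pack("<q", out["value"]) + varint(len(out["spk"])) + out["spk"]
    return raw + struct.pack("<I", tx["locktime"])


def count_in_out(raw: bytes):
    """Walk the unsigned tx just far enough to learn how many input/output maps follow it."""
    n_in, pos = read_varint(raw, 4)
    for _ in range(n_in):
        script_len, pos = read_varint(raw, pos + 36)  # skip outpoint, read scriptSig length
        pos += script_len + 4                          # skip scriptSig and sequence
    n_out, _ = read_varint(raw, pos)
    return n_in, n_out


def encode_map(pairs) -> bytes:
    """pairs: iterable of (keytype, keydata, value); a 0x00 byte terminates each map."""
    raw = b""
    for ktype, kdata, value in pairs:
        key = bytes([ktype]) + kdata
        raw += varint(len(key)) + key + varint(len(value)) + value
    return raw + b"\x00"


def decode_map(buf: bytes, pos: int):
    pairs = {}
    while buf[pos] != 0x00:
        klen, pos = read_varint(buf, pos)
        key = (buf[pos], bytes(buf[pos + 1:pos + klen]))
        pos += klen
        vlen, pos = read_varint(buf, pos)
        if key in pairs:  # BIP 174: a duplicate key makes the whole PSBT invalid
            raise ValueError(f"duplicate key type {key[0]:#x} in map")
        pairs[key] = bytes(buf[pos:pos + vlen])
        pos += vlen
    return pairs, pos + 1  # step over the separator


def encode_psbt(tx: dict, input_maps, output_maps) -> bytes:
    raw = PSBT_MAGIC + encode_map([(PSBT_GLOBAL_UNSIGNED_TX, b"", serialize_unsigned_tx(tx))])
    raw += b"".join(encode_map(m) for m in input_maps)
    return raw + b"".join(encode_map(m) for m in output_maps)


def decode_psbt(data: bytes) -> dict:
    if data[:5] != PSBT_MAGIC:
        raise ValueError("not a PSBT")
    glob, pos = decode_map(data, 5)
    n_in, n_out = count_in_out(glob[(PSBT_GLOBAL_UNSIGNED_TX, b"")])
    inputs, outputs = [], []
    for _ in range(n_in):
        m, pos = decode_map(data, pos)
        inputs.append(m)
    for _ in range(n_out):
        m, pos = decode_map(data, pos)
        outputs.append(m)
    if pos != len(data):
        raise ValueError("trailing bytes after the output maps")
    return {"global": glob, "inputs": inputs, "outputs": outputs}


# Constructed sample (txids, hashes and amounts are made up): one P2WPKH input, two outputs.
SAMPLE_TX = {
    "version": 2, "locktime": 0,
    "inputs": [{"txid": bytes.fromhex("11" * 32), "vout": 0, "sequence": 0xFFFFFFFF}],
    "outputs": [{"value": 90_000, "spk": b"\x00\x14" + bytes.fromhex("aa" * 20)},
                {"value": 9_000, "spk": b"\x00\x14" + bytes.fromhex("bb" * 20)}],
}
SAMPLE_INPUT_MAP = [
    (PSBT_IN_WITNESS_UTXO, b"", struct.pack("<q", 100_000) + b"\x16\x00\x14" + bytes.fromhex("cc" * 20)),
    (PSBT_IN_SIGHASH_TYPE, b"", struct.pack("<I", 0x01)),  # SIGHASH_ALL
]


def roundtrip_sighash_type() -> int:
    """Encode the sample PSBT, decode it again and return the sighash type recorded for input 0."""
    decoded = decode_psbt(encode_psbt(SAMPLE_TX, [SAMPLE_INPUT_MAP], [[], []]))
    return struct.unpack("<I", decoded["inputs"][0][(PSBT_IN_SIGHASH_TYPE, b"")])[0]
```

A reviewer can use a decoder like this to confirm, before any signing happens, that every input map carries the UTXO it claims to spend and the sighash type the protocol expects, rather than trusting whatever a counterparty's wallet put in the file.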
A variety of tools and libraries support the creation, manipulation, and signing of PSBTs, facilitating their adoption across different platforms.
Bitcoin Core Commands
Bitcoin Core, the reference implementation of the Bitcoin protocol, provides several commands for working with PSBTs.
Third-Party Libraries and Tools
The rise of protocols like Ordinals, Runes, and BRC-20 tokens has significantly expanded Bitcoin's functionality by enabling tokenized assets and NFTs directly on the Bitcoin blockchain. PSBTs play a crucial role in these developments by allowing precise control over transaction inputs and outputs, which is essential for securely managing and transferring these unique digital assets. PSBTs have also helped improve wallet signing processes, particularly with the integration of hardware wallets and secure signing devices.
The growing interest in Bitcoin DeFi has also accelerated the usage of PSBTs. Developers are leveraging PSBTs to build decentralized exchanges, atomic swap protocols, and collaborative transaction platforms that operate securely and efficiently. By standardizing the process of creating, sharing, and signing transactions involving multiple parties, PSBTs facilitate complex financial operations that were previously difficult to implement securely on the Bitcoin network.
PSBT is used by ordinal marketplaces to facilitate trading Ordinal NFTs. An order transaction utilizing PSBT solutions can be created by a buyer or seller. The creator sends the PSBT file to other participants. After the PSBT file is signed by all participants, it can be finalized and broadcasted to the Bitcoin network.
Why is PSBT Essential in Ordinal Marketplaces?
Ordinals are unique digital assets inscribed on individual satoshis, requiring precise control over transaction inputs and outputs to preserve their integrity. PSBT enables multiple parties, such as buyers and sellers, to collaboratively construct and sign transactions without exposing private keys or compromising security.
Other options, such as raw transactions or custom protocols, are unsuitable because they lack the necessary features and security guarantees. Raw transactions do not support partial signing, so a single transaction creator is always responsible for constructing the entire transaction. Users must then validate the transaction manually, which increases the risk of errors and security vulnerabilities. With custom protocols, users may be forced to use specific wallets provided by the marketplace. This limits accessibility, since users cannot use their preferred wallets, and reduces interoperability, since marketplace-specific wallets may not be compatible with other platforms or services. In addition, some marketplaces employ centralized escrow services to facilitate trades, which introduces counterparty risk: users must trust the escrow agent to handle funds appropriately.
The following is a typical PSBT workflow for marketplace trading, illustrated with an example based on msigner, where a sell order is created through the following steps:
PSBTs simplify the workflow in multisig setups by standardizing the signing process. They enable multiple parties to contribute inputs and agree on outputs.
PSBTs are crucial for enabling atomic swaps and trustless exchanges between different blockchains. By constructing transactions that are only valid under specific conditions, PSBTs facilitate cross-chain swaps without intermediaries. In this process, Hash Time-Locked Contracts (HTLCs) are often used alongside PSBTs to enforce atomicity in the exchange. HTLCs employ cryptographic hash functions and time-based conditions to guarantee a fair transaction. If the required conditions are not satisfied within a predetermined timeframe, the transaction is automatically canceled. This mechanism ensures that both parties either complete the exchange or revert to their original state without any loss. Integrating PSBTs with HTLCs allows users to perform secure cross-chain swaps between Bitcoin and other blockchains, enabling asset exchanges without relying on centralized platforms or trusted third parties.
PSBTs’ unique capabilities enable each input and output in a batched transaction to be signed separately. The use of PSBTs in transaction batching helps reduce transaction fees. By combining multiple transactions into one, users not only save on fees, but also help alleviate congestion on the Bitcoin network.
PSBTs provide a safer and more efficient workflow for offline signing by standardizing how incomplete transactions are represented. Before PSBT, users had to manually handle raw transaction data and perform input and output validations themselves. In multi-party transactions, one participant had to assemble the complete transaction before others could verify it. This approach relied on a trusted third party or required users to carefully verify the transaction. With PSBT, each party can independently add their own inputs and outputs and verify all components without needing an internet connection. This keeps the signing and verification processes offline, which is a significant security benefit for hardware wallets. The standardized PSBT format also ensures compatibility across various hardware wallets, allowing them to interpret and sign transactions seamlessly—even on air-gapped devices.
Despite the advantages offered by PSBTs, they may not be a familiar topic for newcomers eager to launch innovative Bitcoin DeFi solutions. Improper usage can lead to significant security vulnerabilities, resulting in breaches and financial losses.
In the following section, we present case studies of real-world incidents involving PSBT misuse. These examples aim to provide developers with essential insights into safeguarding assets and ensuring the integrity of transactions within the Bitcoin DeFi ecosystem.
The sighash flag dictates the immutability of certain parts of a transaction once it's signed. Using the sighash flag incorrectly can leave a transaction vulnerable to alterations by hackers. Below is an explanation of different sighash flags and their implications.
Real-World Example of Sighash Flag Misuse: Atomicals Market Incident
On November 15, 2023, Atomicals Market experienced a “zero-yuan purchase” incident. Sellers placed an order to sell $ATOM on the market, but it was purchased by a hacker at zero cost. The Atomicals Protocol revealed that the root cause was the usage of the SIGHASH_NONE | ANYONECANPAY sighash by Atomicals Market, leading to the theft of user funds.
The SIGHASH_NONE | ANYONECANPAY flag specifies that only the signer's input is signed and other inputs can be added, while leaving the outputs changeable. This could potentially be exploited by a hacker to alter the destination of the funds after the input has been signed. It's important for users and developers to understand and correctly implement sighash flags to avoid misuses and asset loss.
The seller’s order should be signed with SIGHASH_SINGLE | ANYONECANPAY instead.
With SIGHASH_NONE | ANYONECANPAY, the seller’s signature commits only to the seller’s own input and leaves every output of the transaction mutable. An attacker who obtains the seller’s signature can rebuild the transaction with the payment output set to zero; once that transaction is signed and broadcast, the seller’s token is sold with no payment.
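The difference between the two flags is easiest to see by computing the digest the seller's signature actually covers. The block below is an added example written for this article, not code from Atomicals Market, msigner, or any Bitcoin library: it implements the BIP 143 (segwit v0) sighash algorithm with only the standard library and then models a listing flow in which the seller signs an inscribed P2WPKH input and a payment output, and the buyer later wraps that pair (moved to index 2/2, in the msigner-style layout) with their own dummy inputs, the output receiving the inscription, and change. All txids, key hashes and amounts are constructed. `seller_signature_survives` returns whether the digest the seller signed is unchanged in the buyer's final transaction, i.e. whether the seller's existing signature would still verify over it.

```python
"""BIP 143 sighash digest for a segwit v0 input, used to compare what a seller's
signature commits to under SIGHASH_NONE|ANYONECANPAY and SIGHASH_SINGLE|ANYONECANPAY.
Added example; all identifiers and amounts below are constructed."""
import hashlib
import struct

SIGHASH_ALL, SIGHASH_NONE, SIGHASH_SINGLE, SIGHASH_ANYONECANPAY = 0x01, 0x02, 0x03, 0x80


def dsha256(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


def varint(n: int) -> bytes:
    return bytes([n]) if n < 0xFD else b"\xfd" + struct.pack("<H", n)


def ser_output(o: dict) -> bytes:
    return struct.pack("<q", o["value"]) + varint(len(o["spk"])) + o["spk"]


def bip143_sighash(tx: dict, idx: int, script_code: bytes, amount: int, hash_type: int) -> bytes:
    """Digest that the signature on input `idx` covers, per BIP 143."""
    base, acp = hash_type & 0x1F, bool(hash_type & SIGHASH_ANYONECANPAY)
    ins, outs = tx["inputs"], tx["outputs"]
    # Other inputs (outpoints and sequences) are committed to only without ANYONECANPAY.
    hash_prevouts = bytes(32) if acp else dsha256(
        b"".join(i["txid"] + struct.pack("<I", i["vout"]) for i in ins))
    hash_sequence = bytes(32) if acp or base in (SIGHASH_NONE, SIGHASH_SINGLE) else dsha256(
        b"".join(struct.pack("<I", i["sequence"]) for i in ins))
    # Outputs: ALL commits to every output, SINGLE only to the output at the same index, NONE to none.
    if base not in (SIGHASH_NONE, SIGHASH_SINGLE):
        hash_outputs = dsha256(b"".join(ser_output(o) for o in outs))
    elif base == SIGHASH_SINGLE and idx < len(outs):
        hash_outputs = dsha256(ser_output(outs[idx]))
    else:
        hash_outputs = bytes(32)
    inp = ins[idx]
    preimage = (struct.pack("<i", tx["version"]) + hash_prevouts + hash_sequence
                + inp["txid"] + struct.pack("<I", inp["vout"])
                + varint(len(script_code)) + script_code
                + struct.pack("<q", amount) + struct.pack("<I", inp["sequence"])
                + hash_outputs + struct.pack("<I", tx["locktime"]) + struct.pack("<I", hash_type))
    return dsha256(preimage)


# --- constructed marketplace scenario (no real on-chain data) -------------------------------
SELLER_PKH, BUYER_PKH = bytes.fromhex("aa" * 20), bytes.fromhex("bb" * 20)
P2WPKH_SELLER, P2WPKH_BUYER = b"\x00\x14" + SELLER_PKH, b"\x00\x14" + BUYER_PKH
SELLER_SCRIPT_CODE = b"\x76\xa9\x14" + SELLER_PKH + b"\x88\xac"  # P2WPKH scriptCode per BIP 143
ORDINAL_TXID, DUMMY_TXID, FUNDING_TXID = (bytes.fromhex(h * 32) for h in ("11", "22", "33"))
ORDINAL_VALUE, DUMMY_VALUE, PRICE = 546, 600, 100_000
SEQ = 0xFFFFFFFF


def seller_listing_tx() -> dict:
    """What the seller signs: inscribed UTXO at input 0, payment to the seller at output 0."""
    return {"version": 2, "locktime": 0,
            "inputs": [{"txid": ORDINAL_TXID, "vout": 0, "sequence": SEQ}],
            "outputs": [{"value": PRICE, "spk": P2WPKH_SELLER}]}


def buyer_final_tx(listing: dict, payment_value: int) -> dict:
    """Buyer wraps the seller's input/output pair (now at index 2/2) with two dummy inputs and a
    merged dummy output, so that by ordinal sat ordering the inscribed sat lands in output 1
    (the buyer), and funds the payment output from their own UTXO."""
    return {"version": listing["version"], "locktime": listing["locktime"],
            "inputs": [{"txid": DUMMY_TXID, "vout": 0, "sequence": SEQ},
                       {"txid": DUMMY_TXID, "vout": 1, "sequence": SEQ},
                       listing["inputs"][0],
                       {"txid": FUNDING_TXID, "vout": 0, "sequence": SEQ}],
            "outputs": [{"value": 2 * DUMMY_VALUE, "spk": P2WPKH_BUYER},
                        {"value": ORDINAL_VALUE, "spk": P2WPKH_BUYER},
                        {"value": payment_value, "spk": P2WPKH_SELLER},
                        {"value": 50_000, "spk": P2WPKH_BUYER}]}


def seller_signature_survives(hash_type: int, payment_value: int) -> bool:
    """True when the digest the seller signed over the listing equals the digest of the same
    input inside the buyer's final transaction, i.e. the seller's old signature still verifies."""
    listing = seller_listing_tx()
    signed = bip143_sighash(listing, 0, SELLER_SCRIPT_CODE, ORDINAL_VALUE, hash_type)
    final_tx = buyer_final_tx(listing, payment_value)
    return signed == bip143_sighash(final_tx, 2, SELLER_SCRIPT_CODE, ORDINAL_VALUE, hash_type)


if __name__ == "__main__":
    single_acp = SIGHASH_SINGLE | SIGHASH_ANYONECANPAY
    none_acp = SIGHASH_NONE | SIGHASH_ANYONECANPAY
    print("SINGLE|ACP, buyer pays PRICE     :", seller_signature_survives(single_acp, PRICE))  # True
    print("SINGLE|ACP, payment altered to 0 :", seller_signature_survives(single_acp, 0))      # False
    print("NONE|ACP,   payment altered to 0 :", seller_signature_survives(none_acp, 0))        # True
    print("ALL,        buyer pays PRICE     :", seller_signature_survives(SIGHASH_ALL, PRICE)) # False
```

Two things fall out of the digests. Under SIGHASH_NONE | ANYONECANPAY the digest is identical whether the payment output is PRICE or 0, so the seller's signature authorizes both; under SIGHASH_SINGLE | ANYONECANPAY any change to the output at the seller's index invalidates it. The SIGHASH_ALL row also shows why the marketplace cannot simply use the default flag: the seller's pre-signed listing would break as soon as the buyer adds their own inputs and outputs.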
Other Potential Attack Vectors
Best Practices for Secure SigHash Flag Usage
Effective UTXO selection is critical for both the security and efficiency of PSBT transactions. Poor UTXO selection can expose users to privacy risks, unnecessarily increase transaction fees, and potentially lead to transaction failure.
When constructing a transaction, the wallet selects UTXOs to fund the transaction outputs and fees. The strategy used in selecting these UTXOs can have significant implications:
Best Practices for UTXO Selection
To mitigate risks associated with poor UTXO selection, the following best practices should be adopted:
Proper handling of ordinals and other tokenized assets is essential to prevent accidental losses or burning. Ordinals, Runes, ARC-20 tokens, and similar protocols enable the representation of non-fungible tokens (NFTs) and other digital assets directly on the Bitcoin blockchain by associating data with individual satoshis. Mismanagement of these assets in PSBT handling can lead to irreversible loss.
Best Practices for Preventing Burning of Ordinal-Based Assets
UTXO Management Strategies for Users
To systematically identify potential security issues in PSBT implementations during audits, we have developed a comprehensive security checklist based on our past experience auditing PSBT projects. This checklist also serves as a practical guide for developers, providing essential insights and best practices for securely utilizing PSBT in Bitcoin DeFi projects.
tapInternalKey when dealing with Taproot addresses to ensure proper spending conditions and enhance privacy features provided by Taproot.
Partially Signed Bitcoin Transactions (PSBT) have been widely used in the Bitcoin ecosystem to enable secure, complex, and collaborative transaction workflows essential for DeFi applications. However, improper usage of PSBTs can introduce serious security vulnerabilities, including transaction malleability and accidental loss of assets.
At CertiK, we leverage our deep technical expertise in PSBT security to help projects tackle the intricate challenges of secure PSBT implementation. Through audits and the development of comprehensive best practices, we equip developers and organizations with the critical knowledge to utilize PSBTs securely and efficiently.
For an in-depth audit of your protocol code or to consult with our team of experienced auditors and security experts, please get in touch with us at CertiK.com.