By virtue of its Proof of Transfer consensus algorithm, Stacks has read access to the Bitcoin blockchain. Clarity smart contracts can thus be triggered by Bitcoin transactions. However, how to use Stacks to write back to Bitcoin has been an open challenge. This document describes a concept that is a possible solution to the Bitcoin Write Problem. It is compiled by the Clarity Lab, a residency that is funded by the Stacks Foundation.

Introduction

There have been various approaches to the problem over the lifetime of Stacks. Most started reasoning from the Stacks side. In our approach, we first looked at Bitcoin to see which existing options could get us what we want. The core desire can be summed up in a single sentence: to have a pool of BTC that is not controlled by any single entity or federation of entities.

But before we dive into it, let us quickly consider how custodial wrapped Bitcoin works. These are tokens that are backed by a custodian that holds native Bitcoin in escrow. They are created when people send their BTC to the custodian, which in turn mints an equal amount of wrapped BTC on the Stacks (or a different) blockchain. The wrapped tokens thus have value only insofar as their redemption for native Bitcoin can be guaranteed by the minting entity. Custodians are undesirable for a multitude of reasons, but we will skip over these in this article for brevity. Can we do away with the custodians and create true noncustodial wrapped Bitcoin (“nBTC”)? Stacks seems perfectly positioned to make it a reality.

Multi-signature Bitcoin

When it comes to Bitcoin, there are really only a few ways to spend BTC. Single-signature wallets are conventional wallets that require a signature from a single private key to move BTC. Next, there are multi-signature solutions. Simple multi-signature setups are n-of-n, which means that in order to spend the BTC, all participants need to sign off on the transaction. Such setups are brittle, as the loss of one private key results in the loss of the BTC. Another downside is that such a setup produces one signature per participant. For a 2-of-2, it means two signatures, and so on. Then there are m-of-n multi-signature wallets. A 3-of-5 wallet will provide a lot more security, although it still produces one signature per participant. This means it cannot realistically be scaled to hundreds of participants.

A third type of wallet, however, has been gaining more traction since Bitcoin’s Taproot upgrade. The operation of this type of wallet is backed by a threshold signature scheme. In such schemes, none of the participants hold a full private key. Instead, they all hold a cryptographic slice, a partial private key if you will. The participants then coordinate and sign off on a particular transaction until a pre-defined threshold is met. Only at that point will the scheme produce a valid signature to move the BTC. What is interesting is that regardless of the number of participants, the scheme will only produce a single key and signature, making it a lot cheaper to process. It also makes the wallet indistinguishable from a single-signature wallet, which protects the participants' privacy and conceals how many of them there are. Threshold signatures are at the core of the nBTC concept found herein.

The Bitcoin train

Combining a threshold signature scheme and the ability of Stacks to verify that Bitcoin transactions have been mined should enable us to create a noncustodial wrapped Bitcoin protocol. A simplified diagram of the concept is provided below.

[Diagram: nbtc-diagram1.svg]

The Bitcoin side

On the Bitcoin side, there will be a chain of threshold signature addresses that hold the BTC currently locked in the protocol. The BTC will be intermittently forwarded to a new address to allow for an open membership scheme. At any point in time, others may join the group of threshold signature participants (the TS-Participants). Additionally, a timelock is used to prevent the Bitcoin from getting stuck in the unlikely case of too many new participants disappearing at once. Once the timelock expires, the previous TS-Participants group can reclaim the BTC and recover the protocol. The structure has been dubbed “Threshold Signature Time-Locked Contract”, or TSTLC for short. Since the Bitcoin is moving along a chain of TSTLCs over time, with BTC being pegged in and out, we refer to it as the “Bitcoin train”.

The Stacks side

The entire state of the protocol is captured in the nBTC Clarity smart contract. It performs the following actions: (1) track active TS-Participants, (2) allow users to join or leave the TS-Participants group, (3) validate peg-in transactions, (4) stage peg-out transactions, (5) generate the next outputs for the Bitcoin train, (6) allow users to punish dishonest or inactive TS-Participants.

TS-Participants of the protocol

The nBTC Clarity smart contract keeps a list of all currently active TS-Participants that anyone can access at any time. Users must register with the protocol to become participants, akin to how a Stacks miner must first register prior to mining. Users may have to post a minimum amount of collateral in order to be admitted to the TS-Participants group. All participants are required to be active and will be punished if they are either dishonest or become inactive. Too many participants becoming inactive at once risks stalling the protocol, forcing everyone to wait for the timelock to kick in. Participants that expect to become inactive should therefore resign and retrieve their collateral.

Pegging in

Users send native Bitcoin to the latest TSTLC address. Once the Bitcoin transaction is mined, it will be submitted to the nBTC Clarity smart contract for verification. The contract will then mint an equal amount of nBTC and award it to the equivalent Stacks address, as every Stacks address has a Bitcoin address and vice versa. (See the “BTC peg-in transaction” on the diagram.)