Custody Bit

A custody bit is a single binary flag (0 or 1) encoded within the nSequence field of a Bitcoin transaction output. This bit does not affect the cryptographic validity of a transaction but signals the intended custody arrangement to wallets and services.

• Bit = 0: Typically denotes self-custody. The private key is held by the user.
• Bit = 1: Typically denotes third-party custody. The private key is held by a service (e.g., an exchange).

The custody bit is a social and tooling convention, not a protocol-enforced rule. The Bitcoin network itself does not validate or act upon this bit; it is purely informational.

• Purpose: Provides a standardized signal for wallets, explorers, and analytics platforms to categorize and display transaction outputs.
• Adoption: Relies on widespread industry adoption to be effective. Major wallets and services must agree to set and read the bit consistently.

The bit is implemented using the most significant bit (bit 31) of the 32-bit nSequence field. This field was originally for transaction replacement (BIP 125) but has repurposed bits for new signaling.

• Setting the Bit: To signal custody, the output's nSequence value must have its 31st bit set to 1 (nSequence | 0x80000000).
• Backwards Compatibility: Using this specific bit preserves the original functionality of nSequence for other purposes, as defined in BIP 68.

The primary utility of the custody bit is to bring transparency to Bitcoin's ownership landscape. It allows on-chain analysis to distinguish between user-held and exchange-held coins.

• Market Analysis: Analysts can track the flow of coins into and out of custodial services, measuring trends like exchange net flows.
• Risk Assessment: Developers can build tools that warn users if they are about to send funds to a custodial address when intending self-custody.

The custody bit is distinct from the scriptPubKey, which is the actual locking script that cryptographically secures the funds.

• scriptPubKey: Defines the spending conditions (e.g., requiring a signature from a specific key). This is enforced by the network.
• Custody Bit: Provides metadata about who likely holds the key satisfying those conditions. This is not enforced by the network.

The specification for the custody bit is detailed in Bitcoin Improvement Proposal (BIP) 345. This BIP formalizes the bit's location, meaning, and intended use to drive industry-wide consistency.

• Goal: To create a common language for signaling custody on-chain without requiring a soft fork.
• Evolution: As a standard, it allows new wallet software and services to reliably interpret the custody state of any transaction output.

A custody bit is a single bit of data (0 or 1) appended to a Bitcoin UTXO's locking script. It acts as a control flag that determines which of two pre-defined spending paths is authorized. This simple mechanism enables complex multi-party agreements and covenants by programmatically restricting how funds can be moved.

• Bit Value (0/1): Typically, a 0 grants spending authority to one party (e.g., a user), while a 1 grants it to another (e.g., a federation or smart contract).
• Script Integration: The bit is checked by the ScriptPubKey using opcodes like OP_CSV (Check Sequence Verify) or OP_CHECKSIG with conditional logic.

The Liquid sidechain uses custody bits to implement its federated peg and confidential assets. In Liquid, the custody bit distinguishes between:

• User-Controlled Outputs (bit = 0): Funds the user can spend freely on the Liquid network.
• Federation-Controlled Outputs (bit = 1): Funds locked by the functionary federation for peg-in/peg-out operations.

This allows the federation to securely manage the pegged Bitcoin in a multi-signature vault while users retain full control of their Liquid-side assets. The system's security relies on the 11-of-15 multi-signature scheme of the federation.

In Discreet Log Contracts (DLCs), custody bits are crucial for enabling non-custodial derivatives. They allow a contract's funds to be allocated based on oracle-attested outcomes.

• Oracle Role: The oracle publishes a signature corresponding to the outcome, which effectively 'sets' the custody bit for the relevant UTXO.
• Conditional Payouts: Contract UTXOs are locked with two spending paths: one for Party A if the bit is 0, and one for Party B if the bit is 1. The oracle's signature authorizes the correct path, executing the contract without revealing its terms on-chain.

A simplified Bitcoin Script using a custody bit might look like this:

OP_IF <Federation_PubKey> OP_CHECKSIG // Path if bit = 1 OP_ELSE <User_PubKey> OP_CHECKSIG // Path if bit = 0 OP_ENDIF

The spending transaction must provide a signature that matches the path determined by the pre-image or condition that sets the bit. This is often combined with OP_CHECKSIGFROMSTACK or OP_CAT in advanced covenants to verify oracle signatures or other data.

Custody bits differ from other Bitcoin control mechanisms:

• vs. Multi-signature (Multisig): A custody bit chooses between discrete spending authorities, while multisig requires M-of-N signatures from a fixed set. Bits enable simpler state transitions.
• vs. Full Covenants: Custody bits are a primitive for building covenants. Full covenants (e.g., using OP_CHECKTEMPLATEVERIFY) can restrict outputs to specific scripts, offering more granular control than a single bit.
• vs. Timelocks: Often used together. A timelock (e.g., OP_CLTV) can delay one spending path, allowing a grace period before the bit-controlled alternative becomes active.

Custody bits are a foundational primitive for Bitcoin scaling and DeFi.

• Drivechains & Sidechains: Proposals like BIP-300 use similar 1-bit consensus to allow miners to vote on moving funds between chains.
• Taproot & Schnorr: Schnorr signatures and Taproot trees (MAST) make custody bit logic more efficient and private by collapsing complex scripts into a single key path.
• Covenant Opcodes: Future opcodes like OP_CTV or OP_VAULT could use custody-bit-like logic to create more powerful and secure self-custody protocols, reducing reliance on federations.

A custody bit is a single bit (0 or 1) encoded within a validator's withdrawal credentials on Ethereum. It signals the entity with ultimate control over the validator's 32 ETH stake. A bit of 0x00 signifies non-custodial or self-custody, where the validator controls its own withdrawal keys. A bit of 0x01 signifies third-party custody, where a staking service or custodian holds the withdrawal keys. This distinction is critical for assessing slashing risk and trust assumptions.

The custody bit directly influences the consequences of a slashing event. For validators with a 0x01 (custodial) bit, slashing penalties are significantly more severe. This is a security-by-design feature to disincentivize centralized staking pools. The protocol imposes higher penalties because the failure of a single custodian could simultaneously slash thousands of dependent validators, posing a systemic risk to the network. Validators with a 0x00 bit face standard penalties, as their failure is considered an isolated event.

A high concentration of validators using the 0x01 custody bit under a single entity creates a centralization risk. Key challenges include:

• Single Point of Failure: A compromise or malicious act by the custodian could affect all linked validators.
• Coordinated Slashing: The protocol's correlated penalty mechanism is designed to punish this scenario, but it remains a network-level risk.
• Reduced Censorship Resistance: A large custodial staker could be compelled to censor transactions or comply with regulatory actions across all its validators.

Choosing a custody bit involves a fundamental security trade-off.

• 0x00 (Self-Custody): Maximizes sovereignty but places the full burden of private key security and offline backup on the validator operator. Loss of the withdrawal keys means permanent loss of the staked ETH.
• 0x01 (Third-Party Custody): Offloads key management complexity to a professional service, reducing individual operational risk but introducing counterparty risk. The validator must fully trust the custodian's security practices, governance, and longevity.

The custody bit is set at validator creation and is immutable for the lifetime of that validator key. It is enforced at the consensus layer protocol level. Validator client software (e.g., Prysm, Lighthouse) must correctly interpret and act upon the bit. A key challenge is ensuring all network participants can reliably and transparently audit the custody status of validators to make informed decisions about network health and risk.

With the advent of Ethereum's Capella upgrade and staking withdrawals, the custody bit's role is embedded within the broader system of withdrawal credentials. While the bit itself is static, the development of distributed validator technology (DVT) and more sophisticated multi-party computation (MPC) solutions aims to create staking setups that offer the security benefits of decentralization without necessarily triggering the punitive 0x01 flag, navigating the trade-offs between security, penalty risk, and operational practicality.