The Cost of Custody: Security Tradeoffs and Fee Dynamics in Bitcoin Covenant Vaults

Abstract

Four Bitcoin Script extension proposals—OP_CTV (BIP-119), OP_VAULT (BIP-345), OP_CCV (BIP-443), and the OP_CAT + OP_CHECKSIGFROMSTACK composition (BIP-347 + BIP-348)— enable self-custody vaults that enforce spending conditions beyond simple signature checks, but no prior work compares them empirically. We build all four vault implementations, run 15 experiments on Bitcoin regtest, and additionally implement Simplicity on Elements regtest as a cross-substrate reference point. We formalise a defender-loss metric L and, threat by threat, characterise how L varies with the fee rate across designs. Two results constrain the design space: (1) a Griefing–Safety Incompatibility (no vault simultaneously achieves permissionless recovery and griefing resistance), and (2) a Structural Decomposition theo- rem (covenant designs decompose along four axes whose values mechanically imply attack- class susceptibility, and no Bitcoin reference vault occupies either of the two non-dominated anchors of the resulting lattice). We measure OP_VAULT and CCV watchtower split- ting capacity (3,427 and 6,172 splits/block respectively), show that defender-side batched recovery—spec-level in BIP-345 §"Batching" and BIP-443 aggregation—approximately dou- bles the dust-threshold fee rate and flips the CCV/OP_VAULT ordering under watchtower exhaustion, and provide the first parameterised attack cost functions across fee environ- ments. Alloy bounded model checking verifies fund conservation, recovery liveness, and no- extraction properties. Simplicity's federated-sidechain threat model is treated separately. The framework, measurements, and formal models are open-source.