Phase 5 — Bitcoin (reduced custody)

Status: Planned.

Every new BTC payment link becomes a 2-of-2 P2WSH multisig (merchant + platform). Pre-signed refund PSBTs. Platform key moves to HSM/MPC. BTC subscriptions remain out of scope until Lightning BOLT12 recurrence matures.

See Bitcoin considerations for the full reasoning.

Scope

P2WSH descriptor template finalized (wsh(multi(2, ...)) v1, MuSig2/Taproot future).
HSM or MPC provider selected for the platform signer.
Merchant xpub onboarding in the dashboard.
Pre-signed refund PSBT generation + encrypted storage.
Co-sign UI for settlement.

Code touched

api/src/withdrawals/services/bitcoin-hot-wallet.service.ts — unilateral key replaced with per-link descriptor derivation.
api/src/withdrawals/services/bitcoin-withdrawal-transfer.service.ts — signs via multisig ceremony.
New: HSM/MPC integration module.
Dashboard: merchant xpub onboarding flow; per-link settlement co-sign UI.

Runtime / UX impact

BTC addresses are multisig; Bech32 format for P2WSH.
Merchants must onboard a BTC signer to use the non-custodial path. A platform-only fallback exists for 30 days during migration.
Payers see a standard BTC address; no change in their flow.
Refund can be broadcast any time by the merchant with one click.

Current limitations

No BTC subscriptions (existing limitation; stays true).
MuSig2 deferred to v2 once tooling is widely audited.
Settlement fee volatility during congestion; CPFP hook available.

Linked blog post

Phase 5: Bitcoin — Taproot 2-of-2 and Honest Scope

Status checklist

Taproot descriptor template finalized
HSM / MPC provider selected
Merchant xpub onboarding shipped
Per-link descriptor derivation + storage
Refund PSBT generation + encrypted storage
Settlement co-sign UI shipped
Runbook for HSM failover and merchant key loss
Canary cohort of merchants on BTC 2-of-2

Scope​

Code touched​

Runtime / UX impact​

Current limitations​

Linked blog post​

Status checklist​