The Trust Model
Rather than asking users to trust operators, Arkade implements technical safeguards that transform “trust the operator” into “verify the operator.” Every layer of the system is designed so that misbehavior produces cryptographic evidence, honest execution can be independently verified, economic incentives punish cheating, and communication between users and the signer remains uncensorable. In normal operation, users interact through the fast collaborative path where the operator cosigns transactions. If anything goes wrong, users fall back to the unilateral exit path that requires no operator involvement at all.
Unilateral Exit
Every VTXO comes with a set of presigned Bitcoin transactions that can be broadcast at any time without requiring cooperation from the operator or anyone else. This is the self-custody guarantee.
How It Works
VTXOs are organized in a virtual transaction tree rooted in a batch output. To exit, a user broadcasts the transactions along their specific path through the tree, from the batch output down to their individual VTXO. Example exit path:
- Batch Output → Virtual Transaction A (first level)
- Virtual Transaction A → Virtual Transaction B (second level)
- Virtual Transaction B → User’s VTXO (final claim)
Exit Costs
Every unilateral exit incurs Bitcoin network fees for each transaction in the path. The deeper a VTXO sits in the tree, the more transactions are required:
- Direct child of batch output: 1 Bitcoin transaction
- Second level: 2 Bitcoin transactions
- Third level: 3 Bitcoin transactions
This cost structure creates natural economic incentives to settle periodically rather than letting exit paths grow indefinitely. Users should balance the convenience of extended offchain activity against the cost of maintaining unilateral exit optionality.
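The exit path and cost model described above, as an added TypeScript example that is not part of Arkade's SDK or documentation. The tree, the virtual sizes of the presigned transactions, the fee rates and the 10% fee-share threshold are constructed assumptions.

```typescript
// Added example, not code from Arkade or its SDK: a minimal model of the
// presigned virtual transaction tree and of what a unilateral exit costs.
// Tx labels, virtual sizes and fee rates are constructed assumptions.

interface VirtualTx {
  id: string;            // label of the presigned transaction (or the batch output)
  parent: string | null; // null only for the batch output, which is already onchain
  vbytes: number;        // assumed virtual size of the presigned transaction
}

// Constructed tree mirroring the page's example path: batch -> A -> B -> VTXO.
// "vtxo-bob" sits one level higher to show how depth changes the exit cost.
const TREE: VirtualTx[] = [
  { id: "batch",      parent: null,    vbytes: 0 },
  { id: "txA",        parent: "batch", vbytes: 150 },
  { id: "txB",        parent: "txA",   vbytes: 150 },
  { id: "vtxo-alice", parent: "txB",   vbytes: 120 },
  { id: "vtxo-bob",   parent: "txA",   vbytes: 120 },
];
const byId = new Map<string, VirtualTx>(TREE.map((t): [string, VirtualTx] => [t.id, t]));

// Walk from the VTXO up to the batch output, then reverse so the result is in
// broadcast order: each presigned tx can only be broadcast once its parent is onchain.
function exitPath(vtxoId: string): string[] {
  const path: string[] = [];
  let cur = byId.get(vtxoId);
  if (!cur) throw new Error(`unknown VTXO ${vtxoId}`);
  while (cur.parent !== null) {
    path.push(cur.id);
    cur = byId.get(cur.parent);
    if (!cur) throw new Error(`broken tree above ${vtxoId}`);
  }
  return path.reverse();
}

// Total network fee (sats) to unroll the whole path at a given fee rate (sat/vB).
function exitCostSats(vtxoId: string, satPerVb: number): number {
  return exitPath(vtxoId).reduce((sum, id) => sum + byId.get(id)!.vbytes * satPerVb, 0);
}

// Wallet-side check behind "settle periodically": flag the VTXO when the fee to
// exit would consume at least `maxFeeShare` of its value at the current fee rate.
function exitUneconomical(vtxoId: string, valueSats: number, satPerVb: number,
                          maxFeeShare = 0.1): boolean {
  return exitCostSats(vtxoId, satPerVb) >= valueSats * maxFeeShare;
}
```

Running the same check at a higher assumed fee rate shows how a mass-exit fee spike pushes small VTXOs over the threshold first.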
Security Stack
Three mechanisms work together to constrain operator behavior and protect users.
Arkade Signer
The Arkade Signer is an architectural separation that isolates transaction signing authority from operator control. Rather than allowing the operator to directly sign user transactions, signing responsibility is delegated to a separate module that operates under verifiable constraints.
The Signer generates a single signing key required for all VTXO cosigning. This key is protected within a secure hardware environment (TEE) that prevents access even by the operator. Users communicate directly with the Signer through encrypted channels, ensuring that signature requests remain confidential and uncensorable.
This transforms the trust model from relying on operator honesty to relying on cryptographic and hardware guarantees that can be independently verified.
Verifiable Execution (TEE)
The Arkade Signer runs inside a Trusted Execution Environment (TEE), an isolated hardware environment that can attest to the software it is running.
The TEE provides several properties:
- Key isolation. The signing key is generated and maintained inside the TEE. It is inaccessible to the operator or any external process.
- Tamper resistance. The isolated environment provides strong guarantees against external interference.
- Remote attestation. Anyone can verify, using open-source software and reproducible builds, that the Signer is running the expected code.
End-to-End Encryption
Communication between users and the Arkade Signer is designed to support end-to-end encryption (E2EE). Even though the operator serves as coordinating infrastructure, E2EE prevents the operator from:
- Seeing what specific transactions are being processed
- Blocking individual transactions based on their content
- Analyzing user behavior patterns
Risks & Limitations
Mass exit scenarios
A mass exit occurs when many users simultaneously attempt to exit, typically triggered by operator infrastructure failures or concerns about operator behavior. Users retain full control over existing VTXOs through presigned exit paths. The challenge: when high exit demand coincides with elevated Bitcoin network fees, exit costs can become prohibitive for smaller VTXO values. Longer transaction chains amplify the problem by requiring more onchain transactions to unroll. The operator faces strong incentives to restore service quickly (lost fee revenue), and the modular architecture may enable migration to alternative infrastructure.
Signer compromise
If the Arkade Signer’s cryptographic keys are breached through software vulnerabilities, infrastructure attacks, or other security failures, a malicious actor could sign conflicting ownership claims for the same VTXOs. Detection occurs through remote attestation failures and cryptographic evidence of conflicting signatures. The operator is expected to halt the system immediately. Users should stop creating new VTXOs and prepare for emergency exits. TEE compromise is the most critical failure mode: unlike operator downtime (which affects availability), key compromise enables double-signing attacks that create irreconcilable ownership disputes. The TEE’s hardware isolation makes this difficult to execute, but it remains a theoretical risk.
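The two detection signals named above (attestation failure and conflicting cosignatures on one VTXO), as an added TypeScript watcher example that is not Arkade's code. The expected measurement, the Signer key, the record shapes and the sample records are constructed assumptions; a real verifier would additionally validate the TEE vendor's signature over the attestation report.

```typescript
// Added example, not Arkade's code: watcher-side checks for the two compromise
// signals the page names. Expected values and sample records are constructed.
interface Attestation {
  measurement: string;  // hash of the enclave image reported by the TEE
  signerPubkey: string; // cosigning key the enclave reports holding
}
interface CosignedSpend {
  vtxo: string;         // outpoint of the VTXO being spent, "txid:vout"
  spendingTx: string;   // transaction carrying the Signer's cosignature
  signerPubkey: string; // key the cosignature verified against
}
// Constructed: measurement of the reproducible build and the published Signer key.
const EXPECTED_MEASUREMENT = "mrenclave-constructed-0001";
const EXPECTED_SIGNER_KEY = "signer-pubkey-constructed";

// Attestation failure: unexpected code, or a key not bound to the attested code.
function attestationAlerts(att: Attestation): string[] {
  const alerts: string[] = [];
  if (att.measurement !== EXPECTED_MEASUREMENT)
    alerts.push(`attestation: measurement ${att.measurement} != expected build`);
  if (att.signerPubkey !== EXPECTED_SIGNER_KEY)
    alerts.push(`attestation: key ${att.signerPubkey} is not the published Signer key`);
  return alerts;
}

// Conflicting ownership claims: one VTXO cosigned by the Signer key into two
// different spending transactions.
function doubleSignAlerts(spends: CosignedSpend[]): string[] {
  const txsByVtxo = new Map<string, Set<string>>();
  for (const s of spends) {
    if (s.signerPubkey !== EXPECTED_SIGNER_KEY) continue; // not the Signer's signature
    const txs = txsByVtxo.get(s.vtxo) ?? new Set<string>();
    txs.add(s.spendingTx);
    txsByVtxo.set(s.vtxo, txs);
  }
  const alerts: string[] = [];
  txsByVtxo.forEach((txs, vtxo) => {
    if (txs.size > 1) alerts.push(`double-sign: ${vtxo} -> ${Array.from(txs).sort().join(", ")}`);
  });
  return alerts;
}

// Either signal is grounds to halt: stop creating VTXOs and prepare to exit.
function shouldHalt(att: Attestation, spends: CosignedSpend[]): boolean {
  return attestationAlerts(att).length > 0 || doubleSignAlerts(spends).length > 0;
}

// Constructed sample: VTXO aaaa:0 carries two Signer cosignatures.
const SAMPLE_SPENDS: CosignedSpend[] = [
  { vtxo: "aaaa:0", spendingTx: "tx1", signerPubkey: EXPECTED_SIGNER_KEY },
  { vtxo: "bbbb:1", spendingTx: "tx2", signerPubkey: EXPECTED_SIGNER_KEY },
  { vtxo: "aaaa:0", spendingTx: "tx3", signerPubkey: EXPECTED_SIGNER_KEY },
];
```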