Partially Signed Bitcoin Transactions (PSBT) have gained significant traction within the Bitcoin ecosystem, according to an update from CertiK.
CertiK noted in a report that the rise of innovations like Ordinals and inscription-based assets has driven demand for “secure, multi-party signatures and complex transactions, positioning PSBT as an indispensable tool for navigating Bitcoin’s evolving landscape.”
At CertiK, they are focused on advancing the security and integrity of PSBT usage.
They have conducted audits and penetration tests on projects such as UniSat Wallet Extension, SwapSats, and Trac’s Tap Protocol, which heavily utilize PSBT for facilitating “complex transaction workflows.”
Through CertiK’s in-depth analyses, they have identified vulnerabilities related to PSBT implementation and provided “actionable recommendations to enhance their security posture.”
They have shared their extensive research and insights into PSBT, delving into its components, applications in Bitcoin DeFi, and the “security risks associated with improper usage.”
They aim to highlight best practices for secure PSBT implementation and contribute to the ongoing “efforts to strengthen Bitcoin ecosystem security.”
Since its inception, the Bitcoin network has evolved to address increasing demands for “security, efficiency, and scalability.”
CertiK further noted that among the most notable advancements during this journey is the development of Partially Signed Bitcoin Transactions (PSBT), a transformative “innovation in transaction management.”
Defined in Bitcoin Improvement Proposal 174 (BIP 174), PSBTs standardize the workflow for creating, sharing, and “signing Bitcoin transactions, especially in multi-party or multi-device contexts.”
CertiK pointed out that prior to the introduction of PSBT in 2017, coordinating complex transactions “that required multiple signatures or involved multiple parties was difficult and fraught with security risks.”
CertiK also mentioned that wallet software often used proprietary formats for partially signed transactions, “leading to incompatibilities between different wallets and platforms.”
CertiK further noted that the introduction of BIP-174 addressed these issues by proposing “a universal format for PSBTs.”
According to the update from CertiK, this standardization allowed different wallet software and hardware devices “to communicate seamlessly, facilitating the collaborative creation and signing of multi-party transactions.”
In 2023, Ordinals—a protocol that assigns serial numbers to individual satoshis and allows users to attach extra data to them—brought “renewed focus to PSBTs.”
CertiK further explained that Ordinals enable the creation of non-fungible tokens (NFTs) and other unique digital assets such as BRC-20 “directly on the Bitcoin blockchain by inscribing data onto individual satoshis.”
Certik added that managing these assets requires “precise control over transaction inputs and outputs, as well as the ability to handle complex scripts and signatures, which PSBTs are well-equipped to handle.”
Certik also noted in a blog post that as a result, PSBT technology experienced a revival last year, and has “been widely applied in applications across the Bitcoin ecosystem.”
PSBTs enable the creation, sharing, and “signing of Bitcoin transactions in a standardized and secure manner, especially when multiple parties are involved.”
The initiator constructs an unsigned transaction by “selecting the necessary inputs and outputs, which is then converted into PSBT format.”
As noted by CertiK, this PSBT, which contains all required transaction details but “no signatures, is securely distributed to the relevant parties.”
Each participant independently reviews the PSBT to “verify that the inputs, outputs, amounts, and addresses align with their intentions, ensuring the accuracy and validity of the transaction details.”
Participants then add their partial signatures to the PSBT for the inputs they control, “without exposing private keys.”
After signing, they may verify the partial signatures “added by others to ensure their validity and accuracy.”
As explained in the update from CertiK, this collaborative “process may require multiple iterations of signature contributions and verifications until all required signatures have been added.”
The PSBT is then returned to the transaction initiator or coordinator, who checks that “all necessary signatures are present.”
Once all signatures are collected and verified, the PSBT is “finalized by replacing the partial signatures and scripts with the final input scripts (scriptSig and scriptWitness), creating a fully signed transaction ready for broadcasting.”
The finalized transaction is then “broadcasted to the Bitcoin network for confirmation and execution. Once the transaction is confirmed and included in the blockchain, the Bitcoin ledger is updated to reflect the transaction’s inputs and outputs.”
Partially Signed Bitcoin Transactions (PSBT) have been widely used in the Bitcoin ecosystem to “enable secure, complex, and collaborative transaction workflows essential for DeFi applications.”
But Certik also stated that “improper usage of PSBTs can introduce serious security vulnerabilities, including transaction malleability and accidental loss of assets.”
At CertiK, they claim to leverage their deep technical expertise in PSBT security to help projects “tackle the intricate challenges of secure PSBT implementation.”
Through audits and the development of comprehensive best practices, CertiK equip developers and organizations with the “critical knowledge to utilize PSBTs securely and efficiently.”