Chapter 30

Covenant Proposals

Programmable Spending Restrictions

A covenant is a spending condition that restricts not just who can spend, but how the funds can be spent—constraining future transactions. This chapter examines the major covenant proposals under discussion: OP_CHECKTEMPLATEVERIFY (CTV), OP_CAT, OP_VAULT, and others. We analyze their technical mechanisms, use cases, and the tradeoffs that make covenant design contentious. The Layer 2 protocols of Chapter 32 are the principal intended applications: covenants are what those designs would buy.

30.1 What Are Covenants?

Definition 30.1 (Covenant)

A covenant is a script mechanism that constrains how an output can be spent beyond simple authorization. Specifically, it can restrict:

  • What outputs the spending transaction must create
  • What other inputs must be included
  • Transaction-level properties (locktime, version, etc.)

Definition 30.2 (Introspection)

Introspection is the ability of a script to examine properties of its containing transaction. Covenants require some form of introspection to constrain spending.

Traditional Script Constrains: WHO can spend (signature check) Covenant Script Constrains: WHO + HOW (spending conditions) "Alice can spend" "Alice can spend, but only to Bob or Carol" +Covenant
Figure 30.1: Covenants add HOW constraints to the traditional WHO authorization.

Remark 30.1 (Why Bitcoin Lacks Covenants)

Bitcoin Script currently has no introspection opcodes. A script cannot examine:

  • The outputs of the spending transaction
  • Other inputs being spent
  • Transaction metadata beyond the current input

The opcodes that would permit introspection were disabled in 2010 after vulnerabilities were found; Bitcoin Script has remained without introspection since.

30.2 OP_CHECKTEMPLATEVERIFY (CTV)

CTV (BIP-119) commits to a fixed transaction template; of the proposals surveyed here it adds the smallest amount of new script machinery, and its proponents describe it as the most conservative option (Remark 30.2).

Definition 30.3 (OP_CHECKTEMPLATEVERIFY)

OP_CTV takes a 32-byte hash from the stack and verifies that it matches a commitment to the spending transaction's:

  • nVersion
  • nLockTime
  • scriptSig hash (if any scriptSig is non-empty)
  • Number of inputs
  • Sequences hash
  • Number of outputs
  • Outputs hash
  • Input index (which input is being spent)

Definition 30.4 (CTV Template Hash)

The template hash is computed as: 

DefaultCheckTemplateVerifyHash(tx, input_index):
    return SHA256(
        nVersion ||
        nLockTime ||
        SHA256(scriptSigs) ||      // if any
        input_count ||
        SHA256(sequences) ||
        output_count ||
        SHA256(outputs) ||
        input_index
    )
CTV Output <hash> OP_CTV spend Spending Transaction nVersion ✓ nLockTime ✓ Outputs (hash committed) ✓ Input count ✓ Sequences ✓ Inputs (NOT) CTV constrains outputs but NOT which inputs fund the tx → Input count IS committed; fee bumping uses CPFP or a pre-committed input slot
Figure 30.2: CTV commits to most transaction fields except which inputs fund it.

30.2.1 CTV Use Cases

Example 30.1 (Congestion Control / Payment Batching)

An exchange wants to batch withdrawals but fees spike. With CTV:

  1. Create single output: CTV(hash of batch expansion)
  2. Commit to a tree of future transactions
  3. Users can later expand their branch when fees drop
  4. Exchange's commitment is on-chain immediately
CTV Root CTV CTV Alice Bob Carol Dave Eve
Figure 30.3: CTV enables tree-structured withdrawal batching.

Example 30.2 (Simple Vault)

A basic vault with CTV: 

Vault Output (CTV-only; no key can spend it directly):
  <ctv_hash> CTV               // Can only go to the staged withdrawal

Staged Withdrawal Output:
  IF
    <delay> CSV DROP
    <hot_key> CHECKSIG         // Withdrawal: hot key, after the delay
  ELSE
    <ctv_to_cold_hash> CTV     // Clawback to cold storage: immediate
  ENDIF

A thief who steals the hot key must wait out the CSV delay,
during which the owner claws the funds back to cold storage.

30.2.2 CTV Controversy

Remark 30.2 (CTV Debate)

CTV has been controversial despite its simplicity:

Proponents—including BIP-119's author and, by 2025, a substantial list of developers urging activation alongside CSFS—argue that CTV is the most-reviewed covenant primitive ever proposed, that vaults address theft losses users suffer today, and that indefinite delay is itself a choice with costs. Opponents counter that no consensus change should activate without demonstrated demand from production systems, that the 2022 activation attempt tried to short-circuit the consensus process of Chapter 33, and that committing to a limited primitive now may foreclose a better general design later. (Critics sometimes add that even limited covenants begin a path toward MEV-like extraction; proponents respond that CTV's fixed, non-recursive templates leave nothing to extract—the expressivity concern belongs to general introspection, Remark 30.3.) Beneath the specific proposals lies the meta-debate of Remark 33.4: whether the difficulty of activating any covenant is a failure of governance or its proper functioning.

30.3 OP_CAT

OP_CAT (concatenation) was disabled in 2010, but proposals to re-enable it have gained support.

Definition 30.5 (OP_CAT)

OP_CAT concatenates two stack elements: 

Stack before: [x] [y]
OP_CAT
Stack after:  [x || y]

BIP-347 proposes re-enabling CAT in Tapscript with a 520-byte limit.

Proposition 30.1 (CAT Enables Covenants)

OP_CAT combined with Schnorr signatures enables introspection through on-stack sighash construction—the "Schnorr trick" (Poelstra, "CAT and Schnorr Tricks", 2021):

  1. Schnorr signature: (R, s) where s = k + H(R||P||m)·d, with the nonce fixed to R = G so s is predictable from m
  2. Script assembles the claimed sighash components from witness data using CAT
  3. The assembled signature is passed to CHECKSIG, which only succeeds if the claimed message equals the transaction's true sighash
  4. Equality forces the witness-supplied components to describe the real transaction—so the script has verified properties of it

Example 30.3 (CAT-based Vault)

Using CAT to verify transaction outputs: 

// Conceptual (simplified)
<expected_output_script>
<actual_output_from_witness>
OP_EQUAL                        // Verify output matches
OP_VERIFY

// Then verify the sighash includes this output
<sig_components...>
OP_CAT OP_CAT ...               // Reconstruct sighash
<signature>
<pubkey>
OP_CHECKSIG

Remark 30.3 (CAT Power and Concerns)

OP_CAT, despite its two-line semantics, suffices for:

  • Enables: Covenants, validity proofs, Lamport signatures
  • Recursive covenants: Potentially possible with CAT
  • Script complexity: CAT-based covenants are complex
  • Audit difficulty: Harder to reason about than CTV
  • MEV and expressivity: Critics argue that general introspection imports the miner-extractable-value dynamics of expressive chains and could be used to build transferable restrictions on coins; proponents respond that the same restrictions are already constructible off-chain and that opt-in scripts cannot encumber anyone else's coins

30.4 OP_VAULT (BIP-345)

OP_VAULT is a purpose-built opcode for secure custody.

Example 30.4 (OP_VAULT)

OP_VAULT (BIP-345) creates a two-stage withdrawal process:

  • Trigger: Initiates withdrawal, starts timelock
  • Recovery: Can cancel during timelock period
  • Complete: After timelock, funds go to destination
Vault UTXO trigger Triggered timelock: 24h recover Back to Vault complete Destination (withdrawal) emergency t=0 timelock complete
Figure 30.4: OP_VAULT lifecycle with trigger, recovery, and completion paths.

Example 30.5 (OP_VAULT Opcodes)

BIP-345 introduces two new opcodes:

  • OP_VAULT: Creates vault with recovery and trigger paths
  • OP_VAULT_RECOVER: Specialized for recovery spending

Remark 30.4 (Vault Security Properties)

OP_VAULT provides security guarantees, under two assumptions: the owner or a delegate monitors the chain within the timelock window, and the recovery key remains uncompromised. Given these:

  1. Theft prevention: Attacker with trigger key cannot steal immediately
  2. Recovery window: Owner has timelock period to react
  3. Emergency recovery: Recovery key bypasses normal flow
  4. No key rotation: Recovery works even if the trigger key is compromised

30.5 Other Covenant Proposals

30.5.1 SIGHASH_ANYPREVOUT (BIP-118)

Definition 30.6 (ANYPREVOUT)

SIGHASH_ANYPREVOUT creates signatures that do not commit to specific inputs:

  • Signature valid for any UTXO with matching script
  • Enables "floating" transactions
  • Primary use: LN-Symmetry (Eltoo) protocol

30.5.2 OP_TXHASH / OP_CHECKTXHASHVERIFY

Definition 30.7 (TXHASH)

OP_TXHASH provides flexible transaction introspection:

  • Field selector specifies which parts to hash
  • More flexible than CTV's fixed commitment
  • Can commit to outputs only, inputs only, or various combinations

30.5.3 OP_CHECKSIGFROMSTACK

Definition 30.8 (CSFS)

OP_CHECKSIGFROMSTACK verifies a signature against arbitrary data (not the transaction sighash): 

Stack before (top → bottom): [pubkey] [message] [signature]
OP_CHECKSIGFROMSTACK
Stack after:  valid signature     → [1]
              empty signature     → [0]
              invalid (non-empty) → script fails

Enables oracles, delegation, and complex covenant constructions.

30.5.4 Comparison Table

Statuses as of mid-2026.

Proposal Complexity Power Status
CTV (BIP-119) Low Limited covenants Draft, stalled
CAT (BIP-347) Low opcode, high usage General covenants Complete (spec)
VAULT (BIP-345) Medium Custody-specific Closed (no longer pursued)
APO (BIP-118) Low LN-Symmetry Draft
TXHASH (BIP-346) Medium Flexible covenants Draft
CSFS (BIP-348) Low Oracles, delegation Draft

30.6 Recursive Covenants and Concerns

Definition 30.9 (Recursive Covenant)

A recursive covenant can enforce that outputs must themselves be encumbered by the same (or similar) covenant:

spend(covenant) → outputs must have covenant

This creates perpetual spending restrictions.

Remark 30.5 (Recursive Covenant Implications)

Recursive covenants enable:

  • Positive: Perpetual vaults, on-chain governance, colored coins
  • Concerning: "Tainted" coins, censorship infrastructure

Remark 30.6 (The Fungibility Debate)

A key concern about recursive covenants:

  • Could governments mandate covenants on regulated coins?
  • Would "covenant-free" coins trade at a premium?
  • Does this threaten Bitcoin's fungibility?

Counter-arguments:

  • Coerced covenant adoption is already possible via regulation
  • Covenants are opt-in; users choose to use them
  • Benefits (vaults, scaling) may outweigh risks

30.7 Covenant Applications

Example 30.6 (Summary of Applications)

Application Minimum Requirement Benefit
Vaults CTV or VAULT Custody security
Congestion control CTV Fee smoothing
Channel factories CTV + APO LN scaling
LN-Symmetry APO Simpler channels
DLCs CTV or CSFS Efficient oracles
Validity rollups CAT + more L2 scaling

Exercises

Exercise 30.1

Design a CTV-based "dead man's switch" that automatically sends funds to heirs if not renewed annually. What are the limitations?

Exercise 30.2

Explain how OP_CAT + CHECKSIG can verify that a spending transaction has specific outputs. What stack manipulations are required?

Exercise 30.3

Compare the on-chain footprint of a 3-of-5 multisig vault using: (a) Current Taproot/MuSig, (b) OP_VAULT, (c) CTV-based vault.

Exercise 30.4

Analyze the fungibility implications of recursive covenants. Could a government effectively "mark" Bitcoin with spending restrictions? What would users do in response?

Exercise 30.5

SIGHASH_ANYPREVOUT enables "floating" transactions. Design an attack scenario where this could be dangerous, and explain how the proposed restrictions in BIP-118 mitigate it.