arxiv: 2408.01896 · v5 · pith:IEF3T5GRnew · submitted 2024-08-04 · 💻 cs.CR

Bitcoin Staking

Pith reviewed 2026-05-23 22:22 UTC · model grok-4.3

classification 💻 cs.CR
keywords: Bitcoin staking · Proof-of-Stake security · slashing · double-authentication-preventing signatures · finality gadgets · bi-directional timestamping · merge mining alternative · security sharing

The pith

Bitcoin holders can trustlessly stake their coins to secure any Proof-of-Stake chain through automatic slashing enforced on the Bitcoin ledger.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces a modular protocol that lets Bitcoin owners lend their idle holdings to protect PoS networks without requiring trust or changes to Bitcoin itself. The design solves the core problem of slashing misbehaving validators by linking safety violations on the PoS side to enforceable penalties on the Bitcoin side. It relies on double-authentication-preventing signatures, finality gadgets, and bi-directional timestamping to create this linkage. A live deployment on the Babylon network has already attracted over 58,000 bitcoins in stake at an annual reward cost of only 0.05 percent, roughly two orders of magnitude cheaper than native-token security. The approach can be added to existing PoS chains without altering their core rules.

Core claim

Bitcoin staking enables holders to secure PoS chains by committing their bitcoins on the Bitcoin ledger such that any safety violation detected by the PoS finality gadget triggers automatic slashing of the corresponding Bitcoin stake through double-authentication-preventing signatures and bi-directional timestamping.

What carries the argument

Double-authentication-preventing signatures together with finality gadgets and bi-directional timestamping, which together allow PoS safety violations to produce verifiable slashing transactions on Bitcoin.
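
Added example (not from the paper or the Pith review): a toy Schnorr-style signature over secp256k1 in which the nonce is fixed per block height, so two valid signatures on different payloads at the same height reveal the signing key. That is the property a double-authentication-preventing signature contributes to slashing. The construction, the function names and the sample key and payloads are assumptions for illustration; the page does not specify the paper's concrete scheme.

```python
import hashlib

# secp256k1 domain parameters (the curve Bitcoin uses).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication (toy code, not constant time)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def h(*parts):
    """Hash byte strings to a scalar mod N."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N

def enc(pt):
    """Fixed-length encoding of a curve point."""
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def challenge(R, pk, height, payload):
    return h(enc(R), enc(pk), height.to_bytes(8, "big"), payload)

def sign(sk, height, payload):
    # Assumption: one nonce per height (the DAPS "address"), derived from sk.
    k = h(b"nonce", sk.to_bytes(32, "big"), height.to_bytes(8, "big")) or 1
    R = mul(k, G)
    return R, (k + challenge(R, mul(sk, G), height, payload) * sk) % N

def verify(pk, height, payload, sig):
    R, s = sig
    return mul(s, G) == add(R, mul(challenge(R, pk, height, payload), pk))

def extract(pk, height, p1, sig1, p2, sig2):
    """Recover sk from two valid same-height signatures on different payloads."""
    if p1 == p2 or sig1[0] != sig2[0]:
        return None
    if not (verify(pk, height, p1, sig1) and verify(pk, height, p2, sig2)):
        return None
    e1 = challenge(sig1[0], pk, height, p1)
    e2 = challenge(sig2[0], pk, height, p2)
    if e1 == e2:
        return None
    sk = (sig1[1] - sig2[1]) * pow((e1 - e2) % N, -1, N) % N
    return sk if mul(sk, G) == pk else None

def demo():
    sk = h(b"constructed-validator-key")   # constructed sample key
    pk = mul(sk, G)
    a = sign(sk, 100, b"block-A")          # vote at height 100
    b = sign(sk, 100, b"block-B")          # conflicting vote, same height
    c = sign(sk, 101, b"block-C")          # honest vote at the next height
    return sk, pk, a, b, c
```

`extract` returns `None` for votes at different heights, so a validator that signs once per height never exposes its key.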

If this is right

  • Any existing PoS chain can add Bitcoin-backed security without modifying its own consensus or token economics.
  • Stakers earn rewards while the same capital secures the network at a cost two orders of magnitude lower than native-token staking.
  • The protocol remains fully modular, allowing independent upgrades to the PoS finality gadget or the Bitcoin-side slashing logic.
  • Bitcoin capital that would otherwise sit idle can now provide economic security to multiple chains simultaneously.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Multiple PoS chains could eventually share overlapping Bitcoin stake pools, concentrating security capital rather than fragmenting it across native tokens.
  • The low reward rate observed in the Babylon deployment suggests that future chains may compete on security cost rather than on native-token inflation rates.
  • If timestamping reliability holds across many chains, Bitcoin could evolve from a settlement layer into a reusable security collateral market.

Load-bearing premise

Reliable bi-directional timestamping and finality gadgets can be built between Bitcoin and the PoS chain without creating new attack surfaces or requiring any change to Bitcoin consensus rules.

What would settle it

A documented safety violation on the secured PoS chain that produces no corresponding slashed Bitcoin transaction despite correct implementation of the timestamping and signature mechanisms.

Figures

Figures reproduced from arXiv: 2408.01896 by David Tse, Ertem Nusret Tas, Lei Yang, Mingchao Yu, Orfeas Stefanos Thyfronitis Litos, Robin Linus Woll, Xinshu Dong.

Figure 1: Nakamoto’s first post on the Bitcoin Forum about merge mining.
Figure 2: Remote staking protocol. Validators lock their stake
Figure 3: Staking market capitalizations of the top
Figure 4: Illustration of the data availability attack and the safe-stop rule 1 (
Figure 5: Illustration of the escaping stake attacks and the block output rules (
Figure 6: Illustration of the mismatched timestamp attack and the safe-stop rule 2 (

Original abstract

The idea of security sharing goes back to Nakamoto's introduction of merge mining, a technique that enables Bitcoin miners to reuse their hash power to bootstrap and secure other Proof-of-Work (PoW) blockchains. However, with the rise of Proof-of-Stake (PoS) chains, there is a need for new methods of Bitcoin security sharing. We introduce Bitcoin staking, a protocol that allows Bitcoin holders to trustlessly use their idle asset to secure a PoS chain. The key challenge is to enable automatic slashing of bitcoins on the Bitcoin chain upon safety violations on the PoS chain. We achieve this using double-authentication-preventing signatures, finality gadgets and bi-directional timestamping between Bitcoin and the PoS chain. Our design is entirely modular and can be integrated with any PoS chain. A version of this protocol was deployed to secure the Babylon mainnet in April 2025 and currently has over 58,000 bitcoins staked (about 4 billion USD at current prices) while paying only 0.05% APR reward to the stakers. This is 2 orders of magnitude cheaper security cost than in PoS chains secured by their native token.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper proposes Bitcoin staking, a modular protocol allowing Bitcoin holders to trustlessly secure any PoS chain via double-authentication-preventing signatures (DAPS), finality gadgets, and bi-directional timestamping. The design enables automatic slashing of BTC on Bitcoin upon PoS safety violations without changing Bitcoin consensus rules. A deployed version on the Babylon mainnet has secured over 58,000 BTC (~$4B) at 0.05% APR, claimed to be two orders of magnitude cheaper than native-token PoS security.

Significance. If the security properties and cross-chain linkage hold, the result would enable substantial cost reduction in PoS security by leveraging Bitcoin's economic weight, with the reported real-world deployment providing concrete evidence of practicality and adoption.

major comments (2)
  1. [Design] Design section: the central claim of trustless, automatic BTC slashing upon PoS violations relies on reliable bi-directional timestamping and finality gadgets without Bitcoin consensus changes; however, Bitcoin's reorg behavior and scripting limitations make handling of timestamp manipulation or reorg-induced false negatives/positives non-trivial, and no concrete mechanism or proof is given that these are resolved.
  2. [Security analysis] Security analysis: no formal security model, proofs, or detailed analysis of the slashing enforcement (DAPS + timestamping) is provided despite this being load-bearing for the trustless property; the abstract reports deployment numbers but the soundness of the mechanism cannot be verified from the given details.
minor comments (1)
  1. [Abstract] The abstract and deployment claims would benefit from explicit citation of the exact protocol version deployed and any public audit or code repository.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the detailed and constructive report. We address each major comment below, indicating planned revisions where the manuscript can be strengthened without misrepresenting the current content.

  1. Referee: [Design] Design section: the central claim of trustless, automatic BTC slashing upon PoS violations relies on reliable bi-directional timestamping and finality gadgets without Bitcoin consensus changes; however, Bitcoin's reorg behavior and scripting limitations make handling of timestamp manipulation or reorg-induced false negatives/positives non-trivial, and no concrete mechanism or proof is given that these are resolved.

    Authors: We agree that the design section would benefit from greater explicitness on these points. The protocol relies on the finality gadget to anchor PoS timestamps to Bitcoin blocks and on DAPS to enforce single-use signatures for slashing, with bi-directional timestamping intended to bound reorg windows. In the revised version we will add a dedicated subsection with a concrete description of the reorg-handling logic and timestamp validation rules used in the Babylon implementation, including how false positives are avoided under Bitcoin's scripting constraints. revision: yes

  2. Referee: [Security analysis] Security analysis: no formal security model, proofs, or detailed analysis of the slashing enforcement (DAPS + timestamping) is provided despite this being load-bearing for the trustless property; the abstract reports deployment numbers but the soundness of the mechanism cannot be verified from the given details.

    Authors: The current manuscript presents the protocol design together with empirical evidence from the Babylon mainnet deployment rather than a formal security model. We acknowledge that a formal treatment of the DAPS-plus-timestamping slashing argument would strengthen the trustless claim. In revision we will insert an informal security analysis section that spells out the assumptions and reasoning under which slashing is enforced; a machine-checked proof lies outside the scope of this work. revision: partial

Circularity Check

0 steps flagged

No circularity: protocol design relies on external primitives without self-referential reductions

The paper describes a modular protocol construction for Bitcoin staking that combines double-authentication-preventing signatures, finality gadgets, and bi-directional timestamping. No equations, fitted parameters, or predictions are presented that reduce by construction to the paper's own inputs or self-citations. The design claims modularity and deployability (with an empirical deployment note), but the load-bearing steps invoke standard cryptographic tools and PoS mechanisms as independent building blocks rather than deriving them internally. This is a self-contained engineering proposal against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The design rests on standard cryptographic assumptions for DAP signatures and the existence of finality gadgets on target PoS chains; no free parameters or invented entities are introduced in the abstract.

axioms (2)
  • domain assumption Double-authentication-preventing signatures provide the required slashing enforcement properties
    Invoked as the core mechanism for automatic slashing on Bitcoin upon PoS violations.
  • domain assumption Bi-directional timestamping between Bitcoin and PoS chain can be implemented without new vulnerabilities
    Required for the modular integration claim.

Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Ark: Offchain Transaction Batching in Bitcoin

    cs.DC 2026-05 unverdicted novelty 7.0

    Ark is the first Bitcoin-compatible commit-chain that batches offchain virtual UTXO transactions via an untrusted operator into succinct onchain commitments with constant footprint and simplified deployment.
