
PSBT Format

Technical details about Partially Signed Bitcoin Transactions (PSBTs) used in Theft Shield.

What is a PSBT?

A PSBT (BIP-174) is a standardized format for creating, signing, and finalizing Bitcoin transactions across multiple parties or devices.

Structure

Global Fields

| Key | Description |
| --- | --- |
| PSBT_GLOBAL_UNSIGNED_TX | The unsigned transaction |
| PSBT_GLOBAL_XPUB | Extended public keys |
| PSBT_GLOBAL_VERSION | PSBT version number |

Input Fields

| Key | Description |
| --- | --- |
| PSBT_IN_NON_WITNESS_UTXO | Full previous transaction (legacy) |
| PSBT_IN_WITNESS_UTXO | UTXO being spent (SegWit) |
| PSBT_IN_PARTIAL_SIG | Partial signatures |
| PSBT_IN_SIGHASH_TYPE | Signature hash type |
| PSBT_IN_REDEEM_SCRIPT | Redeem script (P2SH) |
| PSBT_IN_WITNESS_SCRIPT | Witness script (P2WSH) |
| PSBT_IN_BIP32_DERIVATION | Key derivation paths |

Output Fields

| Key | Description |
| --- | --- |
| PSBT_OUT_REDEEM_SCRIPT | Redeem script for output |
| PSBT_OUT_WITNESS_SCRIPT | Witness script for output |
| PSBT_OUT_BIP32_DERIVATION | Derivation for change outputs |

Theft Shield PSBTs

Structure

Vigil's Theft Shield PSBTs include:

PSBT {
  Global:
    - Unsigned transaction spending all monitored UTXOs
    - Version: 2

  Inputs (one per UTXO):
    - Previous output reference
    - Witness UTXO data
    - BIP32 derivation path
    - (Empty partial signatures - to be filled)

  Outputs:
    - Single output to safe address
    - Amount: Total - fee
}

Signing Process

  1. Creator (Vigil) constructs PSBT
  2. Signer (your hardware wallet) adds signatures
  3. Finalizer (Vigil) verifies completeness
  4. Extractor (Vigil) creates broadcastable transaction

Encoding Formats

Base64

Human-readable encoding:

cHNidP8BAHECAAAAAZvDiCVxT73PiMpxKCEHULgJHBkKR5B3/yCaW2VU+...

Binary

Raw PSBT format:

70 73 62 74 ff 01 00 71 02 00 00 00 01 9b c3 88 ...

Hex

Hexadecimal encoding:

70736274ff010071020000...

Validation

Required Checks

Vigil validates PSBTs for:

  1. Signature Completeness
     • All inputs have required signatures
     • Signature types are correct (SIGHASH_ALL)

  2. Output Verification
     • Output address matches safe address
     • Amount calculation is correct

  3. Fee Verification
     • Fee matches expected round budget
     • Fee rate is reasonable

  4. UTXO Coverage
     • All monitored UTXOs are included
     • No unexpected inputs
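
One way to express these checks over the JSON that `bitcoin-cli decodepsbt` prints, as an added example rather than Vigil's own code. The function and parameter names, the single-signature SegWit assumption, and the sample values are assumptions made for illustration; the fee-rate check is left out because it needs a size estimate that this JSON does not carry.

```python
from decimal import Decimal

def sats(btc):
    """BTC amount as printed by decodepsbt (number or string) -> integer satoshis."""
    return int(Decimal(str(btc)) * 100_000_000)

def validate_psbt(decoded, monitored, safe_address, expected_fee_sats):
    """Return a list of policy violations (empty list = PSBT passes).
    Assumes single-signature SegWit inputs and decodepsbt-shaped JSON."""
    errors = []
    vin, vout = decoded["tx"]["vin"], decoded["tx"]["vout"]
    # UTXO coverage: the spent set must equal the monitored set exactly.
    spent = {(i["txid"], i["vout"]) for i in vin}
    if monitored - spent:
        errors.append("monitored UTXO missing from inputs")
    if spent - monitored:
        errors.append("unexpected input")

    # Signature completeness: a signature's last byte is its sighash flag,
    # so every signature must end in 0x01 (SIGHASH_ALL).
    total_in = 0
    for n, inp in enumerate(decoded["inputs"]):
        sigs = inp.get("partial_signatures", {})
        if not sigs:
            errors.append(f"input {n}: no signature")
        if inp.get("sighash", "ALL") != "ALL" or any(not s.endswith("01") for s in sigs.values()):
            errors.append(f"input {n}: sighash is not SIGHASH_ALL")
        total_in += sats(inp["witness_utxo"]["amount"])
    # Output verification: exactly one output, paying the safe address.
    if len(vout) != 1 or vout[0]["scriptPubKey"].get("address") != safe_address:
        errors.append("output is not a single payment to the safe address")

    # Fee: recomputed as inputs minus outputs, then compared to the budget.
    fee = total_in - sum(sats(o["value"]) for o in vout)
    if fee != expected_fee_sats:
        errors.append(f"fee {fee} sat, expected {expected_fee_sats} sat")
    return errors

# Constructed sample (placeholder txids, keys and signatures, not real data).
SAFE = "bc1q-safe-address-placeholder"
UTXOS = {("aa" * 32, 0), ("bb" * 32, 1)}
SIG = "30" + "00" * 70 + "01"  # dummy bytes; only the trailing flag matters here
SAMPLE = {
    "tx": {"vin": [{"txid": "aa" * 32, "vout": 0}, {"txid": "bb" * 32, "vout": 1}],
           "vout": [{"value": "0.00149000", "scriptPubKey": {"address": SAFE}}]},
    "inputs": [{"witness_utxo": {"amount": "0.00100000"}, "partial_signatures": {"02" + "11" * 32: SIG}},
               {"witness_utxo": {"amount": "0.00050000"}, "partial_signatures": {"03" + "22" * 32: SIG}}],
}
print(validate_psbt(SAMPLE, UTXOS, SAFE, 1000))  # → []
```

The fee is recomputed from the input and output amounts instead of being read from a reported field, so a PSBT that moves value into the fee fails the check.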

Common PSBT Operations

Combining PSBTs

Merge multiple partially signed PSBTs:

bitcoin-cli combinepsbt '["psbt1...", "psbt2..."]'

Analyzing PSBT

Inspect PSBT contents:

bitcoin-cli decodepsbt "cHNidP8BAHECAAAAAZvDiCVxT..."

Finalizing PSBT

Convert signed PSBT to transaction:

bitcoin-cli finalizepsbt "cHNidP8BAHECAAAAAZvDiCVxT..."

Security Considerations

What PSBTs Reveal

PSBTs contain:

  • ✅ Transaction structure (inputs, outputs)
  • ✅ Addresses involved
  • ✅ Amounts
  • ✅ Derivation paths (if included)

PSBTs do NOT contain:

  • ❌ Private keys
  • ❌ Seed phrases

PSBT Storage

Vigil stores signed PSBTs securely:

  • Encrypted at rest
  • Access-controlled
  • Regular integrity checks
