Safe Addresses¶
The safe address is where your funds are sent when Theft Shield activates. Choosing the right safe address is critical for effective protection.
What is a Safe Address?¶
A safe address is a Bitcoin address you control that is:
- From a DIFFERENT wallet than the one being protected
- Secured independently from your main wallet
- Ready to receive funds in an emergency
Requirements¶
Technical Requirements¶
| Requirement | Reason |
|---|---|
| Valid Bitcoin address | Must be parseable |
| Same network | Mainnet address for mainnet wallet |
| P2WPKH recommended | bc1q... format is most efficient |
Security Requirements¶
| Requirement | Reason |
|---|---|
| Different seed phrase | If main seed is compromised, safe is still secure |
| Different device | Hardware failure won't affect both |
| You control it | You must be able to spend from it |
Address Types¶
P2WPKH (Recommended)¶
Native SegWit addresses starting with bc1q...
Advantages: - Lowest transaction fees - Most efficient for Theft Shield - Widely supported
Example: bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kxpjzsx
P2SH-P2WPKH¶
Wrapped SegWit addresses starting with 3...
Advantages: - Good compatibility - Reasonable efficiency
Disadvantages: - Slightly larger transactions than P2WPKH
P2TR (Taproot)¶
Taproot addresses starting with bc1p...
Advantages: - Future-proof - Good privacy properties
Considerations: - Ensure your receiving wallet supports Taproot
P2PKH (Legacy)¶
Legacy addresses starting with 1...
Disadvantages: - Largest transaction size - Higher fees
Use only if: Your safe wallet only supports legacy addresses
Safe Address Strategies¶
Strategy 1: Different Hardware Wallet¶
Setup: - Protected wallet: Coldcard with seed A - Safe address: Ledger with seed B
Security: If seed A is compromised, seed B remains secure.
Strategy 2: Multisig Safe¶
Setup: - Protected wallet: Single-sig hardware wallet - Safe address: 2-of-3 multisig
Security: Even if one multisig key is compromised, funds are still protected.
Strategy 3: Geographic Distribution¶
Setup: - Protected wallet: Hardware wallet at home - Safe address: Hardware wallet in bank safe deposit box
Security: Physical security through separation.
Strategy 4: Trusted Third Party¶
Setup: - Protected wallet: Your main wallet - Safe address: Address from trusted family member
Security: Complete independence from your security setup.
Third Party Trust
Only use this if you fully trust the third party. They will have access to the funds once swept.
Choosing Your Safe Address¶
Decision Flowchart¶
Do you have a second hardware wallet?
├── Yes → Use address from second device
│
└── No → Do you have a trusted person?
├── Yes → Use their address (with agreement)
│
└── No → Consider purchasing a second device
or using a well-secured software wallet
What NOT to Use¶
| Bad Choice | Reason |
|---|---|
| Same device address | If device is stolen, attacker has both |
| Same seed address | If seed is compromised, attacker has both |
| Exchange address | Funds may be locked, seized, or lost |
| Unknown address | You must be able to spend the funds |
Configuring Your Safe Address¶
In the Setup Wizard¶
- Navigate to Wallets → [Wallet] → Theft Shield
- Click Enable Theft Shield
- Enter your safe address
- Vigil validates the format
- Continue with setup
Changing Your Safe Address¶
To change your safe address:
- Go to Theft Shield → Settings
- Click Change Safe Address
- Enter new address
- Regenerate all PSBTs (required)
- Sign and upload new PSBTs
PSBT Regeneration Required
Changing your safe address invalidates all existing PSBTs. You must complete the full PSBT regeneration and signing process.
Verification¶
Before Enabling¶
Verify your safe address setup:
- [ ] Address is from a wallet you control
- [ ] You have tested receiving to this address
- [ ] The wallet uses a different seed than your protected wallet
- [ ] You have secure backup of the safe wallet's seed
On Your Hardware Wallet¶
When signing PSBTs, your hardware wallet will display the destination address. Verify it matches your safe address EXACTLY:
Testnet Safe Addresses¶
For testnet wallets, use a testnet safe address:
tb1q...(Native SegWit testnet)2...(P2SH testnet)
Testing
Test your entire Theft Shield setup on testnet before enabling on mainnet. This includes testing the safe address receives funds correctly.
Next: Whitelist →