Revault
- Name: Revault
- URL: https://wizardsardine.com/revault/
- Category: Bitcoin vault architecture / delegated-custody policy wallet / pre-signed transaction and watchtower control stack
- Tags: bitcoin-ecosystem
- Summary: Revault is a Bitcoin vault architecture for delegated spending under stakeholder control. The point is the pre-signed transaction graph: managers can propose spends only through an unvault path that can be canceled, forced into an emergency descriptor, or policed by watchtowers. Useful note because it makes the custody stack legible instead of hiding it inside generic "multisig" branding.
- What it does:
- Keeps deposited bitcoin under an N-of-N stakeholder descriptor while allowing delegated spending workflows for managers through a separate unvault path
- Uses pre-signed transaction sets around each deposit UTXO, including Unvault, Cancel, Emergency, and Unvault Emergency transactions
- Forces manager-controlled spends through an unvault timelock window during which a Cancel or emergency path can revoke the attempt
- Supports watchtower-operated enforcement of unvault policy, spend policy, and emergency-deterrent behavior
- Uses an untrusted coordinator server for routing signatures and state updates between participants and supporting infrastructure
- Optionally adds co-signing servers that sign Spend transactions only once, acting as anti-replay infrastructure so managers cannot swap in a different spend after policy checks
- Offers modular deployment profiles ranging from simpler inactive custody to full-featured active-defense setups
- Key claims:
- The main reusable mechanism is delegated Bitcoin custody through pre-committed transaction graphs, not through threshold signatures or smart-contract programmability. Revault makes policy enforcement happen through pre-signed exits plus monitoring infrastructure.
- Its stakeholder-versus-manager split is the crucial comparison point. Stakeholders retain high-threshold ownership and emergency power, while managers get operational spend ability only inside an unvault-and-delay pipeline.
- The timelocked unvault path is the architecture’s real control surface. Revault’s security story depends on whether watchtowers notice policy violations in time and whether cancellation or emergency transactions are actually available when needed.
- The optional co-signing servers matter because they reveal a second control layer beyond ordinary multisig. Revault needs anti-replay assurance so managers cannot present one spend for approval and later broadcast another.
- The emergency descriptor design is analytically important and double-edged. The architecture presents it as a coercion deterrent because any stakeholder can trigger a move to a harder-to-spend emergency wallet, but the same feature introduces business-continuity and blackmail risk if emergency transactions leak or are abused.
- Revault therefore shifts trust questions away from generic "custodian honesty" and toward infrastructure topology: how many watchtowers exist, who runs them, how coordinator availability affects operations, whether co-signers are used, and how emergency paths are guarded.
- Revault belongs in the active corpus because it exposes a distinctive Bitcoin custody pattern where cold-storage control, operational delegation, monitoring, and emergency response are separate layers that later custody products often collapse into one opaque brand.
- Whitepaper: Revault publishes a detailed architecture/specification PDF and related first-party implementation materials. The strongest reviewed sources for this pass are collected in ../whitepapers/revault-primary-sources-2026-05-13.md, and a local copy of the architecture PDF is saved as ../whitepapers/revault-documentation.pdf.
- Sources:
Internal linkages
Control surface
- Revault is mostly a policy-and-operations note. The leverage is in coordinator control, watchtower coverage, co-signer policy, emergency-path handling, and whether anyone can still react during the unvault delay window.
- That is why the note matters. Revault exposes authority more cleanly than most custody vendors, but it still depends on the boring operator layer actually working when something goes wrong.
- Last reviewed: 2026-05-29 UTC
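
The question raised under Control surface, whether anyone can still react during the unvault delay window, modelled at block-height granularity. This is an added example, not Revault's code or anything from its specification. The watchtower names, latencies, spend-policy fields (`max_sat`, `allowed`), addresses and the rule that a same-block tie goes to the Spend are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Spend:
    dest: str
    amount_sat: int

@dataclass(frozen=True)
class Watchtower:
    name: str
    latency: Optional[int]  # blocks from Unvault confirming to this tower's Cancel confirming; None = offline
    max_sat: int            # hypothetical spend policy: per-spend cap
    allowed: frozenset      # hypothetical spend policy: destination allowlist

    def violates(self, spend: Spend) -> bool:
        return spend.amount_sat > self.max_sat or spend.dest not in self.allowed

def resolve(unvault_height: int, delay: int, spend: Spend, towers) -> dict:
    """Decide how one unvault attempt ends: manager Spend or watchtower Cancel."""
    # Earliest block in which the timelocked manager Spend can confirm.
    spend_height = unvault_height + delay
    # Every online tower that sees a policy violation broadcasts the pre-signed Cancel.
    cancels = [(unvault_height + t.latency, t.name)
               for t in towers if t.latency is not None and t.violates(spend)]
    if cancels:
        height, tower = min(cancels)
        # Modelling assumption: a same-block tie is counted as a win for the Spend.
        if height < spend_height:
            return {"outcome": "canceled", "height": height, "by": tower}
    return {"outcome": "spent", "height": spend_height, "by": "managers"}

# Constructed sample deployment: one fast tower, one offline, one slow.
POLICY = {"max_sat": 5_000_000, "allowed": frozenset({"addr-payroll", "addr-exchange"})}
TOWERS = [Watchtower("wt-a", 3, **POLICY),
          Watchtower("wt-b", None, **POLICY),
          Watchtower("wt-c", 9, **POLICY)]

if __name__ == "__main__":
    bad = Spend("addr-unknown", 1_000_000)
    print(resolve(100, 6, Spend("addr-payroll", 1_000_000), TOWERS))  # within policy
    print(resolve(100, 6, bad, TOWERS))       # fast tower cancels inside the window
    print(resolve(100, 6, bad, TOWERS[1:]))   # only offline and slow towers remain
```

With the fast tower removed, the same out-of-policy spend goes through: the delay only protects funds if at least one tower's reaction time is shorter than the timelock.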