Security Model
Canton Token Standard Compliance
CBTC uses the Canton registry utility and will adopt the universal token standard when viable.
Distributed Infrastructure
CBTC's security foundation rests on a carefully selected network of institutional-grade operators. The system employs 9 pre-screened external node operators (including established providers like P2P and Everstake) alongside 1 BitSafe-operated node.
Each operator maintains over $1 billion in AUM (Assets Under Management), ensuring they have both the technical expertise and financial incentives to maintain system integrity. These operators run both Bitcoin and Canton nodes.
Cryptographic Address Generation
CBTC gives each user a unique Bitcoin deposit address. Each DepositAccount (DA) on Canton maps deterministically to that address through a multi-step cryptographic process involving public key derivation and Taproot script construction.
Two-Stage Derivation Process:
Entropy Generation: The system starts with a fixed unspendable public key as the cryptographic foundation. Each DA's unique identifier undergoes SHA-256 hashing to generate entropy, which then serves as the chain code in the key derivation process. This creates a deterministic extended public key (xpub) that's unique to each deposit account.
Taproot Integration: The derived xpub combines with a fixed single-key script to construct a Taproot output with script-path spending enabled. This results in a valid P2TR (Pay-to-Taproot) Bitcoin address that's fully determined by the DA's identifier and can only be spent using the Attestors' group private key.
Transaction Validation Rules
The system employs strict UTXO selection criteria to prevent double-spending and ensure proper transaction ordering:
For Deposit Processing: A UTXO qualifies for minting only if it received 6 confirmations after the DepositAccount's recorded block_height, ensuring new deposits are processed in chronological order.
For Withdrawal Processing: A UTXO becomes eligible for spending only if it was confirmed with 6 confirmations before or at the DepositAccount's block_height, guaranteeing that only properly secured funds can be withdrawn.
This dual-criteria approach creates a clear separation between "available for withdrawal" and "pending deposit" funds, preventing race conditions and ensuring the integrity of the 1:1 backing mechanism.
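The two eligibility rules above, sketched as an added Python example (not CBTC's own code). It assumes "6 confirmations before/after block_height" refers to the height of the block that supplies the sixth confirmation; the Utxo type, function names and sample heights are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

REQUIRED_CONFIRMATIONS = 6  # threshold stated in both rules


@dataclass(frozen=True)
class Utxo:                      # hypothetical type, not a CBTC structure
    txid: str
    confirmed_height: Optional[int]  # None while unconfirmed (mempool)


def classify(utxo: Utxo, da_block_height: int, tip_height: int) -> str:
    """Return 'withdrawable', 'mintable' or 'pending' for one UTXO.

    Assumed reading of the rules: compare the height of the block that gives
    the UTXO its 6th confirmation with the DepositAccount's block_height.
    """
    if utxo.confirmed_height is None:
        return "pending"
    sixth_conf = utxo.confirmed_height + REQUIRED_CONFIRMATIONS - 1
    if sixth_conf > tip_height:
        return "pending"         # fewer than 6 confirmations so far
    if sixth_conf <= da_block_height:
        return "withdrawable"    # 6 confirmations before or at block_height
    return "mintable"            # 6 confirmations reached after block_height


def partition(utxos, da_block_height: int, tip_height: int) -> dict:
    """Split UTXOs into disjoint buckets; each UTXO lands in exactly one."""
    if da_block_height > tip_height:
        raise ValueError("DepositAccount block_height is ahead of the chain tip")
    buckets = {"withdrawable": [], "mintable": [], "pending": []}
    for u in utxos:
        buckets[classify(u, da_block_height, tip_height)].append(u.txid)
    return buckets


# Constructed sample data: DepositAccount recorded at 840000, chain tip at 840010.
SAMPLE = [
    Utxo("tx-a", 839_990),  # 6th confirmation at 839995
    Utxo("tx-b", 839_995),  # 6th confirmation exactly at 840000 (boundary)
    Utxo("tx-c", 839_996),  # mined before 840000, 6th confirmation at 840001
    Utxo("tx-d", 840_003),  # 6th confirmation at 840008
    Utxo("tx-e", 840_007),  # only 4 confirmations at tip 840010
    Utxo("tx-f", None),     # unconfirmed
]

if __name__ == "__main__":
    print(partition(SAMPLE, da_block_height=840_000, tip_height=840_010))
```

Under this reading tx-c is the case to watch: it was mined before the recorded height but is treated as a new deposit because its sixth confirmation arrived afterwards.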