Every vault, loan, and liquidation is a Bitcoin transaction. No single party can move your BTC. Everything is verifiable on-chain.
Ducat's security model is built on four independent layers, each reducing counterparty risk.
Your BTC sits in a multisig vault: one key is yours, one belongs to the Guardian network. Neither side can move funds alone. The vault is structured as a Taproot tap tree with only two possible outcomes: you repay and redeem, or the vault is liquidated when collateral falls below 135%. There is no third option.
The Guardian network consists of approximately 15 independent nodes using FROST threshold signatures (11-of-15 must agree). Guardians cannot alter transactions or redirect BTC. They can only co-sign spending paths that already exist in Bitcoin Script. Key rotation uses full DKG ceremonies without interrupting vault operations.
Ducat worked with Chainlink to build a custom CRE integration specifically for Bitcoin. Most oracle setups push data to a smart contract. This one works differently: Chainlink signs price attestations off-chain, and the protocol consumes them via hash-lock commitments embedded in Bitcoin OP_RETURN data. The oracle never signs transactions, never manages state, and cannot move funds. Guardians independently verify prices against a secondary feed before co-signing any liquidation.
Anyone can run a Ducat validator. Validators parse Bitcoin data, reconstruct the full protocol state from on-chain OP_RETURN metadata, and produce a deterministic ledger. They have no signing power. They exist only to verify and provide transparency.
Every protocol has trust assumptions. Here are Ducat's, stated plainly.
All vault logic, spending conditions, and redemption paths are enforced by Bitcoin Script. If you trust Bitcoin to settle transactions correctly, the protocol's core guarantees hold.
Guardians co-sign vault operations using FROST threshold signatures. A single compromised Guardian cannot do anything. Five compromised Guardians still cannot do anything. It takes 11 colluding nodes to produce a valid signature, and even then, they can only sign spending paths that already exist in the vault's tap tree.
Chainlink provides price attestations that determine whether a vault is healthy or eligible for liquidation. But this is not blind trust: Guardians cross-check every Chainlink price against an independent secondary feed before co-signing. A bad price from Chainlink alone cannot trigger a liquidation.
Ducat has no admin keys, no ability to freeze vaults, and no way to redirect your BTC. The protocol coordinates vault creation and provides the front end, but your funds sit in Bitcoin UTXOs governed by Script. Anyone can verify this by running a validator.
The liquidation process requires two independent confirmations and is fully enforced by Bitcoin.
When you open a vault, Chainlink generates a secret value (pre-image) and commits only the hash to your vault's OP_RETURN on Bitcoin. The liquidation price is calculated and locked at this point. Neither Chainlink nor Ducat can change it after the fact.
Chainlink CRE nodes passively watch the BTC/USD price. During this phase, the oracle does nothing. Your BTC sits safely in the vault. If the price stays above your liquidation threshold, nothing happens.
If BTC/USD drops to your vault's liquidation price, Chainlink reveals the pre-image. This unlocks the liquidation spending path in your vault's tap tree. The pre-image becomes publicly available to anyone monitoring the network.
Before co-signing, Guardians check the reported price against a secondary, non-Chainlink price feed. If the prices diverge outside the permitted band, Guardians refuse to sign. This is the two-key approval: Chainlink must attest AND Guardians must independently confirm.
Any participant on the network can submit the liquidation transaction. Bitcoin validates the pre-image, checks the tap tree conditions, and executes the liquidation as a standard Bitcoin transaction. No off-chain committee, no discretionary decisions.
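The commit, reveal and two-key check from the steps above, as an added sketch that is not Ducat's or Chainlink's code. It assumes SHA-256 for the hash-lock, a 1% permitted band and a threshold test on the oracle price, none of which the page specifies; all names are hypothetical.

```python
import hashlib
from dataclasses import dataclass

# Assumptions (not from the page): SHA-256 hash-lock, 1% divergence band.
COLLATERAL_THRESHOLD = 1.35  # page: liquidation when collateral falls below 135%
PERMITTED_BAND = 0.01        # assumed value; the page does not state the band


@dataclass(frozen=True)
class Vault:
    btc: float          # collateral held in the vault UTXO
    debt_usd: float     # outstanding debt
    commitment: bytes   # hash committed in OP_RETURN when the vault opens

    @property
    def liquidation_price(self) -> float:
        # BTC/USD price at which collateral value equals 135% of debt.
        return self.debt_usd * COLLATERAL_THRESHOLD / self.btc


def open_vault(btc: float, debt_usd: float, preimage: bytes) -> Vault:
    # Only the hash is published; the oracle keeps the pre-image secret.
    return Vault(btc, debt_usd, hashlib.sha256(preimage).digest())


def guardian_decision(vault, revealed, oracle_price, secondary_price):
    """Return (co_sign, reason) for a proposed liquidation."""
    # Key 1: the revealed pre-image must match the on-chain commitment.
    if hashlib.sha256(revealed).digest() != vault.commitment:
        return False, "preimage does not match commitment"
    if oracle_price <= 0 or secondary_price <= 0:
        return False, "invalid price"
    # Key 2: the oracle price must agree with the independent feed.
    divergence = abs(oracle_price - secondary_price) / secondary_price
    if divergence > PERMITTED_BAND:
        return False, "feeds diverge outside band"
    # Assumed extra check: the price has actually reached the locked threshold.
    if oracle_price > vault.liquidation_price:
        return False, "price above liquidation threshold"
    return True, "co-sign liquidation path"


if __name__ == "__main__":
    # Constructed sample: 1 BTC collateral, 40,000 USD debt.
    v = open_vault(1.0, 40_000.0, b"constructed-secret")
    print(v.liquidation_price)
    print(guardian_decision(v, b"constructed-secret", 53_900.0, 53_950.0))
    print(guardian_decision(v, b"constructed-secret", 50_000.0, 60_000.0))
```

The last call models a bad oracle price on its own: the pre-image is valid, but the secondary feed disagrees, so the Guardian refuses to co-sign.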
No. BTC movement is constrained by Bitcoin Script spending conditions. There are only two valid outcomes: redemption (you repay) or liquidation (collateral falls below threshold). Even if a Guardian is compromised, they are bound by script conditions enforced by Bitcoin itself.
No. Even if Chainlink revealed a pre-image incorrectly, the Guardians would check the price against their secondary feed and refuse to co-sign. Both systems must agree for a liquidation to proceed.
No new borrows or liquidations can occur (they require a fresh oracle quote). But your BTC remains safe in its vault. Vaults with no outstanding debt can still be closed. Ducat is integrating backup oracles for redundancy.
The front end is open-source with community mirrors. The protocol continues operating via independent validators and Guardians on Bitcoin L1. Your vault and BTC are on Bitcoin, not on any server.
No. Your BTC sits in a discrete UTXO on Bitcoin. It cannot be moved, lent, or rehypothecated. The vault can only be spent via redemption or liquidation. This is enforced by Bitcoin Script, not by a company policy.
Ducat is engaging external audit firms to review the full protocol codebase including the SDK, Guardian network, Validator, and Runestone library. Multiple internal security audits have been completed. Audit reports will be published here when finalised.