Taproot Vaults
How Non-Custodial Bitcoin Lending Actually Works
Programmable Bitcoin scripts, threshold signatures, and the escape hatch nobody can override. The architecture behind the post-Celsius Bitcoin loan.
TL;DR
Every Bitcoin-backed loan offered for the past decade has worked the same way. You send your Bitcoin to the lender. They hold it. You hope they give it back. Celsius did not. BlockFi did not. Voyager did not. Customer Bitcoin became someone else's collateral, someone else's leverage, someone else's loss.
There is a different way to build this. Lock your Bitcoin into a script on the Bitcoin blockchain that defines exactly what can happen to it. Cooperative repayment, automated liquidation, or your own escape hatch if the lender disappears. No discretion. No commingling. No rehypothecation. Verifiable by anyone with a Bitcoin node. The technology that makes this possible is Taproot, activated in November 2021. The way it is being used for lending is called a Taproot vault.
The thing that keeps killing Bitcoin lenders
Every collapsed Bitcoin lender died the same way. They held customer Bitcoin in pooled custody, which means they took everyone's deposits and mixed them into one big balance sheet. Then they did what banks do. They lent it out. To hedge funds, to internal trading desks, to sister companies, to whoever paid the highest rate.
This practice is called rehypothecation. It is legal almost everywhere, it is how virtually every traditional bank operates, and it is the source of fractional reserve banking. In a normal banking environment it works fine because there is deposit insurance, central banks acting as lender of last resort, and decades of regulatory infrastructure designed to keep the trick from unraveling.
In crypto lending, none of that exists. When the music stops, your specific Bitcoin is gone, mixed into the wreckage. You become an unsecured creditor in bankruptcy court, sometimes recovering pennies on the dollar, sometimes years later.
This is not just a Celsius problem or a BlockFi problem. It is a structural property of any lending product where the lender takes discretionary custody of your collateral. The only way to actually fix it is to remove discretion from the equation entirely. That is what Taproot vaults are for. If you have not yet locked down your own keys, our cold storage guide is a useful prerequisite.
What Taproot actually brought to Bitcoin
Bitcoin has always had scripts. From day one, every Bitcoin output has been locked by a small program that says "here is what you have to prove to spend me." A simple wallet locks funds with a script that says "prove you know the private key for this public key." A multisig wallet locks funds with a script that says "prove you have signatures from M out of N specified keys."
Before Taproot, complex scripts had three problems. They were public. Every condition under which the output could be spent was visible on-chain from the moment the output was created. They were expensive. Complex scripts took more block space, which meant higher fees. They were limited. The Bitcoin script language was deliberately restricted.
Taproot, activated in November 2021, changed all three. A Taproot output looks like a single public key on-chain. The complex script is hidden inside a Merkleized tree of possible spending conditions, and only the branch you actually use is revealed when you spend the output. You only pay for the branch you use, the other branches stay invisible, and the language for writing those branches (Tapscript) is more expressive than the old one.
In practice, you can create a Bitcoin output with five, ten, fifty different spending conditions, attach a different policy to each one, and have the output look like any other ordinary single-key payment on-chain until you actually need to use one of the branches. This is what makes a vault possible.
A vault, in concept
Forget the implementation details for a moment. What does the word "vault" even mean in this context?
A vault is a Bitcoin output that can be spent in more than one way, with each spending path triggering under different conditions, and where the parties with the ability to trigger each path are different.
A simple example: imagine a vault that holds family savings. It can be spent in one of three ways. Your partner signs and the funds go to a withdrawal address you both control. You alone sign and the funds go to a withdrawal address you control, but only after a 30-day timelock. A trusted family member signs along with a notary and the funds go anywhere they specify, used only in emergencies. Three doors. Each door has its own policy. A Bitcoin lending vault works on exactly the same logic.
The three doors of a Bitcoin lending vault
A non-custodial Bitcoin-backed loan vault typically has three spending paths.
Door 1: Cooperative repayment
The borrower repays the loan in dollars (usually a stablecoin). The lender's signing infrastructure verifies repayment, co-signs a transaction that releases the collateral, and the borrower gets their Bitcoin back at the withdrawal address they specified when the vault was created. This is what should happen on the vast majority of loans. It is the equivalent of paying off a mortgage and getting the deed.
Door 2: Liquidation
The borrower's collateral value drops below the liquidation threshold, or the loan term expires without repayment. This door is signed by the lender's infrastructure without the borrower's signature. The script enforces that this path can only be used to send funds to a specific liquidation address, not to wherever the lender wants. Once the funds arrive there, they enter a Dutch auction (price starts high and drops until a buyer takes it). The lender does not get to set the price. The market does. Proceeds repay the loan, with any surplus returning to the borrower.
Door 3: Unilateral exit
This is the one that matters. If the lender disappears (bankrupt, hacked, regulated out of existence, simply gone), the borrower can spend the exit door themselves. No coordination with the lender. No legal proceedings. No bankruptcy court. They construct the transaction with public tooling, broadcast it to the Bitcoin network, and the funds arrive at their wallet.
There is a catch: this path is gated by a relative timelock, typically around one year. The vault output cannot be spent through this path until enough time has passed since the deposit. The timelock gives the lender a long window to use door 1 or door 2 under normal operations. In practice, door 3 should almost never be used. It is the smoke alarm, not the front door. But the door exists, it is enforced by Bitcoin script, and no human can override it.
This is what "non-custodial" actually means in the context of Bitcoin-backed lending. Not "the lender promises to give your coins back." Not "the lender has insurance." Not "the lender uses a regulated custodian." But "if everyone running the lender vanished tomorrow, you could still recover your Bitcoin using nothing but a Bitcoin node and a piece of public software."
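The relative timelock on door 3 can be read straight out of the exit script, which is the check behind "verify the timelock duration." The following is an added example, not code from this article or from any lender's exit tool: it assumes a hypothetical exit leaf of the form `<n> OP_CHECKSEQUENCEVERIFY OP_DROP <32-byte key> OP_CHECKSIG`, decodes `n` under the BIP-68 rules, and rejects an operand with the disable flag set, in which case no timelock is enforced at all. The sample leaf, key bytes and deposit height are constructed.

```python
OP_CSV, OP_DROP, OP_CHECKSIG = 0xB2, 0x75, 0xAC
DISABLE_FLAG = 1 << 31  # BIP-68: when set, no relative lock is enforced
TYPE_FLAG = 1 << 22     # BIP-68: when set, units are 512 seconds, else blocks
VALUE_MASK = 0xFFFF     # BIP-68: only the low 16 bits carry the lock value

# Constructed sample leaf: <52560> OP_CSV OP_DROP <key> OP_CHECKSIG, where the
# 32-byte key is a placeholder (0x11 repeated), not a real borrower key.
SAMPLE_LEAF = bytes.fromhex("0350cd00" "b275" "20" + "11" * 32 + "ac")


def decode_scriptnum(data):
    """Decode a Bitcoin script number (little-endian, sign bit in top byte)."""
    if not data:
        return 0
    n = int.from_bytes(data, "little")
    if data[-1] & 0x80:
        n = -(n & ~(0x80 << (8 * (len(data) - 1))))
    return n


def parse_exit_leaf(script):
    """Parse the assumed leaf shape and return (csv_operand, x_only_key)."""
    if not script:
        raise ValueError("empty script")
    op = script[0]
    if 0x51 <= op <= 0x60:                      # OP_1 .. OP_16
        n, rest = op - 0x50, script[1:]
    elif 1 <= op <= 5 and len(script) > op:     # direct push of 1..5 bytes
        n, rest = decode_scriptnum(script[1:1 + op]), script[1 + op:]
    else:
        raise ValueError("leaf does not start with a numeric push")
    if (len(rest) != 36 or rest[0] != OP_CSV or rest[1] != OP_DROP
            or rest[2] != 32 or rest[35] != OP_CHECKSIG):
        raise ValueError("leaf is not <n> CSV DROP <key> CHECKSIG")
    return n, rest[3:35]


def decode_relative_lock(n):
    """Interpret a CSV operand; return ('blocks', count) or ('seconds', secs)."""
    if n < 0:
        raise ValueError("negative operand: OP_CSV fails the script")
    if n & DISABLE_FLAG:
        raise ValueError("disable flag set: OP_CSV enforces no timelock")
    value = n & VALUE_MASK
    return ("seconds", value * 512) if n & TYPE_FLAG else ("blocks", value)


def exit_window(script, deposit_height):
    """Summarise when the exit leaf becomes spendable for a given deposit."""
    n, key = parse_exit_leaf(script)
    unit, amount = decode_relative_lock(n)
    if unit == "blocks":
        # BIP-68: spendable in any block at height >= deposit height + n
        return {"key": key.hex(), "unit": unit, "amount": amount,
                "earliest_height": deposit_height + amount,
                "approx_days": amount * 10 / 1440}
    # Time-based locks are measured against median-time-past, not height
    return {"key": key.hex(), "unit": unit, "amount": amount,
            "earliest_height": None, "approx_days": amount / 86400}
```

A block-based lock tops out at 65,535 blocks (about 455 days at ten minutes per block), so a one-year exit of 52,560 blocks fits in the 16-bit field.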
The locked door: the NUMS trick
There is a fourth path on every Taproot output we have not talked about. It is called the key-path spend.
A Taproot output is technically locked by a single public key, with the script paths hanging off it as a backup. Most Taproot wallets use the key-path as the cheap and private way to move funds, with all parties holding shares of the corresponding private key and signing collaboratively.
In a Bitcoin lending vault, the key-path is dangerous. If the lender and the borrower had a shared key they could use to spend the output without going through any of the three doors, the whole point of the vault would be undermined. The lender's signing infrastructure could collude (or be compromised) and move funds outside the agreed rules.
The fix is called a NUMS internal key. NUMS stands for "Nothing Up My Sleeve." The idea is to construct a public key in a way that proves nobody knows the corresponding private key. The standard approach is to take the SHA-256 hash of a known phrase (something like "SURGE-NUMS" or "BIP-341-NUMS") and use that hash as the x-coordinate of the public key. Anyone can verify the key was derived this way. Nobody can derive the private key from a hash output because that would require breaking SHA-256, which would break Bitcoin entirely.
The practical effect: the key-path spend on a properly-constructed lending vault is provably useless. The only way to spend the output is through one of the three script-path doors. The lender literally cannot bypass the rules even if they wanted to. This is the kind of detail that separates a serious non-custodial product from a marketing campaign. Always check whether the key-path is disabled in any Taproot vault you are considering trusting your Bitcoin to.
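One way to run the key-path check described above, as an added example that is not from this article or from any lender's tooling: it recomputes the Taproot output key from a claimed NUMS preimage and a script-tree Merkle root using the BIP-341 tweak, and it shows that a hash only works as an x-coordinate when it lands on the curve. The function names, the sample Merkle root, and the assumption that the internal key is exactly SHA-256(preimage) taken as an x-only key are illustrative; the reference constant is the NUMS point suggested in BIP-341.

```python
import hashlib

# secp256k1 field prime, group order and generator
FP = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
# NUMS x-coordinate suggested in BIP-341: SHA-256 of the uncompressed encoding of G
BIP341_H = bytes.fromhex(
    "50929b74c1a04954b78b4b6035e97a5e078a5a0f28ec96d547bfee9ace803ac0")
G_UNCOMPRESSED = b"\x04" + G[0].to_bytes(32, "big") + G[1].to_bytes(32, "big")
# Constructed stand-in for a vault's script-tree Merkle root (not a real vault)
SAMPLE_ROOT = hashlib.sha256(b"constructed three-door script tree").digest()

def lift_x(x):
    """Return the even-y point with this x, or None if x is not on the curve."""
    if x >= FP:
        return None
    c = (pow(x, 3, FP) + 7) % FP
    y = pow(c, (FP + 1) // 4, FP)
    if y * y % FP != c:
        return None
    return (x, y if y % 2 == 0 else FP - y)

def add(a, b):
    """Add two affine points; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % FP == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, FP) % FP
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, FP) % FP
    x = (lam * lam - a[0] - b[0]) % FP
    return (x, (lam * (a[0] - x) - a[1]) % FP)

def mul(k, pt):
    """Double-and-add scalar multiplication (public values only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def nums_x(preimage):
    """SHA-256(preimage) as an x-only key, or None if it is not on the curve."""
    x = hashlib.sha256(preimage).digest()
    return x if lift_x(int.from_bytes(x, "big")) else None

def taproot_output_key(internal_x, merkle_root):
    """BIP-341 tweak: Q = P + int(hash_TapTweak(P || root)) * G, x-only."""
    p = lift_x(int.from_bytes(internal_x, "big"))
    tag = hashlib.sha256(b"TapTweak").digest()
    t = int.from_bytes(
        hashlib.sha256(tag + tag + internal_x + merkle_root).digest(), "big")
    q = None if p is None or t >= N else add(p, mul(t, G))
    if q is None:
        raise ValueError("invalid internal key or tweak")
    return q[0].to_bytes(32, "big")

def keypath_is_nums(output_x, preimage, merkle_root):
    """True only if the on-chain key is the NUMS key tweaked by this tree."""
    internal = nums_x(preimage)
    return (internal is not None
            and taproot_output_key(internal, merkle_root) == output_x)
```

The check needs the Merkle root of the real script tree, so a lender has to publish all three leaf scripts for it to be reproducible. If `nums_x` returns None, the phrase alone cannot be the internal key and the lender's documented derivation must involve an extra step.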
Who signs the lender's transactions: threshold signatures
Doors 1 and 2 both require the lender to sign. If the lender is a single company with a single signing key, you have just recreated the custodial model with extra steps. A compromised key, a rogue employee, or a regulatory seizure of the lender's infrastructure all become single points of failure.
The solution is threshold signatures. The lender's signing key is split across multiple independent parties, with a threshold of them required to produce a valid signature. A 3-of-5 threshold means any 3 of the 5 signers can co-sign a transaction, but 2 cannot. The signers do not need to trust each other, they just need to follow the protocol.
There are several threshold signature schemes available for Bitcoin. The two most commonly used are FROST (Flexible Round-Optimized Schnorr Threshold) and Lindell 2024. FROST is well-studied, widely implemented, and produces a valid Schnorr signature indistinguishable from a single-party signature on-chain. Lindell 2024 is newer and has a property called identifiable abort: if a signer misbehaves during the signing process, the protocol produces cryptographic evidence of who did it. That matters when you want to slash misbehaving signers economically.
The harder question, for any lender claiming a threshold signature setup, is who the signers actually are. A 3-of-5 threshold is meaningless if the 5 signers are all employees of the same company. Look for signers that are independently operated, geographically distributed, and reputationally separate. If a lender has not published the names of their signers, treat the decentralization claim as provisional until they do.
What this actually means for you as a borrower
If you are considering a Bitcoin-backed loan, the architecture above changes a few things about how you should evaluate the product.
Custody is verifiable. You should be able to look up your vault address on a Bitcoin block explorer (mempool.space works fine) and see your collateral sitting there as a regular UTXO. You should be able to verify the script, see the three spending paths, and confirm the key-path is disabled. If a lender cannot show you your collateral on-chain, you are back in the custodial model.
Rehypothecation is impossible. Your Bitcoin does not sit in a pool. It does not get lent out to traders. It does not move at all between deposit and withdrawal, unless one of the three doors is triggered. You can verify this on-chain at any time.
The escape hatch is real. If the lender disappears, you can recover your collateral yourself. Test this in advance. Run the unilateral exit tool on a testnet vault. Verify it works. Do not take the lender's word for it.
The trust assumption shifts. You are no longer trusting the lender's solvency, custodianship, or insurance arrangements. You are trusting that the Bitcoin script does what it says, that the threshold signature setup has enough independent signers to prevent collusion, and that the EVM credit contracts (if the lender uses any) have been audited.
Smart contract risk is real. Most non-custodial Bitcoin lending products use an EVM chain for the credit accounting layer. The Bitcoin side might be airtight while the EVM side has a bug. The audit posture on both sides matters.
Liquidation behavior is different. In a custodial lender, liquidation usually means "the lender sells your BTC at whatever price they can get internally." In a non-custodial vault, liquidation usually means "your BTC enters a public Dutch auction." The auction mechanic is more transparent but also slower.
A real-world implementation: Surge Credit
The most fully-developed implementation of the architecture described above is Surge Credit, a Bitcoin-backed dollar credit line that launched mainnet public beta in April 2026.
Surge constructs Taproot vaults with the exact three-door pattern described in this post: cooperative repayment, automated liquidation via Dutch auction on Base (Coinbase's Ethereum L2), and unilateral exit with a CSV timelock of roughly one year. The key-path is disabled using a NUMS internal key derived from the SHA-256 hash of the string "SURGE-NUMS". The threshold signature scheme is Lindell 2024 with a simple-majority threshold across a Distributed Custody Network. The credit accounting runs on Base. USDC flows cross-chain via Circle's CCTP v2.
The protocol-level work is being audited by Brandon Black (reardencode), co-author of BIP-349 (OP_INTERNALKEY) and former Taproot wallet engineer at BitGo. The EVM contracts are also in audit as of writing. The governance structure is a two-entity model (Amby Inc. building the software, Surge Foundation governing the protocol) similar to Aave and Morpho.
For the purposes of this explainer, Surge is the cleanest current example of how the Taproot vault model actually gets shipped in a usable product. The vault construction is principled, the key-path disabling is correct, the threshold signature scheme is well-chosen, and the escape hatch is real and testable. Other implementations of similar architectures will follow, and should. See our full Surge Credit review for rates, terms, current track record, and the honest tradeoffs of using a beta product.
What to look for in any Bitcoin-backed lender
A quick checklist if you are evaluating any product that claims to be non-custodial.
- Can you see your collateral on-chain? Look up your vault address on mempool.space or any Bitcoin explorer. It should be a normal UTXO controlled by a Taproot script, not a balance on the lender's internal ledger.
- Is the key-path disabled? Ask the lender. The answer should be yes, and they should be able to point you to the NUMS construction. If the answer is no or they do not know what you are talking about, the vault is not actually non-custodial.
- Does the unilateral exit path exist, and can you test it? Ask for the exit tool. Run it against a testnet vault if available. Verify the timelock duration. Verify the path works without any dependency on the lender's infrastructure.
- Is the threshold signature setup transparent? How many signers? Are they named? Are they independent? Is there a path for new signers to join over time?
- What is the audit posture? Who audited the Bitcoin script side? Who audited the EVM side? Are the reports public? Have remediations been completed?
- What happens in liquidation? Is it a Dutch auction, an internal sale, a centralized order book? Where do auction proceeds go? Does surplus return to the borrower?
- Where does the lender hold its keys? Hardware security modules? Hot infrastructure? Multi-cloud? Geographic distribution?
- What is the governance structure? Is the protocol upgradable? Who controls the upgrade keys? Is there a foundation? Is the team accountable to anyone beyond their VCs?
A lender that fails on any single one of these is not necessarily a bad lender, but each gap is something you should understand before deciding how much capital to entrust to them. Lenders that score well across the whole checklist are rare today. They will become less rare over the next few years.
The frontier and what still needs solving
The Taproot vault model is not finished. Several things still need to mature before it becomes mainstream-ready.
DCN decentralization at scale. Today, distributed custody networks are typically small (3 to 10 signers) and often opaque about identities. Scaling to dozens or hundreds of independent signers, with public reputation and economic skin in the game, is an open problem.
Cross-chain dependency. Most non-custodial Bitcoin lenders use an EVM chain for the credit engine because Bitcoin script alone cannot easily handle interest accrual, variable rate calculations, or multi-asset accounting. If the credit chain goes down, the day-to-day borrow flow is broken. The unilateral exit path remains available, but the live experience is degraded. Reducing this dependency is an active area of research.
Native Bitcoin off-ramps. Most products today output USDC, a stablecoin on an EVM chain. Getting from USDC to fiat in a bank account still requires a centralized exchange or a service like MoonPay. Bitcoin-native fiat off-ramps need to mature for the experience to feel as smooth as a custodial lender.
Tax and legal clarity. Non-custodial loans against Bitcoin collateral occupy a different legal category than traditional secured loans. The treatment under different countries' tax codes is unsettled. Borrowers should consult their tax advisor.
Cross-vault privacy. Today, every vault looks slightly different on-chain, which means a sophisticated observer could potentially cluster all of a lender's vaults together based on script patterns or transaction graphs. Improving the on-chain anonymity set is ongoing.
Closing
The Bitcoin-backed loan market is in the middle of a transition. The custodial model that defined the 2020-2022 cycle ate three of its biggest players. The next cycle is being built on a different foundation, one where the lender's promise is replaced by a script anyone can verify and an escape hatch nobody can override.
It is not finished. The decentralization story has gaps, the user experience has friction, and the audit infrastructure is still maturing. But the direction is right, and it is the only direction that addresses the actual root cause of why Bitcoin lenders keep blowing up. If you are going to borrow against Bitcoin, understand which model you are using. If you are going to lend Bitcoin (or stablecoins backed by Bitcoin), understand who actually holds the keys. The technology to do this properly exists today. The products that use it correctly are still rare. But the gap is closing, and "trust us" is a less acceptable answer with every cycle.
Frequently Asked Questions
What is a Taproot vault?
A Taproot vault is a Bitcoin output locked under a Taproot script with multiple possible spending paths, where each path triggers under different conditions and is enforced by Bitcoin script rather than by a custodian. In the context of Bitcoin-backed lending, a typical vault has three paths: cooperative repayment, automated liquidation, and a unilateral exit for the borrower if the lender disappears. The vault address is a regular Bitcoin UTXO you can look up on any block explorer like mempool.space.
What is rehypothecation and why does it matter for Bitcoin loans?
Rehypothecation is when a lender takes your collateral and uses it for their own purposes: lending it out to traders, posting it as collateral for their own loans, or otherwise putting it at risk. It is legal almost everywhere and it is how virtually every traditional bank operates. In crypto lending, it was the mechanism that bankrupted Celsius, BlockFi, and Voyager. When the lender's bets fail, your specific Bitcoin is gone, mixed into the wreckage of their balance sheet. You become an unsecured creditor in bankruptcy court. Non-custodial Taproot vault designs make rehypothecation structurally impossible because your Bitcoin never leaves the script.
What is the NUMS trick?
NUMS stands for "Nothing Up My Sleeve." In a Taproot lending vault, the key-path spend is a fourth potential way to move funds that would let the parties bypass the script paths. To disable it, builders construct the internal public key from the SHA-256 hash of a known phrase like "SURGE-NUMS" or "BIP-341-NUMS." Anyone can verify the key was derived this way, and nobody can derive a private key from a hash output because that would require breaking SHA-256. The result: the key-path is provably useless and the lender cannot bypass the script even by collusion.
Can my Bitcoin be moved without my permission in a Taproot vault?
Only through one of the explicit script paths, never through discretion. Cooperative repayment requires you to repay the debt and then both parties co-sign. Liquidation can only happen if your collateral ratio breaches the liquidation threshold, and even then the proceeds must flow through a defined liquidation address and Dutch auction. Outside those two cases, the only remaining path is your own unilateral exit, which is gated by a relative timelock of roughly one year. There is no path that just lets the lender take your Bitcoin.
Do audits actually help?
Yes, but only when they are public, recent, and performed by people who understand the specific technology being audited. For Taproot vault lending products, you want at least two audits: one on the Bitcoin script side from a Bitcoin-specific protocol specialist (not a generic crypto auditor) and one on the EVM smart contract side that handles the credit accounting. Both reports should be public and any findings should have documented remediations. If a lender claims audits exist but cannot show you the reports, treat the claim as unverified.
FROST vs Lindell 2024 (Lin24): which threshold signature scheme is better?
Both produce valid Schnorr signatures on-chain that are indistinguishable from a single-party signature. FROST is older, more widely studied, and the default for most threshold signature deployments. Lindell 2024 is newer and has a specific property called identifiable abort: if a signer misbehaves during signing, the protocol produces cryptographic evidence of who did it. That matters when you want to slash misbehaving signers economically. For a borrower, both are reasonable choices and both are stronger than a single signing key. The harder question for any lender is who the signers actually are, not which scheme they use.
Why do most non-custodial Bitcoin lenders use Base or another EVM chain?
Because Bitcoin script alone cannot easily handle interest accrual, variable rate calculations, multi-asset accounting, or Dutch auctions. EVM chains can. The split is: Bitcoin holds the collateral in the Taproot vault, and the EVM chain (commonly Base, Coinbase's Ethereum L2) runs the credit engine. USDC moves cross-chain via Circle's CCTP. The tradeoff is real smart-contract risk on the EVM side, and a dependency on that chain being functional for day-to-day borrowing and repayment. The unilateral exit path remains available even if the EVM chain goes down.
Can I recover my Bitcoin if the lender disappears?
Yes, if the vault is built correctly. The unilateral exit path is the entire point of the design. After a relative timelock (typically around one year), you can construct a Bitcoin transaction yourself using the public exit tool, broadcast it to the Bitcoin network, and the funds arrive at your wallet. No coordination with the lender. No bankruptcy court. You should test the exit tool in advance on a testnet vault to verify it works, not take the lender's word for it.
Further reading
- Surge Credit Review: Honest review of the first mainstream Taproot vault credit line.
- Best Bitcoin Loans 2026: Full comparison of every major Bitcoin-backed loan platform.
- Hodl Hodl / Debifi Review: Non-custodial multisig P2P loans. A different non-custodial model.
- Bitcoin Cold Storage Guide: How to actually hold your own Bitcoin in the first place.
- Bitcoin Privacy Guide: How to protect your transactions and limit information leakage.
- Bitcoin Security Guide: Self-custody best practices that pair well with non-custodial lending.