Skip to content

Unilateral exits

When are unilateral exits required?

Unilateral exits serve as an emergency mechanism that ensures users always maintain control over their bitcoin regardless of server behavior. This backup measure is fundamentally what makes Ark self-custodial.

Under normal operating conditions, users should always follow the standard offboard process when moving bitcoin from Ark back on-chain. Standard offboarding is more efficient and cost-effective for getting bitcoin back on-chain.

Unilateral exits should only be considered when the server is unresponsive or refuses to honor offboard requests. These situations typically fall into three categories:

1. Malicious behavior

The Ark server may be acting maliciously, attempting to withhold or effectively steal user bitcoin by refusing to process legitimate offboard requests.

2. Technical difficulties

The server might experience technical problems preventing normal operation. While these issues can be expected to be temporary, users can still face urgency if they hold VTXOs that are approaching expiration.

Legal or regulatory actions may prevent an Ark server from processing certain transactions. In these cases, the server might be legally restricted from honoring offboard requests for specific users or regions.

The unilateral exit process

When a user or their wallet app triggers a unilateral exit, they must broadcast a sequence of transactions from their VTXO's transaction tree in the correct order. Each transaction in this sequence must confirm before the next can be broadcast, making this a multi-step process that requires careful coordination.

The exit process follows these steps:

  1. First branch transaction: The wallet broadcasts the first branch transaction in their VTXO's path from the root of the transaction tree
  2. Wait for confirmation: Once confirmed, the wallet broadcasts the next branch transaction in the sequence
  3. Continue down the tree: This process continues, broadcasting each branch transaction and waiting for confirmation, until reaching the leaf
  4. Broadcast leaf (exit) transaction: The last transaction in the tree, the exit transaction, is broadcast, which activates a relative timelock
  5. Relative timelock period: The user must wait for the timelock to expire (currently expected to be around four hours, though this is a server-configurable parameter)
  6. Final exit transaction: Once the timelock expires, the user can broadcast their final transaction to send the bitcoin to any on-chain address of their choice

Users need to be aware that they must pay on-chain transaction fees for each of these transactions in the exit sequence. The total on-chain fees will be dependent on their refresh VTXO's transaction tree depth, which is a product of the number of VTXOs refreshed in the associated round, plus the length of any additional spend VTXO chain.

Economic viability of unilateral exits

Users should be aware that if the balance held in a VTXO is less than the total on-chain fees of broadcasting all required transactions, it may not be economically viable to recover those bitcoin. However, as explained in the early vs. late exit section below, other users performing exits from the same round can reduce your exit costs, as each transaction another user broadcasts reduces the number of transactions you need to complete by one.

Automated wallet management

Users should never need to manage the unilateral exit process manually. Well-designed wallet apps should automate the entire sequence once an exit is triggered. The wallet app will:

  • Monitor the blockchain for transaction confirmations
  • Automatically broadcast the next transaction in sequence once the previous one confirms
  • Track block height to determine when the relative timelock becomes valid
  • Execute the final exit transaction to complete the process

The purpose of the relative timelock

The relative timelock on the leaf transaction serves a critical security function—it gives the Ark server sufficient time to broadcast a forfeit transaction if the user is attempting a malicious exit (trying to exit a VTXO they have already forfeited).

Partially-completed exits

An exit is not completed until the final leaf (exit) transaction of the transaction tree is broadcast and confirmed on-chain. At any point before that, the bitcoin can still be considered held in the Ark—the VTXO will expire according to the original expiry time and become sweepable by the Ark server.

This gives unilateral exits some "cancellability". For instance, if a user begins an exit because an Ark server goes offline for an extended period, but after broadcasting three of four exit transactions that make up their VTXO the Ark server comes back online, then they can choose to abort broadcasting the final transaction and keep their bitcoin in the Ark.

Partially completed exits increase the costs for the Ark server to sweep the bitcoin after forfeit and expiry—with the round transaction broken up into multiple smaller transactions, the Ark server must pay multiple on-chain transaction fees to sweep the bitcoin, instead of the typical one.

How early exits reduce costs for later exiters

When users initiate unilateral exits, their actions benefit other users that have participated in the same round(s). This occurs because VTXOs share common branches in the transaction tree. When a user broadcasts a branch transaction as part of their exit, they reduce the number of transactions needed by other users on the same branch by one. In scenarios where many users need to exit, those who exit earlier effectively reduce the exit costs for those who exit later.

Managing exits during high fee periods

When network fees increase significantly, situations may arise where a VTXO's value becomes smaller than the cost to exit. This raises important considerations for the Ark protocol.

Server-side

Ark servers are unlikely to monitor or restrict transactions based on economic exit viability:

  • Exit viability varies based on multiple factors beyond just VTXO value
  • Users have different risk tolerances and fee preferences
  • The protocol should remain neutral to economic conditions

Client-side

Wallet apps should instead implement the appropriate safeguards for users. Options include:

  • Warning notifications when a VTXO may cost a significant percentage of the VTXO value to exit
  • Exit fee estimation tools to help users make informed decisions
  • Options to delay exits to allow other users to exit earlier (thus reducing exit costs)