Ark payments

Payments on Ark are handled out-of-round (arkoor), enabling:

  • Instant payments at any time
  • Offline receiving capability
  • No liquidity requirements

During a payment, a user works with the Ark server to create a new VTXO—a spend VTXO—that spends from one of their existing VTXOs.

The payment security trade-off

Handling payments out-of-round comes with a trade-off: until a receiver refreshes their received balance, they must trust that the sender and Ark server don't collude to double-spend. Once refreshed, the received balance returns to a fully trustless state, guaranteeing the user's unilateral exit.

Users have control over their preferred security model

This mechanism allows users to control their balance between cost and security:

  • Early refreshes improve security but increase wallet operating costs.
  • Later refreshes save costs but temporarily reduce security (users must still always refresh before expiry).

The adjusted security model is only ever temporary. When a user refreshes their spend VTXO, it regains all the trustless properties of a refresh VTXO. Since all VTXOs must be refreshed before their expiry period, users are only exposed to the adjusted security model for a limited time. Second's expiry time is expected to be around 30 days, though this may change.

Users can also eliminate security concerns by spending the VTXO via Ark, Lightning, or offboard transactions.

Incentives against double-spending

While spend VTXOs temporarily operate under an adjusted security model, several strong deterrents exist against sender-server collusion:

  • Inevitable disclosure: Users can always detect double-spending when multiple recipients attempt to refresh, offboard, or exit unilaterally. Wallets can detect invalid duplicate signatures immediately and potentially trigger automatic alerts or remedial actions. Duplicate signatures can easily be publicly proven.
  • Irreparable reputational damage: An Ark server caught double-spending would lose credibility and revenue as users quickly offboard or exit to avoid further risk.
  • Requires sender and server collusion: Payments remain secure as long as at least one party (either sender or Ark server) remains honest. Even when both actors are malicious, they must closely coordinate for double-spending to succeed.
  • Mutually-assured destruction: Any attempted unilateral exit from a double-spent VTXO should trigger immediate detection by user wallets, prompting competing unilateral exit transactions. The resulting transaction fee race would likely consume the entire VTXO amount in miner fees.

Expected user behavior

It's difficult to predict what user behavior will look like once Ark is in the wild. At Second we expect that most users will be comfortable leaving all received payments until close to expiry before refreshing. This is especially likely on Ark servers that have built a reputation for reliable operations.

The rationale is that users will prefer to take advantage of the cost savings from fewer refreshes and lower liquidity costs. Additionally, users will likely only hold a portion of their bitcoin holdings on Ark as a kind of "checking account." Only recently received payments would be subject to the spend VTXO trust model—the rest of their Ark balance will be in refresh VTXOs.

However, users may prefer more sophisticated refresh thresholds and timing strategies, for example:

  • Small payments: For day-to-day transactions, users accept the temporary trust model and wait until near expiry before refreshing, prioritizing cost savings over immediate trustlessness.
  • Large payments: For significant amounts, users may refresh immediately after receiving payment, prioritizing security over cost optimization.

Whatever the case, wallet refresh policies should be passive and automatic, handled by the wallet app based on user settings. Users shouldn't be required to monitor individual VTXOs manually!

Payment chains

Payments can be chained, where a received spend VTXO is subsequently spent to another user. This creates arkoor chains where users must trust that no sender in the chain has colluded with the Ark server to double-spend. Longer chains increase exit costs and expand the trust surface area, so wallet apps may want to limit chain lengths based on user preferences.

Change handling in payments

When making payments, the sender will typically also receive change back as a spend VTXO. Change inherits the trust properties of the VTXO it was spent from. For example, if a user is spending from a refresh VTXO, the change received is inherently trustless since the sender cannot collude against themselves to double-spend.
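
The refresh thresholds, chain-length limits and change handling described above can be combined into one automatic wallet policy check. This is an added example, not code from Second or any Ark wallet; the `Vtxo` and `Policy` types, their field names, the threshold values and the use of block heights for expiry are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Vtxo:
    vtxo_id: str
    kind: str                 # "refresh" (trustless) or "spend" (out-of-round)
    amount_sat: int
    expiry_height: int        # block height at which the VTXO expires
    chain_len: int = 0        # arkoor hops since the last refresh VTXO
    own_change: bool = False  # change from spending our own refresh VTXO

@dataclass(frozen=True)
class Policy:                 # hypothetical user settings
    large_payment_sat: int = 1_000_000
    expiry_margin_blocks: int = 288   # assumed safety margin before expiry
    max_chain_len: int = 3

def refresh_reason(v: Vtxo, tip_height: int, p: Policy) -> Optional[str]:
    """Return why `v` should join the next refresh, or None to keep waiting."""
    # Every VTXO, trustless or not, must be refreshed before it expires.
    if v.expiry_height - tip_height <= p.expiry_margin_blocks:
        return "near-expiry"
    # Refresh VTXOs and change from our own refresh VTXO carry no sender trust.
    if v.kind != "spend" or v.own_change:
        return None
    if v.amount_sat >= p.large_payment_sat:
        return "large-payment"
    if v.chain_len > p.max_chain_len:
        return "chain-too-long"
    return None  # small payment: accept the temporary trust model for now

def plan_refresh(vtxos, tip_height: int, p: Policy = Policy()) -> dict:
    """Map vtxo_id -> reason for every VTXO the policy wants refreshed now."""
    reasons = ((v.vtxo_id, refresh_reason(v, tip_height, p)) for v in vtxos)
    return {vid: why for vid, why in reasons if why}

# Constructed sample wallet, evaluated at block height 900_000.
SAMPLE = [
    Vtxo("a", "refresh", 5_000_000, 904_000),
    Vtxo("b", "spend", 20_000, 903_500, chain_len=1),
    Vtxo("c", "spend", 2_500_000, 904_200, chain_len=1),
    Vtxo("d", "spend", 15_000, 900_200, chain_len=1),
    Vtxo("e", "spend", 40_000, 903_900, chain_len=5),
    Vtxo("f", "spend", 3_000_000, 904_100, chain_len=1, own_change=True),
]

if __name__ == "__main__":
    print(plan_refresh(SAMPLE, tip_height=900_000))
```

The expiry check runs first because it applies to every VTXO regardless of trust model; the amount and chain-length checks only apply to spend VTXOs received from someone else.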