Skip to content

Ark rounds

Rounds are the heartbeat of an Ark server—periodic events where users can refresh their VTXOs to extend their lifetime.

During a round, multiple users coordinate with the Ark server to forfeit old VTXOs and receive new refresh VTXOs in return. This is achieved through a collaborative signing process, where, together with the server, users create a transaction tree (a hierarchical structure of pre-signed transactions) and broadcast its root on-chain—the round transaction.

Diagram of a transaction tree produced during a round

A simplified example of the kind of transaction tree that is produced during a round

Payments now occur out-of-round

Early Ark protocol proposals included payments within rounds, but this is no longer the case. Second's implementation of Ark handles all payments instantly through arkoor (out-of-round) transactions. Rounds are now reserved for refreshes only.

What rounds accomplish

Users participate in rounds for two main reasons:

  • Lifetime management: Refreshing a VTXO that is nearing the end of its lifetime to extend it and maintain control of their bitcoin.

  • Security upgrade: Converting spend VTXOs (which have additional trust requirements) into refresh VTXOs with improved security.

Round process

Refreshing requires the wallet app to participate interactively with other users and the Ark server during the round, signing its own branches in the transaction tree. Once the round confirms, the resulting refresh VTXO can be exited unilaterally without relying on any third party.

Phase Description
1. Submit intent Wallet app comes online during round and submits VTXOs to refresh
2. Tree construction Server constructs transaction tree; wallet app signs exit branches
3. Funding Server broadcasts round transaction on-chain
4. Forfeit Wallet app signs forfeit to complete refresh
5. Claim New VTXO immediately accessible

This requires the wallet app to be online during scheduled round windows, making it suitable for always-on devices like desktops, servers, and nodes.

Delegated refreshes

Due to operating system limitations, some devices—particularly iOS devices—cannot reliably wake for scheduled round windows. Delegated signing addresses this by allowing designated co-signers to sign on the user's behalf during the round, with the wallet app claiming the new VTXO when the user next opens the app.

Co-signer functionality not yet available

Designated co-signer support has not been built out yet and while it's a priority for us, it is unlikely to be completed until after our mainnet launch. Until co-signers are added to the signing set, delegated refreshes will be dependent on the Ark server's signature only.

How delegated signing works

Rather than participating interactively during a round, the wallet app submits refresh intents ahead of time—either when the user opens the app or via a lightweight background wake. Designated co-signers then sign on the user's behalf during the round.

Phase Delegated refresh process
1. Submit intent Wallet app submits refresh intent ahead of time
2. Tree construction Server constructs transaction tree; designated co-signers sign on wallet app's behalf
3. Funding Server broadcasts round transaction on-chain
4. Forfeit Wallet app signs forfeit when user next opens app
5. Claim Server or cosigner reveals secret; wallet app claims new VTXO

Delegated refresh trust model

Delegated refresh VTXOs have reduced security compared to standard refresh VTXOs. Users must trust that at least one designated co-signer behaves honestly—a 1-of-n trust model.

Wallet app providers and other entities act as co-signers, each signing the entire transaction tree. Security is additive: each additional co-signer strengthens the trust model for all users, regardless of which app they use.

Some wallet apps will predefine a fixed co-signer set (presumably including themselves); others will let advanced users specify their own co-signer set. If a required co-signer is unavailable, the delegated refresh fails and alerts the user.

Delegated refresh is entirely opt-in—a practical compromise for mobile OS limitations. With multiple co-signers and a 1-of-n trust model, it offers pretty good security. However, mobile wallet app developers should still consider providing optional alternative paths to standard refreshes, e.g., push notifications that prompt users to open the app before upcoming rounds, or companion desktop/node apps that can refresh on behalf of the mobile wallet.

Covenants eliminate the trust requirement

If a covenant proposal (like CTV or TEMPLATEHASH) were adopted on bitcoin, delegated refreshes would become fully trustless.

Round atomicity

Round atomicity is ensured through hash-locks—the same mechanism that makes Lightning payments (HTLCs) atomic. The server only reveals the secret needed to access the new VTXO after receiving a valid forfeit signature, ensuring users cannot lose funds: either the round completes successfully (forfeit signed, secret revealed, new VTXO accessible) or it doesn't (old VTXO retained).

Round timing and interval

Round frequency is a configurable server parameter. Second's Ark server is expected to conduct rounds every 1-2 hours, though this may vary based on demand and server policy.

Diagram of an example one-hour round frequency

A one-hour round interval will result in a round transaction being confirmed roughly every six blocks

Interval length trade-offs

All things being equal, more frequent rounds will inevitably attract fewer participants per round since users are spread across more opportunities to refresh. Conversely, less frequent rounds lead to more participation demand per round. This fundamental relationship drives several important trade-offs:

Shorter round interval Longer round interval
Wait time for refreshes Enables users to improve security faster or react more quickly to soon-to-expire VTXOs Security-conscious users must wait longer for refreshes, and higher risk of VTXO expiries
On-chain fee sharing Higher per-user costs due to fewer participants splitting the round transaction fee Lower per-user costs due to more participants splitting the round transaction fee
Emergency exit Fewer transactions to complete exit (shallower trees) More transactions to complete exit (deeper trees)

Flexible round scheduling

While Second's Ark server will use fixed periodic rounds, servers can technically implement more flexible scheduling:

  • Demand-based rounds: Queue thresholds for triggering a round
  • Emergency rounds: On-demand rounds for users with soon-to-expire VTXOs
  • Scheduled maintenance: Temporary increase in round frequency before planned downtime

Round economics

Executing rounds involves two major costs for an Ark server:

  1. On-chain transaction fee: The cost of getting a round transaction confirmed on-chain, which is spread across all users participating in the round—the more users, the lower the cost per user. Despite the underlying transaction tree requiring an n-of-n multisig potentially involving hundreds of users, the Ark protocol uses Taproot and MuSig to make this complex script appear on-chain as a simple single-signature transaction, minimizing the blockchain footprint.

  2. Liquidity deployment costs: When users refresh their VTXOs, the Ark server must deploy bitcoin (liquidity) from its wallet to fund the new outputs. The forfeited bitcoin from old VTXOs only becomes available to the server after those VTXOs expire, so there is a cost of capital to cover. This cost is independent of the number of users participating in the round, and is instead dependent on the amount of bitcoin being forfeited and the age of the VTXOs.

Note

Fee schedules for Second's Ark server are still being finalized, and may not directly reflect the server's costs for users' individual operations. You can read more about fee considerations on our fees page.

Simultaneous expiry

All VTXOs created in a round share the same expiry time—the absolute timelock on the round transaction and all branch transactions expires simultaneously.

Under normal circumstances, users will forfeit their VTXOs before expiry (through spending, refreshing, or offboarding) to retain control over their bitcoin. This means that when expiry occurs, the server can sweep the entire round's bitcoin balance to its own wallet in a single on-chain transaction, rather than needing to reclaim individual VTXOs separately.