The Ultimate Guide to Bitcoin Self-custody for Miners
Originally published on Unchained.com.
Unchained is the official US Collaborative Custody partner of Bitcoin Magazine and an integral sponsor of related content published through Bitcoin Magazine. For more information on services offered, custody products, and the relationship between Unchained and Bitcoin Magazine, please visit our website.
As a bitcoin miner, you have a lot to manage, from seeking out inexpensive electricity, to constructing facilities, to acquiring rigs and building a knowledgeable team that can keep them hashing. In speaking with mining companies over the years, we know that bitcoin custody is often an afterthought.
Here we’ll describe the process of securing your mined bitcoin in self-custody while managing a bitcoin treasury, CapEx, OpEx, OpSec, LP distributions, taxes, and more. Given the ever-present risks of hacks and suspended withdrawals, our goal is to explain the benefits and trade-offs of various approaches to bitcoin self-custody—regardless of the size of your operation.
Bitcoin self-custody considerations for miners
There are unique challenges miners face with self-custody in comparison to other types of bitcoin holders:
- Miners receive a high frequency of incoming deposits from mining pool payouts, which can increase transaction costs due to UTXO bloat (more on this below).
- Some portion of mined bitcoin must be sold to cover overhead.
Other challenges are similar to that of other businesses that hold bitcoin:
- Businesses may not have the in-house expertise needed to set up self-custody securely while minimizing complexity.
- Businesses generally have multiple operators and desire distributed control over bitcoin funds.
- Businesses want to minimize counterparty risk while eliminating the risks of malware, user error, storage media decay, phishing, physical attacks, and other security risks.
In all cases, holding the private keys to your organization’s bitcoin should be prioritized. As we’ll explain next, multisig can enhance the security of your bitcoin regardless of your organization’s size. While the details of your setup may vary, multisig helps to address many of the above concerns while allowing your bitcoin to touch exchanges only when necessary (e.g., for OpEx/CapEx).
Why miners need multisig
Better security than singlesig
Singlesignature (singlesig) wallets—controlled by a single key secured by a Trezor or Ledger hardware wallet, for instance—improve security, reduce counterparty risk, and remove exchanges as a single point of failure. With singlesig, however, your bitcoin is put at risk if a hardware wallet or seed phrase is lost or compromised. Just one or the other, in the wrong hands, could lead to permanent loss of funds.
Multisignature wallets, on the other hand, enable you to store bitcoin in a wallet controlled by multiple keys. They increase your security by ensuring more than one of those keys, held in different locations, are required to sign a transaction. If set up correctly, multisig can eliminate all single points of failure. For a miner, this means removing the risk of a single rogue employee moving funds, and creating redundancy so that the loss of a single hardware wallet or seed phrase cannot lead to a critical loss of funds.
Eliminates exchange custody risk
Exchanges can be a convenient place to send newly-mined bitcoin. They allow you to easily exchange bitcoin for your local fiat currency before sending funds to a linked bank account, and they even take care of things like UTXO management. In bitcoin, however, there is always a price to pay for convenience. The risks and potential downsides of using an exchange for key storage are numerous—the fact that they can cut you off at any time and the possibility of hacks and insolvency are only the beginning.
Flexibility to achieve an ideal balance of security and complexity
A 2-of-3 multisig quorum has three total keys where two are required to spend, which keeps your bitcoin secure even if one key is compromised. Many mining firms find that 2-of-3 multisig is the perfect setup for their corporate treasury because no single individual can compromise the entire treasury, while sending out LP payouts and monthly expenses is still kept straightforward (only two signatures required).
Higher-quorum multisig (e.g., 3-of-5, with five total keys and three required to spend) adds more keys and typically more individuals to the equation. This can technically improve the security of your bitcoin wallet in some cases—but also dramatically increases complexity. We wrote a comprehensive article explaining why this is the case, but for the purposes of this article, you just need to know the sweet spot for most individuals, organizations, and mining operations tends to be 2-of-3.
The benefits of collaborative custody
When using multisig for your mining company’s treasury, you might also benefit by including an institution (like Unchained) to hold one of three keys for your multisig setup.
In addition to the enhanced security that multisig provides, collaborative custody can also help with:
- Reduces the number of physical items (hardware wallets and seed phrases) you need to secure.
- Active monitoring over suspicious activity like unauthorized transaction signatures or account logins
- A partner that can help your team recover the wallet in the event where one of your keys has been lost or compromised.
Wallet management
Managing mining pool payouts
Every miner needs to make decisions on security, transaction cost, and counterparty risk when deciding which type of wallets to use for their newly mined bitcoin.
Below are four example workflows that may help you determine which model is the best for your mining operation.
Workflow #1: Mining pool payouts sent to a singlesig wallet
In this popular workflow for smaller mining operations, you receive mining pool payouts directly to a singlesig wallet controlled by a single operator. Funds that need to be sold can then be sent to an exchange, while funds to be stored long-term are sent to a multisig wallet.
Workflow #2: Mining pool payouts sent to a multisig wallet
This workflow is the same as the workflow described above, except that mining pool payouts are sent to a multisig wallet instead of singlesig. A second multisig wallet is required for the corporate treasury.
Sending bitcoin payouts direct to multisig maximizes security throughout the workflow, but requires two people to approve each transaction to the exchange and treasury. As such, it is better suited for larger mining operations.
“With multisig you’re paying higher fees to remove counterparty risk.” – Griffin Haby, Mountain Lion Mining
Workflow #3: Split payouts from the mining pool
Some mining pools allow miners to split payouts between two or more accounts. In this workflow, we show automating the payout process to send a fixed percentage directly to cold storage, and the rest to an exchange to sell to cover overhead.
Workflow #4: Mining pool payouts sent to an exchange
In this workflow, bitcoin is mined directly to an exchange. This is far more convenient for the purposes of UTXO and fee management purposes, and allows immediate liquidation of funds, but leaves bitcoin in the most vulnerable state for the longest amount of time, with high counterparty risk.
Maintaining multiple fund buckets
Even within the above high-level approaches to bitcoin security, you may want to further separate wallets for separate purposes, like distributions, operating expenses, or corporate treasury. Keeping these buckets of bitcoin cryptographically separated from each other will make it far easier to keep track of your operation from a tax and accounting standpoint—and much easier to ensure those long-term satoshis aren’t being used for overhead!
Managing transaction fees
Miners are typically more concerned with collecting transaction fees from other users. However, when managing your bitcoin mining wallets, the fees you pay when sending bitcoin—whether to an exchange, cold storage, or investors/partners—should also be considered.
As we described in a previous article, bitcoin transaction fees depend on how congested the bitcoin network is at any given time and how much data is being processed in a transaction. One of the key factors behind the data size of a transaction is the number of UTXOs involved. Our article on the problem of too many UTXOs is a good primer on UTXO consolidations, payout thresholds, and how bitcoin transaction fees are calculated.
As a miner, there are four main ways you can reduce your transaction costs:
1. Increase payout thresholds from mining pools
If you use a mining pool, and take a high frequency of payouts, it’s going to result in a lot of small UTXOs in your destination wallet, which could be expensive to spend when the time comes.
To mitigate this, you can increase your pool payout threshold to reduce the number of deposits being made to your wallet (and therefore reduce the wallet’s UTXO count). This method is especially useful for future fee mitigation if you are pointing your payouts directly to a multisig wallet (which requires more data to make a transaction than a singlesig wallet).
2. Manually consolidate your UTXOs
You can further reduce the number of UTXOs in your wallet by periodically consolidating. This is a relatively simple process; you just need to author a transaction containing the UTXOs you wish to consolidate, and send them back to yourself. You can learn more in our article covering strategies to manage too many UTXOs.
3. Set a low fee…and wait
Block space is limited by design—the higher the demand for space (increased quantity of transactions), the higher fees will be. If you don’t need a transaction to be processed immediately, consider setting a lower fee rate than recommended at the time of sending. This makes the transaction take longer to process, but can help you avoid paying excessive fees during periods of high demand.
At any given time, there is a minimum fee rate the mempool is willing to accept. Typically, this stays between one to three sats/vbyte. Current fees can easily be viewed on most block explorers, such as mempool.space.
4. Batched spending
Miners who need to send multiple payments at the same time can reduce transaction fees by sending them all at once using a transaction method called batching. This method of consolidating multiple payments can be performed with many popular bitcoin wallets (such as Bitcoin Core, Electrum, or BlueWallet) and can be helpful for LP distributions or any other time you need to make multiple transactions at once.
Key management
Identify your keyholders
When your company decides to hold the keys to its bitcoin you will need to determine who at the company will physically hold the keys.
The goal is to distribute control over keys and seeds evenly. This gives no one person the ability to sign a transaction or move bitcoin on their own. What this looks like for your organization will depend on your specific circumstances, such as the number of principals, the number of keys, and whether the wallet is for long-term storage or simply distributing control over spends.
In the above example where you’ve decided to use 2-of-3 multisig for your mining operation’s bitcoin treasury (we’d typically recommend this), you might select the company’s CEO and CFO to hold a key each, and a collaborative custody partner to hold the third key.
Properly secure your hardware wallets and seed phrases
There are typically two separate physical items to protect for each of your company’s bitcoin keys: a hardware wallet and a seed phrase. A critical element of implementing a secure multisig model is the geographical distribution of hardware wallets and seed phrases so that no single physical location is a point of failure for your bitcoin.
Seed phrases are worth particular attention because they are a physical and unencrypted copy of your bitcoin private keys. You should always retain seed phrase backups of your keys to reduce the reliance on sometimes finicky hardware wallets.
The location of the hardware wallets and seed phrases should only be known to individuals who will be expected to provide transaction signatures to move bitcoin. Keep in mind: When storing and securing these items, you may want to ensure that no single person at your organization has seen or knows the location of the necessary hardware wallets or seed phrases to spend—so that no single person can compromise your bitcoin treasury.
Ongoing key maintenance
Key hygiene
After you’ve properly stored your hardware wallets and seed phrases, there are a few best practices you should observe to keep the device and data on the device in proper working order:
- Keep the firmware up to date: This should be done roughly two to three times a year to ensure your hardware wallets have the best security, newest functionality, and will work to sign transactions when you need to.
- Perform key checks: At regular intervals, check that your hardware wallets are functional and check the physical security of your seed phrases. We recommend this should be done roughly four times a year.
Changing key holders
When a key holder leaves your mining operation, you should always replace their key as soon as possible. Don’t simply hand over the old key to a new key holder—that would be a a potential security hole. Even if the original key holder can be trusted and left in good standing, replacing the key reduces the risk that unauthorized signatures will be performed or attempted in the future.
Key replacements
To replace a key, you will need the new key holder to generate a new key, (if using multisig) create a new multisig wallet with the new quorum, and then (carefully) send all the company’s bitcoin to the new wallet.
If you’re using collaborative custody with Unchained Capital, our platform can safely guide you through the key replacement process. If you’re not using a collaborative partner, we’d recommend having someone technical on hand to help with the process.
- For Unchained Capital clients needing help with key replacements, reach out to your dedicated account manager or client services.
- If you are unsure whether or not you need to perform a key replacement, or if you would like to learn how key replacements for multisig work technically, you can refer to this article.
Other considerations
Bitcoin mining and taxes
Bitcoin miners are responsible for understanding and abiding by local and federal tax regulations. Taxes and accounting as they pertain to bitcoin mining are beyond the scope of this guide, but they are relevant considerations and you should consult with an accountant or tax professional to learn more.
For US-based miners, Unchained’s Head of Legal Jeff Vandrew briefly touched on the topic of mining and taxes in his piece covering what you need to know about bitcoin mining, IRAs, and taxes:
If a taxpayer obtains bitcoin through mining, they must recognize income in the amount of the fair market value in U.S. dollar terms of the bitcoin received on the date of receipt. That recognized income is subject to income tax at ordinary income tax rates. On top of income tax, the taxpayer may also be subject to self-employment tax.
Selling bitcoin
If you do need to convert bitcoin to your local currency to pay bills, taxes, or cover overhead, you may want to expedite the process by setting up an exchange account and linking an active bank account. Some exchanges can take days or weeks to approve new accounts, so plan accordingly, especially if you are up against a deadline like paying an invoice, payroll, or taxes.
Unchained Capital can help facilitate the purchase or sale of bitcoin straight to or from a multisig vault, within certain limits, for companies and individuals in the U.S. that reside in a state where our trading desk is active.
Collateralizing your bitcoin
Securing your bitcoin with a collaborative custody partner like Unchained Capital means you can easily use that bitcoin to access liquidity to reinvest in your mining operations—without ever selling your bitcoin. For more detailed information on bitcoin collateralized lending, visit unchained.com/loans.
Let Unchained Capital be your guide
Whether it be the daunting task of managing fees, advice on how to structure your bitcoin custody workflow, or access to a trading desk to buy and sell bitcoin, we’re here to help. Our multisig vaults for business give your organization complete control over your bitcoin while providing a trusted partner to guide you and your team through setup and to help with key replacements and wallet recovery if and when necessary.
Originally published on Unchained.com.
Unchained is the official US Collaborative Custody partner of Bitcoin Magazine and an integral sponsor of related content published through Bitcoin Magazine. For more information on services offered, custody products, and the relationship between Unchained and Bitcoin Magazine, please visit our website.