What is Covenant

Bitcoin's first native stablecoin — where stability meets sovereignty.

Covenant is Bitcoin's own stablecoin protocol — born from its native infrastructure, secured by its collateral, and represented as Runes.

No bridges. No custodians. Pure permissionless finance, fully aligned with Bitcoin's principles of decentralisation and censorship-resistance.

Every operation — minting, redemption, liquidation — executes atomically, ensuring consistency, reliability, and uncompromising stability.

With Covenant, Bitcoin becomes more than a store of value. It becomes the foundation for lending, saving, payments, and trading in a trust-minimised ecosystem.

How Covenant works

Covenant is a Bitcoin-native stablecoin protocol. It allows any user to lock BTC as collateral and mint USD·COV, a dollar-pegged token, without leaving Bitcoin's security model.

This page gives a summary of the full picture: what backs USD·COV, how vaults work, and what keeps the peg stable.

The Problem Covenant Solves

Bitcoin is the most secure, most decentralised monetary network ever built. But it has never had a stable unit of account that lives within its own security model.

Every time a Bitcoin holder wants dollar stability today, they are forced to leave: sell their BTC, bridge to another chain, or trust a centralised issuer. In every case, they hand control to an intermediary. A bank. A bridge. An issuer with a freeze function.

Covenant removes that exit.

What Backs USD·COV

USD·COV is not a claim on a bank account. It is not a synthetic position on a derivatives exchange. Every USD·COV in circulation is backed by Bitcoin collateral locked directly on-chain at a minimum 200% collateral ratio, meaning at least $200 worth of BTC must be locked for every $100 of USD·COV minted.

The collateral never leaves Bitcoin. It is held in non-custodial Taproot vaults governed entirely by Bitcoin script. No bridge. No wrapped asset. No third-party custodian.

Vaults

A vault is the core unit of the Covenant protocol. When a user mints USD·COV, a vault is created. The vault holds:

  • The user's locked BTC collateral
  • The outstanding USD·COV debt issued against it

The vault is non-custodial by design. The BTC is locked into a script with two spend paths: one for normal user-controlled operations, and one for liquidation. The user retains primary control at all times. The protocol can only act through the liquidation path, and only when the collateral ratio breaches the safety threshold.

Every vault operation (opening, topping up collateral, repaying debt, closing) executes as a single atomic Bitcoin transaction. There is no intermediate state. Either the operation completes in full, or it does not happen at all.

Minting USD·COV

To mint USD·COV, a user:

  1. Selects the amount of USD·COV they want to issue
  2. Locks the required BTC collateral into a Taproot vault at a minimum 200% collateral ratio
  3. Receives USD·COV as a Rune on Bitcoin

The mint transaction is atomic: collateral locking and token issuance happen together in a single transaction. If either step fails, the entire transaction is rejected.

Redeeming USD·COV

To close a vault and reclaim BTC collateral, a user:

  1. Burns the outstanding USD·COV debt
  2. The vault script releases the locked BTC back to the user

Redemption is always available. Even when the oracle is in a degraded or halted state, users retain the right to exit. The protocol is designed so that no system condition can trap user funds.

Liquidations

If the value of a vault's BTC collateral falls and the collateral ratio drops below 150%, the vault becomes eligible for liquidation.

Covenant uses a deterministic liquidation system. Incentives are pre-specified by the protocol: there are no auctions, no order books, and no discretionary intervention. Any participant can act as a liquidator by burning USD·COV or injecting collateral to restore the vault's collateral ratio. In return, they receive ownership of the vault and its collateral.

Liquidation incentives scale automatically with market stress: the deeper the collateral ratio falls, the more attractive the liquidation becomes. This ensures the system self-corrects without relying on governance or manual action.

The Oracle

Every mint, redemption, and liquidation decision depends on a reliable BTC/USD price. Covenant's oracle aggregates prices from multiple independent sources and applies a five-step anomaly detection pipeline, including statistical outlier filtering, staleness checks, and circuit breakers, before producing a final price.

If the oracle cannot guarantee a reliable price, it halts all price-dependent operations automatically. Burns and exits remain available regardless.

Security

The protocol is operated through geographically distributed signer networks rather than a single operator or server. Critical protocol functions are coordinated across multiple independent participants, so no one party can act alone or exercise unilateral control over the system.

Role separation means the oracle signing network, the liquidation signing network, and the protocol signing network are each independently generated and independently operated. Compromising one role grants no authority over another.

USD·COV as a Rune

USD·COV is represented on Bitcoin using the Runes protocol, a token standard that lives natively on Bitcoin L1 without requiring a sidechain or separate execution environment. This means USD·COV inherits Bitcoin's full security guarantees and settles with Bitcoin's finality.

The Three Pillars

Everything in Covenant's design flows from three properties.

Atomicity: Every operation is a single, indivisible Bitcoin transaction. No partial states. No sequencing risk. No intermediate custody.

Sovereignty: Users retain control of their collateral throughout. BTC is locked by script, not surrendered to the protocol. No entity can freeze or redirect user funds.

Stability: The peg is maintained through overcollateralisation and deterministic liquidation rules enforced on Bitcoin itself, not by a governance vote, not by a committee, not by discretion.

Why Covenant

Built from within Bitcoin's architecture — extending what Bitcoin already does rather than working around what it lacks.

What Satoshi Actually Built

The popular framing of Bitcoin as "digital gold" captures only part of the design. Satoshi described a peer-to-peer electronic cash system — a network where economic activity flows continuously, where transactions settle directly between participants, and where miners are compensated for securing that activity.

Bitcoin Whitepaper, Section 6
"Once a predetermined number of coins have entered circulation, the incentive can transition entirely to transaction fees and be completely inflation free."

Block rewards halve every four years. By 2140, they reach zero. The long-term security of Bitcoin is therefore inseparable from the volume of economic activity that flows through it.

The Stability Problem

The reason economic activity doesn't flow through Bitcoin comes down to one missing primitive: a stable unit of account.

  • Pricing a contract in BTC means absorbing daily volatility risk.
  • Paying an invoice in BTC creates treasury exposure.
  • Building a lending market requires a denomination that holds its value.

Without stability, every meaningful financial operation pushes users off Bitcoin. Each exit represents a transaction that never happened on Bitcoin.

Bitcoin Security — Fee Market Loop
[Figure: a loop in which Covenant (Bitcoin-native stability; no bridges, no custodians) enables on-chain activity (DeFi, payments, lending), which generates fees for miner revenue and network security; a secured network attracts users and more activity.]

What Becomes Possible

  • Miners — lock BTC, mint USD·COV, cover operational costs without selling.
  • Long-term holders — access liquidity against their position without exiting their stack.
  • Businesses — manage cash flow in stable terms while settling entirely on Bitcoin.
  • Emerging markets — a stable unit backed by Bitcoin itself, with no issuer who can freeze it.

The Protocol's Scope

Covenant optimises for composability, neutrality, and determinism. The protocol does not prescribe how USD·COV gets used or what gets built on top of it. Just as DAI succeeded because Maker provided a reliable primitive, Covenant is designed for others to build on top of.

The protocol's scope is deliberately narrow: provide a stable, Bitcoin-native unit of account with credible, rule-based risk management. The rest emerges from that foundation.

Atomicity

Every core operation executes entirely or not at all.

Atomicity is a critical property of Covenant. It ensures that each core operation — minting, withdrawing, and claiming — executes entirely or not at all, preventing partial state changes and preserving system integrity.

Why Atomicity Matters

Protocols that split operations across multiple transactions introduce risk: failed intermediate steps can result in locked collateral without token issuance, or tokens burned without collateral release. Such failures require manual intervention — which contradicts the notion of decentralisation.

By executing all steps in a single transaction, Covenant ensures users never face partial failures. Every action yields a definitive result, eliminating uncertainty.

Atomic vs Multi-step
[Figure: Atomic (Covenant): lock BTC collateral, issue USD·COV, pay fee and attest in a single Bitcoin TX, all or nothing. Multi-step (risk): TX 1 locks BTC, but a later TX may never issue, leaving BTC locked with no USD·COV issued and manual intervention required.]

Validation and Verification

An open-source node functions as an indexer that scans Bitcoin blocks from genesis onward to identify and validate Covenant transactions. It confirms that mint, withdraw, and claim operations are contained within single transactions and conform to protocol rules. Anyone may run a Covenant Protocol Node to audit the full transaction history.

Sovereignty

Self-Custody by Design

Covenant ensures users maintain primary control over their Bitcoin collateral through non-custodial script-based transactions. Every interaction (minting, redeeming, and claiming) occurs directly on the Bitcoin blockchain with clearly defined conditions for collateral access.

Why Sovereignty Matters

Preserving User Control

Users retain ownership of their Bitcoin throughout the collateralization process. Collateral is locked into transparent Bitcoin Scripts that enforce protocol rules while preserving the user as the primary controller. User signatures are required for all standard operations, eliminating counterparty risk in normal circumstances.

Eliminating Single Points of Failure

Traditional stablecoins require users to trust centralized issuers with complete custody of reserves. USD·COV distributes control through deterministic script conditions and decentralized validation networks, removing dependence on any single custodial entity.

Maintaining Censorship Resistance

With no single operator controlling funds or operations, Covenant transactions cannot be arbitrarily censored or reversed. Users interact directly with Bitcoin's consensus mechanism and distributed protocol enforcement.

How Sovereignty is Enforced

Covenant uses multi-path Bitcoin Scripts that define clear spending conditions for different scenarios. Users maintain control over standard operations, while distributed mechanisms handle edge cases like liquidations. All conditions are transparent and verifiable on-chain.

Stability

The peg is maintained through overcollateralisation and deterministic liquidation rules enforced on Bitcoin itself.

USD·COV's peg relies on two pillars. First, overcollateralisation ensures the value of locked Bitcoin always exceeds outstanding USD·COV by a configurable margin (200%). Second, atomic on-chain minting and redemption enable arbitrageurs to correct price deviations instantly.

  • When USD·COV trades at a premium — users mint and sell, driving the price down.
  • When it trades at a discount — traders redeem and buy back, restoring parity without external market makers.

Deterministic Liquidations

If a vault's collateral ratio falls below the liquidation threshold, any participant can intervene by burning USD·COV or injecting collateral. Incentives scale automatically with the severity of undercollateralisation — making corrective action increasingly attractive as market stress rises.

Peg Stabilisation — Arbitrage Loop
[Figure: arbitrage around the $1.00 peg. Premium (> $1.00): users mint USD·COV and sell; supply increases and the price falls. Discount (< $1.00): traders redeem and burn USD·COV; supply shrinks and the price rises. Backstop mechanisms: ≥ 200% overcollateralisation, deterministic liquidations, protocol fee reserve.]

Fee Reserves

A share of minting, redemption, and liquidation-related fees accrues to a reserve pool, helping the protocol absorb elevated transaction costs and maintain reliable operation during extreme market conditions.

Liquidator Incentives

Liquidators are rewarded through protocol-defined discounts embedded in the collateral they receive, encouraging fast and responsive participation whenever vaults fall below required collateral levels.

Mint

Lock Bitcoin collateral and receive freshly minted USD·COV tokens in a single atomic transaction.

Minting is the process by which a user locks Bitcoin collateral and receives freshly minted USD·COV tokens in return. The process is completed in a single atomic Bitcoin transaction — issuance only occurs when collateral lock, token creation, protocol fee payment, and protocol participation are all recorded together on-chain.

Mint Transaction — Atomic Structure
[Figure: Inputs: user BTC UTXO (collateral + fee funds) and protocol UTXO (attestation input). Atomic Bitcoin transaction: (1) lock BTC into the Taproot vault output, (2) issue USD·COV to the recipient Rune output, (3) pay the protocol fee as a BTC fee output, (4) protocol attestation output. Outputs: vault (BTC locked, Taproot address), USD·COV Rune (recipient address), protocol fee (BTC output). The oracle verifies BTC/USD so that CR ≥ 200% before the TX assembles.]

Mint Transaction Overview

A valid Covenant mint transaction performs four actions simultaneously:

  1. Locks BTC: into a new overcollateralized Taproot vault.
  2. Issues USD·COV: delivered to the designated recipient as a Rune on Bitcoin.
  3. Pays the protocol fee: denominated in BTC, included in the same transaction.
  4. Includes protocol attestation: an attestation output marks the transaction as a valid protocol-recognized mint.

No USD·COV can enter circulation without corresponding Bitcoin collateral being locked under Covenant's vault rules.

Burn

Destroy USD·COV tokens and unlock the corresponding Bitcoin collateral atomically.

Burning is the process by which a user destroys USD·COV tokens and unlocks the corresponding Bitcoin collateral in return. The process is completed in a single atomic Bitcoin transaction — collateral release only occurs when token burn, vault spend, and protocol participation are all recorded together on-chain.

Because the burn is atomic, Covenant does not rely on delayed settlement or off-chain bookkeeping. A burn is only recognized when both the token destruction and the collateral release are embedded in the same valid Bitcoin transaction.

Burn Transaction — Atomic Redemption
[Figure: Inputs: USD·COV Rune (to be burned) and vault UTXO (locked BTC collateral). Atomic burn transaction: (1) USD·COV permanently destroyed, (2) BTC collateral released to user; both complete, or neither does. Outputs: USD·COV destroyed (removed from supply) and BTC to the user wallet (collateral unlocked).]

Bitcoin collateral cannot be unlocked unless the matching amount of USD·COV is burned in the same on-chain event.

Top Up

Add additional Bitcoin collateral to an existing vault to reduce liquidation risk.

Topping up allows a user to add additional Bitcoin collateral to an existing vault without minting new USD·COV — improving the vault's collateral ratio, reducing liquidation risk, and strengthening the position while keeping the outstanding USD·COV debt unchanged.

The transaction spends the current vault collateral output together with user-provided Bitcoin inputs, and recreates the vault with a higher collateral balance. No new USD·COV is issued.

Top Up — Vault Collateral Improvement
[Figure: Vault before: 165% collateral ratio, near liquidation. BTC is injected through an atomic top-up TX that (1) spends the existing vault output and (2) recreates the vault with the new BTC. Vault after: 220% collateral ratio, safely overcollateralized.]

The vault's collateral balance is updated directly on-chain without changing the USD·COV already in circulation.

Liquidation

The mechanism that keeps USD·COV fully backed as Bitcoin prices move.

When a vault's collateral ratio falls below the protocol's liquidation threshold, the vault becomes eligible for forced intervention so that undercollateralized debt does not remain in the system.

Deterministic Model

Covenant uses a deterministic liquidation model rather than an auction or order-book process. The protocol defines in advance how much of a vault's collateral becomes claimable as the vault weakens. At the liquidation boundary, only a portion of the collateral is offered. If the Bitcoin price continues to fall, the offered portion increases automatically.

Liquidation Incentive Curve
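[Figure: liquidation incentive curve. x-axis: vault collateral ratio (ticks at 100%, 125%, 150% and 200%, with liquidation starting at 150%); y-axis: % claimable collateral (0 to 100%). About 20% is claimable when a vault is just eligible, rising to 100% claimable in severe distress.]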

Who Can Liquidate?

Any market participant can step in once a vault enters liquidation. The protocol does not rely on whitelists, preferred liquidators, or discretionary action. Liquidation is open, rule-based, and enforced directly through Bitcoin transactions.

Participants can restore a vault by burning USD·COV, injecting fresh Bitcoin collateral, or combining both. In return, they receive control over the offered portion of the vault's collateral.

Oracle

Multi-source Bitcoin price infrastructure designed to prioritise resilience, consistency, and safety.

Covenant relies on a multi-source Bitcoin price system to support its core protocol functions — determining minting capacity, monitoring vault health, and triggering liquidations. Because price integrity directly affects solvency, the oracle prioritises resilience over speed.

Price Sources

Covenant draws pricing data from five independent market sources: Binance, Coinbase, Kraken, Bitstamp, and CoinGecko. The protocol does not depend on any single venue.

Oracle — Price Aggregation & Validation Pipeline
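[Figure: the five sources (Binance, Coinbase, Kraken, Bitstamp, CoinGecko) feed a pipeline of freshness (staleness check), outlier filter (statistical), consensus (threshold check) and circuit breaker (RoC limits). A valid result is published as the protocol BTC/USD price; an unreliable result leads to HALT, with burns still allowed.]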

Price Validation and Safety Checks

The oracle applies several layers of validation before a price is accepted for protocol use — freshness checks, statistical outlier filtering, consensus threshold requirements, and circuit breakers. If too few reliable inputs remain, the oracle halts rather than publish a weak price.
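A sketch of the four checks named above, written as an added example and not taken from Covenant's code. The thresholds, the MAD-based outlier rule and all names are assumptions, since the page does not publish the oracle's parameters.

```python
import statistics
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Thresholds are assumptions for this sketch; the page does not publish them.
MAX_AGE_S = 30        # freshness window for a quote, in seconds
MAD_K = 5.0           # outlier cut-off, in median absolute deviations
MAD_FLOOR = 0.0005    # minimum deviation scale, as a fraction of the median
MIN_SOURCES = 3       # consensus threshold: quotes that must survive filtering
MAX_ROC = 0.10        # circuit breaker: largest accepted move vs the last price


@dataclass(frozen=True)
class Quote:
    source: str
    price: float
    timestamp: float


@dataclass(frozen=True)
class OracleResult:
    status: str                 # "OK" or "HALT"
    price: Optional[float]
    reason: str
    used: Tuple[str, ...]       # sources still standing when the decision was made


def _halt(reason: str, quotes: Sequence[Quote]) -> OracleResult:
    return OracleResult("HALT", None, reason, tuple(q.source for q in quotes))


def aggregate(quotes: Sequence[Quote], now: float,
              last_price: Optional[float] = None) -> OracleResult:
    # 1. Freshness: drop stale, future-dated or non-positive quotes.
    fresh = [q for q in quotes
             if q.price > 0 and 0 <= now - q.timestamp <= MAX_AGE_S]
    if len(fresh) < MIN_SOURCES:
        return _halt("too few fresh sources", fresh)

    # 2. Outlier filter: distance from the median, scaled by the MAD.
    #    The floor stops a very tight cluster from rejecting normal spreads.
    med = statistics.median(q.price for q in fresh)
    mad = statistics.median(abs(q.price - med) for q in fresh)
    tolerance = MAD_K * max(mad, MAD_FLOOR * med)
    kept = [q for q in fresh if abs(q.price - med) <= tolerance]

    # 3. Consensus: halt rather than publish a price from too few inputs.
    if len(kept) < MIN_SOURCES:
        return _halt("no consensus after outlier filtering", kept)
    price = statistics.median(q.price for q in kept)

    # 4. Circuit breaker: reject an implausible jump from the last price.
    if last_price is not None and abs(price - last_price) / last_price > MAX_ROC:
        return _halt("rate-of-change circuit breaker", kept)
    return OracleResult("OK", price, "consensus price",
                        tuple(q.source for q in kept))


def allowed_operations(result: OracleResult) -> set:
    # Price-dependent operations stop on HALT; burns stay available.
    if result.status == "OK":
        return {"mint", "burn", "liquidate"}
    return {"burn"}


# Constructed sample quotes (not real market data).
NOW = 1_000.0
SAMPLE = [
    Quote("binance", 65_000.0, 995.0),
    Quote("coinbase", 65_020.0, 998.0),
    Quote("kraken", 64_990.0, 990.0),
    Quote("bitstamp", 71_000.0, 997.0),    # outlier
    Quote("coingecko", 65_010.0, 900.0),   # stale
]

if __name__ == "__main__":
    print(aggregate(SAMPLE, NOW, last_price=64_800.0))
    print(aggregate(SAMPLE, NOW, last_price=50_000.0))
```

The second call halts on the circuit breaker even though three sources agree, which is the fail-safe behaviour the page describes: an unreliable price blocks mints and liquidations but not burns.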

Role in Covenant

The oracle sits at the centre of Covenant's risk engine. Every participant — minters, vault operators, liquidators, validators — depends on a consistent reference price to evaluate protocol state from the same set of facts.

Threshold Execution Network

Distributed signer infrastructure enforcing vault rules without a single point of control.

Covenant's vault system is enforced through a distributed signer infrastructure called the Threshold Execution Network (TEN). Rather than relying on a single operator, Covenant distributes responsibility across independent signer networks — ensuring sensitive protocol actions cannot be carried out unilaterally.

TEN — Role Separation Architecture
[Figure: three isolated signer groups. Oracle signers: price attestation, independent key generation, threshold Schnorr (FROST). Protocol signers: general execution, vault operations (mint / burn), multi-party coordination. Liquidation signers: liquidation execution, triggered by oracle signal, cannot act without quorum. All feed into a valid Bitcoin transaction: all-layer validation required, on-chain verifiable, deterministic.]

Role Separation

Pricing, liquidation, and protocol-level execution are handled by distinct, independently operated signer networks. Each has its own authority boundary. Compromise or malfunction in one domain does not grant influence over another.

Security Model

No single participant can independently authorize a sensitive protocol action. Execution authority is distributed across multiple independent actors. The network can only participate in actions already permitted by Covenant's vault design and Bitcoin's native enforcement rules.

Transparency and Verifiability

All vault state, collateral movements, mint activity, burn activity, and liquidation outcomes are reflected on Bitcoin and can be reconstructed by independent indexers and validators. The TEN is not trusted blindly — its actions are constrained by protocol rules and observable by any external participant.

Mechanics

Fully deterministic. No auctions. No discretion. Open to any participant.

Every vault carries a collateral ratio — the value of locked BTC relative to the USD·COV issued against it. When it falls below the liquidation threshold, the vault becomes eligible for intervention. Covenant does not use auctions, order books, or manual approval.

How Incentives Scale With Stress

When a vault first crosses the liquidation threshold, only a portion of its collateral becomes claimable. As the vault deteriorates further, the claimable portion increases automatically. The deeper the stress, the more attractive the opportunity — without any manual adjustment or governance vote.

Three Intervention Paths
[Figure: a vault with CR < 150% is eligible for liquidation. Three paths: burn USD·COV (reduce vault debt directly), inject BTC (add fresh collateral), or combined (burn + inject in the same TX). Result: vault restored to CR ≥ 200%; the liquidator claims collateral and receives BTC.]

Three Ways to Intervene

  • Burn USD·COV — reduce the vault's outstanding debt directly.
  • Inject BTC — add fresh collateral to strengthen the position.
  • Combine both — use a mix of debt reduction and collateral injection in the same transaction.

What the Liquidator Receives

In return for restoring the vault to health, the participant receives control over the portion of collateral the protocol makes available at that stage — determined entirely by the protocol's predefined rules, not by bidding or any off-chain factor.

The Two Goals

Covenant's liquidation system serves two purposes simultaneously: protecting USD·COV solvency by ensuring unhealthy debt does not remain unresolved, and creating a predictable, open incentive environment that attracts independent participants to keep the system healthy.

Liquidator

Market participants who restore system safety by resolving unhealthy vaults — permissionlessly.

Covenant does not rely on a privileged liquidation class. Any participant who satisfies the protocol's intervention rules may act as a liquidator. Liquidation has two distinct stages:

  1. Intervention: the liquidator restores the vault to a safe collateral ratio by burning USD·COV, injecting BTC, or both.
  2. Settlement: the liquidator burns the remaining USD·COV required to actually withdraw the collateral. Only after both stages is the profit fully realized.

Worked Example — Burn Path
  • Vault state: debt 1,000 USD·COV; collateral 0.02 BTC; BTC price $65,000; liquidation threshold 150%; claimable 0.0168 BTC = $1,092
  • Intervention: minimum burn required 454 USD·COV; vault restored to 200% CR
  • Settlement: remaining burn 546 USD·COV
  • Outcome: total deployed 1,000 USD·COV; collateral value $1,092; net profit +$92 before fees and gas

The Role of Liquidators

Liquidators are not just profit-seeking participants — they are the mechanism through which the system maintains solvency. They remove undercollateralized debt, restore vault health, and enforce system stability through economic incentives. Covenant's design ensures that liquidation remains permissionless, continuously functional, market-driven, and resilient under stress.

Inject vs Burn

Both paths are valid — but they are not equally attractive economically.

In general, burning USD·COV is the more profitable intervention path. Injecting BTC can still be useful — especially for participants who do not hold USD·COV — but it usually captures a smaller discount.

When a liquidator burns USD·COV, they directly remove debt from the vault. This reduces the liability side of the position immediately, meaning a smaller amount of capital can unlock claim over a larger amount of distressed collateral. Injecting BTC adds new collateral rather than reducing debt — less capital-efficient.

Gross Intervention Surplus — Burn vs Inject
  • Burn path: capital deployed 454 USD·COV = $454; collateral claimed $1,092; gross surplus +$638 (58% gross margin)
  • Inject path: capital deployed 0.01397 BTC = $908; collateral claimed $1,092; gross surplus +$184 (17% gross margin)

Summary
Burning is balance-sheet efficient. Injecting is collateral-side repair. Both help the system, but burning typically does so more efficiently.
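The figures in the burn-path worked example and the burn-versus-inject comparison can be reproduced with the calculation below, an added example that is not part of the protocol's code. Two things are assumptions inferred from the page's numbers: the claimable curve is taken as a straight line from 20% at a 150% ratio to 100% at 125%, and "restored" is taken to mean that the claimable collateral backs the remaining debt at 200%.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_CEILING

MIN_CR = Decimal("2.00")         # 200% restoration target (from the page)
LIQ_CR = Decimal("1.50")         # 150% liquidation threshold (from the page)
BASE_CLAIM = Decimal("0.20")     # ~20% claimable when just eligible (page figure)
FULL_CLAIM_CR = Decimal("1.25")  # ASSUMPTION: 100% claimable at or below 125%
SATOSHI = Decimal("0.00000001")


def _d(x) -> Decimal:
    return Decimal(str(x))


def claimable_fraction(cr) -> Decimal:
    """Assumed linear curve; it matches the page's 0.0168 of 0.02 BTC at 130%."""
    cr = _d(cr)
    if cr >= LIQ_CR:
        return Decimal(0)            # healthy vault: nothing is claimable
    if cr <= FULL_CLAIM_CR:
        return Decimal(1)
    slope = (Decimal(1) - BASE_CLAIM) / (LIQ_CR - FULL_CLAIM_CR)
    return BASE_CLAIM + slope * (LIQ_CR - cr)


@dataclass(frozen=True)
class LiquidationPlan:
    cr: Decimal               # collateral ratio before intervention
    claimable_btc: Decimal
    claimable_usd: Decimal
    min_burn: Decimal         # USD·COV burned at intervention (burn path)
    settlement_burn: Decimal  # USD·COV burned afterwards to withdraw
    min_inject_usd: Decimal   # value of BTC injected (inject path)
    min_inject_btc: Decimal
    burn_surplus: Decimal     # claimable value minus intervention capital
    inject_surplus: Decimal
    burn_path_net: Decimal    # after settlement, before fees and gas


def plan_liquidation(collateral_btc, debt, btc_price) -> LiquidationPlan:
    collateral_btc, debt, btc_price = _d(collateral_btc), _d(debt), _d(btc_price)
    cr = collateral_btc * btc_price / debt
    fraction = claimable_fraction(cr)
    if fraction == 0:
        raise ValueError("vault is at or above the liquidation threshold")

    claimable_btc = collateral_btc * fraction
    claimable_usd = claimable_btc * btc_price
    # ASSUMPTION: restoration means claimable_usd / remaining_debt == MIN_CR
    # (burn path) or (claimable_usd + injected) / debt == MIN_CR (inject path).
    # The page does not say where the unclaimed remainder of collateral goes.
    min_burn = debt - claimable_usd / MIN_CR
    min_inject_usd = MIN_CR * debt - claimable_usd
    # Round up to a whole satoshi so the injection is never short.
    min_inject_btc = (min_inject_usd / btc_price).quantize(
        SATOSHI, rounding=ROUND_CEILING)

    return LiquidationPlan(
        cr=cr,
        claimable_btc=claimable_btc,
        claimable_usd=claimable_usd,
        min_burn=min_burn,
        settlement_burn=debt - min_burn,
        min_inject_usd=min_inject_usd,
        min_inject_btc=min_inject_btc,
        burn_surplus=claimable_usd - min_burn,
        inject_surplus=claimable_usd - min_inject_usd,
        burn_path_net=claimable_usd - debt,
    )


if __name__ == "__main__":
    # The page's vault: 0.02 BTC against 1,000 USD·COV at $65,000.
    print(plan_liquidation("0.02", 1000, 65000))
```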

Practical Meaning

BTC injection remains an important path because it broadens the set of possible liquidators. A participant who does not hold USD·COV can still stabilize a vault by contributing BTC directly. That flexibility matters for protocol resilience — in stressed conditions, multiple valid intervention paths are more robust than depending on a single liquidator profile.

System Risks & Mitigation

Engineered to remain robust under market volatility, infrastructure failures, adversarial manipulation, and partial system compromise.

The protocol does not assume ideal environments. The objective is not to eliminate all risk, but to bound it, isolate it, and prevent systemic failure.

System Architecture

Covenant enforces correctness through multiple independent layers: atomic Bitcoin transactions, MPC-FROST signer infrastructure, oracle-based price validation, deterministic liquidation logic, and open indexer-based verification. Each layer operates independently — failure in one does not immediately compromise the entire system.

Defense-in-Depth — Layered Architecture
[Figure: layered architecture: Bitcoin consensus, atomic TXs, MPC-FROST, oracle, protocol. Each layer is independent; failure in one does not cascade.]

Primary Risk Classes

CRITICAL

MPC Compromise

Scenario — If a threshold of signer nodes is compromised, unauthorized transactions may be approved.

Mitigation — Role-separated MPC networks · Independent transaction validation · Strict operational controls · Future removal via Bitcoin-native covenant mechanisms

HIGH

Oracle Failure

Scenario — Incorrect price data can lead to false liquidations, delayed liquidations, or undercollateralized minting.

Mitigation — Multi-source aggregation · Time-weighted pricing · Freshness validation · Conservative fallback logic

MEDIUM

Extreme Market Conditions

Scenario — Rapid BTC price movements may exceed liquidation response capacity, resulting in temporary undercollateralisation.

Mitigation — Overcollateralisation requirements · Deterministic liquidation mechanisms · Treasury backstop design

Design Principles

Fail-Safe Execution

When uncertainty is high, the system prefers halting over unsafe execution — preventing incorrect state transitions during oracle disagreement, infrastructure failure, or partial compromise.

Layered Validation

Critical actions require validation across multiple independent systems. Oracle signals must be verified; transactions must be independently checked before signing. This prevents single points of failure.

Deterministic Behavior

Liquidation and execution logic are deterministic and predictable, ensuring consistent behavior under stress, reliable arbitrage participation, and reduced reliance on discretionary actors.

Isolation of Failure

Server compromise cannot directly move funds. Oracle failure cannot bypass MPC validation. Failures are contained within their respective domains.

Oracle & MPC Security

The two critical coordination layers — and why neither can independently compromise funds.

Covenant's security model is built around two critical coordination layers: the Oracle Network providing BTC/USD price signals and authorising liquidation conditions, and the MPC Signer Infrastructure enforcing custody and transaction execution via threshold signatures.

Neither layer can independently compromise funds. Critical actions require cross-layer validation. Failures default to halted execution, not unsafe execution.

Cross-Layer Validation Model

  • Oracle network: multi-source TWAP pricing; freshness timestamp validation; statistical outlier filtering; circuit breakers on RoC; median fallback mode
  • MPC signers (FROST): threshold Schnorr signatures; geographically distributed nodes; independent TX verification; no blind signing; key rotation procedures
  • Critical action (e.g. liquidation execution): requires both layers to validate
  • The oracle alone cannot move funds; MPC alone cannot approve liquidations. Partial compromise: the system halts safely.

Oracle Security

Price Integrity

Multi-source aggregation, TWAP, rate-of-change constraints, and outlier filtering reduce the likelihood of manipulated price inputs affecting the system.

Freshness Guarantees

Timestamp validation at the aggregation layer and MPC rejection of stale price data prevent stale or delayed data from affecting liquidation decisions.

Oracle Disagreement Handling

Median-based fallback pricing, tiered source prioritisation, and defined halt conditions ensure the system does not act on uncertain data.

MPC Signer Security

Three distinct signer domains — Protocol, Oracle, and Liquidation Signers — each operate independently to prevent cross-domain compromise.

Threshold Security

Transactions require a threshold of independent signers. Distributed operators with geographic and operational separation prevent single-point compromise.

Transaction Verification

The MPC layer does not blindly sign requests. Independent verification of transaction intent before signing prevents server-layer compromise from leading to fund loss.
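One way a signer node could review a request before contributing a signature share, as an added sketch and not Covenant's implementation. The request format, field names and freshness window are hypothetical, and authenticating the oracle attestation's own signature is outside this sketch.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

MIN_CR_BPS = 20_000      # 200% minimum collateral ratio at mint (from the page)
LIQ_CR_BPS = 15_000      # 150% liquidation threshold (from the page)
MAX_PRICE_AGE_S = 60     # ASSUMPTION: freshness window, not published on the page

# Authority per signer domain, following the page's role separation.
# The oracle signer domain is not modelled here and may approve nothing.
ROLE_ACTIONS = {
    "protocol": {"mint", "burn"},
    "liquidation": {"liquidate"},
}


@dataclass(frozen=True)
class PriceAttestation:      # hypothetical shape of an oracle price signal
    price_cents: int         # BTC/USD in cents
    timestamp: int


@dataclass(frozen=True)
class VaultView:             # what this signer's own indexer says about the vault
    collateral_sats: int
    debt_cents: int


@dataclass(frozen=True)
class SignRequest:           # hypothetical request from the coordinating server
    action: str
    collateral_sats: int     # collateral the transaction locks or spends
    debt_cents: int          # USD·COV minted, or debt the vault is said to hold
    attestation: Optional[PriceAttestation] = None


def cr_bps(collateral_sats: int, debt_cents: int, price_cents: int) -> int:
    # Collateral ratio in basis points, integer arithmetic only.
    return collateral_sats * price_cents * 10_000 // (100_000_000 * debt_cents)


def review(req: SignRequest, my_role: str, vault: Optional[VaultView],
           now: int) -> Tuple[bool, str]:
    # Role separation: a signer only considers actions in its own domain.
    if req.action not in ROLE_ACTIONS.get(my_role, set()):
        return False, "action outside this signer domain"
    if req.collateral_sats <= 0 or req.debt_cents <= 0:
        return False, "malformed amounts"

    # No blind signing: compare the request with independently indexed state.
    if req.action == "mint":
        if vault is not None:
            return False, "vault already exists"
    elif vault is None or (req.collateral_sats, req.debt_cents) != (
            vault.collateral_sats, vault.debt_cents):
        return False, "request does not match indexed vault state"

    # Burns stay available without a price, even when the oracle is halted.
    if req.action == "burn":
        return True, "approved"

    att = req.attestation
    if att is None or att.price_cents <= 0:
        return False, "missing price attestation"
    if not 0 <= now - att.timestamp <= MAX_PRICE_AGE_S:
        return False, "stale price attestation"

    ratio = cr_bps(req.collateral_sats, req.debt_cents, att.price_cents)
    if req.action == "mint" and ratio < MIN_CR_BPS:
        return False, "mint below minimum collateral ratio"
    if req.action == "liquidate" and ratio >= LIQ_CR_BPS:
        return False, "vault is not below the liquidation threshold"
    return True, "approved"


if __name__ == "__main__":
    # Constructed state: 0.02 BTC against 1,000 USD·COV, price $65,000.
    vault = VaultView(2_000_000, 100_000)
    att = PriceAttestation(6_500_000, 1_000)
    req = SignRequest("liquidate", 2_000_000, 100_000, att)
    print(review(req, "liquidation", vault, now=1_010))
    print(review(req, "protocol", vault, now=1_010))
```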

Cryptographic Safety

FROST-based signing requires correct nonce handling. Audited implementations and strict nonce management policies prevent key exposure.

Evolution of Trust Assumptions

The current architecture uses MPC as a controlled coordination layer. Future upgrades aim to replace MPC enforcement with Bitcoin-native covenant mechanisms, removing reliance on off-chain signing and eliminating entire trust domains.

Economic & Liquidation Risk

Risks are bounded, modeled, and mitigated through mechanism design — not assumed away.

Covenant operates in an open market environment where Bitcoin price dynamics and network conditions directly influence system stability. While the protocol enforces overcollateralisation and deterministic liquidation, economic risks cannot be fully eliminated.

Economic Risk Landscape
Risk scenario (severity): mitigation

  • Fee Congestion (MEDIUM): incentive curve adjustment
  • Lack of Liquidator Participation (MEDIUM): treasury backstop
  • Cascading Liquidations (HIGH): parallel arbitrage, no bottlenecks
  • Extreme BTC Price Shock (CRITICAL): 200% CR buffer + treasury
  • Reflexive Liquidation Spiral (HIGH): deterministic design, predictable pricing
  • Early-Stage Liquidity Risk (MEDIUM): gradual scaling, conservative params
  • Peg Instability (HIGH): strong redemption guarantees

Treasury as Stability Backstop

The protocol treasury captures liquidation fees and system surplus, supports liquidation execution during stress, and provides a buffer against extreme scenarios. This ensures the system maintains resilience even under adverse conditions.

Design Philosophy

Covenant assumes that markets can move faster than systems, liquidity can disappear under stress, and participants act rationally only when incentives are clear. The protocol is therefore designed to make liquidation opportunities immediately obvious, minimise coordination requirements, and ensure incentives remain aligned under stress.

Vault Security & Execution Model

All execution outcomes are defined at vault creation — enforced by Bitcoin consensus itself.

Covenant vaults are secured directly on Bitcoin through predefined spending conditions encoded within Taproot outputs. When a user locks BTC as collateral, the vault defines all possible execution outcomes at creation. These rules are enforced directly by Bitcoin consensus.

Vault Structure

  • User-Controlled Path — allows the user to unlock collateral by burning USD·COV and satisfying protocol-defined conditions. Requires user signature.
  • Liquidation Path — activates when collateral falls below required thresholds, enabling the system to enforce corrective actions without user participation.

Both paths are embedded at vault creation and cannot be altered afterward. A vault can only be spent if the exact conditions defined in its script are satisfied.

Vault Lifecycle
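[Figure: vault lifecycle. Create vault (lock BTC, define paths), then active vault (CR monitored, top-up OK). From there either the user redeems (burns USD·COV, gets BTC) or the vault is liquidated (CR < 150%, TEN acts). In both cases the vault is closed and BTC is distributed on-chain.]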

Execution Model

Protocol-controlled execution paths are coordinated through the Threshold Execution Network. This network does not custody user funds — it only participates in execution when predefined conditions are met. All execution requires coordination across multiple independent signers. No single participant can unilaterally authorize a vault spend.

Enforcement Guarantees

Vault behavior is fully determined at the time of creation. Execution paths are predefined, conditions are enforced by Bitcoin, and outcomes do not depend on discretionary actors. All outcomes are enforced by Bitcoin consensus.

Covenant encodes rules directly into Bitcoin transaction logic rather than relying on off-chain enforcement or discretionary control.

Protocol Economics

Designed to generate sustainable revenue while reinforcing Bitcoin-native liquidity.

Revenue Streams
  • Liquidity pool: ~5% APY to minters; protocol deploys at 7–8%; spread of 2–3% is revenue
  • Minting fee: BTC-denominated, per-mint protocol fee
  • Liquidation fee: 25% on liquidated collateral, in BTC
  • Future streams: payments, OTC, bridging; transaction + spread fees
  • Protocol treasury: backstop + operations; BTC-denominated reserves; absorbs residual risk

1. Native Liquidity Pool

Minters can provide liquidity to the Covenant pool and earn approximately 5% APY. The protocol deploys this liquidity into low-risk Bitcoin-native DeFi strategies, targeting 7–8% APY. The spread of approximately 2–3% is retained by the protocol as revenue.

2. Minting Costs

Each mint incurs a protocol fee denominated in BTC, in addition to standard Bitcoin network fees. This fee compensates the protocol for infrastructure and execution, aligns incentives between users and system sustainability, and ensures long-term viability without relying solely on yield spread.

3. Liquidation Fees

When a position falls below the required collateralisation threshold, a 25% fee is applied on the liquidated collateral. Fees are collected in BTC. This mechanism incentivises system stability and compensates the protocol for risk absorption.

4. Future Revenue Streams

  • Payments Infrastructure — credit card integrations, QR-based payments, transaction fee capture.
  • OTC Desks — facilitating large-volume Covenant transactions, earning spread-based fees.
  • Cross-Chain Bridging — bridging Covenant to ecosystems like Ethereum and Solana, capturing bridge and liquidity fees.