Security Model

The proposed solution is secure and trustless by design. Once loan terms are agreed upon and transactions are signed, the platform leverages the security model of the Bitcoin L1 to enforce all agreements without requiring ongoing cooperation between parties.

Lender Security Guarantees

Guaranteed Loan Terms and Immutability

To originate a loan, the lender needs to sign two transactions:

An origination transaction that will lock the Ordinal in escrow and send the loan amount to the borrower.
A repayment transaction that will return the Ordinal to the borrower and send the repayment amount to the lender.

Security Guarantee: If any of the loan terms in the signed transaction is modified, the lender’s signatures becomes invalid, and loan funds will not be sent.

Origination transaction

Before signing the origination transaction, the lender can verify:

Ordinal: Verify the right inscription is being used as collateral.
Loan Amount: Verify the exact amount being lent to borrower.
Escrow UTXO: Validate that the escrow UTXO will unlock the ordinal via one of the only two ways:
- If the loan is not repaid by its due date, the lender can unilaterally send the Ordinal to their wallet.
- The Ordinal will be returned to the borrower if and only if the lender receives the correct repayment amount first.

Repayment transaction

Before signing the repayment transaction, the lender can verify:

Escrow: Verify the same Ordinal (same Escrow UTXO) as was locked in the origination transaction.
Repayment Amount: Verify the exact amount lender will receive when the loan is repaid.
Platform Fees: Verify the platform fees match the agreement.

Guaranteed Collateral Recovery on Default

The escrow mechanism has only two spending paths, both requiring the lender’s signature:

Timelock Path: Lender signature + timelock expiration.
Multisig Path: Lender signature + borrower signature.

Security Guarantee: After the timelock expires, if the borrower has not repaid (and therefore not reclaimed the Ordinal), the lender can unilaterally send the Ordinal to their wallet using the timelock path. This requires no cooperation from the platform or borrower.

Borrower Security Guarantees

Guaranteed Loan Terms and Immutability

Security Guarantee: If any of these elements are changed, the borrower’s signature becomes invalid, and the loan will not be originated.

Before signing the origination transaction, the borrower can verify:

Repayment Transaction was pre-signed by lender:

A valid lender signature was already provided.
The correct Ordinal is being returned to borrower.
The correct repayment amount is required.
The correct escrow UTXO design with only two paths:
- 2-2 Multisig: The lender’s signature (already provided) + the borrower’s signature (to be added later).
- Timelock Path: The lender’s signature + the timelock representing the loan’s due date.

Origination Transaction:

The correct Ordinal is being locked in escrow.
The correct loan amount is being sent to borrower.
The correct platform fees are being charged.
The same escrow UTXO is used in the repayment transaction as the origination transaction.

Guaranteed Collateral Recovery on Repayment

Security Guarantee: Any time before the timelock expires, the borrower can use the multisig spending path to reclaim their Ordinal. The repayment transaction was already signed by the lender before the Ordinal was locked in escrow, allowing the Ordinal to be returned to the borrower if and only if the correct repayment amount is provided.

The borrower needs only to:

Add their repayment UTXO to the repayment transaction already signed by the lender.
Sign and broadcast the repayment transaction.

No cooperation is required from the platform or the lender.

Platform Security Model

Limited Trust Requirements

The platform’s role is coordination only:

Transaction Construction: Builds properly structured transactions.
Message Passing: Facilitates communication between parties.
Broadcasting: Submits finalized transactions to the Bitcoin network.

Platform Failure Scenarios

If the Platform Disappears:

Lenders: Can still claim collateral after due date using the timelock path.
Borrowers: Can still repay and reclaim collateral using the pre-signed repayment transaction.

If the Platform Acts Maliciously:

Cannot Steal Funds: The platform never has custody of assets.
Cannot Modify Terms: The lender and borrower signatures prevent tampering with loan terms, the platform does not sign any transactions.
Cannot Prevent Resolution: Both parties have unilateral exit options.

Trustless Enforcement

Post-Origination Autonomy

Once the loan origination transaction is confirmed on the Bitcoin network:

Before the Due Date:

Only the borrower can reclaim the Ordinal (via repayment).
Lender cannot access the collateral due to the timelock.

After the Due Date:

Only the lender can claim the Ordinal as long as the loan is unpaid.
The Borrower can still reclaim the Ordinal via repayment if the lender has not yet claimed it.

Trust Minimization

Fountnhead achieves minimal trust through:

Self-Custody: Borrowers and lenders retain control of their assets.
Secure Enforcement by Bitcoin L1: Bitcoin script enforces all loan terms.
Unilateral Exit: Either party can exit without cooperation from the platform or the other party.
Transparent Terms: All loan terms are verifiable before signing transactions.

This design ensures that trust is only required during the brief setup phase, after which the protocol operates trustlessly through Bitcoin’s consensus mechanism.