Introduction
Multisignature (multisig) wallets are one of Bitcoin's most powerful native features, enabling m-of-n spending conditions that distribute trust across multiple keys. Unlike smart-contract-based multisig on EVM chains, Bitcoin multisig is enforced at the Script level—making it lean, battle-tested, and deeply integrated into the protocol. This guide assumes familiarity with Bitcoin transaction structure, Script opcodes, and output types.
How Multisig Works at the Script Level
At its core, a multisig spending condition uses the OP_CHECKMULTISIG opcode (or its verify variant). A classic bare multisig scriptPubKey for a 2-of-3 scheme looks like:
`
OP_2
`
The corresponding scriptSig provides:
`
OP_0
`
The leading OP_0 is a well-known workaround for the off-by-one bug in OP_CHECKMULTISIG, which pops one extra element from the stack. This bug has never been fixed to maintain backward compatibility.
Bare Multisig vs. Wrapped Constructions
Bare multisig embeds all public keys directly in the output script, bloating the UTXO set. Modern implementations wrap multisig inside:
- P2SH (BIP-16): The redeem script is hashed, and only the hash appears on-chain until spending. Address prefix:
3. - P2WSH (BIP-141): The witness script is placed in the segregated witness, reducing effective weight. Address prefix:
bc1q(Bech32). - P2SH-P2WSH: A nested construction for backward compatibility with wallets that don't support native SegWit.
Taproot and Multisig: The MuSig2 and FROST Era
With the Taproot upgrade (activated November 2021), multisig can be implemented in fundamentally different ways:
Key-Path Spending with MuSig2
MuSig2 (BIP-327) enables n-of-n multisig that is indistinguishable from a single-sig transaction on-chain. All participants collaborate to produce a single aggregated Schnorr signature. Benefits:
- Maximum privacy—no multisig fingerprint
- Reduced transaction weight (single 64-byte signature)
- Lower fees compared to traditional multisig
Script-Path Spending with Tapscript
For m-of-n (where m < n), you can encode different signing combinations as leaves in a Merkle tree (MAST). Each leaf uses OP_CHECKSIGADD (the Tapscript replacement for OP_CHECKMULTISIG):
This is more efficient and flexible—you can assign different spending paths with different thresholds and even embed timelocked recovery branches.`
`FROST (Flexible Round-Optimized Schnorr Threshold Signatures)
FROST extends threshold signing to true m-of-n Schnorr schemes at the cryptographic level. Unlike script-based approaches, FROST produces a single signature regardless of threshold configuration. As of 2025, FROST implementations are maturing (e.g., in the secp256k1-zkp library), though BIP standardization is still in progress.
Key Management Strategies
The security of a multisig wallet lives and dies by key management:
- Geographic distribution: Store keys in separate physical locations to mitigate single points of failure (fire, theft, seizure).
- Hardware wallet diversity: Use devices from different manufacturers (e.g., Coldcard + Ledger + Trezor) to reduce supply-chain attack risk.
- Descriptor backups: Always back up the wallet's output descriptor (BIP-380/381/382). Without the descriptor, you cannot reconstruct the multisig even if you have all keys. Example descriptor:
wsh(sortedmulti(2,[fingerprint/48h/0h/0h/2h]xpub.../0/,[fingerprint/48h/0h/0h/2h]xpub.../0/,[fingerprint/48h/0h/0h/2h]xpub.../0/*)) - BIP-48 derivation paths: Use the standardized derivation path
m/48'/0'/0'/2'for P2WSH multisig to ensure interoperability between coordinators.
Coordinator Software
Popular multisig coordinator tools in 2025 include:
- Sparrow Wallet: Full-featured desktop coordinator with excellent PSBT (BIP-174) support.
- Caravan (by Unchained): Open-source, stateless multisig coordination tool.
- Nunchuk: Mobile and desktop coordinator with collaborative key management.
- Bitcoin Core (with descriptor wallets): For advanced users who prefer direct RPC control.
All modern coordinators communicate via PSBTs (Partially Signed Bitcoin Transactions), allowing each signer to add their signature independently, even on air-gapped devices.
Edge Cases and Pitfalls
1. The Redeem Script Size Limit
P2SH has a 520-byte push limit for redeem scripts, effectively capping standard multisig at 15-of-15. P2WSH raises the witness script limit to 10,000 bytes, supporting much larger configurations—though standardness rules in Bitcoin Core limit relay to 20 keys with OP_CHECKMULTISIG.
2. Key Ordering and Reproducibility
If cosigners import xpubs in a different order, a completely different multisig address is generated. Use sortedmulti() in your descriptor to enforce lexicographic ordering of public keys, eliminating this footgun.
3. Change Address Verification
When spending from multisig, each hardware signer should verify the change output belongs to the same multisig wallet. Without registering the multisig policy on the device (supported by Coldcard, Ledger via the Bitcoin app 2.1+, and Jade), a compromised coordinator could substitute a change address controlled by an attacker.
4. Fee Estimation Gotchas
Multisig inputs are significantly larger than single-sig inputs. A 2-of-3 P2WSH input is ~105 vbytes vs. ~68 vbytes for a single-sig P2WPKH input. Failing to account for this leads to fee underpayment and stuck transactions.
5. Inheritance and Recovery Planning
A 2-of-3 multisig doesn't help if heirs cannot locate the second key or don't have the descriptor. Consider:
- Using a timelock decay path (e.g., after 1 year, a 1-of-3 Tapscript branch becomes spendable)
- Storing encrypted recovery instructions with a dead man's switch service
- Including a professional key agent (e.g., Unchained, Casa) as one of the keyholders
6. Sighash Complexity
Each signer can theoretically use different sighash flags. In adversarial setups, a malicious cosigner could use SIGHASH_NONE to allow output modification after their signature. Coordinators should enforce SIGHASH_ALL and signers should verify the full transaction before signing.
Practical Recommendation: The 2-of-3 P2WSH Setup
For most advanced self-custody users in 2025, a 2-of-3 P2WSH multisig remains the gold standard:
1. Key A: Primary hardware wallet (Coldcard), kept accessible.
2. Key B: Secondary hardware wallet (different vendor), stored offsite.
3. Key C: Seed phrase in metal backup, geographically separated or held by trusted party.
4. Descriptor: Backed up in multiple locations alongside (but not co-located with) any single key.
As Taproot tooling matures, migrating to a Tapscript-based setup with timelocked recovery paths will provide superior privacy and flexibility.
Conclusion
Bitcoin multisig eliminates single points of failure in self-custody without introducing smart contract complexity. Whether you use traditional OP_CHECKMULTISIG, Tapscript's OP_CHECKSIGADD, or bleeding-edge MuSig2/FROST schemes, the fundamentals remain: distribute keys thoughtfully, back up your descriptors, verify change addresses on-device, and plan for worst-case recovery scenarios. Multisig isn't just a feature—it's a custody philosophy.