How to Verify That Bitcoin Custody Is Still Correct
Confirming Custody Validity After Extended Time
This memo is published by CustodyStress, an independent Bitcoin custody stress test that produces reference documents for individuals, families, and professionals.
Someone sets up bitcoin custody. Time passes. Months go by, then years. The person has not moved the bitcoin or tested the setup since the beginning. Now a question emerges: is the custody still correct? The desire to verify that bitcoin custody is still correct reflects a deeper uncertainty. Nothing has signaled a problem, but nothing has confirmed things still work either.
This memo examines how custody correctness becomes invisible over time. The setup existed in a known state at one point. Whether it remains in that state cannot be observed without testing. Yet testing carries its own risks. The gap between "it worked once" and "it works now" grows wider with each passing month, but the gap itself produces no visible warning.
Correctness at Setup
When custody is first created, correctness can be tested. A seed phrase is written down. The holder can restore from that phrase to confirm it works. A hardware wallet is configured. The holder can send a small amount and verify receipt. These tests happen close to the moment of creation, and they produce confidence.
That initial confidence is time-bound. It reflects the state of the system at that moment. The seed phrase was copied correctly at that moment. The hardware wallet accepted the PIN at that moment. The backup was stored in that location at that moment. Everything was true then.
But "then" is not "now." The passage of time introduces distance between confirmed state and current state. What was true becomes what was once true. The confidence from initial testing does not automatically extend forward. It describes a past condition, not a present one.
Holders often treat initial setup confidence as permanent. The logic seems reasonable: nothing was done to change things, so things remain unchanged. But this logic contains an assumption that may not hold. It assumes no drift, no degradation, no external change. These assumptions are invisible until they fail.
Drift Without Signals
Custody components can drift from their correct state without producing any signal. Ink on paper fades. Memory of a PIN becomes uncertain. The location of a backup becomes unclear. A passphrase that was once familiar becomes unfamiliar. None of these changes announce themselves.
Physical media degrades silently. Paper stored in damp conditions may become unreadable, but it does not send an alert. Metal backups may corrode in ways that affect legibility. The degradation happens on its own timeline, unconnected to the holder's awareness. By the time damage becomes visible, the damage is already complete.
Human memory shifts without conscious recognition. A holder who has not entered their PIN in two years may believe they remember it. That belief persists until the moment of entry, when the belief confronts reality. The gap between believed memory and actual memory cannot be detected through introspection alone.
Environmental changes accumulate invisibly. A safe deposit box rental lapses. A relative who held backup materials dies or moves. A cloud storage account changes its terms. These changes happen in the world around the custody setup, but they do not trigger notifications within the custody itself. The system does not know its context has shifted.
The Verification Paradox
To know if custody is still correct, the holder would need to test it. Testing means using the backup materials to regenerate access. This proves the materials work. But testing also creates exposure. Every test is a moment when sensitive information is active, present, and vulnerable.
A holder who restores a seed phrase to verify it must enter that phrase somewhere. The entry point becomes an exposure point. Even brief exposure matters. Malware on a device could capture the phrase during the test. A camera could record it. The very act of verification introduces risk that would not exist if the holder simply left things alone.
This creates a paradox. Not testing preserves the sealed state of the backup but leaves correctness unknown. Testing reveals correctness but breaks the sealed state. The holder faces a choice between two forms of uncertainty: uncertainty about current correctness, or uncertainty about whether testing introduced new problems.
Some holders resolve this by testing on dedicated hardware, in controlled environments, with extensive precautions. These precautions reduce but do not eliminate risk. Other holders resolve it by never testing, accepting unknown correctness in exchange for untouched materials. Neither resolution fully eliminates the underlying tension.
The Assumption of Continuity
Most custody holders operate on an assumption of continuity. They assume that because nothing was deliberately changed, nothing has changed at all. This assumption is comfortable. It allows the holder to avoid the verification paradox entirely. It also allows drift to continue undetected.
Continuity assumptions work until they don't. A setup that was correct for years remains correct until the one factor that mattered shifts. The shift might be tiny: a single digit forgotten, a single page water-damaged, a single device firmware update that introduces incompatibility. The holder's confidence extends across these small shifts because the holder cannot see them.
Families who inherit bitcoin often discover that continuity assumptions were false. The deceased was confident. The deceased had tested things years ago. The deceased had no reason to believe anything had changed. But the deceased also had not verified recently, and something had in fact changed. The assumption that looked reasonable from inside became obviously false from outside.
Continuity is not a property of the system. It is a belief held by the holder. The system itself has no mechanism for maintaining continuity. It sits in whatever state it sits in, regardless of what the holder believes that state to be.
Layers of Correctness
Verifying custody involves multiple layers. Each layer can drift independently. A setup might be correct at one layer and broken at another. The holder who checks one layer may believe the whole system is verified when only that one layer has been confirmed.
The seed phrase layer involves the actual words and their sequence. This layer fails if words are missing, misspelled, or out of order. Checking this layer means comparing the recorded phrase against what the wallet software accepts. But checking the phrase does not check the passphrase.
The passphrase layer sits on top of the seed phrase. A holder who verifies the seed phrase but forgets the passphrase has verified the wrong thing. The seed phrase works. The complete access path does not. This layer fails silently because the seed phrase still looks correct on its own.
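The silent failure described above, shown as an added example (not code from CustodyStress or from any wallet project). It assumes the setup follows BIP-39, uses the public BIP-39 test mnemonic, and `check_value` is a hypothetical reference recorded at setup time.

```python
import hashlib
import hmac
import unicodedata

# Public BIP-39 test mnemonic (published test vector, never a real wallet).
TEST_MNEMONIC = "abandon " * 11 + "about"

def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase.

    Wordlist and checksum validation (the seed phrase layer) is not done here.
    """
    words = " ".join(unicodedata.normalize("NFKD", mnemonic).split())
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, 64)

def check_value(seed: bytes) -> str:
    """Hypothetical reference recorded at setup (an assumption of this example).

    It stands in for the first receive address or master fingerprint that a
    wallet displays; any value derived from the full seed serves the purpose.
    """
    return hashlib.sha256(b"custody-check" + seed).hexdigest()[:16]

def verify_access_path(mnemonic: str, passphrase: str, recorded: str) -> dict:
    """Check the passphrase layer against the reference recorded at setup."""
    seed = bip39_seed(mnemonic, passphrase)
    return {
        # Always True: derivation accepts every passphrase and never errors.
        "seed_derived": len(seed) == 64,
        # The only signal that the complete access path still matches setup.
        "matches_setup": hmac.compare_digest(check_value(seed), recorded),
    }

if __name__ == "__main__":
    # Constructed sample passphrases; the second differs by one capital letter.
    recorded = check_value(bip39_seed(TEST_MNEMONIC, "correct horse"))
    print(verify_access_path(TEST_MNEMONIC, "correct horse", recorded))
    print(verify_access_path(TEST_MNEMONIC, "Correct horse", recorded))
```

With the misremembered passphrase the derivation still succeeds, so only the comparison against the recorded reference reveals that the complete access path has drifted.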
The hardware layer involves devices, firmware, and compatibility. A hardware wallet that worked three years ago may require firmware updates to work now. The firmware update process may require the seed phrase. If the holder's seed phrase layer has drifted, the hardware layer cannot be corrected. Each layer depends on layers beneath it.
Physical location is its own layer. The backup may be correct but unreachable. A holder who stored materials in a safe deposit box in another city may not have access to that box when verification is needed. The materials work; the access path to the materials does not.
External Dependencies
Custody correctness depends on factors outside the holder's control. Wallet software must remain available and compatible. Exchanges or services that were part of the setup must continue to exist. Protocols and standards must remain stable. Changes in any of these areas can make a correct setup incorrect through no action of the holder.
Software dependencies age in unpredictable ways. A wallet application that was standard practice five years ago may be abandoned today. The holder's setup was built around that software. The software's absence does not automatically break the custody, but it removes the familiar path to access. The seed phrase remains valid, but the tools for using it have changed.
Service dependencies can vanish entirely. A holder who used a particular exchange as part of their custody workflow may find that exchange gone. Records, interfaces, and relationships that existed disappear. The holder's documentation refers to things that no longer exist. The custody may still be technically correct, but the map no longer matches the territory.
Even the bitcoin protocol itself could change in ways that affect custody. Hard forks, soft forks, and network upgrades may introduce compatibility concerns. A setup that was entirely correct under one set of rules may require attention under a different set. The holder who does not track these changes cannot know if changes have affected them.
The Observability Gap
The fundamental challenge is that correctness is not observable without action. A backup sitting in a drawer either works or doesn't, but the drawer provides no information about which is true. The holder can open the drawer and look at the paper, but looking confirms only that paper exists. It does not confirm that the paper's contents will produce access.
Bank accounts provide statements. Investment accounts provide confirmations. Real estate has recorded deeds that can be searched. These assets have external systems that continuously affirm their state. Bitcoin in self-custody has no such external system. The blockchain confirms what addresses hold what amounts, but it provides no confirmation that the holder can actually access those addresses.
This observability gap grows with time. At setup, the gap is small because testing just happened. After a year, the gap is wider. After five years, the gap may be enormous. The holder's confidence often does not track the growing gap. Confidence remains stable while uncertainty actually accumulates beneath it.
Nothing in the system prompts the holder to close this gap. No reminder says it has been 18 months since the last verification. No alert says that humidity in the storage area may have affected the backup. The system is indifferent to whether the holder knows its state. The holder must generate their own concern, on their own timeline, without external prompts.
Verification as Moment-in-Time
Even successful verification only confirms a moment. A holder who tests their setup today confirms that the setup worked today. Tomorrow introduces new uncertainty. The verified state immediately begins aging. The clock resets with each test, then begins counting again.
This means verification is not a permanent state. It is an event that produces information valid for a limited time. How long that information remains valid depends on factors the holder may not be able to assess. Faster environmental change means faster expiration of verified status. Slower change means slower expiration. But some expiration always occurs.
Holders who verify once and consider themselves done have misunderstood what verification provides. It provides a data point, not a permanent condition. The data point ages. Eventually it becomes so old that it provides little information about current state. At that point, the holder is back to operating on assumption rather than knowledge.
Summary
The desire to verify that bitcoin custody is still correct emerges from a structural uncertainty. Custody that was correct at setup may or may not be correct now. Time introduces drift that produces no signal. Physical materials degrade. Memory shifts. External dependencies change. Nothing within the system indicates when these changes have occurred.
Verification can close the uncertainty gap, but verification itself carries risk. Testing requires exposing backup materials. This exposure may introduce new problems even as it solves the observability problem. Holders face a choice between two forms of uncertainty, neither of which fully resolves.
Correctness is not a stable property. It is a condition that must be re-established through testing. The gap between last verification and present moment always exists. That gap may contain drift that the holder cannot see. This is the structure of custody uncertainty, and it applies to every self-custody setup regardless of how carefully it was created.