What Am I Missing Bitcoin Custody

Identifying Unknown Gaps in Custody Arrangements

This memo is published by CustodyStress, an independent Bitcoin custody stress test that produces reference documents for individuals, families, and professionals.

The Nature of Missing Elements

The question "what am I missing in bitcoin custody" emerges from a particular kind of uncertainty—not confusion about what has been done, but awareness that unknown gaps may exist despite careful planning. The holder has thought about their custody setup, has implemented measures that seem appropriate, and yet suspects that something has been overlooked. This suspicion may be vague, a nagging feeling that the picture is incomplete, or it may be more specific, triggered by reading about someone else's failure or encountering a scenario that had not previously been considered. Either way, the question reflects intellectual humility: the recognition that one's own knowledge has limits and that those limits may coincide with consequential vulnerabilities.

This analysis addresses the nature of what-am-I-missing uncertainty in bitcoin custody. The question is fundamentally about unknown unknowns—the gaps that cannot be identified through reviewing what is already known because they exist outside that knowledge. Addressing this uncertainty requires systematic approaches that do not depend on already knowing what to look for, because if the holder knew what to look for, it would not be missing. The challenge is surfacing gaps that, by definition, have evaded the holder's existing mental model of their custody system.

---

The Nature of Missing Elements

Missing elements in custody systems take several characteristic forms. Unaddressed threats represent scenarios where something bad could happen but no protection exists against it. The holder may not have considered this threat, or may have considered it and decided the probability was too low to address, or may have addressed it incompletely without realizing the incompleteness. Unaddressed threats remain invisible until they materialize, at which point the holder discovers that their system had no defense against something that actually occurred. Every holder has unaddressed threats in their custody system; the question is which ones matter enough to identify and address before they cause harm.

Incomplete implementations represent elements that were intended but not fully realized. The holder planned to create a backup at a secondary location but never got around to it, or created the backup but never verified that it works, or verified it once but has not checked in years. The intention exists; the execution falls short. Incomplete implementations are particularly common because custody is not most people's primary focus—other life demands compete for attention, and custody tasks get deferred. The holder may believe they have complete coverage because they remember their intentions, forgetting that intentions and completed actions are not the same thing.

Incorrect assumptions represent beliefs about the custody system that do not match reality. The holder assumes the backup is where they left it, but it was moved during a home renovation. The holder assumes the passphrase is correctly remembered, but memory has degraded over years without practice. The holder assumes the cosigner is still willing and able to participate, but the relationship has soured or the cosigner's circumstances have changed. These assumptions feel like knowledge until tested, at which point they reveal themselves as untested beliefs that may or may not be true. The custody system depends on these assumptions, and incorrect assumptions create gaps even when everything else is perfectly configured.

---

Why Elements Get Missed

Elements get missed because threat modeling is constrained by imagination and knowledge. Holders can only protect against scenarios they have conceived of, and conception is limited by what the holder has learned, read, experienced, and been able to imagine. Threats outside this conception space do not get addressed because they do not enter the planning process. Security discussions tend to focus on common, dramatic scenarios—hacking, physical theft, device failure—while overlooking less common scenarios that may be equally consequential. The holder who follows typical guidance addresses typical threats while potentially missing atypical ones that apply to their specific situation.

Elements also get missed because human attention is finite and custody competes with everything else demanding attention. Even holders who thoroughly planned their initial custody setup may not have revisited it as circumstances changed. The relationship that deteriorated, the move to a new home, the software update that changed how the wallet works—each represented an opportunity for the custody system to fall out of alignment with reality, and each opportunity may have passed without triggering review. The holder who was diligent at setup may have become less diligent over time, not through intention but through the natural drift of attention toward whatever is currently demanding it.

Elements get missed because documentation is always incomplete relative to the knowledge in the holder's head. The holder knows things about their custody system that they never wrote down because those things seemed obvious or because they intended to write them down later. When reviewing documentation to identify gaps, the holder fills in the gaps mentally from their own knowledge, which masks the gaps that would be visible to someone who had only the documentation to work from. The documentation feels complete because the holder cannot read it without supplementing it from memory, but the documentation is not complete—it only appears complete to the one person who least needs it to be complete.

---

Categories Commonly Overlooked

Certain categories of custody requirements are frequently overlooked even by holders who have been thoughtful about security, because these categories receive less attention in typical security discussions. Incapacity scenarios—what happens if the holder is alive but unable to manage their own custody—receive less attention than death scenarios despite being equally important and potentially more prolonged. Powers of attorney that cover bitcoin specifically, procedures for accessing funds during temporary incapacity, and communication with family about what to do if the holder cannot direct their own affairs all tend to be missing from custody plans that otherwise seem thorough.

Maintenance requirements represent another commonly overlooked category. Custody systems require ongoing attention to remain functional: backups must be verified, documentation must be updated, relationships with keyholders must be maintained, and hardware and software must be kept current. Holders who carefully implemented their initial setup may not have established routines for maintaining it. Years pass, maintenance gets deferred, and the system slowly degrades from its initial state. By the time the system is needed, it may have drifted far from the documented configuration, with backups in different locations, software that no longer matches the documentation, and relationships that have lapsed without replacement.

Transition scenarios also tend to be overlooked—the specific mechanics of how heirs actually execute recovery. The holder knows how to use their custody system, but has the process been translated into instructions that work for people who have never done it before? Have heirs actually practiced? Has the documentation been tested against someone who does not already understand the system? The gap between the holder's capability and heir capability is often wider than holders recognize, and the transition from one to the other is where many custody plans fail even when the technical security is sound.

---

Approaches to Surfacing the Missing

Surfacing missing elements requires approaches that do not depend on already knowing what is missing. Systematic threat enumeration involves working through categories of threats—online attacks, physical attacks, social engineering, natural disasters, legal actions, relationship changes, operational errors, inheritance failures—and asking for each category what protection exists and what scenarios might defeat that protection. This enumeration will not surface every threat, but it imposes a structure that is broader than intuitive self-review, potentially catching items that unstructured reflection would miss.

External perspective provides a different kind of completeness check. Someone unfamiliar with the custody system can attempt to understand it from documentation alone, revealing gaps that are invisible to the holder who fills those gaps from memory. Having an heir attempt to understand and describe the recovery process exposes disconnections between what the documentation says and what readers can actually comprehend. Professional review by someone with custody expertise may surface gaps that the holder's own knowledge does not encompass. Each form of external perspective sees the system from a different angle than the holder sees it, and the differences between these perspectives reveal information about what is present and what is absent.

Scenario simulation involves imagining specific events and tracing through what would happen under the current custody system. What happens if the holder dies suddenly tonight—can the spouse actually access the bitcoin, or are there barriers that would block them? What happens if the holder's home burns down—is everything needed for recovery accessible from other locations? What happens if the holder is incapacitated for six months—who has authority to act, and do they have the capability to act? Each scenario tests different aspects of the custody system, and scenarios that produce uncomfortable answers point toward missing elements that should be considered.

---

Scenarios Showing Missing Elements Revealed

Estate planning conversations with an attorney surfaced a gap that years of custody planning had not addressed. The custody documentation was thorough—where everything was, how to access it, what passwords to use. But none of this documentation had any legal status. When the attorney asked who would have legal authority to access the bitcoin, the answer was unclear. The will named an executor, but the executor was not the same person as the family member who had been prepared to handle the technical recovery. Two people would need to coordinate: one with legal authority and one with technical capability. This coordination requirement had never been considered, and no preparation had been made for it. The missing element was not technical but relational—the gap between legal planning and custody planning.

A health scare prompted review of what would happen if recovery were needed while under significant stress. The custody procedures that seemed manageable under normal conditions appeared daunting when imagined from a hospital bed or during chemotherapy recovery. Steps that required careful attention and fine motor control, procedures that spanned multiple sessions over multiple days, coordination that assumed full mental capacity—none of this would work when capacity was diminished. The missing element was robustness under degraded conditions. The system was designed for the holder at full capability, not for the holder impaired by illness, injury, or age.

A child's question during a family financial discussion revealed a gap in understanding. The child asked what bitcoin actually was and how it worked. Attempting to explain revealed that the holder's own understanding was shallower than assumed—they knew how to operate their custody system but not the underlying principles that would explain it to someone else. If explaining to a curious child was difficult, how much more difficult would explaining to grieving heirs who needed to actually recover funds? The missing element was educational: the holder had procedural knowledge without the explanatory knowledge that would transfer to others.

---

The Limits of Finding Everything Missing

Complete identification of missing elements is not possible because unknown unknowns are by definition outside the boundaries of what can be known without encountering them. No amount of systematic review will surface every gap, because the review process itself is constrained by the reviewer's knowledge and imagination. This limitation is not a reason to avoid searching for missing elements—the search still surfaces many gaps that would otherwise remain hidden—but it is a reason to maintain humility about what the search can accomplish. Even after thorough review, gaps will remain. The holder who believes they have identified everything missing has simply reached the limits of their ability to identify, not the limits of what actually exists.

Accepting this limitation enables appropriate response. The goal shifts from finding everything to finding the most consequential things—the gaps that would cause the most significant failures if they remained unaddressed. Prioritizing by consequence focuses effort where it matters most, accepting that lower-priority gaps may persist while higher-priority gaps receive attention. This prioritization requires judgment about what failures would be most harmful, which itself may be imperfect, but imperfect prioritization is better than exhaustive pursuit of a completeness that cannot be achieved.

---

Conclusion

The question "what am I missing in bitcoin custody" reflects awareness that unknown gaps may exist despite careful planning. Missing elements take the form of unaddressed threats, incomplete implementations, and incorrect assumptions. They persist because threat modeling is constrained by imagination and knowledge, because attention is finite and custody competes with other demands, and because documentation is always incomplete relative to the knowledge in the holder's head. Categories commonly overlooked include incapacity scenarios, maintenance requirements, and transition mechanics for heirs.

Surfacing missing elements requires approaches that do not depend on already knowing what is missing: systematic threat enumeration, external perspective from people unfamiliar with the system, and scenario simulation that tests what would happen under specific events. Complete identification is not possible because unknown unknowns exist by definition outside what can be known without encountering them. Accepting this limitation enables appropriate prioritization—focusing on the most consequential gaps rather than pursuing an unachievable completeness.

---

System Context

Examining Bitcoin Custody Under Stress

Bitcoin Custody Red Flags

Bitcoin Custody Overlooked Risks

← Return to CustodyStress