A Custody Stress Test for Bitcoin
v1.0 · February 2026
CustodyStress is an independent diagnostic assessment that models whether a Bitcoin custody setup remains controllable under defined stress scenarios, producing a survivability profile and reference documents that can be interpreted later without explanation. It uses a structured, scenario-based questionnaire and does not connect to wallets or collect sensitive data.
The assessment does not provide instructions, recommendations, or tool selection guidance.
It describes how a custody setup behaves when normal assumptions no longer hold.
CustodyStress is intended to surface hidden structural risks, not to provide advice.
The assessment is designed to surface failure modes that are often invisible during normal operation, including:
The custody setup is modeled exactly as it exists at the time of assessment, without assuming future explanations, improvisation, memory, or intervention.
CustodyStress is intentionally limited to Bitcoin custody systems.
This is not a branding choice. It is a methodological constraint.
Bitcoin is a bearer asset whose survivability depends almost entirely on system design and execution, not on institutional recovery. When access fails, there is no administrator, registry, or issuer that can restore custody.
Other asset classes fail differently and require separate diagnostic tools. While many of the underlying principles used here—such as independence, coordination, and time-based degradation—apply broadly, this assessment is valid only for Bitcoin under the stated assumptions.
Limiting scope preserves clarity, determinism, and interpretability.
The initial concept was inspired by a series of thought experiments shared by Bruce Fenton that asked whether a Bitcoin holder's custody setup would survive realistic stress conditions using only what already existed at the time of failure.
The scenarios deliberately removed normal assumptions, including personal availability, access to devices or home records, freedom from coercion, intact memory, legal safety, and geographic stability. The exercise illustrated that custody failures often arise not from lost keys, but from hidden assumptions, undocumented dependencies, and procedural knowledge that may not survive stress.
Building on these ideas—and informed by threat modeling, game theory, and reported custody failure patterns—CustodyStress was developed as an internal tool to model complex, multi-wallet family custody systems under conditions where normal recovery paths break down.
CustodyStress models Bitcoin custody as a single, integrated setup as described at assessment time, not as a collection of individual tools, wallets, or techniques.
Most custody arrangements involve multiple elements operating together, such as:
These elements are rarely modeled as a unified system, even though they often fail together.
CustodyStress is designed to make the entire custody arrangement visible at once and to model how that setup behaves when stress is applied.
The assessment focuses on how custody-related elements interact — how access is initiated, who must act and in what order, what information must be available, which dependencies must remain intact, and how delay or absence affects outcomes. Even when multiple tools are used, they often rely on the same underlying people, documents, credentials, or authority. CustodyStress treats these shared roots as part of a single setup.
Redundancy is modeled by independence, not by count.
If the owner died or became incapacitated, who would physically carry out the recovery process?
This asks who would perform the technical steps needed for recovery. This is about doing the work, not about legal ownership of the Bitcoin.
Would a second person physically discover the recovery materials if the first person was unavailable?
Imagine the primary recovery person is also unavailable. Is the recovery information (instructions, seed phrase location, etc.) stored somewhere a backup person would physically find it — like a safe they have access to, a filing cabinet, or papers a lawyer holds? Digital-only storage that requires the first person's login does NOT count.
Certain custody failures arise not from missing keys, but from quorum, dependency, or sequencing deadlocks that only appear under stress. Common examples include:
These failure modes are often invisible during setup and normal use, and may only become apparent when custody must be interpreted or executed without the original owner present.
Are physical copies of the seed phrase stored in separate locations?
Example: One copy in a home safe and another in a bank vault are separate locations. All copies in the same house are not separate.
Are those separate locations controlled by different people?
Example: One copy in YOUR safe + another in YOUR office = same person controls both. One copy in your home + another with your LAWYER or FAMILY MEMBER = different people control each.
Who physically holds the offsite backup (the copy NOT at home)?
This affects legal seizure protection. A backup held by another person is legally separate from you. A backup at your own safe deposit box or property is still legally "yours."
CustodyStress produces a survivability profile and standardized diagnostic documents intended for reference, discussion, and coordination.
These documents are designed to:
The assessment does not tell anyone what to change or how to act.
It describes how the custody setup behaves under stress for later interpretation in context.
This allows survivability profiles and related artifacts to function as neutral reference documents, similar to reference or history reports used in other domains.
Most Bitcoin custody failures do not result from broken cryptography.
They result from:
CustodyStress models how custody setups fail as they are encountered under stated assumptions, not how they were intended to work.
Custody outcomes are rarely all-or-nothing.
The assessment explicitly distinguishes between custody survivability states, including:
These are treated as materially different survivability states, not as success or failure judgments.
CustodyStress uses scenario-based modeling, not checklists.
Each scenario models a stress condition, such as:
Users describe what would actually occur given their current custody arrangement.
Structured inputs ensure consistency and repeatability. Internal logic models how those inputs interact under each stress scenario.
The CustodyStress assessment is completed through a structured, scenario-based questionnaire. The number of prompts presented depends on the complexity of the custody setup described, including the number of wallets, signers, dependencies, and recovery paths involved.
Most assessments are completed in a single session. More complex custody arrangements may require additional time to accurately describe roles, dependencies, and documentation paths.
An assessment may be paused and resumed on the same local device. Progress is stored locally in the browser environment used to complete the assessment.
The assessment does not require connecting wallets, importing data, or providing sensitive information. Accuracy depends on the completeness and correctness of the information provided at the time of assessment.
The assessment produces a single Modeled Survivability State derived from multiple internal dimensions, including:
Each stress scenario is modeled independently using Survives / Constrained / Compromised semantics, which describe whether custody control remains possible under that condition.
Scenario outcomes are then combined using fixed weighting, dependency handling, uncertainty handling, and catastrophic caps to produce a final modeled state.
Exact weights, thresholds, and interaction rules are not part of the published methodology specification. Outputs are designed to remain interpretable without reference to internal coefficients. This preserves semantic stability and reduces incentives to optimize for scores rather than structural survivability.
| Scenario | Modeled Outcome |
|---|---|
Death / Absence What happens if the original owner is no longer available to assist or provide information. | Survives |
Device Loss What happens if all primary devices and any information stored at home or work are lost or destroyed. | Survives |
Physical Coercion What happens if the owner is forced to act under immediate threat and attackers can access the premises. | Constrained |
Cognitive Failure What happens if the owner cannot recall details, passwords, or instructions. | Constrained |
Legal Seizure What happens if authorities can search all physical locations and seize any keys or phrases found on the premises. | Survives |
Forced Relocation What happens if the owner must relocate internationally on short notice without access to banks, offices, or storage locations. | Constrained |
CustodyStress is a deterministic diagnostic instrument.
For a given methodology version, identical declared inputs produce identical survivability classifications and reference artifacts.
There is no personalization, learning, optimization, adaptive weighting, or post-classification override.
Determinism ensures repeatability under a fixed methodology version:
Determinism implies repeatability under the same version and inputs, not correctness, safety, or completeness.
Each assessment is modeled against a fixed set of stress scenarios and rule logic. CustodyStress does not compare users to one another.
CustodyStress computes a deterministic Integrity Digest at issuance time that binds declared inputs and the Methodology Version to the issued survivability profile.
If declared inputs or methodology parameters are altered, the Integrity Digest changes. This allows independent confirmation that a survivability profile corresponds to its original declared state under the stated Methodology Version.
Structural issuance validity may be confirmed through the CustodyStress Verification page.
Verification confirms reproducibility under the stated Methodology Version only. It does not:
CustodyStress does not retain assessment inputs and does not re-verify records after issuance.
CustodyStress survivability profiles and related reference artifacts are designed to be cited in estate files, executor packets, lawyer workpapers, family coordination records, and professional review memoranda without requiring explanation from the original custodian.
When referencing an assessment, use one of the following:
CustodyStress survivability profile issued under Methodology vX.X.X.
CustodyStress survivability profile issued under Methodology vX.X.X, Reference ID [XXXX], dated [Month Year].
Where relevant, references may include the modeled survivability state:
CustodyStress survivability profile issued under Methodology vX.X.X concluding "Survives" (or "Constrained" / "Blocked" / "Indeterminate").
Citation of a CustodyStress profile does not imply sufficiency, safety, correctness, legal adequacy, or endorsement. It identifies that the custody setup was modeled under defined stress scenarios using a fixed methodology version and declared inputs at a specific point in time.
The methodology is version-bound. Interpretation of any profile is valid only within the methodology version under which it was issued.
Each CustodyStress assessment is tagged with a methodology version.
Results are valid and interpretable within the version under which they were produced.
New versions expand the lens of what is modeled without revising the meaning of prior results.
CustodyStress does not become "more correct" over time.
If a future methodology version is issued, prior survivability profiles retain their original meaning under the methodology version in effect at issuance.
Elements that define the meaning of a result—such as scenario structure, outcome semantics, and score construction—never change silently. Any change that would alter interpretation requires an explicit version bump.
Current version: v1.0
A detailed Methodology Lock & Change Policy is maintained for reference. A public methodology change log records versioned clarifications and corrections.
CustodyStress is not a one-time record.
Custody tools, personal circumstances, and legal environments change over time. A custody arrangement that is survivable today may not be survivable in the future.
Each assessment represents a point-in-time snapshot under stated assumptions. Changes in people, jurisdiction, tools, health, or access conditions create a materially different system.
CustodyStress does not collect or retain sensitive information.
Assessment data is processed locally in the browser for scoring and report generation and, by default, is not transmitted to a server.
Results describe modeled outcomes under defined stress assumptions.
They identify where survivability depends on assumptions that may fail under pressure. They do not prescribe actions, certify safety, or imply correctness of any custody approach.
Decisions and changes occur outside the tool.
CustodyStress does not model:
The goal of CustodyStress is to produce a structured, versioned survivability profile and supporting reference artifacts describing modeled outcomes under declared assumptions.
It surfaces assumptions and coordination gaps that are easy to overlook in complex custody arrangements. It does not claim completeness, correctness, or safety.
The assessment and resulting records are intentionally conservative, bounded, and non-reassuring — by design.
The following documents are provided for reference and citation.
The following terms are used with specific meanings throughout this document. These definitions are locked for consistency.
Access: The operational capability to move or control Bitcoin, independent of legal authority.
Authority: The legal or social entitlement to move or control Bitcoin, independent of operational access.
Blocked: A modeled outcome state in which recovery is not achievable under the stated scenario and assumptions.
Constrained: A modeled outcome state in which recovery is achievable but subject to significant limitations, delays, or dependencies.
Coordination failure: A state in which multiple parties cannot combine their capabilities to achieve recovery.
Custody system: The complete set of components required for Bitcoin to be moved or controlled.
Durability: The degree to which outcomes remain stable over time.
Dependency: Any component upon which a custody system relies.
Indeterminate: A state in which outcomes cannot be reliably modeled due to missing or ambiguous information.
Partial execution: A state in which some recovery actions have been completed but others remain.
Security: The degree to which a custody system resists unauthorized access.
Shared root: A dependency common to multiple supposedly independent components.
Survivability: The degree to which a custody system maintains the possibility of authorized recovery under stress.
Survives: A modeled outcome state in which recovery is achievable under the stated scenario and assumptions.
This appendix defines the meaning of outcome states used in Bitcoin custody survivability assessments.
Survives: Under the stated scenario and assumptions, the modeled custody system permits recovery by authorized parties. "Survives" indicates that a viable path to recovery exists given the information provided and the conditions modeled. It does not indicate that recovery is guaranteed, easy, or free of complications.
Constrained: Under the stated scenario and assumptions, the modeled custody system permits recovery but with significant limitations. Constraints may include: extended time requirements, dependency on specific parties or institutions, partial recovery only, assistance from third parties, or other factors that limit but do not eliminate recovery possibilities.
Blocked: Under the stated scenario and assumptions, the modeled custody system does not permit recovery by authorized parties. "Blocked" indicates that no viable path to recovery was identified given the information provided and the conditions modeled. It does not indicate that recovery is impossible under all possible circumstances; it indicates that recovery is not achievable under the modeled circumstances.
Indeterminate: The outcome cannot be reliably modeled because critical information is missing, ambiguous, or contradictory. "Indeterminate" is not a failure state; it is an acknowledgment that the available information does not support a confident projection. The most honest statement about some custody systems is that their behavior cannot be determined from available information.
Outcome states are modeled outcomes. They describe projected system behavior under stated assumptions. They are not: Guarantees of any result; Predictions of what will actually happen; Judgments of custody arrangement quality; Certifications of adequacy for any purpose; Advice about what to do; Endorsements of any custody approach; Standards against which custody arrangements should be measured.
Outcome states are scenario-bound. An outcome state describes behavior under a specific stress scenario. The same custody system may produce different outcome states under different scenarios. A system that survives one scenario may be blocked under another.
Outcome states are time-bound. An outcome state describes projected behavior at the time of assessment based on information available at that time. Circumstances change. An outcome state from a previous assessment may no longer reflect current behavior.
Outcome states are assumption-bound. Modeling requires assumptions about what information is accurate, what components exist, and how systems behave. Different assumptions may produce different outcomes from the same inputs. Stated assumptions constrain the validity of outcomes.