Smart Vaults
Liquid Smart Vaults & Lit Protocol Integration
Smart Vaults are programmable, multi-chain vaults represented by NFTs. Each Smart Vault has an associated decentralized key pair (PKP) from Lit Protocol, enabling secure, permissioned signing across Bitcoin and EVM chains, without ever exposing the private key.
A Smart Vault is:
An NFT that grants ownership and operational control.
A Lit PKP (Programmable Key Pair) that enables decentralized signing.
A Bitcoin + EVM address derived from the PKP public key.
A set of Lit Actions (JavaScript smart contracts) that define what it can do.
Lit Protocol powers the secure signing mechanism for Smart Vaults.
DKG (Distributed Key Generation): m-node network generates and holds key shares.
Threshold Signing (≥n/m): No full key ever exists; only node consensus can sign.
TEEs (Trusted Execution Environments): Lit Actions run securely, isolated from outside interference.
Periodic Key Rotation: Key shares are invalidated and refreshed frequently for added security.
Learn more: https://litprotocol.com
Each Smart Vault is bound to a unique Lit PKP. The public key is used to:
Derive a Bitcoin SegWit (or Taproot) address.
Derive an EVM address (for use on CoreDAO, Ethereum, etc.).
The NFT owner is the only party authorized to sign transactions using the PKP.
Smart Vaults are only allowed to run hardened Lit Actions:
signBitcoinTx: Sign Bitcoin staking or redemption transactions.
callContract: Trigger EVM transactions (e.g., ERC20 transfers, swaps, claims).
coinTransfer: Transfer EVM native coin (e.g., CORE, ETH).
decryptSecrets: Retrieve encrypted data (e.g., strategy prompts, Telegram handles).
delegate: Grant permission to approved agents (like VaulterBTC) with on-chain policies.
These actions are:
Deployed to IPFS.
Indexed by content hash (CID).
Registered on-chain and enforced by policy contracts.
Every Lit Action is wrapped with:
checkLitAuthAddressIsERC721Owner.ts: Confirms that the signer owns the controlling NFT.
A call to the PKPPermissions contract to check the CID is allowed for this PKP.
If any condition fails, the action is aborted.
Smart Vaults also disable signEcdsa, which blocks pre-signing and rug attempts.
All components are public and inspectable:
PKP Token ID and public key: visible in VaultLayer UI.
Permissions: inspectable on Lit Explorer.
Lit Actions: fetch CIDs from chain, load from IPFS, review raw JS code.
Policies: fully encoded on-chain and linked to each tool + agent.
VaultLayer provides verification scripts in the VaultLayer GitHub repo to audit all permitted actions for any Smart Vault.
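The wrapper checks and the permission audit described above, modeled locally as an added example (not VaultLayer's or Lit Protocol's code). The state object, the function names and the CID strings are constructed placeholders standing in for on-chain reads.

```javascript
'use strict';
// Constructed stand-in for on-chain state. A real check would read the NFT
// contract (ERC-721 ownerOf) and the PKPPermissions contract.
const OWNER = '0x' + '0'.repeat(38) + 'A1'; // constructed address
const state = {
  nftOwner: { 'vault-1': OWNER },
  permittedCids: { 'pkp-1': ['QmPLACEHOLDERsignBitcoinTx', 'QmPLACEHOLDERcallContract'] },
};

// Fail-closed gate: both checks must pass; unknown vaults or PKPs are denied.
function authorizeAction(req, chain) {
  const owner = chain.nftOwner[req.vaultId];
  // EVM addresses are case-insensitive hex (mixed case is only a checksum).
  if (!owner || owner.toLowerCase() !== String(req.caller).toLowerCase()) {
    return { ok: false, reason: 'caller does not own the vault NFT' };
  }
  const allowed = chain.permittedCids[req.pkpId] || [];
  if (!allowed.includes(req.actionCid)) {
    return { ok: false, reason: 'action CID not permitted for this PKP' };
  }
  return { ok: true, reason: 'authorized' };
}

// Audit: compare what the chain permits against the CIDs a reviewer has read
// and approved. Anything extra is a finding; anything missing is a gap.
function auditPermissions(onChainCids, reviewedCids) {
  const reviewed = new Set(reviewedCids);
  const onChain = new Set(onChainCids);
  return {
    unexpected: [...onChain].filter((cid) => !reviewed.has(cid)),
    missing: [...reviewed].filter((cid) => !onChain.has(cid)),
  };
}

// Ownership is checked at call time, so an NFT transfer moves signing rights.
function transferVault(chain, vaultId, newOwner) {
  return { ...chain, nftOwner: { ...chain.nftOwner, [vaultId]: newOwner } };
}
```

Because the gate reads the owner on every call, the previous holder is denied as soon as the NFT moves, and any CID in `unexpected` is code that can sign for the vault but has not been reviewed.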
Private key secrecy: Threshold signing with DKG (no single node can sign alone)
Agent control limits: On-chain tool + policy contracts
NFT ownership binding: Runtime validation of signer via checkERC721Owner
Verifiability: All logic hosted on IPFS + registered on-chain
Anti-rug enforcement: signEcdsa disabled; no pre-signed txs
Smart Vaults combine NFT-based control with Lit Protocol's decentralized signing to deliver:
Fully programmable Bitcoin + EVM wallets.
Tradeable and transferable vaults (NFT = control).
Verifiable automation with no private key risk.
Real-time agent delegation without backend trust.
This architecture allows VaultLayer to offer secure, user-owned DeFi automation, turning Bitcoin into a programmable asset without compromising its core principles.