Single Signer Spending Policy (SSSP)

New in firmware versions Mk4: v5.4.4, Q: v1.3.4Q

Single Signer Spending Policy (SSSP) is a security mode that can be activated on your COLDCARD®, which enforces predefined spending policies when signing transactions with single signer keys. In addition, the menu items in SSSP mode are limited to hide sensitive features. Once SSSP is activated, it remains in effect until disabled with a special Policy Unlock PIN.

SSSP is similar to Co-Sign Multisig Spending Policies (CCC), and they can both be in effect at the same time.

This mode is ideal for scenarios like traveling, delegating wallet access while maintaining control, or improving the security of your everyday use.

How Does SSSP Work?

When SSSP is activated, the COLDCARD immediately switches to the limited menus to protect sensitive information and features. Additionally, the Single Signer Spending Policy is now applied to all single-signature wallets (which can optionally include BIP-39 Passwords, Seed Vault, and Temporary Seeds).

Spending Policy

The spending policy can be defined in the SSSP settings, either during initial setup or any time the COLDCARD is not in SSSP mode. The rules in the policy include:

  • Magnitude Limits: Caps the amount of Bitcoin that can be spent in a single transaction.
  • Velocity Limits: Restricts how fast transactions can occur, requiring a minimum number of blocks between spends.
  • Whitelisted Addresses: Only allows sending to pre-approved Bitcoin addresses. Change addresses are automatically whitelisted.
  • 2FA Authentication: Requires confirmations from a mobile 2FA application (TOTP RFC 6238) on an NFC-enabled phone with Internet access.

Once SSSP is activated, the COLDCARD cannot view or change the spending policy or any settings. To prevent adversaries from learning info about your policy, any violations found in a PSBT are not explained, just denied.

Knowledge of the Policy Unlock PIN is the only way to edit the spending policy, settings, or learn the last violated policy rule.

Limited Menus

While the COLDCARD is in SSSP mode, some menu items will be hidden to protect secrets and disallow certain features. The removed items include:

  • Seed Word Access: There is no way to view or export seed words.
  • Backup/Restore: All options for performing backups or restoring from backups are removed.
  • Firmware Changes: No ability to change the current firmware.
  • Settings: The entire Settings Menu is removed.
  • BIP-39 Passphrase Wallets, Seed Vault (read-only), and Temporary Seeds: All are hidden, unless allowed using the Related Keys setting in the SSSP Menu.
  • Secure Notes & Passwords (Q Only): The database will be missing, but can be available as read-only with the SSSP Menu setting: Allow Notes.
  • Key Teleport (Q Only): Limited to only multisig PSBT exchange (if multisig wallet already enrolled before SSSP activation).

Setup SSSP

Before Single Signer Spending Policy mode can be activated, you will need to create a Policy Unlock PIN and optionally set your spending policy. Once you've created your Policy Unlock PIN you will be able to enter SSSP mode.

Set Everything Up Before Activating SSSP!

Enabling SSSP locks down many features, including firmware updates, backups, and settings changes. Configure your COLDCARD fully before activation, and keep a backup of your Policy Unlock PIN.

The only way to disable SSSP without the Policy Unlock PIN is to destroy the seed and recover from a backup or seed words.

Create a Policy Unlock PIN

The first step in setting up SSSP is to create a Policy Unlock PIN. To bypass the spending policy, or to access the full COLDCARD menus, you must first enter the Policy Unlock PIN and then the Main PIN.

Click below to see the steps required to create a Policy Unlock PIN.

Steps to Create a Policy Unlock PIN
  1. From the Main Menu, go to: Advanced/Tools > Spending Policy > Single-Signer.

  2. Read the information, then press /ENTER.

  3. Create your Policy Unlock PIN prefix (2-6 numbers), and record a backup of it.

  4. Enter the Policy Unlock PIN prefix into the COLDCARD and hit /ENTER.

  5. You will be shown the Anti-Phishing Words associated with your Policy Unlock PIN prefix. Back them up with your Policy Unlock PIN.

  6. Next create the suffix for the Policy Unlock PIN (2-6 numbers), and save it on your backup.

  7. Now enter your Policy Unlock PIN suffix on the COLDCARD and tap /ENTER.

  8. The last step is to confirm your Policy Unlock PIN and Anti-Phishing Words. Enter your Policy Unlock PIN prefix, click /ENTER, and check that the Anti-Phishing Words are the same.

    • If your Policy Unlock PIN prefix and Anti-Phishing Words are correct, enter your Policy Unlock PIN suffix and press /ENTER to move on.

    • If there was a problem with your Policy Unlock PIN prefix, or Anti-Phishing Words, tap X/CANCEL to retry the confirmation. To start over completely, hit X/CANCEL twice to get back to the Spending Policy Menu. From there you can select Single-Signer and start over from Step 2 above.

Set the Spending Policy

After a Policy Unlock PIN has been created, you can edit the spending policy. This dictates when the COLDCARD will sign transactions while SSSP is activated.

You do not need to create a spending policy to make use of SSSP mode. Without setting any spending policy, you can still activate SSSP mode and make use of the limited menus. However, it may still make sense to set some sane Max Magnitude or Limit Velocity, to prevent all your Bitcoin being sent in a single transaction or many smaller transactions in rapid succession.

The dropdown below explains the spending policy options, and how to use them.

Spending Policy Options

If you are on the Single Signer Spending Policy Menu, select Edit Policy... to view the policy or make adjustments.

From the Main Menu of the COLDCARD, go to: Advanced/Tools > Spending Policy > Single Signer > Edit Policy....

There are no default policy settings. If you don't make any changes, all transactions will be signed by single signer keys while SSSP is activated.

These are your spending policy options:

  • Max Magnitude: Maximum amount of Bitcoin that can be sent in a single transaction. Values below 1000 are treated as whole Bitcoin; values of 1000 or more are treated as Satoshis.

    To disable Max Magnitude completely, enter a value of 0 and press /ENTER.

  • Limit Velocity: Sets a minimum number of blocks that you must wait between transactions. Cannot be used without Max Magnitude.

    If Limit Velocity is in use, the PSBT creator must include the nLockTime value (most do to avoid fee sniping). Previous block height is determined by the nLockTime value of the last signed transaction, even if the last transaction has not been broadcast.

  • Whitelist Addresses: Import a list of up to 25 addresses that the PSBT can send to. Addresses can be imported from a file on the SD card, Virtual Disk, via NFC, or QR code (Q only). Change addresses are automatically whitelisted.

  • Web 2FA: If enabled, requires the use of a mobile 2FA application to sign. You will not be able to sign transactions if you do not have a phone with NFC and Internet access.

    Before signing a transaction you will have to tap your 2FA enabled phone to the COLDCARD. That will take you to a page on coldcard.com where you will enter the 6 digit code from your authenticator app. If you entered the code correctly you'll be presented with an 8 digit code (Mk4) or a QR code (Q). On the COLDCARD, scan the QR code (Q), or enter the digits (Mk4), and transaction signing will proceed.

    Once enabled, new options will appear:

    • Test 2FA: Takes you through the process of trying to pass 2FA authentication. This test is part of initially setting up Web 2FA.
    • Enroll More: Multiple devices can be enrolled in 2FA, but they will all have the same shared-secret.

SSSP Menu

The SSSP Menu contains settings and information related to SSSP mode, including: the Spending Policy rules, bypassing the policy, and the menu items available while in SSSP mode. This is also where you can test out SSSP with your current settings and policy, or activate the mode until it is bypassed with the Policy Unlock PIN.

To see all the SSSP Menu options and their explanation, expand the box below.

SSSP Menu Options

These options are found on the Single Signer Spending Policy Menu. To get there from the Main Menu of the COLDCARD, head to: Advanced/Tools > Spending Policy > Single Signer.

The SSSP Menu options are:

  • Edit Policy...: Allows you to make changes to the spending policy for single signers. For more information, go to: Set the Spending Policy.
  • Last Violation: After a transaction signing fails due to SSSP policy rules, the reason is given here. Use the dropdown below to see the violation codes and their meanings.

    Policy Violation Reason Codes

    • has warnings: Any warning from the PSBT, even unrelated to the spending policy, will be rejected.
    • magnitude: Sent more than the maximum amount of Bitcoin allowed per transaction.
    • no nLockTime: The PSBT didn't include the nLockTime value and there is a velocity limit in the policy.
    • nLockTime not height: Can't use a Unix timestamp for nLockTime, must be blocks.
    • rewound: The block height of the current PSBT is lower than the last signed PSBT.
    • velocity: The PSBT is too recent for the velocity limit, compared to the last signed PSBT.
    • whitelist: A destination address was not in the whitelist.
    • 2FA fail: Web 2FA was not completed successfully.

  • Word Check: Enabling this option will require you to know the first and last seed words of the Master Seed, along with the Spending Policy Unlock PIN and Main PIN, to bypass SSSP mode.
  • Allow Notes (Q Only): Allow read-only access to the Secure Notes & Passwords database while in SSSP mode.
  • Related Keys: This gives access to BIP-39 passphrase wallets, the Seed Vault (read-only), and Temporary Seeds in SSSP mode. The spending policy set for single signers is applied to them all.
  • Remove Policy: Removes the Spending Policy Unlock PIN, and all policy settings.
  • Test Drive: Test how the COLDCARD will operate in SSSP mode with your current settings. A new option will be added to the Main Menu for when you are done testing: EXIT TEST DRIVE. You may also reboot to exit the test drive.
  • ACTIVATE: Activate SSSP mode after a confirmation. The COLDCARD will immediately go to the new, limited Main Menu and enable the spending policy. Rebooting the COLDCARD, and unlocking it with your Main PIN, will not disable SSSP.

    For instructions on bypassing SSSP once activated, see: Disable SSSP.

Use Test Drive Before Activating SSSP!

SSSP can only be disabled when the Spending Policy Unlock PIN is entered (and possibly the first and last seed words), or the seed is destroyed and you restore from seed words or a backup. Therefore, using Test Drive is highly recommended before activating SSSP.

Signing PSBTs in SSSP Mode

For general instructions on PSBT creation and signing, check out our guide: Ready To Sign?.

In SSSP mode the PSBT signing process is basically identical to normal operation, however there are two things to know:

  1. The COLDCARD will refuse to sign transactions that violate the spending policy, without giving any details.
  2. The PSBT must include an nLockTime value if there is a Limit Velocity in the spending policy.

Policy Violations

When a policy violation is detected in a PSBT, the COLDCARD will refuse with a generic message that doesn't give specific details about the violation that occurred. This is to prevent adversaries from gaining information about your spending policy.

The last violation that occurred will always be available by disabling SSSP, and then going to: Advanced/Tools > Spending Policy > Single-Signer > Last Violation.

Click on the box below to see a list of the violation codes and their meaning.

Policy Violation Reason Codes
  • has warnings: Any warning from the PSBT, even unrelated to the spending policy, will be rejected.
  • magnitude: Sent more than the maximum amount of Bitcoin allowed per transaction.
  • no nLockTime: The PSBT didn't include the nLockTime value and there is a velocity limit in the policy.
  • nLockTime not height: Can't use a Unix timestamp for nLockTime, must be blocks.
  • rewound: The block height of the current PSBT is lower than the last signed PSBT.
  • velocity: The PSBT is too recent for the velocity limit, compared to the last signed PSBT.
  • whitelist: A destination address was not in the whitelist.
  • 2FA fail: Web 2FA was not completed successfully.

Limit Velocity & nLockTime

When using a Velocity Limit in the spending policy, it is up to the user to provide a "correct" nLockTime value in the PSBT. For the Limit Velocity policy to function properly, the COLDCARD expects nLockTime to be set to the current best block height. Issues like a missing nLockTime, using a timestamp instead of a block height, setting nLockTime to past values the COLDCARD has already seen, or just failing to wait the necessary number of blocks since the last transaction will cause the COLDCARD to refuse signing.

The transaction's nLockTime value depends on the external wallet you use to create the PSBT. The table below outlines nLockTime behavior for common wallets, along with a recommendation of which to use with SSSP:

| Wallet Name     | nLockTime Value       | Recommended |
|-----------------|-----------------------|-------------|
| Sparrow Wallet  | Current block height  | YES         |
| Nunchuk         | 0                     | YES         |
| Blue Wallet     | 0                     | NO          |
| Electrum        | Current block height* | YES*        |
| Wasabi Wallet   | Current block height* | YES*        |
| Bitcoin Core    | Current block height* | YES*        |
| Bitcoin Keeper  | 0                     | NO          |
| Specter Desktop | Current block height  | YES         |

* Some wallets, like Bitcoin Core and Electrum, implemented nLockTime randomization to combat wallet fingerprinting. For ~10% of transactions, these wallets do not use the current best block height as nLockTime, but instead use the formula nLockTime = block_height - randint(100). This is a problem for frequent spenders, because the nLockTime in transaction B can be smaller than the nLockTime in transaction A, which was signed first on the COLDCARD. Transaction B would be rejected as "rewound" because the COLDCARD has already saved the block height from transaction A, whose nLockTime is higher. If your spends are more than 100 blocks (17 hrs) apart, this randomization should have no impact.

Users are recommended to use wallets with "correct" nLockTime behavior (the ones marked YES in the table above) if they set up Limit Velocity in the spending policy. For those who need to use different wallets, nLockTime can be adjusted manually after the PSBT has been created.
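A pre-flight check for the nLockTime rules described in this section, as an added example (it is not COLDCARD firmware code): it reads nLockTime from a PSBT v0 and models the four velocity-related reason codes. Assumptions: a value of 0 counts as a missing nLockTime, the check order and the exact gap boundary are guesses, all function names are hypothetical, and the sample PSBT is constructed.

```python
import base64
import struct

# Bitcoin rule: nLockTime below this value is a block height, at or above it a Unix time.
LOCKTIME_THRESHOLD = 500_000_000


def compact_size(buf, pos):
    """Decode a Bitcoin compact-size integer at pos; return (value, next_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width


def psbt_nlocktime(psbt):
    """Read nLockTime from the unsigned transaction of a PSBT v0 (base64 str or raw bytes)."""
    raw = psbt if isinstance(psbt, bytes) else base64.b64decode(psbt)
    if raw[:5] != b"psbt\xff":
        raise ValueError("not a PSBT")
    pos = 5
    while pos < len(raw):
        key_len, pos = compact_size(raw, pos)
        if key_len == 0:  # separator: the global map ended without an unsigned tx
            break
        key, pos = raw[pos:pos + key_len], pos + key_len
        val_len, pos = compact_size(raw, pos)
        value, pos = raw[pos:pos + val_len], pos + val_len
        if key == b"\x00":  # PSBT_GLOBAL_UNSIGNED_TX; its last 4 bytes are nLockTime
            return struct.unpack("<I", value[-4:])[0]
    raise ValueError("no unsigned transaction found (PSBT v2 is not handled)")


def velocity_verdict(nlocktime, last_height, min_gap):
    """Return the reason code this page lists for the situation, or None if it passes."""
    if nlocktime == 0:  # assumption: 0 (locktime disabled) is treated as missing
        return "no nLockTime"
    if nlocktime >= LOCKTIME_THRESHOLD:
        return "nLockTime not height"
    if last_height is not None:
        if nlocktime < last_height:
            return "rewound"
        if nlocktime - last_height < min_gap:  # assumption: exact boundary
            return "velocity"
    return None


def check_sequence(psbts, min_gap):
    """Evaluate PSBTs in signing order; the saved height advances only on a pass."""
    last, results = None, []
    for p in psbts:
        height = psbt_nlocktime(p)
        verdict = velocity_verdict(height, last, min_gap)
        results.append((height, verdict))
        if verdict is None:
            last = height  # saved at signing time, even if never broadcast
    return results


def sample_psbt(locktime):
    """Constructed sample: minimal one-input, one-output PSBT v0 with the given nLockTime."""
    tx = (struct.pack("<i", 2) + b"\x01" + bytes(32) + struct.pack("<I", 0) + b"\x00"
          + struct.pack("<I", 0xFFFFFFFD) + b"\x01" + struct.pack("<q", 50_000)
          + b"\x16\x00\x14" + bytes(20) + struct.pack("<I", locktime))
    psbt = b"psbt\xff\x01\x00" + bytes([len(tx)]) + tx + b"\x00\x00\x00"
    return base64.b64encode(psbt).decode()


if __name__ == "__main__":
    # 899945 models a randomized locktime (900005 - 60) created after the first spend.
    heights = [900000, 899945, 900010, 900144, 0, 1_700_000_000]
    for height, verdict in check_sequence([sample_psbt(h) for h in heights], 144):
        print(height, verdict or "ok")
```

The second PSBT in the demo shows the randomization case from the footnote: it was created after the first one, yet its lower nLockTime reads as "rewound".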

Nunchuk: Enable "Correct" nLockTime Behavior
  1. Open Nunchuk and select Profile -> Fee settings

  2. Select the checkbox Enable Anti-Fee Sniping by default and hit Save fee settings

Sparrow: Steps to Fix Locktime Errors in PSBTs
  1. Use Sparrow to open the transaction. The wallet does not need to be known by Sparrow. You can open the transaction from a file, by pasting the transaction details from your clipboard, or by scanning a QR code.

    Select File > Open Transaction from the menu bar, and then choose the method you would like to use to import the PSBT.

  2. The transaction overview is shown first.

  3. Select the Details tab from the right side of the window. You can see that the Absolute Locktime field is set to Disabled.

  4. Select the Block tab under the Absolute Locktime field.

  5. Click Set current height.

  6. The last step is to get the fixed PSBT back to the COLDCARD for signing. You can do that by saving the PSBT to a file on your SD card, or sharing it as a BBQr code (Q only).

    • To save as a file, select File > Save PSBT from the menu bar. Then you are free to choose As Binary... or As Base64....

      Make sure to save the file to your SD card, insert it back in the COLDCARD, and then retry to sign the PSBT.

    • If you are using the COLDCARD Q, you can simply scan a BBQr code to begin signing. Head to File > Show PSBT as QR... from the menu bar. Then click Show BBQr at the bottom of the QR screen.

      Hit the QR button on the Q and scan the BBQr code to initiate signing the modified PSBT.

Disable SSSP

Disable SSSP with the Policy Unlock PIN

The easiest way to bypass SSSP mode is by using the Policy Unlock PIN, followed by your Main PIN, when powering on the COLDCARD.

This will give you access to all menu items, and allow you to make changes to the spending policy, SSSP settings, or view the last violation code.

Expand the box below for instructions on disabling SSSP using the Policy Unlock PIN.

Steps to Disable SSSP With the Policy Unlock PIN

This is similar to your normal unlock procedure, but this time you will be entering your Policy Unlock PIN and then your Main PIN. For each PIN you should be checking the anti-phishing words against your backup. DO NOT PROCEED IF YOUR ANTI-PHISHING WORDS HAVE CHANGED!

If Your Anti-Phishing Words Have Changed

If your anti-phishing words have changed after entering your PIN prefix, DO NOT enter your PIN suffix. In this case your device has most likely been tampered with in some way, and is no longer trustworthy. You should securely dispose of the old device, and use a backup to restore on a new COLDCARD.

  1. Turn the COLDCARD on.

  2. At the PIN entry prompt, enter your Policy Unlock PIN prefix and hit /ENTER.

  3. Check that your anti-phishing words are correct.

  4. If your anti-phishing words are correct, enter your Policy Unlock PIN suffix and tap /ENTER.

  5. You'll need to enter your Main PIN next. When you're ready, press /ENTER.

  6. At the next PIN entry prompt, enter your Main PIN prefix and hit /ENTER.

  7. See if your anti-phishing words match your backup.

  8. As long as your anti-phishing words haven't changed, you can enter your Main PIN suffix and click /ENTER.

  9. SSSP mode is now disabled on your COLDCARD. You have access to all menus and features.

    To enable SSSP mode again, or tweak its settings, head to: Advanced/Tools > Spending Policy > Single Signer.

Disable SSSP By Destroying Seed

If you no longer have access to the Policy Unlock PIN, you can disable SSSP mode by destroying the Master Seed. After the seed is destroyed, your Main PIN will still unlock the COLDCARD, but there will be no seed. You will have to recover your Master Seed from a written backup, or a backup file.

Destroying the Master Seed Wipes All Data!

The process of destroying your Master Seed will cause you to lose access to all funds associated with that seed, and also erase all settings, multisig wallets, Seed Vault, Temporary Seeds, Trick PINs, and Secure Notes & Passwords.

Importing your seed words will give you access to the funds on that wallet, but will not restore any other information that was wiped. The only way to completely restore your COLDCARD after destroying the seed is to use a backup file.

Use this dropdown to see the steps for disabling SSSP by destroying the seed, and then restoring from the seed words or a backup file.

Steps to Disable SSSP by Destroying the Seed

This method of disabling SSSP involves entering your Main PIN two different times. For each PIN you should be checking the anti-phishing words against your backup. DO NOT PROCEED IF YOUR ANTI-PHISHING WORDS HAVE CHANGED!

If Your Anti-Phishing Words Have Changed

If your anti-phishing words have changed after entering your PIN prefix, DO NOT enter your PIN suffix. In this case your device has most likely been tampered with in some way, and is no longer trustworthy. You should securely dispose of the old device, and use a backup to restore on a new COLDCARD.

  1. Power on, and unlock your COLDCARD using the Main PIN.

  2. From the Main Menu of the COLDCARD, select: Advanced/Tools > Destroy Seed.

  3. Read the warnings carefully, and make sure you understand the risks in destroying your Master Seed. To prove you've read to the end, you'll have to press a special key to continue with destroying the seed.

  4. After the erasing process has completed, the COLDCARD will start back up.

  5. At the PIN entry prompt, enter your Main PIN prefix.

  6. See if your anti-phishing words match your backup.

  7. As long as your anti-phishing words haven't changed, you can enter your Main PIN suffix.

  8. You are now on the Main Menu that is used when no Master Seed is set up.

  9. Select Import Existing.

  10. On the Import Existing Menu, choose your method of importing your Master Seed. For detailed instructions on the different import methods, see: Import an Existing Seed.

Limitations

  • Velocity Limit:
    • Takes into account the Max Magnitude set per transaction, and the required minimum block height gap.
    • Previous block height is determined by the nLockTime value of the last signed PSBT.
    • If a PSBT is signed, but never broadcast, you will still have to wait for the number of blocks set in the velocity policy.
    • If the velocity is not set to Unlimited, your PSBT creator must include the nLockTime value (most do to avoid fee sniping).
  • A maximum of 25 whitelisted addresses can be stored.
  • Any number of mobile devices can be enrolled for Web 2FA, but they will all share the same secret.
  • Any warning at all, not just policy violations, from the PSBT will prevent signing.

Tips and Tricks

Money Manager Mode

You could set up a COLDCARD for another person, perhaps a family member, and enable web 2FA authentication. There does not need to be any other spending policy limits (velocity could be unlimited). Then enroll your own phone with the required 2FA values, and keep both that and the Policy Unlock PIN confidential.

The holder of the COLDCARD will need a 2FA code from your phone when they want to spend. They can call you for the 6-digit code from the 2FA app on your phone. This is not hard to provide over a voice call.

Because a spending policy is in effect, they will not be able to see the seed words, or other private key material, so regardless of any spoofing or phishing, they cannot move funds without your help.

You should record the Policy Unlock PIN, so it can be revealed somehow, should you die. You do not need to share the risks associated with holding a copy of the seed words.

Passphrase Considerations

If you are using the same BIP-39 passphrase for everything, you should probably do a Lock Down Seed (Advanced/Tools > Danger Zone > Seed Functions) first. This takes your Master Seed and BIP-39 passphrase and cooks them together into an XPRV which then is stored as your Master Secret. (Replacing the Master Seed phrase.) This process cannot be reversed, so other funds you may have on the same seed words are protected.

Once you are operating in XPRV mode, you can define a spending policy, and know that it is restricted to only that wallet. In addition, in XPRV mode the Passphrase menu item is not shown because BIP-39 passwords cannot be applied to XPRV secrets.

Trick PIN Thoughts

When doing your game theory with regards to bypass mode and this feature, remember that you should assume the attacker already has your Main PIN. That's how they know they cannot spend all your Bitcoin, because they either tried to, or noticed the menus are very limited. They also have all your UTXO locations and total wallet balance (because they can export your XPUBs to any wallet and load the balance from there).

Therefore, a Trick PIN that leads to a duress wallet after giving up the Policy Unlock PIN, will not fool them. Best would be to provide a false Policy Unlock PIN that is in fact a brick/wipe PIN.

Lock Out Changes to Policy

Once a Policy Unlock PIN has been created, you will find it in the Trick PIN Menu. You could delete or "hide" it. Hiding it is pointless since you cannot get to the Trick PIN Menu while SSSP is enabled. Deleting the PIN however, is useful because it assures changes to spending policy are impossible. To recover the COLDCARD when this move is later regretted, use the instructions in the section: Disable SSSP By Destroying Seed.

Unlock Policy & Wipe

We've provided a new Trick PIN that pretends to be the Policy Unlock PIN, so the login sequence is correct, but it will wipe the seed in the process. It will be obvious to your attackers that you've wiped the seed because the Main PIN will lead to a blank wallet now (no seed loaded).

Delta Mode and Spending Policy

If, from the start, you gave your "Delta Mode PIN" to the attackers, then when they bypass the policy (after also getting the Policy Unlock PIN from you), they will still be in Delta Mode.

They could attempt unlimited spending, but transactions signed will not be valid. If they try to view the seed words or generally export private key material, they will hit many of the "wipe seed if delta mode" cases.

Multisig Wallets

The spending policy affects all enrolled Multisig Wallets the same way it does Single Signer wallets. However, it is not possible to enroll new multisig wallets while in SSSP mode.