The signing step on a hardware wallet is not a formality, but a security checkpoint. It is the last moment at which the details can be independently verified before funds leave your control.
Verification goes beyond the signing event. Reviewing your transaction in the mempool and confirming what happened on-chain after confirmation is the other half of the process.
What is On-Device Transaction Verification?
On-device transaction verification means reading and confirming the transaction details displayed on the hardware wallet's screen before approving the signing step.
The device displays the destination address, amount, change address, and total fee, all derived from the raw PSBT data independently of what the coordinator software reports.
A PSBT includes input UTXO information that allows the device to calculate the fee from the difference between inputs and outputs, decode destination addresses from the actual output scripts, and show what the transaction actually contains.
This makes the device screen the trust boundary in the signing workflow. The coordinator software, the host computer, and any connected network are all untrusted surfaces. The device screen reads transaction data directly, isolated from any software that could be compromised.
Coldcard devices display all four fields before the signing step. The user must confirm on-device before the device produces the signed transaction. The Coldcard Q model's larger screen displays full addresses more comfortably, making comparison straightforward.
On-device verification is a required step for every transaction, not only large ones. There is no reliable way to know in advance whether a transaction has been tampered with, and a tampered transaction looks identical to a legitimate one on the coordinator screen.
What is an Address Replacement Attack?
An address replacement attack is a primary transaction-level threat in bitcoin self-custody. Clipboard malware running silently on the host computer detects when a bitcoin address is copied and replaces it with the attacker's address at the moment of pasting.
The user pastes the attacker's address into the coordinator software, the transaction is constructed with it encoded in the output script, and the user signs and broadcasts with no indication that a substitution occurred.
In this situation, the coordinator software can show whatever address was pasted, displaying the tampered transaction as if it were legitimate. The device, by contrast, decodes the destination address from the actual output scripts in the PSBT.
If the PSBT contains the attacker's address, the device displays it. A user who reads the device screen will see an unfamiliar address that does not align with their intended recipient, and can cancel before signing.
Address comparison requires deliberate attention. At minimum, you should check the first four and last four characters of the displayed address against the address you received from the intended recipient through a trusted channel (typed directly, shared in person, or confirmed by phone). For large or important sends, compare the full address string character by character. For very large transfers, confirm the address through a separate communication channel before building the transaction at all.
Anti-virus software and clipboard monitoring tools can detect known malware variants but cannot provide a categorical guarantee. The device screen check is the only defence that verifies the actual transaction data, regardless of what the host computer shows.
What is Blind Signing?
Blind signing means approving a transaction on a hardware wallet without reading the transaction details on the device screen. It occurs in several distinct scenarios, each removing the verification capability for a different reason. A device without a screen, or with a screen too small to display a full address, leads to blind signing by design, leaving trust in the coordinator software as the only input to the signing decision.
PSBT blind signing occurs when the PSBT is missing input UTXO data. Without UTXO data, the device cannot calculate the fee (the difference between inputs and outputs) and cannot confirm how much is actually being spent. Some devices allow signing in this state with a warning. Coldcard devices refuse to sign transactions that are missing PSBT input UTXO data.
Workflow blind signing occurs when a signing workflow passes transactions through a software layer that strips PSBT fields or presents an abbreviated confirmation screen. This can happen with browser extensions, mobile wallets, or integration layers that do not pass the full PSBT to the device. Always verify that the coordinator is passing a complete PSBT with input UTXO data and that all four verification fields appear on the device display before signing.
If any of these four fields is absent from the device display, the user is signing blind. The correct response is to stop and investigate why the field is missing before proceeding.
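The fee calculation (inputs minus outputs) and the missing-UTXO case described above, as an added example that is not Coldcard firmware or code from this article: a minimal BIP 174 (PSBT v0) reader in Python. It reads input amounts only from the witness_utxo field and returns output scripts as raw bytes rather than encoded addresses; the function names and the sample PSBT are constructed for illustration.

```python
def varint(b, i):  # compact-size integer at offset i -> (value, next offset)
    if b[i] < 0xfd:
        return b[i], i + 1
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}[b[i]]
    return int.from_bytes(b[i + 1:i + 1 + size], "little"), i + 1 + size

def read_map(b, i):  # one PSBT key-value map, ending at its 0x00 separator
    fields = {}
    while b[i] != 0:
        klen, i = varint(b, i)
        key, i = b[i:i + klen], i + klen
        vlen, i = varint(b, i)
        fields[key], i = b[i:i + vlen], i + vlen
    return fields, i + 1

def parse_outputs(tx):  # unsigned tx -> (input count, [(sats, scriptPubKey)])
    n_in, i = varint(tx, 4)              # skip the 4-byte version
    for _ in range(n_in):                # outpoint (36 bytes), scriptSig, sequence
        slen, i = varint(tx, i + 36)
        i += slen + 4
    n_out, i = varint(tx, i)
    outs = []
    for _ in range(n_out):
        slen, j = varint(tx, i + 8)
        outs.append((int.from_bytes(tx[i:i + 8], "little"), tx[j:j + slen]))
        i = j + slen
    return n_in, outs

def review(psbt):
    """What a signer can derive: outputs, fee, and inputs lacking amount data."""
    if psbt[:5] != b"psbt\xff":
        raise ValueError("not a PSBT")
    glob, i = read_map(psbt, 5)
    n_in, outs = parse_outputs(glob[b"\x00"])    # global key 0x00: unsigned tx
    amounts = []
    for _ in range(n_in):
        fields, i = read_map(psbt, i)
        utxo = fields.get(b"\x01")               # input key 0x01: witness_utxo
        amounts.append(int.from_bytes(utxo[:8], "little") if utxo else None)
    blind = [k for k, a in enumerate(amounts) if a is None]
    fee = None if blind else sum(amounts) - sum(v for v, _ in outs)
    return {"outputs": outs, "fee": fee, "blind_inputs": blind}

# Constructed sample: one 100,000-sat input paying 50,000 and 48,000 sats.
TX = ("0200000001" + "11" * 32 + "0000000000fdffffff02" + "50c3000000000000160014"
      + "22" * 20 + "80bb000000000000160014" + "33" * 20 + "00000000")
UTXO = "a086010000000000160014" + "44" * 20
FULL = bytes.fromhex("70736274ff010071" + TX + "00" + "01011f" + UTXO + "00" + "0000")
STRIPPED = bytes.fromhex("70736274ff010071" + TX + "00" + "00" + "0000")
```

`review(FULL)` yields a fee of 2,000 sats, while `review(STRIPPED)` yields no fee and lists input 0 as lacking amount data, which is the PSBT blind signing condition.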
How Do I Verify a Bitcoin Transaction Correctly?
Correct on-device verification follows a specific sequence. Each field answers a different security question, and checking all four is what makes the verification complete.
Before confirming any transaction, verify these four fields in order:
- Destination address. Does the address on the device screen exactly match the address you received from the intended recipient? Compare at minimum the first four and last four characters. For significant amounts, compare the full string. If the address is unfamiliar or does not match, cancel and do not proceed.
- Amount. Does the amount displayed match what you intended to send? A tampered PSBT may modify the amount or add a second output you did not authorize.
- Change address. Is the change address shown on the device one of your own wallet addresses? Your wallet software should identify change addresses, and the device may also label them. An unrecognised change address is a warning sign that the change may be redirected to an attacker.
- Fee. Is the fee reasonable for current conditions? Compare the fee against what the coordinator displayed. A discrepancy, particularly a much larger fee than expected, may indicate that excess value is being routed to an attacker-controlled output under the label of a fee.
Only after confirming all four fields should you approve the signing step on the device. If any field does not match expectations, cancel the transaction.
Bitcoin transactions are irreversible once confirmed. Canceling a transaction that looks wrong costs nothing. Signing a tampered one costs everything in that UTXO.
How Do I Verify a Transaction After Broadcast?
Once a transaction has been signed and broadcast, verification does not stop. Confirming what actually happened on-chain is a useful final step, particularly for large sends or when something felt uncertain during the signing process.
- Find your transaction. Your coordinator (such as Sparrow Wallet) will display the txid immediately after broadcast. You can copy it and search for it on mempool.space or another block explorer. An unconfirmed transaction will appear in the mempool with its fee rate, inputs, and outputs visible. A confirmed transaction will show the block it was included in and the number of confirmations it has accumulated.
- Verify the on-chain record. Once confirmed, check that the destination address in the block explorer matches the address you verified on the device screen. Confirm the amount sent and the fee paid. These figures come directly from the blockchain and cannot be altered after confirmation. If anything looks unexpected, it is worth reviewing your signing workflow to understand how it happened.
- Track accumulating confirmations. For large transfers, check back periodically to see the confirmation count increasing. Each new block built on top of the one containing your transaction adds another confirmation. Six confirmations is the conventional threshold for high-value finality.
- Verify received payments. When you are on the receiving end, check your wallet's transaction history or search your receiving address on a block explorer to confirm the payment arrived at the correct address and in the expected amount. Verify that the UTXO is now listed as spendable in your wallet software. If you are waiting on a payment from a counterparty, the txid they provide lets you check the broadcast and confirmation status independently, without relying solely on their word.
A Note On Privacy
Querying a public block explorer by address or txid sends that information to the operator's servers along with your IP address, which can be used to link your searches to your identity. For routine post-broadcast checks, this may be a minor concern, but for sensitive transactions it is worth being deliberate.
Running your own node and using it as your block explorer eliminates this exposure entirely. If that is not an option, using Tor or a VPN when querying a public explorer reduces but does not eliminate the risk.