Commit a879627

Explain unintentional initiation of recovery-plan.
1 parent 5538fb4 commit a879627

1 file changed

+9
-1
lines changed

bip-timelock-recovery-storage-format.mediawiki

Lines changed: 9 additions & 1 deletion
@@ -65,9 +65,17 @@ pre-signed transactions:
6565

6666
A ''Timelock-Recovery plan'' consists of two transactions:
6767

68-
* ''Alert Transaction'': A mostly-consolidation transaction that keeps most funds in the original wallet, except for a fee and a small fixed amount that goes to ''anchor-addresses'' - addresses which can be used to accelerate the ''Alert Transaction'' via CPFP. The majority of funds should remain on the original wallet, in a new previously-unused address which we call the ''alert-address''. We use the term ''Alert Transaction'' because it should alert the user that the recovery-plan has been triggered, giving them a limited time to prevent the majority of the funds from moving to the secondary wallets.
68+
* ''Alert Transaction'': A mostly-consolidation transaction that keeps most funds in the original wallet, except for a fee and a small fixed amount that goes to ''anchor-addresses'' - addresses which can be used to accelerate the ''Alert Transaction'' via CPFP. The majority of funds should remain on the original wallet, in a new previously-unused address which we call the ''alert-address''. We use the term ''Alert Transaction'' because monitoring the blockchain and looking for it should alert the user that the recovery-plan has been initiated (intentionally, unintentionally or maliciously).
6969
* ''Recovery Transaction'': The transaction that moves the funds from the alert-address UTXO from the ''Alert Transaction'' to one or more addresses of secondary wallets (each may receive a different amount). This transaction should have a special <code>nSequence</code> relative-locktime according to the size of cancellation-period requested by the user, following the rules of [[bip-0068.mediawiki|BIP-68]].
7070
71+
With a reliable tool to monitor the blockchain and look for the ''Alert Transaction''
72+
and/or ''Alert Address'', the user can safely save online backups of the recovery-plan's
73+
JSON file.
74+
If the presigned transactions have leaked and the ''Alert Transaction'' has been broadcast
75+
unintentionally, the user has the cancellation-period (which is expected to be at least a
76+
few days) to stop the majority of funds from moving, by sending them to a new address, thus
77+
invalidating the ''Recovery Transaction''.
78+
7179
It is important that the ''Alert Transaction'' will be non-malleable (e.g. by using
7280
[[bip-0140.mediawiki|BIP-140]]).
7381
If a malleable ''Alert Transaction'' is used, a malicious miner could replace the
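
Review bot: In the paragraph added at new lines 71-77, "the user can safely save online backups" rests entirely on the monitoring tool, but the text never states the condition that makes it safe: the user has to notice the ''Alert Transaction'' and get a spend of the alert-address UTXO confirmed before the <code>nSequence</code> relative-locktime on the ''Recovery Transaction'' expires. Suggest stating that condition explicitly, so that "at least a few days" reads as a lower bound on how often the monitor must be checked rather than as a reassurance. Also suggest replacing "by sending them to a new address" with wording that names the alert-address UTXO, since that output is the input the ''Recovery Transaction'' spends and moving it is what invalidates that transaction. Finally, "''Alert Address''" in new line 72 does not match the "''alert-address''" term defined in line 68; pick one spelling and use it throughout.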
