RGB Protocol: Smart Contracts and Assets on Bitcoin
How RGB enables smart contracts and token issuance on Bitcoin using client-side validation.
The RGB protocol brings smart contracts and programmable assets to Bitcoin without modifying Bitcoin's core protocol. Instead of executing contract logic on-chain (as Ethereum does), RGB uses client-side validation: all state data lives off-chain, and Bitcoin serves only as a commitment and ownership layer. The result is a system capable of issuing tokens, running Turing-complete smart contracts, and supporting confidential transactions, all while preserving Bitcoin's security model and avoiding chain bloat.
Originally envisioned in 2016 by Giacomo Zucco, RGB builds on earlier ideas from Peter Todd around client-side validation and single-use seals. Since 2019, Dr. Maxim Orlovsky and the LNP/BP Standards Association have led the protocol's development. The v0.12 release in July 2025 marked a major milestone, introducing zk-STARK support and simplifying the consensus layer for production readiness.
What Is Client-Side Validation?
In blockchain-based smart contract systems like Ethereum, every node validates every transaction globally. This creates a shared, transparent ledger but limits scalability and privacy. Client-side validation takes the opposite approach: only the parties directly involved in a contract validate its state. Bitcoin's blockchain is used solely to anchor cryptographic commitments that prove state transitions occurred, without revealing their contents.
When you receive an RGB asset, the sender provides you with a consignment: a bundle of cryptographic proofs tracing the asset's history back to its genesis (the original issuance). Your wallet validates this entire chain locally. No third party, miner, or full node needs to see or process the contract data. To everyone else on the Bitcoin network, an RGB transaction looks like a normal Bitcoin transaction.
Privacy by default: Because contract state never touches the blockchain, RGB transactions are private unless participants choose to disclose them. Outside observers cannot determine whether a Bitcoin transaction carries an RGB commitment, what assets are involved, or who the counterparties are.
Commitments on Bitcoin
RGB anchors its state to Bitcoin using deterministic commitments embedded in Taproot outputs (called "tapret") or OP_RETURN outputs (called "opret"). These commitments use a Merkle tree structure that allows multiple RGB contracts to share a single Bitcoin transaction output. The commitment proves that a state transition happened at a specific point in Bitcoin's timeline without revealing what changed.
This design means RGB adds zero additional data to Bitcoin blocks beyond what a normal transaction already contains. There is no chain bloat, no increased storage burden on full nodes, and no special indexing requirement.
How Single-Use Seals Prevent Double-Spending
The core security mechanism in RGB is the single-use seal, a concept Peter Todd introduced in 2016. A single-use seal binds a piece of contract state to a specific Bitcoin UTXO. To update that state (for example, to transfer an asset), you must spend that UTXO on the Bitcoin blockchain. Spending a UTXO can only happen once, which is enforced by Bitcoin's consensus rules. This means each piece of RGB state can only be updated once, effectively preventing double-spending at the Bitcoin layer.
The process works in three steps. First, a seal is defined: contract state is assigned to a specific Bitcoin transaction output. Second, the seal is closed: the owner spends that output in a Bitcoin transaction that commits to the new state. Third, a new seal is created: the updated state is assigned to a fresh UTXO. Anyone holding the contract's history can verify that each seal was closed exactly once and that no conflicting state transitions exist.
Why this matters for tokens
Single-use seals give RGB a double-spend protection mechanism that is as strong as Bitcoin's own. Unlike systems that rely on a separate consensus layer or a federation to prevent double-spending, RGB inherits Bitcoin's proof-of-work security directly. If an attacker wanted to double-spend an RGB asset, they would need to reverse a confirmed Bitcoin transaction, which requires overwhelming the entire Bitcoin mining network.
RGB Architecture: Schema, Genesis, and State Transitions
RGB organizes smart contracts around three core concepts: schemas define the rules, genesis operations create contracts, and state transitions update them.
Schema
A schema is a template that defines what a contract can do. It specifies which types of state are allowed, what metadata the contract carries, which scripts govern validation, and how state transitions must be structured. Think of a schema as a class definition in object-oriented programming: it sets the rules that all instances (contracts) must follow. The RGB-20 schema, for example, defines the rules for fungible tokens, while RGB-21 handles non-fungible assets.
Schemas can include Turing-complete validation scripts that run on AluVM (Arithmetic Logic Unit Virtual Machine), RGB's execution environment. AluVM uses only 40 instructions and limits computation through a cumulative complexity measure similar to Ethereum's gas model, ensuring that validation always terminates.
Genesis
Every RGB contract begins with a genesis operation. This is the initial data block created by the contract issuer. It defines the starting state: for a fungible token, this means the total supply, token name, precision (decimal places), and the initial distribution of tokens to specific single-use seals. All subsequent state transitions must trace back to this genesis through a directed acyclic graph (DAG) of operations.
State transitions
A state transition is the primary operation for updating contract state. It references one or more previous states (from genesis or earlier transitions), closes the associated seals by spending the corresponding Bitcoin UTXOs, and defines new state assigned to fresh seals. The transition is committed to the Bitcoin blockchain through an anchor, which connects the on-chain commitment to the off-chain RGB validation structure.
Because each input seal can only be referenced once, and Bitcoin consensus enforces that each UTXO can only be spent once, double-spending a state transition is impossible. The entire history forms a DAG where every node can be independently verified by any party holding the relevant consignment data.
| Concept | Role | Analogy |
|---|---|---|
| Schema | Defines contract rules and validation logic | Class definition |
| Genesis | Creates the contract with initial state | Constructor call |
| State transition | Updates state by closing and creating seals | Method invocation |
| Consignment | Proof bundle sent to recipients for validation | Transaction receipt with full audit trail |
| Anchor | Connects RGB commitment to Bitcoin transaction | Notarization stamp |
Issuing and Transferring an RGB Asset
To understand how RGB works in practice, consider the lifecycle of a fungible token issued under the RGB-20 schema.
Step 1: Issuance (Genesis)
The issuer creates a genesis operation defining the token's properties: name, ticker, total supply, and decimal precision. The initial supply is assigned to one or more single-use seals, each tied to a Bitcoin UTXO controlled by the issuer. This genesis data is stored off-chain by the issuer and shared with initial recipients via consignments.
Step 2: First transfer
When the issuer sends tokens to Alice, they create a state transition that closes the seal on their UTXO and assigns the tokens to a new seal defined on one of Alice's UTXOs. The issuer spends the original UTXO in a Bitcoin transaction that includes a tapret commitment to the state transition. Alice receives a consignment containing the genesis and the state transition, which her wallet validates locally.
Step 3: Subsequent transfers
When Alice sends tokens to Bob, the same process repeats. Alice closes her seal, commits the new state transition to Bitcoin, and sends Bob a consignment containing the full history: genesis, the issuer-to-Alice transition, and the Alice-to-Bob transition. Bob's wallet verifies the entire chain. As the asset changes hands more times, consignments grow longer, though mechanisms like state pruning and zk-STARK proofs (introduced in v0.12) can compress this history.
Blinded UTXOs: Recipients can provide blinded UTXO references, meaning the sender does not learn which specific Bitcoin output the tokens are assigned to. This adds an additional layer of privacy: even the counterparty in a transfer cannot track where the asset lives on-chain.
RGB on Lightning: The Bifrost Protocol
RGB is designed to work not only on Bitcoin's base layer but also over the Lightning Network. The integration happens through Bifrost, an extension to Lightning's peer-to-peer protocol that enables RGB state transfers within payment channels.
Bifrost allows nodes to store and propagate encrypted RGB consignment data, acting as a generalized version of Lightning watchtowers. Any node can store public schema information, encrypted payment consignments, and asset metadata for a fee. The protocol also supports channel constructions that can carry RGB state transitions alongside regular Lightning payments.
The LNP/BP Standards Association maintains formal specifications for Bifrost channels (LNPBP-50 through LNPBP-55), and an LNP Node implementation written in Rust supports both standard BOLT Lightning and Bifrost natively. This means RGB assets can theoretically be transferred with the same speed as Lightning payments: near-instant and with minimal fees.
What Bifrost enables
- Transfer of RGB-20 fungible tokens over Lightning channels
- Decentralized exchanges (DEXes) for RGB assets via atomic multiparty state changes
- Decentralized storage for large media data attached to NFTs
- Support for PTLCs and Taproot-native channel constructions
- Multiparty coordinated state changes across contracts
RGB v0.12: Production Readiness with zk-STARKs
Released on July 10, 2025, RGB v0.12 represented the protocol's most significant upgrade. The release achieved a 4x reduction in consensus code size (from 8,610 lines to 3,198) and over 90% test coverage, with formal guarantees against block reorganization attacks.
Key changes in v0.12
The most notable change was replacing Pedersen commitments and Bulletproofs with native zk-STARK support. Bulletproofs had never been implemented for Bitcoin's secp256k1 curve, creating a years-long bottleneck. zk-STARKs provide more efficient, transparent zero-knowledge proofs that enable confidential transactions, compressed history verification, and scalable contract auditing.
The release also unified the contract state model. Previously, RGB contracts could have three separate state forms: fungible, structured (non-fungible), and blob attachments. In v0.12, these were merged into a single state type, reducing the codebase and the attack surface. The seal model was similarly unified, combining Taproot-based and OP_RETURN-based contracts into a single interface with automatic fallback.
For smart contract developers, v0.12 introduced zk-AluVM, a Turing-complete virtual machine with only 40 instructions that operates in an arithmetized form compatible with zk-STARK provers. Higher-level contract programming is planned through Contractum, a functional and declarative language inspired by Haskell that compiles to AluVM bytecode.
Comparing Bitcoin Token Approaches
RGB is not the only way to issue tokens on Bitcoin. Ordinals, Runes, and BRC-20 each take different approaches with distinct tradeoffs. Understanding these differences is important for evaluating which approach suits a given use case.
| Feature | RGB | Ordinals | Runes | BRC-20 |
|---|---|---|---|---|
| Token types | Fungible and non-fungible | Non-fungible (inscriptions) | Fungible | Fungible |
| Data storage | Off-chain (client-side) | On-chain (witness data) | On-chain (OP_RETURN) | On-chain (inscriptions) |
| Privacy | Private by default | Fully public | Fully public | Fully public |
| Smart contracts | Turing-complete (AluVM) | No | No | No |
| Chain bloat | None | High (large inscriptions) | Minimal (80-byte OP_RETURN) | Moderate |
| Lightning support | Yes (via Bifrost) | No | No | No |
| Scalability | High (off-chain + Lightning) | Limited by block space | Limited by block space | Limited by block space |
| Complexity | High | Low | Low | Low |
| Maturity | v0.12 (July 2025) | Established (since January 2023) | Established (since April 2024) | Established (since March 2023) |
The fundamental distinction is where data lives. Ordinals, Runes, and BRC-20 store token data directly on the Bitcoin blockchain, consuming block space and making all transfers publicly visible. RGB stores everything off-chain, using Bitcoin only for cryptographic anchoring. This gives RGB superior privacy and scalability but at the cost of significantly higher complexity for wallet developers and users.
Ordinals and Runes found rapid adoption for collectibles and meme tokens because they are simple to use and require no special infrastructure beyond a Bitcoin wallet. RGB targets more demanding use cases: stablecoins, securities, tokenized real-world assets, and programmable finance, where privacy, scalability, and contract logic are requirements rather than nice-to-haves.
RGB and Tether: USDT on Bitcoin
On August 28, 2025, Tether announced plans to launch USD₮ natively on Bitcoin via the RGB protocol. This would bring the world's largest stablecoin (over $170 billion in circulation) back to Bitcoin, where the first USDT was originally issued on the Omni Layer in 2014 before migrating primarily to Ethereum and Tron.
Tether CEO Paolo Ardoino framed the move as completing a circle: "Bitcoin deserves a stablecoin that feels truly native, lightweight, private, and scalable." The integration would allow users to hold and transfer USDT alongside BTC in the same wallet, with private off-chain validation and Lightning Network compatibility for fast, low-cost transfers.
If this integration reaches production scale, it would be one of the most significant real-world deployments of client-side validation technology. For a deeper look at stablecoins already live on Bitcoin, see our coverage of USDB and dollar-denominated Bitcoin payments.
Tradeoffs and Limitations
RGB's design offers clear advantages in privacy and scalability, but it introduces tradeoffs that are worth understanding honestly.
Complexity
Client-side validation shifts the validation burden from the network to individual users. Every recipient must verify the full history of an asset, which grows with each transfer. Wallet software must handle consignment exchange, history validation, and UTXO management. This makes RGB wallets significantly harder to build than wallets for on-chain token standards. The ecosystem of production-ready RGB wallets and tooling remains smaller than that of Ordinals or Runes.
History growth
As an RGB asset is transferred many times, the consignment (proof history) that must be shared with each new recipient grows linearly. For a token that has changed hands hundreds of times, the consignment could become large. The v0.12 introduction of zk-STARKs is designed to address this by allowing compressed proofs that verify history without transmitting every intermediate step, but this capability is still maturing.
Ecosystem maturity
Despite years of development, RGB's tooling, documentation, and developer ecosystem are still catching up to the protocol's ambitions. The RGB documentation has improved, and the formal Yellow Paper (published July 2025) provides rigorous specifications. But the number of production applications remains limited compared to more established token standards. The formation of the RGB Consortium aims to address this by coordinating maintenance and stability across companies building on RGB.
Interoperability
RGB contracts operate as independent shards: each contract has its own state history, and different contracts do not intersect directly. While this is excellent for scalability (each contract scales independently), it makes cross-contract interactions harder than on a shared global state system. Bifrost and coordinated state changes address some of this, but the composability that Ethereum DeFi developers take for granted does not exist in RGB in the same form.
RGB and Spark: Different Approaches to Extending Bitcoin
Both RGB and Spark extend Bitcoin's capabilities beyond simple value transfer, but they target different problems with fundamentally different architectures.
RGB is a general-purpose smart contract system. Its goal is to bring programmable finance, token issuance, and complex contract logic to Bitcoin while keeping everything private and off-chain. This generality comes with complexity: building on RGB requires deep understanding of client-side validation, AluVM, schemas, and consignment management.
Spark focuses on a narrower but critical use case: instant, self-custodial payments and stablecoin transfers. Rather than client-side validation, Spark uses a statechain model with FROST threshold signatures and a leaf architecture that enables partial transfers without channels. The tradeoff is a 1-of-n trust assumption during transfers, but the developer experience and user experience are significantly simpler.
The two approaches are complementary. RGB provides the programmability layer for complex financial instruments, while Spark provides the payment infrastructure for moving value quickly. Both preserve Bitcoin's security, both avoid chain bloat, and both support self-custody.
Building on Bitcoin's Token Future
RGB represents the most ambitious vision for programmable assets on Bitcoin: a fully client-side validated, Turing-complete smart contract system with native Lightning integration and privacy by default. The protocol's complexity is both its strength (enabling capabilities no other Bitcoin token standard offers) and its challenge (requiring significant engineering effort to build on).
For developers interested in building on Bitcoin's expanding token ecosystem, the Spark developer documentation provides a more accessible entry point for payment and stablecoin use cases. For a broader view of the Bitcoin Layer 2 landscape and how these approaches relate, see our Bitcoin second-layer scaling landscape overview and the stablecoins on Bitcoin guide.
This article is for educational purposes only. It does not constitute financial or investment advice. Bitcoin and Layer 2 protocols involve technical and financial risk. Always do your own research and understand the tradeoffs before using any protocol.