Most people evaluate Bitcoin bridges with a simple shortcut: is it a federation, or is it a validator model?
In that mental model, a federation bridge is a multisig controlled by a set of known parties. A validator model is a separate group that watches one chain and attests to actions on another. Both categories focus on the same thing: who is authorized to move funds.
That framing is useful, but it is incomplete for Rootstock’s PowPeg bridge.
The PowPeg is much more than a federation because its enforcement is anchored into Bitcoin’s Proof of Work through merged mining. The practical question is not only who can sign, but what confirmations must still occur for BTC to move back to Bitcoin L1. To understand why PowPeg is positioned as the most secure way to bring BTC into DeFi, you have to understand merged mining in action.
The basics of merged mining
Merged mining is simple: miners can mine Bitcoin and Rootstock simultaneously with no extra cost.
Instead of forcing miners to choose between chains, the same mining effort can secure both networks at once. That matters because it ties Rootstock’s block production, and the bridge enforcement that depends on Rootstock confirmations, directly to Bitcoin’s hashrate.
Key implications:
- Rootstock’s block production is tied to Bitcoin’s hashrate
- Rootstock miners are also Bitcoin miners, aligning incentives
- Outcome: Rootstock inherits the same security guarantees as Bitcoin
This is the foundation that changes how you should think about PowPeg. If a bridge depends on confirmations backed by merged mining, then Bitcoin’s Proof of Work becomes part of the bridge’s security story. It is not only about key custody.
How PowPeg works with merged mining
PowPeg has a custody layer that looks familiar. BTC is locked in a 5-of-9 multisig controlled by independent, global entities. This layer exists because the bridge needs a mechanism to custody BTC on Bitcoin L1 while representing it inside Rootstock.
What the custody layer looks like:
- BTC is locked in a 5-of-9 multisig
- The keys are controlled by independent signers
- Signing keys are secured with hardware security modules (HSMs), adding an additional layer of protection at the custody level.
If you stop there, PowPeg can look like a standard federated multisig bridge. But PowPeg’s design is not only about signing. It is about how peg-outs are enforced.
Peg-outs, releasing BTC back to Bitcoin L1, are not only signed by the multisig. They require confirmation through Rootstock blocks that are merged-mined with Bitcoin. That means miners, not just the signers, act as gatekeepers by verifying and timestamping withdrawals through block confirmation.
What makes PowPeg different:
- Peg-outs are not only signed, they require merged-mined Rootstock confirmation
- Miners verify and timestamp withdrawals through block confirmation
- Even if the signers colluded, peg-outs still need to be mined and confirmed under Bitcoin security assumptions
Federation alone vs federation plus merged mining
A pure federation model, like Liquid, is controlled by a set of functionaries with no miner involvement. In federation-only designs, risk concentrates in the signer set.
What that means in practice:
- Collusion between signers can lead to unauthorized movement of funds
- Key compromise can lead to funds being drained
PowPeg strengthens the model by adding another security layer. On top of signers, miners validate and secure the transaction flow through merged-mined confirmation.
What PowPeg adds:
- Signers are not the only gatekeepers in the peg-out path
- Breaking PowPeg requires compromising the signer set and overpowering Bitcoin’s merged mining consensus
- That is materially much harder than attacking a pure multisig bridge
This is defense-in-depth. It is not a new trust assumption, it is an additional enforcement layer that reduces single-point-of-failure risk.
Real-world proof: PowPeg’s security track record
Bridge security is ultimately judged by outcomes. Over the last several years, bridges have been one of the most attacked surfaces in crypto, with many of the largest losses tied to validator or key compromise.
That is why PowPeg’s track record matters in this discussion.
What PowPeg has shown:
- PowPeg has run since early 2018 with no exploits
- It has secured BTC worth hundreds of millions
- It has survived multiple market cycles, miner fluctuations, and bridge attacks elsewhere
And the contrast category matters. Wormhole, Ronin, and Multichain are examples of bridges that lost billions due to validator or key compromise. These incidents highlight the failure modes PowPeg is designed to resist by not relying on a single enforcement layer.
Bottom Line: A Bridge Secured by Miners, Not Just Signers
PowPeg combines an independent, globally distributed set of signers at the custody layer, and merged mining anchored enforcement at the confirmation layer. Peg-outs are not simply a question of signatures. They still need to be mined and confirmed through Rootstock blocks that are merged-mined with Bitcoin, which means Bitcoin’s Proof of Work assumptions become part of withdrawal enforcement.
To go deeper and explore all five layers of PowPeg security, check out the PowPeg bridge webpage and the merged mining webpage.
