Winternitz state management
Winternitz approvals are hash-based, but they are also stateful. Operators must treat one-time signing state as part of the custody procedure.
Quorum is devnet software and should not be used to protect production funds before audit and mainnet readiness.
One-time positions
Each Winternitz approval consumes a position. A wallet must track which position is next and must never sign two different proposal messages from the same one-time position.
Burn-on-broadcast behavior
Once a Winternitz approval is broadcast, the signing position should be treated as burned. Even if a transaction later fails, operators should avoid reusing that position unless the implementation explicitly proves it is safe.
Wallet preflight
Wallets should preflight the next state, the proposal message, and the expected state transition before producing a Winternitz approval. This keeps state mistakes out of the proposal flow.
Operational guidance
- Keep Winternitz signing in a wallet that understands one-time state.
- Back up the root secret and state metadata together.
- Prefer Falcon when the team needs simpler repeated approval operations.
Reusing one-time signing state can invalidate the security assumption behind a Winternitz approval.
See the operator-facing state checklist.