COLDCARD Bitcoin Spending Policy Released
New COLDCARD Feature Release: Spending Policies!
Spending Policy for Single Signers
You can now take your existing single-signer COLDCARD and reconfigure it so that the COLDCARD will refuse to sign transactions that are “too big” or “too fast”, or that send to an address not on your whitelist.
We have even found a way to support 2FA (two-factor authentication) using the usual authenticator phone apps (TOTP, RFC 6238). If that’s enabled, you will not be able to spend using your COLDCARD unless you also have your phone and provide the correct 6-digit numeric code.
You can combine any and all of these restrictions. They cannot be overridden with just the Main PIN: to clear or disable this feature (once activated) requires a unique PIN code, called the Bypass PIN, followed by the normal Main PIN (and optionally, you can be asked to provide the first and last seed words). We have carefully blocked all access to the seed phrase, private keys, and other routes that might allow your master seed phrase to be revealed, which would otherwise allow a bypass of the policy.
See docs/spending-policy.md for more details about this new feature. Our docs website will be updated shortly to include this material as well.
Related Changes
- “Enable HSM” and “User Management” menu items have moved into a new menu: Advanced > Spending Policy.
- The old “CCC” feature has been renamed “Co-Sign Multisig” and moved into that menu as well.
- Multisig Co-Signing (CCC) implements the same types of restrictions, but requires 2-of-3 (or higher) multisig wallet support and, of course, new UTXOs.
- There are two new trick-PIN types: the Bypass PIN itself, and also a fake version of that which silently clears your seed.
- “Hobbled Mode” is our internal name for COLDCARD’s operation when spending policy is in effect: backups, settings changes, firmware updates and many other features are removed from the menu system.
Shared Improvements - Both Mk4 and Q
- Added Bull Bitcoin export to Export Wallet menu.
- Added warning for zero-value outputs if not OP_RETURN.
- Show QR codes of output addresses in transaction output explorer. Explorer is now offered for transactions of all sizes, not just complex ones.
- Added file rename, when listing contents of SD card.
- Added ability to restore Coldcard backup via USB (needs the latest version of ckcc).
- Address ownership check allows specifying the particular multisig wallet to search, if a wallet query parameter is provided via a trivial extension to BIP-21. Example: tb1q4d67p7stxml3kdudrgkg5mgaxsrgzcqzjrrj4gg62nxtvnsnvqjsxjkej0?wallet=Haystack
Bugfixes
- If all change outputs have nValue=0, they were not shown in UX.
- Disallow negative input/output amounts in PSBT.
- Fix filesystem initialization after Wipe LFS or Destroy Seed.
- NFC loop exporting secrets would not work after first value exported.
- Multisig address format handling.
- Ownership check failed to find addresses near the maximum (~760) and needed to be re-run to succeed.
5.4.4 - 2025-09-26 – Mk4 Specific Changes
- Bugfix: Part of extended keys (xpubs) were not always visible.
- Change: Mk4 default menu wrap-around lowered from 16 to 10 items.
1.3.4Q - 2025-09-26 – Q Specific Changes
- Enhancement: Enters “forever calculator” mode when Q would otherwise be electronic waste (i.e. after 13 PIN failures). Always enabled, regardless of “login calculator” setting.
- Bugfix: Correct line positioning when 24 seed words displayed.
Video Tutorials
We have a growing library of video tutorials on Youtube … and we’re still adding more!