pull down to refresh
21 sats \ 9 replies \ @stackingharder OP 25 Aug \ on: Day 1: Lightswap – Building in Public, No Curtain builders
What’s one thing you’d like me to share over the next 21 days? Design sketches? Security model? Behind-the-scenes of building?
I'm curious about the trust model: it seems that Lightswap is mobile only. So, I'm at least trusting that my device isn't compromised (although I could imagine some ways you mitigate against that). But what else?
If I can independently verify deposit and withdrawal addresses on hardware signers and on exchanges, that helps.
If the keys always remain on the signing device (which means I have to sign every transaction on with my signer), I'm not at risk that lightswap gets my keys.
I'm sure you've thought through this stuff endlessly, but I'm curious to know where you think I end up trusting LIghtswap -- what are the failure cases?
reply
Great question and one we’re constantly thinking about.
Where you trust Lightswap:
The app itself (and future updates) aren’t malicious.
The UI shows you the correct addresses and amounts — and you verify them in Lightswap’s confirmation screen and on your hardware signer’s trusted display before approving.
Our backend that parses your text intent isn’t exfiltrating sensitive info - although we don’t have any private information- we don’t ask for or know your name, personal details, or keys — just the natural-language request.
Failure cases we think about:
- Compromised device or malware
- Malicious/supply-chain app update
- UX mistakes (e.g. skipping checks in-app or on your signer and approving blindly)
These are the same classes of risks you already have with, say, a Kraken or Cash App client or a hardware wallet. We mitigate with Secure Enclave storage (or equivalent), clear verification prompts, seeing or storing as little information as possible, open-sourcing our code and aft some point we’ll explore reproducible builds so anyone can verify what the binary does.
As you said, you can always verify deposit/withdrawal addresses independently on your hardware signer or exchange, and that’s encouraged. Our aim is to keep the trust surface as narrow as possible.
No system is perfectly trustless but we want users to understand exactly where trust is required and to minimize it wherever possible. Questions like this help us get there.
reply
Thanks for the reply! Do you anticipate Lightswap being able to interact with multisigs? (working with more than one hardware signer at a time?)
Also, will users need to create new wallets in Lightswap or will Lightswap be able to import an existing Bitcoin wallet (like from a .dat file or a descriptor)?
reply
We love multisig but for v1 we’re laser focused on single sig.
Yes you’ll be able to import wallets using descriptors. We don’t have .dat files on the roadmap but we’ll add it to our future features voting board so people can tell us what they want to see.
reply