The Lightning Custody Spectrum - Your Keys, Not Your Coins? \ stacker news ~lightning

pull down to refresh

The Lightning Custody Spectrum - Your Keys, Not Your Coins?vls.tech/posts/lightning-custody-models/

1179 sats \ 10 comments \ @jackronaldi 11 Nov lightning

Your keys are not your coins if your signer does not validate.

Blind signing is shared custody with two failure points.

Read about the four Lightning custody models and how VLS enables secure, non-custodial Lightning.

view all related items

50 sats \ 5 replies \ @siggy47 11 Nov

A really good explanation of risks you take using a LSP. I'm not using one now, but I did in the past.

36 sats \ 4 replies \ @justin_shocknet 12 Nov

Article has a pretty dodgy use of the term LSP, colloquially this is just another peer on the network that will lease liquidity for a channel.

I don't recall any service that has been billed as an LSP that runs a a node for you, may be referring to cloud nodes like voltage... but they run the whole thing, no blind signer involved.

Edit:

Even VLS's own website doesn't have any good examples

Voltage is a hosted LND node, not a blind signer.
Synonym has a mobile LND in Bitkit afaik, Blocktank was one of the authors of the LSP-01 spec which is just a channel sales protocol
Lightspark and WoS are obviously scams since they've pivoted to Spark

Sounds like fictional boogeymen to shill Greenlight, which is itself retarded: #1280112

0 sats \ 3 replies \ @jackronaldi OP 2h

Thanks for the feedback Justin. That was my bad, I did not research these well enough. I've updated Voltage, Lightspark and WoS to correctly categorize them and will ship with the next round of updates in the next day or two.

For Synonym, AFAICT, while Bitkit is a mobile LND hot wallet, the Blocktank LSP seems to be a blind signer. From their website : "Instant Bitcoin transactions require a Lightning connection. Blocktank provides you with a self-custodial, stable, and seamless experience, while eliminating the complexity of managing a node."

Unless I'm missing something.

0 sats \ 2 replies \ @justin_shocknet 2h

Their LSP opens a channel to the node on the phone, the lack of management is the automation of that. The node being on the phone is because that it is the full signer, the LSP is just the default channel peer.

They may be doing that with zero-conf or an up-front purchase, which would still make that trusted until such time the channel is broadcasted and confirmed, but that's a separate matter from blind signing all future transactions.

From a marketing angle I think you guys would be better positioned to highlight that a Lightning node needs to operate in a demilitarized network zone to handle client connections from the open internet, and therefore VLS can separate the key storage from that intp a system on an otherwise dark network that maintains only a single connection to the node.

That's a pretty niche requirement for people though, more of an enterprise-scale thing. Even the demilitarized node can limit connections to only the 9735 port, and perhaps an IPtable whitelist for systems to which RPCs are called to/from.

17 sats \ 1 reply \ @jackronaldi OP 2h

Ah ok. I will update Blocktank as well then.

And yeah, it seems blind signing is not being used anywhere. So the focus should be on the improved security VLS can bring, to your point. Seems I have more work to do to change our positioning back to security.

Appreciate your feedback!

0 sats \ 0 replies \ @justin_shocknet 2h

Thanks for taking it well 🫡

I know Ken has put in real work so I'd be happy to see that find a market fit. Might be useful to us at future scale.

0 sats \ 2 replies \ @justin_shocknet 11 Nov

Definitely lots of trustodial dog shit out their larping as self-custody, and I like the idea of a signer being a more secure device than a node on the open internet, but given there's inherently an interactivity requirement on behalf of the signer I'm still not clear what VLS's complexity actually achieves.

Greenlight has always seemed like another dumb thing downstream of the mobile node fantasy and trying to loophole the regulator, from the geniuses that call Liquid an L2.

0 sats \ 1 reply \ @jackronaldi OP 2h

As I understand it, the node handles most of the complex, high-risk stuff: gossip, routing, channel management, networking. The signer just validates and signs. By moving that logic onto a separate, hardened device, you can cut down the attack surface compared to everything running inside one node process.

You can also split signing roles: one signer that’s always on for receiving, and another that only turns on when you want to send or close channels. That isn’t possible with a monolithic node.

0 sats \ 0 replies \ @justin_shocknet 2h

Indeed, and I like that angle, but that's a systems/network security thing not a trust thing.

The problem with greenlight specifically is that its geared towards mobile nodes to make them lighter, while Lightning still has an interactivity requirement by nature for state updates, and phones are probably less secure for holding secrets than a hardened server.

0 sats \ 0 replies \ @SevenOfNine 11 Nov

There's no spectrum here. It's quite binary.