Good write-up. Many of the issues you mention are already well understood, and, as always, this comes down to trade-offs and probabilities.

From my perspective, the probability that Spark would rug users and prevent them from exiting is very low. By contrast, I saw an order-of-magnitude higher probability of a government raid on our office and the seizure of keys when we were operating a custodial service. That is why we stepped back from that model.

Piggy is not designed to be a tool for storing life savings. It is a piggy bank. There are many risks associated with it, and we understand that clearly. Many of those risks are disclosed in our Terms of Service. Even in the unlikely scenario that Spark became fraudulent and unilateral exit failed, which I believe is close to zero, we would likely be the biggest losers, given our multi-bitcoin investment in building this project. No individual user should be keeping anywhere near that level of funds in Piggy, not even a hundred times less. In that kind of worst-case scenario, the loss should be thought of more like someone stealing a ceramic piggy bank from your kitchen, not like losing a serious long-term savings account.

More broadly, Lightning is not meant for savings. It is meant for transacting. If I were building a tool for storing life savings, I would not rely on current Lightning technology, including fully self-custodial Lightning setups. That problem is already well solved by other tools, including hardware wallets, multisig setups, and similar approaches.

Hug

(By the way, we don’t use Breez, and users can still exit even if our servers are down, so the only dependency is Spark.)