3472 sats \ 2 replies \ @TonyGiorgio 5 Oct 2023 \ on: We're Max Fang and Philip Hayes, co-founders of Lexe (lexe.app). AMA bitcoin
Appreciate all the hard work and thoughtfulness with the security considerations file. I'm just still unsure that it's wise to be doing this. The attack vector for crypto SGX honeypots are high. At the end of the day, you have to extract the seed in order to present it to the user, and do occasional SGX server migrations which will require this seed again to provision.
Is this all so that you can offer offline receives for consumers? Because this is being worked on as far as the concept of Lightning goes.
Or do you see this as something you get enterprise customers with that already feel confident in the SGX model, whether that is wise or not?
In terms of there being a "honeypot" due to keys being centralized in one place, SGX makes things more secure, not less. If someone wants to hack a centralized custodian like Coinbase or Binance all the attacker has to do is get into their infrastructure to get access to their funds. If someone wants to hack us, they have to first get into our infra, and then also break SGX.
We believe that despite expected protocol advancements in handling async payments / offline receives (e.g. PTLCs), the problem is fundamental - someone has to come online in order to settle the payment. Our approach is simple - just keep the user online.
reply
There are definitely security tradeoffs here -- I'm somewhat more confident
-
The user nodes are never exposed to the public internet, which removes a huge class of attack vectors. All inbound connections are either from our LSP (inside the same VPC) or our gateway proxy, which authenticates the user connections. Standard hot wallets are notoriously problematic here.
-
All communication user app <-> node enclave are e2e encrypted+authenticated. Provisioned seeds/keys are never exposed to Lexe.
-
User nodes won't provision secrets unless it's to Lexe-signed enclaves running on our infra (among other things)
As far as features this enables:
- I think there are some cool additional payment products we can enable, like subscriptions, automatic weekly remittance payments, etc... That'll always work even if you're on vacation or you lose your phone :)
reply