I'm sorry to continue thrashing away at this topic, but it really does have me confused and trying to make these somewhat foolish arguments of mine helps me clarify things a little. If you find talking about ecash offense, don't bother reading any further.

Why custody isn't right for ecash

In my endeavor to assuage my own ignorance of ecash and how it works, I have somewhat incautiously been arguing that ecash tokens should be treated like altcoins that you purchase from the mint with bitcoin rather than IOUs for bitcoin that you deposited at the mint.
Most people in the Bitcoin world understand custody to mean that someone else holds the keys to your bitcoin and all you have is an account balance. This is how exchanges work and also how custodial wallets like Wallet of Satoshi work. Custodial means you can't do anything with your money without someone else's permission.
Even if we understand ecash mints as custodying a user's bitcoin, they are fundamentally different from this common conception of custody because users do not have accounts with the mint and users are able to trade their ecash tokens with anyone they wish without the mint's knowledge or permission.
While calling a user's relationship with a mint custodial helps to make it clear that they are no longer holding bitcoin and are exposed to the risk of getting rugged, it hides these beneficial aspects of ecash and leaves all of us arguing about the wrong things.

It's only custody if you say it is

It is clear from both Cashu and Fedimint's documentation that the maintainers of the protocol understand the relationship between the mint and its users to be custodial, much like a bank.
The mint is running the Lightning infrastructure and custodies the satoshis for the mint's ecash users. Users have to trust the mint to redeem their ecash once they want to swap out to Lightning. -Cashu FAQ
Users can submit a request to deposit bitcoin, "pegging in", in exchange for fm-BTC eCash notes or use the fm-BTC eCash notes in their wallet in order to redeem on-chain bitcoin (note: users could also transfer out to themselves via the LN Gateway). -Fedimint FAQ
What makes a mint custodial is not that you give them your sats. You can give your sats to someone as a gift or to buy something from them without turning them into a custodian. What makes a mint custodial is that the mint says it's taking custody of your sats and promising to give them back when you present your ecash tokens.
The model is similar to a free banking system where independent banks accept deposits and issue their depositors with banknotes which can be traded at will in the open market.
The analogy that mints are like banks is good and helps us think about what a mint is doing. But there are other models for what is going on here. We should remember that banks do more than hold your money; they also issue loans. So allow me to propose yet another way to understand a user's relationship with a mint: the Fed's Repo Window.

What is a repo?

Short for repurchase agreement, you may have encountered this term when reading about the Fed's Reverse Repo Window over the last few years. A reverse repo is where a bank loans cash to the Fed overnight and in return takes collateral from the Fed (usually a Treasury) and earns a bit of interest. What actually happens is that the bank buys a treasury from the Fed with an agreement to resell it to the Fed in the morning for a slightly higher price. The difference in prices is the interest earned by the bank for giving its cash to the Fed. In this case, the bank owns what is called a reverse repo. The Fed owns what is called a repo.
A repurchase agreement (repo) is a short-term agreement to sell securities and repurchase them later at a slightly higher price. -Investopedia
In addition to running a reverse repo window, the Fed also runs a repo window where they loan banks money in exchange for collateral. Banks use this facility to cover shortfalls in cash.

What the heck does a repo have to do with ecash?

What if instead of saying that you deposit your sats at a mint to get ecash tokens, we say that you give the mint your sats as collateral for a loan of ecash tokens. And the form this loan takes is that you sell your sats to the mint with an agreement to buy them back later for a slightly higher price.
EXAMPLE: Let's say you want 1000 ecash tokens, so you go to Nutstash and sell them 1000 sats for 1000 ecash tokens with the agreement that you are going to buy the sats back for 1001 ecash tokens. Obviously, you don't have 1001 ecash tokens, so you won't be able to buy back all your sats. And perhaps in the meantime, you trade some ecash tokens to me for a fabulous bitcoin-themed greeting card. I can take those repos (ecash tokens) you paid me to the mint and buy back the bitcoin they are worth (which is slightly less than a 1-1 rate) and as far as the financial world goes, this is a normal kind of transaction that happens every day.
The ecash tokens (repos) are worth slightly less than the sats I put into the mint, and this is good because it acknowledges that a mint might need to earn income and can include the price of lightning fees (in the case of Cashu) or onchain fees (if you don't use a LN gateway at a Fedimint). People are going to need to get used to the idea that you lose a few sats turning your ecash tokens back into sats.
Another advantage of this construction is that it makes it clear that you are giving up your bitcoin, but it also doesn't involve custody. You are selling your bitcoin to the mint in exchange for ecash tokens and the mint is agreeing to sell the sats back to you for ecash in the future.
In case the example didn't make it clear, what happens in my mint-as-repo-window example is this:
  • You sell an asset (your sats) to the mint with the agreement that you will buy it back at a future date.
  • The mint gives you ecash for your asset and when you buy it back you must do so with ecash from the mint.
In this case, you are actually getting a loan of ecash from the mint and giving them your bitcoin as collateral.
Now, why in the world would any sane person risk their sats in order to get a loan of crappy ecash tokens? The only answer I can see at the moment is that the ecash tokens are capable of something that your sats are not. One example of these capabilities is using an ecash mint to back your LN address do you don't have to run an always-on LN node.

Is this just a pipe dream?

The developers of these protocols certainly know much more than I do, but I suspect that the decision to describe the relationship between a mint and its users as custodial originated in a desire to make sure users understand that ecash tokens are not bitcoin. The most natural way to do this might have been to say that ecash tokens are altcoins, but this is a non-starter for most bitcoiners (nyet shitcoins!). So, perhaps, seeking the next best thing, they settled on calling it custody.
Clearly, being a custodian makes you vulnerable to overzealous regulators. At least in the US, and possibly in the EU, the main defense any Cashu mint has is to remain small. If they grow to any meaningful size, it's not hard to imagine regulators calling them a money transmitter and coming after the mint's operators. A Fedimint may survive somewhat longer by claiming decentralization, but it is untested how well defense this will work.
Repos are well-understood financial instruments. People know how to trade them and the laws around them are clear. The same may be said for custody and custodial relationships, but it seems to be the case that being a custodian carries rather heavier regulatory burdens than being a party to a repurchase agreement. Perhaps understanding a mint as a repo window could put the mint on sturdier legal ground. As a counterpoint to myself here, I should note that bitcoin-backed loan companies are almost as scarce as non-kyc custodians in the US; so it's possible that I've been on a wild goose chase.
I am not a lawyer nor an accountant. I doubt there is any realistic world where calling ecash tokens repo agreements actually helps the protocols avoid being stifled by regulatory uncertainty. But I do think it may be time for bitcoiners to seek new modes for understanding ecash protocols even if they seem distasteful.
About custody: I think they call them custodial because the mind has custody over your bitcoin.
So... The mint has custody over your bitcoin, you have custody over your ecash notes. I think this explanation is simple enough.
reply
I agree that the custody model is fairly straight forward, only it leaves mints in a very tenuous legal position and hides the fact that you do have some power that traditional custody doesn't afford to you.
reply
only it leaves mints in a very tenuous legal position
That's not a good reason to pretend they are something else. You don't get to make up new definitions just because you don't like the legal consequences of the correct definition.
and hides the fact that you do have some power that traditional custody doesn't afford to you
Then it's "enhanced" custody...but still custody. Imagine if every custodian who added some new feature declared that they weren't a custodian anymore because "traditional custodians don't have feature X!" It would be ridiculous. If you still have user funds, you're a custodian, and just because ecash mints have some cool features does not make them non-custodial.
While I'm here I'd like to comment on a few sentences from your opening post:
Most people in the Bitcoin world understand custody to mean that someone else holds the keys to your bitcoin and all you have is an account balance
I think it's just the first part, before the word "and." Being custodial has nothing to do with how they represent their relationship to you in their database. For example, the website acceptln.com is a custodial website that does not have accounts. Instead, you "deposit" sats without logging in and it automatically emails a "voucher" for that deposit to whoever you want it to go to. They email that person a link where they can claim the sats. Here, the depositor never has an account, but it's still obviously custodial -- acceptln has the money. What makes you a custodian is whether you have the keys, not whether you give your depositors an account or not.
[mints] are fundamentally different from this common conception of custody because users do not have accounts with the mint
That does not matter. The mint holds user deposits and redeems them when bearer tokens are submitted to them. I like the analogy of a money order. If I go to my local walmart I can purchase a money order from them which is essentially a check drawn on walmart's account. I need no account of any kind to do this. I can then mail this money order to anyone and if they go to their own local walmart, or walmart's bank, they can redeem it, because it's walmart's check. Ecash tokens are a lot like that. But it's clearly custodial. I give my money to w̶a̶l̶m̶a̶r̶t̶ the mint, they keep it but give me an IOU for the same amount (minus a fee), I can give that to anyone I want, and they can redeem it without an account. But since w̶a̶l̶m̶a̶r̶t̶ the mint has my deposit the whole time, w̶a̶l̶m̶a̶r̶t̶ the mint is the custodian.
users are able to trade their ecash tokens with anyone they wish without the mint's knowledge or permission.
Not if the mint doesn't want you to. The problem is the melt/swap operation. If you send someone your IOU and the recipient doesn't swap or melt it at the mint, the IOU is double spendable -- you can give it to someone else or redeem it yourself. The recipient hasn't really "received" anything of value if it's still fully spendable by whoever they got it from. Therefore, ecash recipients have to swap or melt their tokens in order to safely consider them "received." And that means the whole system is permissioned, because the mint is under no obligation to issue IOUs for anyone and they are under no obligation to redeem them for anyone. They can refuse, or do shotgun KYC, or suddenly raise their fees, or do whatever they want, at any step of the process. They can suddenly start doing this at the time of issuance or at the time of redemption or anywhere in between. They hold the money so it is in fact a permissioned system. Which is just another indicator that it really is a custodial relationship, regardless of whether users have accounts or not.
reply
I found another example of an accountless custodian besides acceptln.com. Check out https://tipcards.io/ -- they only use lightning and lnurl withdraw codes, with no accounts. Users visit the site and load up a set of 1 or more "tip cards" which are just business-card sized cutouts with an lnurl withdraw code on them. You "fund" your cards by paying a lightning invoice and then start handing them out. Recipients can scan the lnurl withdraw code to withdraw the money.
It's pretty analogous to ecash: you "mint" these "tokens" (business cards) by paying a lightning invoice, and then hand them around to people without anyone needing an account, and those people "redeem" them by scanning the qr code with a lightning wallet. But it's obviously custodial: tipcards.io has the money the whole time, and they can run off with it whenever they want. They don't get to say "we're not a custodian because traditional custodians have accounts and don't give you printouts!" They have the money, the printouts are just IOUs, and therefore tipcards.io is a custodian. The same applies to ecash mints.
reply
Thanks for the thoughtful response, Super. This is exactly the kind of thing that helps me think this through.
First,
You don't get to make up new definitions just because you don't like the legal consequences of the correct definition
We do get to define what is happening here. For instance, if I open a mint that sells ecash tokens but makes no attempt to peg them to sats, I'm not custodying anything. It seems to me that something happens when a mint says they will redeem tokens for btc. If they did not make this promise, it would not be custody. It would be the sale of a token.
While I agree that laws don't let us "identify" our way out of their enforcement, I do think we can be smart about what we do and how we describe it.
This question does exist: for a thing to peg its value to another, must it be custodial? Can there be a stablecoin of any sort that is not custodial? I think a mint can impart value to an ecash token without custodying some reserve on behalf of its users, I'm not yet sure if they can make it a stable value.
Second,
Therefore, ecash recipients have to swap or melt their tokens in order to safely consider them "received." And that means the whole system is permissioned
I agree, but an important point here that you do not acknowledge is that for the mint to successfully single out any ecash token to refuse or "freeze" they would have to refuse ALL tokens, effectively shutting down. I agree that they can do this, but it's not the same as a custodial relationship like acceptln or tip cards, where it seems to me that they can trivially specify a single account to "freeze."
Thoughts?
reply
We do get to define what is happening here. For instance, if I open a mint that sells ecash tokens but makes no attempt to peg them to sats, I'm not custodying anything.
That depends. Just because you're not custodying sats doesn't mean you're not custodying anything. A mint could pop up tomorrow that gives you an iou for USDT instead of for satoshis. It still has custody of your money in that case. If it gives you any type of monetary IOU then it is acting as a depository institution, regardless of the monetary instrument involved. It becomes a custodian the moment it decides "instead of selling a regular *product* to our customers, we'll let them deposit and withdraw some form of *money*." That's the line. If you cross that line, from merchant to depository institution, you've become a custodian -- a bank -- a money service business.
If they did not make this promise, it would not be custody. It would be the sale of a token.
Yes. If you say or do something that gives your customers a reasonable expectation of getting back the money they put in, or an equivalent amount of some other money, then you're a custodian. If not, you're not. Merchants do get an exception for 30 day returnable items, but if the government thinks a merchant is abusing this exception to get around MSB laws and act as a shadow bank, they come down hard on them.
This question does exist: for a thing to peg its value to another, must it be custodial?
No, I think there are rollups on ethereum that demonstrate the possibility of creating two different tokens on two different blockchains with a two way peg between them, without relying on a custodian. But on bitcoin, no one has achieved this yet, at least not to my knowledge.
I think a mint can impart value to an ecash token without custodying some reserve on behalf of its users, I'm not yet sure if they can make it a stable value.
If they can run off with user deposits then any value associated with their IOUs depends on their integrity and ability to evade US law enforcement officers. On an unrelated note, this is a good time to remind readers that I applaud folks who violate these unjust laws and I will continue doing my best to create tools that help you do so more effectively. But also, I value self custody enough to work on that even more.
you do not acknowledge...that for the mint to successfully single out any ecash token to refuse or "freeze" they would have to refuse ALL tokens, effectively shutting down.
I think they have more options than that. Some people say "with ecash mints it's all or nothing" but I think they neglect to acknowledge all of these possibilities:
  • mints can require users to interact with them via http requests
  • mints can then engage in selective traffic blocking
  • e.g. they can block ip addresses known to belong to tor, vpns, anything in the USA range, or any other country
  • they can even block specific businesses and residences with known ip addresses, specific cities, or individual provinces
  • mints can do shotgun KYC and suddenly refuse to issue or redeem any more tokens without each user individually identifying themselves with full official documentation
All of these examples let a mint continue operating and selectively restrict either a class of users or an individual user -- and most of these are exactly the same tools "regular" custodians use to e.g. deny service to people in the USA, or in North Korea, or in Russia, etc.
I acknowledge that someone like Tether can do this on a "token by token" basis and a mint cannot, but since a mint can do it on a "user by user" basis instead, that's a sufficiently powerful set of tools to implement any government compliance requirements as soon as any government comes down hard enough on these service providers. And no amount of claiming to be special will save them from that.
Rather than try to "define" a way out of it, I prefer to make the tech hard to stop, its users and operators hard to track, and -- especially -- make self-custodial alternatives so that users don't have to deal with the extra trust assumptions that come with using mints.
reply
This is a pretty well-reasoned response. I'm not sure I have any tenable stance to take in my argument short of saying that ecash mints should just sell their tokens and abandon entirely this business of redemption and 1-1 value with sats. Sell 'em as an altcoin and see how the market values them. Or, I can concede that they are indeed custodial bitcoin.
Rather than try to "define" a way out of it, I prefer to make the tech hard to stop, its users and operators hard to track, and -- especially -- make self-custodial alternatives so that users don't have to deal with the extra trust assumptions that come with using mints.
I have decided that I need to sign up for your classes.
reply
I have decided that I need to sign up for your classes
Wow, that's an unexpected result! Thank you. You can buy your ticket here: https://supertestnet.org/workshops.html
Well shoot - after reading through this I have even less optimism for any type of far-reaching mint or federation being developed any time soon....err...at least in the USA or EU...
I feel like there will be some smaller successes in those countries but they are likely going to be prone to being shut down if they get they see large user numbers (as you pointed out as well). Of course I would also expect some fairly large rug-pulls unless we do a very good job of monitoring them...which I guess is a hurtle to be figured out yet???
Anyway - I had really been hoping to start using a federation to run a property management company in and maybe that will yet happen in the future...for now I think it needs a little more time and I will stick with excel and lightning.....
reply
Actually, there is a really solid and feasible to implement proposal, coming from Cashu author, about monitoring the activity of mints with decent tradeoffs: https://gist.github.com/callebtc/ed5228d1d8cbaade0104db5d1cf63939
reply
102 sats \ 1 reply \ @k00b 7 Jun
I think you're really onto something with this framing, but I'm not sure it matters from a regulatory standpoint.
If starbucks points started being accepted as money generically, and they allowed them to be transferred, my understanding is that starbucks would be an msb/money transmitter.
reply
Yes, it seems likely that no amount of reframing things will squeak mints out is money services business territory. Still, I find it fascinating to think about why the developers of both protocols opted for describing it as custody. Also, I do feel like I've come to a much better understanding of ecash as stackers have helped me to work through it.
reply
ecash is good for liquidity in a small trust group or family
reply
this! very niche use case, trying to make it more than it is, is asking for a rugging
reply
34 sats \ 0 replies \ @mh31 7 Jun
Great post. Fascinated to see how it plays out.
reply
Great post, very clear and easy to understand. I see great potential in ecash but the question of not being able to verify the amounts issued leaves me with a flea behind my ear.
reply
As I wrote above, there is really solid proposal to fix this issue: https://gist.github.com/callebtc/ed5228d1d8cbaade0104db5d1cf63939
reply
It doesn't seem to be a definitive solution yet, but it's a way forward.
I would not use the word "proof" alone since it gives a false sense of security, because the exact value of the outstanding balance cannot be verified. What can be verified is that this amount is within a range.
reply
Definitely right! I hate ecash and other similar products and they are blooming with one objective that they wanna steal our Bitcoin/Sats anyhow... I urge everyone not to fall in their trap!! Great Article and you're 100% right about REPO.
reply
"Adoption" doesn't always choose the best technology. BetaMax vs VHS anyone?
Businesses in a market place organize around value and trust. It's why supply chains are reliable and valuable.
Private money (ecash) will be organized and layered atop BTC.
Those who choose to use ecash will value the "utility" and "ease of use" at the fee they are willing to pay (Voluntary exchange). Is this not Value for Value? To maximize "utility" businesses may organize - Wallmart eCash at Starbucks, and starbuck ecash at Wallmart. Network effects of private money.
Trust has risk but Trust also has value. Being Trusted as a brand is not free and takes time.
Any Bank/mint that "behaves badly" will get wrecked so fast in an open digital marketplace. Silicon Valley Bank was gutted in 48 hours because of its withdrawal API. If a mint blocks a withdrawal, the brand damage will be irreparable. Users don't forgive or forget when they lose money.
Trust accrues to those who behave well.
reply
While i don't think they have objective to steal, some mints that will appear in the future may have such objective.
Ecash is booming due to a very simple reason that hardcore bitcoiners aggressively deny. It's not "simple" to open a self custodial channel. Imagine you are presenting your friend to bitcoin. You tell him download mutiny, when prompted tell them to select freedom one as a federation, then tell them to use the receive button and immediately send them 100 sats. Then create an invoice and get them to send you 10 sats. Bam, the new user has experienced sending and receiving bitcoin in 1-2 minutes. Good luck doing the same with a pure lightning wallet.
reply
If you simply tell a noob to select freedom one as a federation, they will think the bitcoin user experience is the freedom one user experience, and it's not. Freedom one is not bitcoin. When you send sats to them, your intended recipient never receives them, freedom one does. So your intended recipient will think "wow, bitcoin works great!" But they haven't actually used bitcoin. They've used a permissioned database, and didn't give informed consent to let that federation hold their funds.
I greatly prefer telling people the truth: bitcoin is sometimes expensive on a per tx basis; lightning is sometimes expensive to set up; and you have to actively manage it or you will lose money. Federations, on the other hand, are cheap and easy, and some of them give you compatibility with bitcoin and lightning, but with this massive tradeoff: you have to trust them not to censor you or shut down and keep your money, and they probably will sooner or later. They are not magical. They are custodial.
reply
I explained why ecash solutions are "blooming". You are not really contradicting me.
reply
And you, my friend, are not really contradicting me. Truly we are all members of a great circle of life. Kumbaya, BallLightning, kumbaya.
reply
This is very much true. Great point!
reply
I'm sorry to hear you don't think ecash is useful, but I'm happy you agree with my point. I don't think they are a trap at all.
reply
30 sats \ 8 replies \ @freetx 7 Jun
While eCash may be useful, it is pretty much guaranteed that they will be abused by debasement in the long-term.
The mint issuing an extra 1% back to itself during every transaction would be nearly impossible to detect, yet it would be very profitable for the mint operator. Thus we must conclude that this will not just happen, but also become the norm.
No one has produced a funding model for mints (other than debasement), so why would anyone run them? The notion of kind old Uncle Jim being a bank for his family is naive. Running a mint will be a full time job and will require lots of effort and lots of responsibility. With nothing to stop him, Uncle Jim will soon start issuing an extra few percentage points to himself....
reply
Well, in my experience with mutiny when you deposit in the mint, you use a bitcoin address, where you can see exactly the amount sent and you can see in the interface that the received esats are exactly the same amount. How would 1% be undetectable? And if the mint wants to debase, why does it need to create 1% in each transaction. It can create as many as it wants without anyone knowing really.
reply
Couldn't it debase by issuing tokens to itself for free? You would not be able to tell if the mint did this. They could spend them into the mint ecosystem and no one would be the wiser till enough people tried to trade back their ecash to the mint for sats that the mint couldn't cover it.
reply
Yes it could. It could also just spend the bitcoins in its possession (people won't see it any different than a normal withdrawal). Mints obviously require you to trust them. They have custody over your bitcoin.
On a side note since deposits and withdrawals are completely anonymous, they cannot selectively stop specific participants from doing these things.
reply
they cannot selectively stop participants from [depositing and withdrawing]
They can. I outline how in this post: #565618
reply
If mints remain somewhat small, what would be the disadvantage of debasement? At the end of the day, ecash mints are a trusted model. If there were many many mints, competition might constrain their desire to debase.
reply
24 sats \ 2 replies \ @freetx 7 Jun
Yes, being small would greatly lessen the impact of debasement.
However, successful projects tend to coalesce into a 2 or 3 main providers. I mean just think about opensource in general: How many SMTP projects are there? At best there may be 3 or 4 major projects, but not dozens/hundreds.
To that end, how will you evaluate the 100 mint providers? When you see a long list of unknown random names...forget about debasement, which ones do you even trust not to rug you completely?
reply
Thanks for describing my point. I totally agree with you.
reply
I have a feeling a ratings system could work pretty well. I think this is why we actually want mint operators to charge a fee: if they are earning money for running the mint it is in their interest to keep it going. The faintest whiff of a person not being able to trade their ecash back for sats and everyone will be running for the doors.
In this sense, fees are the antidote to debasement.
reply
As I said if Ecash is run by a corporate thing, I despise it. But it can be used at for small groups. No objection to it...
reply
In that case you may want to say that mints are indeed unlicensed money transmitters so they all have a strong incentive to remain small and avoid the notice of the Man.
reply
I just want that Ecash shouldn't be a thing for stealing Bitcoin.
reply
Great post - I can see regulators coming after Ecash pretty heavily if its adoption grows as it did with Lightning. I know someone who actually got rugged from a mint (I don't know if he set it up wrong, or if he didn't do things right), but it was only a couple thousand sats.
reply
Maybe blockstream do something about custodial? Liquid is a shitcoin, but maybe they can help with ecash custody problem...
reply