Joined September 2020
“Non-custodial” is not a security model on Lightning. Because signing must be online, the real question is: If your node is compromised, what can the attacker do?
Losing the sats is bad enough. But then you have to tell your users. You have to pause development to investigate. Potential partners read the headline. The fundraise gets harder. A single breach costs more than the funds lost.
With much, much difficulty. ZmnSCPxj joined VLS in March to look into this. Short version: first step is to remove `shachain` and then it requires an upgrade to the LN protocol to make multisig revocation work. Rest assured, real Lightning multisig is on our roadmap.
Jun 11
How do you make a threshold sig wallet with VLS?
Also, threshold FROST-in-MuSig2 is not "proven" yet, the way MuSig2-in-MuSig2 is proven, so general threshold will also have to wait until that is proven too.
When a business integrates Lightning, they are betting their reputation on the infrastructure. If a breach happens, it is their name in the headline. Hot wallet security is a lot of risk for that bet.
If you are building a fintech product and want to add Lightning payments without taking on custody regulation, you need a way for users to hold their own keys while you run the infrastructure. That is exactly the architecture VLS enables.
You do not need to be paranoid to invest in better Lightning security. Just ask yourself: at what channel balance would I start losing sleep with my current setup? That is when it starts mattering.
When one Lightning operator gets hacked, it is not just their problem. It's a headline that makes every other business more cautious about adopting Lightning. Safer infrastructure benefits the whole ecosystem, not just the operator running it.
Lightning's best marketing is a merchant who accepts it confidently. That confidence comes from channel balances they are comfortable holding. And those balances depend on the security of the underlying setup.
Validating Lightning Signer retweeted
UX is the most talked-about Lightning adoption bottleneck. But there is another one that gets less attention: operators with real money do not yet trust the security model enough to commit real balances. Both need solving.
For Lightning to become a real payment network, merchants need to onboard with meaningful channel balances. But no merchant is going to commit real operating capital to a hot wallet they cannot defend. Better security is what gets them to say yes.
Leaked credentials, misconfigured firewalls, unpatched CVEs, rogue insiders. These are not exotic attacks. They happen constantly across the software industry, even more so recently. If any of them give access to the node process, and the node holds keys, the funds are gone.
One reason VLS is open source: every bug found and fixed benefits every team using it. That is a better model than every company maintaining its own proprietary signing stack in isolation.
Bigger channel balances unlock bigger commerce. But what business is going to park 6 - 7 figures on a hot wallet? That is the ceiling you hit without better security. VLS moves that ceiling.
A pattern VLS enables: A provider hosts the Lightning node for uptime and reliability, but the user's signer enforces policy independently. The provider never gets signing authority. @BlksGreenlight is one example of this working in production.
In countries where property rights are fragile, the ability to hold and spend Bitcoin without a custodian is not a preference. It is a necessity. VLS helps make that possible on Lightning, not just on L1.
Every time a Lightning service loses funds publicly, it is not just their problem. Every business evaluating Lightning takes note. One incident can set the whole ecosystem's credibility back.
VLS has been open source since commit one. The code is on GitLab, the security policy is public, and anyone can audit the signer logic. For security infrastructure, that transparency matters.
VLS starts from a simple assumption: the node might be compromised. Every signing request is checked independently against channel state and policy. That assumption is what makes the architecture hold up when things go wrong.