Skip to content

Instantly share code, notes, and snippets.

@coreyphillips

coreyphillips/unilateral-sweep-channels.md

Last active September 17, 2023 20:21
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save coreyphillips/2190c0f53c327b68d3e6fd92f7791860 to your computer and use it in GitHub Desktop.
Save coreyphillips/2190c0f53c327b68d3e6fd92f7791860 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
unilateral-sweep-channels.md

Been giving some thought to Arc's hybrid custody model. This model operates on the premise that you maintain custody of your funds unless you go offline for x weeks or longer, at which point your funds can be reclaimed or swept by the other party involved.

While it's unlikely that most nodes would consent to establishing channels that propose unilateral, fund-sweeping arrangements, such channels could be beneficial for close-knit relationships like family and friends. This is particularly true in situations where one party is more likely to lose their device or private keys than the other. In these cases, the more tech-savvy, reliable or attuned party can sweep and reclaim the funds that their family member or friend would have otherwise lost. With such an arrangement, even grandma could use the lightning network without worrying about losing access to her funds if she misplaces the device or forgets her seed.

To implement this kind of arrangement in the Lightning Network, we would need to define a new type of channel in the open_channel channel_flags message, or apply some similar modification. Let's tentatively label this new channel type as a Unilateral Sweep Channel (USC). Config-wise, nodes would need to specify whether they accept USC channels, which would allow incoming channel requests of this type to be accepted or denied accordingly. Additionally, two configuration options would need to be created: one for the minimum number of blocks before a unilateral sweep and another for the maximum number of blocks before a unilateral sweep a node is willing to agree to for a USC channel. Any incoming open_channel message containing a value below the minimum or above the maximum would be denied.

If this type of channel is accepted between two nodes, they would need to establish separate logic for constructing the commitment transaction for the USC channel. In these channels, the unilateral sweeping ability is granted to the channel initiator and is achieved by modifying the witness script of the channel initiator as follows:

OP_IF
    # Penalty transaction
    <revocationpubkey>
OP_ELSE
    OP_IF
        `to_self_delay`
        OP_CHECKSEQUENCEVERIFY
        OP_DROP
        <local_delayedpubkey>
    OP_ELSE
        <block_height>
        OP_CHECKLOCKTIMEVERIFY
        OP_DROP
        `to_self_delay`
        OP_CHECKSEQUENCEVERIFY
        OP_DROP
        <sweepingpubkey>
    OP_ENDIF
OP_ENDIF
OP_CHECKSIG

In this script, we're introducing two additional values: block_height and sweepingpubkey. The sweepingpubkey operates in a manner similar to the revocationpubkey, with the key distinction being that the sweepingpubkey is always known, enabling the channel initiator to sweep the funds once the required conditions are met (block_height & to_self_delay).

The block_height is incorporated to set the point at which this transaction can be broadcast. For instance, if Alice opens a USC channel with her Father Bob, and they both agree that Alice can sweep the funds after four weeks, they would set the block_height to current_block_height + 4032. With each new commitment transaction, the block_height value increments by the specified amount (in this case, 4032).

To address scenarios where Alice broadcasts an outdated state using old but now valid block height data, we must also set the to_self_delay. This would afford Bob the time necessary to issue a penalty transaction as usual. Bob's script would not reflect the modifications detailed above and would retain its typical form, allowing Alice to be the sole party able to sweep funds in the USC channel.

Lastly, nodes should aim to update these commitment transactions as frequently as possible to extend the block_height in the condition. If the condition is halfway to being met, the node should seek an updated commitment transaction from its peer. If the channel initiator goes offline and the block height limit is approaching, the recipient of the channel should proactively force-close the channel. This action prevents the block_height from reaching the threshold that would otherwise permit their peer to sweep the funds.

@BitcoinErrorLog
Copy link

I am getting hung up on whether these nodes are regulated and what kind of new UX is needed, etc...

@coreyphillips
Copy link
Author

coreyphillips commented Jun 5, 2023
edited

UX-wise, for larger companies like Bitfinex, the channel could be initiated from the user's account. If the user lost access to their channel, they would put in a request for Bitfinex to close and sweep the funds to their account. Providing the user with an additional safety net/chance of recovery.

Legally, I'm not sure how this arrangement would alter channel terms and regulations. There could be a chance for legal to claim that public nodes are legally obligated to sweep and return funds to the best of their ability and failure to do-so could potentially result in fines or legal action depending on the jurisdiction when that would not be the case with a normal lightning channel.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment