Author: Devrandom 2022-05-09 19:04:26
Published on: 2022-05-09T19:04:26+00:00
This post discusses the risks associated with blind signers in the context of Lightning network. Blind signers do not provide users with control over their funds and are vulnerable to several exploits, making them an insecure option for deployment. To address this issue, the Validating Lightning Signer project has been introduced. It is an open-source Rust library and reference implementation that aims to secure the Lightning ecosystem by performing policy checks to ensure that keys are not misused. The project is approaching beta, which will ensure that funds remain safe even if the node is completely compromised. Blind signing wallets that rely on a separate node run by a Lightning Service Provider (LSP) are not self-custodial since the LSP can unilaterally control the funds. Blind signers have two points of attack: at the node and at the signer, making it easier for attackers to steal funds. In contrast, validated signers only have one point of attack and improve security by reducing the attack surface. They perform several validation rules such as not signing a revoked commitment transaction or closing a channel to an unapproved destination.The post also lists examples of blind signing exploits, including a compromised node asking the blind signer to sign a revoked transaction or submitting a mutual closing transaction that sends funds to the attacker's address. The VLS project targets both servers and consumer devices and offers many configurations of a Lightning node, including monolithic nodes, nodes with a separate blind signer, and nodes with a separate validating signer. Overall, blind signers reduce the security of Lightning nodes, while validating signers improve it.
Updated on: 2023-06-03T08:38:52.656355+00:00