This is partially correct, but it's not the whole picture. Lava's old custody model used DLCs as one component of a complex cross-chain (Solana) multi-transaction smart contract where, in theory, the user would always have a unilateral exit back to Bitcoin when the loan expires. In theory, the user should always be able to get their Bitcoin back in full by repaying the stablecoins on Solana. Vice versa: Lava should always be able to recover the loan capital plus any accrued interest even if the user is malicious.
The problem was, like Spark's protocol, there were many assumptions made to get to that goal. The oracle behaving, the Solana smart contract key staying secure, the closed-source software being authentic, etc. The on-chain protocol itself was as well-designed as it could be, but ultimately brittle and susceptible to subtle implementation bugs or misuse.
If they wanted to, it would've been easy for Lava to rug-pull everyone, which is exactly the same as any other closed-source bitcoin wallet, because of remote code updates, naive users, etc. Lava's CEO Shehzan and I have spoken about this subject quite a bit, and while I'm more optimistic about self-custody than he is, we mostly see eye to eye.
There was no practical path to fixing all of these issues definitively. All the while, if even the smallest bug were to sneak through, if they were hit by a phishing attack, or an NPM supply chain attack, etc., it would lead to a catastrophic hack or lost user funds. This never happened, but it was a factor on their minds.
Knowing this, and also having opportunities to build a better product by doing so... Lava rebuilt everything and moved to an institutional custody model. But unlike most custodians, every user's deposits are kept isolated until they are withdrawn. You can audit on-chain to confirm your collateral isn't being rehypothecated and gambled away SBF-style. You can find more info about their new system here.
Having audited both the old and the new code bases, I would be far more confident using the new platform rather than the old DLC-based on-chain protocol.
Source: I work part time for Lava as a security contractor.
Thanks for this context. I do think it probably is a better product without the attempt at "self custody" collateral.