We're really sorry about this and working to fix the issues.

Currently there are two main issues that cause force closes in mutiny.

Paying to a zeus lightning address almost always causes a force closure because it uses hodl invoices so the user need to come online between the time the zeus user claims the payment and before the htlcs time out, this can be a few hour window and often no user will hit it. Ldk is doing some work to help prevent this to give us more leeway in when the user can come back online but this will still be a problem, frankly zeus lightning addresses are just a nonsensical way to use lightning. https://github.com/lightningdevkit/rust-lightning/issues/2698

The second being multiple instances of mutiny running for the same seed. We have a bunch of checks to try to prevent this but it is difficult. We've exhausted so many options we're beginning to suspect some browsers (mainly safari) just clears some of our state which can cause the error. In our latest release we've started using a fork of ldk so instead of force closing it'll fail to start up instead, just to add more protection.

After all this, if you do everything right but still get a force close, you needed to come back online within 24 hours of the force close to sweep your money. This is just the nature of lightning with its high availability requirements. Our latest release extended this to two days but the best solution would be to add watch tower support so it can be swept without the user. Ldk does have experimental support for this but not something we've built out yet.

We do work closely with the LSP and if the user's funds are swept we are always able to get the money back.

These always really pain me because everyone on the team uses the wallet everyday and haven't ran into any loss of funds issues, so it's really hard to try and reproduce what exactly is causing all the problems. Fixing these is our top priority but a lot of it is just trying something and putting it out into the wild and seeing if our number of channel closures go up or down. Posting any logs when you get an issue is always extremely helpful.

Hey there, Graham from Voltage (the LSP Mutiny uses). I'll let the Mutiny team comment on the actual issues, LDK, sweeps, etc because we don't directly work on that. I just wanted to comment that any time this happens we work with Mutiny to send all funds back to users. So I understand the concern and annoyance, but you always get your money back. I know there's a lot of work ongoing to prevent this and make it better so it's one of those subpar solutions until we get the right solutions in place.

FYI for anyone reading this. The user funds are not missing. This dude has a force closed transaction and then immediately opens an issue then blasts it on multiple social media platforms. He's got a transaction in the mempool but no LSP funds were swept.

Maybe you should chill for a second for us to help you before jumping to conclusions.

Thanks for all the replies to this thread. The summary for me is:

1: my particular issue seems NOT to be an LSP sweep and the transaction seems stuck in Mempool due to the high fee situation. The Mutiny UI doesn't help showing 0 balance with no indication of unconfirmed funds, which goes against standard wallet UI, but thanks to @TonyGiorgio kindly looking into the GitHub ticket and demonstrating the transaction is in Mempool the funds appear to be safe assuming they are confirmed eventually.

2: the users who did suffer loss of funds with Mutiny are iOS users and due to a bug in iOS Mutiny PWA broadcasting incorrect state they lost their funds as is by design in the LN. However, funds are apparently being returned by the LSP (Voltage, as posted by @gkrizek and confirmed by @benthecarman ) so this is nothing malicious and is ultimately an inconvenience but not leading to any permenant loss of funds

3: The FC issue appears related to hodl invoices an innovation from Zeus which allows users to receive LN payments even when offline. The issue is that the HTLCs are often sort of in a pending state and that can lead to FCs in the case the sender is offline for an extended period of time. Another cause appears to be Safari browsers clearing state leading to errors (As per @benthecarman). Mitigation steps include not being offline for too long, or not sending to users of hodl invoices. Further mitigations mentioned are an LDK fork from Mutiny which will caused a failure to start node rather than a FC of channel. (As per @benthecarman ) Also there is talk of blacklist to prevent payments to hodl invoices or at least in the future a way to flag them for special treatment to mitigate the issue, such as the ability to cancel pending payments before they expire .(mentioned by @petertodd ) LDK is also working on some means to extend the time interval within which a sender must come online in order to avoid the FC. (As per @benthecarman) there is also talk of adding watchtower support by LDK to make sure FC--of they do occur--are swept in a timely fashion without user needing to be online (as per @benthecarman)

4: As @TonyGiorgio mentions, Mutiny is very clear that Mutiny is a beta project and that issues could happen, and to fund channels with this risk in mind. So people should not expect things to work perfectly at all times in such a fast paced development frontier as LN dev.

5: For me, I had been guilty of being naive not so much with Mutiny, as the team were always upfront on the risks and I never had much in there, but with other wallets like Phoenix I've been too cavalier. What this incident has revealed to me is that the nature of LN means that if you are not running a 24/7 connected LN backend or at least a 24/7 connected watchtower then funds will always be at serious risk in a LN mobile wallet. Not just because of malicious rug/ exit scam risk but because of bugs and things that can and do happen and can lead to loss of funds. Yes, I should have known this. But they polish and exceptional user experience of a wallet like Phoenix sort of hides the risk from users. Going forward I will be trying to keep this lesson in mind and be a lot more wary when using mobile LN wallets without hosting my own backend.

Isn't Mutiny Wallet a self custodial Lightning Wallet? How is this possible?

We literally have a big fat warning box that pops up when you use the wallet for the first time. Let us know what we can do to have this even more apparent so you don't miss it.

Also, this is a property of LN. Feel free to browse the github issues of LND, CLN, etc. and you'll see the same.

Similar cases with LDK mobile nodes here (that are still not resolved until today, nobody knows where the funds go after the FC):

Random idea but have you tried restoring the wallet from seed phrase in Sparrow to check there?

I lost sats on munity too. Like the project but it’s not ready yet

Have the same issue, crated in GitHub as well, my force close is from 26.10, still no funds back

Mutiny is still a fully trusted solution unless you host it yourself, in which case you're better off running a proper remote node on a Pi / VPS or with Voltage etc.

Force closes happen more often because of hacky workarounds like hold invoice flows for async payments, and spotty connectivity that comes with a roaming device.

LDK also isn't a serious project, to date it's just a hole for shady grant money to attack Lightning with shit like Bolt12 and tricking people into thinking mobile nodes are trustless.

It’s time to reconsider what we want from layer 2s