
Introduction

[Users of] the Lightning Network...trust third parties (TTPs) with the security of funds owned in the system. ... [This is because the] Lightning Network is vulnerable to hashrate majority collusion and flood and loot attacks, where the attackers can steal but not freeze the funds owed to their channel counterparties. source
This is an interesting paragraph imo. The first sentence reminds me of this maxim: it's custodial if someone can steal it. If John's first sentence here means (and I'm not sure it does) that every lightning user trusts someone not to steal their money, then it seems to follow that every lightning wallet is actually custodial, including every lightning full node. If that is true, it means the entire lightning network is actually a custodial system, not just products like WoS, but even network infrastructure like LND and CLN. It's really all just a cleverly disguised custodial system, if I understand John's thesis here correctly (which, I probably don't -- he probably doesn't mean that).
The second two sentences I quoted appear to back up the first one. If his thesis is: "there's always someone who can steal your money on lightning" then it is wise to identify who that is, because that person is actually a disguised custodian. John identifies two ways someone can steal from your lightning channel: "hashrate majority collusion and flood and loot attacks."

Flood and Loot

The second attack ("flood and loot attacks" aka FAL attacks, aka Forced Expiration Spam attacks, aka FES attacks) is outlined in section 9.2 of the lightning network whitepaper where it is described as "[maybe] the greatest systemic risk when using the Lightning Network." A FES attack is (1) hard to pull off, (2) always at massive risk of failing, and (3) likely to cause loss of funds for the attacker if it does fail.
To accomplish a FES attack, the attacker must first create a situation where bitcoin blocks suddenly become very congested, or he must act quickly when that situation arises through some other cause. Next he must force close his channel with you using an "old state" where he owes you less money than you're actually due.
The victim is expected to broadcast a "justice transaction" when this happens, but due to sudden network congestion, the justice transaction is not expected to pay a sufficiently high fee to get into a block. Moreover, the input to a justice transaction is a utxo from a multisig address "owned by" the attacker and the victim jointly, which prevents the victim from using RBF to unilaterally bump the fee (to use RBF on a multisig utxo, both parties have to agree on the new feerate and cosign it -- which the attacker won't do).
The FES attack isn't over yet, though. The attack will fail if the victim successfully uses CPFP or a centralized transaction accelerator to bump the fee on the justice transaction, which, if the victim succeeds, will cost the attacker all of the money they had in the lightning channel with the would-be victim. So he must hope the victim does not do that. And even if all of that turns out to be true, the attacker still might fail if, before the timelock on the attacker's force closure transaction expires, fees fall to levels that allow the victim's justice transaction to get mined.
It seems extremely unlikely that all of these factors are under the attacker's control, especially the part where the victim can just use CPFP or a transaction accelerator to foil the attack. So I personally don't think the FES attack "counts" as a proof that a trusted third party can steal your money. I don't think it proves John's thesis (which I probably misunderstood, but here I am acting as if I did not).
FES attacks do not imply that lightning is custodial or that anyone can steal your money. The victim is in control of whether or not the attack succeeds. Foiling it is even something you can automate through judicious software that watches for FES attacks and uses CPFP and transaction accelerators when they happen. Moreover, since foiling such an attack actually earns the victim some money (you get all of your counterparty's money when you successfully broadcast a justice transaction) there is an incentive to build an auto-foiler directly into lightning wallets. I'm not sure if anyone has done this but I wouldn't be surprised if Acinq has.
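The fee arithmetic behind the "auto-foiler" described above, as an added example that is not part of the post: it takes the post's premise that the justice transaction cannot be re-signed unilaterally (so RBF is out), computes what a CPFP child spending the justice output must pay to lift the package to the going feerate, and tracks how many blocks of the attacker's CSV timelock remain. All amounts, the 110 vB child size and the 546 sat dust floor are constructed assumptions for illustration.

```python
import math
from dataclasses import dataclass


@dataclass
class Tx:
    vsize: int       # virtual size in vbytes
    fee: int         # absolute fee in sats
    spendable: int   # sats in the output only the victim can spend


def feerate(fee: int, vsize: int) -> float:
    return fee / vsize


def can_rbf(signatures_available: int, signatures_required: int = 2) -> bool:
    """Under the post's premise, replacing the justice tx itself needs a fresh
    signature from every party on its 2-of-2 input; the attacker won't sign."""
    return signatures_available >= signatures_required


def cpfp_child_fee(parent: Tx, target: float, child_vsize: int) -> int:
    """Smallest child fee such that (parent + child) reach `target` sat/vB.
    Miners judge the pair by the package feerate
    (parent.fee + child.fee) / (parent.vsize + child.vsize)."""
    needed = math.ceil(target * (parent.vsize + child_vsize)) - parent.fee
    return max(needed, 0)


def plan_bump(parent: Tx, target: float, child_vsize: int = 110, dust: int = 546):
    """Child fee and resulting package feerate, or None when the justice
    output is too small to fund the bump (the child output would be dust)."""
    fee = cpfp_child_fee(parent, target, child_vsize)
    if parent.spendable - fee < dust:
        return None
    pkg = feerate(parent.fee + fee, parent.vsize + child_vsize)
    return {"child_fee": fee, "child_output": parent.spendable - fee,
            "package_feerate": pkg}


def blocks_left(to_self_delay: int, force_close_confirmations: int) -> int:
    """Blocks the attacker's CSV timelock still has to run; at 0 the attacker
    can sweep the revoked balance and the justice tx is too late."""
    return max(to_self_delay - force_close_confirmations, 0)


# Constructed scenario: justice tx signed at 10 sat/vB, mempool now clears at 80
JUSTICE = Tx(vsize=200, fee=2_000, spendable=1_000_000)

if __name__ == "__main__":
    print("RBF available:", can_rbf(signatures_available=1))
    print(plan_bump(JUSTICE, target=80.0))
    print("blocks left:", blocks_left(to_self_delay=144, force_close_confirmations=30))
```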

Miners Can Steal

John calls the other attack "hashrate majority collusion." It refers to the fact that miners can censor transactions from getting into blocks, but only if they control a "hashrate majority" i.e. 51% of mining rigs. If you can convince a group of miners to do that for you, you can steal from your lightning counterparty in the following manner: force close your channel with them using an "old state" where you owe them less money than they're actually due.
Next, expect your counterparty to broadcast a justice transaction to stop your attempted theft, but tell your group of miners not to mine that transaction. Also, if anyone else mines that transaction, tell your group of miners to orphan that block and mine a different block to replace it -- one without the justice transaction in it. As long as your group of miners really has 51% of the hashrate they will eventually "win the fight" (though it may take weeks to do so if they only have 51% of mining rigs), the timelock on your force closure will expire, and you will get to keep whatever money you owed your counterparty because they couldn't get their justice transaction mined in time to prevent the theft.
In my opinion, the existence of this attack does not imply that lightning is custodial or that anyone can steal your money. The attack assumes that your counterparty can collude with 51% of miners, but that does not seem plausible to me. The most plausible way to do it that I can think of is to bribe the two largest mining pools. But those pools do not "control" 51% of mining rigs. The actual mining rig owners are just "members" of various pools, and not only can they switch to a new pool at a whim, they appear to do so very responsively in reaction to things like twitter mobs yelling "censorship!" about things like (1) Antpool following OFAC guidance, (2) Foundry pool merely announcing an intention to comply with OFAC in the future, and (3) most recently, Ocean censoring inscriptions.
I don't think John actually thinks this, but suppose for a moment that he believed all the members of large mining pools are actually trusted counterparties to every lightning channel. I think that would only be true if (1) they chose to collude together with one of the members of that channel to orchestrate a "miners can steal" attack, (2) they were able to maintain a hashrate majority for the duration of the attack, (3) to the point of orphaning other miners who tried to mine your justice transaction, and (4) stop their mining pool members from leaving the pool due to the clear censorship happening.
I just don't think this attack is serious. There is no evidence of that scale of collusion, and I don't even think it's possible without some sort of collusion tool, evidence of whose existence is lacking, unless I'm in the dark about it.

Conclusion

Both of the attacks John identifies are not serious in my opinion. They do not support the thesis (which I probably misunderstood, and which he probably does not claim to make) that all lightning users actually trust a third party not to steal their money, which, if it was true (I don't think it is), would imply that the lightning network is actually a giant custodial system. I hope this essay helps clarify why I think John is wrong (or rather, why I probably misunderstood him -- again, I don't think he really believes the thing I am arguing against).
I agree with most of your assessment, good write up.
The main problem though is there's a difference between trust and custodial and you use them interchangeably.
Lightning is trusted in certain ways, but it does not make it custodial. Trust is all around us. I trust my counterparties to not go offline, otherwise I wasted channel fees on them. It does not make them a custodian.
I also trust them to not attempt to do a F&L on me, and part of that trust is assuming my node is not cost worthy to attack. That attack costs more than my node is worth. I also know most of my channel partners.
I also trust that bitcoin's censorship resistant property holds up rather well and that sustaining a 51% is highly unlikely (we all trust that, otherwise none of us would be here).
I'll take this time to share one of the essays from @wefofficial: https://trustisascalingsolution.com/trusted-third-parties
None of these imply custodianship, but trust is a real part of that. It's fair to call something TTP but not custodial. But I agree he's bringing up highly unlikely attacks to promote whatever his thing is. Which I still don't know because he spent most of the article talking about hypothetical LN attacks.
I agree with most of your assessment, good write up.
Ty
The main problem though is there's a difference between trust and custodial and you use them interchangeably.
They are sometimes interchangeable. When you're trusting someone with your money it's custodial. When you're trusting them with something else, it probably isn't, but I haven't thought of everything and there are probably exceptions.
Lightning is trusted in certain ways, but it does not make it custodial
Agreed, e.g. you trust people not to make you pay miners a bunch of money in force closure fees, but you're not trusting them with your money -- because they don't have your money
I also trust them to not attempt to do a F&L on me
You don't need to because you can foil the attack through automated software (not sure if any is written though)
It's fair to call something TTP but not custodial
Sometimes, yes. But if the TTP can hit the "send" button without your consent, and you're simply trusting them not to do that, that's custody
I don't think a good definition of custodian is "can steal your money". Trust and custodianship are not the same thing. Trust is a superset of custodianship.
Imagine you have your gold bullion in your house. Your neighbors know. They COULD shoot you and take your gold. You're trusting them not to. That does not mean your gold is custodial, IMO.
Ronald Reagan said in a speech once that the reason for government is so you don't have to walk around with a club. And that's where I think the difference is: on the internet, you do. If you just "trust" people on the internet not to collect your information (that's all bitcoin is), you will be had. Cryptography is the club that deters them. And that is why, when it comes to bitcoin, if someone on the web can steal it, it's actually custodial. It's in their possession. If they have a "send" button and can push it without you, I recommend you consider it not really your money -- consider it theirs.
if someone on the web can steal it, it's actually custodial
Hard disagree. The legal definition of "custodial" generally refers to a situation where an individual or entity is responsible for the care, supervision, or safekeeping of another person or property. There's a lot of things that would fall under your definition of custodial that are clearly not, such as someone generating a private key with one dice roll. Who is the custodian here? Someone on the web can steal it.
The legal definition of "custodial" generally refers to a situation where an individual or entity is responsible for the care, supervision, or safekeeping of another person or property
Just replace the verb with "has":
The accurate definition of custodial is a situation where an individual or entity has another person's property
such as someone generating a private key with one dice roll. Who is the custodian here?
Thanks for this knowledge on Lightning attacks; now I know better.
If miners can steal, why would they bother with lightning, when they can hard fork into any consensus ruleset that works to their advantage?
Where miners lead, other nodes might not follow