Hermes: A Noncustodial Lightning Address Messenger w/Fedimint \ stacker news ~lightning

Hermes: A Noncustodial Lightning Address Messenger w/Fedimint github.com/Kodylow/hermes

2289 sats \ 15 comments \ @isolabellart 31 Dec 2023 lightning

view all related items

50 sats \ 0 replies \ @orangecrush 31 Dec 2023

A reduced counterparty risk federation custody lightning address messenger.

153 sats \ 13 replies \ @supertestnet 31 Dec 2023

This does not compute

How is it non custodial if the money goes into fedimint?

That's like saying it's non custodial if the money goes into coinbase

0 sats \ 8 replies \ @fanis 17 Jan

I think it's "not custodial" in the sense that the Hermes server cannot use the funds, since the ecash is locked to the receiver's pubkey. But since the Hermes server can always stealthily steal from you by responding to requests with their own invoices, I'm not sure I see much of an advantage here. You need to trust the Hermes server anyway.

100 sats \ 7 replies \ @supertestnet 17 Jan

the Hermes server cannot use the funds, since the ecash is locked to the receiver's pubkey

They can use the funds, because even though the ecash is locked to the receiver's pubkey, the bitcoins are not. The ecash is a liability, a credit, backed by an asset, btc. Hermes can run off with the asset (btc) and refuse to honor the liability (ecash).

0 sats \ 6 replies \ @fanis 17 Jan

They can use the funds, because even though the ecash is locked to the receiver's pubkey, the bitcoins are not. The ecash is a liability, a credit, backed by an asset, btc. Hermes can run off with the asset (btc) and refuse to honor the liability (ecash).

I'm assuming Hermes isn't part of the Federation, just a service provider operating in the mint.

The mint will only create the ecash after the sats are in its control. So either Hermes steals the funds upfront (no ecash minted, nobody knows they stole unless the sender talks to the recipient), or they'd need to collude with the Federation.

0 sats \ 5 replies \ @supertestnet 17 Jan

Oh I see what you mean now. I think you are saying Hermes is non-custodial because they don't have your btc, fedimint does. Is that right?

If so, that doesn't make it non-custodial. Imagine if instead of using fedimint Hermes showed you a "deposit address" to coinbase. And then they said "You see, we are non-custodial because we don't have your btc, coinbase does."

If you tell users "non-custodial" when it's really all a frontend for a custodian's api, you're lying. Tell users the truth so that they are informed. They may be willing to trust that person or group with their money, but the wallet should definitely not lie about the trust model by calling itself non-custodial.

10 sats \ 0 replies \ @fanis 17 Jan

I agree 100%.

0 sats \ 3 replies \ @bluematt 19 Jan

Not only is that true, but even if you fully trust the federation its still a useless distinction - lnurl, by definition, cannot be non-custodial. Its a single (HTTPS) server that can steal any and all payments to you. They can't take money after you have it, but its not a very interesting distinction IMO.

0 sats \ 2 replies \ @supertestnet 19 Jan

lnurl, by definition, cannot be non-custodial

It can

You can run the server yourself, then it is self custodial

Senders can also validate the signature in the intended recipient's invoice to ensure it hasn't been swapped (I implemented something pretty similar to this for zaplocker, though I didn't go all the way) -- that also makes it self custodial

0 sats \ 1 reply \ @bluematt 19 Jan

You can run the server yourself, then it is self custodial

That's fair, and, indeed, I should have chosen my words more carefully. Maybe I should have said "lnurl, by definition, if you are not running the server yourself (which ~no one does) cannot be non-custodial".

Senders can also validate the signature in the intended recipient's invoice to ensure it hasn't been swapped (I implemented something pretty similar to this for zaplocker, though I didn't go all the way) -- that also makes it self custodial

Except, not only does no one do this, but it requires a spec extension for senders to (a) have any idea what the intended public key is and (b) requires some signaling to know whether the sender should be validating (possible using TOFU). In both cases, you need some kind of external signaling (because you can't simply trust the lnurl server, that would defeat the point), which defeats the point of lnaddress - a simple human-readable name to pay to.

view replies

0 sats \ 3 replies \ @benthecarman 31 Dec 2023

Coinbase has custody because they have unilateral access. In a fedimint no one has unilateral access to the funds so it is non-custodial.

1 sat \ 1 reply \ @supertestnet 5 Jan

Coinbase has custody because they have unilateral access

Agreed

In a fedimint no one has unilateral access to the funds

Disagreed

The group is someone

That someone has unilateral access to the funds

Therefore it is custodial

1464 sats \ 0 replies \ @supertestnet 5 Jan

On a related note, multisigs sometimes take money from people, especially when a court orders them to. Case in point:

https://dailycoin.com/oasis-counter-exploits-wormhole-hacker-to-retrieve-225m-on-court-order/

If the members of an ethereum multisig can receive and comply with a court order, why can't the members of a fedimint multisig do the same?

If they can do the same (and I'm pretty sure they can), how is that not an example of group custody (I'm pretty sure it is)?

0 sats \ 0 replies \ @justin_shocknet 5 Jan

They're the same picture.

Coinbase is multiple stakeholders overseeing a multisig vault.

No one at Coinbase has unilateral access any moreso than a gaggle of clowns running mintcoin.