Sorry I click-baited you with the title, I hope you'll find it justified.
It's important to discuss the unavoidable downsides to complex (technical) systems, since there is a relatively low percentage of people who have the capacity to understand the details of how things actually work.
It's particularly bad when dealing with money as money attracts the worst parasites. This is why, since the advent of Bitcoin, the carousel of buzzwords has equated it in the minds of many as the center of the scam universe.
Federations are the latest arrow in the scammer's quiver.
So, what exactly is a scammer trying to achieve when they call something Federated?
A fed scammer wants to distinguish their product/service from something non-federated. When they tell you their thing is federated, they are implying that:
There's multiple parties involved that would have to collude, so you're not trusting us directly, there's a higher threshold to rug you
This is dishonest, because in all cases with federated things, you are still trusting someone (usually them) directly, 1:1.
Simplified Example:
You generate an address to receive a payment to your federated shitcoin wallet, but the wallet publisher serves an invoice not from the federation.
More Complex Example:
An honest but naive wallet uses an external Federation for bootstrapping, but the federation's API server responds with an address not of the federation.
Because you didn't query a server from each federation member to ensure they all agree it's a legit address, you have no idea where the address/invoice actually comes from.
Yet More Complex Example:
Your wallet fetches a legitimate federation address, but when you later spend, the gateway/swap service sends the bitcoin somewhere else- no fractional reserve to tip off the guardian.
Steel-Man
Obviously not everyone advocating or working on federated stuff is a bad actor. There are well-meaning and virtuous bitcoiners working on this that care very much about users' privacy, and want to create on-ramps for people who can't yet afford a transactable amount of Bitcoin.
You see federated stuff everywhere because its proponents want you to know how virtuous they are. If you disagree, it must only be because you hate privacy, innovation, and poor people.
There is a case to be made that Federatoors aren't scamming you the user, but scamming the regulator, by obfuscating the custodians with technobabble.
Counter
It's the virtuous non-communists that brought the Bolsheviks to power. There is an analog here, useful idiots are normalizing bad technology. To make matters worse, there's a disproportionate amount of funding for these projects from undisclosed interests, proxied through NGOs and Front Work, and it's buying up any developer with their hand out.
Privacy and on-ramps are important, but Federations are fit for larger custodians relative to their Uncle Jim counter-parts. The bigger the custodians, the more liability to privacy is created by consolidating flows into surveillance choke-points. Federations are honeypots.
I think most all Bitcoiners agree that large custodians are bad, and small custodians have less than 0 to gain from federation software. Uncle Jim is the smallest custodian next to the individual, there's no benefit to him by federating since as illustrated above it's all a LARP to begin with. A billion Uncle Jims are how we keep the network decentralized and private, and there's a lot at stake from the financial and surveillance state in preventing that.
Since builders of Federated solutions are technical and capable of understanding these workings, we must conclude that they are ashamed of their products and have to lie about the trust trade-offs vs. non-federated alternatives. Even if they are scamming the regulator, which is commendable at face value, they're actually helping the regulator by standing in the way of real innovation and decentralization that will permanently disempower the regulator.
In summary, Federation narratives serve one purpose, to obfuscate whom you are trusting... so why the hell would you trust one?
38 sats \ 2 replies \ @nym 24 Apr
Great post. I get this feeling from it now also until it is more mature and secure.
reply
Thanks, but even though the software may improve it's always going to be an obfuscated 1:1 trust relationship masquerading as a quorum.
There are ways to fix that I can dream up, but the performance and UX trade-offs would be so bad it would favor self-custody from the jump.
reply
17 sats \ 0 replies \ @nym 24 Apr
Great point!
reply
non technical person here
you seem to be saying:
because of the way the internet works via API calls its still a 1:1 trust relationship. think of fedi/liquid as functionally the same as any single party custodian like an exchange and know what you're dealing with
that makes sense to me and hadn't seen like that before thanks for explaining for simpletons like me
then you seem to be saying:
because it works to capture dev mindshare which would otherwise be spent on developing alternate tools, were fucked
putting my best mutiny wallet hat on, just for example, i assume the reason for going down the 'federated' path is to minimise legal attack surface to show they not straight 1:1 custodying funds like WoS which cant operate in US. gives cover for a period of time? is that not good? whats alternative if didn't do this when you hear all the problems with lightning. and its open protocol though cant stop people building what they want.
I don't know what answer is, what would you rather people work on?
reply
Scamming the regulators is where I give the concept at least some credit, but Federations do so at the cost of corrupt big-custodian incentives buying up resources, and slowing the pursuit of better solutions.
Nostr as a social graph and communication layer gives us an opportunity to bootstrap new users from their pre-existing social network. I'm personally working on that with Lightning.Pub, but the concept has gained traction on other projects as well, like LNBits.
reply
scamming regulators is funny way to think about it i like it
nostr does seem promising. will check out lightning.pub 👀
reply
17 sats \ 0 replies \ @Fabs 24 Apr
My thoughts exactly.
reply
The perfect explanation of a federated "thing"
reply
always clutch with the memes
reply
memes are always a powerful message / weapon
reply
WELCOME TO THE DIGITAL BATTLEFIELD
reply
21 sats \ 1 reply \ @tolot 24 Apr
Agree 100% on the fact that the movement and massive financing of custodial services is positionally wrong, even if directionally correct.
Directionally correct because the tendency is towards enhancing some features of existing solutions, possibly improving user experience, privacy and bitcoin adoption. Since stuff exist, let's at least improve it with some more clever cryptography, can't we?
Clearly this is positionally wrong, because the goal we are aiming at and the problems are tackled still validating and perpetuating the idea of custodiality.
If the environment is trusted, just have a go with a credit-debit system based on relationships. If I've a debit with my uncle of 50 bucks, I'll pay it back the next dinner by paying also for him. You don't need real asset instant settlement in a relationship-based credit system. If trust is not an option, then there is no point in using ecash, because you cannot trust that the mint will enforce the "21mln limit".
Nonetheless, I value a lot the chance that the federation narrative could possibly "protect" honest custodial services. Since they exist and thrive and users use them, at least we try to solve issues in the custodial model, meaning that we can possibly mislead regulators into thinking that there is a nuanced architecture that realizes somehow "not centralization".
At the end of the day, we must spread and push for non custodial solutions and sovereignty, knowing that someone (now the majority of users) will still use custodial services for convenience and because nowadays bitcoin cannot really host a totally self custodial user base.
reply
federation narrative could possibly "protect" honest custodial services
As I said, scamming the regulator is commendable, that's the premise of stablecoins in creating a shadow banking sector. Stables work on reputation though, much more honest than federation theater.
It's clear that by marginalizing trust relationships, Federations are an attack on small custodians that would truly disempower regulators.
reply
35 sats \ 7 replies \ @om 24 Apr
This is bullshit.
Simplified Example (users pwned by a bad wallet): nothing to do with federations, a bad L1 wallet could do the exact same thing. We have to assume that the wallets are open source and work as intended whether it's chain, LN or federations.
More Complex Example (peg-in by a trusted party): regular peg-ins should be signed by multiple federation members, in this example the bad wallet does something else instead and it is the problem of the bad wallet.
Yet More Complex Example (pwn by a trusted gateway): in Fedimint gateways are untrusted and this situation can't occur, if a bad wallet uses a trusted gateway instead that is the problem of the bad wallet. In Liquid there are no gateways distinct from the federation itself.
"Counter": the entirety of that section is based on the assumption that the previous examples hit the target, which they don't.
reply
bullshit
Triggered!
Bad wallet
Sure, bad wallet can happen with anything... but auditing the wallet client code isn't also an audit of the external API server it uses. There's little point in auditing a wallet using a trusted API from the jump.
Peg-In Gateway
The wallet can be innocent in this scenario because it has no way of knowing the gateway is honest, barring full signature verification of the quorum (n gateways), which afaik no client is going out and confirming signing keys with m/n members.
Doing so would defeat the purpose of the gateway in providing compatible addresses/invoices.
There's simply no getting around trusting a single API server, which is necessarily run by a single party.
Gateway Out
Shitquid's entire business model is literally a trusted swap service ffs.
reply
25 sats \ 4 replies \ @om 24 Apr
Doing so would defeat the purpose of the gateway in providing compatible addresses/invoices. There's simply no getting around trusting a single API server, which is necessarily run by a single party.
This is not how any of this works. Swaps between Liquid/Fedi and LN/L1 are atomic and untrusted basically using the same submarine mechanism that Boltz uses to swap between LN and L1. Not trusting gateways is the whole point of Fedimint.
Shitquid's entire business model is literally a trusted swap service ffs.
There's 11-of-15-trusted and then there's 1-trusted. Very different beasts.
reply
point of Fedimint
The point of Fedimint is to obfuscate trust point, it's still a client-server relationship.
Server being singular.
No one argues that these shitcoins are trusted, my point is that you're trusting 1 party, not many.
Are you really claiming that Liquid/Shitmints are Trustless? 🍿
11-of-15-trusted
You can't prove how many key holders there are, it's a trusted attestation
reply
25 sats \ 2 replies \ @om 24 Apr
Are you really claiming that Liquid/Shitmints are Trustless?
Not trustless, but m-of-n trusted under assumptions that the wallets work as intended. Fedimint gateways are trustless only under assumption that you trust the federation itself.
You can't prove how many key holders there are, it's a trusted attestation
Indeed I have not independently verified that the 15 functionaries of Liquid are not the same person. For example, maybe the photos on https://liquid.net of the Nym guy are AI-generated and Nym is actually run by Blockstream. However, the m-of-n trust model is by definition broken if more than n-m parties are evil, and such a case does include the possibility that n-m+1 parties are actually one and the same. Users that worry about this possibility should either use fedimints run by their friends or investigate the Liquid federation more thoroughly than I did.
reply
I think we're in agreement then that the purpose of a federation can only be to obfuscate the trusted party.
reply
0 sats \ 0 replies \ @om 25 Apr
I did not say that. I consider m-of-n model to be a significant improvement, but of course the user has to verify that those n do in fact exist.
reply
Hello, I have built a module for fedimint and have some knowledge of the inner workings.
The examples you put forward are accounted for in the fedimint implementation. The invite code used to join a federation contains all the public keys of the guardians in that federation. The client ensures data received from the federation is signed by a threshold of the guardians.
Lightning gateways are implemented in fedimint in a way that gateways cannot steal users funds.
I would argue that fedimint is actually harder to justify to the regulators because of its great privacy guarantees. I agree that public federations could very likely be targets of rug pulls from the governments they operate under.
reply
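The threshold check described in the comment above, set against the single-API-server concern from the original post, as an added example that is not part of the thread and not Fedimint's code. Ed25519, the `GuardianSig` format, the index-based key pinning and the address strings are assumptions chosen for illustration; the keys stand in for the guardian public keys the comment says come from the invite code.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// GuardianSig is one guardian's signature over the served address
// (hypothetical format, not Fedimint's wire encoding).
type GuardianSig struct {
	Guardian int // index into the pinned key list
	Sig      []byte
}

// VerifyQuorum reports whether at least threshold distinct pinned guardians
// signed addr. Unknown indexes, bad signatures and repeats do not count.
func VerifyQuorum(pinned []ed25519.PublicKey, threshold int, addr string, sigs []GuardianSig) bool {
	seen := make(map[int]bool)
	for _, s := range sigs {
		if s.Guardian < 0 || s.Guardian >= len(pinned) || seen[s.Guardian] {
			continue
		}
		if ed25519.Verify(pinned[s.Guardian], []byte(addr), s.Sig) {
			seen[s.Guardian] = true
		}
	}
	return threshold > 0 && len(seen) >= threshold
}

// Demo builds a constructed 3-of-4 federation and returns the verdicts for an
// honest response, a swapped address, and one guardian's signature sent 3 times.
func Demo() (honest, swapped, repeated bool) {
	const addr = "bc1q-constructed-federation-address" // constructed sample value
	var pinned []ed25519.PublicKey
	var sigs []GuardianSig
	for i := 0; i < 4; i++ {
		pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
		if err != nil {
			panic(err)
		}
		pinned = append(pinned, pub)
		sigs = append(sigs, GuardianSig{Guardian: i, Sig: ed25519.Sign(priv, []byte(addr))})
	}
	honest = VerifyQuorum(pinned, 3, addr, sigs[:3])
	swapped = VerifyQuorum(pinned, 3, "bc1q-constructed-other-address", sigs[:3])
	repeated = VerifyQuorum(pinned, 3, addr, []GuardianSig{sigs[0], sigs[0], sigs[0]})
	return
}

func main() {
	fmt.Println(Demo()) // honest, swapped, repeated
}
```

The check counts distinct pinned keys, so it catches an API server substituting an address but says nothing about whether those keys belong to distinct operators, which is the point both sides of the thread leave to the user to verify.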
By their own documentation, the security model is bank runs... It's not even multisig (I'm aware they are pursuing FROST but that begs other questions about the coordination)
A client that verifies signatures can eliminate some of the communication layer risk, but it still comes down to single point of control transactionally, including ingest of the destination specified by the client.
Important to remember that at a high level these are perpetual motion machines, if they worked as users are led to believe, Bitcoin wouldn't be needed because we could forego PoW consensus and call it good with quorum.
As for scamming the regulators, the holy grail is breaking up custodianship into countless pieces. Federations are re-centralization tech, and therefore an attack on that vision.
reply
If it's not multisig, then that defeats the whole purpose of a federation.
The client can broadcast their transactions to multiple guardians to mitigate transaction censorship from malicious guardian.
Federations are just another way to run custodial bitcoin. They have a different trust model than the traditional single custodian controls everything. They still require total trust that a group of the guardians won't go malicious.
reply