Damus
Open in Damus
LightningGoats profile picture
LightningGoats

Chainsplits, Lightning, and BIP-444: Dangers You Might Not Have Considered

Lightning follows your Bitcoin backend. A split makes two look-alike funding outputs, but enforcement only works on the chain you watch. With replay protection, the minority chain needs fresh, fork-valid closes. Without it, closes and revoked states can be replayed across forks. If peers diverge, you can be safe on Chain A yet lose coins on Chain B if you don’t monitor B within CSV. Watchtowers must match your chain. Gossip breaks across forks. SCIDs shift, routes fail, liquidity thins off the economic-majority chain. Nostr zaps fracture: receipts and money can land on different chains; custodial zappers may pause or force one chain view. Incentives favor the main chain: lower loss risk, deeper liquidity, lower ops cost, simpler UX. Playbook: halt HTLCs, pick your chain, align LN and watchtower, prefer cooperative closes, only manage the other fork if you’ll fully monitor it, label chain in zap logs. TL;DR: In a split, treat the minority fork as a separate universe. Either watch it with full tooling or ignore it. Half-measures leak funds.

Here’s the frame: Lightning follows whatever chain your Bitcoin node follows. A chainsplit turns one confirmed funding output into two look-alikes. Enforcement then depends on which chain you and your tools actually watch.

What BIP-444 changes in the backdrop

BIP-444 debates raise split risk. You don’t need to pick a side to see the blast radius. If a fork happens, your operations face higher monitoring load and new failure modes.

How Lightning “chooses” a chain

Lightning does not choose. Your LN node binds to your Bitcoin backend and inherits that view. The effective choice is the chain your Bitcoin node tracks.

The funding output problem

If your channel funding tx confirmed before the split, that UTXO exists on both forks. That creates two separate enforcement games.

  • With replay protection on the minority fork: closes and spends need fork-specific signatures. If you don’t re-coordinate, coins on that fork can sit inert.

  • With no replay protection: a close on Chain A can be replayed on Chain B. A revoked state can also be posted on B. You only punish it if you or your watchtower are watching B and can act within the CSV window there.

When peers diverge after the split

You both start on Chain A. Later your peer points to Chain B.

  • Off-chain updates can continue, but settlement safety now depends on monitoring both chains.

  • If you ignore B and your peer publishes on B, you cannot respond there. You may be safe on A and still lose value on B.

  • Gossip breaks because short_channel_id = (block, txindex, vout) diverges across forks. Routes valid on A fail on B.

Nostr and zapping impact

Zaps bind invoices to signed zap requests and receipts. During a split:

  • Sender and receiver can settle on different forks. You get mismatched receipts and money.

  • Without replay protection, closes or sweeps tied to zap flows can be replayed on the other fork.

  • Custodial zappers may pause, force a single chain view, or degrade features until the fork resolves. Expect inconsistent badges, delayed receipts, or disabled zaps.

Incentives to stay on the main chain

Rational operators minimize monitoring and replay risk.

  • Loss risk on the small chain: if you do not watch it, an old state posted there can win by default. Watchtowers also choose a chain. Many will track only the economic majority.

  • Liquidity and routing: LSPs, routers, and custodians converge on the deepest market. Off-fork channels become low-reliability or unroutable.

  • Operational cost: dual-fork safety means duplicated nodes, watchers, backups, and playbooks.

  • UX gravity: wallets and exchanges disable or warn on the minority fork. Users follow the simplest path.

Practical playbook if a split looms

  1. Stop adding HTLCs until your backend’s chain is settled.

  2. Pick your chain by picking the Bitcoin node you follow. Point LN and any watchtower at the same chain. Verify.

  3. Cooperatively close channels you do not need on your chosen chain.

  4. If you care about coins on the other fork, check replay protection. Without it, either monitor both forks until all channels are closed, or consciously abandon the minority balance.

  5. For Nostr services, bind zap accounting and receipts to the same chain as your wallet. Label the chain in logs and receipts. Pause receipts if your backend is uncertain.

Bottom line

Lightning security is chain-dependent. Treat the minority fork as a separate universe. Either watch it with full tooling or opt out. Half-measures create silent loss.