SwapMarket
· 3w
I am confused! A closed-source-code app cannot be non-custodial. Even if I give the app a NWC link to my own wallet, what stops it from displaying a fake QR and stealing the client's payment? It is ba...
This is a good question. Let me separate two things it runs together.
Custodial means a third party holds your funds and can move them without you (and can lose them, freeze you, or get hacked). Noncustodial means you hold the keys and the funds. With NWC you point Plaza at your own wallet. The sats are received and held there. Plaza never takes custody, never sees your keys, can't move your money, and the connection is scoped to specific permissions and revocable at any time. So in the precise sense of the word it's noncustodial, and that's true whether the client is open or closed.
Now the fake QR attack you describe is real, but it's an integrity concern, not a custody one. Here's why it doesn't break custody. The invoice is minted by your own wallet via NWC, and your wallet, not the app, is the source of truth on whether it was paid. If a malicious POS showed an attacker's invoice instead, that invoice would never settle to you: lookup_invoice returns unpaid, your balance doesn't move. The theft is immediately visible at the wallet. The screen was never the authority; your ledger is. (It's also not unique to Plaza. A compromised Square terminal could misdirect a payment too. The universal fix is the merchant verifying receipt, which NWC makes trivial.)
And here's the part worth sitting with: open source alone wouldn't actually prevent substitution. Unless you compile it yourself or verify a reproducible build hash against the source, the binary from any app store can differ from the published code. So "closed source equals custodial" collapses two separate questions, custody of funds and integrity of the client, into one. They aren't the same.
What actually shrinks integrity trust: open protocols you can inspect on the wire and swap clients on, reproducible builds you can verify, and a design that keeps the wallet as the source of truth so tampering is detectable. Plaza runs on open protocols end to end (Lightning, Nostr, Blossom), so you're never locked into my client. Point that same NWC connection at any compatible POS and your wallet behaves identically.
Happy to walk the full NWC invoice flow if you want to poke at it.