Following the widespread uproar over Bitcoin (BTC) wallets bending to the “travel rule” to comply with Swiss and Dutch regulations, a developer warned that something similar could be brewing on the Lightning Network (LN), the solution for cryptocurrency micropayments.
In a post on the Linux Foundation blog, developer “Armdxxi” said that when a Lightning node creates an invoice in the BOLT11 format, which includes a description of what the payment is for, it is signed by the issuer with detailed information. The signature verification process validates that it comes from a specific node and that it is unchanged.
But here comes the detail. That description could be “exploited” by “bad actors” within the regulated space. And the users, unwary, are accepting it without even knowing the repercussions.
A BOLT11 invoice is the most used mechanism in Bitcoin’s second-layer solution. With it, the recipient of the funds generates a QR code with the payment invoice, which allows a description to be added, and that description is, in this case, the problem.
How does it work?
There are ways in which a process similar to that of the AOPP protocol can be reproduced over LN. Under AOPP, users of Bitcoin wallets must sign a message from an address to prove it is theirs when they make withdrawals of more than $1,000 from centralized cryptocurrency exchanges.
Know-your-customer (KYC) node verification is one such process. Here, a “specialized invoice” can be created to verify those points.
That “invoice”, which uses the BOLT11 format, must be filled with personal information in the description and then delivered to the service. The tricky thing is that this information can be stored and shared in a user database. The same goes for nodes, whose information may end up in the hands of regulators and governments.
For Armdxxi, that’s more than enough to recommend that developers of Lightning Network compatible wallets eliminate the possibility for users to sign declarations with their nodes.
“As with the widespread removal of AOPP from hardware/software wallets, exchanges can stop expecting users to be able to hand over this information easily,” the developer said.
Reason for payment, the other way
The second way in which the travel rule can be facilitated on the Lightning Network is by adding payment reasons to transactions under the BOLT11 format. Here the role is played by the receiver of funds.
Although in theory the payer and the beneficiary are the only ones who know the reason for the payment, the “custodians” of funds could see and store that information.
For this reason, the developer warns, if exchanges transmit invoices to blockchain analysis companies, such as Chainalysis or Messari, “it could be quite revealing”, since they could learn, for example, the internal username that is paying, which Lightning node is receiving the payment, the total amount, and the description.
This mass-collected information allows risk scores to be mapped across the network. These risk scores will lead to censorship issues. Additionally, they can share suspicious node owners and their known transactions with malicious parties.
Armdxxi, developer of the Lightning Network.
For the specialist, this can be remedied by clearly communicating that the information users enter in invoices could be verified by third parties. Ideally, however, wallet developers would remove descriptions entirely, he suggested.
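To make the point about the description concrete, the following is an added example (not code from Armdxxi's post or from any wallet) that reads the description back out of a BOLT11 invoice string, which is what any custodian handed the invoice can do, and shows an invoice created with an empty description. The sample invoices are constructed with a zeroed signature and checksum, and `build_sample` and `disclosed_description` are hypothetical names.

```python
# Added example: what a holder of a BOLT11 invoice string can read from it.
# Checksum and signature are NOT verified here; a real wallet must do both.
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # bech32 alphabet (5 bits per char)
SIG_WORDS, CHECKSUM_WORDS, TIMESTAMP_WORDS = 104, 6, 7

def to_words(data):
    """Pack bytes into zero-padded 5-bit words, as BOLT11 tagged fields do."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return [int(bits[i:i + 5], 2) for i in range(0, len(bits), 5)]

def from_words(words):
    """Unpack 5-bit words into bytes, dropping the trailing pad bits."""
    bits = "".join(f"{w:05b}" for w in words)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - len(bits) % 8, 8))

def tagged_fields(invoice):
    """Return {tag letter: 5-bit words}; a repeated tag keeps its last value."""
    hrp, _, data = invoice.lower().rpartition("1")  # last '1' is the separator
    if not hrp.startswith("ln"):
        raise ValueError("not a BOLT11 invoice")
    words = [CHARSET.index(c) for c in data]  # ValueError on a non-bech32 char
    words = words[TIMESTAMP_WORDS:-(SIG_WORDS + CHECKSUM_WORDS)]
    fields, i = {}, 0
    while i + 3 <= len(words):
        length = (words[i + 1] << 5) | words[i + 2]  # 10-bit length, in words
        fields[CHARSET[words[i]]] = words[i + 3:i + 3 + length]
        i += 3 + length
    return fields

def disclosed_description(invoice):
    """Plaintext description ('d' field) readable by anyone, or None if absent."""
    d = tagged_fields(invoice).get("d")
    return None if d is None else from_words(d).decode("utf-8", "replace")

def build_sample(description):
    """Constructed demo invoice: zero timestamp, zeroed signature and checksum."""
    d = to_words(description.encode())
    words = [0] * TIMESTAMP_WORDS + [13, len(d) >> 5, len(d) & 31] + d  # 13 = 'd'
    words += [0] * (SIG_WORDS + CHECKSUM_WORDS)
    return "lnbc1" + "".join(CHARSET[w] for w in words)

if __name__ == "__main__":
    leaky = build_sample("order 4412 for alice@example.com")  # constructed value
    print(disclosed_description(leaky))                    # the custodian's view
    print(repr(disclosed_description(build_sample(""))))   # description stripped
```

The description is only bech32-encoded, not encrypted, so the signature that protects it from tampering does nothing to hide it from whoever stores the invoice.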
Bends to travel rule
This possible violation of privacy on the Bitcoin Lightning Network comes to light after the case of cryptocurrency wallets that decided to comply with the recommendation of the International Financial Action Task Force (FATF) in order to operate in Switzerland and the Netherlands went viral.
As CriptoNoticias reported a few days ago, companies such as Trezor, BitBox and BlueWallet integrated a protocol into their products which automatically sends exchanges proof of ownership of personal wallets.
Although Trezor backed down the next day and gave up incorporating the questioned protocol (possibly driven by the harsh rejection of the bitcoiner community), other competing companies stood by the decision.
Thus, given the impact and growth of the Bitcoin Lightning Network, the contribution of the developer, whose intention is to ensure privacy above all else, is important.
There is currently enough being exploited with BOLT11 bills that we should be concerned about this. My recommendation is to eliminate the possibility of users shooting themselves in the foot. This can happen today at the application layer by stripping wallet descriptions. The lack of description support will help hinder mass surveillance capability in the Lightning space.
Armdxxi, developer of the Lightning Network.