[Lightning] Prove solvency using a HTLC?

[d5000]

As most advanced users know, Lightning Network has no "global state" as the Bitcoin blockchain has, which can be observed by external parties, as it's a private network.

Thus, it is not possible with conventional means to see a "balance" of a certain Bitcoin address, like it would be possible analyzing the blockchain (what block explorers do).

It could however be possible to create a transaction between the address owner we want to consult (A) and a verifier (B), without trust between these two parties, where A could prove to B that they have solvency of a certain amount of BTC X.

The idea is to create an HTLC between A and B, where A transfers the exact amount X to B, but B also transfers X back to A, with the same secret (preimage) and hash. If the payment goes through, A has proven to B that it has access to a certain balance.

I have found this paper on a similar subject, and the technique I'm asking about here is probably what there was described as "payment probing" (but there are no more details in the paper).

But the doubts I have is:

1) The HTLC(s) would have to be "bound" together with more than the preimage/secret. Because: What if B does't have enough balance to carry out the transaction? Wouldn't then be A transferring X, but B wouldn't transfer X back to A? If it was the other way around (B transferring X first, i.e. with shorter deadline), wouldn't A be able to scam B?
2) Does the Lightning protocol allow this kind of "fake swap"? There are no funds really moved (apart from fees).

If there is a name for this technique I would be interested in knowing it

PS: The original topic where this came up was deleted. There seems to have been a duplicate, but I couldn't find the duplicate thread. So I'm starting a new thread, a bit more "focused" on a possible solution to this issue.

[Hypnotizer]

Your idea about using Hash Time-Locked contracts(HTLC) for the proof of solvency is interesting..

1) The HTLC(s) would have to be "bound" together with more than the preimage/secret. Because: What if B does't have enough balance to carry out the transaction? Wouldn't then be A transferring X, but B wouldn't transfer X back to A? If it was the other way around (B transferring X first, i.e. with shorter deadline), wouldn't A be able to scam B?

Not sure about exploiting the system, but to ensure that both  A and B  fulfill their part, you could implement a system to bind the transactions together by  using multi signatures contracts where both A and B sign off the transaction and then they both will need each others consent to complete the transaction.
 
Also to prevent scams maybe the system having a timeout mechanism might help, I.e if the conditions aren’t fully met with a certain time, then the funds should be returned to its original owner(s).

[Donneski]

You’re thinking in the right direction but Lightning kind of pushes back on this by design.

I might be missing something but the shared preimage doesn’t bind the two payments strongly enough. If A sends first, B might not return X and if B sends first, A can just claim it. There’s no native way in LN to make both sides succeed or fail together.

Even if no one really loses money, these are still real payments, liquidity gets locked, routes are touched and fees happen. From the network’s point of view, that actually matters.

That’s why this feels closer to payment probing than an actual solvency proof. Basically, Lightning isn’t built to make balance attestations easy.

[d5000]

Not sure about exploiting the system, but to ensure that both  A and B  fulfill their part, you could implement a system to bind the transactions together by  using multi signatures contracts where both A and B sign off the transaction and then they both will need each others consent to complete the transaction.

At a first glance I thought, multisig looks good, even if the implementation would probably need protocol upgrades. But then I thought a bit more and I remembered why this probably does not help here:

Lightning works because of its potential to threaten you to punish you emptying your whole channel. But the problem is that in the attack I have in mind, the verifier (B) would not even have balance at the channel. Or have enough balance initially but then instantly, before A sends their funds, transfer the funds away. This means that A would try to close the channel to punish B, but the transaction would not go through, because the output referenced in the penalty transaction would no longer be unspent.

On the other hand, this problem must have dealt with in all Lightning-based atomic swaps too, e.g. if you do an atomic swap between Ligthning-BTC and Lightning-LTC, and these atomic swaps seem to work, so there must be a solution in my opinion. Probably a chain of transactions like in the "on-chain" variant of atomic swaps can do it.

Maybe I have only a knot in my brain and Lightning HTLCs already are constructed in a way that this kind of attack isn't possible (although this techique would be something like a "second layer HTLC based on first-layer HTLCs").

I have found the following paper on "payment probing" from 2020: https://arxiv.org/abs/2004.00333

Approximately their technique is this way:

- You consult the gossip data of LN (the data you would consult to route a payment) to see if the channel you want to check is open/active.
- You connect to both of the nodes of the channel via P2P connection
- You send a payment through this channel. I haven't understand the paper completely how you avoid to lose funds here, I assume that you pay to another node under your own control.

This means that in our example with Alice (A) who wants to prove she owns X and a verifier Bob (B), Alice could prove her balance in the following way:

- Bob connects to Alice and her channel partner,
- then he sends a payment of X from one of his nodes, B1, to another node B2, routing through Alice's channel,
- if the payment goes through, then he has proven that Alice has the payment capacity X.

The paper arguments however that the technique described exploits a vulnerability, because everybody can act like Bob and "probe" channels, and its possible that newer Lightning versions are already "fixed" and this is not longer possible. In addition Alice needs two nodes in this concept.

The technique I described in the OP, instead, would not be a vulnerability because it would only work in agreement between "prover" and "verifier" and would not prove the balance, but only a determined amount chosen by the "prover".

I might be missing something but the shared preimage doesn’t bind the two payments strongly enough. If A sends first, B might not return X and if B sends first, A can just claim it.

As long as both have enough balance on their channel the exchange should work because if one party doesn't fullfill their duty the other one can just close its own channel with the penalty transaction sighed by both, so this particular attack should not be possible.

[d5000]

The reality is that the Lightning Network is designed in such a way that it is impossible to see from the outside how much Bitcoin someone has.

I see it a bit different. Lightning depends on that you can always check if a route works, and thus there needs to be a way to check if all nodes on that routes have enough balance for the payment. And this mechanism can be used if you know not only the address of a Lightning participant, but also the node identity. So if a Lightning user is willing to trust a verifier to check its balance (and that's all what I'm searching for in this case) then that verifier shoud be able to do a payment probe through their channel. It's not very different from a "proof of solvency" in on-chain Bitcoin, where the verifier also needs the connection between identity and address(es) to check the solvency of a person. (That requires of course that this user is connected to LN via two different channels at least.)

And this can be shown to some extent, but it cannot be called a completely trustless proof. Because there is no system in Lightning that will force both sides of the payment to end together. If the liquidity of one side is a little low, the whole thing is at risk.

I haven't understood this sentence, can you elaborate? Of course if a node from/to the route on one side has no liquidity, then the proof will fail, but then the person wanting to prove their solvency would also not be able to make a payment through this route and thus not be "solvent".

Another thing is that making such payments just to show proof destroys the real liquidity of the channel and puts additional pressure on the nodes in between.

If that was a problem, it would have a relatively easy fix: the verifier could re-send the amount through the nodes "the other way around" and thus re-establish the balance and liquidity of both.

However, there seem to be probing techniques where the payment fails deliberately due to a timeout and actually no coins really move. I still have to search more info about these techniques because these would be the best way.

That is why what is often called payment probing is basically guessing, not sure proof. It cannot be said that a user really has a certain amount of BTC.

Again here: If this would not work at all then Lightning could not even route payments correctly.

[Jaksonhard]

Your idea about using Hash Time-Locked contracts(HTLC) for the proof of solvency is interesting..

1) The HTLC(s) would have to be "bound" together with more than the preimage/secret. Because: What if B does't have enough balance to carry out the transaction? Wouldn't then be A transferring X, but B wouldn't transfer X back to A? If it was the other way around (B transferring X first, i.e. with shorter deadline), wouldn't A be able to scam B?

Not sure about exploiting the system, but to ensure that both  A and B  fulfill their part, you could implement a system to bind the transactions together by  using multi signatures contracts where both A and B sign off the transaction and then they both will need each others consent to complete the transaction.
 
Also to prevent scams maybe the system having a timeout mechanism might help, I.e if the conditions aren’t fully met with a certain time, then the funds should be returned to its original owner(s).

Multi-signature contracts represent an innovative way for both participants to ensure the other participant will honor his or her end of the deal. This type of contract requires both signatories to confirm the transfer before it goes through; therefore, multi-signature contracts increase the level of security as well as the level of mutual trust between the two participants. These contracts also provide additional security due to the fact that both participants bear equal responsibility for fulfilling their obligations under the signed contract. The inclusion of a timeout clause in a multi-signature agreement helps protect against fraudulent acts or situations in which one participant refuses to fulfill a contractual obligation or delays in his or her performance under the agreement. Once the allotted time has lapsed, the standard contract provisions will automatically return any funds deposited back to the original owners. With these provisions in place, both participants will be able to conduct business with more assurance that they are all treated fairly and will have confidence in their business dealings with one another.