Thread

Using bitcoin is like shitting with the door open.

Using Bitcoin on the Lightning Network is like letting someone sit next to you while you're shitting with the door open.

I’ve made a friend that way. Point taken tho

Paying with lightning is actually pretty damn private..

@Super Testnet seems to think so!

Taking a dump can get pretty lonely sometimes.

Yep! More private than monero for a lot of reasons: - lightning invoices reveal less information than monero addresses - in lightning transactions, the sender is encrypted (unlike monero, which uses 15 unencrypted decoys and 1 unencrypted real spender, and just hopes analysts can't eliminate the decoys) - in lightning, the full amount is encrypted (unlike monero, which leaves the fee in plaintext) - in lightning, the recipient is encrypted (unlike monero, which typically leaves the recipient's address and a change address in plaintext, though it does randomize their order, which is good) - none of that data is published on a blockchain (unlike monero, where it is) Monero does some pretty good things for your privacy and I can only identify the "real" sender of a monero transaction in about 1/5 cases, and only with about 80% confidence. Chain analytics companies can do a lot better because they have off-chain data that helps them eliminate more decoys. But by comparison with lightning, monero is pretty transparent.

True but we all deserve our privacy not just in the digital realm.

Not when you consider that Lightning is custodial in nature as well as centralizing Bitcoin, meaning that LN wallets can see transactions by each other, and the fact that some people don't use aliases for their Lightning wallets isn't helping either.

Monero doesn't solve shit about fuck.

If the recipient isn't encrypted on Monero then point to any of my transactions on it's blockchain. Should be easy since my Monero address is on my profile. Lightning nodes on a route (aka third parties) can see exact amounts passing through them. Nodes on Monero can't. Combine the above with the fact that most LN payments are routed through a handful of large hubs. Work out the implications of that yourself. ~90% of Lightning users don't enjoy almost any of the privacy benefits you lay out because they're using things like Wallet of Satoshi or Strike that see everything. Monero is better UX for privacy and it's by default.

😅😅😂😂✌️

> Should be easy since my Monero address is on my profile. The ones on the blockchain aren't the same as the one in your profile. Nonetheless, it's better to (1) not publish them (2) encrypt them so that fewer people can see them. You know, like lightning does. > Lightning nodes on a route (aka third parties) can see exact amounts passing through them. Nodes on Monero can't. In both cases they get partial amount information. Monero leaves the fee unencrypted and in fact publishes it for all to see, and this is one of the tools chain analysts use to fingerprint what type of wallet you're using. Lightning does not publish the amount info, the routing nodes only get a lower bound on the amount sent; they don't know the full amount because they don't know if a multipath payment was used, and they also don't know the total fee paid because that's encrypted -- each routing node only knows how much you paid *them.* > most LN payments are routed through a handful of large hubs ...he said, with no evidence > ~90% of Lightning users don't enjoy almost any of the privacy benefits you lay out because they're using things like Wallet of Satoshi or Strike that see everything Wallet of Satoshi and Strike don't see everything. Here's two critical details they're in the dark about: (1) they don't know what address the recipient receives the money into (neither the channel nor the htlc), because lightning invoices do not tell you that. (2) They don't know if the person who looks like the recipient is really the recipient or not (it might be a trampoline payment and they have no way to tell). Not even the sender knows that. > Monero is better UX for privacy and it's by default Monero has worse privacy under its slick UX and some LN wallets have better UX anyway.

Indeed. Consent matters! lol

I have a challenge for you. lnbc10641910p1p5pr6klpp5refgj5cv3k0zajlcz8hztfz4sezcv9e7hfwkv2z99m0p2mwx64dqhp5uwcvgs5clswpfxhm7nyfjmaeysn6us0yvjdexn9yjkv3k7zjhp2scqzdyxqyjwf3sp55u5qqhs88t5e5ag0d6gvacjkhfk5l7jdxc6usewu4xy8tp7y8xss9qxpqysgq0tcz422qrphc27m6xukk4xgjaawgp5ae003805wr9g3n4jrhp3hypd5tn2qj4smrc43fcfyjwlvpms0ydcjl7wchdpy2q4rst46e6ygp2vaqna Pay this $1 lightning invoice and I will send you $1 in xmr to an xmr "public address" of your choice. We'll see which of us learns more info about where the money ends up. Are you up to the challenge?

I will tell you: - what address the monero went into - how much xmr is in that address in total You tell me: - what channel or htlc the bitcoin went into - how much btc is in that address in total Deal?

>"The ones on the blockchain aren't the same as the one in your profile" Exactly lmao. Third parties gain zero knowledge from my profile address about who I am as a reciever on the blockchain. > "...he said, with no evidence" We've already been through this before. You challenged yourself and discovered most LN wallet downloads were non-private custodial wallets (in other words a moot point in saying they are private). A smaller fraction were non-custodial wallets that relied on LSPs like ACINQ (where they have a section on their page describing how they aren't private). The incentives of Lightning drive towards these large hubs because they are more connected with less hops to your destination (less routing failures and cheaper fees). >"Wallet of Satoshi and Strike don't see everything." They see everything associated with you as a user. Your balance. The timing and amounts you receive and send. Plus they require personally identifiable information and accounts (especially Strike) Why the double standard? Just a moment ago you were critical about Monero not encrypting fee amounts and now you're making excuses for Wallet of Satoshi and Strike being able to see much more.

Why would I agree to that lol? You gave me the most difficult things to find and gave yourself what you know you can find (which I never denied, you wouldn't be a third party if you're making a transaction with me, so you can see the stealth adress you're sending to) I also have no doubt that you use Lightning privately and didn't contend that. You're Super Testnet the LN wizard. I said the average user is hanging with custodians and LSPs that can see a lot more than the best case scenario you were painting. But I will send you $1 for fun because I enjoy our frenemy discussions

The xmr ended up in this address: a77230221a6a44387c6ee10b68bfa38c476d254d6a353a0c73b6c4bbbdc1cfec The total amount of xmr in that address is: 0.003663250868 Your turn! What channel or htlc did your payment end up in? How much btc in total is in that address?

First I want to preface by saying I never denied you could give me the info you did from a Monero transaction (you're obviously not a third party if you're making a transaction with me), nor did I claim I could give you any of the info you cherrypicked for me to give you. But that being said just for fun this is what I could find from the invoice: Network: bitcoin mainnet Amount: 0.00001054 BTC Date: Wed, 30 Apr 2025 10:10:30 GMT Payment Secret: 0c92761048337708ab93e6b8b284d926e5aec53bd7d074b8973920b91f3d4874 Payment Hash: b4db7a1b19961d115b39bfdf8a17de7459f121708265f2c2273d67287372a8fb Description Hash: r59andxz6kzyrxtwv76xw32q2prawep07ydyph96gleyt7nqj29q Expiration Time: 2592000 seconds Min Final CLTV Expiry: 19 Routing Info Public Key: 02e1dad4d396696cb207a524bdf595f1a2e6792d7b990f18cef1ebd1b557bb110f Short Channel Id: 0d67030009bc0000 Fee Base Msat: 0 Fee Proportional Millimonths: 2999 CLTV Expiry Delta: 34 Feature Bits: 000010000000100100000100000000 Signature R value: d4fd6e70ad921daf2aa31dce282cbdad7177d696f1ef87c4b043229e9325e4c1 S value: 4c10f860c8ec20dab8dfef12f8fd91fd2c0c9941a102ba89b6ced2605782e8c2 Recovery Flag: 0 Signing Data: 6c6e626331303534306e0d023ee2d00d03249d84120cddc22ae4f9ae2ca13649b96bb14ef5f41d2e25ce482e47cf521d0021a5a6dbd0d8ccb0e88ad9cdfefc50bef3a2cf890b84132f961139eb39439b9547d85c341d0bd9b4c2d58441996e67b46745405047d7642ff11a40dcba47f245fa60928a0300a278d00c003318a405c3b5a9a72cd2d9640f4a497beb2be345ccf25af7321e319de3d7a36aaf76221e1ace060013780000000000000000176e0044140608090400 Checksum: q7zqwk

Great info! The most interesting part to me is the routing info. The first hop in your path was a node whose pubkey is 02e1...110f. This belongs to a nostr user whose handle is UNITEDPLOW:

npub17y4ykazexey6mhyk33lxapycpfsmcwxpwjfw8cxw739g2r5c39hsrmudwx

unitedplow

02e1dad4d396696cb207a524bdf595f1a2e6792d7b990f18cef1ebd1b557bb110f

You even got his short channel id, which you can use to find your channel with him on the blockchain. Fortunately for me, onion routing (and recipient encryption) led you to a dead end! My money is not in his channel. He's just a routing node. You know *a* channel -- one you created (or a custodian created it, if you're using a custodian) -- just not the one with my money in it. The rest of your routing info doesn't tell you much about what happened next. Does UnitedPlow have a direct channel to me? Maybe! Did it go through five more hops? Maybe! Was he a trampoline node, a decoy this whole time? Maybe! You'll never know where the money ended up because lightning hides that info from the sender through multiple indecipherable layers of encryption. Unlike monero, which told me in plaintext. Lightning "receiver privacy" is simply designed better.

THIS IS THE FUCKING CONTENT WE CAME HERE FOR. 🤙 @npub14a6q...z6rn

"Lightning "receiver privacy" is simply designed better." For the 5% who use it correctly, like you, sure you can make that argument (though there is a lot of nuance in each ones privacy as a whole and how it's used realistically) Most users that would otherwise be fully exposed to wallets like WoS and Strike are better off using Monero or even ecash (if they accept the rug risk)

What do you think about wallets like phoenix and Zeus? Do they have better or worse privacy protection in standard settings than monero?

Lightning Network is more private than Monero.

Yes it did, that why we use it. And yes, I do use for donations and buying real stuff since years. Not my fault you yourself don't use crypto on the real world and then think we are the same.

He's wrong about unencrypted receiver (or meant something else) but LN nodes only see MINIMUM amount, not total amount because of multi paths. And funnily enough, large nodes provide better privacy if they are honest. So if you use several large hubs and at least one of them is honest it's pretty good. (But there are some issues being worked on.) Also ~90% Monero users use Coinomi or similar wallets that scan their entire wallets so you have the same problem with the difference that people don't talk as much about it.

>"...LN nodes only see MINIMUM amount, not total amount because of multi paths" Multi path payments is optional for every wallet I've tried that even has it available (same with things for wrapped invoices/blinded paths/bolt12). That's the problem when these things aren't default very few will use them. "...And funnily enough, large nodes provide better privacy if they are honest." The whole point is not requiring trusted third parties to insure your privacy. Otherwise it's just offering the same privacy of a traditional bank. The last part is not true. All the popular Monero wallets are non-custodial (GUI/CLI, Cake, Monerujo, Stack, Feather) and don't have your viewkeys. That's why you have to spend time syncing your wallet every time you open it. I've never seen anyone even mention the word Coinomi much less recommend them.

Zeus is probably my favorite LN wallet for sure. It has a lot of privacy features other LN wallets like Phoenix lack.

> He's wrong about unencrypted receiver (or meant something else) I meant what I said: monero does not encrypt the receiver. If it did, monero devs could tell me what encryption standard they use (in lightning, we use the Sphinx encryption standard specified in bolt4) and they could point me to the code where the recipient's key gets encrypted (in lightning, that code is here:

GitHub

lnd/htlcswitch/hop/iterator.go at b068d79dfbd2f583d890fd605953d0d4fb897a27 · lightningnetwork/lnd

Lightning Network Daemon ⚡️. Contribute to lightningnetwork/lnd development by creating an account on GitHub.

) Monero does not encrypt the recipient's public key -- it gets published in plaintext on the blockchain -- so the protocol does not specify any encryption standard for that and there is nothing in the codebase where it gets encrypted.

Maybe technically it's more like hashing? Regardless, the practical effect is the same since it's a string of indecipherable and seemingly random characters that are seen once and never again. Third parties can't link a stealth address to a public address off-chain or to any other stealth address.

Alby is self custodial

Oh i see the year....2023. a lot has changed since then.

I like Zeus for sure, but I've found it too complicated for onboarding newbs. For me it's like a "power user lite" wallet

Working on it! A lot of focus on entry level users is going into v1.0. The idea is to be able to start the user off with a simple to use wallet and level them up as they go.

I love the idea, UX and on boarding must be top notch to have a chance of more adoption but you should never give up on the advanced features that make Zeus the best. Including educational content with gamification like achievement that bring you to try more advanced features step by step while getting educated about Bitcoin self-custody.

Alright, that's true. But it's not a good argument against Monero privacy because the link between UTXO and the receiver is still hidden from third parties and the link between receiver and his subsequent receiver is also hidden from the sender. The link between sender's sender and the sender is somewhat obscured, as you said with probability 1/15. I do agree that LN has better privacy than Monero, but using bad arguments doesn't help anyone.

It's diffie-helman which does involve hashing but only as a layer of protection and the most significant thing doing the unlinking is the diffie-helman computation.

I need an updated versions of this chart. Idk if anything has changed tho.

It doesn't matter that it's optional. The node in the middle doesn't know if it's turned on or not, so it cannot know if it sees the full amount or not. Monero also requires trusting that the other 14 keys are not held by the same entity or cooperate to deanon you. This is true for any privacy system and impossible to avoid. 14 is arguably higher than the usual length of payment path in LN, so I'll give you that but it's stilk not infinite and making LN path 14 nodes long is still possible. You might be in a different social bubble, I've seen many people use Coinomi and recommend it. But that was a long time ago, maybe it has changed. A significant problem with Monero is that it requires scanning whole chain, which will get expensive as more users come, pushing people to send view keys to scanning services. Compared to that, you only need block filters to scan bitcoin and then just handle the channel. The irony of Monero is that the more people use it the more some privacy breaks and other improves.

Zeus has point of sale functionality as well, that’s a nice touch.

Excellent analysis 🙃

Btc not crypto

If a node guessed it was the full amount passing thru it would be right most of the time. If many transactions are passing through large hubs (because they are well connected and require less hops to the destination = more likely to succeed and cheaper) an adversary could collect quite a lot of info on the network. But sure it existing gives some plausible deniability. If it was made default that would be even better. >"Monero also requires trusting that the other 14 keys are not held by the same entity or cooperate to deanon you." You mean 15 decoys? That only applies to senders and every spend exponentially decreases the likelihood of being denon'd. Also, you don't have to trust others not being the same entity/colluding for reciever or amount privacy on Monero (both technically possible with LN if the nodes on your routes are colluding, but very unlikely) >"This is true for any privacy system and impossible to avoid." It's not true. Cryptographic accumulators are not really affected by the problem you describe because you're proving you're one of the global set of all transactions instead of a tiny subset - which is what will FCMP be. I've been around many different Monero communities/forums/groups for years and I've never heard Coinomi before. Not sure who recommended it to you but that is not the norm at all. It's usually Cake, Monerujo, Feather, or the GUI/CLI. Yes, scanning can be annoying, but that is what guarantees no one but you can see your transactions (any proper LN privacy wallet, like Zeus, also requires scanning). If you use it somewhat often it's not really a big deal. Wallets with periodic background scanning make this a non-problem. You are always caught up (or very close). You should check it out on Cakes new update. It's very new so I'm sure in time more wallets will adopt it. The only Monero wallet left that holds users viewkeys to eliminate sync time, at the cost of some privacy, is Exodus I believe. There used to be another one MyMonero but it's been defunct for quite a long time. Block filters only help privacy when querying, not when broadcasting a transaction. Not sure what you meant by the last part. Generally more people using something means a larger anonymity set. I've grown to appreciate Lightning more, but there are a lot of nuances to both. We could talk about them forever.

Yea we need an updated chart

> Multi path payments is optional for every wallet I've tried that even has it available Which wallets have you tried? It's built into LND and turned on by default. So any wallets based on LND should just do it. E.g. most custodial wallets as well as most nodes-in-a-box (Umbrel, Start9, etc.), plus many mobile phones like Breez, Zeus, Blixt, Bitkit, and ShockWallet. Multipath payments are also turned on in electrum by default and I suspect they are turned on in the other implementations by default too

I checked the Core Lightning github and multipath payments are "on" by default there too. See, for example, this issue:

GitHub

MPP pay splits into too many subpayments · Issue #3926 · ElementsProject/lightning

I have an outbound channel with an BTC to Lightning exchange worth 2.000.000 satoshi, with enough capacity. I try to swap my 2.000.000 satoshi for ...

It involved an error report where a user encountered this entry too many times in their error logs: "Detected large payment, splitting into 100 sub-payments" I checked the Eclair github too and multipath payments are "on" by default whenever trampoline routing is used (which is the case in Phoenix, which always uses Acinq as a trampoline node)

GitHub

eclair/eclair-core/src/main/scala/fr/acinq/eclair/payment/send/TrampolinePaymentLifecycle.scala at 826284cb277c28c7eef14aa275f3d6e3255c8e66 · ACINQ/eclair

A scala implementation of the Lightning Network. Contribute to ACINQ/eclair development by creating an account on GitHub.

Thanks for the info. Appreciate you bringing the receipts. I mostly use Zeus now when I use Lightning (which isnt very often), and Atomic Multi Path is optional on it. I just realized I was confusing AMP with MPP. They do similar things but seems like AMP is an improvement over MPP. I haven't checked other LN wallets in quite awhile. Good to be proven wrong and see MPP is on by default more than I previously thought 🔥

IIRC MPPs are quite frequent for a while. But TBH I never looked into it closely. Yes, I mean decoys. You do have to trust them. The only difference is what number of interactions you need to have sufficient confidence that there is a sufficient number of honest participants. Even with accumulators you're still trusting. The only difference is that the parameter becomes all users which is really good and efficient but effectively homomorphic with just using everything as decoy or using every single LN node in path. As long as you believe that for some number of participants it's safe enough it's OK. I heard Coinomi suggested to newbies because it had a bunch of other shitcoins as well as btc. LN doesn't require scanning comparable with Monero. It only requires block filters which are comparatively smaller and only for channel states, not for every transaction. That's orders of magnitude difference. In LN broadcast privacy is only an issue for initiators and only if they don't use Tor, which is trivial to enable these days. More people increase anonset but make scanning more expensive pushing people towards revealing their view keys to third parties. There are also obscure probabilistic attacks that are only possible because anonset is high. But once FCMP is no longer vaporware they indeed cease to exist.

Yes, Super Testnet corrected me on the MPP thing earlier. Sure, I agree, but decoys only apply to the sender. Receivers are always the anon set of every Monero user since they are only ever seen once on the blockchain as a receiver (effectively ZK). I think you're technically right about the accumulator thing now that I think about it...if you're the only one using the accumulator, and the rest are colluding adversaries, they would know when it's you. But once you have a handful of honest users you cant be picked out among them. So much better like you said. Maybe you're right about the LN scanning. It always just felt to me that it took about the same time to sync Zeus compared to my Monero wallet. Maybe I use it more than the average user so don't usually have to wait long. But even so background sync basically eliminates this issue. Not sure why you think the view keys thing is popular. None but maybe two wallets support giving your view keys up to a third party, they're not popular, and it is pretty frowned upon by the Monero community. I've never seen anyone recommend them. If you really wanted to eliminate sync times, without giving up your view keys to a third party, you could connect to your own LWS or, more realistic for most, simply use Cake and enable background sync. Huge UX upgrade.