Trust Model Trade Offs
This guide has been developed as a community project and is a live document. We would advise you to fully consider your own risk model and mitigations before running Fedimint. We also appreciate any feedback you may have and you can submit edits, corrections and pull requests through the link at the bottom of each page.
The Fedimint protocol is an optional opensource protocol which can be utilized alongside bitcoin and the lightning network.
The protocol makes a number of trade offs in order to provide benefits including Financial Privacy, Community Custody and Transnational Scaling.
These trade offs are largely based on the trust assumptions in the system which is explored below and detailed over the coming pages.
These trust assumptions are:
- Custody: The user must trust the Federation Guardians with custody of their funds which introduces custodial risk.
- LN Pay: The user must trust "1 of n" Lightning Gateways to pay lightning invoices outside of the mint.
- LN Receive: The user must trust "1 of n" Lightning Gateways to receive lightning payments into the mint.
- Tx Execution: The user must trust a quorum of Federation Guardians to process transactions (deposit, redeem, swap, contract enforcement).
On the flip side the user benefits from the following positive attributes:
- Blind Balance: The guardians cannot see a users balance.
- Blind Transactions: The guardians cannot tell which parties are part of a transaction.
- Unattended LN deposits: A user of a fedimint can receive payment on the lightning network without needing to be online.
- Simplified use: Using the Bitcoin and Lightning network is made simpler due to the operation of the Bitcoin and Lightning nodes being outsourced to the federation of LN gateways.
Fedimint is a voluntary system which individuals can use in part or fully for their bitcoin custody. We hope that an honest accounting of the trade offs will help individuals make better decisions for their risk profiles.
The Risks
The trade offs in the trust model have been captured as five key risks as outlined below1 and explored in more detail on the following pages.
- Custodial Risk: Can the federation steal or lose your funds.
- Debasement Risk: Can the federation issue more claims to bitcoin than they own.
- Regulatory Risk: Can the federation be unilaterally shut down or forced to cease operations.
- LN Gateway Censorship Risk: What are the risks in LN gateways refusing service to mint users.
- Transaction Censorship Risk: In what instance could a federation refuse service.
- This is under constant revision, please raise further trade offs for consideration.↩