UX guidance for LN channel reserve #659
Comments
GBKS
added
Copy
|
Here's an article that includes an explainer on what the reserve is. |
|
I'd like to contribute to this one as well. |
|
This is a proposal for issue #659 to add information about UX Guidance for LN channel reserve; WHAT IS A CHANNEL RESERVE? The bitcoin protocol suggests that it is always important to keep some reserve. This is often called the channel reserve, it is an amount that will be held in a channel. As an example; For users we can imagine that they would now question why when they put 100k sats into a channel that only 98k sats would then be available for them to use. WHY DO WE HAVE A CHANNEL RESERVE? A channel reserve works as a type of insurance against theft. If a peer tries to cheat in a channel then the other party can submit a penalty transaction. This transaction will then take away all the funds from the other users channel. Having the channel reserve in place that there are funds available to take away should this occur. AFFECT OF CHANNEL RESERVE ON USERS: If a user funds a channel and they are unable to spend the full amount they have put into the channel this can be confusing to them. From a UX standpoint we would need to consider the following:
Below are some suggested screen states as to how this can be done: (to be added) |
|
Some context to what a channel reserve is to anyone reading, from BOLT 2:
When regularly opening channels with random nodes, having a reserve is important. Routing nodes do this often, mobile lite nodes do not. Mobile nodes usually only open channels with the LSP that their wallet uses. Mobile nodes usually only have a single peer (the LSP) who is known to them. When using an LSP, incentives (or their is trust) are often aligned between them and the user. This changes the trust-model and makes things like having a channel reserve less important for mobile nodes. Channel reserves are something that only non-mobile node operating users should have to deal with. They add a lot of UX issues for mobile node end users who just want to make payments and mostly aren't necessary when using a Lightning Service Provider (LSP) trust-model. Zero-reserve mobile node channels can be classified as a lightning service, something offered by a LSP. This service has been used in Phoenix since 2019. This isn't proof it's secure, but it most likely is isn't a protocol breaking change. When zero-reserve is used the LSP should still use a reserve as Phoenix / ACINQ does so they have something at stake. This is an asymmetrical incentive in favor of the mobile node user but other aspects of this setup explained below balance this out. There are obvious UX improvement of having end users use zero-reserve. Not being able to spend your full balance will confuse a lot of users and having to explain why to users is a big mental burden for someone who just wants to simply make payments. However, this comes with some asymmetrical trade-offs, some in favor of the LSP, some in favor of the mobile node. I've attempted to address these trade-offs in my questions below. Be sure to read this article for a deeper dive on the trade-offs around using zero-reserve. Couldn't the mobile node easily cheat the LSP without anything at stake? LSP nodes are often highly monitored / managed meaning it is very unlikely a mobile node would be successful in cheating the LSP by broadcasting an old state. LSPs could also use third-party watchtowers (they likely do) for further protection from cheating attempts. Mobile nodes still have to pay for the channel opening, and sometimes an additional LSP service fee on top, so an attack of this kind isn't completely zero-stakes. The 1% reserve isn't a huge deterrent from cheating anyways imo - but this is a protocol dev discussion out of the scope of this issue. Mobile nodes benefit from the services offered by the LSP which would also deter cheating as they have an incentive to keep using the services. For these reasons, this is unlikely. What about the LSP cheating the mobile node user? This is more likely to occur than the mobile node cheating the the LSP - but is also unlikely. Mobile nodes are customers to LSPs so cheating them is not in their interest. LSPs earn fees from offering services / routing payments for mobile nodes. Their long term acquisition is most likely more profitable than exit scamming users which would likely forever ruin their reputation / kill their business model. This would also likely kill their routing node as network peers wouldn't want to support a dishonest node. Shutting down a routing node / re-allocating all that capital is expensive. Users should have the option to use third-party (not the LSP) watchtowers as well as have some kind of in-built push notification system prompting the user to check their app / look for old channel states being broadcast. What if a user manually opens a channel? This should be an 'advanced' option for any bitcoin lightning payments app, users should not be locked into using an LSP! When manually opening a channel a local channel reserve should be used in this situation. For this scenario, this should be explained to the user as @Mogashni has pointed out above. Side note: With Zeus, we are working on a mobile node (late 2022) using an LSP. Manual channel opens will only be for users who run their own node - which you can connect as a separate profile alongside your mobile node LSP payments profile. Mobile nodes using LSPs, combined with opening channels in the same UI results in a messy UX (I've tried to combine the two). Manually opening channels should only be done if you run your own always on node. Mobile nodes are not always online and peers will likely close your channels. Using autopilot doesn't solve this. Just my 2c on this. How should content be added around this in the guide?
|
|
@Mogashni thanks so much for taking this issue on! I left some comments on your Google Doc. I'll summarize here. In general, I agree with the notion that perhaps channel reserve is not necessary for nodes running on mobile devices. The tl;dr is that a channel reserve by itself will not protect that mobile node, so it needs a watchtower. Thus, the better UX might be to simply rely on the watchtower for protection. We're not at that glorious future yet where powerful, easy-to-use watchtowers are a dime-a-dozen, but I think that's likely the best approach. Having said that, we should include this information on how to communicate channel reserve in situations where it must be communicated. I think some visuals will help explain this a lot. |
|
@sbddesign @Bosch-0 @GBKS Really appreciate your comments around the UX guidance explanation. I've updated the google doc and tried to incorporate as much of your comments as possible. https://docs.google.com/document/d/1gyMGtWqXS3NvxKAYUeMmd7NHhDRVnlKBz7EK3RZRWzs/edit?usp=sharing What I still need to do:
The UX opportunites could be during;
|
|
Updated the explanation based on the paragraph provided by Bosch. UI designs will be finished soon. WHAT IS A CHANNEL RESERVE? Lets say a user opens a channel and puts in 100k sats. When they then want to make payments, they will then only have access to X - Y; (the amount they added to the channel) - (1% minimum of the total channel value). CHANNEL RESERVE AMOUNT WHY DO WE HAVE A CHANNEL RESERVE? MOBILE NODES AND NON-MOBILE NODES AFFECT OF CHANNEL RESERVE ON USERS:
There are however other, much more fool-proof ways to prevent theft such as ;
|
|
Awesome! This is looking good Mo, few comments!
It's speced in BOLT 2 but it's not mandatory across the board - lightning protocol stuff is messy atm 😆 These things also become flexible when dealing with LSPs on a peer, rather than, network level.
A note on this section, which you did mention lower down but wanted to add some detail, is that this 1% is dynamically adjusted over the channels lifespan. So if this 200k sats channel receives 50,000 sats this reserve will adjust to 2,500. This adds further complexity for users as it will look like they are constantly losing sats. Compound this with if the user has lots of channels this dynamic adjusting will be all the over place. Also you have a channel capacity which is both sides of the parties combined. Both sides independent have a channel reserve. So if my side is 200,000 sats mine will be 2,000, other parties is 100,000 sats they will have 1,000 reserve for a total channel wide reserve capacity of 3,000. I included a small mock-up below of a toggle that could be used for showing channel reserve / actual spendable balance. This design is mostly focused on pending on-chain transactions atm though, some added detail would be needed to account for channel reserve nuances (as the available balance will never not be higher, increase with new channels, and dynamically change as mentioned above).
|
Bosch-0
added
Daily spending wallet
|
Updated Figma file on UI opportunities for the channel reserve: Updated google doc: |
|
Left feedback on Google Drive and Figma. |
|
Sharing an exploration from a while back. The idea was to have a dedicated screen to let the user quickly see what fees and their current limits are. Added a "minimum balance" which would be the channel reserve. I miss something like this from Muun, which has no way to learn about fees. The third screen shows how some of this info could be shown in context and only when needed. Will be important to identify those points to keep the overall experience simple.
|
|
Almost there! The figma file has been updated and simplified alot based on the amazing feedback from you guys. Any other feedback is most welcomed. |
|
Updated Google doc, perhaps to be added at the bottom of Stephens liquidity page; |
I searched the guide for "reserve" and came up empty. The guide should provide UX guidance for when and how to describe LN channel reserves to users. Users might fund a channel/wallet with X but then only be able to spend X-R where R is the reserve. This can be very confusing for users.
The text was updated successfully, but these errors were encountered: