This is the most under-discussed footgun in Lightning. If you ever run your own LN node, you must understand it. Even with Gopnik's managed-provider model, knowing how the underlying protocol works lets you read provider terms intelligently.
The cheat scenario
Lightning channels work on consensus between two parties: at any moment, the channel has a "current state" reflecting the latest balance split, signed by both sides. If either party tries to close the channel by broadcasting an old state — one in which they had more sats than they actually do now — the protocol allows the counterparty to broadcast a "justice transaction" within a time window (typically 144 blocks ≈ 1 day) and seize the entire channel balance as punishment.
That's the cryptography. The catch: the punishment only works if someone is watching.
Watchtowers
A watchtower is a third-party (or your own backup node) that watches the Bitcoin chain for cheating broadcasts and submits the justice transaction on your behalf if you're offline.
Without a watchtower:
- Your counterparty broadcasts an old state when you're asleep
- The 144-block challenge window expires
- The counterparty walks away with your sats
With a watchtower:
- The watchtower spots the bad broadcast
- It submits the justice tx with your pre-signed payload
- Your counterparty loses everything in the channel — and you get the punishment payout
This is why Lightning is sometimes described as "online wallet." Self-custodial Lightning requires either:
- 24/7 uptime (your node never misses a cheat)
- A trusted watchtower service watching for you
What Gopnik's managed model means for this
Because Gopnik delegates channel keys to a managed provider, the provider runs the watchtower for you. Specifically:
- The provider watches for cheats against the channels they manage
- They submit justice transactions on your behalf (in their own self-interest — they don't want their channels drained)
- You don't run a watchtower
The remaining risk: if the provider itself fails (bankruptcy, key compromise, deliberate exit-scam), you lose the channels they managed. This is why Gopnik recommends:
- Keep Lightning balance ≤ €500 (or whatever you'd accept losing in an extreme event)
- Drain large balances to your on-chain BIP-84 address regularly
- Treat Lightning as "spending money" — not savings
Force-close vs. mutual close
Two ways a channel ends:
Mutual close: both parties cooperate, sign a closing transaction, broadcast. One on-chain tx, fast (5-10 minutes), no challenge window. This is the normal case.
Force close: one party broadcasts unilaterally. The other party (or the watchtower) has the challenge window to dispute. Slower (the challenge window must expire), more expensive (force-close fee is higher), and signals a problem.
If the wallet ever shows a force-close in your action log, investigate immediately. Either the provider had an outage and force-closed defensively, or something genuinely went wrong.
What you commit to
- Lightning channels are watched by Gopnik's provider on your behalf
- You don't need to run a watchtower — the provider does
- The remaining custody risk is the provider's failure, bounded by your channel balance
- Keep LN balance low; settle to on-chain regularly
- Force-close events are not normal; they indicate a problem worth a support ticket
The next lesson covers a very different Bitcoin-native primitive: RGB, the protocol for tokens issued on Bitcoin without smart contracts.