TL;DR

"Non-custodial" is not a security model on Lightning. Because signing must be online, the real question is: what happens when the node is compromised? Most Lightning wallets are online (hot) wallets. This is fine for spending balances, but the risk scales fast as funds grow. Level 3 (hardened environments) reduces the probability of compromise. Level 4 (VLS) reduces the blast radius by enforcing policy outside the node, so even a compromised node cannot steal funds. If you are a developer, operator, or service holding meaningful Lightning balances, this distinction matters.

Security Spectrum at a glance

A useful distinction

  • Level 3: make node compromise less likely.
  • Level 4: make node compromise survivable (node cannot steal outside policy).

Ask your wallet or provider

  • If the node is compromised, can it obtain signatures to steal funds?
  • Is signing policy enforced outside the node, by a separate component?
  • What is the worst-case loss, and what stops the bleeding?
  • Check your wallet

If the signer itself is compromised, it's game over. The goal is to make that much harder than compromising a node.

A Promise and Problem of Lightning

You researched and chose a non-custodial Lightning wallet because you believe in "not your keys, not your coins." You carefully secured your seed phrase. You hold your own keys.

Then one morning, you wake up to find your channels have been closed. Your sats have been sent to addresses you don't recognize. The logs show your node approved everything. Your bitcoin is gone. Your Lightning wallet just rugged you.

Lightning promised Bitcoin's secure and self-sovereign principles for instant payments. But something went wrong.

Non-custodial isn't a security model

On Bitcoin L1, non-custodial pairs cleanly with security: private keys stay in cold storage and only sign when you choose. Lightning changes the constraints. Payments, HTLCs, and channel updates are time-sensitive, so signing keys must be online, on your phone, a server, or somewhere in between. On Lightning, “I hold the keys” does not automatically mean “my funds are safe”:

  • Non-custodial still matters. It means a provider cannot simply move funds at will.
  • But non-custodial alone is not enough. Because signing is online, you need a compromise model. Assume an attacker controls your node: what stops them from getting signatures to steal funds?

What matters is this:

If your Lightning node is compromised, what can the attacker do?

Let's map common Lightning setups and find out.

The Lightning Security Spectrum

This spectrum is ordered by a simple test: how hard is it for an attacker to steal funds?

As you move up the spectrum, you generally trade simplicity for a smaller attack surface and stronger guarantees under compromise.

-1

Blind signing (anti-pattern)

What it is:
A signer separated from the node, but it approves requests without independently validating safety.
What happens under compromise:
If the node (or anything that can influence it) is compromised, it can trick the signer into authorizing harmful actions.
Why it is bad:
It is more complicated than a standard hot wallet and less safe because you now have two attack surfaces (node and signer), instead of only 1.
Examples:
None in mainstream products today. Included as a warning for builders: DO NOT BUILD THIS.
1

Custodial hot wallet

What it is:
A provider controls keys and runs the node on your behalf.
What happens under compromise:
A provider breach or insider can move user funds.
Tradeoff:
Best UX, least user responsibility, highest trust and business liability.
Best for:
Small balances and onboarding.
Examples:
Cash App, Strike, River
2

Non-custodial hot wallet

What it is:
You hold keys, but keys are online in the environment that runs your Lightning node and wallet.
What happens under compromise:
If the node is compromised, funds can be stolen.
Tradeoff:
Self-sovereign, but security depends heavily on how safe your node environment is.
Best for:
Spending balances.
Local vs hosted nuance: a non-custodial hot wallet can live on a user device (local) or a server run by a team (hosted). Hosted is not automatically safer or riskier. It can reduce user error and improve operational hygiene for disciplined teams, but it often increases remote attack surface and concentrates risk in infrastructure access controls.
3

Hardened node environment (secure enclave / HSM-like)

What it is:
A standard Lightning node model, but running inside a hardened environment (secure enclaves, HSMs, attestation-driven secret delivery).
What it improves:
Makes “server compromise” and “admin access” less likely to turn into key extraction, by isolating sensitive memory and tightening how secrets are provisioned.
What happens under compromise:
If an attacker manages to execute malicious logic inside the node (for example via a node software vulnerability or a compromised update path), the node will authorize theft. Hardening reduces likelihood but doesn't contain the blast radius.
Tradeoff:
Often expensive. Requires specialized infrastructure, tooling, and operational ceremony (attestation, secret injection, controlled deployments). Even world-class operators describe this as a multi-year effort to reach an acceptable tradeoff.
Best for:
High-volume operators who (a) cannot change architecture yet and (b) have a dedicated security and ops budget. A reasonable "step up" from plain hot wallets, but not the endgame if you want strong guarantees.
4

VLS (validating signer)

What it is:
A separated signer that validates requests and enforces policy before signing.
What it improves:
Changes the failure mode: a compromised node will not be able to steal funds outside policy.
What happens under compromise:
Node compromise is contained. The signer becomes the critical security boundary.
Tradeoff:
Requires upfront integration and ongoing maintenance, in exchange for much stronger security guarantees.
Best for:
Balances you care about, especially in hosted or service environments.
5

VLS + threshold multisig signer (future)

What it is:
Require M-of-N approvals for Lightning signing (example: 3-of-5).
Status:
Not a standard Lightning model today, but a plausible direction if there is demand.
Tradeoff:
Highest assurance, highest complexity (and likely more operational overhead).
Best for:
Treasury-like Lightning balances where multi-party control is worth the friction.
Examples:
None yet, but there is growing interest 👀
Demand signal: Some operators want Lightning signing to match internal treasury controls like multi-approver governance. Flowrate recently approached the VLS project interested in a threshold approval model for customer funds. This is exploratory, and there is no standard production “Lightning multisig signer” architecture today.
Expanding brain meme showing the Lightning security spectrum from custodial hot wallet to multisig Lightning with VLS

How to choose the right level

Lightning security has two knobs: probability of compromise (how likely someone breaks in) and blast radius (how much can be lost if they do).

A practical way to choose is: how much could you lose before this becomes a real problem?

Keep smaller balances in simpler models. As balances become serious or business-critical, invest in designs that reduce worst-case loss, not just the chance of an incident.

Security is a product decision. The right level depends on how much you are protecting, your risk tolerance, and what failure modes you can tolerate.

Hardened Node Environments (Secure Enclaves / HSM-like)

Level 3 is a common instinct: if the node environment is the risk, harden it. Stronger isolation, tighter access controls, and hardware-backed protections can reduce the chance that “server compromise” becomes “keys stolen.”

This can meaningfully raise the bar, especially for operators with mature security and deployment practices. But it’s still a hot, online system, so your worst case is still: what will a compromised node sign?

Here is what Level 3 looks like in practice:

Real-world example: ACINQ's "Securing a $100M Lightning node." They run their node inside AWS Nitro Enclaves (isolation + attestation) with Ledger-based human approval for sensitive operations like deployments. This reduces operator and server-access risk meaningfully.

ACINQ also highlights why this is not "done" security:

  • Enclaves do not make dependencies trusted. The application must still verify it is talking to the right services.
  • You still have an online, hot node. A serious node software vulnerability can still abuse signing authority.
  • It is operationally heavy. High-complexity security engineering with real operational burden.

Real Incidents and Disclosed Vulnerabilities

These are real Lightning-related incidents (and one disclosed theft-capable vulnerability) where loss can occur without “breaking Lightning cryptography.” The common theme is simple: if an attacker can influence what gets signed they can steal funds.

LNBank (BTCPay Server plugin): concurrent-withdraw race drained ~4.07 BTC

A race condition in LNBank’s balance enforcement allowed an attacker to trigger many concurrent withdrawals before the database reflected prior debits, draining Lightning liquidity via outgoing payments.

  • Spectrum fit: Level 2 for the operator. Note: LNBank itself is a custodial layer (level 1) for users.
  • Impact: 407,361,805 sats reported drained (~4.07 BTC).
  • Root cause: balance checks could use stale state under concurrency.
  • Why it matters: “The node approved everything” can be true even without key extraction.

Sources: victim report, maintainer recap

More details
  • Mechanics: attacker submits many parallel withdrawal/payment requests, slipping between “request accepted” and “DB updated.”
  • Observed behavior: rapid sequence of outgoing Lightning payments draining outbound liquidity.
  • Response: fix release shipped shortly after reports; public recap posted.

LNbits: malicious routing fees reportedly drained >0.1 BTC

A public report (in an LNbits GitHub issue) described attackers draining an LNbits-backed wallet by forcing withdrawals to route through a node charging extreme fees. Without tight per-payment fee ceilings, the wallet can burn funds as routing fees.

  • Spectrum fit: Level 1–2 (hot wallet logic plus fee policy gap, depends on how LNbits is deployed).
  • Impact: the report claims “together more than 0.1 BTC” drained.
  • Root cause: missing or ineffective per-payment fee limit and “amount + fee” guardrails.
  • Why it matters: on Lightning, fees are value. Fee ceilings are part of your security boundary.

Source: LNbits issue report

More details
  • Mechanics: attacker influences routing so the only viable path includes an attacker-controlled node charging extreme fees.
  • Outcome: payment succeeds, but a large share of the wallet balance is paid out as routing fees.
  • Response: reported publicly and later closed (fix and deployment details vary).

LND “Replacement Stalling” (disclosed theft-capable vulnerability)

A disclosed LND vulnerability (“replacement stalling”) describes a theft-capable condition involving force-close sweeping and replacement behavior, with a recommended upgrade path.

  • Spectrum fit: Level 2–3 (hot node operators; infrastructure hardening does not remove this class of risk).
  • Impact: theft-capable vulnerability (public disclosures do not always include confirmed loss totals).
  • Root cause: implementation-level failure mode at the on-chain sweeping edge.
  • Why it matters: even with strong infrastructure controls, implementation bugs can still create loss.

Source: disclosure writeup

More details
  • Who is exposed: operators running affected LND versions.
  • When it matters: adversarial conditions around force closes and on-chain claims.
  • Mitigation: upgrade to the fixed release recommended in the disclosure.

These aren’t exotic attacks. They are common software and operational failures that become drains because the compromised node is a hot wallet that has full authority to approve the theft.

VLS: A Separated Signer With Fewer Attack Vectors

VLS aims to contain compromise by changing the architecture, not just hardening the same architecture.

It does three things at once:

  1. Separation: keys and signing decisions move out of the node into a dedicated signer.
  2. Reduction: the signer does far less than a node; fewer dependencies, smaller attack surface.
  3. Enforcement: the signer validates requests against policy before signing, so a compromised node can't force harmful actions.

Instead of “I hold the keys,” the promise becomes:

Even if the node is compromised, the attacker cannot get signatures for actions that violate policy.

Examples of policies:

  • Close destinations restricted to approved addresses
  • Fee bounds and rate limits
  • Payment amount limits and velocity limits
  • “Panic button” behavior (lock down signing if something looks wrong)
  • And more

VLS in Action

Standard hot wallet

Compromised node environment: "Close channel to attacker address."
Signer: "Approved."
Result: compromise can become theft.

VLS

Compromised node: "Close channel to attacker address."
VLS: "Is this allowed by policy? Is this state valid? Are fees within bounds? If not, reject."
Result: compromise is contained by the signer.

Proof in Practice: Greenlight

Greenlight is an example of the Level 4 pattern in the wild: hosted node convenience paired with a VLS-based validating signer.

This answers the obvious objection:

“Sure, separation and validation sound great, but can it ship without destroying UX?”

Greenlight demonstrates that you can have hosted Lightning convenience without turning ‘hot server keys’ into your biggest existential risk.

How to Check Your Current Setup

Most Lightning products can tell you whether they are custodial or non-custodial. Almost none will clearly tell you what happens when something gets compromised. So here is a checklist that forces the real answers.

Question 1: “If the node environment is compromised, can an attacker steal funds?”

  • Strong answer: “Node compromise is survivable. The signer enforces policy outside the node.”
  • ⚠️ Weak answer: “Users hold keys so it’s non-custodial.”
  • Honest answer: “Yes. If the node is compromised, funds can move.” (Treat this as Level 2 or Level 3 risk.)

Question 2: “Where does signing power actually live?”

  • ⚠️ “Inside the app/node process” means you are trusting that entire environment.
  • “In a separate signer that enforces rules” is a different security boundary.

Question 3: “What concrete limits are enforced outside the node?”

  • Close destinations restricted to approved addresses
  • Payment amount limits and velocity limits
  • Fee ceilings and safe defaults
  • Emergency lock or “panic mode” that stops signing
  • ⚠️ “We have security” without enforcement details usually means “trust me, bro.”
Deep dive: More questions

Worst-case analysis, observability, insider risk, and recovery planning.

Question 4: "What is the worst-case loss if something goes wrong?"

  • A good team can answer this in one paragraph, including what stops the bleeding.
  • ⚠️ If they cannot describe the worst case, assume it is "total loss."

Question 5: "What would you expect to see in logs if an attacker tried to steal?"

  • Clear audit trail, rejected attempts logged, alerts on policy violations
  • ⚠️ "We do not know" or "it depends" means weak observability

Question 6: "What is protected against insider risk?"

  • Separation of duties, controlled deployments, restricted admin actions, human approvals for dangerous operations
  • ⚠️ One admin key that can do everything is not a security model

Question 7: "What is the recovery plan if compromise is suspected?"

  • Documented incident response, immediate lock-down steps, channel close strategy, and how keys are rotated or re-established
  • ⚠️ No written plan means you are learning during the fire

If the only reassurance you get is “it's non-custodial,” you do not have an answer to the compromise question.

Call to Action for Developers

Stop selling “non-custodial” as if it answers the hard questions. Ship explicit guarantees.

  1. Define your worst-case compromise model (and write it down).
  2. Publish what controls prevent unauthorized closes and policy violations.
  3. Document recovery, auditability, and operational safeguards.
  4. If you want hosted UX, aim for a validating-signer model where node compromise cannot steal funds outside policy.

Security is an architecture choice, not a checkbox.

The Current State: How Secure is Your Wallet?

Here's where major Lightning wallets and LSPs actually fall on the security spectrum.

Note: Classifications based on public information as of 2026-02-11. Vendors are encouraged to verify or update their status.

Filters

Security Level

Click to filter by security level. Select multiple to compare.

Additional Filters

Showing 47 of 47 products. Show wallets not currently using Lightning

Product Type Security Level Custody Keys / Node Location
Alby Wallet2: Non-custodial (hot)Non-custodial User Device
Bitkit (Synonym) Wallet2: Non-custodial (hot)Non-custodial User Device
Blockstream App Wallet4: Validating signer (VLS)Non-custodial Keys: User Device (VLS) Node: Provider
Blockstream Greenlight LSP4: Validating signer (VLS)Non-custodial Keys: User Device (VLS) Node: Provider
Blocktank (Synonym) LSP2: Non-custodial (hot)Non-custodial User Device
BlueWallet Wallet2: Non-custodial (hot)Non-custodial User Device
Breez SDK LSPNot using LightningN/A N/A
Cash App Wallet1: Custodial (hot)Custodial Custodian
Electrum Wallet2: Non-custodial (hot)Non-custodial User Device
IBEX Mercado LSP1: Custodial (hot)Custodial Custodian
Lightspark LSPNot using LightningN/A N/A
Muun WalletNot using LightningN/A N/A
Phoenix (ACINQ) Wallet2: Non-custodial (hot)Non-custodial User Device
River LSP1: Custodial (hot)Custodial Custodian
Strike Wallet1: Custodial (hot)Custodial Custodian
Voltage LSP2: Non-custodial (hot)Non-custodial Provider Cloud
Wallet of Satoshi WalletNot using LightningN/A N/A
ZEUS Wallet2: Non-custodial (hot)Non-custodial User Device
BitBox (Shift Crypto) WalletNot using LightningN/A N/A
bitmo.me WalletNot using LightningN/A N/A
Blink (Galoy) Wallet1: Custodial (hot)Custodial Custodian
Blixt Wallet Wallet2: Non-custodial (hot)Non-custodial User Device
Bringin Wallet WalletNot using LightningN/A N/A
Cake Wallet WalletNot using LightningN/A N/A
Coinos Wallet1: Custodial (hot)Custodial Custodian
Cowbolt WalletNot using LightningN/A N/A
Evomone WalletNot using LightningN/A N/A
Flash Wallet1: Custodial (hot)Custodial Custodian
Grimm App WalletNot using LightningN/A N/A
Klever Wallet WalletNot using LightningN/A N/A
LEXE LSP3: Hardened node environmentNon-custodial Intel SGX
LIGHTNINGPAY WalletNot using LightningN/A N/A
lipa WalletNot using LightningN/A N/A
Machankura (8333.mobi) Wallet1: Custodial (hot)Custodial Custodian
Mooze Labs WalletNot using LightningN/A N/A
Ordermoon WalletNot using LightningN/A N/A
PICNIC GROUPS WalletNot using LightningN/A N/A
Pouch.ph Wallet1: Custodial (hot)Custodial Custodian
Satoshi App WalletNot using LightningN/A N/A
Satsails WalletNot using LightningN/A N/A
Shakesco wallet WalletNot using LightningN/A N/A
Sorted Wallet WalletNot using LightningN/A N/A
Speed Wallet Wallet1: Custodial (hot)Custodial Custodian
Swapso WalletNot using LightningN/A N/A
Yopaki WalletNot using LightningN/A N/A
ZEBEDEE LN App1: Custodial (hot)Custodial Custodian
Zero Hash LSP1: Custodial (hot)Custodial Custodian