Casa Blog - Bitcoin Security Made Easy

This article will explain why you should never use your Casa Node’s seed phrase with another Lightning wallet, using a real example from someone who learned the hard way.

One of our customers recently reached out to us concerned that he had been hacked and had lost all of the funds on his Casa Node. Luckily, this wasn’t the case, and many of the funds may be recoverable.

We thought the lessons learned would be helpful to others, so we asked the user’s permission to write an anonymized post about what happened. This post will explain what happened and how to avoid these errors yourself.

How it happened: User perspective

The user wanted to experiment with connecting his Casa Node to a third-party mobile Lightning wallet app. When setting up that wallet, he imported his Casa Node’s seed phrase to sync the funds. The funds from the Casa Node’s Lightning wallet showed up in the third-party app, leading the user to believe the two were correctly paired. Soon after, however, he navigated back to his Casa Node dashboard and realized that funds were missing from his on-chain wallet and all his channels had been closed.

The user thought a keylogger was possibly involved, so he wiped his computer to prevent further damage—a fitting response to a potential keylogger—then reached out to us for support.

What actually happened

There were a couple of red flags to our team right off the bat:

First – the user tried using his Casa Node seed phrase with another Lightning wallet. Many people (understandably) assume that Lightning seed phrases work the same way that Bitcoin seed phrases do. However, each individual Lightning wallet uses a different set of local data to record Lightning balances. Because of this, two different wallets trying to use the same seed phrase don't know about channels that the other opened.

Using a preexisting Lightning seed phrase on a new wallet will show you the on-chain balance of funds, but channels will not transfer. That’s why we advise against loading a Lightning seed phrase into additional wallets.

Second – the third-party Lightning wallet that the user attempted to connect to supports automatic autopilot. That means that as soon as he put funds into the wallet, it began opening channels using those funds. Wallets using automatic autopilot can cause confusion and potentially scary situations if you aren’t prepared. Some Lightning wallet providers consider this a calculated risk, trading off for a smoother user experience. It’s important to know the ins and outs of each wallet you use before depositing your funds.

Recovering funds

Hindsight is 20/20, but wiping the computer definitely threw a wrench in the recovery process. When the computer was wiped, the third-party Lightning app’s Static Channel Backup (SCB) file was erased. This file is typically used to back up channel states whenever new channels are opened, and it would have allowed the user to recover any funds added to new channels.

After the seed phrase was imported, the funds from the user’s Casa Node transferred to the third-party app through only one UTXO. Because of this, autopilot was only able to open one channel at a time, leaving most of the user’s funds in his on-chain wallet (and not yet pulled into channels). Although the off-chain funds were no longer recoverable due to loss of the SCB file, the slower setup process may have bought the user enough time to recover funds not yet used by autopilot.

Lessons learned

There are two simple but very important takeaways from this example that we wanted to stress to all Lightning users:

1) Never use the same seed phrase on multiple nodes or Lightning wallets.

Lightning nodes use local data to operate, so your seed phrase, channels, SCB files, etc. are not shared among all other nodes. Because of this, a secondary node attempting to use the same seed phrase doesn’t consider where it’s getting the funds from. It will only be concerned with doing its job of establishing channels. SCB files won’t be able to save you in every situation.

2) You should also make sure you research a Lightning wallet and learn its features before sending funds to it.

Knowing what to expect will help you avoid mistakes and potential fund loss when experimenting with new technology.

If you’re a Casa Node owner, don’t hesitate to reach out to us at the first sign of trouble. We’re here to help you through any issue.

We’re grateful that this user allowed us to spread the message, and we hope it doesn’t dissuade anyone from continuing to take all Lightning apps for a test drive! New technology supporting Lightning is expanding rapidly, and we couldn’t be more excited to watch Bitcoin adoption grow because of it.

Just don't get too #reckless.

Casa Support is here to help you solve any issue.

This customer's issue was quickly addressed by using Casa's world-class support, included in every Casa membership plan.

Casa Gold members have access to expedited email support for troubleshooting and key recovery signing.

Casa Platinum and Diamond members receive direct access to a personal client advisor. Your advisor is on call 24/7 to help you through any security concern you may have—physical or cyber.

Email to speak with a client advisor and get a free demo of our 3-of-5 multisig.

Ready to experience the Lightning Network?

Get a Casa Node today! Casa Node is the easiest way to run Lightning and Bitcoin and now comes with Casa Gold:

As a Gold member, you’ll receive:

  • a Casa Node
  • Sats App on iOS or Android to connect to your Casa Node on the go!
  • 2-of-3 Basic Multisig using Keymaster on iOS or Android
  • a Trezor One hardware wallet to use with Keymaster App
  • a Casa Faraday Bag
  • Unlimited Recovery Signings
  • Direct Email Support from Casa