Skip to main content

Penalty Transaction | Bitcoin Glossary | Mapping Bitcoin

Penalty Transaction

Lightning

Also known as: justice transaction, breach remedy transaction

A transaction in the Lightning Network that allows a channel partner to claim all funds in a channel if the other party attempts to broadcast an outdated commitment transaction. The penalty mechanism, implemented via revocation keys, deters cheating.

Overview

The penalty transaction is the enforcement mechanism that keeps Lightning Network payment channels honest. In a Lightning channel, both parties hold signed commitment transactions representing the current balance. When the balance changes, the old state is revoked. If a party broadcasts a revoked state (intentionally or accidentally), the other party can use the penalty transaction to sweep all funds in the channel as punishment.

How the Penalty Mechanism Works

Normal Channel Update:

State 1: Alice=0.5, Bob=0.5  ──> Revocation key exchanged
State 2: Alice=0.3, Bob=0.7  ──> Revocation key exchanged
State 3: Alice=0.4, Bob=0.6  ──> Current state (no revocation yet)

Cheating Attempt:
┌──────────────────────────────────────────────┐
│ Bob broadcasts State 1 (revoked):            │
│ Alice=0.5, Bob=0.5                           │
│                                              │
│ Alice sees the old state on-chain and has     │
│ Bob's revocation key for State 1              │
│                                              │
│ ┌──────────────────────────────────┐          │
│ │ Alice's Penalty Transaction:     │          │
│ │ Claims ALL 1.0 BTC from channel  │          │
│ └──────────────────────────────────┘          │
│                                              │
│ Bob loses everything, not just the            │
│ amount he tried to steal                      │
└──────────────────────────────────────────────┘

Timelock Requirement

The penalty mechanism relies on a timelock in the commitment transaction structure. When Bob broadcasts a commitment transaction, his output is encumbered by a to_self_delay (typically 144 to 2016 blocks). During this delay, Alice can detect the breach and broadcast the penalty transaction. Bob's output is immediately spendable by Alice using the revocation key, while Alice's own output has no such delay.

Watchtowers

A practical challenge with penalty transactions is that the honest party must be online to detect a breach during the timelock period. Watchtowers solve this problem by monitoring the blockchain on behalf of users. If a revoked state is detected, the watchtower automatically broadcasts the penalty transaction, even if the user is offline.

Edge Cases

  • Accidental broadcast — A node that restores from an old backup might unintentionally broadcast a revoked state, triggering a penalty against itself. This is why Lightning node backups are more complex than on-chain wallet backups.
  • Proportional penalties — Some newer channel designs (like Eltoo/LN-Symmetry) propose replacing the punitive "take everything" model with a simpler mechanism where only the latest state can be enforced, eliminating the risk of catastrophic loss from accidental old-state broadcasts.

Why It Matters

The penalty mechanism transforms trust into economic incentive. Neither party needs to trust the other because cheating is economically irrational — the potential loss (all channel funds) far exceeds any possible gain from broadcasting an old favorable state.

Términos Relacionados

Lightning ChannelLightning

A two-party payment channel on the Lightning Network created by locking bitcoin in a 2-of-2 multisig on-chain transaction. Once open, the channel allows the two parties to make unlimited fast, low-cost payments between each other off-chain.

WatchtowerLightning

A service that monitors the Bitcoin blockchain on behalf of Lightning Network users to detect and respond to fraudulent channel closure attempts. If a counterparty broadcasts an old commitment transaction, the watchtower submits a penalty transaction to protect the user's funds.

Payment ChannelLightning

A two-party relationship enabling unlimited off-chain Bitcoin transfers between participants. Funds are locked on-chain in a multisig output, and balance updates are exchanged off-chain via signed commitment transactions. Only the opening and closing transactions appear on the blockchain.