What you're trusting, and what you aren't.
Trustless is a word that gets thrown around too often. Here's the honest version: some parts of this really are trustless. Other parts aren't — yet. We'd rather tell you than hope you don't notice.
The short version
The randomness
- Outcome =
SHA-256(secretA || secretB) - Both secrets committed before either is revealed
- Neither player can bias the result
- Neither can the operator
- Anyone can verify the math from the Nostr record
The escrow
- Wagers sit in the operator's LNbits node during a flip
- Operator could, in principle, refuse to pay out
- Mitigated by: public identity, cheat timer, published settlements
- Not mitigated by: cryptography (yet)
- Non-custodial upgrade is on the roadmap
The cheat timer
Once both players fund escrow, a 10-minute reveal window opens. If one side reveals and the other doesn't, the no-show forfeits — the honest player gets the full pot minus the house cut. If neither side reveals, both wagers are refunded. This means refusing to reveal a losing secret is strictly worse than revealing it: you lose the same amount, plus you can't win future flips with the same pubkey if you develop a reputation for ghosting.
Auditability
Every settled flip publishes a Nostr event signed by the COIN FLIP identity. The event contains both commits, both reveals, the computed outcome, the declared winner, the payout amount, the fee taken, and the payout preimage. That's enough to verify the whole thing with a line of Python and a copy of SHA-256:
assert sha256(sA + sideA) == commitA
assert sha256(sB + sideB) == commitB
assert winner == (sideA if sha256(sA + sB)[-1] & 1 == 0 else sideB)
If you don't trust the Nostr event, pull it from multiple relays. If the operator ever publishes conflicting events for the same flip, that's provable dishonesty and it's permanent.
The operator, on purpose
This product has a named operator. That's a feature.
Thomas Hunt — also known as Mad Bitcoins — runs 1n2.org. His face, his voice, and a decade and a half of Bitcoin media are attached to this project. If the escrow ever misbehaves, you know exactly who to shout at and exactly where to find him. A pseudonymous operator with a fresh npub would not give you that.
This is not a replacement for cryptographic guarantees. It's the bridge while we build them.
Roadmap to non-custodial
The current escrow model is the simplest thing that works. It's not the end state. The goal is to get the operator out of the custody loop entirely. Candidate paths:
- HTLC escrow. Both players fund a hash-locked contract; the commit-reveal outcome unlocks the winner's branch. Works on Lightning today with some routing pain.
- PTLCs. Point-locked contracts for cleaner multi-party unlocking when they land on mainline Lightning implementations.
- DLCs or a minimal on-chain escrow contract. Heavier, but fully trustless and auditable on the base layer.
We will ship the first viable one. Until then, the custodial step is real and disclosed here on purpose.
The house cut
3% by default, taken from the winner's payout at settle time. Every settlement record on Nostr includes the exact fee charged. The fee funds development of this project and the operator's Lightning node. It is not silently adjustable — the value used for any given flip is recorded and signed along with the outcome.
Source code
The repository will be published at github.com/1n2-org/coin-flip (placeholder until the initial release is tagged). Audit the commit-reveal implementation, the settlement publisher, the LNbits integration, and the cheat-timer logic. Open an issue if something looks off.
If you find a bug
Email thecuriobot@gmail.com. If it's a security issue, say so in the subject and we'll pause the live flips until it's patched.