Organic trust in Bitcoin Deposits:

- Does my vault operator have other vaults

- Are they roughly balanced

- Are their channel peers auditing this vault

- Are they different parties

- Is the recovery output a multisig of the auditors

- Are my invoices valid

There are three ways to steal funds in Deposits:

- an operator that colludes with their channel partner

- a recovery party that doesn't reintegrate deposits

- an operator that creates fake invoices that the client doesn't validate

Fake invoices allow theft of a single payment but reveal the operator as dishonest before the theft, so validation is important but exploitation is unlikely.

Recovery is still an open design item, so I'm glossing over it for now.

The key to Deposits is organically preventing collusion. Payments can only be claimed by both channel partners, and funds (plus security) must be assigned to the recovery output or the payment fails. Operator theft requires suspending these rules.

To avoid collusion we need consequences. Since the reward is a split of the funds, the penalty should be similar. If depositors require operators to run multiple vaults, with different peers, who are also auditors, then the theft of a vault will be detected and the operators other channels can be force closed.

This close-for-dishonesty would forfeit security deposits. If vaults are roughly balanced and security deposit ratios set appropriately, this provides the funds necessary for the recovery party to recreate the stolen vault.

Not only are depositors made whole, we have removed the incentive to steal in the first place