Decision
Non-custodial watchtowers hold the latest voucher for a registered channel and submit disputeChannel if a stale close is detected on-chain. Watchtowers cannot steal funds or worsen settlement — the voucher’s EIP-712 signature is the only authorization the contract honors.
Nodes register with 2–3 independent watchtowers via cdn/watchtower/v1 over iroh QUIC. A local in-process dispute monitor provides defense-in-depth for the node-is-online case.
Why watchtowers exist
Payment channels require a party to respond during the dispute window if a counterparty submits a stale-nonce close. If the node is offline for maintenance, a cloud outage, or is under a denial-of-service attack during the window, an honest node would lose funds without help. Watchtowers decouple dispute liveness from the node’s own uptime.
Non-custodial model
The watchtower stores a signed voucher. If a stale close is submitted, the watchtower submits disputeChannel(voucher) — the PaymentChannel contract only accepts vouchers with valid EIP-712 signatures from the channel’s counterparty. A malicious watchtower cannot:
- Forge a voucher (signature required).
- Close the channel early (close authority is the parties, not the watchtower).
- Direct funds elsewhere (settlement payout is determined by the voucher’s channel_id binding).
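The following is an added model of the non-custodial rule above; it is not the project's code. It shows a watchtower that keeps only the highest-nonce voucher per channel, disputes a close whose nonce is older than what it holds, and cannot push a tampered voucher through. The on-chain side is a small in-memory stand-in for PaymentChannel; its EIP-712/ECDSA check is replaced by an HMAC over a canonical encoding so the example runs with the standard library only. The key, channel id, balances and nonces are constructed, and the `balance` field is an assumed voucher field.

```python
"""Watchtower monitor model (added example). The contract's EIP-712 signature
check is stood in for by an HMAC so this runs offline with the stdlib."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Voucher:
    channel_id: bytes   # identifier the voucher is bound to (settlement cannot be redirected)
    nonce: int          # strictly increasing per channel; higher nonce supersedes lower
    balance: int        # assumed settlement field signed by the counterparty
    sig: bytes          # authorization over (channel_id, nonce, balance)


def voucher_digest(channel_id: bytes, nonce: int, balance: int) -> bytes:
    # Canonical encoding of the signed fields; stands in for the EIP-712 struct hash.
    return hashlib.sha256(
        channel_id + nonce.to_bytes(8, "big") + balance.to_bytes(16, "big")
    ).digest()


def sign_voucher(key: bytes, channel_id: bytes, nonce: int, balance: int) -> Voucher:
    # Only the counterparty holds `key`; the watchtower never does.
    sig = hmac.new(key, voucher_digest(channel_id, nonce, balance), hashlib.sha256).digest()
    return Voucher(channel_id, nonce, balance, sig)


def signature_valid(key: bytes, v: Voucher) -> bool:
    expected = hmac.new(key, voucher_digest(v.channel_id, v.nonce, v.balance), hashlib.sha256).digest()
    return hmac.compare_digest(expected, v.sig)


class PaymentChannelModel:
    """In-memory stand-in for the contract: accepts a dispute only with a valid
    counterparty signature and a nonce strictly newer than the closing state."""

    def __init__(self, counterparty_keys: dict[bytes, bytes]):
        self.keys = counterparty_keys            # channel_id -> verification key
        self.closing_nonce: dict[bytes, int] = {}
        self.events: list[tuple[str, bytes, int]] = []

    def close(self, channel_id: bytes, nonce: int) -> None:
        self.closing_nonce[channel_id] = nonce
        self.events.append(("close", channel_id, nonce))

    def dispute_channel(self, v: Voucher) -> bool:
        key = self.keys.get(v.channel_id)
        if key is None or not signature_valid(key, v):
            return False                         # forged or tampered voucher is rejected
        if v.nonce <= self.closing_nonce.get(v.channel_id, -1):
            return False                         # not newer than what is already on-chain
        self.closing_nonce[v.channel_id] = v.nonce
        self.events.append(("dispute", v.channel_id, v.nonce))
        return True


class Watchtower:
    """Holds vouchers only; has no signing key and no close authority."""

    def __init__(self) -> None:
        self.latest: dict[bytes, Voucher] = {}

    def register(self, v: Voucher) -> bool:
        cur = self.latest.get(v.channel_id)
        if cur is not None and v.nonce <= cur.nonce:
            return False                         # replayed or older voucher: keep current
        self.latest[v.channel_id] = v
        return True

    def on_close_event(self, chain: PaymentChannelModel, channel_id: bytes, closing_nonce: int) -> bool:
        held = self.latest.get(channel_id)
        if held is None or held.nonce <= closing_nonce:
            return False                         # close is current, or channel not registered
        return chain.dispute_channel(held)       # stale close: relay the newer voucher


def scenario() -> dict:
    cid = b"\x01" * 32                           # constructed channel id
    key = b"counterparty-signing-key"            # constructed; never given to the tower
    chain = PaymentChannelModel({cid: key})
    tower = Watchtower()
    for n in (1, 2, 3):
        tower.register(sign_voucher(key, cid, n, 1000 - 10 * n))
    tower.register(sign_voucher(key, cid, 2, 0))  # older nonce replayed: ignored
    chain.close(cid, 1)                            # counterparty submits a stale close
    disputed = tower.on_close_event(chain, cid, 1)
    # A malicious tower re-uses a real signature on altered fields: rejected.
    forged = Voucher(cid, 99, 10**9, tower.latest[cid].sig)
    forged_accepted = chain.dispute_channel(forged)
    return {"held_nonce": tower.latest[cid].nonce, "disputed": disputed,
            "final_nonce": chain.closing_nonce[cid], "forged_accepted": forged_accepted}
```

Running `scenario()` ends with the channel's closing nonce at 3 and the forged voucher refused, which is the property the decision relies on: the watchtower can only relay an authorization the counterparty already signed.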
Registration flow
Nodes should register with 2–3 independent watchtowers — losing all of them simultaneously is rare, losing one is not.
WatchtowerEscrow
Fee accountability is enforced on-chain:
- Watched party (node) prepays watchtower fees into escrow.
- Watchtower submits periodic heartbeats with mandatory voucher state attestation — a BLAKE3 commitment over the vouchers it currently holds.
- On heartbeat failure, the watched party can reclaim escrowed fees.
WatchtowerEscrow is standalone — it reads channel state but does not modify the PaymentChannel contract. Watchtowers advertise themselves via WatchtowerAnnounce gossip on cdn/global/v1.
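An added model of the heartbeat and attestation rules listed above (not the project's WatchtowerEscrow contract). It shows a deterministic commitment over the vouchers a watchtower holds, an escrow that releases a fee only for an on-time heartbeat whose attestation matches the watched party's own view, and reclaim of the remaining deposit once a heartbeat is missed. Assumptions: BLAKE3 is replaced by `hashlib.blake2b` so the example runs without a third-party package; the watched party registers its expected commitment with the escrow (`set_expected`); `interval` and `fee` are assumed parameters; the vouchers, signatures and timestamps are constructed.

```python
"""WatchtowerEscrow heartbeat model (added example). hashlib.blake2b stands in
for the BLAKE3 commitment so this runs with the standard library only."""
import hashlib
from dataclasses import dataclass

# A held voucher as (channel_id, nonce, signature); signature bytes are constructed.
Voucher = tuple[bytes, int, bytes]


def voucher_commitment(vouchers: list[Voucher]) -> bytes:
    """Commitment over the set of vouchers a watchtower holds. Leaves are sorted
    by channel_id so both parties derive the same value whatever the order."""
    h = hashlib.blake2b(digest_size=32)
    for channel_id, nonce, sig in sorted(vouchers, key=lambda v: v[0]):
        leaf = hashlib.blake2b(channel_id + nonce.to_bytes(8, "big") + sig, digest_size=32).digest()
        h.update(leaf)
    return h.digest()


@dataclass
class EscrowModel:
    deposit: int            # fees prepaid by the watched party
    interval: int           # max seconds between heartbeats (assumed parameter)
    fee: int                # fee released per accepted heartbeat (assumed parameter)
    last_heartbeat: int     # time of funding or of the last accepted heartbeat
    expected: bytes = b""   # commitment the watched party expects (assumed registration step)
    released: int = 0
    reclaimed: int = 0

    def remaining(self) -> int:
        return self.deposit - self.released - self.reclaimed

    def set_expected(self, commitment: bytes) -> None:
        # The watched party knows exactly which vouchers it handed over.
        self.expected = commitment

    def heartbeat(self, now: int, attestation: bytes) -> bool:
        if now - self.last_heartbeat > self.interval:
            return False        # late: counts as a missed heartbeat
        if attestation != self.expected:
            return False        # tower no longer holds what it was given
        if self.remaining() < self.fee:
            return False        # escrow exhausted
        self.released += self.fee
        self.last_heartbeat = now
        return True

    def reclaim(self, now: int) -> int:
        if now - self.last_heartbeat <= self.interval:
            return 0            # tower is still inside its window
        amount = self.remaining()
        self.reclaimed += amount
        return amount


def scenario() -> dict:
    vouchers = [(b"\x02" * 32, 7, b"sig-b"), (b"\x01" * 32, 4, b"sig-a")]  # constructed
    escrow = EscrowModel(deposit=100, interval=60, fee=10, last_heartbeat=0)
    escrow.set_expected(voucher_commitment(vouchers))
    # Tower attests in a different order: same commitment, heartbeat accepted.
    first_ok = escrow.heartbeat(50, voucher_commitment(list(reversed(vouchers))))
    # Tower silently dropped a voucher: attestation mismatch, heartbeat rejected.
    dropped_ok = escrow.heartbeat(100, voucher_commitment(vouchers[:1]))
    early = escrow.reclaim(100)   # 50s since last accepted beat: nothing to reclaim yet
    late = escrow.reclaim(130)    # 80s > interval: remaining deposit returned
    return {"first_ok": first_ok, "dropped_ok": dropped_ok,
            "early_reclaim": early, "late_reclaim": late, "released": escrow.released}
```

The order-insensitive commitment matters: if the two sides hashed vouchers in insertion order, an honest tower could fail attestation merely by storing them differently, while the sorted leaf encoding makes a mismatch mean a genuinely different voucher set.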