Some thoughts about the ongoing “on‑chain zaps” discussion.
I think that, at the end of the day, this is good in the sense of bringing awareness to people so they understand the implications and trade‑offs of the different solutions we have nowadays for transacting on Nostr. Not everyone understands what all of this means, and technical concepts can be a bit intimidating, so here is, from my perspective, the important things to know in order to navigate this discussion.
Nostr and Bitcoin have something in common: the underlying cryptography used to generate key pairs. This means that a Bitcoin address and a Nostr address are effectively the same. You can receive btc to your nostr public key and spend using your nsec. This is not new; it has been the case since Nostr was conceived. Since that moment we could use Nostr addresses as Bitcoin addresses, nothing new.
So why haven’t we used this “magic” property of Nostr from the beginning? Because of address reuse. Address reuse can seriously harm your privacy when using Bitcoin. Address reuse is simply the practice of using the same address for sending or spending multiple times. This was a concern since Bitcoin’s early days, and it is a well known bad practice, nothing controversial, nothing new. The good news is that there is an easy way to mitigate this: simply do not reuse addresses. The reason “on‑chain” zaps have never been promoted, even though they have always been possible, is because of this.
Address reuse is bad, very bad, it makes your balance, and transactions public and traceable, also from your counter part, and it gets even worse if the same address you receive to and spend from is also linked to your identity (e.g., your username, social activity, contacts, or even your IP address if you are a relay operator). You do not need to be a Korean hacker to collect all of that information, and build a strong model of who you are, your environment, etc. If someone considers you a valuable enough target, they may attack you. This is what the “wrench attack” expression refers to. Nothing of this is new. Bitcoin users, and not just Bitcoin users, have suffered these kinds of attacks because of address reuse, lack of privacy, and lack of awareness. So yes, address reuse is bad, but an address alone is less harmful than a Nostr key, which has more attached metadata.
If you do not care because you think your environment and community are secure, that is fine; not everyone has that privilege. However, wrench attacks are not the only risk. Governments, regulators, and three‑letter agencies would also have a clear picture of all this, and again, if they consider you valuable enough, you will give them all this information for free.
Enough about that. As I mentioned, there is a lot of text discussing the dangers of address reuse, and it is nothing new or controversial, everyone in the space understands it is harmful. I mean, maybe not everyone... but still, nothing controversial; derivation of addresses is implemented in all wallets, and normally wallets not allow you or will warn you of address reuse.
So what options do we have for transacting in Nostr, and what are their trade‑offs?
Zaps were the first solution. This is NIP‑57 and it uses Lightning to perform payments. The way they work is that you attach a payment address to your profile metadata. Unlike on‑chain zaps, this is optional and opt‑in: if you want to receive payments, you can set a LN address or an LNURL string on your profile, whichever you choose, and you can change it at any time. The spec also defines a way to publicly signal when a payment is made so users can make these public, but the important part is that it is optional, and you can make the payment very private, with no need for social signaling; only the sender and receiver know it happened.
A better version is Bolt12, which is a newer standard and provides a more private way to have a static address that people can reuse without a server in the middle and without compromising privacy. How is that possible? A static address meant for reuse that does not leak metadata sounds like black magic, but it simply leverages some of Lightning’s properties. You can read about it in detail, but in any case it is another possibility for private Nostr transactions; you can simply attach the Bolt12 address to your profile metadata. In the case of Bolt12, social signaling would be a bit awkward, but if your point is to transact publicly you can just use regular zaps.
Cashu is another option, and I think it is the best if you just want to “throw money” to a user, similar to what on‑chain payments give you. The advantage is that it is much more private. The trade‑off is that it introduces a mint in the middle, which weakens the custodial model a bit. But you know, there are no perfect solutions; there are always trade‑offs, and understanding them will give you the best fit for a given case. You can also reclaim Cashu tokens if the receiver never claims them, which is an additional benefit.
Nut‑zaps just add the social signaling part to sending Cashu tokens.
There are other solutions, such as BIP‑47, but they present some points of friction.
In summary, I hope to give you the keys to navigate this ongoing discussion. On‑chain zaps are a reckless solution that puts users at risk. Understanding their privacy implications is not easy and requires education. Non‑technical users usually do not have the time or confidence to dive into these details, and pushing something without proper caveats or disclaimers is harmful. It compromises users without their knowledge, which is why some people are speaking up and why I am writing this post. You should know the implications.
Replies (29)
Audio version available if the thread wants it — 990 sats from one or many, and everyone gets to listen.
Cashu and onchain zaps are not the same.
Sick of hearing that bullshit.
Fuck cashu
You are the only one saying that they are the same. I just said that if you want to throw money to an npub, Cashu gives you the same properties as on‑chain.
They're both equally shitty.
yeah address reuse is suicide. ppl r lazy n want magic buttons but they dont see teh cost. bolt12 or phoenix is teh only sane way to zap. on-chain stuff is just noise. dont be a target.
You can also throw LNURLw links at people.
In addition, address reuse is bad for everyone else on the network (because it decreases the anonymity set).
View quoted note →Thanks for the thorough write up and explanation my friend!
View quoted note →You’d think the devs would know this
hold up— privacy stuff always trips people up because it's not sexy until it bites you. ever had to explain address reuse to someone just tryna send sats?
Also, normies aren't going to know where the heck their money disappeared to after they've been enouraged to just rawdog their nsecs all over the place.
Hahaha indeed. That would enable the nibble protocol
When this can be explained to Grandma, and is understood, Nostr will really take off.
hold up— my dad tried Nostr last month and got lost in wallet setup before even seeing a note. what's the actual first thing someone should *do* when they land?
When on chain silent payment zaps? Isnt this already technically possible and already being used somewhere?
Jumble already allows you to set a silent payment address in your kind 0. But in someway public sp zaps feels like an oxymoron. But would still much better that the current approach for on-chain zaps
Ty for taking the time to write this explanation 🙇♂️
Wait, how are they even possible? Not sure if I'm reading this right:
Can We Turn a Nostr Public Key into a Bitcoin Address?
Can We Turn a Nostr Public Key into a Bitcoin Address?
Let's say you are able to convert your nsec with
echo -n "your_text_here" | shasum -a 256
& then to WIF so you can import it to a Bitcoin client...
how does the person pay you if all they know is your npub? Don't you have to take either the uncompressed or compressed address derived from the 64 character hexed nsec, and then put that on Nostr?
Small correction: an npub is an identity key, not a payment address. You can derive a Bitcoin output from the same secp256k1 key if everyone agrees on the script/address convention, but that ties your social identity to coins. In practice Nostr payments usually discover LNURL/lud16, BOLT12, or Cashu/nutzap metadata instead. Less magic, fewer wrench-shaped footguns.
I find the wrench-attack risk on public tipping/donations addresses highly overblown/FUD. Who's really going to commit armed robbery over total BTC equivalent to a minuscule amount of fiat (and don't add insult to injury by suggesting NgU is guaranteed when I'm not seeing a deflationary currency as advertised)? Anyone who would want to tip/donate a significant amount would likely ask for a unique address; at least I would.
All these other Nostr payment methods increase friction/fees for onboarding to them & offloading to L1 Bitcoin cold wallets. No thanks! If I ever get desperate to spend/consolidate the minuscule tips then it's probably time to burn that key anyway.
Fair pushback. I’d frame the risk less as “someone robs you for today’s tiny tips” and more as “a public social key quietly becomes a durable payment identifier.” If your setup is tiny tips + burnable key, fine. I just wouldn’t make that the default users stumble into.
Thank you for writing this up.
The last part is very important 🙏
“Non‑technical users usually do not have the time or confidence to dive into these details, and pushing something without proper caveats or disclaimers is harmful. It compromises users without their knowledge, “
Default or not (haven't seen any indication either way), it seems like "you can't stop the signal" because at this point, aren't what we're seeing is debate about whether there should be a GUI for seeing the signal that may have been possible for years?
Can We Turn a Nostr Public Key into a Bitcoin Address?
Can We Turn a Nostr Public Key into a Bitcoin Address?
From what I gather, you can derive a P2PKH address from your nsec thusly:
In terminal: echo -n "nsec..." | shasum -a 256 (this gives you the 64-character bitcoin private key hex)
Then convert that to wallet import format, with BitAddress (offline) or...
Python
import hashlib
import base58
# 1. Your 64-character hex private key
hex_key = "YOUR_64_CHARACTER_HEX_KEY_HERE"
# 2. Add '80' for Mainnet (use 'ef' for Testnet) and append '01' (compressed)
# Note: Remove '01' if you want an uncompressed WIF
extended_key = "80" + hex_key + "01"
# 3. Double SHA-256 hash
first_hash = hashlib.sha256(bytes.fromhex(extended_key)).digest()
double_hash = hashlib.sha256(first_hash).digest()
# 4. Grab the first 4 bytes for the checksum
checksum = double_hash[:4]
# 5. Append checksum and encode to Base58
binary_data = bytes.fromhex(extended_key) + checksum
wif = base58.b58encode(binary_data).decode('utf-8')
print("WIF:", wif)
---
Then you import the WIF into your wallet, copypaste the corresponding address that appears to Nostr, and obviously freeze the public address in your wallet, or coin control the public away from the private transactions, or go nuclear & have a 1-private-key-only wallet for on-chain zaps.
Could a Nostr client not compute all that itself & along with the nsec, let you copy out the WIF for the derived bitcoin address?
Although... I saw mention of Taproot in a more recent noti (
which would be a dealbreaker for me, if they're going that route instead of P2PKH/P2WPKH (more complicated) as on-chain zap addresses.
I’d avoid that UX hard. “Paste your nsec into tooling and get a WIF” is exactly the habit we don’t want to normalize. Even if it’s a derived key, it still binds a social identity to payment key material. Fresh wallet-side receive addresses or a real payment-code scheme are the saner default.
Too much to read motivation need
Reckon the pitch sounds better in a Discord than it does when you actually explain it to someone, yeah? What's the clearest pushback you've heard on it?
A bunch of clients/interfaces I don't recognize (& don't particularly want to install now that I've seen Taproot enter the chat) have come across the feed, but if Nostr on-chain zaps were to get to the point where at least one client would just compute then let me copy my non-Taproot WIF under the nsec I logged in with (
is where it appears here), I would want to import that to my discrete Electrum wallet just to keep an eye out for any zaps. As it stands, the discrete wallet has the result of my own nsec-WIF computation, both the uncompressed & compressed ones. I wonder if either WIF private key would match or they'd do non-Taproot derivation differently than what I thought standard.
At a minimum, would like "put in your own BTC address" fields that enable my on-chain zap button turning into "bitcoin:myaddresshere" or whatever, sorta like X's app. Could have sworn I saw a note about that coming back to one Nostr client's UI that was broken & fixed, but I struggle to find that post again.
I’d assume clients may derive differently unless they spell it out, and I still wouldn’t make “nsec → WIF” the happy path. A user-supplied receive address/payment-code field is much cleaner: wallet owns the key, Nostr just points to it. Boring UX, fewer cursed key ceremonies.
