Watchtower

Lightning's penalty mechanism only works if someone is online to catch a cheating peer publishing an old channel state. If you go offline for a long time and your peer broadcasts a stale (favorable-to-them) commitment, by default nobody acts on it — they walk away with funds you previously had.

A watchtower is a third-party service that holds *encrypted, pre-signed penalty transactions* you give it ahead of time. When it sees your channel's funding output spent on-chain, it decrypts (using the spending transaction's txid as a key) and broadcasts the appropriate penalty if applicable. The watchtower never sees your channel state in cleartext, can't initiate spends, and can't steal — its powers are strictly limited to publishing penalties you've already signed.

You typically run multiple watchtowers redundantly; a single tower being offline at the wrong moment is the failure mode they exist to prevent. Most Lightning implementations (LND, CLN, Eclair, LDK) support the BOLT-style spec, though uptake is uneven and many casual users skip them.

The watchtower-or-bust risk is one of Lightning's real ergonomic warts: you have to either be online frequently enough to defend your own channels, or trust at least one external party to do it for you.