This paper addresses the challenge of formally verifying fund safety in the Lightning Network under adversarial participants. We propose a two-step refinement-based verification methodology: first, constructing an abstract timed model; second, separating the single-channel state machine from multi-hop payment logic. This approach overcomes the state-explosion barrier inherent in conventional model checking, enabling systematic coverage of concurrent and multi-hop scenarios. Leveraging TLA+ formal specification, timed automata abstraction, and refinement proofs, we achieve the first fully automated model checking of the Lightning Network protocol—verifying a complete model featuring four-hop paths and two concurrent payments. Our results formally establish that, under any adversarial strategy, honest users can always reclaim their rightful on-chain balances via on-chain arbitration, thereby strictly satisfying the core fund-safety property.

Payment channel networks are an approach to improve the scalability of blockchain-based cryptocurrencies. The Lightning Network is a payment channel network built for Bitcoin that is already used in practice. Because the Lightning Network is used for transfer of financial value, its security in the presence of adversarial participants should be verified. The Lightning protocol's complexity makes it hard to assess whether the protocol is secure. To enable computer-aided security verification of Lightning, we formalize the protocol in TLA+ and formally specify the security property that honest users are guaranteed to retrieve their correct balance. While model checking provides a fully automated verification of the security property, the state space of the protocol's specification is so large that model checking becomes unfeasible. We make model checking the Lightning Network possible using two refinement steps that we verify using proofs. In a first step, we prove that the model of time used in the protocol can be abstracted using ideas from the research of timed automata. In a second step, we prove that it suffices to model check the protocol for single payment channels and the protocol for multi-hop payments separately. These refinements reduce the state space sufficiently to allow for model checking Lightning with models with payments over up to four hops and two concurrent payments. These results indicate that the current specification of Lightning is secure.