Let's say Alice wants to buy a coffee from Bob.
A lightning node allows Alice to add collateral to it before approaching Bob, correct? And, the lightning node cannot steal Alice's btc because only Alice has her private key. So when Alice meets Bob, Bob sees that the lightning node has enough collateral from Alice, and Alice shows she has her private key by signing a transaction for the coffee. Once the lightning node reports back to the core network, the transaction will be recorded forever. Everyone's happy!
But then what happens if Alice then goes to the lightning node operator, Sam, and says: "I don't really want to pay for this coffee, why don't you take your lightning node offline, and never bring it up again." Then Alice's transaction never gets recorded on the main blockchain, and she gets to keep her coffee.
Surely there is something I am missing here.
1. Alice temporarily locks funds inside a LN payment hub to process an off chain transaction to Bob through a multi-sig address. Both Alice and Bob need to sign to make it a valid transaction.
2. Payment hubs have no control over your funds, you have the keys. LN is entirely dependent on Bitcoin blockchain.
3. On chain transactions are necessary to both open and close a channel. Between opening and closing a channel you can make as many off chain transactions as you like. When you close a channel the last transaction gets recorded on the main chain, on chain transaction.
4. If both Alice and Bob agree to close the channel then it can be closed immediately.
5. Theft is possible during LN transactions, but there is adequate built-in protection to prevent such scenarios. If Alice closes the channel with the intention of scamming Bob, then the party who is trying to steal ends up paying a penalty.
Outsourceable enforcement: if one party closes a channel in an old state in an attempt to steal money, the other party has to act within a defined period of time to block the attempted theft. This function can be outsourced to a third-party without giving them control over any funds, allowing wallets to safely go offline for periods longer than the defined period.
Breach Remedy Transaction: the transaction Alice creates when Mallory attempts to steal her money by having an old version of the channel state committed to the blockchain. Alice's breach remedy transaction spends all the money that Mallory received but which Mallory can't spend yet because his unilateral spend is still locked by a relative locktime.
https://en.bitcoin.it/wiki/Lightning_Network
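
The penalty rule quoted in the answer above, as an added example that is not part of the original post and is not Lightning's own code: a toy balance-only model of closing a channel on an old state, with and without a response inside the relative locktime. The `Channel` class, the party names, the amounts and the 144-block delay are constructed assumptions; real channels enforce this with signed commitment transactions and revocation secrets, which the model leaves out.

```python
from dataclasses import dataclass, field

CSV_DELAY = 144  # assumed relative locktime in blocks (constructed value)

@dataclass
class Channel:
    """Toy two-party channel: balances only, no real keys or scripts."""
    capacity: int
    states: list = field(default_factory=list)  # states[n] = {party: balance}
    revoked: set = field(default_factory=set)   # state numbers that were superseded

    def open(self, a, b, a_funds, b_funds):
        """On-chain funding: state 0 splits the capacity between the parties."""
        if a_funds + b_funds != self.capacity:
            raise ValueError("funding must equal channel capacity")
        self.states.append({a: a_funds, b: b_funds})

    def pay(self, sender, receiver, amount):
        """Off-chain update: both sign a new state and revoke the previous one."""
        prev = self.states[-1]
        if prev[sender] < amount:
            raise ValueError("insufficient channel balance")
        new = dict(prev)
        new[sender] -= amount
        new[receiver] += amount
        self.revoked.add(len(self.states) - 1)
        self.states.append(new)

    def unilateral_close(self, closer, state_no, watcher_reacts_after=None):
        """Final on-chain payout when `closer` broadcasts state `state_no`.

        watcher_reacts_after: blocks until the other party (or a third party
        it outsourced enforcement to) responds; None means nobody responds.
        """
        state = self.states[state_no]
        other = next(p for p in state if p != closer)
        in_time = watcher_reacts_after is not None and watcher_reacts_after < CSV_DELAY
        if state_no in self.revoked and in_time:
            # Breach remedy: the closer's output is still timelocked, so the
            # other party spends it and ends up with the whole channel.
            return {closer: 0, other: self.capacity}
        # Latest state, or an old state nobody contested before the delay ran out.
        return dict(state)

def coffee_scenario():
    """Alice funds the channel, pays Bob for a coffee, then closes three ways."""
    ch = Channel(capacity=100_000)  # amounts in satoshis, constructed
    ch.open("alice", "bob", 100_000, 0)
    ch.pay("alice", "bob", 5_000)
    return (ch.unilateral_close("alice", 1),                          # honest close
            ch.unilateral_close("alice", 0, watcher_reacts_after=10), # caught in time
            ch.unilateral_close("alice", 0))                          # nobody watching
```

The third result shows why the answer stresses acting "within a defined period": an old state that goes uncontested for the whole delay is paid out as broadcast.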