htlcswitch: remove the bucket batchReplayBucket

[yyforyongyu]

This PR simplifies the htlc reforwarding logic by dropping the batch replay bucket.

Context

When an htlc is received, we call processRemoteAdds, which invokes DecodeHopIterators to decode the onion.

lnd/htlcswitch/link.go

Lines 3771 to 3773 in 92a5d35

	decodeResps, sphinxErr := l.cfg.DecodeHopIterators(
	fwdPkg.ID(), decodeReqs,
	)

We then create a Tx which has a memory batch in BeginTxn, and process it in ProcessOnionPacket,

lnd/htlcswitch/hop/iterator.go

Line 756 in 92a5d35

tx := p.router.BeginTxn(id, batchSize)

lnd/htlcswitch/hop/iterator.go

Line 786 in 92a5d35

err = tx.ProcessOnionPacket(

This ProcessOnionPacket then call this b.Put which saves the htlc:

• if IsCommitted is true, error out.
• if this is a new htlc, save its payment hash to map b.replayCache and, use its seqNum as key and batchEntry as the value to map b.entries. The batchEntry has the fields hashPrefix and cltv.
• if this is not a new htlc, add the seqNum to its b.ReplaySet, which is a map.

We then proceed to the tx.Commit, which calls PutBatch under the hood,

lnd/htlcswitch/hop/iterator.go

Line 831 in 92a5d35

packets, replays, err := tx.Commit()

It will also be noop if IsCommitted is true.

Now, in this PutBatch,

• we start with an empty ReplaySet
• query the batchReplayBucket, if b.ID is found, which is the fwdPkg.ID(), we return the saved ReplaySet on the disk - most of the time it's an empty map. This is also the mechanism to skip checking replays when reforwarding htlcs during restart.
• otherwise we iterate this memory batch via b.ForEach. We will iterate the map b.entries there,
  • we now query the sharedHashes bucket, if we find an item there, we add this entry's seqNum to ReplaySet. Note that when the item is found in sharedHashes bucket, it means it's a replay.
  • if we cannot find it in the shareHashes bucket, we will save the item's hashPrefix and cltv to disk.
• we then merge the ReplaySet with the batch's internal replay set, b.ReplaySet.
• finally we would save this ReplaySet on disk in batchReplayBucket.

The actual replay attack protection comes in the last step in ProcessOnionPacket, where we would check whether any of the decoded htlcs is found in the ReplaySet.

lnd/htlcswitch/hop/iterator.go

Lines 871 to 873 in 92a5d35

	if replays.Contains(uint16(i)) {
	log.Errorf("unable to process onion packet: %v",
	sphinx.ErrReplayedPacket)

The Fix

We now drop this table and explicitly signal reforwarding during startup to skip the replay check. This means,

• no more extra data is saved on disk, and,
• no new GC mechanism needed.

In combination with #9906 we can sunset this bucket completely.

[coderabbitai]

Important

Review skipped

Auto reviews are limited to specific labels.

🏷️ Labels to auto review (1)

• llm-review

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[ziggie1984]

but what if is a reforward and was a replay in the first run, we would now pass it through and forward it ?

[yyforyongyu]

yeah i thought about it too, unless the peer can crash all the nodes down the path I don't think the attack can succeed tho. The first time a replayed htlc is received, the node will fail back and wait for the remote's revoke_and_ack. Unless the node crashes and restarts to reload the htlc pkg, the replayed htlc won't be forwarded. Even if this edge case happens, the next hop will fail it, so I think it's extremely unlikely? btw lnd_sweep_test.go is a good place to observe the overall flow.

[ziggie1984]

It does not need to crash know, the link only has to flap and then we are in that situation.

[yyforyongyu]

Can you elaborate?

[ziggie1984]

this is called when a Link starts:

lnd/htlcswitch/link.go

Lines 1327 to 1328 in 35102e7

	if l.ShortChanID() != hop.Source {
	err := l.resolveFwdPkgs(ctx)

which means if a link flaps this is called again.

[yyforyongyu]

explained in this comment

[ziggie1984]

It seems like an acceptable way forward however we are accepting a case where we might flap on the incoming link and therefore would reforward a potential "replayed" HTLC (which very likely be detected by the next node as a replay if it is LND). It might be very unlikely that it happens so I am ok with going with this approach. The proper solution would be to add a new Relayed-Fwd-Filter into the forwarding logic and query it when the above happens.

[ziggie1984]

It does not need to crash know, the link only has to flap and then we are in that situation.

[ziggie1984]

On restart of the channel not on restart of the LND server, or do you mean the same ?

[yyforyongyu]

restart of lnd, tho link restart is a superset?

[ziggie1984]

yes but what I wanted to say is, flaping of a link is way more likely than crashing a node, so just want to make sure we take this into account when talking about the edge case. But then can you say only on restart of the link ?

[yyforyongyu]

Yes, if it's just the flapping of a link, it means it will go through the full cycle of start/stop, which has all the necessary data persisted. If a replay has been detected before, we will call sendMalformedHTLCError to store it in updateLogs, and update the commitment via AppendRemoteCommitChain, which will remove the Adds. Then, if the link restarts, it will restore the state, but the fwdPkg will have empty logs, as shown in the experiment here yyforyongyu#47. So as long as the link is going through normal restarts, we are protected. The only possible way is that somehow the remote node can crash our node, causing us to skip AppendRemoteCommitChain before the link shuts down, which is a different level of assumption I think, also don't think it's feasible.

[ziggie1984]

There is a time period between processing the incoming ADD and updating the Channel via AppendRemoteCommitChain which is called within the ChannelLink object where we might run in the scenario described above.

Scenario:

1. Incoming replayed ADD comes in on the incoming, we process it (DecodeHopInterator etc.)
2. We figure out that it is a Replay
3. Call sendMalformedHTLCError
4. Before we can call AppendRemoteCommitChain (batchtimer hits => default 50ms) => Link flaps
5. MalFormed msg never persited on the State => meaning we will forward the Incoming Replayed ADD the next time we start-up the link.

[yyforyongyu]

I think it will be a good argument if we assume the user will use a different batch commit interval as 50ms is a bit too short. That being said I think we do need to perform a commitment update, which is missing from this method when we fail some of the ADDs in processRemoteAdds.

The replay check also seems to be performed a bit late - we should instead perform this check when we receive an update_add_htlc, not revoke_and_ack. I'll see how easy it is to change that.

[ziggie1984]

I would keep it as is, I would propose that we add a comment that we are aware of this edge case and are willing to accept it (see my other comment #9929 (comment))

[yyforyongyu]

Actually I don't think it relies on the batch ticker as there will be an immediate commitment update after calling processRemoteAdds,

lnd/htlcswitch/link.go

Lines 2541 to 2568 in 35102e7

	if l.quiescer.CanSendUpdates() {
	l.processRemoteAdds(fwdPkg)
	} else {
	l.quiescer.OnResume(func() {
	l.processRemoteAdds(fwdPkg)
	})
	}
	l.processRemoteSettleFails(fwdPkg)
	// If the link failed during processing the adds, we must
	// return to ensure we won't attempted to update the state
	// further.
	if l.failed {
	return
	}
	// The revocation window opened up. If there are pending local
	// updates, try to update the commit tx. Pending updates could
	// already have been present because of a previously failed
	// update to the commit tx or freshly added in by
	// processRemoteAdds. Also in case there are no local updates,
	// but there are still remote updates that are not in the remote
	// commit tx yet, send out an update.
	if l.channel.OweCommitment() {
	if !l.updateCommitTxOrFail(ctx) {
	return
	}
	}

Think I will keep this PR as is and create a new one to address that we need to check replay when receiving update_add_htlc, maybe fix it in the dyn series.

[ziggie1984]

great analysis !

[yyforyongyu]

It seems like an acceptable way forward however we are accepting a case where we might flap on the incoming link and therefore would reforward a potential "replayed" HTLC (which very likely be detected by the next node as a replay if it is LND).

I think it's better than keeping the batch delay db then adding another key to bloat the disk. Also can you think of a case where a replay can happen without crashing the node?

[ziggie1984]

yes but what I wanted to say is, flaping of a link is way more likely than crashing a node, so just want to make sure we take this into account when talking about the edge case. But then can you say only on restart of the link ?

[ziggie1984]

Here we should mention the edge case which we talked about, that in a very unlikely scenario an ADD can be reforwared and if it is a replay it will be forwarded to the next node.

[ziggie1984]

I think we need to properly cleanup also the underlying replay set. No batch is written here anymore, also the tx.Commit() call does not commit anything anymore. So I think we should clean that up with either this PR or a followup.

[yyforyongyu]

Discussed offline and @ziggie1984 will create a follow-up PR to clean this.

[ziggie1984]

LGTM

[ziggie1984]

Just want to point out that we will for reforward have more db roundtrips compared to the previous implementation if we have more than 1 incoming ADD in the fwd package.

[ziggie1984]

Will be fixed in a follow up PR, I think we can skip the whole fetching of shared_secrets if it is a replay because we will mark them as replayed anyways in the refwd case,

so should probably be something link tx.Commit(reforward) => return all replays.

[Roasbeef]

decaly -> decay

[yyforyongyu]

fixed

[Roasbeef]

Cool. This is fine as a short circuit, as if the state is channeldb.FwdStateCompleted, then the check to fwdPkg.SettleFailFilter.Contains(uint16(i)) in the inner loop will always return true. Same for when we go to process adds.

[Roasbeef]

Just defined in this commit, but the useage in teh call site below was already present.

[yyforyongyu]

This is actually introduced in a previous commit, where we added reforward := fwdPkg.State != channeldb.FwdStateLockedIn, and since FwdStateCompleted is skipped, we can now only check fwdPkg.State == channeldb.FwdStateProcessed.

[Roasbeef]

Should we modify this to instead always try to delete the bucket on start up? Or will we reserve that for a distinct PR that handles the optional migration?

[yyforyongyu]

Correct - the migration is done in #9945.

[Roasbeef]

Why do we return replays at all, if we no longer decode the bytes from disk?

[Roasbeef]

Nvm, the sharedHashes bucket is just the primary source of truth.

Is there any situation wherein by only consulting sharedHashes we'd let through a replay that was already captured in the batchReplayBkt bucket?

IIRC historically, all onion replay processing was serial. We then introduced the batch replay bucket and processing to speed things up. Compared to the shared hashes, the batch replay bucket uses an ID derived from the source channel ID and the height of the outbound commitment that locked in those changes.

In retrospect, it's clear now that we were duplicating data across both sources, as replaying an HTLC is defined as using the very same shared secret, and assuming the same sender, that forces re-use of the payment hash as it's included in the associated data.

[yyforyongyu]

Is there any situation wherein by only consulting sharedHashes we'd let through a replay that was already captured in the batchReplayBkt bucket?

Don't think so. As for a replay to happen it must use a new commitment height, which means it will create a new key to query batchReplayBkt, then find nothing, and continue to query sharedHashes. So in the end it's the sharedHashes as the source of truth. This batchReplayBkt is only helpful for a very specific case - the node receives replays, but before it persists its forwarding pkg, it goes offline. When it comes online again, it will reload the forwarding logs, then query batchReplayBkt instead of the sharedHashes to find the replays and fail the HTLCs back.

In retrospect, it's clear now that we were duplicating data across both sources, as replaying an HTLC is defined as using the very same shared secret, and assuming the same sender, that forces re-use of the payment hash as it's included in the associated data.

Totally - think eventually we can move the replay attack protection to be handled at the forwarding logs instead. Also given sharedHashes are GCed based on the CLTV values, which also means the replays are allowed to happen after CLTV blocks. So as long as we are within CLTV blocks we are protected.

[Roasbeef]

LGTM 🦩