-
Notifications
You must be signed in to change notification settings - Fork 359
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Post-anchor: do not aggregate claim of revoked output #1841
Post-anchor: do not aggregate claim of revoked output #1841
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is also missing the same change in package.rs
upon deserializing pending inputs.
Yes, correct. Do we prefer to add directly the malleability flag to the serializers or the channel type in |
We could add the |
Codecov ReportPatch coverage:
❗ Your organization is not using the GitHub App Integration. As a result you may experience degraded service beginning May 15th. Please install the Github App Integration for your organization. Read more. Additional details and impacted files@@ Coverage Diff @@
## main #1841 +/- ##
==========================================
+ Coverage 91.63% 91.99% +0.35%
==========================================
Files 104 104
Lines 51985 55966 +3981
Branches 51985 55966 +3981
==========================================
+ Hits 47638 51487 +3849
- Misses 4347 4479 +132
☔ View full report in Codecov by Sentry. |
ccaf9e5
to
e40fcda
Compare
Updated at e40fcda Added two new fields to |
Doesn't currently build? |
e40fcda
to
22d1238
Compare
Updated at 22d1238
That sound right we have unit test coverage here. Should be fixed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just one serialization comment, otherwise LGTM
22d1238
to
29ab7af
Compare
Updated at 29ab7af Should build, at least locally. |
06cab04
to
11ddd4f
Compare
Updated at 11ddd4f. |
Otherwise LGTM. |
679ba56
to
4b23f36
Compare
lightning/src/chain/package.rs
Outdated
PackageSolvingData::RevokedHTLCOutput(..) => { (PackageMalleability::Malleable, true) }, | ||
PackageSolvingData::CounterpartyOfferedHTLCOutput(..) => { (PackageMalleability::Malleable, true) }, | ||
PackageSolvingData::CounterpartyReceivedHTLCOutput(..) => { (PackageMalleability::Malleable, false) }, | ||
PackageSolvingData::HolderHTLCOutput(..) => { (PackageMalleability::Untractable, false) }, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This got rid of some of the anchor changes, was that intentional?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you point me to which changes ? Yes it modifies intentionally some changes to avoid exposures to claim batch on anchor outputs on our side though dunno if those are the changes you’re thinking of ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like some changes may have gotten lost in a rebase conflict. HolderHTLCOutput
should be Malleable
with anchors and additionally support aggregation on those with known preimages.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So I agree on the first point that HolderHTLCOutput
should be Malleable
with anchors however on the second point to aggregate HTLCs with known preimages this can be a safety risk if a) the paired HTLC-timeout is final and can be broadcast therefore breaking the batch and b) the value of the HTLC do not weight for the average feerate weight of each input ?
Note there is no such aggregation based on preimage currently:
rust-lightning/lightning/src/chain/package.rs
Line 836 in 0e8da58
PackageMalleability::Malleable |
Are you thinking about another branch ?
Note, this is not I’m strongly opposed to aggregate preimages claims, at the minimal we should it with the safe-guards mentioned above and if as such better to introduce them in another PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
to aggregate HTLCs with known preimages this can be a safety risk
How are these claims any different from CounterpartyOfferedHTLCOutput
claims? It seems we already aggregate those.
the paired HTLC-timeout is final and can be broadcast therefore breaking the batch
I don't see the problem here, at least we still try the batch and save on fees. If a conflicting spend confirms, then we'll retry the batch without it. Again, this doesn't seem any different than CounterpartyOfferedHTLCOutput
claims.
I noticed for new requests we already have a path to try them by themselves even if we can aggregate them if their timelock is within CLTV_SHARED_CLAIM_BUFFER
blocks. Maybe we can also start splitting them up once we're within this range and we've them tried in a batch a few times without getting a confirmation?
the value of the HTLC do not weight for the average feerate weight of each input ?
That seems like a separate issue, no? I think we'll always claim outputs even if it's not economically rational to do so at the current feerates. That's something we can certainly improve on, but that can happen as a follow-up and doesn't need to impact our aggregation logic.
Note, this is not I’m strongly opposed to aggregate preimages claims, at the minimal we should it with the safe-guards mentioned above and if as such better to introduce them in another PR.
Well the issue is that the aggregation already exists upstream with tests, and this PR is attempting to revert that as an unrelated change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was under the impression we already handled this by splitting packages when we get close to the expiration.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wilmer pointed out offline that this doesn't happen later, only when we register the package. I think we should explore just spitting later, but I'm not sure this is a critical thing - we fundamentally assume in lightning that we can get a tx confirmed before the HTLC times out. If we cannot, its not unreasonable to have an issue, we already lost money! Certainly no need to break out packages into individual transactions for that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair enough, though I still don't see how this is any different from preimage claims on a remote commitment, as this > is all possible there. It seems like my suggestion of splitting them up (sorted by earliest HTLC expiry) after a few
unconfirmed batches would address this for the most part?
Yes I assume we would split anchor output preimage claims on both holder/counterparty commitment, as all those claims fee-bumping is under our responsibility. The issues with splitting up after few unconfirmed batches, this is as much blocks gain for an adversary, and i’m not even sure we don’t fail our broadcast for the reason that an individual claim might not have an absolute fee (RBF rule 3) better than the batch already propagated across network mempools (though with a poorer feerate).
In that case, we should keep the preimage aggregated claims logic intact, and follow up with this splitting heuristic in a new PR.
Just to be clear, I’m all good with keeping the preimage aggregated claim logic intact in this PR and introduce splitting heuristics or no-batch-all requirements on a new PR.
we fundamentally assume in lightning that we can get a tx confirmed before the HTLC times out.
And this is the exact assumption I have a strong doubt about in a anchor output world where we have to manage limited fee-bumping reserves to feed our HTLC claims, compared to the legacy world where the channel value can be used to feed HTLC claims (even if this legacy world is broken as you cannot assume liveliness/cooperation of your peer to succeed an update_fee
flow). Our fee-bumping reserves strategy is not really specified yet and the part of this strategy we delegate to the end user is unclear as of #2089. As there is already lightning softwares deployed with anchor output support, I’m suggesting to move this conversation offline.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And this is the exact assumption I have a strong doubt about in a anchor output world where we have to manage limited fee-bumping reserves to feed our HTLC claims, compared to the legacy world where the channel value can be used to feed HTLC claims (even if this legacy world is broken as you cannot assume liveliness/cooperation of your peer to succeed an update_feeflow)
But splitting makes it worse! If we're super concerned about our ability to get a tx confirmed in time because we're low on fees, the worst thing we can do is (preemptively) split the packages up into lots of transactions. At a minimum we should split as HTLCs near expiry, but even there I'm not super convinced. Indeed, anchors in general are pretty risky, but I'm very unconvinced that we should just go "well, we can't rely on the lightning security assumption, so lets write a ton of code to maybe kinda handle the case where we fail our security assumptions, but of course that code will hopefully never be hit, and thus never tested."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we're super concerned about our ability to get a tx confirmed in time because we're low on fees, the worst thing we can do is (preemptively) split the packages up into lots of transactions.
Splitting packages into a lot of transactions when we’re in low-fees is far from being the less economically rational strategy to adopt if we have HTLC-preimages with strong asymmetries in term of offered HTLC outputs because they have been inbound routed to us by an adversary. With anchors, I think we’re introducing a fee-bumping reserves oracle to an adversary that can be adapted in real-time based on the packages we’re broadcasting. I share the belief on having a lot of complex never-tested code to special-case on-time package splitting and the adequate mitigation might be at the ChannelManager
-level, namely refusing to route HTLC when we’re low on fee-bumping reserves. In anycase, if anyone has an up-to-date threat model for anchor output channels, you’re free to share it.
4b23f36
to
ef747d3
Compare
Updated at ef747d3 with @wpaulino comments addressed. Sorry for the latency - For context, post-anchor this changes prevents a counterparty to pin the claims of the offered HTLC outputs with timeout transactions until the |
lightning/src/chain/package.rs
Outdated
PackageSolvingData::RevokedHTLCOutput(..) => { (PackageMalleability::Malleable, true) }, | ||
PackageSolvingData::CounterpartyOfferedHTLCOutput(..) => { (PackageMalleability::Malleable, true) }, | ||
PackageSolvingData::CounterpartyReceivedHTLCOutput(..) => { (PackageMalleability::Malleable, false) }, | ||
PackageSolvingData::HolderHTLCOutput(..) => { (PackageMalleability::Untractable, false) }, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like some changes may have gotten lost in a rebase conflict. HolderHTLCOutput
should be Malleable
with anchors and additionally support aggregation on those with known preimages.
lightning/src/chain/package.rs
Outdated
@@ -846,20 +860,6 @@ impl PackageTemplate { | |||
height_original, | |||
} | |||
} | |||
|
|||
fn map_output_type_flags(input_solving_data: &PackageSolvingData) -> (PackageMalleability, bool) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To avoid moving this method between commits, this could have been added under PackageSolvingData
in the previous commit (a1eebd2).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unless you insist, I’ll leave as it :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would prefer it's done, but will defer to the second reviewer.
ef747d3
to
dba8d68
Compare
Updated at Thanks for the review. Took some comments and answered others, proposing to defer some to another PR. |
dba8d68
to
163db6f
Compare
Updated at 163db6f with aggregable flag true for anchor output. Tests should be fixed now. |
The anchor tests were still failing by the way. You can run them locally with |
163db6f
to
7d1b4a5
Compare
Thanks updated at 7d1b4a5, |
CI failure is #2266 |
7d1b4a5
to
6ff5e67
Compare
No need to do anything about CI/the message fuzz failures, no. |
9051884
to
5aec123
Compare
Updated at 5aec123 with comments addressed. |
5aec123
to
7ac1ed2
Compare
Updated at 7ac1ed2. |
lightning/src/chain/package.rs
Outdated
} | ||
} | ||
} | ||
|
||
impl_writeable_tlv_based!(RevokedOutput, { | ||
(0, per_commitment_point, required), | ||
(1, is_counterparty_balance_on_anchors, required), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should keep the Option<()>
hack over a bool
- making this odd and required means (a) previous versions that don't understand it will ignore it (which we don't want, we want them to fail to read) and (b) new code will refuse to read existing objects missing the field, which all existing objects are.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should have been modified to be compatible with the back-compatibility of the serialiazation framework.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this now be an even TLV with option
like opt_anchors
everywhere else? As is, odd with required means we'll fail to read on upgrade.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, it needs to be an option to accept old data and needs to be even so that old clients will refuse to read.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be an even option
now. Let me know if new code matches what you have in mind.
7ac1ed2
to
b3bf68e
Compare
Updated at b3bf68e. |
See lightning/bolts#803 This protect the justice claim of counterparty revoked output. As otherwise if the all the revoked outputs claims are batched in a single transaction, low-feerate HTLCs transactions can delay our honest justice claim transaction until BREAKDOWN_TIMEOUT expires.
b3bf68e
to
6f9adfa
Compare
Updated at |
lightning/src/ln/monitor_tests.rs
Outdated
assert_eq!(revoked_claim_b.input.len(), 3); // Spends both HTLC outputs and to_self output | ||
assert_eq!(revoked_claim_b.output.len(), 1); | ||
check_spends!(revoked_claim_b, revoked_commitment_b); | ||
assert_eq!(revoked_htlc_claim_a.input.len(), 2); // Spends both HTLC outputs and to_self output |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please remove the TODO now and fix the comments on the spend assertions below. LGTM otherwise.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should be done, thanks.
6f9adfa
to
5e968ed
Compare
Updated at 5e968ed |
See lightning/bolts#803
This protect the justice claim of counterparty revoked output. As otherwise if the all the revoked outputs claims are batched in a single transaction, low-feerate HTLCs transactions can delay our honest justice claim transaction until BREAKDOWN_TIMEOUT expires.