Retrieve all possible spendable outputs from transactions
Assuming our keys haven't been compromised, and that random transactions
aren't learning of these scripts somehow and sending funds to them, it
was only possible for one spendable output to exist within a
transaction.
- `shutdown_script` can only exist in co-op close transactions.
- `counterparty_payment_script` can only exist in counterparty
commitment transactions.
- `broadcasted_holder_revokable_script` can only exist in holder
commitment/HTLC transactions.
- `destination_script` can exist in any other type of claim we support.
Now that we're exposing this API to users such that they can rescan any
relevant transactions, there's no harm in allowing them to claim more
funds from spendable outputs than we expected.
Allow retrieval of SpendableOutputDescriptors from relevant transactions
Currently, our API will only expose `SpendableOutputDescriptor`s once
after they are no longer under reorg risk (see `ANTI_REORG_DELAY`).
Users have often requested they'd like the ability to retrieve these in
some other way, either for historical purposes, or to handle replaying
any in the event of a failure.
Matt Corallo [Thu, 28 Sep 2023 18:19:36 +0000 (18:19 +0000)]
Include any recipient overpayment amounts in the route fee limit
If the user told us to limit their total fee exposure, we should
do so including any potential overpayment to the recipient, which
is ultimately a part of the "fee" as far as the user is concerned.
Matt Corallo [Tue, 26 Sep 2023 21:58:53 +0000 (21:58 +0000)]
Try to overpay the recipient if we fail to find a path at all
Previously we'd only try to overpay if we managed to find a path
to the recipient which was sufficient. However, if we fail to find
any path to the recipient at all we should still retry overpaying
the recipient. Ultimately we should be silling to pay whatever
reasonable performance penalty if the alternative is not finding a
path at all, which we do here.
Matt Corallo [Thu, 28 Sep 2023 18:19:50 +0000 (18:19 +0000)]
Allow routefinding again due to HTLC limit based on >= not >
While this doesn't matter much in practice, if we go around again
when route-finding to try to meet an htlc_minimum_msat, we use the
`recommended_value_msat` which can work if we meet the
`htlc_minimum_msat` on a channel exactly, so using >= rather than >
can capture cases with 1msat more.
Elias Rohrer [Fri, 22 Sep 2023 14:38:30 +0000 (16:38 +0200)]
Avoid adding duplicate hint candidates if they are first hops
If we have a direct channel to a node generating an invoice with route
hints, we'd previously happily add multiple candidates that all refer to
the same channel. To keep our candidate set small and unify our tracking
where possible, we now check if its `short_channel_id` is an
`outbound_scid_alias` of any of our first hops and refrain from adding
another candidate if it's the case.
Elias Rohrer [Fri, 22 Sep 2023 13:56:07 +0000 (15:56 +0200)]
Also add route hints if we are the source
Previously, we would only consider route hints if we had a direct
channel to the first node in the hint or if the first node in the hint
was part of the public network graph.
However, this left out the possiblity of us being part of the first hop,
especially if our own node is not announced and part of the graph.
Matt Corallo [Thu, 28 Sep 2023 02:40:07 +0000 (02:40 +0000)]
Refer to top-level persistence namespaces as `primary_namespace`
This fixes a bindings build error as `namespace` is a C++ keyword
which cannot be used as an argument, and while this could be fixed
in the bindings rather than here, separating the term `namespace`
between the concept (which refers to the primary and sub
namespaces) and the primary namespace makes the documentation more
readable.
Matt Corallo [Wed, 27 Sep 2023 22:26:57 +0000 (22:26 +0000)]
Use `Result<_, io::Error>` over `io::Result<_>`
Personally I've always found the overload of a prelude enum to be
confusing, and never bothered to handle it properly in bindings as
a result. To avoid needing to do so now, we simply move the
newly-introduced `io::Result` usages over to
`Result<_, io::Error>`.
Matt Corallo [Thu, 28 Sep 2023 00:46:31 +0000 (00:46 +0000)]
Don't FC when a `channel_update` has a bogus `htlc_minimum_msat`
If a peer sends us a `channel_update` for our own channel with an
`htlc_minimum_msat` which is more than the channel's amount, that's
dumb, but there's no reason to force-close the channel. We don't
even use the field.
Use correct input sequence for HTLC claims from counterparty commitments
HTLC outputs, like the `to_remote` output, in commitment transactions
with anchor outputs also have an additional `1 CSV` constraint on the
counterparty. When spending such outputs, their corresponding input
needs to have their sequence set to 1. This was done for HTLC claims
from holder commitments, but unfortunately not for counterparty
commitments as we were lacking test coverage.
get_route: fix path value contribution to include min htlc overpay
Previously, the fuzzer hit a debug panic because we wouldn't include the amount
overpaid to meet a last hop's min_htlc in the total collected paths value. We
now include this value and also penalize hops along the overpaying path to
ensure that it gets deprioritized in path selection.
get_route: fix path_min for first_hop<>network_node candidates
Previously, we would add a first_hop<>network_node channel that did not have
enough contribution amount to cover the next channel's min htlc plus fees,
because we were storing the next hop as having a path_min that did not include
fees, and would add a connecting first_hop node that did not have enough
contribution amount, leading to a debug panic upon invalid path construction.
get_route: fix path_min for first_hop<>blinded_hint candidates
See previous commit, but the bug where we would underestimate how much a first
hop candidate needed to be able to relay was also present in blinded paths.
get_route: fix path_min when adding first_hop<>route_hint candidates
Previously, we would add a candidate hop to the list of potential hops even
though its available contribution wasn't sufficient to meet the next hop's
min_htlc. We'd subsequently build an invalid path using this hop and hit a
debug assertion.
Dom Zippilli [Wed, 30 Aug 2023 00:42:07 +0000 (17:42 -0700)]
Add MonitorUpdatingPersister
MonitorUpdatingPersister is an implementation of Persister that stores
ChannelMonitorUpdates separately from ChannelMonitors. Its RFC is
in #2545, at https://github.com/orgs/lightningdevkit/discussions/2545.
Matt Corallo [Tue, 26 Sep 2023 21:28:29 +0000 (21:28 +0000)]
Set a default `max_total_routing_fee_msat` of 1% + 50sats
When using the normal default constructors, we should have some
fee maximum to ensure our default behavior is safe. Here we pick
1% + 50 sats to ensure we're always willing to pay
reasonabl(y high) fees, but not anything too wild.
Elias Rohrer [Tue, 26 Sep 2023 13:30:39 +0000 (15:30 +0200)]
Test `max_total_routing_fee_msat` handling when retrying overpaid paths
We setup an MPP scenario with two paths in which we need to overpay to
reach `htlc_minimum_msat`. We then fail the overpaid path and check that
on retry our `max_total_routing_fee_msat` only accounts for the path
fees, but not for the fees overpaid in the first attempt.
Matt Corallo [Thu, 21 Sep 2023 20:19:08 +0000 (20:19 +0000)]
Correct ChannelUnavailable error docs on `send_payment_with_route`
Monitor update failure can no longer lead to a `ChannelUnavailable`
error, but more common cases such as the peer being disconnected
always could, so those should be documented clearer.
Currently, users have no means to upper-bound the total fees accruing
when finding a route. Here, we add a corresponding field to
`RouteParameters` which will be used to limit the candidate set during
path finding in the following commits.
Matt Corallo [Mon, 25 Sep 2023 18:05:53 +0000 (18:05 +0000)]
Fix potential peer_state deadlocks in `finish_force_close_channel`
`ChannelManager::finish_force_close_channel` exists to do cleanups
which must happen without the `per_peer_state` mutex held. However,
because it lacked lock assertions, several changes snuck in
recently which resulted in it running with peer-state locks held,
risking a deadlock if some HTLCs need to be failed.
Blame outbound channel on UPDATE onion failure with 0-len update
We've run into this several times in the wild, likely due to
https://github.com/ElementsProject/lightning/issues/6200 wherein a node on the
path will error with 0x1000 but not provide a channel update (a spec
violation).
Previously, we would blame the inbound edge even though the buggy peer wanted
us to blame the outbound edge. Since this issue seems to be recurring and our
blaming the inbound edge is causing us to punish innocent channels, trust the
peer that the outbound edge is the one to blame.
Fix PaymentPathFailed::payment_failed_permanently on blinded path fail
Previously this value would be incorrectly set to true because we wouldn't
account for blinded hops when determining if we were processing the last hop's
failure packet.
Our ultimate goal with this field is to set
PaymentPathFailed::payment_failed_permanently, so use this name rather than
flipping a bool back and forth across methods.
Matt Corallo [Thu, 14 Sep 2023 20:02:46 +0000 (20:02 +0000)]
Add an `UnrecoverableError` variant to `ChannelMonitorUpdateStatus`
While there is no great way to handle a true failure to persist a
`ChannelMonitorUpdate`, it is confusing for users for there to be
no error variant at all on an I/O operation.
Thus, here we re-add the error variant removed over the past
handful of commits, but rather than handle it in a truly unsafe
way, we simply panic, optimizing for maximum mutex poisoning to
ensure any future operations fail and return immediately.
In the future, we may consider changing the handling of this to
instead set some "disconnect all peers and fail all operations"
bool to give the user a better chance to shutdown in a semi-orderly
fashion, but there's only so much that can be done in lightning if
we truly cannot persist new updates.
Matt Corallo [Sun, 10 Sep 2023 20:21:50 +0000 (20:21 +0000)]
Drop doc comments on `ChainMonitor` trait impl methods
In general, doc comments on trait impl blocks are not very visible
in rustdoc output, and unless they provide useful information they
should be elided.
Here we drop useless doc comments on `ChainMonitor`'s `Watch` impl
methods.
Matt Corallo [Sun, 10 Sep 2023 20:05:43 +0000 (20:05 +0000)]
Drop error handling in `handle_new_monitor_update`
Now that `handle_new_monitor_update` can no longer return an error,
it similarly no longer needs any code to handle errors. Here we
remove that code, substantially reducing macro variants.
Matt Corallo [Fri, 8 Sep 2023 00:05:56 +0000 (00:05 +0000)]
Update `ChannelMonitorUpdateStatus` documentation with async support
Since we now (almost) support async monitor update persistence, the
documentation on `ChannelMonitorUpdateStatus` can be updated to no
longer suggest users must keep a local copy that persists before
returning. However, because there are still a few remaining issues,
we note that async support is currently beta and explicily warn of
potential for funds-loss.
Matt Corallo [Wed, 30 Aug 2023 18:22:33 +0000 (18:22 +0000)]
Rename `MonitorEvent::CommitmentTxConfirmed` to `HolderForceClosed`
The `MonitorEvent::CommitmentTxConfirmed` has always been a result
of us force-closing the channel, not the counterparty doing so.
Thus, it was always a bit of a misnomer. Worse, it carried over
into the channel's `ClosureReason` in the event API.
Here we simply rename it and use the proper `ClosureReason`.
Matt Corallo [Sun, 10 Sep 2023 17:14:32 +0000 (17:14 +0000)]
Drop the `ChannelMonitorUpdateStatus::PermanentFailure` variant
When a `ChannelMonitorUpdate` fails to apply, it generally means
we cannot reach our storage backend. This, in general, is a
critical issue, but is often only a transient issue.
Sadly, users see the failure variant and return it on any I/O
error, resulting in channel force-closures due to transient issues.
Users don't generally expect force-closes in most cases, and
luckily with async `ChannelMonitorUpdate`s supported we don't take
any risk by "delaying" the `ChannelMonitorUpdate` indefinitely.
Thus, here we drop the `PermanentFailure` variant entirely, making
all failures instead be "the update is in progress, but won't ever
complete", which is equivalent if we do not close the channel
automatically.
Matt Corallo [Sun, 10 Sep 2023 22:11:56 +0000 (22:11 +0000)]
Rewrite failure payment retry tests to avoid perm-fail storage
Two tests in the payment tests currently rely on failing to persist
ChannelMonitorUpdates as their method of failing payments before
they even get out the door.
In the coming commits we'll drop the persist failure error codes,
so here rewrite these tests to rely on trying to send more than is
available in a channel.
Matt Corallo [Thu, 21 Sep 2023 01:44:23 +0000 (01:44 +0000)]
Use `Default::default()` to construct `()` as a test scoring param
In bindings, we can't use unbounded generic types, and thus have to
rip out the `ScoreParams` and replace them with static
`ProbabilisticScoringFeeParams` universally. To make this easier,
using `Default::default()` everywhere allows the type to change out
from under the test without the test needing to change.