1 // This file is Copyright its original authors, visible in version control
4 // This file is licensed under the Apache License, Version 2.0 <LICENSE-APACHE
5 // or http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
6 // <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your option.
7 // You may not use this file except in accordance with one or both of these
10 //! Various user-configurable channel limits and settings which ChannelManager
13 use ln::channel::MAX_FUNDING_SATOSHIS_NO_WUMBO;
14 use ln::channelmanager::{BREAKDOWN_TIMEOUT, MAX_LOCAL_BREAKDOWN_TIMEOUT};
16 /// Configuration we set when applicable.
18 /// Default::default() provides sane defaults.
19 #[derive(Copy, Clone, Debug)]
20 pub struct ChannelHandshakeConfig {
21 /// Confirmations we will wait for before considering the channel locked in.
22 /// Applied only for inbound channels (see ChannelHandshakeLimits::max_minimum_depth for the
23 /// equivalent limit applied to outbound channels).
26 pub minimum_depth: u32,
27 /// Set to the number of blocks we require our counterparty to wait to claim their money (ie
28 /// the number of blocks we have to punish our counterparty if they broadcast a revoked
31 /// This is one of the main parameters of our security model. We (or one of our watchtowers) MUST
32 /// be online to check for revoked transactions on-chain at least once every our_to_self_delay
33 /// blocks (minus some margin to allow us enough time to broadcast and confirm a transaction,
34 /// possibly with time in between to RBF the spending transaction).
36 /// Meanwhile, asking for a too high delay, we bother peer to freeze funds for nothing in
37 /// case of an honest unilateral channel close, which implicitly decrease the economic value of
40 /// Default value: [`BREAKDOWN_TIMEOUT`], we enforce it as a minimum at channel opening so you
41 /// can tweak config to ask for more security, not less.
42 pub our_to_self_delay: u16,
43 /// Set to the smallest value HTLC we will accept to process.
45 /// This value is sent to our counterparty on channel-open and we close the channel any time
46 /// our counterparty misbehaves by sending us an HTLC with a value smaller than this.
48 /// Default value: 1. If the value is less than 1, it is ignored and set to 1, as is required
50 pub our_htlc_minimum_msat: u64,
51 /// Sets the percentage of the channel value we will cap the total value of outstanding inbound
54 /// This can be set to a value between 1-100, where the value corresponds to the percent of the
55 /// channel value in whole percentages.
58 /// * If configured to another value than the default value 10, any new channels created with
59 /// the non default value will cause versions of LDK prior to 0.0.104 to refuse to read the
62 /// * This caps the total value for inbound HTLCs in-flight only, and there's currently
63 /// no way to configure the cap for the total value of outbound HTLCs in-flight.
65 /// * The requirements for your node being online to ensure the safety of HTLC-encumbered funds
66 /// are different from the non-HTLC-encumbered funds. This makes this an important knob to
67 /// restrict exposure to loss due to being offline for too long.
68 /// See [`ChannelHandshakeConfig::our_to_self_delay`] and [`ChannelConfig::cltv_expiry_delta`]
69 /// for more information.
71 /// Default value: 10.
72 /// Minimum value: 1, any values less than 1 will be treated as 1 instead.
73 /// Maximum value: 100, any values larger than 100 will be treated as 100 instead.
74 pub max_inbound_htlc_value_in_flight_percent_of_channel: u8,
75 /// If set, we attempt to negotiate the `scid_privacy` (referred to as `scid_alias` in the
76 /// BOLTs) option for outbound private channels. This provides better privacy by not including
77 /// our real on-chain channel UTXO in each invoice and requiring that our counterparty only
78 /// relay HTLCs to us using the channel's SCID alias.
80 /// If this option is set, channels may be created that will not be readable by LDK versions
81 /// prior to 0.0.106, causing [`ChannelManager`]'s read method to return a
82 /// [`DecodeError:InvalidValue`].
84 /// Note that setting this to true does *not* prevent us from opening channels with
85 /// counterparties that do not support the `scid_alias` option; we will simply fall back to a
86 /// private channel without that option.
88 /// Ignored if the channel is negotiated to be announced, see
89 /// [`ChannelConfig::announced_channel`] and
90 /// [`ChannelHandshakeLimits::force_announced_channel_preference`] for more.
92 /// Default value: false. This value is likely to change to true in the future.
94 /// [`ChannelManager`]: crate::ln::channelmanager::ChannelManager
95 /// [`DecodeError:InvalidValue`]: crate::ln::msgs::DecodeError::InvalidValue
96 pub negotiate_scid_privacy: bool,
99 impl Default for ChannelHandshakeConfig {
100 fn default() -> ChannelHandshakeConfig {
101 ChannelHandshakeConfig {
103 our_to_self_delay: BREAKDOWN_TIMEOUT,
104 our_htlc_minimum_msat: 1,
105 max_inbound_htlc_value_in_flight_percent_of_channel: 10,
106 negotiate_scid_privacy: false,
111 /// Optional channel limits which are applied during channel creation.
113 /// These limits are only applied to our counterparty's limits, not our own.
115 /// Use 0/<type>::max_value() as appropriate to skip checking.
117 /// Provides sane defaults for most configurations.
119 /// Most additional limits are disabled except those with which specify a default in individual
120 /// field documentation. Note that this may result in barely-usable channels, but since they
121 /// are applied mostly only to incoming channels that's not much of a problem.
122 #[derive(Copy, Clone, Debug)]
123 pub struct ChannelHandshakeLimits {
124 /// Minimum allowed satoshis when a channel is funded. This is supplied by the sender and so
125 /// only applies to inbound channels.
127 /// Default value: 0.
128 pub min_funding_satoshis: u64,
129 /// Maximum allowed satoshis when a channel is funded. This is supplied by the sender and so
130 /// only applies to inbound channels.
132 /// Default value: 2^24 - 1.
133 pub max_funding_satoshis: u64,
134 /// The remote node sets a limit on the minimum size of HTLCs we can send to them. This allows
135 /// you to limit the maximum minimum-size they can require.
137 /// Default value: u64::max_value.
138 pub max_htlc_minimum_msat: u64,
139 /// The remote node sets a limit on the maximum value of pending HTLCs to them at any given
140 /// time to limit their funds exposure to HTLCs. This allows you to set a minimum such value.
142 /// Default value: 0.
143 pub min_max_htlc_value_in_flight_msat: u64,
144 /// The remote node will require we keep a certain amount in direct payment to ourselves at all
145 /// time, ensuring that we are able to be punished if we broadcast an old state. This allows to
146 /// you limit the amount which we will have to keep to ourselves (and cannot use for HTLCs).
148 /// Default value: u64::max_value.
149 pub max_channel_reserve_satoshis: u64,
150 /// The remote node sets a limit on the maximum number of pending HTLCs to them at any given
151 /// time. This allows you to set a minimum such value.
153 /// Default value: 0.
154 pub min_max_accepted_htlcs: u16,
155 /// Before a channel is usable the funding transaction will need to be confirmed by at least a
156 /// certain number of blocks, specified by the node which is not the funder (as the funder can
157 /// assume they aren't going to double-spend themselves).
158 /// This config allows you to set a limit on the maximum amount of time to wait.
160 /// Default value: 144, or roughly one day and only applies to outbound channels.
161 pub max_minimum_depth: u32,
162 /// Whether we implicitly trust funding transactions generated by us for our own outbound
163 /// channels to not be double-spent.
165 /// If this is set, we assume that our own funding transactions are *never* double-spent, and
166 /// thus we can trust them without any confirmations. This is generally a reasonable
167 /// assumption, given we're the only ones who could ever double-spend it (assuming we have sole
168 /// control of the signing keys).
170 /// You may wish to un-set this if you allow the user to (or do in an automated fashion)
171 /// double-spend the funding transaction to RBF with an alternative channel open.
173 /// This only applies if our counterparty set their confirmations-required value to 0, and we
174 /// always trust our own funding transaction at 1 confirmation irrespective of this value.
175 /// Thus, this effectively acts as a `min_minimum_depth`, with the only possible values being
176 /// `true` (0) and `false` (1).
178 /// Default value: true
179 pub trust_own_funding_0conf: bool,
180 /// Set to force an incoming channel to match our announced channel preference in
181 /// [`ChannelConfig::announced_channel`].
183 /// For a node which is not online reliably, this should be set to true and
184 /// [`ChannelConfig::announced_channel`] set to false, ensuring that no announced (aka public)
185 /// channels will ever be opened.
187 /// Default value: true.
188 pub force_announced_channel_preference: bool,
189 /// Set to the amount of time we're willing to wait to claim money back to us.
191 /// Not checking this value would be a security issue, as our peer would be able to set it to
192 /// max relative lock-time (a year) and we would "lose" money as it would be locked for a long time.
194 /// Default value: 2016, which we also enforce as a maximum value so you can tweak config to
195 /// reduce the loss of having useless locked funds (if your peer accepts)
196 pub their_to_self_delay: u16
199 impl Default for ChannelHandshakeLimits {
200 fn default() -> Self {
201 ChannelHandshakeLimits {
202 min_funding_satoshis: 0,
203 max_funding_satoshis: MAX_FUNDING_SATOSHIS_NO_WUMBO,
204 max_htlc_minimum_msat: <u64>::max_value(),
205 min_max_htlc_value_in_flight_msat: 0,
206 max_channel_reserve_satoshis: <u64>::max_value(),
207 min_max_accepted_htlcs: 0,
208 trust_own_funding_0conf: true,
209 max_minimum_depth: 144,
210 force_announced_channel_preference: true,
211 their_to_self_delay: MAX_LOCAL_BREAKDOWN_TIMEOUT,
216 /// Options which apply on a per-channel basis and may change at runtime or based on negotiation
217 /// with our counterparty.
218 #[derive(Copy, Clone, Debug)]
219 pub struct ChannelConfig {
220 /// Amount (in millionths of a satoshi) charged per satoshi for payments forwarded outbound
221 /// over the channel.
222 /// This may be allowed to change at runtime in a later update, however doing so must result in
223 /// update messages sent to notify all nodes of our updated relay fee.
225 /// Default value: 0.
226 pub forwarding_fee_proportional_millionths: u32,
227 /// Amount (in milli-satoshi) charged for payments forwarded outbound over the channel, in
228 /// excess of [`forwarding_fee_proportional_millionths`].
229 /// This may be allowed to change at runtime in a later update, however doing so must result in
230 /// update messages sent to notify all nodes of our updated relay fee.
232 /// The default value of a single satoshi roughly matches the market rate on many routing nodes
233 /// as of July 2021. Adjusting it upwards or downwards may change whether nodes route through
236 /// Default value: 1000.
238 /// [`forwarding_fee_proportional_millionths`]: ChannelConfig::forwarding_fee_proportional_millionths
239 pub forwarding_fee_base_msat: u32,
240 /// The difference in the CLTV value between incoming HTLCs and an outbound HTLC forwarded over
241 /// the channel this config applies to.
243 /// This is analogous to [`ChannelHandshakeConfig::our_to_self_delay`] but applies to in-flight
244 /// HTLC balance when a channel appears on-chain whereas
245 /// [`ChannelHandshakeConfig::our_to_self_delay`] applies to the remaining
246 /// (non-HTLC-encumbered) balance.
248 /// Thus, for HTLC-encumbered balances to be enforced on-chain when a channel is force-closed,
249 /// we (or one of our watchtowers) MUST be online to check for broadcast of the current
250 /// commitment transaction at least once per this many blocks (minus some margin to allow us
251 /// enough time to broadcast and confirm a transaction, possibly with time in between to RBF
252 /// the spending transaction).
254 /// Default value: 72 (12 hours at an average of 6 blocks/hour).
255 /// Minimum value: [`MIN_CLTV_EXPIRY_DELTA`], any values less than this will be treated as
256 /// [`MIN_CLTV_EXPIRY_DELTA`] instead.
258 /// [`MIN_CLTV_EXPIRY_DELTA`]: crate::ln::channelmanager::MIN_CLTV_EXPIRY_DELTA
259 pub cltv_expiry_delta: u16,
260 /// Set to announce the channel publicly and notify all nodes that they can route via this
263 /// This should only be set to true for nodes which expect to be online reliably.
265 /// As the node which funds a channel picks this value this will only apply for new outbound
266 /// channels unless [`ChannelHandshakeLimits::force_announced_channel_preference`] is set.
268 /// This cannot be changed after the initial channel handshake.
270 /// Default value: false.
271 pub announced_channel: bool,
272 /// When set, we commit to an upfront shutdown_pubkey at channel open. If our counterparty
273 /// supports it, they will then enforce the mutual-close output to us matches what we provided
274 /// at intialization, preventing us from closing to an alternate pubkey.
276 /// This is set to true by default to provide a slight increase in security, though ultimately
277 /// any attacker who is able to take control of a channel can just as easily send the funds via
278 /// lightning payments, so we never require that our counterparties support this option.
280 /// This cannot be changed after a channel has been initialized.
282 /// Default value: true.
283 pub commit_upfront_shutdown_pubkey: bool,
284 /// Limit our total exposure to in-flight HTLCs which are burned to fees as they are too
285 /// small to claim on-chain.
287 /// When an HTLC present in one of our channels is below a "dust" threshold, the HTLC will
288 /// not be claimable on-chain, instead being turned into additional miner fees if either
289 /// party force-closes the channel. Because the threshold is per-HTLC, our total exposure
290 /// to such payments may be sustantial if there are many dust HTLCs present when the
291 /// channel is force-closed.
293 /// This limit is applied for sent, forwarded, and received HTLCs and limits the total
294 /// exposure across all three types per-channel. Setting this too low may prevent the
295 /// sending or receipt of low-value HTLCs on high-traffic nodes, and this limit is very
296 /// important to prevent stealing of dust HTLCs by miners.
298 /// Default value: 5_000_000 msat.
299 pub max_dust_htlc_exposure_msat: u64,
300 /// The additional fee we're willing to pay to avoid waiting for the counterparty's
301 /// `to_self_delay` to reclaim funds.
303 /// When we close a channel cooperatively with our counterparty, we negotiate a fee for the
304 /// closing transaction which both sides find acceptable, ultimately paid by the channel
305 /// funder/initiator.
307 /// When we are the funder, because we have to pay the channel closing fee, we bound the
308 /// acceptable fee by our [`Background`] and [`Normal`] fees, with the upper bound increased by
309 /// this value. Because the on-chain fee we'd pay to force-close the channel is kept near our
310 /// [`Normal`] feerate during normal operation, this value represents the additional fee we're
311 /// willing to pay in order to avoid waiting for our counterparty's to_self_delay to reclaim our
314 /// When we are not the funder, we require the closing transaction fee pay at least our
315 /// [`Background`] fee estimate, but allow our counterparty to pay as much fee as they like.
316 /// Thus, this value is ignored when we are not the funder.
318 /// Default value: 1000 satoshis.
320 /// [`Normal`]: crate::chain::chaininterface::ConfirmationTarget::Normal
321 /// [`Background`]: crate::chain::chaininterface::ConfirmationTarget::Background
322 pub force_close_avoidance_max_fee_satoshis: u64,
325 impl Default for ChannelConfig {
326 /// Provides sane defaults for most configurations (but with zero relay fees!).
327 fn default() -> Self {
329 forwarding_fee_proportional_millionths: 0,
330 forwarding_fee_base_msat: 1000,
331 cltv_expiry_delta: 6 * 12, // 6 blocks/hour * 12 hours
332 announced_channel: false,
333 commit_upfront_shutdown_pubkey: true,
334 max_dust_htlc_exposure_msat: 5_000_000,
335 force_close_avoidance_max_fee_satoshis: 1000,
340 impl_writeable_tlv_based!(ChannelConfig, {
341 (0, forwarding_fee_proportional_millionths, required),
342 (1, max_dust_htlc_exposure_msat, (default_value, 5_000_000)),
343 (2, cltv_expiry_delta, required),
344 (3, force_close_avoidance_max_fee_satoshis, (default_value, 1000)),
345 (4, announced_channel, required),
346 (6, commit_upfront_shutdown_pubkey, required),
347 (8, forwarding_fee_base_msat, required),
350 /// Top-level config which holds ChannelHandshakeLimits and ChannelConfig.
352 /// Default::default() provides sane defaults for most configurations
353 /// (but currently with 0 relay fees!)
354 #[derive(Copy, Clone, Debug)]
355 pub struct UserConfig {
356 /// Channel config that we propose to our counterparty.
357 pub own_channel_config: ChannelHandshakeConfig,
358 /// Limits applied to our counterparty's proposed channel config settings.
359 pub peer_channel_config_limits: ChannelHandshakeLimits,
360 /// Channel config which affects behavior during channel lifetime.
361 pub channel_options: ChannelConfig,
362 /// If this is set to false, we will reject any HTLCs which were to be forwarded over private
363 /// channels. This prevents us from taking on HTLC-forwarding risk when we intend to run as a
364 /// node which is not online reliably.
366 /// For nodes which are not online reliably, you should set all channels to *not* be announced
367 /// (using [`ChannelConfig::announced_channel`] and
368 /// [`ChannelHandshakeLimits::force_announced_channel_preference`]) and set this to false to
369 /// ensure you are not exposed to any forwarding risk.
371 /// Note that because you cannot change a channel's announced state after creation, there is no
372 /// way to disable forwarding on public channels retroactively. Thus, in order to change a node
373 /// from a publicly-announced forwarding node to a private non-forwarding node you must close
374 /// all your channels and open new ones. For privacy, you should also change your node_id
375 /// (swapping all private and public key material for new ones) at that time.
377 /// Default value: false.
378 pub accept_forwards_to_priv_channels: bool,
379 /// If this is set to false, we do not accept inbound requests to open a new channel.
380 /// Default value: true.
381 pub accept_inbound_channels: bool,
382 /// If this is set to true, the user needs to manually accept inbound requests to open a new
385 /// When set to true, [`Event::OpenChannelRequest`] will be triggered once a request to open a
386 /// new inbound channel is received through a [`msgs::OpenChannel`] message. In that case, a
387 /// [`msgs::AcceptChannel`] message will not be sent back to the counterparty node unless the
388 /// user explicitly chooses to accept the request.
390 /// Default value: false.
392 /// [`Event::OpenChannelRequest`]: crate::util::events::Event::OpenChannelRequest
393 /// [`msgs::OpenChannel`]: crate::ln::msgs::OpenChannel
394 /// [`msgs::AcceptChannel`]: crate::ln::msgs::AcceptChannel
395 pub manually_accept_inbound_channels: bool,
398 impl Default for UserConfig {
399 fn default() -> Self {
401 own_channel_config: ChannelHandshakeConfig::default(),
402 peer_channel_config_limits: ChannelHandshakeLimits::default(),
403 channel_options: ChannelConfig::default(),
404 accept_forwards_to_priv_channels: false,
405 accept_inbound_channels: true,
406 manually_accept_inbound_channels: false,