X-Git-Url: http://git.bitcoin.ninja/index.cgi?a=blobdiff_plain;f=src%2Fln%2Fchannelmonitor.rs;h=f3c5c89f6e67cbc1c0e175b75439729385212d33;hb=6e1318b0e28522244493c280f556e6749694b81e;hp=acd63da79e1bd63b511bfc7ec49ed29bb3dbcebb;hpb=79a0a0c95910509b54ca98371758aac9af23b2ba;p=rust-lightning diff --git a/src/ln/channelmonitor.rs b/src/ln/channelmonitor.rs index acd63da7..f3c5c89f 100644 --- a/src/ln/channelmonitor.rs +++ b/src/ln/channelmonitor.rs @@ -1,8 +1,10 @@ //! The logic to monitor for on-chain transactions and create the relevant claim responses lives //! here. +//! //! ChannelMonitor objects are generated by ChannelManager in response to relevant //! messages/actions, and MUST be persisted to disk (and, preferably, remotely) before progress can //! be made in responding to certain messages, see ManyChannelMonitor for more. +//! //! Note that ChannelMonitors are an important part of the lightning trust model and a copy of the //! latest ChannelMonitor must always be actively monitoring for chain updates (and no out-of-date //! ChannelMonitors should do so). Thus, if you're building rust-lightning into an HSM or other @@ -40,6 +42,7 @@ use std::{hash,cmp}; pub enum ChannelMonitorUpdateErr { /// Used to indicate a temporary failure (eg connection to a watchtower failed, but is expected /// to succeed at some point in the future). + /// /// Such a failure will "freeze" a channel, preventing us from revoking old states or /// submitting new commitment transactions to the remote party. /// ChannelManager::test_restore_channel_monitor can be used to retry the update(s) and restore @@ -55,12 +58,14 @@ pub enum ChannelMonitorUpdateErr { /// them. Generally should be implemented by keeping a local SimpleManyChannelMonitor and passing /// events to it, while also taking any add_update_monitor events and passing them to some remote /// server(s). +/// /// Note that any updates to a channel's monitor *must* be applied to each instance of the /// channel's monitor everywhere (including remote watchtowers) *before* this function returns. If /// an update occurs and a remote watchtower is left with old state, it may broadcast transactions /// which we have revoked, allowing our counterparty to claim all funds in the channel! pub trait ManyChannelMonitor: Send + Sync { /// Adds or updates a monitor for the given `funding_txo`. + /// /// Implementor must also ensure that the funding_txo outpoint is registered with any relevant /// ChainWatchInterfaces such that the provided monitor receives block_connected callbacks with /// any spends of it. @@ -69,10 +74,13 @@ pub trait ManyChannelMonitor: Send + Sync { /// A simple implementation of a ManyChannelMonitor and ChainListener. Can be used to create a /// watchtower or watch our own channels. +/// /// Note that you must provide your own key by which to refer to channels. +/// /// If you're accepting remote monitors (ie are implementing a watchtower), you must verify that /// users cannot overwrite a given channel by providing a duplicate key. ie you should probably /// index by a PublicKey which is required to sign any updates. +/// /// If you're using this for local monitoring of your own channels, you probably want to use /// `OutPoint` as the key, which will give you a ManyChannelMonitor implementation. pub struct SimpleManyChannelMonitor { @@ -180,6 +188,7 @@ const MIN_SERIALIZATION_VERSION: u8 = 1; /// A ChannelMonitor handles chain events (blocks connected and disconnected) and generates /// on-chain transactions to ensure no loss of funds occurs. +/// /// You MUST ensure that no ChannelMonitors for a given channel anywhere contain out-of-date /// information and are actively monitoring the chain. pub struct ChannelMonitor {