feature: define option_zero_htlc_tx_fee (feature 22/23) #824
Conversation
09-features.md
Outdated
| @@ -39,6 +39,7 @@ The Context column decodes as follows: | |||
| | 16/17 | `basic_mpp` | Node can receive basic multi-part payments | IN9 | `payment_secret` | [BOLT #4][bolt04-mpp] | | |||
| | 18/19 | `option_support_large_channel` | Can create large channels | IN | | [BOLT #2](02-peer-protocol.md#the-open_channel-message) | | |||
| | 20/21 | `option_anchor_outputs` | Anchor outputs | IN | `option_static_remotekey` | [BOLT #3](03-transactions.md) | | |||
| | 22/23 | `option_zero_fee_second_stage` | Anchor commitment type with zero fee second-stage HTLC txs| IN | `option_anchor_outputs` | [BOLT #3](03-transactions.md) | | |||
There was a problem hiding this comment.
We can discuss what bit to use, but to me it sounds preferable to just one-up the anchor bit.
There was a problem hiding this comment.
Or, depending on how widely anchors have been rolled out (on mainnet not a lot apart from the devs I would guess) we could just say that option_anchor_outputs means also this new zero-fee requirement.
|
You went through all the painful steps of #815 to find the right tx weight, just to multiply that by 0? ¯_(ツ)_/¯ I'll think about this more thoroughly, thanks for sharing! What feature bit are you currently using in lnd if we want to do some testing? |
There was a problem hiding this comment.
I prefer this approach over the one proposed in your 11/23 mail :)
Advantages:
- it doesn't make the number of HTLCs function of channel_reserve, you might have a trusted relation with your counterparty thus not caring at all about reserve but willingly to have high HTLC-throughput
- it avoids adverserial, congestioned mempools where a commitment tx with 10sat/b doesn't propagate, and confirm, even if the proposed feerate is likely fine for now
- less channel liquidity provisioned as likely-not-used onchain feerate
Disadvantages:
- increase the cost of any "sad path" channel closure by encumbering HTLC txn, even aggregated, with a bumping utxo spent
For a full-BYOF future, it could be super interesting to model when BYOF is a satoshi loss compare to update_fee. You should take as parameters a channel liquidity usage rate over a block period, a routing fees rate and a % of unilateral channel closure. At some high-level of mempool congestion it will be theoritically more interesting to switch back to update_fee as the bumping utxo cost you more that the marginal routing fees gain from the non-feerate committed liquidity 🤔
09-features.md
Outdated
| @@ -39,6 +39,7 @@ The Context column decodes as follows: | |||
| | 16/17 | `basic_mpp` | Node can receive basic multi-part payments | IN9 | `payment_secret` | [BOLT #4][bolt04-mpp] | | |||
| | 18/19 | `option_support_large_channel` | Can create large channels | IN | | [BOLT #2](02-peer-protocol.md#the-open_channel-message) | | |||
| | 20/21 | `option_anchor_outputs` | Anchor outputs | IN | `option_static_remotekey` | [BOLT #3](03-transactions.md) | | |||
| | 22/23 | `option_zero_fee_second_stage` | Anchor commitment type with zero fee second-stage HTLC txs| IN | `option_anchor_outputs` | [BOLT #3](03-transactions.md) | | |||
There was a problem hiding this comment.
What about adding the original vulnerability mail as a footnote, let's ease understanding of this cryptic option rational by future LN devs ?
@t-bast Haha. Yeah, I have to do actual weight estimation now when bumping the fees instead of relying on magic constants, so had to go through to make sure it was correct 😀
I have a branch here if you want to test, using feature bits 22/23: lightningnetwork/lnd#4840 |
@ariard I prefer this also :) Thanks for your suggestions, I will update the PR! The main thing to agree on at this point I think, is the feature bit. I see three avenues to take:
I prefer 1 or 2, they should be similar in complexity. 1 is perhaps better for avoiding the spec to sprawl too much, but harder to guarantee that it won't have unintended consequences for existing deployments of anchors. |
|
From RL-side, I favor 1., our anchor implementation doesn't bump if feerate is still gauged as fast-confirm according to the fee-estimator at first-broadcast so just have to remove this check and also it would let remove some feerate negotiation code. I don't think anchors outputs has been rolled out on mainet beyond LND so OG anchor channels aren't that much a concern but I would let other implems confirm this point? |
|
No, you have to make this a new bit, don't roll it into anchors (though this should require anchors, ofc). Anchors is already deployed, and this will cause massive confusion. Plus if there are bugs it's easier to disable a single feature. Secondly, please call it "option_zero_htlc_tx_fee" since the term "htlc transaction" is used in the spec. |
|
Renamed to |
halseth
changed the title
|
ACK on the behavioral changes in this PR. My only concern is with the interaction of the new feature bit with The primary distinction is that IMO If we don't take this approach, consider Alice and Bob advertising the following:
where Alice will reject any attempt to make a broken anchor channel. When Bob is proposing, he will ignore the optional So, by forcing Alice to signal As far as it pertains to the spec, it means we would need to update any existing references of NOTE: There is a similar discussion to be had as to whether EDIT: On second thought, maybe it is a good idea to make all commitment formats dependency free... |
|
I think @cfromknecht raises a very good point here. If we want Alice to be able to advertize support for |
|
I think that makes sense. The lnd imlementation has been updated to only set this new bit, and not the "old" anchor bit. Will update this PR as well. |
|
Updated to remove the dependency on previous feature bits, and added definition of This is used everywhere in the spec where the two formats now should be handled equally. |
|
If anybody wants to test, lnd has merged support for what is outlined in this PR to master. EDIT: and it is also included with v0.12 RC1. |
|
ACK e4f1579 Will jump directly to this new commitment transaction format for RL. |
| @@ -378,10 +378,14 @@ This message introduces the `channel_id` to identify the channel. It's derived f | |||
| #### Requirements | |||
|
|
|||
| Both peers: | |||
| - if `option_static_remotekey` or `option_anchor_outputs` was negotiated: | |||
| - `option_static_remotekey` or `option_anchor_outputs` applies to all commitment transactions | |||
| - if `option_static_remotekey`, `option_anchor_outputs` or | |||
There was a problem hiding this comment.
since option_anchors has been added to cover _outputs and _zero_fee_htlc_tx, why is it not used here?
There was a problem hiding this comment.
Worse, you don't define what the effect is if both are negotiated!
- if `option_anchors_zero_fee_htlc_tx` was negotiated:
- `option_anchor_outputs` is ignored.
...
Rationale:
`option_anchors_zero_fee_htlc_tx` is considered superior to `option_anchor_outputs`, so is favored if both are negotiated.
There was a problem hiding this comment.
If both are negotiated, then both can apply which I don't think is a problem since the latter is a superset of features.
I added a rationale and also specified option_anchors the places where option_static_remotekey defines behavior (since technically option_anchors_zero_fee_htlc_tx does no longer depend on option_static_remotekey): 75a4cde
09-features.md
Outdated
| @@ -39,6 +39,11 @@ The Context column decodes as follows: | |||
| | 16/17 | `basic_mpp` | Node can receive basic multi-part payments | IN9 | `payment_secret` | [BOLT #4][bolt04-mpp] | | |||
| | 18/19 | `option_support_large_channel` | Can create large channels | IN | | [BOLT #2](02-peer-protocol.md#the-open_channel-message) | | |||
| | 20/21 | `option_anchor_outputs` | Anchor outputs | IN | `option_static_remotekey` | [BOLT #3](03-transactions.md) | | |||
| | 22/23 | `option_anchors_zero_fee_htlc_tx` | Anchor commitment type with zero fee HTLC txs | IN | | [BOLT #3][bolt03-htlc-tx], [lightning-dev][ml-zero-fee-vuln]| | |||
There was a problem hiding this comment.
Depends on option_static_remotekey, please.
There was a problem hiding this comment.
I guess this was deliberate because of #824 (comment) :
On second thought, maybe it is a good idea to make all commitment formats dependency free...
There was a problem hiding this comment.
No, it's a terrible idea because it blows up the test matrix. This without static_remotekey is unsupported, just make that clear in the spec and we can all sleep easy.
| @@ -378,10 +378,14 @@ This message introduces the `channel_id` to identify the channel. It's derived f | |||
| #### Requirements | |||
|
|
|||
| Both peers: | |||
| - if `option_static_remotekey` or `option_anchor_outputs` was negotiated: | |||
| - `option_static_remotekey` or `option_anchor_outputs` applies to all commitment transactions | |||
| - if `option_static_remotekey`, `option_anchor_outputs` or | |||
There was a problem hiding this comment.
Worse, you don't define what the effect is if both are negotiated!
- if `option_anchors_zero_fee_htlc_tx` was negotiated:
- `option_anchor_outputs` is ignored.
...
Rationale:
`option_anchors_zero_fee_htlc_tx` is considered superior to `option_anchor_outputs`, so is favored if both are negotiated.
halseth
force-pushed
the
zero-fee-second-stage
branch
from
e4f1579
to
77dfee2
Compare
rustyrussell
changed the title
|
I realize now this never was merged in, lnd has been using this feature bit for the last major version (0.13) in the wild. Have other implementations shipped a release that uses this new bit? |
|
Not yet for eclair, but it is on the short term todo list ;) |
|
|
||
| `option_anchors_zero_fee_htlc_tx` is considered superior to | ||
| `option_anchor_outputs`, which again is considered superior to | ||
| `option_static_remotekey`, and the superior one is is favored if more than one |
| 2. if `option_anchors_zero_fee_htlc_tx` applies: | ||
| - MUST combine it with inputs contributing sufficient fee to ensure timely | ||
| inclusion in a block. | ||
| - MAY combine it with other transactions. |
There was a problem hiding this comment.
This MAY is really unsafe, if the combined-with transaction includes an input from a third-party transaction you might have feerate manipulation (like big witness data). Or same if it pays to a third-party (pinning the first-broadcast HTLC-txn and blocking any replacement)
| @@ -41,6 +41,10 @@ The Context column decodes as follows: | |||
| | 20/21 | `option_anchor_outputs` | Anchor outputs | IN | `option_static_remotekey` | [BOLT #3](03-transactions.md) | | |||
| | 22/23 | `option_anchors_zero_fee_htlc_tx` | Anchor commitment type with zero fee HTLC transactions | IN | | [BOLT #3][bolt03-htlc-tx], [lightning-dev][ml-sighash-single-harmful]| | |||
|
|
|||
| ## Definitions | |||
|
|
|||
| We define `option_anchors` as `option_anchor_outputs || option_anchors_zero_fee_htlc_tx`. | |||
There was a problem hiding this comment.
Commenting here that we want the table row above to explicitly add the static key dependancy.
|
Will squash this and have it land now, then make a smol follow up PR with the additions. |
|
@halseth enjoy a glass of champagne, it eventually landed! 😆 |
Add support for lightning/bolts#824 When the channel type is anchor outputs with zero fee htlc txs, we set the fees for the htlc txs to 0. An important side-effect is that it changes the trimmed to dust calculation, and outputs that were previously dust can now be included in the commit tx.
Extension to the anchor output format that hinders the fee siphoning attack described by @ariard in https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-September/002796.html
The fix itself, making the HTLC second stage transactions zero fee, was proposed by @ariard in the same thread.