Funding_tx: add anti-fee sniping recommendation and check if final

[ariard]

First commit checks if the funding transaction is final for propagation. If the nLocktime field has been set for any reason (e.g anti-fee sniping) and our bitcoind client is a bit behind, we may fail the p2p propagation in case of fast signatures exchange with our counterparty.

While this check is implemented the nearest from the user to allow correction, one alternative could be to make a requirement of BroadcastInterface::broadcast_transaction to check for transaction finality, beyond our scope. broadcast_transaction could be modified to return a boolean, potentially signaling a transaction standardness issue, that we would propagate back to the user within an APIError::BroadcastFailure ?

Second commit invites funding transaction software to implement anti-fee sniping, I think a wallet best practice across the ecosystem to align the long-term incentives of the miners.

[TheBlueMatt]

Sure, makes sense.

[TheBlueMatt]

nit: wrap with <> to make it a "real" link (and add a \n). Also...man there needs to be a better link, maybe optech has one?

[ariard]

Yeah I was thinking to point towards BIP326, though Taproot-only and I don't believe the nSequence will be really binding in practice for off-chain contract : https://github.com/bitcoin/bips/blob/master/bip-0326.mediawiki

Optech good one : https://bitcoinops.org/en/topics/fee-sniping/

[TheBlueMatt]

Maybe +2 or +3 to give a little bit of headroom?

[ariard]

IIRC Core is strict on the +1 ? If we give a headroom and the transaction is inside that window, we fail ?

[TheBlueMatt]

Hmm, true. I guess I worry that if we reject hard at exactly +1 we'll fail to accept in some race conditions around block connection orders and the easy way to fix that is to break the anti-fee-sniping stuff by just subtracting one.

[ariard]

Yeah, thinking more I would assume that your bitcoind is never behind as it should be the authoritative source of blocks for the other modules I think it's really hard to make assumption on the block connection orders between your wallet and LDK. So taking the +2 in case the wallet is faster than LDK. However, unless you have multiple and non-reconciliated (meeeeh...) block sources, your wallet shouldn't be faster than bitcoind-or-equivalent and not hit the headroom window (contrary what I was worried about in previous comment).

[wpaulino]

If we rebroadcast funding transactions (e.g., every block), we could be a bit more forgiving here regarding the window. I wonder if this is something we'd want to do anyway outside of this context to ensure transaction propagation, as they could be dropped from mempools due to other higher fee transactions.

[ariard]

Apart of the funding and closing transactions, I think we fee-bump and rebroadcast all our LN transactions in OnchainTxHandler. Of course, it would be really nice if we implement fee-bumping for those transactions suiting the user confirmation requirements (or to hedge against unreliable tx-relay peers). I think it's better implemented by us rather than BroadcastInterface as we might have view on the user UTXO set (at least after anchor output). My thinking on that has always been to wait to support dual-funding and splicing, as fee-bumping is part of the spec for both opening and close. That way we would have all our transactions scheduled by one unified component OnchainTxHandler (where it would become a trait and given access to ChannelManager, only of being a ChannelMonitor's struct for now).

[codecov-commenter]

Codecov Report

Merging #1531 (f99fa81) into main (22dc964) will decrease coverage by 0.01%.
The diff coverage is 91.17%.

❗ Current head f99fa81 differs from pull request most recent head 69344fa. Consider uploading reports for the commit 69344fa to get more accurate results

@@            Coverage Diff             @@
##             main    #1531      +/-   ##
==========================================
- Coverage   90.94%   90.93%   -0.02%     
==========================================
  Files          80       80              
  Lines       43469    43503      +34     
  Branches    43469    43503      +34     
==========================================
+ Hits        39533    39559      +26     
- Misses       3936     3944       +8     

Impacted Files	Coverage Δ
lightning/src/ln/functional_tests.rs	97.04% <90.00%> (-0.13%)	⬇️
lightning/src/ln/channelmanager.rs	84.34% <100.00%> (+0.01%)	⬆️
lightning-net-tokio/src/lib.rs	77.16% <0.00%> (+0.30%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 22dc964...69344fa. Read the comment docs.

[ariard]

Updated at 2cae4ef with suggestions. Added test_non_final_funding_tx to exercise new APIError.

[wpaulino]

Not something to worry about yet, but we should make this very clear in the release notes, as I'm unsure of how prevalent the use of final transactions is across our users.

[wpaulino]

If we rebroadcast funding transactions (e.g., every block), we could be a bit more forgiving here regarding the window. I wonder if this is something we'd want to do anyway outside of this context to ensure transaction propagation, as they could be dropped from mempools due to other higher fee transactions.

[ariard]

Updated at f99fa81, with review comment addressed.

Not something to worry about yet, but we should make this very clear in the release notes, as I'm unsure of how prevalent the use of final transactions is across our users.

Well to be propagated and included a transaction must be final no ? I think what is worrying are users calling our API with non-final transactions, and from now on we would reject them. At least with an error instead of a silent sendrawtransaction if you implement a really basic BroadcastInterface. Though yep, better to document that clearly in release notes.

[ariard]

Updated at 6e4a895 with comment addressed. Test has been updated in consequence.

[ariard]

Updated at 69344fa with comments addressed.