Support opening anchor channels and test end-to-end unilateral close #1860
Conversation
|
Currently, it doesn't expose any way to automatically reject inbound anchor channels (e.g., low onchain funds) and it doesn't force users to manually accept them either (like with zero conf). I'd imagine we'd at least want to implement the latter before considering merging this. |
|
Note, there was a security issue affecting LND/Core Lightning anchor output support few months ago: https://lists.linuxfoundation.org/pipermail/lightning-dev/2022-April/003561.html. Briefly, anchor output relaxes the sighash flags for second-stage HTLC transactions from With the current state of our parsing logic in |
|
Let's make sure we have test coverage that would have caught #1825 (comment) |
|
More test coverage requested from #1825: #1825 (comment) |
|
Needs rebase now 🎉 |
|
And more test coverage: #1825 (comment) |
|
Working on the aggregated revoked HTLC test before I push another update to this. There are definitely several more cases we should be testing, but in the spirit of keeping PRs relatively small, this PR will just focus on that edge case and the happy case. |
There was a problem hiding this comment.
Left few reviews comments.
There are definitely several more cases we should be testing, but in the spirit of keeping PRs relatively small, this PR will just focus on that edge case and the happy case.
We can even move the aggregated revoked HTLC test in its own PR, bundled with few others from #1825. I think it's already good if we focus just on all the cases of features bit interpretation in both directions here, including unsafe option_anchor_outputs attempts.
wpaulino
force-pushed
the
open-channel-anchors-support
branch
from
1231907 to
0d7b5fa
Compare
| /// [`ChannelManager`]: crate::ln::channelmanager::ChannelManager | ||
| /// [`DecodeError::InvalidValue`]: crate::ln::msgs::DecodeError::InvalidValue | ||
| /// [`SIGHASH_SINGLE + update_fee Considered Harmful`]: https://lists.linuxfoundation.org/pipermail/lightning-dev/2020-September/002796.html | ||
| pub negotiate_anchors_zero_fee_htlc_tx: bool, |
There was a problem hiding this comment.
Do we want a separate flag for "dont accept anchor channels" in addition to "open outbound channels"?
There was a problem hiding this comment.
Possibly. We'll also want to base our acceptance of anchor channels on our availability of fee UTXOs, which will come in a follow-up, so we could choose to do it all there.
wpaulino
force-pushed
the
open-channel-anchors-support
branch
from
0d7b5fa to
523c412
Compare
Codecov ReportBase: 90.69% // Head: 90.69% // Decreases project coverage by
Additional details and impacted files@@ Coverage Diff @@
## main #1860 +/- ##
==========================================
- Coverage 90.69% 90.69% -0.01%
==========================================
Files 97 95 -2
Lines 50577 50074 -503
Branches 50577 50074 -503
==========================================
- Hits 45870 45413 -457
+ Misses 4707 4661 -46
Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here. ☔ View full report at Codecov. |
wpaulino
force-pushed
the
open-channel-anchors-support
branch
from
523c412 to
27a74fe
Compare
lightning/src/ln/channel.rs
Outdated
| @@ -911,7 +932,11 @@ impl<Signer: Sign> Channel<Signer> { | |||
| where K::Target: KeysInterface<Signer = Signer>, | |||
| F::Target: FeeEstimator, | |||
| { | |||
| let opt_anchors = false; // TODO - should be based on features | |||
| #[cfg(anchors)] | |||
There was a problem hiding this comment.
This is only used for "is it even possible to build a channel with this amount". Should we just drop this and always pass anchors (since its a slightly higher commitment tx fee)? Otherwise I'm worried about making decisions based on the anchor flag which isn't really right, its just the initial state.
There was a problem hiding this comment.
It's also setting the value in ChannelTransactionParameters. That of course won't be locked in until we receive an accept_channel with the same channel_type we extended. Are you also suggesting we delay setting that value in ChannelTransactionParameters until then?
wpaulino
force-pushed
the
open-channel-anchors-support
branch
from
27a74fe to
a88d650
Compare
wpaulino
force-pushed
the
open-channel-anchors-support
branch
2 times, most recently
from
9cf8351 to
404f3d1
Compare
wpaulino
force-pushed
the
open-channel-anchors-support
branch
from
404f3d1 to
7e7abb5
Compare
|
|
||
| #[cfg(anchors)] | ||
| #[test] | ||
| fn test_supports_anchors_zero_htlc_tx_fee() { |
There was a problem hiding this comment.
I don't know if the flow that matters, though when our negotiate_anchors_zero_fee_htlc_tx=true and their init features option_anchors_zero_fee_htlc_tx=false doesn't seem cover:
diff --git a/lightning/src/ln/channel.rs b/lightning/src/ln/channel.rs
index 8cf5e54f..b552b61b 100644
--- a/lightning/src/ln/channel.rs
+++ b/lightning/src/ln/channel.rs
@@ -892,10 +892,8 @@ impl<Signer: Sign> Channel<Signer> {
// Optionally, if the user would like to negotiate the `anchors_zero_fee_htlc_tx` option, we
// set it now. If they don't understand it, we'll fall back to our default of
// `only_static_remotekey`.
- #[cfg(anchors)]
{ // Attributes are not allowed on if expressions on our current MSRV of 1.41.
- if config.channel_handshake_config.negotiate_anchors_zero_fee_htlc_tx &&
- their_features.supports_anchors_zero_fee_htlc_tx() {
+ if config.channel_handshake_config.negotiate_anchors_zero_fee_htlc_tx {
ret.set_anchors_zero_fee_htlc_tx_required();
}
}
There was a problem hiding this comment.
Should be covered now.
| // We support opening a few different types of channels. Try removing our additional | ||
| // features one by one until we've either arrived at our default or the counterparty has | ||
| // accepted one. | ||
| if self.channel_type.supports_anchors_zero_fee_htlc_tx() { |
There was a problem hiding this comment.
Do we have test coverage for handle_error once we got an error message due to rejection of channel type ?
There was a problem hiding this comment.
Should be covered now.
wpaulino
force-pushed
the
open-channel-anchors-support
branch
from
7e7abb5 to
6dbcde5
Compare
wpaulino
force-pushed
the
open-channel-anchors-support
branch
from
6dbcde5 to
202ff7f
Compare
|
Would appreciate a thorough pass from reviewers as it's been a while since the previous review iteration. |
| // We support opening a few different types of channels. Try removing our additional | ||
| // features one by one until we've either arrived at our default or the counterparty has | ||
| // accepted one. | ||
| if self.channel_type.supports_anchors_zero_fee_htlc_tx() { |
There was a problem hiding this comment.
May be worth adding a comment that the ordering here would mean that we'd never negotiate anchor with a peer that supports anchor but not scid privacy, except that we check the peer's init flags above so in general this code should really only apply for a peer that is setting init flags but not actually supporting the channel type, which should be very rare.
There was a problem hiding this comment.
May be worth adding a comment that the ordering here would mean that we'd never negotiate anchor with a peer that supports anchor but not scid privacy
Comment added.
this code should really only apply for a peer that is setting init flags but not actually supporting the channel type, which should be very rare
It won't be too rare with anchors if the inbound node doesn't have enough onchain funds to bump their commitments. They'll still advertise the feature, but reject the channel.
There was a problem hiding this comment.
Sure, sorry, my point was if we didn't do the check initially we'd never negotiate anchors for lots of old lnd nodes - because anchors predates the scid privacy stuff we'd always end up with no features. As long as we check their features, we're safe from that.
| if self.channel_type.supports_anchors_zero_fee_htlc_tx() { | ||
| self.channel_type.clear_anchors_zero_fee_htlc_tx(); | ||
| assert!(self.channel_transaction_parameters.opt_non_zero_fee_anchors.is_none()); | ||
| self.channel_transaction_parameters.opt_anchors = None; |
There was a problem hiding this comment.
Given we're only supporting anchors with channel type negotiation, we should probably just drop opt_anchors entirely and do channel_type.supports... instead? Can come in a followup though since its a new change...I really do hate having duplicate state tracking the same thing :)
There was a problem hiding this comment.
I don't think we can drop ChannelTransactionParamerters.opt_anchors since signers rely on it in provide_channel_parameters.
There was a problem hiding this comment.
We can regenerate it for them, though, rather than storing it explicitly in Channel and in its serialized form.
There was a problem hiding this comment.
Ah, I'll look into this later then.
wpaulino
force-pushed
the
open-channel-anchors-support
branch
from
202ff7f to
660165c
Compare
| /// If set, we attempt to negotiate the `anchors_zero_fee_htlc_tx`option for outbound channels. | ||
| /// | ||
| /// If this option is set, channels may be created that will not be readable by LDK versions | ||
| /// prior to 0.0.114, causing [`ChannelManager`]'s read method to return a |
There was a problem hiding this comment.
Reminder that we may need to update this when we make anchor not cfg-gated anymore. Would be nice if we didn't and that happens in 0.0.114, but if not, that's okay too.
This PR introduces support for the anchors feature bit and opening/accepting anchor channels. It also includes an end-to-end test of the unilateral channel close flow, consuming the recently added anchor events and attaching fees to transactions when necessary.
Depends on #1825.