Make Channel's block connection API more electrum-friendly

[TheBlueMatt]

This is very much a WIP, but we're gonna YOLO this one into the Java bindings to see if the API works. It breaks a ton of tests which rely on bogus blockchain structure, but we need to fix those either way. At least some tests pass, right?

[jkczyz]

Shouldn't this be the old height of the disconnected block?

[TheBlueMatt]

Hmm, I dont think so? Thew new argument is passed into update_best_block in channel and handled the same as a new block (and the header part ignored, except to get the time).

[jkczyz]

I guess my confusion here is because in ChainMonitor and ChannelMonitor, the height is that of the disconnected header, which is inconsistent with this.

[TheBlueMatt]

Note new_height is calculated by fetching the height from the local latest_block_height variable, not from the user. In later commits, that variable is checked against what the user passes in.

[jkczyz]

Won't this be the header of the disconnected block rather than the best block? Presumably the best block will come from the next call to block_connected.

[TheBlueMatt]

Yea, that API needs to be clarified - I dropped the Channel::block_disconnected method.

[ariard]

Do you plan also to dry-up ChannelManager::block_disconnected in ChannelManager::update_best_block?

[ariard]

Is this requirement holds right now ? We don't have a ChannelState::Reorged blocking any further non post-shutdown calls, it should rather say "force_shutdown() should be the next call" ?

[TheBlueMatt]

Hmm? It could be clarified, but not just force_shutdown is the next call, but force_shutdown is the only allowed call ever again on this Channel (and the stuff for get_channel_update). This is true in any "return channel-closing-error" case.

[ariard]

I agree on the only call allowed, my remark was more on the how of this restriction. After this PR, if we return from Channel::update_best_block, we'll call force_shutdown in ChannelManager::do_chain_event.

I believe a more straightforward API would be to call force_shutdown directly inside update_best_block thus avoiding caller to forget to call force_shutdown. State transition to ShutdownComplete is only done in this latter method.

At least comment should say, "If we return Err, force_shutdown must be called" ?

[ariard]

In the future we might consider to dry-up that kind of messages. Otherwise, even if your light-client shelter its connections to an Electrum server behind Tor, a malicious server can still delay announcement of commitment transaction to observe a concomitant error message as a collusioning channel peer. And thus link your Lightning node to its validation backend.

[TheBlueMatt]

Yea, possibly, we'd need to be very careful, however, that we handle several cases identically - eg it would be very easy to return a dummy error message, but it be detectable exactly which case we hit by observing other behavior.

[ariard]

Okay I understand the rational of this special case -- Making 1-conf lock-in functional with regards to order of block confirmation/transaction announcement. But this should be documented pretty clearly in our API that either transactions_confirmed or update_best_block might generate FundingLocked in function of minimum_depth value. Really counter-intuitive to have a channel configuration variable changing by which method an event is expected to be delivered.

[TheBlueMatt]

We could, but we don't document which message events a function may generate in any other place? What makes this site special - in general the PeerHandler should just be polling for new message events regularly.

[ariard]

I think it would serve more as a friendly note for library developers than library users. It was surprising at first sight with the old API model in mind, now I get it.

[ariard]

Is calling update_best_block requirement true ? ChannelManager::block_disconnected is calling Channel::update_best_block ?

[TheBlueMatt]

Mmm, docs unclear - I meant to go from the fork point to the new tip. In any case, I'm going to work on updating block_disconnected to build a cleaner API so I'll just fix it with that.

[ariard]

Docs is better now by mentioning both reorg fork point and new best-chain tip as required called for update_best_block. Thanks

[ariard]

"It does not need to be called for each new block" What about check_get_funding_locked() to account for confirmations ?

[TheBlueMatt]

I'm not really sure what you're asking? check_get_funding_locked handles skipped blocks fine, or, it should?

[ariard]

Better now. I think you can add a small comment on check_get_funding_locked "Confirmations are accounted with an absolute height and not incrementally. This method might be only be called when new chain tip reach, after multiple block connections".

[valentinewallace]

Fixing tests over here: https://github.com/valentinewallace/rust-lightning/tree/make-tests-compile (will update this comment as I go)

• ln::functional_tests::htlc_claim_single_commitment_only_a
• ln::functional_tests::htlc_claim_single_commitment_only_b
• ln::functional_tests::test_bump_penalty_txn_on_revoked_commitment
• ln::functional_tests::test_bump_penalty_txn_on_revoked_htlcs
• ln::functional_tests::test_check_htlc_underpaying
• ln::functional_tests::test_concurrent_monitor_claim
• ln::functional_tests::test_holding_cell_htlc_add_timeouts
• ln::functional_tests::test_htlc_on_chain_timeout
• ln::functional_tests::test_htlc_timeout
• test_unconf_chan
• test_test_onchain_htlc_settlement_after_close

[arik-so]

this code block looks like it might be convenient to isolate in a utility method somewhere

[TheBlueMatt]

It depends on the if let Some(funding_txo), though, and its also nice to do it in the same transaction walk loop to avoid looping twice per channel.

[arik-so]

perhaps too short a repeated code fragment to extract, but maybe worth considering? Something like update_confirmation_height or similar?

[TheBlueMatt]

We can move it around a bit to clean it up, actually, relying on the fact that check_get_funding_locked will never return a funding_locked if we also want to fail the channel due to the < minimum_depth / 2 check.

[TheBlueMatt]

Thanks for the work on this last week @valentinewallace. This is now rebased on #846 and should be passing all the tests. I'll add a few tests for things tomorrow and then it should be good to go.

[codecov]

Codecov Report

Merging #838 (22f280c) into main (8a8c75a) will increase coverage by 0.04%.
The diff coverage is 91.72%.

❗ Current head 22f280c differs from pull request most recent head 47ad3d6. Consider uploading reports for the commit 47ad3d6 to get more accurate results

@@            Coverage Diff             @@
##             main     #838      +/-   ##
==========================================
+ Coverage   90.59%   90.63%   +0.04%     
==========================================
  Files          51       51              
  Lines       27109    27204      +95     
==========================================
+ Hits        24560    24657      +97     
+ Misses       2549     2547       -2     

Impacted Files	Coverage Δ
lightning/src/ln/channel.rs	87.32% <86.74%> (+0.19%)	⬆️
lightning/src/ln/channelmanager.rs	83.42% <90.90%> (+0.21%)	⬆️
lightning/src/ln/functional_test_utils.rs	95.02% <93.75%> (-0.20%)	⬇️
lightning/src/ln/functional_tests.rs	96.83% <93.97%> (-0.02%)	⬇️
lightning-persister/src/lib.rs	95.61% <100.00%> (ø)
lightning/src/ln/chanmon_update_fail_tests.rs	97.56% <100.00%> (ø)
lightning/src/ln/reorg_tests.rs	99.57% <100.00%> (+0.01%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8a8c75a...47ad3d6. Read the comment docs.

[TheBlueMatt]

Still needs more tests, but now has no PR dependencies and I think is code/doc-complete (though I'd very much welcome suggestions on making the docs more clear).

[TheBlueMatt]

Added tests which I'm somewhat happy with. I think there may end up being a followup to tweak the API further, but I'd prefer to land this as-is first.

[jkczyz]

Went through commit-by-commit, so please disregard anything that changed in a later commit.

[jkczyz]

Is i64 needed in case of a reorg?

[TheBlueMatt]

Yes, if you call with a lower height it could underflow and go negative.

[jkczyz]

A one-line comment explaining this would be useful or the reader.

[jkczyz]

I guess my confusion here is because in ChainMonitor and ChannelMonitor, the height is that of the disconnected header, which is inconsistent with this.

[ariard]

Mostly minor points. Test changes sounds good to me, will look twice.

[ariard]

After this PR, funding_tx_confirmed_in is directly set in transactions_confirmed so I don't think it makes sense to mention it here ?

I even think you can cut this branch if you initialize need_commitment_update to false ?

[TheBlueMatt]

No, its an exception to the next (channel_state < ChannelFunded) panic. Updated comments.

[ariard]

Why does this comment mentions the commitment point they send us when in fact it's us sending our commitment point to be used in next holder commitment transaction ?

[TheBlueMatt]

Its completely stale nonsense based on my misunderstanding the spec in 2017, and it hasn't been touched since. I've removed it.

[ariard]

If we hit this branch, it does mean the confirmed transaction matches our expectation (tx.txid() = funding_txo.index) so we might be okay there, even if we're exposed to malleation during tx-relay.

That said our expected funding_txo might belong to a malleable transaction given as such by get_outbound_funding_created and in fact this method should recall that funding_txo MUST NOT belong to a malleable transaction.

[TheBlueMatt]

Yea, technically by then we're ok, but its also a critical bug in the implementation of the wallet calling LDK, so we should do something. Honestly, I think we should probably replace the whole FundingTransactionBroadcastable path to make the user provide us the transaction, but that's a separate PR.

[ariard]

Don't we have a risk of breaking bolt 7 requirement by setting update_time_counter to highest header time ? "MUST set timestamp to greater than 0, AND to greater than any previously-sent channel_update for this short_channel_id."

[TheBlueMatt]

its a cmp::max so it should never go down? But we definitely need to do this because many clients filter updates based on the timestamp, so we need the time to be at least as of very recently (without having a "real" time source).

[ariard]

Can you document the divide by 2 usage ?

[TheBlueMatt]

Honestly, its arbitrary. I think we should drop it entirely and replace with "funding tx conf is now 0", but there's enough changes in this PR already.

[jkczyz]

Mostly some confusion on my part it seems. :P

[jkczyz]

Oh, I missed that this wasn't using the Listen version of block_connected. Nevermind.

[jkczyz]

I think that I confused block_connected with update_best_block when I wrote that comment. I understand the change now.

[jkczyz]

May have misread this. I think I was referring to:

let non_shutdown_state = self.channel_state & (!MULTI_STATE_FLAGS);
if non_shutdown_state & !(ChannelState::TheirFundingLocked as u32) == ChannelState::FundingSent as u32 {

and

if let Some(funding_txo) = self.get_funding_txo() {

but did't catch the move inside the for-loop.

[ariard]

Sounds good to me, just have to squash ?

[ariard]

Are we going to send any channel gossip if we fail here before ?

[TheBlueMatt]

Presumably not - we can't have announced the channel yet. I'm gonna leave this unless you feel strongly - its generally "correct" to increment the counter before failure, even if we don't need it here.

[ariard]

What's highest_header_time there ? Block timestamp or MTP or local client reception of Electrum header

[TheBlueMatt]

In this case its just the header.time, which is max current time + 2 hours. We just use it to ensure our gossip messages aren't too far in the past.

[ariard]

For low-conf chans (e.g 1 or 2 confs) eventually we could attach a CPFP and rebroadcast to avoid canceling payments already sold-out. If bumping feerate is lower than the ongoing-to-be-lost HTLCs received as holder balance.

[TheBlueMatt]

Note that this only triggers on a disconnect, ie if the transaction was confirmed, but is now less-confirmed. Honestly I think we should drop this entirely, its kinda dumb, but that shouldn't be in this PR.

[ariard]

Is this expected to break test coverage ?

diff --git a/lightning/src/ln/channel.rs b/lightning/src/ln/channel.rs
index dd026398..48602544 100644
--- a/lightning/src/ln/channel.rs
+++ b/lightning/src/ln/channel.rs
@@ -3664,7 +3664,7 @@ impl<Signer: Sign> Channel<Signer> {
                        // the funding transaction's confirmation count has dipped below minimum_depth / 2,
                        // close the channel and hope we can get the latest state on chain (because presumably
                        // the funding transaction is at least still in the mempool of most nodes).
-                       if funding_tx_confirmations < self.minimum_depth as i64 / 2 {
+                       if funding_tx_confirmations < self.minimum_depth as i64 / 4 {
                                return Err(msgs::ErrorMessage {
                                        channel_id: self.channel_id(),
                                        data: format!("Funding transaction was un-confirmed. Locked at {} confs, now have {} confs.", self.minimum_depth, funding_tx_confirmations),

[TheBlueMatt]

Hmm, likely not, I'm not sure how much coverage we have for the "confs went down, close channel" stuff, and we should drop it anyway.

[TheBlueMatt]

Squashed fixup commits with only one wording diff:

$ git diff-tree -U1 22f280c8d 945f2136c
diff --git a/lightning/src/ln/channel.rs b/lightning/src/ln/channel.rs
index dd026398a..174eed9b9 100644
--- a/lightning/src/ln/channel.rs
+++ b/lightning/src/ln/channel.rs
@@ -3610,3 +3610,3 @@ impl<Signer: Sign> Channel<Signer> {
 							channel_id: self.channel_id(),
-							data: "Commitment transaction was confirmed on chain.".to_owned()
+							data: "Commitment or closing transaction was confirmed on chain.".to_owned()
 						});

[jkczyz]

ACK 7f2f046

No other concerns after my last review.

[ariard]

Code Review ACK 7f2f046

Okay to revise later the closing-channel-on-reorg feature.

[TheBlueMatt]

Ugh, noticed CI was broken due to bad doc links. The fix diff is pure doc and trivial, so I'm going to merge this after CI passes:

$ git diff-tree -U1 7f2f046f 47ad3d6b
diff --git a/lightning/src/ln/channelmanager.rs b/lightning/src/ln/channelmanager.rs
index 25013780..31c8dcca 100644
--- a/lightning/src/ln/channelmanager.rs
+++ b/lightning/src/ln/channelmanager.rs
@@ -3422,7 +3422,9 @@ impl<Signer: Sign, M: Deref, T: Deref, K: Deref, F: Deref, L: Deref> ChannelMana
 	///
-	/// This method may be called for a previous block after an [`update_best_block()`] call has
+	/// This method may be called for a previous block after an [`update_best_block`] call has
 	/// been made for a later block, however it must *not* be called with transaction data from a
-	/// block which is no longer in the best chain (ie where [`update_best_block()`] has already
+	/// block which is no longer in the best chain (ie where [`update_best_block`] has already
 	/// been informed about a blockchain reorganization which no longer includes the block which
 	/// corresponds to `header`).
+	///
+	/// [`update_best_block`]: `Self::update_best_block`
 	pub fn transactions_confirmed(&self, header: &BlockHeader, height: u32, txdata: &TransactionData) {