-
Notifications
You must be signed in to change notification settings - Fork 377
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bump default CSV delay on counterparty states to 3 days of blocks #1884
Bump default CSV delay on counterparty states to 3 days of blocks #1884
Conversation
5590e4d
to
213b15a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Generally LGTM, some tests need the to-self-delay reset back to the old default.
Any update on this PR @ariard? |
213b15a
to
66224ce
Compare
Updated at 66224ce - (tests should have been fixed)
Sorry for the latency - Note the latest push update to 4 days of blocks rather than 3 as initially proposed. I think we could be even more conservative and bump to 7 days of blocks. The logic could be tweaked to scale the value in function of the channel value (what LND does) though this is quite arbitrary w.r.t node operators risk-sensitivity imho. I think the I think this is still very valuable to bump all our default timelocks as in case of future meltdown around upstream transaction-relay we have reasonable time to roll out a patch. Additionally, if there is any wrong in CPU/memory issues (e.g #1889) this gives far more time to the node operators to monitor their logs and intervene. So from my understanding this should give us decent robustness against loss of funds in the LDK ecosystem (assuming you have “fresher” keys storage like vls). |
Before we do this, we should check the default max for lnd/CLN/eclair to make sure we're not gonna end up unable to open channels with default configured nodes. |
Also looks like some tests need updating. |
Here you go with max CSV delay value accepted by our counterparty (remote’s Eclair: 2016 blocks https://github.com/ACINQ/eclair/blob/0d3de8f3778240afe8b2729f51495a150f06cbbe/eclair-core/src/main/scala/fr/acinq/eclair/channel/fsm/Channel.scala#L133 CLN: 2016 blocks https://github.com/ElementsProject/lightning/blob/21cc16fb5bfe116bd0430a19c1301ef606c424b9/lightningd/opening_common.c#L143 and https://github.com/ElementsProject/lightning/blob/21cc16fb5bfe116bd0430a19c1301ef606c424b9/lightningd/opening_common.c#L143 LND: 10000 blocks https://github.com/lightningnetwork/lnd/blob/3c8c057ea9ad57e0174501f35dce9c1b6f132f1d/config.go#L180 In light of those other implementation values, I think we can be even more conservative in our choice of our default CSV value we required at minimum from our counterparty. What do you think about 1008 blocks (a week) ? I’ll fix the tests when we’re good on the value choice. |
Yea, I'd vote for 1008, or even 2016. |
01e8078
to
20841db
Compare
Updated at 01e8078 with 1008. So I went finally for 1008 rather than 2016 as otherwise we expose our software channel opening request to be rejected by other implementations if they downgrade their 2016 max acceptance value to a lower limit to reduce the timevalue exposure of their users. I would love to go to 2016 though I think we’ll need to call for a harmonization and guidelines at the spec-level to avoid dumb cross-implementation wreckage due one implementation changing their default config. I’m thinking we can land this one + #2250 on our side then we can open the discussion at the spec-level ? Tests should have been fixed. Note changed |
let mut bob_config = UserConfig::default(); | ||
bob_config.channel_handshake_config.announced_channel = true; | ||
bob_config.channel_handshake_limits.force_announced_channel_preference = false; | ||
bob_config.channel_handshake_config.our_to_self_delay = 6 * 24 * 3; | ||
bob_config.channel_handshake_config.our_to_self_delay = 1008 + 144; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note to reviewers, the value there has been bumped to maintain the original asymmetry between alice and bob config. From my memory authoring this test the purpose was testing we correctly claim justice transaction on revoked output on counterparty transaction where the counterparty request a different value than ours.
Looks like this is still failing tests. |
IMO we should go with what you had before - I think we should allow users to set a CSV timeout lower than a full week if they really want to. |
20841db
to
468d8cf
Compare
See your point, now we’ll have two CSV timeout limits, a soft one at 1008 and a hard one at 144 blocks, update PR in that sense. Note you can test by checking Rebased and fixed the tests minus one due to legacy checks. See comment under. |
@@ -398,7 +398,7 @@ fn do_test_claim_value_force_close(prev_commitment_tx: bool) { | |||
|
|||
// Broadcast the closing transaction (which has both pending HTLCs in it) and get B's |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@wpaulino Pinging you as you authored a3b416a and the test_restored_packages_retry
.
For its true
variant, this test is failing with new config CSV timeout of 7 days of blocks:
thread 'ln::monitor_tests::test_restored_packages_retry' panicked at 'assertion failed: `(left == right)`
left: `OutPoint { txid: 0dfec8a032dd7df936c62f8a43c40ed92b15fdc76a513f955be589092dd4cf45, vout: 0 }`,
right: `OutPoint { txid: d738d83463d1edb85a557328e0789b1f63807e96d2a3516747f75a0478fd4236, vout: 0 }`', lightning/src/ln/monitor_tests.rs:1719:13
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
My understanding of the root of the failure is that serialized_monitor
is hardcoding the old value of 1 day of block as a CSV timeout, therefore when it’s compared to “witness” HTLC timeout transactions, the scriptPubkey has been altered and the previous outpoint differs. So I think I’ve to do a new dump of the monitor state ? However doing so I might break the compatibility check that the true
variant sounds to verify ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah that's unfortunate. I generated another one locally with the intended our_to_self_delay
set to BREAKDOWN_TIMEOUT * 7
. You can verify it's correct by adding a panic here and making sure it crashes.

There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why can't we just set the config in that test to 1 day of blocks?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Latest push as Wilmer suggestion to update the old chain monitor deserialized and that packages/transactions are rebroadcast accordingly. However I got a flappy test sometimes works well, and sometimes I got a connection logic error.
thread 'ln::monitor_tests::test_restored_packages_retry' panicked at 'assertion failed: `(left == right)`
left: `7d75aecbfa7227b3911f8dd40c6be8dfce35ae1635551d418d7b65eaf60e60f1`,
right: `077b978d9bcba00814c8e6d68a4d3290a8f29813c40eb82889c7d4908cca5294`: Transaction d738d83463d1edb85a557328e0789b1f63807e96d2a3516747f75a0478fd4236 was already confirmed and is being re-confirmed in a different block.
This indicates a severe bug in the transaction connection logic - a reorg should have been processed first!', lightning/src/chain/channelmonitor.rs:3162:25
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
Note the PR has been rebased.
Happy if you have a look, I’ll dig more into it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Before looking into the failure, were you able to check whether Matt's suggestion works?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes I tested both it didn’t yield a test success.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Matt's suggestion did work for me. Check out this diff, it reverts the monitor payload and uses the original CSV delay:
diff --git a/lightning/src/ln/monitor_tests.rs b/lightning/src/ln/monitor_tests.rs
index e61426f4..e6bd9728 100644
--- a/lightning/src/ln/monitor_tests.rs
+++ b/lightning/src/ln/monitor_tests.rs
@@ -1644,7 +1644,10 @@ fn do_test_restored_packages_retry(check_old_monitor_retries_after_upgrade: bool
let chanmon_cfgs = create_chanmon_cfgs(2);
let node_cfgs = create_node_cfgs(2, &chanmon_cfgs);
- let node_chanmgrs = create_node_chanmgrs(2, &node_cfgs, &[None, None]);
+ let mut config = test_default_channel_config();
+ // The monitor payload below relies on CSV delays being `BREAKDOWN_TIMEOUT` for both parties.
+ config.channel_handshake_config.our_to_self_delay = BREAKDOWN_TIMEOUT;
+ let node_chanmgrs = create_node_chanmgrs(2, &node_cfgs, &[Some(config), Some(config)]);
let mut nodes = create_network(2, &node_cfgs, &node_chanmgrs);
// Open a channel, lock in an HTLC, and immediately broadcast the commitment transaction. This
@@ -1680,9 +1683,7 @@ fn do_test_restored_packages_retry(check_old_monitor_retries_after_upgrade: bool
// old `ChannelMonitor` that did not exercise said rebroadcasting logic.
if check_old_monitor_retries_after_upgrade {
let serialized_monitor = hex::decode(
-
- "",
-
+ ""
).unwrap();
reload_node!(nodes[0], &nodes[0].node.encode(), &[&serialized_monitor], persister, new_chain_monitor, node_deserialized);
}
edited: Going to work on them, timelocks have interactions with a lot of things in the Lightning ecosystem. |
Any desire to work on this again? |
468d8cf
to
6120719
Compare
6120719
to
9658b34
Compare
Updated and rebased at 9658b34
Yep still happy to land it and sorry for the review delay, see unsolved comment. |
@@ -45,8 +45,11 @@ pub struct ChannelHandshakeConfig { | |||
/// case of an honest unilateral channel close, which implicitly decrease the economic value of | |||
/// our channel. | |||
/// | |||
/// Default value: [`BREAKDOWN_TIMEOUT`], we enforce it as a minimum at channel opening so you | |||
/// can tweak config to ask for more security, not less. | |||
/// Default value: [`BREAKDOWN_TIMEOUT`], we enforce [`BREAKDOWN_TIMEOUT`] * 7 as a minimum at |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like the default is BREAKDOWN * 7, not BREAKDOWN. Also, considerations when setting belong in the main text, not the default value specification.
For now, no interest in the security maintenance of this codebase. |
After the recent "node-shutdown" bugs affecting LND, highlighting not only the infancy of the Lightning infrastructure but also the short incident response human reactivity requested both on vendor team and all the node operators due to the time-sensitive Lightning security model, bump our default CSV delay to 3 days of works. Especially if we have to face worst-case scenario in case of coordinated response between both Bitcoin Core and Lightning implementations, e.g non-propagating justice transactions due to some pinning/standardness malleability vector. Advanced mempool policy to improve contracting protocols security like Lightning (e.g bitcoin/bitcoin#25038), while they improve the state of things, they also increase the critical dependency surface on our side. Further, we could even have to modify in-flight channel types in agreement with our counterparty, and in the lack of lightning/bolts#1026, having enough time to figure out a workaround sounds conservative practice.
If we see CSV delays being penalized in the selection of channel counterparties in the future, we can decrease this value again, or at least when we think the ecosystem robustness is more mature.
(Note, this is acknowledged tests are not fixed yet, seeking Concept ACK first)