Client trusts lsp #572
Client trusts lsp #572
Conversation
|
👋 I see @tnull was un-assigned. |
|
🔔 1st Reminder Hey @tnull! This PR has been waiting for your review. |
src/event.rs
Outdated
| "Failed to process funding transaction: {:?}", | ||
| err | ||
| self.liquidity_source.as_ref().map(|ls| { | ||
| ls.lsps2_store_funding_transaction( |
There was a problem hiding this comment.
Would we always need to store the funding transaction, even if we're not doing the full flow?
There was a problem hiding this comment.
I moved it to inside the if statement, so it will store it only if needs_manual_broadcast is true 👍
src/event.rs
Outdated
| return Err(ReplayEvent()); | ||
| }, | ||
| }; | ||
| self.payment_store.update(&update).map_err(|e| { |
There was a problem hiding this comment.
There are a lot of unrelated changes happening in this commit. a) not sure if I agree that they are worth doing at all but b) always try to keep such changes in separate commits please.
There was a problem hiding this comment.
Sorry about that, I made a rebase and a cleanup. now this commit 53a8174 will have the minimal changes to make the client_trusts_lsp flow work
There was a problem hiding this comment.
There are a lot of unrelated changes happening in this commit.
This was a refactor on the PaymentClaimable event to make the manual claim work on my tests.
That part is removed after the rebase, so we should be good now
martinsaposnic
force-pushed
the
client-trusts-lsp
branch
from
480a3ce to
53a8174
Compare
|
🔔 1st Reminder Hey @tnull! This PR has been waiting for your review. |
|
🔔 2nd Reminder Hey @tnull! This PR has been waiting for your review. |
|
🔔 3rd Reminder Hey @tnull! This PR has been waiting for your review. |
|
🔔 4th Reminder Hey @tnull! This PR has been waiting for your review. |
|
cc @johncantrell97 as he previously looked into this and might be interested in reviewing/and or might have additional thoughts. |
There was a problem hiding this comment.
I have partially reviewed 53a81743 (pending tests) and found it helpful in clarifying my understanding of LSPs. I have some initial comments/questions regarding the following:
client_trusts_lsp configuration
client_trusts_lspis configured statically but I have assumed that based on blip52, this could (should?) be dynamically configured without restarting the node when it detects an attack.- Given the current implementation, what happens to in-flight outbound JIT channels (whose clients are awaiting funding transactions to be broadcast) during a trust mode transition, i.e.
lsp_trusts_clienttoclient_trusts_lsp?
error silencing
I don't fully understand why possible APIMisuseError relating to channel_needs_manual_broadcast is silenced/ignored with unwrap_or(false). Should we proceed with funding if we can't, for example, associate a channel with the user_channel_id?
src/liquidity.rs
Outdated
| @@ -134,6 +133,8 @@ pub struct LSPS2ServiceConfig { | |||
| pub min_payment_size_msat: u64, | |||
| /// The maximum payment size that we will accept when opening a channel. | |||
| pub max_payment_size_msat: u64, | |||
| /// Use the client trusts lsp model | |||
| pub client_trusts_lsp: bool, | |||
There was a problem hiding this comment.
I'm trying to understand the client_trusts_lsp configuration here. According to bLIP-52, I expect the LSP to dynamically switch from lsp_trusts_client to client_trusts_lsp mode upon detecting an attack, without requiring a restart.
However, this configuration appears to be static and set at node startup. If that's the case, what happens when:
- A node initially running in
lsp_trusts_clientmode detects an attack - The node restarts with
client_trusts_lsp:trueto switch modes - There's an existing outbound JIT channel where the client expects the LSP to broadcast the funding transaction before sending the preimage to claim.
What are the potential consequences for that in-flight JIT channel during the mode transition?
There was a problem hiding this comment.
just pushed a fixup that makes the flag dynamic
There's an existing outbound JIT channel where the client expects the LSP to broadcast the funding transaction before sending the preimage to claim.
I just posted a question about this https://discord.com/channels/915026692102316113/994015949176963183/1397280758196080660
my current interpretation about this is that once lsps2.buy succeeds, that flag is part of the contract for this flow. the LSP can always abort and make you start over, but it cannot change the trust model mid negotiation
we will see what they respond on discord
There was a problem hiding this comment.
my current interpretation about this is that once lsps2.buy succeeds, that flag is part of the contract for this flow. the LSP can always abort and make you start over, but it cannot change the trust model mid negotiation
I created a test that shows how this works (test lsps2_in_flight_under_attack_switch)
There was a problem hiding this comment.
my current interpretation about this is that once lsps2.buy succeeds, that flag is part of the contract for this flow. the LSP can always abort and make you start over, but it cannot change the trust model mid negotiation
Yes, as also noted on Discord, I agree with that interpretation and even think that for now we can leave the flag to be statically determined at startup.
src/liquidity.rs
Outdated
| if let Some(handler) = lsps2_service_handler { | ||
| handler | ||
| .channel_needs_manual_broadcast(user_channel_id, &counterparty_node_id) | ||
| .unwrap_or(false) |
There was a problem hiding this comment.
Unsure about unwrap_or here. I think we should log the error and be concerned about its cause if channel_needs_manual_broadcast returns an APIError::APIMisuseError? Say we couldn't find a channel mapped to the provided user_channel_id, should we still go on to call channel_manager.funding_transaction_generated for a non-existent channel when handling FundingGenerationReady? I am confused about this.
There was a problem hiding this comment.
this is also fixed in commit 2cc5267
thank you for the review!
…nual_broadcast logs error if it fails
Please just review the second commit 53a8174. The first commit is just compatibility changes so it works with rust-lightning
This PR uses the functionality introduced in this other PR lightningdevkit/rust-lightning#3838, and creates 2 tests that demonstrates the feature
Changes: