fundchannel: cancel channel on transaction broadcast error #3910
Conversation
darosior
force-pushed
the
fundchannel_cancel
branch
from
3c06d42 to
4433d11
Compare
Changelog-Added: fundchannel will now cancel ongoing channel creation when transaction broadcast fails. Signed-off-by: Antoine Poinsot <[email protected]>
darosior
force-pushed
the
fundchannel_cancel
branch
from
4433d11 to
02748ac
Compare
|
I believe there is an edge-case possibility below:
Even if we do mempool monitoring, if the So I think it is dangerous to assume that failure of the In order to implement double-spending the funding transaction we should create an alternative RBF of the funding tx that pays to ourself only (call it the "cancellation tx") and spends the same set of inputs. Then if That also means we need to suppress the @rustyrussell I think we need to separate the "gather change outputs of psbt" from the "send out a psbt" commands, which is one reason I proposed
This also means that |
|
Generally speaking, I think this issue points to a good question, namely: should a broadcast error be automatically cleaned up, or should we allow the user some discretion in resolving the error? The corner case that @ZmnSCPxj pointed out leads me to think that perhaps alerting the user and allowing them to take action is perhaps the best course in this situation. In this case, we should consider improving our error messages that we report back to the user, perhaps with the suggestion of ways to fix it. This is probably enough of a corner case that expecting manual intervention is warranted? otoh, if it's just a case of confirming that the transaction has not in fact been broadcast, unbeknownst to us, i believe that |
|
It seems like the real solution to this specific problem (feerates rising faster than your ability to publish txs) however, is to allow RBF for channel opens, which will be possible with the v2 of channel opens. Our updated PSBT RPC interface will allow us to theoretically to offer this for v1, but will require some non-standard erroring out of existing/established channels and basically the same as canceling a channel and restarting the fundchannel call... which is bascially the blueprint of what this PR is starting down... |
|
Oh, one more thing. If we wanted to take specific action for how to handle specific bitcoin backend error codes (i.e. this transaction failed to broadcast because of fees), that might be a more robust / safe way to automatically cancel channel opens? Just a thought. I don't love the idea of integrating bitcoind error codes, but maybe that's ok. |
|
@niftynei I described how to do it with funding v1 a long time ago:https://lists.linuxfoundation.org/pipermail/lightning-dev/2018-January/000889.html Unfortunately that requires support for multiple channels per peer on both sides, and we have a policy of allowing only one channel per peer. Note that it is not safe to cancel any version of a channel until you have deeply confirmed a transaction that double-spends the funding tx of that version of the channel! The best we in Also, note that the specific problem @darosior is trying to fix is having a feerate lower than the minimum relay rate of your peers, RBF might not help there. |
Please do not make #3858 harder than it already is! |
|
I like the idea of specific errors from the backend, but of course not specific to bitcoind. This can be made backward compatible, i think. |
|
Firstly, yes, there is a danger here in cancelling on any bitcoind failure: good catch @ZmnSCPxj ! We can, however, and should cancel in the specific case of known errors. In general, we need to shepherd our transactions properly: @ZmnSCPxj has pointed this our before. This is not just for funding a transaction, but includes RBF. outgoing payments to others, penalty transactions, HTLC transactions, commitment transactions, etc. It also includes noticing when a transaction is no longer possible (an input is spent by another tx, to sufficient depth). Fundamentally, we care about deadlines, unspendability and outputs.
Note that various transactions can be usefully combined, particularly the SIGHASH_SINGLE HTLC transactions with option_anchor_inputs, and potentially we could do the same with penalty transactions (which are currently one-tx-per-output for simplicity). Thoughts? |
If we double-spend, then any change outputs on the funding transaction become invalidated, and if we later use that change output to anchor a different tx (such as a withdraw or another funding tx) then double-spending to self will also invalidate the subsequent tx. This is particularly saddening if you send a single coin to
We can safely forget channel fundings where we have no money in (i.e. acceptor in fundchannelv1, or fundchannelv2 if we do not add any of our own money). We already have an implicit deadline for fundings, sort of. If the channel remains unconfirmed for a long time, if we are the acceptor, we forget it. If the initiator then mentions it after we forgot, we If we are going to maintain deadlines, we want data about those deadlines to be stored in permanent storage, in case of a restart in the middle of a deadline. If we are managing our fundings and withdrawals in a separate plugin, then those plugins need to store the information about those transactions on-disk. That probably means putting a separate database for each plugin, since a database would give us some assurance of the atomicity and reliability of the information storage, which we would have to reimplement if we used our own storage mechanism. A lot of the complexity here can be simplified by separating the onchain-related transactions (funding channels, withdrawing) from the Lightning-related ones (commitment, HTLC, penalty).
Whut. Deadline is when the thief can steal from you; if you reach that, you should prefer to burn the fund (i.e. send to an |
There was a problem hiding this comment.
I have to agree with the other reviewers that this is too simplistic in its current form, even without the complexity of @ZmnSCPxj remote bitcoind, the return codes from bitcoin-cli sendrawtransaction are far from easy to interpret. Consider for example that it'll return "missing inputs" if we submit the same transaction twice, and "already in blockchain" once it gets confirmed (and at least one outpoint is still unspent, otherwise it reverts to "missing inputs").
Shepherding transactions we send, and overriding with RBF if necessary, before considering the attempt cancelled is really the only option I see.
| * `txprepare`. */ | ||
| req = jsonrpc_request_start(cmd->plugin, cmd, "fundchannel_cancel", | ||
| tx_abort, tx_abort, fr); | ||
| json_add_string(req->js, "id", node_id_to_hexstr(tmpctx, fr->id)); |
There was a problem hiding this comment.
| json_add_string(req->js, "id", node_id_to_hexstr(tmpctx, fr->id)); | |
| json_add_node_id(req->js, "id", fr->id); |
|
i completely agree as well and was keeping it open to not stop discussions (and to evaluate a possible move to standard errors on the Bitcoin plugin API). I'm going to close this and rather open an issue as i'm not going to implement any to the proposed solutions soon. |
|
Is it considered safe calling this for a channel-opening attempt that had the fee low enough that it now has fallen out of the mempool? Channel is still in |
There is no real way to know whether a transaction has been dropped from the mempool of all nodes. Node operators may adjust their mempool size, and potentially rebroadcast low-fee transactions at any time. We know some mining pools do this to stuff their blocks in low-fee periods. |
As minimum mempool fee rose, i encountered some expected errors from
bitcoindwhen funding channels (eg:Error broadcasting transaction: error code: -26\\nerror message:\\nmempool min fee not met, 154 < 200.), however i had to cancel half-started channel by hand. This makesfundchannelcallfundchannel_cancelon transaction broadcast error.