-
Notifications
You must be signed in to change notification settings - Fork 493
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Funder's balance can dip back below channel reserve due to race #761
Comments
That's not exactly it. There was a previous proposal by rusty to indeed allow using the channel reserve to pay for the on-chain fee, but it was rejected because it made the protocol a bit more complex. Maybe @rustyrussell can dig up the discussion? It would probably have exactly the same kind of arguments as yours.
I think this is were it's incorrect. Alice should not send a |
Note that there are no such checks listed in BOLT-02 for So is the channel dead then? Or is Alice supposed to disconnect to "undo" that she had sent And if Alice is indeed supposed to run such checks at
Is it only regarding the early channel lifecycle before the reserve is met? Note that in that case it could only possibly apply if the funder used a huge |
No, she can just send her |
She already sent So let's consider the other case, (scenario 2) Alice's POV:
If neither party disconnects then either this (below-reserve) commitment tx gets signed or I don't know how the channel can be used further (if either party refuses to progress the state). |
Yes it's true that there is a potential race where you can end up in that state (which will trigger a close in the worst case to avoid letting the funder dip into its channel reserve). To my knowledge, the best you can do as an implementer to avoid running into this too frequently is to avoid sending Obviously if your channel stays inactive like that for a long while and the feerate keeps increasing, the situation is getting worse. But you can't predict the future, so you don't know that maybe an incoming HTLC will give you more balance soon and thus allow you to correctly sign an update_fee, getting you out of this painful situation. That's some uncertainty you'll have to live with. This is in my opinion one of the most rabbit-hole-y area of the spec. You'll have to choose trade-offs in your implementation depending on the kind of usage you expect (I guess electrum-ln will be used mostly as a wallet, right?). |
Yes, of course you are right, from the funder's perspective that is sufficient (or I guess as good as it gets atm :) ). However, I am also interested in the fundee's perspective.
From your comments I gather that Alice at some point would run some check, and she might decide to force-close the channel (or at least disconnect). What I don't understand yet however, is exactly when and approx what checks is Alice supposed to run to actually accomplish this. Note that neither Also, as pointed out in a comment above, if you are right and such a commitment tx where the funder dips below reserve is not "valid" and must not be signed, then I don't understand the purpose of this paragraph (BOLT-03):
Is it only regarding the niche case of the early channel lifecycle before the reserve is met for a channel where the funder used a huge When I am in doubt about the spec, I usually just check what implementations are doing. :)
Yes, for the foreseeable future we will likely only create unannounced channels and not forward payments. |
I'm not sure when this paragraph is applicable either. It's not in any bolt 2 requirement, and AFAICT in eclair we can never end up in that situation (except for cases where the reserve isn't initially met)...it would be interesting to have other implementation's feedback on this.
In eclair this will result in a |
(This has been split off from #740 (comment))
BOLT-02 claims:
I think that it is not true that once the reserve is met it is invariant that it will stay met.
The key insight is this: the funder, by sending
update_fee
, can reduce their own balance byx
. And the fundee, by sendingupdate_add_htlc
, can makex
larger. Exploiting this concurrently is the trick to dip the funder back below channel reserves.(note: I sometimes use "ctx" to mean "commitment transaction")
Consider the following example:
Alice is the fundee
Bob is the funder
update_add_htlc
(amount: 50000 sat)Alice calculates that in the next remote ctx:
update_fee
(new feerate: 41 sat/byte).Bob calculates that in the next remote ctx:
events from Alice's POV: (scenario 1)
update_add_htlc
update_fee
commitment_signed
(only contains fee update)revoke_and_ack
commitment_signed
(contains both fee update and new htlc)8000-41*(181+43)= -1184 sat (of course this will just end up being pruned)
From BOLT-03:
So in "ctxA" the to_local output (that would pay Bob) is supposed to have a -1184 sat value,
which is below the dust limit so it gets pruned. The effective feerate hence will be different,
but this is not interesting.
What is interesting is that Bob dipped back below reserve!
That is, there is no incentive for Bob not to try to cheat.
Now that I wrote up this whole example, it occurred to me that maybe what is meant by the invariant is that balance before subtracting the onchain fees will always stay above the reserve.
If this is what is meant then I guess the text is correct.
However, even in that case, it still stands that in the example above Bob has positive expected value for trying to cheat. If such a situation can occur in a way where onchain fees have actually increased and Bob actually wants to pay high fees to have a chance at getting the tx mined at all, he very well might try to cheat.
Also note that Bob can keep sending
update_fee
messages, low feerate, high feerate, going back and forth, trying to trigger the race.The text was updated successfully, but these errors were encountered: