Add fee-bumping reserves recommendations for anchor channels

[ariard]

This PR introduces recommendations for the fee-bumping reserves that a LDK user using anchor outputs channels is required to maintain in a future where update_fee as a fee-updating mechanism is deprecated, or its impact reduced.

The recommendations are given on an indicative title only, and in no way are compulsive. Recommendations are conservative for the worst-case of the routing hop, one might have to envision lower level of thresholds if the channels are with “semi-trusted” peers, HTLC forwarding is blocked or fee-bumping is relied on a blessed third-party (e.g a LSP).

While the soundest recommendations might be translated in code default in the future, I think (and hope) this documentation will be always hopeful for LDK users integrating their own wallets with our fee-bumping traits like CoinSelectionSource or WalletSource.

[TheBlueMatt]

Thanks for writing this up! Handful of comments and I think we should try hard to lighten up the wording to make it as understandable as possible (mostly by trying to make it less wordy - pretend every paragraph has to fit in a tweet and cut it down accordingly 😀).

[TheBlueMatt]

Not sure why this link is here. I don't think it adds to the understandability of the overall sentence. Also I would drop the second sentence.

[ariard]

I don’t know if you have read the link, I think the following excerpt is a nice reminder about Lightning security model about time-sensitive transaction.

"Contracting protocols are even more intimately dependent on policies related to prioritization because enforceability on-chain depends on being able to get transactions confirmed quickly. In adversarial environments, cheating counterparties may have an interest in delaying a transaction’s confirmation, so we must also think about how quirks in the transaction relay policy interface can be used against a user.”

Do you think I should rather take a digest in fee-bumping-reserves.md rather than quoting a link ?

[TheBlueMatt]

Because this sentence isn't about policy and edge-cases, its purely a high-level introduction stating that there's outputs which are competing.

[ariard]

Which is nice to refresh users memory on anchor outputs channels and the competing balance interest ?

[TheBlueMatt]

Sure, but the sentences here themselves seem more than sufficient to remind folks of the ln security model, the fact that LDK itself also has to consider transaction standardness policies seems entirely unrelated?

[ariard]

the fact that LDK itself also has to consider transaction standardness policies seems entirely unrelated?

I wish it was that simple, though e.g with nversin=3 there is a limit on the number of package descendant, and therefore how many commitment a CPFP can cover as one example coming out of mind.

Though I think you’re right in the let’s start simple approach, removed the whole section. I still added a warning at the end “Those recommendations should be also revised in function of the interactions with transaction standardness policy and its evolutions (e.g number of transactions allowed to be relayed as a package and as such how many LN commitment one CPFP can cover)”.

[TheBlueMatt]

To someone with only a cursory knowledge of Bitcoin, mentioning HTLC transactions and SIGHASH modes is confusing. Let's just say CPFP and adding additional inputs in RBF.

[ariard]

That’s a good question, what level of knowledge we expect from the user reading the doc ? In my mind it’s more an application developer building on top of the raw LDK API or someone maintaining an enterprise Lightning infrastructure or advanced hobbyist.

[TheBlueMatt]

Just because they're an application developer who knows a good bit about integrating Bitcoin APIs and building a good UX doesn't mean they understand (or, maybe, remember) what specific sighash flags mean.

[ariard]

I’m taking the optimistic point than an application developer will search for the sighash flags and get smarter from our documentation, I can add more docs about sighash flags ? e.g https://bitcoin.stackexchange.com/questions/37093/what-goes-in-to-the-message-of-a-transaction-signature/37095#37095

[TheBlueMatt]

I don't see why RBF is less useful for users. We could dump information at them, or we could refer to it in the common terminology and leave it, and its not like the additional information adds context which allows users to make better decisions here.

[ariard]

For now I took the simplest approach of just mentioning replace-by-fee. I think in the future it can be still interesting to develop the point on sighash flags, as this malleability allow external fee-bumping e.g by a LSP or watchtower.

[codecov-commenter]

Codecov Report

Patch coverage has no change and project coverage change: +1.71% 🎉

Comparison is base (c383f06) 90.24% compared to head (031c8e5) 91.96%.
Report is 181 commits behind head on main.

❗ Your organization is not using the GitHub App Integration. As a result you may experience degraded service beginning May 15th. Please install the GitHub App Integration for your organization. Read more.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2450      +/-   ##
==========================================
+ Coverage   90.24%   91.96%   +1.71%     
==========================================
  Files         106      111       +5     
  Lines       55811    78059   +22248     
  Branches    55811    78059   +22248     
==========================================
+ Hits        50368    71786   +21418     
- Misses       5443     6273     +830     

Files Changed	Coverage Δ
lightning/src/events/bump_transaction.rs	77.55% <ø> (ø)
lightning/src/util/config.rs	56.56% <ø> (ø)

... and 71 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[ariard]

Updated at b8fcd03e with some comments addressed.

See the high-level feedback on a) documentation format and b) user level knowledge expected as other points will derive from those ones.

Happy to land it early in the 0.0.117 and see if it’s useful for folks using anchor channels. If we think this documentation is more adapted at the spec-level, I can close this one and open a PR in the bolt repository as a recommendation.

[ariard]

Happy to land it and other ones on timelock before to open more PRs to do sec hardening on the codebase.

[ariard]

Updated at d7fbd10

cc @wpaulino I think you will be interested by the doc, at least to give feedback on how much it’s currently human-readable.

[tnull]

I don't understand this sentence. What is the "number of opened anchor outputs channels" exactly referring to, i.e., what does the user need to 'select'?

[ariard]

Updated, the number of opened channel is the number of opened channels under this Lightning node (i.e the outcome of ChannelManager::list_channels()).

[tnull]

Similarly here, I'm not sure I understand how the user should act on this advise.

[ariard]

The aim of this documentation is to give the heuristics to the user to understand the amount in satoshis of fee-bumping reserves one should keep, assuming conservative risk exposure (e.g the “A factor of 2 is a conservative estimation”).

This section explains the details of the factors entering in the computation of the max number of pending HTLCs (inbound / outbound) that a channel can have, under default LDK settings.

Note, high-level helpers could be built from the level ones we have currently (get_inbound_pending_htlcs_stats() / get_outbound_pending_htlc_stats()).

[tnull]

max_htlc_allsides does not exist in this repo, what is it referring to?

[ariard]

See comment just above. In this context, this is used a convenience to yield the level of fee-bumping reserve that a LDK user is recommended to maintain. Specific helpers to compute it could be introduced.

[ariard]

Updated at 031c8e5. Thanks for the review, a lot of comments should have been included.

Current recommendation aims to be simple and waive at issues such as third-party delegated fee-bumping management or future interactions w.r.t changes in transaction-relay policy rules (and as such the dimension of many UTXOs one should keep for a number of opened channels) or the channel types. I think if the main equation and its components are judged sound, helpers to compute them can be introduced.

[wpaulino]

The docs mostly read well to me, though I'm wondering how useful they'll be once we introduce a helper to provide such max_channel_weight_surface to the user. This value is very dependent on the commitment format/channel type so I don't think it's worth providing a breakdown of it other than briefly describing what it covers (commitment transaction + max HTLC transactions).

[wpaulino]

The counterparty can also limit us so the 483 is actually dynamic per channel as well.

[ariard]

For now, no interest in the security maintenance of this codebase.