Add new config setting max_balance_dust_htlc_msat

[ariard]

First step to support lightning/bolts#873

[TheBlueMatt]

Making this required means we cannot read serialized configs from old versions. Can you take https://git.bitcoin.ninja/index.cgi?p=rust-lightning;a=commit;h=fcf9ac5ca6055254955fca9a1402b24168aeab14 and use (default_value, 25_350_000) instead of required?

[ariard]

Does it present another burden for the user, namely to override the default value after deser if user is willingly to enforce its own setting ?

[TheBlueMatt]

Yes, we'll need them to update the field after loading. Sadly we currently don't have any mechanism to update channel config after load at all, but it's something we'll need to as soon to allow updating channel channel relay fees soon.

[TheBlueMatt]

I don't think there's any reason to keep the current default here. Maybe 10k sats for max exposure of $5? Maybe 5k if we want to go a little lower?

[ariard]

Picked up 5k as we might expect this threshold to become more sensible with time for the average node operator.

[ariard]

New default is breaking tests, gonna fix that.

[TheBlueMatt]

You can also simply override the default to a higher value in the default config constructor in functional_test_utils.

[ariard]

Beyond fixes, add a supplemental commit to generalize the new setting on incoming dust HTLC on counterparty commitment transaction. I'm still toying with the idea of introducing a new max_accepted_dust_htlc to achieve exposure symmetry on incoming dust HTLC on holder commitment transaction, currently limited (and as such dependent) by max_accepted_htlc.

[codecov]

Codecov Report

Merging #1009 (d282586) into main (69ee486) will increase coverage by 1.71%.
The diff coverage is 98.03%.

❗ Current head d282586 differs from pull request most recent head 730f6f3. Consider uploading reports for the commit 730f6f3 to get more accurate results

@@            Coverage Diff             @@
##             main    #1009      +/-   ##
==========================================
+ Coverage   90.79%   92.50%   +1.71%     
==========================================
  Files          61       63       +2     
  Lines       31578    37857    +6279     
==========================================
+ Hits        28672    35021    +6349     
+ Misses       2906     2836      -70     

Impacted Files	Coverage Δ
lightning/src/util/ser_macros.rs	96.31% <ø> (ø)
lightning/src/util/config.rs	46.51% <33.33%> (+0.17%)	⬆️
lightning/src/ln/channel.rs	93.04% <97.84%> (+3.80%)	⬆️
lightning/src/ln/functional_test_utils.rs	95.53% <100.00%> (+0.35%)	⬆️
lightning/src/ln/functional_tests.rs	98.98% <100.00%> (+1.69%)	⬆️
lightning/src/util/errors.rs	69.33% <0.00%> (-2.10%)	⬇️
lightning-background-processor/src/lib.rs	95.22% <0.00%> (-0.36%)	⬇️
lightning/src/ln/script.rs	93.75% <0.00%> (ø)
lightning/src/ln/monitor_tests.rs	100.00% <0.00%> (ø)
lightning/src/ln/chanmon_update_fail_tests.rs	97.80% <0.00%> (+0.05%)	⬆️
... and 9 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 69ee486...730f6f3. Read the comment docs.

[TheBlueMatt]

I do not understand why we need to enforce this on the inbound leg. It should be sufficient to enforce it only on outbound HTLCs - ensuring our balance isn't dusted heavily. If our counterparty wants to burn all their balance to dust, that's on them.

[TheBlueMatt]

@ariard pointed out that this matters if we have to go claim the funds from this HTLC after it was forwarded onwards. The funds may be our counterparty's balance, but once we receive the preimage from the place we forwarded the HTLC to, the funds are now "ours" and may not be in the commitment transaction. Thus, this does need to be here.

[TheBlueMatt]

Users have no idea what dust_limit_satoshis is, or why it matters at all what the sum of dust HTLCs is. We need to say something that describes, without assuming any significant knowledge of lightning, why we limit the dust balance to some low value (that those funds go to miners, and that a malicious miner could forward lots of small payments through us that miners claim as additional fee revenue if we force-close).

[TheBlueMatt]

Oops, the "approve" check shouldn't have been marked on that one. I mean Concept ACK, but I left comments :).

[ariard]

I went through a lot of back-and-forth on the utility to also check the dust balance on the holder transaction as it's implicitly protected by the check on the commitment transaction, with our current assumption that holder's dust_limit_satoshis is always under counterparty's one.

Though finally I left it, as it gives us more belt-and-suspender if we touch our config settings/implementation default in the future.

Without, as of today, the worst-fee discrepancy would be 344_000 msat as explained in this Big Comment(tm): https://github.com/ariard/rust-lightning/blob/0db41f057ac4967f72646cc1e77ee59280fbf07c/lightning/src/ln/channel.rs#L2066

[ariard]

See lastest squashed branch at 3faf229, addressing review comment and hopefully exhaustive test coverage!

[TheBlueMatt]

Needs rebase.

[TheBlueMatt]

Looks good. Few doc comments and one actual code comment, haven't reviewed the test yet.

[TheBlueMatt]

Did we agree to a multiplier here? Ie instead of checking with the current feerate, check with the current feerate times 2/4/whatever to prevent feerate increases from blowing up our dust? I think we should set the multiplier pretty high so that we can remove the counterparty feerate check entirely and only ever check the dust threshold.

[ariard]

edit: I think we agree in principle, but not on the heuristics to pick up an adequate feerate. In fact I'm not sure it makes sense to take a multiplier against the current feerate as this one might be already in the higher percentiles of the mempool feerate groups, thus allowing this HTLC to consume all our dust bandwidth.

Maybe we should instead give us a multiplier of the dust balance against a fixed point of 253 sat/kWU ?

[TheBlueMatt]

Hmm, the reason I like a multiplier is that, without any other information, if the feerate is high, it seems likely the feerate may increase significantly. If the feerate is low, probably it will only increase by 10sat/vb or so.

We could do something nonlinear, but I'm not a fan of a straight constant. Maybe we could always increase by max(10 sat/vb, 0.25x current feerate)?

[ariard]

Okay so implemented the evaluation against a preventive high-feerate, note tests coverage has been modified in consequence to avoid the newly inflated check of counterparty dust limit satoshi blocking failure against the holder limit (508_000 -> 2_300_000)

                let pending_remote_value_msat =
@@ -3482,6 +3496,10 @@ impl<Signer: Sign> Channel<Signer> {
                self.feerate_per_kw
        }
 
+       pub fn get_dust_buffer_feerate(&self) -> u32 {
+               cmp::max(2530, self.feerate_per_kw * 1250 / 1000)
+       }
+

[TheBlueMatt]

This includes way too much technical detail about the implementation and not enough detail about what this means for users.

Suggested change

	/// Limit holder balance exposure to dusted HTLCs at any given time.
	///
	/// Applied on at HTLC reception/forwarding, *each* on both-sides commitment transactions.
	///
	/// Dust HTLCs are defined as any HTLC lower than counterparty's `dust_limit_satoshis` or
	/// holder's `dust_limit_satoshis` summed up with their expected onchain claim cost at
	/// negotiated feerate (`feerate_per_kw` * HTLC_*_TX_WEIGHT * 1000 / 1000).
	///
	/// This limit does exist to prevent holder balance burnt to miners fees if the link is
	/// broken, either due to a accidental force-closure or a counterparty maliciously
	/// cooperating with miners.
	/// Limit our total exposure to in-flight HTLCs which are burned to fees as they are too small.
	/// to claim on-chain.
	///
	/// When an HTLC present in one of our channels is below a "dust" threshold, the HTLC will not
	/// be claimable on-chain, instead being turned into additional miner fees if either party
	/// force-closes the channel. Because the threshold is per-HTLC, our total exposure to such
	/// payments may be substantial if there are many dust HTLCs present when the channel is
	/// force-closed.
	///
	/// This limit is applied for send, forwarded, and received HTLCs and limits the total exposure
	/// across all three types per-channel. Setting this too low may prevent the sending or receipt
	/// of low-value HTLCs on high-traffic nodes, and is very important if your counterparty is a
	/// miner (as they could benefit from such dust HTLCs becoming miner fees).

[ariard]

Better, though I would recall the last part about counterparty=miner being a worrying concern is kind of helpless. Even assuming you can effectively identify your LN counterparty, you can't exclude unseen out-of-band negotiation with a miner pool to introduce such non-propagated "dust-stealing tx".

[TheBlueMatt]

Yea, I think you're right. It would give users too much of a false sense of security.

[ariard]

Yep modified a bit.

[TheBlueMatt]

No functional issues, only docs/logs/git issues.

[valentinewallace]

Mostly nits, overall, this makes a lot of sense to me as a precursor to lightning/bolts#873.

Still grokking but I do wonder if the dust_buffer_feerate deserves more thought/is more suited to its own PR, like should we also use it in dust calculations like in next_remote_commit_tx_fee_msat?

[valentinewallace]

suggested nit: s/value/balance

[ariard]

I think balance includes either the to_local or to_remote output so would like to avoid blurring meanings here.

[valentinewallace]

suggestion: get rid of the on_ prefixes, and add _msat at the end

[ariard]

Moved to on_holder_tx_dust_exposure_msat/on_counterparty_tx_dust_exposure_msat. I concede the on_ prefix can be redundant but it's easy for a reviewer to interpret dust_balance as coming from holder channel policy imo

[valentinewallace]

Should we make a const of this number and use it everywhere?

[ariard]

Well the interest of a configuration setting, if a channel is opened with a trusted/highly-reliable peer, this number could be considerably lifted up and as such increase the dust bandwidth available on this link. The reasoning holds also in the other sense, a LDK node operator could consider the number picked up by us too high in function of their economic capabilities and would like to reduce.

[valentinewallace]

nit: prefer making (self.get_dust_buffer_feerate() as u64 * HTLC_TIMEOUT_TX_WEIGHT / 1000) + self.counterparty_dust_limit_satoshis into a variable and below

[ariard]

Do you mean in this function call ? I think it's used only once, as the following check is based on HTLC_SUCCESS_TX_WEIGHT?

[valentinewallace]

Question: why not make get_max_balance_dust_htlc_msat include transaction fees for paying for said HTLCs, and instead check that the total dust HTLC values + their fees don't violate max_balance_dust_htlc_msat? Not fully thought out but to me that seems like it would have more protection against burning $ to miners

[ariard]

Not sure if understand well your point but this check does include the transaction fees potentially paying for said HTLCs with the following equation component : (self.get_dust_buffer_feerate() as u64 * HTLC_TIMEOUT_TX_WEIGHT / 1000) ? It's just we use a preventive higher-feerate to anticipate fees spikes during the lifetime of the HTLC on the commitment transactions.

[ariard]

Updated at 5eb6cce, incorporating lastest reviews.

[ariard]

Still grokking but I do wonder if the dust_buffer_feerate deserves more thought/is more suited to its own PR, like should we also use it in dust calculations like in next_remote_commit_tx_fee_msat?

I don't think so, this is a newer "dust" definition whereas the one in next_remote_commit_tx_fee_msat spec-level one. The former serves to protect us against dust HTLC exposure, with a margin of safety (get_dust_buffer_feerate) and the latter serves to agree among implementations on non-economically interesting HTLCs to claim on-chain and better to prune out.

[valentinewallace]

Basically LGTM. Would be nice to fix fuzz

[valentinewallace]

"Stealing" might sound a little intense to users. Is there another way of phrasing it? lol

[TheBlueMatt]

This should fix the fuzz test:

$ git diff
diff --git a/fuzz/src/chanmon_consistency.rs b/fuzz/src/chanmon_consistency.rs
index 70ddac5d..36d12ad5 100644
--- a/fuzz/src/chanmon_consistency.rs
+++ b/fuzz/src/chanmon_consistency.rs
@@ -244,6 +244,7 @@ fn check_api_err(api_err: APIError) {
                                _ if err.starts_with("Cannot send value that would put counterparty balance under holder-announced channel reserve value") => {},
                                _ if err.starts_with("Cannot send value that would overdraw remaining funds.") => {},
                                _ if err.starts_with("Cannot send value that would not leave enough to pay for fees.") => {},
+                               _ if err.starts_with("Cannot send value that would put our exposure to dust HTLCs at") => {},
                                _ => panic!("{}", err),
                        }
                },

[TheBlueMatt]

LGTM aside from one comment and the fuzz failure I pasted a patch for.