Add require_confirmed_inputs TLV to open and accept

[t-bast]

This lets any side of the protocol require the other side to use confirmed inputs, to avoid paying the fees of a low feerate unconfirmed ancestor. It is using an even TLV field to ensure that the other side understands it, and make sure that it will be correctly applied whenever it is set.

Since it is specified at the beginning of the protocol (in open_channel2 and accept_channel2), if the receiving node doesn't want to use confirmed inputs they can fail the negotiation early with a helpful error.

[niftynei]

what happens if a node receives an input that's unconfirmed? should we add a note on the receiver's side that they should verify received inputs?

[t-bast]

Added in the tx_complete requirements, since that's where it makes most sense to check.

[niftynei]

Hm i think there's a different way to express (1 byte) ...

[t-bast]

Note that this isn't 1 byte, this is a 0-byte TLV. It should be encoded as: 0x0200 (tag = 0x02, length = 0x00). Such tlv "signals" will likely appear more often in the spec (we have the same need for async payments), but I'm not sure how it should be written to avoid breaking cln's parsing tool?

[niftynei]

Ah I see, it's a zero-length TLV item.

[niftynei]

Let me check in with the parser.. i'm not sure we have an annotation for that yet. Do you know if this is the first one in the spec?

[t-bast]

It is indeed the first one in the spec...

[niftynei]

Checking my understanding:

• if either peer requests confirmed outputs, the both sides MUST only send confirmed outputs?

If a node receives a request for confirmed-only inputs, they MAY fail the channel if they can't comply.

There's nothing mentioned for when to check proposed inputs confirmation status; may be worth doing during the tx_complete checks or there abouts?

[niftynei]

require the other participant -> if either side asks for it then it should be a requirement on both sides?

[t-bast]

I've reworked this commit in 1be9fee to provide more details.

There's nothing mentioned for when to check proposed inputs confirmation status; may be worth doing during the tx_complete checks or there abouts?

Agreed, added!

if either peer requests confirmed outputs, the both sides MUST only send confirmed outputs?

No, I'd like that to be asymmetric which is more flexible. You set this flag to tell the other party that they're only allowed to use confirmed inputs. If both parties set the flag, then both sides can only use confirmed inputs.

The reason it's useful to allow the asymmetry is for example for the LSP <-> mobile wallet case. The mobile wallet will likely pay a fee to have the LSP open a channel to them with liquidity on their side (à la liquidity ads). The LSP will be the one driving the RBF logic to ensure the funding tx confirms, but they don't want their liquidity fee to be "burnt" by having to pay for unconfirmed ancestors of the mobile wallet. The mobile wallet on the other hand doesn't necessarily care whether the LSP uses confirmed inputs or not, as the LSP will be responsible for doing RBF and getting the funding tx to confirm, and will deal with the feerate of their unconfirmed ancestors. Also, LSPs will likely have a bigger utxo churn than mobile wallet users, and will have a hard time doing channel open at scale with only confirmed inputs.

Does that sound reasonable?

[morehouse]

LGTM

[t-bast]

@niftynei would you have time to implement this in cln and let me know if we can finalize the tlv format?

[t-bast]

Rebased.

[niftynei]

subsumed by #11