Add a "tx output spender" index #24539

This PR adds a new "tx output spender" index, which allows users to query which tx spent a given outpoint with the gettxspendingprevout RPC call that was added by #24408.

Such an index would be extremely useful for Lightning, and probably for most layer-2 protocols that rely on chains of unpublished transactions.

UPDATE: this PR is ready for review and issues have been addressed:

• using a watch-only wallet instead would not work if there is a significant number of outpoints to watch (see #24539 (comment))
• this PR does not require -txindex anymore

We use a composite key with 2 parts (suggested by romanz): hash(spent outpoint) and tx position, with an empty value. Average composite key size is 15 bytes.

The spending tx can optionally be returned by gettxspendingprevout (even it -txindex is not set).

Concept ACK. It would be good know more about specific use-cases for this, if you can provide some links or more description. But the implementation seems very simple, so I don't think adding this would be a maintenance burden.

@ ryan, I think the idea is that there is one coin that is owned by more than one entity. There may be several (conflicting) pre-signed txs spending it and as soon as it is spent, all entities with ownership in it want to check which pre-signed tx spent the coin. If they use Bitcoin Core to monitor the coin, they may use:

• A watch-only wallet (which requires a file on disk and BDB/Sqlite)
• Walk the raw chain and raw mempool themselves (According to #24408 (comment) this is doable for the chain, but may not be for the mempool)
• Use an index. A blockfilterindex might speed up scanning the chain, whereas this index directly gives the answer.

Lightning channels are basically trees of unpublished transactions:

• a commit tx that spends a shared onchain "funding" UTXO
• HTLC txs that spend the commit tx (there can be competing HTLC txs that spend the same commit tx output: one for successful payments, one for timed out payments)

There is also a penalty scheme built into these txs: if you cheat, you need to wait before you can spend your outputs but your channel peer can spend them immediately.

And LN is also transitioning to a model where these txs pay minimum fees and can be "bumped" with RBF/CPFP.

=> it's very useful for LN nodes to detect when transactions have been spent, but also how they've been spent and react accordingly (by extracting info from the spending txs for example), and walk up chains of txs that spend each other.

As described above, there are tools in bitcoin core that we could use and would help a bit, and Lightning nodes could also create their own indexes independently or use electrum servers, block explorers, but this would make running LN nodes connected to your own bitcoin node much easier.

Concept ACK

I think the use case is clear and if others think the maintenance burden is reasonable there doesn't seem to be an obvious downside.

This PR can be viewed as an "extension" to #24408

Seems like review should be focused on #24408 first but assuming that gets merged, Concept ACK for this.

<!--e57a25ab6845829454e8d69fc972939a-->

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

<!--006a51241073e994b41acfe9ec718e94-->

Code Coverage & Benchmarks

For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/24539.

<!--021abf342d371248e50ceaed478a90ca-->

Reviews

See the guideline for information on the review process.

If your review is incorrectly listed, please copy-paste <code>&lt;!--meta-tag:bot-skip--&gt;</code> into the comment that the bot should ignore.

<!--174a7506f384e20aa4161008e828411d-->

Conflicts

Reviewers, this pull request conflicts with the following ones:

• #34435 (refactor: use _MiB/_GiB consistently for byte conversions by l0rinc)
• #31275 (doc: corrected lockunspent rpc quoting by Talej)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

<!--5faf32d7da4f0f540f40219e4f7537a3-->

LLM Linter (✨ experimental)

Possible places where named args for integral literals may be used (e.g. func(x, /*named_arg=*/0) in C++, and func(x, named_arg=0) in Python):

• std::make_unique<TxoSpenderIndex>(..., index_cache_sizes.txospender_index, false, do_reindex) in src/init.cpp
• TxoSpenderIndex txospenderindex(interfaces::MakeChain(m_node), 1 << 20, true) in src/test/txospenderindex_tests.cpp
• SignatureHash(this->m_coinbase_txns[i]->vout[0].scriptPubKey, spender[i], 0, SIGHASH_ALL, 0, SigVersion::BASE) in src/test/txospenderindex_tests.cpp

^{2026-02-19 20:10:56}

Concept ACK - I can see why this could be helpful for lightning, the code is very similar to the txindex code.

Some general thoughts:

• getmempooltxspendingprevout in #24408 takes a list of outpoints, gettxospender takes a single outpoint. Would it make sense to have the same format here (I'd guess a common use case would be to check both RPCs with the same outpoint(s)?)
• Taking this one step further, getrawtransaction queries transaction data from the mempool or from blocks (if txindex is enabled) in one RPC. Would it make sense to have something similar for outpoints, instead of two separate RPCs?
• I think that the indexed data will not be deleted in case of a reorg (but possibly overwritten if an outpoint would be spent in a different tx as a result of a reorg). That means that a result from gettxospender could be stale. Would it make sense to delete entries or should we at least mention this possibility in the rpc doc?
• What's the reason for the dependency on -txindex? As far as I can see it's not technical, so would knowing the fact that an outpoint was used in a tx (even if we can't lookup the details of that tx further) be sufficient for some use cases?

* `getmempooltxspendingprevout` in [#24408](/bitcoin-bitcoin/24408/) takes a list of outpoints, `gettxospender` takes a single outpoint. Would it make sense to have the same format here (I'd guess a common use case would be to check both RPCs with the same outpoint(s)?)

Bitcoin supports batched RPC request so from a functional p.o.v it's equivalent to passing a list of outpoints but it's a bit easier to reason about imho. I think that the use case for getmempooltxspendingprevout is a bit different: you want to bump fees for a set of txs that are related to the same channel and want to understand who is spending what. You may also have txs with multiple inputs, and would pass them all together to getmempooltxspendingprevout.

For gettxospender the use case is trying to understand why channels have been closed and react if needed, if we could pass in multiple outpoints they would likely be unrelated.

* Taking this one step further, `getrawtransaction` queries transaction data from the mempool or from blocks (if txindex is enabled) in one RPC. Would it make sense to have something similar for outpoints, instead of two separate RPCs?

Maybe, let's see where the discussion in #24408 but to me it feels cleaner to have separate calls.

* I think that the indexed data will not be deleted in case of a reorg (but possibly overwritten if an outpoint would be spent in a different tx as a result of a reorg). That means that a result from `gettxospender` could be stale. Would it make sense to delete entries or should we at least mention this possibility in the rpc doc?

* What's the reason for the dependency on -txindex? As far as I can see it's not technical, so would knowing the fact that an outpoint was used in a tx (even if we can't lookup the details of that tx further) be sufficient for some use cases?

We would almost always want to get the actual tx that spends our outpoint. My reasoning was that relying on -txindex makes gettxospender robust and consistent in the case of reorgs and is also simpler and easier to understand that storing block positions instead of txids.

Concept ACK, nice

Rebased on https://github.com/bitcoin/bitcoin/pull/24408

Looks like the test somehow went away? If #https://github.com/bitcoin/bitcoin/pull/24408 is merged soon, you can fix everything on the next rebase.

Looks like the test somehow went away? If ##24408 is merged soon, you can fix everything on the next rebase.

Yes sorry about that, I've brought it back. I will also add another commit to move gettxspendingprevout out of rpc/mempool.cpp.

As with #24408, unless there's a need for looking up an unpredictable outpoint after its spend is mined (why?), I think a watch-only wallet is the correct approach for this use case, and expecting users to build infinitely-growing indexes isn't a good solution.

Suggested patch: https://gist.github.com/luke-jr/beb37abb2cfc2f7db86605f74bc4b934

Approach ACK

@sstone I created a branch that modifies this PR to include the in_mempool and block_height of the transaction that spends the output. The result is like this:

[
  {
    "txid": "c8de5b22e7dac049cd6a2628580876d74c16a58a886be2b4b1c744901f8e953e",
    "vout": 0,
    "spendingtxid": "117dd0df58201d4ac6c49472dc59208487caa7d79079a4bb32d85c16f4174e72",
    "in_mempool": false,
    "block_height": 88551
  }
]

If you agree with this approach, feel free to use the code of that branch. https://github.com/w0xlt/bitcoin/tree/add_txospender_index_2

There is no need for a new commit to address review comments. The last commit can be squashed.

https://github.com/bitcoin/bitcoin/blob/master/CONTRIBUTING.md#squashing-commits

The static RPCHelpMan getindexinfo() RPC should also be updated.

static RPCHelpMan getindexinfo()
{
    // ...
    if (g_txindex) {
        result.pushKVs(SummaryToJSON(g_txindex->GetSummary(), index_name));
    }

    if (g_coin_stats_index) {
        result.pushKVs(SummaryToJSON(g_coin_stats_index->GetSummary(), index_name));
    }

+    if (g_txospenderindex) {
+        result.pushKVs(SummaryToJSON(g_txospenderindex->GetSummary(), index_name));
+    }

    ForEachBlockFilterIndex([&result, &index_name](const BlockFilterIndex& index) {
        result.pushKVs(SummaryToJSON(index.GetSummary(), index_name));
    });
    // ...
}

The static RPCHelpMan getindexinfo() RPC should also be updated.

static RPCHelpMan getindexinfo()
{
    // ...
    if (g_txindex) {
        result.pushKVs(SummaryToJSON(g_txindex->GetSummary(), index_name));
    }

    if (g_coin_stats_index) {
        result.pushKVs(SummaryToJSON(g_coin_stats_index->GetSummary(), index_name));
    }

+    if (g_txospenderindex) {
+        result.pushKVs(SummaryToJSON(g_txospenderindex->GetSummary(), index_name));
+    }

    ForEachBlockFilterIndex([&result, &index_name](const BlockFilterIndex& index) {
        result.pushKVs(SummaryToJSON(index.GetSummary(), index_name));
    });
    // ...
}

Thanks! done in https://github.com/bitcoin/bitcoin/pull/24539/commits/d9d96f8b5dab7a617efb95c7a4c53114a7815abe

As described above, there are tools in bitcoin core that we could use and would help a bit

MarcoFalke and luke-jr suggested using a watch-only wallet for this use case. I don't fully understand how Lightning works in depth/implementation. Do you know @sstone what would be the pros and cons of using a watch-only wallet for this?

I haven't fully synced the txospenderindex (height 568907) and I know the index is optional but it's already ~60GB, so is it worth it for layer 2 node operators?

For most LN nodes watch-only wallets are probably enough: you would import all your channel outpoints, and check your wallet transactions for spending transactions (bitcoin core should include them). AFAIK you would do this by importing each channel outpoint in a single "address" descriptor (though it seems that there is currently no way to remove a descriptor ?).

But I'm not sure yet how practical and efficient this would be for large nodes with 10s of 1000s of transactions (I would like to have bitcoin core do some kind of filtering before it returns wallet transactions).

update: unless I've missed something, unless you have just a few transactions to monitor, using watch-only wallet would not work as is and even if it was modified it would still create serious operational issues:

If we were to use a single watch-only wallet and import all the outpoints that we need to watch, with one descriptor per outpoint , we would still to to fetch all wallet transactions to get spending transactions even if we used labels when importing our descriptors because label filtering only works for incoming transactions, so this does not scale (and again there does not seem to be a way to remove descriptors once they've been imported).

Since with LN we currently know which transactions would spend the outpoints that we are watching, we could also import them. It would solves our filtering problem but we would end up with a huge number of transaction in our wallet (millions of them).

Another option would be using one watch-only wallet per channel. This would be much better from an indexing point of view but would scale even less because there would be one wallet database per channel.

And even if we modified how watch-only wallets work to add an optional "spent-by" field to listtransactions (this would be fairly easy), using them would be a problem from an operational point of view: rebuilding a node can be done very quickly, as we don't even need to restore the bitcoin wallet that we used before (we just need to have a backup): we can just point our system to a new bitcoin node with a fresh wallet and we're good to go. With watch-only wallets we would first need to rebuild this wallet, which could take hours, before we're operational again.

=> I still believe that indexing "spending" transactions is a better approach than watch-only wallets.

Thanks for the clarification @sstone.

I still believe that indexing "spending" transactions is a better approach than watch-only wallets.

Agreed, this is Concept ACK for me then.

rebuilding a node can be done very quickly, as we don't even need to restore the bitcoin wallet that we used before (we just need to have a backup): we can just point our system to a new bitcoin node with a fresh wallet and we're good to go. With watch-only wallets we would first need to rebuild this wallet, which could take hours, before we're operational again.

The "new bitcoin node" would still need to have the txospenderindex constructed though right? Which also takes some time no?

The "new bitcoin node" would still need to have the txospenderindex constructed though right? Which also takes some time no?

Yes, you would need to run your bitcoin nodes with -txospenderindex and -txindex (but theses indexes are "generic" and completely independent from your application).

LGTM. I tried this:

./src/bitcoin-cli -testnet gettxspendingprevout '[{"txid": "f52c6102a5e9b9d11ff5edf0d888009cdcad85b44a7e83f057cf934745d9dce2", "vout": 1}]'
[
  {
    "txid": "f52c6102a5e9b9d11ff5edf0d888009cdcad85b44a7e83f057cf934745d9dce2",
    "vout": 1,
    "spendingtxid": "cb891f936bb45b347495542ebc7f413db612424c5516e14faef0239fbedecee1"
  }
]

The information returned is correct (https://blockstream.info/testnet/tx/f52c6102a5e9b9d11ff5edf0d888009cdcad85b44a7e83f057cf934745d9dce2?output:1).

Here's the result on master:

./src/bitcoin-cli -testnet gettxspendingprevout '[{"txid": "f52c6102a5e9b9d11ff5edf0d888009cdcad85b44a7e83f057cf934745d9dce2", "vout": 1}]'
[
  {
    "txid": "f52c6102a5e9b9d11ff5edf0d888009cdcad85b44a7e83f057cf934745d9dce2",
    "vout": 1
  }
]

I verified that if the spending transaction is already in the mempool, gettxspendingprevout behaves the same on master and this PR.

For info, the index is 6.7GB on testnet, and 110GB on mainnet.

I would also suggest splitting the PR in 3 commits (index, rpc and test) for easier review.

didn't review, but left some nits (no need to address them, unless you push for other reasons)

I did not review the code but tested the PR at commit 972728ab72b63ad074ffc1f2d8275d0c05672fa8 and it works.

It would be great to reduce the size of the index because it is well larger than txindex:

bitcoin/indexes $ du -h --max-depth=1
119G	./txospenderindex
38G	./txindex
157G	.

Instead of storing outpoint (32 + 4 bytes) -> txid (32 bytes) it could be outpointhash (32 bytes) -> txid (32 bytes) to gain 4 bytes per txos (or even using RIPEMD160 to gain 4 + 12 bytes per txo).

The txospenderindex stores redondantly the funding_txid as key for each transaction's outputs. It could be made almost half its current size if it was possible to store with the following schema:

funding_txid (32 bytes) -> concat_txids (32 * number_of_outpoints_in_funding_txid bytes)

where concat_txid would be all the spending txid concatenated in the order of the vout of the funding transaction or 32 bytes at 0 if the outpoint is unspent. To get the spending transaction of an outpoint txid:vout, you would just have to read the bytes 32 * vout to 32 * (vout+1) of the concat_txids given by the index. However this requires modifying the value at a given key during the sync of the index, I don't know if it is an issue.

It could be nice to provide more informations on the spending transaction too, like blockheight of spending transaction and the index of the input spending the outpoint in the spending transaction althought not necessary since these information can be found by using txindex.

It would be great to reduce the size of the index because it is well larger than txindex: ... Instead of storing outpoint (32 + 4 bytes) -> txid (32 bytes) it could be outpointhash (32 bytes) -> txid (32 bytes) to gain 4 bytes per txos (or even using RIPEMD160 to gain 4 + 12 bytes per txo).

I went for a simple scheme that is easy to use and did not try to optimize for space as it would still be O(n) so there's not much to be gained unless I'm missing something. It could be made smaller by using blockheight | txindex |outputindex (8 bytes) instead of txids ((this is how we define "short channel ids" in LN), but it would be harder to use.

The txospenderindex stores redondantly the funding_txid as key for each transaction's outputs. It could be made almost half its current size if it was possible to store with the following schema:

funding_txid (32 bytes) -> concat_txids (32 * number_of_outpoints_in_funding_txid bytes)

where concat_txid would be all the spending txid concatenated in the order of the vout of the funding transaction or 32 bytes at 0 if the outpoint is unspent. To get the spending transaction of an outpoint txid:vout, you would just have to read the bytes 32 * vout to 32 * (vout+1) of the concat_txids given by the index. However this requires modifying the value at a given key during the sync of the index, I don't know if it is an issue.

Same reason as above, I'll have a look but I'm not sure the gain is worth the added complexity.

It could be nice to provide more informations on the spending transaction too, like blockheight of spending transaction and the index of the input spending the outpoint in the spending transaction althought not necessary since these information can be found by using txindex.

Yes, I supposed that users would call gettransaction to get additional info on the spending tx

Concept ACK

Concept ACK

<!--85328a0da195eb286784d51f73fa0af9-->

🚧 At least one of the CI tasks failed. Make sure to run all tests locally, according to the documentation.

Possibly this is due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.

Leave a comment here, if you need help tracking down a confusing failure.

_{Debug: https://github.com/bitcoin/bitcoin/runs/21097591816}

<!--85328a0da195eb286784d51f73fa0af9-->

🚧 At least one of the CI tasks failed. Make sure to run all tests locally, according to the documentation.

Possibly this is due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.

Leave a comment here, if you need help tracking down a confusing failure.

_{Debug: https://github.com/bitcoin/bitcoin/runs/22929252121}

<!--85328a0da195eb286784d51f73fa0af9-->

🚧 At least one of the CI tasks failed. Make sure to run all tests locally, according to the documentation.

Possibly this is due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.

Leave a comment here, if you need help tracking down a confusing failure.

_{Debug: https://github.com/bitcoin/bitcoin/runs/25775869882}

Concept ACK 40e44e96c38593210877f0b5d062e71a8dd292a5

Can see how this is useful for L2s. Is a variant of this PR known to be used in production?

I do agree with @Pantamis in #24539 (comment) that having it take 3x the space of TxIndex seems unfortunate, would prefer it used CDiskTxPos for the values. Edit: Would require disallowing pruning again.

Commits could be squashed/rewritten. Seems like the latter two are responses to PR feedback rather than "telling a story". Previously pointed out: #24539 (comment)

PR summary still has "(so -txospenderindex requires -txindex)" which doesn't match current implementation.

<!--85328a0da195eb286784d51f73fa0af9-->

🚧 At least one of the CI tasks failed. _{Debug: https://github.com/bitcoin/bitcoin/runs/29067777506}

<details><summary>Hints</summary>

Make sure to run all tests locally, according to the documentation.

The failure may happen due to a number of reasons, for example:

• Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.

• A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.

• An intermittent issue.

Leave a comment here, if you need help tracking down a confusing failure.

</details>

I do agree with @Pantamis in #24539 (comment) that having it take 3x the space of TxIndex seems unfortunate, would prefer it used CDiskTxPos for the values. Edit: Would require disallowing pruning again.

To make the index more efficient we could replace the indexed outpoint with an 8 byte value {block height|tx pos|output index} and use the block height where the tx is spent instead of the full spending tx id, reducing the size of an index entry from (32 + 4 + 32) to (8 + 4) bytes, though it would become less generic and harder to use (especially without -txindex).

<!--85328a0da195eb286784d51f73fa0af9-->

🚧 At least one of the CI tasks failed. _{Debug: https://github.com/bitcoin/bitcoin/runs/29068484289}

<details><summary>Hints</summary>

Make sure to run all tests locally, according to the documentation.

The failure may happen due to a number of reasons, for example:

• Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.

• A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.

• An intermittent issue.

Leave a comment here, if you need help tracking down a confusing failure.

</details>

I put some time into implementing 3 variations on different personal branches:

Variant 1: unchanged_key_CDiskTxPos / baf57fb3a45c97d6cfb531b9252c97d4f27ad7ae

uint256 value -> CDiskTxPos

Still have key of COutPoint: 32 + 4 = 36 bytes old value - uint256: 32 bytes new value - CDiskTxPos: 4 + 4 + 4 = 12 bytes

36+32 -> 36+12 => 29% theoretical size reduction.

Variant 2: slow_key_CDiskTxPos / 1d3fd04a60ca5c28d8bef6ce4f611a583667dc2e

Minimize key + CDiskTxPos value

old key - COutPoint: 32 + 4 = 36 bytes new key - uint64: 8 bytes old value - uint256: 32 bytes new value - CDiskTxPos: 4 + 4 + 4 = 12 bytes

36+32 -> 8+12 => 71% theoretical size reduction.

Uses expensive way of computing keys: looking up through BlockManager and reading the block data from disk.

Apologies for using "tx_index" both for the TxIndex database and the location of a transactions within a given block.

Variant 3: minimal_key_value / ced505834dd1349bccbceeac3bf5abaa2327bda0

Minimize key & value footprint

old key - COutPoint: 32 + 4 = 36 bytes new key - uint64: 8 bytes old value - uint256: 32 bytes new value - uint32: 4 bytes

36+32 -> 8+4 => 82% theoretical size reduction, matching #24539 (comment).

Uses expensive way of computing keys: looking up through BlockManager and reading the block data from disk.

TxoSpenderIndex::FindSpender uses questionable way of finding the correct block.

Conclusion

Not an expert on the BlockManager family of API's so there may well be better implementations.

The first one of just switching the value uint256 -> CDiskTxPos feels quite feasible. Should have similar performance as TxIndex::FindTx() for the TxoSpenderIndex::FindSpender()-lookups.

The 2 later variants do significantly decrease the amount of theoretical space used, but I'm guessing the cost of computing the key would be somewhat prohibitive.

If run in an environment where hardware cost is negligible, but speed of lookup is critical, keeping the current approach of full uint256 values may be preferable.

(The size reductions have not been confirmed on chain syncs and remain theoretical for now).

(All 3 explored variations contain the same 2 base refactoring commits de14caa0df5b90208400b96e5b1b34752f4d57c0 & 44e4e4e88fb10c3fe44ebe238f88da369a7572f0).

Edit: Managed to fix functional tests for variant 2 with an additional commit but variant 3 is still flaky despite being patched up.

minimal_key_value / ced5058

Minimize key & value footprint

...

This one (the third) is very similar to the 'spending' index of electrs (https://github.com/romanz/electrs), only different being how the key is calculated, electrs uses the first 8 bytes of the txid (as uint64) + vout, because the block height or tx position might not be known.

Needing to parse whole blocks to find a transaction for every request impacts lookup time and requires all blocks to be available (so either disallows pruning or needs to request blocks from peers, which hurts privacy).

This one (the third) is very similar to the 'spending' index of electrs (https://github.com/romanz/electrs), only different being how the key is calculated, electrs uses the first 8 bytes of the txid (as uint64) + vout, because the block height or tx position might not be known.

Needing to parse whole blocks to find a transaction for every request impacts lookup time and requires all blocks to be available (so either disallows pruning or needs to request blocks from peers, which hurts privacy).

Ah, I see: https://github.com/romanz/electrs/blob/875fb61951e3b337c9e4e468734e119ff58c0482/src/types.rs#L119-L124 Interesting variant. Just using 8 bytes from the txid + vout does allow for a lot of transactions before collisions start becoming frequent, and avoids the expensive block lookup. People do grind txid prefixes like https://mempool.space/tx/b10c0000004da5a9d1d9b4ae32e09f0b3e62d21a5cce5428d4ad714fb444eb5d so they could intentionally force a lot of equal prefixes, but that's probably negligible.

New variant inspired by @antonilol with same disk space requirements as my 2nd variant above (avoiding my messy and not 100% functional block-lookup-by-height code from variant 3 for now). Much cleaner, removing requirement for additional locking and removes dependencies on BlockManager and TxIndex - on parity with variant 1 but with the disk space savings of variant 2!

Edit 1: Drawback - does not handle key-collisions yet. :D Edit 2: Now contains tentative collision handling solution without specific tests. Prefix collisions should be very rare but do fall back to full outpoint keys (32 + 4 bytes).

Variant 4: txidprefix+vout_CDiskTxPos / 3bc5c8dbffd1ef529eb12bae5f5722c99cc17c69 (+ c2d0d97f467649748a7f21af3b1e58b74da12b49 for collision handling)

txout prefix + CDiskTxPos value

old key - COutPoint: 32 + 4 = 36 bytes new key - (COutPoint.hash.u64_prefix + COutPoint.vout) -> uint64: 8 bytes old value - uint256: 32 bytes new value - CDiskTxPos: 4 + 4 + 4 = 12 bytes

36+32 -> 8+12 => 71% theoretical size reduction.

<!--85328a0da195eb286784d51f73fa0af9-->

🚧 At least one of the CI tasks failed. _{Debug: https://github.com/bitcoin/bitcoin/runs/29873383730}

<details><summary>Hints</summary>

Make sure to run all tests locally, according to the documentation.

The failure may happen due to a number of reasons, for example:

• Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.

• A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.

• An intermittent issue.

Leave a comment here, if you need help tracking down a confusing failure.

</details>

How hard is it for attackers to deliberately insert collisions? Is it worth to (try to) counteract this?

How hard is it for attackers to deliberately insert collisions? Is it worth to (try to) counteract this?

The index is currently based on suggestions by @hodlinator and @antonilol and the key for a given outpoint is the last 8 bytes of the outpoint's tx hash, represented as an 8 bytes integer, to which we add the outpoint's output index. => to generated collisions attackers need to generate transactions which hash to values that have the same first 8 bytes. I guess that would not be that difficult.

I think it may be countered by using a 64 bits hash mixed with a random key initialised when the index is created (so different nodes would use different keys), something like siphash.

Another option that I'm looking at is simply to replace and extend txindex and create 2 indexes:

• txid (32 bytes) -> tx position (8 bytes) (same as txindex)
• tx position (8 bytes) + output index (4 bytes) -> spending tx position (8 bytes)

No more collisions, and we can return the full tx and not just its hash, but not as efficient as this version (which can also return the full tx)l

Updated with the following changes:

• key is now siphash(k, spent outpoint) (8 bytes) where k is a random value created when the index is created, to defend against potential collisions attacks. Value is still a tx position (8 bytes)
• gettxspendingprevout will return the full spending tx if option include_tx is set

That's a good way to prevent attackers from inserting collisions in everyone's database, the chance of collision will be dependent on k, which is unknown to an attacker and different for everyone (except by chance or people copying each other's database). Shouldn't 8 bytes of randomness be enough (instead of 16)? Assuming that siphash's output is uniformly distributed, more randomness than the output size (8 bytes) feels unnecessary.

Also, the rpc description should be updated, https://github.com/sstone/bitcoin/blob/add-txospender-index/src/rpc/mempool.cpp#L589 (couldn't add a github review comment because it is too far away from a changed line)

Reviewed 93e1cafc3f8a7f5b36e495d7eb68c19acdab5809

Concept: I am curious about the justification for including this Index in Bitcoin Core vs implementing it as a third party index, especially since it is not required by anything inside of Core itself. It keeps the index in close sync with the chain state and de-duplicates effort among L2-implementations, but adds maintenance burden in Core.

Implementation: Appreciate the fresh SipHash take. Solves the DoS problem and has some nerd-sniping potential. Also nice having include_tx, as CDiskPos already implies deserialization of the full tx. Feared the approach of storing values with colliding keys together, but turned out quite smooth.

sstone:

Value is still a tx position (8 bytes)

I believe CDiskPos is at least 12 bytes CDiskTxPos::nTxOffset + FlatFilePos::nFile + FlatFilePos::nPos. This is assuming there is no additional padding for alignment nor per-element size information in LevelDB. Since values are currently vector<CDiskPos> there should at the very least be an extra byte for the compressed size of the vector itself.

antonilol:

Shouldn't 8 bytes of randomness be enough (instead of 16)? Assuming that siphash's output is uniformly distributed, more randomness than the output size (8 bytes) feels unnecessary.

According to https://en.wikipedia.org/wiki/SipHash key size is 128-bit as standard and that's what is currently supported in Bitcoin Core. Having a smaller key might increase DoS risk to much after all? + The key is only stored in one entry in LevelDB. + This type of computation using data that is cache-coherent (8 bytes next to the first 8 bytes of the key) should be exceedingly cheap.

According to https://en.wikipedia.org/wiki/SipHash key size is 128-bit as standard and that's what is currently supported in Bitcoin Core. Having a smaller key might increase DoS risk to much after all?

• The key is only stored in one entry in LevelDB.
• This type of computation using data that is cache-coherent (8 bytes next to the first 8 bytes of the key) should be exceedingly cheap.

You are right, siphash is designed for a 128 bit key, so lets keep it 128 bit then. It is not a cryptographic hash according to that wikipedia page, so I could be wrong about the output being uniformly distributed. Also, the cost of the extra 8 bytes is minimal/negligible.

SipHash with a 128-bit key seems like the correct choice for this.

It is indeed not cryptographic, in the sense that it is not practically collision-resistant (no 64-bit hash function can be, as that inherently allows a 2^32 birthday attack).

However, SipHash is effectively as secure and unpredictable as a 64-bit hash function can be, and is specifically designed for preventing attackers from triggering hash table collisions at scale, given that the salt is a uniform 128-bit key unknown to the attacker.

Concept: I am curious about the justification for including this Index in Bitcoin Core vs implementing it as a third party index, especially since it is not required by anything inside of Core itself. It keeps the index in close sync with the chain state and de-duplicates effort among L2-implementations, but adds maintenance burden in Core.

I understand that adding new indexes must be justified. This one is simple and quite efficient now, the code is compact, isolated and easy to understand, and imho there are more and more apps/protocols that work by creating/updating transactions that are not published that would benefit from such an index.

For applications that use Bitcoin Core's wallet (this is is our case,) and benefit from all the features that have been and are being developed (fee management, fee bumping, coin selection, package relay, descriptors, ...), adding a custom tool to build an external index would be sub-optimal from a dev and also an operational point of view, and people may prefer to use this PR instead.

Related to: https://github.com/bitcoin/bitcoin/issues/9641

Would be good to get a PR with 9 Concept ACKs and no significant concerns raised moving again. Can you rebase it? A recent PR (https://github.com/bitcoin/bitcoin/pull/32694) changed how we populate the block info struct. You'd now want to set CustomOptions for the index to get the required block data to the index, without having to call ReadBlock in your new TxSpenderIndex class.

<!--85328a0da195eb286784d51f73fa0af9-->

🚧 At least one of the CI tasks failed. _{Task previous releases, depends DEBUG: https://github.com/bitcoin/bitcoin/runs/36404454050} _{LLM reason (✨ experimental): The CI failure is caused by a compilation error due to an incorrect override in txospenderindex.h.}

<details><summary>Hints</summary>

Try to run the tests locally, according to the documentation. However, a CI failure may still happen due to a number of reasons, for example:

• Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.

• A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.

• An intermittent issue.

Leave a comment here, if you need help tracking down a confusing failure.

</details>

Would be good to get a PR with 9 Concept ACKs and no significant concerns raised moving again. Can you rebase it? A recent PR (#32694) changed how we populate the block info struct. You'd now want to set CustomOptions for the index to get the required block data to the index, without having to call ReadBlock in your new TxSpenderIndex class.

Rebased on 1be688f575151109816fa8956d54a5b5220e3b00

Thanks for the rebase :)

In the pull request description you are saying that the keys are 64 bytes, but I guess you mean 64 bits?

Did you split this work into two commits to gather feedback on tradeoffs between the two approaches? The space savings and the ability to immediately return a transaction is nice, but it is also not compatible with pruning (and still requires notices about that in init.cpp). Some lightning implementations do support pruned nodes, I guess they won't be able to leverage this extra index in that case?

Can you give a typical data query flow for both variants that you would expect from your use case in lightning? Is the read performance still acceptable for your use case? My guess is the extra read cost is compensated by not having to do an extra roundtrip to fetch the full transaction from the node.

I was also wondering if it were possible to combine this with #32541 to avoid the pruning limitation by writing the position in a block instead, but could not come up with a useful way to combine the two to that end.

In the pull request description you are saying that the keys are 64 bytes, but I guess you mean 64 bits? Yes 64 bits.

Did you split this work into two commits to gather feedback on tradeoffs between the two approaches? The space savings and the ability to immediately return a transaction is nice, but it is also not compatible with pruning (and still requires notices about that in init.cpp). Some lightning implementations do support pruned nodes, I guess they won't be able to leverage this extra index in that case?

I merged them into a single commit, the first approach requires too much disk space. This index would mostly be useful to fairly large nodes (like ours :)) which would not use pruning.

I think that we can simplify collision handling a bit and allow pruning if the index data is stored using the following schema:

• key: siphash(spent_outpoint) + serialize(tx_disk_position)
• value: b""

instead of storing a list of positions per siphash(spent_outpoint).

It supports fast lookup of a outpoint spender by using LevelDB prefix scan (similar to how it's done in electrs and bindex).

When pruning a block, the key can be recomputed and deleted from the index DB (since the key containing the tx_disk_position should be unique).

I think that we can simplify collision handling a bit and allow pruning if the index data is stored using the following schema:

• key: siphash(spent_outpoint) + serialize(tx_disk_position)
• value: b""

instead of storing a list of positions per siphash(spent_outpoint).

It supports fast lookup of a outpoint spender by using LevelDB prefix scan (similar to how it's done in electrs and bindex).

When pruning a block, the key can be recomputed and deleted from the index DB (since the key containing the tx_disk_position should be unique).

Thanks! I used your suggestion in https://github.com/bitcoin/bitcoin/pull/24539/commits/0970256ffb56df6ad663eaa7192aed0e87a4aae3 and it is cleaner than using a list of tx positions.

Approach ACK on using siphash and FlatFilePos.

Do you want to squash the commits? This just feels like an improvement in every regard.

Approach ACK on using siphash and FlatFilePos.

Do you want to squash the commits? This just feels like an improvement in every regard.

Rebased and squashed in https://github.com/bitcoin/bitcoin/commit/845b54defebc1987b9d654ea7b611a4ddebe345a. I also updated the PR description.

ACK 845b54defebc1987b9d654ea7b611a4ddebe345a

I previously wrote software that had to add a bunch of extra logic to accurately react when a certain output was spent. This would have made my life considerably easier.

Re-ACK 9d3dfd77224fbe40033feccb346a167dc5f031a7

Hello there !

I finally had the motivation to upgrade my node to run the last version of this PR and sync the new txospenderindex since the last time in... 2022 😶‍🌫️ !

Here are the size of the indexes once synced at blockheight 921677: <img width="363" height="53" alt="Capture d’écran 2025-11-01 à 00 03 40" src="https://github.com/user-attachments/assets/b0e69f58-449e-4000-804f-00a9e2aa4342" />

Great to see it is now comparable with the usual txindex even with the surge of tx with many small output 👍

@sstone Question -- In LDK, when we confirm transactions, we require the transaction's index-in-block to be provided, for short channel ID construction. I'm curious how this API works for you without this information?

@sstone Question -- In LDK, when we confirm transactions, we require the transaction's index-in-block to be provided, for short channel ID construction. I'm curious how this API works for you without this information?

This index would be used to find if and how channels have been spent (after a restart for example) and would be much more efficient that walking down the blockchain from the tip.

To compute the short channel Id we simply call getrawtransaction which gives us the block hash for the block that confirmed the tx, then load that block to get the tx position in that block.

Concept ACK.

I like the idea of us providing (useful) optional indexes.

I haven't done an in-depth code review yet, but at a high level I feel that this feature would be worthy of a release note? I have reindexed with this enabled and see that the index currently takes about 75GB of space, which could be worth mentioning in such a note so users know what they need before enabling.

❯ du -h .
74G     ./txospenderindex/db
74G     ./txospenderindex

To compute the short channel Id we simply call getrawtransaction which gives us the block hash for the block that confirmed the tx, then load that block to get the tx position in that block.

So you need txindex and make 3 RPC calls? ISTM storing the position in this new index would make it much more efficient and more useful to other people.

To compute the short channel Id we simply call getrawtransaction which gives us the block hash for the block that confirmed the tx, then load that block to get the tx position in that block.

So you need txindex and make 3 RPC calls? ISTM storing the position in this new index would make it much more efficient and more useful to other people.

I could easily return the block hash along with the spending tx, txindex would not be needed anymore but users would still need to call getblock.

<!--85328a0da195eb286784d51f73fa0af9-->

🚧 At least one of the CI tasks failed. _{Task test each commit: https://github.com/bitcoin/bitcoin/actions/runs/19615986599/job/56168637751} _{LLM reason (✨ experimental): Compilation failed due to incorrect return types in src/index/txospenderindex.cpp (static_cast to bool and returning void), leading to a build error.}

<details><summary>Hints</summary>

Try to run the tests locally, according to the documentation. However, a CI failure may still happen due to a number of reasons, for example:

• Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.

• A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.

• An intermittent issue.

Leave a comment here, if you need help tracking down a confusing failure.

</details>

Block hash addition looks good to me. Just needs a small iwyu fix to get the CI to pass again.

re-ACK 38f2f53963e833d25bc71df0713fb28cff17cc43