#28126 (wallet legacy: bugfix, disallow importing invalid scripts via importaddress by furszy)
#28122 (Silent Payments: Implement BIP352 by josibake)
#28031 (Package Relay 1/3: Introduce TxPackageTracker as Orphan Resolution Module by glozow)
#27827 (Silent Payments: send and receive by josibake)
#27432 (contrib: add tool to convert compact-serialized UTXO set to SQLite database by theStack)
#26840 (refactor: importpubkey, importprivkey, importaddress, importmulti, and importdescriptors rpc by KolbyML)
#26711 (validate package transactions with their in-package ancestor sets by glozow)
#26451 (Enforce incentive compatibility for all RBF replacements by sdaftuar)
#20892 (tests: Run both descriptor and legacy tests within a single test invocation by achow101)
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.
instagibbs force-pushed
on Nov 4, 2022
instagibbs force-pushed
on Nov 4, 2022
instagibbs force-pushed
on Nov 4, 2022
luke-jr
commented at 3:48 pm on November 5, 2022:
member
Concept NACK as a mere policy. Without consensus enforcement, cost is a full UTXO which may potentially never be spent. OP_TRUE does not have a weight that reflects this high cost.
instagibbs
commented at 5:48 pm on November 5, 2022:
member
@luke-jr Can you elaborate more on what the potential issues are?
This policy defines that any transaction with such an output must be 0-fee, which means there’s little incentive to mine it on its own, but only as part of a CPFP spend of that output.
Assuming the PR is correct and being run on the network, there should be no way(aside from miners prioritizing the parent explicitly) to leaving the utxo in the uxto set. Prioritizing the parent could also be disallowed easily.
luke-jr
commented at 5:55 pm on November 5, 2022:
member
The main issue I see is that it has a very low weight, but rather high cost. There is no consensus rule requiring it to be spent immediately.
Couldn’t it be CPFP’d by spending another of its outputs?
instagibbs
commented at 1:11 pm on November 6, 2022:
member
The argument here is that dust limits are already policy only, and this is basically a “cut-through” of potentially dust outputs. It’s no practical change of dust policy, except in the case where a miner prioritizes a parent tx with this kind of output after its included in mempool(it’s in the test cases)
JeremyRubin
commented at 4:38 pm on November 6, 2022:
contributor
@luke-jr either you do a consensus fork and everything that entails for something like tx sponsors, or your enable in policy only something like ephemeral anchors.
One option that could be taken would be to make the OP_TRUE script contain an upgradable NOP that we document as reserved to in the future treat as a pre-execution parsed flag with a consensus must-spend rule, and then we’d be able to (if there was wide adoption of ephemeral anchors and we saw utxo bloat) add a consensus rule to enforce them as must-spend.
luke-jr
commented at 5:51 pm on November 6, 2022:
member
One option that could be taken would be to make the OP_TRUE script contain an upgradable NOP that we document as reserved to in the future treat as a pre-execution parsed flag with a consensus must-spend rule, and then we’d be able to (if there was wide adoption of ephemeral anchors and we saw utxo bloat) add a consensus rule to enforce them as must-spend.
I think this would be better, since it allows a real OP_TRUE to be given a more cost-based weight in a future softfork.
maflcko
commented at 9:40 am on November 7, 2022:
member
It would also be possible to deploy a consensus change to treat them as unspendable, unless they are spent in the block they are created in, but it seems odd to enforce policy with consensus, and this is likely the wrong thread to discuss anyway.
JeremyRubin
commented at 5:09 pm on November 7, 2022:
contributor
@MarcoFalke that is an inverse timelock, which has nasty consequences for reorg safety and dependent transactions.
instagibbs
commented at 5:16 pm on November 7, 2022:
member
@JeremyRubin including a NOP would just be to not “camp” a raw single byte value push for a future soft fork? Making sure I didn’t miss the underlying motivation.
JeremyRubin
commented at 5:20 pm on November 7, 2022:
contributor
more or less, you might also be able to do a min byte segwit v1 script (2 bytes?) or something else similar too.
Otherwise you end up with some “specific script template matching upgrade”, which is IMO messy & risks being uneccessarily confiscatory.
ajtowns
commented at 8:25 am on November 9, 2022:
contributor
Camping an OP_NOP and preventing it from being used for any other future soft fork seems worse than camping OP_TRUE.
If in the future we have a soft fork that makes small scriptPubKeys more costly to limit utxo bloat with an exemption for ephmeral outputs that are spent in the same block, which should just apply both rules to all scriptPubKeys, whether they’re OP_TRUE, OP_2, or OP_NOP5 OP_TRUE…
DrahtBot added the label
Needs rebase
on Nov 28, 2022
instagibbs
commented at 6:02 pm on December 16, 2022:
member
I’ll rebase on top of #25038 once it leaves draft mode, since I have to update my tests to new V3 packages.
naumenkogs
commented at 10:32 am on January 3, 2023:
member
What will happen at the p2p level, if the attacker manages to submit a transaction with ephemeral outputs to many nodes but without a child?
It looks like its wtxid will make it into m_recent_rejects, and then the network won’t reconsider the tx even when the child is attached?
instagibbs
commented at 3:39 pm on January 3, 2023:
member
@naumenkogs Ideally I would hope it would be treated like any other too-low-fee transaction, and be re-evaluated again in the package context. I’ll double check, thanks!
in
test/functional/mempool_ephemeral_anchor.py:151
in
62f020d2deoutdated
146+ package_hex4, package_txns4 = self.create_simple_package(parent_coins=parent_coins, parent_fee=0, child_fee=DEFAULT_FEE*2, version=3, spend_anchors=2)
147+ assert_raises_rpc_error(-26, "v3-tx-nonstandard", node.submitpackage, package_hex4)
148+ self.assert_mempool_contents(expected=package_txns3, unexpected=[])
149+
150+ # All ephemeral anchors this time, make sure old child evicted
151+ package_hex5, package_txns5 = self.create_simple_package(parent_coins=parent_coins, parent_fee=0, child_fee=DEFAULT_FEE*2, version=3)
instagibbs
commented at 4:23 pm on January 3, 2023:
todo: double-check we can’t get blinded to a parent tx if submitted separately
fwiw with package relay the plan is to add a separate rejects cache for transactions that failed but are eligible for reconsideration if submitted with another transaction. We wouldn’t validate/download these again by themselves (renews on every change in chain tip similar to recent rejects), but will reconsider if submitted with another tx. It’s intended for these kinds of situations, where a parent needs a child to be valid.
instagibbs marked this as a draft
on Jan 11, 2023
in
test/functional/mempool_ephemeral_anchor.py:334
in
04778d1289outdated
330@@ -331,11 +331,12 @@ def test_xor_rbf(self):
331 self.generate(node, 1)
332 self.assert_mempool_contents(expected=[second_package_txns[1]], unexpected=[])
333334- # Parent can still be prioritised
335+ # Parent can't be prioritised; RPC call succeeds but is modified fees are ignored if it has EAs
ajtowns
commented at 12:14 pm on January 12, 2023:
“its modified fees” ?
instagibbs
commented at 6:48 pm on January 20, 2023:
removed the test since it’s duplicated by v3 work which now trims lower than min relay fee txns
in
src/txmempool.cpp:410
in
04778d1289outdated
406@@ -402,6 +407,11 @@ void CTxMemPoolEntry::UpdateDescendantState(int64_t modifySize, CAmount modifyFe
407408 void CTxMemPoolEntry::UpdateAncestorState(int64_t modifySize, CAmount modifyFee, int64_t modifyCount, int64_t modifySigOps)
409 {
410+ // We don't want to encourage miners to mine these transacitons alone. Instead
ajtowns
commented at 12:14 pm on January 12, 2023:
“transactions”
instagibbs
commented at 6:48 pm on January 20, 2023:
no longer changing this
instagibbs force-pushed
on Jan 20, 2023
instagibbs force-pushed
on Jan 20, 2023
instagibbs force-pushed
on Jan 20, 2023
instagibbs
commented at 6:51 pm on January 20, 2023:
member
instagibbs
commented at 4:35 pm on March 13, 2023:
member
Switched to OP_TRUE, as it was less confusing for at least a few people, and only requires light test editing. Having an odd conflict with master that I am not resolving until parent PR is rebased.
instagibbs force-pushed
on Mar 13, 2023
in
src/policy/policy.cpp:145
in
97d254e5f4outdated
141@@ -142,8 +142,12 @@ bool IsStandardTx(const CTransaction& tx, const std::optional<unsigned>& max_dat
142 reason = "bare-multisig";
143 return false;
144 } else if (IsDust(txout, dust_relay_fee)) {
145- reason = "dust";
146- return false;
147+ // We ensure ephemeral output is spent in the same mempool package
instagibbs
commented at 4:55 pm on March 13, 2023:
suggested in other PR: “switch the ordering? else if (whichType != ANCHOR && IsDust())”
instagibbs force-pushed
on Mar 13, 2023
DrahtBot added the label
Needs rebase
on Mar 13, 2023
instagibbs
commented at 3:02 pm on March 14, 2023:
member
Should a flag be threaded through to disallow any dust outputs even if they’re EA?
Until there is package-aware re-submission, should these transactions just be dropped on the floor? These types of transactions are opting into fairly aggressive fee bumping patterns, maybe that’s an ok first cut.
DrahtBot added the label
Needs rebase
on May 9, 2023
instagibbs
commented at 8:09 pm on June 8, 2023:
member
note to self: after rebased onto BIP331, need to make sure rejected ephemeral anchor tx is put in m_recent_rejects_reconsiderable filter instead of m_recent_rejects
in
src/policy/v3_policy.cpp:139
in
bb3a55a306outdated
135 }
136137+ /* Only allow in package feerate context */
138+ if (!package_context) {
139+ /* Allows re-evaluation in package context */
140+ return state.Invalid(TxValidationResult::TX_MEMPOOL_POLICY, "missing-ephemeral-spends");
should return code like TX_LOW_FEE re:BIP331 to avoid blinding relay of an otherwise valid parent
edit: does this actually matter? in the individual context we never want to reset, really. We only want to try again, per block period, if it’s sent in a package with a new combined hash?
instagibbs
commented at 2:47 pm on July 6, 2023:
member
Random thought:
OP_TRUE is txid-malleable by block maker. e.g., they could theoretically add in superfluous pushes in the scriptSig and this would not fail validation because CLEANSTACK is a policy-only rule. Miner is of course taking less in fees by doing this.
In this particular V3 context, it just means your CPFP could change txid, wouldn’t do anything else. Maybe in a more general context if we weren’t restricted to V3 topology this would be an issue? In the context of keyless anchors, I’m not sure that will ever make sense anyways.
The “fix” would be: OP_DEPTH OP_0 OP_EQUAL, making it consensus-non-malleable at the cost of 8 additional WU. Seems like a bad tradeoff, noting anyways.
0<_aj_> instagibbs: can't a blockmaker put "OP_NOP OP_NOP OP_NOP" in the scriptSig and also satisfy a scriptPubKey of "DEPTH 0 EQUAL" ?
legacy script: i cri everytim
This also means the child transaction spending the ephemeral anchor cannot be relied upon for further transaction chaining, e.g., spent in a splice-in for a LN channel, since the funding output can have its txid mutated. A soft-fork would be necessary.
instagibbs renamed this:
[POLICY] Ephemeral anchors
policy: Ephemeral anchors
on Aug 8, 2023
instagibbs force-pushed
on Aug 9, 2023
instagibbs force-pushed
on Aug 9, 2023
instagibbs force-pushed
on Aug 9, 2023
DrahtBot removed the label
Needs rebase
on Aug 9, 2023
glozow
commented at 10:23 am on August 10, 2023:
member
hacked a quick-ish fix on top of this branch here (it fails some other tests). As discussed offline, the general problem is with calling TrimToSize in the middle of package validation (meaning something can go from already-in-mempool to evicted, or just-submitted to evicted) so a coin may be cached in m_view but then it disappears from the mempool/temporary coins in m_viewmempool. Crash is in CheckInputsFromMempoolAndCache which asserts the coin exists, but it doesn’t anymore. Will open a separate PR to address this since it’s also a problem pre-v3.
[validation] refactor sub-package submissions, call AcceptSingle when only 1 tx
Avoid calling PackageMempoolChecks() when there is only 1 transaction.
Note to reviewers: there is a slight change in the error type returned,
as shown in the txpackage_tests change. When a transaction is the last
one left in the package and its fee is too low, this returns a PCKG_TX
instead of PCKG_POLICY. This interface is clearer;
"package-fee-too-low" for 1 transaction would be a bit misleading.
0678df31d5
[validation] make PackageMempoolAcceptResult members mutable
After the PackageMempoolAcceptResult is returned from
AcceptMultipleTransactions, leave room for results to change due to
LimitMempool() eviction.
62eeee115c
[refactor] back-filling m_tx_results in AcceptPackage472de1dec9
[validation] don't LimitMempoolSize in any subpackage submissionsc2c9dfe95b
[doc] cpfp carveout is excluded in packages
The behavior is not new, but this rule exits earlier than before.
Previously, a carve out could have been granted in PreChecks() but then
nullified in PackageMempoolChecks() when CheckPackageLimits() is called
with the default limits.
9b576f0fb1
[mempool] evict everything below min relay fee in TrimToSize()
At this point it's not expected that there are any such transactions,
except from reorgs and possibly when loading from mempool.dat.
4e8ea37030
[doc] nVersion 3 and package rbf policies0f6f95c98f
[policy] policy rules for nVersion=32c2d96b650
[policy] allow V3 transactions under certain conditionsa28288573d
[policy] allow individual v3 txns to be below min relay feerate
As long as they are otherwise paid for, i.e. through package CPFP.
If a v3 transaction loses its sponsor, we can evict them with no trouble
because it will not have other descendants or ancestors to make the
feerate assessment more complicated.
161b1bb777
[test framework] parameterize version in create_self_transferc16340d7dc
No change in behavior.
For single transaction acceptance, this is a simple refactor:
Workspace::m_all_conflicting -> MemPoolAccept::m_all_conflicts
Workspace::m_replacement_transaction -> MemPoolAccept::m_rbf
Workspace::m_conflicting_fees -> MemPoolAccept::m_conflicting_fees
Workspace::m_conflicting_size -> MemPoolAccept::m_conflicting_size
Workspace::m_replaced_transactions -> MemPoolAccept::m_replaced_transactions
And local variables m_total_vsize and m_total_modified_fees are now
MemPoolAccept members so they can be accessed from PackageMempoolChecks.
We want these to be package-wide variables because
- Transactions could conflict with the same tx (just not the same
prevout), or their conflicts could share descendants.
- We want to compare conflicts with the package fee rather than
individual transaction fee.
5abf6ca5e0
[policy] check whether replacement is more incentive compatible
Avoid accepting replacements that are not more incentive compatible to
mine. For now, as a conservative estimate, require that the minimum
between the transaction's individual feerate and ancestor feerate is
higher than the individual feerates of directly conflicting transactions
and the ancestor feerates of all original transactions.
Note that a package/transaction's ancestor feerate is not perfectly
representative of its incentive compatibility; it may overestimate (some
subset of the ancestors could be included by itself if it has other
high-feerate descendants or are themselves higher feerate than this
package/transaction). This is a conservative estimate and works for now.
Co-authored-by: Suhas Daftuar <sdaftuar@chaincode.com>
78e202e13f
[refactor] rename entries to be more descriptive7e522d4a9a
[unit test] for CheckAncestorScores63dc362cf9
[packages/policy] implement package RBFe642bd3db2
[doc] doc assumptions package RBF
Try to prevent accidental future breakage and document some assumptions
that would break package RBF if changed.
0ee425f6f7
[test util] CreateValidMempoolTransaction version parameter, always signal bip1255ff9462d6b
[test] package rbf06e4187468
Add OP_TRUE as a standard output type
This will be used in following commits
as the flag for ephemeral anchors, allowing
dust values, but also requiring
the output to be spend in the same relay package.
e4fee49ec2
Allow dust anchor outputs
Anchor outputs are not yet required
to be spent in same mempool package.
0bfd0a50cb
Add -ephemeralanchors which when set to false disallows anchor outputsd3d6efbc4e
Allow one ephemeral anchor per transactionc2ef3f67b9
Enforce that ephemeral anchor transactions are 0 base feeb0f93855a3
GetDustThreshold: Make anchor output dust threshold 0 explicitly0f93c45f0e
Functional tests for ephemeral anchors
Does not have test coverage for making sure EA are spent,
and package RBF cases, neither of which exist currently.
e0b764359d
Only allow ephemeral anchors in v3 transactions1c837938c9
Add anchor argument to transaction creation rpcsdb1e5d39a5
Require ephemeral anchors to be spent in mempool atomically
Either in the same relay package, or by transactions RBFing
the CPFP.
1606792bc9
Add test for more complicated ephemeral anchor scenariosa040e2f52e
instagibbs force-pushed
on Aug 10, 2023
instagibbs force-pushed
on Aug 10, 2023
DrahtBot added the label
Needs rebase
on Aug 17, 2023
DrahtBot
commented at 1:51 pm on August 17, 2023:
contributor
🐙 This pull request conflicts with the target branch and needs rebase.
Add test for ephemeral anchors on node restart53e475358b
Test failure to evict ephemeral transaction on node restart1d2ed162ff
Disallow individual submission of ephemeral transaction8f9b0d91be
Test to make sure that EA txns are evicted6ed2626565
Return complete reason for package submission failurec103a4c3c7
Make sure test_sponsor_swap is testing the desired behavior08b575f32c
instagibbs force-pushed
on Oct 31, 2023
whitslack
commented at 7:47 pm on November 15, 2023:
contributor
What’s the point of having a non-malleable version? Okay, so a miner cannot add extra pushes to the input script that spends the anchor, but there is nothing to stop the miner from mining an alternative child transaction that spends only the anchor. Thus, the party that had broadcast the original child transaction will be forced to construct a new spending transaction with a different TxID anyway. Indeed, anyone (not only a miner) is free to propose a replacement child that spends only the anchor, so it will never be okay to depend upon the TxID of a transaction that spends an ephemeral anchor. So again I ask, what is the point of having a non-malleable ephemeral anchor?
instagibbs
commented at 8:44 pm on November 15, 2023:
member
Thus, the party that had broadcast the original child transaction will be forced to construct a new spending transaction with a different TxID anyway
Canonical example here which motivated the change was that of LN channel splicing being used to cpfp bump another transaction, would could be another channel’s commitment transaction itself. This requires the ephemeral anchor-spending tx(the splice) to retain txid stability otherwise funds are locked up in the new funding output.
I understand that not all use-cases require such things, but two points:
It’s easy to expand standardness, and really hard to restrict. In deploying one version, we’ll likely learn lessons we’d want to apply to other versions. If we see tons of uptake from wallets that explicitly don’t care about txid stability? That’s a signal as well.
“I don’t see the problem” is much weaker than “there is no problem” and I’d rather be able to reason via modern bitcoin rules
whitslack
commented at 10:13 pm on November 15, 2023:
contributor
This requires the ephemeral anchor-spending tx(the splice) to retain txid stability otherwise funds are locked up in the new funding output.
The point I was missing is that a non-malleable anchor ensures that the other output(s) do not get spent in a transaction whose TxID was not known in advance of signing. Thank you for the answer.
This is a metadata mirror of the GitHub repository
bitcoin/bitcoin.
This site is not affiliated with GitHub.
Content is generated from a GitHub metadata backup.
generated: 2024-12-22 00:12 UTC
This site is hosted by @0xB10C More mirrored repositories can be found on mirror.b10c.me