Broadcast own transactions only via short-lived Tor or I2P connections

vasild commented at 1:39 pm on February 9, 2024: contributor

Parts of this PR are isolated in independent smaller PRs to ease review:

To improve privacy, broadcast locally submitted transactions (from the sendrawtransaction RPC) to the P2P network only via Tor or I2P short-lived connections, or to IPv4/IPv6 peers but through the Tor network.

Introduce a new connection type for private broadcast of transactions with the following properties:
- started whenever there are local transactions to be sent
- opened to Tor or I2P peers or IPv4/IPv6 via the Tor proxy
- opened regardless of max connections limits
- after handshake is completed one local transaction is pushed to the peer, PING is sent and after receiving PONG the connection is closed
- ignore all incoming messages after handshake is completed (except PONG)
Broadcast transactions submitted via sendrawtransaction using this new mechanism, to a few peers. Keep doing this until we receive back this transaction from one of our ordinary peers (this takes about 1 second on mainnet).
The transaction is stored in peerman and does not enter the mempool.
Once we get an INV from one of our ordinary peers, then the normal flow executes: we request the transaction with GETDATA, receive it with a TX message, put it in our mempool and broadcast it to all our existent connections (as if we see it for the first time).
After we receive the full transaction as a TX message, in reply to our GETDATA request, only then consider the transaction has propagated through the network and remove it from the storage in peerman, ending the private broadcast attempts.

The messages exchange should look like this:

 0tx-sender >--- connect -------> tx-recipient
 1tx-sender >--- VERSION -------> tx-recipient (dummy VERSION with no revealing data)
 2tx-sender <--- VERSION -------< tx-recipient
 3tx-sender <--- WTXIDRELAY ----< tx-recipient (maybe)
 4tx-sender <--- SENDADDRV2 ----< tx-recipient (maybe)
 5tx-sender <--- SENDTXRCNCL ---< tx-recipient (maybe)
 6tx-sender <--- VERACK --------< tx-recipient
 7tx-sender >--- VERACK --------> tx-recipient
 8tx-sender >--- INV/TX --------> tx-recipient
 9tx-sender <--- GETDATA/TX ----< tx-recipient
10tx-sender >--- TX ------------> tx-recipient
11tx-sender >--- PING ----------> tx-recipient
12tx-sender <--- PONG ----------< tx-recipient
13tx-sender disconnects

Whenever a new transaction is received from sendrawtransaction RPC, the node will send it to a few (NUM_PRIVATE_BROADCAST_PER_TX) recipients right away. If after 10-15 mins we still have not heard anything about the transaction from the network, then it will be sent to 1 more peer (see PeerManagerImpl::ReattemptPrivateBroadcast()).

A few considerations:

The short-lived private broadcast connections are very cheap and fast wrt network traffic. It is expected that some of those peers could blackhole the transaction. Just one honest/proper peer is enough for successful propagation.
The peers that receive the transaction could deduce that this is initial transaction broadcast from the transaction originator. This is ok, they can’t identify the sender.

Thank you, @stratospher and @andrewtoth!

Start bitcoind with -privatebroadcast=1 -debug=privatebroadcast.

Create a wallet and get a new address, go to the Signet faucet and request some coins to that address:

0build/bin/bitcoin-cli -chain="signet" createwallet test
1build/bin/bitcoin-cli -chain="signet" getnewaddress

Get a new address for the test transaction recipient:

0build/bin/bitcoin-cli -chain="signet" loadwallet test
1new_address=$(build/bin/bitcoin-cli -chain="signet" getnewaddress)

Create the transaction:

 0# Option 1: `createrawtransaction` and `signrawtransactionwithwallet`:
 1
 2txid=$(build/bin/bitcoin-cli -chain="signet" listunspent | jq -r '.[0] | .txid')
 3vout=$(build/bin/bitcoin-cli -chain="signet" listunspent | jq -r '.[0] | .vout')
 4echo "txid: $txid"
 5echo "vout: $vout"
 6
 7tx=$(build/bin/bitcoin-cli -chain="signet" createrawtransaction "[{\"txid\": \"$txid\", \"vout\": $vout}]" "[{\"$new_address\": 0.00001000}]" 0 false)
 8echo "tx: $tx"
 9
10signed_tx=$(build/bin/bitcoin-cli -chain="signet" signrawtransactionwithwallet "$tx" | jq -r '.hex')
11echo "signed_tx: $signed_tx"
12
13# OR Option 2: `walletcreatefundedpsbt` and `walletprocesspsbt`:
14# This makes it not have to worry about inputs and also automatically sends back change to the wallet.
15# Start `bitcoind` with `-fallbackfee=0.00003000` for instance for 3 sat/vbyte fee.
16
17psbt=$(build/bin/bitcoin-cli -chain="signet" walletcreatefundedpsbt "[]" "[{\"$new_address\": 0.00001000}]" | jq -r '.psbt')
18echo "psbt: $psbt"
19
20signed_tx=$(build/bin/bitcoin-cli -chain="signet" walletprocesspsbt "$psbt" | jq -r '.hex')
21echo "signed_tx: $signed_tx"

Finally, send the transaction:

0raw_tx=$(build/bin/bitcoin-cli -chain="signet" sendrawtransaction "$signed_tx")
1echo "raw_tx: $raw_tx"

New logging category and config option to enable private broadcast
- log: introduce a new category for private broadcast
- init: introduce a new option to enable/disable private broadcast
Implement the private broadcast connection handling on the CConnman side:
- net: introduce a new connection type for private broadcast
- net: implement opening PRIVATE_BROADCAST connections
Prepare BroadcastTransaction() for private broadcast requests:
- net_processing: rename RelayTransaction to better describe what it does
- node: change a tx-relay on/off flag to a tri-state
- net_processing: store transactions for private broadcast in PeerManager
Implement the private broadcast connection handling on the PeerManager side:
- net_processing: reorder the code that handles the VERSION message
- net_processing: handle ConnectionType::PRIVATE_BROADCAST connections
- net_processing: stop private broadcast of a transaction after round-trip
- net_processing: retry private broadcast
Engage the new functionality from sendrawtransaction:
- rpc: use private broadcast from sendrawtransaction RPC if -privatebroadcast is ON
Independent test framework improvement:
- test: move create_malleated_version() to messages.py for reuse
New functional test that exercies some of the new code:
- test: add functional test for local tx relay

This PR would close the following issues: #3828 Clients leak IPs if they are recipients of a transaction #14692 Can’t configure bitocoind to only send tx via Tor but receive clearnet transactions #19042 Tor-only transaction broadcast onlynet=onion alternative #24557 Option for receive events with all networks, but send transactions and/or blocks only with anonymous network[s]? #25450 Ability to broadcast wallet transactions only via dedicated oneshot Tor connections #32235 Tor: TX circuit isolation

Issues that are related, but (maybe?) not to be closed by this PR: #21876 Broadcast a transaction to specific nodes #28636 new RPC: sendrawtransactiontopeer

Further extensions:

Have the wallet do the private broadcast as well, #11887 would have to be resolved.
Have the submitpackage RPC do the private broadcast as well, draft diff in the comment below, thanks @ismaelsadeeq!
Add some stats via RPC, so that the user can better monitor what is going on during and after the broadcast. Currently this can be done via the debug log, but that is not convenient.
Make the private broadcast storage, currently in peerman, persistent over node restarts.
Add (optional) random delay before starting to broadcast the transaction in order to avoid correlating unrelated transactions based on the time when they were broadcast. Suggested independently of this PR here.
Consider periodically sending transactions that did not originate from the node as decoy, discussed here.
Consider waiting for peer’s FEEFILTER message and if the transaction that was sent to the peer is below that threshold, then assume the peer is going to drop it. Then use this knowledge to retry more aggressively with another peer, instead of the current 10 min. See comment below.

A previous incarnation of this can be found at #27509. It puts the transaction in the mempool and (tries to) hide it from the outside observers. This turned out to be too error prone or maybe even impossible.

DrahtBot commented at 1:39 pm on February 9, 2024: contributor

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage & Benchmarks

For details see: https://corecheck.dev/bitcoin/bitcoin/pulls/29415.

Reviews

See the guideline for information on the review process.

Type	Reviewers
Concept ACK	zzzi2p, nothingmuch, jonatack, kdmukai, kevkevinpal, RandyMcMillan, naiyoma, ajtowns
Stale ACK	pinheadmz, mzumsande, andrewtoth

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

Conflicts

Reviewers, this pull request conflicts with the following ones:

#33567 (node: change a tx-relay on/off flag to enum by vasild)
#33300 (fuzz: compact block harness by Crypt-iQ)
#33191 (net: Provide block templates to peers on request by ajtowns)
#32015 (net: replace manual reference counting of CNode with shared_ptr by vasild)
#30595 (kernel: Introduce C header API by TheCharlatan)
#30343 (wallet, logging: Replace WalletLogPrintf() with LogInfo() by ryanofsky)
#30277 ([DO NOT MERGE] Erlay: bandwidth-efficient transaction relay protocol (Full implementation) by sr-gi)
#30116 (p2p: Fill reconciliation sets (Erlay) attempt 2 by sr-gi)
#29700 (kernel, refactor: return error status on all fatal errors by ryanofsky)
#29278 (Wallet: Add maxfeerate wallet startup option by ismaelsadeeq)
#28690 (build: Introduce internal kernel library by TheCharlatan)
#28463 (p2p: Increase inbound capacity for block-relay only connections by mzumsande)
#27865 (wallet: Track no-longer-spendable TXOs separately by achow101)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

1440000bytes commented at 2:12 pm on February 9, 2024: none

I am not sure about this approach to improve privacy. Is it necessary to open new short lived tor/i2p connections for broadcasting the transaction? What are the trade-offs in this implementation vs a simple implementation to relay tx to one or more peers that our node is already connected to?

DrahtBot added the label CI failed on Feb 9, 2024

vasild force-pushed on Feb 10, 2024

vasild commented at 12:16 pm on February 10, 2024: contributor

@1440000bytes, thanks for asking! There is some discussion at #27509 (the previous attempt on this).

Is it necessary to open new short lived tor/i2p connections for broadcasting the transaction?

Yes, it is. See below.

What are the trade-offs in this implementation vs a simple implementation to relay tx to one or more peers that our node is already connected to?

Sending the transaction over clearnet reveals the IP address/geolocation of the sender. A spy with many connections to the network could try to guess who was the originator. So, why not send it to our Tor peers only? Because it is relatively easy for a spy to fingerprint and link clearnet and Tor connections to the same peer. That is, a long running connection over Tor could be linked to a long running clearnet connection. This is why the proposed changes open a short-lived connection that does not reveal any of the identity of the sender.

Would this benefit nodes that don’t have clearnet connections, e.g. Tor/I2P-only nodes? Yes! In the case where the sender sends two otherwise unrelated transactions over the same long-running Tor connection, the recipient will know that they have the same origin, even though they are not related on-chain. Using single shot connections fixes that too.

Related issues:

Linked in the OP, thanks!

DrahtBot removed the label CI failed on Feb 10, 2024

in src/logging.cpp:174 in 2b05af2760 outdated

210-    {BCLog::TXRECONCILIATION, "txreconciliation"},
211-    {BCLog::SCAN, "scan"},
212-    {BCLog::TXPACKAGES, "txpackages"},
213-    {BCLog::ALL, "1"},
214-    {BCLog::ALL, "all"},
215+    {"util", BCLog::UTIL},

davidgumberg commented at 9:48 pm on February 10, 2024:

While touching this, maybe BCLog::UTIL which is not used since #27896 should be dropped?

vasild commented at 2:28 pm on February 11, 2024:

Done in #29419, thanks for the suggestion!

epiccurious commented at 9:56 pm on February 10, 2024: contributor

v2 Transport will be enabled by default in the next release (https://github.com/bitcoin/bitcoin/pull/29347).

If there were eventually a change to force clearnet transactions over v2 transport (so the details of the communications were encrypted), would that solve the same problem that this PR is aiming to solve?

vasild commented at 2:13 pm on February 11, 2024: contributor

@epiccurious, p2p encryption “solves” the spying from intermediate routers on clearnet (aka man-in-the-middle). Tor, I2P and CJDNS solve that too. While this PR uses only Tor and I2P it would solve that problem. But there is more - it will as well solve issues with spying bitcoin nodes.

vasild referenced this in commit b0344c219a on Feb 11, 2024

DrahtBot added the label Needs rebase on Feb 27, 2024

vasild force-pushed on Feb 29, 2024

vasild commented at 1:18 pm on February 29, 2024: contributor

74ba7c7fb5...6fad02cf03: rebase due to conflicts

DrahtBot removed the label Needs rebase on Feb 29, 2024

pinheadmz commented at 4:32 pm on March 8, 2024: member

concept ACK 6fad02cf03

(code review in progress)

I am also testing this feature in Warnet, which deploys a regtest network and even has an internal Tor DA so I can simulate onion routing locally. Currently using a 20-node graph and a scenario which connects the graph, adds onion addresses to the test node, and then sends a raw transaction from the node running this branch.

The private broadcast succeeds frequently but not always. In Warnet anyway I had better luck when the test node had -listenonion=0, I tried that after suspecting that inbound onion connections were removing potential peers from the private broadcast list, but I’m not sure.

I think I noticed this in the original PR as well, if multiple transactions are sent, the count keeps going up without a limit:

0 [privatebroadcast] Requested to open 60 connection(s), trying to open one

Screenshot below, I managed to capture a private broadcast connection! I’ll mention when i get to that commit in review as well, but the connection type "privbcast" is breaking the very nice -netinfo table :-)

So far I have a few questions about the strategy:

How do we pick the onion peers to relay to? If we avoid reusing peers then (especially in my miniature network) we can run out quickly, and nothing ever gets broadcast.
Are we using fresh Tor identities for these connections? I think Wasabi does something like this:

Wasabi connects to each peer through a different Tor stream.

Do you think we need any RPC to get the status of private tx sends or provide the option to abandon (or revert to clearnet?)
I assume you are restricting the feature to sendraw so the wallet doesn’t get involved and try something silly like rebroadcasting over clearnet or inserting in to our own mempool? Do you think future work will integrate the wallet?

privbroadcast

in src/logging.h:73 in e672e55ddb outdated

69@@ -70,6 +70,7 @@ namespace BCLog {
70         TXRECONCILIATION = (1 << 27),
71         SCAN        = (1 << 28),
72         TXPACKAGES  = (1 << 29),
73+        PRIVATE_BROADCAST = (1 << 30),

pinheadmz commented at 4:42 pm on March 8, 2024:

e672e55ddb49378bd5c8e4f03fadae5774310c70 does this mean there is only one bit left in LogFlags : uint32_t ?!

vasild commented at 2:37 pm on March 11, 2024:

Yes. LogFlags is not stored on disk (I hope!) or participate in some permanent on-disk format. It is memory only and can be flipped to uint64_t when needed.

in src/init.cpp:1961 in 72f0dbc99e outdated

1910@@ -1900,6 +1911,23 @@ bool AppInitMain(NodeContext& node, interfaces::BlockAndHeaderTipInfo* tip_info)
1911 
1912     connOptions.m_i2p_accept_incoming = args.GetBoolArg("-i2pacceptincoming", DEFAULT_I2P_ACCEPT_INCOMING);
1913 
1914+    if (args.GetBoolArg("-privatebroadcast", DEFAULT_PRIVATE_BROADCAST)) {
1915+        // If -listenonion is set, then NET_ONION may not be reachable now
1916+        // but may become reachable later, thus only error here if it is not
1917+        // reachable and will not become reachable for sure.
1918+        if (!g_reachable_nets.Contains(NET_I2P) && !g_reachable_nets.Contains(NET_ONION) &&
1919+            (!listenonion || args.IsArgSet("-onlynet"))) {

pinheadmz commented at 4:50 pm on March 8, 2024:

72f0dbc99e6eed26bef21965dabc5f0bebf01b33 if user sets -onlynet=onion do we require (by the time we get to this line) that NET_ONION is reachable? Or couldn’t it come up later, similar to the -listenonion configuration?

vasild commented at 5:15 pm on March 11, 2024:

if user sets -onlynet=onion do we require (by the time we get to this line) that NET_ONION is reachable?

No. -listen=1 -listenonion=1 -torcontrol=... -torpassword=... -onlynet=onion would get us here with NET_ONION being unreachable.

Or couldn’t it come up later, similar to the -listenonion configuration?

Yes, if -listenonion=1 -torcontrol=... -torpassword=... is given then we will later, after startup, connect to the Tor daemon and possibly make NET_ONION reachable.

pinheadmz commented at 5:23 pm on March 11, 2024:

ok so then isn’t it possible for a user to start with -privatebroadcast but i2p and onion aren’t reachable yet? They would get an init error but the Tor daemon could become reachable later, by the time we need it.

vasild commented at 1:12 pm on March 12, 2024:

It would be possible. -privatebroadcast=1 -listenonion=1 -torcontrol=... -torpassword=... would do exactly that and allow the startup to proceed. However, args.IsArgSet("-onlynet") was misplaced. It was intended to give error on things like -privatebroadcast=1 -listenonion=1 -torcontrol=... -torpassword=... -onlynet=ipv4 but it was too strong and would mistakenly forbid -privatebroadcast=1 -listenonion=1 -torcontrol=... -torpassword=... -onlynet=onion as well.

Changed.

in src/bitcoin-cli.cpp:455 in 7a0f492104 outdated

451@@ -452,6 +452,7 @@ class NetinfoRequestHandler : public BaseRequestHandler
452         if (conn_type == "block-relay-only") return "block";
453         if (conn_type == "manual" || conn_type == "feeler") return conn_type;
454         if (conn_type == "addr-fetch") return "addr";
455+        if (conn_type == "private-broadcast") return "privbcast";

pinheadmz commented at 5:51 pm on March 8, 2024:

7a0f492104c1621b7089a64fa330c72b06d30574 "privbcast" needs to be <= 6 characters to fit nicely in the table layout, or you could extend the column width:

https://github.com/bitcoin/bitcoin/blob/1cd2e29870e4ad3b7c57b1d567df0e6df56572b0/src/bitcoin-cli.cpp#L549-L552

vasild commented at 5:54 pm on March 11, 2024:

Changed to privat. Feel free to suggest another name.

in src/node/connection_types.h:84 in 7a0f492104 outdated

79+    /**
80+     * Private broadcast connections are short-lived and only opened to
81+     * privacy networks (Tor, I2P) for relaying privacy-sensitive data (like
82+     * our own transactions) and closed afterwards.
83+     */
84+    PRIVATE_BROADCAST,

pinheadmz commented at 6:06 pm on March 8, 2024:

7a0f492104c1621b7089a64fa330c72b06d30574 I noticed this wasn’t added to the fuzzer, dunno if it needs to be:

https://github.com/bitcoin/bitcoin/blob/1cd2e29870e4ad3b7c57b1d567df0e6df56572b0/src/test/util/net.h#L112-L119

vasild commented at 5:55 pm on March 11, 2024:

Good catch, added!

vasild commented at 6:21 pm on March 8, 2024: contributor

@pinheadmz, excellent! Thank you for looking into this! Replies inline:

The private broadcast succeeds frequently but not always

Lets debug this in a sub-thread in order not to overwhelm the PR main thread: here.

suspecting that inbound onion connections were removing potential peers from the private broadcast list

No, this cannot be the case. Inbound onion connections appear as IPv4 connections coming from the Tor daemon. They do not have any source address associated with them, other than the one of the Tor daemon itself (usually 127.0.0.1).

I think I noticed this in the original PR as well, if multiple transactions are sent, the count keeps going up without a limit

That is now capped at size_t MAX_PRIVATE_BROADCAST_CONNECTIONS{64}.

the connection type "privbcast" is breaking the very nice -netinfo table

This better be addressed in the visualization engine, e.g. by using %5.5s

How do we pick the onion peers to relay to? If we avoid reusing peers then…

We pick a random Tor (or I2P) peer. In the same way we choose the address when we want to have an outbound connection to a peer from a particular network. No attempt to avoid reuse. But we don’t connect to already connected peers. This is the logic as in master.

Are we using fresh Tor identities for these connections?

Yes, if -proxyrandomize=1 (the default). This is the same in master - separate Tor circuit per connection. This PR does the same as Wasabi: https://docs.wasabiwallet.app/why-wasabi/NetworkLevelPrivacy.html#wasabi-wallet-light-node

Do you think we need any RPC to get the status of private tx sends or provide the option to abandon (or revert to clearnet?)

Yes, both would be useful, but as a followup PR. I am afraid putting those here would bloat this PR too much. I could however implement that and publish it under Draft PR that depends on this one, so people can use it during testing.

I assume you are restricting the feature to sendraw so the wallet doesn’t get involved and try something silly like rebroadcasting over clearnet or inserting in to our own mempool?

The reason to omit the wallet is that it currently does not count non-mempool change. For example, if we have 1 BTC and send 0.6 to somebody and 0.4 as change, the wallet will show a balance of 0 (or 1, unchanged? somebody correct me if I am wrong) until the transaction enters the mempool (or gets mined in a block). This would be quite rough user experience. Note that this is already the case in master if -walletbroadcast=0.

Do you think future work will integrate the wallet?

Yes, but I left that for another PR. Omitting it here reduces the size of this PR and allows to deal with the wallet in isolation, after all the distracting infrastructure is in (e.g. log category, new type of connection, the “net” code, etc).

in src/net.cpp:494 in 4e19f9cc98 outdated

455@@ -456,7 +456,7 @@ CNode* CConnman::ConnectNode(CAddress addrConnect, const char *pszDest, bool fCo
456         if (addrConnect.IsI2P() && use_proxy) {
457             i2p::Connection conn;
458 
459-            if (m_i2p_sam_session) {
460+            if (m_i2p_sam_session && conn_type != ConnectionType::PRIVATE_BROADCAST) {

pinheadmz commented at 6:38 pm on March 8, 2024:

4e19f9cc9834c0b76a2d03fea0921879de46fea9 Just to clarify: if a i2p sam session already exists, normally we would re-use it. But in the case of private broadcast we force a new transient session? Comment might be nice here.

vasild commented at 5:55 pm on March 11, 2024:

Yes. Added a comment.

in src/net.cpp:2465 in 4e19f9cc98 outdated

2465+    }
2466+
2467+    LogPrintLevel(BCLog::PRIVATE_BROADCAST,
2468+                  BCLog::Level::Debug,
2469+                  "Requested to open %d connection(s), trying to open one\n",
2470+                  num_needed);

pinheadmz commented at 7:01 pm on March 8, 2024:

4e19f9cc9834c0b76a2d03fea0921879de46fea9 Feels like this log message is not in the right place since this function does not try to open a connection.

vasild commented at 1:16 pm on March 12, 2024:

I think it is ok. This function is a helper of the caller which opens the connection. The doc of the function reads: Decide whether to open a private broadcast connection and if yes, to which network.

in src/net.cpp:3054 in 4e19f9cc98 outdated

2963@@ -2886,6 +2964,16 @@ void CConnman::OpenNetworkConnection(const CAddress& addrConnect, bool fCountFai
2964         return;
2965     pnode->grantOutbound = std::move(grant_outbound);
2966 
2967+    if (conn_type == ConnectionType::PRIVATE_BROADCAST) {
2968+        const size_t before_sub{m_private_broadcast_connections_to_open.fetch_sub(1)};

pinheadmz commented at 7:04 pm on March 8, 2024:

4e19f9cc9834c0b76a2d03fea0921879de46fea9 does this need underflow protection? Just like an Assume() even?

vasild commented at 2:29 pm on March 12, 2024:

Added Assume()

in src/wallet/wallet.cpp:2069 in 532e63279a outdated

2064@@ -2051,7 +2065,7 @@ NodeClock::time_point CWallet::GetDefaultNextResend() { return FastRandomContext
2065 // that depends on the `relay` option. Periodic rebroadcast uses the pattern
2066 // relay=true force=false, while loading into the mempool
2067 // (on start, or after import) uses relay=false force=true.
2068-void CWallet::ResubmitWalletTransactions(bool relay, bool force)
2069+void CWallet::ResubmitWalletTransactions(TxBroadcastMethod broadcast_method, bool force)

pinheadmz commented at 7:22 pm on March 8, 2024:

532e63279a3c04fef8da2c1bb95e5280c94abc4e consider rephrasing the comment on the previous line since relay=true isn’t a thing any more?

vasild commented at 2:36 pm on March 12, 2024:

Right, changed.

in src/net_processing.cpp:1236 in eb9d7386ca outdated

1126+            CTransactionRef tx;
1127+            Priority priority;
1128+        };
1129+
1130+        struct TxidHasher {
1131+            size_t operator()(const Txid& txid) const { return SipHashUint256(0, 0, txid.ToUint256()); }

pinheadmz commented at 7:47 pm on March 8, 2024:

eb9d7386ca82319ab682fc20ab35c13340d108a4 Hashing a hash? Does this just make the std::unordered_map lookups faster because the keys are smaller (looks like 64 bits?)

vasild commented at 4:49 pm on March 12, 2024:

https://www.erisian.com.au/bitcoin-core-dev/log-2024-03-12.html#l-136 switched to SaltedTxidHasher.

in src/net_processing.cpp:1150 in 07dee91112 outdated

1126+                return std::nullopt;
1127+            }
1128+            const Txid& txid = m_by_priority.begin()->second;
1129+            auto it = m_by_txid.find(txid);
1130+            if (it == m_by_txid.end()) {
1131+                return std::nullopt;

pinheadmz commented at 8:23 pm on March 8, 2024:

07dee91112189be02c6694385de261570725b56b this would be unexpected if we had the txid in the priority list but not in the actual txid list, right? Maybe we should at least remove the txid from the priority list if this ever happens, or log something, or like, call the police or something?

vasild commented at 5:20 pm on March 12, 2024:

Added Assume() that the entry is found.

in src/net_processing.cpp:1528 in 07dee91112 outdated

1691+    if (pnode.IsPrivateBroadcastConn()) {
1692+        my_services = NODE_NONE;
1693+        my_time = 0;
1694+        your_services = NODE_NONE;
1695+        your_addr = CService{};
1696+        my_user_agent = "/pynode:0.0.1/";

pinheadmz commented at 8:32 pm on March 8, 2024:

07dee91112189be02c6694385de261570725b56b could this just be blank?

vasild commented at 5:27 pm on March 12, 2024:

See this: #27509 (review)

sr-gi commented at 4:03 pm on May 10, 2024:

I think /pynode:0.0.1/ is as good as any other of the options commented on the linked thread, but having a comment there specifying why this was picked is worth. Any future traveller will be so confuse to see that user agent without context

andrewtoth commented at 6:23 pm on April 6, 2025:

Agree with @sr-gi that having a comment explaining why this ua was chosen would be helpful.

vasild commented at 1:40 pm on April 8, 2025:

Added a comment.

in src/net_processing.cpp:3859 in 07dee91112 outdated

3884@@ -3706,7 +3885,7 @@ void PeerManagerImpl::ProcessMessage(CNode& pfrom, const std::string& msg_type,
3885                       (mapped_as ? strprintf(", mapped_as=%d", mapped_as) : ""));
3886         }
3887 
3888-        if (pfrom.GetCommonVersion() >= SHORT_IDS_BLOCKS_VERSION) {
3889+        if (pfrom.GetCommonVersion() >= SHORT_IDS_BLOCKS_VERSION && !pfrom.IsPrivateBroadcastConn()) {

pinheadmz commented at 8:52 pm on March 8, 2024:

07dee91112189be02c6694385de261570725b56b do you need this here? I thought you had filtered out all the unnecessary messages already in CConnman::PushMessage()

vasild commented at 5:28 pm on March 12, 2024:

Somehow I find this more clear. Some redundancy doesn’t hurt.

in src/net_processing.cpp:5357 in 07dee91112 outdated

5132@@ -4929,6 +5133,16 @@ void PeerManagerImpl::ProcessMessage(CNode& pfrom, const std::string& msg_type,
5133                     if (ping_time.count() >= 0) {
5134                         // Let connman know about this successful ping-pong
5135                         pfrom.PongReceived(ping_time);
5136+                        if (pfrom.IsPrivateBroadcastConn()) {
5137+                            m_tx_for_private_broadcast.BroadcastEnd(pfrom.GetId(), /*confirmed_by_node=*/true);

pinheadmz commented at 8:55 pm on March 8, 2024:

07dee91112189be02c6694385de261570725b56b BroadcastEnd() returns a bool, seems like you could include that in the log message where you have the word “probably”

vasild commented at 5:37 pm on March 12, 2024:

By “probably successful private broadcast” I meant that probably the transaction will successfully reach the network, not that we successfully gave it to one peer. Reworded.

~~Also the return value of BroadcastEnd() was not used by the callers. Changed it to void.~~ ignore this nonsense

pinheadmz commented at 8:59 pm on March 8, 2024: member

Reviewed code through first 11 commits (up to 07dee91112189be02c6694385de261570725b56b) some nits but mostly questions below. I will continue review next week.

Really great clean up in first commit in logging.cpp, very satisfying!

One other out-of-line question, about commit eb9d7386ca82319ab682fc20ab35c13340d108a4, the commit message mentions “poking CConnman to start broadcast” but I don’t think that is in the code in that commit.

DrahtBot added the label Needs rebase on Mar 9, 2024

in src/bitcoin-cli.cpp:452 in 6fad02cf03 outdated

451@@ -452,6 +452,7 @@ class NetinfoRequestHandler : public BaseRequestHandler
452         if (conn_type == "block-relay-only") return "block";

vasild commented at 9:35 am on March 11, 2024:

From the PR main thread #29415 (comment):

The private broadcast succeeds frequently but not always

In the originator’s log you can check to whom is the transaction being sent. Then in the recipient’s logs you can check if it was accepted and further broadcast to everybody. Enable -debug=net -debug=privatebroadcast.

in src/net_processing.cpp:4663 in bc05ddc7b9 outdated

4514@@ -4499,6 +4515,16 @@ void PeerManagerImpl::ProcessMessage(CNode& pfrom, const std::string& msg_type,
4515         const uint256& hash = peer->m_wtxid_relay ? wtxid : txid;
4516         AddKnownTx(*peer, hash);
4517 
4518+        if (m_tx_for_private_broadcast.Remove(ptx)) {

pinheadmz commented at 5:19 pm on March 11, 2024:

bc05ddc7b9369cf263bf88d0a773ca853d3c9af5 maybe I’m missing something, but should we not also adjust m_private_broadcast_connections_to_open when we get our privately broadcast tx back over regular relay? In my first local test, all 5 onion connections were completed before I got the tx back. But if the very first private connection relays the tx around and we get it back, do we still need to bother with the next 4?

vasild commented at 2:33 pm on March 18, 2024:

Yes, good idea. Implemented.

in src/net.cpp:2761 in 4e19f9cc98 outdated

2732@@ -2657,7 +2733,9 @@ void CConnman::ThreadOpenConnections(const std::vector<std::string> connect)
2733             CAddress addr;
2734             NodeSeconds addr_last_try{0s};
2735 
2736-            if (fFeeler) {
2737+            if (open_private_broadcast_to.has_value()) {
2738+                std::tie(addr, addr_last_try) = addrman.Select(/*new_only=*/false, open_private_broadcast_to.value());

pinheadmz commented at 5:31 pm on March 11, 2024:

4e19f9cc9834c0b76a2d03fea0921879de46fea9 what if MaybePickPrivateBroadcastNetwork() chooses i2p but we don’t have any addrs for that network? I think the while loop below may try forever until addrman finally has something for i2p? But we could call MaybePickPrivateBroadcastNetwork() again or just switch to Tor if we know we have addrs there.

vasild commented at 5:50 pm on March 12, 2024:

No, in that case Select() will return an invalid address and we will break; from the inside loop. Then the outside loop will call MaybePickPrivateBroadcastNetwork() again.

in src/net_processing.cpp:1901 in c09d6409c9 outdated

1867+                m_tx_for_private_broadcast.Remove(stale_tx);
1868+            }
1869+        }
1870+    }
1871+
1872+    if (num_stale > num_active + num_to_open) {

pinheadmz commented at 5:40 pm on March 11, 2024:

c09d6409c957af7c449a60778689d6715d9a6628 num_stale is a count of transactions but the other two numbers here count p2p connections, are we still going to use NUM_PRIVATE_BROADCAST_PER_TX here?

vasild commented at 5:53 pm on March 12, 2024:

NUM_PRIVATE_BROADCAST_PER_TX is just for the initial broadcast. Then if a transaction gets stale, we retry one shot at a time. There is no special reason for this. Could be either way.

vasild commented at 2:34 pm on March 18, 2024:

I also renamed the variables to make it clear that we are comparing number of transactions with number of connections.

vasild force-pushed on Mar 11, 2024

vasild commented at 5:56 pm on March 11, 2024: contributor

6fad02cf03...d10a0649b0: rebase due to conflicts and address some suggestions

in src/rpc/mempool.cpp:95 in e36a1b4848 outdated

90@@ -89,11 +91,14 @@ static RPCHelpMan sendrawtransaction()
91             std::string err_string;
92             AssertLockNotHeld(cs_main);
93             NodeContext& node = EnsureAnyNodeContext(request.context);
94+            const auto method = gArgs.GetBoolArg("-privatebroadcast", DEFAULT_PRIVATE_BROADCAST) ?
95+                                    NO_MEMPOOL_PRIVATE_BROADCAST :

pinheadmz commented at 5:59 pm on March 11, 2024:

e36a1b4848f8f762b550a9469993211d41bd6cb9 heh, makes the placement of this function in mempool.cpp a bit arbitrary now!

vasild commented at 12:27 pm on March 13, 2024:

Yeah, it was before as well. Somehow the code and the comments around this say that “the transaction is sent to the mempool for broadcast” which is not quite accurate (in master). I don’t think that the mempool is broadcasting the transaction. Will leave it as it is for now.

in test/functional/test_framework/socks5.py:174 in 2b2e747455 outdated

127@@ -117,6 +128,33 @@ def handle(self):
128             cmdin = Socks5Command(cmd, atyp, addr, port, username, password)
129             self.serv.queue.put(cmdin)
130             logger.debug('Proxy: %s', cmdin)
131+

pinheadmz commented at 6:13 pm on March 11, 2024:

2b2e747455699236200fa3cddddfff7005f6a44a Could be overkill, but you could actually adjust the “dummy response” a few lines up to actually respond accurately, in particular the REPLY field could be used to report a connection failure back to bitcoind.

From https://www.rfc-editor.org/rfc/rfc1928

 0diff --git a/test/functional/test_framework/socks5.py b/test/functional/test_framework/socks5.py
 1index 48ad8bbeea..568e9fa64c 100644
 2--- a/test/functional/test_framework/socks5.py
 3+++ b/test/functional/test_framework/socks5.py
 4@@ -123,7 +123,14 @@ class Socks5Connection():
 5             port = (port_hi << 8) | port_lo
 6 
 7             # Send dummy response
 8-            self.conn.sendall(bytearray([0x05, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]))
 9+            self.conn.sendall(bytearray([
10+                0x05, # Protocol version
11+                0x00, # Reply (0x00 = success)
12+                0x00, # Reserved (must be 0x00)
13+                0x01, # Server bound address type (0x01 = ipv4)
14+                0x00, 0x00, 0x00, 0x00, # Server bound ipv4 address
15+                0x00, 0x00 # Server bound port
16+            ]))
17 
18             cmdin = Socks5Command(cmd, atyp, addr, port, username, password)
19             self.serv.queue.put(cmdin)

vasild commented at 2:16 pm on March 18, 2024:

I will leave it as it is, looks too complicated after looking at doing this for some time.

in test/functional/p2p_private_broadcast.py:56 in d10a0649b0 outdated

61+MAX_BLOCK_RELAY_ONLY_CONNECTIONS = 2
62+NUM_INITIAL_CONNECTIONS = MAX_OUTBOUND_FULL_RELAY_CONNECTIONS + MAX_BLOCK_RELAY_ONLY_CONNECTIONS
63+NUM_PRIVATE_BROADCAST_PER_TX = 5
64+
65+# Fill addrman with these addresses. Must have enough Tor addresses, so that even
66+# if all 10 default connections are opened to a Tor address (!?) there must be more

pinheadmz commented at 6:21 pm on March 11, 2024:

d10a0649b018638574fa7dc316b3e783bf6cee69 just a guess, would this work?

start the node with -addnode=<ipv4> x10
wait for 10 outbounds to connect
addpeeraddress with all the onion and i2p addrs
send raw, etc…

vasild commented at 2:17 pm on March 18, 2024:

No, because -addnode is counted separately from the 10 automatic outbound connections.

in test/functional/p2p_private_broadcast.py:182 in d10a0649b0 outdated

177+            if i == NUM_INITIAL_CONNECTIONS:
178+                # Instruct the SOCKS5 server to redirect the first private
179+                # broadcast connection from nodes[0] to nodes[1]
180+                self.socks5_server.conf.destinations.append({
181+                    "listen_addr": "127.0.0.1", # nodes[1] listen address
182+                    "listen_port": p2p_port(1), # nodes[1] listen port

pinheadmz commented at 6:26 pm on March 11, 2024:

d10a0649b018638574fa7dc316b3e783bf6cee69 nit: slightly confusing to prefix these with listen_ I would expect, like: to_addr to_port requested_to_addr

vasild commented at 2:29 pm on March 18, 2024:

Renamed.

in test/functional/p2p_private_broadcast.py:296 in d10a0649b0 outdated

291+
292+        wtxid_int = int(tx["wtxid"], 16)
293+        inv = CInv(MSG_WTX, wtxid_int)
294+
295+        self.log.info("Checking that the transaction is not in the originator node's mempool")
296+        assert len(tx_originator.getrawmempool()) == 0

pinheadmz commented at 6:40 pm on March 11, 2024:

d10a0649b018638574fa7dc316b3e783bf6cee69 sanity check: you can assert this because none of the private-broadcast peers are connected back to the tx_originator?

vasild commented at 12:40 pm on March 13, 2024:

Yes, exactly.

pinheadmz commented at 6:41 pm on March 11, 2024: member

code review ACK d10a0649b0

Although I think you rebased while was in there, so a few of my commit hashes might be off.

One additional out of line comment, in commit message for 6b8c645ea623875de9e3e3d3f77054dd0a784c20 you are using C++ syntax to describe python :-)

DrahtBot removed the label Needs rebase on Mar 11, 2024

vasild force-pushed on Mar 12, 2024

vasild commented at 6:03 pm on March 12, 2024: contributor

d10a0649b0...5ca891f4e0: address some suggestions

DrahtBot added the label Needs rebase on Mar 12, 2024

vasild force-pushed on Mar 12, 2024

vasild commented at 6:06 pm on March 12, 2024: contributor

5ca891f4e0...b6dce67064: rebase due to conflicts

DrahtBot removed the label Needs rebase on Mar 12, 2024

vasild force-pushed on Mar 13, 2024

vasild commented at 12:44 pm on March 13, 2024: contributor

b6dce67064...cc867ebd62: rebase due to conflicts

iotamega commented at 5:56 pm on March 15, 2024: none

Is this going to be on by default or just an option?

Haven’t had a chance to look at the code submissions yet but I do have concerns if this is on by default that many corporate networks will start blocking installation or that transactions will not be submitted as many corporate networks block Tor or I2P connections by default at the corporate firewall level.

I assume it has failovers as well if it is by default?

pinheadmz commented at 7:09 pm on March 15, 2024: member

Is this going to be on by default or just an option?

This PR only affects transactions sent with RPC sendrawtransaction and only if -privatebroadcast=1 is configured, which is not default

vasild force-pushed on Mar 18, 2024

vasild commented at 2:33 pm on March 18, 2024: contributor

cc867ebd62...4828d46209: rebase and address suggestions

andrewtoth commented at 8:10 pm on March 19, 2024: contributor

Concept ACK

I made similar solutions for EPS and CoreLightning, which I’m happy to see being obviated by adding this functionality to the source!

Curious why this is just pushing an unsolicited TX message instead of using INV/GETDATA/TX? This conversation seems to convince me the latter is better? Also, if the submitted tx is spending unconfirmed outputs, should we support sending the parents to the peer if requested?

vasild commented at 5:23 pm on March 21, 2024: contributor

Curious why this is just pushing an unsolicited TX message instead of using INV/GETDATA/TX? #27509 (review) seems to convince me the latter is better?

I followed up in that conversion. For now I am keeping it as it is, but if you are happy with all the rest and would otherwise ACK, then say so! ;-)

Also, if the submitted tx is spending unconfirmed outputs, should we support sending the parents to the peer if requested?

Right now in master sendrawtransaction RPC operates on a single transaction. Its parents must already be in the mempool. This PR keeps it that way. Parent+child is more for the submitpackage RPC. That + the wallet I will deal with in a followup PRs.

andrewtoth commented at 2:43 pm on March 22, 2024: contributor

Curious why this is just pushing an unsolicited TX message instead of using INV/GETDATA/TX? #27509 (comment) seems to convince me the latter is better?

I followed up in that conversion. For now I am keeping it as it is, but if you are happy with all the rest and would otherwise ACK, then say so! ;-)

Thanks. I read through the proposal to not accept unsolicited TX messages, and the reasoning to reject it makes sense to me. I suppose if you know you’re the originator of a tx, the only reason not to push the tx unsolicited to all your peers is for privacy reasons. However, in this case the privacy reasons are moot because of the ephemeral private connections.

Also, if the submitted tx is spending unconfirmed outputs, should we support sending the parents to the peer if requested?

Right now in master sendrawtransaction RPC operates on a single transaction. Its parents must already be in the mempool. This PR keeps it that way. Parent+child is more for the submitpackage RPC. That + the wallet I will deal with in a followup PRs.

I mean the case where we have a parent unconfirmed tx in our mempool, and the peer we connected to does not. If we push a tx spending that unconfirmed parent, the peer will respond with a GETDATA for the parent tx. So we can either:

Ignore the GETDATA . This will result in our tx not relaying through this connection if the peer doesn’t have all unconfirmed parents.
Wait for the GETDATA and respond with a TX message. We won’t know if the peer will eventually ask for the parent, so this will be tricky and we will have to wait for some time. However, in this time if we receive an INV for it from another peer we can close because we know we were successful.
Push all unconfirmed parents along with the tx we are sending. This will result in potentially wasted bandwidth.

in src/qt/rpcconsole.cpp:519 in 9eee0e9d71 outdated

513@@ -514,7 +514,10 @@ RPCConsole::RPCConsole(interfaces::Node& node, const PlatformStyle *_platformSty
514         tr("Outbound Feeler: short-lived, for testing addresses"),
515         /*: Explanatory text for a short-lived outbound peer connection that is used
516             to request addresses from a peer. */
517-        tr("Outbound Address Fetch: short-lived, for soliciting addresses")};
518+        tr("Outbound Address Fetch: short-lived, for soliciting addresses"),
519+        /*: Explanatory text for a short-lived outbound peer connection that is used
520+            to broadcast privacy-sensitve data (like our transactions). */

mzumsande commented at 5:58 pm on March 26, 2024:

typo: sensitive (this and next line)

vasild commented at 4:08 pm on March 28, 2024:

Fixed, will be in next push.

in src/init.cpp:1024 in 64742d7881 outdated

1011@@ -1007,10 +1012,22 @@ bool AppInitParameterInteraction(const ArgsManager& args)
1012 #endif
1013     // Trim requested connection counts, to fit into system limitations
1014     // <int> in std::min<int>(...) to work around FreeBSD compilation issue described in #2695
1015-    nMaxConnections = std::max(std::min<int>(nMaxConnections, fd_max - nBind - MIN_CORE_FILEDESCRIPTORS - MAX_ADDNODE_CONNECTIONS - NUM_FDS_MESSAGE_CAPTURE), 0);
1016+    nMaxConnections = std::max(std::min<int>(nMaxConnections,

mzumsande commented at 6:13 pm on March 26, 2024:

It seems excessive that MAX_PRIVATE_BROADCAST_CONNECTIONS=64 has the power to reduce nMaxConnections to a lower value even in the case where private broadcast isn’t enabled. Might be better to make that conditional on privatebroadcast, similar to how it’s done with nBind.

vasild commented at 4:10 pm on March 28, 2024:

Done, will be in next push. Good observation!

This raised the unrelated-to-this-PR question https://www.erisian.com.au/bitcoin-core-dev/log-2024-03-28.html#l-59

in src/primitives/transaction.h:446 in 52e6a40d2a outdated

438@@ -439,4 +439,18 @@ class GenTxid
439     friend bool operator<(const GenTxid& a, const GenTxid& b) { return std::tie(a.m_is_wtxid, a.m_hash) < std::tie(b.m_is_wtxid, b.m_hash); }
440 };
441 
442+/**
443+ * Methods to broadcast a local transaction.
444+ * Used to influence BroadcastTransaction() and its callers.
445+ */
446+enum TxBroadcastMethod : uint8_t {

mzumsande commented at 7:53 pm on March 26, 2024:

Wouldn’t this fit better into node/transaction.h , together with BroadcastTransaction ?

vasild commented at 1:22 pm on March 28, 2024:

I think so, but this drags some further changes, are you ok with those:

  0diff --git i/src/interfaces/chain.h w/src/interfaces/chain.h
  1index 315211ae49..eeb5fef42b 100644
  2--- i/src/interfaces/chain.h
  3+++ w/src/interfaces/chain.h
  4@@ -4,12 +4,13 @@
  5 
  6 #ifndef BITCOIN_INTERFACES_CHAIN_H
  7 #define BITCOIN_INTERFACES_CHAIN_H
  8 
  9 #include <blockfilter.h>
 10 #include <common/settings.h>
 11+#include <node/transaction.h>
 12 #include <primitives/transaction.h> // For CTransactionRef
 13 #include <util/result.h>
 14 
 15 #include <functional>
 16 #include <memory>
 17 #include <optional>
 18@@ -215,13 +216,13 @@ public:
 19     //! [@param](/bitcoin-bitcoin/contributor/param/)[in] broadcast_method Whether to add the transaction to the
 20     //! mempool and how/whether to broadcast it.
 21     //! [@param](/bitcoin-bitcoin/contributor/param/)[out] err_string Set if an error occurs.
 22     //! [@return](/bitcoin-bitcoin/contributor/return/) False if the transaction could not be added due to the fee or for another reason.
 23     virtual bool broadcastTransaction(const CTransactionRef& tx,
 24                                       const CAmount& max_tx_fee,
 25-                                      TxBroadcastMethod broadcast_method,
 26+                                      node::TxBroadcastMethod broadcast_method,
 27                                       std::string& err_string) = 0;
 28 
 29     //! Calculate mempool ancestor and descendant counts for the given transaction.
 30     virtual void getTransactionAncestry(const uint256& txid, size_t& ancestors, size_t& descendants, size_t* ancestorsize = nullptr, CAmount* ancestorfees = nullptr) = 0;
 31 
 32     //! For each outpoint, calculate the fee-bumping cost to spend this outpoint at the specified
 33diff --git i/src/node/transaction.h w/src/node/transaction.h
 34index 75c50bab28..01cdfaf1ff 100644
 35--- i/src/node/transaction.h
 36+++ w/src/node/transaction.h
 37@@ -29,12 +29,26 @@ static const CFeeRate DEFAULT_MAX_RAW_TX_FEE_RATE{COIN / 10};
 38 /** Maximum burn value for sendrawtransaction, submitpackage, and testmempoolaccept RPC calls.
 39  * By default, a transaction with a burn value higher than this will be rejected
 40  * by these RPCs and the GUI. This can be overridden with the maxburnamount argument.
 41  */
 42 static const CAmount DEFAULT_MAX_BURN_AMOUNT{0};
 43 
 44+/**
 45+ * Methods to broadcast a local transaction.
 46+ * Used to influence BroadcastTransaction() and its callers.
 47+ */
 48+enum TxBroadcastMethod : uint8_t {
 49+    /// Add the transaction to the mempool and broadcast to all currently connected peers.
 50+    ADD_TO_MEMPOOL_AND_BROADCAST_TO_ALL,
 51+    /// Add the transaction to the mempool, but don't broadcast to anybody.
 52+    ADD_TO_MEMPOOL_NO_BROADCAST,
 53+    /// Omit the mempool and directly send the transaction via a few dedicated connections to
 54+    /// peers on privacy networks.
 55+    NO_MEMPOOL_PRIVATE_BROADCAST,
 56+};
 57+
 58 /**
 59  * Submit a transaction to the mempool and (optionally) relay it to all P2P peers.
 60  *
 61  * Mempool submission can be synchronous (will await mempool entry notification
 62  * over the CValidationInterface) or asynchronous (will submit and not wait for
 63  * notification), depending on the value of wait_callback. wait_callback MUST
 64diff --git i/src/primitives/transaction.h w/src/primitives/transaction.h
 65index 2051ebae5a..ccbeb3ec49 100644
 66--- i/src/primitives/transaction.h
 67+++ w/src/primitives/transaction.h
 68@@ -436,21 +436,7 @@ public:
 69     bool IsWtxid() const { return m_is_wtxid; }
 70     const uint256& GetHash() const LIFETIMEBOUND { return m_hash; }
 71     friend bool operator==(const GenTxid& a, const GenTxid& b) { return a.m_is_wtxid == b.m_is_wtxid && a.m_hash == b.m_hash; }
 72     friend bool operator<(const GenTxid& a, const GenTxid& b) { return std::tie(a.m_is_wtxid, a.m_hash) < std::tie(b.m_is_wtxid, b.m_hash); }
 73 };
 74 
 75-/**
 76- * Methods to broadcast a local transaction.
 77- * Used to influence BroadcastTransaction() and its callers.
 78- */
 79-enum TxBroadcastMethod : uint8_t {
 80-    /// Add the transaction to the mempool and broadcast to all currently connected peers.
 81-    ADD_TO_MEMPOOL_AND_BROADCAST_TO_ALL,
 82-    /// Add the transaction to the mempool, but don't broadcast to anybody.
 83-    ADD_TO_MEMPOOL_NO_BROADCAST,
 84-    /// Omit the mempool and directly send the transaction via a few dedicated connections to
 85-    /// peers on privacy networks.
 86-    NO_MEMPOOL_PRIVATE_BROADCAST,
 87-};
 88-
 89 #endif // BITCOIN_PRIMITIVES_TRANSACTION_H
 90diff --git i/src/rpc/mempool.cpp w/src/rpc/mempool.cpp
 91index 14d303a0b1..ba69446f36 100644
 92--- i/src/rpc/mempool.cpp
 93+++ w/src/rpc/mempool.cpp
 94@@ -8,12 +8,13 @@
 95 #include <kernel/mempool_persist.h>
 96 
 97 #include <chainparams.h>
 98 #include <core_io.h>
 99 #include <kernel/mempool_entry.h>
100 #include <node/mempool_persist_args.h>
101+#include <node/transaction.h>
102 #include <policy/rbf.h>
103 #include <policy/settings.h>
104 #include <primitives/transaction.h>
105 #include <rpc/server.h>
106 #include <rpc/server_util.h>
107 #include <rpc/util.h>
108@@ -91,13 +92,13 @@ static RPCHelpMan sendrawtransaction()
109             AssertLockNotHeld(cs_main);
110             NodeContext& node = EnsureAnyNodeContext(request.context);
111             const TransactionError err = BroadcastTransaction(node,
112                                                               tx,
113                                                               err_string,
114                                                               max_raw_tx_fee,
115-                                                              ADD_TO_MEMPOOL_AND_BROADCAST_TO_ALL,
116+                                                              node::ADD_TO_MEMPOOL_AND_BROADCAST_TO_ALL,
117                                                               /*wait_callback=*/true);
118             if (TransactionError::OK != err) {
119                 throw JSONRPCTransactionError(err, err_string);
120             }
121 
122             return tx->GetHash().GetHex();
123@@ -953,13 +954,13 @@ static RPCHelpMan submitpackage()
124                 // We do not expect an error here; we are only broadcasting things already/still in mempool
125                 std::string err_string;
126                 const auto err = BroadcastTransaction(node,
127                                                       tx,
128                                                       err_string,
129                                                       /*max_tx_fee=*/0,
130-                                                      ADD_TO_MEMPOOL_AND_BROADCAST_TO_ALL,
131+                                                      node::ADD_TO_MEMPOOL_AND_BROADCAST_TO_ALL,
132                                                       /*wait_callback=*/true);
133                 if (err != TransactionError::OK) {
134                     throw JSONRPCTransactionError(err,
135                         strprintf("transaction broadcast failed: %s (%d transactions were broadcast successfully)",
136                             err_string, num_broadcast));
137                 }
138diff --git i/src/wallet/rpc/backup.cpp w/src/wallet/rpc/backup.cpp
139index fdbd44ffe5..2e61a0e945 100644
140--- i/src/wallet/rpc/backup.cpp
141+++ w/src/wallet/rpc/backup.cpp
142@@ -10,12 +10,13 @@
143 #include <clientversion.h>
144 #include <core_io.h>
145 #include <hash.h>
146 #include <interfaces/chain.h>
147 #include <key_io.h>
148 #include <merkleblock.h>
149+#include <node/transaction.h>
150 #include <rpc/util.h>
151 #include <script/descriptor.h>
152 #include <script/script.h>
153 #include <script/solver.h>
154 #include <sync.h>
155 #include <uint256.h>
156@@ -308,13 +309,13 @@ RPCHelpMan importaddress()
157             throw JSONRPCError(RPC_INVALID_ADDRESS_OR_KEY, "Invalid Bitcoin address or script");
158         }
159     }
160     if (fRescan)
161     {
162         RescanWallet(*pwallet, reserver);
163-        pwallet->ResubmitWalletTransactions(ADD_TO_MEMPOOL_NO_BROADCAST, /*force=*/true);
164+        pwallet->ResubmitWalletTransactions(node::ADD_TO_MEMPOOL_NO_BROADCAST, /*force=*/true);
165     }
166 
167     return UniValue::VNULL;
168 },
169     };
170 }
171@@ -479,13 +480,13 @@ RPCHelpMan importpubkey()
172 
173         pwallet->ImportPubKeys({pubKey.GetID()}, {{pubKey.GetID(), pubKey}} , /*key_origins=*/{}, /*add_keypool=*/false, /*internal=*/false, /*timestamp=*/1);
174     }
175     if (fRescan)
176     {
177         RescanWallet(*pwallet, reserver);
178-        pwallet->ResubmitWalletTransactions(ADD_TO_MEMPOOL_NO_BROADCAST, /*force=*/true);
179+        pwallet->ResubmitWalletTransactions(node::ADD_TO_MEMPOOL_NO_BROADCAST, /*force=*/true);
180     }
181 
182     return UniValue::VNULL;
183 },
184     };
185 }
186@@ -1400,13 +1401,13 @@ RPCHelpMan importmulti()
187                 nLowestTimestamp = timestamp;
188             }
189         }
190     }
191     if (fRescan && fRunScan && requests.size()) {
192         int64_t scannedTime = pwallet->RescanFromTime(nLowestTimestamp, reserver, /*update=*/true);
193-        pwallet->ResubmitWalletTransactions(ADD_TO_MEMPOOL_NO_BROADCAST, /*force=*/true);
194+        pwallet->ResubmitWalletTransactions(node::ADD_TO_MEMPOOL_NO_BROADCAST, /*force=*/true);
195 
196         if (pwallet->IsAbortingRescan()) {
197             throw JSONRPCError(RPC_MISC_ERROR, "Rescan aborted by user.");
198         }
199         if (scannedTime > nLowestTimestamp) {
200             std::vector<UniValue> results = response.getValues();
201@@ -1694,13 +1695,13 @@ RPCHelpMan importdescriptors()
202         pwallet->ConnectScriptPubKeyManNotifiers();
203     }
204 
205     // Rescan the blockchain using the lowest timestamp
206     if (rescan) {
207         int64_t scanned_time = pwallet->RescanFromTime(lowest_timestamp, reserver, /*update=*/true);
208-        pwallet->ResubmitWalletTransactions(ADD_TO_MEMPOOL_NO_BROADCAST, /*force=*/true);
209+        pwallet->ResubmitWalletTransactions(node::ADD_TO_MEMPOOL_NO_BROADCAST, /*force=*/true);
210 
211         if (pwallet->IsAbortingRescan()) {
212             throw JSONRPCError(RPC_MISC_ERROR, "Rescan aborted by user.");
213         }
214 
215         if (scanned_time > lowest_timestamp) {
216diff --git i/src/wallet/test/wallet_tests.cpp w/src/wallet/test/wallet_tests.cpp
217index 003d1aab29..2377c71e21 100644
218--- i/src/wallet/test/wallet_tests.cpp
219+++ w/src/wallet/test/wallet_tests.cpp
220@@ -10,12 +10,13 @@
221 #include <vector>
222 
223 #include <addresstype.h>
224 #include <interfaces/chain.h>
225 #include <key_io.h>
226 #include <node/blockstorage.h>
227+#include <node/transaction.h>
228 #include <policy/policy.h>
229 #include <rpc/server.h>
230 #include <script/solver.h>
231 #include <test/util/logging.h>
232 #include <test/util/random.h>
233 #include <test/util/setup_common.h>
234@@ -819,13 +820,13 @@ BOOST_FIXTURE_TEST_CASE(CreateWallet, TestChain100Setup)
235     });
236     std::string error;
237     m_coinbase_txns.push_back(CreateAndProcessBlock({}, GetScriptForRawPubKey(coinbaseKey.GetPubKey())).vtx[0]);
238     auto block_tx = TestSimpleSpend(*m_coinbase_txns[0], 0, coinbaseKey, GetScriptForRawPubKey(key.GetPubKey()));
239     m_coinbase_txns.push_back(CreateAndProcessBlock({block_tx}, GetScriptForRawPubKey(coinbaseKey.GetPubKey())).vtx[0]);
240     auto mempool_tx = TestSimpleSpend(*m_coinbase_txns[1], 0, coinbaseKey, GetScriptForRawPubKey(key.GetPubKey()));
241-    BOOST_CHECK(m_node.chain->broadcastTransaction(MakeTransactionRef(mempool_tx), DEFAULT_TRANSACTION_MAXFEE, ADD_TO_MEMPOOL_NO_BROADCAST, error));
242+    BOOST_CHECK(m_node.chain->broadcastTransaction(MakeTransactionRef(mempool_tx), DEFAULT_TRANSACTION_MAXFEE, node::ADD_TO_MEMPOOL_NO_BROADCAST, error));
243 
244 
245     // Reload wallet and make sure new transactions are detected despite events
246     // being blocked
247     // Loading will also ask for current mempool transactions
248     wallet = TestLoadWallet(context);
249@@ -861,13 +862,13 @@ BOOST_FIXTURE_TEST_CASE(CreateWallet, TestChain100Setup)
250     auto handler = HandleLoadWallet(context, [&](std::unique_ptr<interfaces::Wallet> wallet) {
251             BOOST_CHECK(rescan_completed);
252             m_coinbase_txns.push_back(CreateAndProcessBlock({}, GetScriptForRawPubKey(coinbaseKey.GetPubKey())).vtx[0]);
253             block_tx = TestSimpleSpend(*m_coinbase_txns[2], 0, coinbaseKey, GetScriptForRawPubKey(key.GetPubKey()));
254             m_coinbase_txns.push_back(CreateAndProcessBlock({block_tx}, GetScriptForRawPubKey(coinbaseKey.GetPubKey())).vtx[0]);
255             mempool_tx = TestSimpleSpend(*m_coinbase_txns[3], 0, coinbaseKey, GetScriptForRawPubKey(key.GetPubKey()));
256-            BOOST_CHECK(m_node.chain->broadcastTransaction(MakeTransactionRef(mempool_tx), DEFAULT_TRANSACTION_MAXFEE, ADD_TO_MEMPOOL_NO_BROADCAST, error));
257+            BOOST_CHECK(m_node.chain->broadcastTransaction(MakeTransactionRef(mempool_tx), DEFAULT_TRANSACTION_MAXFEE, node::ADD_TO_MEMPOOL_NO_BROADCAST, error));
258             m_node.validation_signals->SyncWithValidationInterfaceQueue();
259         });
260     wallet = TestLoadWallet(context);
261     // Since mempool transactions are requested at the end of loading, there will
262     // be 2 additional AddToWallet calls, one from the previous test, and a duplicate for mempool_tx
263     BOOST_CHECK_EQUAL(addtx_count, 2 + 2);
264diff --git i/src/wallet/wallet.cpp w/src/wallet/wallet.cpp
265index 0904399926..2566b2d543 100644
266--- i/src/wallet/wallet.cpp
267+++ w/src/wallet/wallet.cpp
268@@ -24,12 +24,13 @@
269 #include <interfaces/wallet.h>
270 #include <kernel/chain.h>
271 #include <kernel/mempool_removal_reason.h>
272 #include <key.h>
273 #include <key_io.h>
274 #include <logging.h>
275+#include <node/transaction.h>
276 #include <outputtype.h>
277 #include <policy/feerate.h>
278 #include <primitives/block.h>
279 #include <primitives/transaction.h>
280 #include <psbt.h>
281 #include <pubkey.h>
282@@ -1999,13 +2000,13 @@ CWallet::ScanResult CWallet::ScanForWalletTransactions(const uint256& start_bloc
283     }
284     return result;
285 }
286 
287 bool CWallet::SubmitTxMemoryPoolAndRelay(CWalletTx& wtx,
288                                          std::string& err_string,
289-                                         TxBroadcastMethod broadcast_method) const
290+                                         node::TxBroadcastMethod broadcast_method) const
291 {
292     AssertLockHeld(cs_wallet);
293 
294     // Can't relay if wallet is not broadcasting
295     if (!GetBroadcastTransactions()) return false;
296     // Don't relay abandoned transactions
297@@ -2016,19 +2017,19 @@ bool CWallet::SubmitTxMemoryPoolAndRelay(CWalletTx& wtx,
298     // Don't try to submit conflicted or confirmed transactions.
299     if (GetTxDepthInMainChain(wtx) != 0) return false;
300 
301     // Submit transaction to mempool for relay
302     const char* what{""};
303     switch (broadcast_method) {
304-    case ADD_TO_MEMPOOL_AND_BROADCAST_TO_ALL:
305+    case node::ADD_TO_MEMPOOL_AND_BROADCAST_TO_ALL:
306         what = "to mempool and for broadcast to all peers";
307         break;
308-    case ADD_TO_MEMPOOL_NO_BROADCAST:
309+    case node::ADD_TO_MEMPOOL_NO_BROADCAST:
310         what = "to mempool without broadcast";
311         break;
312-    case NO_MEMPOOL_PRIVATE_BROADCAST:
313+    case node::NO_MEMPOOL_PRIVATE_BROADCAST:
314         what = "for private broadcast without adding to the mempool";
315         break;
316     }
317     WalletLogPrintf("Submitting wtx %s %s\n", wtx.GetHash().ToString(), what);
318     // We must set TxStateInMempool here. Even though it will also be set later by the
319     // entered-mempool callback, if we did not there would be a race where a
320@@ -2095,13 +2096,13 @@ NodeClock::time_point CWallet::GetDefaultNextResend() { return FastRandomContext
321 // The `force` option results in all unconfirmed transactions being submitted to
322 // the mempool. This does not necessarily result in those transactions being relayed,
323 // that depends on the `broadcast_method` option. Periodic rebroadcast uses the pattern
324 // broadcast_method=ADD_TO_MEMPOOL_AND_BROADCAST_TO_ALL force=false, while loading into
325 // the mempool (on start, or after import) uses
326 // broadcast_method=ADD_TO_MEMPOOL_NO_BROADCAST force=true.
327-void CWallet::ResubmitWalletTransactions(TxBroadcastMethod broadcast_method, bool force)
328+void CWallet::ResubmitWalletTransactions(node::TxBroadcastMethod broadcast_method, bool force)
329 {
330     // Don't attempt to resubmit if the wallet is configured to not broadcast,
331     // even if forcing.
332     if (!fBroadcastTransactions) return;
333 
334     int submitted_tx_count = 0;
335@@ -2136,13 +2137,13 @@ void CWallet::ResubmitWalletTransactions(TxBroadcastMethod broadcast_method, boo
336 /** @} */ // end of mapWallet
337 
338 void MaybeResendWalletTxs(WalletContext& context)
339 {
340     for (const std::shared_ptr<CWallet>& pwallet : GetWallets(context)) {
341         if (!pwallet->ShouldResend()) continue;
342-        pwallet->ResubmitWalletTransactions(ADD_TO_MEMPOOL_AND_BROADCAST_TO_ALL, /*force=*/false);
343+        pwallet->ResubmitWalletTransactions(node::ADD_TO_MEMPOOL_AND_BROADCAST_TO_ALL, /*force=*/false);
344         pwallet->SetNextResend();
345     }
346 }
347 
348 
349 /** [@defgroup](/bitcoin-bitcoin/contributor/defgroup/) Actions
350@@ -2344,13 +2345,13 @@ void CWallet::CommitTransaction(CTransactionRef tx, mapValue_t mapValue, std::ve
351     if (!fBroadcastTransactions) {
352         // Don't submit tx to the mempool
353         return;
354     }
355 
356     std::string err_string;
357-    if (!SubmitTxMemoryPoolAndRelay(*wtx, err_string, ADD_TO_MEMPOOL_AND_BROADCAST_TO_ALL)) {
358+    if (!SubmitTxMemoryPoolAndRelay(*wtx, err_string, node::ADD_TO_MEMPOOL_AND_BROADCAST_TO_ALL)) {
359         WalletLogPrintf("CommitTransaction(): Transaction cannot be broadcast immediately, %s\n", err_string);
360         // TODO: if we expect the failure to be long term or permanent, instead delete wtx from the wallet and return failure.
361     }
362 }
363 
364 DBErrors CWallet::LoadWallet()
365@@ -3389,13 +3390,13 @@ bool CWallet::UpgradeWallet(int version, bilingual_str& error)
366 }
367 
368 void CWallet::postInitProcess()
369 {
370     // Add wallet transactions that aren't already in a block to mempool
371     // Do this here as mempool requires genesis block to be loaded
372-    ResubmitWalletTransactions(ADD_TO_MEMPOOL_NO_BROADCAST, /*force=*/true);
373+    ResubmitWalletTransactions(node::ADD_TO_MEMPOOL_NO_BROADCAST, /*force=*/true);
374 
375     // Update wallet transactions with current mempool transactions.
376     WITH_LOCK(cs_wallet, chain().requestMempoolTransactions(*this));
377 }
378 
379 bool CWallet::BackupWallet(const std::string& strDest) const
380diff --git i/src/wallet/wallet.h w/src/wallet/wallet.h
381index 8f9881c304..ceadabf165 100644
382--- i/src/wallet/wallet.h
383+++ w/src/wallet/wallet.h
384@@ -9,12 +9,13 @@
385 #include <addresstype.h>
386 #include <consensus/amount.h>
387 #include <interfaces/chain.h>
388 #include <interfaces/handler.h>
389 #include <kernel/cs_main.h>
390 #include <logging.h>
391+#include <node/transaction.h>
392 #include <outputtype.h>
393 #include <policy/feerate.h>
394 #include <primitives/transaction.h>
395 #include <script/interpreter.h>
396 #include <script/script.h>
397 #include <support/allocators/secure.h>
398@@ -631,13 +632,13 @@ public:
399     ScanResult ScanForWalletTransactions(const uint256& start_block, int start_height, std::optional<int> max_height, const WalletRescanReserver& reserver, bool fUpdate, const bool save_progress);
400     void transactionRemovedFromMempool(const CTransactionRef& tx, MemPoolRemovalReason reason) override;
401     /** Set the next time this wallet should resend transactions to 12-36 hours from now, ~1 day on average. */
402     void SetNextResend() { m_next_resend = GetDefaultNextResend(); }
403     /** Return true if all conditions for periodically resending transactions are met. */
404     bool ShouldResend() const;
405-    void ResubmitWalletTransactions(TxBroadcastMethod broadcast_method, bool force);
406+    void ResubmitWalletTransactions(node::TxBroadcastMethod broadcast_method, bool force);
407 
408     OutputType TransactionChangeType(const std::optional<OutputType>& change_type, const std::vector<CRecipient>& vecSend) const;
409 
410     /** Fetch the inputs and sign with SIGHASH_ALL. */
411     bool SignTransaction(CMutableTransaction& tx) const EXCLUSIVE_LOCKS_REQUIRED(cs_wallet);
412     /** Sign the tx given the input coins and sighash. */
413@@ -676,13 +677,13 @@ public:
414      * [@param](/bitcoin-bitcoin/contributor/param/)[in] mapValue key-values to be set on the transaction.
415      * [@param](/bitcoin-bitcoin/contributor/param/)[in] orderForm BIP 70 / BIP 21 order form details to be set on the transaction.
416      */
417     void CommitTransaction(CTransactionRef tx, mapValue_t mapValue, std::vector<std::pair<std::string, std::string>> orderForm);
418 
419     /** Pass this transaction to node for optional mempool insertion and relay to peers. */
420-    bool SubmitTxMemoryPoolAndRelay(CWalletTx& wtx, std::string& err_string, TxBroadcastMethod broadcast_method) const
421+    bool SubmitTxMemoryPoolAndRelay(CWalletTx& wtx, std::string& err_string, node::TxBroadcastMethod broadcast_method) const
422         EXCLUSIVE_LOCKS_REQUIRED(cs_wallet);
423 
424     bool ImportScripts(const std::set<CScript> scripts, int64_t timestamp) EXCLUSIVE_LOCKS_REQUIRED(cs_wallet);
425     bool ImportPrivKeys(const std::map<CKeyID, CKey>& privkey_map, const int64_t timestamp) EXCLUSIVE_LOCKS_REQUIRED(cs_wallet);
426     bool ImportPubKeys(const std::vector<CKeyID>& ordered_pubkeys, const std::map<CKeyID, CPubKey>& pubkey_map, const std::map<CKeyID, std::pair<CPubKey, KeyOriginInfo>>& key_origins, const bool add_keypool, const bool internal, const int64_t timestamp) EXCLUSIVE_LOCKS_REQUIRED(cs_wallet);
427     bool ImportScriptPubKeys(const std::string& label, const std::set<CScript>& script_pub_keys, const bool have_solving_data, const bool apply_label, const int64_t timestamp) EXCLUSIVE_LOCKS_REQUIRED(cs_wallet);

mzumsande commented at 3:27 pm on March 28, 2024:

Hmm, after looking at that diff I’m not so sure . It’s probably a layer violation include node/ files from the wallet. On the other hand, having this enum in primitive/transaction.h still doesn’t feel right, given that this isn’t really a primitive property of a transaction like COutPoint. Maybe put it into another (new) file in kernel/, and handle it similar to enum class ChainstateRole and enum class MemPoolRemovalReason could be the best way?

vasild commented at 4:24 pm on March 28, 2024:

Maybe it is ok to include node/ from the wallet:

 0$ git grep node/ origin/master -- "*wallet*"
 1origin/master:src/bench/wallet_balance.cpp:7:#include <node/chainstate.h>
 2origin/master:src/bench/wallet_balance.cpp:8:#include <node/context.h>
 3origin/master:src/bench/wallet_create.cpp:10:#include <node/context.h>
 4origin/master:src/bench/wallet_create_tx.cpp:10:#include <node/context.h>
 5origin/master:src/bench/wallet_ismine.cpp:12:#include <node/context.h>
 6origin/master:src/bench/wallet_loading.cpp:11:#include <node/context.h>
 7origin/master:src/qt/walletframe.cpp:7:#include <node/interface_ui.h>
 8origin/master:src/qt/walletmodel.cpp:21:#include <node/interface_ui.h>
 9origin/master:src/qt/walletview.cpp:22:#include <node/interface_ui.h>
10origin/master:src/wallet/init.cpp:16:#include <node/context.h>
11origin/master:src/wallet/init.cpp:17:#include <node/interface_ui.h>
12origin/master:src/wallet/test/coinselector_tests.cpp:6:#include <node/context.h>
13origin/master:src/wallet/test/init_test_fixture.h:10:#include <node/context.h>
14origin/master:src/wallet/test/ismine_tests.cpp:7:#include <node/context.h>
15origin/master:src/wallet/test/wallet_test_fixture.h:12:#include <node/context.h>
16origin/master:src/wallet/test/wallet_tests.cpp:15:#include <node/blockstorage.h>
17origin/master:test/functional/test_framework/wallet.py:141:            # Sort tx by ancestor count. See BlockAssembler::SortForBlock in src/node/miner.cpp

mzumsande commented at 4:53 pm on March 28, 2024:

@TheCharlatan you probably dealt a lot with these kind of questions for kernel, do you have an opinion where this enum should be?

ryanofsky commented at 5:39 pm on March 28, 2024:

re: #29415 (review)

I’d suggest moving TxBroadcastMethod enum to node/types.h, which doesn’t exist yet but is introduced in #29015, and could be added here as well.

It’s probably a layer violation include node/ files from the wallet.

We don’t want wallet code to call node functions or use internal node types, but node and wallet code do define a handful of “public” types (CNodeStats, CNodeStateStats, and SynchronizationState, AddressPurpose, isminetype, CRecipient, and CCoinControl) I mentioned recently in #29015 (review) that are useful even without depending on node or wallet libraries, and I think it makes sense to put the lightweight types in node/types.h, wallet/types.h, common/types.h files so they can be explained and used without dragging in other things. Other options I mentioned in that comment:

We do have a choice where about where to put public types which are not really part of any library. We can put them in the interfaces directory, or in common, or in the node and wallet directories. Personally, I think it makes sense to put them in the wallet directory when they are related to wallet functionality and used by wallet code, put them in the node directory when they are related to node functionality and used by node code, put them in the common directory when they are related to common functionality (like PSBT) and used by common code. The comments at the top of {node,wallet,common}/types.h files are meant to explain the idea that these are public types.

vasild commented at 10:27 am on March 29, 2024:

Moved to node/types.h (new file). Could put it elsewhere if there are better suggestions. Thanks for the suggestion!

Edit: btw, the doxygen comment should have \file on its own line. See https://www.doxygen.nl/manual/commands.html#cmdfile and run doxygen doc/Doxyfile and then inspect doc/doxygen/html/node_2types_8h.html.

in src/net.cpp:356 in 5ce95d9960 outdated

365@@ -366,7 +366,16 @@ bool CConnman::CheckIncomingNonce(uint64_t nonce)
366 {
367     LOCK(m_nodes_mutex);
368     for (const CNode* pnode : m_nodes) {
369-        if (!pnode->fSuccessfullyConnected && !pnode->IsInboundConn() && pnode->GetLocalNonce() == nonce)
370+        // Omit private broadcast connections from this check to prevent this privacy attack:

mzumsande commented at 9:35 pm on March 26, 2024:

The peer starts connecting to (clearnet) nodes and sends them a VERSION message which contains our nonce. If the peer manages to connect to us we would disconnect.

I’m confused by this attack. First, if the peer connects to us over clearnet it would be an inbound connection for us - we don’t disconnect inbounds, see !pnode->IsInboundConn() a few lines below. Second, even if we did disconnect, I still don’t see the how the attack could work - it would be a new connection with a new ID and a new nonce (the nonce is created using the peer id here, so it should be different for each peer).

vasild commented at 2:01 pm on March 28, 2024:

I reread your statement and the code a few times and I think that the code is legit (or the attack the code is guarding against could happen). Let me elaborate:

We connect for a private broadcast to boopeer.onion and send them nonce=1234 in our VERSION message. For this an entry is added to CConnman::m_nodes that has IsInboundConn() == false.
The boo guy delays their VERACK on the private connection and connects to random nodes on clearnet. Assuming we also listen on clearnet address, they are lucky enough and manage to connect to us. They send us VERSION with nonce=1234. For this connection IsInboundConn() == true on our side and this code is executed:

https://github.com/bitcoin/bitcoin/blob/c8e3978114716bb8fb10695b9d187652f3ab4926/src/net_processing.cpp#L3532-L3537

passing nonce=1234 to CheckIncomingNonce() which finds the entry in m_nodes from 1. and returns false. Then the clearnet connection from 2. is closed by us.

Makes sense?

mzumsande commented at 3:30 pm on March 28, 2024:

Yes, now it makes sense, thanks! I’m not sure where I got confused, I probably misread the existing code.

mzumsande commented at 9:47 pm on March 26, 2024: contributor

Haven’t finished my review yet, but submitting a few comments.

jb55 commented at 3:51 pm on March 27, 2024: contributor

Oh wow just saw this! Thank you. Will review.

zzzi2p commented at 7:08 pm on March 28, 2024: none

Concept ACK

This is consistent with i2p guidelines on resource usage. Good work!

vasild force-pushed on Mar 29, 2024

vasild commented at 10:48 am on March 29, 2024: contributor

4828d46209...09ad469cc1: rebase and address suggestions

vasild commented at 11:02 am on March 29, 2024: contributor

I mean the case where we have a parent unconfirmed tx in our mempool, and the peer we connected to does not. If we push a tx spending that unconfirmed parent, the peer will respond with a GETDATA for the parent tx…

I will keep it simple stupid for now, meaning that in this case that particular peer will not relay the transaction further. Others should succeed. If “nobody” has the parent in their mempool, then somehow we are trying to broadcast an orphaned transaction with parent(s) not seen by the network. Can say that this is not supported at this point and will best be supported by a future submitpackage which does private broadcast.

vasild force-pushed on Mar 29, 2024

DrahtBot commented at 11:41 am on March 29, 2024: contributor

🚧 At least one of the CI tasks failed. Make sure to run all tests locally, according to the documentation.

Possibly this is due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.

Leave a comment here, if you need help tracking down a confusing failure.

Debug: https://github.com/bitcoin/bitcoin/runs/23235305634

DrahtBot added the label CI failed on Mar 29, 2024

in test/functional/p2p_private_broadcast.py:296 in c7e4d5cb2b outdated

291+
292+        wtxid_int = int(tx["wtxid"], 16)
293+        inv = CInv(MSG_WTX, wtxid_int)
294+
295+        self.log.info("Checking that the transaction is not in the originator node's mempool")
296+        assert len(tx_originator.getrawmempool()) == 0

brunoerg commented at 6:35 pm on March 29, 2024:

nit:

0        assert_equal(len(tx_originator.getrawmempool()), 0)

vasild commented at 4:21 pm on April 1, 2024:

Done.

in src/rpc/mempool.cpp:96 in cf76f4f0fe outdated

92@@ -91,11 +93,14 @@ static RPCHelpMan sendrawtransaction()
93             std::string err_string;
94             AssertLockNotHeld(cs_main);
95             NodeContext& node = EnsureAnyNodeContext(request.context);
96+            const auto method = gArgs.GetBoolArg("-privatebroadcast", DEFAULT_PRIVATE_BROADCAST)

brunoerg commented at 8:55 pm on March 29, 2024:

In cf76f4f0fe1a3ef0730f70a035c10e01712b6d6b: Shouldn’t we check here whether any private network is reachable? Because we can start a node with -privatebroadcast with NET_ONION becoming reachable later, no?

vasild commented at 4:23 pm on April 1, 2024:

Done.

in src/bitcoin-cli.cpp:691 in c7e4d5cb2b outdated

664+        "           \"full\"      - full relay, the default\n"
665+        "           \"block\"     - block relay; like full relay but does not relay transactions or addresses\n"
666+        "           \"manual\"    - peer we manually added using RPC addnode or the -addnode/-connect config options\n"
667+        "           \"feeler\"    - short-lived connection for testing addresses\n"
668+        "           \"addr\"      - address fetch; short-lived connection for requesting addresses\n"
669+        "           \"privat\"    - private broadcast; short-lived connection for broadcasting our transactions\n"

brunoerg commented at 2:20 pm on March 30, 2024:

0        "           \"private\"    - private broadcast; short-lived connection for broadcasting our transactions\n"

vasild commented at 4:28 pm on April 1, 2024:

It was suggested that this be 6 chars or less: #29415 (review). Feel free to suggest another name.

sr-gi commented at 8:21 pm on May 6, 2024:

I’d go with priv, but just my opinion

vasild commented at 1:08 pm on May 21, 2024:

Changed to "priv".

luke-jr commented at 2:47 am on April 13, 2025:

Still documented as “privat”

vasild commented at 5:09 am on April 13, 2025:

Fixed, thanks!

in src/net.cpp:2580 in b1f65ba837 outdated

2560@@ -2493,7 +2561,17 @@ void CConnman::ThreadOpenConnections(const std::vector<std::string> connect)
2561             }
2562         }
2563 
2564-        CSemaphoreGrant grant(*semOutbound);
2565+        MaybePickPrivateBroadcastNetwork(open_private_broadcast_to,
2566+                                         m_private_broadcast_connections_to_open.load(),
2567+                                         num_private_broadcast_opened);
2568+
2569+        // Don't wait for outbound connection slot to be available if we are going

brunoerg commented at 9:47 am on April 1, 2024:

Private connections are opened regardless of max connections limits, I think we could cover it in the functional test.

vasild commented at 4:25 pm on April 1, 2024:

The current functional test already opens the usual 10 connections and then fires a private broadcast one. Is this what you mean?

brunoerg commented at 4:27 pm on April 1, 2024:

Yes, I missed that. Nevermind.

in src/net.cpp:2411 in b1f65ba837 outdated

2406+ * value. When the function ends if this has value then it will contain the network
2407+ * to which to open the connection.
2408+ * @param[in] num_needed Number of private broadcast connections that need to be opened.
2409+ * @param[in] num_opened Number of private broadcast connections that are currently opened.
2410+ */
2411+static void MaybePickPrivateBroadcastNetwork(std::optional<Network>& net, size_t num_needed, size_t num_opened)

brunoerg commented at 12:12 pm on April 1, 2024:

In b1f65ba837a805dc8f855c02337c1593c77add6d: non-blocker: I think it would be more elegant if MaybePickPrivateBroadcastNetwork returns std::optional<Network> net.

vasild commented at 4:25 pm on April 1, 2024:

Done.

vasild force-pushed on Apr 1, 2024

vasild commented at 4:25 pm on April 1, 2024: contributor

c7e4d5cb2b...413574e81e: rebase and address suggestions

in test/functional/p2p_private_broadcast.py:232 in 413574e81e outdated

230+        for addr in addresses:
231+            res = tx_originator.addpeeraddress(address=addr, port=8333, tried=False)
232+            if res["success"]:
233+                self.log.debug(f"Added {addr} to tx_originator's addrman")
234+            else:
235+                self.log.debug(f"Could not add {addr} to tx_originator's addrman (collision?)")

brunoerg commented at 7:29 pm on April 1, 2024:

In 413574e81ef4d608b9b0a2079f81a4e90ee2a341: You can use -test=addrman to make addrman deterministic. Running the test several times I realized that sometimes a collision happens, sometimes not.

vasild commented at 4:39 pm on April 2, 2024:

Done.

ryanofsky referenced this in commit 3b987d03a4 on Apr 2, 2024

DrahtBot added the label Needs rebase on Apr 2, 2024

vasild force-pushed on Apr 2, 2024

vasild commented at 4:40 pm on April 2, 2024: contributor

413574e81e...390e628a07: rebase due to conflicts and address suggestion

DrahtBot removed the label Needs rebase on Apr 2, 2024

in src/net_processing.cpp:1110 in 08c017b640 outdated

1105+    /**
1106+     * Store a list of transactions to be broadcast privately. Supports the following operations:
1107+     * - Add a new transaction
1108+     * - Remove a transaction, after it has been seen by the network
1109+     * - Mark a broadcast of a transaction (remember when and how many times)
1110+     * - Get a transaction for broadcast, the one that has been broadcast less times and least recently

andrewtoth commented at 7:59 pm on April 2, 2024:

0     * - Get a transaction for broadcast, the one that has been broadcast fewer times and least recently

vasild commented at 12:38 pm on April 4, 2024:

Done

in src/net_processing.cpp:1134 in e03f1b1eb0 outdated

1129@@ -1122,6 +1130,72 @@ class PeerManagerImpl final : public PeerManager
1130             }
1131         }
1132 
1133+        /**
1134+         * Get the transaction that has been broadcast less times and least recently.

andrewtoth commented at 8:34 pm on April 2, 2024:

0         * Get the transaction that has been broadcast fewest times and least recently.

vasild commented at 12:38 pm on April 4, 2024:

Done

in src/net_processing.cpp:1264 in e03f1b1eb0 outdated

1225         };
1226 
1227+        /**
1228+         * Get iterators in `m_by_txid` and `m_by_priority` for a given transaction.
1229+         */
1230+        std::optional<Iterators> Find(const Txid& txid) EXCLUSIVE_LOCKS_REQUIRED(m_mutex)

andrewtoth commented at 8:43 pm on April 2, 2024:

nit: This could be const method?

vasild commented at 12:30 pm on April 4, 2024:

Indeed the Find() method does not modify any of the members. I tried to make it const, but it has to return non-const iterators to the members… :(

in src/net_processing.cpp:1742 in e03f1b1eb0 outdated

1755     if (fLogIPs) {
1756-        LogPrint(BCLog::NET, "send version message: version %d, blocks=%d, them=%s, txrelay=%d, peer=%d\n", PROTOCOL_VERSION, nNodeStartingHeight, addr_you.ToStringAddrPort(), tx_relay, nodeid);
1757+        LogPrint(BCLog::NET, "send version message: version %d, blocks=%d, them=%s, txrelay=%d, peer=%d\n", PROTOCOL_VERSION, my_height, your_addr.ToStringAddrPort(), my_tx_relay, nodeid);
1758     } else {
1759-        LogPrint(BCLog::NET, "send version message: version %d, blocks=%d, txrelay=%d, peer=%d\n", PROTOCOL_VERSION, nNodeStartingHeight, tx_relay, nodeid);
1760+        LogPrint(BCLog::NET, "send version message: version %d, blocks=%d, txrelay=%d, peer=%d\n", PROTOCOL_VERSION, my_height, my_tx_relay, nodeid);

andrewtoth commented at 8:55 pm on April 2, 2024:

Since we’re touching these lines, maybe update to LogPrintLevel?

vasild commented at 12:38 pm on April 4, 2024:

Done

andrewtoth commented at 9:56 pm on April 2, 2024: contributor

Do we need test coverage for retrying stale txs and having multiple concurrent txs queued for private broadcast?

vasild force-pushed on Apr 4, 2024

vasild commented at 12:39 pm on April 4, 2024: contributor

390e628a07...9297437af2: rebase and address suggestions

Do we need test coverage for retrying stale txs and having multiple concurrent txs queued for private broadcast?

Yes.

DrahtBot removed the label CI failed on Apr 4, 2024

in src/net.cpp:2585 in fe57027b3e outdated

2499@@ -2440,6 +2500,11 @@ void CConnman::ThreadOpenConnections(const std::vector<std::string> connect)
2500         LogPrintf("Fixed seeds are disabled\n");
2501     }
2502 
2503+    // Private broadcast connections are opened with priority over others, but only half
2504+    // of the time to avoid depriving other connection types if private broadcast is
2505+    // needed but opening such connections is unsuccessful for some reason.

nothingmuch commented at 10:34 am on April 7, 2024:

With regards to this comment and:

We pick a random Tor (or I2P) peer.

To increase success rate and reduce latency, clearnet peers could be also be selected when using Tor, without harming privacy of broadcast…

Clearnet connections only need one Tor circuit, whereas hidden service connections which require two circuits for the connecting peer and one from the accepting peer.

Furthermore, if SOCKS proxy credentials are reused for the broadcast of a single transaction (but not all transactions in the private broadcast queue), multiple connections could share the same circuit/exit node. This specific optimization does introduce a censorship risk (even if BIP 324 is used [edit: due] to the MITM consideration) and there precedent for such malicious exit nodes.

From a privacy standpoint both optimizations would be more or less equivalent to broadcasting through isolated connections to peers with hidden service addresses, since the origin is still protected and being able to link these connections does not aid in deanonymization since these connections all pertain to the same data.

The main rationale for these optimizations is that Tor daemon builds circuits sequentially, and does not keep many built circuits in reserve (IIRC 2 unless their construction is explicitly requested through the control socket), so when SOCKS connections are opened with distinct credentials the connection establishment and time to first byte will typically scale linearly in the order that the SOCKS connections are accepted by tor daemon itself, and since building a new circuit can take on the order of seconds.

vasild commented at 5:23 pm on April 23, 2024:

I added broadcast to IPv4 and IPv6 peers through the Tor proxy. Thanks!

in test/functional/p2p_private_broadcast.py:68 in 9297437af2 outdated

63+NUM_PRIVATE_BROADCAST_PER_TX = 5
64+
65+# Fill addrman with these addresses. Must have enough Tor addresses, so that even
66+# if all 10 default connections are opened to a Tor address (!?) there must be more
67+# for private broadcast.
68+addresses = [

brunoerg commented at 9:48 am on April 8, 2024:

In 9297437af2c2f45a7b9a12be78fa0e597c54ac79: Since the addrman is deterministic now, you can remove addresses that are conflicting.

0--- a/test/functional/p2p_private_broadcast.py
1+++ b/test/functional/p2p_private_broadcast.py
2@@ -118,7 +118,6 @@ addresses = [
3     "bsqbtctulf2g4jtjsdfgl2ed7qs6zz5wqx27qnyiik7laockryvszqqd.onion",
4     "cwi3ekrwhig47dhhzfenr5hbvckj7fzaojygvazi2lucsenwbzwoyiqd.onion",
5     "devinbtcmwkuitvxl3tfi5of4zau46ymeannkjv6fpnylkgf3q5fa3id.onion",
6-    "devinbtctu7uctl7hly2juu3thbgeivfnvw3ckj3phy6nyvpnx66yeyd.onion",
7     "devinbtcyk643iruzfpaxw3on2jket7rbjmwygm42dmdyub3ietrbmid.onion",
8     "dtql5vci4iaml4anmueftqr7bfgzqlauzfy4rc2tfgulldd3ekyijjyd.onion",
9     "emzybtc25oddoa2prol2znpz2axnrg6k77xwgirmhv7igoiucddsxiad.onion",

brunoerg commented at 12:37 pm on April 8, 2024:

Also, maybe we do not need this verification anymore?

0if res["success"]:
1    self.log.info(f"Added {addr} to tx_originator's addrman")
2else:
3    self.log.info(f"Could not add {addr} to tx_originator's addrman (collision?)")

vasild commented at 5:22 pm on April 23, 2024:

Right, removed the conflicting address and reduced the logging to log only if adding to the addrman fails.

nothingmuch commented at 10:07 am on April 8, 2024: contributor

cACK, with a suggestion and some observations on the design space WRT reliability/success.

Yes, if -proxyrandomize=1 (the default). This is the same in master - separate Tor circuit per connection.

If this is not the case and a peer to which a long lived connection already exists is selected again, then tor will multiplex both connections on the same established circuit, which means that the two connections are unambiguously correlated.

Avoiding already connected peers would work around this, but perhaps it’s sufficient just to warn on startup if privatebroadcast=1 and proxyrandomize=0, since that is unlikely to be configured (requires opt out & opt in), and unlikely to be an issue even if it is configured since a malicious peer would need to be selected twice.

This would be less of a concern if clearnet hosts are also allowed, since the likelyhood of selecting the same peer diminishes quadratically in the size of the set of potential peers.

I assume you are restricting the feature to sendraw so the wallet doesn’t get involved and try something silly like rebroadcasting over clearnet or inserting in to our own mempool?

The reason to omit the wallet is that it currently does not count non-mempool change.

If I understand correctly, the concern with rebroadcasting still applies, but in the case that private broadcast was successful?

vasild force-pushed on Apr 23, 2024

vasild commented at 5:21 pm on April 23, 2024: contributor

9297437af2...cc760207b8: rebase and address suggestions:

Give a startup warning if -privatebroadcast=1, -proxyrandomize=0 and the Tor network is reachable (i.e. we will use Tor for private broadcast).
Enforce -walletbroadcast=0 if -privatebroadcast=1 because it would be confusing to have the wallet do the traditional broadcast while the sendrawtransaction RPC does a private broadcast. Furthermore if a wallet transaction is sent via sendrawtransaction and ends up in the mempool from outside and is not mined for some time, then the wallet will try to broadcast it using the traditional mechanism.
Private broadcast also to IPv4 and IPv6 peers (!) through the Tor proxy.
Remove conflicting Tor address from the functional test and don’t log every address added to addrman.

vasild commented at 5:27 pm on April 23, 2024: contributor

Avoiding already connected peers would work around this, but perhaps it’s sufficient just to warn on startup if privatebroadcast=1 and proxyrandomize=0

In master we already avoid connecting to an already connected address, regardless of the connection type:

https://github.com/bitcoin/bitcoin/blob/256e1703197fdddd78bc6d659431cd0fc3b63cde/src/net.cpp#L2862

I added a startup warning anyway.

I assume you are restricting the feature to sendraw so the wallet doesn’t get involved and try something silly like rebroadcasting over clearnet or inserting in to our own mempool?

The reason to omit the wallet is that it currently does not count non-mempool change.

If I understand correctly, the concern with rebroadcasting still applies, but in the case that private broadcast was successful?

Yes, I enforced walletbroadcast=0 to avoid the wallet rebroadcasting.

DrahtBot added the label CI failed on Apr 23, 2024

vasild force-pushed on Apr 24, 2024

vasild commented at 7:30 am on April 24, 2024: contributor

cc760207b8...ea1ca3715e: adjust feature_config_args.py after forbidding -walletbroadcast when -privatebroadcast is enabled.

vasild force-pushed on Apr 24, 2024

DrahtBot removed the label CI failed on Apr 24, 2024

in src/wallet/init.cpp:122 in 1407b3fa26 outdated

119@@ -120,6 +120,12 @@ bool WalletInit::ParameterInteraction() const
120         LogPrintf("%s: parameter interaction: -blocksonly=1 -> setting -walletbroadcast=0\n", __func__);
121     }
122 
123+    if (gArgs.GetBoolArg("-privatebroadcast", DEFAULT_PRIVATE_BROADCAST) &&

mzumsande commented at 9:25 pm on April 24, 2024:

have you considered using SoftSetBoolArg to set -walletbroadcast to 0 if -privatebroadcast was chosen? It’s not the most user-friendly thing to introduce a new command arg that would only work if another arg was also changed from its default.

vasild commented at 1:46 pm on May 1, 2024:

Yes, but I did not like the behavior of the wallet “unexpectedly” stopping to broadcast its own transactions because -privatebroadcast is enabled.

It’s not the most user-friendly thing to introduce a new command arg that would only work if another arg was also changed from its default.

Yes, I agree. I do not like that either but somewhat prefer it over automatically switching off wallet broadcast. I can imagine GUI users who enable -privatebroadcast and still try to send transactions from their wallets and have no clue why they are not being mined.

Leaving this open to discussion and proposals.

sr-gi commented at 8:18 pm on May 6, 2024:

I was pretty confused about this, maybe because I misunderstood the proposal. By just reading what the help for -privatebroadcast I wouldn’t assume that transactions made using the wallet won’t be broadcast. My understanding was that anything done via the wallet would work as usual, but that transactions sent via sendrawtransaction would use the private broadcast mechanism if set.

I think this should be mentioned in the help of -privatebroadcast.

pinheadmz commented at 5:19 pm on June 26, 2024:

I wonder if the option should be renamed -privaterpcbroadcast for now, and we can add -privatewalletbroadcast later.

We also won’t be able to prevent users from using their wallet with sendrawtransaction anyway. So if the goal here is to prevent accidental privacy leaks from confused users, we might want to consider “hiding” the option or restricting it to test networks until wallet integration is complete.

vasild commented at 12:28 pm on July 1, 2024:

I thought about this further and removed the requirement to set -walletbroadcast=0 when -privatebroadcast=1. The description of -privatebroadcast begins with

Broadcast transactions submitted via sendrawtransaction RPC using short lived connections…

so it should be clear that this applies to the sendrawtransaction RPC. In addition I extended the text with

Transactions submitted through the wallet are not affected by this option

vasild commented at 9:31 am on November 8, 2024:

Marking this as resolved because I removed the requirement to set -walletbroadcast=0 and extended the -privatebroadcast doc.

My understanding was that anything done via the wallet would work as usual, but that transactions sent via sendrawtransaction would use the private broadcast mechanism if set

Yes, this is exactly how it works now.

in src/net.cpp:406 in 6b4693ee85 outdated

397+    }
398+    Proxy tor_proxy;
399+    const std::string onion_arg{gArgs.GetArg("-onion", "")};
400+    if (onion_arg != "" && onion_arg == "0" && GetProxy(NET_ONION, tor_proxy)) {
401+        // Use the Tor proxy (if provided) for private broadcast connections to clearnet peers.
402+        // Note: we check whether -onion is explicitly used because GetProxy(NET_ONION) may

mzumsande commented at 5:12 pm on April 25, 2024:

I think this requires an update to tor.md, which currently says:

-onion=ip:port  Set the proxy server to use for Tor onion services. You do not need to set this if it's the same as -proxy.

After this PR, specifiying it explicitly is necessary if you want to do private broadcast to clearnet peers.

vasild commented at 1:47 pm on May 1, 2024:

Updated.

sr-gi commented at 5:15 pm on May 9, 2024:

Is there no better way of checking whether -proxy is an actual Tor proxy or just a regular SOCKS5 proxy? It feels like the amount of custom settings that this will require to run will make it hard to use

vasild commented at 7:35 am on May 21, 2024:

Hmm, maybe we can keep track of whether we have successfully managed to connect to at least one .onion address via the -proxy, then we can assume that is a Tor proxy? How does that sound?

vasild commented at 4:26 pm on May 22, 2024:

Is there no better way of checking whether -proxy is an actual Tor proxy or just a regular SOCKS5 proxy?

maybe we can keep track of whether we have successfully managed to connect to at least one .onion address

Done in e85cc59bad...057c79365c, see #29415 (comment), also dropped the change in tor.md because that is not needed anymore.

Looks better now, thank you!

in src/net.cpp:400 in 6b4693ee85 outdated

395+    if (clearnet != NET_IPV4 && clearnet != NET_IPV6) {
396+        return std::nullopt;
397+    }
398+    Proxy tor_proxy;
399+    const std::string onion_arg{gArgs.GetArg("-onion", "")};
400+    if (onion_arg != "" && onion_arg == "0" && GetProxy(NET_ONION, tor_proxy)) {

mzumsande commented at 5:13 pm on April 25, 2024:

You probably meant onion_arg != "0"

vasild commented at 1:47 pm on May 1, 2024:

Yes, fixed!

in src/net.cpp:4050 in ae6651d267 outdated

3913+        msg.m_type != NetMsgType::VERACK &&
3914+        msg.m_type != NetMsgType::TX &&
3915+        msg.m_type != NetMsgType::PING) {
3916+        // Ensure private broadcast connections only send the above message types.
3917+        // Others are not needed and may degrade privacy.
3918+        LogPrintLevel(BCLog::PRIVATE_BROADCAST,

mzumsande commented at 8:55 pm on April 25, 2024:

It looks like we make sure in net_processing to not send any of theses messages, and here we check again. I haven’t thought about this long, but can this log be triggered, or could this be an Assume(false) instead?

vasild commented at 1:48 pm on May 1, 2024:

Added Assume(false) and a comment.

vasild commented at 3:59 pm on May 1, 2024:

This was triggered in the fuzz tests. I could complicate the fuzz tests to avoid sending unwanted messages if the random node happens to be a private broadcast, but CConnman::PushMessage() is called from a lot of places including from the RPC and that may change in the future as well. It is somewhat hard to judge that nobody will call PushMessage() with an unwanted message. Thus I think it is better to assume that this is the real check here in CConnman::PushMessage() and that the one in PeerManagerImpl::SendMessages() is an optimization. Removed the Assume(false).

DrahtBot added the label Needs rebase on Apr 25, 2024

in src/net_processing.cpp:1155 in 4a5433c3c8 outdated

1150+        };
1151+
1152+        mutable Mutex m_mutex;
1153+        ByTxid m_by_txid GUARDED_BY(m_mutex);
1154+        ByPriority m_by_priority GUARDED_BY(m_mutex);
1155+    } m_tx_for_private_broadcast;

mzumsande commented at 9:20 pm on April 25, 2024:

This class is getting pretty large in the end, maybe put it into its own module (similar to TxReconciliationTracker or TxRequestTracker)

vasild commented at 1:48 pm on May 1, 2024:

Yes, I was thinking the same. Moved away.

in test/functional/p2p_private_broadcast.py:208 in fd603b8f5c outdated

203+
204+                self.socks5_server.conf.destinations[i]["node"] = listener
205+
206+        self.extra_args = [
207+            [
208+                "-peerbloomfilters", # needed to test replies to MEMPOOL

mzumsande commented at 10:23 pm on April 25, 2024:

I don’t think is needed, MEMPOOL is never tested.

vasild commented at 1:48 pm on May 1, 2024:

Removed.

in src/rpc/mempool.cpp:117 in 180e51a723 outdated

 93@@ -91,11 +94,23 @@ static RPCHelpMan sendrawtransaction()
 94             std::string err_string;
 95             AssertLockNotHeld(cs_main);
 96             NodeContext& node = EnsureAnyNodeContext(request.context);
 97+            const bool private_broadcast_enabled{gArgs.GetBoolArg("-privatebroadcast", DEFAULT_PRIVATE_BROADCAST)};
 98+            if (private_broadcast_enabled &&
 99+                !g_reachable_nets.Contains(NET_ONION) &&
100+                !g_reachable_nets.Contains(NET_I2P)) {
101+                throw JSONRPCError(RPC_MISC_ERROR,
102+                                   "-privatebroadcast is enabled, but none of the Tor or I2P networks is "

mzumsande commented at 10:30 pm on April 25, 2024:

sendrawtransaction doc should be updated (it already mentions privacy issues).

vasild commented at 1:48 pm on May 1, 2024:

Updated.

mzumsande commented at 10:34 pm on April 25, 2024: contributor

Did another round of review.

nit: local tx relay -> private broadcast in last commit message

in src/net.cpp:3102 in 6b4693ee85 outdated

3029+{
3030+    size_t before{m_private_broadcast_connections_to_open.load()};
3031+    size_t desired;
3032+    do {
3033+        desired = before > n ? before - n : 0;
3034+    } while (!m_private_broadcast_connections_to_open.compare_exchange_weak(before, desired));

brunoerg commented at 12:22 pm on April 30, 2024:

In 6b4693ee859d6bddf559a0b32749b1dafe015ef4 “net: implement opening PRIVATE_BROADCAST connections”: Just a question: why using compare_exchange_weak instead of fetch_sub?

vasild commented at 1:49 pm on May 1, 2024:

To avoid negative values. I added a comment in the source code to explain.

vasild force-pushed on May 1, 2024

vasild commented at 1:40 pm on May 1, 2024: contributor

fd603b8f5c...42cb080600: rebase and address suggestions

vasild force-pushed on May 1, 2024

DrahtBot removed the label Needs rebase on May 1, 2024

vasild force-pushed on May 1, 2024

DrahtBot added the label CI failed on May 1, 2024

DrahtBot removed the label CI failed on May 1, 2024

in src/net.h:76 in 0ba30dec08 outdated

70@@ -71,6 +71,8 @@ static const int MAX_ADDNODE_CONNECTIONS = 8;
71 static const int MAX_BLOCK_RELAY_ONLY_CONNECTIONS = 2;
72 /** Maximum number of feeler connections */
73 static const int MAX_FEELER_CONNECTIONS = 1;
74+/** Maximum number of private broadcast connections */
75+static constexpr size_t MAX_PRIVATE_BROADCAST_CONNECTIONS{64};

sr-gi commented at 2:48 pm on May 9, 2024:

In 0ba30dec085f860c89f4fd8c8a398aa8a13b5ebd

What is the rationale for 64? That seems like a lot of connections.

vasild commented at 5:06 pm on May 20, 2024:

It could be lower. I picked 64 because I imagine somebody submitting 100s or even 1000s of transactions at the same time. Processing those serially would take a lot of time. Would you suggest another number?

in src/net.cpp:390 in 0ba30dec08 outdated

385@@ -386,6 +386,27 @@ static CAddress GetBindAddress(const Sock& sock)
386     return addr_bind;
387 }
388 
389+/**
390+ * Check if private broadcast can be done to clearnet peers and if yes via which proxy.

sr-gi commented at 5:17 pm on May 9, 2024:

In 0ba30dec085f860c89f4fd8c8a398aa8a13b5ebd:

nit: if yes -> if so

vasild commented at 1:09 pm on May 21, 2024:

Done

in src/net.cpp:393 in 0ba30dec08 outdated

385@@ -386,6 +386,27 @@ static CAddress GetBindAddress(const Sock& sock)
386     return addr_bind;
387 }
388 
389+/**
390+ * Check if private broadcast can be done to clearnet peers and if yes via which proxy.
391+ * If private broadcast connections should not be opened to `net`, then this will return an empty optional.
392+ */
393+static std::optional<Proxy> ProxyForClearnetPrivateBroadcast(Network clearnet)

sr-gi commented at 5:19 pm on May 9, 2024:

In 0ba30dec085f860c89f4fd8c8a398aa8a13b5ebd:

nit: sorry for bikeshedding clearnet doesn’t seem the best name for this. Maybe net or network?

sr-gi commented at 5:20 pm on May 9, 2024:

Also, this is already referenced as net in the docs

vasild commented at 1:10 pm on May 21, 2024:

I removed the argument to this function and renamed it to ProxyForIPv4or6PrivateBroadcast(). It is a bit more simpler now.

in src/net.cpp:486 in 0ba30dec08 outdated

483+                const auto proxy_opt{ProxyForClearnetPrivateBroadcast(addrConnect.GetNetwork())};
484+                if (proxy_opt.has_value()) {
485+                    use_proxy = true;
486+                    proxy = proxy_opt.value();
487+                }
488+            }

sr-gi commented at 5:37 pm on May 9, 2024:

In 0ba30dec085f860c89f4fd8c8a398aa8a13b5ebd

The way you are defining use_proxy could lead to proxy_opt having no value, yet use_proxy being true

0            bool use_proxy;
1            if (conn_type == ConnectionType::PRIVATE_BROADCAST) {
2                const auto proxy_opt{ProxyForClearnetPrivateBroadcast(addrConnect.GetNetwork())};
3                if (proxy_opt.has_value()) {
4                    use_proxy = true;
5                    proxy = proxy_opt.value();
6                }
7            } else {
8                use_proxy = GetProxy(addrConnect.GetNetwork(), proxy);
9            }

sr-gi commented at 5:39 pm on May 9, 2024:

use_proxy can even be defined right after proxy (a few lined above) for simplicity

vasild commented at 10:36 am on May 21, 2024:

proxy_opt exists only inside the if. What matters after this if are the values of use_proxy and proxy. I think your suggestion is equivalent to the current code. I.e.

0set use_proxy and proxy (normal)
1if (special case)
2    replace use_proxy and proxy with special values

vs

0if (special case)
1    set use_proxy and proxy to special values
2else
3    set use_proxy and proxy (normal)

Right?

in src/net.cpp:472 in 0ba30dec08 outdated

494 
495-                if (m_i2p_sam_session) {
496+                // If an I2P SAM session already exists, normally we would re-use it. But in the case of
497+                // private broadcast we force a new transient session. A Connect() using m_i2p_sam_session
498+                // would use our permanent I2P address as a source address.
499+                if (m_i2p_sam_session && conn_type != ConnectionType::PRIVATE_BROADCAST) {

sr-gi commented at 5:57 pm on May 9, 2024:

In 0ba30dec085f860c89f4fd8c8a398aa8a13b5ebd

I’m confused here. We choose not to use our permanent m_i2p_sam_session to avoid linking this to our permanent I2P ID, however, we use a pool of transient I2P sessions (m_unused_i2p_sessions) instead. I understand these transient sessions can be reused (or at least that’s what I get from the docs of m_unused_i2p_sessions). So if the same (peer, session_id) pair is picked, the node will know that we created both transactions, wouldn’t it?

vasild commented at 10:47 am on May 21, 2024:

The transient sessions are not reused. m_unused_i2p_sessions description reads:

If connecting to a host fails, then the created session is put to this pool for reuse.

The code is this:

https://github.com/bitcoin/bitcoin/blob/a786fd2041913d82ca90b561de309421bd24e41b/src/net.cpp#L472-L480

I.e. pop/extract a session from m_unused_i2p_sessions and if we cannot connect, then we did not use the session and thus put it back to m_unused_i2p_sessions.

Do you think that the description of m_unused_i2p_sessions can be improved? Would you suggest an exact wording?

in src/net.cpp:2744 in 0ba30dec08 outdated

2742+        // * BLOCK_RELAY if it's time to try an extra block-relay-only peer (to confirm our tip is current)
2743+        // * FEELER if it's time to try a feeler
2744+        // * else retry the loop (sleep a bit and start from the top of this list)
2745+
2746+        if (open_private_broadcast_to.has_value()) {
2747+            conn_type = ConnectionType::PRIVATE_BROADCAST;

sr-gi commented at 6:21 pm on May 9, 2024:

In 0ba30dec085f860c89f4fd8c8a398aa8a13b5ebd

I don’t think we should be giving PRIVATE_BROADCAST priority over every other type of connection. At the very least, they should go after BLOCK_RELAY.

Having connections that keep us up to date should be more important than sending out our own stuff

vasild commented at 11:02 am on May 21, 2024:

A few considerations:

Private broadcast connections are not blocked on the semOutbound grant. They come to this code right away.
Even if there is a high demand for private broadcast connections, we would try to open such ones only half of the time in CConnman::ThreadOpenConnections() to avoid such starvation of only opening private broadcast and not others for a long time (see how MaybePickPrivateBroadcastNetwork() yields to other connection types if we previously opened a private broadcast one).
Non-BLOCK_RELAY connections keep us up to date as well (with new blocks). I.e blocks could come via inbound, full-outbound, etc.

Given the above, I think the current code does not need to be changed.

in src/net.cpp:2497 in 0ba30dec08 outdated

2482@@ -2452,6 +2483,72 @@ bool CConnman::MaybePickPreferredNetwork(std::optional<Network>& network)
2483     return false;
2484 }
2485 
2486+/**
2487+ * Decide whether to open a private broadcast connection and if yes, to which network.
2488+ * @param[in] prev_was_private_broadcast Whether the previous attempt to open a connection
2489+ * was an attempt to open a private broadcast connection (successful or not).
2490+ * @param[in] num_needed Number of private broadcast connections that need to be opened.

sr-gi commented at 7:20 pm on May 9, 2024:

In 0ba30dec085f860c89f4fd8c8a398aa8a13b5ebd

This took me a while to grasp. num_needed is set to m_private_broadcast_connections_to_open.load(), which is only set to anything above 0 if there are transactions pending to be broadcast.

I think it’d be good to clarify this here, to make it clear that we won’t try to open a connection of this type if we have no transactions pending

vasild commented at 11:38 am on May 21, 2024:

Added this sentence: “We try to open a connection of this type only if there are transactions pending, but up to a limit.”

in src/net_processing.cpp:182 in 434a20371e outdated

179@@ -179,6 +180,9 @@ static constexpr size_t MAX_ADDR_PROCESSING_TOKEN_BUCKET{MAX_ADDR_TO_SEND};
180 /** The compactblocks version we support. See BIP 152. */
181 static constexpr uint64_t CMPCTBLOCKS_VERSION{2};
182

sr-gi commented at 2:27 pm on May 10, 2024:

In 434a20371e441660147da6d0c6c1832cb0d0073b

nit: remove line break

vasild commented at 11:40 am on May 21, 2024:

Removed.

in src/net_processing.cpp:183 in 434a20371e outdated

179@@ -179,6 +180,9 @@ static constexpr size_t MAX_ADDR_PROCESSING_TOKEN_BUCKET{MAX_ADDR_TO_SEND};
180 /** The compactblocks version we support. See BIP 152. */
181 static constexpr uint64_t CMPCTBLOCKS_VERSION{2};
182 
183+/** For private broadcast, send a transaction to this many peers per one broadcast attempt. */

sr-gi commented at 2:28 pm on May 10, 2024:

In 434a20371e441660147da6d0c6c1832cb0d0073b

nit: per one -> for each

vasild commented at 11:42 am on May 21, 2024:

Done

in src/net_processing.cpp:1087 in 434a20371e outdated

1179@@ -1175,6 +1180,8 @@ class PeerManagerImpl final : public PeerManager
1180 
1181     void AddAddressKnown(Peer& peer, const CAddress& addr) EXCLUSIVE_LOCKS_REQUIRED(g_msgproc_mutex);
1182     void PushAddress(Peer& peer, const CAddress& addr) EXCLUSIVE_LOCKS_REQUIRED(g_msgproc_mutex);
1183+

sr-gi commented at 2:29 pm on May 10, 2024:

In 434a20371e441660147da6d0c6c1832cb0d0073b

This is missing docs

vasild commented at 11:44 am on May 21, 2024:

Added “A list of transactions to be broadcast privately.”

in src/net_processing.cpp:2459 in 434a20371e outdated

2352+{
2353+    m_tx_for_private_broadcast.Add(tx);
2354+
2355+    LogPrintLevel(BCLog::PRIVATE_BROADCAST,
2356+                  BCLog::Level::Debug,
2357+                  "Requesting %d new connections due to txid=%s, wtxid=%s\n",

sr-gi commented at 2:31 pm on May 10, 2024:

In 434a20371e441660147da6d0c6c1832cb0d0073b

I don’t follow this log. What is the “due to …” trying to convey here?

vasild commented at 11:47 am on May 21, 2024:

“due to” = “because of” = “because there is a new transaction for broadcast - txid=…”. I am open to suggestions for better wording.

in src/private_broadcast.h:26 in 434a20371e outdated

17+/**
18+ * Store a list of transactions to be broadcast privately. Supports the following operations:
19+ * - Add a new transaction
20+ * - Remove a transaction, after it has been seen by the network
21+ * - Mark a broadcast of a transaction (remember when and how many times)
22+ * - Get a transaction for broadcast, the one that has been broadcast fewer times and least recently

sr-gi commented at 2:37 pm on May 10, 2024:

In 434a20371e441660147da6d0c6c1832cb0d0073b

nit: I don’t think these belong to this commit yet

vasild commented at 11:54 am on May 21, 2024:

Right! Moved to the corresponding commits.

in src/private_broadcast.cpp:1 in 434a20371e outdated

0@@ -0,0 +1,23 @@
1+// Copyright (c) 2023-present The Bitcoin Core developers

sr-gi commented at 2:41 pm on May 10, 2024:

In 434a20371e441660147da6d0c6c1832cb0d0073b

nit: 2024

vasild commented at 11:55 am on May 21, 2024:

Some of the code was written in 2023

in src/private_broadcast.h:1 in 434a20371e outdated

0@@ -0,0 +1,55 @@
1+// Copyright (c) 2023-present The Bitcoin Core developers

sr-gi commented at 2:41 pm on May 10, 2024:

In 434a20371e441660147da6d0c6c1832cb0d0073b

nit: 2024

vasild commented at 11:55 am on May 21, 2024:

Same, some of the code was written in 2023

in src/net_processing.cpp:1550 in fecab592de outdated

1650+    int64_t my_time;
1651+    uint64_t your_services;
1652+    CService your_addr;
1653+    std::string my_user_agent;
1654+    int my_height;
1655+    bool my_tx_relay;

sr-gi commented at 4:12 pm on May 10, 2024:

In fecab592de8d0994e6d61e454e118d652ffd7b93

micro-nit: There is no your_ counterparty for this, so there’s no need to call them my_. This is kind of assumed

vasild commented at 12:00 pm on May 21, 2024:

I prefixed everything with my_ or your_ because otherwise it is unclear whether it is mine or yours. Deducting that without my/yours prefix requires an extra effort.

in src/net_processing.cpp:5290 in fecab592de outdated

5281@@ -5155,6 +5282,17 @@ void PeerManagerImpl::ProcessMessage(CNode& pfrom, const std::string& msg_type,
5282                     if (ping_time.count() >= 0) {
5283                         // Let connman know about this successful ping-pong
5284                         pfrom.PongReceived(ping_time);
5285+                        if (pfrom.IsPrivateBroadcastConn()) {
5286+                            m_tx_for_private_broadcast.BroadcastEnd(pfrom.GetId(), /*confirmed_by_node=*/true);
5287+                            LogPrintLevel(
5288+                                BCLog::PRIVATE_BROADCAST,
5289+                                BCLog::Level::Info,
5290+                                "Got a PONG (probably the transaction will reach the network), "

sr-gi commented at 4:22 pm on May 10, 2024:

In fecab592de8d0994e6d61e454e118d652ffd7b93

nit:

0                                "Got a PONG (the transaction will probably reach the network), "

vasild commented at 12:09 pm on May 21, 2024:

Done

in src/net_processing.cpp:1847 in fecab592de outdated

1842+    if (node.IsPrivateBroadcastConn() &&
1843+        m_tx_for_private_broadcast.BroadcastEnd(nodeid, /*confirmed_by_node=*/false)) {
1844+
1845+        LogPrintLevel(BCLog::PRIVATE_BROADCAST,
1846+                      BCLog::Level::Info,
1847+                      "Never got a PONG (probably the transaction will not "

sr-gi commented at 4:23 pm on May 10, 2024:

In fecab592de8d0994e6d61e454e118d652ffd7b93

0                      "Never got a PONG (the transaction will probably not "

vasild commented at 12:09 pm on May 21, 2024:

Done

in src/private_broadcast.h:50 in fecab592de outdated

45+    /**
46+     * Mark the end of a broadcast of a transaction. Either successful by receiving a PONG,
47+     * or unsuccessful by closing the connection to the node without getting PONG.
48+     * @return true if the reference by the given node id was removed
49+     */
50+    bool BroadcastEnd(const NodeId& nodeid, bool confirmed_by_node) EXCLUSIVE_LOCKS_REQUIRED(!m_mutex);

sr-gi commented at 4:49 pm on May 10, 2024:

In fecab592de8d0994e6d61e454e118d652ffd7b93

FinishBroadcast may sound better

vasild commented at 12:10 pm on May 21, 2024:

Renamed to FinishBroadcast().

in src/private_broadcast.cpp:65 in fecab592de outdated

60+
61+    ++priority.num_broadcasted;
62+    priority.last_broadcasted = GetTime<std::chrono::microseconds>();
63+
64+    m_by_priority.erase(iters->by_priority);
65+    m_by_priority.emplace(priority, iters->by_txid->first);

sr-gi commented at 5:08 pm on May 10, 2024:

In fecab592de8d0994e6d61e454e118d652ffd7b93

Isn’t iters->by_txid->first the same as txid? It would read way simpler by using the latter

sr-gi commented at 5:11 pm on May 10, 2024:

Also, excuse my lack of cpp proficiency but, is it necessary to delete and re-add the item? Why is not updating priority enough (as done in the above two lines)?

vasild commented at 12:38 pm on May 21, 2024:

Yes, iters->by_txid->first is the same as txid, changed it to use txid which is shorter.

It is necessary to remove and re-add because we have changed the key and C++ maps do not support modifying of the keys. That is, changing the key means that the entry will have to be in another place in the map, so it has to be removed from the old place and added to the new one.

in src/net_processing.cpp:4768 in bb697ba5f5 outdated

4667+                          pfrom.GetId(),
4668+                          fLogIPs ? strprintf(", peeraddr=%s", pfrom.addr.ToStringAddrPort()) : "");
4669+            if (NUM_PRIVATE_BROADCAST_PER_TX > num_broadcasted.value()) {
4670+                // Not all of the initial NUM_PRIVATE_BROADCAST_PER_TX connections were needed.
4671+                // Tell CConnman it does not need to start the remaining ones.
4672+                m_connman.PrivateBroadcastSub(NUM_PRIVATE_BROADCAST_PER_TX - num_broadcasted.value());

sr-gi commented at 7:28 pm on May 10, 2024:

In bb697ba5f51f5e31ec472f32682fbb6eb692fa37

AFAICT this is the only use of CConnman::PrivateBroadcastSub, meaning we should be able to simplify the method by unconditionally setting m_private_broadcast_connections_to_open to 0

vasild commented at 12:58 pm on May 21, 2024:

Yes, if there is only one transaction submitted for broadcast. But if there is more than one, then m_private_broadcast_connections_to_open should not be set to 0.

For example:

3 transactions are submitted at approximately the same time: tx1, tx2, tx3.
NUM_PRIVATE_BROADCAST_PER_TX=5 for each one, so m_private_broadcast_connections_to_open is set to 15.
tx1 is broadcast 2 times, tx2 once and tx3 once, m_private_broadcast_connections_to_open is now 15-2-1-1=11.
tx1 is received back from the network. We come to this code and see that tx1 has been broadcast two times and deduce that the other 5-2=3 we created are not needed and call PrivateBroadcastSub(3). m_private_broadcast_connections_to_open should be set to 11-3=8 (4 for tx2 and 4 for tx3), not 0.

sr-gi commented at 2:57 pm on May 13, 2024: member

Code review up to 28adad8eefd18a62232b5c77cbc9ca739a53308d (no tests so far).

The main thing I’m wondering currently is why are we tacking m_private_broadcast_connections_to_open loosely? It feels harder to reason about, but I don’t see what the benefit of it is.

in src/net.h:1517 in 0ba30dec08 outdated

1513@@ -1498,6 +1514,7 @@ class CConnman
1514     int m_max_outbound_block_relay;
1515 
1516     int m_max_addnode{MAX_ADDNODE_CONNECTIONS};
1517+    int m_max_private_broadcast{MAX_PRIVATE_BROADCAST_CONNECTIONS};

brunoerg commented at 3:12 pm on May 13, 2024:

In 0ba30dec085f860c89f4fd8c8a398aa8a13b5ebd “net: implement opening PRIVATE_BROADCAST connections”: m_max_private_broadcast is not used.

vasild commented at 1:04 pm on May 21, 2024:

Right! Removed.

vasild force-pushed on May 21, 2024

vasild commented at 1:18 pm on May 21, 2024: contributor

65ba8d0203...e85cc59bad: rebase, address suggestions and remove the argument of ProxyForClearnetPrivateBroadcast() because it is always IPv4 or IPv6 and we treat both in the same way.

The main thing I’m wondering currently is why are we tacking m_private_broadcast_connections_to_open loosely? It feels harder to reason about, but I don’t see what the benefit of it is.

Continued at #29415 (review) to avoid overwhelming the main discussion thread of the PR and to make replies close to each other (rather than scattered in the main thread).

in src/net.h:1584 in e85cc59bad outdated

1576@@ -1547,6 +1577,12 @@ class CConnman
1577      */
1578     std::atomic_bool m_start_extra_block_relay_peers{false};
1579 
1580+    /**
1581+     * Number of `ConnectionType::PRIVATE_BROADCAST` connections to open.
1582+     * Whenever such a connection is opened this is decremented with 1.
1583+     */
1584+    std::atomic_size_t m_private_broadcast_connections_to_open{0};

vasild commented at 1:21 pm on May 21, 2024:

from the main thread at #29415#pullrequestreview-2041604763

The main thing I’m wondering currently is why are we tacking m_private_broadcast_connections_to_open loosely? It feels harder to reason about, but I don’t see what the benefit of it is.

The reason for this is that it is simpler to implement that way (I think, somebody has a simpler proposal?). This is because the connman thread is creating the connections, they are consumed/used by the peerman thread and the requests for new connections can come from yet another (3rd) thread. For example, while connman is creating a new connection which is needed to broadcast a given transaction, that transaction may be successfully broadcast by peerman and received back from the network, rendering the just created new connection by connman unnecessary. This is harmless and I accept it because avoiding it would make things too complicated or slow.

vasild force-pushed on May 22, 2024

vasild commented at 4:22 pm on May 22, 2024: contributor

e85cc59bad...057c79365c: in order to decide whether to private broadcast to IPv4/IPv6 peers, instead of (before this force push) requiring that -onion= is explicitly set, do this (after this force push): keep track if we ever managed to connect to an .onion address via the NET_ONION proxy, if yes assume that this proxy is a Tor proxy and connecting to IPv4/IPv6 addresses through it will be done via the Tor network and via a Tor exit node.

This is better because it is stronger guarantee (before the user could still misconfigure an orginary non-Tor proxy as -onion=) and works automatically, without requiring config options to be set.

vasild referenced this in commit a63c7c7ea2 on May 23, 2024

alfred-hodler referenced this in commit cb75581df2 on May 23, 2024

DrahtBot added the label Needs rebase on Jun 12, 2024

vasild force-pushed on Jun 20, 2024

vasild commented at 1:44 pm on June 20, 2024: contributor

057c79365c...7a7e7d189d: rebase due to conflicts

DrahtBot removed the label Needs rebase on Jun 20, 2024

in src/net.h:1188 in ba75010289 outdated

1168+         * Decrement by `n` the number of new connections of type `ConnectionType::PRIVATE_BROADCAST`
1169+         * to be opened by `CConnman::ThreadOpenConnections()`. Will not go negative, for example a
1170+         * value of 4 is ok to be decremented by 5 and will result in 0.
1171+         * @return the value preceding this operation
1172+         */
1173+        size_t NumToOpen() const;

pinheadmz commented at 6:31 pm on June 26, 2024:

ba75010289f1d9bd3d3a6c635ad18b07cf914041

This is copy/paste the comment for NumToOpenSub() but doesn’t apply to this get-only method.

Also, the comments for the two following functions are missing @param[in] n ... but I don’t know how strict you need to be about doxygen comments for everything.

vasild commented at 12:40 pm on July 1, 2024:

Fixed and added @param[in] comments.

What is enforced by clang (not by doxygen) via -Wdocumentation is a mismatch in the parameter names - e.g. if there is @param[in] throughput ... and the actual parameter is int thrughput, then it will give a warning (or error if -Werror is used).

in src/net.cpp:3002 in ba75010289 outdated

2988+CConnman::PrivateBroadcast::ShouldOpen(bool prev_was_private_broadcast, size_t num_opened) const
2989+{
2990+    if (prev_was_private_broadcast) {
2991+        // Yield to other connection types.
2992+        return std::nullopt;
2993+    }

pinheadmz commented at 6:37 pm on June 26, 2024:

ba75010289f1d9bd3d3a6c635ad18b07cf914041

Why pass this in here instead of just checking it before calling?

vasild commented at 12:44 pm on July 1, 2024:

Could be either way. If there is more than one caller of this function, then having it here would avoid duplicating the check in every caller, but there is one caller so far.

vasild commented at 7:47 am on August 1, 2024:

In the latest push I moved this logic to the caller.

in src/private_broadcast.h:22 in cade8e8331 outdated

13+#include <chrono>
14+#include <map>
15+#include <unordered_map>
16+
17+/**
18+ * Store a list of transactions to be broadcast privately. Supports the following operations:

pinheadmz commented at 7:15 pm on June 26, 2024:

cade8e833197a202dbb03c50359396ecd437ac8c

~~optional, could use a comment explaining the priority metric. Looks like transactions with fewer broadcasts or older broadcasts are prioritized. A unit test would help make that clear as well.~~

nm, added later

in src/net_processing.cpp:4044 in b81c3cc19e outdated

4257+                          pfrom.GetId(),
4258+                          fLogIPs ? strprintf(", peeraddr=%s", pfrom.addr.ToStringAddrPort()) : "");
4259+            return;
4260+        }
4261+    }
4262+

pinheadmz commented at 7:36 pm on June 26, 2024:

b81c3cc19ec8055d04b38a72fdfabbfcb2ed2358

Why isn’t this at the top of the super long function (and include VERACK also?)

vasild commented at 12:58 pm on July 1, 2024:

Because we want to ignore incoming messages after a successful handshake. Ignoring the VERACK would disturb the handshake.

in src/private_broadcast.cpp:47 in b81c3cc19e outdated

24+    const Txid& txid = m_by_priority.begin()->second;
25+    auto it = m_by_txid.find(txid);
26+    if (Assume(it != m_by_txid.end())) {
27+        return it->second.tx;
28+    }
29+    m_by_priority.erase(m_by_priority.begin());

pinheadmz commented at 7:41 pm on June 26, 2024:

b81c3cc19ec8055d04b38a72fdfabbfcb2ed2358

Is it ok to erase from this map now? What if none of our connections are successful ?

vasild commented at 1:09 pm on July 1, 2024:

Note that this would only be reached if m_by_priority contains txid that does not have an entry in m_by_txid which is a gross bug in the PrivateBroadast class. IIRC this was an assert before but somebody suggested to use Assume() instead.

in src/private_broadcast.cpp:62 in b81c3cc19e outdated

57+        return true;
58+    }
59+    Priority& priority = iters->by_txid->second.priority;
60+
61+    ++priority.num_broadcasted;
62+    priority.last_broadcasted = GetTime<std::chrono::microseconds>();

pinheadmz commented at 7:47 pm on June 26, 2024:

b81c3cc19ec8055d04b38a72fdfabbfcb2ed2358

Isn’t this GetTime() deprecated?

https://github.com/bitcoin/bitcoin/blob/7a7e7d189dfe5efa6ab3c644f55f410412163503/src/util/time.h#L95-L100

vasild commented at 1:34 pm on July 1, 2024:

Replaced with NodeClock::now().

pinheadmz commented at 7:49 pm on June 26, 2024: member

Re-reviewed first half of commits, will continue tomorrow. A few comments and questions below.

in src/net_processing.cpp:4478 in 3f5a4187a9 outdated

4700@@ -4701,6 +4701,21 @@ void PeerManagerImpl::ProcessMessage(CNode& pfrom, const std::string& msg_type,
4701         const uint256& hash = peer->m_wtxid_relay ? wtxid : txid;
4702         AddKnownTx(*peer, hash);
4703 
4704+        if (auto num_broadcasted = m_tx_for_private_broadcast.Remove(ptx)) {
4705+            LogPrintLevel(BCLog::PRIVATE_BROADCAST,
4706+                          BCLog::Level::Info,
4707+                          "Received our privately broadcast transaction (txid=%s) from the "
4708+                          "network from peer=%d%s; stopping private broadcast attempts\n",

pinheadmz commented at 7:55 pm on June 27, 2024:

3f5a4187a9e5d2bbb65c06c1799155fd7dd0d132

This made me wonder, if the tx gets confirmed in a block before we get it via relay, will it ever get removed?

update: looks like this will happen in ReattemptPrivateBroadcast() when we call m_chainman.ProcessTransaction() ?

vasild commented at 5:01 pm on July 1, 2024:

Yes, it will return something other than MempoolAcceptResult::ResultType::VALID. Would happen as well if a conflicting transaction is mined in the meantime.

in src/net_processing.cpp:4524 in 3f5a4187a9 outdated

4710+                          pfrom.GetId(),
4711+                          fLogIPs ? strprintf(", peeraddr=%s", pfrom.addr.ToStringAddrPort()) : "");
4712+            if (NUM_PRIVATE_BROADCAST_PER_TX > num_broadcasted.value()) {
4713+                // Not all of the initial NUM_PRIVATE_BROADCAST_PER_TX connections were needed.
4714+                // Tell CConnman it does not need to start the remaining ones.
4715+                m_connman.m_private_broadcast.NumToOpenSub(NUM_PRIVATE_BROADCAST_PER_TX - num_broadcasted.value());

pinheadmz commented at 8:10 pm on June 27, 2024:

3f5a4187a9e5d2bbb65c06c1799155fd7dd0d132

Feels like this should be part of Remove(), which I think highlights some possible confusion between the two class PrivateBroadcast you have. One in ConnMan and one in its own unit, used in PeerManager.

I dunno if there’s a cleaner approach available, to ensure that the two objects don’t get out of sync? Like instead of m_num_to_open in ConnMan, could you refer to the size of the ByNodeId map?

vasild commented at 5:16 pm on July 1, 2024:

There is some layer separation between net/CConnman and net_processing/PeerManager which I am trying not to blur too much. The lower net level only knows about connections and things like “I need to open N connections of type X”. It does not know anything about transactions, or P2P messages which are handled by the net_processing layer.

The constant NUM_PRIVATE_BROADCAST_PER_TX (send a transaction to this many peers) belongs to the net_processing layer. Calling this NumToOpenSub() is only done if Remove() succeeds and NUM_PRIVATE_BROADCAST_PER_TX > num_broadcasted.value() holds. So, no way to do it in CConnman because that would mean accessing NUM_PRIVATE_BROADCAST_PER_TX from CConnman.

could you refer to the size of the ByNodeId map?

That is a “transaction id mapped by node id”. Couldn’t deal with transactions from within CConnman.

in src/private_broadcast.cpp:32 in 3f5a4187a9 outdated

22+    if (!iters) {
23+        return std::nullopt;
24+    }
25+    const size_t num_broadcasted{iters->by_priority->first.num_broadcasted};
26+    m_by_priority.erase(iters->by_priority);
27+    m_by_txid.erase(iters->by_txid);

pinheadmz commented at 8:11 pm on June 27, 2024:

what about m_by_nodeid?

vasild commented at 9:04 am on July 2, 2024:

m_by_nodeid is managed by PrivateBroadcast::PushedToNode() and PrivateBroadcast::FinishBroadcast().

in src/private_broadcast.cpp:87 in a86785dc29 outdated

80@@ -81,6 +81,19 @@ bool PrivateBroadcast::FinishBroadcast(const NodeId& nodeid, bool confirmed_by_n
81     return true;
82 }
83 
84+std::vector<CTransactionRef> PrivateBroadcast::GetStale() const EXCLUSIVE_LOCKS_REQUIRED(!m_mutex)
85+{
86+    LOCK(m_mutex);
87+    const auto stale_time = GetTime<std::chrono::microseconds>() - 1min;

pinheadmz commented at 3:38 pm on June 28, 2024:

a86785dc29faa2dcff301641e2f823b73089dae2

should 1min be defined as a constant in the header file? This is what we consider stale?

vasild commented at 9:53 am on July 2, 2024:

Yes, moved to a constant and added a comment to it. Placed the constant in the .cpp file since it is only used in that .cpp file, to limit its scope. It is not part of the “public” private_broadcast.h/cpp interface

in src/rpc/mempool.cpp:115 in 5f49e61ffa outdated

104@@ -93,11 +105,23 @@ static RPCHelpMan sendrawtransaction()
105             std::string err_string;
106             AssertLockNotHeld(cs_main);
107             NodeContext& node = EnsureAnyNodeContext(request.context);
108+            const bool private_broadcast_enabled{gArgs.GetBoolArg("-privatebroadcast", DEFAULT_PRIVATE_BROADCAST)};
109+            if (private_broadcast_enabled &&
110+                !g_reachable_nets.Contains(NET_ONION) &&
111+                !g_reachable_nets.Contains(NET_I2P)) {

pinheadmz commented at 3:46 pm on June 28, 2024:

5f49e61ffa576aa6c27de30a7db51d17c4f5c516

How could this be condition be different now than when it is checked in init.cpp?

vasild commented at 10:05 am on July 2, 2024:

The Tor connectivity could be “off” during startup and become “on” later at runtime, when we connect to the Tor daemon and it tells us the Tor proxy address. This is why the startup condition is a bit different, it has the onion_may_become_reachable variable.

in test/functional/test_framework/p2p.py:227 in 0a6797ffb3 outdated

221+        info = transport.get_extra_info("socket")
222+        us = info.getsockname()
223+        them = info.getpeername()
224+        logger.debug(f"Connected: us={us[0]}:{us[1]}, them={them[0]}:{them[1]}")
225+        self.dstaddr = them[0]
226+        self.dstport = them[1]

pinheadmz commented at 5:28 pm on June 28, 2024:

0a6797ffb3eb2d45bce1dc68e830efd89ac2a442

Teleporting the comment from #29420 (review)

Why didn’t we need to do this on master?

The old log message was Connected & Listening: 127.0.0.1:15689 not Connected & Listening: 0:0

vasild commented at 10:23 am on July 2, 2024:

I replied to that thread to keep the discussion in one place.

pinheadmz commented at 5:51 pm on June 28, 2024: member

code review ACK 7a7e7d189dfe5efa6ab3c644f55f410412163503

some questions and comments above and below (sorry spread out review over a few days)

I want to run this in warnet again with a lot more TXs and see how we do as well

DrahtBot requested review from nothingmuch on Jun 28, 2024

DrahtBot requested review from andrewtoth on Jun 28, 2024

vasild force-pushed on Jul 2, 2024

vasild commented at 10:43 am on July 2, 2024: contributor

7a7e7d189d...3bd618a91f: rebase and address suggestions

pinheadmz commented at 3:04 pm on July 2, 2024: member

utACK 3bd618a91f

Code changes since last review look good.

in test/functional/p2p_private_broadcast.py:68 in 3bd618a91f outdated

63+NUM_PRIVATE_BROADCAST_PER_TX = 5
64+
65+# Fill addrman with these addresses. Must have enough Tor addresses, so that even
66+# if all 10 default connections are opened to a Tor address (!?) there must be more
67+# for private broadcast.
68+addresses = [

instagibbs commented at 4:42 pm on July 2, 2024:

0ADDRMAN_ADDRESSES = [

vasild commented at 1:26 pm on July 31, 2024:

Done.

in test/functional/p2p_private_broadcast.py:236 in 3bd618a91f outdated

231+            if not res["success"]:
232+                self.log.debug(f"Could not add {addr} to tx_originator's addrman (collision?)")
233+
234+        self.wait_until(lambda: self.socks5_server.conf.destinations_used == NUM_INITIAL_CONNECTIONS)
235+
236+        node1 = self.nodes[1]

instagibbs commented at 6:38 pm on July 2, 2024:

s/node1/tx_receiver/

vasild commented at 1:26 pm on July 31, 2024:

Done, even though there is more than one tx receiver.

in test/functional/p2p_private_broadcast.py:303 in 3bd618a91f outdated

298+        observer_inbound.wait_until(lambda: "getdata" in observer_inbound.last_message)
299+        self.wait_until(lambda: len(tx_originator.getrawmempool()) > 0)
300+
301+        self.log.info("Waiting for normal broadcast to another observer")
302+        observer_outbound = self.socks5_server.conf.destinations[0]["node"]
303+        observer_outbound.wait_for_inv([inv])

instagibbs commented at 7:16 pm on July 2, 2024:

I think the test needs coverage for:

retrying broadcasts
sending the same tx again via sendrawtransaction
sending a different wtxid via sendrawtransaction
sending a tx with in-mempool dependencies (both that succeed and fail due to existing/missing parent)
rpc failing if it detects !g_reachable_nets
what happens if there’s not enough private connections when first broadcast attempt is tried, but more found later
what happens to pending broadcasts on restart of node

vasild commented at 1:31 pm on July 31, 2024:

I think the test needs coverage for:

I was stuck at #30543, thank you @mzumsande for resolving it!

1. retrying broadcasts

Done.

2. sending the same tx again via sendrawtransaction

Done.

3. sending a different wtxid via sendrawtransaction

Done, but the new tx has garbage witness. Would be nice to add one more test with a valid but different witness.

4. sending a tx with in-mempool dependencies (both that succeed and fail due to existing/missing parent)

Done, both.

5. rpc failing if it detects `!g_reachable_nets`

Done.

6. what happens if there's not enough private connections when first broadcast attempt is tried, but more found later

Private broadcast connections are created on demand. When first broadcast attempt is tried they are 0 (I did not add new test).

7. what happens to pending broadcasts on restart of node

They are lost. Persistence over restart is not in this PR, but will be in a subsequent one (I did not add new test).

instagibbs commented at 2:54 pm on July 31, 2024:

thanks for attending to this laundry list :+1:

DrahtBot added the label Needs rebase on Jul 4, 2024

vasild force-pushed on Jul 31, 2024

vasild commented at 1:25 pm on July 31, 2024: contributor

3bd618a91f...8baf19fb2a:

Rebase due to conflicts.
Tune the logic of the decision to open a private broadcast connection - we yield to other connection types every other attempt, but it might happen that when we yield the loop blocks on the semOutbound grant. This means that we are not ready to open other connection types. In this case and if private broadcast is needed, proceed with private broadcast even if the previous connection was private broadcast as well. This simplifies ShouldOpen() as the logic “previous was private broadcast” is moved to the caller.
Rename tor_proxy to proxy_for_ipv4or6 and actually set it, it’s used only for logging.
Run transactions to be broadcast through mempool acceptance test, they were not before.
If the same transaction is repeatedly given to sendrawtransaction RPC, then don’t open 5 new private broadcast connections every time. Change subsequent requests to do nothing but log a message that it was not necessary to sendrawtransaction the transaction again.
Change the extension of the SOCKS5 proxy - instead of being given a set of predefined destinations to redirect the connections to, it is now given a callback function which returns the destination where to redirect, or it can decide to return None asking the SOCKS5 proxy to close the connection (default behavior). This is more flexible.
Move create_malleated_version() from p2p_orphan_handling.py to test_framework/messages.py where it can be reused.
Extend the functional tests as per #29415 (review), thanks @instagibbs for the suggestions!

DrahtBot removed the label Needs rebase on Jul 31, 2024

DrahtBot commented at 4:50 pm on July 31, 2024: contributor

🚧 At least one of the CI tasks failed. Debug: https://github.com/bitcoin/bitcoin/runs/28160559851

Make sure to run all tests locally, according to the documentation.

The failure may happen due to a number of reasons, for example:

Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.
A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.
An intermittent issue.

Leave a comment here, if you need help tracking down a confusing failure.

DrahtBot added the label CI failed on Jul 31, 2024

vasild force-pushed on Aug 1, 2024

vasild commented at 8:20 am on August 1, 2024: contributor

8baf19fb2a...97ae670dc4: fix the scope of two local variables in socks5.py

vasild force-pushed on Aug 1, 2024

vasild commented at 9:36 am on August 1, 2024: contributor

97ae670dc4...30ec819596: pet the python linter

DrahtBot removed the label CI failed on Aug 1, 2024

in src/init.cpp:649 in 30ec819596 outdated

642@@ -643,6 +643,18 @@ void SetupServerArgs(ArgsManager& argsman)
643                    OptionsCategory::NODE_RELAY);
644     argsman.AddArg("-minrelaytxfee=<amt>", strprintf("Fees (in %s/kvB) smaller than this are considered zero fee for relaying, mining and transaction creation (default: %s)",
645         CURRENCY_UNIT, FormatMoney(DEFAULT_MIN_RELAY_TX_FEE)), ArgsManager::ALLOW_ANY, OptionsCategory::NODE_RELAY);
646+    argsman.AddArg("-privatebroadcast",
647+                   strprintf(
648+                       "Broadcast transactions submitted via sendrawtransaction RPC using short lived "
649+                       "connections to Tor or I2P peers without putting them in the mempool first. "

MarnixCroes commented at 12:18 pm on August 1, 2024:

to Tor or I2P peers, this should be updated? or maybe rewrite to simplify, something like: broadcast via short-lived Tor or I2P connection As it can also broadcast to ipv4 and ipv6 peers now (https://github.com/bitcoin/bitcoin/pull/29415/files#r1576619537)

vasild commented at 5:37 pm on August 1, 2024:

Yes, it needs to be updated, thanks for spotting this! How about this:

0 +                       "Broadcast transactions submitted via sendrawtransaction RPC using short lived "
1-+                       "connections to Tor or I2P peers without putting them in the mempool first. "
2++                       "connections through the Tor or I2P networks without putting them in the mempool first. "

vasild commented at 9:14 am on August 2, 2024:

Done

in src/net.cpp:2586 in 30ec819596 outdated

2516@@ -2496,6 +2517,11 @@ void CConnman::ThreadOpenConnections(const std::vector<std::string> connect)
2517         LogPrintf("Fixed seeds are disabled\n");
2518     }
2519 
2520+    // Private broadcast connections are opened with priority over others, but only half
2521+    // of the time to avoid depriving other connection types if private broadcast is
2522+    // needed but opening such connections is unsuccessful for some reason.
2523+    std::optional<Network> open_private_broadcast_to;

MarnixCroes commented at 12:26 pm on August 1, 2024:

on debian12, during compiling it shows this warning

0net.cpp: In member function ‘void CConnman::ThreadOpenConnections(std::vector<std::__cxx11::basic_string<char> >)’:
1net.cpp:2523:28: note: ‘*(unsigned int*)((char*)&open_private_broadcast_to + offsetof(std::optional<Network>,std::optional<Network>::<unnamed>.std::_Optional_base<Network, true, true>::<unnamed>))’ was declared here
2 2523 |     std::optional<Network> open_private_broadcast_to;
3      |                            ^~~~~~~~~~~~~~~~~~~~~~~~~

(there are also other unrelated warnings, #29359)

vasild commented at 5:39 pm on August 1, 2024:

This does not look like the whole warning? I only see in member function ... : note: '...' was declared here.

MarnixCroes commented at 8:33 am on August 2, 2024:

oh sry. this is the full warning:

 0In file included from ./bip324.h:10,
 1                 from ./net.h:9,
 2                 from net.cpp:8:
 3In constructor ‘constexpr std::_Optional_payload_base<_Tp>::_Storage<_Up, <anonymous> >::_Storage(std::in_place_t, _Args&& ...) [with _Args = {Network&}; _Up = Network; bool <anonymous> = true; _Tp = Network]’,
 4    inlined from ‘constexpr std::_Optional_payload_base<_Tp>::_Optional_payload_base(std::in_place_t, _Args&& ...) [with _Args = {Network&}; _Tp = Network]’ at /usr/include/c++/12/optional:126:4,
 5    inlined from ‘constexpr std::_Optional_payload<Network, true, true, true>::_Optional_payload(std::in_place_t, _Args&& ...) [with _Args = {Network&}][inherited from std::_Optional_payload_base<Network>]’ at /usr/include/c++/12/optional:339:42,
 6    inlined from ‘constexpr std::_Optional_base<_Tp, true, true>::_Optional_base(std::in_place_t, _Args&& ...) [with _Args = {Network&}; typename std::enable_if<is_constructible_v<_Tp, _Args ...>, bool>::type <anonymous> = false; _Tp = Network]’ at /usr/include/c++/12/optional:650:4,
 7    inlined from ‘constexpr std::optional<_Tp>::optional(_Up&&) [with _Up = Network&; typename std::enable_if<__and_v<std::__not_<std::is_same<std::optional<_Tp>, typename std::remove_cv<typename std::remove_reference<_Iter>::type>::type> >, std::__not_<std::is_same<std::in_place_t, typename std::remove_cv<typename std::remove_reference<_Iter>::type>::type> >, std::is_constructible<_Tp, _Up>, std::is_convertible<_Iter, _Iterator> >, bool>::type <anonymous> = true; _Tp = Network]’ at /usr/include/c++/12/optional:749:47,
 8    inlined from ‘void CConnman::ThreadOpenConnections(std::vector<std::__cxx11::basic_string<char> >)’ at net.cpp:2741:63:
 9/usr/include/c++/12/optional:214:15: warning: ‘*(unsigned int*)((char*)&open_private_broadcast_to + offsetof(std::optional<Network>,std::optional<Network>::<unnamed>.std::_Optional_base<Network, true, true>::<unnamed>))’ may be used uninitialized [-Wmaybe-uninitialized]
10  214 |             : _M_value(std::forward<_Args>(__args)...)
11      |               ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
12net.cpp: In member function ‘void CConnman::ThreadOpenConnections(std::vector<std::__cxx11::basic_string<char> >)’:
13net.cpp:2523:28: note: ‘*(unsigned int*)((char*)&open_private_broadcast_to + offsetof(std::optional<Network>,std::optional<Network>::<unnamed>.std::_Optional_base<Network, true, true>::<unnamed>))’ was declared here
14 2523 |     std::optional<Network> open_private_broadcast_to;
15      |                            ^~~~~~~~~~~~~~~~~~~~~~~~~

MarnixCroes commented at 8:33 am on August 2, 2024:

maybe it is ok as it is, I’m just mentioning it

vasild commented at 9:08 am on August 2, 2024:

Alright, it is upset that std::optional<Network> open_private_broadcast_to may be used uninitialized. But std::optional has a well defined default constructor - https://en.cppreference.com/w/cpp/utility/optional/optional, so this warning seems bogus. I will leave it as is. Which compiler it is? c++ --version

maflcko commented at 9:12 am on August 2, 2024:

Looks like a duplicate of #29359 (known gcc bug)

in src/init.cpp:2203 in 30ec819596 outdated

1990+        // reachable and will not become reachable for sure.
1991+        const bool onion_may_become_reachable{listenonion && (!args.IsArgSet("-onlynet") || onlynet_used_with_onion)};
1992+        if (!g_reachable_nets.Contains(NET_I2P) &&
1993+            !g_reachable_nets.Contains(NET_ONION) &&
1994+            !onion_may_become_reachable) {
1995+            return InitError(_("Private broadcast of own transactions requested (-privatebroadcast), "

MarnixCroes commented at 12:51 pm on August 1, 2024:

question: when running with -connect and privatebroadcast=1, bitcoind will immediately shutdown. shouldn’t the node just run, but fail to broadcast when using the rpc? additionally, bitcoin-qt fails to run too which doesn’t use the private broadcast (when using GUI).

vasild commented at 5:44 pm on August 1, 2024:

Emitting errors from the RPC is also an option, but I prefer to keep the current way because it clearly shows something is misconfigured and starting up knowing that the RPC will never work and always give errors seems like a bad user experience. I would prefer that the user stops and is forced to fix the misconfiguration of the node. bitcoin-qt also has a RPC console.

MarnixCroes commented at 8:42 am on August 2, 2024:

ok thanks for the answer. I also thought about that it might make sense to have an optional argument for sendrawtransaction rpc, whether to use privatebroadcast or not (for example in the case when it cannot be used, but user still wants to broadcast without restarting bitcoind) Same answer also applies to that I guess

vasild commented at 9:12 am on August 2, 2024:

Yeah. Also, having an extra argument to the RPC is an alternative of the -privatebroadcast config option that would be maybe viable if the plan was to stop with the RPC, but having in mind that the wallet will eventually also use private broadcast, I would like to avoid having to configure each module separately for private broadcast, so a single global config option seems to fit best.

MarnixCroes commented at 9:49 am on August 2, 2024:

makes sense, thanks

andrewtoth commented at 7:30 pm on November 10, 2024:

This is unfortunate that privatebroadcast is incompatible with connect. The use case would be to connect to a single trusted peer for listening, but broadcast through ephemeral connections to not link the trusted peer to our wallet.

vasild commented at 8:39 am on November 13, 2024:

By “for listening” you mean “for learning new transactions and blocks”, right? So, in that setup the node is not listening (not accepting inbound connections), has only one connection to a known honest node and broadcasts its own transactions using private broadcast? That seems like an useful setup that would be nice to have support for. But the current semantic of -connect is “only connect to the specified node(s)” which is at odds with “connect to random nodes for transaction broadcast”. I don’t like changing the semantic of -connect like that.

I wonder if this can be supported and to keep the current meaning of -connect… don’t use -connect but somehow restrict our node to be able to only connect to 1 address :thinking:

andrewtoth commented at 2:22 pm on November 13, 2024:

But we are adding a new option here privatebroadcast. Could we not change the semantics of connect if the new option privatebroadcast is used?

vasild commented at 2:49 pm on November 13, 2024:

Yeah, you are right that -connect=0 -privatebroadcast=1 did not exist before because -privatebroadcast= did not exist. Then the semantic of -connect=0 would be “do this if privatebroadcast=0 and do something else if privatebroadcast=1”. I do not like that, seems convoluted and a possible source of confusion to make the behavior of one option dependent on the value of another option. I would like to have less of that stuff, not more.

andrewtoth commented at 2:58 pm on November 13, 2024:

I suppose I can addnode my trusted node for now, but I will be leaking other outbound connections. I’m not sure how to handle my case unless we don’t consider the ephemeral broadcast connections as true “connections” in the sense of connect option.

vasild commented at 4:00 pm on November 13, 2024:

Just an idea - if the trusted node is accepting inbound Tor connections, then run the private node with -onlynet=onion -addnode=trusted.onion:8333 -privatebroadcast=1. Benefit of connecting to the trusted node over Tor - you know that you actually connected to the trusted node (or somebody who owns the private key for the trusted.onion service). If you connect over clearnet to an IP address, then you have to use v2 (bip324) and verify that the session ids match (session_id in getpeerinfo RPC output on both sides of the connection).

mzumsande commented at 4:05 pm on November 13, 2024:

This is a hack and I haven’t tested it, but instead of using -connect, -maxconnections=0 -privatebrodcast and then addnode your trusted peer might work for your use case?

andrewtoth commented at 2:32 am on November 29, 2024:

-maxconnections=0 -privatebrodcast and then addnode your trusted peer

Thanks for the idea, but sadly this does not work for this either. It will happily add only my trusted node, but it will not create the private broadcast connections when actually trying to send. It will just wait at 0 connections.

Since we break the maxconnections value already for the addnode exception, could we make an exception for private broadcast connections as well?

vasild commented at 2:57 pm on December 4, 2024:

Yes, that is the case:

argsman.AddArg("-maxconnections=", … It does not apply to short-lived private broadcast connections either, which have a separate limit of MAX_PRIVATE_BROADCAST_CONNECTIONS

You can run with -debug=privatebroadcast and see what happens when you send a new transaction.

andrewtoth commented at 8:06 pm on March 16, 2025:

I tried again with -debug=privatebroadcast. It does indeed just wait at 0 connections. The only relevant logs are

0[privatebroadcast] Requesting 5 new connections due to txid=<redacted>, wtxid=<redacted>
1[privatebroadcast] Request to increment the needed new connections by 5, changed from 0 to 5

Also had -debug=net -debug=tor, and no new connections were attempted.

andrewtoth commented at 8:44 pm on March 16, 2025:

What did work was setting -maxconnections=1 and then -addnode=<local node>. This did create a single blocks only peer along with the addnode peer, but it was able to use private broadcast. So, seems like there is a switch somewhere that disables this if -maxconnections=0 exactly?

andrewtoth commented at 3:18 am on March 17, 2025:

Hmm actually it stops opening new connections after all connection slots and the addnode are filled. It logs request to open 5, but then never manages to open one if I set maxconnections below 10. It only works if I call sendrawtransaction shortly after startup before all slots are filled.

vasild commented at 4:10 pm on March 17, 2025:

Right, it is because of this:

https://github.com/bitcoin/bitcoin/blob/e150e3064b4c8165a0429a536d5235e8475e0045/src/net.cpp#L2663-L2676

what happens is that there are no free slots, so the grant is not acquired immediately at line 2663. No private broadcast is needed, so it goes to line 2673 to wait for the grant, “indefinitely”, until some peer is disconnected. Then a transaction is submitted and a private broadcast is needed, but the code is waiting here on line 2673. Hmm…

vasild commented at 9:14 am on April 2, 2025:

This should be resolved in the latest push: #29415 (comment) because now opening private broadcast connections runs in a separate thread and is not subject to the blocking by semOutbound. Much simpler! Thank you, @andrewtoth for persisting here :sparkles:

andrewtoth commented at 0:44 am on April 5, 2025:

Confirmed the latest works with -maxconnections=0 -addnode=<localnode> :tada: Thanks @vasild for the fix and @mzumsande for the suggestion!

MarnixCroes commented at 1:52 pm on August 1, 2024: contributor

30ec819596f4000b46c9b7bf8d3ee1518af5d533 tested several things/scenarios and succesfully privately broadcasted several transactions✅

vasild force-pushed on Aug 2, 2024

vasild commented at 9:14 am on August 2, 2024: contributor

30ec819596...2b478bf332: update description of -privatebroadcast as per #29415 (review)

gmaxwell commented at 6:08 am on August 4, 2024: contributor

This shouldn’t send transactions without sending an INV. Instead, it should INV and wait for the GETDATA. (thanks to mzumsande for making a note of the behavior).

DrahtBot added the label Needs rebase on Aug 5, 2024

mzumsande commented at 6:17 pm on August 6, 2024: contributor

This shouldn’t send transactions without sending an INV. Instead, it should INV and wait for the GETDATA. (thanks to mzumsande for making a note of the behavior).

For context, an old discussion on this: #27509 (review) (I want to think a bit more on the potential benefits of #30572 before voicing an opinion).

instagibbs commented at 1:58 pm on August 7, 2024: member

(I want to think a bit more on the potential benefits of #30572 before voicing an opinion).

The cost here is that if this PR stays as-is, we can’t change our minds later abour 30572, fwiw. It’s something I’ve noted a few times elsewhere.

vasild force-pushed on Aug 13, 2024

vasild commented at 9:17 am on August 13, 2024: contributor

2b478bf332...11364e2e58: rebase due to conflicts

DrahtBot removed the label Needs rebase on Aug 13, 2024

vasild commented at 12:11 pm on August 13, 2024: contributor

11364e2e58..2db437fbd1: do the transaction send with INV+GETDATA+TX instead of just TX, so that this PR is now not related or tied to #30572.

I think this complicates the code without providing a benefit, thus my preference is to avoid it, so I kept the change in separate commits (the two on the top of the branch). It can be reviewed separately and squashed accordingly if people like it, or easily dropped.

DrahtBot added the label CI failed on Aug 13, 2024

DrahtBot commented at 1:18 pm on August 13, 2024: contributor

🚧 At least one of the CI tasks failed. Debug: https://github.com/bitcoin/bitcoin/runs/28704849578

Make sure to run all tests locally, according to the documentation.

The failure may happen due to a number of reasons, for example:

Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.
A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.
An intermittent issue.

Leave a comment here, if you need help tracking down a confusing failure.

vasild force-pushed on Aug 13, 2024

vasild commented at 2:06 pm on August 13, 2024: contributor

2db437fbd1...df3a22f87a: pet clang-tidy and combine the last two commits (that implement the INV+GETDATA) because otherwise the test-each-commit CI task fails.

in src/private_broadcast.cpp:75 in 4a955955ec outdated

35+{
36+    LOCK(m_mutex);
37+    m_by_nodeid.emplace(nodeid, txid);
38+}
39+
40+bool PrivateBroadcast::FinishBroadcast(const NodeId& nodeid, bool confirmed_by_node) EXCLUSIVE_LOCKS_REQUIRED(!m_mutex)

brunoerg commented at 5:42 pm on August 13, 2024:

In 4a955955ec587120fb121e5068e3bc1f80406ac5 “net_processing: handle ConnectionType::PRIVATE_BROADCAST connections”: It seems FinishBroadcast returns a bool, but this value is never used.

vasild commented at 8:26 am on August 14, 2024:

The return value is used here:

0    // This is done when we get a PONG from the peer. Repeat here too in case we never receive a PONG.
1    if (node.IsPrivateBroadcastConn() &&
2        m_tx_for_private_broadcast.FinishBroadcast(nodeid, /*confirmed_by_node=*/false)) {
3...
4        log a message that we never got a PONG response

The point is to avoid printing this log message in the happy path where we do get a PONG response.

brunoerg commented at 9:21 am on August 14, 2024:

Oh sorry, missed that. It’s fine.

vasild force-pushed on Aug 14, 2024

DrahtBot removed the label CI failed on Aug 14, 2024

hebasto added the label Needs CMake port on Aug 16, 2024

gmaxwell commented at 11:51 pm on August 18, 2024: contributor

Private broadcast can also reduce privacy. I think the weakness is a tossup vs the obvious alternative (run ordinary connections exclusively over Tor) so it’s not a reason to not implement the feature, but it’s worth discussing in order to understand the limits and see if mitigations are possible.

The issue on my mind is that Tor has little to no resistance to traffic analysis. The small amount of resistance it has is by quantizing messages into fixed size cells. Otherwise, it essentially doesn’t have much resistance because analysis resistance is incompatible with achieving low latency. Too bad for us because for txn broadcast latency is fairly irrelevant.

We assume the attacker is able to passively monitor the internet connection of our victim. Lets also assume their non-blocksonly Bitcoin P2P connection is encrypted as is increasingly so (and it’s a ~6 line change to add an option to make peer v2-only, which I assume someone will propose once they feel v2 listeners are widespread enough).

The attacker is attempting to confirm that the monitored peer is the originator of specific transactions on the network, or alternatively is looking at all the transactions and try to determine which are likely authored by the monitored peer.

Against this threat model, I think this PR creates a substantial weakness compared to not having it: any time the user transacts they will create a predictable amount of traffic to tor which is a somewhat a function of the size of the transaction. There may be enough noise that a single transaction isn’t enough alone, but someone who transacted a couple times a day would likely be identifiable.

Of course, this isn’t the threat model this PR really hopes to address. This PR is strong against a threat model where the attacker cannot traffic analyze anyone but instead runs many bitcoin “nodes” and then is able to correlate incoming (decrypted) traffic to originating IP address. Of the two threat models I think this latter one is a greater concern.

But, perhaps if there were padding traffic and a tiny amount of broadcast of third-party txn as if they were private broadcast then the weakness under the traffic analysis case would be improved to be no worse than you’d have from just running ordinary P2P across tor?

instagibbs commented at 1:10 pm on August 19, 2024: member

@gmaxwell

But, perhaps if there were padding traffic and a tiny amount of broadcast of third-party txn as if they were private broadcast then the weakness under the traffic analysis case would be improved to be no worse than you’d have from just running ordinary P2P across tor?

Assuming a switch to INV-based private relay, you might need to take some care to make sure the decoy tx gets requested at high rates, since the real private relay will tend to result in the getadata for the tx?

gmaxwell commented at 0:07 am on August 22, 2024: contributor

It might be possible to conceal from a traffic analysis perspective what if anything was requested using padding.

DrahtBot added the label CI failed on Sep 1, 2024

DrahtBot commented at 6:08 am on September 1, 2024: contributor

🚧 At least one of the CI tasks failed. Debug: https://github.com/bitcoin/bitcoin/runs/28761292823

Make sure to run all tests locally, according to the documentation.

The failure may happen due to a number of reasons, for example:

Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.
A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.
An intermittent issue.

Leave a comment here, if you need help tracking down a confusing failure.

maflcko removed the label Needs CMake port on Sep 2, 2024

vasild force-pushed on Sep 2, 2024

vasild commented at 4:41 pm on September 2, 2024: contributor

31d841ddb8...08c9a8254a: rebase to pick CMake

DrahtBot removed the label CI failed on Sep 2, 2024

DrahtBot added the label Needs rebase on Sep 3, 2024

vasild force-pushed on Sep 4, 2024

vasild commented at 8:00 am on September 4, 2024: contributor

08c9a8254a...ed7040a9da: rebase due to conflicts

DrahtBot removed the label Needs rebase on Sep 4, 2024

DrahtBot added the label CI failed on Sep 4, 2024

DrahtBot removed the label CI failed on Sep 4, 2024

DrahtBot added the label Needs rebase on Sep 4, 2024

vasild force-pushed on Sep 11, 2024

vasild commented at 1:47 pm on September 11, 2024: contributor

ed7040a9da...abec00bb80: rebase due to conflicts

DrahtBot removed the label Needs rebase on Sep 11, 2024

DrahtBot added the label CI failed on Sep 11, 2024

DrahtBot removed the label CI failed on Sep 12, 2024

DrahtBot added the label CI failed on Sep 19, 2024

DrahtBot commented at 12:19 pm on September 19, 2024: contributor

🚧 At least one of the CI tasks failed. Debug: https://github.com/bitcoin/bitcoin/runs/29995994415

Make sure to run all tests locally, according to the documentation.

The failure may happen due to a number of reasons, for example:

Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.
A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.
An intermittent issue.

Leave a comment here, if you need help tracking down a confusing failure.

vasild force-pushed on Sep 30, 2024

vasild commented at 10:52 am on September 30, 2024: contributor

abec00bb80...4101c7ac8d: rebase due to conflicts

vasild force-pushed on Sep 30, 2024

in src/init.cpp:648 in bc1b5670ec outdated

639@@ -640,6 +640,18 @@ void SetupServerArgs(ArgsManager& argsman, bool can_listen_ipc)
640                    OptionsCategory::NODE_RELAY);
641     argsman.AddArg("-minrelaytxfee=<amt>", strprintf("Fees (in %s/kvB) smaller than this are considered zero fee for relaying, mining and transaction creation (default: %s)",
642         CURRENCY_UNIT, FormatMoney(DEFAULT_MIN_RELAY_TX_FEE)), ArgsManager::ALLOW_ANY, OptionsCategory::NODE_RELAY);
643+    argsman.AddArg("-privatebroadcast",
644+                   strprintf(
645+                       "Broadcast transactions submitted via sendrawtransaction RPC using short lived "
646+                       "connections through the Tor or I2P networks without putting them in the mempool first. "
647+                       "There are two aspects of this - delinking transaction-origin/Bitcoin-owner from "
648+                       "IP-address/geolocation and delinking onchain-unrelated transactions from their "

mzumsande commented at 3:51 pm on September 30, 2024:

I found this help text hard to parse with all the “/” (had to read it multiple times to understand it). I’m not sure if the rpc help is the best place to give motivation for why features exist (instead of just describing them), but maybe this could be a bit more succinct?

vasild commented at 9:05 am on October 3, 2024:

I’m not sure if the rpc help is the best place to give motivation for why features exist

Right. I dropped some of the text. I will apply further rewording if you suggest some.

in src/net.cpp:2608 in e24c2706f7 outdated

2594+        CSemaphoreGrant grant{*semOutbound, /*fTry=*/true};
2595+        if (open_private_broadcast_to.has_value() && grant) {
2596+            // Previous connection was private broadcast, thus yield to other connection types
2597+            // if we are ready to do so (the outbound semaphore gave green light).
2598+            open_private_broadcast_to.reset();
2599+        } else if (!(open_private_broadcast_to = m_private_broadcast.ShouldOpen(num_private_broadcast_opened))) {

mzumsande commented at 8:07 pm on September 30, 2024:

I would find the ThreadOpenConnection logic (which is already convoluted in master) easier to understand if the private broadcast related logic would be separated more clearly, e.g. this whole thing could be behind some bool private_broadcast_enabled so m_private_broadcast.ShouldOpen wouldn’t be called in normal mode and one wouldn’t need to scroll down and verify that this function does nothing then. Of course there is no functional difference, so it may be a matter of taste.

vasild commented at 4:56 am on October 3, 2024:

This code in CConnman::ThreadOpenConnections() is not checking whether private broadcast is enabled because it is just a servant, its logic is: “if there is a request to open private broadcast connections, then I will open them”. The higher level code is making the decision (currently in RPC only, but eventually in the wallet as well) - “if private broadcast is enabled, then open such connections because I am now broadcasting a transaction (and don’t put it in the mempool)”. This is why there is no check in net.cpp whether -privatebroadcast is enabled.

I also find this snippet non-trivial to understand:

 0CSemaphoreGrant grant{*semOutbound, /*fTry=*/true};
 1if (open_private_broadcast_to.has_value() && grant) {
 2    // Previous connection was private broadcast, thus yield to other connection types
 3    // if we are ready to do so (the outbound semaphore gave green light).
 4    open_private_broadcast_to.reset();
 5} else if (!(open_private_broadcast_to = m_private_broadcast.ShouldOpen(num_private_broadcast_opened))) {
 6    // No need for private broadcast connections, go with other ones. Acquire the
 7    // grant if not already acquired. 
 8    grant.Acquire();
 9}
10// else private broadcast is needed to network *open_private_broadcast_to, try to open one.

Let me summarize why the logic is like that:

since private broadcast connections are needed now and are short lived, they override all others
however if there is a lot of demand for private broadcast connections we want to avoid starving other connection types, so we don’t open two consecutive private broadcast connections and instead yield to others
but this yield to others may end up blocking on the grant for a long time because we are not ready to open other connection types whereas private broadcast connections are needed now.

I am open to suggestions on how to implement that in a simpler way or how to simplify the logic itself (without sacrificing the functionality).

mzumsande commented at 6:34 pm on October 7, 2024:

I didn’t mean to suggest a change to the logic, just to make it more conditional on -privatebroadcast, so that in principle we wouldn’t even need to initiate a m_private_broadcast object unless the user is running in -privatebroadcast mode. But I don’t have a concrete suggestion right now (I might suggest on at a later point but need to look deeper into the grant logic for that) so it’s fine to resolve for now.

in src/node/types.h:54 in f945fd5eb2 outdated

49+/**
50+ * Methods to broadcast a local transaction.
51+ * Used to influence `BroadcastTransaction()` and its callers.
52+ */
53+enum TxBroadcastMethod : uint8_t {
54+    /// Add the transaction to the mempool and broadcast to all currently connected peers.

mzumsande commented at 8:32 pm on September 30, 2024:

nit: all peers for which tx relay is enabled (so not blocks-only, feelers etc.).

vasild commented at 9:06 am on October 3, 2024:

Changed, thanks!

in src/wallet/wallet.cpp:2039 in f945fd5eb2 outdated

2032@@ -2031,7 +2033,19 @@ bool CWallet::SubmitTxMemoryPoolAndRelay(CWalletTx& wtx, std::string& err_string
2033     if (GetTxDepthInMainChain(wtx) != 0) return false;
2034 
2035     // Submit transaction to mempool for relay
2036-    WalletLogPrintf("Submitting wtx %s to mempool for relay\n", wtx.GetHash().ToString());
2037+    const char* what{""};
2038+    switch (broadcast_method) {
2039+    case node::ADD_TO_MEMPOOL_AND_BROADCAST_TO_ALL:
2040+        what = "to mempool and for broadcast to all peers";

mzumsande commented at 8:34 pm on September 30, 2024:

nit: same here, I’d remove “all”

vasild commented at 9:06 am on October 3, 2024:

Removed.

in src/net_processing.cpp:3730 in b628d96f21 outdated

3867+            // AddrMan::Connected() on block-relay-only peers; see
3868+            // FinalizeNode().
3869+            //
3870+            // This moves an address from New to Tried table in Addrman,
3871+            // resolves tried-table collisions, etc.
3872+            m_addrman.Good(pfrom.addr);

mzumsande commented at 9:50 pm on September 30, 2024:

I’ve been thinking about leaking information about private broadcast via addrman: 1.) Here, we call Good(), possibly moving the peer from new to tried. Since tried table is smaller and sparsely filled especially for newer nodes, and addrs are picked with 50% probability from new/tried, this usually means that we are more likely to connect to them in the future - maybe via clearnet, maybe via future private connections. 2.) On disconnection, we call Connected(), changing the nTime of an address (that could be included in getaddr answers).

Not super easy to use either of these methods as an attack, but I still think it would be better not to do change addrman based on what happens in private connections.

Even if we disabled that, an existing addrman that has only a few Tor peers in tried could make it likely that subsequent private txns would be made to the same node (which could help that peer connect these two transactions). That is a separate problem I don’t see a straightforward solution for, but it would be mitigated by 1.) gathering more tried peers over time 2.) having many peers in the network make use of private broadcast.

vasild commented at 9:11 am on October 3, 2024:

it would be better not to do change addrman based on what happens in private connections

I agree! Changed to avoid the Good() and Connected() calls for private broadcast.

On the second problem - I agree that more tried peers (which happens naturally over time) and more people using private broadcast would help because then the recipient just sees multiple broadcasts and has no way to relate them.

in src/private_broadcast.h:91 in 80246442b8 outdated

40+    struct TxWithPriority {
41+        CTransactionRef tx;
42+        Priority priority;
43+    };
44+
45+    using ByTxid = std::unordered_map<Txid, TxWithPriority, SaltedTxidHasher>;

mzumsande commented at 10:54 pm on September 30, 2024:

Why store by TxId instead of WtxId? Would this add some attack surface, e.g. an attacker with many connections to peers receiving a private tx, and then sending each of their peers a modified version of the same tx with invalid witness data (but same TxId), in the hope of connecting to the originating node and clearing any further attempts to broadcast the transaction (note that m_tx_for_private_broadcast.Remove() also happens for invalid txs becaust it’s done before validation)

vasild commented at 8:34 am on October 3, 2024:

Because if stored by wtxid then the same could happen, but the attacker malleates the transaction to a valid witness data, so it has same txid, different wtxid, and is valid. When we receive that transaction we would not recognize it because we look at the wtxid, so we would keep broadcasting the original one, until the code in PeerManagerImpl::ReattemptPrivateBroadcast() gives up on it because it is not acceptable in the mempool.

Do you think we should check both txid and wtxid when we receive a transaction from the network, or try to validate the transaction before removing it via m_tx_for_private_broadcast.Remove(ptx)?

mzumsande commented at 3:27 pm on October 3, 2024:

I’d say it might be a good idea to keep using TxIDs, but move the removal until after validation - that should address both scenarios. We are going to validate it anyway, so I don’t really see any downsides to that.

vasild commented at 12:28 pm on October 4, 2024:

Here is the change:

 0--- i/src/net_processing.cpp
 1+++ w/src/net_processing.cpp
 2@@ -4803,27 +4803,12 @@ void PeerManagerImpl::ProcessMessage(CNode& pfrom, const std::string& msg_type,
 3         const uint256& txid = ptx->GetHash();
 4         const uint256& wtxid = ptx->GetWitnessHash();
 5 
 6         const uint256& hash = peer->m_wtxid_relay ? wtxid : txid;
 7         AddKnownTx(*peer, hash);
 8 
 9-        if (auto num_broadcasted = m_tx_for_private_broadcast.Remove(ptx)) {
10-            LogPrintLevel(BCLog::PRIVATE_BROADCAST,
11-                          BCLog::Level::Info,
12-                          "Received our privately broadcast transaction (txid=%s) from the "
13-                          "network from peer=%d%s; stopping private broadcast attempts\n",
14-                          txid.ToString(),
15-                          pfrom.GetId(),
16-                          fLogIPs ? strprintf(", peeraddr=%s", pfrom.addr.ToStringAddrPort()) : "");
17-            if (NUM_PRIVATE_BROADCAST_PER_TX > num_broadcasted.value()) {
18-                // Not all of the initial NUM_PRIVATE_BROADCAST_PER_TX connections were needed.
19-                // Tell CConnman it does not need to start the remaining ones.
20-                m_connman.m_private_broadcast.NumToOpenSub(NUM_PRIVATE_BROADCAST_PER_TX - num_broadcasted.value());
21-            }
22-        }
23-
24         LOCK2(cs_main, m_tx_download_mutex);
25 
26         m_txrequest.ReceivedResponse(pfrom.GetId(), txid);
27         if (tx.HasWitness()) m_txrequest.ReceivedResponse(pfrom.GetId(), wtxid);
28 
29         // We do the AlreadyHaveTx() check using wtxid, rather than txid - in the
30@@ -4878,21 +4863,37 @@ void PeerManagerImpl::ProcessMessage(CNode& pfrom, const std::string& msg_type,
31             //
32             // Note that m_lazy_recent_rejects doesn't just record DoSy or invalid
33             // transactions, but any tx not accepted by the mempool, which may be
34             // due to node policy (vs. consensus). So we can't blanket penalize a
35             // peer simply for relaying a tx that our m_lazy_recent_rejects has caught,
36             // regardless of false positives.
37+            // XXX what about Remove() also here?
38             return;
39         }
40 
41         const MempoolAcceptResult result = m_chainman.ProcessTransaction(ptx);
42         const TxValidationState& state = result.m_state;
43 
44         if (result.m_result_type == MempoolAcceptResult::ResultType::VALID) {
45             ProcessValidTx(pfrom.GetId(), ptx, result.m_replaced_transactions);
46             pfrom.m_last_tx_time = GetTime<std::chrono::seconds>();
47+
48+            if (auto num_broadcasted = m_tx_for_private_broadcast.Remove(ptx)) {
49+                LogPrintLevel(BCLog::PRIVATE_BROADCAST,
50+                              BCLog::Level::Info,
51+                              "Received our privately broadcast transaction (txid=%s) from the "
52+                              "network from peer=%d%s; stopping private broadcast attempts\n",
53+                              txid.ToString(),
54+                              pfrom.GetId(),
55+                              fLogIPs ? strprintf(", peeraddr=%s", pfrom.addr.ToStringAddrPort()) : "");
56+                if (NUM_PRIVATE_BROADCAST_PER_TX > num_broadcasted.value()) {
57+                    // Not all of the initial NUM_PRIVATE_BROADCAST_PER_TX connections were needed.
58+                    // Tell CConnman it does not need to start the remaining ones.
59+                    m_connman.m_private_broadcast.NumToOpenSub(NUM_PRIVATE_BROADCAST_PER_TX - num_broadcasted.value());
60+                }
61+            }
62         }
63         else if (state.GetResult() == TxValidationResult::TX_MISSING_INPUTS)
64         {
65             bool fRejectedParents = false; // It may be the case that the orphans parents have all been rejected
66 
67             // Deduplicate parent txids, so that we don't have to loop over

Note that if the tx is not accepted in our mempool because it has too low fee for our mempool, but is accepted in everybody else’s mempool, then we would do the remaining broadcasts up to NUM_PRIVATE_BROADCAST_PER_TX (5), then it would get stale and will be removed by PeerManagerImpl::ReattemptPrivateBroadcast(). Whereas currently, without this change it will be removed right away and we will not do the remaining broadcasts (up to 5).

I got another idea - remove the transaction only if the received tx has the same txid and the same wtxid as the one that we broadcast. Currently we only compare the txid.

 0--- i/src/private_broadcast.cpp
 1+++ w/src/private_broadcast.cpp
 2@@ -21,13 +21,13 @@ bool PrivateBroadcast::Add(const CTransactionRef& tx) EXCLUSIVE_LOCKS_REQUIRED(!
 3 }
 4 
 5 std::optional<size_t> PrivateBroadcast::Remove(const CTransactionRef& tx) EXCLUSIVE_LOCKS_REQUIRED(!m_mutex)
 6 {                 
 7     LOCK(m_mutex);
 8     auto iters = Find(tx->GetHash());
 9-    if (!iters) {
10+    if (!iters || iters->by_txid->second.tx->GetWitnessHash() != tx->GetWitnessHash()) {
11         return std::nullopt;
12     }
13     const size_t num_broadcasted{iters->by_priority->first.num_broadcasted};
14     m_by_priority.erase(iters->by_priority);
15     m_by_txid.erase(iters->by_txid);
16     return num_broadcasted;

With this, if a malleated and valid transaction makes it to our mempool, then we would keep broadcasting the original one, up to 5 times, and then it will be removed by PeerManagerImpl::ReattemptPrivateBroadcast().

Which one?

mzumsande commented at 6:35 pm on October 7, 2024:

Which one?

No strong opinion (I think that both should work), but the second one (also check wtxid) seems simpler.

vasild commented at 11:24 am on October 8, 2024:

I went for the second one being simpler and also easier to reason about - if we received something other than what we broadcasted, then keep broadcasting (but not infinitely).

vasild force-pushed on Oct 3, 2024

vasild commented at 10:36 am on October 3, 2024: contributor

b98320ceff...54f4f3b05e: address suggestions and blindly try to fix a bogus warning about uninitialized optional (didn’t work)

DrahtBot added the label Needs rebase on Oct 5, 2024

vasild force-pushed on Oct 7, 2024

vasild commented at 1:42 pm on October 7, 2024: contributor

54f4f3b05e...f9b2eaf96c: rebase due to conflicts

DrahtBot removed the label Needs rebase on Oct 7, 2024

in src/net_processing.cpp:4248 in f9b2eaf96c outdated

4534@@ -4537,6 +4535,41 @@ void PeerManagerImpl::ProcessMessage(CNode& pfrom, const std::string& msg_type,
4535             LogDebug(BCLog::NET, "received getdata for: %s peer=%d\n", vInv[0].ToString(), pfrom.GetId());
4536         }
4537 
4538+        if (pfrom.IsPrivateBroadcastConn()) {

mzumsande commented at 5:54 pm on October 7, 2024:

The final fixup commit leads to the question what should happen if the peer doesn’t send a GETDATA to our INV. I think this would happen in practice if they are one of the later broadcast attempts and already received the tx from someone else (as a result of our first attempts). I think that we would currently never disconnect on our end, but they might disconnect us after TIMEOUT_INTERVAL=20min because we don’t answer their ping. But if they don’t have this logic the connection might stay open indefinitely, whicih seems unfortunate, so we’d probably need some kind of timer here (see also other related comment)?

vasild commented at 11:22 am on October 8, 2024:

Right. To resolve this and the issue at #29415 (review) I introduced a maximum lifetime of a private broadcast connection, after which time, we disconnect the peer regardless of the state the connection is in.

vasild commented at 9:27 am on November 8, 2024:

Marking this as resolved, feel free to comment if you have concerns with the “maximum lifetime” solution.

in src/net_processing.cpp:4143 in d8325e33e2 outdated

4138+            // relay logic is designed to work even in cases when the peer drops
4139+            // the transaction (due to it being too cheap, or for other reasons).
4140+            PushPrivateBroadcastTx(pfrom);
4141+
4142+            peer->m_ping_queued = true; // Ensure a ping will be sent: mimick a request via RPC.
4143+            MaybeSendPing(pfrom, *peer, GetTime<std::chrono::microseconds>());

mzumsande commented at 6:07 pm on October 7, 2024:

What if the peer doesn’t answer our ping (because they are broken / malicious)? I think we would never disconnect them because the disconnection logic is inside of MaybeSendPing(), which will never be called again for private peers.

vasild commented at 11:19 am on October 8, 2024:

Continuing at #29415 (review)

vasild force-pushed on Oct 8, 2024

vasild commented at 11:26 am on October 8, 2024: contributor

f9b2eaf96c...a51c2cdda5: address suggestions and further try to silence the bogus std::optional warning.

DrahtBot added the label Needs rebase on Oct 9, 2024

vasild force-pushed on Oct 9, 2024

vasild commented at 9:33 am on October 9, 2024: contributor

a51c2cdda5...09a7394759: silence the bogus GCC warning about uninitialized std::optional

vasild force-pushed on Oct 9, 2024

vasild commented at 9:36 am on October 9, 2024: contributor

09a7394759...6b10008441: rebase due to conflicts

DrahtBot removed the label Needs rebase on Oct 9, 2024

DrahtBot removed the label CI failed on Oct 9, 2024

vasild force-pushed on Oct 22, 2024

vasild commented at 11:18 am on October 22, 2024: contributor

6b10008441...ec7693a9aa: take suggestions from #29420 - in the SOCKS5 proxy, put the sockets forwarding snippet from socks5.py to its own function and retry send()s.

achow101 referenced this in commit 97b790e844 on Oct 29, 2024

vasild force-pushed on Nov 8, 2024

vasild commented at 9:22 am on November 8, 2024: contributor

ec7693a9aa...f5fc9451aa: rebase and drop the commits that were already merged via https://github.com/bitcoin/bitcoin/pull/29420

1440000bytes commented at 7:37 pm on November 10, 2024: none

@1440000bytes, thanks for asking! There is some discussion at #27509 (the previous attempt on this).

Is it necessary to open new short lived tor/i2p connections for broadcasting the transaction?

Yes, it is. See below.

What are the trade-offs in this implementation vs a simple implementation to relay tx to one or more peers that our node is already connected to?

Sending the transaction over clearnet reveals the IP address/geolocation of the sender. A spy with many connections to the network could try to guess who was the originator. So, why not send it to our Tor peers only? Because it is relatively easy for a spy to fingerprint and link clearnet and Tor connections to the same peer. That is, a long running connection over Tor could be linked to a long running clearnet connection. This is why the proposed changes open a short-lived connection that does not reveal any of the identity of the sender.

Would this benefit nodes that don’t have clearnet connections, e.g. Tor/I2P-only nodes? Yes! In the case where the sender sends two otherwise unrelated transactions over the same long-running Tor connection, the recipient will know that they have the same origin, even though they are not related on-chain. Using single shot connections fixes that too.

Related issues:

Linked in the OP, thanks!

I am still not satisfied with this answer as a general approach could have allowed dandelion++ without changing bitcoin core. However, it improves privacy compared to status quo so I wont be a roadblock.

DrahtBot added the label Needs rebase on Dec 17, 2024

vasild force-pushed on Dec 20, 2024

vasild commented at 2:20 pm on December 20, 2024: contributor

f5fc9451aa...3522e897f2: rebase due to conflicts

DrahtBot removed the label Needs rebase on Dec 20, 2024

DrahtBot added the label CI failed on Dec 20, 2024

DrahtBot commented at 4:10 pm on December 20, 2024: contributor

🚧 At least one of the CI tasks failed. Debug: https://github.com/bitcoin/bitcoin/runs/34713712952

Try to run the tests locally, according to the documentation. However, a CI failure may still happen due to a number of reasons, for example:

Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.
A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.
An intermittent issue.

Leave a comment here, if you need help tracking down a confusing failure.

vasild force-pushed on Dec 20, 2024

vasild commented at 4:13 pm on December 20, 2024: contributor

3522e897f2...964b7b0ad6: pet clang-tidy

DrahtBot removed the label CI failed on Dec 20, 2024

DrahtBot added the label Needs rebase on Dec 27, 2024

vasild force-pushed on Feb 13, 2025

vasild commented at 9:19 am on February 13, 2025: contributor

964b7b0ad6...ebc7ba0216: rebase due to conflicts

DrahtBot removed the label Needs rebase on Feb 13, 2025

jonatack commented at 10:15 pm on March 7, 2025: member

Plan to review soon.

DrahtBot added the label Needs rebase on Mar 12, 2025

vasild force-pushed on Mar 17, 2025

vasild commented at 4:03 pm on March 17, 2025: contributor

ebc7ba0216...e150e3064b: rebase due to conflicts

DrahtBot removed the label Needs rebase on Mar 17, 2025

DrahtBot added the label Needs rebase on Apr 1, 2025

vasild force-pushed on Apr 2, 2025

vasild commented at 9:11 am on April 2, 2025: contributor

e150e3064b...cae4c1134d:

Instead of opening new private broadcast connections from ThreadOpenConnections(), together with all others, do that in a separate thread. This greatly simplifies the code because normal outbound connections and private broadcast ones are subject to too different opening conditions and logic and forcing all of the code in ThreadOpenConnections() made that function quite complex. Now the code is neatly separated in ThreadPrivateBroadcast() and easy to follow, just 59 lines of new code and ThreadOpenConnections() is not modified.
In practice a transaction usually gets received back before the last of the 5 connections has completed. Thus reduce the number of peers to send the transaction from 5 to 3 (there is a retry-later mechanism as well).
Change LogPrintLevel(BCLog::PRIVATE_BROADCAST, BCLog::Level::Debug, to LogDebug(BCLog::PRIVATE_BROADCAST, to reduce verbosity, even though this is inconsistent with higher level logs which use LogPrintLevel(): LogPrintLevel(BCLog::PRIVATE_BROADCAST, BCLog::Level::Warning, .
Remove trailing newlines from log messages since a recent change in master made them unnecessary.
Avoid repeating fLogIPs ? strprintf(", peeraddr=%s", pnode->addr.ToStringAddrPort()) : "" all over the place and use the recently added LogIP(), thanks @Sjors!

DrahtBot removed the label Needs rebase on Apr 2, 2025

mzumsande commented at 2:39 pm on April 3, 2025: contributor

Could we have a small guide how to test this (starting with a signet wallet with a few sats e.g. from a faucet)? I’ve done it once (successfully) a few months ago, but I don’t work with the wallet very often and always have to lookup the rpc commands again.

stratospher commented at 3:02 pm on April 3, 2025: contributor

+1! I saved this in a script to avoid repeating the procedure every time.

Create a wallet and get a new address:

0build/bin/bitcoin-cli -chain="signet" createwallet test
1build/bin/bitcoin-cli -chain="signet" getnewaddress

Go to the Signet faucet and request some coins.
Run the script

 0#!/bin/bash
 1cd bitcoin
 2build/bin/bitcoin-cli -chain="signet" loadwallet test
 3txid=$(build/bin/bitcoin-cli -chain="signet" listunspent | jq -r '.[0] | .txid')
 4vout=$(build/bin/bitcoin-cli -chain="signet" listunspent | jq -r '.[0] | .vout')
 5echo "txid: $txid"
 6echo "vout: $vout"
 7
 8new_address=$(build/bin/bitcoin-cli -chain="signet" getnewaddress)
 9tx=$(build/bin/bitcoin-cli -chain="signet" createrawtransaction "[{\"txid\": \"$txid\", \"vout\": $vout}]" "[{\"$new_address\": 0.00001}]" 0 false)
10echo "tx: $tx"
11
12signed_tx=$(build/bin/bitcoin-cli -chain="signet" signrawtransactionwithwallet $tx | jq -r '.hex')
13echo "signed_tx: $signed_tx"
14
15raw_tx=$(build/bin/bitcoin-cli -chain="signet" sendrawtransaction $signed_tx)
16echo "raw_tx: $raw_tx"

andrewtoth commented at 6:26 pm on April 3, 2025: contributor

@stratospher that’s a great script, thanks! I’ve modified it slightly to use the more modern psbt wallet commands. This makes it not have to worry about inputs and also automatically sends back change to the wallet.

This does mean you will have to start bitcoind with -fallbackfee=0.00003 for instance for 3 sat/vbyte fee. Also start bitcoind with -privatebroadcast=1 -debug=privatebroadcast.

 0#!/bin/bash
 1cd bitcoin
 2build/bin/bitcoin-cli -chain="signet" loadwallet test
 3
 4new_address=$(build/bin/bitcoin-cli -chain="signet" getnewaddress)
 5psbt=$(build/bin/bitcoin-cli -chain="signet" walletcreatefundedpsbt "[]" "[{\"$new_address\": 0.00001}]" | jq -r '.psbt')
 6echo "psbt: $psbt"
 7
 8signed_tx=$(build/bin/bitcoin-cli -chain="signet" walletprocesspsbt $psbt | jq -r '.hex')
 9echo "signed_tx: $signed_tx"
10
11raw_tx=$(build/bin/bitcoin-cli -chain="signet" sendrawtransaction $signed_tx)
12echo "raw_tx: $raw_tx"

in src/init.cpp:2082 in 3eb2ee0fbb outdated

2077+        }
2078+        if (!connOptions.m_use_addrman_outgoing) {
2079+            return InitError(_("Private broadcast of own transactions requested (-privatebroadcast), "
2080+                               "but -connect is also configured. They are incompatible because the "
2081+                               "private broadcast needs to open new connections to randomly "
2082+                               "chosen Tor or I2P peers"));

andrewtoth commented at 5:05 pm on April 6, 2025:

Maybe add a hint here to configure -maxconnections=0 -addnode=<connect node> to bypass this?

vasild commented at 1:35 pm on April 8, 2025:

Done.

in src/net.cpp:3066 in cb503ef72c outdated

3061+        return tor_proxy;
3062+    }
3063+    return std::nullopt;
3064+}
3065+
3066+bool CConnman::PrivateBroadcast::PickNetwork(Network& net, std::optional<Proxy>& proxy) const

andrewtoth commented at 5:19 pm on April 6, 2025:

Wouldn’t a std::option<Network> work better here as a return value?

vasild commented at 1:36 pm on April 8, 2025:

Yes, changed.

in src/net.cpp:3245 in cb503ef72c outdated

3240+            continue;
3241+        }
3242+        addrman_num_bad_addresses = 0;
3243+
3244+        auto target_str{addr.ToStringAddrPort()};
3245+        if ((net == NET_IPV4 || net == NET_IPV6) && proxy.has_value()) {

andrewtoth commented at 5:30 pm on April 6, 2025:

Based on implementation of PickNetwork the proxy.has_value() will always be true and is redundant here, no?

vasild commented at 1:39 pm on April 8, 2025:

Yes, it is best if this code in ThreadPrivateBroadcast() does not rely too much on the internal decisions made by PickNetwork() whose promise is that proxy will be set if there is a need to override the normal proxy selection. Nothing more and no details about which networks need proxy override. I changed this code and dropped net == NET_IPV4 || net == NET_IPV6 and changed the log message from “Tor proxy” or just “proxy”.

in src/wallet/wallet.cpp:2061 in b77bd663e9 outdated

2058@@ -2057,7 +2059,19 @@ bool CWallet::SubmitTxMemoryPoolAndRelay(CWalletTx& wtx, std::string& err_string
2059     if (GetTxDepthInMainChain(wtx) != 0) return false;
2060 
2061     // Submit transaction to mempool for relay

andrewtoth commented at 5:41 pm on April 6, 2025:

This comment is now stale.

vasild commented at 1:39 pm on April 8, 2025:

Removed.

in src/net_processing.cpp:1763 in 12f6e7f3d3 outdated

1674@@ -1627,7 +1675,7 @@ void PeerManagerImpl::FinalizeNode(const CNode& node)
1675     }
1676     } // cs_main
1677     if (node.fSuccessfullyConnected &&
1678-        !node.IsBlockOnlyConn() && !node.IsInboundConn()) {
1679+        !node.IsBlockOnlyConn() && !node.IsPrivateBroadcastConn() && !node.IsInboundConn()) {
1680         // Only change visible addrman state for full outbound peers.  We don't
1681         // call Connected() for feeler connections since they don't have

andrewtoth commented at 6:27 pm on April 6, 2025:

Maybe add // We don't call Connected() for private broadcast connections since they could leak information in addrman.

vasild commented at 1:40 pm on April 8, 2025:

Done.

in src/net_processing.cpp:3711 in 12f6e7f3d3 outdated

3610@@ -3525,7 +3611,7 @@ void PeerManagerImpl::ProcessMessage(CNode& pfrom, const std::string& msg_type,
3611             if (fRelay) pfrom.m_relays_txs = true;
3612         }
3613 
3614-        if (!pfrom.IsInboundConn()) {
3615+        if (!pfrom.IsInboundConn() && !pfrom.IsPrivateBroadcastConn()) {

andrewtoth commented at 6:30 pm on April 6, 2025:

Could expand on the comment below about why we don’t do this for private broadcast connections either. We don’t want to modify the addrman based on private broadcast connections in case they leak information about our node connecting to peers via those connections.

vasild commented at 1:40 pm on April 8, 2025:

Done.

in src/rpc/mempool.cpp:49 in 7d6fbced10 outdated

48-        "\nThe transaction will be sent unconditionally to all peers, so using sendrawtransaction\n"
49-        "for manual rebroadcast may degrade privacy by leaking the transaction's origin, as\n"
50-        "nodes will normally not rebroadcast non-wallet transactions already in their mempool.\n"
51+        "\nSubmit a raw transaction (serialized, hex-encoded) to the network.\n"
52+
53+        "\nIf -privatebroadcast is disabled, then the transaction will be sent\n"

andrewtoth commented at 6:57 pm on April 6, 2025:

Might be worth clarifying that in this case the the tx will be submitted to the local node immediately before broadcasting, whereas privatebroadcast it will not be.

vasild commented at 1:40 pm on April 8, 2025:

Done.

andrewtoth commented at 7:04 pm on April 6, 2025: contributor

Very nice, I’ve been testing on 398d9440db79d8b5f46094f831e79e3f2a835874 without the inv sending.

One thing is that sending multiple txs quickly using walletcreatefundedpsbt will select the same utxos since we didn’t get the previous tx yet. The double spent tx will still get pushed to peers, but there’s no indication that it failed from RPC or log perspective until next retry. This is a consequence of not submitting to our mempool, which I think is ok. But, maybe we could have a shorter duration stale tx check to have faster feedback than 10 minutes for these cases.

in src/net_processing.cpp:3572 in cae4c1134d outdated

3526+                 node.GetId(),
3527+                 node.LogIP(fLogIPs));
3528+        node.fDisconnect = true;
3529+        return;
3530+    }
3531+    const CTransactionRef& tx{*opt_tx};

andrewtoth commented at 3:53 pm on April 7, 2025:

Reaching here can be quite delayed from when the tx was actually scheduled. Could we check here that the tx is still acceptable to our mempool before pushing?

vasild commented at 1:43 pm on April 8, 2025:

Looks a bit of an overkill to me. It could be delayed but normally it is not and the worst that can happen is that this will be detected later during the rebroadcast attempt. No strong opinion but I somewhat lean on leaving it as it is.

learnwayback commented at 1:59 am on April 8, 2025: none

Isn’t this a bit much?

-proxyrandomize ensures that each connection is its own tor circuit so all you need to do is close the connection that was used to send a locally originating TX. minimal modification.

vasild commented at 7:18 am on April 8, 2025: contributor

Could we have a small guide how to test this … always have to lookup the rpc commands again.

Me too. Added “How to test this?” to the PR description, based on @stratospher and @andrewtoth’s commands, thank you!

in src/net_processing.cpp:1637 in cae4c1134d outdated

1600@@ -1543,6 +1601,13 @@ void PeerManagerImpl::InitializeNode(const CNode& node, ServiceFlags our_service
1601     }
1602 }
1603 
1604+/** Calculate the delta time after which to run the next transactions broadcast. */
1605+static std::chrono::milliseconds NextTxBroadcast()
1606+{
1607+    // We add randomness on every cycle to avoid the possibility of P2P fingerprinting.
1608+    return 10min + FastRandomContext().randrange<std::chrono::milliseconds>(5min);
1609+}

vasild commented at 10:30 am on April 8, 2025:

Continuing from #29415#pullrequestreview-2745195105

… maybe we could have a shorter duration stale tx check to have faster feedback than 10 minutes …

Could reduce those 10+5 mins to e.g. 5+2 mins? The NextTxBroadcast() method is reused from both private and non-private broadcast (the current one that sends to everybody). Is it worth having a separate method or parametrizing this one to cover a quick repeat of walletcreatefundedpsbt RPC with a sooner feedback? Is that also a realistic scenario or more of a testing one? In my testing the window of “broadcast but not received back” is just a few seconds. Maybe having this retry every 5 instead of 10 minutes will not make much of a difference?

IMO the best is to have the wallet account the “broadcast but not received back and not in the mempool” transaction - for balance display and for selecting inputs for subsequent transactions. That will be in a followup after this PR.

Another thing that will help with a loop of walletcreatefundedpsbt RPCs is a way to monitor the status of a transaction, e.g. “no sent”, “sent to 2 peers”, “received back from the network”. That is also for a followup. Both are mentioned in “Further extensions of this planned for subsequent PRs” as a reminder.

andrewtoth commented at 11:14 am on April 8, 2025:

Yeah it’s probably not worth changing the interval. I think the suggestion here would work better.

vasild commented at 1:49 pm on April 8, 2025:

Hmm, would it? If there is a script which runs walletcreatefundedpsbt RPC in quick succession, then all the transactions it generates will pass the mempool acceptance check, even if it is added to PushPrivateBroadcastTx()?

andrewtoth commented at 6:01 pm on April 8, 2025:

I’ve been testing sending multiple walletcreatefundedpsbts in quick successions. Since we are single threaded, the first connection is opened and we send the tx. The second connection is opened and we send the tx. Sometimes before we even connect to the second peer to send the second tx we receive the first tx, so we stop connections for the first tx. However, we still go through the motions of sending the second tx three more times.

I tried the same with the below patch, and before we push the tx in the second connection we will stop as well.

 0diff --git a/src/net_processing.cpp b/src/net_processing.cpp
 1index 94b398daf6..d76ebd3b6c 100644
 2--- a/src/net_processing.cpp
 3+++ b/src/net_processing.cpp
 4@@ -3531,6 +3531,25 @@ void PeerManagerImpl::PushPrivateBroadcastTx(CNode& node)
 5     }
 6     const CTransactionRef& tx{*opt_tx};
 7 
 8+    const auto mempool_acceptable{WITH_LOCK(cs_main, return m_chainman.ProcessTransaction(tx, /*test_accept=*/true))};
 9+    if (mempool_acceptable.m_result_type != MempoolAcceptResult::ResultType::VALID) {
10+        LogPrintLevel(BCLog::PRIVATE_BROADCAST,
11+            BCLog::Level::Info,
12+            "Giving up broadcast attempts for txid=%s wtxid=%s: %s",
13+            tx->GetHash().ToString(),
14+            tx->GetWitnessHash().ToString(),
15+            mempool_acceptable.m_state.ToString());
16+        if (const auto num_broadcasted{m_tx_for_private_broadcast.Remove(tx)}) {
17+            if (NUM_PRIVATE_BROADCAST_PER_TX > num_broadcasted.value()) {
18+                // Not all of the initial NUM_PRIVATE_BROADCAST_PER_TX connections were needed.
19+                // Tell CConnman it does not need to start the remaining ones.
20+                m_connman.m_private_broadcast.NumToOpenSub(NUM_PRIVATE_BROADCAST_PER_TX - num_broadcasted.value());
21+            }
22+        }
23+        node.fDisconnect = true;
24+        return;
25+    }
26+
27     LogPrintLevel(BCLog::PRIVATE_BROADCAST,
28                   BCLog::Level::Info,
29                   "P2P handshake completed, sending txid=%s%s, peer=%d%s",

vasild commented at 9:45 am on April 10, 2025:

@mzumsande, what do you think about the above patch? Check mempool acceptance one more time, before sending the transaction?

andrewtoth commented at 2:12 pm on April 10, 2025:

Hmm I’m now of the view that we should not send INV but only push the TX, and always send 3 times regardless if the tx is received in our mempool or is otherwise invalid. We should also send 3 times when reattempting.

Traffic analysis will be identical for any private broadcast, vs different patterns depending on when we receive a tx or our peer receives it.
Any possible timing analysis based on delaying the verack is negated.
Connections will not timeout waiting for getdata.
Decoy txs will be easier to implement. We can just randomly schedule one of the more recent txs we saw as a private broadcast and it will look identical to traffic analysis.

mzumsande commented at 2:58 pm on April 10, 2025:

Any possible timing analysis based on delaying the verack is negated.

Why? The peer can still delay the verack and then instead of checking for an inv they check whether they get sent a tx (we didn’t receive it yet from someone else) or not (we removed it from the m_tx_for_private_broadcast map in the meantime) - I don’t see any difference there.

@mzumsande, what do you think about the above patch? Check mempool acceptance one more time, before sending the transaction?

Hmm, it might be more helpful for the user if we didn’t accept the tx in the first place so that they can see the reason in the sendrawtransaction rpc response and are not confused why the tx is never sent - would it be hard to implement a check in BroadcastTransaction that the submitted tx doesn’t conflict with any other current private txns?

andrewtoth commented at 4:08 pm on April 10, 2025:

Why? The peer can still delay the verack and then instead of checking for an inv they check whether they get sent a tx (we didn’t receive it yet from someone else) or not (we removed it from the m_tx_for_private_broadcast map in the meantime)

My suggestion was

always send 3 times regardless if the tx is received in our mempool or is otherwise invalid

mzumsande commented at 4:20 pm on April 10, 2025:

oh, sorry, I missed that part! I don’t like that sending tx without invs would kill all attempts to restrict unrequested transactions for good. Even if #30572 was closed, I wouldn’t say that the idea, which has been floating around for a long time, is dead.

andrewtoth commented at 4:33 pm on April 10, 2025:

Ok, it’s unfortunate that it will make decoy txs less effective at camouflaging traffic analysis since the first private broadcast will likely not get a GETDATA response. But, better to keep the option open to restrict unrequested txs. @vasild what do you think of squashing the fixup commit?

would it be hard to implement a check in BroadcastTransaction that the submitted tx doesn’t conflict with any other current private txns?

Could this be done in a follow-up?

vasild commented at 4:36 pm on April 10, 2025:

it might be more helpful for the user if we didn’t accept the tx in the first place so that they can see the reason in the sendrawtransaction rpc response and are not confused why the tx is never sent - would it be hard to implement a check in BroadcastTransaction that the submitted tx doesn’t conflict with any other current private txns?

This is already done:

0$ bitcoin-cli sendrawtransaction ...
1error code: -25
2error message:
3bad-txns-inputs-missingorspent

The check is in BroadcastTransaction() (diff from this PR):

0-            if (max_tx_fee > 0) {
1+            if (max_tx_fee > 0 || broadcast_method == NO_MEMPOOL_PRIVATE_BROADCAST) {
2                 // First, call ATMP with test_accept and check the fee. If ATMP
3                 // fails here, return error immediately.
4                 const MempoolAcceptResult result = node.chainman->ProcessTransaction(tx, /*test_accept=*/ true);

The above patch which I asked for checks mempool acceptance one more time, before sending the transaction.

vasild commented at 4:50 pm on April 10, 2025:

@vasild what do you think of squashing the fixup commit?

Would you both prefer the INV way? Then maybe it is time for a squash…

andrewtoth commented at 5:05 pm on April 10, 2025:

Yes, it will always be possible to remove the INV/GETDATA later, but going the other way if we want to restrict unrequested txs in the future would be much more difficult.

vasild commented at 4:54 am on April 11, 2025:

Squashed the INV fixup commit: #29415 (comment) @andrewtoth, is it the case that you no longer favor the above patch to check one more time mempool acceptance because it would be better to just try to send 3 times, if possible?

andrewtoth commented at 1:10 pm on April 11, 2025:

@andrewtoth, is it the case that you no longer favor the above patch to check one more time mempool acceptance because it would be better to just try to send 3 times, if possible?

Yes, you can resolve this thread.

andrewtoth commented at 11:11 am on April 8, 2025: contributor

PR description is stale:

the node will send it to 5 (NUM_PRIVATE_BROADCAST_PER_TX)

Should be 3.

vasild force-pushed on Apr 8, 2025

vasild commented at 1:35 pm on April 8, 2025: contributor

cae4c1134d...14ebee8ea2: rebase and address suggestions

Should be 3.

Updated the OP.

Isn’t this a bit much? -proxyrandomize ensures that each connection is its own tor circuit so all you need to do is close the connection that was used to send a locally originating TX. minimal modification.

And also make sure that before sending the transaction we do not leak any node-identity-revealing information to the peer. And not put the transaction in the mempool. #27509 tried to put the tx in the mempool but that turned out to be not feasible. See also #32235 (comment)

in src/net.h:1191 in 14ebee8ea2 outdated

1187+        /**
1188+         * Check if private broadcast can be done to IPv4 or IPv6 peers and if so via which proxy.
1189+         * If private broadcast connections should not be opened to IPv4 or IPv6, then this will
1190+         * return an empty optional.
1191+         */
1192+        std::optional<Proxy> ProxyForIPv4or6() const;

andrewtoth commented at 3:38 pm on April 8, 2025:

This could be private.

vasild commented at 1:18 pm on April 9, 2025:

Right, done.

in src/net.cpp:3075 in 530c186eec outdated

3070+    if (g_reachable_nets.Contains(NET_ONION)) {
3071+        nets.push_back(NET_ONION);
3072+
3073+        clearnet_proxy = ProxyForIPv4or6();
3074+        if (clearnet_proxy.has_value()) {
3075+            nets.push_back(NET_IPV4);

mzumsande commented at 8:37 pm on April 8, 2025:

This should respect -onlynet settings and only attempt connections via proxy to IPv4 addresses if that network is in g_reachable_nets. Same for IPv6 a line below.

vasild commented at 1:18 pm on April 9, 2025:

Done.

in src/net_processing.cpp:1695 in e200bcbd4b outdated

1692+    if (node.IsPrivateBroadcastConn() &&
1693+        m_tx_for_private_broadcast.FinishBroadcast(nodeid, /*confirmed_by_node=*/false)) {
1694+
1695+        LogPrintLevel(BCLog::PRIVATE_BROADCAST,
1696+                      BCLog::Level::Info,
1697+                      "Never got a PONG (the transaction will probably not "

mzumsande commented at 9:49 pm on April 8, 2025:

This log could be a bit more generic, especially in combination with the last commit - no need to mention PONG: It happens pretty regularly that a node never answers our INV (because it is not the first one we connected to and they got it already from someone else first) we never sent a ping and the error message makes no sense.

vasild commented at 1:25 pm on April 9, 2025:

I agree. Further, this log is kind of redundant with the message that is logged earlier when PRIVATE_BROADCAST_MAX_CONNECTION_LIFETIME is exceeded:

Disconnecting: did not complete the transaction send within %d seconds, peer=%d%s

and later:

Never got a PONG (the transaction will probably not reach the network), disconnected, peer=%d%s

basically, the second message does not bring new information and both will be logged one after another. So I removed the second message. Then FinishBroadcast() does not need to return bool, so I changed it to void, minor simplification.

mzumsande commented at 10:07 pm on April 8, 2025: contributor

I like moving the connection-making logic into its own thread, ThreadOpenConnections() is already ~~confusing~~ complicated enough as is.

I tested this multiple time with the added guide (thanks!) on signet and it worked really well, got the tx back almost immediately. Might also test it on mainnet soon (fees are low…), I’d be interested to know if the time to receive a tx originating from Tor changes a lot between on i2p, clearnet, or tor peers.

FWIW I’m in favor of including the last commit, sending invs - even if this means more connections will timeout after 180s because there is a race between the second peer requesting the tx from you, or getting from someone else before.

w0xlt commented at 7:24 am on April 9, 2025: contributor

Would also broadcasting some random transactions through this same mechanism (also randomly) address the concern mentioned by @gmaxwell in #29415 (comment) ?

in src/CMakeLists.txt:245 in 14ebee8ea2 outdated

282@@ -283,6 +283,7 @@ add_library(bitcoin_node STATIC EXCLUDE_FROM_ALL
283   policy/rbf.cpp
284   policy/settings.cpp

vasild commented at 10:00 am on April 9, 2025:

Continuing discussion from PR main thread to a dedicated thread here. Main thread discussions get intermixed with other discussions and are hard to follow.

At #29415 (comment) @gmaxwell wrote:

Private broadcast can also reduce privacy. I think the weakness is a tossup vs the obvious alternative (run ordinary connections exclusively over Tor) so it’s not a reason to not implement the feature, but it’s worth discussing in order to understand the limits and see if mitigations are possible.

The issue on my mind is that Tor has little to no resistance to traffic analysis. The small amount of resistance it has is by quantizing messages into fixed size cells. Otherwise, it essentially doesn’t have much resistance because analysis resistance is incompatible with achieving low latency. Too bad for us because for txn broadcast latency is fairly irrelevant.

We assume the attacker is able to passively monitor the internet connection of our victim. Lets also assume their non-blocksonly Bitcoin P2P connection is encrypted as is increasingly so (and it’s a ~6 line change to add an option to make peer v2-only, which I assume someone will propose once they feel v2 listeners are widespread enough).

The attacker is attempting to confirm that the monitored peer is the originator of specific transactions on the network, or alternatively is looking at all the transactions and try to determine which are likely authored by the monitored peer.

Against this threat model, I think this PR creates a substantial weakness compared to not having it: any time the user transacts they will create a predictable amount of traffic to tor which is a somewhat a function of the size of the transaction. There may be enough noise that a single transaction isn’t enough alone, but someone who transacted a couple times a day would likely be identifiable.

Of course, this isn’t the threat model this PR really hopes to address. This PR is strong against a threat model where the attacker cannot traffic analyze anyone but instead runs many bitcoin “nodes” and then is able to correlate incoming (decrypted) traffic to originating IP address. Of the two threat models I think this latter one is a greater concern.

But, perhaps if there were padding traffic and a tiny amount of broadcast of third-party txn as if they were private broadcast then the weakness under the traffic analysis case would be improved to be no worse than you’d have from just running ordinary P2P across tor?

At #29415 (comment) @instagibbs wrote:

But, perhaps if there were padding traffic and a tiny amount of broadcast of third-party txn as if they were private broadcast then the weakness under the traffic analysis case would be improved to be no worse than you’d have from just running ordinary P2P across tor?

Assuming a switch to INV-based private relay, you might need to take some care to make sure the decoy tx gets requested at high rates, since the real private relay will tend to result in the getadata for the tx?

At #29415 (comment) @gmaxwell wrote:

It might be possible to conceal from a traffic analysis perspective what if anything was requested using padding.

At #29415 (comment) @w0xlt wrote:

Would also broadcasting some random transactions through this same mechanism (also randomly) address the concern mentioned by @gmaxwell in #29415 (comment) ?

vasild commented at 10:03 am on April 9, 2025:

@w0xlt, I do not think broadcasting existent transactions as decoy would bring us anything. A few considerations about the traffic analysis scenario:

The current “broadcast to everybody” is creating even more predictable traffic pattern.
There are at least a few new transactions per second on the network.
IMO padding does not belong to application level. Tor already has padding, search for “padding” in tor(1).
If we do INV and wait for GETDATA, then the decoy broadcasts will not work because the recipient will not ask for the transaction because they already have it. We can force this to send the recipient a bogus, new transaction id, which they do not know for sure, then they and will send us GETDATA. Then we can feed the recipient any bogus transaction that does not match the id and close the connection. That seems too much of an overkill to me, or even an abuse, for little to no gain.

andrewtoth commented at 11:38 am on April 9, 2025:

Is there a threat model where an attacker is sophisticated enough to passively analyze traffic but not sophisticated enough to monitor originating invs?

vasild commented at 1:39 pm on April 9, 2025:

Yes, I think there are two different aspects here and we could have one without the other:

Traffic monitoring, most easily done by the node’s ISP.
Near sybil, also through the Tor network, to monitor P2P traffic of the node.

andrewtoth commented at 1:46 pm on April 9, 2025:

In that case, not doing INV but pushing TX and sending recently received decoy txs like that once in a while as @w0xlt suggests defeats #1. This patch defeats #2.

In any case, adding something like that should be done in a follow-up IMO.

vasild commented at 8:58 am on April 10, 2025:

Added “Consider periodically sending transactions that did not originate from the node as decoy” to “Further extensions” in the PR description.

andrewtoth commented at 2:15 pm on April 10, 2025:

Another aspect of decoy txs is a network observer correlating txs into wallets that use private broadcast. An attacker running many nodes accepting private broadcast connections would have a high likelihood of being selected for a private broadcast and could correlate private broadcast users’ txs. If there is initially few users who use private broadcast, then these users could be grouped together. By periodically sending decoy txs, the effectiveness of this is reduced.

vasild force-pushed on Apr 9, 2025

vasild commented at 1:17 pm on April 9, 2025: contributor

14ebee8ea2...ddce2a585b: address suggestions

in src/net_processing.cpp:5754 in 33f2770bc8 outdated

5606@@ -5471,6 +5607,23 @@ bool PeerManagerImpl::SendMessages(CNode* pto)
5607 
5608     const auto current_time{GetTime<std::chrono::microseconds>()};
5609 
5610+    // The logic below does not apply to private broadcast peers, so skip it.
5611+    // Also in CConnman::PushMessage() we make sure that unwanted messages are
5612+    // not sent. This here is just an optimization.
5613+    if (pto->IsPrivateBroadcastConn()) {
5614+        if (pto->m_connected + PRIVATE_BROADCAST_MAX_CONNECTION_LIFETIME < current_time) {

mzumsande commented at 3:38 pm on April 9, 2025:

After thinking a bit more about the issue I mentioned before: I think we could also disconnect here if we have completed all outstanding broadcasts (we received any txn back from the network), no need to wait for the timeout then. This is especially relevant if we do INV/GETDATA: Because of the existing race between network propagation starting from the first peer / connection making to the second / third peer it occurs frequently that the later peers don’t answer our INV because they already know about the transaction - in that case, it is likely we also will have received it from our other peers, so there is no need to keep the connection open for 180s.

I guess it could also make sense in the case of ping timeouts without the last commit, although those are much less likely since they wouldn’t occur naturally.

Although on second thought I do wonder if that could be used for deanomyzation by a skilled attacker who knows when exactly each nodes receives each tx, so maybe it’s safer to just wait out the 180s?

mzumsande commented at 4:07 pm on April 9, 2025:

Hmm, if this is a problem, it is probably also an issue without the suggested change of disconnecting early:

We only send the inv out if we haven’t called Remove() : So the second peer we connect to (assuming it’s evil and has network-monitoring abilities) could delay the VERACK a little bit, and depending on the timing when we received the tx from other peers due to the first peer we either send out an inv to them or don’t. I’m not sure how viable this is in practice (you’d probably need a lot of transactions to gather statistics), but at least in theory it’s a possible de-anonymization attack.

andrewtoth commented at 4:23 pm on April 9, 2025:

we either send out an inv to them or don’t.

But if we don’t send out the inv, how will evil peer know it was because we received a specific tx vs any other?

vasild commented at 4:56 pm on April 9, 2025:

This code here in SendMessages() in the message handler thread only sets fDisconnect. So, after the transaction is received back from some peer we have to cycle through some other peers in the message handler thread to get to this one to set the fDisconnect flag. Then the socket handler thread has to cycle through some further peers to call DisconnectNodes() which will actually close the socket. That said, we wouldn’t disconnect immediately after receiving the transaction. I did not measure how much is the delay.

Such a deanon attack scenario looks far fetched to me because of the delay + the attacker must have network monitoring capabilities on the node, e.g. their ISP + near sybil the node, also via the Tor network, so that the node happens to select the attacker as a private broadcast recipient. We could skip a few loops here in SendMessages() or in DisconnectNodes() before closing the socket to magnify the existent delay. Looks like an overkill to me though.

mzumsande commented at 5:00 pm on April 9, 2025:

But if we don’t send out the inv, how will evil peer know it was because we received a specific tx vs any other?

Yes, it’s harder if we don’t send out the inv (they could guess among current new txns if there isn’t too much traffic?), but there is also some information if we do send it out: If they finish the handshake for a private tx just at the time where one half of the public network knows about a tx, and the other half doesn’t (and they know which nodes belong to which half), and then they receive an INV from us on the private conn, the attacker could conclude that our public identity is not in the first half. I’m just saying that this connects our normal node activity a little bit with the private transaction via timing, not that there is a feasible attack making use of that information.

andrewtoth commented at 5:59 pm on April 9, 2025:

In this scenario the evil peer would also have to be the first peer or somehow know that the tx was sent initially to the first peer via private broadcast. Otherwise they would need to be tracking the network propagation of all txs all the time. They would have to finish these private broadcast handshakes whenever they get them at the moment of a specific tx propagating to exactly half the network and hope that the inv they receive is of that specific tx.

Decoy txs being sent periodically would help here too.

vasild commented at 8:21 am on April 11, 2025:

@mzumsande, is this what you mean (first message in this thread):

 0     if (pto->IsPrivateBroadcastConn()) {
 1         if (pto->m_connected + PRIVATE_BROADCAST_MAX_CONNECTION_LIFETIME < current_time) {
 2             LogPrintLevel(
 3                 BCLog::PRIVATE_BROADCAST,
 4                 BCLog::Level::Info,
 5                 "Disconnecting: did not complete the transaction send within %d seconds, peer=%d%s",
 6                 std::chrono::duration_cast<std::chrono::seconds>(PRIVATE_BROADCAST_MAX_CONNECTION_LIFETIME).count(),
 7                 pto->GetId(),
 8                 pto->LogIP(fLogIPs));
 9             pto->fDisconnect = true;
10+        } else if (!m_tx_for_private_broadcast.GetTxForBroadcast()) {
11+            LogDebug(
12+                BCLog::PRIVATE_BROADCAST,
13+                "Disconnecting: no more transactions for private broadcast (connected in vain), peer=%d%s",
14+                pto->GetId(),
15+                pto->LogIP(fLogIPs));
16+            pto->fDisconnect = true;
17         }
18         return true;
19     }

?

mzumsande commented at 8:29 pm on April 11, 2025:

yes, that was my suggestion (I don’t insist on it or anything, I just observed during testing that 180s timeouts happened frequently).

vasild force-pushed on Apr 11, 2025

vasild commented at 4:51 am on April 11, 2025: contributor

ddce2a585b...17342ec4b5: squash the extra INV step into commit 33f2770bc8 net_processing: handle ConnectionType::PRIVATE_BROADCAST connections (which is now 7b1527a95a). Verdict: #29415 (review)

Just for the records, if we ever want to send TX directly, omit the INV/GETDATA step, this is the patch to reverse apply:

  0commit ddce2a585b8bb179cf2be8027ab6daf29cac7e21
  1Parent: 8db1ee3587794646a339dc003628964f3376718d
  2Author:     Vasil Dimov <vd@FreeBSD.org>
  3AuthorDate: Tue Aug 13 11:44:32 2024 +0200
  4Commit:     Vasil Dimov <vd@FreeBSD.org>
  5CommitDate: Wed Apr 9 15:11:49 2025 +0200
  6gpg: Signature made Wed Apr  9 15:11:51 2025 CEST
  7gpg:                using RSA key E64D8D45614DB07545D9CCC154DF06F64B55CBBF
  8gpg: Good signature from "Vasil Dimov <vd@myforest.net>" [ultimate]
  9gpg:                 aka "Vasil Dimov <vd@FreeBSD.org>" [ultimate]
 10gpg:                 aka "Vasil Dimov <vasild@gmail.com>" [ultimate]
 11
 12
 13    fixup! net_processing: handle ConnectionType::PRIVATE_BROADCAST connections
 14    
 15    This change adds INV+GETDATA to the transaction sending sequence.
 16
 17diff --git a/src/net.cpp b/src/net.cpp
 18index 66e463e8c7..d7378ae095 100644
 19--- a/src/net.cpp
 20+++ b/src/net.cpp
 21@@ -4065,12 +4065,13 @@ void CConnman::PushMessage(CNode* pnode, CSerializedNetMsg&& msg)
 22 {
 23     AssertLockNotHeld(m_total_bytes_sent_mutex);
 24 
 25     if (pnode->IsPrivateBroadcastConn() &&
 26         msg.m_type != NetMsgType::VERSION &&
 27         msg.m_type != NetMsgType::VERACK &&
 28+        msg.m_type != NetMsgType::INV &&
 29         msg.m_type != NetMsgType::TX &&
 30         msg.m_type != NetMsgType::PING) {
 31         // Ensure private broadcast connections only send the above message types.
 32         // Others are not needed and may degrade privacy.
 33         LogDebug(BCLog::PRIVATE_BROADCAST,
 34                  "Omitting send of message '%s', peer=%d%s",
 35diff --git a/src/net_processing.cpp b/src/net_processing.cpp
 36index c06cce1df7..776a9d6cdd 100644
 37--- a/src/net_processing.cpp
 38+++ b/src/net_processing.cpp
 39@@ -938,13 +938,13 @@ private:
 40 
 41     /** Process compact block txns  */
 42     void ProcessCompactBlockTxns(CNode& pfrom, Peer& peer, const BlockTransactions& block_transactions)
 43         EXCLUSIVE_LOCKS_REQUIRED(g_msgproc_mutex, !m_most_recent_block_mutex);
 44 
 45     /**
 46-     * Schedule a transaction be sent to the given peer (via `PushMessage()`), unsolicited.
 47+     * Schedule an INV for a transaction be sent to the given peer (via `PushMessage()`).
 48      * The transaction is picked from the list of transactions for private broadcast.
 49      * It is assumed that the connection to the peer is `ConnectionType::PRIVATE_BROADCAST`.
 50      * Calling this for other peers will degrade privacy. Don't do that.
 51      */
 52     void PushPrivateBroadcastTx(CNode& node) EXCLUSIVE_LOCKS_REQUIRED(g_msgproc_mutex, !m_most_recent_block_mutex);
 53 
 54@@ -3525,19 +3525,20 @@ void PeerManagerImpl::PushPrivateBroadcastTx(CNode& node)
 55         return;
 56     }
 57     const CTransactionRef& tx{*opt_tx};
 58 
 59     LogPrintLevel(BCLog::PRIVATE_BROADCAST,
 60                   BCLog::Level::Info,
 61-                  "P2P handshake completed, sending txid=%s%s, peer=%d%s",
 62+                  "P2P handshake completed, sending INV for txid=%s%s, peer=%d%s",
 63                   tx->GetHash().ToString(),
 64                   tx->HasWitness() ? strprintf(", wtxid=%s", tx->GetWitnessHash().ToString()) : "",
 65                   node.GetId(),
 66                   node.LogIP(fLogIPs));
 67 
 68-    MakeAndPushMessage(node, NetMsgType::TX, TX_WITH_WITNESS(*tx));
 69+    MakeAndPushMessage(node, NetMsgType::INV, std::vector<CInv>{{CInv{MSG_TX, tx->GetHash().ToUint256()}}});
 70+
 71     m_tx_for_private_broadcast.PushedToNode(node.GetId(), tx->GetHash());
 72 }
 73 
 74 void PeerManagerImpl::ProcessMessage(CNode& pfrom, const std::string& msg_type, DataStream& vRecv,
 75                                      const std::chrono::microseconds time_received,
 76                                      const std::atomic<bool>& interruptMsgProc)
 77@@ -3859,15 +3860,12 @@ void PeerManagerImpl::ProcessMessage(CNode& pfrom, const std::string& msg_type,
 78             // The peer may intend to later send us NetMsgType::FEEFILTER limiting
 79             // cheap transactions, but we don't wait for that and thus we may send
 80             // them a transaction below their threshold. This is ok because this
 81             // relay logic is designed to work even in cases when the peer drops
 82             // the transaction (due to it being too cheap, or for other reasons).
 83             PushPrivateBroadcastTx(pfrom);
 84-
 85-            peer->m_ping_queued = true; // Ensure a ping will be sent: mimick a request via RPC.
 86-            MaybeSendPing(pfrom, *peer, GetTime<std::chrono::microseconds>());
 87         }
 88 
 89         return;
 90     }
 91 
 92     if (msg_type == NetMsgType::SENDHEADERS) {
 93@@ -3987,13 +3985,13 @@ void PeerManagerImpl::ProcessMessage(CNode& pfrom, const std::string& msg_type,
 94     if (!pfrom.fSuccessfullyConnected) {
 95         LogDebug(BCLog::NET, "Unsupported message \"%s\" prior to verack from peer=%d\n", SanitizeString(msg_type), pfrom.GetId());
 96         return;
 97     }
 98 
 99     if (pfrom.IsPrivateBroadcastConn()) {
100-        if (msg_type != NetMsgType::PONG) {
101+        if (msg_type != NetMsgType::PONG && msg_type != NetMsgType::GETDATA) {
102             LogDebug(BCLog::PRIVATE_BROADCAST,
103                      "Ignoring incoming message '%s', peer=%d%s",
104                      msg_type,
105                      pfrom.GetId(),
106                      pfrom.LogIP(fLogIPs));
107             return;
108@@ -4200,12 +4198,47 @@ void PeerManagerImpl::ProcessMessage(CNode& pfrom, const std::string& msg_type,
109         LogDebug(BCLog::NET, "received getdata (%u invsz) peer=%d\n", vInv.size(), pfrom.GetId());
110 
111         if (vInv.size() > 0) {
112             LogDebug(BCLog::NET, "received getdata for: %s peer=%d\n", vInv[0].ToString(), pfrom.GetId());
113         }
114 
115+        if (pfrom.IsPrivateBroadcastConn()) {
116+            const auto pushed_tx_opt = m_tx_for_private_broadcast.GetTxPushedToNode(pfrom.GetId());
117+            if (!pushed_tx_opt) {
118+                LogPrintLevel(BCLog::PRIVATE_BROADCAST,
119+                              BCLog::Level::Info,
120+                              "Disconnecting: got GETDATA without sending an INV, peer=%d%s\n",
121+                              pfrom.GetId(),
122+                              fLogIPs ? strprintf(", peeraddr=%s", pfrom.addr.ToStringAddrPort()) : "");
123+                pfrom.fDisconnect = true;
124+                m_connman.m_private_broadcast.NumToOpenAdd(1);
125+                return;
126+            }
127+
128+            const CTransactionRef& pushed_tx{*pushed_tx_opt};
129+
130+            // The GETDATA request must contain exactly one inv and it must be for the transaction
131+            // that we INVed to the peer earlier.
132+            if (vInv.size() == 1 && vInv[0].IsMsgTx() && vInv[0].hash == pushed_tx->GetHash()) {
133+
134+                MakeAndPushMessage(pfrom, NetMsgType::TX, TX_WITH_WITNESS(*pushed_tx));
135+
136+                peer->m_ping_queued = true; // Ensure a ping will be sent: mimick a request via RPC.
137+                MaybeSendPing(pfrom, *peer, GetTime<std::chrono::microseconds>());
138+            } else {
139+                LogPrintLevel(BCLog::PRIVATE_BROADCAST,
140+                              BCLog::Level::Info,
141+                              "Disconnecting: got an unexpected GETDATA message, peer=%d%s\n",
142+                              pfrom.GetId(),
143+                              fLogIPs ? strprintf(", peeraddr=%s", pfrom.addr.ToStringAddrPort()) : "");
144+                pfrom.fDisconnect = true;
145+                m_connman.m_private_broadcast.NumToOpenAdd(1);
146+            }
147+            return;
148+        }
149+
150         {
151             LOCK(peer->m_getdata_requests_mutex);
152             peer->m_getdata_requests.insert(peer->m_getdata_requests.end(), vInv.begin(), vInv.end());
153             ProcessGetData(pfrom, *peer, interruptMsgProc);
154         }
155 
156diff --git a/src/private_broadcast.cpp b/src/private_broadcast.cpp
157index a96dbe0856..8483c61829 100644
158--- a/src/private_broadcast.cpp
159+++ b/src/private_broadcast.cpp
160@@ -51,12 +51,30 @@ std::optional<CTransactionRef> PrivateBroadcast::GetTxForBroadcast() EXCLUSIVE_L
161 void PrivateBroadcast::PushedToNode(const NodeId& nodeid, const Txid& txid) EXCLUSIVE_LOCKS_REQUIRED(!m_mutex)
162 {
163     LOCK(m_mutex);
164     m_by_nodeid.emplace(nodeid, txid);
165 }
166 
167+std::optional<CTransactionRef> PrivateBroadcast::GetTxPushedToNode(const NodeId& nodeid)
168+    EXCLUSIVE_LOCKS_REQUIRED(!m_mutex)
169+{
170+    LOCK(m_mutex);
171+
172+    auto it_by_node = m_by_nodeid.find(nodeid);
173+    if (it_by_node == m_by_nodeid.end()) {
174+        return std::nullopt;
175+    }
176+    const Txid txid{it_by_node->second};
177+
178+    auto it_by_txid = m_by_txid.find(txid);
179+    if (it_by_txid == m_by_txid.end()) {
180+        return std::nullopt;
181+    }
182+    return it_by_txid->second.tx;
183+}
184+
185 void PrivateBroadcast::FinishBroadcast(const NodeId& nodeid, bool confirmed_by_node) EXCLUSIVE_LOCKS_REQUIRED(!m_mutex)
186 {
187     LOCK(m_mutex);
188     auto it = m_by_nodeid.find(nodeid);
189     if (it == m_by_nodeid.end()) {
190         return;
191diff --git a/src/private_broadcast.h b/src/private_broadcast.h
192index bc8735cdfc..72183be7b2 100644
193--- a/src/private_broadcast.h
194+++ b/src/private_broadcast.h
195@@ -53,12 +53,17 @@ public:
196      * we get a PONG from the node which would confirm that the transaction has been received.
197      * At the time we get the PONG we need to know which transaction we sent to that node,
198      * so that we can account how many times we broadcast each transaction.
199      */
200     void PushedToNode(const NodeId& nodeid, const Txid& txid) EXCLUSIVE_LOCKS_REQUIRED(!m_mutex);
201 
202+    /**
203+     * Get the transaction that was pushed to a given node by PushedToNode().
204+     */
205+    std::optional<CTransactionRef> GetTxPushedToNode(const NodeId& nodeid) EXCLUSIVE_LOCKS_REQUIRED(!m_mutex);
206+
207     /**
208      * Mark the end of a broadcast of a transaction. Either successful by receiving a PONG,
209      * or unsuccessful by closing the connection to the node without getting PONG.
210      */
211     void FinishBroadcast(const NodeId& nodeid, bool confirmed_by_node) EXCLUSIVE_LOCKS_REQUIRED(!m_mutex);
212 
213diff --git a/test/functional/p2p_private_broadcast.py b/test/functional/p2p_private_broadcast.py
214index 4bdd7e2e87..25d297ff7b 100755
215--- a/test/functional/p2p_private_broadcast.py
216+++ b/test/functional/p2p_private_broadcast.py
217@@ -252,12 +252,13 @@ class P2PPrivateBroadcast(BitcoinTestFramework):
218             self.log.debug(f"{label}: outbound connection i={i} to {dest['requested_to']} must be a private broadcast, checking it")
219             peer.wait_for_disconnect()
220             # Now it is (C).
221             assert_equal(peer.message_count, {
222                 "version": 1,
223                 "verack": 1,
224+                "inv": 1,
225                 "tx": 1,
226                 "ping": 1
227             })
228             dummy_address = CAddress()
229             dummy_address.nServices = 0
230             assert_equal(peer.last_message["version"].nVersion, P2P_VERSION)

vasild force-pushed on Apr 13, 2025

vasild commented at 5:08 am on April 13, 2025: contributor

17342ec4b5...b8c8ff8968: address #29415 (review)

in src/net_processing.cpp:1748 in b8c8ff8968 outdated

1745     }
1746+    if (node.IsPrivateBroadcastConn()) {
1747+        // FinishBroadcast() is called when we get a PONG from the peer which means that the send
1748+        // has concluded successfully. Call FinishBroadcast() here as well in case we did not call
1749+        // it before (unsuccessful, never concluded with the reception of a PONG).
1750+        m_tx_for_private_broadcast.FinishBroadcast(nodeid, /*confirmed_by_node=*/false);

andrewtoth commented at 4:29 pm on April 13, 2025:

There are many reasons why a private broadcast connection would be disconnected. Many are outside of the checks added in this patch where we do NumToOpenAdd(1) before disconnecting (just skim ProcessMessage). In these cases, the peer will disconnect silently and we won’t open a new one. We should instead track if we actually finish the connection (or time out after sending the INV) and then call NumToOpenAdd(1) here if we didn’t. This was happening frequently in my testing where peers would disconnect before handshake completion and no new connections were initiated.

vasild commented at 7:29 am on April 14, 2025:

I see. Would this resolve it:

 0diff --git i/src/net_processing.cpp w/src/net_processing.cpp
 1index 6753a7dea0..2129c7d90c 100644
 2--- i/src/net_processing.cpp
 3+++ w/src/net_processing.cpp
 4@@ -1742,13 +1742,15 @@ void PeerManagerImpl::FinalizeNode(const CNode& node)
 5         m_headers_presync_stats.erase(nodeid);
 6     }
 7     if (node.IsPrivateBroadcastConn()) {
 8         // FinishBroadcast() is called when we get a PONG from the peer which means that the send
 9         // has concluded successfully. Call FinishBroadcast() here as well in case we did not call
10         // it before (unsuccessful, never concluded with the reception of a PONG).
11-        m_tx_for_private_broadcast.FinishBroadcast(nodeid, /*confirmed_by_node=*/false);
12+        if (m_tx_for_private_broadcast.FinishBroadcast(nodeid, /*confirmed_by_node=*/false)) {
13+            m_connman.m_private_broadcast.NumToOpenAdd(1);
14+        }
15     }
16     LogDebug(BCLog::NET, "Cleared nodestate for peer=%d\n", nodeid);
17     if (node.IsPrivateBroadcastConn()) {
18         LogPrintLevel(BCLog::PRIVATE_BROADCAST, BCLog::Level::Debug, "Cleared nodestate for peer=%d\n", nodeid);
19     }
20 }
21diff --git i/src/private_broadcast.cpp w/src/private_broadcast.cpp
22index 8483c61829..25cc69f6a7 100644
23--- i/src/private_broadcast.cpp
24+++ w/src/private_broadcast.cpp
25@@ -69,40 +69,42 @@ std::optional<CTransactionRef> PrivateBroadcast::GetTxPushedToNode(const NodeId&
26     if (it_by_txid == m_by_txid.end()) {
27         return std::nullopt;
28     }
29     return it_by_txid->second.tx;
30 }
31 
32-void PrivateBroadcast::FinishBroadcast(const NodeId& nodeid, bool confirmed_by_node) EXCLUSIVE_LOCKS_REQUIRED(!m_mutex)
33+bool PrivateBroadcast::FinishBroadcast(const NodeId& nodeid, bool confirmed_by_node) EXCLUSIVE_LOCKS_REQUIRED(!m_mutex)
34 {
35     LOCK(m_mutex);
36     auto it = m_by_nodeid.find(nodeid);
37     if (it == m_by_nodeid.end()) {
38-        return;
39+        return false;
40     }
41     const Txid txid{it->second};
42     m_by_nodeid.erase(it);
43 
44     if (!confirmed_by_node) {
45-        return;
46+        return true;
47     }
48 
49     // Update broadcast stats.
50 
51     auto iters = Find(txid);
52     if (!iters) {
53-        return;
54+        return true;
55     }
56     Priority& priority = iters->by_txid->second.priority;
57 
58     ++priority.num_broadcasted;
59     priority.last_broadcasted = NodeClock::now();
60 
61     // Remove and re-add the entry in the m_by_priority map because we have changed the key.
62     m_by_priority.erase(iters->by_priority);
63     m_by_priority.emplace(priority, txid);
64+
65+    return true;
66 }
67 
68 std::vector<CTransactionRef> PrivateBroadcast::GetStale() const EXCLUSIVE_LOCKS_REQUIRED(!m_mutex)
69 {
70     LOCK(m_mutex);
71     const auto stale_time = NodeClock::now() - STALE_DURATION;
72diff --git i/src/private_broadcast.h w/src/private_broadcast.h
73index 72183be7b2..239f3a7c99 100644
74--- i/src/private_broadcast.h
75+++ w/src/private_broadcast.h
76@@ -61,14 +61,15 @@ public:
77      */
78     std::optional<CTransactionRef> GetTxPushedToNode(const NodeId& nodeid) EXCLUSIVE_LOCKS_REQUIRED(!m_mutex);
79 
80     /**
81      * Mark the end of a broadcast of a transaction. Either successful by receiving a PONG,
82      * or unsuccessful by closing the connection to the node without getting PONG.
83+     * [@return](/bitcoin-bitcoin/contributor/return/) true if the reference by the given node id was removed
84      */
85-    void FinishBroadcast(const NodeId& nodeid, bool confirmed_by_node) EXCLUSIVE_LOCKS_REQUIRED(!m_mutex);
86+    bool FinishBroadcast(const NodeId& nodeid, bool confirmed_by_node) EXCLUSIVE_LOCKS_REQUIRED(!m_mutex);
87 
88     /**
89      * Get the transactions that have not been broadcast recently.
90      */
91     std::vector<CTransactionRef> GetStale() const EXCLUSIVE_LOCKS_REQUIRED(!m_mutex);

andrewtoth commented at 1:34 pm on April 14, 2025:

This patch will always return true because confirmed_by_node is statically false, so it will be an endless loop of new connections.

0     if (!confirmed_by_node) {
1-        return;
2+        return true;
3     }

What I suggest is tracking confirmed by node id, and set it to true if we receive the PONG or if we timeout after we already sent an INV. Then here check if the confirmed by node id is false, and if so call NumToOpenAdd(1). Remove all other NumToOpenAdd(1) calls.

Right now we pass confirmed by node id statically as true only when we receive a PONG, and false always when we finalize the node. Instead, track the confirmed by node status and use it in FinishBroadcast only here at FinalizeNode.

andrewtoth commented at 1:50 pm on April 14, 2025:

Oh I see actually this works, because the first return will be false if we already called FinishBroadcast after we got the PONG. So yes, this will work. We still need to remove all other NumToOpenAdd calls, and also call FinishBroadcast with true if we timeout after sending the INV.

vasild commented at 2:35 pm on April 14, 2025:

We still need to remove all other NumToOpenAdd calls

Right! Here is an updated patch:

  0diff --git i/src/net_processing.cpp w/src/net_processing.cpp
  1index 6753a7dea0..d35601c7ce 100644
  2--- i/src/net_processing.cpp
  3+++ w/src/net_processing.cpp
  4@@ -1742,13 +1742,15 @@ void PeerManagerImpl::FinalizeNode(const CNode& node)
  5         m_headers_presync_stats.erase(nodeid);
  6     }
  7     if (node.IsPrivateBroadcastConn()) {
  8         // FinishBroadcast() is called when we get a PONG from the peer which means that the send
  9         // has concluded successfully. Call FinishBroadcast() here as well in case we did not call
 10         // it before (unsuccessful, never concluded with the reception of a PONG).
 11-        m_tx_for_private_broadcast.FinishBroadcast(nodeid, /*confirmed_by_node=*/false);
 12+        if (m_tx_for_private_broadcast.FinishBroadcast(nodeid, /*confirmed_by_node=*/false)) {
 13+            m_connman.m_private_broadcast.NumToOpenAdd(1);
 14+        }
 15     }
 16     LogDebug(BCLog::NET, "Cleared nodestate for peer=%d\n", nodeid);
 17     if (node.IsPrivateBroadcastConn()) {
 18         LogPrintLevel(BCLog::PRIVATE_BROADCAST, BCLog::Level::Debug, "Cleared nodestate for peer=%d\n", nodeid);
 19     }
 20 }
 21@@ -3704,13 +3706,12 @@ void PeerManagerImpl::ProcessMessage(CNode& pfrom, const std::string& msg_type,
 22                 LogPrintLevel(BCLog::PRIVATE_BROADCAST,
 23                               BCLog::Level::Info,
 24                               "Disconnecting: does not support transactions relay (connected in vain), peer=%d%s",
 25                               pfrom.GetId(),
 26                               pfrom.LogIP(fLogIPs));
 27                 pfrom.fDisconnect = true;
 28-                m_connman.m_private_broadcast.NumToOpenAdd(1);
 29             }
 30             return;
 31         }
 32 
 33         if (greatest_common_version >= WTXID_RELAY_VERSION) {
 34             MakeAndPushMessage(pfrom, NetMsgType::WTXIDRELAY);
 35@@ -4213,13 +4214,12 @@ void PeerManagerImpl::ProcessMessage(CNode& pfrom, const std::string& msg_type,
 36                 LogPrintLevel(BCLog::PRIVATE_BROADCAST,
 37                               BCLog::Level::Info,
 38                               "Disconnecting: got GETDATA without sending an INV, peer=%d%s\n",
 39                               pfrom.GetId(),
 40                               fLogIPs ? strprintf(", peeraddr=%s", pfrom.addr.ToStringAddrPort()) : "");
 41                 pfrom.fDisconnect = true;
 42-                m_connman.m_private_broadcast.NumToOpenAdd(1);
 43                 return;
 44             }
 45 
 46             const CTransactionRef& pushed_tx{*pushed_tx_opt};
 47 
 48             // The GETDATA request must contain exactly one inv and it must be for the transaction
 49@@ -4234,13 +4234,12 @@ void PeerManagerImpl::ProcessMessage(CNode& pfrom, const std::string& msg_type,
 50                 LogPrintLevel(BCLog::PRIVATE_BROADCAST,
 51                               BCLog::Level::Info,
 52                               "Disconnecting: got an unexpected GETDATA message, peer=%d%s\n",
 53                               pfrom.GetId(),
 54                               fLogIPs ? strprintf(", peeraddr=%s", pfrom.addr.ToStringAddrPort()) : "");
 55                 pfrom.fDisconnect = true;
 56-                m_connman.m_private_broadcast.NumToOpenAdd(1);
 57             }
 58             return;
 59         }
 60 
 61         {
 62             LOCK(peer->m_getdata_requests_mutex);
 63diff --git i/src/private_broadcast.cpp w/src/private_broadcast.cpp
 64index 8483c61829..25cc69f6a7 100644
 65--- i/src/private_broadcast.cpp
 66+++ w/src/private_broadcast.cpp
 67@@ -69,40 +69,42 @@ std::optional<CTransactionRef> PrivateBroadcast::GetTxPushedToNode(const NodeId&
 68     if (it_by_txid == m_by_txid.end()) {
 69         return std::nullopt;
 70     }
 71     return it_by_txid->second.tx;
 72 }
 73 
 74-void PrivateBroadcast::FinishBroadcast(const NodeId& nodeid, bool confirmed_by_node) EXCLUSIVE_LOCKS_REQUIRED(!m_mutex)
 75+bool PrivateBroadcast::FinishBroadcast(const NodeId& nodeid, bool confirmed_by_node) EXCLUSIVE_LOCKS_REQUIRED(!m_mutex)
 76 {
 77     LOCK(m_mutex);
 78     auto it = m_by_nodeid.find(nodeid);
 79     if (it == m_by_nodeid.end()) {
 80-        return;
 81+        return false;
 82     }
 83     const Txid txid{it->second};
 84     m_by_nodeid.erase(it);
 85 
 86     if (!confirmed_by_node) {
 87-        return;
 88+        return true;
 89     }
 90 
 91     // Update broadcast stats.
 92 
 93     auto iters = Find(txid);
 94     if (!iters) {
 95-        return;
 96+        return true;
 97     }
 98     Priority& priority = iters->by_txid->second.priority;
 99 
100     ++priority.num_broadcasted;
101     priority.last_broadcasted = NodeClock::now();
102 
103     // Remove and re-add the entry in the m_by_priority map because we have changed the key.
104     m_by_priority.erase(iters->by_priority);
105     m_by_priority.emplace(priority, txid);
106+
107+    return true;
108 }
109 
110 std::vector<CTransactionRef> PrivateBroadcast::GetStale() const EXCLUSIVE_LOCKS_REQUIRED(!m_mutex)
111 {
112     LOCK(m_mutex);
113     const auto stale_time = NodeClock::now() - STALE_DURATION;
114diff --git i/src/private_broadcast.h w/src/private_broadcast.h
115index 72183be7b2..239f3a7c99 100644
116--- i/src/private_broadcast.h
117+++ w/src/private_broadcast.h
118@@ -61,14 +61,15 @@ public:
119      */
120     std::optional<CTransactionRef> GetTxPushedToNode(const NodeId& nodeid) EXCLUSIVE_LOCKS_REQUIRED(!m_mutex);
121 
122     /**
123      * Mark the end of a broadcast of a transaction. Either successful by receiving a PONG,
124      * or unsuccessful by closing the connection to the node without getting PONG.
125+     * [@return](/bitcoin-bitcoin/contributor/return/) true if the reference by the given node id was removed
126      */
127-    void FinishBroadcast(const NodeId& nodeid, bool confirmed_by_node) EXCLUSIVE_LOCKS_REQUIRED(!m_mutex);
128+    bool FinishBroadcast(const NodeId& nodeid, bool confirmed_by_node) EXCLUSIVE_LOCKS_REQUIRED(!m_mutex);
129 
130     /**
131      * Get the transactions that have not been broadcast recently.
132      */
133     std::vector<CTransactionRef> GetStale() const EXCLUSIVE_LOCKS_REQUIRED(!m_mutex);
134

and also call FinishBroadcast with true if we timeout after sending the INV.

I think not, because getting silence after sending INV does not equate to “we sent the tx to the peer”. It could be that they have it already or it could be that they are just broken and misbehaving or the network connection is down or slow or whatever.

What I suggest is tracking confirmed by node id

I like keeping track of more things especially wrt a future addition to expose the status via RPC. For example - I think it would be nice to keep status per peer, something like:

transaction	to	status	status timestamp
tx1	2ai…a.onion:8333	sent INV	16:29:31
tx1	do6…a.b32.i2p:0	sending complete	16:29:40
tx1	87.211.224.212:8333	connected	16:30:01

andrewtoth commented at 3:16 pm on April 14, 2025:

Here is an updated patch

Looks good! Just one thing - if we receive the tx in our mempool before the node is finalized and disconnect before receiving a PONG, we will still increment the connection count. Then we would wastefully connect to another peer and disconnect in PushPrivateBroadcastTx. I think this can be fixed if we change the following:

0     if (!confirmed_by_node) {
1-        return;
2+        return Find(txid).has_value();
3     }

The comment about the return value would also have to be updated.

getting silence after sending INV does not equate to “we sent the tx to the peer”.

Here are some arguments for assuming silence after INV means a successful private broadcast connection:

Not receiving a GETDATA for 3 minutes and retaining the connection would mean it is highly likely the node already has seen the tx. Yes, there could be other issues with the node, but it is about probabilities. Receiving a PONG after we push the TX also does not guarantee the node will broadcast our tx. The node could die before it broadcasts our tx, or it is malicious and blackholes it. The same with silence after an INV.
If our node is not well connected, e.g. maxconnections=0, and we still want to use it to private broadcast txs, it will forever keep opening private broadcast connections that timeout since it would not receive our tx back.
This would make it very difficult to support decoy txs. If we schedule a tx that is already received to be a decoy to send to 3 peers, it will forever keep opening connections.

vasild commented at 5:12 am on April 15, 2025:

0-        return;
1+        return Find(txid).has_value();

Done.

Good arguments about the “what to do with silence after INV”. I will consider this. One more possibility - the peer may not be interested in transactions relay and thus not be interested in INV (and mistakenly did not indicate that during the handshake).

vasild commented at 12:31 pm on April 16, 2025:

@mzumsande, any thoughts on how to treat a timeout after we sent INV (no GETDATA request)? Treat as send failure and schedule a new connection or treat as successful send and do not schedule a new connection?

mzumsande commented at 6:51 pm on April 22, 2025:

@mzumsande, any thoughts on how to treat a timeout after we sent INV (no GETDATA request)? Treat as send failure and schedule a new connection or treat as successful send and do not schedule a new connection?

The arguments from @andrewtoth make sense to me. I think all situations where we’d like to treat it as a send failure/schedule another connection involve a peer that is either broken in an unusual way or malicious. Malicious peers can act as a black hole, so they can be ignored here, while broken peers seem unlikely, when there is a natural cause that is much more likely.

in src/init.cpp:2089 in 9c4aad2a01 outdated

2081+                               "private broadcast needs to open new connections to randomly "
2082+                               "chosen Tor or I2P peers. Consider using -maxconnections=0 -addnode=... "
2083+                               "instead"));
2084+        }
2085+        if (!proxyRandomize && (g_reachable_nets.Contains(NET_ONION) || onion_may_become_reachable)) {
2086+            InitWarning(strprintf(

stratospher commented at 8:17 am on April 14, 2025:

9c4aad2a: could remove strprintf

vasild commented at 12:53 pm on April 23, 2025:

Done

in src/qt/rpcconsole.cpp:523 in 030204c5bd outdated

516@@ -517,7 +517,10 @@ RPCConsole::RPCConsole(interfaces::Node& node, const PlatformStyle *_platformSty
517         tr("Outbound Feeler: short-lived, for testing addresses"),
518         /*: Explanatory text for a short-lived outbound peer connection that is used
519             to request addresses from a peer. */
520-        tr("Outbound Address Fetch: short-lived, for soliciting addresses")};
521+        tr("Outbound Address Fetch: short-lived, for soliciting addresses"),
522+        /*: Explanatory text for a short-lived outbound peer connection that is used
523+            to broadcast privacy-sensitive data (like our transactions). */
524+        tr("Private broadcast: short-lived, for broadcasting privacy-sensitive data")};

stratospher commented at 8:47 am on April 14, 2025:

4e45e9c: micro nit: could we also mention “transaction” here and in src/rpc/net.cpp? people looking at help might be confused about what privacy-sensitive data is meant here.

vasild commented at 12:53 pm on April 23, 2025:

Done

in src/net.h:1182 in 3c1bb45fe7 outdated

1177+         * Remember if we ever established at least one outbound connection to a
1178+         * Tor peer, including sending and receiving P2P messages. If this is
1179+         * true then the Tor proxy indeed works and is a proxy to the Tor network,
1180+         * not a misconfigured ordinary SOCKS5 proxy as -proxy or -onion. If that
1181+         * is the case, then we assume that connecting to an IPv4 or IPv6 address
1182+         * via that proxy will be done trough the Tor network and a Tor exit node.

stratospher commented at 10:54 am on April 14, 2025:

2acd12c: micro nit: s/trough/through.

vasild commented at 12:53 pm on April 23, 2025:

Done

DrahtBot added the label Needs rebase on Apr 14, 2025

vasild force-pushed on Apr 15, 2025

vasild commented at 5:10 am on April 15, 2025: contributor

b8c8ff8968...400e9b1764: rebase due to conflicts and #29415 (review)

DrahtBot removed the label Needs rebase on Apr 15, 2025

in src/private_broadcast.cpp:87 in 400e9b1764 outdated

82+    const Txid txid{it->second};
83+    m_by_nodeid.erase(it);
84+
85+    auto iters = Find(txid);
86+
87+    if (!confirmed_by_node) {

andrewtoth commented at 4:30 pm on April 15, 2025:

nit: we can remove the second if block below

0    if (!confirmed_by_node || !iters.has_value()) {

vasild commented at 12:26 pm on April 16, 2025:

Right, done.

vasild force-pushed on Apr 16, 2025

vasild commented at 12:26 pm on April 16, 2025: contributor

400e9b1764...2b34857ad5: address #29415 (review)

in src/net_processing.cpp:1692 in 655af59765 outdated

1693+                              BCLog::Level::Info,
1694+                              "Giving up broadcast attempts for txid=%s wtxid=%s: %s",
1695+                              stale_tx->GetHash().ToString(),
1696+                              stale_tx->GetWitnessHash().ToString(),
1697+                              mempool_acceptable.m_state.ToString());
1698+                m_tx_for_private_broadcast.Remove(stale_tx);

stratospher commented at 2:25 pm on April 16, 2025:

655af59:

If the malleated transaction wins then we will eventually stop broadcasting the original when it gets stale and gets removed from the “to broadcast” storage cause it is not acceptable in our mempool." doesn’t happen.

looks like Remove(stale_tx) doesn’t happen here (returns nullopt without removing the transaction from m_by_txid) and we keep re-attempting private broadcast of this malleated transaction scenario every 10-15 mins.

constructing a malleated transaction wasn’t as straightforward as I thought so I tested the code path in a hacky way - but I think this is what might happen if a malleated transaction was used:

when we receive the malleated transaction in net_processing, we call Remove() which returns nullopt since there is a wtxid mismatch. and we don’t reach the code line where the transaction is removed from m_by_txid.
eventually transaction gets stale and it gets picked up in ReattemptPrivateBroadcast() attempts
but there since it’s not acceptable to our mempool (MempoolAcceptResult::ResultType::DIFFERENT_WITNESS), it calls Remove() which again returns nullopt without removing the transaction from m_by_txid.

vasild commented at 10:29 am on April 23, 2025:

I think 1. and 2. are correct, but in 3. it would happen differently - it would remove the transaction because both txid and wtxid match. stale_tx came from the private broadcast storage, is the original transaction, not the malleated one.

vasild commented at 12:13 pm on April 23, 2025:

constructing a malleated transaction wasn’t as straightforward as I thought

There is malleate_tx() Python function in the tests. It is used by the newly added p2p_private_broadcast.py. It creates an invalid witness. Did you create a valid one? If yes, then maybe you want to contribute to that function, to make it possible to create valid or invalid.

stratospher commented at 8:15 am on April 30, 2025:

Here’s something we can play with in this PR - https://github.com/stratospher/bitcoin/commit/dace16b34f31f6ad97ab21c66f3e65274cdace8c

It’s not a pretty and compact method of generating like malleate_tx() but it works. I’ve also opened #32385 to discuss how this could be done better!

stratospher commented at 8:21 am on April 30, 2025:

stale_tx came from the private broadcast storage, is the original transaction, not the malleated one.

ohh missed that, will check it again.

EDIT: ok got it now. 1st Remove() is called with the malleated tx and that doesn’t remove it from m_by_txid but the 2nd Remove() is called with our original tx and that does remove it from m_by_txid. Feel free to mark this as resolved!

in src/net_processing.cpp:4513 in 2b34857ad5 outdated

4497@@ -4260,6 +4498,21 @@ void PeerManagerImpl::ProcessMessage(CNode& pfrom, const std::string& msg_type,
4498         const uint256& hash = peer->m_wtxid_relay ? wtxid : txid;
4499         AddKnownTx(*peer, hash);
4500 
4501+        if (auto num_broadcasted = m_tx_for_private_broadcast.Remove(ptx)) {

andrewtoth commented at 2:51 pm on April 17, 2025:

Just noting here that this is also racy (like reattempt). If we have more than 1 connection open and more than 1 succeeds, it will decrement the extra successful connections count. But, if there are any stale txs caused by this they will be picked up in reattempt.

vasild commented at 1:10 pm on April 23, 2025:

Yes, this loose handling makes it possible to do the job with less code. My reasoning is that the worst outcome from the race is acceptable.

I am looking into keeping track of more stuff with respect to the future RPC stats (see at the bottom of #29415 (review)) which would also give us more fine grained control here. If it looks reasonable and is not too much code, I will propose the change in #29415 (review).

in test/functional/p2p_private_broadcast.py:317 in 2b34857ad5 outdated

312+        with tx_originator.busy_wait_for_debug_log(expected_msgs=[ignoring_msg.encode()]):
313+            tx_originator.sendrawtransaction(hexstring=txs[0]["hex"], maxfeerate=0.1)
314+
315+        # How to create a malleated valid witness?
316+        #self.log.info("Sending a malleated transaction with a valid witness via RPC")
317+        #malleated_valid = malleate_tx(txs[0])

andrewtoth commented at 3:25 pm on April 19, 2025:

I don’t understand why these lines are commented out. They seem incorrect, since malleated_valid is created the exact same way as malleated_invalid below. Uncommenting this results in the test failing because sendrawtransaction fails with mandartory-script-verify-flag-failed but is not caught.

andrewtoth commented at 4:05 pm on April 19, 2025:

I think I understand, the line How to create a malleated valid witness? is wondering if there is a way. Then instead of malleate_tx we can do the valid way instead. Maybe that can be made more clear with a comment like: “TODO: Create a malleated valid witness (how?) and substitute malleate_tx below.”.

vasild commented at 12:54 pm on April 23, 2025:

Done, reworded the comment.

andrewtoth commented at 4:10 pm on April 19, 2025: contributor

ACK 2b34857ad54aebbf0a9271e742c2caee85577bc8 - modulo the functional test malleated valid witness comment

Made many successful private broadcast connections with all 4 network types. Successfully had connections timeout after sending the INV. Tested resending the same raw tx multiple times. Tested sending many double spends of the same tx at the same time. Successfully had stale txs reattempted. Tested with both -maxconnections=0 and many inbound and outbound connections.

DrahtBot requested review from pinheadmz on Apr 19, 2025

andrewtoth approved

in src/private_broadcast.h:62 in 2b34857ad5 outdated

57+    void PushedToNode(const NodeId& nodeid, const Txid& txid) EXCLUSIVE_LOCKS_REQUIRED(!m_mutex);
58+
59+    /**
60+     * Get the transaction that was pushed to a given node by PushedToNode().
61+     */
62+    std::optional<CTransactionRef> GetTxPushedToNode(const NodeId& nodeid) EXCLUSIVE_LOCKS_REQUIRED(!m_mutex);

andrewtoth commented at 1:39 pm on April 21, 2025:

nit: could be const method.

vasild commented at 12:53 pm on April 23, 2025:

Done

Asad1445 commented at 2:02 am on April 23, 2025: none

1FiHzRUVuA9rx3QJiCbnmoqtu7KouUoMPq

vasild force-pushed on Apr 23, 2025

vasild commented at 12:53 pm on April 23, 2025: contributor

2b34857ad5...1c16944a4a: address suggestions

andrewtoth commented at 5:17 pm on April 23, 2025: contributor

re-ACK 1c16944a4aff71e6560703916b11b2a544ea71ca

Diff from 2b34857ad54aebbf0a9271e742c2caee85577bc8 is trivial.

DrahtBot added the label Needs rebase on Apr 29, 2025

vasild force-pushed on May 8, 2025

vasild commented at 1:17 pm on May 8, 2025: contributor

1c16944a4a...32488cfd6c: rebase due to conflicts

DrahtBot removed the label Needs rebase on May 8, 2025

DrahtBot added the label Needs rebase on May 17, 2025

vasild force-pushed on May 20, 2025

vasild commented at 10:05 am on May 20, 2025: contributor

32488cfd6c...fb12a062b8: rebase due to conflicts

DrahtBot removed the label Needs rebase on May 20, 2025

DrahtBot added the label Needs rebase on May 20, 2025

vasild force-pushed on May 21, 2025

vasild commented at 12:48 pm on May 21, 2025: contributor

fb12a062b8...cedbc2cd99: rebase due to conflicts

DrahtBot removed the label Needs rebase on May 21, 2025

DrahtBot added the label CI failed on May 21, 2025

DrahtBot removed the label CI failed on May 22, 2025

jonatack commented at 5:22 pm on May 23, 2025: member

Concept ACK, need to review this

andrewtoth commented at 5:35 pm on May 25, 2025: contributor

re-ACK cedbc2cd99754c099e92f074e1d5566da265bf26

Changes from previously ACK’d 1c16944a4aff71e6560703916b11b2a544ea71ca - git range-diff 99a4ddf5ab...1c16944a4a 7763e86afa...cedbc2cd99

CSempahoreGrant -> CountingSemaphoreGrant in c3ff0b2e46be289f7c8e4aa2ea72b18f853dc100
CSemaphoreGrant::post -> CountingSempahoreGrant::release in c3ff0b2e46be289f7c8e4aa2ea72b18f853dc100
CSempahore -> std::counting_sempahore in c3ff0b2e46be289f7c8e4aa2ea72b18f853dc100
Removed some changes to CWallet::ResubmitWalletTransactions callsites used for legacy wallet in 0c1b3988a3af703302d01d586ca9aaf75f0144b0.
Removed a leading \n character in aeddefa4b6144b3ddc401a2f03052a83d3361a60.

DrahtBot requested review from jonatack on May 25, 2025

pinheadmz commented at 7:30 pm on May 29, 2025: member

Tested this again with Warnet branch https://github.com/bitcoin-dev-project/warnet/pull/720, a feature that actually deploys a “local” Tor with its own directory authority into the cluster – so I can deploy 20 regtest with onion addresses and monitor them all. Was able to catch to the private broadcast connections in the netinfo dashboard:

0<->   type   net   serv  v  mping   ping send recv  txn  blk  hb addrp addrl  age id address
1out   priv onion   nwl2  2                  0    0                   .          0 54 ljockabue5siujir4sqsgc23ks4jgfdlyxd2eedqk4ywe3iwajigplad.onion:18444
2out   priv onion   nwl2  2                  1    1                   .          0 53 6vzl73cby36qkbsaiinplnsz5mufxtzjr3xubgdliucpjx53lgfw2nad.onion:18444

I can also grep all the nodes’ logs for the txid and observe the relay pattern across the network:

Here, tank-0000 sends a tx to tank-0001

0tank-0000 default [privatebroadcast] Requesting 3 new connections due to txid=bd7e40aa9d6346ac3513b0daac10cc8329a41ef2f180473cccfd7446489e0ba2, wtxid=bf7d6a592f8a04ea4799e4748d2e7a9a57ec669b68b747f0c74035c2f22bb733
1tank-0000 default [privatebroadcast:info] P2P handshake completed, sending INV for txid=bd7e40aa9d6346ac3513b0daac10cc8329a41ef2f180473cccfd7446489e0ba2, wtxid=bf7d6a592f8a04ea4799e4748d2e7a9a57ec669b68b747f0c74035c2f22bb733, peer=206 peeraddr=10.109.0.153:18444
2tank-0016 default [net] got inv: tx bd7e40aa9d6346ac3513b0daac10cc8329a41ef2f180473cccfd7446489e0ba2  new peer=103
3tank-0000 default [privatebroadcast:info] P2P handshake completed, sending INV for txid=bd7e40aa9d6346ac3513b0daac10cc8329a41ef2f180473cccfd7446489e0ba2, wtxid=bf7d6a592f8a04ea4799e4748d2e7a9a57ec669b68b747f0c74035c2f22bb733, peer=207 peeraddr=ah3rqn6qilhnqscv76gk5xzdxvoh7y7d2psoujtrjggmsiwqif53f4yd.onion:18444
4tank-0014 default [net] got inv: tx bd7e40aa9d6346ac3513b0daac10cc8329a41ef2f180473cccfd7446489e0ba2  new peer=122
5tank-0000 default [net] received getdata for: tx bd7e40aa9d6346ac3513b0daac10cc8329a41ef2f180473cccfd7446489e0ba2 peer=206
6tank-0016 default [net] Requesting tx bd7e40aa9d6346ac3513b0daac10cc8329a41ef2f180473cccfd7446489e0ba2 peer=103
7tank-0000 default [privatebroadcast:info] Received our privately broadcast transaction (txid=bd7e40aa9d6346ac3513b0daac10cc8329a41ef2f180473cccfd7446489e0ba2) from the network from peer=28 peeraddr=10.108.51.222:18444; stopping private broadcast attempts
8tank-0000 default [miner] AddToWallet bd7e40aa9d6346ac3513b0daac10cc8329a41ef2f180473cccfd7446489e0ba2  new InMempool
9tank-0001 default [miner] AddToWallet bd7e40aa9d6346ac3513b0daac10cc8329a41ef2f180473cccfd7446489e0ba2  new InMempool

One thing I noticed is that if I (perhaps accidentally) sendrawtransaction the same tx a second time, we open private connections, send our INV – but those nodes already have the tx. So the connection remains open until we get disconnected by (I think) the remote peer when we (I think) ignore their PING. The cycle then continues, even though the re-submitted tx is in our own mempool already!

0tank-0000 default [privatebroadcast] Requesting 3 new connections due to txid=bd7e40aa9d6346ac3513b0daac10cc8329a41ef2f180473cccfd7446489e0ba2, wtxid=bf7d6a592f8a04ea4799e4748d2e7a9a57ec669b68b747f0c74035c2f22bb733
1tank-0000 default [privatebroadcast:info] P2P handshake completed, sending INV for txid=bd7e40aa9d6346ac3513b0daac10cc8329a41ef2f180473cccfd7446489e0ba2, wtxid=bf7d6a592f8a04ea4799e4748d2e7a9a57ec669b68b747f0c74035c2f22bb733, peer=211 peeraddr=2iz75k2b3w5krzrf4si3axpgc3hbpvwoiq3ry7kppnohh4icmu4l4myd.onion:18444
2tank-0011 default [net] got inv: tx bd7e40aa9d6346ac3513b0daac10cc8329a41ef2f180473cccfd7446489e0ba2  have peer=108
3tank-0000 default [privatebroadcast:info] P2P handshake completed, sending INV for txid=bd7e40aa9d6346ac3513b0daac10cc8329a41ef2f180473cccfd7446489e0ba2, wtxid=bf7d6a592f8a04ea4799e4748d2e7a9a57ec669b68b747f0c74035c2f22bb733, peer=212 peeraddr=ctxl43uomyccbdknlpr2bp57va64eprkcch66nwwhnjbnwqeslfy3yid.onion:18444
4tank-0009 default [net] got inv: tx bd7e40aa9d6346ac3513b0daac10cc8329a41ef2f180473cccfd7446489e0ba2  have peer=111
5tank-0000 default [privatebroadcast:info] P2P handshake completed, sending INV for txid=bd7e40aa9d6346ac3513b0daac10cc8329a41ef2f180473cccfd7446489e0ba2, wtxid=bf7d6a592f8a04ea4799e4748d2e7a9a57ec669b68b747f0c74035c2f22bb733, peer=213 peeraddr=kcbwa3x2cdes6yyshibbydq5ataeorsvntraanmvbmucfvk5uvu2jaad.onion:18444
6tank-0017 default [net] got inv: tx bd7e40aa9d6346ac3513b0daac10cc8329a41ef2f180473cccfd7446489e0ba2  have peer=111

This appears to continue even after the tx is confirmed, until

0Giving up broadcast attempts for txid=bd7e40aa9d6346ac3513b0daac10cc8329a41ef2f180473cccfd7446489e0ba2 wtxid=bf7d6a592f8a04ea4799e4748d2e7a9a57ec669b68b747f0c74035c2f22bb733: txn-already-known

andrewtoth commented at 1:42 pm on June 2, 2025: contributor

if I (perhaps accidentally) sendrawtransaction the same tx a second time, we open private connections, send our INV – but those nodes already have the tx.

This PR will not queue new private broadcast connections if the same tx is submitted again. However, it does keep trying to broadcast with the 3 connections queued from the first time the tx is submitted. If those peers already have the tx, then the connection will wait for 3 minutes until disconnecting. See discussion here for why I think we should treat a 3 minute wait as a successful private broadcast connection and decrement the queued connection count.

The cycle then continues, even though the re-submitted tx is in our own mempool already!

This should not happen with this PR. The tx is removed from the private broadcast queue when we receive it in our mempool. Were you testing on the latest version of this PR?

pinheadmz commented at 3:20 pm on June 2, 2025: member

This PR will not queue new private broadcast connections if the same tx is submitted again.

Where is this implemented in the PR?

andrewtoth commented at 3:31 pm on June 2, 2025: contributor

@pinheadmz in ScheduleTxForPrivateBroadcast we check if the tx was inserted into the private broadcast queue, and only then do we queue more private broadcast connections to open. The tx is removed from the private broadcast queue when we receive the tx in our mempool here.

Edit: ugh it’s hard to link to the lines, because they are not expanded by default in net_processing.cpp. They are lines 2295-2313 in net_processing.cpp.

pinheadmz commented at 3:34 pm on June 2, 2025: member

Ok and then after the tx is received in mempool and removed from queue, I send it again. I think it’s probably harmless but we will continue to re-send the tx until it finally gets confirmed and then ReattemptPrivateBroadcast() will catch it as txn-already-known

andrewtoth commented at 3:35 pm on June 2, 2025: contributor

Ok and then after the tx is received in mempool and removed from queue, I send it again.

But sendrawtransaction will fail if the tx is already in our mempool, no? How will this succeed?

pinheadmz commented at 3:40 pm on June 2, 2025: member

But sendrawtransaction will fail if the tx is already in our mempool, no? How will this succeed?

Are you sure about this?

0
1            // There's already a transaction in the mempool with this txid. Don't
2            // try to submit this transaction to the mempool (since it'll be
3            // rejected as a TX_CONFLICT), but do attempt to reannounce the mempool
4            // transaction if broadcast_method is not ADD_TO_MEMPOOL_NO_BROADCAST.
5            //
6            // The mempool transaction may have the same or different witness (and
7            // wtxid) as this transaction. Use the mempool's wtxid for reannouncement.

andrewtoth commented at 3:48 pm on June 2, 2025: contributor

Are you sure about this?

I was not sure, thanks for the correction :). I see we only check for acceptance if the tx is not already in our mempool. If it is, then we skip checking acceptance and try and broadcast again. That behavior makes sense to me, and I think this is another reason why we should treat 3 minute timeouts waiting for GETDATA as a successful private broadcast connection.

kdmukai commented at 2:59 pm on June 9, 2025: contributor

Summary

Since this PR now has 444 comments, this is an attempt to help people get up to speed on the discussion thus far and identify any remaining concerns or TODO items.

Note vasild’s “Further extensions” section in the PR description. Throughout this discussion he has emphasized keeping this PR as simple as possible, deferring further work to subsequent PRs.

Q&A highlights

vasild to 1440000bytes: Why not relay to an existing Tor peer?
- 1440000bytes’ follow-up
- related response to learnwayback
vasild to epiccurious: This PR’s privacy wins vs encrypting all relay traffic?
vasild to andrewtoth: What if the recipient needs the parent tx also?
- vasild follow up
pinheadmz, others (from prior related PR): Why hard-code a user agent for these broadcasts?
- continues here
vasild to sr-gi: Why MAX_PRIVATE_BROADCAST_CONNECTIONS=64?
vasild: Why NUM_PRIVATE_BROADCAST_PER_TX=3?
mzumsande, others: Where to define TxBroadcastMethod -> node/types.h
vasild to mzumsande: step through theoretical attack + mitigation
vasild to sr-gi: Prioritization of private broadcast vs other connections
- related discussion w/mzumsande

Useful comments

iotamega: note that corporate firewalls block Tor/I2P
nothingmuch: warn if privatebroadcast=1 and proxyrandomize=0
- vasild: warning added
- related walletbroadcast=0 restriction removed
gmaxwell: PR is strong against attacker running many nodes, weak against direct Tor traffic analysis (but deems this a lesser risk)
- vasild: response to gmaxwell, also to w0xlt on decoy txs
andrewtoth: sending multiple txs quickly using walletcreatefundedpsbt can create double spend attempts
pinheadmz: Successful testing in a 20 node Tor cluster
nothingmuch: Can add clearnet connections when using Tor
MarnixCroes, others: can’t run with -connect; solution = -maxconnections=0 -addnode=<localnode>
mzumsande: avoid Good() and Connected() to prevent inadvertent Tor connection reuse
mzumsande: checking txid vs wtxid to decide private broadcast was successful

Unresolved questions / remaining TODO

Send INV message?

Discussion of the exact broadcast approach to take seemed to coalesce in favor of sending INV and then waiting for the GETDATA request. But there are subtleties to consider around what it means if the connection times out at various stages of the communication cycle, when to consider the private broadcast a success, etc.

See the last two bullet points in particular for the most recent ongoing discussions. This goes beyond my depth so unfortunately I can’t say how much remains to be resolved here.

andrewtoth: Beginning of discussion on TX vs INV / GETDATA / TX
gmaxwell: should send INV and wait
vasild: implemented INV / GETDATA / TX but with misgivings
mzumsande: Send INV
mzumsande: More detailed discussion of de-anon analysis / timing considerations
andrewtoth: Further timeout considerations

Misc

The only other open TODO items or unresolved concerns I could identify:

andrewtoth: missing test coverage (now resolved?)
sr-gi: Are you satisfied with vasild’s answer re: m_private_broadcast_connections_to_open?

kdmukai commented at 3:04 pm on June 9, 2025: contributor

Concept ACK.

This seems like a significant chain analysis heuristic breaker. While only newly updated nodes would have this private broadcast option, my understanding is that any Tor- or I2P-enabled node will be able to receive these txs and then broadcast them out to all their peers.

So now the broadcaster-is-the-sender heuristic is permanently called into question even when it’s an older node that’s being spied on. That’s pretty neat.

andrewtoth commented at 3:09 pm on June 9, 2025: contributor

my understanding is that any Tor- or I2P-enabled node will be able to receive these txs and then broadcast them out to all their peers. @kdmukai it’s even better than that, any node listening on clearnet can also receive these txs through Tor exit nodes and appear to be the broadcast origin.

DrahtBot added the label Needs rebase on Jun 11, 2025

kevkevinpal commented at 1:32 pm on June 14, 2025: contributor

Concept ACK, still need to review fully

I wrote a fuzz test for private_broadcast.cpp https://github.com/kevkevinpal/bitcoin/commit/fcee39cdefcf5ccb55ae9a019d534e09f230e50c Feel free to pick the commit

Added coverage Screenshot 2025-06-14 at 8 30 16 AM

in src/net.cpp:3611 in cd862a990f outdated

3605@@ -3451,10 +3606,16 @@ void CConnman::Interrupt()
3606             semAddnode->release();
3607         }
3608     }
3609+
3610+    m_private_broadcast.m_sem_conn_max.release();
3611+    m_private_broadcast.NumToOpenAdd(1);

mzumsande commented at 3:31 pm on June 16, 2025:

nit: this could have a comment (we don’t really want to add a request, just unblock NumToOpenWait to be able to continue with shutdown).

vasild commented at 10:21 am on June 18, 2025:

Added a comment.

mzumsande commented at 3:37 pm on June 16, 2025: contributor

ACK cedbc2cd99754c099e92f074e1d5566da265bf26 (I know it needs rebase)

I reviewed the code again and tested this on signet over the last couple of days - it works well. While it increases complexity of net_processing and net, I think the privacy gains are worth it.

vasild force-pushed on Jun 18, 2025

vasild commented at 10:24 am on June 18, 2025: contributor

cedbc2cd99...281f6f3b4d: rebase due to conflicts and address a suggestion

Edit:

I wrote a fuzz test for private_broadcast.cpp https://github.com/kevkevinpal/bitcoin/commit/fcee39cdefcf5ccb55ae9a019d534e09f230e50c @kevkevinpal, that looks nice! I am doing some mods to it and will come back with it soon…

DrahtBot added the label CI failed on Jun 18, 2025

DrahtBot removed the label Needs rebase on Jun 18, 2025

DrahtBot added the label Needs rebase on Jun 19, 2025

vasild force-pushed on Jun 19, 2025

vasild commented at 9:43 am on June 19, 2025: contributor

281f6f3b4d...4a873c2a67: rebase due to conflicts and break an if into two equivalent ifs to make it more readable, fix a silent conflict in the functional test - use .txid_hex instead of .rehash().

A modified version of the fuzz test from https://github.com/kevkevinpal/bitcoin/commit/fcee39cdefcf5ccb55ae9a019d534e09f230e50c is in https://github.com/vasild/bitcoin/commit/1c406354fc7254dc9266d1c69f4a4e7dcb478856. Thanks @kevkevinpal! Since the fuzz test is an extra load on reviewers and is not a blocker for this PR I did not include it (yet) here. If reviewers like it and are willing to ACK it as well, then I will add that commit on top of this PR, otherwise it will be in a followup.

DrahtBot removed the label Needs rebase on Jun 19, 2025

DrahtBot removed the label CI failed on Jun 19, 2025

kevkevinpal commented at 12:29 pm on June 19, 2025: contributor

A modified version of the fuzz test from https://github.com/kevkevinpal/bitcoin/commit/fcee39cdefcf5ccb55ae9a019d534e09f230e50c is in https://github.com/vasild/bitcoin/commit/1c406354fc7254dc9266d1c69f4a4e7dcb478856. Thanks @kevkevinpal! Since the fuzz test is an extra load on reviewers and is not a blocker for this PR I did not include it (yet) here. If reviewers like it and are willing to ACK it as well, then I will add that commit on top of this PR, otherwise it will be in a followup.

Yup no problem! Adding as a follow-up sounds good to me

in test/functional/p2p_private_broadcast.py:318 in 4a873c2a67 outdated

313+            tx_originator.sendrawtransaction(hexstring=txs[0]["hex"], maxfeerate=0.1)
314+
315+        # TODO: Create a malleated valid witness (how?) and substitute malleate_tx() below:
316+        #self.log.info("Sending a malleated transaction with a valid witness via RPC")
317+        #malleated_valid = malleate_tx(txs[0])
318+        #ignoring_msg = f"Ignoring unnecessary request to schedule an already scheduled transaction: txid={malleated_valid.txid_hex}, wtxid={malleated_valid.getwtxid()}"

andrewtoth commented at 9:15 pm on June 22, 2025:

0        #ignoring_msg = f"Ignoring unnecessary request to schedule an already scheduled transaction: txid={malleated_valid.txid_hex}, wtxid={malleated_valid.wtxid_hex}"

stratospher commented at 5:51 am on June 23, 2025:

i’ve tried this test in https://github.com/stratospher/bitcoin/commit/c14812402aa370b448a46efad1b0e5a5af1199ee (built on top of #32385 )

vasild commented at 11:13 am on June 24, 2025:

@andrewtoth, right! I will change that next time I retouch, “resolving” this. @stratospher, thanks! Lets continue the discussion in #32385 (review)

andrewtoth commented at 2:39 am on July 18, 2025:

You did not change it :(. It is commented out so it’s not a deal breaker here.

in src/rpc/mempool.cpp:59 in a4c4dd9138 outdated

58+        "rebroadcast non-wallet transactions already in their mempool.\n"
59+
60+        "\nIf -privatebroadcast is enabled, then the transaction will be sent only via\n"
61+        "dedicated, short-lived connections to Tor or I2P peers or IPv4/IPv6 peers\n"
62+        "through the Tor network. This conceals the transaction origin. The transaction\n"
63+        "will only enter the local mempool when it is received back from the network.\n"

ismaelsadeeq commented at 6:47 pm on June 30, 2025:

This should be in doc?

vasild commented at 10:05 am on July 7, 2025:

Which doc? This is in the output of bitcoin-cli help sendrawtransaction.

ismaelsadeeq commented at 6:21 pm on July 7, 2025:

“So using sendrawtransaction for manual rebroadcast will degrade privacy by leaking the transaction’s origin.” “This conceals the transaction origin.”

What I meant is that this seems to go beyond the scope of API docs imo? Perhaps we should have a dedicated privacy section in the docs maybe something like doc/privacy which could include:

The existing content from [doc/tor.md#4-privacy-recommendations](https://github.com/bitcoin/bitcoin/blob/master/doc/tor.md#4-privacy-recommendations)
Brief overviews of I2P and CJDNS, with links to them and what they provide
Documentation of the newly introduced -privatebroadcast option

vasild commented at 12:22 pm on July 15, 2025:

something like doc/privacy

Concept ACK. Out of the scope of this PR.

ismaelsadeeq commented at 7:07 pm on June 30, 2025: member

I was experimenting with privacy on Bitcoin core and see this work. Kudos 🎉 and thanks for your work to improve privacy

Great summary by @kdmukai

Did some manual tests on signet using the script provided; it was smooth on the happy path

 02025-06-30T17:06:38Z [privatebroadcast:info] P2P handshake completed, sending INV for txid=fdb1884dd42d940c3edd786487e45311a2d5f2328cf7349fa4ad5f29f5449c96, wtxid=862c319f69d047db646a375b2287a511614c246e4956ead1d715d6d492ea1c80, peer=12
 12025-06-30T17:06:40Z Saw new header hash=0000000b9db2e9016363a6869d25691acef5ccdb94216c1683dee955dcc8ff4f height=258554 peer=4
 22025-06-30T17:06:42Z UpdateTip: new best=0000000b9db2e9016363a6869d25691acef5ccdb94216c1683dee955dcc8ff4f height=258554 version=0x20000000 log2_work=42.262158 tx=21879263 date='2025-06-30T17:06:01Z' progress=1.000000 cache=5.1MiB(25884txo)
 32025-06-30T17:06:43Z New private-broadcast v1 peer connected: version: 70016, blocks=258554, peer=14
 42025-06-30T17:06:43Z [privatebroadcast:info] P2P handshake completed, sending INV for txid=fdb1884dd42d940c3edd786487e45311a2d5f2328cf7349fa4ad5f29f5449c96, wtxid=862c319f69d047db646a375b2287a511614c246e4956ead1d715d6d492ea1c80, peer=14
 52025-06-30T17:06:43Z New private-broadcast v2 peer connected: version: 70016, blocks=258554, peer=13
 62025-06-30T17:06:43Z [privatebroadcast:info] P2P handshake completed, sending INV for txid=fdb1884dd42d940c3edd786487e45311a2d5f2328cf7349fa4ad5f29f5449c96, wtxid=862c319f69d047db646a375b2287a511614c246e4956ead1d715d6d492ea1c80, peer=13
 72025-06-30T17:06:43Z [privatebroadcast:info] Got a PONG (the transaction will probably reach the network), marking for disconnect, peer=12
 82025-06-30T17:06:48Z [privatebroadcast:info] Got a PONG (the transaction will probably reach the network), marking for disconnect, peer=13
 92025-06-30T17:06:48Z [privatebroadcast:info] Got a PONG (the transaction will probably reach the network), marking for disconnect, peer=14
102025-06-30T17:06:49Z [privatebroadcast:info] Received our privately broadcast transaction (txid=fdb1884dd42d940c3edd786487e45311a2d5f2328cf7349fa4ad5f29f5449c96) from the network from peer=7; stopping private broadcast attempt

I’ve noticed an issue and have two questions on approach.

Issue: I think there is a bug in BroadcastTransaction whereby if you pass 0 as the value of maxfeerate the transaction won’t be broadcasted because you combine maxfee check and test accept check when we want want private broadcast.

 0#!/bin/bash
 1build/bin/bitcoin-cli -chain="signet" loadwallet test
 2
 3new_address=$(build/bin/bitcoin-cli -chain="signet" getnewaddress)
 4psbt=$(build/bin/bitcoin-cli -chain="signet" walletcreatefundedpsbt "[]" "[{\"$new_address\": 0.00001}]" | jq -r '.psbt')
 5echo "psbt: $psbt"
 6
 7
 8signed_tx=$(build/bin/bitcoin-cli -chain="signet" walletprocesspsbt $psbt | jq -r '.hex')
 9echo "signed_tx: $signed_tx"
10
11raw_tx=$(build/bin/bitcoin-cli -chain="signet" sendrawtransaction $signed_tx 0)
12echo "raw_tx: $raw_tx"

0error code: -25
1error message:
2max fee exceeded

The fix is simple i.e is to just separate them or something like that.

 0diff --git a/src/node/transaction.cpp b/src/node/transaction.cpp
 1index 0c4f37e4714..9cd9fde1000 100644
 2--- a/src/node/transaction.cpp
 3+++ b/src/node/transaction.cpp
 4@@ -74,13 +74,27 @@ TransactionError BroadcastTransaction(NodeContext& node,
 5             wtxid = mempool_tx->GetWitnessHash();
 6         } else {
 7             // Transaction is not already in the mempool.
 8-            if (max_tx_fee > 0 || broadcast_method == NO_MEMPOOL_PRIVATE_BROADCAST) {
 9+            std::optional<CAmount> base_fee;
10+            if (broadcast_method == NO_MEMPOOL_PRIVATE_BROADCAST) {
11                 // First, call ATMP with test_accept and check the fee. If ATMP
12                 // fails here, return error immediately.
13-                const MempoolAcceptResult result = node.chainman->ProcessTransaction(tx, /*test_accept=*/ true);
14+                const auto result = node.chainman->ProcessTransaction(tx, /*test_accept=*/ true);
15                 if (result.m_result_type != MempoolAcceptResult::ResultType::VALID) {
16                     return HandleATMPError(result.m_state, err_string);
17-                } else if (result.m_base_fees.value() > max_tx_fee) {
18+                }
19+                base_fee = result.m_base_fees.value();
20+            }
21+
22+            if (max_tx_fee > 0) {
23+                // Only call ProcessTransaction if we did not call it before
24+                if (!base_fee) {
25+                    const auto result = node.chainman->ProcessTransaction(tx, /*test_accept=*/ true);
26+                    if (result.m_result_type != MempoolAcceptResult::ResultType::VALID) {
27+                        return HandleATMPError(result.m_state, err_string);
28+                    }
29+                    base_fee = result.m_base_fees.value();
30+                }
31+                if (base_fee > max_tx_fee) {
32                     return TransactionError::MAX_FEE_EXCEEDED;
33                 }
34             }

Questions

Why is this only on sendrawtransaction, could also be implemented on the experimental submitpackage RPC to ensure no contradiction in approach and also 1p1c package relay is a thing now. (edit: if you have 1p1c that you will want to relay, parent is below the minrelayfee; the mechanism right now is to submit the package txs via submitpackage; it will be accepted to the mempool both, and be broadcasted to peers, peers will reject the parent because it is below minrelayfee and accept child in it’s orphanage, then request the parent from the peer and this is how the 1p1c will relay (opportunistically)) Correct me if I am wrong they currently contradict base on the decision not to add the txs to the mempool, and in submitpackage adding to the mempool before broadcasting is a requirement that must be satisfied although I think you can bye-pass that limitiation easily by passing test-accept as false the ProcessNewPackage call and then remove the check that tx must exist in mempool before broadcasting to peers (edit: in case of 1p1c package relay only the child will be accept to peer orphanage but then their is no way for the peer to get the parent from the original sender because it does not save the parent in it’s mempool) .

I’ve try implementing it and it works

 0diff --git a/src/node/transaction.cpp b/src/node/transaction.cpp
 1index 0c4f37e4714..9cd9fde1000 100644
 2--- a/src/node/transaction.cpp
 3+++ b/src/node/transaction.cpp
 4@@ -74,13 +74,27 @@ TransactionError BroadcastTransaction(NodeContext& node,
 5             wtxid = mempool_tx->GetWitnessHash();
 6         } else {
 7             // Transaction is not already in the mempool.
 8-            if (max_tx_fee > 0 || broadcast_method == NO_MEMPOOL_PRIVATE_BROADCAST) {
 9+            std::optional<CAmount> base_fee;
10+            if (broadcast_method == NO_MEMPOOL_PRIVATE_BROADCAST) {
11                 // First, call ATMP with test_accept and check the fee. If ATMP
12                 // fails here, return error immediately.
13-                const MempoolAcceptResult result = node.chainman->ProcessTransaction(tx, /*test_accept=*/ true);
14+                const auto result = node.chainman->ProcessTransaction(tx, /*test_accept=*/ true);
15                 if (result.m_result_type != MempoolAcceptResult::ResultType::VALID) {
16                     return HandleATMPError(result.m_state, err_string);
17-                } else if (result.m_base_fees.value() > max_tx_fee) {
18+                }
19+                base_fee = result.m_base_fees.value();
20+            }
21+
22+            if (max_tx_fee > 0) {
23+                // Only call ProcessTransaction if we did not call it before
24+                if (!base_fee) {
25+                    const auto result = node.chainman->ProcessTransaction(tx, /*test_accept=*/ true);
26+                    if (result.m_result_type != MempoolAcceptResult::ResultType::VALID) {
27+                        return HandleATMPError(result.m_state, err_string);
28+                    }
29+                    base_fee = result.m_base_fees.value();
30+                }
31+                if (base_fee > max_tx_fee) {
32                     return TransactionError::MAX_FEE_EXCEEDED;
33                 }
34             }
35diff --git a/src/rpc/mempool.cpp b/src/rpc/mempool.cpp
36index 4fd78d732f1..f9c1b130665 100644
37--- a/src/rpc/mempool.cpp
38+++ b/src/rpc/mempool.cpp
39@@ -1053,10 +1053,23 @@ static RPCHelpMan submitpackage()
40                 throw JSONRPCTransactionError(TransactionError::INVALID_PACKAGE, "package topology disallowed. not child-with-parents or parents depend on each other.");
41             }
42 
43+            const bool private_broadcast_enabled{gArgs.GetBoolArg("-privatebroadcast", DEFAULT_PRIVATE_BROADCAST)};
44+            if (private_broadcast_enabled &&
45+                !g_reachable_nets.Contains(NET_ONION) &&
46+                !g_reachable_nets.Contains(NET_I2P)) {
47+                throw JSONRPCError(RPC_MISC_ERROR,
48+                                   "-privatebroadcast is enabled, but none of the Tor or I2P networks is "
49+                                   "reachable. Maybe the location of the Tor proxy couldn't be retrieved "
50+                                   "from the Tor daemon at startup. Check whether the Tor daemon is running "
51+                                   "and that -torcontrol, -torpassword and -i2psam are configured properly.");
52+            }
53+            const auto method = private_broadcast_enabled ? node::NO_MEMPOOL_PRIVATE_BROADCAST
54+                                                          : node::ADD_TO_MEMPOOL_AND_BROADCAST_TO_ALL;
55+
56             NodeContext& node = EnsureAnyNodeContext(request.context);
57             CTxMemPool& mempool = EnsureMemPool(node);
58             Chainstate& chainstate = EnsureChainman(node).ActiveChainstate();
59-            const auto package_result = WITH_LOCK(::cs_main, return ProcessNewPackage(chainstate, mempool, txns, /*test_accept=*/ false, client_maxfeerate));
60+            const auto package_result = WITH_LOCK(::cs_main, return ProcessNewPackage(chainstate, mempool, txns, /*test_accept=*/ private_broadcast_enabled, client_maxfeerate));
61 
62             std::string package_msg = "success";
63 
64@@ -1066,9 +1079,9 @@ static RPCHelpMan submitpackage()
65                 {
66                     // Belt-and-suspenders check; everything should be successful here
67                     CHECK_NONFATAL(package_result.m_tx_results.size() == txns.size());
68-                    for (const auto& tx : txns) {
69-                        CHECK_NONFATAL(mempool.exists(GenTxid::Txid(tx->GetHash())));
70-                    }
71+                    // for (const auto& tx : txns) {
72+                    //     CHECK_NONFATAL(mempool.exists(GenTxid::Txid(tx->GetHash())));
73+                    // }
74                     break;
75                 }
76                 case PackageValidationResult::PCKG_MEMPOOL_ERROR:
77@@ -1091,17 +1104,15 @@ static RPCHelpMan submitpackage()
78             size_t num_broadcast{0};
79             for (const auto& tx : txns) {
80                 // We don't want to re-submit the txn for validation in BroadcastTransaction
81-                if (!mempool.exists(GenTxid::Txid(tx->GetHash()))) {
82+                if (!private_broadcast_enabled && !mempool.exists(GenTxid::Txid(tx->GetHash()))) {
83                     continue;
84                 }
85-
86-                // We do not expect an error here; we are only broadcasting things already/still in mempool
87                 std::string err_string;
88                 const auto err = BroadcastTransaction(node,
89                                                       tx,
90                                                       err_string,
91                                                       /*max_tx_fee=*/0,
92-                                                      node::ADD_TO_MEMPOOL_AND_BROADCAST_TO_ALL,
93+                                                      method,
94                                                       /*wait_callback=*/true);
95                 if (err != TransactionError::OK) {
96                     throw JSONRPCTransactionError(err,

However I am still not confident on this diff that is the consistency with when test accept is either false or true since test accept has some limitations see #32160

How does this approach compare to running a node with -onlynet=tor and onlynet=i2p and not having inbound? Because I thought that I can achieve the privacy that this PR provided by doing that? (edit: we can then improve this by having a more strict onlynet where even inbounds are the network specified ) Or if conservative you can have two nodes one via with peers only on tor/i2p only and another via clearnet peers and only using my tor node for personal transactions submissions to the network.

Side question: I see this is opt-in, do we plan to enable this by default; if yes did we have intuition theoretically on the impact on the whole network in terms of tx propagation speed?

vasild force-pushed on Jul 7, 2025

vasild commented at 10:04 am on July 7, 2025: contributor

4a873c2a67...6d697bba16: rebase and address the above suggestion about BroadcastTransaction().

I think there is a bug in BroadcastTransaction() …

Right, good catch! I fixed it like this:

 0             // Transaction is not already in the mempool.
 1-            if (max_tx_fee > 0 || broadcast_method == NO_MEMPOOL_PRIVATE_BROADCAST) {
 2+            const bool check_max_fee{max_tx_fee > 0};
 3+            if (check_max_fee || broadcast_method == NO_MEMPOOL_PRIVATE_BROADCAST) {
 4                 // First, call ATMP with test_accept and check the fee. If ATMP
 5                 // fails here, return error immediately.
 6                 const MempoolAcceptResult result = node.chainman->ProcessTransaction(tx, /*test_accept=*/ true);
 7                 if (result.m_result_type != MempoolAcceptResult::ResultType::VALID) {
 8                     return HandleATMPError(result.m_state, err_string);
 9-                } else if (result.m_base_fees.value() > max_tx_fee) {
10+                } else if (check_max_fee && result.m_base_fees.value() > max_tx_fee) {
11                     return TransactionError::MAX_FEE_EXCEEDED;
12                 }
13             }
14             
15             switch (broadcast_method) {

and also tweaked the functional test to cover that maxtxfee=0 case. The modified test would fail without the above change to BroadcastTransaction(). Cool, thanks!

Why is this only on sendrawtransaction, could also be implemented on the experimental submitpackage …

Yes, this should be also for submitpackage. The reason I did not implement it is because I want to cut this PR slim to get the private broadcast mechanism in, reduce review load, because it is already big as it is. There is a “Future extenstions” section the PR description, added submitpackage there and linked to your comment with the diff.

How does this approach compare to running a node with -onlynet=tor and onlynet=i2p and not having inbound? Because I thought that I can achieve the privacy that this PR provided by doing that? …

Hiding the IP address (geolocation) - yes, but:

Sending own transactions over long lived connections is problematic because then two different transactions that are otherwise unrelated, looking at the coins (ie on-chain analysis) could be linked together to the same originator. See the comment above Would this benefit nodes that don’t have clearnet connections, e.g. Tor/I2P-only nodes?. In general, long lived connections exchange a ton of information that can be used to fingerprint a node. The most blatant of those is a customized user-agent string, e.g. -uacomment=vasilsnode.
onlynet tor+i2p node is more likely to be Sybiled.

Side question: I see this is opt-in, do we plan to enable this by default

I do not know about “we”. I guess making private broadcast default has not been widely discussed and either accepted or rejected. My personal plan is this - once this is released and we see that it works (!) and also the wallet and submitpackage RPC do it and that works as well, then yes, I will propose to change the default of -privatebroadcast from 0 to 1. I guess then the question of “should enable this by default?” will get widely discussed.

if yes did we have intuition theoretically on the impact on the whole network in terms of tx propagation speed?

Good question. With -privatebroadcast=0 the transaction originator broadcasts it to everybody and then everybody broadcasts it to everybody, and so on, the transaction floods the network. With -privatebroadcast=1 the originator will give the transaction to somebody and they will send it to everybody, starting the same flooding process. So, the only difference wrt timing is the initial send via the short lived connection. For the originator this adds a delay of a few seconds. For the network I think it does not matter.

ismaelsadeeq commented at 6:21 pm on July 7, 2025: member

Yes, this should be also for submitpackage. The reason I did not implement it is because I want to cut this PR slim to get the private broadcast mechanism in, reduce review load, because it is already big as it is. There is a “Future extenstions” section the PR description, added submitpackage there and linked to your comment with the diff.

In that case, this probably shouldn’t be a startup option but rather a runtime option for sendrawtransaction, I think. when we have privatebroadcast on all broadcast RPC then it should be implemented as a startup option where the runtime option overrides the startup value.
FWIW, the diff would only allow reliably broadcasting a single tx package privately, but 1p1c package broadcast is problematic due to the current limitation of not adding transactions to the mempool.

Sending own transactions over long lived connections is problematic because then two different transactions that are otherwise unrelated, looking at the coins (ie on-chain analysis) could be linked together to the same originator.

Is it not possible to perform this type of on-chain analysis even with privatebroadcast? For example, someone could observe the blockchain and fingerprint transactions as likely coming from a particular node and label it as “vasilsnode”?

Hiding the IP address (geolocation) is the most important gain from this imo, what will a tor/i2p peer be able to do after fingerprinting that bunch of transactions are from it’s peer?

onlynet tor+i2p node is more likely to be Sybiled. low-latency encryption/anonymization of Bitcoin’s transmissions (with Tor, JAP, etc.) can be defeated relatively easily with a timing attack if you’re connected to several of the attacker’s nodes and the attacker is watching your transmissions at your ISP

Thanks, I wasn’t aware of this before I’ll need to ponder more about it.

I do not know about “we”.

Yeah, I meant your plan. Thanks for explaining :)

once this is released and we see that it works (!) and also the wallet and submitpackage RPC do it and that works as well, then yes, I will propose to change the default of -privatebroadcast from 0 to 1. I guess then the question of “should enable this by default?” will get widely discussed.

Nice plan. I’ve seen that review burden can be significantly eased when there’s a major PR that outlines the overall architecture and plan and provide the holistic view of the project, along with smaller sub-PRs that tackle each component individually. Maybe that structure could help in this case (and have all what you mentioned above implemented so that e2e test will be easy)?

For the originator this adds a delay of a few seconds. For the network I think it does not matter.

Great, thanks for explaining.

andrewtoth commented at 6:48 pm on July 7, 2025: contributor

Sending own transactions over long lived connections is problematic because then two different transactions that are otherwise unrelated, looking at the coins (ie on-chain analysis) could be linked together to the same originator.

Is it not possible to perform this type of on-chain analysis even with privatebroadcast? For example, someone could observe the blockchain and fingerprint transactions as likely coming from a particular node and label it as “vasilsnode”?

Consider a wallet with 2 unrelated utxos. Spending both individually in separate txs will not link the two txs when observing the blockchain. If the same node was observed to initially broadcast both txs, then they will be linked to the same originator. This is not solved by an onlynet tor or i2p node, but is solved by privatebroadcast.

glozow referenced this in commit fc543f94a9 on Jul 7, 2025

instagibbs commented at 9:02 pm on July 7, 2025: member

@ismaelsadeeq I don’t think 1p1c is compatible with this approach at all, unless the connection is intentionally held open long enough for the parent to be fetched from the sending node? Obviously the connection could be held open with additional logic but just pointing this out. A sender-initiated package relay system might be easier to extend (but way out of scope of this PR).

DrahtBot added the label Needs rebase on Jul 11, 2025

User087 commented at 8:12 pm on July 13, 2025: none

To be clear, in what ways does the proposed feature resemble/differ from the --tx-proxy option in monero:

Send out your local transactions through SOCKS5 proxy (Tor or I2P). … This was introduced to make publishing transactions over Tor easier (no need for torsocks) while allowing clearnet for blocks at the same time (while torsocks affected everything). … Note that forwarded transactions (those not originating from the connected wallet(s)) will still be relayed over clearnet.

and from the guide:

If any anonymity network is enabled, transactions being broadcast that lack a valid “context” (i.e. the transaction did not come from a P2P connection), will only be sent to peers on anonymity networks. If an anonymity network is enabled but no peers over an anonymity network are available, an error is logged and the transaction is kept for future broadcasting over an anonymity network. The transaction will not be broadcast unless an anonymity connection is made or until monerod is shutdown and restarted with only public connections enabled.

Would monero’s implementation be useful at all?

andrewtoth commented at 1:00 pm on July 14, 2025: contributor

@User087 There are a few differences from the feature you linked. From the same guide, the very last section:

I2P/Tor Stream Used Twice monerod currently selects two outgoing connections every 5 minutes for transmitting transactions over I2P/Tor.

The proposed feature here does not use any existing connections for transmitting transactions. It creates a new connection to a random peer for every transaction that is submitted.

From my understanding, the --tx-proxy option also will not relay to clearnet nodes via Tor exit nodes. The proposed feature here will also connect to IPv4 and IPv6 nodes by tunneling through a Tor exit node.

vasild force-pushed on Jul 15, 2025

vasild commented at 12:32 pm on July 15, 2025: contributor

6d697bba16...dbd76e68c3: rebase due to conflicts

runtime option for sendrawtransaction @ismaelsadeeq, I thought about this, but decided to have a single global option to control the behavior given that the plan is to do private broadcast from other places as well. Otherwise it would be a messy situation where “my wallet is doing private broadcast but my RPC is not” or similar.

what will a tor/i2p peer be able to do after fingerprinting that bunch of transactions are from it’s peer?

Link them together to the same originator, even if the UTXOs are unrelated.

DrahtBot removed the label Needs rebase on Jul 15, 2025

andrewtoth commented at 2:38 am on July 18, 2025: contributor

re-ACK dbd76e68c3fd86814e96be85a2d23eb542df6e55

Changes from my last ACK cedbc2cd99754c099e92f074e1d5566da265bf26 (git range-diff 7763e86afa...cedbc2cd99 5d17e64a02...dbd76e68c3)

4480ca4a2f - Added a comment ead32f37c8 - const uint256& in some places were changed to const Txid/Wtxid& and this caused a conflict 7255b28cbb - fixed issue with passing 0 as second parameter to sendrawtransaction 9ec10ceb59 - split up combined if statement into two separate statements. Expanded on a comment. b817c3e45b - updated methods to field access in test due to conflict

I tested sendrawtransaction with 0 as second parameter as well for good measure. It worked correctly.

DrahtBot requested review from mzumsande on Jul 18, 2025

DrahtBot added the label Needs rebase on Jul 18, 2025

DashCoreAutoGuix referenced this in commit 6b53b0b9b3 on Jul 31, 2025

kdmukai commented at 12:49 pm on August 7, 2025: contributor

I successfully completed an end-to-end test:

I configured the Bitcoin Keeper android wallet (v2.5.1) to connect to my electrs instance (v0.10.10) which in turn connected to bitcoind at dbd76e6 on testnet4.

A basic transaction created in Keeper was sent through electrs and out to the network via private broadcast without any complaints. No modifications needed in Keeper or electrs.

As far as electrs was concerned, nothing was out of the ordinary:

0[2025-08-07T11:56:21.829Z DEBUG electrs::server] 1: recv {"jsonrpc":"2.0","method":"blockchain.transaction.broadcast","params":["0200000000010180e479f995f35081b96d754640b3614795c7e7a2b3487e1364857ee60fe7d1940100000000feffffff0213b50000000000001600148d38a74a217d0b676481bf5201aa6be9f0f0cf3aac0d0000000000001600141faf25fdc3344325ff5433efdc193db70dc199a402483045022100abbdd964305f6aa5e1d460b30ccadf5084d0708d76da4cd508c95ab4a1cb641b0220400b6123c34fbe035b7dd9be44781b484ae7cc635e0e1dab5e2a402fb57ca91d012102c3239d07a327bfd938dceb288d371f70f508a8243fc0861affb2d4c83065b56d8f750100"],"id":44}
1[2025-08-07T11:56:21.829Z DEBUG bitcoincore_rpc] JSON-RPC request: sendrawtransaction ["0200000000010180e479f995f35081b96d754640b3614795c7e7a2b3487e1364857ee60fe7d1940100000000feffffff0213b50000000000001600148d38a74a217d0b676481bf5201aa6be9f0f0cf3aac0d0000000000001600141faf25fdc3344325ff5433efdc193db70dc199a402483045022100abbdd964305f6aa5e1d460b30ccadf5084d0708d76da4cd508c95ab4a1cb641b0220400b6123c34fbe035b7dd9be44781b484ae7cc635e0e1dab5e2a402fb57ca91d012102c3239d07a327bfd938dceb288d371f70f508a8243fc0861affb2d4c83065b56d8f750100"]
2[2025-08-07T11:56:21.831Z DEBUG electrs::server] 1: send {"id":44,"jsonrpc":"2.0","result":"af2c09c62e9a7e81c0974b8be393b9b3cd606c5246860fecbc10916bff10fbe5"}

bitcoind logs:

02025-08-07T11:56:21Z [privatebroadcast] Requesting 3 new connections due to txid=af2c09c62e9a7e81c0974b8be393b9b3cd606c5246860fecbc10916bff10fbe5, wtxid=fe1fc666af1425bf61ee3155ded9aa301490229f302db232eb99ba9e15c55a85
12025-08-07T11:56:24Z [privatebroadcast] Socket connected to 85.203.53.149:18333 through the proxy at 127.0.0.1:9050; remaining connections to open: 2
22025-08-07T11:56:24Z [privatebroadcast] Failed to connect to [2607:5300:205:200::115b]:48333 through the proxy at 127.0.0.1:9050, will retry to a different address; remaining connections to open: 2
32025-08-07T11:56:24Z [privatebroadcast] Reattempting broadcast of stale txid=af2c09c62e9a7e81c0974b8be393b9b3cd606c5246860fecbc10916bff10fbe5 wtxid=fe1fc666af1425bf61ee3155ded9aa301490229f302db232eb99ba9e15c55a85
42025-08-07T11:56:24Z New private-broadcast v2 peer connected: version: 70016, blocks=95632, peer=14
52025-08-07T11:56:24Z [privatebroadcast:info] P2P handshake completed, sending INV for txid=af2c09c62e9a7e81c0974b8be393b9b3cd606c5246860fecbc10916bff10fbe5, wtxid=fe1fc666af1425bf61ee3155ded9aa301490229f302db232eb99ba9e15c55a85, peer=14
62025-08-07T11:56:24Z [privatebroadcast] Ignoring incoming message 'ping', peer=14
72025-08-07T11:56:24Z [privatebroadcast] Ignoring incoming message 'feefilter', peer=14
82025-08-07T11:56:29Z [privatebroadcast:info] Got a PONG (the transaction will probably reach the network), marking for disconnect, peer=14
92025-08-07T11:56:32Z [privatebroadcast:info] Received our privately broadcast transaction (txid=af2c09c62e9a7e81c0974b8be393b9b3cd606c5246860fecbc10916bff10fbe5) from the network from peer=8; stopping private broadcast attempts

RandyMcMillan commented at 9:52 pm on August 10, 2025: contributor

Concept ACK

jonatack commented at 5:38 pm on August 13, 2025: member

Needs trivial rebase in commit "test: move create_malleated_version() to messages.py for reuse"

 0diff --cc test/functional/p2p_orphan_handling.py
 1index f2eed48603c,94b911f4b5a..00000000000
 2--- a/test/functional/p2p_orphan_handling.py
 3+++ b/test/functional/p2p_orphan_handling.py
 4  
 5  from test_framework.messages import (
 6      CInv,
 7++<<<<<<< HEAD
 8 +    CTxInWitness,
 9 +    DEFAULT_ANCESTOR_LIMIT,
10++=======
11++>>>>>>> b817c3e45bd (test: move create_malleated_version() to messages.py for reuse)
12      MSG_TX,
13      MSG_WITNESS_TX,

(Not a blocker for reviewing further.)

in src/init.cpp:660 in dbd76e68c3 outdated

654@@ -655,6 +655,15 @@ void SetupServerArgs(ArgsManager& argsman, bool can_listen_ipc)
655                    OptionsCategory::NODE_RELAY);
656     argsman.AddArg("-minrelaytxfee=<amt>", strprintf("Fees (in %s/kvB) smaller than this are considered zero fee for relaying, mining and transaction creation (default: %s)",
657         CURRENCY_UNIT, FormatMoney(DEFAULT_MIN_RELAY_TX_FEE)), ArgsManager::ALLOW_ANY, OptionsCategory::NODE_RELAY);
658+    argsman.AddArg("-privatebroadcast",
659+                   strprintf(
660+                       "Broadcast transactions submitted via sendrawtransaction RPC using short lived "

jonatack commented at 9:51 pm on August 13, 2025:

ee752253 two minor grammar touch-ups

0                       "Broadcast transactions submitted via sendrawtransaction RPC using short-lived "

and on the next line, s/networks without/networks, without/

vasild commented at 3:06 pm on September 1, 2025:

Done.

jonatack commented at 10:07 pm on August 13, 2025: member

Reviewed up to and including b9cf8a1ea533291bb6395b0efd104c39, looks good so far.

DrahtBot requested review from jonatack on Aug 13, 2025

vasild force-pushed on Sep 1, 2025

vasild commented at 9:41 am on September 1, 2025: contributor

dbd76e68c3...2bd4714fa9: rebase due to conflicts and address #29415 (review)

I am back from some afk time.

DrahtBot removed the label Needs rebase on Sep 1, 2025

vasild force-pushed on Sep 3, 2025

vasild commented at 9:20 am on September 3, 2025: contributor

2bd4714fa9...8fbff5233f: extend the functional test to send two transactions that have the same txid but different wtxid, made possible by #32385. Thank you, @stratospher!

The functional test has grown quite extensive. It is a further load on reviewers. That is in the last two commits. If you don’t feel like reviewing it, you can omit those last two commits and review up to bb814cde2a rpc: use private broadcast from sendrawtransaction RPC if -privatebroadcast is ON. In that case I am going to remove the last two commits from here and put them into a separate PR.

vasild force-pushed on Sep 3, 2025

DrahtBot added the label CI failed on Sep 3, 2025

vasild commented at 9:31 am on September 3, 2025: contributor

8fbff5233f...4327327dd0: fix python linter f-string without any placeholders

DrahtBot commented at 9:31 am on September 3, 2025: contributor

🚧 At least one of the CI tasks failed. Task lint: https://github.com/bitcoin/bitcoin/runs/49482001469 LLM reason (✨ experimental): (empty)

Try to run the tests locally, according to the documentation. However, a CI failure may still happen due to a number of reasons, for example:

Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.
A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.
An intermittent issue.

Leave a comment here, if you need help tracking down a confusing failure.

DrahtBot removed the label CI failed on Sep 3, 2025

andrewtoth commented at 2:44 pm on September 5, 2025: contributor

I tried sending a tx with fee rate 0.1 sat/vbyte using 4327327dd07457621fe1a9c88dfbf6fccb0e8854.

I connected to 3 nodes and disconnected after receiving the PONG, and then attempted one more connection every 10 minutes. I finally received the tx back from another peer after 13 hours and 90 connection attempts.

in test/functional/p2p_private_broadcast.py:371 in 4327327dd0 outdated

366+            tx_originator.setmocktime(int(time.time()) + delta)
367+            tx_originator.mockscheduler(delta)
368+        self.check_broadcasts("Rebroadcast", txs[1], 1, skip_destinations)
369+        tx_originator.setmocktime(0) # Let the clock tick again (it will go backwards due to this).
370+
371+        self.log.info("Sending a pair of transactions with same txid and different and valid wtxid via RPC")

andrewtoth commented at 0:15 am on September 8, 2025:

grammar nit:

0        self.log.info("Sending a pair of transactions with the same txid but different valid wtxids via RPC")

vasild commented at 9:29 am on September 8, 2025:

Changed locally, will be in the next push, thanks!

vasild commented at 11:20 am on September 11, 2025:

Done.

andrewtoth approved

andrewtoth commented at 0:27 am on September 8, 2025: contributor

re-ACK 4327327dd07457621fe1a9c88dfbf6fccb0e8854

Changes from my last ACK dbd76e68c3fd86814e96be85a2d23eb542df6e55 (git range-diff 5d17e64a02...dbd76e68c3 7cc9a08706...4327327dd0):

ee75225369: grammar
ead32f37c8: remove txid conversions to resolve conflict
9ec10ceb59: convert Txid to uint256, update import from util/transaction_identifier.h to primitives/transaction_identifier.h to resolve conflict
dbd76e68c3: add functional test for rejecting scheduling private broadcast for a tx which shares a txid with a different already scheduled tx

Also ran functional tests locally.

vasild commented at 10:10 am on September 8, 2025: contributor

I tried sending a tx with fee rate 0.1 sat/vbyte

Added a note to “Further extensions” in PR description (see at the bottom) to consider checking the FEEFILTER message and retrying sooner than 10 minutes if the transaction is below their threshold.

I finally received the tx back from another peer after 13 hours and 90 connection attempts.

I wonder how this compares to the current send-to-all-connected-peers approach. If it took 90 peers to find one to accept the transaction, and if we are connected to less peers, then even sending to all of them could turn out to be futile (edit: note that we will honor FEEFILTER for connected peers). Then we don’t actively cycle our connected peers or deliberately try to find a peer that will accept our low fee transaction. So it could be that it takes even more time with the current send-to-all-connected-peers approach?

DrahtBot added the label Needs rebase on Sep 9, 2025

vasild force-pushed on Sep 11, 2025

vasild commented at 11:20 am on September 11, 2025: contributor

4327327dd0...3f6a61e3c5: rebase due to conflicts and take #29415 (review)

DrahtBot removed the label Needs rebase on Sep 11, 2025

DrahtBot added the label Needs rebase on Sep 17, 2025

vasild force-pushed on Sep 19, 2025

vasild commented at 11:23 am on September 19, 2025: contributor

3f6a61e3c5...3aa74b5176: rebase due to conflicts

DrahtBot removed the label Needs rebase on Sep 19, 2025

instagibbs commented at 12:57 pm on September 19, 2025: member

if we take the last commit: fixup

I feel like this is going to be taken, no? Especially as we think ahead with relay (say, 1p1pc packages), seems necessary to do the INV/getdata cycle.

vasild commented at 1:22 pm on September 19, 2025: contributor

@instagibbs, yes, this was already taken some time ago and squashed into the relevant commit: #29415 (comment)

andrewtoth commented at 4:37 pm on September 20, 2025: contributor

re-ACK 3aa74b517621950b7c987d9c6db1856b4bd70ed1

Trivial changes since my last ACK (git range-diff 7cc9a08706...4327327dd0 edb871cba2...3aa74b5176).

vasild commented at 2:00 pm on September 22, 2025: contributor

I extracted one commit from here into #33454 with the aim to reduce the size of this PR once #33454 is merged.

DrahtBot added the label Needs rebase on Sep 30, 2025

vasild force-pushed on Oct 1, 2025

vasild commented at 2:25 pm on October 1, 2025: contributor

3aa74b5176...22fadecc14: rebase due to conflicts and pick changes from https://github.com/bitcoin/bitcoin/pull/33454

DrahtBot removed the label Needs rebase on Oct 1, 2025

vasild force-pushed on Oct 1, 2025

vasild commented at 3:57 pm on October 1, 2025: contributor

22fadecc14...b01d6df464: resolve silent merge conflict / fix CI

DrahtBot added the label Needs rebase on Oct 1, 2025

vasild force-pushed on Oct 2, 2025

vasild commented at 10:05 am on October 2, 2025: contributor

b01d6df464...21efe8fa82: rebase due to conflicts

DrahtBot removed the label Needs rebase on Oct 2, 2025

glozow referenced this in commit 452ea59281 on Oct 6, 2025

DrahtBot added the label Needs rebase on Oct 6, 2025

log: introduce a new category for private broadcast 8325b6d07f

init: introduce a new option to enable/disable private broadcast

Co-authored-by: brunoerg <brunoely.gc@gmail.com>

8ebfb79ef7

net: introduce a new connection type for private broadcast

We will open a short-lived connection to a random Tor or I2P peer,
send our transaction to that peer and close the connection.

de6d7c03a2

net: implement opening PRIVATE_BROADCAST connections

Implement opening `ConnectionType::PRIVATE_BROADCAST` connections with
the following properties:
* Only to Tor or I2P (or IPv4/IPv6 through the Tor proxy, if provided)
* Open such connections only when requested and don't maintain N opened
  connections of this type.
* Since this is substantially different than what
  `OpenNetworkConnection()` does, open the private broadcast connections
  from a different thread instead of modifying `OpenNetworkConnection()`
  to also open those types of connections.

7d550e2f2e

vasild force-pushed on Oct 7, 2025

vasild commented at 8:53 am on October 7, 2025: contributor

21efe8fa82...7d837fef28: rebase due to conflicts; remove changes that were already merged via https://github.com/bitcoin/bitcoin/pull/33454

DrahtBot removed the label Needs rebase on Oct 7, 2025

net_processing: rename RelayTransaction to better describe what it does

Rename `PeerManager::RelayTransaction()` to
`PeerManager::ScheduleTxForBroadcastToAll()`. The transaction is not relayed
when the method returns. It is only scheduled for broadcasting at a later
time. Also, there will be another method which only schedules for broadcast
to Tor or I2P peers.

8b1cf94af8

node: change a tx-relay on/off flag to enum

Previously the `bool relay` argument to `BroadcastTransaction()`
designated:

```
relay=true: add to the mempool and broadcast to all peers
relay=false: add to the mempool
```

Change this to an `enum`, so it is more readable and easier to extend
with a 3rd option. Consider these example call sites:

```cpp
Paint(true);
// Or
Paint(/*is_red=*/true);
```

vs

```cpp
Paint(RED);
```

The idea for putting `TxBroadcastMethod` into `node/types.h` by Ryan.

Co-authored-by: Ryan Ofsky <ryan@ofsky.org>

9c47c17c01

node: extend node::TxBroadcastMethod with a 3rd option

Extend `node::TxBroadcastMethod` with a 3rd option to not add the
transaction to the mempool and broadcast privately.

This is a non-functional change - `BroadcastTransaction()` will not
do anything if the 3rd options is passed and is not used by any of
its callers.

3fbb7ec887

net_processing: store transactions for private broadcast in PeerManager

Extend `PeerManager` with a transaction storage and a new method
`ScheduleTxForPrivateBroadcast()` which:
* adds a transaction to that storage and
* calls `CConnman::PrivateBroadcastAdd()` to open dedicated privacy
  connections that will pick an entry from the transaction storage and
  broadcast it.

5341c5a282

net_processing: reorder the code that handles the VERSION message

Change the order in which code snippets are executed as a result of
receiving the `VERSION` message. Move the snippets that do
`MakeAndPushMessage()` near the end. This will help with handling of
private broadcast connections - they do not require any of that.

This is a non-functional change.

72c894d291

net_processing: handle ConnectionType::PRIVATE_BROADCAST connections

For connections of type `ConnectionType::PRIVATE_BROADCAST`:
* After receiving VERACK, relay a transaction from the list of
  transactions for private broadcast and disconnect
* Don't process any messages after VERACK
* Don't send any messages other than the minimum required for the
  transaction relay

cf196554cf

net_processing: stop private broadcast of a transaction after round-trip

Remove the transaction from the list of transactions to broadcast after
we receive it from the network.

Only remove the transaction if it is the same as the one we sent: both
txid and wtxid match. Don't remove transactions that have the same txid
and different wxtid. Such transactions show that some of the private
broadcast recipients malleated the witness and the transaction made it
back to us. The witness could be either:
* invalid, in which case the transaction will not be accepted in
  anybody's pool; or
* valid, in which case either the original or the malleated transaction
  will make it to nodes' mempools and eventually be mined. Our response
  is to keep broadcasting the original. If the malleated transaction
  wins then we will eventually stop broadcasting the original when it
  gets stale and gets removed from the "to broadcast" storage cause it
  is not acceptable in our mempool.

d6ec9adf13

net_processing: retry private broadcast

Periodically check for stale transactions in peerman and if found,
reschedule new connections to be opened by connman for broadcasting
them.

6959d42271

rpc: use private broadcast from sendrawtransaction RPC if -privatebroadcast is ON abb62dc58a

test: move create_malleated_version() to messages.py for reuse e5a677ce49

test: add functional test for private broadcast a9d697c0e1

vasild force-pushed on Oct 7, 2025

vasild commented at 3:16 pm on October 7, 2025: contributor

7d837fef28...a9d697c0e1: minor changes to facilitate chopping off two pieces of this into smaller independent PRs:

#33565 https://github.com/bitcoin/bitcoin/pull/33567

naiyoma commented at 11:55 am on October 14, 2025: contributor

Concept ACK

Tested consecutively for 5 days on Signet,

Day 1 Time to hear back: 11 seconds Connections: 3 attempted, 3 successful
Day 2 Time to hear back: 72 seconds (1 min 12 sec) Connections: 3 attempted, 1 successful
Day 3 Time to hear back: 14 seconds Connections: 3 attempted, 3 successful
Day 4 Time to hear back: 15 seconds Connections: 3 attempted, 1 successful
Day 5 Time to hear back: 15 seconds Connections: 3 attempted, 3 successful

I got an intermittent SOCKS5 error while running tests

 02025-10-08T11:54:47.008390Z TestFramework (INFO):   - siblings' parent added to the mempool
 12025-10-08T11:54:47.011980Z TestFramework (INFO):   - sent sibling1: ok
 22025-10-08T11:54:47.019053Z TestFramework (INFO):   - sibling2 rejected because it has the same txid: ok
 32025-10-08T11:54:47.019536Z TestFramework (INFO): Trying to send a transaction when none of Tor or I2P is reachable
 42025-10-08T11:54:47.023692Z TestFramework.socks5 (ERROR): socks5 request handling failed.
 5Traceback (most recent call last):
 6 File "/home/ubuntu/Projects/bitcoin/test/functional/test_framework/socks5.py", line 139, in handle
 7   ver = recvall(self.conn, 1)[0]
 8         ^^^^^^^^^^^^^^^^^^^^^
 9 File "/home/ubuntu/Projects/bitcoin/test/functional/test_framework/socks5.py", line 33, in recvall
10   d = s.recv(n)
11       ^^^^^^^^^
12ConnectionResetError: [Errno 104] Connection reset by peer
132025-10-08T11:54:47.489806Z TestFramework (INFO): Stopping nodes
142025-10-08T11:54:47.597776Z TestFramework (INFO): Cleaning up /tmp/bitcoin_func_test_6jjqtl1l on exit
152025-10-08T11:54:47.598040Z TestFramework (INFO): Tests successful

ajtowns commented at 2:48 pm on October 21, 2025: contributor

Concept ACK as per #27509 (comment)

Not sure the internal implementation around BroadcastTransaction() fully makes sense – I could see BroadcastTransaction() having the knowledge of how transactions should be broadcast being better than having every caller of it specify it. If that means we need to prioritise fixing #11887 so that we can do this for wallet transactions straight away, that doesn’t seem like a bad thing (EDIT: see #33671 as a first pass). Not doing this for wallet txs seems like a big miss anyway?

It may make sense to be able to override the default policy – eg so submitrawtransaction can go straight to the mempool and relay, even if txs are normally privately relayed; but I think the default logic and parameter lookups should be centralised.

As far as the protocol goes, it may make sense to wait a little longer to allow for GETDATA <parent txid> 1p1c relay, including in the case where you’re not sending a package, but cpfp’ing something that was already in the mempool.

Consider periodically sending transactions that did not originate from the node as decoy, discussed #29415 (review).

It might be good to align the behaviour of feeler connections made over private networks with the private relay logic. ie, rather than introducing a new connection type, overload feeler connections as follows:

if the feeler connection is over a public network, no change
otherwise:
- continue to do normal feeler logic
- if there are private txs due to be broadcast, pick a private tx. otherwise, pick a recent tx.
- send an INV, wait for a GETDATA, send a PING, wait for a PONG. if there were parent txs in the mempool or parent txs in the private pool. once it’s been 30s since the last message, disconnect.
make private network feeler connections more frequently when there are private txs queued to send
restrict feeler connection messages in a similar way to how this PR restricts private broadcast connections

Moving private_broadcast storage into the mempool rather than in peermanager would probably make sense in that case.

Broadcast own transactions only via short-lived Tor or I2P connections #29415

Code Coverage & Benchmarks

Reviews

Conflicts

Summary

Q&A highlights

Useful comments

Unresolved questions / remaining TODO

Send INV message?

Misc