Brainstorm: Transaction issuer-selected policy limits

ariard commented at 7:08 pm on February 19, 2024: member

This issue opens a brainstorm about introducing transaction issuer-selected policy limits.

Currently, all the policy limits are either static (e.g DUST_RELAY_TX_FEE or MIN_STANDARD_TX_NONWITNESS_SIZE) or it can be set dynamically on the command-line by the node operator (e.g ancestors / descendants / incremental tx-relay fee). New policy mechanism like v3 are introducing specific limit such as the 1000 vb limit on the single child.

This approach is limited for some use-cases, as there is an interdependency between the policy limits and efficiency or loss of funds risks. E.g for LN, higher the v3 child limit, higher is the pinning risk exposure, i.e the amount of satoshis one can steal by slipping a pinning package under the child limit. Applying limit on child only can additionally miss to protect package propagation, as in LN context at least parent can be inflated according channel parameters.

I did a small proof-of-concept with #29448. After writing it, I realize this might be too much policy flexibility for now, especially if transaction issuers-selected policy limits can introduce economic-induced performance asymmetries in the low performance host, i.e what if tx-relay traffic starts to be materially segregated and this breaks BIP152 compact blocks propagation (it might be fixed by being more aggrressive on prefilledtxn, however this assume “predictive” discrepancies algorithms).

In terms of transaction or protocol fields where such opt-in transaction-issuer policy limits could be inserted among others:

nSequence field - bip68 semantics to deal with
nVersion field lower bits
taproot annex
p2p extensions e.g ancpkginfo or a new issuer_wtxid, committing to a policy profile

I think it can be an interesting to experiment with a transaction-issuer selected limit for at least the 1000 vb limit. Making it a dynamic limit in the limit of MAX_STANDARD_TX_WEIGHT applied on the whole v3 package. This would at least address my strong concern that current v3 approach is realistically weak to address substantially pinning risks for LN.

Such transaction issuer-selected policy limits could be useful for a wide array of other use-cases. E.g iterative batching where you would like to have child of reasonable size to fanout payouts and fee-bump at the same-time.

Looking forward to thoughts.

maflcko added the label Brainstorming on Feb 21, 2024

maflcko added the label TX fees and policy on Feb 21, 2024

petertodd commented at 8:21 pm on March 11, 2024: contributor

The problem with policy limits is they’re all based on asking miners to ignore transactions that are potentially profitable. This is similar in spirit to opt-in RBF. And as we’ve seen, the supermajority of hash power eventually decided to ignore the opt-in flag and just do RBF all the time. If push came to shove, it wouldn’t be surprising to run into the same class of problem with policy limits.

Much better to focus on solutions like replace-by-fee-rate that rely on better aligning miner incentives with the protocols in question. These solutions also appear to be much simpler.

Finally, using the taproot annex specifically has the problem that you’re using extra bytes. As always, that’s a miner centralization concern because cheaper solutions are possible that do not use the annex.

maflcko commented at 6:52 am on June 27, 2024: member

Closing for now, due to inactivity. As this policy discussion isn’t directly and exclusively related to the Bitcoin Core code base, it could make more sense to discuss with the greater ecosystem first, for example https://groups.google.com/g/bitcoindev, or https://delvingbitcoin.org/ ?

maflcko closed this on Jun 27, 2024

ariard commented at 4:07 pm on June 27, 2024: member

The problem with policy limits is they’re all based on asking miners to ignore transactions that are potentially profitable. This is similar in spirit to opt-in RBF. And as we’ve seen, the supermajority of hash power eventually decided to ignore the opt-in flag and just do RBF all the time. If push came to shove, it wouldn’t be surprising to run into the same class of problem with policy limits.

Much better to focus on solutions like replace-by-fee-rate that rely on better aligning miner incentives with the protocols in question. These solutions also appear to be much simpler.

Finally, using the taproot annex specifically has the problem that you’re using extra bytes. As always, that’s a miner centralization concern because cheaper solutions are possible that do not use the annex.

I think note the spirit of transaction issuer-selected policy limits, where transaction issuers are instead signaling package limits that suits better their use-case requirements, and it can be handled by solo miners or a single mining pools by adjusting their local mempool settings, without entering into the wormhole of network-wide limits current MAX_PACKAGE_WEIGHT / MAX_PACKAGE_COUNT and subsequent network-wide change like we’re seeing with mempoolfullrbf.

I think the proposal is orthogonal to replace-by-feerate, there is certainly of issues which are addressed by both like hardening in face of transaction pinning vectors.

Note, this is correct that extra bytes can always be a miner centralization concern. There was a first patch I did with using only the nSequence though (a) it’s limited by the 32-bit field to encode semantics and (b) the field is already used by consensus mechanism like bip68. Trade-offs.

Closing for now, due to inactivity. As this policy discussion isn’t directly and exclusively related to the Bitcoin Core code base, it could make more sense to discuss with the greater ecosystem first, for example https://groups.google.com/g/bitcoindev, or https://delvingbitcoin.org/ ?

For context tracking, the subject has been mentioned on the google bitcoin mailing list here: https://groups.google.com/g/bitcoindev/c/NUKF4PZ0uLc/m/TP_XVg9yBAAJ. I think effectively it’s better to be talk at the conceptual level for now on another communication medium.

Brainstorm: Transaction issuer-selected policy limits #29454