sweeper: relax anchor sweeping when there's no deadline pressure

[yyforyongyu]

This PR prepares for #7549. It changes from always sweeping anchor for a local force close to only do so when there is an actual time pressure. After this change, a forced anchor sweeping will only be attempted when the deadline is less than 144 blocks.

A second change is, when supplying a wallet utxo to a force sweeping, we'd always try the smallest utxo first, which provides a chance to aggregate the small wallet utxos and keep the larger utxos available for other purposes.

There's also an attempt to make the anchor sweeping configurable #7939, which I think we could instead make it configurable so that users can decide to attach a wallet utxo to sweep the anchors or not.

NOTE: itest won't pass atm, looking for feedback first.

[ziggie1984]

Concept ACK, I think this is a good way forward, but we need to maybe force some second level htlc transaction now ?

Based on eugene's input, I think we will have problems with HTLC-Success Transactions because we should only sweep them if they are economical and they might have zero-fees attached which means they need wallet utxos (aggregating seems unlikely to work or is not deterministic enough)

[ziggie1984]

so you mean we should take care of this case before this function, and if we registered an input with a required dust output we just continue and anticipate the sweep to fail ?

[yyforyongyu]

yeah imo we should return an error here - so that the caller know this would fail.

[ziggie1984]

In case we remain with the default mempool feelimit of bitcoind (3000 sats/vbyte) I think this case should be marked as an error, because that means our HTLC acceptor engine did create an HTLC output although it should have be trimmed away ?

[ziggie1984]

But I think we cannot just continue for Force-Sweeps as well if we hit this case, because the input is signed with the SIGHASH-Single|AnyoneCanPay or what do you mean exactly by this comment?

[yyforyongyu]

But I think we cannot just continue for Force-Sweeps as well if we hit this case, because the input is signed with the SIGHASH-Single|AnyoneCanPay

What do you mean?

In case we remain with the default mempool feelimit of bitcoind (3000 sats/vbyte) I think this case should be marked as an error

Yeah agree, changed to log an error instead.

[ziggie1984]

Ok I was not 100% in regards of the comment, why do you want to distinguish here for force and non-forced sweeps and why should we not return early if we figure out that this is a required dust-output ?

[yyforyongyu]

It really depends on how we define force. Atm it means to collect the input although it may be uneconomical, while I think what it really means is, this output needs to be swept because it has other implications, such as CPFP the closing tx, and we should make it happen and fail loudly when it fails.

[ziggie1984]

Nit: I would intuitively pack this not in the constraintsRegular section.

[yyforyongyu]

you mean to put it there or not to?

[ziggie1984]

so I am not sure if your comment holds when a new regular Input has such a size that at the current fee-level would be negative yielding ?

[yyforyongyu]

If it's negative yielding it should not be added?

[ziggie1984]

I think it was just a misunderstanding on my side in regards of the comment. Maybe something like this:

	// In other words, though we may have negative `changeOutput` from
	// including force sweeps, `inputYield` should always increase when
	// adding regular inputs which are positive yielding`

[ziggie1984]

can we do this in the wallet lib maybe or what be really slick connect it to the lnd parameteer where we select random or ordered wallet inputs: https://github.com/lightningnetwork/lnd/blob/master/sample-lnd.conf#L149

[yyforyongyu]

oh yeah forgot about that config! added a todo here and we can fix it in later refactoring PRs.

[ziggie1984]

so you think doing this sorting in the btcwallet lib is not really worth it? I am good with both

[Roasbeef]

btcwallet does the sorting rn when it does its own coin selection for SendCoins. The existing behavior for ListUnspent is to return in decreasing order IIUC. We can thread through a new arg to allow that behavior to be modified, but don't think it's a blocking factor here.

[Roasbeef]

think we will have problems with HTLC-Success Transactions because we should only sweep them if they are economical and they might have zero-fees

We always need to sweep them (assuming you're referring to second level HTLC transactions). Otherwise if we don't, then we can trigger loss of funds if the outgoing link sweeps with preimage (after we go on chain), and we fail to sweep in the incoming link (after we had force closed for w/e reason).

[Roasbeef]

Yeah for the full-node backends, in theory we can either try to parse the error message to figure out why the input was rejected, or just re-publish and bisect to see why the transaction was rejected. A third route would be starting to use tstmempoolaccept, which I think returns structured information w.r.t why something wouldn't have been accepted.

[yyforyongyu]

Cool will fix this in the coming PRs which improve our sweeper.

[Roasbeef]

If what we want here is to reduce unnecessary UTXO consumption by the sweeper due to stuff like anchors, then we can remove this section here that preemptively sends the anchor sweeps to the sweeper upon force close:

lnd/contractcourt/channel_arbitrator.go

Lines 1112 to 1132 in 90effda

	// The commitment transaction has been broadcast, but it
	// doesn't necessarily need to be the commitment
	// transaction version that is going to be confirmed. To
	// be sure that any of those versions can be anchored
	// down, we now submit all anchor resolutions to the
	// sweeper. The sweeper will keep trying to sweep all of
	// them.
	//
	// Note that the sweeper is idempotent. If we ever
	// happen to end up at this point in the code again, no
	// harm is done by re-offering the anchors to the
	// sweeper.
	anchors, err := c.cfg.Channel.NewAnchorResolutions()
	if err != nil {
	return StateError, closeTx, err
	}
	err = c.sweepAnchors(anchors, triggerHeight)
	if err != nil {
	return StateError, closeTx, err
	}

We don't set those to Force because it makes no sense to sweep them if it's uneconomical

This isn't always the case. Normally yes, but if we did make the decision to go to chain, then we must sweeps those HTLCs as otherwise we won't be able to cancel back the HTLC on the incoming link. If mempools are congested, then this can lead to cascading force closes.

This PR attempts to short circuit that and avoid going to chain at all. But if we did decide to go to chain, then we must force close.

[Crypt-iQ]

The current code doesn't set it to Force though, so the 2nd-level won't happen if it's not economical? As far as #7685 goes, I think it makes more sense to abandon the sweep and give up on the incoming HTLC because then you're not losing value_of_outgoing_htlc + negative_outgoing_sweep and instead just lose value_of_outgoing_htlc

[ziggie1984]

This isn't always the case. Normally yes, but if we did make the decision to go to chain, then we must sweeps those HTLCs as otherwise

Does this not only apply for Outgoing HTLCs, why should we care for HTLC-Success transactions if they are not worth sweeping economically ? There should be no incoming link at risk for the Success-Tx ?

[Crypt-iQ]

My bad, I was looking at a branch before #7966 was applied. So this should only apply to the incoming side. However, I still don't think it makes sense to sweep the outgoing HTLC at a loss when we should just take the loss and not sweep it if possible

[Roasbeef]

Re the anchor issues, right now we always add force when we go to sweep them after we detect that we broadcasted the commitment (user or chain trigger):

lnd/contractcourt/channel_arbitrator.go

Lines 1325 to 1345 in 90effda

	// Sweep anchor output with a confirmation target fee
	// preference. Because this is a cpfp-operation, the anchor will
	// only be attempted to sweep when the current fee estimate for
	// the confirmation target exceeds the commit fee rate.
	//
	// Also signal that this is a force sweep, so that the anchor
	// will be swept even if it isn't economical purely based on the
	// anchor value.
	_, err = c.cfg.Sweeper.SweepInput(
	&anchorInput,
	sweep.Params{
	Fee: sweep.FeePreference{
	ConfTarget: deadline,
	},
	Force: true,
	ExclusiveGroup: &exclusiveGroup,
	},
	)
	if err != nil {
	return err
	}

Instead, we should only upgrade to force once we think it's actually needed. Implementation wise, this may allow us to bite off a smaller piece of the sweeper deadline awareness, but only for anchor outputs. Rather than insert this at the core of the sweeper, we'd have the anchor resolver listen for block epochs, then re-offer the anchor inputs with force and increasing fee rates until confirmed.

There might be a slight danger here though, if by the time we realize we need to bump the fee, the transactions has already fallen out of the mempool. IMO, this'll always apply to any scenario related to fee bumping, as without package relay, we can't ensure that the parent is still "in the mempool".

Thoughts?

[Roasbeef]

The anchor resolve is then created+launched after something confirms. This one tries to sweep at 1 sat/byte:

lnd/contractcourt/anchor_resolver.go

Lines 87 to 122 in 90effda

	// Attempt to update the sweep parameters to the post-confirmation
	// situation. We don't want to force sweep anymore, because the anchor
	// lost its special purpose to get the commitment confirmed. It is just
	// an output that we want to sweep only if it is economical to do so.
	//
	// An exclusive group is not necessary anymore, because we know that
	// this is the only anchor that can be swept.
	//
	// We also clear the parent tx information for cpfp, because the
	// commitment tx is confirmed.
	//
	// After a restart or when the remote force closes, the sweeper is not
	// yet aware of the anchor. In that case, it will be added as new input
	// to the sweeper.
	relayFeeRate := c.Sweeper.RelayFeePerKW()
	witnessType := input.CommitmentAnchor
	// For taproot channels, we need to use the proper witness type.
	if c.chanType.IsTaproot() {
	witnessType = input.TaprootAnchorSweepSpend
	}
	anchorInput := input.MakeBaseInput(
	&c.anchor, witnessType, &c.anchorSignDescriptor,
	c.broadcastHeight, nil,
	)
	resultChan, err := c.Sweeper.SweepInput(
	&anchorInput,
	sweep.Params{
	Fee: sweep.FeePreference{
	FeeRate: relayFeeRate,
	},
	},
	)

I think the primary goal of this PR was to stop this variant (which is always offered) from taking up wallet input to confirm the various versions?

Alternatively, we can also try to cancel the old anchor versions once something confirms. Once a commitment confirms, we know exactly which versions we want to sweep, so we can give up on the others.

[ziggie1984]

There might be a slight danger here though, if by the time we realize we need to bump the fee, the transactions has already fallen out of the mempool. IMO, this'll always apply to any scenario related to fee bumping, as without package relay, we can't ensure that the parent is still "in the mempool".

We need to track why a potential Force-Close is failing to get into mempool, because we might want to launch the CPFP operation of the Remote Commitment if our FC is not allowed into mempool because another transaction already spents the funding output? Meaning that we need launch also the CPFP operations for the Remote Commitment (+remote dangling one) or at least check whether those are in our mempool prior to launching the Anchor CPFPs?

[Crypt-iQ]

The latest set of changes makes sense to me. itests failing atm

[yyforyongyu]

Updated the PR to relax on deadline-aware anchor sweeping. It changes the sweeper from always sweeping anchor for a local force close to only do so when there is an actual time pressure. This doesn't completely solve the issue that we may lock up a wallet UTXO to sweep an anchor using a very low fee rate - need more investigation and possibly a refactor on the sweeper.

We always need to sweep them (assuming you're referring to second level HTLC transactions). Otherwise if we don't, then we can trigger loss of funds if the outgoing link sweeps with preimage (after we go on chain), and we fail to sweep in the incoming link (after we had force closed for w/e reason).

This is true prior to the fee spikes. I think after the fee spikes, it becomes conditional as it can be uneconomical to sweep the HTLC.

There might be a slight danger here though, if by the time we realize we need to bump the fee, the transactions has already fallen out of the mempool

Think this is handled by our rebroadcaster?

[lightninglabs-deploy]

@Roasbeef: review reminder
@Crypt-iQ: review reminder
@ziggie1984: review reminder

[ziggie1984]

Had some minor comments but its close 👍

[ziggie1984]

In case we remain with the default mempool feelimit of bitcoind (3000 sats/vbyte) I think this case should be marked as an error, because that means our HTLC acceptor engine did create an HTLC output although it should have be trimmed away ?

[ziggie1984]

But I think we cannot just continue for Force-Sweeps as well if we hit this case, because the input is signed with the SIGHASH-Single|AnyoneCanPay or what do you mean exactly by this comment?

[ziggie1984]

so I am not sure if your comment holds when a new regular Input has such a size that at the current fee-level would be negative yielding ?

[ziggie1984]

Nit: unless a relevant HTLC will timeout in less than 144 blocks ?

[Roasbeef]

Will the change to not offer the anchor output at all to the sweeper mean that users won't be able to use BumpFee anymore to CPFP before that deadline is hit?

[ziggie1984]

very good point, you are right we would not be able to bump the commitment transaction here (because we only accept it if it's in our pending_sweep map):

https://github.com/lightningnetwork/lnd/blob/master/sweep/sweeper.go#L1537-L1540

I think thats something we don't want (imo)

[yyforyongyu]

yeah unless the deadline is 144 blocks away, this anchor sweep won't be attempted - I think another option is to make the 144 blocks configurable.

[yyforyongyu]

actually i think you can still use BumpFee. When the deadline is more than 144 blocks away, the anchor input will still be sent to our sweeper, the difference is the force flag won't be used.

[ziggie1984]

Ahh correct, oversaw that. So it will be able to bump the closing transaction cool !

[ziggie1984]

Nit: s/swpet/swept/g

[yyforyongyu]

fixed

[ziggie1984]

Nit: maybe call this hasAnchorCpfpSweep ?

[ziggie1984]

Nit: I think the comment is not quite right, we did already mine more than 1 block?

[yyforyongyu]

yeah fixed - think we should avoid testing multiple commitment types in a single test in the future, it's a bit too involved to maintain🤦🏻

[Crypt-iQ]

very close, just think the comment about dust should be removed

[Roasbeef]

btcwallet does the sorting rn when it does its own coin selection for SendCoins. The existing behavior for ListUnspent is to return in decreasing order IIUC. We can thread through a new arg to allow that behavior to be modified, but don't think it's a blocking factor here.

[Roasbeef]

Yeah what we want to start to do there is actually use testmempoolaccept before we broadcast things. So we become less "spray and pray" in general.

[Roasbeef]

Will the change to not offer the anchor output at all to the sweeper mean that users won't be able to use BumpFee anymore to CPFP before that deadline is hit?

[ziggie1984]

Important PR, LGTM 🚀

[ziggie1984]

Ok I was not 100% in regards of the comment, why do you want to distinguish here for force and non-forced sweeps and why should we not return early if we figure out that this is a required dust-output ?

[ziggie1984]

I think it was just a misunderstanding on my side in regards of the comment. Maybe something like this:

	// In other words, though we may have negative `changeOutput` from
	// including force sweeps, `inputYield` should always increase when
	// adding regular inputs which are positive yielding`

[yyforyongyu]

updated release notes