Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

multi: add BuildOnion, SendOnion, and TrackOnion RPCs #9489

Open
wants to merge 18 commits into
base: master
Choose a base branch
from
Open

multi: add BuildOnion, SendOnion, and TrackOnion RPCs #9489

wants to merge 18 commits into from

Conversation

calvinrzachman
Copy link
Contributor

@calvinrzachman calvinrzachman commented Feb 8, 2025
edited
Loading

Change Description

We add a new switchrpc RPC sub-system with SendOnion, BuildOnion, and TrackOnion RPCs. This allows the daemon to offload path-finding, onion construction and payment life-cycle management to an external entity (such as a remotely instantiated ChannelRouter type) and instead accept onion payments for direct delivery to the network.

  • Almost all the new functionality is hidden by a non-default build tag called switchrpc.
  • Opted for a very slim wrapper around direct delivery of UpdateAddHTLC to the HTLCSwitch for forwarding, eg: no extra tracking by way of ChannelRouter and the ControlTower structures. This may be suitable given intended use by remote server with with instantiated ChannelRouter component which will perform this payment attempt life-cycle tracking centrally for a collection of backing lnd instances. NOTE: This would allow for the deployment of a slimmed down lnd instance which does not contain any routing components in the future.
  • Error information is communicated via RPC protobuf message directly such that the error types can be recreated client side if desired - as would be the case if this RPC is used by a remotely instantiated ChannelRouter .
  • This RPC could be used to implement an "oblivious send" in which a client submits onions via RPC to a hosted node provider such that the node provider does not know to whom the onion is going.

Avoiding Duplicate Payment Attempts

We are making send/track(onion) requests which traverse an async and unreliable network. Clients which use these RPCs to make decisions about whether to make additional payment attempts run the risk of a race/re-ordering of request processing misleading them into making a re-attempt when such a re-attempt is not safe to make. We'd like to prevent duplicate payment attempts and unintentional loss of funds by RPC clients.

Consider the following scenario:

  1. Client calls SendOnion with attempt ID A. Client receives gRPC DeadlineExceeded or service Unavailable error and is unable to distinguish between the request never reaching the server (eg: the server is offline --> safe to re-attempt via different server) and the server receiving the request and being unable to respond in time.
  2. TrackOnion with attempt ID A.
  3. TrackOnion indicates no HTLC for attempt ID A, so client makes another attempt and calls SendOnion again with different attempt ID.
  4. SendOnion for attempt ID A executes.
  5. SendOnion for attempt ID B executes. We have leaked an attempt and unintentionally overpaid!
  • One approach involves idempotent SendOnion implementation combined with an RPC client which persists acknowledgement of successful onion/HTLC receipt and dispatch from the server. The client can wait, retrying if necessary, until it gets an explicit acknowledgment from the server about the HTLC’s status before ever calling TrackOnion.
    • To handle restarts, it must persist this acknowledgement and differentiate between ACK’d and UNACK’d attempts, handling them differently on startup. NOTE: This would require ChannelRouter changes for how we intend to use these RPCs ⚠️
  • The server acknowledgement in the previous approach is what allows a careful RPC caller to guarantee ordering between “send” and “track” for the same attempt ID even with an unreliable network. “Send” will always complete before “track”, thereby removing the risk of duplicate payment.
  • The other alternative is to make this protective "send then track" enforcement the responsibility of the server. The server can prevent sends for an attempt ID which has already been tracked. The client will just have to try again with a different attempt ID. NOTE: This avoids ChannelRouter changes for how we intend to use these RPCs ⚠️
    • The server can make this determination by way of a store consulted by both SendOnion and TrackOnion. Both must write to the store so there can be communication. If TrackOnion only reads, then the potential for a race or unsafe order of execution still exists.

Future

  • Consider improvements to the Switch network result store.
    • Allow remote maintenance of the data in this store.
    • Implement duplicate protection for SendOnion which survives restarts, possibly via InitAttempt style method on the Switch store. All duplicates with same attempt ID would be rejected until the result for that attempt ID has been read and cleaned from the result store. Then the attempt ID can be freed for re-use.
  • Generalized concept of HTLC attempt ID (whether tuple or server generated) which permits multiple remote clients dispatching payments via SendOnion style RPC. Each RPC client should be able to clean only the attempt results relevant to it from the Switch's network result store. This would also allow lnd to be used both by remote clients dispatching payments via SendOnion and by more traditional clients via SendPaymentV2 at the same time.

calvinrzachman and others added 18 commits February 7, 2025 20:34
@calvinrzachman
switchrpc: configuration
d6462fa 
The SwitchRPC server will be hidden behind a build tag.
@calvinrzachman
switchrpc: add logger
0405c15
@calvinrzachman
switchrpc: add sub-server dependencies
2910b95
@calvinrzachman
switchrpc: subserver functionality
e003f6c
@calvinrzachman
switchrpc: add new SendOnion rpc proto
8fd59c1
@calvinrzachman
switchrpc: add SendOnion rpc
304ef41 
Add RPC for dispatching payments via onions. The payment
route and onion are computed by the caller and the onion
is delivered to the server for forwarding.

NOTE: The server does NOT process or peel the onion so it assumed
that the onion will be constructed such that the first hop is encrypted
to one of the server's channel partners.
@calvinrzachman
htlcswitch: return encrypted error blob when missing deobfuscator
9e5aa87 
Allow the switch to defer error handling when callers of GetAttemptResult
do not provide an error decrypter.
@calvinrzachman
switchrpc: add new TrackOnion rpc proto
cf9944c
@calvinrzachman
switchrpc: add TrackOnion rpc
6409abe 
Add RPC to lookup the status of a previously forwarded
onion. Allow callers of the TrackOnion rpc to indicate
whether they would like to handle errors themselves or
delegate error decryption to the server.

We take care to return ErrPaymentIDNotFound across RPC
boundary to the RPC caller. This will allow the caller
of TrackOnion to explicitly confirm that there is no HTLC
in-flight for the supplied attempt ID, so it is free to
safely re-attempt the payment.
@calvinrzachman
switchrpc: add new BuildOnion rpc proto
1f9d769
@calvinrzachman
switchrpc: add BuildOnion rpc
90ec101 
Add RPC which constructs a sphinx onion packet for the
given payment route.

NOTE: This is added primarily to aid with the itests added later.
@calvinrzachman
lntest: add switchrpc methods to harness
055836f
@calvinrzachman
itest: add send_onion test
9041056
@calvinrzachman
itest: add track_onion test
e03df91
@calvinrzachman
itest: add duplicate onion send test
f96f094 
This demonstrates how the Switch and SendOnion rpc
behave when asked to dispatch duplicate onions. Notably,
the Switch circuit map detects this - but only if the
matching onion is still in flight. Once the circuit is
torn down, the duplicate is permitted by the Switch.

It is likely that we will add a layer of protection to the
SendOnion call itself to prevent duplicates even after the
first HTLC is no longer in-flight.

TODO: Determine whether this SendOnion duplication protection
should presist across restarts.
@starius @calvinrzachman
switchrpc: protect from attemptID reuse
b1a1753 
Add a memory optimized store for SendOnion/TrackOnion duplication/safe ordering
protection. This ensures that if TrackOnion returns PAYMENT_ID_NOT_FOUND or
SendOnion initiates HTLC creation for a given attempt ID, SendOnion cannot
subsequently succeed with the same attempt ID. This mechanism safeguards against
overpayment in scenarios where network requests are reordered. If an attempt ID
has already been used by either SendOnion or TrackOnion, SendOnion will return
DUPLICATE_HTLC for that attempt ID.

Used https://github.com/RoaringBitmap/roaring as a store for attemp IDs.
@calvinrzachman
itest: update sendonion itest given duplicate protection
f69c058 
We can now assert that making multiple calls to SendOnion for
the same attempt ID is prevented.
@calvinrzachman
itest: verify switchrpc server enforces send then track
3bf2f15 
We prevent the rpc server from allowing onion dispatches for
attempt IDs which have already been tracked by rpc clients.

This helps protect the client from leaking a duplicate onion
attempt. NOTE: This is not the only method for solving this
issue! The issue could be addressed via careful client side
programming which accounts for the uncertainty and async
nature of dispatching onions to a remote process via RPC.
This would require some lnd ChannelRouter changes for how
we intend to use these RPCs though.
@coderabbitai coderabbitai
Copy link
Contributor

coderabbitai bot commented Feb 8, 2025

Important

Review skipped

Auto reviews are limited to specific labels.

🏷️ Labels to auto review (1)
  • llm-review

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@calvinrzachman calvinrzachman mentioned this pull request Feb 8, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@calvinrzachman @starius