multi: update close logic to handle re-orgs of depth n-1, where n is num confs - add min conf floor

[Roasbeef]

In this PR, we address the oldest issue in the lnd track: #53. Incremental improvements have landed over the years, but this is the most significant one to date.

First, we start to scale confs for closes just like we do for funding confirmation. A small refactor helps us to re-use this, with additional tests added.

We revamp the chain watcher to implement a state machine to ensure that we recognize the most deeply confirmed transaction closure. Once we detect a spend, we'll register for N confirmations for that spend. If we detect anther one (we can get another spend if a re-org happens, and a new one confirms), then we'll re-register for confirmations for that spend. We also start to read from the NegativeConf channel which will be sent upon if the transaction is re-org'd out after confirmation.

It's important to note that the logic around the NegativeConf case is incomplete, as this will only trigger if: we wait for 6 confs, then we have a 7 block re-org. In that case, we've already claimed all of our outputs on chain typically. To handle this, we'll actually need to re-create the channel arb and the chain watcher, the re-handle any contested outputs we may have had. If the re-org goes all the way back to the funding transaction, then that's extremely dire, and needs special handling. This isn't covered in this PR.

Most of the diff is actually just tests: unit tests, property based tests (helps us ensure we can handle spend, conf, re-org, spend, conf of nearly arbitrary params -- eg: confirm coop, re-org, confirm force close, etc), integration tests, etc. The core change is in this commit: b1d055e.

This fixes most of #53. Re the second item, if the funding txn gets re-org out, then confirmed again, then we'll be able to detect that, and close it normally. We still need the active logic to detect such a case though.

[gemini-code-assist]

Summary of Changes

Hello @Roasbeef, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a major overhaul to the chainWatcher component, focusing on making channel closure logic more resilient to blockchain reorganizations. By implementing a sophisticated state machine, the system can now dynamically adapt to re-orgs, re-registering for spend and confirmation notifications as needed to ensure the correct closing transaction is ultimately processed. Additionally, the number of confirmations required for channel closes now scales with channel capacity, providing a more balanced approach to security and user experience. This foundational work significantly improves the reliability of on-chain channel management.

Highlights

• Robust Re-org Handling for Channel Closes: The chainWatcher has been significantly revamped to incorporate a state machine that robustly handles blockchain reorganizations during channel closure. This ensures that the system can accurately track and react to changes in the chain, such as a closing transaction being re-orged out and replaced by another.
• Scaled Confirmation Requirements for Closes: Confirmation requirements for channel closes now scale based on the channel's capacity, similar to how funding transactions are handled. This balances security for larger channels with faster finality for smaller ones. A minimum of 3 confirmations is enforced for cooperative closes in production for re-org safety.
• Improved User Feedback for Cooperative Closes: For cooperative closes, the system now provides an intermediate update after just one confirmation, giving users quicker feedback that their transaction has been included in a block, followed by a final update once the full, scaled number of confirmations is reached.
• Extensive Testing with Property-Based and Integration Tests: A substantial portion of this pull request is dedicated to new and enhanced tests, including property-based tests using rapid and new integration tests. These cover various re-org scenarios and different channel close types (cooperative, unilateral, breach) to ensure the new logic is sound and resilient.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces significant improvements to the channel closing logic, making it more robust against chain reorganizations by implementing a state machine in the chainWatcher. It also adds a more nuanced, capacity-based confirmation scaling for channel closes. The changes are well-structured, with logic centralized in new files like lnwallet/confscale.go and supported by an impressive suite of new tests, including property-based tests for reorg scenarios. My review found a couple of minor areas for improvement: one related to potentially redundant code in peer/brontide.go and a naming suggestion in lnwallet/confscale_prod.go for better readability.

[Roasbeef]

Looking into the itest failure, I think it's due to a change in how we notify the coop close.

[Roasbeef]

Pushed up a few fix up commits.

One thing I realized is that the old blockbeat sync processing assumptions no longer apply. This is due to the fact that we won't call handleCommitSpend right after the block beat comes, as we'll now do other async operations, eg: wait for more confs. This is causing some of hte tests to fail with the old timing assumptions.

IMO, the best way to handle this may just be to add a devrpc call that we can use to force a sweep.

[yyforyongyu]

It looks like an easier and more direct way to resolve this is to listen to a conf channel instead of a spend channel? so replace c.fundingSpendNtfn with a c.fundingConfNtfn, and other logic can stay untouched?

[Roasbeef]

So we don't know what to listen for conf of, until we get the spend. Hence the need to request confs for each spend we get. With the way things work, if a spend confs, then is re-org'd out, then we get another spend, we'll get another notification on this same spend channel.

[yyforyongyu]

Sorry I wasn't been clear enough offline, what I meant is, we can just listen for the spendness of the fundingPkScript with a nil tx via

c.cfg.notifier.RegisterConfirmationsNtfn(nil, fundingPkScript, numConfs, beat.CurrentHeight())

Then we can now replace the usage of c.fundingSpendNtfn with c.fundingConfNtfn, and the change will be smaller.

[yyforyongyu]

When a reorg happens, a replaced block will be sent from the blockbeat, and we can ask the subsystem to reprocess this new block; hence the reorg is handled. That was part of the initial design so we can have a single piece of logic to handle reorg, assuming the blockbeat is extended to other subsystems like funding manager or gossip. Atm the blockbeat only gives the block height data, which is very much limited, and it can easily carry more info like utxos spent so we can just use a callback query to check for spending of interested outpoints. This will have the advantage that we now have a sync, single source of truth to check for spendness. This linear flow makes the code easier to reason and maintain.

These are long-term projects tho, just want to mention since it's related to the reorg handling.

[Roasbeef]

PTAL @yyforyongyu. This includes the extra commits for TriggerSweep.

[yyforyongyu]

I think instead of RegisterSpendNtfn, we can create a single, long-lived confirmation notifier:

fundingPkScript, err := deriveFundingPkScript(c.cfg.chanState)
// ...
heightHint := c.cfg.chanState.DeriveHeightHint()
numConfs := c.requiredConfsForSpend()

fundingConfNtfn, err := c.cfg.notifier.RegisterConfirmationsNtfn(
    nil, // No specific txid, watch the script
    fundingPkScript,
    numConfs,
    heightHint,
)
if err != nil {
    // Handle error
}
defer fundingConfNtfn.Cancel()

We then add a checkFundingConfirmed to replace checkFundingSpend,

// checkFundingConfirmed performs a non-blocking read on the Confirmed
// channel to check whether the spend has been fully confirmed.
func (c *chainWatcher) checkFundingConfirmed() *chainntnfs.TxConfirmation {
    select {
    case conf, ok := <-c.fundingConfNtfn.Confirmed:
        if !ok {
            return nil
        }
        return conf
    default:
        return nil
    }
}

Which is used on handleBlockbeat to replace the old checkFundingSpend check, and everything else stays unchanged.

The main loop then just needs fewer changes,

func (c *chainWatcher) closeObserver() {
    defer c.wg.Done()

    for {
        select {
        case beat := <-c.BlockbeatChan:
            c.handleBlockbeat(beat)

        // This case handles the initial discovery of the spend,
        // or a re-orged spend.
        case update := <-fundingConfNtfn.Updates:
        	...

        // This case handles a re-org.
        case <-fundingConfNtfn.NegativeConf:
        	...

        // This case handles a confirmation that might arrive between blocks.
        case conf := <-fundingConfNtfn.Confirmed:
        	// TODO: handleCommitSpend needs to be refactored to use `conf` instead of `SpendDetail`.
            err := c.handleCommitSpend(conf)
            ...

        case <-c.quit:
            return
        }
    }
}

I think this should bring the least disruption to the system and itests (fixing the remaining itest would be a nightmare🤦🏻).

[yyforyongyu]

Just wanna note that this is no longer from 1 to 6 but 3 to 6, which makes sense.

[yyforyongyu]

the formatting isn't quite right

[yyforyongyu]

hmm should we also derive and pass the numConfs here?

[yyforyongyu]

ok i see, looks like this commit can be a fixup commit for the previous one

[yyforyongyu]

Sorry I wasn't been clear enough offline, what I meant is, we can just listen for the spendness of the fundingPkScript with a nil tx via

c.cfg.notifier.RegisterConfirmationsNtfn(nil, fundingPkScript, numConfs, beat.CurrentHeight())

Then we can now replace the usage of c.fundingSpendNtfn with c.fundingConfNtfn, and the change will be smaller.