Merge bitcoin/bitcoin#28948: v3 transaction policy for anti-pinning

29029df5c7 [doc] v3 signaling in mempool-replacements.md (glozow) e643ea795e [fuzz] v3 transactions and sigop-adjusted vsize (glozow) 1fd16b5c62 [functional test] v3 transaction submission (glozow) 27c8786ba9 test framework: Add and use option for tx-version in MiniWallet methods (MarcoFalke) 9a1fea55b2 [policy/validation] allow v3 transactions with certain restrictions (glozow) eb8d5a2e7d [policy] add v3 policy rules (glozow) 9a29d470fb [rpc] return full string for package_msg and package-error (glozow) 158623b8e0 [refactor] change Workspace::m_conflicts and adjacent funcs/structs to use Txid (glozow) Pull request description: See #27463 for overall package relay tracking. Delving Bitcoin discussion thread: https://delvingbitcoin.org/t/v3-transaction-policy-for-anti-pinning/340 Delving Bitcoin discussion for LN usage: https://delvingbitcoin.org/t/lightning-transactions-with-v3-and-ephemeral-anchors/418 Rationale: - There are various pinning problems with RBF and our general ancestor/descendant limits. These policies help mitigate many pinning attacks and make package RBF feasible (see #28984 which implements package RBF on top of this). I would focus the most here on Rule 3 pinning. [1][2] - Switching to a cluster-based mempool (see #27677 and #28676) requires the removal of CPFP carve out, which applications depend on. V3 + package RBF + ephemeral anchors + 1-parent-1-child package relay provides an intermediate solution. V3 policy is for "Priority Transactions." [3][4] It allows users to opt in to more restrictive topological limits for shared transactions, in exchange for the more robust fee-bumping abilities that offers. Even though we don't have cluster limits, we are able to treat these transactions as having as having a maximum cluster size of 2. Immediate benefits: - You can presign a transaction with 0 fees (not just 1sat/vB!) and add a fee-bump later. - Rule 3 pinning is reduced by a significant amount, since the attacker can only attach a maximum of 1000vB to your shared transaction. This also enables some other cool things (again see #27463 for overall roadmap): - Ephemeral Anchors - Package RBF for these 1-parent-1-child packages. That means e.g. a commitment tx + child can replace another commitment tx using the child's fees. - We can transition to a "single anchor" universe without worrying about package limit pinning. So current users of CPFP carve out would have something else to use. - We can switch to a cluster-based mempool [5] (#27677 #28676), which removes CPFP carve out [6]. [1]: Original mailing list post and discussion about RBF pinning problems https://gist.github.com/glozow/25d9662c52453bd08b4b4b1d3783b9ff, https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-January/019817.html [2]: A FAQ is "we need this for cluster mempool, but is this still necessary afterwards?" There are some pinning issues that are fixed here and not fully fixed in cluster mempool, so we will still want this or something similar afterward. [3]: Mailing list post for v3 https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-September/020937.html [4]: Original PR #25038 also contains a lot of the discussion [5]: https://delvingbitcoin.org/t/an-overview-of-the-cluster-mempool-proposal/393/7 [6]: https://delvingbitcoin.org/t/an-overview-of-the-cluster-mempool-proposal/393#the-cpfp-carveout-rule-can-no-longer-be-supported-12 ACKs for top commit: sdaftuar: ACK 29029df5c7 achow101: ACK 29029df5c7 instagibbs: ACK 29029df5c7 modulo that Tree-SHA512: 9664b078890cfdca2a146439f8835c9d9ab483f43b30af8c7cd6962f09aa557fb1ce7689d5e130a2ec142235dbc8f21213881baa75241c5881660f9008d68450
2025-11-10 14:08:40 +01:00 · 2024-02-09 23:29:39 -05:00
parent 1d334d830f 29029df5c7
commit 7143d43884
23 changed files with 1136 additions and 42 deletions
--- a/src/test/util/txmempool.cpp
+++ b/src/test/util/txmempool.cpp
@@ -7,6 +7,7 @@
 #include <chainparams.h>
 #include <node/context.h>
 #include <node/mempool_args.h>
+#include <policy/v3_policy.h>
 #include <txmempool.h>
 #include <util/check.h>
 #include <util/time.h>
@@ -116,3 +117,28 @@ std::optional<std::string> CheckPackageMempoolAcceptResult(const Package& txns,
    }
    return std::nullopt;
 }
+
+void CheckMempoolV3Invariants(const CTxMemPool& tx_pool)
+{
+    LOCK(tx_pool.cs);
+    for (const auto& tx_info : tx_pool.infoAll()) {
+        const auto& entry = *Assert(tx_pool.GetEntry(tx_info.tx->GetHash()));
+        if (tx_info.tx->nVersion == 3) {
+            // Check that special v3 ancestor/descendant limits and rules are always respected
+            Assert(entry.GetCountWithDescendants() <= V3_DESCENDANT_LIMIT);
+            Assert(entry.GetCountWithAncestors() <= V3_ANCESTOR_LIMIT);
+            // If this transaction has at least 1 ancestor, it's a "child" and has restricted weight.
+            if (entry.GetCountWithAncestors() > 1) {
+                Assert(entry.GetTxSize() <= V3_CHILD_MAX_VSIZE);
+                // All v3 transactions must only have v3 unconfirmed parents.
+                const auto& parents = entry.GetMemPoolParentsConst();
+                Assert(parents.begin()->get().GetSharedTx()->nVersion == 3);
+            }
+        } else if (entry.GetCountWithAncestors() > 1) {
+            // All non-v3 transactions must only have non-v3 unconfirmed parents.
+            for (const auto& parent : entry.GetMemPoolParentsConst()) {
+                Assert(parent.get().GetSharedTx()->nVersion != 3);
+            }
+        }
+    }
+}
--- a/src/test/util/txmempool.h
+++ b/src/test/util/txmempool.h
@@ -46,4 +46,14 @@ std::optional<std::string>  CheckPackageMempoolAcceptResult(const Package& txns,
                                                            const PackageMempoolAcceptResult& result,
                                                            bool expect_valid,
                                                            const CTxMemPool* mempool);
+
+/** For every transaction in tx_pool, check v3 invariants:
+ * - a v3 tx's ancestor count must be within V3_ANCESTOR_LIMIT
+ * - a v3 tx's descendant count must be within V3_DESCENDANT_LIMIT
+ * - if a v3 tx has ancestors, its sigop-adjusted vsize must be within V3_CHILD_MAX_VSIZE
+ * - any non-v3 tx must only have non-v3 parents
+ * - any v3 tx must only have v3 parents
+ *   */
+void CheckMempoolV3Invariants(const CTxMemPool& tx_pool);
+
 #endif // BITCOIN_TEST_UTIL_TXMEMPOOL_H