routing: add result interpretation for intermediate invalid blinding

This commit adds handling for route blinding errors that are reported by the introduction node in a multi-hop blinded route. As the introduction node is always responsible for handling blinded errors, it is not penalized - only the final hop is penalized to discourage the blinded route without filling up mission control with ephemeral results. If this error code is reported by a node that is not an introduction node, we penalize the node because it is returning an error code that it should not be using.
2025-08-27 14:11:04 +02:00 · 2023-11-06 11:32:30 -05:00
parent f91589bef9
commit b82478a7e7
2 changed files with 187 additions and 0 deletions
--- a/routing/result_interpretation.go
+++ b/routing/result_interpretation.go
@@ -431,6 +431,70 @@ func (i *interpretedResult) processPaymentOutcomeIntermediate(
 	case *lnwire.FailExpiryTooSoon:
 		reportAll()

+	// We only expect to get FailInvalidBlinding from an introduction node
+	// in a blinded route. The introduction node in a blinded route is
+	// always responsible for reporting errors for the blinded portion of
+	// the route (to protect the privacy of the members of the route), so
+	// we need to be careful not to unfairly "shoot the messenger".
+	//
+	// The introduction node has no incentive to falsely report errors to
+	// sabotage the blinded route because:
+	//   1. Its ability to route this payment is strictly tied to the
+	//      blinded route.
+	//   2. The pubkeys in the blinded route are ephemeral, so doing so
+	//      will have no impact on the nodes beyond the individual payment.
+	//
+	// Here we handle a few cases where we could unexpectedly receive this
+	// error:
+	// 1. Outside of a blinded route: erring node is not spec compliant.
+	// 2. Before the introduction point: erring node is not spec compliant.
+	//
+	// Note that we expect the case where this error is sent from a node
+	// after the introduction node to be handled elsewhere as this is part
+	// of a more general class of errors where the introduction node has
+	// failed to convert errors for the blinded route.
+	case *lnwire.FailInvalidBlinding:
+		introIdx, isBlinded := introductionPointIndex(route)
+
+		// Deal with cases where a node has incorrectly returned a
+		// blinding error:
+		// 1. A node before the introduction point returned it.
+		// 2. A node in a non-blinded route returned it.
+		if errorSourceIdx < introIdx || !isBlinded {
+			reportNode()
+			return
+		}
+
+		// Otherwise, the error was at the introduction node. All
+		// nodes up until the introduction node forwarded correctly,
+		// so we award them as successful.
+		if introIdx >= 1 {
+			i.successPairRange(route, 0, introIdx-1)
+		}
+
+		// If the hop after the introduction node that sent us an
+		// error is the final recipient, then we finally fail the
+		// payment because the receiver has generated a blinded route
+		// that they're unable to use. We have this special case so
+		// that we don't penalize the introduction node, and there is
+		// no point in retrying the payment while LND only supports
+		// one blinded route per payment.
+		//
+		// Note that if LND is extended to support multiple blinded
+		// routes, this will terminate the payment without re-trying
+		// the other routes.
+		if introIdx == len(route.Hops)-1 {
+			i.finalFailureReason = &reasonError
+		} else {
+			// If there are other hops between the recipient and
+			// introduction node, then we just penalize the last
+			// hop in the blinded route to minimize the storage of
+			// results for ephemeral keys.
+			i.failPairBalance(
+				route, len(route.Hops)-1,
+			)
+		}
+
 	// In all other cases, we penalize the reporting node. These are all
 	// failures that should not happen.
 	default: