Document better -keypool as a look-ahead safety mechanism #17719
Conversation
src/wallet/init.cpp
Outdated
| @@ -46,7 +46,7 @@ void WalletInit::AddWalletOptions() const | |||
|
|
|||
| gArgs.AddArg("-fallbackfee=<amt>", strprintf("A fee rate (in %s/kB) that will be used when fee estimation has insufficient data. 0 to entirely disable the fallbackfee feature. (default: %s)", | |||
| CURRENCY_UNIT, FormatMoney(DEFAULT_FALLBACK_FEE)), ArgsManager::ALLOW_ANY, OptionsCategory::WALLET); | |||
| gArgs.AddArg("-keypool=<n>", strprintf("Set key pool size to <n> (default: %u)", DEFAULT_KEYPOOL_SIZE), ArgsManager::ALLOW_ANY, OptionsCategory::WALLET); | |||
| gArgs.AddArg("-keypool=<n>", strprintf("Set key pool size to <n> (default: %u). Decreasing keypool size to a low value may increase the risk of losing funds in case of restoring from an old backup if none of the addresses in the original keypool have been used.", DEFAULT_KEYPOOL_SIZE), ArgsManager::ALLOW_ANY, OptionsCategory::WALLET); | |||
There was a problem hiding this comment.
Consider:
- gArgs.AddArg("-keypool=<n>", strprintf("Set key pool size to <n> (default: %u). Decreasing keypool size to a low value may increase the risk of losing funds in case of restoring from an old backup if none of the addresses in the original keypool have been used.", DEFAULT_KEYPOOL_SIZE), ArgsManager::ALLOW_ANY, OptionsCategory::WALLET);
+ gArgs.AddArg("-keypool=<n>", strprintf("Set key pool size to <n> (default: %u). "
+ "Smaller sizes may increase the risk of losing funds when restoring from an "
+ "old backup, if none of the addresses in the original keypool have been used.",
+ DEFAULT_KEYPOOL_SIZE), ArgsManager::ALLOW_ANY, OptionsCategory::WALLET);There was a problem hiding this comment.
maybe want to clarify that the original keypool was larger
There was a problem hiding this comment.
My understanding is if none of the addresses is detected as used on-chain, the keypool is not going to be top-up. If size is N keypool stays at range 0..N instead of being shifted by I, with I being index of address detected. Size is always going to be constant ?
Or do you mean original keypool as keypool set by default ?
There was a problem hiding this comment.
@ariard who are you asking here? sorry
There was a problem hiding this comment.
@instagibbs what your comment that seems unclear to me
There was a problem hiding this comment.
I'm saying that the explanation should explicitly mention that the value for the "original keypool" was larger in this loss-risk case.
There was a problem hiding this comment.
The original keypool as set by a mindless user before any detection in the loss-risk case or the default keypool ?
Sorry first option doesn't make sense to me as AFAII keypool keeps the same size.
src/wallet/scriptpubkeyman.h
Outdated
| * be used onchain, the look-ahead wouldn't be incremented to keep | ||
| * a constant-size and addresses beyond this range wouldn't be detected by an | ||
| * old backup, that's why it's not recommended to decrease keypool size lower | ||
| * than default value. |
There was a problem hiding this comment.
Consider:
- * In the unlikely case where none of the addresses in the `gap limit` would
- * be used onchain, the look-ahead wouldn't be incremented to keep
- * a constant-size and addresses beyond this range wouldn't be detected by an
- * old backup, that's why it's not recommended to decrease keypool size lower
- * than default value.
+
+ * In the unlikely case where none of the addresses in the 'gap limit' are used
+ * on-chain, the look-ahead will not be incremented to keep a constant size and
+ * addresses beyond this range will not be detected by an old backup. For this
+ * reason, it is not recommended to decrease keypool size lower than default
+ * value.46b54df to
8af8063
Compare
|
@jonatack, thanks for review, took your suggestions! |
|
ACK. |
There was a problem hiding this comment.
ACK 8af8063
before
bitcoin ((HEAD detached at origin/pr/17719)) $ bitcoind -help | grep -C1 keypool
-keypool=<n>
Set key pool size to <n> (default: 1000)
after
bitcoin/src ((HEAD detached at origin/pr/17719)) $ bitcoind -help | grep -C1 keypool
-keypool=<n>
Set key pool size to <n> (default: 1000). Smaller sizes may increase the
risk of losing funds when restoring from an old backup, if none
of the addresses in the original keypool have been used.
src/wallet/init.cpp
Outdated
| @@ -46,7 +46,7 @@ void WalletInit::AddWalletOptions() const | |||
|
|
|||
| gArgs.AddArg("-fallbackfee=<amt>", strprintf("A fee rate (in %s/kB) that will be used when fee estimation has insufficient data. 0 to entirely disable the fallbackfee feature. (default: %s)", | |||
| CURRENCY_UNIT, FormatMoney(DEFAULT_FALLBACK_FEE)), ArgsManager::ALLOW_ANY, OptionsCategory::WALLET); | |||
| gArgs.AddArg("-keypool=<n>", strprintf("Set key pool size to <n> (default: %u)", DEFAULT_KEYPOOL_SIZE), ArgsManager::ALLOW_ANY, OptionsCategory::WALLET); | |||
| gArgs.AddArg("-keypool=<n>", strprintf("Set key pool size to <n> (default: %u). Smaller sizes may increase the risk of losing funds when restoring from an old backup, if none of the addresses in the original keypool have been used.", DEFAULT_KEYPOOL_SIZE), ArgsManager::ALLOW_ANY, OptionsCategory::WALLET); | |||
There was a problem hiding this comment.
Now that I test it on the command line, perhaps:
- Smaller sizes may increase the risk...
+ Warning: A size lower than the default may increase the risk...Happy to re-ACK if you agree
There was a problem hiding this comment.
Now that I test it on the command line, perhaps:
- Smaller sizes may increase the risk... + Warning: A size lower than the default may increase the risk...
Adding the Warning: prefix could be a good idea, but it's misleading to say that "size lower than the default may increase the risk", because that implies the default value has the right amount of risk, even though it could easily be unsafe if you generate a lot of addresses. "Smaller sizes may increase the risk" is more accurate because smaller sizes decrease the risk and larger sizes increase it, and the default value is actually pretty arbitrary.
There was a problem hiding this comment.
Good points @ryanofsky; I agree.
There was a problem hiding this comment.
There was a problem hiding this comment.
Code review ACK 46b54df. New documentation is an improvement. I wonder if there's a good way to convey that "risk of losing funds" means list of "risk of irrecoverably losing funds" in the case of non-HD wallets and "risk of funds not showing up when recovering with a small pool size" in the case of HD wallets.
If after a backup, an address is issued beyond the initial keypool range and none of the addresses in this range is seen onchain, if a wallet is restored from backup, even in case of rescan, funds may be loss due to the look-ahead buffer not being incremented and so restored wallet not detecting onchain out-of-range address as derived from its seed. This scenario is theoretically unavoidable due to the requirement of the keypool to have a max size. However, given the default keypool size, this is unlikely. Document better keypool size implications to avoid user setting a too low value.
8af8063 to
f41d589
Compare
|
@ryanofsky, thanks for review, I think than both HD/non-HD wallets are subjected to risk of loss of funds in case of look-ahead misses. Deriving all your keys by backing up all of them or just the seed, and detecting if derived range has been used are too tied problems but still different? Overall, I agree security assumptions of wallet operations could be more documented. |
|
Yeah, this PR is already an improvement. I think there is an important distinction between irrecoverable loss off funds restoring an non-hd backup vs fixable loss off funds restoring an HD wallet backup with too-small -keypool value. But it seems ok for this documentation not to go into the details if there isn't a simple way to describe them. |
|
Concept ACK. This will hopefully prevent some people from losing funds and has no downside. |
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. ConflictsReviewers, this pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first. |
There was a problem hiding this comment.
ACK f41d589 code review and build/test. The added Warning: since last review is a good addition.
bitcoin/src ((HEAD detached at origin/pr/17719))$ bitcoind -help | grep -C1 keypool
-keypool=<n>
Set key pool size to <n> (default: 1000). Warning: Smaller sizes may
increase the risk of losing funds when restoring from an old
backup, if none of the addresses in the original keypool have
been used.
|
Maintainers, it seems like this might be ready to be merged. There are just two ACKs, but it is a pretty straightforward documentation update |
f41d589 Document better -keypool as a look-ahead safety mechanism (Antoine Riard) Pull request description: If after a backup, an address is issued beyond the initial keypool range and none of the addresses in this range is seen onchain, if a wallet is restored from backup, even in case of rescan, funds may be loss due to the look-ahead buffer not being incremented and so restored wallet not detecting onchain out-of-range address as derived from its seed. This scenario is theoretically unavoidable due to the requirement of the keypool to have a max size. However, given the default keypool size, this is unlikely. Document better keypool size implications to avoid user setting a too low value. While reviewing #17681, it took me a while to figure out the safety implications of keypool, I find it would be better to document this a bit farther to avoid users shooting themselves in the foot. For further context & discussion, see #17681 (comment) ACKs for top commit: ryanofsky: Code review ACK f41d589. Just "Warning:" prefix added since the last review jonatack: ACK f41d589 code review and build/test. The added `Warning:` since last review is a good addition. Tree-SHA512: d3d0ee88fcdfc5c8841a2bd4bada0e4eeb412a0dce5054e5fb023643c2fa57206a0f3efb06890c245528dc4431413ed2fd5645b9319d26245d044c490b7f0db0
…mechanism f41d589 Document better -keypool as a look-ahead safety mechanism (Antoine Riard) Pull request description: If after a backup, an address is issued beyond the initial keypool range and none of the addresses in this range is seen onchain, if a wallet is restored from backup, even in case of rescan, funds may be loss due to the look-ahead buffer not being incremented and so restored wallet not detecting onchain out-of-range address as derived from its seed. This scenario is theoretically unavoidable due to the requirement of the keypool to have a max size. However, given the default keypool size, this is unlikely. Document better keypool size implications to avoid user setting a too low value. While reviewing bitcoin#17681, it took me a while to figure out the safety implications of keypool, I find it would be better to document this a bit farther to avoid users shooting themselves in the foot. For further context & discussion, see bitcoin#17681 (comment) ACKs for top commit: ryanofsky: Code review ACK f41d589. Just "Warning:" prefix added since the last review jonatack: ACK f41d589 code review and build/test. The added `Warning:` since last review is a good addition. Tree-SHA512: d3d0ee88fcdfc5c8841a2bd4bada0e4eeb412a0dce5054e5fb023643c2fa57206a0f3efb06890c245528dc4431413ed2fd5645b9319d26245d044c490b7f0db0
…anism Summary: f41d58966995fe69df433fa684117fae74a56e66 Document better -keypool as a look-ahead safety mechanism (Antoine Riard) Pull request description: If after a backup, an address is issued beyond the initial keypool range and none of the addresses in this range is seen onchain, if a wallet is restored from backup, even in case of rescan, funds may be loss due to the look-ahead buffer not being incremented and so restored wallet not detecting onchain out-of-range address as derived from its seed. This scenario is theoretically unavoidable due to the requirement of the keypool to have a max size. However, given the default keypool size, this is unlikely. Document better keypool size implications to avoid user setting a too low value. While reviewing #17681, it took me a while to figure out the safety implications of keypool, I find it would be better to document this a bit farther to avoid users shooting themselves in the foot. For further context & discussion, see bitcoin/bitcoin#17681 (comment) ACKs for top commit: ryanofsky: Code review ACK f41d58966995fe69df433fa684117fae74a56e66. Just "Warning:" prefix added since the last review jonatack: ACK f41d58966995fe69df433fa684117fae74a56e66 code review and build/test. The added `Warning:` since last review is a good addition. --- Backport of Core [[bitcoin/bitcoin#17719 | PR17719]] Test Plan: ninja read it Reviewers: #bitcoin_abc, Fabien Reviewed By: #bitcoin_abc, Fabien Differential Revision: https://reviews.bitcoinabc.org/D7836
…mechanism f41d589 Document better -keypool as a look-ahead safety mechanism (Antoine Riard) Pull request description: If after a backup, an address is issued beyond the initial keypool range and none of the addresses in this range is seen onchain, if a wallet is restored from backup, even in case of rescan, funds may be loss due to the look-ahead buffer not being incremented and so restored wallet not detecting onchain out-of-range address as derived from its seed. This scenario is theoretically unavoidable due to the requirement of the keypool to have a max size. However, given the default keypool size, this is unlikely. Document better keypool size implications to avoid user setting a too low value. While reviewing bitcoin#17681, it took me a while to figure out the safety implications of keypool, I find it would be better to document this a bit farther to avoid users shooting themselves in the foot. For further context & discussion, see bitcoin#17681 (comment) ACKs for top commit: ryanofsky: Code review ACK f41d589. Just "Warning:" prefix added since the last review jonatack: ACK f41d589 code review and build/test. The added `Warning:` since last review is a good addition. Tree-SHA512: d3d0ee88fcdfc5c8841a2bd4bada0e4eeb412a0dce5054e5fb023643c2fa57206a0f3efb06890c245528dc4431413ed2fd5645b9319d26245d044c490b7f0db0
If after a backup, an address is issued beyond the initial
keypool range and none of the addresses in this range
is seen onchain, if a wallet is restored from backup, even in
case of rescan, funds may be loss due to the look-ahead
buffer not being incremented and so restored wallet not detecting
onchain out-of-range address as derived from its seed.
This scenario is theoretically unavoidable due to the requirement
of the keypool to have a max size. However, given the default
keypool size, this is unlikely. Document better keypool size
implications to avoid user setting a too low value.
While reviewing #17681, it took me a while to figure out the safety implications of keypool, I find it would be better to document this a bit farther to avoid users shooting themselves in the foot. For further context & discussion, see #17681 (comment)