[WIP] wallet: tx creation, don't select outputs from txes that are being replaced #26732
Conversation
|
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers. Code CoverageFor detailed information about the code coverage, see the test coverage report. ReviewsSee the guideline for information on the review process.
If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update. ConflictsReviewers, this pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first. |
|
To be clear, this is if you make a replacement manually, not with |
Yes, could happen if you manually pre-select an input from an unconfirmed transaction and provides it to any RPC command that creates or fund a transaction (e.g.
You mean, grouping inputs from different unconfirmed transactions into a single replacement tx? So far, what the test proves is that the wallet, during the transaction creation process, can automatically select outputs from the unconfirmed transaction that is being replaced to use them as inputs. Which shouldn't happen as those coins will no longer exist once the tx gets replaced. |
Unconfirmed inputs that were in the original transactions being replaced are fine. It's adding new unconfirmed inputs that is not allowed. |
ca9bacd to
c288c04
Compare
c288c04 to
431387b
Compare
Good to know. Thanks, it's BIP125 rule 2. The wallet can create invalid transactions due not be contemplating that neither. So, added test coverage and internal checks for it as well. Summary:
|
f82e7ba to
d7e41b6
Compare
There was a problem hiding this comment.
So far, what the test proves is that the wallet, during the transaction creation process, can automatically select outputs from the unconfirmed transaction that is being replaced to use them as inputs. Which shouldn't happen as those coins will no longer exist once the tx gets replaced.
Indeed this sounds like a bug that should be fixed.
Would it be better to stop + warn the user that they have selected an input that is already spent by something in this mempool, and, if this is intentional, they should use bumpfee RPC instead? Otherwise you end up implementing RBF checks in 2 places?
| } | ||
| } | ||
|
|
||
| // If this tx is a replacement, disallow unconfirmed UTXO selection by rising the | ||
| // coin control min depth param. Ensuring that we don't add any new unconfirmed UTXOs | ||
| // to replacement transactions (satisfying BIP125 rule 2). |
There was a problem hiding this comment.
please do not add new mentions of BIP125 that aren't signaling-related, see #25775
That is a good point and topic. Another point of view would be to understand Then, under this rationale, instead of blocking replacement txes from happening in lower level commands like Which, based on a brief walk-through the bumpfee process, might not be that bad as we are duplicating some code that is already inside the general fundtransaction function. Then, for advanced users, this view might be more adequate as otherwise we would need to add more customization options inside Still.. have to say that this comes from an out loud thinking.. atm, I don't have a strong preference over any approach: |
There was a problem hiding this comment.
Concept ACK, apologies for the late re-review
Just to recap the whiteboarding session we had offline, I think what we want is to add a SanitizeCoinControl function that can be used early on across both bumpfee and fundraw RPCs:
- If any of the selected inputs is already spent in mempool,
is_replacement=trueand keep track of which inputs are being spent again. - If the selected inputs includes UTXOs spent and created by the same transaction (i.e. selected output from a tx that is being replaced), return error "invalid input selection"
- If
is_replacement=true, automatically setmin_depth=1 - If
is_replacementand any of the selected inputs is<min_depthbut not part of the replaced tx, return error "invalid input selection" (i.e. selected an additional unconfirmed output in an RBF)
The transactions should fail regardless, but this gives the user a helpful "invalid input selection" to let them know that they have manually selected some inputs that don't make sense.
There was a problem hiding this comment.
There hasn't been much activity lately and the patch still needs rebase. What is the status here?
- Is it still relevant? ➡️ Please solve the conflicts to make it ready for review and to ensure the CI passes.
It is still relevant. I'm waiting for #27601 outcome to rebase it. This work depends on it.
Is there an outcome? Seems like nothing has happened on the pull since, other than it needing rebase. |
Not yet. Still need to rework #27601 first. Other wallet works have gotten more priority than this working path. This two PRs are still bugs within the wallet but they could wait a bit in favor of other PRs. |
When the wallet creates/fund a replacement transaction (spending one or more inputs of one or many existent transactions), it should not fund the new transaction with outputs belonging to the txes being replaced. Reason: Once replaced, those outputs are no longer going to exist, there by the created/funded transaction will be invalid.
The wallet tx creation process should not select any output belonging to the transaction that is being replaced.
Ensuring that we don't add any new unconfirmed UTXOs to the replacement transaction (satisfying BIP125 rule 2). note: needed to slightly adapt the 'test_add_inputs_default_value' functional test case because it was creating a replacement tx and adding new unconfirmed inputs without noticing it (we are testing a totally different things there).
the wallet should skip unconfirmed outputs when it is creating/funding a replacement tx Per BIP125 rule 2, the replacement tx must only have unconfirmed inputs from the original transaction that is being replaced. Cannot contain new unconfirmed inputs.
d7e41b6 to
34df3c7
Compare
|
🤔 There hasn't been much activity lately and the CI seems to be failing. If no one reviewed the current pull request by commit hash, a rebase can be considered. While the CI failure may be a false positive, the CI hasn't been running for some time, so there may be a real issue hiding as well. A rebase triggers the latest CI and makes sure that no silent merge conflicts have snuck in. |
|
Closing for now. Might revive it in the future, post #27286. |
Depends on #27601.
Adding test coverage and the needed checks for two scenarios
where the wallet create invalid transactions.
First Scenario, Do Not Use Outputs From the Tx Being Replaced
When the wallet creates/fund a replacement transaction, it should
not fund the new transaction with outputs belonging to the tx
being replaced.
Reason:
Once replaced, those outputs are no longer going to exist, there
by the created/funded transaction will be invalid.
Second Scenario, Do Not Create BIP125 Rule 2 Invalid Txes
Prevent adding new unconfirmed outputs to the transaction being
created/funded If any preset input was already spent by a mempool
transaction.
Note:
Both scenarios can can be verified cherry-picking the tests commits
on master. They will fail.