Allow forwarding less than the amount in the onion

[valentinewallace]

Support skimming an additional fee off of intercepted HTLCs, per lightning/blips#25.

V1 of addressing #1999
Based on #2305

[codecov-commenter]

Codecov Report

Patch coverage: 90.61% and project coverage change: +0.15 🎉

Comparison is base (ae9e96e) 90.35% compared to head (2127eb8) 90.50%.

❗ Your organization is not using the GitHub App Integration. As a result you may experience degraded service beginning May 15th. Please install the Github App Integration for your organization. Read more.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2319      +/-   ##
==========================================
+ Coverage   90.35%   90.50%   +0.15%     
==========================================
  Files         106      106              
  Lines       54347    59105    +4758     
  Branches    54347    59105    +4758     
==========================================
+ Hits        49105    53494    +4389     
- Misses       5242     5611     +369     

Impacted Files	Coverage Δ
lightning/src/ln/functional_tests.rs	98.34% <ø> (+0.11%)	⬆️
lightning/src/ln/channel.rs	89.49% <57.89%> (-0.33%)	⬇️
lightning/src/events/mod.rs	43.58% <90.00%> (+2.17%)	⬆️
lightning/src/ln/channelmanager.rs	87.79% <94.07%> (+1.21%)	⬆️
lightning/src/ln/payment_tests.rs	97.66% <98.79%> (+0.04%)	⬆️
lightning/src/ln/functional_test_utils.rs	87.63% <100.00%> (+0.34%)	⬆️
lightning/src/ln/msgs.rs	84.59% <100.00%> (+0.01%)	⬆️
lightning/src/util/config.rs	57.47% <100.00%> (-0.18%)	⬇️

... and 11 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

[TheBlueMatt]

At first glance this basically looks good I think.

[valentinewallace]

I removed phantom support for now. Also noticed that this breaks compat for current users of UserConfig::accept_intercept_htlcs. Not sure if a release note is sufficient so thoughts welcome there. (edit: we now only break compat if the forwarder actually skims a fee)

[alecchendev]

Nice!

[alecchendev]

In the case where a counterparty overshoots the amount in the onion, I think this would report the skimmed fee inaccurately? E.g. the counterparty_skimmed_fee_msat would be offset by amount_msat - total_value. It probably wouldn't happen very often and the offset probably wouldn't be much, but figured I'd still make note of it.

[valentinewallace]

Yeah, I think this field will be inaccurate if some non-penultimate intermediate node took took less fee than intended by the sender (if I understand you correctly), but I'm not sure if we're able to detect that? IIUC we only have sender_intended_total and actual_received_total to work off of here, though might be missing something.

[alecchendev]

I think it'd be possible by adding the skimmed fee to PendingHTLCRouting::Receive/ReceiveKeysend (which seems possible since the skimmed fee gets sent through construct_recv_pending_htlc_info), and then probably keeping this on ClaimableHTLC and using those when finally calculating? Not sure if it's worth trying to fit it in here, could maybe be followup

[TheBlueMatt]

Yea, I think this would be nice, otherwise an intermediary node can cause a payment to fail by not taking enough fee? Its not itself a super big deal, but I think you could use it to figure out if the destination node is an LSP Client and if so a recent one - eg if you have a guess that the ultimate node is one further than some large LSP you could short yourself 1 msat and see if the payment fails to see if its an LSP client or just a routing node peer?

[valentinewallace]

Nice catch! Fixed. I didn't want to just trust whatever the counterparty set as the skimmed fee since they could technically lie about that, so it's now a mix of the previous and new solution, PTAL.

[tnull]

Looks good to me after a quick initial pass.

I wonder if it would be nice to also expose the counterparty_skimmed_fee_msat field via PaymentClaimed?

[valentinewallace]

I wonder if it would be nice to also expose the counterparty_skimmed_fee_msat field via PaymentClaimed?

Added a TODO for this to #1999

[TheBlueMatt]

Feel free to squash IMO.

[TheBlueMatt]

Will need a small rebase after #2077

[TheBlueMatt]

Yea, I think this would be nice, otherwise an intermediary node can cause a payment to fail by not taking enough fee? Its not itself a super big deal, but I think you could use it to figure out if the destination node is an LSP Client and if so a recent one - eg if you have a guess that the ultimate node is one further than some large LSP you could short yourself 1 msat and see if the payment fails to see if its an LSP client or just a routing node peer?

[TheBlueMatt]

TIL what minuend means.

[TheBlueMatt]

This should be None if we're not subtracting anything. Also do we want to fail if the resulting amount is zero?

[valentinewallace]

Switched to None. I don't think we should fail if we forward more than expected, since the docs already say we allow this?

[valentinewallace]

Rebased on #2077 to get a head start on rebase conflicts.

[TheBlueMatt]

LGTM, one real comment and a nit, feel free to squash.

[alecchendev]

LGTM I think!

[alecchendev]

Not sure if it's worth mentioning here or is maybe more fit for an LSP client spec, but I think the attack described in #2319 (comment) is still possible if the payee fails a payment based on the skimmed fee being too high instead of just checking amount_msat and that the sum of amount_msat + counterparty_skimmed_fee_msat add up to at least what they expected. The docs here already only say to check amount_msat so I think it's probably fine as is but figured I'd still make note of it :)

[TheBlueMatt]

I don't think so? If the fee skimmed is too high that means the immediately-prior node took too much, if a node prior to that in the path took too much it should result in the second-to-last hop taking too little (if they're taking a percentage fee).

[alecchendev]

Oh my bad, for some reason I was thinking intermediate nodes could still affect the final skimmed fee but that was fixed, oops

[valentinewallace]

Squashed.

[TheBlueMatt]

We probably need, as a followup, to support setting this - if you're an LSP and want to be the first payment to a given client you'll need it to take a fee on the first hop. Ideally we'd have something to handle that, but right now I don't think we will let you "just" send a payment to an intercept SCID, which we may consider.