- Fix a deadlock when calling
batch_funding_transaction_generated
with invalid input (#2841).
0.0.121 fixes a denial-of-service vulnerability which is reachable from
untrusted input from peers in rare cases if we have a public channel or in
common cases if P2PGossipSync
is used.
- A peer that failed to complete its handshake would cause a reachable
unwrap
in LDK since 0.0.119 when LDK attempts to broadcast gossip to all peers (#2842).
In total, this release features 4 files changed, 52 insertions, 10 deletions in 4 commits from 2 authors, in alphabetical order:
- Jeffrey Czyz
- Matt Corallo
- The
PeerManager
bound onUtxoLookup
was removed entirely. This enables use ofUtxoLookup
in cases broken in 0.0.119 by #2773 (#2822). - LDK now exposes and fully implements the route blinding feature (#2812).
- The
lightning-transaction-sync
crate no longer relies on system time without thetime
feature (#2799, #2817). lightning::onion_message
's module layout has changed (#2821).Event::ChannelClosed
now includes thechannel_funding_txo
(#2800).CandidateRouteHop
variants were destructured into individual structs, hiding some fields which were not generally consumable (#2802).
- Fixed a rare issue where
lightning-net-tokio
may not fully flush its send buffer, leading to connection hangs (#2832). - Fixed a panic which may occur when connecting to a peer if we opened a second channel with that peer while they were disconnected (#2808).
- Retries for a payment which previously failed in a blinded path will now always use an alternative blinded path (#2818).
Feature
'sEq
andHash
implementation now ignore dummy bytes (#2808).- Some missing
DiscardFunding
orChannelClosed
events are now generated in rare funding-related failures (#2809). - Fixed a privacy issue in blinded path generation where the real
cltv_expiry_delta
would be exposed to senders (#2831).
0.0.120 fixes a denial-of-service vulnerability which is reachable from
untrusted input from peers if the UserConfig::manually_accept_inbound_channels
option is enabled.
- A peer that sent an
open_channel
message with thechannel_type
field unfilled would trigger a reachableunwrap
since LDK 0.0.117 (#2808). - In protocols where a funding output is shared with our counterparty before it is given to LDK, a malicious peer could have caused a reachable panic by reusing the same funding info in (#2809).
In total, this release features 67 files changed, 3016 insertions, 2473 deletions in 79 commits from 9 authors, in alphabetical order:
- Elias Rohrer
- Jeffrey Czyz
- José A.P
- Matt Corallo
- Tibo-lg
- Valentine Wallace
- benthecarman
- optout
- shuoer86
- The LDK crate ecosystem MSRV has been increased to 1.63 (#2681).
- The
bitcoin
dependency has been updated to version 0.30 (#2740). lightning-invoice::payment::*
have been replaced with parameter generation viapayment_parameters_from[_zero_amount]_invoice
(#2727).{CoinSelection,Wallet}Source::sign_tx
are nowsign_psbt
, providing more information, incl spent outputs, about the transaction being signed (#2775).- Logger
Record
s now includechannel_id
andpeer_id
fields. These are opportunistically filled in when a log record is specific to a given channel and/or peer, and may occasionally be spuriously empty (#2314). - When handling send or reply onion messages (e.g. for BOLT12 payments), a new
Event::ConnectionNeeded
may be raised, indicating a direct connection should be made to a payee or an introduction point. This event is expected to be removed once onion message forwarding is widespread in the network (#2723) - Scoring data decay now happens via
ScoreUpDate::time_passed
, called fromlightning-background-processor
.process_events_async
now takes a new time-fetch function, andScoreUpDate
methods now take the current time as aDuration
argument. This avoids fetching time during pathfinding (#2656). - Receiving payments to multi-hop blinded paths is now supported (#2688).
MessageRouter
andRouter
now feature methods to generate blinded paths to the local node for incoming messages and payments.Router
now extendsMessageRouter
, and both are used inChannelManager
when processing or creating BOLT12 structures to generate multi-hop blinded paths (#1781).lightning-transaction-sync
now supports Electrum-based sync (#2685).Confirm::get_relevant_txids
now returns the height at which a transaction was confirmed. This can be used to assist in reorg detection (#2685).ConfirmationTarget::MaxAllowedNonAnchorChannelRemoteFee
has been removed. Non-anchor channel feerates are bounded indirectly throughChannelConfig::max_dust_htlc_exposure
(#2696).lightning-invoice
Description
s now rely onUntrustedString
for sanitization (#2730).ScoreLookUp::channel_penalty_msat
now usesCandidateRouteHop
(#2551).- The
EcdsaChannelSigner
trait was moved tolightning::sign::ecdsa
(#2512). SignerProvider::get_destination_script
now takeschannel_keys_id
(#2744)SpendableOutputDescriptor::StaticOutput
now haschannel_keys_id
(#2749).EcdsaChannelSigner::sign_counterparty_commitment
now takes HTLC preimages for both inbound and outbound HTLCs (#2753).ClaimedHTLC
now includes acounterparty_skimmed_fee_msat
field (#2715).peel_payment_onion
was added to decode an encrypted onion for a payment without receiving an HTLC. This allows for stateless verification of if a theoretical payment would be accepted prior to receipt (#2700).create_payment_onion
was added to construct an encrypted onion for a payment path without sending an HTLC immediately (#2677).- Various keys used in channels are now wrapped to provide type-safety for specific usages of the keys (#2675).
TaggedHash
now includes the rawtag
andmerkle_root
(#2687).Offer::is_expired_no_std
was added (#2689).PaymentPurpose::preimage()
was added (#2768).temporary_channel_id
can now be specified increate_channel
(#2699).- Wire definitions for splicing messages were added (#2544).
- Various
lightning-invoice
structs now implDisplay
, now have pub fields, or implFrom
(#2730). - The
Hash
trait is now implemented for more structs, incl P2P msgs (#2716).
- Memory allocations (though not memory usage) have been substantially reduced, meaning less overhead and hopefully less memory fragmentation (#2708, #2779).
- Since 0.0.117, calling
close_channel*
on a channel which has not yet been funded would previously result in an infinite loop and hang (#2760). - Since 0.0.116, sending payments requiring data in the onion for the recipient which was too large for the onion may have caused corruption which resulted in payment failure (#2752).
- Cooperative channel closure on channels with remaining output HTLCs may have spuriously force-closed (#2529).
- In LDK versions 0.0.116 through 0.0.118, in rare cases where skimmed fees are
present on shutdown the
ChannelManager
may fail to deserialize (#2735). ChannelConfig::max_dust_exposure
values which, converted to absolute fees, exceeded 2^63 - 1 would result in an overflow and could lead to spurious payment failures or channel closures (#2722).- In cases where LDK is operating with provably-stale state, it panics to avoid funds loss. This may not have happened in cases where LDK was behind only exactly one state, leading instead to a revoked broadcast and funds loss (#2721).
- Fixed a bug where decoding
Txid
s from Bitcoin Core JSON-RPC responses usinglightning-block-sync
would not properly byte-swap the hash. Note that LDK does not use this API internally (#2796).
ChannelManager
s written with LDK 0.0.119 are no longer readable by versions of LDK prior to 0.0.113. Users wishing to downgrade to LDK 0.0.112 or before can read an 0.0.119-serializedChannelManager
with a version of LDK from 0.0.113 to 0.0.118, re-serialize it, and then downgrade (#2708).- Nodes that upgrade to 0.0.119 and subsequently downgrade after receiving a payment to a blinded path may leak recipient information if one or more of those HTLCs later fails (#2688).
- Similarly, forwarding a blinded HTLC and subsequently downgrading to an LDK version prior to 0.0.119 may result in leaking the path information to the payment sender (#2540).
In total, this release features 148 files changed, 13780 insertions, 6279 deletions in 280 commits from 22 authors, in alphabetical order:
- Arik Sosman
- Chris Waterson
- Elias Rohrer
- Evan Feenstra
- Gursharan Singh
- Jeffrey Czyz
- John Cantrell
- Lalitmohansharma1
- Matt Corallo
- Matthew Rheaume
- Orbital
- Rachel Malonson
- Valentine Wallace
- Willem Van Lint
- Wilmer Paulino
- alexanderwiederin
- benthecarman
- henghonglee
- jbesraa
- olegkubrakov
- optout
- shaavan
- BOLT12 sending and receiving is now supported as an alpha feature. You may run into unexpected issues and will need to have a direct connection with the offer's blinded path introduction points as messages are not yet routed. We are seeking feedback from early testers (#2578, #2039).
ConfirmationTarget
has been rewritten to provide information about the specific use LDK needs the feerate estimate for, rather than the generic low-, medium-, and high-priority estimates. This allows LDK users to more accurately target their feerate estimates (#2660). For those wishing to retain their existing behavior, see the table below for conversion.ChainHash
is now used in place ofBlockHash
where it represents the genesis block (#2662).lightning-invoice
payment utilities now take aDeref
toAChannelManager
(#2652).peel_onion
is provided to statelessly decode anOnionMessage
(#2599).ToSocketAddrs
+Display
are now impl'd forSocketAddress
(#2636, #2670)Display
is now implemented forOutPoint
(#2649).Features::from_be_bytes
is now provided (#2640).
For those moving to the new ConfirmationTarget
, the new variants in terms of
the old mempool/low/medium/high priorities are as follows:
OnChainSweep
=HighPriority
MaxAllowedNonAnchorChannelRemoteFee
=max(25 * 250, HighPriority * 10)
MinAllowedAnchorChannelRemoteFee
=MempoolMinimum
MinAllowedNonAnchorChannelRemoteFee
=Background - 250
AnchorChannelFee
=Background
NonAnchorChannelFee
=Normal
ChannelCloseMinimum
=Background
- Calling
ChannelManager::close_channel[_with_feerate_and_script]
on a channel which did not exist would immediately hang holding several keyChannelManager
-internal locks (#2657). - Channel information updates received from a failing HTLC are no longer
applied to our
NetworkGraph
. This prevents a node which we attempted to route a payment through from being able to learn the sender of the payment. In some rare cases, this may result in marginally reduced payment success rates (#2666). - Anchor outputs are now properly considered when calculating the amount available to send in HTLCs. This can prevent force-closes in anchor channels when sending payments which overflow the available balance (#2674).
- A peer that sends an
update_fulfill_htlc
message for a forwarded HTLC, then reconnects prior to sending acommitment_signed
(thus retransmitting theirupdate_fulfill_htlc
) may result in the channel stalling and being unable to make progress (#2661). - In exceedingly rare circumstances, messages intended to be sent to a peer prior to reconnection can be sent after reconnection. This could result in undefined channel state and force-closes (#2663).
- Creating a blinded path to receive a payment then downgrading to LDK prior to 0.0.117 may result in failure to receive the payment (#2413).
- Calling
ChannelManager::pay_for_offer
orChannelManager::create_refund_builder
may prevent downgrading to LDK prior to 0.0.118 until the payment times out and has been removed (#2039).
- LDK now sends a bogus
channel_reestablish
message to peers when they ask to resume an unknown channel. This should cause LND nodes to force-close and broadcast the latest channel state to the chain. In order to trigger this when we wish to force-close a channel, LDK now disconnects immediately after sending a channel-closingerror
message. This should result in cooperative peers also working to confirm the latest commitment transaction when we wish to force-close (#2658).
0.0.118 expands mitigations against transaction cycling attacks to non-anchor channels, though note that no mitigations which exist today are considered robust to prevent the class of attacks.
- In order to mitigate against transaction cycling attacks, non-anchor HTLC transactions are now properly re-signed before broadcasting (#2667).
In total, this release features 61 files changed, 3470 insertions, 1503 deletions in 85 commits from 12 authors, in alphabetical order:
- Antonio Yang
- Elias Rohrer
- Evan Feenstra
- Fedeparma74
- Gursharan Singh
- Jeffrey Czyz
- Matt Corallo
- Sergi Delgado Segura
- Vladimir Fomene
- Wilmer Paulino
- benthecarman
- slanesuke
ProbabilisticScorer
's internal models have been substantially improved, including better decaying (#1789), a more granular historical channel liquidity tracker (#2176) and a now-default option to make our estimate for a channel's current liquidity nonlinear in the channel's capacity (#2547). In total, these changes should result in improved payment success rates at the cost of slightly worse routefinding performance.- Support for custom TLVs for recipients of HTLCs has been added (#2308).
- Support for generating transactions for third-party watchtowers has been
added to
ChannelMonitor/Update
s (#2337). KVStorePersister
has been replaced with a more generic and featurefulKVStore
interface (#2472).- A new
MonitorUpdatingPersister
is provided which wraps aKVStore
and implementsPersist
by writing differential updates rather than fullChannelMonitor
s (#2359). - Batch funding of outbound channels is now supported using the new
ChannelManager::batch_funding_transaction_generated
method (#2486). ChannelManager::send_preflight_probes
has been added to probe a payment's potential paths while a user is providing approval for a payment (#2534).- Fully asynchronous
ChannelMonitor
updating is available as an alpha preview. There remain a few known but incredibly rare race conditions which may lead to loss of funds (#2112, #2169, #2562). ChannelMonitorUpdateStatus::PermanentFailure
has been removed in favor of a newChannelMonitorUpdateStatus::UnrecoverableError
. The new variant panics on use, rather than force-closing a channel in an unsafe manner, which the previous variant did (#2562). Rather than panicking with the new variant, users may wish to use the new asynchronousChannelMonitor
updating usingChannelMonitorUpdateStatus::InProgress
.RouteParameters::max_total_routing_fee_msat
was added to limit the fees paid when routing, defaulting to 1% + 50sats when using the newfrom_payment_params_and_value
constructor (#2417, #2603, #2604).- Implementations of
UtxoSource
are now provided inlightning-block-sync
. Those running with a full node should use this to validate gossip (#2248). LockableScore
now supports read locking for parallel routefinding (#2197).ChannelMonitor::get_spendable_outputs
was added to allow for re-generation ofSpendableOutputDescriptor
s for a channel after they were provided viaEvent::SpendableOutputs
(#2609, #2624).[u8; 32]
has been replaced with aChannelId
newtype for chan ids (#2485).NetAddress
was renamedSocketAddress
(#2549) andFromStr
impl'd (#2134)- For
no-std
users,parse_onion_address
was added which creates aNetAddress
from a "...onion" string and port (#2134, #2633). - HTLC information is now provided in
Event::PaymentClaimed::htlcs
(#2478). - The success probability used in historical penalties when scoring is now
available via
historical_estimated_payment_success_probability
(#2466). RecentPaymentDetails::*::payment_id
has been added (#2567).Route
now contains aRouteParameters
rather than aPaymentParameters
, tracking the original arguments passed to routefinding (#2555).Balance::*::claimable_amount_satoshis
was renamedamount_satoshis
(#2460)*Features::set_*_feature_bit
have been added for non-custom flags (#2522).channel_id
was added toSpendableOutputs
events (#2511).counterparty_node_id
andchannel_capacity_sats
were added toChannelClosed
events (#2387).ChannelMonitor
now implementsClone
forClone
able signers (#2448).create_onion_message
was added to build an onion message (#2583, #2595).HTLCDescriptor
now implementsWriteable
/Readable
(#2571).SpendableOutputDescriptor
now implementsHash
(#2602).MonitorUpdateId
now implementsDebug
(#2594).Payment{Hash,Id,Preimage}
now implementDisplay
(#2492).NodeSigner::sign_bolt12_invoice{,request}
were added for future use (#2432)
- Users migrating to the new
KVStore
can use a concatentation of[{primary_namespace}/[{secondary_namespace}/]]{key}
to build a key compatible with the previousKVStorePersister
interface (#2472). - Downgrading after receipt of a payment with custom HTLC TLVs may result in unintentionally accepting payments with TLVs you do not understand (#2308).
Route
objects (including pending payments) written by LDK versions prior to 0.0.117 won't be retryable after being deserialized by LDK 0.0.117 or above (#2555).- Users of the
MonitorUpdatingPersister
can upgrade seamlessly from the defaultKVStore
Persist
implementation, however the storedChannelMonitor
s are deliberately unreadable by the defaultPersist
. This ensures the correct downgrade procedure is followed, which is: (#2359)- First, make a backup copy of all channel state,
- then ensure all
ChannelMonitorUpdate
s stored are fully applied to the relevantChannelMonitor
, - finally, write each full
ChannelMonitor
using your newPersist
impl.
- Anchor channels which were closed by a counterparty broadcasting its
commitment transaction (i.e. force-closing) would previously not generate a
SpendableOutputs
event for ourto_remote
(i.e. non-HTLC-encumbered) balance. Those with such balances available should fetch the missingSpendableOutputDescriptor
s using the newChannelMonitor::get_spendable_outputs
method (#2605). - Anchor channels may result in spurious or missing
Balance
entries for HTLC balances (#2610). ChannelManager::send_spontaneous_payment_with_retry
spuriously did not provide the recipient with enough information to claim the payment, leading to all spontaneous payments failing (#2475).send_spontaneous_payment_with_route
was unaffected.- The
keysend
feature on node announcements was spuriously un-set in 0.0.112 and has been re-enabled (#2465). - Fixed several races which could lead to deadlock when force-closing a channel (#2597). These races have not been seen in production.
- The
ChannelManager
is persisted substantially less when it has not changed, leading to substantially less I/O traffic for it (#2521, #2617). - Passing new block data to
ChainMonitor
no longer results in all other monitor operations being blocked until it completes (#2528). - When retrying payments, any excess amount sent to the recipient in order to
meet an
htlc_minimum
constraint on the path is now no longer included in the amount we send in the retry (#2575). - Several edge cases in route-finding around HTLC minimums were fixed which could have caused invalid routes or panics when built with debug assertions (#2570, #2575).
- Several edge cases in route-finding around HTLC minimums and route hints were fixed which would spuriously result in no route found (#2575, #2604).
- The
user_channel_id
passed toSignerProvider::generate_channel_keys_id
for inbound channels is now correctly using the one passed toChannelManager::accept_inbound_channel
rather than a default value (#2428). - Users of
impl_writeable_tlv_based!
no longer have use requirements (#2506). - No longer force-close channels when counterparties send a
channel_update
with a bogushtlc_minimum_msat
, which LND users can manually build (#2611).
- LDK now ignores
error
messages generated by LND in response to ashutdown
message, avoiding force-closes due to LND bug 6039. This may lead to non-trivial bandwidth usage with LND peers exhibiting this bug during the cooperative shutdown process (#2507).
0.0.117 fixes several loss-of-funds vulnerabilities in anchor output channels, support for which was added in 0.0.116, in reorg handling, and when accepting channel(s) from counterparties which are miners.
- When a counterparty broadcasts their latest commitment transaction for a channel with anchor outputs, we'd previously fail to build claiming transactions against any HTLC outputs in that transaction. This could lead to loss of funds if the counterparty is able to eventually claim the HTLC after a timeout (#2606).
- Anchor channels HTLC claims on-chain previously spent the entire value of any HTLCs as fee, which has now been fixed (#2587).
- If a channel is closed via an on-chain commitment transaction confirmation with a pending outbound HTLC in the commitment transaction, followed by a reorg which replaces the confirmed commitment transaction with a different (but non-revoked) commitment transaction, all before we learn the payment preimage for this HTLC, we may previously have not generated a proper claiming transaction for the HTLC's value (#2623).
- 0.0.117 now correctly handles channels for which our counterparty funded the channel with a coinbase transaction. As such transactions are not spendable until they've reached 100 confirmations, this could have resulted in accepting HTLC(s) which are not enforcible on-chain (#1924).
In total, this release features 121 files changed, 20477 insertions, 8184 deletions in 381 commits from 27 authors, in alphabetical order:
- Alec Chen
- Allan Douglas R. de Oliveira
- Antonio Yang
- Arik Sosman
- Chris Waterson
- David Caseria
- DhananjayPurohit
- Dom Zippilli
- Duncan Dean
- Elias Rohrer
- Erik De Smedt
- Evan Feenstra
- Gabor Szabo
- Gursharan Singh
- Jeffrey Czyz
- Joseph Goulden
- Lalitmohansharma1
- Matt Corallo
- Rachel Malonson
- Sergi Delgado Segura
- Valentine Wallace
- Vladimir Fomene
- Willem Van Lint
- Wilmer Paulino
- benthecarman
- jbesraa
- optout
- Support for zero-HTLC-fee anchor output channels has been added and is now
considered beta (#2367). Users who set
ChannelHandshakeConfig::negotiate_anchors_zero_fee_htlc_tx
should be prepared to handle the newEvent::BumpTransaction
, e.g. via theBumpTransactionEventHandler
(#2089). Note that in order to do so you must ensure you always have a reserve of available unspent on-chain funds to use for CPFP. LDK currently makes no attempt to ensure this for you. - Users who set
ChannelHandshakeConfig::negotiate_anchors_zero_fee_htlc_tx
and wish to accept inbound anchor-based channels must do so manually by settingUserConfig::manually_accept_inbound_channels
(#2368). - Support forwarding and accepting HTLCs with a reduced amount has been added, to support LSPs skimming a fee on the penultimate hop (#2319).
- BOLT11 and BOLT12 Invoice and related types have been renamed to include a
BOLTNN prefix, ensuring uniqueness in
lightning{,-invoice}
crates (#2416). Score
rs now have an associated type which represents a parameter passed when calculating penalties. This allows for the sameScore
r to be used with different penalty calculation parameters (#2237).DefaultRouter
is no longer restrained to aMutex
-wrappedScore
, allowing it to be used inno-std
builds (#2383).CustomMessageHandler::provided_{node,init}_features
and various custom feature bit methods on*Features
were added (#2204).- Keysend/push payments using MPP are now supported when receiving if
UserConfig::accept_mpp_keysend
is set and when sending if specified in thePaymentParameters
. Note that not all recipients support this (#2156). - A new
ConfirmationTarget::MempoolMinimum
has been added (#2415). SpendableOutputDescriptor::to_psbt_input
was added (#2286).ChannelManager::update_partial_channel_config
was added (#2330).ChannelDetails::channel_shutdown_state
was added (#2347).- The shutdown script can now be provided at shutdown time via
ChannelManager::close_channel_with_feerate_and_script
(#2219). BroadcasterInterface
now takes multiple transactions at once. While not available today, in the future single calls should be passed to a full node via a single batch/package transaction acceptance API (#2272).Balance::claimable_amount_satoshis
was added (#2333).payment_{hash,preimage}
have been added to someBalance
variants (#2217).- The
lightning::chain::keysinterface
is nowlightning::sign
(#2246). - Routing to a blinded path has been implemented, though sending to such a
route is not yet supported in
ChannelManager
(#2120). OffersMessageHandler
was added for offers-related onion messages (#2294).- The
CustomMessageHandler
parameter toPeerManager
has moved toMessageHandler
fromPeerManager::new
explicitly (#2249). - Various P2P messages for dual funding channel establishment have been added,
though handling for them is not yet in
ChannelManager
(#1794) - Script-fetching methods in
sign
interfaces can now return errors, see docs for the implications of failing (#2213). - The
data_loss_protect
option is now required when readingchannel_reestablish
messages, as many others have done (#2253). InFlightHtlcs::add_inflight_htlc
has been added (#2042).- The
init
messagenetworks
field is now written and checked (#2329). PeerManager
generics have been simplified with the introduction of theAPeerManager
trait (#2249).ParitalOrd
andOrd
are now implemented forInvoice
(#2279).ParitalEq
andDebug
are now implemented forInMemorySigner
(#2328).ParitalEq
andEq
are now implemented forPaymentError
(#2316).NetworkGraph::update_channel_from_announcement_no_lookup
was added (#2222).lightning::routing::gossip::verify_{channel,node}_announcement
was added (#2307).
PaymentParameters
written with blinded path info using LDK 0.0.115 will not be readable in LDK 0.0.116, and vice versa.- Forwarding less than
Event::HTLCIntercepted::expected_outbound_amount_msat
inChannelManager::forward_intercepted_htlc
may prevent theChannelManager
from being read by LDK prior to 0.0.116 (#2319) - Setting
ChannelConfig::accept_underpaying_htlcs
may prevent theChannelManager
from being read by LDK prior to 0.0.116 and un-setting the parameter between restarts may lead to payment failures (#2319). ChannelManager::create_inbound_payment{,_for_hash}_legacy
has been removed, removing the ability to create inbound payments which are claimable after downgrade to LDK 0.0.103 and prior. In the future handling such payments will also be removed (#2351).- Some fields required by LDK 0.0.103 and earlier are no longer written, thus deserializing objects written by 0.0.116 with 0.0.103 may now fail (#2351).
ChannelDetails::next_outbound_htlc_limit_msat
was made substantially more accurate and a correspondingnext_outbound_htlc_minimum_msat
was added. This resolves issues where unpayable routes were generated due to overestimation of the amount which is payable over one of our channels as the first hop (#2312).- A rare case where delays in processing
Event
s generated byChannelMonitor
s could lead to loss of those events in case of an untimely crash. This could lead to the loss of anEvent::SpendableOutputs
(#2369). - Fixed a regression in 0.0.115 which caused
PendingHTLCsForwardable
events to be missed when processing phantom node receives. This caused such payments to be delayed until a further, unrelated HTLC came in (#2395). - Peers which are unresponsive to channel messages for several timer ticks are now disconnected to allow for on-reconnection state machine reset. This works around some issues in LND prior to 16.3 which can cause channels to hang and eventually force-close (#2293).
ChannelManager::new
now requires the current time (either from a recent block header or the system clock), ensuring invoices created immediately after startup aren't already expired (#2372).- Resolved an issue where reading a
ProbabilisticScorer
on some platforms (e.g. iOS) can lead to a panic (#2322). ChannelConfig::max_dust_htlc_exposure
is now allowed to scale based on current fees, and the default has been updated to do so. This substantially reduces the chance of force-closure due to dust exposure. Note that existing channels will retain their current value and you may wish to update the value on your existing channels on upgrade (#2354).PeerManager::process_events
no longer blocks in any case. This fixes a bug where reentrancy fromPeerManager
into user code which eventually callsprocess_events
could lead to a deadlock (#2280).- The persist timing of network graph and scoring in
lightning-background-processor
has been tweaked to provide more reliable persistence after updates to either (#2226). - The number of route hints added to BOLT 11 invoices by the
lightning-invoice::utils
builders has been reduced to three to ensure invoices can be represented in scan-able QR codes (#2044). - Fixed sending large onion messages, which would previously have resulted in an HMAC error on the second hop (#2277).
- Fixed a memory leak that may occur when a
ChannelManager
orChannelMonitor
isdrop
ed (#2233). - A potential deadlock in calling
NetworkGraph::eq
was resolved (#2284). - Fixed an overflow which prevented disconnecting peers in some minor cases with more than 31 peers (#2245).
- Gossip messages with an unknown chain hash are now ignored (#2230).
- Rapid Gossip Sync processing now fails on an unknown chain hash (#2324).
RouteHintHop::htlc_maximum_msat
is now enforced. Note that BOLT11 route hints do not have such a field so this code is generally unused (#2305).
0.0.116 fixes a denial-of-service vulnerability which is reachable from untrusted input from channel counterparties if a 0-conf channel exists with that counterparty.
- A premature
announcement_signatures
message from a peer prior to a 0-conf channel's funding transaction receiving any confirmations would panic in any version since 0-conf channels were introduced (#2439).
In total, this release features 142 files changed, 21033 insertions, 11066 deletions in 327 commits from 21 authors, in alphabetical order:
- Alec Chen
- Andrei
- Antoine Riard
- Arik Sosman
- Chad Upjohn
- Daniel Granhão
- Duncan Dean
- Elias Rohrer
- Fred Walker
- Gleb Naumenko
- Jeffrey Czyz
- Martin Habovstiak
- Matt Corallo
- Tony Giorgio
- Valentine Wallace
- Vladimir Fomene
- Willem Van Lint
- Wilmer Paulino
- benthecarman
- ff
- henghonglee
- The MSRV of the main LDK crates has been increased to 1.48 (#2107).
- Attempting to claim an un-expired payment on a channel which has closed no
longer fails. The expiry time of payments is exposed via
PaymentClaimable::claim_deadline
(#2148). payment_metadata
is now supported inInvoice
deserialization, sending, and receiving (via a newRecipientOnionFields
struct) (#2139, #2127).Event::PaymentFailed
now exposes a failure reason (#2142).- BOLT12 messages now support stateless generation and validation (#1989).
- The
NetworkGraph
is now pruned of stale data after RGS processing (#2161). - Max inbound HTLCs in-flight can be changed in the handshake config (#2138).
lightning-transaction-sync
featureesplora-async-https
was added (#2085).- A
ChannelPending
event is now emitted after the initial handshake (#2098). PaymentForwarded::outbound_amount_forwarded_msat
was added (#2136).ChannelManager::list_channels_by_counterparty
was added (#2079).ChannelDetails::feerate_sat_per_1000_weight
was added (#2094).Invoice::fallback_addresses
was added to fetchbitcoin
types (#2023).- The offer/refund description is now exposed in
Invoice{,Request}
(#2206).
- Payments sent with the legacy
*_with_route
methods on LDK 0.0.115+ will no longer be retryable via the LDK 0.0.114-retry_payment
method (#2139). Event::PaymentPathFailed::retry
was removed and will always beNone
for payments initiated on 0.0.115 which fail on an earlier version (#2063).Route
s andPaymentParameters
with blinded path information will not be readable on prior versions of LDK. Such objects are not currently constructed by LDK, but may be when processing BOLT12 data in a coming release (#2146).- Providing
ChannelMonitorUpdate
s generated by LDK 0.0.115 to aChannelMonitor
on 0.0.114 or before may panic (#2059). Note that this is in general unsupported, and included here only for completeness.
- Fixed a case where
process_events_async
maypoll
aFuture
which has already completed (#2081). - Fixed deserialization of
u16
arrays. This bug may have previously corrupted the historical buckets in aProbabilisticScorer
. Users relying on the historical buckets may wish to wipe their scorer on upgrade to remove corrupt data rather than waiting on it to decay (#2191). - The
process_events_async
task is nowSend
and can thus be polled on a multi-threaded runtime (#2199). - Fixed a missing macro export causing
impl_writeable_tlv_based_enum{,_upgradable}
calls to not compile (#2091). - Fixed compilation of
lightning-invoice
with bothno-std
and serde (#2187) - Fix an issue where the
background-processor
would not wake when aChannelMonitorUpdate
completed asynchronously, causing delays (#2090). - Fix an issue where
process_events_async
would exit immediately (#2145). Router
calls from theChannelManager
now callfind_route_with_id
rather thanfind_route
, as was intended and described in the API (#2092).- Ensure
process_events_async
always exits if any sleep future returns true, not just if all sleep futures repeatedly return true (#2145). channel_update
messages no longer set the disable bit unless the peer has been disconnected for some time. This should resolve cases where channels are disabled for extended periods of time (#2198).- We no longer remove CLN nodes from the network graph for violating the BOLT spec in some cases after failing to pay through them (#2220).
- Fixed a debug assertion which may panic under heavy load (#2172).
CounterpartyForceClosed::peer_msg
is now wrapped in UntrustedString (#2114)- Fixed a potential deadlock in
funding_transaction_generated
(#2158).
- Transaction re-broadcasting is now substantially more aggressive, including a
new regular rebroadcast feature called on a timer from the
background-processor
or fromChainMonitor::rebroadcast_pending_claims
. This should substantially increase transaction confirmation reliability without relying on downstreamTransactionBroadcaster
implementations for rebroadcasting (#2203, #2205, #2208). - Implemented the changes from BOLT PRs #1031, #1032, and #1040 which resolve a privacy vulnerability which allows an intermediate node on the path to discover the final destination for a payment (#2062).
In total, this release features 110 files changed, 11928 insertions, 6368 deletions in 215 commits from 21 authors, in alphabetical order:
- Advait
- Alan Cohen
- Alec Chen
- Allan Douglas R. de Oliveira
- Arik Sosman
- Elias Rohrer
- Evan Feenstra
- Jeffrey Czyz
- John Cantrell
- Lucas Soriano del Pino
- Marc Tyndel
- Matt Corallo
- Paul Miller
- Steven
- Steven Williamson
- Steven Zhao
- Tony Giorgio
- Valentine Wallace
- Wilmer Paulino
- benthecarman
- munjesi
InvoicePayer
has been removed and its features moved directly intoChannelManager
. As such it now requires a simplifiedRouter
and supportssend_payment_with_retry
(and friends).ChannelManager::retry_payment
was removed in favor of the automated retries. Invoice payment utilities inlightning-invoice
now call the new code (#1812, #1916, #1929, #2007, etc).Sign
/BaseSign
has been renamedChannelSigner
, withEcdsaChannelSigner
split out in anticipation of future schnorr/taproot support (#1967).- The catch-all
KeysInterface
was split intoEntropySource
,NodeSigner
, andSignerProvider
.KeysManager
implements all three (#1910, #1930). KeysInterface::get_node_secret
is nowKeysManager::get_node_secret_key
and is no longer required for external signers (#1951, #2070).- A
lightning-transaction-sync
crate has been added which implements keeping LDK in sync with the chain via an esplora server (#1870). Note that it can only be used on nodes that never ran a previous version of LDK. Score
is updated inBackgroundProcessor
instead of viaRouter
(#1996).ChainAccess::get_utxo
(nowUtxoAccess
) can now be resolved async (#1980).- BOLT12
Offer
,InvoiceRequest
,Invoice
andRefund
structs as well as associated builders have been added. Such invoices cannot yet be paid due to missing support for blinded path payments (#1927, #1908, #1926). - A
lightning-custom-message
crate has been added to make combining multiple custom messages into one enum/handler easier (#1832). Event::PaymentPathFailed
is now generated for failure to send an HTLC over the first hop on our local channel (#2014, #2043).lightning-net-tokio
no longer requires anArc
onPeerManager
(#1968).ChannelManager::list_recent_payments
was added (#1873).lightning-background-processor
std
is now optional in async mode (#1962).create_phantom_invoice
can now be used inno-std
(#1985).- The required final CLTV delta on inbound payments is now configurable (#1878)
- bitcoind RPC error code and message are now surfaced in
block-sync
(#2057). - Get
historical_estimated_channel_liquidity_probabilities
was added (#1961). ChannelManager::fail_htlc_backwards_with_reason
was added (#1948).- Macros which implement serialization using TLVs or straight writing of struct fields are now public (#1823, #1976, #1977).
- Any inbound payments with a custom final CLTV delta will be rejected by LDK if you downgrade prior to receipt (#1878).
Event::PaymentPathFailed::network_update
will always beNone
if an 0.0.114-generated event is read by a prior version of LDK (#2043).Event::PaymentPathFailed::all_paths_failed
will always be false if an 0.0.114-generated event is read by a prior version of LDK. Users who rely on it to determine payment retries should migrate toEvent::PaymentFailed
, in a separate release prior to upgrading to LDK 0.0.114 if downgrading is supported (#2043).
- Channel data is now stored per-peer and channel updates across multiple peers can be operated on simultaneously (#1507).
- Routefinding is roughly 1.5x faster (#1799).
- Deserializing a
NetworkGraph
is roughly 6x faster (#2016). - Memory usage for a
NetworkGraph
has been reduced substantially (#2040). KeysInterface::get_secure_random_bytes
is roughly 200x faster (#1974).
- Fixed a bug where a delay in processing a
PaymentSent
event longer than the time taken to persist aChannelMonitor
update, when occurring immediately prior to a crash, may result in thePaymentSent
event being lost (#2048). - Fixed spurious rejections of rapid gossip sync data when the graph has been updated by other means between gossip syncs (#2046).
- Fixed a panic in
KeysManager
when the high bit ofstarting_time_nanos
is set (#1935). - Resolved an issue where the
ChannelManager::get_persistable_update_future
future would fail to wake until a second notification occurs (#2064). - Resolved a memory leak when using
ChannelManager::send_probe
(#2037). - Fixed a deadlock on some platforms at least when using async
ChannelMonitor
updating (#2006). - Removed debug-only assertions which were reachable in threaded code (#1964).
- In some cases when payment sending fails on our local channel retries no longer take the same path and thus never succeed (#2014).
- Retries for spontaneous payments have been fixed (#2002).
- Return an
Err
iflightning-persister
fails to read the directory listing rather than panicing (#1943). peer_disconnected
will now never be called withoutpeer_connected
(#2035)
0.0.114 fixes several denial-of-service vulnerabilities which are reachable from untrusted input from channel counterparties or in deployments accepting inbound connections or channels. It also fixes a denial-of-service vulnerability in rare cases in the route finding logic.
- The number of pending un-funded channels as well as peers without funded channels is now limited to avoid denial of service (#1988).
- A second
channel_ready
message received immediately after the first could lead to a spurious panic (#2071). This issue was introduced with 0conf support in LDK 0.0.107. - A division-by-zero issue was fixed in the
ProbabilisticScorer
if the amount being sent (including previous-hop fees) is equal to a channel's capacity while walking the graph (#2072). The division-by-zero was introduced with historical data tracking in LDK 0.0.112.
In total, this release features 130 files changed, 21457 insertions, 10113 deletions in 343 commits from 18 authors, in alphabetical order:
- Alec Chen
- Allan Douglas R. de Oliveira
- Andrei
- Arik Sosman
- Daniel Granhão
- Duncan Dean
- Elias Rohrer
- Jeffrey Czyz
- John Cantrell
- Kurtsley
- Matt Corallo
- Max Fang
- Omer Yacine
- Valentine Wallace
- Viktor Tigerström
- Wilmer Paulino
- benthecarman
- jurvis
ChannelManager::send_payment
now takes an explicitPaymentId
which is a loose idempotency token. Seesend_payment
docs for more (#1761, #1826).- HTLCs bound for SCIDs from
ChannelManager::get_intercept_scid
are now intercepted and can be forwarded manually over any channel (#1835, #1893). Confirm::get_relevant_txids
now returns aBlockHash
, expanding the set of cases wheretransaction_unconfirmed
must be called, see docs (#1796).- Pending outbound payments are no longer automatically timed-out a few blocks
after failure. Thus, in order to avoid leaking memory, you MUST call
ChannelManager::abandon_payment
when you no longer wish to retry (#1761). ChannelManager::abandon_payment
docs were updated to note that the payment may return to pending after a restart if no persistence occurs (#1907).Event::PaymentReceived
has been renamedEvent::PaymentClaimable
(#1891).Event
handling is now optionally async for Rust users (#1787).user_channel_id
is now au128
and random for inbound channels (#1790).- A new
ChannelReady
event is generated whenever a channel becomes ready to be used, i.e., after both sides sent thechannel_ready
message (#1743). NetworkGraph
now prunes channels where either node is offline for 2 weeks and refuses to accept re-announcements of pruned channels (#1735).- Onion messages are now read in
CustomOnionMessageHandler
rather than viaMaybeReadableArgs
(#1809). - Added a new util to generate an invoice with a custom hash (#1894) -
create_invoice_from_channelmanager_and_duration_since_epoch_with_payment_hash
Sign
ers are now by default re-derived usingKeysInterface
's newderive_channel_signer
rather thanread_chan_signer
(#1867).Confirm::transactions_confirmed
is now idempotent (#1861).ChannelManager::compute_inflight_htlcs
has been added to fetch in-flight HTLCs for scoring. Note thatInvoicePayer
does this for you (#1830).- Added
PaymentClaimable::via_channel_id
(#1856). - Added the
node_id
(phantom or regular) to payment events (#1766). - Added the funding transaction
confirmations
toChannelDetails
(#1856). BlindedRoute
has been renamedBlindedPath
(#1918).- Support for the BOLT 4 "legacy" onion format has been removed, in line with its removal in the spec and vanishingly rare use (#1413).
ChainMonitor::list_pending_monitor_updates
was added (#1834).- Signing for non-zero-fee anchor commitments is supported again (#1828).
- Several helpers for transaction matching and generation are now pub (#1839).
- Fixed a rare race where a crash may result in a pending HTLC not being failed backwards, leading to a force-closure by our counterparty (#1857).
- Avoid incorrectly assigning a lower-bound on channel liquidity when routing fails due to a closed channel earlier in the path (#1817).
- If a counterparty increases the channel fee, but not enough per our own fee estimator, we no longer force-close the channel (#1852).
- Several bugs in the
lightning-background-processor
future
feature were fixed, including requirements doc corrections (#1843, #1845, #1851). - Some failure messages sent back when failing an HTLC were corrected (#1895).
rapid-gossip-sync
no longer errors if an update is applied duplicatively or in rare cases when the graph is updated from payment failures (#1833).- Sending onion messages to a blinded path in which we're the introduction node no longer fails (#1791).
- No
ChannelReady
events will be generated for previously existing channels, including those which become ready after upgrading to 0.0.113 (#1743). - Once
UserConfig::accept_intercept_htlcs
is set, downgrades to LDK versions prior to 0.0.113 are not supported (#1835). - Existing payments may see a
PaymentClaimable::user_channel_id
of 0 (#1856) - When downgrading to a version of LDK prior to 0.0.113 when there are
resolved payments waiting for a small timeout, the payments may not be
removed, preventing payments with the same
PaymentId
(#1761).
In total, this release features 76 files changed, 11639 insertions, 6067 deletions in 210 commits from 18 authors, in alphabetical order:
- Antoine Riard
- Arik Sosman
- Devrandom
- Duncan Dean
- Elias Rohrer
- Gleb Naumenko
- Jeffrey Czyz
- John Cantrell
- Matt Corallo
- Tee8z
- Tobin C. Harding
- Tristan F
- Valentine Wallace
- Viktor Tigerström
- Wilmer Paulino
- benthecarman
- jurvis
- ssbright
Result<(), ChannelMonitorUpdateErr>
return values have been replaced with aChannelMonitorUpdateStatus
trinary enum. This better denotes thatChannelMonitorUpdateStatus::InProgress
is not an error, but asynchronous persistence of a monitor update. Note that asynchronous persistence still has some edge cases and is not yet recommended for production (#1106).ChannelMonitor
persistence failure no longer automatically broadcasts the latest commitment transaction. See theChannelMonitorUpdateStatus::PermanentFailure
docs for more info (#1106).*Features::known
has been replaced with individual*MessageHandler::provided_*_features
methods (#1707).OnionMessenger
now takes aCustomOnionMessageHandler
implementation, allowing you to send and receive custom onion messages (#1748).ProbabilisticScorer
now tracks the historical distribution of liquidity estimates for channels. See newhistorical_*
parameters inProbabilisticScoringParameters
for more details (#1625).lightning-block-sync
'sBlockSource
trait now supports BIP 157/158 filtering clients by returning only header data for some blocks (#1706).lightning-invoice
'sRouter
trait now accepts anInFlightHtlcs
to ensure we do not over-use a remote channel's funds during routing (#1694). Note that this was previously backported to 0.0.111 for bindings users.NetworkGraph::remove_stale_channels
has been renamedNetworkGraph::remove_stale_channels_and_tracking
asNetworkGraph
now refuses to re-add nodes and channels that were recently removed (#1649).- The
lightning-rapid-gossip-sync
crate now supportsno-std
(#1708). - The default
ProbabilisticScoringParameters::liquidity_offset_half_life
has been increased to six hours from one (#1754). - All commitment transaction building logic for anchor outputs now assumes the no-HTLC-tx-fee variant (#1685).
- A number of missing
Eq
implementations were added (#1763).
lightning-background-processor
now builds without error with thefutures
feature (#1744).ChannelManager::get_persistable_update_future
's returnedFuture
has been corrected to not fail to be awoken in some cases (#1758).- Asynchronously performing the initial
ChannelMonitor
persistence is now safe (#1678). - Redundantly applying rapid gossip sync updates no longer
Err
s (#1764). - Nodes which inform us via payment failures that they should no longer be used are now removed from the network graph. Some LND nodes spuriously generate this error and may remove themselves from our graph (#1649).
In total, this release features 134 files changed, 6598 insertions, 4370 deletions in 109 commits from 13 authors, in alphabetical order:
- Duncan Dean
- Elias Rohrer
- Gabriel Comte
- Gursharan Singh
- Jeffrey Czyz
- Jurvis Tan
- Matt Corallo
- Max Fang
- Paul Miller
- Valentine Wallace
- Viktor Tigerström
- Wilmer Paulino
- acid-bit
- Support for relaying onion messages has been added via a new
OnionMessenger
struct when passed as theOnionMessageHandler
to aPeerManager
. Pre-encoded onion messages can also be sent and received (#1503, #1650, #1652, #1688). - Rate-limiting of outbound gossip syncs has been rewritten to utilize less buffering inside LDK. The new rate-limiting is also used for onion messages to avoid delaying other messages (#1604. #1660, #1683).
- Rather than spawning a full OS thread,
lightning-background-processor
has a newprocess_events_async
method which takes the place of aBackgroundProcessor
for those using Rust's async (#1657). ChannelManager::get_persistable_update_future
has been added to block on a ChannelManager needing re-persistence in a Rust async environment (#1657).- The
Filter::register_output
return value has been removed, as it was very difficult to correctly implement (i.e., without blocking). Users previously using it should instead pass dependent transactions in via additionalchain::Confirm::transactions_confirmed
calls (#1663). ChannelHandshakeConfig::their_channel_reserve_proportional_millionths
has been added to allow configuring counterparty reserve values (#1619).KeysInterface::ecdh
has been added as an ECDH oracle (#1503, #1658).- The
rust-bitcoin
dependency has been updated 0.29 (#1658). - The
bitcoin_hashes
dependency has been updated 0.11 (#1677). ChannelManager::broadcast_node_announcement
has been moved toPeerManager
(#1699).channel_
andnode_announcement
s are now rebroadcast automatically to all new peers which connect (#1699).{Init,Node}Features
sent to peers/broadcasted are now fetched via the various*MessageHandler
traits, rather than hard-coded (#1701, #1688).Event::PaymentPathFailed::rejected_by_dest
has been renamedpayment_failed_permanently
(#1702).Invoice
now derives the stdHash
trait (#1575).{Signed,}RawInvoice::hash
have been renamedsignable_hash
(#1714).chain::AccessError
now derives the stdDebug
trait (#1709).ReadOnlyNetworkGraph::list_{channels,nodes}
have been added largely for users of downstream bindings (#1651).ChannelMonitor::get_counterparty_node_id
is now available (#1635).
- The script compared with that returned from
chain::Access
was incorrect ~half of the time, causing spurious gossip rejection (#1666). - Pending in-flight HTLCs are now considered when calculating new routes, ensuring, e.g. MPP retries do not take known-saturated paths (#1643).
- Counterparty-revoked outputs are now included in
get_claimable_balance
output via a newBalance::CounterpartyRevokedOutputClaimable
(#1495). - Inbound HTLCs for which we do not (yet) have a preimage are now included in
get_claimable_balance
via aBalance::MaybePreimageClaimableHTLC
(#1673). - Probes that fail prior to being sent over their first hop are correctly
failed with a
Event::ProbeFailed
rather than aPaymentPathFailed
(#1704). - Pending
Event::HTLCHandlingFailed
s are no longer lost on restart (#1700). - HTLCs that fail prior to being sent over their first hop are now marked as
retryable via
!PaymentPathFailed::payment_failed_permanently
(#1702). - Dust HTLCs are now considered failed in the payment tracking logic after the commitment transaction confirms, allowing retry on restart (#1691).
- On machines with buggy "monotonic" clocks, LDK will no longer panic if time goes backwards (#1692).
- The new
current_time
argument toPeerManager
constructors must be set to a UNIX timestamp for upgraded nodes; new nodes may use a counter (#1699). Balance::CounterpartyRevokedOutputClaimable
will never be generated for channels that were observed to go on-chain with LDK versions prior to 0.0.111 (#1495).ChannelMonitor::get_counterparty_node_id
will returnNone
for all channels opened on a version of LDK prior to 0.0.110 (#1635).- Setting
their_channel_reserve_proportional_millionths
to any value other than the default will cause LDK versions prior to 0.0.104 to be unable to read the serializedChannelManager
(#1619).
0.0.111 fixes a denial-of-service vulnerability which is reachable from untrusted input in deployments accepting 0conf channels, or via a race-condition in deployments creating outbound 0conf channels.
- LDK versions prior to 0.0.111 may spuriously panic when receiving a block if they are awaiting the construction of a funding transaction for a 0-conf channel (#1711). 0-conf support was added in LDK version 0.0.107.
In total, this release features 84 files changed, 6306 insertions, 1960 deletions in 121 commits from 11 authors, in alphabetical order:
- Arik Sosman
- Devrandom
- Duncan Dean
- Elias Rohrer
- Gursharan Singh
- Matt Corallo
- NicolaLS
- Valentine Wallace
- Viktor Tigerström
- jurvis
- ok300
ChannelManager::send_probe
andScore::probe_{failed,successful}
have been added to make probing more explicit, as well as newEvent::Probe{Failed,Successful}
events (#1567).ProbabilisticScoringParameters::banned_nodes
has been renamedmanual_node_penalties
and changed to take msat penalties (#1592).- Per-payment tracking of failed paths was added to enable configuration of
ProbabilisticScoringParameters::considered_impossible_penalty_msat
(#1600) ProbabilisticScoringParameters::base_penalty_amount_multiplier_msat
was added to allow a penalty that is only amount-dependent (#1617).ProbabilisticScoringParameters::amount_penalty_multiplier_msat
was renamedliquidity_penalty_amount_multiplier_msat
(#1617).- A new
Event::HTLCHandlingFailed
has been added which provides visibility into failures to forward/claim accepted HTLCs (#1403). - Support has been added for DNS hostnames in the
NetAddress
type, see BOLT PR #911 (#1553). GossipSync
now hasrapid
,p2p
, andnone
constructors (#1618).lightning-net-tokio
no longer requires types to be inArc
s (#1623).- The
htlc_maximum_msat
field is now required inChannelUpdate
gossip messages. In tests this rejects < 1% of channels (#1519). ReadOnlyNetworkGraph::{channel,node}
have been added to query for individual channel/node data, primarily for bindings users (#1543).FeeEstimator
implementations are now wrapped internally to ensure values below 253 sats/kW are never used (#1552).- Route selection no longer attempts to randomize path selection. This is unlikely to lead to a material change in the paths selected (#1610).
- Fixed a panic when deserializing
ChannelDetails
objects (#1588). - When routing, channels are no longer fully saturated before MPP splits are
generated, instead a configuration knob was added as
PaymentParameters::max_channel_saturation_power_of_half
(#1605). - Fixed a panic which occurred in
ProbabilisticScorer
when wallclock time goes backwards across a restart (#1603).
- All new fields are ignored by prior versions of LDK. All new fields are not present when reading objects serialized by prior versions of LDK.
- Channel information written in the
NetworkGraph
which is missinghtlc_maximum_msat
may be dropped on deserialization (#1519). - Similarly, node information written in the
NetworkGraph
which contains an invalid hostname may be dropped on deserialization (#1519).
In total, this release features 79 files changed, 2935 insertions, 1363 deletions in 52 commits from 9 authors, in alphabetical order:
- Duncan Dean
- Elias Rohrer
- Jeffrey Czyz
- Matt Corallo
- Max Fang
- Viktor Tigerström
- Willem Van Lint
- Wilmer Paulino
- jurvis
ChannelManager::update_channel_config
has been added to allow the fields inChannelConfig
to be changed in a given channel after open (#1527).- If we reconnect to a peer which proves we have a stale channel state, rather than force-closing we will instead panic to provide an opportunity to switch to the latest state and continue operating without channel loss (#1564).
- A
NodeAlias
struct has been added which handles string sanitization for node aliases via theDisplay
trait (#1544). ProbabilisticScoringParameters
now has abanned_nodes
set which we will never route through during path finding (#1550).ProbabilisticScoringParameters
now offers ananti_probing_penalty_msat
option to prefer channels which afford better privacy when routing (#1555).ProbabilisticScorer
now provides access to its estimated liquidity range for a given channel viaestimated_channel_liquidity_range
(#1549).ChannelManager::force_close_channel
has been renamedforce_close_broadcasting_latest_txn
andforce_close_without_broadcasting_txn
has been added (#1564).- Options which cannot be changed at runtime have been moved from
ChannelConfig
toChannelHandshakeConfig
(#1529). find_route
takes&NetworkGraph
instead of `ReadOnlyNetworkGraph (#1583).ChannelDetails
now contains a copy of the currentChannelConfig
(#1527).- The
lightning-invoice
crate now optionally depends onserde
, withInvoice
implementingserde::{Deserialize,Serialize}
if enabled (#1548). - Several fields in
UserConfig
have been renamed for clarity (#1540).
find_route
no longer selects routes with more thanPaymentParameters::max_mpp_path_count
paths, andChannelManager::send_payment
no longer refuses to send along routes with more than ten paths (#1526).- Fixed two cases where HTLCs pending at the time a counterparty broadcasts a revoked commitment transaction are considered resolved prior to their actual resolution on-chain, possibly passing the update to another channel (#1486).
- HTLCs which are relayed through LDK may now have a total expiry time two weeks in the future, up from one, reducing forwarding failures (#1532).
- All new fields are ignored by prior versions of LDK. All new fields are not present when reading objects serialized by prior versions of LDK.
ChannelConfig
's serialization format has changed and is not compatible with any previous version of LDK. Attempts to read values written by a previous version of LDK will fail and attempts to read newly written objects using a previous version of LDK will fail. It is not expected that users are serializingChannelConfig
using the LDK serialization API, however, if a backward compatibility wrapper is required, please open an issue.
0.0.109 fixes a denial-of-service vulnerability which is reachable from untrusted input in some application deployments.
- Third parties which are allowed to open channels with an LDK-based node may
fund a channel with a bogus and maliciously-crafted transaction which, when
spent, can cause a panic in the channel's corresponding
ChannelMonitor
. Such a channel is never usable as it cannot be funded with a funding transaction which matches the required output script, allowing theChannelMonitor
for such channels to be safely purged as a workaround on previous versions of LDK. Thanks to Eugene Siegel for reporting this issue.
In total, this release features 32 files changed, 1948 insertions, 532 deletions in 33 commits from 9 authors, in alphabetical order:
- Antoine Riard
- Daniel Granhão
- Elias Rohrer
- Jeffrey Czyz
- Matt Corallo
- Matt Faltyn
- NicolaLS
- Valentine Wallace
- Wilmer Paulino
- Fixed
lightning-background-processor
build in release mode.
In total, this release features 9 files changed, 120 insertions, 74 deletions in 5 commits from 4 authors, in alphabetical order:
- Elias Rohrer
- Matt Corallo
- Max Fang
- Viktor Tigerström
- Channels larger than 16777215 sats (Wumbo!) are now supported and can be
enabled for inbound channels using
ChannelHandshakeLimits::max_funding_satoshis
(#1425). - Support for feature
option_zeroconf
, allowing immediate forwarding of payments after channel opening. This is configured for outbound channels usingChannelHandshakeLimits::trust_own_funding_0conf
whereasChannelManager::accept_inbound_channel_from_trusted_peer_0conf
has to be used for accepting inbound channels (#1401, #1505). ChannelManager::claim_funds
no longer returns abool
to indicate success. Instead, anEvent::PaymentClaimed
is generated if the claim was successful. Likewise,ChannelManager::fail_htlc_backwards
no longer has a return value (#1434).lightning-rapid-gossip-sync
is a new crate for syncing gossip data from a server, primarily aimed at mobile devices (#1155).RapidGossipSync
can be passed toBackgroundProcessor
in order to persist theNetworkGraph
and handleNetworkUpdate
s during event handling (#1433, #1517).NetGraphMsgHandler
has been renamed toP2PGossipSync
, thenetwork_graph
module has been renamed togossip
, andNetworkUpdate::ChannelClosed
has been renamedNetworkUpdate::ChannelFailure
(#1159).- Added a
filtered_block_connected
method tochain::Listen
and a default implementation ofblock_connected
for those fetching filtered instead of full blocks (#1453). - The
lightning-block-sync
crate'sBlockSource
trait methods now take&self
instead of&mut self
(#1307). inbound_payment
module is now public to allow for creating invoices without aChannelManager
(#1384).lightning-block-sync
'sinit
andpoll
modules support&dyn BlockSource
which can be determined at runtime (#1423).lightning-invoice
crate'sutils
now accept an expiration time (#1422, #1474).Event::PaymentForwarded
includesprev_channel_id
andnext_channel_id
(#1419, #1475).chain::Watch::release_pending_monitor_events
' return type now associatesMonitorEvent
s with fundingOutPoints
(#1475).lightning-background-processor
crate'sPersister
trait has been moved tolightning
crate'sutil::persist
module, which now has a generalKVStorePersister
trait. Blanket implementations ofPersister
andchainmonitor::Persist
are given for types implementingKVStorePersister
.lightning-persister
'sFilesystemPersister
implementsKVStorePersister
(#1417).ChannelDetails
andChannelCounterparty
include fields for HTLC minimum and maximum values (#1378).- Added a
max_inbound_htlc_value_in_flight_percent_of_channel
field toChannelHandshakeConfig
, capping the total value of outstanding inbound HTLCs for a channel (#1444). ProbabilisticScorer
is parameterized by aLogger
, which it uses to log channel liquidity updates or lack thereof (#1405).ChannelDetails
has anoutbound_htlc_limit_msat
field, which should be used in routing instead ofoutbound_capacity_msat
(#1435).ProbabilisticScorer
's channel liquidities can be logged viadebug_log_liquidity_stats
(#1460).BackgroundProcessor
now takes an optionalWriteableScore
which it will persist using thePersister
trait's newpersist_scorer
method (#1416).- Upgraded to
bitcoin
crate version 0.28.1 (#1389). ShutdownScript::new_witness_program
now takes aWitnessVersion
instead of aNonZeroU8
(#1389).- Channels will no longer be automatically force closed when the counterparty is disconnected due to incompatibility (#1429).
ChannelManager
methods for funding, accepting, and closing channels now take acounterparty_node_id
parameter, which has also been added as a field toEvent::FundingGenerationReady
(#1479, #1485).InvoicePayer::new
now takes aRetry
enum (replacing theRetryAttempts
struct), which supports both attempt- and timeout-based retrying (#1418).Score::channel_penalty_msat
takes aChannelUsage
struct, which contains the capacity as anEffectiveCapacity
enum and any potential in-flight HTLC value, rather than a singleu64
. Used byProbabilisticScorer
for more accurate penalties (#1456).build_route_from_hops
is a new function useful for constructing aRoute
given a specific list of public keys (#1491).FundingLocked
message has been renamedChannelReady
, and related identifiers have been renamed accordingly (#1506).core2::io
orstd::io
(depending on feature flagsno-std
orstd
) is exported as alightning::io
module (#1504).- The deprecated
Scorer
has been removed in favor orProbabilisticScorer
(#1512).
lightning-persister
crate'sFilesystemPersister
is faster by 15x (#1404).- Log gossip query messages at
GOSSIP
instead ofTRACE
to avoid overwhelming default logging (#1421). PeerManager
supports processing messages from different peers in parallel, and this is taken advantage of in gossip processing (#1023).- Greatly reduced per-channel and per-node memory usage due to upgrade of
secp256k1
crate to 0.22.1 andbitcoin
crate to 0.28.1 - Reduced per-peer memory usage in
PeerManager
(#1472).
find_route
now assumes variable-length onions by default for nodes where support for the feature is unknown (#1414).- A
warn
message is now sent when receiving achannel_reestablish
with an old commitment transaction number rather than immediately force-closing the channel (#1430). - When a
channel_update
message is included in an onion error'sfailuremsg
, its message type is now encoded. Reading such messages is also supported (#1465).
- Fixed a bug where crashing while persisting a
ChannelMonitorUpdate
for a part of a multi-path payment could cause loss of funds due to a partial payment claim on restart (#1434). BackgroundProcessor
has been fixed to improve serialization reliability on slow systems which can avoid force-closes (#1436).gossip_timestamp_filter
filters are now honored when sending gossip to peers (#1452).- During a reorg, only force-close a channel if its funding transaction is unconfirmed rather than as it loses confirmations (#1461).
- Fixed a rare panic in
lightning-net-tokio
when fetching a peer's socket address after the connection has been closed caused by a race condition (#1449). find_route
will no longer return routes that would cause onion construction to fail in some cases (#1476).ProbabilisticScorer
uses more precision when approximatinglog10
(#1406).
- All above new events/fields are ignored by prior clients. All above new events/fields are not present when reading objects serialized by prior versions of the library.
ChannelManager
serialization is no longer compatible with versions prior to 0.0.99 (#1401).- Channels with
option_zeroconf
feature enabled (not required for 0-conf channel use) will be unreadable by versions prior to 0.0.107 (#1401, #1505).
In total, this release features 96 files changed, 9304 insertions, 4503 deletions in 153 commits from 18 authors, in alphabetical order:
- Arik Sosman
- Devrandom
- Duncan Dean
- Elias Rohrer
- Jeffrey Czyz
- John Cantrell
- John Corser
- Jurvis Tan
- Justin Moon
- KaFai Choi
- Matt Faltyn
- Matt Corallo
- Valentine Wallace
- Viktor Tigerström
- Vincenzo Palazzo
- atalw
- dependabot[bot]
- shamardy
- Minimum supported rust version (MSRV) is now 1.41.1 (#1310).
- Lightning feature
option_scid_alias
is now supported and may be negotiated when opening a channel with a peer. It can be configured viaChannelHandshakeConfig::negotiate_scid_privacy
and is off by default but will be on by default in the future (#1351). OpenChannelRequest
now has achannel_type
field indicating the features the channel will operate with and should be used to filter channels with undesirable features (#1351). See the Serialization Compatibility section.ChannelManager
supports sending and receiving short channel id aliases in thefunding_locked
message. These are used when forwarding payments and constructing invoice route hints for improved privacy.ChannelDetails
has ainbound_scid_alias
field and aget_inbound_payment_scid
method to support the latter (#1311).DefaultRouter
andfind_route
take an additional random seed to improve privacy by adding a random CLTV expiry offset to each path's final hop. This helps obscure the intended recipient from adversarial intermediate hops (#1286). The seed is also used to randomize candidate paths during route selection (#1359).- The
lightning-block-sync
crate'sinit::synchronize_listeners
method interface has been relaxed to support multithreaded environments (#1349). ChannelManager::create_inbound_payment_for_hash
's documentation has been corrected to remove the one-year restriction oninvoice_expiry_delta_secs
, which is only applicable to the deprecatedcreate_inbound_payment_legacy
andcreate_inbound_payment_for_hash_legacy
methods (#1341).Features
mutator methods now takeself
by reference instead of by value (#1331).- The CLTV of the last hop in a path is now included when comparing against
RouteParameters::max_total_cltv_expiry_delta
(#1358). - Invoice creation functions in
lightning-invoice
crate'sutils
module include versions that accept a description hash instead of only a description (#1361). RoutingMessageHandler::sync_routing_table
has been renamedpeer_connected
(#1368).MessageSendEvent::SendGossipTimestampFilter
has been added to indicate that agossip_timestamp_filter
should be sent (#1368).PeerManager
takes an optionalNetAddress
innew_outbound_connection
andnew_inbound_connection
, which is used to report back the remote address to the connecting peer in theinit
message (#1326).ChannelManager::accept_inbound_channel
now takes auser_channel_id
, which is used in a similar manner as in outbound channels. (#1381).BackgroundProcessor
now persistsNetworkGraph
on a timer and upon shutdown as part of a newPersister
trait, which also includesChannelManager
persistence (#1376).ProbabilisticScoringParameters
now has abase_penalty_msat
option, which default to 500 msats. It is applied at each hop to help avoid longer paths (#1375).ProbabilisticScoringParameters::liquidity_penalty_multiplier_msat
's default value is now 40,000 msats instead of 10,000 msats (#1375).- The
lightning
crate has agrind_signatures
feature used to produce signatures with low r-values for more predictable transaction weight. This feature is on by default (#1388). ProbabilisticScoringParameters
now has aamount_penalty_multiplier_msat
option, which is used to further penalize large amounts (#1399).PhantomRouteHints
,FixedPenaltyScorer
, andScoringParameters
now implementClone
(#1346).
- Fixed a compilation error in
ProbabilisticScorer
under--feature=no-std
(#1347). - Invoice creation functions in
lightning-invoice
crate'sutils
module filter invoice hints in order to limit the invoice size (#1325). - Fixed a bug where a
funding_locked
message was delayed by a block if the funding transaction was confirmed while offline, depending on the ordering ofConfirm::transactions_confirmed
calls when brought back online (#1363). - Fixed a bug in
NetGraphMsgHandler
where it didn't continue to receive gossip messages from peers after initial connection (#1368, #1382). ChannelManager::timer_tick_occurred
will now timeout a received multi-path payment (MPP) after three ticks if not received in full instead of waiting until near the HTLC timeout block(#1353).- Fixed an issue with
find_route
causing it to be overly aggressive in using MPP over channels to the same first hop (#1370). - Reduced time spent processing
channel_update
messages by checking signatures after checking if no newer messages have already been processed (#1380). - Fixed a few issues in
find_route
which caused preferring paths with a higher cost (#1398). - Fixed an issue in
ProbabilisticScorer
where a channel with not enough liquidity could still be used when retrying a failed payment if it was on a path with an overall lower cost (#1399).
- Channels open with
option_scid_alias
negotiated will be incompatible with prior releases (#1351). This may occur in the following cases:- Outbound channels when
ChannelHandshakeConfig::negotiate_scid_privacy
is enabled. - Inbound channels when automatically accepted from an
OpenChannel
message with achannel_type
that hasChannelTypeFeatures::supports_scid_privacy
return true. SeeUserConfig::accept_inbound_channels
. - Inbound channels when manually accepted from an
OpenChannelRequest
with achannel_type
that hasChannelTypeFeatures::supports_scid_privacy
return true. SeeUserConfig::manually_accept_inbound_channels
.
- Outbound channels when
In total, this release features 43 files changed, 4052 insertions, 1274 deletions in 75 commits from 11 authors, in alphabetical order:
- Devrandom
- Duncan Dean
- Elias Rohrer
- Jeffrey Czyz
- Jurvis Tan
- Luiz Parreira
- Matt Corallo
- Omar Shamardy
- Viktor Tigerström
- dependabot[bot]
- psycho-pirate
Phantom node
payments are now supported, allowing receipt of a payment on any one of multiple nodes without any coordination across the nodes being required. See the newPhantomKeysManager
's docs for more, as well as requirements onKeysInterface::get_inbound_payment_key_material
andlightning_invoice::utils::create_phantom_invoice
(#1199).- In order to support phantom node payments, several
KeysInterface
methods now accept aRecipient
parameter to select between the localnode_id
and a phantom-specific one. ProbabilisticScorer
, aScore
based on learning the current balances of channels in the network, was added. It attempts to better capture payment success probability than the existingScorer
, though may underperform on nodes with low payment volume. We welcome feedback on performance (#1227).Score::channel_penalty_msat
now always takes the channel value, instead of anOption
(#1227).UserConfig::manually_accept_inbound_channels
was added which, when set, generates a newEvent::OpenChannelRequest
, which allows manual acceptance or rejection of incoming channels on a per-channel basis (#1281).Payee
has been renamed toPaymentParameters
(#1271).PaymentParameters
now has amax_total_cltv_expiry_delta
field. This defaults to 1008 and limits the maximum amount of time an HTLC can be pending before it will either fail or be claimed (#1234).- The
lightning-invoice
crate now supports no-std environments. This required numerous API changes around timestamp handling and std+no-std versions of several methods that previously assumed knowledge of the time (#1223, #1230). lightning-invoice
now supports parsing invoices with expiry times of more than one year. This required changing the semantics ofExpiryTime
(#1273).- The
CounterpartyCommitmentSecrets
is now public, allowing external uses of theBOLT 3
secret storage scheme (#1299). - Several
Sign
methods now receive HTLC preimages as proof of state transition, see new documentation for more (#1251). KeysInterface::sign_invoice
now provides the HRP and other invoice data separately to make it simpler for external signers to parse (#1272).Sign::sign_channel_announcement
now returns both the node's signature and the per-channel signature.InMemorySigner
now requires the node's secret key in order to implement this (#1179).ChannelManager
deserialization will now fail if theKeysInterface
used has a differentnode_id
than theChannelManager
expects (#1250).- A new
ErrorAction
variant was added to sendwarning
messages (#1013). - Several references to
chain::Listen
objects inlightning-block-sync
no longer require a mutable reference (#1304).
- Fixed a regression introduced in 0.0.104 where
ChannelManager
's internal locks could have an order violation leading to a deadlock (#1238). - Fixed cases where slow code (including user I/O) could cause us to
disconnect peers with ping timeouts in
BackgroundProcessor
(#1269). - Now persist the
ChannelManager
prior toBackgroundProcessor
stopping, preventing race conditions where channels are closed on startup even with a clean shutdown. This requires that users stop network processing and disconnect peers prior toBackgroundProcessor
shutdown (#1253). - Fields in
ChannelHandshakeLimits
provided via theoverride_config
tocreate_channel
are now applied instead of the default config (#1292). - Fixed the generation of documentation on docs.rs to include API surfaces which are hidden behind feature flags (#1303).
- Added the
channel_type
field toaccept_channel
messages we send, which may avoid some future compatibility issues with other nodes (#1314). - Fixed a bug where, if a previous LDK run using
lightning-persister
crashed while persisting updated data, we may have failed to initialize (#1332). - Fixed a rare bug where having both pending inbound and outbound HTLCs on a
just-opened inbound channel could cause
ChannelDetails::balance_msat
to underflow and be reported as large, or cause panics in debug mode (#1268). - Moved more instances of verbose gossip logging from the
Trace
level to theGossip
level (#1220). - Delayed
announcement_signatures
until the channel has six confirmations, slightly improving propagation of channel announcements (#1179). - Several fixes in script and transaction weight calculations when anchor outputs are enabled (#1229).
- Using
ChannelManager
data written by versions prior to 0.0.105 will result in preimages for HTLCs that were pending at startup to be missing in calls toKeysInterface
methods (#1251). - Any phantom invoice payments received on a node that is not upgraded to 0.0.105 will fail with an "unknown channel" error. Further, downgrading to 0.0.104 or before and then upgrading again will invalidate existing phantom SCIDs which may be included in invoices (#1199).
0.0.105 fixes two denial-of-service vulnerabilities which may be reachable from untrusted input in certain application designs.
- Route calculation spuriously panics when a routing decision is made for a path where the second-to-last hop is a private channel, included due to a multi-hop route hint in an invoice.
ChannelMonitor::get_claimable_balances
spuriously panics in some scenarios when the LDK application's local commitment transaction is confirmed while HTLCs are still pending resolution.
In total, this release features 109 files changed, 7270 insertions, 2131 deletions in 108 commits from 15 authors, in alphabetical order:
- Conor Okus
- Devrandom
- Elias Rohrer
- Jeffrey Czyz
- Jurvis Tan
- Ken Sedgwick
- Matt Corallo
- Naveen
- Tibo-lg
- Valentine Wallace
- Viktor Tigerström
- dependabot[bot]
- hackerrdave
- naveen
- vss96
- A
PaymentFailed
event is now provided to indicate a payment has failed fully. This event is generated either afterChannelManager::abandon_payment
is called for a given payment, or the payment times out, and there are no further pending HTLCs for the payment. This event should be used to detect payment failure instead ofPaymentPathFailed::all_paths_failed
, unless no payment retries occur viaChannelManager::retry_payment
(#1202). - Payment secrets are now generated deterministically using material from
the new
KeysInterface::get_inbound_payment_key_material
(#1177). - A
PaymentPathSuccessful
event has been added to ease passing success info to a scorer, along with aScore::payment_path_successful
method to accept such info (#1178, #1197). Score::channel_penalty_msat
has additional arguments describing the channel's capacity and the HTLC amount being sent over the channel (#1166).- A new log level
Gossip
has been added, which is used for verbose information generated during network graph sync. Enabling themax_level_trace
feature or ignoringGossip
log entries reduces log growth during initial start up from many GiB to several MiB (#1145). - The
allow_wallclock_use
feature has been removed in favor of only using thestd
andno-std
features (#1212). NetworkGraph
can now remove channels that we haven't heard updates for in two weeks withNetworkGraph::remove_stale_channels{,with_time}
. The first is called automatically if aNetGraphMsgHandler
is passed toBackgroundProcessor::start
(#1212).InvoicePayer::pay_pubkey
was added to enable sending "keysend" payments to supported recipients, using theInvoicePayer
to handle retires (#1160).user_payment_id
has been removed fromPaymentPurpose
, andChannelManager::create_inbound_payment{,_for_hash}
(#1180).- Updated documentation for several
ChannelManager
functions to remove stale references to panics which no longer occur (#1201). - The
Score
andLockableScore
objects have moved into therouting::scoring
module instead of being in therouting
module (#1166). - The
Time
parameter toScorerWithTime
is no longer longer exposed, instead being fixed based on thestd
/no-std
feature (#1184). ChannelDetails::balance_msat
was added to fetch a channel's balance without subtracting the reserve values, lining up with on-chain claim amounts less on-chain fees (#1203).- An explicit
UserConfig::accept_inbound_channels
flag is now provided, removing the need to setmin_funding_satoshis
to > 21 million BTC (#1173). - Inbound channels that fail to see the funding transaction confirm within
2016 blocks are automatically force-closed with
ClosureReason::FundingTimedOut
(#1083). - We now accept a channel_reserve value of 0 from counterparties, as it is insecure for our counterparty but not us (#1163).
NetAddress::OnionV2
parsing was removed as version 2 onion services are no longer supported in modern Tor (#1204).- Generation and signing of anchor outputs is now supported in the
KeysInterface
, though no support for them exists in the channel itself (#1176)
- Fixed a race condition in
InvoicePayer
where paths may be retried after the retry count has been exceeded. In this case theEvent::PaymentPathFailed::all_paths_failed
field is not a reliable payment failure indicator. There was no acceptable alternative indicator,Event::PaymentFailed
as been added to provide one (#1202). - Reduced the blocks-before-timeout we expect of outgoing HTLCs before refusing to forward. This check was overly strict and resulted in refusing to forward som HTLCs to a next hop that had a lower security threshold than us (#1119).
- LDK no longer attempt to update the channel fee for outbound channels when we cannot afford the new fee. This could have caused force-closure by our channel counterparty (#1054).
- Fixed several bugs which may have prevented the reliable broadcast of our own channel announcements and updates (#1169).
- Fixed a rare bug which may have resulted in spurious route finding failures when using last-hop hints and MPP with large value payments (#1168).
KeysManager::spend_spendable_outputs
no longer adds a change output that is below the dust threshold for non-standard change scripts (#1131).- Fixed a minor memory leak when attempting to send a payment that fails due
to an error when updating the
ChannelMonitor
(#1143). - Fixed a bug where a
FeeEstimator
that returns values rounded to the next sat/vbyte may result in force-closures (#1208). - Handle MPP timeout HTLC error codes, instead of considering the recipient to have sent an invalid error, removing them from the network graph (#1148)
- All above new events/fields are ignored by prior clients. All above new events/fields are not present when reading objects serialized by prior versions of the library.
- Payment secrets are now generated deterministically. This reduces the memory
footprint for inbound payments, however, newly-generated inbound payments
using
ChannelManager::create_inbound_payment{,_for_hash}
will not be receivable using versions prior to 0.0.104.ChannelManager::create_inbound_payment{,_for_hash}_legacy
are provided for backwards compatibility (#1177). PaymentPurpose::InvoicePayment::user_payment_id
will be 0 when reading objects written with 0.0.104 when read by 0.0.103 and previous (#1180).
In total, this release features 51 files changed, 5356 insertions, 2238 deletions in 107 commits from 9 authors, in alphabetical order:
- Antoine Riard
- Conor Okus
- Devrandom
- Duncan Dean
- Elias Rohrer
- Jeffrey Czyz
- Ken Sedgwick
- Matt Corallo
- Valentine Wallace
- This release is almost entirely focused on a new API in the
lightning-invoice
crate - theInvoicePayer
.InvoicePayer
is a struct which takes a reference to aChannelManager
and aRouter
and retries payments as paths fail. It limits retries to a configurable number, but is not serialized to disk and may retry additional times across a serialization/load. In order to learn about failed payments, it must receiveEvent
s directly from theChannelManager
, wrapping a user-providedEventHandler
which it provides all unhandled events to (#1059). get_route
has been renamedfind_route
(#1059) and now takes aRouteParameters
struct in replacement of a number of its long list of arguments (#1134). ThePayee
in theRouteParameters
is stored in theRoute
object returned and provided in theRouteParameters
contained inEvent::PaymentPathFailed
(#1059).ChannelMonitor
s must now be persisted after calls that provide new block data, prior toMonitorEvent
s being passed back toChannelManager
for processing. If you are using aChainMonitor
this is handled for you. ThePersist
API has been updated toOption
ally take theChannelMonitorUpdate
as persistence events that result from chain data no longer have a corresponding update (#1108).routing::Score
now has apayment_path_failed
method which it can use to learn which channels often fail payments. It is automatically called byInvoicePayer
for failed payment paths (#1144).- The default
Scorer
implementation is now a type alias to a type generic across different clocks and supports serialization to persist scoring data across restarts (#1146). Event::PaymentSent
now includes the full fee which was spent across all payment paths which were fulfilled or pending when the payment was fulfilled (#1142).Event::PaymentSent
andEvent::PaymentPathFailed
now include thePaymentId
which matches thePaymentId
returned fromChannelManager::send_payment
orInvoicePayer::pay_invoice
(#1059).NetGraphMsgHandler
now takes aDeref
to theNetworkGraph
, allowing for shared references to the graph data to make serialization and references to the graph data in theInvoicePayer
'sRouter
simpler (#1149).routing::Score::channel_penalty_msat
has been updated to provide theNodeId
of both the source and destination nodes of a channel (#1133).
- Previous versions would often disconnect peers during initial graph sync due to ping timeouts while processing large numbers of gossip messages. We now delay disconnecting peers if we receive messages from them even if it takes a while to receive a pong from them. Further, we avoid sending too many gossip messages between pings to ensure we should always receive pongs in a timely manner (#1137).
- If a payment was sent, creating an outbound HTLC and sending it to our
counterparty (implying the
ChannelMonitor
was persisted on disk), but theChannelManager
was not persisted prior to shutdown/crash, noEvent::PaymentPathFailed
event was generated if the HTLC was eventually failed on chain. Events are now consistent irrespective ofChannelManager
persistence or non-persistence (#1104).
- All above new Events/fields are ignored by prior clients. All above new Events/fields are not present when reading objects serialized by prior versions of the library.
- Payments for which a
Route
was generated using a previous version or for which the payment was originally sent by a previous version of the library will not be retried by anInvoicePayer
.
This release was singularly focused and some contributions by third parties were delayed. In total, this release features 38 files changed, 4414 insertions, and 969 deletions in 71 commits from 2 authors, in alphabetical order:
- Jeffrey Czyz
- Matt Corallo
get_route
now takes aScore
as an argument.Score
is queried during the route-finding process, returning the absolute amounts which you are willing to pay to avoid routing over a given channel. As a default, aScorer
is provided which returns a constant amount, with a suggested default of 500 msat. This translates to a willingness to pay up to 500 msat in additional fees per hop in order to avoid additional hops (#1124).Event::PaymentPathFailed
now contains ashort_channel_id
field which may be filled in with a channel that can be "blamed" for the payment failure. Payment retries should likely avoid the given channel for some time (#1077).PublicKey
s inNetworkGraph
have been replaced with aNodeId
struct which contains only a simple[u8; 33]
, substantially improvingNetworkGraph
deserialization performance (#1107).ChainMonitor
'sHashMap
ofChannelMonitor
s is now private, exposed viaChainmonitor::get_monitor
andChainMonitor::list_monitors
instead (#1112).- When an outbound channel is closed prior to the broadcasting of its funding
transaction, but after you call
ChannelManager::funding_transaction_generated
, a new event type,Event::DiscardFunding
, is generated, informing you the transaction was not broadcasted and that you can spend the same inputs again elsewhere (#1098). ChannelManager::create_channel
now returns the temporary channel ID which may later appear inEvent::ChannelClosed
orChannelDetails
prior to the channel being funded (#1121).Event::PaymentSent
now contains the payment hash as well as the payment preimage (#1062).ReadOnlyNetworkGraph::get_addresses
now returns ownedNetAddress
rather than references. As a side-effect this method is now exposed in foreign language bindings (#1115).- The
Persist
andChannelMonitorUpdateErr
types have moved to thelightning::chain::chainmonitor
andlightning::chain
modules, respectively (#1112). ChannelManager::send_payment
now returns aPaymentId
which identifies a payment (whether MPP or not) and can be used to retry the full payment or MPP parts throughretry_payment
(#1096). Note that doing so is currently not crash safe, and you may find yourself sending twice. It is recommended that you not use theretry_payment
API until the next release.
- Due to an earlier fix for the Lightning dust inflation vulnerability tracked in CVE-2021-41591/CVE-2021-41592/CVE-2021-41593 in 0.0.100, we required counterparties to accept a dust limit slightly lower than the dust limit now required by other implementations. This appeared as, at least, latest lnd always refusing to accept channels opened by LDK clients (#1065).
- If there are multiple channels available to the same counterparty,
get_route
would only consider the channel listed last as available for sending (#1100). Persist
implementations returningChannelMonitorUpdateErr::TemporaryFailure
fromwatch_channel
previously resulted in theChannelMonitor
not being stored at all, resulting in a panic after monitor updating is complete (#1112).- If payments are pending awaiting forwarding at startup, an
Event::PendingHTLCsForwardable
event will always be provided. This ensures user code callsChannelManager::process_pending_htlc_fowards
even if it shut down while awaiting the batching timer during the previous run (#1076). - If a call to
ChannelManager::send_payment
failed due to lack of availability of funds locally, LDK would store the payment as pending forever, with no ability to retry or fail it, leaking memory (#1109).
- All above new Events/fields are ignored by prior clients. All above new
Events/fields, except for
Event::PaymentSent::payment_hash
are not present when reading objects serialized by prior versions of the library.
In total, this release features 32 files changed, 2248 insertions, and 1483 deletions in 51 commits from 7 authors, in alphabetical order:
- 1nF0rmed
- Duncan Dean
- Elias Rohrer
- Galder Zamarreño
- Jeffrey Czyz
- Matt Corallo
- Valentine Wallace
- Custom message types are now supported directly in the
PeerManager
, allowing you to send and receive messages of any type that is not natively understood by LDK. This requires a new type bound onPeerManager
, aCustomMessageHandler
.IgnoringMessageHandler
provides a simple default for this new bound for ignoring unknown messages (#1031, #1074). - Route graph updates as a result of failed payments are no longer provided as
MessageSendEvent::PaymentFailureNetworkUpdate
but instead included in a new field in theEvent::PaymentFailed
events. Generally, this means route graph updates are no longer handled as a part of thePeerManager
but instead through the newEventHandler
implementation forNetGraphMsgHandler
. To make this easy, a new parameter tolightning-background-processor::BackgroundProcessor::start
is added, which contains anOption
alNetGraphmsgHandler
. If provided asSome
, relevant events will be processed by theNetGraphMsgHandler
prior to normal event handling (#1043). NetworkGraph
is now, itself, thread-safe. Accordingly, most functions now take&self
instead of&mut self
and the graph data can be accessed throughNetworkGraph.read_only
(#1043).- The balances available on-chain to claim after a channel has been closed are
now exposed via
ChannelMonitor::get_claimable_balances
andChainMonitor::get_claimable_balances
. The second can be used to get information about all closed channels which still have on-chain balances associated with them. See enum variants ofln::channelmonitor::Balance
and method documentation for the above methods for more information on the types of balances exposed (#1034). - When one HTLC of a multi-path payment fails, the new field
all_paths_failed
inEvent::PaymentFailed
is set tofalse
. This implies that the payment has not failed, but only one part. Payment resolution is only indicated by anEvent::PaymentSent
event or anEvent::PaymentFailed
withall_paths_failed
set totrue
, which is also set for the last remaining part of a multi-path payment (#1053). - To better capture the context described above,
Event::PaymentFailed
has been renamed toEvent::PaymentPathFailed
(#1084). - A new event,
ChannelClosed
, is provided byChannelManager
when a channel is closed, including a reason and error message (if relevant, #997). lightning-invoice
now considers invoices with sub-millisatoshi precision to be invalid, and requires millisatoshi values during construction (thus you must callamount_milli_satoshis
instead ofamount_pico_btc
, #1057).- The
BaseSign
interface now includes two new hooks which provide additional information about commitment transaction signatures and revocation secrets provided by our counterparty, allowing additional verification (#1039). - The
BaseSign
interface now includes additional information for cooperative close transactions, making it easier for a signer to verify requests (#1064). Route
has two additional helper methods to get fees and amounts (#1063).Txid
andTransaction
objects can now be deserialized from responses when using the HTTP client in thelightning-block-sync
crate (#1037, #1061).
- Fix a panic when reading a lightning invoice with a non-recoverable signature. Further, restrict lightning invoice parsing to require payment secrets and better handle a few edge cases as required by BOLT 11 (#1057).
- Fix a panic when receiving multiple messages (such as HTLC fulfill messages)
after a call to
chain::Watch::update_channel
returnedErr(ChannelMonitorUpdateErr::TemporaryFailure)
with noChannelManager::channel_monitor_updated
call in between (#1066). - For multi-path payments,
Event::PaymentSent
is no longer generated multiple times, once for each independent part (#1053). - Multi-hop route hints in invoices are now considered in the default router
provided via
get_route
(#1040). - The time peers have to respond to pings has been increased when building with debug assertions enabled. This avoids peer disconnections on slow hosts when running in debug mode (#1051).
- The timeout for the first byte of a response for requests from the
lightning-block-sync
crate has been increased to 300 seconds to better handle the long hangs in Bitcoin Core when it syncs to disk (#1090).
- Due to a bug in 0.0.100,
Event
s written by 0.0.101 which are of a type not understood by 0.0.100 may lead toErr(DecodeError::InvalidValue)
or corrupt deserialized objects in 0.100. SuchEvent
s will lead to anErr(DecodeError::InvalidValue)
in versions prior to 0.0.100. The only such new event written by 0.0.101 isEvent::ChannelClosed
(#1087). - Payments that were initiated in versions prior to 0.0.101 may still
generate duplicate
PaymentSent
Event
s or may have spurious values forEvent::PaymentPathFailed::all_paths_failed
(#1053). - The return values of
ChannelMonitor::get_claimable_balances
(and, thus,ChainMonitor::get_claimable_balances
) may be spurious for channels where the spend of the funding transaction appeared on chain while running a version prior to 0.0.101.Balance
information should only be relied upon for channels that were closed while running 0.0.101+ (#1034). - Payments failed while running versions prior to 0.0.101 will never have a
Some
for thenetwork_update
field (#1043).
In total, this release features 67 files changed, 4980 insertions, 1888 deletions in 89 commits from 12 authors, in alphabetical order:
- Antoine Riard
- Devrandom
- Galder Zamarreño
- Giles Cope
- Jeffrey Czyz
- Joseph Goulden
- Matt Corallo
- Sergi Delgado Segura
- Tibo-lg
- Valentine Wallace
- abhik-99
- vss96
- The
lightning
crate can now be built in no_std mode, making it easy to target embedded hardware for rust users. Note that mutexes are replaced with no-ops for such builds (#1008, #1028). - LDK now supports sending and receiving "keysend" payments. This includes
modifications to
lightning::util::events::Event::PaymentReceived
to indicate the type of payment (#967). - A new variant,
lightning::util::events::Event::PaymentForwarded
has been added which indicates a forwarded payment has been successfully claimed and we've received a forwarding fee (#1004). lightning::chain::keysinterface::KeysInterface::get_shutdown_pubkey
has been renamed toget_shutdown_scriptpubkey
, returns a script, and is now called on channel open only iflightning::util::config::ChannelConfig::commit_upfront_shutdown_pubkey
is set (#1019).- Closing-signed negotiation is now more configurable, with an explicit
lightning::util::config::ChannelConfig::force_close_avoidance_max_fee_satoshis
field allowing you to select the maximum amount you are willing to pay to avoid a force-closure. Further, we are now less restrictive on the fee placed on the closing transaction when we are not the party paying it. To control the feerate paid on a channel at close-time, useChannelManager::close_channel_with_target_feerate
instead ofclose_channel
(#1011). lightning_background_processor::BackgroundProcessor
now stops the background thread when dropped (#1007). It is marked#[must_use]
so that Rust users will receive a compile-time warning when it is immediately dropped after construction (#1029).- Total potential funds burn on force-close due to dust outputs is now limited
to
lightning::util::config::ChannelConfig::max_dust_htlc_exposure_msat
per channel (#1009). - The interval on which
lightning::ln::peer_handler::PeerManager::timer_tick_occurred
should be called has been reduced to once every five seconds (#1035) andlightning::ln::channelmanager::ChannelManager::timer_tick_occurred
should now be called on startup in addition to once per minute (#985). - The rust-bitcoin and bech32 dependencies have been updated to their respective latest versions (0.27 and 0.8, #1012).
- Fix panic when reading invoices generated by some versions of c-lightning (#1002 and #1003).
- Fix panic when attempting to validate a signed message of incorrect length (#1010).
- Do not ignore the route hints in invoices when the invoice is over 250k sats (#986).
- Fees are automatically updated on outbound channels to ensure commitment transactions are always broadcastable (#985).
- Fixes a rare case where a
lightning::util::events::Event::SpendableOutputs
event is not generated after a counterparty commitment transaction is confirmed in a reorg when a conflicting local commitment transaction is removed in the same reorg (#1022). - Fixes a remotely-triggerable force-closure of an origin channel after an HTLC was forwarded over a next-hop channel and the next-hop channel was force-closed by our counterparty (#1025).
- Fixes a rare force-closure case when sending a payment as a channel fundee when overdrawing our remaining balance. Instead the send will fail (#998).
- Fixes a rare force-closure case when a payment was claimed prior to a peer disconnection or restart, and later failed (#977).
- Pending inbound keysend payments which have neither been failed nor claimed
when serialized will result in a
ChannelManager
which is not readable on pre-0.0.100 clients (#967). - Because
lightning::chain::keysinterface::KeysInterface::get_shutdown_scriptpubkey
has been updated to return a script instead of only aPublicKey
,ChannelManager
s constructed with customKeysInterface
implementations on 0.0.100 and later versions will not be readable on previous versions.ChannelManager
s created with 0.0.99 and prior versions will remain readable even after the a serialization roundtrip on 0.0.100, as long as no new channels are opened. Further, users using alightning::chain::keysinterface::KeysManager
as theirKeysInterface
will haveChannelManager
s which are readable on prior versions as well (#1019). ChannelMonitorUpdate
s created by 0.0.100 and later for channels whenlightning::util::config::ChannelConfig::commit_upfront_shutdown_pubkey
is not set may not be readable by versions prior to 0.0.100 (#1019).- HTLCs which were in the process of being claimed on-chain when a pre-0.0.100
ChannelMonitor
was serialized may generatePaymentForwarded
events with spuriousfee_earned_msat
values. This only applies to payments which were unresolved at the time of the upgrade (#1004). - 0.0.100 clients with pending
Event::PaymentForwarded
events at serialization-time will generate serializedChannelManager
objects which 0.0.99 and earlier clients cannot read. The likelihood of this can be reduced by ensuring you process all pending events immediately before serialization (as is done by thelightning-background-processor
crate, #1004).
In total, this release features 59 files changed, 5861 insertions, and 2082 deletions in 95 commits from 6 authors.
lightning_block_sync::poll::Validate
is now public, allowing you to implement thelightning_block_sync::poll::Poll
trait withoutlightning_block_sync::poll::ChainPoller
(#956).lightning::ln::peer_handler::PeerManager
no longer requires that no calls are made to referencing the sameSocketDescriptor
afterdisconnect_socket
returns. This makes the API significantly less deadlock-prone and simplifiesSocketDescriptor
implementations significantly. The relevant changes have been made tolightning_net_tokio
andPeerManager
documentation has been substantially rewritten (#957).lightning::util::message_signing
'ssign
andverify
methods now take secret and public keys by reference instead of value (#974).- Substantially more information is now exposed about channels in
ChannelDetails
. See documentation for more info (#984 and #988). - The latest best block seen is now exposed in
ChannelManager::current_best_block
andChannelMonitor::current_best_block
(#984). - Feerates charged when forwarding payments over channels is now set in
ChannelConfig::fee_base_msat
when the channel is opened. For existing channels, the value is set to the value provided inChannelManagerReadArgs::default_config::channel_options
the first time theChannelManager
is loaded in 0.0.99 (#975). - We now reject HTLCs which are received to be forwarded over private channels
unless
UserConfig::accept_forwards_to_priv_channels
is set. Note thatUserConfig
is never serialized and must be provided viaChannelManagerReadArgs::default_config
at each start (#975).
- We now forward gossip messages to peers instead of only relaying locally-generated gossip or sending gossip messages during initial sync (#948).
- Correctly send
channel_update
messages to direct peers on private channels (#949). Without this, a private node connected to an LDK node over a private channel cannot receive funds as it does not know which fees the LDK node will charge. lightning::ln::channelmanager::ChannelManager
no longer expects to be persisted spuriously after we receive achannel_update
message about any channel in the routing gossip (#972).- Asynchronous
ChannelMonitor
updates (using theChannelMonitorUpdateErr::TemporaryFailure
return variant) no longer cause spurious HTLC forwarding failures (#954). - Transaction provided via
ChannelMonitor::transactions_confirmed
afterChannelMonitor::best_block_updated
was called for a much later block now trigger all relevant actions as of the later block. Previously some transaction broadcasts or other responses required an additional block be provided viaChannelMonitor::best_block_updated
(#970). - We no longer panic in rare cases when an invoice contained last-hop route hints which were unusable (#958).
- We now accept spurious
funding_locked
messages sent prior tochannel_reestablish
messages after reconnect. This is a known, long-standing bug in lnd (#966). - We now set the
first_blocknum
andnumber_of_blocks
fields inreply_channel_range
messages to values which c-lightning versions prior to 0.10 accepted. This avoids spurious force-closes from such nodes (#961).
- Due to a bug discovered in 0.0.98, if a
ChannelManager
is serialized on version 0.0.98 while anEvent::PaymentSent
is pending processing, theChannelManager
will fail to deserialize both on version 0.0.98 and later versions. If you have such aChannelManager
available, a simple patch will allow it to deserialize. Please file an issue if you need assistance (#973).
0.0.98 should be considered a release candidate to the first alpha release of Rust-Lightning and the broader LDK. It represents several years of work designing and fine-tuning a flexible API for integrating lightning into any application. LDK should make it easy to build a lightning node or client which meets specific requirements that other lightning node software cannot. As lightning continues to evolve, and new use-cases for lightning develop, the API of LDK will continue to change and expand. However, starting with version 0.1, objects serialized with prior versions will be readable with the latest LDK. While Rust-Lightning is approaching the 0.1 milestone, language bindings components of LDK available at https://github.com/lightningdevkit are still of varying quality. Some are also approaching an 0.1 release, while others are still much more experimental. Please note that, at 0.0.98, using Rust-Lightning on mainnet is strongly discouraged.