[feature]: sweep: eliminate change address reuse

lightningnetwork / lnd

Lightning Network Daemon ⚡️

MIT License

7.58k stars 2.06k forks source link

[feature]: sweep: eliminate change address reuse #8753

Open morehouse opened 2 months ago

morehouse commented 2 months ago

When the sweeper generates multiple input sets for sweeping in a single block, it uses the same change address for all of them.

https://github.com/lightningnetwork/lnd/blob/9d358bc64934caef724108fc9704097db31658c4/sweep/sweeper.go#L796-L817

The change address is not updated until after the current wave of sweeps have been executed and one of the transactions has been successfully published.

https://github.com/lightningnetwork/lnd/blob/9d358bc64934caef724108fc9704097db31658c4/sweep/sweeper.go#L1686-L1707

For better privacy, each transaction should get a unique change address.

Roasbeef commented 2 months ago

The trade off here is "address inflation" (which is why we cache the address in the first place). If each attempt got a new change address, then we'll quickly start to exceed the default "look ahead" distance for address rescans, which can make it difficult for users to recover from seed (need to set a distance of 10k, etc).

morehouse commented 2 months ago

Address inflation is nice to avoid, but note that the current code does not prevent it entirely. It can still happen when BumpFee is used, or if a counterparty's competing transaction confirms instead of ours.

We can limit the amount of address inflation while eliminating reuse by:

ensuring that exclusive group inputs share the same change output
caching change outputs for in flight transactions until we get a Failed or Swept event. If we get a Failed event, we can reuse that change output.