Cluster size 2 package rbf

[instagibbs]

based on #30072 , please review that one first

Allows any 2 transaction package with no in-mempool ancestors to do package RBF when directly conflicting with other mempool clusters of size two or less.

Proposed validation steps:

1. If the transaction package is of size 1, legacy rbf rules apply.
2. Otherwise the transaction package consists of a (parent, child) pair with no other in-mempool ancestors (or descendants, obviously), so it is also going to create a cluster of size 2. If larger, fail.
3. The package rbf may not evict more than 100 transactions from the mempool(bip125 rule 5)
4. The package is a single chunk
5. Every directly conflicted mempool transaction is connected to at most 1 other in-mempool transaction (ie the cluster size of the conflict is at most 2).
6. Diagram check: We ensure that the replacement is strictly superior, improving the mempool
7. The total fee of the package, minus the total fee of what is being evicted, is at least the minrelayfee * size of the package (equivalent to bip125 rule 3 and 4)

Post-cluster mempool this will likely be expanded to general package rbf, but this is what we can safely support today.

[DrahtBot]

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage

For detailed information about the code coverage, see the test coverage report.

Reviews

See the guideline for information on the review process.

Type	Reviewers
Concept ACK	murchandamus, glozow
Stale ACK	ismaelsadeeq

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• #29680 (wallet: fix unrelated parent conflict doesn't cause child tx to be marked as conflict by Eunovo)
• #29641 (scripted-diff: Use LogInfo/LogDebug over LogPrintf/LogPrint by maflcko)
• #29086 (refactor: Simply include CTxMemPool::Options in CTxMemPool directly rather than duplicating definition by luke-jr)
• #27432 (contrib: add tool to convert compact-serialized UTXO set to SQLite database by theStack)
• #26593 (tracing: Only prepare tracepoint arguments when actually tracing by 0xB10C)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

[glozow]

Added this to the tracking issue

[instagibbs]

this can't be hit yet; post-v3 it can. I can remove this, or leave a note, or both. It makes some package rbfs more useful

(edit: it's used in #29001 functional tests )

[sdaftuar]

So thinking conceptually about this, I'm most concerned by the new CheckMinerScores() criterion, where we only check the replacement package's feerate against the ancestor feerates of the indirect conflicts.

I think there are two issues with this approach:

1. If you look at GetModFeesWithAncestors()/GetSizeWithAncestors(), that can be greater than the transaction's individual feerate (ie if the parent of a transaction has a higher feerate than the child you're conflicting with). So this can cause the test to be too conservative and introduce some kind of weird pinning. Granted, this is a new replacement functionality so maybe not the end of the world if it is sometimes too conservative, but it seems like a bug.

2. Also if you look at the ancestor feerate of a transaction, that can underestimate its mining score, such as if some low feerate ancestor is being paid for by another transaction. So that can allow for replacements that are not incentive compatible (similar to how this is possible today with our current single-transaction RBF rules).

Even though the current RBF logic is broken already, I'd prefer to avoid adding on to that while rolling out the package RBF implementation, just so that users don't get used to some kinds of replacements working that really shouldn't be.

So I was wondering, can we deal with this by just restricting the topology of what we allow a package RBF to conflict with? Let's say we allow a replacement if the conflict set consists of either (1) a single transaction with no ancestors (and of course no descendants, since any descendants would be in the conflict set as well), or (2) two transactions that are in a parent-child topology, and that have no other in-mempool ancestors (or descendants, of course).

In those situations, the maximum miner score you would have to consider is either the individual feerate of the parent tx or the ancestor feerate of the child, so the new logic should work perfectly.

[instagibbs]

After offline discussion with @sdaftuar , I've worked on a set of prospective changes and pushed them to this branch as follow-on commits.

Key change is that we will now only allow package RBF when the conflicted transactions are all in "clusters" of up to size 2. This allows us to calculate mining scores for each conflicted transaction, which means that post-cluster mempool, if we did this right, IIUC, the behavior should match with more general package RBF.

[glozow]

yeah, I think PCKG_POLICY is fine given 6119f76. Just need to make sure the MempoolAcceptResults are correct so that we are attributing the failures correctly

[glozow]

in b86487c

The comments + error string are a bit contradictory ("child only paying anti-DoS" and "parent paying for child anti-DoS") unless maybe I'm misunderstanding?

Also maybe error str "package RBF failed: parent paying for child replacement" and debug str "package feerate is X while parent feerate is Y" ?

[instagibbs]

done

[glozow]

b86487c

I wonder if PaysForRBF and ImprovesFeerateDiagram should be swapped in the order of checks?

ImprovesFeerateDiagram is a more expensive, is a superset of the rules, and a less intuitive error (I'd have an easier time guessing what went wrong with "pays less fees" vs "does not improve feerate diagram". Especially looking at the functional tests which switched out the error strings due to this check being earlier.

[instagibbs]

is a superset of the rules

PaysForRBF has incremental rate on top, so ImprovesFeerateDiagram is not a strict superset fwiw.

That said, I don't think swapping the order is a problem and would indeed be cheaper.

[glozow]

True, it's only a superset of Rule 3 👍

[instagibbs]

swapped them and updated tests accordingly

[glozow]

Suggested change

	return package_state.Invalid(PackageValidationResult::PCKG_POLICY, "package RBF failed: replacing cluster with ancestors not size two");
	return package_state.Invalid(PackageValidationResult::PCKG_POLICY, "package RBF failed: new transaction cannot have mempool ancestors");

[instagibbs]

done

[glozow]

Maybe you can mention that this replaces PaysMoreForConflicts function from ReplacementChecks?

[instagibbs]

done

[glozow]

I don't think it's very clear which cluster isn't size two in this str

Suggested change

	return package_state.Invalid(PackageValidationResult::PCKG_POLICY, "package RBF failed: replacing cluster not size two");
	return package_state.Invalid(PackageValidationResult::PCKG_POLICY, "package RBF failed: package must be 1-parent-1-child");

[instagibbs]

done

[glozow]

Could add more detailed docs for what the rules are in package RBF?

• all to-be-replaced signal (bip125 or v3)
• package is 1p1c, only in clusters up to size 2
• to-be-replaced all in clusters up to size 2
• no more than 100 total to-be-replaced
• total fees of package > all fees being replaced, at incremental relay feerate
• must improve feerate diagram
• parent feerate must be < package feerate

[instagibbs]

@glozow pushed some more detailed docs, thanks!

[instagibbs]

@glozow thanks for the review, all comments addressed

[DrahtBot]

🚧 At least one of the CI tasks failed. Make sure to run all tests locally, according to the
documentation.

Possibly this is due to a silent merge conflict (the changes in this pull request being
incompatible with the current code in the target branch). If so, make sure to rebase on the latest
commit of the target branch.

Leave a comment here, if you need help tracking down a confusing failure.

_{Debug: https://github.com/bitcoin/bitcoin/runs/24790654138}

[instagibbs]

silent merge conflict with #29939

[glozow]

some test review

[glozow]

nit: you change the fee in the last successful one, which is a little bit sus since fee shouldn't matter in this test

Maybe create 2 constants for the parent fee_per_output and child fee/feerate, and use them for each round?

[instagibbs]

I turned off maxfeerate, jacked up the child feerates, and made constants for both

[glozow]

I don't really understand what's being tested here - this doesn't have anything to do with package RBF? This isn't a topologically valid package since the transactions aren't related to each other in addition to being double spends. #30066 seems closer to what this is going for?

[instagibbs]

Agreed, it's perhaps an older badly done version of #30066, removed

[glozow]

These 2 things are contradictory. AFAICT fee_rate is ignored, delete?

[instagibbs]

removed a series of these ignored args

[glozow]

nit: more varied fees for the packages for the wrong_conflict_cluster_size_* tests, could also use constant

[instagibbs]

picked a constant and used it

[glozow]

This is now in mempool_util (= linter complaint)

[instagibbs]

done

[glozow]

nit; make reference not copy

Suggested change

	const Txid child_hash = child_ws.m_ptx->GetHash();
	const Txid& child_hash = child_ws.m_ptx->GetHash();

[instagibbs]

done

[glozow]

Sorry to nit my own previous suggestion, but I think "parent paying for child replacement" might still be too specific, since it could be that the child has nothing to replace but is lower feerate (like package_txns6 in the functional test).

Maybe

Suggested change

	"package RBF failed: parent paying for child replacement",
	strprintf("package feerate is %s while parent feerate is %s", package_feerate.ToString(), parent_feerate.ToString()));
	"package RBF failed: package feerate is less than parent feerate",
	strprintf("package feerate %s <= parent feerate %s", package_feerate.ToString(), parent_feerate.ToString()));

[instagibbs]

taken

[glozow]

Given that fee_delta is a multiple of DEFAULT_FEE and you're using fee_delta / 2 here... I think the general readability of this test would be improved if you created a constant base unit FEE which was equal to, say, DEFAULT_FEE / 10 (or 104 * 10 which would give most of the transactions whole number feerates), and then used FEE, 2*FEE, 8*FEE, etc. in all the tests.

[instagibbs]

I created DEFAULT_CHILD_FEE and used that pretty much everywhere it made sense

[glozow]

with rebase

Suggested change

	fill_mempool(self, self.nodes[0], self.wallet)
	fill_mempool(self, self.nodes[0])

[instagibbs]

done

[glozow]

Maybe there should be some v3 test coverage (including nice 0fee parent package RBF)?

diff --git a/test/functional/mempool_accept_v3.py b/test/functional/mempool_accept_v3.py
index 8285b82c19..990d36359e 100755
--- a/test/functional/mempool_accept_v3.py
+++ b/test/functional/mempool_accept_v3.py
@@ -579,6 +579,32 @@ class MempoolAcceptV3(BitcoinTestFramework):
         )
         self.check_mempool([tx_with_multi_children["txid"], tx_with_sibling3_rbf["txid"], tx_with_sibling2["txid"]])
 
+    @cleanup(extra_args=["-acceptnonstdtxn=1"])
+    def test_package_rbf(self):
+        self.log.info("Test package RBF: v3 0-fee parent + high-fee child replaces parent's conflicts")
+        node = self.nodes[0]
+        # Reuse the same coins so that the transactions conflict with one another.
+        parent_coin = self.wallet.get_utxo(confirmed_only=True)
+
+        # package1 pays default fee on both transactions
+        parent1 = self.wallet.create_self_transfer(utxo_to_spend=parent_coin, version=3)
+        child1 = self.wallet.create_self_transfer(utxo_to_spend=parent1["new_utxo"], version=3)
+        package_hex1 = [parent1["hex"], child1["hex"]]
+        fees_package1 = parent1["fee"] + child1["fee"]
+        submitres1 = node.submitpackage(package_hex1)
+        assert_equal(submitres1["package_msg"], "success")
+        self.check_mempool([parent1["txid"], child1["txid"]])
+
+        # package2 has a 0-fee parent (conflicting with package1) and very high fee child
+        parent2 = self.wallet.create_self_transfer(utxo_to_spend=parent_coin, fee=0, fee_rate=0, version=3)
+        child2 = self.wallet.create_self_transfer(utxo_to_spend=parent2["new_utxo"], fee=fees_package1*10, version=3)
+        package_hex2 = [parent2["hex"], child2["hex"]]
+
+        submitres2 = node.submitpackage(package_hex2)
+        assert_equal(submitres2["package_msg"], "success")
+        assert_equal(set(submitres2["replaced-transactions"]), set([parent1["txid"], child1["txid"]]))
+        self.check_mempool([parent2["txid"], child2["txid"]])
+
 
     def run_test(self):
         self.log.info("Generate blocks to create UTXOs")
@@ -598,6 +624,7 @@ class MempoolAcceptV3(BitcoinTestFramework):
         self.test_reorg_2child_rbf()
         self.test_v3_sibling_eviction()
         self.test_reorg_sibling_eviction_1p2c()
+        self.test_package_rbf()
 
 
 if __name__ == "__main__":

[instagibbs]

was wondering about this case, added with some modifications for test simplicity

[instagibbs]

rebased due to conflict

[t-bast]

While I wouldn't trust myself to correctly code-review this PR, I'd be happy to work on e2e tests that would leverage this for lightning channels fee-bumping (based on eclair) if it can help validate the logic and get this PR merged.

I'd like to highlight again how important this feature is for lightning (and probably for many other L2 protocols on top of bitcoin today). This is the critical step that allows us to mitigate pinning of a commitment transaction, and guarantee that we're able to set the fees of our commitment package to a value that should ensure timely confirmation.

[instagibbs]

sorry forgot to link #30072 here, added to OP