Unilateral closure due to HTLC deadline does not fail upstream HTLCs

[whitslack]

Issue and Steps to Reproduce

1. A routed payment arrives on channel A and is forwarded out over channel B.
2. The HTLC added to channel B gets stuck in the RCVD_ADD_REVOCATION state because the peer is a buggy LND that never sends a new commitment.
3. Eventually a different HTLC on channel B hits its deadline, causing channel B to be unilaterally closed by the local node.
4. The original incoming HTLC on channel A does not get failed/removed.
5. Eventually the HTLC on channel A hits its deadline, causing channel A to be unilaterally closed by the peer.

Case Study

And now, some annotated log excerpts demonstrating a real-world example of this scenario:

Routed payment arrives on channel A

2021-07-10T20:44:56.567Z DEBUG   03…f0-channeld-chan#151792: peer_in WIRE_UPDATE_ADD_HTLC
2021-07-10T20:44:56.567Z DEBUG   03…f0-channeld-chan#151792: NEW:: HTLC REMOTE 5111 = RCVD_ADD_HTLC/SENT_ADD_HTLC
2021-07-10T20:44:56.677Z DEBUG   03…f0-channeld-chan#151792: peer_in WIRE_COMMITMENT_SIGNED
2021-07-10T20:44:56.678Z DEBUG   03…f0-channeld-chan#151792: htlc 5111: RCVD_ADD_HTLC->RCVD_ADD_COMMIT
2021-07-10T20:44:56.681Z DEBUG   03…f0-channeld-chan#151792: htlc 5111: RCVD_ADD_COMMIT->SENT_ADD_REVOCATION
2021-07-10T20:44:56.703Z DEBUG   03…f0-channeld-chan#151792: peer_out WIRE_REVOKE_AND_ACK
2021-07-10T20:44:56.704Z DEBUG   03…f0-channeld-chan#151792: htlc 5111: SENT_ADD_REVOCATION->SENT_ADD_ACK_COMMIT
2021-07-10T20:44:56.725Z DEBUG   03…f0-channeld-chan#151792: peer_out WIRE_COMMITMENT_SIGNED
2021-07-10T20:44:56.963Z DEBUG   03…f0-channeld-chan#151792: peer_in WIRE_REVOKE_AND_ACK
2021-07-10T20:44:56.964Z DEBUG   03…f0-channeld-chan#151792: htlc 5111: SENT_ADD_ACK_COMMIT->RCVD_ADD_ACK_REVOCATION

Forwarded payment goes out over channel B

2021-07-10T20:44:56.979Z DEBUG   03…59-channeld-chan#152031: NEW:: HTLC LOCAL 1542 = SENT_ADD_HTLC/RCVD_ADD_HTLC
2021-07-10T20:44:56.979Z DEBUG   03…59-channeld-chan#152031: Adding HTLC 1542 amount=50002152msat cltv=690638 gave CHANNEL_ERR_ADD_OK
2021-07-10T20:44:56.980Z DEBUG   03…59-channeld-chan#152031: peer_out WIRE_UPDATE_ADD_HTLC
2021-07-10T20:44:56.990Z DEBUG   03…59-channeld-chan#152031: htlc 1542: SENT_ADD_HTLC->SENT_ADD_COMMIT
2021-07-10T20:44:57.018Z DEBUG   03…59-channeld-chan#152031: peer_out WIRE_COMMITMENT_SIGNED

Due to lightningnetwork/lnd#5506, the peer did not respond with a WIRE_REVOKE_AND_ACK (and indeed had gone out to lunch for the remainder of this connection).

Downstream peer reconnects and ACKs the downstream HTLC

2021-07-10T21:51:33.199Z DEBUG   03…59-connectd: Connect IN
2021-07-10T21:51:33.200Z DEBUG   03…59-connectd: peer_out WIRE_INIT
2021-07-10T21:51:33.319Z DEBUG   03…59-connectd: peer_in WIRE_INIT
2021-07-10T21:51:33.405Z DEBUG   03…59-channeld-chan#152031: Restoring HTLC 0/3: id=1542 amount=50002152msat cltv=690638 payment_hash=f5…eb
2021-07-10T21:51:33.406Z DEBUG   03…59-channeld-chan#152031: NEW:: HTLC LOCAL 1542 = SENT_ADD_COMMIT/RCVD_ADD_COMMIT
2021-07-10T21:51:33.406Z DEBUG   03…59-channeld-chan#152031: Restoring HTLC 1/3: id=1541 amount=315667351msat cltv=690971 payment_hash=64…57
2021-07-10T21:51:33.406Z DEBUG   03…59-channeld-chan#152031: NEW:: HTLC LOCAL 1541 = RCVD_ADD_REVOCATION/SENT_ADD_REVOCATION
2021-07-10T21:51:33.407Z DEBUG   03…59-channeld-chan#152031: Restoring HTLC 2/3: id=1540 amount=738655msat cltv=690679 payment_hash=f3…3b
2021-07-10T21:51:33.407Z DEBUG   03…59-channeld-chan#152031: NEW:: HTLC LOCAL 1540 = RCVD_ADD_REVOCATION/SENT_ADD_REVOCATION
2021-07-10T21:51:33.408Z DEBUG   03…59-channeld-chan#152031: peer_out WIRE_CHANNEL_REESTABLISH
2021-07-10T21:51:33.896Z DEBUG   03…59-channeld-chan#152031: peer_in WIRE_CHANNEL_REESTABLISH
2021-07-10T21:51:33.898Z DEBUG   03…59-channeld-chan#152031: peer_out WIRE_UPDATE_ADD_HTLC
2021-07-10T21:51:33.923Z DEBUG   03…59-channeld-chan#152031: peer_out WIRE_COMMITMENT_SIGNED
2021-07-10T21:51:33.926Z DEBUG   03…59-channeld-chan#152031: peer_out WIRE_ANNOUNCEMENT_SIGNATURES
2021-07-10T21:51:34.701Z DEBUG   03…59-channeld-chan#152031: peer_in WIRE_REVOKE_AND_ACK
2021-07-10T21:51:34.702Z DEBUG   03…59-channeld-chan#152031: htlc 1542: SENT_ADD_COMMIT->RCVD_ADD_REVOCATION

However, the buggy peer never sends a new commitment, so the downstream HTLC never transitions into the RCVD_ADD_ACK_COMMIT state.

Downstream channel is forced closed by a different HTLC hitting its deadline

2021-07-11T13:54:46.650Z UNUSUAL 03…59-chan#152031: Peer permanent failure in CHANNELD_NORMAL: Offered HTLC 1543 RCVD_ADD_REVOCATION cltv 690584 hit deadline
2021-07-11T13:54:46.656Z INFO    03…59-chan#152031: State changed from CHANNELD_NORMAL to AWAITING_UNILATERAL

Here is the bug! Despite that the downstream channel got unilaterally closed here, the upstream HTLC was never failed/removed from the upstream channel.

Please note, the HTLC that hit its deadline was 1543, not 1542 that we've been following. (The fact that it's a different HTLC may or may not be relevant to the bug.)

Upstream peer reconnects

2021-07-12T06:15:57.865Z DEBUG   03…f0-chan#151792: Peer has reconnected, state CHANNELD_NORMAL
2021-07-12T06:15:58.030Z DEBUG   03…f0-channeld-chan#151792: Restoring HTLC 0/1: id=5111 amount=50002253msat cltv=690672 payment_hash=f5…eb
2021-07-12T06:15:58.033Z DEBUG   03…f0-channeld-chan#151792: NEW:: HTLC REMOTE 5111 = RCVD_ADD_ACK_REVOCATION/SENT_ADD_ACK_REVOCATION
2021-07-12T06:15:58.036Z DEBUG   03…f0-channeld-chan#151792: peer_out WIRE_CHANNEL_REESTABLISH
2021-07-12T06:15:58.040Z DEBUG   03…f0-channeld-chan#151792: peer_in WIRE_CHANNEL_REESTABLISH
2021-07-12T06:15:58.139Z DEBUG   03…f0-channeld-chan#151792: peer_out WIRE_ANNOUNCEMENT_SIGNATURES

Here, we can see that the upstream HTLC is still in the RCVD_ADD_ACK_REVOCATION state over 33 hours after it was added. C-Lightning should have sent a WIRE_UPDATE_FAIL_HTLC for this HTLC when it unilaterally closed the downstream channel, but it did not.

Upstream peer unilaterally closes due to HTLC deadline

2021-07-12T06:19:01.775Z DEBUG   03…f0-chan#151792: Got UTXO spend for a7…4a:23: 6c…71
2021-07-12T06:19:01.775Z UNUSUAL 03…f0-chan#151792: Peer permanent failure in CHANNELD_NORMAL: Funding transaction spent
2021-07-12T06:19:01.892Z INFO    03…f0-chan#151792: State changed from CHANNELD_NORMAL to AWAITING_UNILATERAL
2021-07-12T06:19:01.895Z INFO    03…f0-chan#151792: State changed from AWAITING_UNILATERAL to FUNDING_SPEND_SEEN

Damn.

getinfo output

This is on version 0.10.0. No other getinfo output is relevant.

[rustyrussell]

We can't close the HTLC upstream until close out the HTLC downstream. That means seeing the commitment onchain to a certain depth: remember, we sent a signature for the HTLC, so the peer might drop a commitment tx containing it.

So, what's onchaind doing? I expect it would see our own commitment tx (I'm guessing the peer doesn't close at the same time), and then after 3 confirms it is happy that the HTLC is definitely missing and close it out upstream. For the other HTLC (1543) it's presumably in the commitment tx, so that will actually need to be spent after it times out (again, by onchaind), which once it reaches "reasonable depth" (3), should get closed out.

Of course, it's possible that our timings are too tight (insufficient HTLC delay), or we're lowballing on fees for various things (e.g. HTLC spend), but it would be good to check that is indeed what is happening?

[whitslack]

@rustyrussell: I thought you might say something like that, but no: even after my node had observed 3 confirmations on its commitment transaction (which contained no HTLCs), it still didn't fail the upstream HTLC.

2021-07-11T14:51:51.607Z DEBUG   03…59-chan#152031: Got depth change 2->3 for 15…9a
2021-07-11T14:51:51.653Z DEBUG   03…59-onchaind-chan#152031: Got new message WIRE_ONCHAIND_DEPTH
2021-07-11T14:51:51.654Z DEBUG   03…59-onchaind-chan#152031: Sending 0 missing htlc messages
2021-07-11T14:51:51.654Z DEBUG   03…59-onchaind-chan#152031: FUNDING_TRANSACTION/FUNDING_OUTPUT->OUR_UNILATERAL depth 3
2021-07-11T14:51:51.655Z DEBUG   03…59-onchaind-chan#152031: OUR_UNILATERAL/OUTPUT_TO_THEM->SELF depth 3

It may be worth noting (I'm not sure what it means) that, at the time of the above log messages, channeld for the upstream channel was logging every 30 seconds:

2021-07-11T14:51:27.057Z DEBUG   03…f0-channeld-chan#151792: Trying commit
2021-07-11T14:51:27.069Z DEBUG   03…f0-channeld-chan#151792: Can't send commit: nothing to send, feechange not wanted ({ SENT_ADD_ACK_REVOCATION:253 })
2021-07-11T14:51:57.234Z DEBUG   03…f0-channeld-chan#151792: Trying commit
2021-07-11T14:51:57.234Z DEBUG   03…f0-channeld-chan#151792: Can't send commit: nothing to send, feechange not wanted ({ SENT_ADD_ACK_REVOCATION:253 })

[whitslack]

For the other HTLC (1543) it's presumably in the commitment tx

To be clear: the downstream node was hosed and never sent any new commitments after HTLC 1539 (which was successfully removed), so HTLCs 1540, 1541, 1542, 1543, and 1544 were not in the commitment that my node dropped to chain because I had never received from the peer any new commitment containing them.

[whitslack]

@rustyrussell: I have another occurrence of this same bug. It's not an issue of on-chain confirmations taking too long. There is a real bug in C-Lightning. Allow me to elucidate.

This occurrence was brought to my attention by the operator of the upstream LND node, c-otto.de, which was forced to unilaterally close a channel with my C-Lightning node because my node had neglected to fail an upstream HTLC at the appropriate time after an associated downstream channel had been unilaterally closed by a downstream peer.

The play-by-play

The upstream node adds HTLC 44689:

2021-09-09T18:56:15.334Z DEBUG   [upstream]: peer_in WIRE_UPDATE_ADD_HTLC
2021-09-09T18:56:15.335Z DEBUG   [upstream]: NEW:: HTLC REMOTE 44689 = RCVD_ADD_HTLC/SENT_ADD_HTLC
2021-09-09T18:56:15.606Z DEBUG   [upstream]: peer_in WIRE_COMMITMENT_SIGNED
2021-09-09T18:56:15.628Z DEBUG   [upstream]: peer_out WIRE_REVOKE_AND_ACK
2021-09-09T18:56:15.650Z DEBUG   [upstream]: peer_out WIRE_COMMITMENT_SIGNED
2021-09-09T18:56:15.978Z DEBUG   [upstream]: peer_in WIRE_REVOKE_AND_ACK

We add HTLC 5245 to the downstream channel:

2021-09-09T18:56:15.998Z DEBUG   [downstream]: Adding HTLC 5245 amount=100000101msat cltv=700017 gave CHANNEL_ERR_ADD_OK
2021-09-09T18:56:16.000Z DEBUG   [downstream]: peer_out WIRE_UPDATE_ADD_HTLC
2021-09-09T18:56:16.031Z DEBUG   [downstream]: peer_out WIRE_COMMITMENT_SIGNED

The downstream node never responds with its revocation. In fact, it never sends us any more messages in the current connection. At this point, we cannot be certain whether the downstream node has seen our new commitment.

Some time later, another payment comes in from another upstream node, to be forwarded over the same downstream node, so we add HTLC 5246 to the downstream channel:

2021-09-09T19:09:46.997Z DEBUG   [downstream]: Adding HTLC 5246 amount=227083934msat cltv=700137 gave CHANNEL_ERR_ADD_OK
2021-09-09T19:09:46.997Z DEBUG   [downstream]: peer_out WIRE_UPDATE_ADD_HTLC

This time we didn't send a commitment. Note that we actually haven't heard anything from the downstream node in quite some time at this point.

Eventually, our attempt to add downstream HTLC 5246 times out, and we kill our connection with the downstream node. We correctly fail HTLC 5246 (and indeed correctly fail the corresponding upstream HTLC), but we cannot fail HTLC 5245 at this point because we don't know whether the downstream node has seen our new commitment.

2021-09-09T19:10:16.996Z UNUSUAL [downstream]: Adding HTLC 5246 too slow: killing connection
2021-09-09T19:10:16.997Z DEBUG   [downstream]: Failing HTLC 5246 due to peer death

When the downstream node reconnects, we attempt to restore downstream HTLC 5245, but the downstream node is still borked and never sends a revocation:

2021-09-09T19:10:18.491Z DEBUG   [downstream]: Connect IN
2021-09-09T19:10:18.492Z DEBUG   [downstream]: peer_out WIRE_INIT
2021-09-09T19:10:18.494Z DEBUG   [downstream]: peer_in WIRE_INIT
2021-09-09T19:10:18.553Z DEBUG   [downstream]: Restoring HTLC 1/2: id=5245 amount=100000101msat cltv=700017 payment_hash=4b…ef
2021-09-09T19:10:18.554Z DEBUG   [downstream]: peer_out WIRE_CHANNEL_REESTABLISH
2021-09-09T19:10:18.600Z DEBUG   [downstream]: peer_in WIRE_CHANNEL_REESTABLISH
2021-09-09T19:10:18.603Z DEBUG   [downstream]: peer_out WIRE_UPDATE_ADD_HTLC
2021-09-09T19:10:18.604Z DEBUG   [downstream]: peer_out WIRE_UPDATE_FEE
2021-09-09T19:10:18.606Z DEBUG   [downstream]: peer_out WIRE_COMMITMENT_SIGNED
2021-09-09T19:10:18.610Z DEBUG   [downstream]: peer_out WIRE_ANNOUNCEMENT_SIGNATURES
2021-09-09T19:10:18.617Z DEBUG   [downstream]: peer_out WIRE_GOSSIP_TIMESTAMP_FILTER

It's like talking to a brick wall. Ahhh, LND.

Some time later, the downstream node unilaterally closes the channel, and we correctly note that we need to know whether downstream HTLC 5245 was included in the commitment that was broadcast to the Bitcoin network:

2021-09-09T22:31:05.286Z DEBUG   [downstream]: Got UTXO spend for 7b…23:1: 15…5d
2021-09-09T22:31:05.287Z UNUSUAL [downstream]: Peer permanent failure in CHANNELD_NORMAL: Funding transaction spent
2021-09-09T22:31:08.114Z DEBUG   [downstream]: We want to know if htlc 5245 is missing (later)

We analyze the on-chain transaction and find that downstream HTLC 5245 was not included. (There are only two outputs.)

2021-09-09T22:31:08.283Z DEBUG   [downstream]: Got depth change 0->1 for 15…5d
2021-09-09T22:31:11.636Z DEBUG   [downstream]: Output 0: 00…11
2021-09-09T22:31:11.636Z DEBUG   [downstream]: Output 1: 00…e0
2021-09-09T22:31:11.637Z DEBUG   [downstream]: Script to-them: 432: 00…11 (63…ac)
2021-09-09T22:31:11.638Z DEBUG   [downstream]: Script to-me: 00…e0
2021-09-09T22:31:11.639Z DEBUG   [downstream]: Tracking output 0 of 15…5d: THEIR_UNILATERAL/DELAYED_OUTPUT_TO_THEM
2021-09-09T22:31:11.639Z DEBUG   [downstream]: Ignoring output 0 of 15…5d: THEIR_UNILATERAL/DELAYED_OUTPUT_TO_THEM
2021-09-09T22:31:11.640Z DEBUG   [downstream]: Tracking output 1 of 15…5d: THEIR_UNILATERAL/OUTPUT_TO_US
2021-09-09T22:31:11.640Z DEBUG   [downstream]: Ignoring output 1 of 15…5d: THEIR_UNILATERAL/OUTPUT_TO_US
2021-09-09T22:31:11.645Z DEBUG   [downstream]: adding utxo to watch 15…5d:1, csv 1
2021-09-09T22:31:11.653Z DEBUG   [downstream]: chain_movements...recording chain fees for unilateral. our msat balance 989312098msat, funding 1000000sat, their_outs 10678sat, our outs 989129sat
2021-09-09T22:31:11.653Z DEBUG   [downstream]: logging 'chain fees' for unilateral (trimmed) 183098msat
2021-09-09T22:31:11.657Z DEBUG   [downstream]: billboard: All outputs resolved: waiting 100 more blocks before forgetting channel

So now we wait for two more confirmations:

2021-09-09T22:36:48.058Z DEBUG   [downstream]: Got depth change 1->2 for 15…5d
2021-09-09T23:02:22.988Z DEBUG   [downstream]: Got depth change 2->3 for 15…5d
2021-09-09T23:02:23.051Z DEBUG   [downstream]: Sending 1 missing htlc messages

Now at 3 confirmations, despite noting the missing downstream HTLC, we never fail the corresponding upstream HTLC as we ought to.

We can even confirm that upstream HTLC 44689 is still pending at this point, as the connection with the upstream node was restarted a few hours later, and HTLC 44689 is noted…

2021-09-10T07:28:08.621Z DEBUG   [upstream]: Peer has reconnected, state CHANNELD_NORMAL
2021-09-10T07:28:09.397Z DEBUG   [upstream]: Restoring HTLC 0/1: id=44689 amount=100009591msat cltv=700051 payment_hash=4b…ef

Eventually, the upstream node is forced to unilaterally close the channel when upstream HTLC 44689 hits its deadline. This is our fault, as we should have failed that HTLC many hours ago.

[C-Otto]

It looks like this happened again last night. My channel to @whitslack was active, the nodes were connected, but my node still had to force-close the channel due to a HTLC timeout.

[whitslack]

@C-Otto: Apologies for any inconvenience/expense my node has caused for you. My node is in a very sorry state of affairs right now after Comcast changed my IP addresses about a week ago.

[C-Otto]

According to my logs the channel/connection was alive and healthy, though. As far as I can see, the IP troubles are unrelated to this bug.

[whitslack]

@C-Otto: Your connection with my node was alive and healthy, but that's not what this bug is about. This bug causes my node to neglect to fail an HTLC with your node after another of my channels with some other peer has to be force-closed.

[C-Otto]

Yes, exactly. The IP change issue caused your node to experience a force-close of some channel that was the next hop of some HTLC coming from my node. Due to this issue your node didn't fail the HTLC after the force-close, causing my node to force-close its channel to your node (so that a single HTLC lead to two force-closes on your node).

[whitslack]

@C-Otto: Yes, correct. Sorry, I thought you were arguing that my IP troubles were unrelated to our reoccurrence of this bug. This bug is unrelated to the node announcement propagation issue, but my inability to get reconnected to my channel peers is certainly increasing the likelihood that this bug will manifest.

[rustyrussell]

I have tried to reproduce this with no success :(

It seems onchaind is working, but we don't close the corresponding incoming. There are several cases where this can happen:

1. We don't know what onchaind is talking about, which shouldn't happen.
2. We know it, but it's already completed (can happen, for example if we have the preimage from an htlc message but it was dust, or onchaind is replaying after a restart).
3. There's no incoming htlc associated with the htlc. This can theoretically happen (if the incoming htlc is completely resolved) but if also very unusual.

None of these should happen here, and none do (I tried reconnecting or restarting, too). So it's a puzzle. I will definitely add more debugging in case this happens again, and tomorrow I'll do an audit and see if there are any unexpected ways these things could happen.

[rustyrussell]

My tree for testing is here, for those playing along at home:

https://github.com/rustyrussell/lightning/tree/guilt/htlc-upstream-close-test

[C-Otto]

I recently had a very similar issue with two lnd nodes (one of them mine), caused by a non-confirming/delayed force-close tx: lightningnetwork/lnd#4215

Could that also be the case here?

[whitslack]

I don't think so, because the force-close did confirm. Go back and read my play-by-play again. The upstream HTLC should have been failed when the downstream force-closure reached 3 confirmations, but it was not.

[rustyrussell]

Sorry this took so long!

I found an issue which can cause this problem! 8641a5b

Of course, I can't be sure that is the only problem, but I'm tentatively marking this fixed by that PR.

[whitslack]

@rustyrussell: Oh man. That absolutely looks like a smoking gun. Excellent find!