refactor(swap): replace atomic two-leg intercept with HODL-invoice flow #4
Draft
Arshia-r-m wants to merge 1 commit into
Conversation
The previous swap mechanism required three coordinated calls (maker_init → taker whitelist → maker_execute) and a custom HTLCIntercepted path keyed on an IS_SWAP_SCID flag to fire both legs atomically.

Swaps now use a HODL BOLT11 invoice plus a forward keysend:

* maker_init takes a taker_pubkey, generates its own preimage, builds a HODL invoice for qty_from, and stores the swap (taker_pubkey lives in SwapInfo at TLV 5, and the swapstring is extended to 7 fields).
* The taker pays the invoice with plain /sendpayment — no whitelist.
* On PaymentClaimable for a maker-swap HODL, the maker validates the incoming amount and fires a single-leg spontaneous payment (carrying the RGB asset when qty_to is RGB) to taker_pubkey, encoding the HODL hash in PaymentId so the follow-up events can correlate.
* PaymentSent on the forward leg triggers claim_funds on the HODL; PaymentClaimed finalises the swap and updates the RGB channel balance. PaymentFailed (or an immediate send failure) calls fail_htlc_backwards to refund the taker and marks the swap Failed.

Deletes maker_execute, the /taker whitelist requirement (the endpoint is kept for optional taker-side bookkeeping), the HTLCIntercepted swap branch, IS_SWAP_SCID, and the swap_roundtrip_fail_whitelist test. Also drops a handful of now-dead helpers (get_route, Router/Scorer type aliases, DEFAULT_FINAL_CLTV_EXPIRY_DELTA, the UnlockedAppState.router field) that were only reachable from the removed paths.

All swap tests are rewritten around the new helpers (taker_pay_invoice replaces taker + maker_execute) and channel-balance assertions are updated to reflect that each leg is now a separate LN payment with a single forwarding fee at the middle hop (and sub-dust receiver balances for tiny-msat forward legs).

Trade-off: the atomic two-HTLC property is gone. If the maker crashes after the HODL is claimable but before claim_funds runs, manual recovery via the existing claim_hodl_invoice endpoint is required — the standard HODL-invoice tradeoff.

Verified: cargo build --tests is warning-free; all 17 swap tests pass (1003s wall time).
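As an added illustration, not code from the PR or the project, here is a small Rust model of the maker-side event handling the description lays out: the state names, the Maker struct and its handle/needs_manual_claim methods are hypothetical, while the correlation trick (the forward leg's PaymentId is the HODL hash) and the refund-on-failure and amount-validation rules follow the PR text. needs_manual_claim lists the swaps that sit in the crash window the trade-off paragraph describes, where the HODL is claimable but claim_funds has not yet run.

```rust
use std::collections::HashMap;

/// Lifecycle of one maker-side swap (hypothetical state names).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SwapState { AwaitingTaker, Forwarding, Claimed, Failed }
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Action { Ignore, SendForwardLeg, ClaimFunds, FailHtlcBackwards }
/// Events from the flow above; the forward leg's PaymentId is the HODL hash.
pub enum MakerEvent {
    PaymentClaimable { hodl_hash: [u8; 32], amount_msat: u64 },
    PaymentSent { payment_id: [u8; 32] },
    PaymentFailed { payment_id: [u8; 32] },
    PaymentClaimed { hodl_hash: [u8; 32] },
}
pub struct SwapInfo { pub qty_from_msat: u64, pub state: SwapState }
#[derive(Default)]
pub struct Maker { pub swaps: HashMap<[u8; 32], SwapInfo> }

impl Maker {
    pub fn handle(&mut self, ev: MakerEvent) -> Action {
        use MakerEvent::*; use SwapState::*;
        match ev {
            PaymentClaimable { hodl_hash, amount_msat } => match self.swaps.get_mut(&hodl_hash) {
                // Validate the incoming HODL amount before committing to the forward leg.
                Some(s) if s.state == AwaitingTaker && amount_msat >= s.qty_from_msat => {
                    s.state = Forwarding;
                    Action::SendForwardLeg
                }
                // Underpaid: refund the taker instead of forwarding anything.
                Some(s) if s.state == AwaitingTaker => { s.state = Failed; Action::FailHtlcBackwards }
                _ => Action::Ignore,
            },
            // Forward leg settled: release the HODL preimage (claim_funds).
            PaymentSent { payment_id } => match self.swaps.get(&payment_id) {
                Some(s) if s.state == Forwarding => Action::ClaimFunds, _ => Action::Ignore },
            // Forward leg failed: refund the taker and mark the swap Failed.
            PaymentFailed { payment_id } => match self.swaps.get_mut(&payment_id) {
                Some(s) if s.state == Forwarding => { s.state = Failed; Action::FailHtlcBackwards }
                _ => Action::Ignore,
            },
            PaymentClaimed { hodl_hash } => match self.swaps.get_mut(&hodl_hash) {
                Some(s) if s.state == Forwarding => { s.state = Claimed; Action::Ignore } _ => Action::Ignore },
        }
    }
    /// Swaps whose HODL is claimable but not yet claimed; after a maker crash these
    /// need manual recovery (the claim_hodl_invoice trade-off noted above).
    pub fn needs_manual_claim(&self) -> Vec<[u8; 32]> {
        self.swaps.iter().filter(|(_, s)| s.state == SwapState::Forwarding).map(|(h, _)| *h).collect()
    }
}
```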