tapchannel: support HTLC revocation sweeps

[GeorgeTsagk]

Description

This PR adds support for sweeping revoked HTLC outputs in Taproot Asset channels.

The aux sweeper is extended with resolution logic for revoked offered/accepted HTLCs and second-level HTLC revocations. The signing path is updated to handle breach scenarios, where inputs are spent via key spend rather than script spend, with the HTLC index applied as a tweak to match the commitment's taproot internal key.

Additionally, the NotifyBroadcast interface gains a skipBroadcast flag. During breach resolution, LND crafts multiple competing justice transactions as a pinning mitigation. Rather than notifying tapd at time, LND now notifies after confirmation — the flag signals that the tx is already on-chain and proof finalization can proceed without re-broadcasting.

Depends on https://github.com/lightningnetwork/lnd/pull/10583/commits

[gemini-code-assist]

Summary of Changes

Hello @GeorgeTsagk, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the 'tapchannel' functionality by introducing robust support for sweeping revoked HTLC outputs in Taproot Asset channels. It refines the auxiliary sweeper's resolution capabilities to manage various types of revoked HTLCs and adapts the signing path to correctly handle key spend operations required for breach recovery. Furthermore, it optimizes transaction broadcasting during breach events by allowing the system to skip broadcasting for already confirmed transactions, which is crucial for pinning mitigation.

Highlights

• HTLC Revocation Sweeps: Implemented support for sweeping revoked HTLC outputs within Taproot Asset channels, enabling recovery in breach scenarios.
• Auxiliary Sweeper Enhancements: Extended the auxiliary sweeper with specific resolution logic for offered, accepted, and second-level revoked HTLCs.
• Breach Scenario Signing Path: Updated the signing process to correctly handle key spend for breach scenarios, applying the HTLC index as a tweak to the commitment's taproot internal key.
• Conditional Transaction Broadcasting: Introduced a 'skipBroadcast' flag to the NotifyBroadcast interface, allowing tapd to avoid re-broadcasting transactions already on-chain during breach resolution.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• go.mod
  • Updated Go language version to 1.25.5.
  • Added temporary replace directives for 'github.com/lightningnetwork/lnd' and 'github.com/lightningnetwork/lnd/sqldb' to a specific commit by GeorgeTsagk.
• go.sum
  • Updated checksums to reflect the Go version change and the new LND replace directives.
• server.go
  • Modified the 'NotifyBroadcast' method signature to include a 'skipBroadcast' boolean parameter.
  • Updated the logging for 'NotifyBroadcast' to include the 'skipBroadcast' status.
  • Passed the new 'skipBroadcast' parameter to the underlying auxiliary sweeper's 'NotifyBroadcast' method.
• tapchannel/aux_closer.go
  • Modified the 'shipChannelTxn' function signature to accept a 'skipBroadcast' boolean parameter.
  • Updated the creation of 'PreAnchoredParcel' to use the new 'skipBroadcast' parameter.
  • Passed 'false' for 'skipBroadcast' when calling 'shipChannelTxn' from 'FinalizeClose'.
• tapchannel/aux_leaf_signer.go
  • Refactored 'applySignDescToVIn' to distinguish between key spend (breach scenarios) and script spend.
  • For key spend, it now applies 'DoubleTweak' (revocation key) first, then 'SingleTweak' (HTLC index) to the signing key.
  • Adjusted the return value for 'leafToSign' to be empty for key spend scenarios.
  • Updated comments to clarify the tweak application order for breach scenarios.
• tapchannel/aux_sweeper.go
  • Added a 'skipBroadcast' field to the 'broadcastReq' struct.
  • Imported the 'encoding/binary' package.
  • Modified 'signSweepVpackets' to handle key spend scenarios for HTLC revocations, applying the HTLC index as a 'SingleTweak' and setting the correct 'signMethod' and 'signingKey' for verification.
  • Introduced 'htlcOfferedRevokeSweepDesc', 'htlcAcceptedRevokeSweepDesc', and 'htlcSecondLevelRevokeSweepDesc' functions to generate sweep descriptors for various revoked HTLC types, ensuring correct key tweaking.
  • Updated 'importCommitTx' to pass 'true' for 'skipBroadcast' when shipping commitment transactions, indicating they are already on-chain.
  • Added 'errNoHtlcID' error constant.
  • Extended the 'resolveContract' function to include new resolution types for 'TaprootHtlcOfferedRevoke', 'TaprootHtlcAcceptedRevoke', and 'TaprootHtlcSecondLevelRevoke', filtering assets by HTLC ID and generating appropriate sweep descriptors.
  • Modified 'registerAndBroadcastSweep' and 'NotifyBroadcast' to accept and pass through the 'skipBroadcast' parameter.

Activity

• No specific activity (comments, reviews, progress updates) was provided in the context for this pull request.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces support for sweeping revoked HTLC outputs in Taproot Asset channels, a crucial feature for channel security. The changes are extensive, primarily affecting the tapchannel package. Key modifications include extending the auxiliary sweeper with resolution logic for various HTLC revocation scenarios and updating the signing path to handle breach scenarios via key-path spends. A skipBroadcast flag has also been added to the NotifyBroadcast interface to handle transactions that are already on-chain, such as justice transactions. The code is generally well-structured and includes detailed comments explaining the complex logic, especially around cryptographic tweaks. I've identified a couple of areas for improvement: one for enhancing code maintainability by reducing duplication, and another to make the HTLC lookup logic more robust. Overall, this is a solid contribution that adds significant functionality.

[gemini-code-assist]

If the HTLC is not found in OutgoingHtlcAssets, the code proceeds to check IncomingHtlcAssets. However, if it's not found there either, assetOutputs will be empty, and the function will proceed without error, likely resulting in an empty resolution blob later on. It would be more robust to return an error if the HTLC cannot be found in either list, to make debugging easier in case of an unexpected state.

		if len(assetOutputs) == 0 {
			htlcOutputs = commitState.IncomingHtlcAssets.Val
			assetOutputs = htlcOutputs.FilterByHtlcIndex(htlcID)
			if len(assetOutputs) == 0 {
				return lfn.Errf[returnType](
					"htlc with id %d not found", htlcID,
				)
			}
		}

[Roasbeef]

At the very least should log here. Invariants further up the stack should prevent this though.

[coveralls]

Pull Request Test Coverage Report for Build 22064145876

Details

• 0 of 344 (0.0%) changed or added relevant lines in 4 files are covered.
• 8349 unchanged lines in 129 files lost coverage.
• Overall coverage decreased (-6.9%) to 49.529%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
tapchannel/aux_closer.go	0	3	0.0%
server.go	0	6	0.0%
tapchannel/aux_leaf_signer.go	0	75	0.0%
tapchannel/aux_sweeper.go	0	260	0.0%

Files with Coverage Reduction	New Missed Lines	%
tapchannel/aux_closer.go	1	1.21%
authmailbox/client.go	2	69.84%
commitment/proof.go	2	87.29%
fn/retry.go	2	92.5%
fn/errors.go	3	90.32%
itest/multisig.go	3	97.46%
universe/archive.go	3	81.05%
universe/interface.go	3	74.21%
commitment/encoding.go	4	68.75%
mssmt/encoding.go	4	76.67%

Totals
Change from base Build 22061897493:	-6.9%
Covered Lines:	58972
Relevant Lines:	119066

---

💛 - Coveralls

[Roasbeef]

Why does the ordering matter here? The operation should be commutative.

[GeorgeTsagk]

Ah you're right. The append order of PSBT unknowns is indeed irrelevant since the signer identifies them by key type, not position.

[Roasbeef]

There aren't two diff enum types for accepted vs offered here?

[GeorgeTsagk]

Right, LND's TaprootHtlcSecondLevelRevoke doesn't distinguish offered vs accepted (unlike first-level which has separate TaprootHtlcOfferedRevoke/TaprootHtlcAcceptedRevoke). We handle this by trying outgoing assets first, then falling back to incoming. HTLC IDs are unique within a commitment so at most one lookup succeeds. If neither has assets for that HTLC ID, it's a non-asset HTLC and doesn't need asset-level resolution.

[Roasbeef]

At the very least should log here. Invariants further up the stack should prevent this though.

[Roasbeef]

We should add tests here.

AFIACT, this would fail in prod, as it's using an enum, but that value isn't handled by this func: https://github.com/lightningnetwork/lnd/blob/0b00c662318c4960a0f8f814e16e43155029ca35/input/script_utils.go#L1754-L1771

[Roasbeef]

Unless we've changed something here, this should also just be a keyspend: https://github.com/lightningnetwork/lnd/blob/0b00c662318c4960a0f8f814e16e43155029ca35/input/script_utils.go#L1782-L1805

[Roasbeef]

Yeah we should add unit level tests here to ensure that this func is able to sign+verify using the same routines used to create the txns+scripts in the first place.

[GeorgeTsagk]

Added a gist explaining the 2nd level situation, focused around the sighash of the pre-signed 2nd level HTLC transaction: https://gist.github.com/GeorgeTsagk/9775947b6b9d8cc07cd23e038a246719

Will soon push a version using the sighash_all approach (HTLCs pay their own fee)

[GeorgeTsagk]

Breach itest has now been moved here, no need for a Lit PR

[GeorgeTsagk]

Had to update some of the test assertions

Now that we bump DefaultOnChainHtlcSat amount some of the test expectations had to reflect the change.

[GeorgeTsagk]

Realized that some of the custom channels itests failures on CI aren't flakes: Some actual test assertions need to change since the HTLC anchor amount was bumped.

Will address them asap, shouldn't be a blocker for reviewers.

[gijswijs]

So I did a thorough review of this PR.

The core cryptographic operations are sound but the surrounding infrastructure needs rework.

I've pointed out all issues with inline comments. I also have some nits wrt the commits (commitnit), which you'll find below:

Typos in commit message for commit d728fae:

The tricky part for taproot assets related to the call sequence of "NotifyBroadcast".

Shouldn't that read "is related"?

we need to signal to the NotifyBroadcast call that we do not wish to broadcast, as that is prone to fail.

prone to fail is an understatement. It will fail and makes no sense whatsoever.

[gijswijs]

Nice dedup guard here. The same pattern is needed in registerAndBroadcastSweep — it also goes through shipChannelTxn → LogPendingParcel → InsertAssetTransfer (plain INSERT), so duplicate NotifyBroadcast calls after restart will insert duplicate transfer rows. See the existing TODO at line 3048.

[gijswijs]

nit:
I don't like this comment. "special" does a lot of heavy lifting without clarifying what ismeant by it.

// This is a normal scriptspend (not a breach keyspend), so the witness follows the standard structure.
// Set the control block on the leaf script that applySignDescToVIn prepared

[gijswijs]

nit:
Why are we carrying the AuxLeaf value here. It has no actual usage here, it's only there because we are reusing the lnd stuct.

[gijswijs]

ultranit: This comment is way longer than the comment at the same step in htlcOfferedRevokeSweepDesc. Shouldn't both comments be similar?

[gijswijs]

Why not remove the argument altogether? This does validate my earlier point about carrying the auxLeaf value. At the ASSET-level auxLeaf has no meaning.

[gijswijs]

Similar comment as with AssumeVerifiedAnnotatedProofs. This is a public function with no enforcement that it's only used for confirmed channel transactions. Could allow importing proofs where the same asset appears in multiple outputs.

Consider requiring a confirmation check parameter, or (in this case possible, not with AssumeVerifiedAnnotatedProofs) consider making this private.

[gijswijs]

Nothing prevents these proofs from being later re-verified, exported, or served to peers where they would fail verification, right?

[gijswijs]

Instead of manually deriving the private key, construct a full virtual packet with both tweak unknowns set via applySignDescToVIn, then call SignVirtualPacket (the actual production signer), and verify the resulting signature against the expected public key. That closes the loop — you'd be testing that the PSBT signer interprets the unknowns the same way applySignDescToVIn intends.

[gijswijs]

Consider logging singleTweak and signingKey at Trace level instead of Info.

[gijswijs]

secondLevelTxns populated and logged but never asserted. Add require.NotEmpty.

[GeorgeTsagk]

Rebased on main

[lightninglabs-deploy]

@Roasbeef: review reminder
@gijswijs: review reminder
@GeorgeTsagk, remember to re-request review from reviewers when ready

[Hunterstech]

Great Job

[GeorgeTsagk]

Rebased on latest main