Handle attribution data for trampoline payments #3107
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
thomash-acinq
force-pushed
the
trampoline-attribution
branch
4 times, most recently
from
83493b4 to
0e15be3
Compare
thomash-acinq
commented
Jun 16, 2025
eclair-core/src/test/scala/fr/acinq/eclair/payment/PaymentPacketSpec.scala
Outdated
Show resolved
Hide resolved
| fail | ||
| } | ||
|
|
||
| // Alice is able to decrypt the failure using the outer onion and trampoline onion shared secrets. | ||
| val Right(decrypted) = Sphinx.FailurePacket.decrypt(failureForAlice.reason, failureForAlice.attribution_opt, sharedSecretsAlice ++ trampolineOnion.sharedSecrets).failure | ||
| val Sphinx.HtlcFailure(holdTimes, Right(decrypted)) = Sphinx.FailurePacket.decrypt(failureForAlice.reason, failureForAlice.attribution_opt, sharedSecretsAlice ++ trampolineOnion.sharedSecrets) | ||
| assert(holdTimes == List(Sphinx.HoldTime(14 millis, b), Sphinx.HoldTime(12 millis, c))) | ||
| assert(decrypted.failureMessage == failure) |
There was a problem hiding this comment.
Shouldn't the true failure be hidden as it comes from inside a blinded route?
There was a problem hiding this comment.
I think it is just a side-effect of the test, because we're making Carol encrypt the failure "normally" whereas since she's the introduction node, she should drop downstream data? I need to take a better look at this though.
We add support for the official version of trampoline payments, as specified in lightning/bolts#836. We keep supporting trampoline payments that use the legacy protocol to allow a smooth transition. We hardcode the legacy feature bit 149 in a few places to make this work, which is a bit hacky but simple and should be removed 6 months after releasing the official version. We also keep supporting payments from trampoline wallets to nodes that don't support trampoline: this is bad from a privacy standpoint, but will be fixed when recipients start supporting Bolt 12.
We add support for trampoline payments to blinded recipients, where each node of the blinded path is used as trampoline node. This is particularly useful to include custom TLVs from the payer to the recipient.
When returning trampoline failures for the payer (the creator of the trampoline onion), they must be encrypted using the sphinx shared secret of the trampoline onion. When relaying a trampoline payment, we re-wrap the (peeled) trampoline onion inside a payment onion: if we receive a failure for the outgoing payment, it can be either coming from before the next trampoline node or after them. If it's coming from before, we can decrypt that error using the shared secrets we created for the payment onion: depending on the error, we can then return our own error to the payer. If it's coming from after the next trampoline onion, it will be encrypted for the payer, so we cannot decrypt it. We must peel the shared secrets of our payment onion, and then re-encrypted with the shared secret of the incoming trampoline onion. This way only the payer will be able to decrypt the failure, which is relayed back through each intermediate trampoline node.
t-bast
force-pushed
the
trampoline-spec-version
branch
from
d405c1a to
0e7d664
Compare
t-bast
reviewed
Jun 24, 2025
There was a problem hiding this comment.
I integrated this in my latest rebase of #2819 but the trampoline hold times aren't correctly decrypted (the tests in PaymentPacketSpec.scala are failing), can you take a look?
Also, we're not yet returning attribution data for trampoline fulfills, can you take a look at this as well?
thomash-acinq
force-pushed
the
trampoline-attribution
branch
from
0e15be3 to
e739f6d
Compare
The trampoline node must unwrap the attribution data with its shared secrets and use what's remaining as the attribution data from the next trampoline node.
thomash-acinq
force-pushed
the
trampoline-attribution
branch
from
e739f6d to
5030f95
Compare
thomash-acinq
commented
Jun 27, 2025
eclair-core/src/main/scala/fr/acinq/eclair/wire/internal/CommandCodecs.scala
Show resolved
Hide resolved
t-bast
force-pushed
the
trampoline-spec-version
branch
2 times, most recently
from
ddbe7f0 to
7d669ff
Compare
|
Thanks, this has been integrated in #2819 in the latest rebase! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The trampoline node must unwrap the attribution data with its shared secrets and use what's remaining as the attribution data from the next trampoline node.