Require swap claims to pay recipient the full amount#72
Open
1440000bytes wants to merge 4 commits into
Thanks for the contribution! There are a few CI failures to address — mostly formatting and similar minor issues. Once those are fixed, I'll go ahead and merge.
Built on top of #71
`validate_swap_claim` only checked that some output paid the swap recipient, with no amount requirement. Because the address-binding check on `SwapPending` inputs is intentionally skipped for claims, anyone can author a claim that spends a `ReadyToClaim` swap's locked output, pay the recipient a token amount, and keep the rest. This requires no mining; the claim passes mempool validation and relays normally. This PR requires the recipient to receive at least the swapped amount.

For an L2 - L1 swap, the `SwapPending` output holds `l2_amount` and the recipient is owed `l2_amount` in exchange for the L1 payment they already made. The claim check was:

So a claimer (not necessarily the recipient, since claims skip the input address check) can spend the locked output, send 1 sat to the recipient, and direct `l2_amount - 1` to themselves. Value conservation still holds, so nothing else rejects it. The recipient, who already paid the L1 side, is left with dust.

Fix

Require the recipient to receive at least `swap.l2_amount`. A shared helper sums the value of all outputs paying the recipient and compares against the swapped amount:

- `validate_swap_claim` (mempool) enforces it for every claim.
- `validate_swap_claim_consensus` (block path) enforces it for pre-specified swaps, where both recipient and amount are fixed at creation and therefore deterministic. Open swaps derive their recipient from node-local L1 monitoring, so that binding stays in the mempool check.

Tests

New unit tests in `lib/state/swap.rs`:

- `block_validation_rejects_underpaying_claim`: a pre-specified claim paying the recipient 1 sat and keeping the rest is rejected
- `mempool_claim_rejects_underpayment`: the mempool validator rejects an underpaying claim
- `mempool_claim_accepts_full_payment`: a full-amount claim still passes
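To make the underpayment described above concrete, here is an added, self-contained model of the old "any output pays the recipient" check beside the fixed "sum of recipient outputs >= l2_amount" check. This is illustration code, not the project's own; the `Output` and `Swap` types, the function names and the sat amounts are assumptions and do not match the real types in `lib/state/swap.rs`.

```rust
// Added illustration, not the project's code. Types and names are assumed.
#[derive(Clone, Debug, PartialEq)]
pub struct Output {
    pub address: String, // assumed: recipient identity as a plain address string
    pub value: u64,      // assumed: amount in sats
}

#[derive(Clone, Debug)]
pub struct Swap {
    pub recipient: String,
    pub l2_amount: u64, // amount owed to the recipient for the L1 payment already made
}

/// Pre-fix behaviour: passes as soon as *any* output pays the recipient,
/// with no amount requirement. Kept only to show what the fix closes.
pub fn claim_pays_recipient_any_amount(swap: &Swap, outputs: &[Output]) -> bool {
    outputs.iter().any(|o| o.address == swap.recipient)
}

/// Sum of all output value paying `recipient` (the PR's shared helper, modelled).
/// Saturating so a malformed claim cannot wrap the total back below the target.
pub fn amount_paid_to(recipient: &str, outputs: &[Output]) -> u64 {
    outputs
        .iter()
        .filter(|o| o.address == recipient)
        .map(|o| o.value)
        .fold(0u64, |acc, v| acc.saturating_add(v))
}

/// Fixed behaviour: the recipient must receive at least the swapped amount.
pub fn claim_pays_recipient_in_full(swap: &Swap, outputs: &[Output]) -> bool {
    amount_paid_to(&swap.recipient, outputs) >= swap.l2_amount
}

/// Constructed claim shaped like the PR's example: 1 sat to the recipient and
/// `l2_amount - 1` to the claimer. Value is conserved, so only the recipient
/// amount check can reject it.
pub fn underpaying_claim(swap: &Swap, claimer: &str) -> Vec<Output> {
    vec![
        Output { address: swap.recipient.clone(), value: 1 },
        Output { address: claimer.to_string(), value: swap.l2_amount - 1 },
    ]
}

fn main() {
    let swap = Swap { recipient: "recipient".into(), l2_amount: 10_000 };
    let claim = underpaying_claim(&swap, "claimer");
    println!("old check accepts: {}", claim_pays_recipient_any_amount(&swap, &claim));
    println!("new check accepts: {}", claim_pays_recipient_in_full(&swap, &claim));
}
```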