TransactionBuilder: add fee safety

[dcousens]

edit: For future reference, the merged constant is a maximum, minimum fee-rate, of 1000 satoshis per byte.

[dcousens]

Maybe this is how we should handle addInput universally for SegWit and the upcoming changes?
Looks like a good balance of positional and named IMHO

[afk11]

indeed, looks good!

[dcousens]

I could probably just pass txIn here as options, haha

[dcousens]

Should this be TransactionBuilder.ABSURD_FEE or similar?

[dcousens]

I also don't think anything beyond a hard-coded constant is reasonable without being annoying in actual use cases

[dcousens]

Also, is this value suitable?

[afk11]

• 👍 for exporting the constant.
• Not sure if it's suitable at all :D

If it's not a requirement to provide a value, it seems fee can be negative which would cause the function to declare an absurd fee. Is it intended to introduce this behavior in here? https://github.com/bitcoinjs/bitcoinjs-lib/pull/696/files#diff-52af0f8b5da51627aa8d01193636ba73R384

[dcousens]

it seems fee can be negative which would cause the function to declare an absurd fee

What? How?
The fee can be negative, but that is fine. It will still return false as it it less than absurd.

[afk11]

Oops, my mistake

[dcousens]

This was annoying me

[dcousens]

Smallest transaction I've ever seen

[dcousens]

ping @afk11 for ACK/NACK

[afk11]

indeed, looks good!

[afk11]

Is there any way to disable this?

[dcousens]

No, but why would you?
This is assuming you are building a "final" transaction.
There is never a case where this isn't suitable?

[afk11]

The fee wouldn't be absurd if the transaction is very large, or you really want it to confirm. It feels it should be possible without setting allowIncomplete = true

[dcousens]

@afk11 if you're doing 150kb transactions 120 satoshis/byte, only then, will you hit this limit.
With a constant TransactionBuilder.ABSURD_FEERATE, a user could change that to by-pass these limits themselves, as they will be a very select few people.

[afk11]

• 👍 for exporting the constant.
• Not sure if it's suitable at all :D

If it's not a requirement to provide a value, it seems fee can be negative which would cause the function to declare an absurd fee. Is it intended to introduce this behavior in here? https://github.com/bitcoinjs/bitcoinjs-lib/pull/696/files#diff-52af0f8b5da51627aa8d01193636ba73R384

[afk11]

I guess my questions are:

• Can the check be disabled?
• Should we require the value going forward?
  The output value is optional even with segwit (it's not always required, so can safely allow the user not to provide it in those cases), but we can make it required going forward since we're introducing a break?
• It doesn't seem to check the transaction size, which could explain such a large fee. Could maybe use ABSURD_FEERATE instead?
  We can determine what the signature size should be for each standard signable type (knowing the scriptPubKey/rs/ws). Can we infer the full size of a transaction, and if provided all values we check if the fee-rate is like 100x some current minimum fee rate?

[dcousens]

Can the check be disabled?

In the cases where you wouldn't want it (incomplete transactions), it is avoided by using buildIncomplete.

Should we require the value going forward?

No? Its optional obviously.

We can determine what the signature size should be for each standard signable type (knowing the scriptPubKey/rs/ws). Can we infer the full size of a transaction, and if provided all values we check if the fee-rate is like 100x some current minimum fee rate?
... It doesn't seem to check the transaction size, which could explain such a large fee. Could maybe use ABSURD_FEERATE instead?

We have the signatures at this point, so it should be straight forward to use fee rate instead.

[dcousens]

• Change to ABSURD_FEERATE instead of ABSURD_FEE
• Expose as constant on TransactionBuilder
• Add canModifyOutputs check which would stop this from being correct

[dcousens]

The assumptions this makes is:

• Inputs values are undefined or > 0
• Output values are all > 0, with no more outputs to be added (may need to add a !canModifyOutputs() before checking)
• fee = incoming - outgoing

If we have any input values, and their sum is larger than the outgoing, we can determine the minimum fee for the transaction (not the actual fee, the minimum).

At that point, we can say, if the minimum is absurd, it doesn't matter what the rest of the inputs are, because they only make it worse.

Naturally, in most cases, the [detected] minimum fee for the transaction is negative, because .value is undefined (and treated as 0).
But, that is fine, because this isn't to be relied on, its simply an aid to prevent [potential] algorithmic mistakes if a user did provide us that information.

[dcousens]

I think an absurd fee rate of >1000 satoshis per byte is a good limit for now.
That is 20 times the average fee rate for the last 6 months (~50 satoshis/byte).

We could easily adjust it up-wards in patch releases.

[dcousens]

The only remaining part of the TODO for this PR is:

Add canModifyOutputs check which would stop this from being correct

Personally, I can't decide if this is a good or a bad thing... so I'm going to leave it to a patch PR later rather than do it.

[dcousens]

Merging once Travis passes.

[dcousens]

@afk11 this works a treat 👍
See a93e82c

[dcousens]

ping @afk11 to review 6a019ee and then merge (if OK).

[afk11]

ACK 6a019ee