v0.0.118

0.0.118 - Oct 23, 2023 - "Just the Twelve Sinks"

API Updates

• BOLT12 sending and receiving is now supported as an alpha feature. You may
  run into unexpected issues and will need to have a direct connection with
  the offer's blinded path introduction points as messages are not yet routed.
  We are seeking feedback from early testers (#2578, #2039).
• ConfirmationTarget has been rewritten to provide information about the
  specific use LDK needs the feerate estimate for, rather than the generic
  low-, medium-, and high-priority estimates. This allows LDK users to more
  accurately target their feerate estimates (#2660). For those wishing to
  retain their existing behavior, see the table below for conversion.
• ChainHash is now used in place of BlockHash where it represents the
  genesis block (#2662).
• lightning-invoice payment utilities now take a Deref to
  AChannelManager (#2652).
• peel_onion is provided to statelessly decode an OnionMessage (#2599).
• ToSocketAddrs + Display are now impl'd for SocketAddress (#2636, #2670)
• Display is now implemented for OutPoint (#2649).
• Features::from_be_bytes is now provided (#2640).

For those moving to the new ConfirmationTarget, the new variants in terms of
the old mempool/low/medium/high priorities are as follows:

• OnChainSweep = HighPriority
• MaxAllowedNonAnchorChannelRemoteFee = max(25 * 250, HighPriority * 10)
• MinAllowedAnchorChannelRemoteFee = MempoolMinimum
• MinAllowedNonAnchorChannelRemoteFee = Background - 250
• AnchorChannelFee = Background
• NonAnchorChannelFee = Normal
• ChannelCloseMinimum = Background

Bug Fixes

• Calling ChannelManager::close_channel[_with_feerate_and_script] on a
  channel which did not exist would immediately hang holding several key
  ChannelManager-internal locks (#2657).
• Channel information updates received from a failing HTLC are no longer
  applied to our NetworkGraph. This prevents a node which we attempted to
  route a payment through from being able to learn the sender of the payment.
  In some rare cases, this may result in marginally reduced payment success
  rates (#2666).
• Anchor outputs are now properly considered when calculating the amount
  available to send in HTLCs. This can prevent force-closes in anchor channels
  when sending payments which overflow the available balance (#2674).
• A peer that sends an update_fulfill_htlc message for a forwarded HTLC,
  then reconnects prior to sending a commitment_signed (thus retransmitting
  their update_fulfill_htlc) may result in the channel stalling and being
  unable to make progress (#2661).
• In exceedingly rare circumstances, messages intended to be sent to a peer
  prior to reconnection can be sent after reconnection. This could result in
  undefined channel state and force-closes (#2663).

Backwards Compatibility

• Creating a blinded path to receive a payment then downgrading to LDK prior to
  0.0.117 may result in failure to receive the payment (#2413).
• Calling ChannelManager::pay_for_offer or
  ChannelManager::create_refund_builder may prevent downgrading to LDK prior
  to 0.0.118 until the payment times out and has been removed (#2039).

Node Compatibility

• LDK now sends a bogus channel_reestablish message to peers when they ask to
  resume an unknown channel. This should cause LND nodes to force-close and
  broadcast the latest channel state to the chain. In order to trigger this
  when we wish to force-close a channel, LDK now disconnects immediately after
  sending a channel-closing error message. This should result in cooperative
  peers also working to confirm the latest commitment transaction when we wish
  to force-close (#2658).

Security

0.0.118 expands mitigations against transaction cycling attacks to non-anchor
channels, though note that no mitigations which exist today are considered robust
to prevent the class of attacks.

• In order to mitigate against transaction cycling attacks, non-anchor HTLC
  transactions are now properly re-signed before broadcasting (#2667).

In total, this release features 61 files changed, 3470 insertions, 1503
deletions in 85 commits from 12 authors, in alphabetical order:

• Antonio Yang
• Elias Rohrer
• Evan Feenstra
• Fedeparma74
• Gursharan Singh
• Jeffrey Czyz
• Matt Corallo
• Sergi Delgado Segura
• Vladimir Fomene
• Wilmer Paulino
• benthecarman
• slanesuke

v0.0.117

0.0.117 - Oct 3, 2023 - "Everything but the Twelve Sinks"

API Updates

• ProbabilisticScorer's internal models have been substantially improved,
  including better decaying (#1789), a more granular historical channel
  liquidity tracker (#2176) and a now-default option to make our estimate for a
  channel's current liquidity nonlinear in the channel's capacity (#2547). In
  total, these changes should result in improved payment success rates at the
  cost of slightly worse routefinding performance.
• Support for custom TLVs for recipients of HTLCs has been added (#2308).
• Support for generating transactions for third-party watchtowers has been
  added to ChannelMonitor/Updates (#2337).
• KVStorePersister has been replaced with a more generic and featureful
  KVStore interface (#2472).
• A new MonitorUpdatingPersister is provided which wraps a KVStore and
  implements Persist by writing differential updates rather than full
  ChannelMonitors (#2359).
• Batch funding of outbound channels is now supported using the new
  ChannelManager::batch_funding_transaction_generated method (#2486).
• ChannelManager::send_preflight_probes has been added to probe a payment's
  potential paths while a user is providing approval for a payment (#2534).
• Fully asynchronous ChannelMonitor updating is available as an alpha
  preview. There remain a few known but incredibly rare race conditions which
  may lead to loss of funds (#2112, #2169, #2562).
• ChannelMonitorUpdateStatus::PermanentFailure has been removed in favor of a
  new ChannelMonitorUpdateStatus::UnrecoverableError. The new variant panics
  on use, rather than force-closing a channel in an unsafe manner, which the
  previous variant did (#2562). Rather than panicking with the new variant,
  users may wish to use the new asynchronous ChannelMonitor updating using
  ChannelMonitorUpdateStatus::InProgress.
• RouteParameters::max_total_routing_fee_msat was added to limit the fees
  paid when routing, defaulting to 1% + 50sats when using the new
  from_payment_params_and_value constructor (#2417, #2603, #2604).
• Implementations of UtxoSource are now provided in lightning-block-sync.
  Those running with a full node should use this to validate gossip (#2248).
• LockableScore now supports read locking for parallel routefinding (#2197).
• ChannelMonitor::get_spendable_outputs was added to allow for re-generation
  of SpendableOutputDescriptors for a channel after they were provided via
  Event::SpendableOutputs (#2609, #2624).
• [u8; 32] has been replaced with a ChannelId newtype for chan ids (#2485).
• NetAddress was renamed SocketAddress (#2549) and FromStr impl'd (#2134)
• For no-std users, parse_onion_address was added which creates a
  NetAddress from a "...onion" string and port (#2134, #2633).
• HTLC information is now provided in Event::PaymentClaimed::htlcs (#2478).
• The success probability used in historical penalties when scoring is now
  available via historical_estimated_payment_success_probability (#2466).
• RecentPaymentDetails::*::payment_id has been added (#2567).
• Route now contains a RouteParameters rather than a PaymentParameters,
  tracking the original arguments passed to routefinding (#2555).
• Balance::*::claimable_amount_satoshis was renamed amount_satoshis (#2460)
• *Features::set_*_feature_bit have been added for non-custom flags (#2522).
• channel_id was added to SpendableOutputs events (#2511).
• counterparty_node_id and channel_capacity_sats were added to
  ChannelClosed events (#2387).
• ChannelMonitor now implements Clone for Cloneable signers (#2448).
• create_onion_message was added to build an onion message (#2583, #2595).
• HTLCDescriptor now implements Writeable/Readable (#2571).
• SpendableOutputDescriptor now implements Hash (#2602).
• MonitorUpdateId now implements Debug (#2594).
• Payment{Hash,Id,Preimage} now implement Display (#2492).
• NodeSigner::sign_bolt12_invoice{,request} were added for future use (#2432)

Backwards Compatibility

• Users migrating to the new KVStore can use a concatentation of
  [{primary_namespace}/[{secondary_namespace}/]]{key} to build a key
  compatible with the previous KVStorePersister interface (#2472).
• Downgrading after receipt of a payment with custom HTLC TLVs may result in
  unintentionally accepting payments with TLVs you do not understand (#2308).
• Route objects (including pending payments) written by LDK versions prior
  to 0.0.117 won't be retryable after being deserialized by LDK 0.0.117 or
  above (#2555).
• Users of the MonitorUpdatingPersister can upgrade seamlessly from the
  default KVStore Persist implementation, however the stored
  ChannelMonitors are deliberately unreadable by the default Persist. This
  ensures the correct downgrade procedure is followed, which is: (#2359)
  • First, make a backup copy of all channel state,
  • then ensure all ChannelMonitorUpdates stored are fully applied to the
    relevant ChannelMonitor,
  • finally, write each full ChannelMonitor using your new Persist impl.

Bug Fixes

• Anchor channels which were closed by a counterparty broadcasting its
  commitment transaction (i.e. force-closing) would previously not generate a
  SpendableOutputs event for our to_remote (i.e. non-HTLC-encumbered)
  balance. Those with such balances available should fetch the missing
  SpendableOutputDescriptors using the new
  ChannelMonitor::get_spendable_outputs method (#2605).
• Anchor channels may result in spurious or missing Balance entries for HTLC
  balances (#2610).
• ChannelManager::send_spontaneous_payment_with_retry spuriously did not
  provide the recipient with enough information to claim the payment, leading
  to all spontaneous payments failing (#2475).
  send_spontaneous_payment_with_route was unaffected.
• The keysend feature on node announcements was spuriously un-set in 0.0.112
  and has been re-enabled (#2465).
• Fixed several races which could lead to deadlock when force-closing a channel
  (#2597). These races have not been seen in production.
• The ChannelManager is persisted substantially less when it has not changed,
  leading to substantially less I/O traffic for it (#2521, #2617).
• Passing new block data to ChainMonitor no longer results in all other
  monitor operations being blocked until it completes (#2528).
• When retrying payments, any excess amount sent to the recipient in order to
  meet an htlc_minimum constraint on the path is now no longer included in
  the amount we send in the retry (#2575).
• Several edge cases in route-finding around HTLC minimums were fixed which
  could have caused invalid routes or panics when built with debug assertions
  (#2570, #2575).
• Several edge cases in route-finding around HTLC minimums and route hints
  were fixed which would spuriously result in no route found (#2575, #2604).
• The user_channel_id passed to SignerProvider::generate_channel_keys_id
  for inbound channels is now correctly using the one passed to
  ChannelManager::accept_inbound_channel rather than a default value (#2428).
• Users of impl_writeable_tlv_based! no longer have use requirements (#2506).
• No longer force-close channels when counterparties send a channel_update
  with a bogus htlc_minimum_msat, which LND users can manually build (#2611).

Node Compatibility

• LDK now ignores error messages generated by LND in response to a
  shutdown message, avoiding force-closes due to LND bug 6039. This may
  lead to non-trivial bandwidth usage with LND peers exhibiting this bug
  during the cooperative shutdown process (#2507).

Security

0.0.117 fixes several loss-of-funds vulnerabilities in anchor output channels,
support for which was added in 0.0.116, in reorg handling, and when accepting
channel(s) from counterparties which are miners.

• When a counterparty broadcasts their latest commitment transaction for a
  channel with anchor outputs, we'd previously fail to build claiming
  transactions against any HTLC outputs in that transaction. This could lead
  to loss of funds if the counterparty is able to eventually claim the HTLC
  after a timeout (#2606).
• Anchor channels HTLC claims on-chain previously spent the entire value of any
  HTLCs as fee, which has now been fixed (#2587).
• If a channel is closed via an on-chain commitment transaction confirmation
  with a pending outbound HTLC in the commitment transaction, followed by a
  reorg which replaces the confirmed commitment transaction with a different
  (but non-revoked) commitment transaction, all before we learn the payment
  preimage for this HTLC, we may previously have not generated a proper
  claiming transaction for the HTLC's value (#2623).
• 0.0.117 now correctly handles channels for which our counterparty funded the
  channel with a coinbase transaction. As such transactions are not spendable
  until they've reached 100 confirmations, this could have resulted in
  accepting HTLC(s) which are not enforcible on-chain (#1924).

In total, this release features 121 files changed, 20477 insertions, 8184
deletions in 381 commits from 27 authors, in alphabetical order:

• Alec Chen
• Allan Douglas R. de Oliveira
• Antonio Yang
• Arik Sosman
• Chris Waterson
• David Caseria
• DhananjayPurohit
• Dom Zippilli
• Duncan Dean
• Elias Rohrer
• Erik De Smedt
• Evan Feenstra
• Gabor Szabo
• Gursharan Singh
• Jeffrey Czyz
• Joseph Goulden
• Lalitmohansharma1
• Matt Corallo
• Rachel Malonson
• Sergi Delgado Segura
• Valentine Wallace
• Vladimir Fomene
• Willem Van Lint
  ...

v0.0.116

0.0.116 - Jul 21, 2023 - "Anchoring the Roadmap"

API Updates

• Support for zero-HTLC-fee anchor output channels has been added and is now
  considered beta (#2367). Users who set
  ChannelHandshakeConfig::negotiate_anchors_zero_fee_htlc_tx should be
  prepared to handle the new Event::BumpTransaction, e.g. via the
  BumpTransactionEventHandler (#2089). Note that in order to do so you must
  ensure you always have a reserve of available unspent on-chain funds to use
  for CPFP. LDK currently makes no attempt to ensure this for you.
• Users who set ChannelHandshakeConfig::negotiate_anchors_zero_fee_htlc_tx
  and wish to accept inbound anchor-based channels must do so manually by
  setting UserConfig::manually_accept_inbound_channels (#2368).
• Support forwarding and accepting HTLCs with a reduced amount has been added,
  to support LSPs skimming a fee on the penultimate hop (#2319).
• BOLT11 and BOLT12 Invoice and related types have been renamed to include a
  BOLTNN prefix, ensuring uniqueness in lightning{,-invoice} crates (#2416).
• Scorers now have an associated type which represents a parameter passed
  when calculating penalties. This allows for the same Scorer to be used with
  different penalty calculation parameters (#2237).
• DefaultRouter is no longer restrained to a Mutex-wrapped Score,
  allowing it to be used in no-std builds (#2383).
• CustomMessageHandler::provided_{node,init}_features and various custom
  feature bit methods on *Features were added (#2204).
• Keysend/push payments using MPP are now supported when receiving if
  UserConfig::accept_mpp_keysend is set and when sending if specified in the
  PaymentParameters. Note that not all recipients support this (#2156).
• A new ConfirmationTarget::MempoolMinimum has been added (#2415).
• SpendableOutputDescriptor::to_psbt_input was added (#2286).
• ChannelManager::update_partial_channel_config was added (#2330).
• ChannelDetails::channel_shutdown_state was added (#2347).
• The shutdown script can now be provided at shutdown time via
  ChannelManager::close_channel_with_feerate_and_script (#2219).
• BroadcasterInterface now takes multiple transactions at once. While not
  available today, in the future single calls should be passed to a full node
  via a single batch/package transaction acceptance API (#2272).
• Balance::claimable_amount_satoshis was added (#2333).
• payment_{hash,preimage} have been added to some Balance variants (#2217).
• The lightning::chain::keysinterface is now lightning::sign (#2246).
• Routing to a blinded path has been implemented, though sending to such a
  route is not yet supported in ChannelManager (#2120).
• OffersMessageHandler was added for offers-related onion messages (#2294).
• The CustomMessageHandler parameter to PeerManager has moved to
  MessageHandler from PeerManager::new explicitly (#2249).
• Various P2P messages for dual funding channel establishment have been added,
  though handling for them is not yet in ChannelManager (#1794)
• Script-fetching methods in sign interfaces can now return errors, see docs
  for the implications of failing (#2213).
• The data_loss_protect option is now required when reading
  channel_reestablish messages, as many others have done (#2253).
• InFlightHtlcs::add_inflight_htlc has been added (#2042).
• The init message networks field is now written and checked (#2329).
• PeerManager generics have been simplified with the introduction of the
  APeerManager trait (#2249).
• ParitalOrd and Ord are now implemented for Invoice (#2279).
• ParitalEq and Debug are now implemented for InMemorySigner (#2328).
• ParitalEq and Eq are now implemented for PaymentError (#2316).
• NetworkGraph::update_channel_from_announcement_no_lookup was added (#2222).
• lightning::routing::gossip::verify_{channel,node}_announcement was added
  (#2307).

Backwards Compatibility

• PaymentParameters written with blinded path info using LDK 0.0.115 will not
  be readable in LDK 0.0.116, and vice versa.
• Forwarding less than Event::HTLCIntercepted::expected_outbound_amount_msat
  in ChannelManager::forward_intercepted_htlc may prevent the
  ChannelManager from being read by LDK prior to 0.0.116 (#2319)
• Setting ChannelConfig::accept_underpaying_htlcs may prevent the
  ChannelManager from being read by LDK prior to 0.0.116 and un-setting the
  parameter between restarts may lead to payment failures (#2319).
• ChannelManager::create_inbound_payment{,_for_hash}_legacy has been removed,
  removing the ability to create inbound payments which are claimable after
  downgrade to LDK 0.0.103 and prior. In the future handling such payments will
  also be removed (#2351).
• Some fields required by LDK 0.0.103 and earlier are no longer written, thus
  deserializing objects written by 0.0.116 with 0.0.103 may now fail (#2351).

Bug Fixes

• ChannelDetails::next_outbound_htlc_limit_msat was made substantially more
  accurate and a corresponding next_outbound_htlc_minimum_msat was added.
  This resolves issues where unpayable routes were generated due to
  overestimation of the amount which is payable over one of our channels as
  the first hop (#2312).
• A rare case where delays in processing Events generated by
  ChannelMonitors could lead to loss of those events in case of an untimely
  crash. This could lead to the loss of an Event::SpendableOutputs (#2369).
• Fixed a regression in 0.0.115 which caused PendingHTLCsForwardable events
  to be missed when processing phantom node receives. This caused such
  payments to be delayed until a further, unrelated HTLC came in (#2395).
• Peers which are unresponsive to channel messages for several timer ticks are
  now disconnected to allow for on-reconnection state machine reset. This
  works around some issues in LND prior to 16.3 which can cause channels to
  hang and eventually force-close (#2293).
• ChannelManager::new now requires the current time (either from a recent
  block header or the system clock), ensuring invoices created immediately
  after startup aren't already expired (#2372).
• Resolved an issue where reading a ProbabilisticScorer on some platforms
  (e.g. iOS) can lead to a panic (#2322).
• ChannelConfig::max_dust_htlc_exposure is now allowed to scale based on
  current fees, and the default has been updated to do so. This substantially
  reduces the chance of force-closure due to dust exposure. Note that existing
  channels will retain their current value and you may wish to update the
  value on your existing channels on upgrade (#2354).
• PeerManager::process_events no longer blocks in any case. This fixes a bug
  where reentrancy from PeerManager into user code which eventually calls
  process_events could lead to a deadlock (#2280).
• The persist timing of network graph and scoring in
  lightning-background-processor has been tweaked to provide more reliable
  persistence after updates to either (#2226).
• The number of route hints added to BOLT 11 invoices by the
  lightning-invoice::utils builders has been reduced to three to ensure
  invoices can be represented in scan-able QR codes (#2044).
• Fixed sending large onion messages, which would previously have resulted in
  an HMAC error on the second hop (#2277).
• Fixed a memory leak that may occur when a ChannelManager or
  ChannelMonitor is droped (#2233).
• A potential deadlock in calling NetworkGraph::eq was resolved (#2284).
• Fixed an overflow which prevented disconnecting peers in some minor cases
  with more than 31 peers (#2245).
• Gossip messages with an unknown chain hash are now ignored (#2230).
• Rapid Gossip Sync processing now fails on an unknown chain hash (#2324).
• RouteHintHop::htlc_maximum_msat is now enforced. Note that BOLT11 route
  hints do not have such a field so this code is generally unused (#2305).

Security

0.0.116 fixes a denial-of-service vulnerability which is reachable from
untrusted input from channel counterparties if a 0-conf channel exists with
that counterparty.

• A premature announcement_signatures message from a peer prior to a 0-conf
  channel's funding transaction receiving any confirmations would panic in any
  version since 0-conf channels were introduced (#2439).

In total, this release features 142 files changed, 21033 insertions, 11066
deletions in 327 commits from 21 authors, in alphabetical order:

• Alec Chen
• Andrei
• Antoine Riard
• Arik Sosman
• Chad Upjohn
• Daniel Granhão
• Duncan Dean
• Elias Rohrer
• Fred Walker
• Gleb Naumenko
• Jeffrey Czyz
• Martin Habovstiak
• Matt Corallo
• Tony Giorgio
• Valentine Wallace
• Vladimir Fomene
• Willem Van Lint
• Wilmer Paulino
• benthecarman
• ff
• henghonglee

v0.0.115

0.0.115 - Apr 24, 2023 - "Rebroadcast the Bugfixes"

API Updates

• The MSRV of the main LDK crates has been increased to 1.48 (#2107).
• Attempting to claim an un-expired payment on a channel which has closed no
  longer fails. The expiry time of payments is exposed via
  PaymentClaimable::claim_deadline (#2148).
• payment_metadata is now supported in Invoice deserialization, sending,
  and receiving (via a new RecipientOnionFields struct) (#2139, #2127).
• Event::PaymentFailed now exposes a failure reason (#2142).
• BOLT12 messages now support stateless generation and validation (#1989).
• The NetworkGraph is now pruned of stale data after RGS processing (#2161).
• Max inbound HTLCs in-flight can be changed in the handshake config (#2138).
• lightning-transaction-sync feature esplora-async-https was added (#2085).
• A ChannelPending event is now emitted after the initial handshake (#2098).
• PaymentForwarded::outbound_amount_forwarded_msat was added (#2136).
• ChannelManager::list_channels_by_counterparty was added (#2079).
• ChannelDetails::feerate_sat_per_1000_weight was added (#2094).
• Invoice::fallback_addresses was added to fetch bitcoin types (#2023).
• The offer/refund description is now exposed in Invoice{,Request} (#2206).

Backwards Compatibility

• Payments sent with the legacy *_with_route methods on LDK 0.0.115+ will no
  longer be retryable via the LDK 0.0.114- retry_payment method (#2139).
• Event::PaymentPathFailed::retry was removed and will always be None for
  payments initiated on 0.0.115 which fail on an earlier version (#2063).
• Routes and PaymentParameters with blinded path information will not be
  readable on prior versions of LDK. Such objects are not currently constructed
  by LDK, but may be when processing BOLT12 data in a coming release (#2146).
• Providing ChannelMonitorUpdates generated by LDK 0.0.115 to a
  ChannelMonitor on 0.0.114 or before may panic (#2059). Note that this is
  in general unsupported, and included here only for completeness.

Bug Fixes

• Fixed a case where process_events_async may poll a Future which has
  already completed (#2081).
• Fixed deserialization of u16 arrays. This bug may have previously corrupted
  the historical buckets in a ProbabilisticScorer. Users relying on the
  historical buckets may wish to wipe their scorer on upgrade to remove corrupt
  data rather than waiting on it to decay (#2191).
• The process_events_async task is now Send and can thus be polled on a
  multi-threaded runtime (#2199).
• Fixed a missing macro export causing
  impl_writeable_tlv_based_enum{,_upgradable} calls to not compile (#2091).
• Fixed compilation of lightning-invoice with both no-std and serde (#2187)
• Fix an issue where the background-processor would not wake when a
  ChannelMonitorUpdate completed asynchronously, causing delays (#2090).
• Fix an issue where process_events_async would exit immediately (#2145).
• Router calls from the ChannelManager now call find_route_with_id rather
  than find_route, as was intended and described in the API (#2092).
• Ensure process_events_async always exits if any sleep future returns true,
  not just if all sleep futures repeatedly return true (#2145).
• channel_update messages no longer set the disable bit unless the peer has
  been disconnected for some time. This should resolve cases where channels are
  disabled for extended periods of time (#2198).
• We no longer remove CLN nodes from the network graph for violating the BOLT
  spec in some cases after failing to pay through them (#2220).
• Fixed a debug assertion which may panic under heavy load (#2172).
• CounterpartyForceClosed::peer_msg is now wrapped in UntrustedString (#2114)
• Fixed a potential deadlock in funding_transaction_generated (#2158).

Security

• Transaction re-broadcasting is now substantially more aggressive, including a
  new regular rebroadcast feature called on a timer from the
  background-processor or from ChainMonitor::rebroadcast_pending_claims.
  This should substantially increase transaction confirmation reliability
  without relying on downstream TransactionBroadcaster implementations for
  rebroadcasting (#2203, #2205, #2208).
• Implemented the changes from BOLT PRs #1031, #1032, and #1040 which resolve a
  privacy vulnerability which allows an intermediate node on the path to
  discover the final destination for a payment (#2062).

In total, this release features 110 files changed, 11928 insertions, 6368
deletions in 215 commits from 21 authors, in alphabetical order:

• Advait
• Alan Cohen
• Alec Chen
• Allan Douglas R. de Oliveira
• Arik Sosman
• Elias Rohrer
• Evan Feenstra
• Jeffrey Czyz
• John Cantrell
• Lucas Soriano del Pino
• Marc Tyndel
• Matt Corallo
• Paul Miller
• Steven
• Steven Williamson
• Steven Zhao
• Tony Giorgio
• Valentine Wallace
• Wilmer Paulino
• benthecarman
• munjesi

v0.0.114

0.0.114 - Mar 3, 2023 - "Faster Async BOLT12 Retries"

API Updates

• InvoicePayer has been removed and its features moved directly into
  ChannelManager. As such it now requires a simplified Router and supports
  send_payment_with_retry (and friends). ChannelManager::retry_payment was
  removed in favor of the automated retries. Invoice payment utilities in
  lightning-invoice now call the new code (#1812, #1916, #1929, #2007, etc).
• Sign/BaseSign has been renamed ChannelSigner, with EcdsaChannelSigner
  split out in anticipation of future schnorr/taproot support (#1967).
• The catch-all KeysInterface was split into EntropySource, NodeSigner,
  and SignerProvider. KeysManager implements all three (#1910, #1930).
• KeysInterface::get_node_secret is now KeysManager::get_node_secret_key
  and is no longer required for external signers (#1951, #2070).
• A lightning-transaction-sync crate has been added which implements keeping
  LDK in sync with the chain via an esplora server (#1870). Note that it can
  only be used on nodes that never ran a previous version of LDK.
• Score is updated in BackgroundProcessor instead of via Router (#1996).
• ChainAccess::get_utxo (now UtxoAccess) can now be resolved async (#1980).
• BOLT12 Offer, InvoiceRequest, Invoice and Refund structs as well as
  associated builders have been added. Such invoices cannot yet be paid due to
  missing support for blinded path payments (#1927, #1908, #1926).
• A lightning-custom-message crate has been added to make combining multiple
  custom messages into one enum/handler easier (#1832).
• Event::PaymentPathFailure is now generated for failure to send an HTLC
  over the first hop on our local channel (#2014, #2043).
• lightning-net-tokio no longer requires an Arc on PeerManager (#1968).
• ChannelManager::list_recent_payments was added (#1873).
• lightning-background-processor std is now optional in async mode (#1962).
• create_phantom_invoice can now be used in no-std (#1985).
• The required final CLTV delta on inbound payments is now configurable (#1878)
• bitcoind RPC error code and message are now surfaced in block-sync (#2057).
• Get historical_estimated_channel_liquidity_probabilities was added (#1961).
• ChannelManager::fail_htlc_backwards_with_reason was added (#1948).
• Macros which implement serialization using TLVs or straight writing of struct
  fields are now public (#1823, #1976, #1977).

Backwards Compatibility

• Any inbound payments with a custom final CLTV delta will be rejected by LDK
  if you downgrade prior to receipt (#1878).
• Event::PaymentPathFailed::network_update will always be None if an
  0.0.114-generated event is read by a prior version of LDK (#2043).
• Event::PaymentPathFailed::all_paths_removed will always be false if an
  0.0.114-generated event is read by a prior version of LDK. Users who rely on
  it to determine payment retries should migrate to Event::PaymentFailed, in
  a separate release prior to upgrading to LDK 0.0.114 if downgrading is
  supported (#2043).

Performance Improvements

• Channel data is now stored per-peer and channel updates across multiple
  peers can be operated on simultaneously (#1507).
• Routefinding is roughly 1.5x faster (#1799).
• Deserializing a NetworkGraph is roughly 6x faster (#2016).
• Memory usage for a NetworkGraph has been reduced substantially (#2040).
• KeysInterface::get_secure_random_bytes is roughly 200x faster (#1974).

Bug Fixes

• Fixed a bug where a delay in processing a PaymentSent event longer than the
  time taken to persist a ChannelMonitor update, when occurring immediately
  prior to a crash, may result in the PaymentSent event being lost (#2048).
• Fixed spurious rejections of rapid gossip sync data when the graph has been
  updated by other means between gossip syncs (#2046).
• Fixed a panic in KeysManager when the high bit of starting_time_nanos
  is set (#1935).
• Resolved an issue where the ChannelManager::get_persistable_update_future
  future would fail to wake until a second notification occurs (#2064).
• Resolved a memory leak when using ChannelManager::send_probe (#2037).
• Fixed a deadlock on some platforms at least when using async ChannelMonitor
  updating (#2006).
• Removed debug-only assertions which were reachable in threaded code (#1964).
• In some cases when payment sending fails on our local channel retries no
  longer take the same path and thus never succeed (#2014).
• Retries for spontaneous payments have been fixed (#2002).
• Return an Err if lightning-persister fails to read the directory listing
  rather than panicing (#1943).
• peer_disconnected will now never be called without peer_connected (#2035)

Security

0.0.114 fixes several denial-of-service vulnerabilities which are reachable from
untrusted input from channel counterparties or in deployments accepting inbound
connections or channels. It also fixes a denial-of-service vulnerability in rare
cases in the route finding logic.

• The number of pending un-funded channels as well as peers without funded
  channels is now limited to avoid denial of service (#1988).
• A second channel_ready message received immediately after the first could
  lead to a spurious panic (#2071). This issue was introduced with 0conf
  support in LDK 0.0.107.
• A division-by-zero issue was fixed in the ProbabilisticScorer if the amount
  being sent (including previous-hop fees) is equal to a channel's capacity
  while walking the graph (#2072). The division-by-zero was introduced with
  historical data tracking in LDK 0.0.112.

In total, this release features 130 files changed, 21457 insertions, 10113
deletions in 343 commits from 18 authors, in alphabetical order:

• Alec Chen
• Allan Douglas R. de Oliveira
• Andrei
• Arik Sosman
• Daniel Granhão
• Duncan Dean
• Elias Rohrer
• Jeffrey Czyz
• John Cantrell
• Kurtsley
• Matt Corallo
• Max Fang
• Omer Yacine
• Valentine Wallace
• Viktor Tigerström
• Wilmer Paulino
• benthecarman
• jurvis

v0.0.113

0.0.113 - Dec 16, 2022 - "Big Movement Intercepted"

API Updates

• ChannelManager::send_payment now takes an explicit PaymentId which is a
  loose idempotency token. See send_payment docs for more (#1761, #1826).
• HTLCs bound for SCIDs from ChannelManager::get_intercept_scid are now
  intercepted and can be forwarded manually over any channel (#1835, #1893).
• Confirm::get_relevant_txids now returns a BlockHash, expanding the set
  of cases where transaction_unconfirmed must be called, see docs (#1796).
• Pending outbound payments are no longer automatically timed-out a few blocks
  after failure. Thus, in order to avoid leaking memory, you MUST call
  ChannelManager::abandon_payment when you no longer wish to retry (#1761).
• ChannelManager::abandon_payment docs were updated to note that the payment
  may return to pending after a restart if no persistence occurs (#1907).
• Event::PaymentReceived has been renamed Event::PaymentClaimable (#1891).
• Event handling is now optionally async for Rust users (#1787).
• user_channel_id is now a u128 and random for inbound channels (#1790).
• A new ChannelReady event is generated whenever a channel becomes ready to
  be used, i.e., after both sides sent the channel_ready message (#1743).
• NetworkGraph now prunes channels where either node is offline for 2 weeks
  and refuses to accept re-announcements of pruned channels (#1735).
• Onion messages are now read in CustomOnionMessageHandler rather than via
  MaybeReadableArgs (#1809).
• Added a new util to generate an invoice with a custom hash (#1894) -
  create_invoice_from_channelmanager_and_duration_since_epoch_with_payment_hash
• Signers are now by default re-derived using KeysInterface's new
  derive_channel_signer rather than read_chan_signer (#1867).
• Confirm::transactions_confirmed is now idempotent (#1861).
• ChannelManager::compute_inflight_htlcs has been added to fetch in-flight
  HTLCs for scoring. Note that InvoicePayer does this for you (#1830).
• Added PaymentClaimable::via_channel_id (#1856).
• Added the node_id (phantom or regular) to payment events (#1766).
• Added the funding transaction confirmations to ChannelDetails (#1856).
• BlindedRoute has been renamed BlindedPath (#1918).
• Support for the BOLT 4 "legacy" onion format has been removed, in line with
  its removal in the spec and vanishingly rare use (#1413).
• ChainMonitor::list_pending_monitor_updates was added (#1834).
• Signing for non-zero-fee anchor commitments is supported again (#1828).
• Several helpers for transaction matching and generation are now pub (#1839).

Bug Fixes

• Fixed a rare race where a crash may result in a pending HTLC not being
  failed backwards, leading to a force-closure by our counterparty (#1857).
• Avoid incorrectly assigning a lower-bound on channel liquidity when routing
  fails due to a closed channel earlier in the path (#1817).
• If a counterparty increases the channel fee, but not enough per our own fee
  estimator, we no longer force-close the channel (#1852).
• Several bugs in the lightning-background-processor future feature were
  fixed, including requirements doc corrections (#1843, #1845, #1851).
• Some failure messages sent back when failing an HTLC were corrected (#1895).
• rapid-gossip-sync no longer errors if an update is applied duplicatively
  or in rare cases when the graph is updated from payment failures (#1833).
• Sending onion messages to a blinded path in which we're the introduction
  node no longer fails (#1791).

Backwards Compatibility

• No ChannelReady events will be generated for previously existing channels,
  including those which become ready after upgrading to 0.0.113 (#1743).
• Once UserConfig::accept_intercept_htlcs is set, downgrades to LDK versions
  prior to 0.0.113 are not supported (#1835).
• Existing payments may see a PaymentClaimable::user_channel_id of 0 (#1856)
• When downgrading to a version of LDK prior to 0.0.113 when there are
  resolved payments waiting for a small timeout, the payments may not be
  removed, preventing payments with the same PaymentId (#1761).

In total, this release features 76 files changed, 11639 insertions, 6067
deletions in 210 commits from 18 authors, in alphabetical order:

• Antoine Riard
• Arik Sosman
• Devrandom
• Duncan Dean
• Elias Rohrer
• Gleb Naumenko
• Jeffrey Czyz
• John Cantrell
• Matt Corallo
• Tee8z
• Tobin C. Harding
• Tristan F
• Valentine Wallace
• Viktor Tigerström
• Wilmer Paulino
• benthecarman
• jurvis
• ssbright

v0.0.112

0.0.112 - Oct 25, 2022 - "History Matters"

API Updates

• Result<(), ChannelMonitorUpdateErr> return values have been replaced with
  a ChannelMonitorUpdateStatus trinary enum. This better denotes that
  ChannelMonitorUpdateStatus::InProgress is not an error, but asynchronous
  persistence of a monitor update. Note that asynchronous persistence still
  has some edge cases and is not yet recommended for production (#1106).
• ChannelMonitor persistence failure no longer automatically broadcasts the
  latest commitment transaction. See the
  ChannelMonitorUpdateStatus::PermanentFailure docs for more info (#1106).
• *Features::known has been replaced with individual
  *MessageHandler::provided_*_features methods (#1707).
• OnionMessenger now takes a CustomOnionMessageHandler implementation,
  allowing you to send and receive custom onion messages (#1748).
• ProbabilisticScorer now tracks the historical distribution of liquidity
  estimates for channels. See new historical_* parameters in
  ProbabilisticScoringParameters for more details (#1625).
• lightning-block-sync's BlockSource trait now supports BIP 157/158
  filtering clients by returning only header data for some blocks (#1706).
• lightning-invoice's Router trait now accepts an InFlightHtlcs to
  ensure we do not over-use a remote channel's funds during routing (#1694).
  Note that this was previously backported to 0.0.111 for bindings users.
• NetworkGraph::remove_stale_channels has been renamed
  NetworkGraph::remove_stale_channels_and_tracking as NetworkGraph now
  refuses to re-add nodes and channels that were recently removed (#1649).
• The lightning-rapid-gossip-sync crate now supports no-std (#1708).
• The default ProbabilisticScoringParameters::liquidity_offset_half_life has
  been increased to six hours from one (#1754).
• All commitment transaction building logic for anchor outputs now assumes the
  no-HTLC-tx-fee variant (#1685).
• A number of missing Eq implementations were added (#1763).

Bug Fixes

• lightning-background-processor now builds without error with the futures
  feature (#1744).
• ChannelManager::get_persistable_update_future's returned Future has been
  corrected to not fail to be awoken in some cases (#1758).
• Asynchronously performing the initial ChannelMonitor persistence is now
  safe (#1678).
• Redundantly applying rapid gossip sync updates no longer Errs (#1764).
• Nodes which inform us via payment failures that they should no longer be
  used are now removed from the network graph. Some LND nodes spuriously
  generate this error and may remove themselves from our graph (#1649).

In total, this release features 134 files changed, 6598 insertions, 4370
deletions in 109 commits from 13 authors, in alphabetical order:

• Duncan Dean
• Elias Rohrer
• Gabriel Comte
• Gursharan Singh
• Jeffrey Czyz
• Jurvis Tan
• Matt Corallo
• Max Fang
• Paul Miller
• Valentine Wallace
• Viktor Tigerström
• Wilmer Paulino
• acid-bit

v0.0.111

"Saturated with Messages"

API Updates

• Support for relaying onion messages has been added via a new
  OnionMessenger struct when passed as the OnionMessageHandler to a
  PeerManager. Pre-encoded onion messages can also be sent and received
  (#1503, #1650, #1652, #1688).
• Rate-limiting of outbound gossip syncs has been rewritten to utilize less
  buffering inside LDK. The new rate-limiting is also used for onion messages
  to avoid delaying other messages (#1604. #1660, #1683).
• Rather than spawning a full OS thread, lightning-background-processor has
  a new process_events_async method which takes the place of a
  BackgroundProcessor for those using Rust's async (#1657).
• ChannelManager::get_persistable_update_future has been added to block on
  a ChannelManager needing re-persistence in a Rust async environment (#1657).
• The Filter::register_output return value has been removed, as it was
  very difficult to correctly implement (i.e., without blocking). Users
  previously using it should instead pass dependent transactions in via
  additional chain::Confirm::transactions_confirmed calls (#1663).
• ChannelHandshakeConfig::their_channel_reserve_proportional_millionths has
  been added to allow configuring counterparty reserve values (#1619).
• KeysInterface::ecdh has been added as an ECDH oracle (#1503, #1658).
• The rust-bitcoin dependency has been updated 0.29 (#1658).
• The bitcoin_hashes dependency has been updated 0.11 (#1677).
• ChannelManager::broadcast_node_announcement has been moved to
  PeerManager (#1699).
• channel_ and node_announcements are now rebroadcast automatically to all
  new peers which connect (#1699).
• {Init,Node}Features sent to peers/broadcasted are now fetched via the
  various *MessageHandler traits, rather than hard-coded (#1701, #1688).
• Event::PaymentPathFailed::rejected_by_dest has been renamed
  payment_failed_permanently (#1702).
• Invoice now derives the std Hash trait (#1575).
• {Signed,}RawInvoice::hash have been renamed signable_hash (#1714).
• chain::AccessError now derives the std Debug trait (#1709).
• ReadOnlyNetworkGraph::list_{channels,nodes} have been added largely for
  users of downstream bindings (#1651).
• ChannelMonitor::get_counterparty_node_id is now available (#1635).

Bug Fixes

• The script compared with that returned from chain::Access was incorrect
  ~half of the time, causing spurious gossip rejection (#1666).
• Pending in-flight HTLCs are now considered when calculating new routes,
  ensuring, e.g. MPP retries do not take known-saturated paths (#1643).
• Counterparty-revoked outputs are now included in get_claimable_balance
  output via a new Balance::CounterpartyRevokedOutputClaimable (#1495).
• Inbound HTLCs for which we do not (yet) have a preimage are now included in
  get_claimable_balance via a Balance::MaybePreimageClaimableHTLC (#1673).
• Probes that fail prior to being sent over their first hop are correctly
  failed with a Event::ProbeFailed rather than a PaymentPathFailed (#1704).
• Pending Event::HTLCHandlingFaileds are no longer lost on restart (#1700).
• HTLCs that fail prior to being sent over their first hop are now marked as
  retryable via !PaymentPathFailed::payment_failed_permanently (#1702).
• Dust HTLCs are now considered failed in the payment tracking logic after the
  commitment transaction confirms, allowing retry on restart (#1691).
• On machines with buggy "monotonic" clocks, LDK will no longer panic if time
  goes backwards (#1692).

Backwards Compatibility

• The new current_time argument to PeerManager constructors must be set to
  a UNIX timestamp for upgraded nodes; new nodes may use a counter (#1699).
• Balance::CounterpartyRevokedOutputClaimable will never be generated for
  channels that were observed to go on-chain with LDK versions prior to
  0.0.111 (#1495).
• ChannelMonitor::get_counterparty_node_id will return None for all
  channels opened on a version of LDK prior to 0.0.110 (#1635).
• Setting their_channel_reserve_proportional_millionths to any value other
  than the default will cause LDK versions prior to 0.0.104 to be unable to
  read the serialized ChannelManager (#1619).

Security

0.0.111 fixes a denial-of-service vulnerability which is reachable from
untrusted input in deployments accepting 0conf channels, or via a race-condition
in deployments creating outbound 0conf channels.

• LDK versions prior to 0.0.111 may spuriously panic when receiving a block if
  they are awaiting the construction of a funding transaction for a 0-conf
  channel (#1711). 0-conf support was added in LDK version 0.0.107.

In total, this release features 84 files changed, 6306 insertions, 1960
deletions in 121 commits from 11 authors, in alphabetical order:

• Arik Sosman
• Devrandom
• Duncan Dean
• Elias Rohrer
• Gursharan Singh
• Matt Corallo
• NicolaLS
• Valentine Wallace
• Viktor Tigerström
• jurvis
• ok300

v0.0.110

API Updates

• ChannelManager::send_probe and Score::probe_{failed,successful} have
  been added to make probing more explicit, as well as new
  Event::Probe{Failed,Successful} events (#1567).
• ProbabilisticScoringParameters::banned_nodes has been renamed
  manual_node_penalties and changed to take msat penalties (#1592).
• Per-payment tracking of failed paths was added to enable configuration of
  ProbabilisticScoringParameters::considered_impossible_penalty_msat (#1600)
• ProbabilisticScoringParameters::base_penalty_amount_multiplier_msat was
  added to allow a penalty that is only amount-dependent (#1617).
• ProbabilisticScoringParameters::amount_penalty_multiplier_msat was renamed
  liquidity_penalty_amount_multiplier_msat (#1617).
• A new Event::HTLCHandlingFailed has been added which provides visibility
  into failures to forward/claim accepted HTLCs (#1403).
• Support has been added for DNS hostnames in the NetAddress type, see
  BOLT PR #911 (#1553).
• GossipSync now has rapid, p2p, and none constructors (#1618).
• lightning-net-tokio no longer requires types to be in Arcs (#1623).
• The htlc_maximum_msat field is now required in ChannelUpdate gossip
  messages. In tests this rejects < 1% of channels (#1519).
• ReadOnlyNetworkGraph::{channel,node} have been added to query for
  individual channel/node data, primarily for bindings users (#1543).
• FeeEstimator implementations are now wrapped internally to ensure values
  below 253 sats/kW are never used (#1552).
• Route selection no longer attempts to randomize path selection. This is
  unlikely to lead to a material change in the paths selected (#1610).

Bug Fixes

• Fixed a panic when deserializing ChannelDetails objects (#1588).
• When routing, channels are no longer fully saturated before MPP splits are
  generated, instead a configuration knob was added as
  PaymentParameters::max_channel_saturation_power_of_half (#1605).
• Fixed a panic which occurred in ProbabilisticScorer when wallclock time
  goes backwards across a restart (#1603).

Serialization Compatibility

• All new fields are ignored by prior versions of LDK. All new fields are not
  present when reading objects serialized by prior versions of LDK.
• Channel information written in the NetworkGraph which is missing
  htlc_maximum_msat may be dropped on deserialization (#1519).
• Similarly, node information written in the NetworkGraph which contains an
  invalid hostname may be dropped on deserialization (#1519).

In total, this release features 79 files changed, 2935 insertions, 1363
deletions in 52 commits from 9 authors, in alphabetical order:

• Duncan Dean
• Elias Rohrer
• Jeffrey Czyz
• Matt Corallo
• Max Fang
• Viktor Tigerström
• Willem Van Lint
• Wilmer Paulino
• jurvis

0.0.109

API Updates

• ChannelManager::update_channel_config has been added to allow the fields
  in ChannelConfig to be changed in a given channel after open (#1527).
• If we reconnect to a peer which proves we have a stale channel state, rather
  than force-closing we will instead panic to provide an opportunity to switch
  to the latest state and continue operating without channel loss (#1564).
• A NodeAlias struct has been added which handles string sanitization for
  node aliases via the Display trait (#1544).
• ProbabilisticScoringParameters now has a banned_nodes set which we will
  never route through during path finding (#1550).
• ProbabilisticScoringParameters now offers an anti_probing_penalty_msat
  option to prefer channels which afford better privacy when routing (#1555).
• ProbabilisticScorer now provides access to its estimated liquidity range
  for a given channel via estimated_channel_liquidity_range (#1549).
• ChannelManager::force_close_channel has been renamed
  force_close_broadcasting_latest_txn and
  force_close_without_broadcasting_txn has been added (#1564).
• Options which cannot be changed at runtime have been moved from
  ChannelConfig to ChannelHandshakeConfig (#1529).
• find_route takes &NetworkGraph instead of `ReadOnlyNetworkGraph (#1583).
• ChannelDetails now contains a copy of the current ChannelConfig (#1527).
• The lightning-invoice crate now optionally depends on serde, with
  Invoice implementing serde::{Deserialize,Serialize} if enabled (#1548).
• Several fields in UserConfig have been renamed for clarity (#1540).

Bug Fixes

• find_route no longer selects routes with more than
  PaymentParameters::max_mpp_path_count paths, and
  ChannelManager::send_payment no longer refuses to send along routes with
  more than ten paths (#1526).
• Fixed two cases where HTLCs pending at the time a counterparty broadcasts a
  revoked commitment transaction are considered resolved prior to their actual
  resolution on-chain, possibly passing the update to another channel (#1486).
• HTLCs which are relayed through LDK may now have a total expiry time two
  weeks in the future, up from one, reducing forwarding failures (#1532).

Serialization Compatibility

• All new fields are ignored by prior versions of LDK. All new fields are not
  present when reading objects serialized by prior versions of LDK.
• ChannelConfig's serialization format has changed and is not compatible
  with any previous version of LDK. Attempts to read values written by a
  previous version of LDK will fail and attempts to read newly written objects
  using a previous version of LDK will fail. It is not expected that users are
  serializing ChannelConfig using the LDK serialization API, however, if a
  backward compatibility wrapper is required, please open an issue.

Security

0.0.109 fixes a denial-of-service vulnerability which is reachable from
untrusted input in some application deployments.

• Third parties which are allowed to open channels with an LDK-based node may
  fund a channel with a bogus and maliciously-crafted transaction which, when
  spent, can cause a panic in the channel's corresponding ChannelMonitor.
  Such a channel is never usable as it cannot be funded with a funding
  transaction which matches the required output script, allowing the
  ChannelMonitor for such channels to be safely purged as a workaround on
  previous versions of LDK. Thanks to Eugene Siegel for reporting this issue.

In total, this release features 32 files changed, 1948 insertions, 532
deletions in 33 commits from 9 authors, in alphabetical order:

• Antoine Riard
• Daniel Granhão
• Elias Rohrer
• Jeffrey Czyz
• Matt Corallo
• Matt Faltyn
• NicolaLS
• Valentine Wallace
• Wilmer Paulino