fix(legacy-refunds): support going the spending path on refund #2280
Conversation
modularize these funcs and introdcue a new error type to filter errors and possible retrys. tests are not yet adapted.
not finished and on successful checking swaps are removed. these tests were used to check that we error on recover funds when: - swap is not finished yet: there is not reason not to try recover funds still - swap was successful (determined the existance of taker/maker payment spend): we should still attempt to recover funds in this case as the tx might be re-orged or some weird thing happned. there is no downside of retrying. also test_recover_funds_maker_swap_maker_payment_refunded was used to test that we check local data to determine that the swap failed. again this isn't the followed approach here. even if we store maker_payment_refund tx locally (so we should have sent it when the swap was running) we will still attempt to run recover funds and look for the tx on-chain. this test could have been adapted but then it looks exactly like test_recover_funds_maker_payment_refund_already_refunded, so there is no point of that.
namely, we do try to refund (maker payment) or spend (taker payment), which ever is possible. we might want to change refund_maker_payment name to recover or something
same as what's done with the maker. thought much more useful here because on the maker side we can't really miss spending the taker's payment while getting our own payment spent :p
|
@mariocynicys could you please fix PR lint |
mariocynicys
changed the title
sorry, but amending this would break the links i just shared :). thanks for your undertanding, reader.
There was a problem hiding this comment.
Thanks for the PR. First review iteration!
A few suggestions/discussion points:
- Maybe we should add start/stop swap rpc for @cipig to use to stop endlessly failing swaps until we fix the bugs that lead to this.
- We will need this for TPU, please add it to an issue checklist.
| .maker_coin | ||
| .can_refund_htlc(maker_payment_lock) | ||
| .await | ||
| .map_err(RecoverSwapError::Irrecoverable)?; |
There was a problem hiding this comment.
can_refund_htlc can sometimes return a recoverable error, please check utxo implementation for this ref.
| // Roll back to confirming the maker payment spend. | ||
| RecoveredSwapAction::SpentOtherPayment => { | ||
| info!("Refund canceled. Maker payment spend tx {:02x}", tx_ident.tx_hash); | ||
| // TODO: We prepared for refund but didn't finalize refund. This must be breaking something for lightning. |
There was a problem hiding this comment.
Will we ever hit this code in lightning? I guess it can happen for taker swap code but it's not a big problem anyways since the finalize refund is just to allow the maker get his payment back instantly instead of waiting for the timelock to expire, and if we spend it, it means it can't be failed backwards. For maker swap code it's a different case, maker fails the htlc backwards before this step, so we will never hit this code.
Usually such things in code is a cue for a needed refactor but not in this PR of course.
There was a problem hiding this comment.
looks like this is only relevant for lightning receiving maker. and yeah if the maker fails the HTLC then we can't hit SpentOtherPayment.
removed the todo 70afcde
| // FIXME: We should try to `recover_funds` again after locktime. The taker payment might have been | ||
| // spent by the maker at this point and we should go for spending the maker payment instead. |
There was a problem hiding this comment.
Well, wait_for_htlc_refund for lightning doesn't depend on locktime, but this is a general code and we should handle this case. For the lightning case, if we got payment successful from here
komodo-defi-framework/mm2src/coins/lightning.rs
Lines 824 to 828 in f401497
It means that we should be spending the maker payment.
There was a problem hiding this comment.
i think that makes sense in the general sense. if the wait_for_htlc_refund fails we can try to recover again.
There was a problem hiding this comment.
there is one case that comes to my mind where it would be bad to retry endlessly: if the initial tx was reverted because of too low gas (so basically a misconfiguration from our side)... if you retry that tx, you will spend gas again, but the result will be the same if you haven't increased gas limits... so you loose the txfees every time you try
idk if we want/should account for this case, but thought i mention it
There was a problem hiding this comment.
yeah that's a good reason to have a start/stop rpc.
There was a problem hiding this comment.
A start/stop rpc doesn't solve this, as too much gas might have been already spent until the user or @cipig is aware of this, this could drain the user's wallet which is really bad. We need to mark swap as failed for this and this is one of the situations where we will still require manual recover funds usage. @cipig are you aware of other situations like this one, we shouldn't release this PR/fix unless we are sure it's completely safe to retry forever and all edge cases are covered.
There was a problem hiding this comment.
there is this #1567, but there you don't loose any fees when you retry forever
i guess reverted "out of gas" txes on EVM chains are the only problem where you loose money if you retry forever
there may be other reasons why a EVM chain reverts your tx, but i haven't encountered any other that would always fail
so short answer is "no", just this case :-)
There was a problem hiding this comment.
covered here: a28c768
for the gas issue with reverted txs: what about retrying the refund in an exponential backoff manner? this greatly reduces the amount of failed recoveries and doesn't hurt the perf/speed that much.
There was a problem hiding this comment.
Strictly speaking, 'reverted' means that tx was cancelled due to errors during the contract execution (for e.g. locktime has not been passed yet), so the tx may be retried yet.
A tx can be cancelled due to out of gas. To prevent retries in this case, I think, we may analyse the tx receipt in eth code and return some unrecoverable error to the swap code.
There was a problem hiding this comment.
A tx can be cancelled due to out of gas. To prevent retries in this case, I think, we may analyse the tx receipt in eth code and return some unrecoverable error to the swap code.
gas spikes on Ethereum are typically temporary nope? and a transaction being "out of gas" is not necessarily a permanent failure.
I would suggest to mark swap failed in this case and stop the process, but allow user to retry spend-or-refun process later and start it manually. And also allow to stop if it takes too long time for them. If retry faced "out of gas" again, then mark as failed and stop process.
I suppose you're referencing to this issue #1895 ? We have lots of lists, so I just want to clarify. I also added eth coin todos here. |
this field was convereted to a hashmap instead of a vector for easy access to the swap. also we now manually delete the swap from running swaps when the swap is finished/inturepted (memory leak fix). as a consequence to manuallly deleting the swap from running_swaps, we can now store them as arcs instead of weakrefs, which simplifies a lot of .upgrade calls.
mariocynicys
force-pushed
the
robust-swaps
branch
from
10e4192 to
245ea93
Compare
This reverts commit 5c1bb6f.
| ))); | ||
| }, | ||
| }; | ||
| let taker_coin = match swap.taker_coin_ticker() { |
There was a problem hiding this comment.
Code repetition for finding maker_coin and taker_coin.
(BTW could we just use lp_coinfind_or_err in all such cases?)
There was a problem hiding this comment.
thanks. i didn't like it either but needed some assertion xD
This reverts commit 245ea93.
mm2src/mm2_main/src/lp_swap.rs
Outdated
| @@ -516,7 +532,7 @@ struct LockedAmountInfo { | |||
| } | |||
|
|
|||
| struct SwapsContext { | |||
| running_swaps: Mutex<Vec<Weak<dyn AtomicSwap>>>, | |||
| running_swaps: Mutex<Vec<(Weak<dyn AtomicSwap>, AbortOnDropHandle)>>, | |||
There was a problem hiding this comment.
Could you tell why do we need this change?
Is it related to some review note? may be I missed smth
There was a problem hiding this comment.
nah actually, not discussed in review. @shamardy just told me we need the swaps to be stoppable via rpc (since we now do a run forever recovery), that's why we record their abort handles to be able to stop them mid-recover (or even mid-swap).
laruh
added
the
priority: medium
| }; | ||
| // Run the swap in an abortable task and wait for it to finish. | ||
| let (swap_ended_notifier, swap_ended_notification) = oneshot::channel(); | ||
| let abortable_swap = spawn_abortable(async move { |
There was a problem hiding this comment.
Here we create an abortable future to run the swap loop (for using this in the new stop rpc I believe).
But run_taker_swap fn, where we are now, is also wrapped in an abortable future. Could we use this one in the stop rpc?
There was a problem hiding this comment.
but how will we grab that abort handle and supply it to run_taker_swap in the first place?
also kickstart_thread_handler uses run_taker_swap inline (without spawning it), well eventually if u follow the usage ofc u will find kickstart_thread_handler is itself being spawned somewhere. but it's hard to propagate these handles all the way down to the swap runner methods.
There was a problem hiding this comment.
I think it's a bit odd when we use different futures to stop the same swap in different use cases (abort_all and stop_swap_rpc). Maybe we could get the handle for a future from the abortable_system for stop_swap_rpc, so we would use same abort technique in both cases. Maybe some modification for AbortableQueue is needed for that
|
test_mm2_stops_immediately seems not working btw. I guess clear_running_swaps() is needed here too? |
yup. I'll just wait till we finish reviewing the mem leak PR and merge it and then merge this with dev. |
| _touch = touch_loop => unreachable!("Touch loop can not stop!"), | ||
| }; | ||
| // Run the swap in an abortable task and wait for it to finish. | ||
| let (swap_ended_notifier, swap_ended_notification) = oneshot::channel(); |
There was a problem hiding this comment.
Could we simplify this code to eliminate oneshot::channel?
- let (swap_ended_notifier, swap_ended_notification) = oneshot::channel();
- let abortable_swap = spawn_abortable(async move {
+ let fut_with_touch = async move {
select! {
_swap = swap_fut => (), // swap finished normally
_touch = touch_loop => unreachable!("Touch loop can not stop!"),
- }
- if swap_ended_notifier.send(()).is_err() {
- error!("Swap listener stopped listening!");
- }
- });
- swap_ctx.running_swaps.lock().unwrap().push((weak_ref, abortable_swap));
- // Halt this function until the swap has finished (or interrupted, i.e. aborted/panic).
- swap_ended_notification.await.error_log_with_msg("Swap interrupted!");
+ };
+ };
+ let (abortable, handle) = abortable(fut_with_touch);
+ swap_ctx.running_swaps.lock().unwrap().push((weak_ref, handle.into()));
+ if let Err(Aborted) = abortable.await {
+ info!("Swap uuid={} interrupted!", uuid);
+ }
laruh
added
priority: high
|
@mariocynicys pr started to have conflicts |
This reverts commit 0ce3c93.
…inline we don't need a oneshot channel this way
| .fuse() | ||
| }); | ||
|
|
||
| let (abortable, handle) = abortable(async move { | ||
| select! { | ||
| _swap = swap_fut => (), // swap finished normally | ||
| _touch = touch_loop => unreachable!("Touch loop can not stop!"), | ||
| } | ||
| }); | ||
| let uuid = running_swap.uuid; | ||
| swap_ctx | ||
| .running_swaps | ||
| .lock() | ||
| .unwrap() | ||
| .insert(uuid, (running_swap, handle.into())); | ||
| // Wait until the swap has finished (or interrupted, i.e. aborted/panic). | ||
| if abortable.await.is_err() { | ||
| info!("Swap uuid={} interrupted!", uuid); | ||
| } | ||
| // Remove the swap from the running swaps map. | ||
| swap_ctx.running_swaps.lock().unwrap().remove(&uuid); |
There was a problem hiding this comment.
there is a side effect introduced in this PR that i don't like:
if the parent of this func call (run_maker_swap/run_taker_swap) aborts mid-way, the swap will not abort. one could still abort it ofc from the running_swaps map.
but i think it's more intuitive to have the swap aborted when run_maker_swap is aborted without the need to abort it via running_swaps map.
i think what i want is to be able to run the swap in the current abortable system while still be able to shut the swap using the aborthandle. so there is a 2-way shutdown mechanism or something like that.
cc/ @dimxy
There was a problem hiding this comment.
Yeah, I think maybe we should create an abortable future (swap_fut+ touch_loop) in run_taker_swap(), add its abort_handle to both the abortable_system and running_swaps.
Then spawn this abortable future and do not await for it.
| if abortable.await.is_err() { | ||
| info!("Swap uuid={} interrupted!", uuid); | ||
| } |
There was a problem hiding this comment.
why is the log level changed to info?
There was a problem hiding this comment.
yeah that should be error, thanks.
| if abortable.await.is_err() { | ||
| info!("Swap uuid={} interrupted!", uuid); | ||
| } |
| let swap = match SavedSwap::load_my_swap_from_db(&ctx, req.uuid).await { | ||
| Ok(Some(s)) => s, | ||
| Ok(None) => { | ||
| return MmError::err(KickStartSwapErr::NotFound); | ||
| }, | ||
| Err(e) => { | ||
| return MmError::err(KickStartSwapErr::Internal(format!( | ||
| "Error getting the swap from the DB: {e}" | ||
| ))) | ||
| }, | ||
| }; |
There was a problem hiding this comment.
| let swap = match SavedSwap::load_my_swap_from_db(&ctx, req.uuid).await { | |
| Ok(Some(s)) => s, | |
| Ok(None) => { | |
| return MmError::err(KickStartSwapErr::NotFound); | |
| }, | |
| Err(e) => { | |
| return MmError::err(KickStartSwapErr::Internal(format!( | |
| "Error getting the swap from the DB: {e}" | |
| ))) | |
| }, | |
| }; | |
| let swap = SavedSwap::load_my_swap_from_db(&ctx, req.uuid) | |
| .await | |
| .mm_err(|e| KickStartSwapErr::Internal(format!("Error getting the swap from the DB: {e}")))? | |
| .or_mm_err(|| KickStartSwapErr::NotFound)?; |
| // Get the maker and taker coins. | ||
| let find_swap_coin = |ctx: MmArc, maybe_ticker: Result<String, String>, ticker_type: &'static str| async move { | ||
| match maybe_ticker { | ||
| Ok(coin) => match lp_coinfind(&ctx, &coin).await { | ||
| Ok(Some(coin)) => Ok(coin), | ||
| Ok(None) => MmError::err(KickStartSwapErr::NeedsCoinActivation(format!( | ||
| "{ticker_type} coin {} must be activated", | ||
| coin | ||
| ))), | ||
| Err(e) => MmError::err(KickStartSwapErr::Internal(format!( | ||
| "Error trying to find {ticker_type} coin: {e}" | ||
| ))), | ||
| }, | ||
| Err(e) => MmError::err(KickStartSwapErr::Internal(format!( | ||
| "Error getting {ticker_type} ticker of swap: {e}" | ||
| ))), | ||
| } | ||
| }; | ||
| let maker_coin = find_swap_coin(ctx.clone(), swap.maker_coin_ticker(), "maker").await?; | ||
| let taker_coin = find_swap_coin(ctx.clone(), swap.taker_coin_ticker(), "taker").await?; |
There was a problem hiding this comment.
I think this is better and this is too minimal to require cloning arc
| // Get the maker and taker coins. | |
| let find_swap_coin = |ctx: MmArc, maybe_ticker: Result<String, String>, ticker_type: &'static str| async move { | |
| match maybe_ticker { | |
| Ok(coin) => match lp_coinfind(&ctx, &coin).await { | |
| Ok(Some(coin)) => Ok(coin), | |
| Ok(None) => MmError::err(KickStartSwapErr::NeedsCoinActivation(format!( | |
| "{ticker_type} coin {} must be activated", | |
| coin | |
| ))), | |
| Err(e) => MmError::err(KickStartSwapErr::Internal(format!( | |
| "Error trying to find {ticker_type} coin: {e}" | |
| ))), | |
| }, | |
| Err(e) => MmError::err(KickStartSwapErr::Internal(format!( | |
| "Error getting {ticker_type} ticker of swap: {e}" | |
| ))), | |
| } | |
| }; | |
| let maker_coin = find_swap_coin(ctx.clone(), swap.maker_coin_ticker(), "maker").await?; | |
| let taker_coin = find_swap_coin(ctx.clone(), swap.taker_coin_ticker(), "taker").await?; | |
| let maker_coin = swap | |
| .maker_coin_ticker() | |
| .map_to_mm(|e| KickStartSwapErr::Internal(format!("Error getting maker ticker for swap: {e}")))?; | |
| let maker_coin = lp_coinfind(&ctx, &maker_coin) | |
| .await | |
| .map_to_mm(|e| KickStartSwapErr::Internal(format!("Error getting maker ticker for swap: {e}")))? | |
| .or_mm_err(|| KickStartSwapErr::NeedsCoinActivation(format!("maker coin {maker_coin} must be activated")))?; | |
| let taker_coin = swap | |
| .taker_coin_ticker() | |
| .map_to_mm(|e| KickStartSwapErr::Internal(format!("Error getting taker ticker for swap: {e}")))?; | |
| let taker_coin = lp_coinfind(&ctx, &taker_coin) | |
| .await | |
| .map_to_mm(|e| KickStartSwapErr::Internal(format!("Error getting taker ticker for swap: {e}")))? | |
| .or_mm_err(|| KickStartSwapErr::NeedsCoinActivation(format!("taker coin {taker_coin} must be activated")))?; | |
This PR attempts to follow a more robust recovery process by attempting both refunding OR spending if the swap goes the ugly way.
This is done by replacing the refund-only logic with refund-or-spend-logic (recovery,
recover_funds).Also
recover_fundshas been adapted to return more structured error types for information about retrials and such. Also removing some pre-checks that makes us fail early based on local data (e.g. is_swap_finished), as we should still query the rpc to make sure our recovery tx isn't lost or something.