FilterIter API redesign

[ValuedMammal]

Previously FilterIter did not detect or handle reorgs between next calls, meaning that if a reorg occurred, we might process blocks from a stale fork potentially resulting in an invalid wallet state. This PR aims to fix that by adding logic to explicitly check for and respond to a reorg on every call to next.

Notes to the reviewers

The old implementation required storing block IDs of scanned blocks before creating a checkpoint update, but because the interface was split across different methods, it introduced a timing risk between method calls which, when we consider the possibility of reorgs, made the implementation somewhat brittle.

To address this, we make sure that 1) Finding the start block and 2) Updating the internal checkpoint are directly tied to the logic of next. Since the checkpoint in practice is derived from a clone of the local chain, this ensures that the checkpoint returned by next can always find a connection point with the receiver. Additionally we now emit a checkpoint at every height to ensure that any "must-include" heights are not missing.

For example usage see examples/filter_iter.rs

fixes #1848

Changelog notice

Fixed
- `FilterIter` now handles reorgs to ensure consistency of the header chain.

Changed
- `Event` is now a struct instead of enum

Added
- `FilterIter::new` constructor that takes as input a reference to the RPC client, checkpoint, and a list of SPKs.
- `Error::TryFromInt` variant

Removed
- `FilterIter::new_with_height`
- `FilterIter::new_with_checkpoint`
- `EventInner` type
- `FilterIter::get_tip`
- `FilterIter::chain_update`
- `Error::NoScripts` variant

Checklists

All Submissions:

• I followed the contribution guidelines

New Features:

• I've added tests for the new feature
• I've added docs for the new feature

Bugfixes:

• This pull request breaks the existing API
• I've added tests to reproduce the issue which are now passing
• I'm linking the issue being fixed by this PR

[evanlinjin]

I understand that the main motivation for this is to protect against attacks from a malicious/faulty node?

This is not going to work as BDK does not check PoW (not currently). The node can just cheaply construct multiple <100 block reorgs and exhaust resources that way.

The only way to protect against attacks is to check PoW.

Note that I've already mentioned this here: #1985 (comment)

[evanlinjin]

I still need to understand the rationale of this PR (since we already had #1985 going). If you can expand on this, it would be appreciated.

I can see how the reorg-logic is simpler here (since it uses the pre-cached headers instead of having the check both the checkpoints/headers). Is this the main reasoning?

I'm assuming the main rationale for header-caching is so that it will be easier/faster to emit CheckPoints with Headers once that becomes available. Is this correct?

[evanlinjin]

I've demonstrated that the chain-update construction logic is unsound with the following test: 21fa815.

My intuition tells me that making the FilterIter checkpoint-centric would make it easier to ensure correctness here. To make this current approach work would mean copying everying in the CheckPoint into FilterIter::headers which would be counter-intuitive.

[evanlinjin]

Can we include a rationale for this?

From my understanding, this will make it faster to find the "point of agreement" if there is a reorg of depth < 10.

On second though, I'm not sure how impactful this is - reorgs are relatively rare and rescanning blocks should be pretty fast with filters?

[evanlinjin]

This is how I propose we move forward with #2000/#1985:

• Make the internals CheckPoint-centric. This will solve the chain-update-may-not-connect problem at it's core.
• Use getblockheader (verbose = true) to fetch blocks (instead of calling getblockhash+getblockheader). This reduces round trips and the getblockheader (verbose = true) result contains confirmations+nextblockhash+previousblockhash information which can be used reorg-detection (Note that confirmations == -1 means the block is not in the best chain).
• Emit CheckPoint as part of the Event (for matched blocks). Only add on checkpoints for matched blocks and tip.
• Remove stop-height from internals. Stop when there is no nextblockhash.

Reorg logic

Backtrack using previousblockhash until confirmations >= 0. Purge all checkpoints with a height >= current.

No need to cache multiple headers/blockhashes. Just keep track of the last emitted header/blockhash.

No need to have Self::matched. Matched checkpoints are emitted straight away.

[evanlinjin]

To address the claim that there is a bug in LocalChain:

I updated the test to print the update chain and the original chain (and also added block of height 50 to the original chain to show that it's not some sort of "genesis block problem"): 4f55f2f

• Heights of the original chain: 0, 50, 101.
• Heights of the update chain: 101, 102.

Note that the block hash of the block at height 101 are not the same between original and update. With this limited information, the checkpoint/localchain logic cannot connect the update to the original chain. In other words, how can we be certain that 50 and 102 exist on the same chain?

To have the update connect, the chain source should include 50.

[evanlinjin]

@ValuedMammal Sorry I pushed 4f55f2f on the wrong remote! Feel free to get rid of it.

[ValuedMammal]

You're right I take back the claim. I was thinking along the lines of a "transitive invalidation with no point of agreement", but since we traverse over height 50 of the original (which is still valid) the update is ambiguous.

Emit CheckPoint as part of the Event (for matched blocks). Only add on checkpoints for matched blocks and tip.

Good idea - only thing is that the caller might eventually wish to collect the headers?

[evanlinjin]

Good idea - only thing is that the caller might eventually wish to collect the headers?

@ValuedMammal What would be the usecase of these headers? Would the caller want headers from every single block or just the relevant blocks?

[ValuedMammal]

@ValuedMammal What would be the usecase of these headers? Would the caller want headers from every single block or just the relevant blocks?

Still just the relevant ones. Maybe a better way to state the question is if CheckPoint becomes generic, the implementation needs to decide whether to emit checkpoints containing headers or just the classic checkpoint. Can probably be considered for future work.

[evanlinjin]

@ValuedMammal yes I think it should be considered later down the line. Since the blockhash is "stable" per height, we can take in a closure for constructing any checkpoint type.

[evanlinjin]

Concept ACK.

This is looking really good.

[evanlinjin]

Addresses some pain points in making LocalChain updates apply reliably.

P.S. Hopefully this highlights the value of the BlockGraph work you’ve been leading.

[evanlinjin]

There is an unfortunate restriction with LocalChain (as it exists currently). The only safe way to ensure two CheckPoint chains connect is if the update chain contains all heights of the original chain from the point of agreement. We probably need to keep track of these must-be-included-heights internally in the FilterIter.

We probably also need to change how we structure an Event since non-matching blocks which are not tips may need to return a CheckPoint update. I propose the following:

type SyncPoint {
    CheckPoint(CheckPoint),
    BlockId(BlockId),
} 

type Event {
    at: SyncPoint,
    match_block: Option<Block>,
}

// Suggestions for helper methods.
impl Event {
    pub fn checkpoint(&self) -> Option<CheckPoint> { /*TODO*/ }
    pub fn block_id(&self) -> BlockId { /*TODO*/ }
    pub fn height(&self) -> u32 { /*TODO*/ }
    pub fn is_match(&self) -> bool { /*TODO*/ }
}

Let me know what you think.

---

Additionally, what do you think about changing the find_base logic to call get_block_header_info against cp.hash (so no need for a separate get_block_hash call)? However, we may need to look at the RPC error code for if a block does not exist (instead of directly returning the error).

[evanlinjin]

We'll need to keep track of the heights we have removed to ensure the checkpoint update connects.

[ValuedMammal]

Will it be easier to just include the checkpoint with every event?

/// Event returned by [`FilterIter`].
#[derive(Debug, Clone)]
pub struct Event {
    /// Checkpoint
    pub cp: CheckPoint,
    /// Block, will be `Some(..)` for matching blocks.
    pub block: Option<Block>,
}

[ValuedMammal]

I added a commit ff92f30 and rebased.

[evanlinjin]

Will it be easier to just include the checkpoint with every event?

/// Event returned by [`FilterIter`].
#[derive(Debug, Clone)]
pub struct Event {
    /// Checkpoint
    pub cp: CheckPoint,
    /// Block, will be `Some(..)` for matching blocks.
    pub block: Option<Block>,
}

@ValuedMammal yes, but the caller can't easily determine the height of non-matching events.

In which case, maybe we should only emit matched blocks + tip? This ensures that the cp and block of an event refers to the same block.