rpc: include_unsafe option for fundrawtransaction

[t-bast]

Allow RPC users to opt-in to unsafe inputs when funding a raw transaction.

Applications that need to manage a complex RBF flow (such as lightning nodes using anchor outputs) are very limited if they can only use safe inputs.

I also added this option to send and walletcreatefundedpsbt who internally delegate to fundrawtransaction.

Fixes #21299

[DrahtBot]

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• MOVEONLY: CWallet transaction code out of wallet.cpp/.h #21207 (MOVEONLY: CWallet transaction code out of wallet.cpp/.h by ryanofsky)
• refactor: Make CWalletTx sync state type-safe #21206 (refactor: Make CWalletTx sync state type-safe by ryanofsky)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

[t-bast]

We could remove the fOnlySafe argument to AvailableCoins now that this is provided by coin_control.

The only gotcha is that AvailableCoins can be called without a coin_control, but I checked the codebase and in all the places where that happens fOnlySafe is set to true, so we could set it inside AvailableCoins to const bool only_safe = {coinControl ? !coinControl->m_include_unsafe_inputs : true};.

Do you want me to apply that change in this PR?

[t-bast]

@achow101 @luke-jr would you have some time to give a quick pass to this hopefully very simple PR and let me know if there's a concept ACK and it's worth pursuing? 🙏

I know, Taproot is happening (is it?), I understand if you don't have much time available 😄

[achow101]

ACK 16076bb2a8517c6a8b101ad04e220ad3b3f71bcf

[t-bast]

Is there something I can do to help this PR move forward?

We really need it to unblock anchor outputs in lightning (we can run a modified bitcoind with this patch applied for our own node, but we can't ask our users to run a non-release bitcoind version).

[renepickhardt]

Looks good to me.

Could there go anything other wrong than a transaction becoming invalid because an input disappeared? (this of course would not be really wrong)

[t-bast]

Could there go anything other wrong than a transaction becoming invalid because an input disappeared?

It's a very good question, it's part of my "unknown unknowns" and why I'm curious to get feedback from more people here.
It seems to me that there isn't anything else, but there are many things I don't know so I wouldn't rely on my instincts only ¯_(ツ)_/¯

[jonatack]

ACK 4e4d7c01b4134ea3b920345ee2a62e2b06cd458e

Some comments below.

[jonatack]

ACK 0709545365d045b24563b4683881f65a2b34afdd

[jonatack]

ACK a5c3d9cc4cafef3434c97656ab0d4b4fe4727d51

Happy to re-ack for #21359 (comment) and #21359 (comment).

[jonatack]

re-ACK 1b1dad3efbbdf86f5426bf9c43902f40cb9a06c0

[ariard]

I think "opt-in RBF" is better than "replacement" to qualify transactions which may be evicted of the mempool due to bip 125 rules.

[t-bast]

It took the definition of fSafe here:

bitcoin/src/wallet/wallet.h

Line 595 in 2b45cf0

bool fSafe;

Is there consensus on updating this in every place where it's used?

[ariard]

Did we already consider for spending replacement transactions from our wallets before this PR ? isRBFOptIndoesn't seem used in FundTransaction path. Unsafe inputs definition doesn't seem to be tied to replaceability only key externality ?

[t-bast]

I'm not 100% I understand your comment. Are you saying that FundTransaction doesn't check isRBFOptIn, which means that the wallet may currently use unconfirmed outputs from replaceable txs if they're our own txs (which could be an issue because we could replace that tx and invalidate its children)?

[DrahtBot]

🕵️ @harding has been requested to review this pull request as specified in the REVIEWERS file.

[laanwj]

Code review ACK 11d6459