assets: add support for co-signing a zero-fee deposit HTLC spend

bhandras · bhandras · commit 39e7af6d2a20 · 2025-07-17T15:27:48.000+02:00
This commit extends the deposit manager and sweeper to support generating
a zero-fee HTLC transaction that spends a selected deposit. Once the HTLC
is prepared, it is partially signed by the client and can be handed to the
server as a safety measure before using the deposit in a trustless swap.

This typically occurs after the client has accepted the swap payment.
If the client becomes unresponsive during the swap process, the server
can use the zero-fee HTLC as part of a recovery package.
diff --git a/assets/deposit/manager.go b/assets/deposit/manager.go
@@ -1,20 +1,24 @@
 package deposit
 
 import (
+	"bytes"
 	"context"
 	"errors"
 	"fmt"
 	"time"
 
 	"github.com/btcsuite/btcd/btcec/v2"
+	"github.com/btcsuite/btcd/btcec/v2/schnorr/musig2"
 	"github.com/btcsuite/btcd/chaincfg"
 	"github.com/btcsuite/btcd/wire"
+	"github.com/btcsuite/btcwallet/wallet"
 	"github.com/lightninglabs/lndclient"
 	"github.com/lightninglabs/loop/assets"
 	"github.com/lightninglabs/loop/swapserverrpc"
 	"github.com/lightninglabs/taproot-assets/address"
 	"github.com/lightninglabs/taproot-assets/asset"
 	"github.com/lightninglabs/taproot-assets/taprpc"
+	"github.com/lightningnetwork/lnd/lntypes"
 )
 
 var (
@@ -1169,3 +1173,68 @@ func (m *Manager) RevealDepositKeys(ctx context.Context,
 
 	return err
 }
+
+// CoSignHTLC will partially a deposit spending zero-fee HTLC and send the
+// resulting signature to the swap server.
+func (m *Manager) CoSignHTLC(ctx context.Context, depositID string,
+	serverNonce [musig2.PubNonceSize]byte, hash lntypes.Hash,
+	csvExpiry uint32) error {
+
+	done, err := m.scheduleNextCall()
+	if err != nil {
+		return err
+	}
+	defer done()
+
+	deposit, ok := m.deposits[depositID]
+	if !ok {
+		return fmt.Errorf("deposit %v not available", depositID)
+	}
+
+	_, htlcPkt, _, _, _, err := m.sweeper.GetHTLC(
+		ctx, deposit.Kit, deposit.Proof, deposit.Amount, hash,
+		csvExpiry,
+	)
+	if err != nil {
+		log.Errorf("Unable to get HTLC packet: %v", err)
+
+		return err
+	}
+
+	prevOutFetcher := wallet.PsbtPrevOutputFetcher(htlcPkt)
+	sigHash, err := getSigHash(htlcPkt.UnsignedTx, 0, prevOutFetcher)
+	if err != nil {
+		return err
+	}
+
+	nonce, partialSig, err := m.sweeper.PartialSignMuSig2(
+		ctx, deposit.Kit, deposit.AnchorRootHash, serverNonce, sigHash,
+	)
+	if err != nil {
+		log.Errorf("Unable to partial sign HTLC: %v", err)
+
+		return err
+	}
+
+	var pktBuf bytes.Buffer
+	err = htlcPkt.Serialize(&pktBuf)
+	if err != nil {
+		log.Errorf("Unable to write HTLC packet: %v", err)
+		return err
+	}
+
+	_, err = m.depositServiceClient.PushAssetDepositHtlcSigs(
+		ctx, &swapserverrpc.PushAssetDepositHtlcSigsReq{
+			PartialSigs: []*swapserverrpc.AssetDepositPartialSig{
+				{
+					DepositId:  depositID,
+					Nonce:      nonce[:],
+					PartialSig: partialSig,
+				},
+			},
+			HtlcPsbt: pktBuf.Bytes(),
+		},
+	)
+
+	return err
+}
diff --git a/assets/deposit/server.go b/assets/deposit/server.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/lightninglabs/loop/looprpc"
 	"github.com/lightninglabs/taproot-assets/asset"
+	"github.com/lightningnetwork/lnd/lntypes"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 )
@@ -172,5 +173,18 @@ func (s *Server) TestCoSignAssetDepositHTLC(ctx context.Context,
 	in *looprpc.TestCoSignAssetDepositHTLCRequest) (
 	*looprpc.TestCoSignAssetDepositHTLCResponse, error) {
 
-	return nil, status.Error(codes.Unimplemented, "unimplemented")
+	// Values for testing.
+	serverNonce := secNonceToPubNonce(tmpServerSecNonce)
+	preimage := lntypes.Preimage{1, 2, 3}
+	swapHash := preimage.Hash()
+	htlcExpiry := uint32(100)
+
+	err := s.manager.CoSignHTLC(
+		ctx, in.DepositId, serverNonce, swapHash, htlcExpiry,
+	)
+	if err != nil {
+		return nil, status.Error(codes.Internal, err.Error())
+	}
+
+	return &looprpc.TestCoSignAssetDepositHTLCResponse{}, nil
 }
diff --git a/assets/deposit/sweeper.go b/assets/deposit/sweeper.go
@@ -9,18 +9,24 @@ import (
 
 	"github.com/btcsuite/btcd/btcec/v2"
 	"github.com/btcsuite/btcd/btcec/v2/schnorr"
+	"github.com/btcsuite/btcd/btcec/v2/schnorr/musig2"
 	"github.com/btcsuite/btcd/btcutil/psbt"
 	"github.com/btcsuite/btcd/txscript"
 	"github.com/btcsuite/btcd/wire"
 	"github.com/btcsuite/btcwallet/wallet"
 	"github.com/btcsuite/btcwallet/wtxmgr"
 	"github.com/lightninglabs/lndclient"
 	"github.com/lightninglabs/loop/assets"
+	"github.com/lightninglabs/loop/assets/htlc"
 	"github.com/lightninglabs/loop/utils"
 	"github.com/lightninglabs/taproot-assets/address"
 	"github.com/lightninglabs/taproot-assets/proof"
+	"github.com/lightninglabs/taproot-assets/tappsbt"
 	"github.com/lightninglabs/taproot-assets/taprpc"
+	"github.com/lightninglabs/taproot-assets/taprpc/assetwalletrpc"
 	"github.com/lightningnetwork/lnd/input"
+	"github.com/lightningnetwork/lnd/keychain"
+	"github.com/lightningnetwork/lnd/lntypes"
 	"github.com/lightningnetwork/lnd/lnwallet/chainfee"
 )
 
@@ -333,3 +339,110 @@ func getSigHash(tx *wire.MsgTx, idx int,
 
 	return sigHash, nil
 }
+
+// GetHTLC creates a new zero-fee HTLC packet to be able to partially sign it
+// and send it to the server for further processing.
+//
+// TODO(bhandras): add support for spending multiple deposits into the HTLC.
+func (s *Sweeper) GetHTLC(ctx context.Context, deposit *Kit,
+	depositProof *proof.Proof, amount uint64, hash lntypes.Hash,
+	csvExpiry uint32) (*htlc.SwapKit, *psbt.Packet, []*tappsbt.VPacket,
+	[]*tappsbt.VPacket, *assetwalletrpc.CommitVirtualPsbtsResponse, error) {
+
+	// Genearate the HTLC address that will be used to sweep the deposit to
+	// in case the client is uncooperative.
+	rpcHtlcAddr, swapKit, err := deposit.NewHtlcAddr(
+		ctx, s.tapdClient, amount, hash, csvExpiry,
+	)
+	if err != nil {
+		return nil, nil, nil, nil, nil, fmt.Errorf("unable to create "+
+			"htlc addr: %v", err)
+	}
+
+	htlcAddr, err := address.DecodeAddress(
+		rpcHtlcAddr.Encoded, &s.addressParams,
+	)
+	if err != nil {
+		return nil, nil, nil, nil, nil, err
+	}
+
+	// Now we can create the sweep vpacket that'd sweep the deposited
+	// assets to the HTLC output.
+	depositSpendVpkt, err := assets.CreateOpTrueSweepVpkt(
+		ctx, []*proof.Proof{depositProof}, htlcAddr, &s.addressParams,
+	)
+	if err != nil {
+		return nil, nil, nil, nil, nil, fmt.Errorf("unable to create "+
+			"deposit spend vpacket: %v", err)
+	}
+
+	// By committing the virtual transaction to the BTC template we
+	// created, our lnd node will fund the BTC level transaction with an
+	// input to pay for the fees. We'll further add a change output to the
+	// transaction that will be generated using the above key descriptor.
+	feeRate := chainfee.SatPerVByte(0)
+
+	// Use an empty lock ID, as we don't need to lock any UTXOs for this
+	// operation.
+	lockID := wtxmgr.LockID{}
+
+	htlcBtcPkt, activeAssets, passiveAssets, commitResp, err :=
+		s.tapdClient.PrepareAndCommitVirtualPsbts(
+			ctx, depositSpendVpkt, feeRate, nil,
+			s.addressParams.Params, nil, &lockID,
+			time.Duration(0),
+		)
+	if err != nil {
+		return nil, nil, nil, nil, nil, fmt.Errorf("deposit spend "+
+			"HTLC prepare and commit failed: %v", err)
+	}
+
+	htlcBtcPkt.UnsignedTx.Version = 3
+
+	return swapKit, htlcBtcPkt, activeAssets, passiveAssets, commitResp, nil
+}
+
+// PartialSignMuSig2 is used to partially sign a message hash with the deposit's
+// keys.
+func (s *Sweeper) PartialSignMuSig2(ctx context.Context, d *Kit,
+	anchorRootHash []byte, cosignerNonce [musig2.PubNonceSize]byte,
+	message [32]byte) ([musig2.PubNonceSize]byte, []byte, error) {
+
+	signers := [][]byte{
+		d.FunderInternalKey.SerializeCompressed(),
+		d.CoSignerInternalKey.SerializeCompressed(),
+	}
+
+	session, err := s.signer.MuSig2CreateSession(
+		ctx, input.MuSig2Version100RC2,
+		&keychain.KeyLocator{
+			Family: d.KeyLocator.Family,
+			Index:  d.KeyLocator.Index,
+		}, signers, lndclient.MuSig2TaprootTweakOpt(
+			anchorRootHash, false,
+		),
+	)
+	if err != nil {
+		return [musig2.PubNonceSize]byte{}, nil, err
+	}
+
+	_, err = s.signer.MuSig2RegisterNonces(
+		ctx, session.SessionID,
+		[][musig2.PubNonceSize]byte{cosignerNonce},
+	)
+	if err != nil {
+		return [musig2.PubNonceSize]byte{}, nil, err
+	}
+
+	clientPartialSig, err := s.signer.MuSig2Sign(
+		ctx, session.SessionID, message, true,
+	)
+	if err != nil {
+		return [musig2.PubNonceSize]byte{}, nil, err
+	}
+
+	fmt.Printf("!!! client partial sig: %x\n", clientPartialSig)
+	fmt.Printf("!!! client nonce: %x\n", session.PublicNonce)
+
+	return session.PublicNonce, clientPartialSig, nil
+}
diff --git a/assets/deposit/testing.go b/assets/deposit/testing.go
@@ -0,0 +1,57 @@
+package deposit
+
+import (
+	"github.com/btcsuite/btcd/btcec/v2"
+	"github.com/btcsuite/btcd/btcec/v2/schnorr/musig2"
+)
+
+var (
+	// tmpServerSecNonce is a secret nonce used for testing.
+	// TODO(bhandras): remove once package spending works e2e.
+	tmpServerSecNonce = [musig2.SecNonceSize]byte{
+		// First 32 bytes: scalar k1
+		0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
+		0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00,
+		0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80,
+		0x90, 0xa0, 0xb0, 0xc0, 0xd0, 0xe0, 0xf0, 0x01,
+
+		// Second 32 bytes: scalar k2
+		0x02, 0x13, 0x24, 0x35, 0x46, 0x57, 0x68, 0x79,
+		0x8a, 0x9b, 0xac, 0xbd, 0xce, 0xdf, 0xf1, 0x02,
+		0x14, 0x26, 0x38, 0x4a, 0x5c, 0x6e, 0x70, 0x82,
+		0x94, 0xa6, 0xb8, 0xca, 0xdc, 0xee, 0xf1, 0x03,
+	}
+)
+
+// secNonceToPubNonce takes our two secret nonces, and produces their two
+// corresponding EC points, serialized in compressed format.
+func secNonceToPubNonce(
+	secNonce [musig2.SecNonceSize]byte) [musig2.PubNonceSize]byte {
+
+	var k1Mod, k2Mod btcec.ModNScalar
+	k1Mod.SetByteSlice(secNonce[:btcec.PrivKeyBytesLen])
+	k2Mod.SetByteSlice(secNonce[btcec.PrivKeyBytesLen:])
+
+	var r1, r2 btcec.JacobianPoint
+	btcec.ScalarBaseMultNonConst(&k1Mod, &r1)
+	btcec.ScalarBaseMultNonConst(&k2Mod, &r2)
+
+	// Next, we'll convert the key in jacobian format to a normal public
+	// key expressed in affine coordinates.
+	r1.ToAffine()
+	r2.ToAffine()
+	r1Pub := btcec.NewPublicKey(&r1.X, &r1.Y)
+	r2Pub := btcec.NewPublicKey(&r2.X, &r2.Y)
+
+	var pubNonce [musig2.PubNonceSize]byte
+
+	// The public nonces are serialized as: R1 || R2, where both keys are
+	// serialized in compressed format.
+	copy(pubNonce[:], r1Pub.SerializeCompressed())
+	copy(
+		pubNonce[btcec.PubKeyBytesLenCompressed:],
+		r2Pub.SerializeCompressed(),
+	)
+
+	return pubNonce
+}
