It let call sethseed while being disconnected, which may be blameworthty but as createwallet let you already generate a HD wallet without checking for IBD, we should go either way or the other, i.e can generate HD-seed without out-of-IBD or can't generate HD-seed without out-of-IBD. Thoughts ?

The reason that you had to be out of IBD in order to set an HD seed is because by setting a new HD seed, no new keys would ever be generated from the old seed. So if there were a transaction that involved a key that hadn't been generated yet and was in a block after where you were currently synced, setting a new HD seed would mean that you don't detect that transaction. That would be bad.

With createwallet, the difference is that it's a completely new wallet with no history at all so it is safe to make a new wallet when you are behind.

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• Use shared pointers only in validation interface #18354 (Use shared pointers only in validation interface by bvbfan)
• wallet: always do avoid partial spends if fees are within a specified range #14582 (wallet: always do avoid partial spends if fees are within a specified range by kallewoof)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

So if there were a transaction that involved a key that hadn't been generated yet and was in a block after where you were currently synced

You're talking about a key derived from the old seed here ? I didn't dig in code but if I understand when we set a new seed we discard checking keys for old one right ? Node is getting out of IBD at tip N - DEFAULT_TIP_AGE(~144), which means you can set a new seed at N - 144, but you're not going to see a tx with an old key in block N - 100 for example, so is this mechanism reliable ?

You're talking about a key derived from the old seed here ? I didn't dig in code but if I understand when we set a new seed we discard checking keys for old one right ?

Yes, I'm talking about keys derived from the old seed. Any key that has already been derived and added to the wallet (i.e. it was in the keypool or already marked as used) will still be checked for. Setting a new seed doesn't change that. Setting a new seed only makes it so that no new keys will be derived from the old seed.

Node is getting out of IBD at tip N - DEFAULT_TIP_AGE(~144), which means you can set a new seed at N - 144, but you're not going to see a tx with an old key in block N - 100 for example, so is this mechanism reliable ?

I think it's reasonably reliable as I think it is unlikely that someone used the entire keypool in 144 blocks.

Thanks @achow101 for your insights, I'm going to hold-on this PR once the wallet init its state asynchronously like thanks to change here https://github.com/ariard/bitcoin/commits/2019-08-rescan-index-refactor so it would avoid behavior change on the point you raised.

Thanks for your review @jonatack, will fix comments once PR gets Concept ACK.

Concept ACK.

@achow101 to be clear, is the failure scenario as follows:

1. user has an HD wallet
2. user makes a backup from the wallet
3. user hands out more keys then they have in their keypool (currently 1000, previously 100) and receives payments to keys handed out after the initial keypool was drained
4. user restores original backup wallet on unsync'ed node, then calls sethdseed before the node has synced. The payments to the keys handed out after the initial keypool was drained are lost.

(1) must be an HD wallet because restoring a non-HD wallet backup that has drained its initial keypool keys always results in funds loss
(3) must drain the initial keypool because setting a new HD seed does not remove the initial keypool from the wallet. It simply marks them as not in the keypool

Not allowing sethdseed to be called before we're out of IBD isn't perfect protection against this. If many addresses (more than in the initial keypool) have been handed out, the user could still receive a payment to one of those addresses after they've changed their hdseed and lose the payment.

@ariard - is it possible to change this so m_is_ibd initializes to true and then call Chain::isInitialBlockDownload() once on wallet start-up?

For some context about the IBD and sethdseed stuff: #12560 (comment)

is the failure scenario as follows:

Yes.

@achow101 Thanks for the cross-reference 🙏

can we either check that we're fully synced before allowing an HD master rotate or keep around old HD keys for key derivation? I'd prefer the second

Keeping the old key for key derivation definitely seems like the correct fix. How complex is that (and does descriptor wallets do that automatically?)

Keeping the old key for key derivation definitely seems like the correct fix. How complex is that

I don't think it would be too complex. Although I think it would be a fairly large change. We would need to keep track of the old hd seeds and keep track of where we've derived up to for a particular seed. And a bunch of things that do things on the seed would need to be changed to do things on any seed. We would have to add several more records to the wallet.

Alternatively we could have sethdseed make a new LegacyScriptPubKeyMan with the seed, but that may also require a bit of re-architecting as the primary assumption about LegacyScriptPubKeyMans will change. But we would have to wait for the full ScriptPubKeyMan and CWallet separation before that can happen.

and does descriptor wallets do that automatically?

Not the current implementation. But it also would be pretty trivial to do it.

@jnewbery

is it possible to change this so m_is_ibd initializes to true and then call Chain::isInitialBlockDownload() once on wallet start-up?

Yes but that removes PR interest of drying up the Chain interface. I think best it to wait wallet registering its sync state with the Chain::interface (https://github.com/ariard/bitcoin/commits/2019-08-rescan-index-refactor) at start-up so after rescan done wallet knows it's out of IBD.

can we either check that we're fully synced before allowing an HD master rotate or keep around old HD keys for key derivation? I'd prefer the second

I think by robustness we should go for the second option. Reading https://github.com/bitcoin-core/bitcoin-devwiki/wiki/Wallet-Class-Structure-Changes, best option is to have multiple Scri[tPubKeyMan or one with multiple hdChain ?

Reading https://github.com/bitcoin-core/bitcoin-devwiki/wiki/Wallet-Class-Structure-Changes, best option is to have multiple Scri[tPubKeyMan or one with multiple hdChain ?

I think you could have separate LegacyScriptPubKeyMan instances for each hdseed, but this would probably be more work than necessary, and not very related to what this PR is trying to do.

I think the minimal fix to prevent running out of keys for old hd seeds would be to do some extra checking and topping up inside LegacyScriptPubKeyMan::MarkUnusedAddresses. Add a check there to see if the affected key has metadata associated with an inactive hd seed. If it does and the key number in the metadata is close enough to the highest generated key on that hd path, generate more keys on the path and add them to the wallet. I don't think this would require very much code. To work efficiently the LegacyScriptPubKeyMan instance would need to have a new map from KeyOriginInfo hd path to the maximum generated key number on that path.

Actually, I think you would need to do what I just described even if you did want to instantiate different LegacyScriptPubKeyMan instances for each seed, because inactive hd seeds aren't going to have any pool data, so m_pool_key_to_index data will be empty and existing topup code won't work for them. So you'd need this new LegacyScriptPubKeyMan::MarkUnusedAddresses code anyway.

If it is desirable to have separate LegacyScriptPubKeyMan instances in the wallet, I think that might not be too hard to implement. The trickiest part would just be loading them. In walletdb.cpp as keys and scripts are loaded you would have to examine their metadata to figure out what seed they were associated with and load them into the appropriate keyman instance based on that seed.

I've dealt with the sethdseed stuff in #17681

Whoa awesome, will review #17681 !

Thanks @ryanofsky for call-up on this and #17443! I will rebase them tomorrow-ish but I think for this one it would be better for achow one to get first.

Concept ACK, will do full review when this is rebased.

Rebased the PR but this is not worthy to review now, after thinking a bit more I want to avoid behavior changes and for so, it would be better to get #15719 and its follow-up first to always ensure we are in-sync with node wrt to IBD after wallet startup.

This current PR may provoke issue if a privacy leak if user broadcast a transaction without being at tip.

Updated PR description in consequence.

🐙 This pull request conflicts with the target branch and needs rebase.

_{Want to unsubscribe from rebase notifications on this pull request? Just convert this pull request to a "draft".}

• Is it still relevant? ➡️ Please solve the conflicts to make it ready for review and to ensure the CI passes.
• Is it no longer relevant? ➡️ Please close.
• Did the author lose interest or time to work on this? ➡️ Please close it and mark it 'Up for grabs' with the label, so that it can be picked up in the future.

Looks like this depends on #15719

• Is it still relevant? ➡️ Please solve the conflicts to make it ready for review and to ensure the CI passes.
• Is it no longer relevant? ➡️ Please close.
• Did the author lose interest or time to work on this? ➡️ Please close it and mark it 'Up for grabs' with the label, so that it can be picked up in the future.