From Inbound Discounts to Negative Forward Fees.

[feelancer21]

Introduction

In the review process of #6703, there was a discussion about allowing overall negative forward fees. At that point, it seemed better to prevent node runners from losing money by not allowing this feature. However, I think it seems feasible to implement them in a way with limited user risks. I am looking for review especially on the mathematical part and wondering if an implementation with such checks would have success on a merge or are there any other safety concerns?

Overall, the current implementation of inbound discount is a great feature, but it is more likely to incentivize incoming forwards from sinks in the middle of the fee spectrum. However, it is unlikely that they serve as a price signal to high-end sinks.

Negative fees pose two challenges: preventing users from losing money and ensuring pathfinding algorithms find optimal routes. I won't delve deeply into pathfinding, as it seems solvable with other algos, but complex. Without adjusting the pathfinder, however, it makes no sense to introduce negative fees, as they would have no influence on the optimal solution.

User Safety

There are three possibilities of how a user can lose money with negative forward fees.

1. Inbound and outbound fees are in such a bad relationship that an attacker can extract money from the node by sending sats back and forth, so all channels but one have the same liquidity as before. Ideally, the attacker can repeat this until all sats are extracted. In the next section, we show which checks must be performed during policy updates to prevent this.
2. The checks for 1. won't prevent a user from losing money if there is an accidentally set low inbound fee rate in one-way forwards. The only way to mitigate this risk is by setting a floor in the config for the inbound fee rate and the inbound base fee.
3. A user could also lose money by a poorly timed policy update. For example, after paying high negative forward fees, they could lower the outbound fee, making it impossible to recoup the cost. This risk is more comparable to bad rebalancing strategies and isn't something lnd needs to check. However, we could introduce a command-line option and deactivate the negative fee feature by default.

Aside from this global activation option, on a channel level, it should also be possible to either follow the current behavior of flooring the inbound fee by the outbound fee or use the new behavior. We also need a flag to distinguish gossip messages, but this is also necessary for backward compatibility with older lnd senders.

Policy Checks and Mathematical Proof

Let $c$ be a channel, $r_{c,i}$, $r_{c,o}$ the inbound and outbound fee rates in decimals (e.g., 1000ppm = 0.001), $b_{c,i}$, $b_{c,o}$ the base fees in msat, and $x$ the amount a node wants to receive in msat. We define two functions, calculating the amount including inbound or outbound fees.:

$$ f_{c,i}(x):= (1+r_{c,i})\cdot x + b_{c,i} $$

and

$$ f_{c,o}(x):= (1+r_{c,o})\cdot x+ b_{c,o} $$

Moreover, we define two compositions $f_{c,oi}:=f_{c,o}\circ f_{c,i}$ and $f_{c,io}:=f_{c,i}\circ f_{c,o}$.

Now, we want to analyze what conditions are sufficient to ensure that the following attack doesn’t lead to a profit for the attacker. We assume that the attacker controls all nodes of the channel's parties, hence they can send sats from one node to another without incurring additional hop costs. The attacker chooses an arbitrary sequence of channels $c_1, \dots, c_n$ with $n\ge 2$ and $c_1=c_n$. They send an amount $x_1$ from $c_1$ to $c_2$, so they receive $x_2$ in $c_2$. They proceed by sending $x_2$ from $c_2$ to $c_3$, receiving $x_3$, etc. Our goal is to find a condition that implies $x_1\ge x_n$.

The main idea is to ensure that $r_{c,o}+r_{c,i}$ and $b_{c,o}+b_{c,i}$ are sufficiently positive for each channel $c$, as the attacker must always pay both inbound and outbound fees for each channel.

Like in pathfinding, we derive the amount $x_{k-1}$ from $x_k$. If all channels allow negative forward fees, we have the following recursive relationship:

$$ x_{k-1} := (f_{c_{k-i},i}\circ f_{c_k,o})(x_k) $$

Now we can construct $x_1$ from $x_n$ through multiple compositions of these functions:

$$ x_1 = (f_{c_{1},i}\circ f_{c_2,o})\circ\dots\circ(f_{c_{n-2},i}\circ f_{c_{n-1},o})\circ(f_{c_{n-1},i}\circ f_{c_{n},o})(x_n) $$

Using the fact that composition is associative and with applying our definitions, we have:

$$ x_1 = (f_{c_{1},i}\circ (f_{c_2,o}\circ f_{c_2,i})\circ\dots\circ(f_{c_{n-1},o}\circ f_{c_{n-1},i})\circ f_{c_{n},o})(x_n) = (f_{c_{1},i}\circ (f_{c_2,oi}\circ\dots\circ f_{c_{n-1},oi})\circ f_{c_{1},o})(x_n) $$

If we assume that $f_{c,oi}(x)\ge x$ for each channel $c$ and every possible amount $x$, then the inequality also holds for any composition of such functions in sequence. As consequence there exists a $\Delta\ge 0$ such that:

$$ (f_{c_2,oi}\circ\dots\circ f_{c_{n-1},oi}) (f_{c_{1},o}(x_n))=f_{c_{1},o}(x_n)+\Delta $$

Hence:

$$ x_1 = f_{c_{1},i}(f_{c_{1},o}(x_n)+\Delta) = f_{c_{1},i}(f_{c_{1},o}(x_n))+\Delta\cdot(1+r_{c_1,i})=f_{c_{1},io}(x_n)+\Delta\cdot(1+r_{c_1,i})\ge f_{c_{1},io}(x_n) $$

The last inequality holds because $r_{c,i}\ge -1=-100$%. If we also assume that $f_{c,io}(x)\ge x$ for each channel $c$ and amount $x$, then $x_1\ge f_{c_{1},io}(x_n)\ge x_n$, proving that the attacker cannot gain money, independently of the chosen channel sequence.

We consider that:

$$ f_{c,io}(x) = x + (r_{c,o}+r_{c,i}+r_{c,o}\cdot r_{c,i})\cdot x + b_{c,o} + b_{c,i} + b_{c,o}\cdot r_{c,i} $$

and

$$ f_{c,oi}(x) = x + (r_{c,o}+r_{c,i}+r_{c,o}\cdot r_{c,i})\cdot x + b_{c,o} + b_{c,i} + b_{c,i}\cdot r_{c,o}. $$

Then, for a specific channel $c$, it is sufficient to have $f_{c,io}(x)\ge x$ and $f_{c,oi}(x)\ge x$ for all $x$ if the following three conditions are satisfied:

1. $r_{c,o} + r_{c,i}+r_{c,o}\cdot r_{c,i}\ge 0$
2. $b_{c,o} + b_{c,i} + b_{c,o}\cdot r_{c,i}\ge 0$
3. $b_{c,o} + b_{c,i} + b_{c,i}\cdot r_{c,o}\ge 0$

We can interpret the left-hand sides of these inequalities as margins that the node runner earns when routing forth and back through the same channel. The first term is a relative margin in ppm and the second and third terms are absolute margins in msat. These three inequalities could be checked during a policy update, as only the current channel fees are required. However, we must consider that the derived conditions are only correct if the fee rates are real numbers. lnd uses integers for fees, which can lead to rounding effects. Thus, it seems safer for the right-hand sides to be configurable non-negative minimum margins rather than zeros. In addition, a minimum margin would reduce the risk of money losses after a policy has been updated.

Note that the proof also holds if some of the channels $c_1,\dots c_n$ floor the inbound fee by the previous outbound fee.

The inequalities do not guarantee that a user cannot lose money by setting the inbound fee rates too low. For example, if $r_{c,o} = 0.5$ and $r_{c,i} = -0.33$, the first inequality holds, but it seems impossible to earn a 50% outbound fee after paying a 33% inbound fee. This demonstrates the importance of having a lower bound for the inbound fee rate.