mirror of
https://github.com/bitcoin/bitcoin.git
synced 2025-01-25 18:53:23 -03:00
1dc03dda05
Our RBF policy is different from the rules specified in BIP125. For example, the BIP does not mention Rule 6, and our Rule 4 uses the (configurable) incremental relay feerate (distinct from the minimum relay feerate). Those interested in our policy should refer to doc/policy/mempool-replacements.md instead. These rules may also continue to diverge with package RBF and other RBF improvements. Keep references to the BIP125 signaling wrt sequence numbers, since that is still correct and widely used. It is helpful to refer to this as "BIP125 signaling" since it is unambiguous and succint, especially if we have multiple ways to signal replaceability in the future. The rule numbers in doc/policy/mempool-replacements.md correspond largely to those of BIP 125, so we can still refer to them like "Rule 5."
119 lines
6.9 KiB
Markdown
119 lines
6.9 KiB
Markdown
# Package Mempool Accept
|
|
|
|
## Definitions
|
|
|
|
A **package** is an ordered list of transactions, representable by a connected Directed Acyclic
|
|
Graph (a directed edge exists between a transaction that spends the output of another transaction).
|
|
|
|
For every transaction `t` in a **topologically sorted** package, if any of its parents are present
|
|
in the package, they appear somewhere in the list before `t`.
|
|
|
|
A **child-with-unconfirmed-parents** package is a topologically sorted package that consists of
|
|
exactly one child and all of its unconfirmed parents (no other transactions may be present).
|
|
The last transaction in the package is the child, and its package can be canonically defined based
|
|
on the current state: each of its inputs must be available in the UTXO set as of the current chain
|
|
tip or some preceding transaction in the package.
|
|
|
|
## Package Mempool Acceptance Rules
|
|
|
|
The following rules are enforced for all packages:
|
|
|
|
* Packages cannot exceed `MAX_PACKAGE_COUNT=25` count and `MAX_PACKAGE_SIZE=101KvB` total size
|
|
(#20833)
|
|
|
|
- *Rationale*: This is already enforced as mempool ancestor/descendant limits. If
|
|
transactions in a package are all related, exceeding this limit would mean that the package
|
|
can either be split up or it wouldn't pass individual mempool policy.
|
|
|
|
- Note that, if these mempool limits change, package limits should be reconsidered. Users may
|
|
also configure their mempool limits differently.
|
|
|
|
* Packages must be topologically sorted. (#20833)
|
|
|
|
* Packages cannot have conflicting transactions, i.e. no two transactions in a package can spend
|
|
the same inputs. Packages cannot have duplicate transactions. (#20833)
|
|
|
|
* No transaction in a package can conflict with a mempool transaction. Replace By Fee is
|
|
currently disabled for packages. (#20833)
|
|
|
|
- Package RBF may be enabled in the future.
|
|
|
|
* When packages are evaluated against ancestor/descendant limits, the union of all transactions'
|
|
descendants and ancestors is considered. (#21800)
|
|
|
|
- *Rationale*: This is essentially a "worst case" heuristic intended for packages that are
|
|
heavily connected, i.e. some transaction in the package is the ancestor or descendant of all
|
|
the other transactions.
|
|
|
|
The following rules are only enforced for packages to be submitted to the mempool (not enforced for
|
|
test accepts):
|
|
|
|
* Packages must be child-with-unconfirmed-parents packages. This also means packages must contain at
|
|
least 2 transactions. (#22674)
|
|
|
|
- *Rationale*: This allows for fee-bumping by CPFP. Allowing multiple parents makes it possible
|
|
to fee-bump a batch of transactions. Restricting packages to a defined topology is easier to
|
|
reason about and simplifies the validation logic greatly.
|
|
|
|
- Warning: Batched fee-bumping may be unsafe for some use cases. Users and application developers
|
|
should take caution if utilizing multi-parent packages.
|
|
|
|
* Transactions in the package that have the same txid as another transaction already in the mempool
|
|
will be removed from the package prior to submission ("deduplication").
|
|
|
|
- *Rationale*: Node operators are free to set their mempool policies however they please, nodes
|
|
may receive transactions in different orders, and malicious counterparties may try to take
|
|
advantage of policy differences to pin or delay propagation of transactions. As such, it's
|
|
possible for some package transaction(s) to already be in the mempool, and there is no need to
|
|
repeat validation for those transactions or double-count them in fees.
|
|
|
|
- *Rationale*: We want to prevent potential censorship vectors. We should not reject entire
|
|
packages because we already have one of the transactions. Also, if an attacker first broadcasts
|
|
a competing package or transaction with a mutated witness, even though the two
|
|
same-txid-different-witness transactions are conflicting and cannot replace each other, the
|
|
honest package should still be considered for acceptance.
|
|
|
|
### Package Fees and Feerate
|
|
|
|
*Package Feerate* is the total modified fees (base fees + any fee delta from
|
|
`prioritisetransaction`) divided by the total virtual size of all transactions in the package.
|
|
If any transactions in the package are already in the mempool, they are not submitted again
|
|
("deduplicated") and are thus excluded from this calculation.
|
|
|
|
To meet the two feerate requirements of a mempool, i.e., the pre-configured minimum relay feerate
|
|
(`-minrelaytxfee`) and the dynamic mempool minimum feerate, the total package feerate is used instead
|
|
of the individual feerate. The individual transactions are allowed to be below the feerate
|
|
requirements if the package meets the feerate requirements. For example, the parent(s) in the
|
|
package can pay no fees but be paid for by the child.
|
|
|
|
*Rationale*: This can be thought of as "CPFP within a package," solving the issue of a parent not
|
|
meeting minimum fees on its own. This would allow contracting applications to adjust their fees at
|
|
broadcast time instead of overshooting or risking becoming stuck or pinned.
|
|
|
|
*Rationale*: It would be incorrect to use the fees of transactions that are already in the mempool, as
|
|
we do not want a transaction's fees to be double-counted.
|
|
|
|
Implementation Note: Transactions within a package are always validated individually first, and
|
|
package validation is used for the transactions that failed. Since package feerate is only
|
|
calculated using transactions that are not in the mempool, this implementation detail affects the
|
|
outcome of package validation.
|
|
|
|
*Rationale*: Packages are intended for incentive-compatible fee-bumping: transaction B is a
|
|
"legitimate" fee-bump for transaction A only if B is a descendant of A and has a *higher* feerate
|
|
than A. We want to prevent "parents pay for children" behavior; fees of parents should not help
|
|
their children, since the parents can be mined without the child. More generally, if transaction A
|
|
is not needed in order for transaction B to be mined, A's fees cannot help B. In a
|
|
child-with-parents package, simply excluding any parent transactions that meet feerate requirements
|
|
individually is sufficient to ensure this.
|
|
|
|
*Rationale*: We must not allow a low-feerate child to prevent its parent from being accepted; fees
|
|
of children should not negatively impact their parents, since they are not necessary for the parents
|
|
to be mined. More generally, if transaction B is not needed in order for transaction A to be mined,
|
|
B's fees cannot harm A. In a child-with-parents package, simply validating parents individually
|
|
first is sufficient to ensure this.
|
|
|
|
*Rationale*: As a principle, we want to avoid accidentally restricting policy in order to be
|
|
backward-compatible for users and applications that rely on p2p transaction relay. Concretely,
|
|
package validation should not prevent the acceptance of a transaction that would otherwise be
|
|
policy-valid on its own. By always accepting a transaction that passes individual validation before
|
|
trying package validation, we prevent any unintentional restriction of policy.
|