This commit adds optional cooperative musig2 sweep by calling the server
to create a partial signature for the sweep if we'd otherwise be allowed
to spend the htlc. If the cooperative musig2 spend fails, we always fall
back to using the scriptpath spend.

Taproot spends require a different sighash, so we update our HtlcScript
interface to provide the appropriate sighash when sweeping. We also add
distinct Timeout/Success Script functions to allow for tapleaf spends
which have different locking scripts for different paths. Note that the
timeout and success paths will be the same for segwit v0 htlcs, because
it has a single branched script containing all spend paths.

In future iterations, this differentiation of claim scripts can also
be used to use musig2 to collaboratively keyspend P2TR htlcs with the
server. This script can be expressed as PriorityScript (because we'll
try to keyspend as a priority, and then fall back to a tap leaf spend).
As we've done here, segwit v0 spends would just return their single
script for PriorityScript, and the claim would be no different from
our other claims.

Use of the Script() function is problematic when we introduce taproot
because our script will vary depending on whether we use keyspend or a
tapleaf spend path (and on the tapleaf spent). This has not previously
been a problem for segwitv0 scripts, because they contain all of the
logical branches for each of our spend conditions in a single script.

This commit prepares for removal of the Script() function by moving
our address/pkScript/sigScript generation (which need Script()) into
each script's implementation of the HtlcScript interface so that
they have access to the script directly.

In this commit we add the version 3 htlc, which is implemented with
taproot script spending the two payment paths: the claim path case, and
the timeout case.

This commit fixes a possible exploit by the loop server, where, in a
loop out, the server could claim money off-chain without publishing an
on-chain swap htlc.
The server could do this by responding with a regular invoice, whose hash
is different than the hash in the NewLoopOutSwap request. To prevent
the exploit, we validate that the hash of the swap invoice is equal to the
hash the client generated.
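
The check described in the commit message above, sketched as an added Go example (not code from the loop repository): before paying, the client reads the payment hash out of the BOLT11 swap invoice and refuses to proceed unless it equals the hash it generated. The names invoicePaymentHash and validateSwapInvoice and the sample invoice are assumptions made for illustration; bech32 checksum and signature verification are assumed to be handled by a full invoice decoder and are not shown.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"math/big"
	"strings"
)

// invoicePaymentHash (hypothetical helper) reads the 'p' field of a BOLT11 invoice.
// Assumption: checksum and signature verification are left to a full decoder.
func invoicePaymentHash(invoice string) (hash [32]byte, err error) {
	const charset = "qpzry9x8gf2tvdw0s3jn54khce6mua7l" // bech32 alphabet
	sep := strings.LastIndex(invoice, "1")
	data := strings.ToLower(invoice[sep+1:])
	if sep < 1 || len(data) < 7+104+6 || strings.Trim(data, charset) != "" {
		return hash, fmt.Errorf("malformed invoice")
	}
	var f []int // data part as 5-bit words
	for _, c := range data {
		f = append(f, strings.IndexRune(charset, c))
	}
	end, n := len(f)-110, 0 // fields end before signature (104) and checksum (6)
	for i := 7; i+3 <= end; i += 3 + n { // start after the 7-word timestamp
		n = f[i+1]<<5 | f[i+2]
		if f[i] == 1 && n == 52 && i+55 <= end { // tag 'p': 256 bits + 4 pad bits
			v := new(big.Int)
			for _, w := range f[i+3 : i+55] {
				v.Lsh(v, 5).Or(v, big.NewInt(int64(w)))
			}
			v.Rsh(v, 4).FillBytes(hash[:])
			return hash, nil
		}
	}
	return hash, fmt.Errorf("invoice carries no payment hash")
}

// validateSwapInvoice rejects an invoice that does not commit to the client's hash.
func validateSwapInvoice(swapHash [32]byte, swapInvoice string) error {
	invHash, err := invoicePaymentHash(swapInvoice)
	if err == nil && invHash != swapHash {
		err = fmt.Errorf("invoice hash %x != swap hash %x", invHash, swapHash)
	}
	return err
}

func main() { // constructed invoice: hash 0001..0102, filler signature and checksum
	inv := "lnbc1pvjluezpp5qqqsyqcyq5rqwzqfqqqsyqcyq5rqwzqfqqqsyqcyq5rqwzqfqypq" + strings.Repeat("q", 110)
	fmt.Println(validateSwapInvoice(sha256.Sum256([]byte("client preimage")), inv))
}
```

The run prints the mismatch error, because the constructed invoice commits to a hash other than the one derived from the client's preimage.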

This commit fixes the generation of the htlc address. This bug didn't
affect the swap execution, because the htlc address is only used for
display to the user/caller.