Merge pull request #1796 from lightninglabs/wip/supplyverify/disable-output-watch

Roasbeef · web-flow · commit cbf1dff264de · 2025-09-12T18:41:42.000-07:00
tapd: add universe.disable-supply-verifier-chain-watch config flag
diff --git a/docs/release-notes/release-notes-0.7.0.md b/docs/release-notes/release-notes-0.7.0.md
@@ -74,6 +74,7 @@
    - https://github.com/lightninglabs/taproot-assets/pull/1674
    - https://github.com/lightninglabs/taproot-assets/pull/1784
    - https://github.com/lightninglabs/taproot-assets/pull/1777
+   - https://github.com/lightninglabs/taproot-assets/pull/1796
 
 - A new [address version 2 was introduced that supports grouped assets and
   custom (sender-defined)
diff --git a/itest/tapd_harness.go b/itest/tapd_harness.go
@@ -138,6 +138,13 @@ type harnessOpts struct {
 	// sendPriceHint indicates whether the tapd should send price hints from
 	// the local oracle to the counterparty when requesting a quote.
 	sendPriceHint bool
+
+	// disableSupplyVerifierChainWatch when true prevents the supply
+	// verifier from starting state machines to watch on-chain outputs for
+	// spends. This option is intended for universe servers, where supply
+	// verification should only occur for commitments submitted by peers,
+	// not via on-chain spend detection.
+	disableSupplyVerifierChainWatch bool
 }
 
 type harnessOption func(*harnessOpts)
@@ -154,6 +161,16 @@ func withOracleAddress(addr string) harnessOption {
 	}
 }
 
+// withDisableSupplyVerifierChainWatch is a functional option that disables
+// the supply verifier chain watch functionality. This is intended for universe
+// servers where supply verification should only occur for commitments submitted
+// by peers, not via on-chain spend detection.
+func withDisableSupplyVerifierChainWatch() harnessOption {
+	return func(ho *harnessOpts) {
+		ho.disableSupplyVerifierChainWatch = true
+	}
+}
+
 // newTapdHarness creates a new tapd server harness with the given
 // configuration.
 func newTapdHarness(t *testing.T, ht *harnessTest, cfg tapdConfig,
@@ -234,6 +251,11 @@ func newTapdHarness(t *testing.T, ht *harnessTest, cfg tapdConfig,
 	// was not set, this will be false, which is the default.
 	tapCfg.AddrBook.DisableSyncer = opts.addrAssetSyncerDisable
 
+	// Pass through the supply verifier chain watch disable flag. If the option
+	// was not set, this will be false, which is the default.
+	// nolint: lll
+	tapCfg.Universe.DisableSupplyVerifierChainWatch = opts.disableSupplyVerifierChainWatch
+
 	switch {
 	case len(opts.oracleServerAddress) > 0:
 		tapCfg.Experimental.Rfq.PriceOracleAddress =
diff --git a/itest/universe_server_harness.go b/itest/universe_server_harness.go
@@ -23,10 +23,12 @@ type universeServerHarness struct {
 func newUniverseServerHarness(t *testing.T, ht *harnessTest,
 	lndHarness *node.HarnessNode) *universeServerHarness {
 
-	service, err := newTapdHarness(t, ht, tapdConfig{
-		NetParams: harnessNetParams,
-		LndNode:   lndHarness,
-	})
+	service, err := newTapdHarness(
+		t, ht, tapdConfig{
+			NetParams: harnessNetParams,
+			LndNode:   lndHarness,
+		}, withDisableSupplyVerifierChainWatch(),
+	)
 	require.NoError(t, err)
 
 	return &universeServerHarness{
diff --git a/sample-tapd.conf b/sample-tapd.conf
@@ -379,6 +379,13 @@
 ; LRU cache.
 ; universe.supply-ignore-cache-size=10000
 
+; Disable chain outpoint watching in supply verifier. If true, the supply
+; verifier will not start state machines to watch on-chain outputs for spends.
+; This option is intended for universe servers, where supply verification should
+; only occur for commitments submitted by peers, not via on-chain spend
+; detection.
+; universe.disable-supply-verifier-chain-watch=false
+
 [multiverse-caches]
 
 ; The number of proofs that are cached per universe. (default: 5)
diff --git a/tapcfg/config.go b/tapcfg/config.go
@@ -304,6 +304,8 @@ type UniverseConfig struct {
 	MultiverseCaches *tapdb.MultiverseCacheConfig `group:"multiverse-caches" namespace:"multiverse-caches"`
 
 	SupplyIgnoreCacheSize uint64 `long:"supply-ignore-cache-size" description:"The maximum number of entries in the supply ignore checker's negative lookup LRU cache."`
+
+	DisableSupplyVerifierChainWatch bool `long:"disable-supply-verifier-chain-watch" description:"Disable chain outpoint watching in supply verifier. If true, the supply verifier will not start state machines to watch on-chain outputs for spends. This option is intended for universe servers, where supply verification should only occur for commitments submitted by peers, not via on-chain spend detection."`
 }
 
 // AddrBookConfig is the config that houses any address Book related config
@@ -467,8 +469,9 @@ func DefaultConfig() Config {
 			MultiverseCaches: fn.Ptr(
 				tapdb.DefaultMultiverseCacheConfig(),
 			),
-			MboxAuthTimeout:       defaultMailboxAuthTimeout,
-			SupplyIgnoreCacheSize: tapdb.DefaultNegativeLookupCacheSize,
+			MboxAuthTimeout:                 defaultMailboxAuthTimeout,
+			SupplyIgnoreCacheSize:           tapdb.DefaultNegativeLookupCacheSize,
+			DisableSupplyVerifierChainWatch: false,
 		},
 		AddrBook: &AddrBookConfig{
 			DisableSyncer: false,
diff --git a/tapcfg/server.go b/tapcfg/server.go
@@ -549,6 +549,8 @@ func genServerConfig(cfg *Config, cfgLogger btclog.Logger,
 
 	// Set up the supply verifier, which validates supply commitment leaves
 	// published by asset issuers.
+	//
+	// nolint: lll
 	supplyVerifyManager, err := supplyverifier.NewManager(
 		supplyverifier.ManagerCfg{
 			Chain:                 chainBridge,
@@ -560,6 +562,7 @@ func genServerConfig(cfg *Config, cfgLogger btclog.Logger,
 			GroupFetcher:          assetMintingStore,
 			IssuanceSubscriptions: universeSyncer,
 			DaemonAdapters:        lndFsmDaemonAdapters,
+			DisableChainWatch:     cfg.Universe.DisableSupplyVerifierChainWatch,
 		},
 	)
 	if err != nil {
diff --git a/universe/supplyverifier/manager.go b/universe/supplyverifier/manager.go
@@ -94,6 +94,13 @@ type ManagerCfg struct {
 
 	// ErrChan is the channel that is used to send errors to the caller.
 	ErrChan chan<- error
+
+	// DisableChainWatch, when true, prevents the supply verifier from
+	// starting state machines to watch on-chain outputs for spends. This
+	// option is intended for universe servers, where supply verification
+	// should only occur for commitments submitted by peers, not via
+	// on-chain spend detection.
+	DisableChainWatch bool
 }
 
 // Validate validates the ManagerCfg.
@@ -227,9 +234,19 @@ func (m *Manager) Start() error {
 	m.startOnce.Do(func() {
 		log.Infof("Starting supply verifier manager")
 
-		// Initialize the state machine cache.
+		// Initialize the state machine cache unconditionally to prevent
+		// potential nil pointer dereferences, even if it ends up
+		// unused.
 		m.smCache = newStateMachineCache()
 
+		// If chain watching is disabled, return early. We won't start
+		// any state machines in this mode.
+		if m.cfg.DisableChainWatch {
+			log.Infof("Supply verifier chain watch disabled, " +
+				"skip state machine initialization")
+			return
+		}
+
 		// Initialize state machines for each asset group that supports
 		// supply commitments.
 		err := m.InitStateMachines()
@@ -400,10 +417,18 @@ func (m *Manager) Stop() error {
 }
 
 // startAssetSM creates and starts a new supply commitment state machine for the
-// given asset specifier.
+// given asset specifier. If DisableChainWatch is true, an error is returned.
 func (m *Manager) startAssetSM(ctx context.Context,
 	assetSpec asset.Specifier) (*StateMachine, error) {
 
+	// If chain watching is disabled, return an error.
+	if m.cfg.DisableChainWatch {
+		log.Debugf("Supply verifier chain watch disabled, not "+
+			"starting state machine (asset=%s)", assetSpec.String())
+		return nil, fmt.Errorf("supply verifier chain watch is " +
+			"disabled")
+	}
+
 	log.Infof("Starting supply verifier state machine (asset=%s)",
 		assetSpec.String())
 
@@ -455,10 +480,18 @@ func (m *Manager) startAssetSM(ctx context.Context,
 
 // fetchStateMachine retrieves a state machine from the cache or creates a
 // new one if it doesn't exist. If a new state machine is created, it is also
-// started.
+// started. If DisableChainWatch is true, an error is returned.
 func (m *Manager) fetchStateMachine(assetSpec asset.Specifier) (*StateMachine,
 	error) {
 
+	// If chain watching is disabled, return an error.
+	if m.cfg.DisableChainWatch {
+		log.Debugf("Supply verifier chain watch disabled, not "+
+			"fetching state machine (asset=%s)", assetSpec.String())
+		return nil, fmt.Errorf("supply verifier chain watch is " +
+			"disabled")
+	}
+
 	groupKey, err := assetSpec.UnwrapGroupKeyOrErr()
 	if err != nil {
 		return nil, fmt.Errorf("asset specifier missing group key: %w",
@@ -894,6 +927,10 @@ func newStateMachineCache() *stateMachineCache {
 
 // StopAll stops all state machines in the cache.
 func (c *stateMachineCache) StopAll() {
+	if c == nil {
+		return
+	}
+
 	c.mu.RLock()
 	defer c.mu.RUnlock()
 
