Skip to content

Throttle LSPS5 lifecycle cooldown resets#4668

Open
tnull wants to merge 1 commit into
lightningdevkit:mainfrom
tnull:2026-06-lsps5-webhook-cooldown
Open

Throttle LSPS5 lifecycle cooldown resets#4668
tnull wants to merge 1 commit into
lightningdevkit:mainfrom
tnull:2026-06-lsps5-webhook-cooldown

Conversation

@tnull

@tnull tnull commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

LSPS5 resets notification cooldowns when a peer reconnects so clients can receive prompt wake-ups after coming online. A peer can otherwise churn connections to clear the webhook cooldown repeatedly, turning the LSP into an amplification source for registered notification URLs.

Rate-limit how often peer lifecycle events may clear notification cooldowns while keeping the first reset immediate. Also make LSPSDateTime elapsed-time calculation directional so backwards clock movement does not make future timestamps look expired.

Co-Authored-By: HAL 9000

This finding was discovered by Project Loupe

@tnull
Throttle LSPS5 lifecycle cooldown resets
c6099a8 
LSPS5 resets notification cooldowns when a peer reconnects so clients
can receive prompt wake-ups after coming online. A peer can otherwise
churn connections to clear the webhook cooldown repeatedly, turning the
LSP into an amplification source for registered notification URLs.

Rate-limit how often peer lifecycle events may clear notification
cooldowns while keeping the first reset immediate. Also make
LSPSDateTime elapsed-time calculation directional so backwards clock
movement does not make future timestamps look expired.

Co-Authored-By: HAL 9000

This finding was discovered by Project Loupe
@ldk-reviews-bot

ldk-reviews-bot commented Jun 10, 2026
edited
Loading

Copy link
Copy Markdown

I've assigned @wpaulino as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

ldk-claude-review-bot
ldk-claude-review-bot reviewed Jun 10, 2026
View reviewed changes
Comment thread lightning-liquidity/src/lsps5/service.rs
/// This is distinct from [`NOTIFICATION_COOLDOWN_TIME`]: that cooldown protects the client from
/// repeated spammy wake-ups, while this reset throttle protects registered notification URLs from
/// amplification via rapid peer connect/disconnect churn.
const NOTIFICATION_COOLDOWN_RESET_INTERVAL: Duration = Duration::from_secs(10);

@ldk-claude-review-bot ldk-claude-review-bot Jun 10, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Design consideration: the reset throttle (10s) is much shorter than NOTIFICATION_COOLDOWN_TIME (60s). Since each allowed reset clears last_notification_sent and lets a fresh notification through, an attacker churning connections can still force a webhook POST roughly every 10s instead of the 60s the cooldown otherwise enforces — i.e. ~6x amplification per registered URL remains possible. If the goal is to bound amplification to the cooldown, consider setting this interval to (or deriving it from) NOTIFICATION_COOLDOWN_TIME, or otherwise document why 10s is the intended floor.

@ldk-claude-review-bot

ldk-claude-review-bot commented Jun 10, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

I've re-reviewed the full diff and verified all duration_since call sites use the directional now.duration_since(&past) form (lsps5/service.rs:358, 620, 825, 841; lsps1/service.rs), so the directional change is safe. The throttle logic, TLV serialization, and both unit and integration tests trace correctly.

No new issues found beyond my prior review.

For reference, my previously posted findings still stand:

  • lightning-liquidity/src/lsps5/service.rs:93 — Design consideration: the 10s reset throttle is much shorter than the 60s NOTIFICATION_COOLDOWN_TIME, leaving ~6x residual webhook-POST amplification per registered URL via reconnect churn.
  • Cross-cutting: last_notification_cooldown_reset is non-persisted ((static_value, None)), dropping throttle state on restart — acceptable given the in-memory PeerState lifecycle, but it is security-relevant state.
  • Cross-cutting: peer_disconnected also consumes the throttle budget with no client-facing benefit (peer is offline), but this is not a functional bug.

@ldk-reviews-bot ldk-reviews-bot requested a review from wpaulino June 10, 2026 10:43
@tnull tnull self-assigned this Jun 11, 2026
@tnull tnull moved this to Goal: Merge in Weekly Goals Jun 11, 2026
@TheBlueMatt

TheBlueMatt commented Jun 11, 2026

Copy link
Copy Markdown
Collaborator

Please word-wrap your commit messages.

@tnull tnull force-pushed the 2026-06-lsps5-webhook-cooldown branch from 3bce88f to c6099a8 Compare June 11, 2026 16:43
@tnull

tnull commented Jun 11, 2026

Copy link
Copy Markdown
Contributor Author

Updated to line-wrap commit messages.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wpaulino wpaulino Awaiting requested review from wpaulino

1 more reviewer

@ldk-claude-review-bot ldk-claude-review-bot ldk-claude-review-bot left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

@tnull tnull

Labels

None yet

Projects

Weekly Goals
Status: Goal: Merge

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tnull @ldk-reviews-bot @ldk-claude-review-bot @TheBlueMatt