HTLCs have a different timeout (cltv_expiry) than the regular timeout that we use for penalty transactions (to_self_delay). That is the reason why we use a separate transaction stage (HTLC success/HTLC timeout) to allow our counterparty sufficient time to exercise their right to get the entire balance of the channel in case we broadcast the previous state of the channel.
To elaborate further, when your counterparty tells you to add a HTLC, your version of the commitment transaction will have 3 outputs:
- Paying to your counterparty immediately
- Paying to self, guarded by the revocation key for
to_self_delay time
- Received HTLC output like below
# To remote node with revocation key
OP_DUP OP_HASH160 <RIPEMD160(SHA256(revocationpubkey))> OP_EQUAL
OP_IF
OP_CHECKSIG
OP_ELSE
<remote_htlcpubkey> OP_SWAP OP_SIZE 32 OP_EQUAL
OP_IF
# To local node via HTLC-success transaction.
OP_HASH160 <RIPEMD160(payment_hash)> OP_EQUALVERIFY
2 OP_SWAP <local_htlcpubkey> 2 OP_CHECKMULTISIG
OP_ELSE
# To remote node after timeout.
OP_DROP <cltv_expiry> OP_CHECKLOCKTIMEVERIFY OP_DROP
OP_CHECKSIG
OP_ENDIF
OP_ENDIF
When you supply the HTLC pre-image to your counterparty the transaction gets resolved. However, even after successful resolution of the HTLC with your counterparty, let us say you decide to cheat them by force closing the earlier state of the commitment transaction containing the HTLC. As soon as you publish this commitment transaction, you publish the HTLC success transaction that consumes the OP_IF part inside the OP_ELSE. Since the HTLC success transaction is consuming an output that is not timelocked, you are not providing enough time for your counterparty to use their right of the revocation key which is in the received HTLC output. That is the reason there is a second stage, where your spending from the offered HTLC output to yourself is locked until to_self_delay which allows your counterparty to use the revocation secret.
Now you might wonder, why the revocation exists in the commitment transaction received HTLC output if it is provided in the HTLC success/timeout transactions. Let us take the above case to explain it. You added the HTLC and signed the commitment transaction. That HTLC was settled by you providing the pre-image to your counterparty and the commitment transaction containing that HTLC was revoked. Despite that, assume you try to broadcast the previous commitment transaction containing the HTLC and refrains from publishing the HTLC success transaction. If revocation did not exist in the commitment transaction, the counterparty might not be able to get their funds back until the cltv_expiry which might extend to hundreds of blocks (couple of days) if there are a number of hops. This is cumbersome since that HTLC was already settled (especially if there are number of previously satisfied HTLCs), and the provision of revocation in the commitment transaction allows the counterparty to settle them immediately.
The revocation part is designed so that your counterparty never suffers because of the actions you decide to take to cheat them. The presence of revocation in commitment transaction and the HTLC success/HTLC timeout transaction help protect the Lightning Network participants from frauds committed their peers.
If you publish an old commitment tx with 1 received HTLC, the counterparty can enter the timeout process as specified in
cltv_expiryand then collect the money via HTLC-timeout anyway? So your point is that we don't want the counterparty to wait that long if you cheat? You don't seem to have a good reason to publish this tx though pure harm may be wanted. – yyforyongyu – 2019-10-29T10:10:13.040@yyforyongyu (1) Yes, you are correct that the counterparty can collect after the time-out process, but the local node (who is cheating) can spend it immediately using the HTLC success transaction (since it has the pre-image). (2) it is not just pure harm but you are definitely economically incentivized to publish it. You got the funds from your counterparty by providing the pre-image for the HTLC. Suppose after that you provided some funds to your counterparty for some good you bought from them. The previous state that included the HTLC is more beneficial to you so you publish that,. – Ugam Kamat – 2019-10-29T10:14:45.887
Let's say I'm the local node who is cheating. I have to spend it via a HTLC-success tx, which has a revocation inside it. Once I spend the commitment tx, I have to wait
to_self_delaytime before I can spend the HTLC-success tx, meanwhile, the counterparty can take the money via the revocation? – yyforyongyu – 2019-10-29T10:32:19.667@yyforyongyu Yes. Since you can spend the commitment transaction HTLC output immediately (for HTLC success) you will not be providing any time for your counterparty to react. As a result the
to_self_delaywithin the HTLC success output allows the counterparty to use the revocation and then spend the money. – Ugam Kamat – 2019-10-29T10:34:13.360interesting. This goes back to the original question, if the counterparty can take the money via revocation inside the HTLC-success tx, what's the point of having a revocation inside the commitment tx? – yyforyongyu – 2019-10-29T10:43:19.063
@yyforyongyu That's answered in the second last paragraph of my answer (i tried to make it more clearer). What if the cheater never publishes the HTLC success transaction? Even though that HTLC is settled, the counterparty might have to wait couple hundred blocks to get it settled (if there are number of hops). Imagine if it contained multiple such HTLCs and you have to wait for each of them to time out despite the fact that all of them have been settled. – Ugam Kamat – 2019-10-29T11:08:53.113