[feature]: sweep: eliminate change address reuse #8753

Open
morehouse opened this issue May 14, 2024 · 2 comments
Labels
enhancement Improvements to existing features / behaviour P2 should be fixed if one has time privacy General label for issues/PRs related to the privacy implications of using the software utxo sweeping


@morehouse
Collaborator

When the sweeper generates multiple input sets for sweeping in a single block, it uses the same change address for all of them.

lnd/sweep/sweeper.go

Lines 796 to 817 in 9d358bc

```go
func (s *UtxoSweeper) sweep(set InputSet) error {
	// Generate an output script if there isn't an unused script available.
	if s.currentOutputScript == nil {
		pkScript, err := s.cfg.GenSweepScript()
		if err != nil {
			return fmt.Errorf("gen sweep script: %w", err)
		}

		s.currentOutputScript = pkScript
	}

	// Create a fee bump request and ask the publisher to broadcast it. The
	// publisher will then take over and start monitoring the tx for
	// potential fee bump.
	req := &BumpRequest{
		Inputs:          set.Inputs(),
		Budget:          set.Budget(),
		DeadlineHeight:  set.DeadlineHeight(),
		DeliveryAddress: s.currentOutputScript,
		MaxFeeRate:      s.cfg.MaxFeeRate.FeePerKWeight(),
		StartingFeeRate: set.StartingFeeRate(),
		// TODO(yy): pass the strategy here.
	}
```

The change address is not updated until after the current wave of sweeps has been executed and one of the transactions has been successfully published.

lnd/sweep/sweeper.go

Lines 1686 to 1707 in 9d358bc

```go
func (s *UtxoSweeper) handleBumpEventTxPublished(r *BumpResult) error {
	tx := r.Tx
	tr := &TxRecord{
		Txid:    tx.TxHash(),
		FeeRate: uint64(r.FeeRate),
		Fee:     uint64(r.Fee),
	}

	// Inputs have been successfully published so we update their
	// states.
	err := s.markInputsPublished(tr, tx.TxIn)
	if err != nil {
		return err
	}

	log.Debugf("Published sweep tx %v, num_inputs=%v, height=%v",
		tx.TxHash(), len(tx.TxIn), s.currentHeight)

	// If there's no error, remove the output script. Otherwise
	// keep it so that it can be reused for the next transaction
	// and causes no address inflation.
	s.currentOutputScript = nil
```

For better privacy, each transaction should get a unique change address.

@morehouse morehouse added enhancement Improvements to existing features / behaviour privacy General label for issues/PRs related to the privacy implications of using the software utxo sweeping labels May 14, 2024
@Roasbeef
Member

The trade off here is "address inflation" (which is why we cache the address in the first place). If each attempt got a new change address, then we'll quickly start to exceed the default "look ahead" distance for address rescans, which can make it difficult for users to recover from seed (need to set a distance of 10k, etc).

@morehouse
Collaborator Author

Address inflation is nice to avoid, but note that the current code does not prevent it entirely. It can still happen when BumpFee is used, or if a counterparty's competing transaction confirms instead of ours.

We can limit the amount of address inflation while eliminating reuse by:

  • ensuring that exclusive group inputs share the same change output
  • caching change outputs for in-flight transactions until we get a Failed or Swept event. If we get a Failed event, we can reuse that change output.

@saubyk saubyk added the P2 should be fixed if one has time label May 27, 2024
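
A sketch of the pooling scheme proposed in the last comment, as an added example that is not lnd code and not part of the thread. `scriptPool`, `newScriptPool`, `acquire`, `release` and the slot keys are hypothetical names, `gen` stands in for `GenSweepScript`, and the caller is assumed to key an exclusive group by one slot and to release each slot once, on its terminal event.

```go
package main

import "fmt"

// scriptPool (hypothetical, not lnd's API): slot = exclusive group or input set.
type scriptPool struct {
	gen      func() ([]byte, error) // stand-in for cfg.GenSweepScript
	free     [][]byte               // scripts handed back by failed sweeps
	inFlight map[string][]byte      // slot -> change script currently in use
}

func newScriptPool(gen func() ([]byte, error)) *scriptPool {
	return &scriptPool{gen: gen, inFlight: map[string][]byte{}}
}

// acquire is idempotent per slot, so an exclusive group shares one script.
func (p *scriptPool) acquire(slot string) ([]byte, error) {
	if s, ok := p.inFlight[slot]; ok {
		return s, nil
	}
	var s []byte
	if n := len(p.free); n > 0 {
		s, p.free = p.free[n-1], p.free[:n-1] // recycle before deriving anew
	} else {
		var err error
		if s, err = p.gen(); err != nil {
			return nil, fmt.Errorf("gen sweep script: %w", err)
		}
	}
	p.inFlight[slot] = s
	return s, nil
}

// release handles a terminal event: Swept retires the script, Failed frees it.
func (p *scriptPool) release(slot string, swept bool) {
	if s, ok := p.inFlight[slot]; ok && !swept {
		p.free = append(p.free, s)
	}
	delete(p.inFlight, slot)
}

func main() {
	n := 0 // constructed generator of fake one-byte scripts
	p := newScriptPool(func() ([]byte, error) { n++; return []byte{byte(n)}, nil })
	a, _ := p.acquire("set-1")
	p.release("set-1", false) // Failed event
	b, _ := p.acquire("set-2")
	fmt.Printf("%x %x\n", a, b)
}
```

With this shape the number of derived addresses grows with the number of sweeps that actually confirm plus the peak number in flight, rather than with every attempt.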