[Server] Optmization of embedded wallet and forfeit tx validation (#453)

* Cache forfeit addr at unlock

* Move forfeit txs sigs verification at round finalization

* Fixes

* Add latency logs

* Make forfeit txs sigs validation concurrent

Author: altafan

server/internal/core/application/covenant.go

@@ -5,6 +5,7 @@ import (
 	"context"
 	"encoding/hex"
 	"fmt"
+	"runtime"
 	"sync"
 	"time"
 
@@ -707,6 +708,12 @@ func (s *covenantService) finalizeRound() {
 		return
 	}
 
+	if err := s.verifyForfeitTxsSigs(forfeitTxs); err != nil {
+		changes = round.Fail(err)
+		log.WithError(err).Warn("failed to validate forfeit txs")
+		return
+	}
+
 	log.Debugf("signing round transaction %s\n", round.Id)
 
 	boardingInputs := make([]int, 0)
@@ -1218,6 +1225,52 @@ func (s *covenantService) extractVtxosScripts(vtxos []domain.Vtxo) ([]string, er
 	return scripts, nil
 }
 
+func (s *covenantService) verifyForfeitTxsSigs(txs []string) error {
+	nbWorkers := runtime.NumCPU()
+	jobs := make(chan string, len(txs))
+	errChan := make(chan error, 1)
+	wg := sync.WaitGroup{}
+	wg.Add(nbWorkers)
+
+	for i := 0; i < nbWorkers; i++ {
+		go func() {
+			defer wg.Done()
+
+			for tx := range jobs {
+				valid, txid, err := s.builder.VerifyTapscriptPartialSigs(tx)
+				if err != nil {
+					errChan <- fmt.Errorf("failed to validate forfeit tx %s: %s", txid, err)
+					return
+				}
+
+				if !valid {
+					errChan <- fmt.Errorf("invalid signature for forfeit tx %s", txid)
+					return
+				}
+			}
+		}()
+	}
+
+	for _, tx := range txs {
+		select {
+		case err := <-errChan:
+			return err
+		default:
+			jobs <- tx
+		}
+	}
+	close(jobs)
+	wg.Wait()
+
+	select {
+	case err := <-errChan:
+		return err
+	default:
+		close(errChan)
+		return nil
+	}
+}
+
 func (s *covenantService) saveEvents(
 	ctx context.Context, id string, events []domain.RoundEvent,
 ) error {

server/internal/core/application/covenantless.go

@@ -5,6 +5,7 @@ import (
 	"context"
 	"encoding/hex"
 	"fmt"
+	"runtime"
 	"strings"
 	"sync"
 	"time"
@@ -417,7 +418,7 @@ func (s *covenantlessService) SubmitRedeemTx(
 	}
 
 	// verify the tapscript signatures
-	if valid, err := s.builder.VerifyTapscriptPartialSigs(redeemTx); err != nil || !valid {
+	if valid, _, err := s.builder.VerifyTapscriptPartialSigs(redeemTx); err != nil || !valid {
 		return "", "", fmt.Errorf("invalid tx signature: %s", err)
 	}
 
@@ -1401,6 +1402,12 @@ func (s *covenantlessService) finalizeRound(notes []note.Note) {
 		return
 	}
 
+	if err := s.verifyForfeitTxsSigs(forfeitTxs); err != nil {
+		changes = round.Fail(err)
+		log.WithError(err).Warn("failed to validate forfeit txs")
+		return
+	}
+
 	log.Debugf("signing round transaction %s\n", round.Id)
 
 	boardingInputsIndexes := make([]int, 0)
@@ -1939,6 +1946,52 @@ func (s *covenantlessService) markAsRedeemed(ctx context.Context, vtxo domain.Vt
 	return nil
 }
 
+func (s *covenantlessService) verifyForfeitTxsSigs(txs []string) error {
+	nbWorkers := runtime.NumCPU()
+	jobs := make(chan string, len(txs))
+	errChan := make(chan error, 1)
+	wg := sync.WaitGroup{}
+	wg.Add(nbWorkers)
+
+	for i := 0; i < nbWorkers; i++ {
+		go func() {
+			defer wg.Done()
+
+			for tx := range jobs {
+				valid, txid, err := s.builder.VerifyTapscriptPartialSigs(tx)
+				if err != nil {
+					errChan <- fmt.Errorf("failed to validate forfeit tx %s: %s", txid, err)
+					return
+				}
+
+				if !valid {
+					errChan <- fmt.Errorf("invalid signature for forfeit tx %s", txid)
+					return
+				}
+			}
+		}()
+	}
+
+	for _, tx := range txs {
+		select {
+		case err := <-errChan:
+			return err
+		default:
+			jobs <- tx
+		}
+	}
+	close(jobs)
+	wg.Wait()
+
+	select {
+	case err := <-errChan:
+		return err
+	default:
+		close(errChan)
+		return nil
+	}
+}
+
 func findForfeitTxBitcoin(
 	forfeits []string, connectorTxid string, connectorVout uint32, vtxo domain.VtxoKey,
 ) (string, error) {

server/internal/core/ports/tx_builder.go

@@ -52,7 +52,7 @@ type TxBuilder interface {
 	BuildSweepTx(inputs []SweepInput) (signedSweepTx string, err error)
 	GetSweepInput(node tree.Node) (vtxoTreeExpiry *common.RelativeLocktime, sweepInput SweepInput, err error)
 	FinalizeAndExtract(tx string) (txhex string, err error)
-	VerifyTapscriptPartialSigs(tx string) (valid bool, err error)
+	VerifyTapscriptPartialSigs(tx string) (valid bool, txid string, err error)
 	// FindLeaves returns all the leaves txs that are reachable from the given outpoint
 	FindLeaves(vtxoTree tree.VtxoTree, fromtxid string, vout uint32) (leaves []tree.Node, err error)
 	VerifyAndCombinePartialTx(dest string, src string) (string, error)

server/internal/infrastructure/tx-builder/covenant/builder.go

@@ -125,14 +125,6 @@ func (b *txBuilder) VerifyForfeitTxs(vtxos []domain.Vtxo, connectors []string, f
 			return nil, fmt.Errorf("invalid forfeit tx, expect 2 inputs, got %d", len(pset.Inputs))
 		}
 
-		valid, err := b.verifyTapscriptPartialSigs(pset)
-		if err != nil {
-			return nil, err
-		}
-		if !valid {
-			return nil, fmt.Errorf("invalid forfeit tx signature")
-		}
-
 		vtxoInput := pset.Inputs[1]
 
 		vtxoKey := domain.VtxoKey{
@@ -512,38 +504,38 @@ func (b *txBuilder) GetSweepInput(node tree.Node) (vtxoTreeExpiry *common.Relati
 
 	return vtxoTreeExpiry, sweepInput, nil
 }
-func (b *txBuilder) VerifyTapscriptPartialSigs(tx string) (bool, error) {
+func (b *txBuilder) VerifyTapscriptPartialSigs(tx string) (bool, string, error) {
 	pset, err := psetv2.NewPsetFromBase64(tx)
 	if err != nil {
-		return false, err
+		return false, "", err
 	}
 
 	return b.verifyTapscriptPartialSigs(pset)
 }
 
-func (b *txBuilder) verifyTapscriptPartialSigs(pset *psetv2.Pset) (bool, error) {
+func (b *txBuilder) verifyTapscriptPartialSigs(pset *psetv2.Pset) (bool, string, error) {
 	utx, _ := pset.UnsignedTx()
 	txid := utx.TxHash().String()
 
 	serverPubkey, err := b.wallet.GetPubkey(context.Background())
 	if err != nil {
-		return false, err
+		return false, "", err
 	}
 
 	for index, input := range pset.Inputs {
 		if len(input.TapLeafScript) == 0 {
 			continue
 		}
 		if input.WitnessUtxo == nil {
-			return false, fmt.Errorf("missing witness utxo for input %d, cannot verify signature", index)
+			return false, txid, fmt.Errorf("missing prevout for input %d", index)
 		}
 
 		// verify taproot leaf script
 		tapLeaf := input.TapLeafScript[0]
 
 		closure, err := tree.DecodeClosure(tapLeaf.Script)
 		if err != nil {
-			return false, err
+			return false, txid, err
 		}
 
 		keys := make(map[string]bool)
@@ -564,16 +556,16 @@ func (b *txBuilder) verifyTapscriptPartialSigs(pset *psetv2.Pset) (bool, error)
 		case *tree.ConditionMultisigClosure:
 			witness, err := tree.GetConditionWitness(input)
 			if err != nil {
-				return false, err
+				return false, txid, err
 			}
 
 			result, err := tree.ExecuteBoolScript(c.Condition, witness)
 			if err != nil {
-				return false, err
+				return false, txid, err
 			}
 
 			if !result {
-				return false, fmt.Errorf("condition not met for input %d", index)
+				return false, txid, fmt.Errorf("condition not met for input %d", index)
 			}
 
 			for _, key := range c.PubKeys {
@@ -589,11 +581,11 @@ func (b *txBuilder) verifyTapscriptPartialSigs(pset *psetv2.Pset) (bool, error)
 
 		pkscript, err := common.P2TRScript(tapKeyFromControlBlock)
 		if err != nil {
-			return false, err
+			return false, txid, err
 		}
 
 		if !bytes.Equal(pkscript, input.WitnessUtxo.Script) {
-			return false, fmt.Errorf("invalid control block for input %d", index)
+			return false, txid, fmt.Errorf("invalid control block for input %d", index)
 		}
 
 		leafHash := taproot.NewBaseTapElementsLeaf(tapLeaf.Script).TapHash()
@@ -604,22 +596,22 @@ func (b *txBuilder) verifyTapscriptPartialSigs(pset *psetv2.Pset) (bool, error)
 			&leafHash,
 		)
 		if err != nil {
-			return false, err
+			return false, txid, err
 		}
 
 		for _, tapScriptSig := range input.TapScriptSig {
 			sig, err := schnorr.ParseSignature(tapScriptSig.Signature)
 			if err != nil {
-				return false, err
+				return false, txid, err
 			}
 
 			pubkey, err := schnorr.ParsePubKey(tapScriptSig.PubKey)
 			if err != nil {
-				return false, err
+				return false, txid, err
 			}
 
 			if !sig.Verify(preimage, pubkey) {
-				return false, fmt.Errorf("invalid signature for tx %s", txid)
+				return false, txid, nil
 			}
 
 			keys[hex.EncodeToString(schnorr.SerializePubKey(pubkey))] = true
@@ -633,11 +625,11 @@ func (b *txBuilder) verifyTapscriptPartialSigs(pset *psetv2.Pset) (bool, error)
 		}
 
 		if missingSigs > 0 {
-			return false, fmt.Errorf("missing %d signatures", missingSigs)
+			return false, txid, fmt.Errorf("missing %d signatures", missingSigs)
 		}
 	}
 
-	return true, nil
+	return true, txid, nil
 }
 
 func (b *txBuilder) FinalizeAndExtract(tx string) (string, error) {