Skip to content

feat(boltz): Boltz submarine & reverse swaps#116

Open
coreyphillips wants to merge 14 commits into
masterfrom
feat/boltz-swaps-deterministic-keys
Open

feat(boltz): Boltz submarine & reverse swaps#116
coreyphillips wants to merge 14 commits into
masterfrom
feat/boltz-swaps-deterministic-keys

Conversation

@coreyphillips

Copy link
Copy Markdown
Collaborator

Summary

Adds a boltz module integrating Boltz submarine (onchain → Lightning) and reverse (Lightning → onchain) swaps behind the UniFFI surface, for iOS/Android/Python.

The dangerous cryptography (MuSig2 Taproot cooperative signing, swap scripts, claim/refund tx construction) is delegated to the boltz-client crate. This module adds deterministic key management, SQLite persistence, lifecycle tracking, automatic claiming, and the FFI surface.

Key design decision: deterministic keys, no stored secrets

Swap keys and reverse-swap preimages are derived from the wallet seed via Boltz's BIP85 scheme (SwapMasterKey/derive_swapkey, Preimage::from_swap_key) — never random, never persisted. boltz.db stores only a monotonic per-swap derivation index.

Consequences:

  • A leaked database cannot move funds (it holds no key material).
  • Swaps are recoverable two ways: same-device (index + in-memory seed), or seed-only via Boltz's rescue API if boltz.db is lost.
  • The wallet mnemonic (+ optional BIP39 passphrase) now flows through the create/claim/refund/start-updates FFI calls. The background updates stream holds the mnemonic in memory only for its lifetime (dropped on stop) to auto-claim. The passphrase must match the wallet's, or derived keys won't control the funds.

Reviewers: please confirm threading the seed through these entry points fits Bitkit's key-handling conventions on the Swift/Kotlin side.

What's included

  • Submarine create/refund and reverse create/claim, with cooperative key-path → script-path fallback.
  • Managed WebSocket updates stream; auto-claims reverse swaps on transaction.confirmed (not mempool, to avoid revealing the preimage against an unconfirmed lockup).
  • Atomic, collision-free swap-index reservation; PRAGMA user_version migration anchor; input validation on create.
  • Idempotent claim/refund — returns the recorded txid without re-broadcasting.
  • Typed lifecycle status with forward-compatible Unknown { raw }; recovery/listing APIs.
  • Only one updates stream (one network) runs at a time — documented.

Testing

cargo build, all 9 boltz unit tests, clippy, and fmt are clean. Tests cover status mapping, DB round-trip/recovery, monotonic index reservation, and deterministic derivation. An ignored live E2E test creates a real reverse swap and cryptographically validates the locally-derived redeem script + invoice against Boltz's response (no broadcast).

Known follow-up: the claim/refund broadcast paths are not yet covered by an automated test — they need a regtest Boltz + Electrum stack. Recommended as a follow-up.

Integrate Boltz submarine (onchain -> Lightning) and reverse
(Lightning -> onchain) swaps behind the UniFFI surface.

Swap keys and reverse-swap preimages are derived deterministically from
the wallet seed via Boltz's BIP85 scheme (SwapMasterKey/derive_swapkey,
Preimage::from_swap_key). No key material is persisted: boltz.db stores
only a monotonic per-swap derivation index, so a leaked database cannot
move funds and swaps are recoverable from the seed alone (or via Boltz's
rescue API if boltz.db is lost).

- Submarine create/refund and reverse create/claim, with cooperative
  key-path then script-path fallback (delegated to boltz-client).
- Managed WebSocket updates stream that auto-claims confirmed reverse
  swaps; mnemonic held in memory only for the stream's lifetime.
- Atomic, collision-free swap-index reservation; schema user_version
  anchor; input validation on create.
- Idempotent claim/refund (returns the recorded txid without
  re-broadcasting).
- SQLite persistence, typed lifecycle status with forward-compatible
  Unknown { raw }, and recovery/listing APIs.
- Unit tests for status mapping, DB round-trip, index reservation, and
  deterministic derivation; ignored live E2E test against the Boltz API.
@coreyphillips coreyphillips changed the title feat(boltz): Boltz submarine & reverse swaps with deterministic keys feat(boltz): Boltz submarine & reverse swaps Jun 26, 2026

@ovitrif ovitrif left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reviewed the current draft, added a few considerations in scoped review comments

Comment thread src/modules/boltz/api.rs
Comment thread src/lib.rs
Comment thread src/lib.rs Outdated
Add fee_rate_sat_per_vb to boltz_start_swap_updates so the wallet provides
the fee rate used for automatic reverse-swap claims; core does no fee
estimation. The rate is threaded through AutoClaimConfig into the auto-claim
and falls back to the conservative default when None. Update the README
signature and examples accordingly.
set_claim_tx and set_refund_tx previously updated only the tx id column, so a claimed or refunded swap kept its pre-claim status (the status column is otherwise advanced only by the live updates stream). They now also set the terminal transaction.claimed / transaction.refunded status, so claimed and refunded swaps report the correct state and drop out of the pending set.
Recording a claim or refund tx id now also advances the swap to its
terminal status, so the test assertions for the pre-claim status and the
pending set were stale. Also covers set_refund_tx, which was untested.
Rebuild the swap script from our own key and check it against the address
Boltz returned, before the record is stored or the response reaches the
caller. A submarine caller is about to fund the lockup address and a
reverse caller is about to pay the invoice, so validating any later would
still let the app act on a bad response.
Reading claim_tx_id, broadcasting, then recording the txid spans several
await points, so the automatic claim from the updates stream and a manual
recovery call could both see no recorded txid and both broadcast. Route
both through guarded entry points that hold a per-swap lock across the
whole read-broadcast-record sequence and re-read the record under it, so
the second caller returns the first one's txid instead of broadcasting
again.
Adds new public API (the boltz exports), so this is a minor bump. The
iOS, Android and Python bindings now carry the boltz surface, which the
checked-in artifacts were missing.

Stop tracking the xcframework's static libraries. Linking boltz-client
grew them past GitHub's 100 MB file limit, and they only duplicate the
compressed copies inside BitkitCore.xcframework.zip, which is the archive
Package.swift downloads from the release.
@coreyphillips
coreyphillips marked this pull request as ready for review July 14, 2026 16:16
…terministic-keys

# Conflicts:
#	Cargo.lock
#	Cargo.toml
#	Package.swift
#	bindings/android/gradle.properties
#	bindings/android/lib/src/main/jniLibs/arm64-v8a/libbitkitcore.so
#	bindings/android/lib/src/main/jniLibs/armeabi-v7a/libbitkitcore.so
#	bindings/android/lib/src/main/jniLibs/x86/libbitkitcore.so
#	bindings/android/lib/src/main/jniLibs/x86_64/libbitkitcore.so
#	bindings/ios/BitkitCore.xcframework.zip
#	bindings/ios/BitkitCore.xcframework/ios-arm64-simulator/libbitkitcore.a
#	bindings/ios/BitkitCore.xcframework/ios-arm64/libbitkitcore.a
#	bindings/python/bitkitcore/libbitkitcore.dylib
#	bindings/python/setup.py
@coreyphillips

coreyphillips commented Jul 15, 2026

Copy link
Copy Markdown
Collaborator Author

Latest release for testing can be found as v0.5.1 here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants