Timelock Recovery Extension (spesmilo#9589)

* Timelock Recovery Extension

* Timelock Recovery Extension tests

* Use fee_policy instead of fee_est

Following 3f327ee

* making tx with base_tx

Following ab14c3e

* move plugin metadata from __init__.py to manifest.json

* removing json large indentation

* timelock recovery icon

* timelock recovery plugin: fix typos

* timelock recovery plugin: use menu instead of status bar.

The status bar should be used for displaying status. For example,
hardware wallet plugins use it because their connection status is
changing and needs to be displayed.

* timelock recovery plugin: ask for password only once

* timelock recovery plugin: ask whether to create cancellation tx in the initial window

* remove unnecessary code.

(calling run_hook from a plugin does not make sense)

* show alert and cancellation address at the end.

skip unnecessary dialog

* timelock recovery plugin: do not show transactions one by one.

Set the fee policy in the first dialog, and use the same fee
policy for all tx. We could add 3 sliders to this dialog, if
different fees are needed, but I think this really isn't
really necessary.

* simplify default_wallet for tests

All the lightning-related stuff is irrelevant for
this plugin.

Also use a different destination address
for the test recovery-plan (an address
that does not belong to the same wallet).

* Fee selection should be above fee calculation

also show fee calculation result with "fee: " label.

* hide Sign and Broadcast buttons during view

* recalculate cancellation transaction

The checkbox could be clicked after the fee rate
has been set. Calling update_transactions() may seem
inefficient, but it's the simplest way to avoid such edge-cases.

Also set the context's cancellation transaction to None when the
checkbox is unset.

* use context.cancellation_tx instead of checkbox value

context.cancellation_tx will be None iff the checkbox was unset

* hide cancellation address if not used

* init monospace font correctly

* timelock recovery plugin: add input info at signing time.

Fixes trezor exception: 'Missing previous tx'

* timelock recovery: remove unused parameters

* avoid saving the tx in a separate var

fixing the assertions

* avoid caching recovery & cancellation inputs

* timelock recovery: separate help window from agreement.

move agreement at the end of the flow, rephrase it

* do not cache alert_tx_outputs

* do not crash when not enough funds

not enough funds can happen
when multiple addresses are specified
in payto_e, with an amount larger
than the wallet has - so we set
the payto_e color to red.

It can also happen when the user
selects a really high fee, but this
is not common in a "recovery"
wallet with significant funds.

* If files not saved - ask before closing

* move the checkbox above the save buttons

people read the text from top to
bottom and may not understand
why the buttons are disabled

---------

Co-authored-by: f321x <[email protected]>
Co-authored-by: ThomasV <[email protected]>

Author: 3 people

electrum/gui/qt/main_window.py

@@ -1118,8 +1118,17 @@ def show_transaction(
         *,
         external_keypairs: Mapping[bytes, bytes] = None,
         payment_identifier: PaymentIdentifier = None,
+        show_sign_button: bool = True,
+        show_broadcast_button: bool = True,
     ):
-        show_transaction(tx, parent=self, external_keypairs=external_keypairs, payment_identifier=payment_identifier)
+        show_transaction(
+            tx,
+            parent=self,
+            external_keypairs=external_keypairs,
+            payment_identifier=payment_identifier,
+            show_sign_button=show_sign_button,
+            show_broadcast_button=show_broadcast_button,
+        )
 
     def show_lightning_transaction(self, tx_item):
         from .lightning_tx_dialog import LightningTxDialog

electrum/gui/qt/transaction_dialog.py

@@ -411,6 +411,8 @@ def show_transaction(
     external_keypairs: Mapping[bytes, bytes] = None,
     payment_identifier: 'PaymentIdentifier' = None,
     on_closed: Callable[[], None] = None,
+    show_sign_button: bool = True,
+    show_broadcast_button: bool = True,
 ):
     try:
         d = TxDialog(
@@ -421,6 +423,10 @@ def show_transaction(
             payment_identifier=payment_identifier,
             on_closed=on_closed,
         )
+        if not show_sign_button:
+            d.sign_button.setVisible(False)
+        if not show_broadcast_button:
+            d.broadcast_button.setVisible(False)
     except SerializationError as e:
         _logger.exception('unable to deserialize the transaction')
         parent.show_critical(_("Electrum was unable to deserialize the transaction:") + "\n" + str(e))

electrum/plugins/timelock_recovery/__init__.py

@@ -0,0 +1,72 @@
+Timelock Recovery is a mechanism which, in case of a catastrophic event
+(death or loss of your master key), can send your Bitcoin to a secondary wallet of your choice
+within a time-window (i.e. 90 days).
+<br />
+During that time-window, you can see that the Timelock Recovery mechanism has been triggered (a
+transaction from your wallet to itself is created on the Bitcoin blockchain), and if this
+has happened against your will, you can use your master key to cancel the process (by moving
+the funds elsewhere before the time-window expires).
+<br />
+The implementation of Timelock Recovery is done with two transactions that are signed in advance,
+but broadcast only when needed:
+<ol>
+    <li>
+        An <i>Alert Transaction</i> which sends the funds from the wallet to itself (consolidating the UTXOs).
+    </li>
+    <li>
+        A <i>Recovery Transaction</i> which sends the funds to a secondary wallet of your choice and can
+        be added to the blockchain only X days after the <i>Alert Transaction</i> has been broadcast (and mined).
+    </li>
+</ol>
+Optionally, this extension will also let you sign-in-advance a <i>Cancellation Transaction</i> which can be
+used to cancel the Timelock Recovery process, by broadcasting it before the time-window expires.
+If the <i>Alert Transaction</i> has been broadcast, the Cancellation Transaction will send the funds again to
+the same wallet, which would invalidate the <i>Recovery Transaction</i> (technically: the <i>Recovery Transaction</i>
+will be seen as a transaction that is trying to spend a UTXO that has already been spent).
+<br />
+Timelock Recovery plans do not require any involvement of a third party.
+However, two precautions should be taken:
+<ol>
+    <li>
+        Due to the way Bitcoin transactions and UTXOs work, spending funds from the wallet might break
+        the entire Timelock Recovery plan.
+    </li>
+    <li>
+        Adding more funds to the wallet will not be covered by the Timelock Recovery plan.
+    </li>
+</ol>
+<br />
+Therefore it is highly recommended not to use the wallet for any purpose after creating a
+Timelock Recovery plan (other than long-term storage).
+Instead, for daily purposes use a separate wallet (with a seed in a place that
+your loved ones could easily find) and only after accumulating enough funds relevant for long-term
+storage, move them to a new highly secured wallet (i.e. with a long passphrase that only you memorize) for
+which you create a new Timelock Recovery plan (back to the daily-purpose wallet or to your inheritors' wallet).
+<br />
+Each accumulation should be done in a new highly secured wallet, but these are easy to create, i.e. you can
+memorize a long passphrase and add a counter at the end (1 for the first accumlation, 2 for the second, etc.).
+<br />
+For more details, visit: <a target="_blank" href="https://timelockrecovery.com" rel="noopener noreferrer">https://timelockrecovery.com</a>.
+<br />
+Before we begin, please note:
+<ol>
+    <li>
+        Please prepare in advance the addresses of your inheritors/backup-wallets.
+    </li>
+    <li>
+        Since we are preparing this recovery plan for the long future, it is hard
+        to estimate what the required mining fees will be.
+        If the fee is too low, your inheritors, who don't have access to the master
+        keys, will not be able to simply "replace-by-fee" and use a higher fee.
+        At the moment of writing this code (year 2025) this is not a big deal, because
+        there are acceleration-services, such as
+        <a target="_blank" href="https://mempool.space/accelerator" rel="noopener noreferrer">
+            mempool.space's accelerator
+        </a>, that allows to boost selected transactions for direct payment.
+        Just in case this service will not be available in the future, the
+        <i>Alert Transaction</i> will send a small amount of 600 sats to each
+        destination address. This will allow advance users to boost the
+        first transaction by spending their unmined UTXO in a mechanism called
+        Child-Pay-For-Parent.
+    </li>
+</ol>

electrum/plugins/timelock_recovery/intro.txt

@@ -0,0 +1,8 @@
+{
+  "fullname": "Timelock Recovery Utility",
+  "description": "<br/>This plug-in allows you to create Timelock Recovery Plans for your wallet. See: <a href='https://timelockrecovery.com'>timelockrecovery.com</a>",
+  "author": "[email protected]",
+  "available_for": ["qt"],
+  "icon":"timelock_recovery_60.png",
+  "version": "0.1.0"
+}