Skip to content

Validate funding contributions reserves in splice_init and splice_ack handling #4011

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Validate funding contributions reserves in splice_init and splice_ack handling #4011

wants to merge 7 commits into from
+178 −89

Conversation

tankyleo
Copy link
Contributor 

From BOLT 2:

- If `funding_contribution_satoshis` is negative and its absolute value
  is greater than the sending node's current channel balance:
  - MUST send a `warning` and close the connection or send an `error`
    and fail the channel.

We allow the remote to be below the new reserve as long as their
funding contribution is not negative; we don't care whether they were
above or below the previous funding reserve.

@ldk-reviews-bot
Copy link

ldk-reviews-bot commented Aug 14, 2025
edited
Loading

👋 Thanks for assigning @wpaulino as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

@tankyleo tankyleo changed the title Validate negative funding contributions in splice_ack and splice_init messages Validate negative funding contributions in splice_init and splice_ack messages Aug 14, 2025
@tankyleo tankyleo force-pushed the splice-reserve-check branch from 6d6b07c to 93965c6 Compare August 14, 2025 01:24
@tankyleo tankyleo requested a review from wpaulino August 14, 2025 01:25
@codecov Codecov
Copy link

codecov bot commented Aug 14, 2025
edited
Loading

Codecov Report

❌ Patch coverage is 42.10526% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 88.77%. Comparing base (e664b7e) to head (7a56757).
⚠️ Report is 65 commits behind head on main.

Files with missing lines Patch % Lines
lightning/src/sign/tx_builder.rs 42.10% 11 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4011      +/-   ##
==========================================
+ Coverage   88.74%   88.77%   +0.02%     
==========================================
  Files         176      176              
  Lines      128638   128710      +72     
  Branches   128638   128710      +72     
==========================================
+ Hits       114164   114262      +98     
+ Misses      11877    11859      -18     
+ Partials     2597     2589       -8
Flag Coverage Δ
fuzzing 21.96% <26.31%> (+0.12%) ⬆️
tests 88.60% <42.10%> (+0.02%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@tankyleo tankyleo self-assigned this Aug 14, 2025
@ldk-reviews-bot
Copy link

🔔 1st Reminder

Hey @wpaulino! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

@ldk-reviews-bot
Copy link

🔔 2nd Reminder

Hey @wpaulino! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

@wpaulino wpaulino mentioned this pull request Aug 18, 2025
Merged
@tankyleo
Copy link
Contributor Author

On hold until splice-out PR gets in.

@ldk-reviews-bot
Copy link

🔔 3rd Reminder

Hey @wpaulino! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

@tankyleo tankyleo removed the request for review from wpaulino August 20, 2025 01:37
@tankyleo tankyleo marked this pull request as draft August 20, 2025 01:38
@jkczyz jkczyz mentioned this pull request Aug 21, 2025
Open
7 tasks
@tankyleo tankyleo force-pushed the splice-reserve-check branch from 93965c6 to d0023e3 Compare August 26, 2025 22:14
@tankyleo tankyleo marked this pull request as ready for review August 26, 2025 22:14
@tankyleo tankyleo requested review from wpaulino and removed request for valentinewallace August 26, 2025 22:15
wpaulino
wpaulino reviewed Aug 26, 2025
View reviewed changes
lightning/src/sign/tx_builder.rs Outdated
impl NextCommitmentStats {
pub(crate) fn get_balances_including_fee_msat(&self) -> (Option<u64>, Option<u64>) {
let holder_balance_incl_fee_msat = if self.is_outbound_from_holder {
self.holder_balance_before_fee_msat
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this already have the anchor outputs value subtracted?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes

lightning/src/ln/channel.rs Outdated

// TODO(splicing): Pre-check for reserve requirement
// (Note: It should also be checked later at tx_complete)
if their_funding_contribution.is_negative() {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's also the case where we make a positive contribution and the counterparty does too, but a much larger one, bringing the reserve high enough that even after our contribution we still are not able to meet it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From my reading of the spec, seems a party should only complain in cases where the counterparty's funding contribution is negative.

Did we want to be stricter than the spec here ?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is in the spec actually: https://github.com/lightning/bolts/pull/1160/files#diff-ed04ca2c673fd6aabde69389511fa9ee60cb44d6b2ef6c88b549ffaa753d6afeR1792

lightning/src/ln/channel.rs

// Reserve check on local commitment transaction

let splice_local_commitment_stats = self.context.get_next_local_commitment_stats(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The "next" naming is odd here because we're actually building an alternative version of the current commitment transaction

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed :) If a squint a little, the "next" commitment transaction will have different to_local, to_remote balances, that's the one we are validating here. As far as I see at this point, this "alternative" commitment transaction is the one we will sign "next" ?

This is from 3921 feel free to take a look.

@ldk-reviews-bot
Copy link

👋 The first review has been submitted!

Do you think this PR is ready for a second reviewer? If so, click here to assign a second reviewer.

@tankyleo tankyleo force-pushed the splice-reserve-check branch from d0023e3 to 835b67b Compare August 27, 2025 02:26
@tankyleo
Copy link
Contributor Author

tankyleo commented Aug 27, 2025
edited
Loading

Rebase on merge-base (diff):

  • Always run the reserve check, not just when the funding contribution is negative.
  • Make sure that the funder of the channel can pay for an additional nondust HTLC after the contributions are applied.
  • Emit WarnAndDisconnect if the balance is exhausted.
  • Style improvements.

@tankyleo tankyleo requested a review from wpaulino August 27, 2025 02:37
@tankyleo tankyleo changed the title Validate negative funding contributions in splice_init and splice_ack messages Validate funding contributions reserves in splice_init and splice_ack handling Aug 27, 2025
@tankyleo tankyleo force-pushed the splice-reserve-check branch from 835b67b to 453a211 Compare August 27, 2025 05:51
@tankyleo
Copy link
Contributor Author

Amend: (diff)

  • Run the reserve check anytime the funding contribution is not zero.

graphite-app[bot]
graphite-app bot reviewed Aug 27, 2025
View reviewed changes
@tankyleo
Copy link
Contributor Author

Rebasing now to fix conflict...

@tankyleo tankyleo force-pushed the splice-reserve-check branch from 453a211 to 9798f7a Compare August 27, 2025 16:33
graphite-app[bot]
graphite-app bot reviewed Aug 27, 2025
View reviewed changes
@tankyleo
Finish validation in splice_ack before taking a &mut self
09926fe 
As much as possible, we want to only mutate state once we are done with
input validation.

This also removes complaints when helper functions during validation
take a `&self`.
@tankyleo
Add validate_splice_ack helper function
6fd902a 
As in `splice_init`, this helps clearly delineate `splice_ack` message
validation from the subsequent state mutations.

This is a code-move.
@tankyleo
Make for_splice infallible
e55084c
@tankyleo
Let validate_splice_contribution construct the new FundingScope
0aa19d9 
We will validate the reserve requirements on the new `FundingScope` in
`validate_splice_contribution`.
@tankyleo
Add NextCommitmentStats::get_balances_including_fee
7cb581e 
`NextCommitmentStats` provides the commitment transaction fee as a
separate value to assist with applying a multiplier on it in
`can_accept_incoming_htlc`.

Nonetheless in most cases, we want the balances to include the
commitment transaction fee, so here we add a helper that gives us these
balances.
@tankyleo
Cleanup the style of tx_builder::subtract_addl_outputs
79c2645 
Makes it consistent with `get_balances_including_fee`, itself added in
the previous commit.
@tankyleo
Check reserves after funding_contribution_satoshis is applied
7a56757 
This applies to both `splice_init` and `splice_ack` messages.

From BOLT 2:
```
- If `funding_contribution_satoshis` is negative and its absolute value
  is greater than the sending node's current channel balance:
  - MUST send a `warning` and close the connection or send an `error`
    and fail the channel.
```

Further down also:
```
If a side does not meet the reserve requirements, that's OK: but if they
take funds out of the channel, they must ensure that they do meet them.
If your peer adds a massive amount to the channel, then you only have
to add more reserve if you want to contribute to the splice (and you
can use `tx_remove_output` and/or `tx_remove_input` part-way through if
this happens).
```

Therefore, we run the reserve check anytime the contribution is not
equal to zero.
@tankyleo tankyleo force-pushed the splice-reserve-check branch from 9798f7a to 7a56757 Compare August 27, 2025 16:55
@tankyleo
Copy link
Contributor Author

Pushed from the wrong machine, we should be good now, see this aggregate diff, , rebased on d55b4f8

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@graphite-app graphite-app[bot] graphite-app[bot] left review comments

@wpaulino wpaulino Awaiting requested review from wpaulino

At least 1 approving review is required to merge this pull request.

Assignees

@tankyleo tankyleo

Labels
None yet
Projects
Weekly Goals
Status: No status
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tankyleo @ldk-reviews-bot @wpaulino