Skip to content

Conversation

tankyleo
Copy link
Contributor

@tankyleo tankyleo commented Aug 14, 2025

    Check v2 reserves after `funding_contribution_satoshis` is applied

    We check this when validating `splice_init`, `splice_ack` messages, and
    also when validating user-specified contributions.

    From BOLT 2:
    ```
    - If `funding_contribution_satoshis` is negative and its absolute value
      is greater than the sending node's current channel balance:
      - MUST send a `warning` and close the connection or send an `error`
        and fail the channel.
    ```

    and further down:
    ```
    If a side does not meet the reserve requirements, that's OK: but if they
    take funds out of the channel, they must ensure that they do meet them.
    If your peer adds a massive amount to the channel, then you only have
    to add more reserve if you want to contribute to the splice (and you
    can use `tx_remove_output` and/or `tx_remove_input` part-way through if
    this happens).
    ```

    Therefore, we check the v2 reserve anytime
    `funding_contribution_satoshis` is not equal to zero.

    We allow parties to draw from their previous reserve, as long as they
    satisfy their v2 reserve.

@ldk-reviews-bot
Copy link

ldk-reviews-bot commented Aug 14, 2025

👋 Thanks for assigning @wpaulino as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

@tankyleo tankyleo changed the title Validate negative funding contributions in splice_ack and splice_init messages Validate negative funding contributions in splice_init and splice_ack messages Aug 14, 2025
@tankyleo tankyleo force-pushed the splice-reserve-check branch from 6d6b07c to 93965c6 Compare August 14, 2025 01:24
@tankyleo tankyleo requested a review from wpaulino August 14, 2025 01:25
Copy link

codecov bot commented Aug 14, 2025

Codecov Report

❌ Patch coverage is 38.09524% with 13 lines in your changes missing coverage. Please review.
✅ Project coverage is 88.77%. Comparing base (bf87832) to head (85a02ca).
⚠️ Report is 8 commits behind head on main.

Files with missing lines Patch % Lines
lightning/src/sign/tx_builder.rs 38.09% 13 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4011      +/-   ##
==========================================
+ Coverage   88.76%   88.77%   +0.01%     
==========================================
  Files         176      176              
  Lines      129345   129357      +12     
  Branches   129345   129357      +12     
==========================================
+ Hits       114812   114836      +24     
+ Misses      11925    11921       -4     
+ Partials     2608     2600       -8     
Flag Coverage Δ
fuzzing 22.00% <23.80%> (-0.01%) ⬇️
tests 88.60% <38.09%> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@tankyleo tankyleo self-assigned this Aug 14, 2025
@ldk-reviews-bot
Copy link

🔔 1st Reminder

Hey @wpaulino! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

@ldk-reviews-bot
Copy link

🔔 2nd Reminder

Hey @wpaulino! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

@wpaulino wpaulino mentioned this pull request Aug 18, 2025
@tankyleo
Copy link
Contributor Author

On hold until splice-out PR gets in.

@ldk-reviews-bot
Copy link

🔔 3rd Reminder

Hey @wpaulino! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

@tankyleo tankyleo removed the request for review from wpaulino August 20, 2025 01:37
@tankyleo tankyleo marked this pull request as draft August 20, 2025 01:38
@tankyleo tankyleo force-pushed the splice-reserve-check branch from 93965c6 to d0023e3 Compare August 26, 2025 22:14
@tankyleo tankyleo marked this pull request as ready for review August 26, 2025 22:14
@tankyleo tankyleo requested review from wpaulino and removed request for valentinewallace August 26, 2025 22:15
@ldk-reviews-bot
Copy link

👋 The first review has been submitted!

Do you think this PR is ready for a second reviewer? If so, click here to assign a second reviewer.

@tankyleo tankyleo force-pushed the splice-reserve-check branch from d0023e3 to 835b67b Compare August 27, 2025 02:26
@tankyleo
Copy link
Contributor Author

tankyleo commented Aug 27, 2025

Rebase on merge-base (diff):

  • Always run the reserve check, not just when the funding contribution is negative.
  • Make sure that the funder of the channel can pay for an additional nondust HTLC after the contributions are applied.
  • Emit WarnAndDisconnect if the balance is exhausted.
  • Style improvements.

@tankyleo tankyleo requested a review from wpaulino August 27, 2025 02:37
@tankyleo tankyleo changed the title Validate negative funding contributions in splice_init and splice_ack messages Validate funding contributions reserves in splice_init and splice_ack handling Aug 27, 2025
@tankyleo tankyleo force-pushed the splice-reserve-check branch from 835b67b to 453a211 Compare August 27, 2025 05:51
@tankyleo
Copy link
Contributor Author

Amend: (diff)

  • Run the reserve check anytime the funding contribution is not zero.

@tankyleo
Copy link
Contributor Author

Rebasing now to fix conflict...

@tankyleo tankyleo requested review from TheBlueMatt and removed request for TheBlueMatt August 31, 2025 22:04
@tankyleo tankyleo force-pushed the splice-reserve-check branch 2 times, most recently from 8b3004e to ce4161c Compare September 1, 2025 07:38
let their_channel_balance = Amount::from_sat(self.funding.get_value_satoshis())
- Amount::from_sat(self.funding.get_value_to_self_msat() / 1000);
let post_channel_balance = AddSigned::checked_add_signed(
let adjusted_funding_contribution = if let Some((contribution, is_initiator, feerate)) =
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are we sure this is right in the splice_ack case? In the splice_channel (initiate outbound splice) case, we pass the total contribution ignoring fees, which then mandates that we subtract the fee here. But then we go to test again in splice_ack and, AFAICT we pass the adjusted contribution at that point (which is what we send to our counterparty, or the their_funding_contribution used below), and then we shouldn't subtract the fee here. IMO we should pull this back out to the splice_channel method and keep this method strictly a symmetrical splice validation function that doesn't have any sender/recipient-specific logic at all. Once we make get_next_{local,remote}_commitment_stats fallible it'll just be a matter of calling that and checking the reserve, basically.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will look into it thank you

But then we go to test again in splice_ack and, AFAICT we pass the adjusted contribution at that point (which is what we send to our counterparty, or the their_funding_contribution used below), and then we shouldn't subtract the fee here.

When we receive splice_ack, we set this triple to None, and we don't subtract the fee here ?

I'll revisit this part in any case.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, sorry, duh, all the more confusing code tho :)

@TheBlueMatt TheBlueMatt added this to the 0.2 milestone Sep 1, 2025
@tankyleo tankyleo force-pushed the splice-reserve-check branch from 1ce710f to b6757a5 Compare September 2, 2025 07:23
@tankyleo tankyleo requested a review from TheBlueMatt September 2, 2025 07:25
Copy link
Collaborator

@TheBlueMatt TheBlueMatt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay, thanks for rewriting this four times 😅. Feel free to squash (looks like the latest fixup needs to get moved back a bit), I think this LGTM. cc @wpaulino

@TheBlueMatt
Copy link
Collaborator

Also sadly needs rebase.

@tankyleo tankyleo force-pushed the splice-reserve-check branch from b6757a5 to c96dba4 Compare September 2, 2025 22:05
@tankyleo
Copy link
Contributor Author

tankyleo commented Sep 2, 2025

First rebase: no diff, squash fixups, reorganize commits.

As much as possible, we want to only mutate state once we are done with
input validation.

This also removes complaints when helper functions during validation
take a `&self`.
As in `splice_init`, this helps clearly delineate `splice_ack` message
validation from the subsequent state mutations.

This is a code-move.
`NextCommitmentStats` provides the commitment transaction fee as a
separate value to assist with applying a multiplier on it in
`can_accept_incoming_htlc`.

Nonetheless in most cases, we want the balances to include the
commitment transaction fee, so here we add a helper that gives us these
balances.

Also make the style of `tx_builder::subtract_addl_outputs` consistent
with `get_balances_including_fee`.
The reserve we should maintain on our own transaction should be greater
than our own dust limit.
We check this when validating `splice_init`, `splice_ack` messages, and
also when validating user-specified contributions.

From BOLT 2:
```
- If `funding_contribution_satoshis` is negative and its absolute value
  is greater than the sending node's current channel balance:
  - MUST send a `warning` and close the connection or send an `error`
    and fail the channel.
```

and further down:
```
If a side does not meet the reserve requirements, that's OK: but if they
take funds out of the channel, they must ensure that they do meet them.
If your peer adds a massive amount to the channel, then you only have
to add more reserve if you want to contribute to the splice (and you
can use `tx_remove_output` and/or `tx_remove_input` part-way through if
this happens).
```

Therefore, we check the v2 reserve anytime
`funding_contribution_satoshis` is not equal to zero.

We allow parties to draw from their previous reserve, as long as they
satisfy their v2 reserve.
@tankyleo tankyleo force-pushed the splice-reserve-check branch from c96dba4 to 85a02ca Compare September 2, 2025 22:40
@tankyleo
Copy link
Contributor Author

tankyleo commented Sep 2, 2025

Second rebase: move base commit to bf87832 , use inline format arguments in some places.

Copy link
Collaborator

@TheBlueMatt TheBlueMatt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One question, otherwise LGTM

@@ -2298,12 +2298,12 @@ impl FundingScope {
.funding_pubkey = counterparty_funding_pubkey;

// New reserve values are based on the new channel value and are v2-specific
let counterparty_selected_channel_reserve_satoshis = Some(get_v2_channel_reserve_satoshis(
let counterparty_selected_channel_reserve_satoshis =
Some(get_v2_channel_reserve_satoshis(post_channel_value, MIN_CHAN_DUST_LIMIT_SATOSHIS));
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wait, I thin this is wrong (and also maybe reserves should be higher than both dust limits?). Not sure what the spec says, but the point of the reserve is to have something that we can be punished for when broadcasting our own stale transaction. Thus, the reserve we keep should really be higher than our own dust limit (which applies to our local commitment transactions that we can broadcast) so that if we broadcast a stale state we can be punished.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't that what we have here ?

MIN_CHAN_DUST_LIMIT_SATOSHIS: our own dust limit

counterparty_selected_channel_reserve_satoshis: we must keep at least these many sats "punishable" on our broadcastable transaction.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤦

@TheBlueMatt TheBlueMatt merged commit 9ddd25b into lightningdevkit:main Sep 3, 2025
25 checks passed
@github-project-automation github-project-automation bot moved this from Goal: Merge to Done in Weekly Goals Sep 3, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

4 participants