Detect channel spend by splice transaction

wpaulino · wpaulino · commit 0e7e0e7662e0 · 2025-07-18T15:20:01.000-07:00
A `ChannelMonitor` will always consider a channel closed once a
confirmed spend for the funding transaction is detected. This is no
longer the case with splicing, as the channel will remain open and
capable of accepting updates while its funding transaction is being
replaced.
diff --git a/lightning/src/chain/channelmonitor.rs b/lightning/src/chain/channelmonitor.rs
@@ -565,6 +565,12 @@ enum OnchainEvent {
 		/// output (and generate a SpendableOutput event).
 		on_to_local_output_csv: Option<u16>,
 	},
+	/// The txid of an alternative funding transaction (due to a splice) that has confirmed but is
+	/// not yet locked, invalidating the previous funding transaction as it now spent. Note that we
+	/// wait to promote the corresponding `FundingScope` until we see a
+	/// [`ChannelMonitorUpdateStep::RenegotiatedFundingLocked`] or if the alternative funding
+	/// transaction is irrevocably confirmed.
+	AlternativeFundingConfirmation {},
 }
 
 impl Writeable for OnchainEventEntry {
@@ -609,6 +615,7 @@ impl_writeable_tlv_based_enum_upgradable!(OnchainEvent,
 	(1, MaturingOutput) => {
 		(0, descriptor, required),
 	},
+	(2, AlternativeFundingConfirmation) => {},
 	(3, FundingSpendConfirmation) => {
 		(0, on_local_output_csv, option),
 		(1, commitment_tx_to_counterparty_output, option),
@@ -618,7 +625,6 @@ impl_writeable_tlv_based_enum_upgradable!(OnchainEvent,
 		(2, preimage, option),
 		(4, on_to_local_output_csv, option),
 	},
-
 );
 
 #[derive(Clone, Debug, PartialEq, Eq)]
@@ -4871,6 +4877,49 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 				}
 			}
 
+			// A splice transaction has confirmed. We can't promote the splice's scope until we see
+			// the corresponding monitor update for it, but we track the txid so we know which
+			// holder commitment transaction we may need to broadcast.
+			if let Some(alternative_funding) = self.pending_funding.iter()
+				.find(|funding| funding.funding_txid() == txid)
+			{
+				debug_assert!(self.funding_spend_confirmed.is_none());
+				debug_assert!(
+					!self.onchain_events_awaiting_threshold_conf.iter()
+						.any(|e| matches!(e.event, OnchainEvent::FundingSpendConfirmation { .. }))
+				);
+				debug_assert_eq!(
+					self.funding.funding_outpoint().into_bitcoin_outpoint(),
+					tx.input[0].previous_output
+				);
+
+				let (desc, msg) = if alternative_funding.channel_parameters.splice_parent_funding_txid.is_some() {
+					("Splice", "splice_locked")
+				} else {
+					("RBF", "channel_ready")
+				};
+				let action = if self.no_further_updates_allowed() {
+					if self.holder_tx_signed {
+						", broadcasting post-splice holder commitment transaction".to_string()
+					} else {
+						"".to_string()
+					}
+				} else {
+					format!(", waiting for `{}` exchange", msg)
+				};
+				log_info!(logger, "{desc} for channel {} confirmed with txid {txid}{action}", self.channel_id());
+
+				self.onchain_events_awaiting_threshold_conf.push(OnchainEventEntry {
+					txid,
+					transaction: Some((*tx).clone()),
+					height,
+					block_hash: Some(block_hash),
+					event: OnchainEvent::AlternativeFundingConfirmation {},
+				});
+
+				continue 'tx_iter;
+			}
+
 			if tx.input.len() == 1 {
 				// Assuming our keys were not leaked (in which case we're screwed no matter what),
 				// commitment transactions and HTLC transactions will all only ever have one input
@@ -5002,7 +5051,7 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 		let unmatured_htlcs: Vec<_> = self.onchain_events_awaiting_threshold_conf
 			.iter()
 			.filter_map(|entry| match &entry.event {
-				OnchainEvent::HTLCUpdate { source, .. } => Some(source),
+				OnchainEvent::HTLCUpdate { source, .. } => Some(source.clone()),
 				_ => None,
 			})
 			.collect();
@@ -5017,7 +5066,7 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 					#[cfg(debug_assertions)]
 					{
 						debug_assert!(
-							!unmatured_htlcs.contains(&&source),
+							!unmatured_htlcs.contains(&source),
 							"An unmature HTLC transaction conflicts with a maturing one; failed to \
 							 call either transaction_unconfirmed for the conflicting transaction \
 							 or block_disconnected for a block containing it.");
@@ -5064,6 +5113,21 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 					self.funding_spend_confirmed = Some(entry.txid);
 					self.confirmed_commitment_tx_counterparty_output = commitment_tx_to_counterparty_output;
 				},
+				OnchainEvent::AlternativeFundingConfirmation {} => {
+					// An alternative funding transaction has irrevocably confirmed. Locate the
+					// corresponding scope and promote it if the monitor is no longer allowing
+					// updates. Otherwise, we expect it to be promoted via
+					// [`ChannelMonitorUpdateStep::RenegotiatedFundingLocked`].
+					if self.no_further_updates_allowed() {
+						let funding_txid = entry.transaction
+							.expect("Transactions are always present for AlternativeFundingConfirmation entries")
+							.compute_txid();
+						debug_assert_ne!(self.funding.funding_txid(), funding_txid);
+						if let Err(_) = self.promote_funding(funding_txid) {
+							log_error!(logger, "Missing scope for alternative funding confirmation with txid {}", entry.txid);
+						}
+					}
+				},
 			}
 		}
 
