Check pending funding in send_update_fee

jkczyz · jkczyz · commit 1b783ce74572 · 2025-05-30T16:05:51.000-05:00
If there are any pending splices when an sending an update_fee message,
the new fee rate must be validated against each pending FundingScope.
Otherwise, it may be invalid once the splice is locked.
diff --git a/lightning/src/ln/channel.rs b/lightning/src/ln/channel.rs
@@ -6737,31 +6737,11 @@ impl<SP: Deref> FundedChannel<SP> where
 			panic!("Cannot update fee while peer is disconnected/we're awaiting a monitor update (ChannelManager should have caught this)");
 		}
 
-		// Before proposing a feerate update, check that we can actually afford the new fee.
-		let dust_exposure_limiting_feerate = self.context.get_dust_exposure_limiting_feerate(&fee_estimator);
-		let htlc_stats = self.context.get_pending_htlc_stats(&self.funding, Some(feerate_per_kw), dust_exposure_limiting_feerate);
-		let commitment_data = self.context.build_commitment_transaction(
-			&self.funding, self.holder_commitment_point.transaction_number(),
-			&self.holder_commitment_point.current_point(), true, true, logger,
-		);
-		let buffer_fee_msat = commit_tx_fee_sat(feerate_per_kw, commitment_data.tx.nondust_htlcs().len() + htlc_stats.on_holder_tx_outbound_holding_cell_htlcs_count as usize + CONCURRENT_INBOUND_HTLC_FEE_BUFFER as usize, self.funding.get_channel_type()) * 1000;
-		let holder_balance_msat = commitment_data.stats.local_balance_before_fee_anchors_msat - htlc_stats.outbound_holding_cell_msat;
-		if holder_balance_msat < buffer_fee_msat + commitment_data.stats.total_anchors_sat * 1000 + self.funding.counterparty_selected_channel_reserve_satoshis.unwrap() * 1000 {
-			//TODO: auto-close after a number of failures?
-			log_debug!(logger, "Cannot afford to send new feerate at {}", feerate_per_kw);
-			return None;
-		}
-
-		// Note, we evaluate pending htlc "preemptive" trimmed-to-dust threshold at the proposed `feerate_per_kw`.
-		let max_dust_htlc_exposure_msat = self.context.get_max_dust_htlc_exposure_msat(dust_exposure_limiting_feerate);
-		if htlc_stats.on_holder_tx_dust_exposure_msat > max_dust_htlc_exposure_msat {
-			log_debug!(logger, "Cannot afford to send new feerate at {} without infringing max dust htlc exposure", feerate_per_kw);
-			return None;
-		}
-		if htlc_stats.on_counterparty_tx_dust_exposure_msat > max_dust_htlc_exposure_msat {
-			log_debug!(logger, "Cannot afford to send new feerate at {} without infringing max dust htlc exposure", feerate_per_kw);
-			return None;
-		}
+		core::iter::once(&self.funding)
+			.chain(self.pending_funding.iter())
+			.map(|funding| self.validate_send_update_fee(funding, feerate_per_kw, fee_estimator, logger))
+			.collect::<Result<(), ()>>()
+			.ok()?;
 
 		// Some of the checks of `can_generate_new_commitment` have already been done above, but
 		// it's much more brittle to not use it in favor of checking the remaining flags left, as it
@@ -6784,6 +6764,43 @@ impl<SP: Deref> FundedChannel<SP> where
 		})
 	}
 
+	fn validate_send_update_fee<F: Deref, L: Deref>(
+		&self, funding: &FundingScope, feerate_per_kw: u32,
+		fee_estimator: &LowerBoundedFeeEstimator<F>, logger: &L,
+	) -> Result<(), ()>
+	where
+		F::Target: FeeEstimator,
+		L::Target: Logger,
+	{
+		// Before proposing a feerate update, check that we can actually afford the new fee.
+		let dust_exposure_limiting_feerate = self.context.get_dust_exposure_limiting_feerate(&fee_estimator);
+		let htlc_stats = self.context.get_pending_htlc_stats(funding, Some(feerate_per_kw), dust_exposure_limiting_feerate);
+		let commitment_data = self.context.build_commitment_transaction(
+			funding, self.holder_commitment_point.transaction_number(),
+			&self.holder_commitment_point.current_point(), true, true, logger,
+		);
+		let buffer_fee_msat = commit_tx_fee_sat(feerate_per_kw, commitment_data.tx.nondust_htlcs().len() + htlc_stats.on_holder_tx_outbound_holding_cell_htlcs_count as usize + CONCURRENT_INBOUND_HTLC_FEE_BUFFER as usize, funding.get_channel_type()) * 1000;
+		let holder_balance_msat = commitment_data.stats.local_balance_before_fee_anchors_msat - htlc_stats.outbound_holding_cell_msat;
+		if holder_balance_msat < buffer_fee_msat + commitment_data.stats.total_anchors_sat * 1000 + funding.counterparty_selected_channel_reserve_satoshis.unwrap() * 1000 {
+			//TODO: auto-close after a number of failures?
+			log_debug!(logger, "Cannot afford to send new feerate at {}", feerate_per_kw);
+			return Err(());
+		}
+
+		// Note, we evaluate pending htlc "preemptive" trimmed-to-dust threshold at the proposed `feerate_per_kw`.
+		let max_dust_htlc_exposure_msat = self.context.get_max_dust_htlc_exposure_msat(dust_exposure_limiting_feerate);
+		if htlc_stats.on_holder_tx_dust_exposure_msat > max_dust_htlc_exposure_msat {
+			log_debug!(logger, "Cannot afford to send new feerate at {} without infringing max dust htlc exposure", feerate_per_kw);
+			return Err(());
+		}
+		if htlc_stats.on_counterparty_tx_dust_exposure_msat > max_dust_htlc_exposure_msat {
+			log_debug!(logger, "Cannot afford to send new feerate at {} without infringing max dust htlc exposure", feerate_per_kw);
+			return Err(());
+		}
+
+		Ok(())
+	}
+
 	/// Removes any uncommitted inbound HTLCs and resets the state of uncommitted outbound HTLC
 	/// updates, to be used on peer disconnection. After this, update_*_htlc messages need to be
 	/// resent.
