[wip] Restrict aggregation to max 25 HolderHTLCOutput in 0FC chans

tankyleo · tankyleo · commit 63e8f1c867d7 · 2025-09-26T11:51:51.000Z
diff --git a/lightning/src/chain/package.rs b/lightning/src/chain/package.rs
@@ -1249,14 +1249,11 @@ impl PackageTemplate {
 						// MUST be true, otherwise we are aggregating V2 tx claims with V3 tx claims
 						debug_assert!(self.inputs.iter().all(|(_, solving_data)| matches!(solving_data, PackageSolvingData::HolderHTLCOutput(_) )));
 						debug_assert!(other.inputs.iter().all(|(_, solving_data)| matches!(solving_data, PackageSolvingData::HolderHTLCOutput(_) )));
-						// See rust-bitcoin to_vbytes_ceil
-						let self_vbytes = (self.weight() + 3) / 4; // This is the weight of the witnesses alone, we need to add more here
-						let other_vbytes = (other.weight() + 3) / 4;
-						// What is a good offset to use here to leave room for the user-provided input-output pair?
-						// How much validation to do at coin-selection time in bump_transaction mod ?
-						// Just warn users in the docs not to use some really heavy witnesses to fee-bump their transactions?
-						// A 1-input-1-output p2wpkh-input p2wpkh-input transaction is 109.25vB.
-						if self_vbytes + other_vbytes < 10_000 - 200 {
+						// We aggregate max 25 holder HTLC outputs together to avoid hitting the max 10_000vB cap on TRUC singletons.
+						// Note we do not currently aggregate these with the anchor transaction that fee-bumps the 0-fee commitment transaction.
+						// Back-of-the-envelope, this lands us at max HTLC_SUCCESS_TX_WEIGHT.to_vbytes_ceil() * 25 ~= 4500 vB.
+						// You really have to try hard to provide a single 5_000vB input-output pair to fee-bump a 25-HTLC package.
+						if self.inputs.len() + other.inputs.len() <= 25 {
 							return true;
 						}
 					} else {
diff --git a/lightning/src/events/bump_transaction/mod.rs b/lightning/src/events/bump_transaction/mod.rs
@@ -971,6 +971,15 @@ where
 			assert!(signed_tx_fee >= expected_signed_tx_fee);
 		}
 
+		// We'll read the 0FC bit from `&[HTLCDescriptor]` above once the testing PR lands
+		if htlc_tx.vsize() > 10_000 {
+			log_error!(
+				self.logger,
+				"0FC HTLC transaction is too big, make the input-output pair you provided smaller"
+			);
+			return Err(());
+		}
+
 		log_info!(self.logger, "Broadcasting {}", log_tx!(htlc_tx));
 		self.broadcaster.broadcast_transactions(&[&htlc_tx]);
 		Ok(())
