Fail HTLCs from late counterparty commitment updates in ChannelMonitor

[joostjager]

Closes #4431

[ldk-reviews-bot]

👋 Thanks for assigning @wpaulino as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

[codecov]

Codecov Report

❌ Patch coverage is 92.72388% with 39 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.05%. Comparing base (90b79e4) to head (56c813f).
⚠️ Report is 31 commits behind head on main.

Files with missing lines	Patch %	Lines
lightning/src/chain/chainmonitor.rs	90.22%	22 Missing and 4 partials ⚠️
lightning/src/chain/channelmonitor.rs	91.66%	7 Missing and 3 partials ⚠️
lightning/src/util/test_utils.rs	96.87%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4434      +/-   ##
==========================================
+ Coverage   85.97%   86.05%   +0.08%     
==========================================
  Files         159      159              
  Lines      104722   105759    +1037     
  Branches   104722   105759    +1037     
==========================================
+ Hits        90030    91013     +983     
- Misses      12191    12227      +36     
- Partials     2501     2519      +18     

Flag	Coverage Δ
tests	86.05% <92.72%> (+0.08%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ldk-reviews-bot]

👋 The first review has been submitted!

Do you think this PR is ready for a second reviewer? If so, click here to assign a second reviewer.

[TheBlueMatt]

Hmmmmmmmmm, its really not quite so simple. If a monitor update is InProgress we generally expect the in-memory ChannelMonitor to have actually seen the new state update (though we expect that on restart there's a good chance it won't have that information and it'll be replayed). That means the monitor is theoretically "in charge" of resolving the HTLCs in question. While I think this patch is correct, I'm a bit hesitant to end up with two things in charge of resolving a specific HTLC. ISTM it also wouldn't be so complicated to immediately mark HTLCs as failed in the monitor upon receiving updates that try to add new HTLCs after a channel has been closed.

[joostjager]

ISTM it also wouldn't be so complicated to immediately mark HTLCs as failed in the monitor upon receiving updates that try to add new HTLCs after a channel has been closed.

Isn't the problem with this that the monitor can't see whether the commitment was already sent to the peer or blocked by async persistence?

[TheBlueMatt]

Right, the monitor has to assume it may have been sent to the peer. That's fine, though, it should be able to fail the HTLC(s) once the commitment transaction is locked.

[joostjager]

Hmm, it seems that the original issue isn't an issue then. I confirmed that mining the force close commitment tx indeed generates the payment failed event. Or is there still something missing?

[TheBlueMatt]

In the general case (ChannelMonitor in-memory in the same machine that runs ChannelManager) I believe there is not a runtime issue, no. I was thinking you'd identified an issue in the crash case, though (where we crash without persisting the monitor update and on restart lose it) but actually I'm not sure this is any different from existing payments logic - if you start a payment and nothing persists on restart its expected to be gone and downstream code has to handle that.

[joostjager]

The one that I identified wasn't a crash case. An assertion in the fuzzer identified that a payment was lost, but with current understanding I think it's just that the fuzzer didn't push the force-close forward enough (mine). Will close it for now and can look again if the payment remains lost even with confirmation of the commit tx. Unit test did confirm that it should just work.

[joostjager]

Reopening as this fix is now required for #4351.

[joostjager]

Hmmmmmmmmm, its really not quite so simple. If a monitor update is InProgress we generally expect the in-memory ChannelMonitor to have actually seen the new state update (though we expect that on restart there's a good chance it won't have that information and it'll be replayed). That means the monitor is theoretically "in charge" of resolving the HTLCs in question. While I think this patch is correct, I'm a bit hesitant to end up with two things in charge of resolving a specific HTLC. ISTM it also wouldn't be so complicated to immediately mark HTLCs as failed in the monitor upon receiving updates that try to add new HTLCs after a channel has been closed.

Now that we've decided that for deferred writes we no longer want to expect the in-memory ChannelMonitor to have seen the changes, I think the above doesn't apply anymore, and we might have to accept that two things are in charge for resolving a specific HTLC.

[TheBlueMatt]

Now that we've decided that for deferred writes we no longer want to expect the in-memory ChannelMonitor to have seen the changes, I think the above doesn't apply anymore, and we might have to accept that two things are in charge for resolving a specific HTLC.

I don't think so. Instead, what we'll need to do is detect a new local counterparty state ChannelMontiorUpdate after the channel has close and track it to fail the HTLCs from it once the commitment transaction has 6 confs.

[TheBlueMatt]

Oh actually no I don't think we need to wait for 6 confs since we never sent the message, ie we can fail it immediately.

[joostjager]

Oh actually no I don't think we need to wait for 6 confs since we never sent the message, ie we can fail it immediately.

Does the monitor know that a message was never sent? #4434 (comment) suggests that we should assume we did send.

I steered Claude to a potential fix: main...joostjager:rust-lightning:chain-mon-internal-deferred-writes-fix-contract. I based it on the deferred writes branch so that tests can get delayed in-memory updates.

Is this the direction you have in mind? It is unfortunate that we need to add this extra logic to a system that is already complicated.

[ldk-reviews-bot]

🔔 1st Reminder

Hey @wpaulino! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 2nd Reminder

Hey @wpaulino! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 3rd Reminder

Hey @wpaulino! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[wpaulino]

LGTM, though CI is sad likely due to the failed_back_htlc_ids change.

[joostjager]

The round-trip check failed because failed_back_htlc_ids is not serialized. We work around it by temporarily copying the set onto the deserialized monitor before comparison, then clearing it. It's ugly but avoids modifying production code beyond making the field pub(crate).

[ldk-claude-review-bot]

In release builds, this silently returns without logging when count exceeds the queue length. This can happen if flush is called concurrently (e.g., from TestChainMonitor::release_pending_monitor_events auto-flush racing with the background processor's explicit flush). A log_error! before the return would make such races observable in production, rather than silently under-flushing:

Suggested change

	None => {
	debug_assert!(false, "flush count exceeded queue length");
	return;
	},
	None => {
	debug_assert!(false, "flush count exceeded queue length");
	log_error!(logger, "flush count exceeded queue length");
	return;
	},

[joostjager]

ADded

[ldk-claude-review-bot]

[TheBlueMatt]

I think feel free to squash so we can land this. Claude had one comment that might be worth fixing, up to you.

[joostjager]

Squashed, but needs to be rebased after #4351. Added the Claude suggestion to also log excessive flush count.

[ldk-claude-review-bot]

Nit/perf: pending_spend_entry.clone().unwrap() is called inside the per-HTLC loop, cloning the Option<Transaction> each iteration. For a commitment with many HTLCs, this does N clones of potentially large transaction data. Consider destructuring once before the loop:

Suggested change

	let (txid, transaction, height, block_hash) = pending_spend_entry.clone().unwrap();
	let pending_data = pending_spend_entry.clone();
	for (source, payment_hash, amount_msat) in htlcs {
	if is_source_known(source) {
	continue;
	}
	if self.counterparty_fulfilled_htlcs.get(&SentHTLCId::from_source(source)).is_some() {
	continue;
	}
	let htlc_value_satoshis = Some(amount_msat / 1000);
	let logger = WithContext::from(logger, None, None, Some(payment_hash));
	// Defensively mark the HTLC as failed back so the expiry-based failure
	// path in `block_connected` doesn't generate a duplicate `HTLCUpdate`
	// event for the same source.
	self.failed_back_htlc_ids.insert(SentHTLCId::from_source(source));
	if let Some(confirmed_txid) = self.funding_spend_confirmed {

Or alternatively, extract the pending_data tuple once and clone only transaction per entry (Txid and BlockHash are Copy).

[joostjager]

Not sure if worth it, the tx is the large part of the clone anyway.

[ldk-claude-review-bot]

The is_source_known closure only checks prev_counterparty_commitment_txid (what was current before this update), not all entries in counterparty_claimable_outpoints. The comment at line 4413 explains the reasoning, and the holder commitment fallback covers additional cases.

Just want to confirm a subtle assumption: this correctness relies on the fact that the monitor always holds the immediately-prior counterparty commitment in prev after the update is applied (line 3502). If a single ChannelMonitorUpdate ever contained two LatestCounterpartyCommitment steps, the second step's iteration here would check prev (which is now the first step's commitment, not the original pre-batch state), and HTLCs from the first step would appear "known" even if they were truly new. The code is correct as long as each ChannelMonitorUpdate contains at most one counterparty commitment step — is that guaranteed at the ChannelManager level?

[joostjager]

Analysis shows it isn't possible to have two LatestCounterpartyCommitment in the same update. Interesting find though.

[joostjager]

Rebased after merge of #4351

[ldk-claude-review-bot]

Nit: The comment concludes "the HTLCs we care about can never appear in the holder commitment transaction" — yet lines 4443-4451 proceed to check them anyway. Could you rephrase to say this is a defensive/belt-and-suspenders check? Currently it reads like the check below shouldn't be needed at all.

[ldk-claude-review-bot]

Minor: is_source_known checks self.funding.prev_counterparty_commitment_txid but not self.pending_funding[*].prev_counterparty_commitment_txid. In a splice scenario where the confirmed funding spend is for a pending funding output, an HTLC that was already known in that pending funding's previous counterparty commitment would be incorrectly treated as "new" and failed. Worth a TODO or a check against pending funding scopes as well?

[ldk-claude-review-bot]

"FundingSpendConfirmation matures immediately (no CSV delay)" is misleading — FundingSpendConfirmation still requires ANTI_REORG_DELAY blocks to mature (the on_local_output_csv only adds additional delay beyond ANTI_REORG_DELAY). It appears that the payment failure events here actually come from the ChannelManager's force-close logic (failing the in-flight HTLC when CommitmentTxConfirmed is processed), not from the monitor's immediate HTLC failure path. Consider clarifying the comment.

[TheBlueMatt]

Thanks. Changes since @wpaulino's ACK are trivial so gonna land.