Fail HTLCs from late counterparty commitment updates in ChannelMonitor

[joostjager]

Closes #4431

Builds on top of #4351

[ldk-reviews-bot]

👋 Thanks for assigning @wpaulino as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

[codecov]

Codecov Report

❌ Patch coverage is 92.72388% with 39 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.05%. Comparing base (90b79e4) to head (56c813f).
⚠️ Report is 31 commits behind head on main.

Files with missing lines	Patch %	Lines
lightning/src/chain/chainmonitor.rs	90.22%	22 Missing and 4 partials ⚠️
lightning/src/chain/channelmonitor.rs	91.66%	7 Missing and 3 partials ⚠️
lightning/src/util/test_utils.rs	96.87%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4434      +/-   ##
==========================================
+ Coverage   85.97%   86.05%   +0.08%     
==========================================
  Files         159      159              
  Lines      104722   105759    +1037     
  Branches   104722   105759    +1037     
==========================================
+ Hits        90030    91013     +983     
- Misses      12191    12227      +36     
- Partials     2501     2519      +18     

Flag	Coverage Δ
tests	86.05% <92.72%> (+0.08%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ldk-reviews-bot]

👋 The first review has been submitted!

Do you think this PR is ready for a second reviewer? If so, click here to assign a second reviewer.

[TheBlueMatt]

Hmmmmmmmmm, its really not quite so simple. If a monitor update is InProgress we generally expect the in-memory ChannelMonitor to have actually seen the new state update (though we expect that on restart there's a good chance it won't have that information and it'll be replayed). That means the monitor is theoretically "in charge" of resolving the HTLCs in question. While I think this patch is correct, I'm a bit hesitant to end up with two things in charge of resolving a specific HTLC. ISTM it also wouldn't be so complicated to immediately mark HTLCs as failed in the monitor upon receiving updates that try to add new HTLCs after a channel has been closed.

[joostjager]

ISTM it also wouldn't be so complicated to immediately mark HTLCs as failed in the monitor upon receiving updates that try to add new HTLCs after a channel has been closed.

Isn't the problem with this that the monitor can't see whether the commitment was already sent to the peer or blocked by async persistence?

[TheBlueMatt]

Right, the monitor has to assume it may have been sent to the peer. That's fine, though, it should be able to fail the HTLC(s) once the commitment transaction is locked.

[joostjager]

Hmm, it seems that the original issue isn't an issue then. I confirmed that mining the force close commitment tx indeed generates the payment failed event. Or is there still something missing?

[TheBlueMatt]

In the general case (ChannelMonitor in-memory in the same machine that runs ChannelManager) I believe there is not a runtime issue, no. I was thinking you'd identified an issue in the crash case, though (where we crash without persisting the monitor update and on restart lose it) but actually I'm not sure this is any different from existing payments logic - if you start a payment and nothing persists on restart its expected to be gone and downstream code has to handle that.

[joostjager]

The one that I identified wasn't a crash case. An assertion in the fuzzer identified that a payment was lost, but with current understanding I think it's just that the fuzzer didn't push the force-close forward enough (mine). Will close it for now and can look again if the payment remains lost even with confirmation of the commit tx. Unit test did confirm that it should just work.

[joostjager]

Reopening as this fix is now required for #4351.

[joostjager]

Hmmmmmmmmm, its really not quite so simple. If a monitor update is InProgress we generally expect the in-memory ChannelMonitor to have actually seen the new state update (though we expect that on restart there's a good chance it won't have that information and it'll be replayed). That means the monitor is theoretically "in charge" of resolving the HTLCs in question. While I think this patch is correct, I'm a bit hesitant to end up with two things in charge of resolving a specific HTLC. ISTM it also wouldn't be so complicated to immediately mark HTLCs as failed in the monitor upon receiving updates that try to add new HTLCs after a channel has been closed.

Now that we've decided that for deferred writes we no longer want to expect the in-memory ChannelMonitor to have seen the changes, I think the above doesn't apply anymore, and we might have to accept that two things are in charge for resolving a specific HTLC.

[TheBlueMatt]

Now that we've decided that for deferred writes we no longer want to expect the in-memory ChannelMonitor to have seen the changes, I think the above doesn't apply anymore, and we might have to accept that two things are in charge for resolving a specific HTLC.

I don't think so. Instead, what we'll need to do is detect a new local counterparty state ChannelMontiorUpdate after the channel has close and track it to fail the HTLCs from it once the commitment transaction has 6 confs.

[TheBlueMatt]

Oh actually no I don't think we need to wait for 6 confs since we never sent the message, ie we can fail it immediately.

[joostjager]

Oh actually no I don't think we need to wait for 6 confs since we never sent the message, ie we can fail it immediately.

Does the monitor know that a message was never sent? #4434 (comment) suggests that we should assume we did send.

I steered Claude to a potential fix: main...joostjager:rust-lightning:chain-mon-internal-deferred-writes-fix-contract. I based it on the deferred writes branch so that tests can get delayed in-memory updates.

Is this the direction you have in mind? It is unfortunate that we need to add this extra logic to a system that is already complicated.

[TheBlueMatt]

Okay two more commits then the last commit looks good, will circle back to the dependent PR so we can land the stack.

[ldk-reviews-bot]

🔔 1st Reminder

Hey @wpaulino! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 1st Reminder

Hey @wpaulino! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 2nd Reminder

Hey @wpaulino! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 3rd Reminder

Hey @wpaulino! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[wpaulino]

LGTM, though CI is sad likely due to the failed_back_htlc_ids change.

[joostjager]

The round-trip check failed because failed_back_htlc_ids is not serialized. We work around it by temporarily copying the set onto the deserialized monitor before comparison, then clearing it. It's ugly but avoids modifying production code beyond making the field pub(crate).

[ldk-claude-review-bot]

In release builds, this silently returns without logging when count exceeds the queue length. This can happen if flush is called concurrently (e.g., from TestChainMonitor::release_pending_monitor_events auto-flush racing with the background processor's explicit flush). A log_error! before the return would make such races observable in production, rather than silently under-flushing:

Suggested change

	None => {
	debug_assert!(false, "flush count exceeded queue length");
	return;
	},
	None => {
	debug_assert!(false, "flush count exceeded queue length");
	log_error!(logger, "flush count exceeded queue length");
	return;
	},

[joostjager]

ADded

[ldk-claude-review-bot]

Automated Review

After thorough analysis of the deferred monitor operation queuing/flushing mechanism and the fail_htlcs_from_update_after_funding_spend HTLC failure logic, the core correctness of this PR holds up well. Lock ordering is consistent (pending_ops → monitors), the is_source_known check correctly identifies pre-existing HTLCs via prev_counterparty_commitment_txid, and the BackgroundProcessor integration properly ensures CM persistence before monitor flush.

Prior review comments about the breaking public API (ChainMonitor::new signature change), lock contention during NewMonitor flush (holding pending_ops across persistence I/O), repeated Transaction cloning inside the HTLC failure loop, and missing defensive validation in the deferred update_channel path still apply.

No new major issues found in this pass.

🤖 Generated with Claude Code

[TheBlueMatt]

I think feel free to squash so we can land this. Claude had one comment that might be worth fixing, up to you.

[joostjager]

Squashed, but needs to be rebased after #4351. Added the Claude suggestion to also log excessive flush count.

[ldk-claude-review-bot]

Nit/perf: pending_spend_entry.clone().unwrap() is called inside the per-HTLC loop, cloning the Option<Transaction> each iteration. For a commitment with many HTLCs, this does N clones of potentially large transaction data. Consider destructuring once before the loop:

Suggested change

	let (txid, transaction, height, block_hash) = pending_spend_entry.clone().unwrap();
	let pending_data = pending_spend_entry.clone();
	for (source, payment_hash, amount_msat) in htlcs {
	if is_source_known(source) {
	continue;
	}
	if self.counterparty_fulfilled_htlcs.get(&SentHTLCId::from_source(source)).is_some() {
	continue;
	}
	let htlc_value_satoshis = Some(amount_msat / 1000);
	let logger = WithContext::from(logger, None, None, Some(payment_hash));
	// Defensively mark the HTLC as failed back so the expiry-based failure
	// path in `block_connected` doesn't generate a duplicate `HTLCUpdate`
	// event for the same source.
	self.failed_back_htlc_ids.insert(SentHTLCId::from_source(source));
	if let Some(confirmed_txid) = self.funding_spend_confirmed {

Or alternatively, extract the pending_data tuple once and clone only transaction per entry (Txid and BlockHash are Copy).

[ldk-claude-review-bot]

The deferred update_channel path blindly queues without checking whether channel_id exists in self.monitors or has a corresponding NewMonitor in pending_ops. Compare with watch_channel which carefully validates against both.

While the ChannelManager guarantees ordering (always watch_channel before update_channel), an explicit check here would catch bugs earlier — especially since update_channel_internal panics in debug builds if the monitor doesn't exist, and that panic would be deferred to flush time (far from the call site), making it harder to diagnose.

Consider adding a debug_assert! that the channel_id is either in self.monitors or has a pending NewMonitor:

debug_assert!(
    self.monitors.read().unwrap().contains_key(&channel_id)
        || pending_ops.iter().any(|op| matches!(op, PendingMonitorOp::NewMonitor { channel_id: id, .. } if *id == channel_id)),
    "update_channel called for unknown channel"
);

[ldk-claude-review-bot]

The is_source_known closure only checks prev_counterparty_commitment_txid (what was current before this update), not all entries in counterparty_claimable_outpoints. The comment at line 4413 explains the reasoning, and the holder commitment fallback covers additional cases.

Just want to confirm a subtle assumption: this correctness relies on the fact that the monitor always holds the immediately-prior counterparty commitment in prev after the update is applied (line 3502). If a single ChannelMonitorUpdate ever contained two LatestCounterpartyCommitment steps, the second step's iteration here would check prev (which is now the first step's commitment, not the original pre-batch state), and HTLCs from the first step would appear "known" even if they were truly new. The code is correct as long as each ChannelMonitorUpdate contains at most one counterparty commitment step — is that guaranteed at the ChannelManager level?