Skip to content

[0.2] Backport of #4580#4686

Open
tankyleo wants to merge 3 commits into
lightningdevkit:0.2from
tankyleo:2026-06-reserve-greater-than-channel-value
Open

[0.2] Backport of #4580#4686
tankyleo wants to merge 3 commits into
lightningdevkit:0.2from
tankyleo:2026-06-reserve-greater-than-channel-value

Conversation

@tankyleo

@tankyleo tankyleo commented Jun 12, 2026

Copy link
Copy Markdown
Contributor

No description provided.

tankyleo added 3 commits June 12, 2026 07:50
@tankyleo
Remove debug assert reachable if splicing a 0FC channel
c7a28da 
This was a drive-by fix in a4bf94a
@tankyleo
Error if the calculated v2 reserve is greater than the channel value
aabcbcc 
In 0FC channels, capping the reserve to the total value of the channel
allowed a splice initiator to withdraw past their reserve in case the
acceptor had no balance in the channel.

This is because the post-splice value of the channel was equal to the
initiator's post splice balance. Hence, this post splice balance always
matched the reserve, even though the reserve was below the dust limit.

The only thing that prevented the initiator from withdrawing all their
balance was the script dust limit check in
`interactivetxs::NegotiationContext::receive_tx_add_output`.

In case the splice acceptor had any balance in the channel, or there
were HTLCs in the channel, or the channel was not 0FC, the
splice initiator's post-splice balance was always below the full channel
value. Hence when the reserve was capped at the channel value, the
post-splice balance was always below the reserve, and the splice was
rejected.

Also, in `validate_splice_contributions`, to determine the
`counterparty_selected_channel_reserve`, we now read the holder's dust
limit from the context, instead of the current global constant.

Backport of 3835f84
@tankyleo
Error if the calculated v1 reserve is greater than the channel value
5eb859d 
We made the same change to the calculation of the v2 reserve in the
previous commit.

Backport of 53e156a

Here their `dust_limit_satoshis` can never be greater than
`MIN_THEIR_CHAN_RESERVE_SATOSHIS`, so by making sure that
`channel_value_satoshis` is greater than
`MIN_THEIR_CHAN_RESERVE_SATOSHIS`, we also make sure that
`channel_value_satoshis` is greater than their `dust_limit_satoshis`.
@ldk-reviews-bot

ldk-reviews-bot commented Jun 12, 2026
edited
Loading

Copy link
Copy Markdown

👋 Thanks for assigning @TheBlueMatt as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

@tankyleo tankyleo requested a review from TheBlueMatt June 12, 2026 08:01
@ldk-claude-review-bot

ldk-claude-review-bot commented Jun 12, 2026

Copy link
Copy Markdown
Collaborator

I reviewed all changes thoroughly. The reserve helper refactor (Result-returning, prop-millionths cap at 1M, removed cmp::min cap) is safe — return values are still bounded by channel_value_satoshis given the new Err guards. The dust-limit "crossover" (counterparty reserve ← holder dust limit, holder reserve ← counterparty dust limit) is applied consistently across FundingScope::for_splice, validate_splice_contributions, and new_inbound v2; the apparent swap in v2 inbound is a fix, not a regression. The .expect("ran in validate_splice_contributions") calls are safe — both splice call sites invoke validate_splice_contributions with identical contributions and post_channel_value before for_splice. All Result callers (prod + tests) handle the new error type, and the removed debug_assert in tx_builder.rs is a genuinely reachable assertion for 0FC splices.

No issues found.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@TheBlueMatt TheBlueMatt Awaiting requested review from TheBlueMatt

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tankyleo @ldk-reviews-bot @ldk-claude-review-bot