Skip to content

Fix update_id gap during force_shutdown #3858

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 24, 2025
Merged

Fix update_id gap during force_shutdown #3858

merged 1 commit into from
Jun 24, 2025

Conversation

whfuyn
Copy link
Contributor

@whfuyn whfuyn commented Jun 13, 2025

When a channel is force-closed, there might be blocked monitor updates not yet applied. But latest_monitor_update_id has been incremented and assigned to these updates. This results in a panic when trying to apply the ChannelForceClosed update. Use the unblocked update id instead.

Resolves: #3857

@ldk-reviews-bot
Copy link

ldk-reviews-bot commented Jun 13, 2025
edited
Loading

👋 Thanks for assigning @TheBlueMatt as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

@ldk-reviews-bot ldk-reviews-bot requested a review from jkczyz June 13, 2025 14:42
wpaulino
wpaulino reviewed Jun 13, 2025
View reviewed changes
Copy link
Contributor

@wpaulino wpaulino left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! This should work, but do you mind including a test?

There are other scenarios where we also increment by 1, but those should not result in a panic as they are queued in blocked_monitor_updates. The force close update is the only one we let fly through regardless of blocked_monitor_updates.

@wpaulino wpaulino removed the request for review from jkczyz June 13, 2025 16:25
@whfuyn whfuyn force-pushed the fix-update-id-gap branch from 446155b to 5e6e74c Compare June 13, 2025 17:23
@whfuyn
Copy link
Contributor Author

whfuyn commented Jun 13, 2025

Got it! Will add a test later.

@codecov Codecov
Copy link

codecov bot commented Jun 13, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 89.62%. Comparing base (c48e0a8) to head (ceb5a55).
Report is 4 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3858      +/-   ##
==========================================
- Coverage   89.65%   89.62%   -0.04%     
==========================================
  Files         164      164              
  Lines      134658   134661       +3     
  Branches   134658   134661       +3     
==========================================
- Hits       120734   120688      -46     
- Misses      11246    11292      +46     
- Partials     2678     2681       +3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

TheBlueMatt
TheBlueMatt previously approved these changes Jun 16, 2025
View reviewed changes
Copy link
Collaborator

@TheBlueMatt TheBlueMatt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. I think there's a few more changes I want to make to this pipeline but this change by itself looks good.

@wpaulino
Copy link
Contributor

@whfuyn do you mind rebasing this? We're going to merge this as is to include it in a release and follow up with a test later.

@whfuyn whfuyn force-pushed the fix-update-id-gap branch from 5e6e74c to 0866405 Compare June 24, 2025 04:06
@whfuyn
Fix update_id gap during force_shutdown
ceb5a55 
When a channel is force-closed, there might be blocked monitor updates
not yet applied. But `latest_monitor_update_id` has been incremented and
assigned to these updates. This results in a panic when trying to apply
the `ChannelForceClosed` update. Use the unblocked update id instead.

Resolves: lightningdevkit#3857
@whfuyn whfuyn force-pushed the fix-update-id-gap branch from 0866405 to ceb5a55 Compare June 24, 2025 04:11
@whfuyn
Copy link
Contributor Author

whfuyn commented Jun 24, 2025

@wpaulino Sorry for the late response.

I had some trouble constructing a proper test without using MPP or multi-hop payments. My original test that triggered this problem only involved sending payments between two nodes connected by a single direct channel. However, when I searched the code related to blocked_monitor_updates, it seems only MPP and multi-hop payments can cause monitor updates to be blocked. This feels strange.

I've rebased this PR.

@wpaulino
Copy link
Contributor

A revoke_and_ack monitor update can also become blocked until the PaymentSent event is handled.

@wpaulino wpaulino requested a review from TheBlueMatt June 24, 2025 17:54
@TheBlueMatt TheBlueMatt merged commit 0fe51c5 into lightningdevkit:main Jun 24, 2025
27 of 28 checks passed
@TheBlueMatt TheBlueMatt mentioned this pull request Jul 15, 2025
Merged
@TheBlueMatt
Copy link
Collaborator

Backported in #3932

TheBlueMatt added a commit to TheBlueMatt/rust-lightning that referenced this pull request Jul 24, 2025
@TheBlueMatt
Merge tag 'v0.1.5' into 2025-07-0.1.5-bindings
c106074 
v0.1.5 - Jul 16, 2025 - "Async Path Reduction"

Performance Improvements
========================

 * `NetworkGraph`'s expensive internal consistency checks have now been
   disabled in debug builds in addition to release builds (lightningdevkit#3687).

Bug Fixes
=========

 * Pathfinding which results in a multi-path payment is now substantially
   smarter, using fewer paths and better optimizing fees and successes (lightningdevkit#3890).
 * A counterparty delaying claiming multiple HTLCs with different expiries can
   no longer cause our `ChannelMonitor` to continuously rebroadcast invalid
   transactions or RBF bump attempts (lightningdevkit#3923).
 * Reorgs can no longer cause us to fail to claim HTLCs after a counterparty
   delayed claiming multiple HTLCs with different expiries (lightningdevkit#3923).
 * Force-closing a channel while it is blocked on another channel's async
   `ChannelMonitorUpdate` can no longer lead to a panic (lightningdevkit#3858).
 * `ChannelMonitorUpdate`s can no longer be released to storage too early when
   doing async updates or on restart. This only impacts async
   `ChannelMonitorUpdate` persistence and can lead to loss of funds only in rare
   cases with `ChannelMonitorUpdate` persistence order inversions (lightningdevkit#3907).

Security
========

0.1.5 fixes a vulnerability which could allow a peer to overdraw their reserve
value, potentially cutting into commitment transaction fees on channels with a
low reserve.
 * Due to a bug in checking whether an HTLC is dust during acceptance, near-dust
   HTLCs were not counted towards the commitment transaction fee, but did
   eventually contribute to it when we built a commitment transaction. This can
   be used by a counterparty to overdraw their reserve value, or, for channels
   with a low reserve value, cut into the commitment transaction fee (lightningdevkit#3933).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@TheBlueMatt TheBlueMatt TheBlueMatt approved these changes

@wpaulino wpaulino wpaulino approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Panic when applying monitor update during channel force close
4 participants
@whfuyn @ldk-reviews-bot @wpaulino @TheBlueMatt