Don't trim HTLCs when calculating the commit tx fee including the fee spike multiple

[tankyleo]

We previously accounted for HTLC trims at the spiked feerate when calculating the reserved commitment transaction fees.

This could cause an underestimate of the real current commitment fee at the current channel feerate. This is because a 2x increase in the feerate could trim enough HTLCs to result in a smaller commitment transaction fee.

Also, the previous code only reserved the fee for an exact 2x increase in the feerate, instead of reserving the fee for any increase in the feerate between 1x to 2x.

Fixes #4563.

[ldk-reviews-bot]

👋 Thanks for assigning @carlaKC as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

[codecov]

Codecov Report

❌ Patch coverage is 94.44444% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.40%. Comparing base (964a84f) to head (deb51ae).
⚠️ Report is 76 commits behind head on main.

Files with missing lines	Patch %	Lines
lightning/src/ln/channel.rs	84.21%	2 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4574      +/-   ##
==========================================
+ Coverage   86.18%   86.40%   +0.22%     
==========================================
  Files         156      158       +2     
  Lines      108528   109127     +599     
  Branches   108528   109127     +599     
==========================================
+ Hits        93532    94295     +763     
+ Misses      12386    12288      -98     
+ Partials     2610     2544      -66     

Flag	Coverage Δ
fuzzing-fake-hashes	5.09% <0.00%> (?)
fuzzing-real-hashes	22.78% <84.90%> (?)
tests	86.13% <94.44%> (-0.05%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ldk-claude-review-bot]

The is_outbound_from_holder guard has been removed from the spiked feerate calculation. Previously, only the channel funder (outbound) applied the 2x fee spike buffer here; now it applies to both funder and fundee channels.

This is a behavioral change beyond the stated fix: for non-anchor inbound (fundee) channels, spiked_feerate was previously just feerate_per_kw, and now it's feerate_per_kw * 2. This affects downstream calculations including:

• local_max_commit_tx_fee_sat / local_min_commit_tx_fee_sat (though only used in the outbound branch)
• get_next_splice_out_maximum_sat (uses spiked_feerate for the has_output check)
• Both adjust_boundaries_if_max_dust_htlc_produces_no_output calls (now use 2x feerate for inbound channels)

This makes capacity reporting more conservative for fundee channels, which may be intentional (aligning reported capacity with what can_accept_incoming_htlc actually accepts). If so, it would be good to mention this in the PR description / commit message as a deliberate secondary change.

[ldk-claude-review-bot]

Identifying HTLCs by hardcoded first-byte values of payment hashes (0x75, 0x64, 0x72, 0x66) is fragile. This depends on the internal deterministic hash generation of the test framework, and will panic at the unwrap() if the test infrastructure changes how payment hashes are derived.

Consider tracking payment hashes directly from the route_payment return values instead. For example, store them in a Vec as they are created, and reference them by index to build htlcs_in_tx.

[ldk-claude-review-bot]

I've completed a thorough re-review of the entire PR diff, examining every changed file and hunk. I verified the core logic, all caller sites, parameter threading, and test correctness.

Review Summary

No new bugs or security issues found beyond what was flagged in prior review comments.

Prior inline comments (already posted)

• lightning/src/sign/tx_builder.rs:469 — Behavioral change: spiked feerate now applies to inbound (fundee) channels in get_next_commitment_stats via assume_fee_spike, not just outbound channels
• lightning/src/ln/htlc_reserve_unit_tests.rs:3738 — Fragile hardcoded payment hash first-byte matching (0x75, 0x64, 0x72, 0x66)
• lightning/src/ln/htlc_reserve_unit_tests.rs:3446 — Test DUST_LIMIT_MSAT / scenario coverage question (may be resolved if the constant was corrected since the prior review)
• lightning/src/ln/htlc_reserve_unit_tests.rs:3501 — Comment corrections

Verification of correctness

1. Two-step check in get_next_commitment_stats: Step 1 (has_output) correctly uses spiked_nondust_htlc_count with spiked_feerate. Step 2 (fee affordability) correctly uses nondust_htlc_count (base feerate) with spiked_feerate. The math is sound: since nondust_htlc_count >= spiked_nondust_htlc_count and spiked_feerate >= f for all f in [1x, 2x], commit_tx_fee_sat(spiked_feerate, nondust_htlc_count + addl, ...) is an upper bound on the fee at any intermediate feerate.

2. get_available_balances changes: local_nondust_htlc_count (base feerate) correctly used for fee computation (local_max_commit_tx_fee_sat, local_min_commit_tx_fee_sat). local_spiked_nondust_htlc_count correctly used for has_output checks and boundary adjustments. Parameter reordering in adjust_boundaries_if_max_dust_htlc_produces_no_output correctly applied at both call sites.

3. PredictedNextFee safety: All callers that pass assume_fee_spike: true also pass addl_nondust_htlc_count >= 1, so the else branch re-queries with false, ensuring predicted fees match actual commitment fees.

4. manually_trigger_update_fail_htlc refactoring: Dynamic commitment numbers from signer state replace hardcoded INITIAL_COMMITMENT_NUMBER. Parameter change from channel_value_sat to value_to_self_msat is correctly plumbed from both callers.

Minor latent concern (not a current bug)

The PredictedNextFee test/fuzz assertion in get_next_local_commitment_stats / get_next_remote_commitment_stats implicitly requires that assume_fee_spike: true is never called with addl_nondust_htlc_count == 0 for non-anchor channels. If a future caller violates this, the stored commit_tx_fee_sat (at spiked feerate) would mismatch the actual commitment fee (at base feerate), causing a confusing assertion failure in build_commitment_transaction. A debug_assert!(!assume_fee_spike || addl_nondust_htlc_count > 0) in the test-only block would prevent this.

[joostjager]

Just noting that this is the last bigger PR that will make our fuzz tests green again

[ldk-reviews-bot]

🔔 1st Reminder

Hey @TheBlueMatt @carlaKC! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 1st Reminder

Hey @TheBlueMatt @carlaKC! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 2nd Reminder

Hey @TheBlueMatt @carlaKC! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[ldk-reviews-bot]

🔔 2nd Reminder

Hey @TheBlueMatt @carlaKC! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[TheBlueMatt]

didn't get through this yesterday but here's one comment.

[TheBlueMatt]

If the issue is just with legacy 0-reserve channels, should we not be restricting this more and maybe just banning 0-reserve non-anchor channels (seems kinda weird to do such a channel?).

[tankyleo]

I'd prefer to remove the if is_outbound_from_holder condition here rather than adding more checks to ban 0-reserve legacy channels.

[tankyleo]

I understand legacy 0-reserve channels are weird, but they still allow the fundee to spend all its balance so they do have their place I'm thinking.

[TheBlueMatt]

I mean other nodes are gonna start requiring anchors for all new channels (or already have?) and I kinda feel like we should be moving towards the same. I see the reason for them (I guess someone who doesn't want to deal with anchors but wants to have an LSP open to a client?) but non-anchors are just so borderline insecure...

[tankyleo]

See below I delete the first commit, and will add it to a standalone PR to ban legacy 0-reserve channels.

[TheBlueMatt]

Okay, yea, I think I'm good with this now. Needs a second reviewer tho.

[TheBlueMatt]

nit: can we call this something more descriptive? Like assuming_future_increased_feerate? I think the "fee spike multiple" is a bit of an inside-LDK thing and we eventually want this API to be public.

[ldk-reviews-bot]

🔔 3rd Reminder

Hey @carlaKC! This PR has been waiting for your review.
Please take a look when you have a chance. If you're unable to review, please let us know so we can find another reviewer.

[carlaKC]

For my understanding: This is an upper bound of the most HTLCs we can have and the highest feerate we're accounting for, right? If HTLCs are trimmed by the higher spiked feerate, we wouldn't actually end up with local_nondust_htlc_count on the commitment (it would be less).

[tankyleo]

Yes it's the upper bound. In the worst case, the HTLCs only get trimmed at exactly 2x the feerate, but we bump to eg 1.9x.

If HTLCs are trimmed by the higher spiked feerate, we wouldn't actually end up with local_nondust_htlc_count on the commitment (it would be less).

Yes correct

[carlaKC]

nit: assume_fee_spike to use the same terminology that we have in the codebase about fee spike buffers?

[tankyleo]

Thanks addressed below