Only generate a post-close lock ChannelMonitorUpdate if we need one

TheBlueMatt · TheBlueMatt · commit 6749a0767469 · 2025-03-05T18:26:33.000Z
If a channel is closed on startup, but we find that the
`ChannelMonitor` isn't aware of this, we generate a
`ChannelMonitorUpdate` containing a
`ChannelMonitorUpdateStep::ChannelForceClosed`. This ensures that
the `ChannelMonitor` will not accept any future updates in case we
somehow load up a previous `ChannelManager` (though that really
shouldn't happen).

Previously, we'd apply this update only if we detected that the
`ChannelManager` had not yet informed the `ChannelMonitor` about
the channel's closure, even if the `ChannelMonitor` would already
refuse any other updates because it detected a channel closure
on chain.

This doesn't accomplish anything but an extra I/O write, so we
remove it here.

Further, a user reported that, in regtest, they could:
 (a) coop close a channel (not generating a `ChannelMonitorUpdate`)
 (b) wait just under 4032 blocks (on regtest, taking only a day)
 (c) restart the `ChannelManager`, generating the above update
 (d) connect a block or two (during the startup sequence), making
     the `ChannelMonitor` eligible for archival,
 (d) restart the `ChannelManager` again (without applying the
     update from (c), but after having archived the
     `ChannelMonitor`, leading to a failure to deserialize as we
     have a pending `ChannelMonitorUpdate` for a `ChannelMonitor`
     that has been archived.

Though it seems very unlikely this would happen on mainnet, it is
theoretically possible.
diff --git a/lightning/src/chain/channelmonitor.rs b/lightning/src/chain/channelmonitor.rs
@@ -1737,10 +1737,14 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitor<Signer> {
 		self.inner.lock().unwrap().get_cur_holder_commitment_number()
 	}
 
-	/// Gets whether we've been notified that this channel is closed by the `ChannelManager` (i.e.
-	/// via a [`ChannelMonitorUpdateStep::ChannelForceClosed`]).
-	pub(crate) fn offchain_closed(&self) -> bool {
-		self.inner.lock().unwrap().lockdown_from_offchain
+	/// Fetches whether this monitor has marked the channel as closed and will refuse any further
+	/// updates to the commitment transactions.
+	///
+	/// It can be marked closed in a few different ways, including via a
+	/// [`ChannelMonitorUpdateStep::ChannelForceClosed`] or if the channel has been closed
+	/// on-chain.
+	pub(crate) fn no_further_updates_allowed(&self) -> bool {
+		self.inner.lock().unwrap().no_further_updates_allowed()
 	}
 
 	/// Gets the `node_id` of the counterparty for this channel.
@@ -3278,12 +3282,16 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 			}
 		}
 
-		if ret.is_ok() && (self.funding_spend_seen || self.lockdown_from_offchain || self.holder_tx_signed) && is_pre_close_update {
+		if ret.is_ok() && self.no_further_updates_allowed() && is_pre_close_update {
 			log_error!(logger, "Refusing Channel Monitor Update as counterparty attempted to update commitment after funding was spent");
 			Err(())
 		} else { ret }
 	}
 
+	fn no_further_updates_allowed(&self) -> bool {
+		self.funding_spend_seen || self.lockdown_from_offchain || self.holder_tx_signed
+	}
+
 	fn get_latest_update_id(&self) -> u64 {
 		self.latest_update_id
 	}
@@ -4227,7 +4235,7 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 			}
 		}
 
-		if self.lockdown_from_offchain || self.funding_spend_seen || self.holder_tx_signed {
+		if self.no_further_updates_allowed() {
 			// Fail back HTLCs on backwards channels if they expire within
 			// `LATENCY_GRACE_PERIOD_BLOCKS` blocks and the channel is closed (i.e. we're at a
 			// point where no further off-chain updates will be accepted). If we haven't seen the
diff --git a/lightning/src/ln/channelmanager.rs b/lightning/src/ln/channelmanager.rs
@@ -13364,8 +13364,8 @@ where
 					// claim.
 					// Note that a `ChannelMonitor` is created with `update_id` 0 and after we
 					// provide it with a closure update its `update_id` will be at 1.
-					if !monitor.offchain_closed() || monitor.get_latest_update_id() > 1 {
-						should_queue_fc_update = !monitor.offchain_closed();
+					if !monitor.no_further_updates_allowed() || monitor.get_latest_update_id() > 1 {
+						should_queue_fc_update = !monitor.no_further_updates_allowed();
 						let mut latest_update_id = monitor.get_latest_update_id();
 						if should_queue_fc_update {
 							latest_update_id += 1;

Original file line number	Diff line number	Diff line change
`@@ -1737,10 +1737,14 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitor<Signer> {`
`1737`	`1737`	`self.inner.lock().unwrap().get_cur_holder_commitment_number()`
`1738`	`1738`	`}`
`1739`	`1739`
`1740`		- /// Gets whether we've been notified that this channel is closed by the `ChannelManager` (i.e.
`1741`		- /// via a [`ChannelMonitorUpdateStep::ChannelForceClosed`]).
`1742`		`- pub(crate) fn offchain_closed(&self) -> bool {`
`1743`		`- self.inner.lock().unwrap().lockdown_from_offchain`
	`1740`	`+ /// Fetches whether this monitor has marked the channel as closed and will refuse any further`
	`1741`	`+ /// updates to the commitment transactions.`
	`1742`	`+ ///`
	`1743`	`+ /// It can be marked closed in a few different ways, including via a`
	`1744`	+ /// [`ChannelMonitorUpdateStep::ChannelForceClosed`] or if the channel has been closed
	`1745`	`+ /// on-chain.`
	`1746`	`+ pub(crate) fn no_further_updates_allowed(&self) -> bool {`
	`1747`	`+ self.inner.lock().unwrap().no_further_updates_allowed()`
`1744`	`1748`	`}`
`1745`	`1749`
`1746`	`1750`	/// Gets the `node_id` of the counterparty for this channel.
`@@ -3278,12 +3282,16 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {`
`3278`	`3282`	`}`
`3279`	`3283`	`}`
`3280`	`3284`
`3281`		`- if ret.is_ok() && (self.funding_spend_seen \|\| self.lockdown_from_offchain \|\| self.holder_tx_signed) && is_pre_close_update {`
	`3285`	`+ if ret.is_ok() && self.no_further_updates_allowed() && is_pre_close_update {`
`3282`	`3286`	`log_error!(logger, "Refusing Channel Monitor Update as counterparty attempted to update commitment after funding was spent");`
`3283`	`3287`	`Err(())`
`3284`	`3288`	`} else { ret }`
`3285`	`3289`	`}`
`3286`	`3290`
	`3291`	`+ fn no_further_updates_allowed(&self) -> bool {`
	`3292`	`+ self.funding_spend_seen \|\| self.lockdown_from_offchain \|\| self.holder_tx_signed`
	`3293`	`+ }`
	`3294`	`+`
`3287`	`3295`	`fn get_latest_update_id(&self) -> u64 {`
`3288`	`3296`	`self.latest_update_id`
`3289`	`3297`	`}`
`@@ -4227,7 +4235,7 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {`
`4227`	`4235`	`}`
`4228`	`4236`	`}`
`4229`	`4237`
`4230`		`- if self.lockdown_from_offchain \|\| self.funding_spend_seen \|\| self.holder_tx_signed {`
	`4238`	`+ if self.no_further_updates_allowed() {`
`4231`	`4239`	`// Fail back HTLCs on backwards channels if they expire within`
`4232`	`4240`	// `LATENCY_GRACE_PERIOD_BLOCKS` blocks and the channel is closed (i.e. we're at a
`4233`	`4241`	`// point where no further off-chain updates will be accepted). If we haven't seen the`