Check funding txout format when transaction is confirmed in channel

Author: TheBlueMatt

fuzz/fuzz_targets/channel_target.rs

@@ -3,7 +3,7 @@ extern crate lightning;
 extern crate secp256k1;
 
 use bitcoin::blockdata::block::BlockHeader;
-use bitcoin::blockdata::transaction::Transaction;
+use bitcoin::blockdata::transaction::{Transaction, TxOut};
 use bitcoin::util::hash::Sha256dHash;
 use bitcoin::network::serialize::{serialize, BitcoinHash};
 
@@ -166,18 +166,22 @@ pub fn do_test(data: &[u8]) {
 
 	let their_pubkey = get_pubkey!();
 
-	let tx = Transaction { version: 0, lock_time: 0, input: Vec::new(), output: Vec::new() };
-	let funding_output = (Sha256dHash::from_data(&serialize(&tx).unwrap()[..]), 0);
+	let mut tx = Transaction { version: 0, lock_time: 0, input: Vec::new(), output: Vec::new() };
 
 	let mut channel = if get_slice!(1)[0] != 0 {
-		let mut chan = Channel::new_outbound(&fee_est, their_pubkey, slice_to_be24(get_slice!(3)), get_slice!(1)[0] == 0, slice_to_be64(get_slice!(8)));
+		let chan_value = slice_to_be24(get_slice!(3));
+		let mut chan = Channel::new_outbound(&fee_est, their_pubkey, chan_value, get_slice!(1)[0] == 0, slice_to_be64(get_slice!(8)));
 		chan.get_open_channel(Sha256dHash::from(get_slice!(32)), &fee_est).unwrap();
 		let accept_chan = if get_slice!(1)[0] == 0 {
 			decode_msg_with_len16!(msgs::AcceptChannel, 270, 1)
 		} else {
 			decode_msg!(msgs::AcceptChannel, 270)
 		};
 		return_err!(chan.accept_channel(&accept_chan));
+
+		tx.output.push(TxOut{ value: chan_value, script_pubkey: chan.get_funding_redeemscript().to_v0_p2wsh() });
+		let funding_output = (Sha256dHash::from_data(&serialize(&tx).unwrap()[..]), 0);
+
 		chan.get_outbound_funding_created(funding_output.0.clone(), funding_output.1).unwrap();
 		let funding_signed = decode_msg!(msgs::FundingSigned, 32+64);
 		return_err!(chan.funding_signed(&funding_signed));
@@ -193,6 +197,10 @@ pub fn do_test(data: &[u8]) {
 			Err(_) => return,
 		};
 		chan.get_accept_channel().unwrap();
+
+		tx.output.push(TxOut{ value: open_chan.funding_satoshis, script_pubkey: chan.get_funding_redeemscript().to_v0_p2wsh() });
+		let funding_output = (Sha256dHash::from_data(&serialize(&tx).unwrap()[..]), 0);
+
 		let mut funding_created = decode_msg!(msgs::FundingCreated, 32+32+2+64);
 		funding_created.funding_txid = funding_output.0.clone();
 		funding_created.funding_output_index = funding_output.1;

src/ln/channel.rs

@@ -1639,10 +1639,16 @@ impl Channel {
 		if non_shutdown_state & !(ChannelState::TheirFundingLocked as u32) == ChannelState::FundingSent as u32 {
 			for (ref tx, index_in_block) in txn_matched.iter().zip(indexes_of_txn_matched) {
 				if tx.txid() == self.channel_monitor.get_funding_txo().unwrap().0 {
-					self.funding_tx_confirmations = 1;
-					self.short_channel_id = Some(((height as u64)          << (5*8)) |
-					                             ((*index_in_block as u64) << (2*8)) |
-					                             ((self.channel_monitor.get_funding_txo().unwrap().1 as u64) << (2*8)));
+					let txo_idx = self.channel_monitor.get_funding_txo().unwrap().1 as usize;
+					if txo_idx >= tx.output.len() || tx.output[txo_idx].script_pubkey != self.get_funding_redeemscript().to_v0_p2wsh() ||
+						tx.output[txo_idx].value != self.channel_value_satoshis {
+						self.channel_state = ChannelState::ShutdownComplete as u32;
+					} else {
+						self.funding_tx_confirmations = 1;
+						self.short_channel_id = Some(((height as u64)          << (5*8)) |
+						                             ((*index_in_block as u64) << (2*8)) |
+						                             ((self.channel_monitor.get_funding_txo().unwrap().1 as u64) << (2*8)));
+					}
 				}
 			}
 		}

src/ln/channelmanager.rs

@@ -906,6 +906,7 @@ impl ChainListener for ChannelManager {
 					},
 					None => {}
 				}
+				//TODO: Check if channel was closed (or disabled) here
 			}
 			for to_insert in short_to_ids_to_insert {
 				channel_state.short_to_id.insert(to_insert.0, to_insert.1);
@@ -1496,7 +1497,7 @@ mod tests {
 	use bitcoin::util::hash::Sha256dHash;
 	use bitcoin::util::uint::Uint256;
 	use bitcoin::blockdata::block::BlockHeader;
-	use bitcoin::blockdata::transaction::Transaction;
+	use bitcoin::blockdata::transaction::{Transaction, TxOut};
 	use bitcoin::network::constants::Network;
 	use bitcoin::network::serialize::serialize;
 	use bitcoin::network::serialize::BitcoinHash;
@@ -1680,16 +1681,21 @@ mod tests {
 		node_a.handle_accept_channel(&node_b.get_our_node_id(), &accept_chan).unwrap();
 
 		let chan_id = unsafe { CHAN_COUNT };
-		let tx = Transaction { version: chan_id as u32, lock_time: 0, input: Vec::new(), output: Vec::new() };
-		let funding_output = (Sha256dHash::from_data(&serialize(&tx).unwrap()[..]), chan_id);
+		let tx;
+		let funding_output;
 
 		let events_1 = node_a.get_and_clear_pending_events();
 		assert_eq!(events_1.len(), 1);
 		match events_1[0] {
-			Event::FundingGenerationReady { ref temporary_channel_id, ref channel_value_satoshis, output_script: _, user_channel_id } => {
+			Event::FundingGenerationReady { ref temporary_channel_id, ref channel_value_satoshis, ref output_script, user_channel_id } => {
 				assert_eq!(*channel_value_satoshis, 100000);
 				assert_eq!(user_channel_id, 42);
 
+				tx = Transaction { version: chan_id as u32, lock_time: 0, input: Vec::new(), output: vec![TxOut {
+					value: *channel_value_satoshis, script_pubkey: output_script.clone(),
+				}]};
+				funding_output = (Sha256dHash::from_data(&serialize(&tx).unwrap()[..]), 0);
+
 				node_a.funding_transaction_generated(&temporary_channel_id, funding_output.clone());
 				//TODO: Check that we got added to chan_monitor_a!
 			},