Preserve anchor reserve during RBF

RBF can spend fee increases from the original transaction's change
output.

Check the replacement fee increase against the current anchor-channel
reserve before signing. This prevents high manual fee rates from
consuming funds reserved for anchor spends.

This finding was discovered by Project Loupe.

Co-Authored-By: HAL 9000

Author: tnull

src/payment/onchain.rs

@@ -134,11 +134,18 @@ impl OnchainPayment {
 	/// The new transaction will have the same outputs as the original but with a
 	/// higher fee, resulting in faster confirmation potential.
 	///
+	/// This will respect any on-chain reserve we need to keep, i.e., won't allow to cut into
+	/// [`BalanceDetails::total_anchor_channels_reserve_sats`].
+	///
 	/// Returns the [`Txid`] of the new replacement transaction if successful.
+	///
+	/// [`BalanceDetails::total_anchor_channels_reserve_sats`]: crate::BalanceDetails::total_anchor_channels_reserve_sats
 	pub fn bump_fee_rbf(
 		&self, payment_id: PaymentId, fee_rate: Option<FeeRate>,
 	) -> Result<Txid, Error> {
+		let cur_anchor_reserve_sats =
+			crate::total_anchor_channels_reserve_sats(&self.channel_manager, &self.config);
 		let fee_rate_opt = maybe_map_fee_rate_opt!(fee_rate);
-		self.wallet.bump_fee_rbf(payment_id, fee_rate_opt)
+		self.wallet.bump_fee_rbf(payment_id, fee_rate_opt, cur_anchor_reserve_sats)
 	}
 }

src/wallet/mod.rs

@@ -1259,7 +1259,7 @@ impl Wallet {
 
 	#[allow(deprecated)]
 	pub(crate) fn bump_fee_rbf(
-		&self, payment_id: PaymentId, fee_rate: Option<FeeRate>,
+		&self, payment_id: PaymentId, fee_rate: Option<FeeRate>, cur_anchor_reserve_sats: u64,
 	) -> Result<Txid, Error> {
 		let payment = self.payment_store.get(&payment_id).ok_or_else(|| {
 			log_error!(self.logger, "Payment {} not found in payment store", payment_id);
@@ -1407,6 +1407,41 @@ impl Wallet {
 			}?
 		};
 
+		let old_fee_sats = locked_wallet
+			.calculate_fee(&old_tx)
+			.map_err(|e| {
+				log_error!(self.logger, "Failed to calculate fee of transaction {}: {}", txid, e);
+				Error::WalletOperationFailed
+			})?
+			.to_sat();
+		let replacement_fee_sats = locked_wallet
+			.calculate_fee(&psbt.unsigned_tx)
+			.map_err(|e| {
+				log_error!(
+					self.logger,
+					"Failed to calculate fee of replacement transaction for {}: {}",
+					txid,
+					e
+				);
+				Error::WalletOperationFailed
+			})?
+			.to_sat();
+		let additional_fee_sats = replacement_fee_sats.saturating_sub(old_fee_sats);
+		let balance = locked_wallet.balance();
+		let spendable_amount_sats =
+			self.get_balances_inner(balance, cur_anchor_reserve_sats).map(|(_, s)| s).unwrap_or(0);
+		if spendable_amount_sats < additional_fee_sats {
+			log_error!(
+				self.logger,
+				"Unable to bump fee due to insufficient reserve-preserving funds. \
+					Available: {}sats, required additional fee: {}sats, reserve: {}sats",
+				spendable_amount_sats,
+				additional_fee_sats,
+				cur_anchor_reserve_sats,
+			);
+			return Err(Error::InsufficientFunds);
+		}
+
 		match locked_wallet.sign(&mut psbt, SignOptions::default()) {
 			Ok(finalized) => {
 				if !finalized {

tests/integration_tests_rust.rs

@@ -2920,6 +2920,55 @@ async fn onchain_fee_bump_rbf() {
 	assert_eq!(node_a_received_payment[0].status, PaymentStatus::Succeeded);
 }
 
+#[tokio::test(flavor = "multi_thread", worker_threads = 1)]
+async fn onchain_fee_bump_rbf_respects_anchor_reserve() {
+	let (bitcoind, electrsd) = setup_bitcoind_and_electrsd();
+	let chain_source = random_chain_source(&bitcoind, &electrsd);
+	let (node_a, node_b) = setup_two_nodes(&chain_source, false, true, false);
+
+	let addr_a = node_a.onchain_payment().new_address().unwrap();
+	let addr_b = node_b.onchain_payment().new_address().unwrap();
+
+	let premine_amount_sat = 1_000_000;
+	premine_and_distribute_funds(
+		&bitcoind.client,
+		&electrsd.client,
+		vec![addr_a.clone(), addr_b],
+		Amount::from_sat(premine_amount_sat),
+	)
+	.await;
+
+	node_a.sync_wallets().unwrap();
+	node_b.sync_wallets().unwrap();
+
+	open_channel(&node_b, &node_a, 200_000, false, &electrsd).await;
+	generate_blocks_and_wait(&bitcoind.client, &electrsd.client, 6).await;
+	node_a.sync_wallets().unwrap();
+	node_b.sync_wallets().unwrap();
+	expect_channel_ready_event!(node_b, node_a.node_id());
+
+	let balances_before = node_b.list_balances();
+	let reserve = balances_before.total_anchor_channels_reserve_sats;
+	assert!(reserve > 0, "Anchor reserve should be non-zero after channel open");
+	let spendable_before = balances_before.spendable_onchain_balance_sats;
+
+	let buffer_sats = 5_000;
+	assert!(spendable_before > buffer_sats);
+	let amount_to_send_sats = spendable_before - buffer_sats;
+	let txid =
+		node_b.onchain_payment().send_to_address(&addr_a, amount_to_send_sats, None).unwrap();
+	wait_for_tx(&electrsd.client, txid).await;
+	tokio::time::sleep(std::time::Duration::from_secs(5)).await;
+	node_b.sync_wallets().unwrap();
+
+	let payment_id = PaymentId(txid.to_byte_array());
+	let high_fee_rate = bitcoin::FeeRate::from_sat_per_kwu(20_000);
+	assert_eq!(
+		Err(NodeError::InsufficientFunds),
+		node_b.onchain_payment().bump_fee_rbf(payment_id, Some(high_fee_rate))
+	);
+}
+
 #[tokio::test(flavor = "multi_thread", worker_threads = 1)]
 async fn open_channel_with_all_with_anchors() {
 	let (bitcoind, electrsd) = setup_bitcoind_and_electrsd();