Re-validate contribution at quiescence time

Outbound HTLCs can be sent between funding_contributed and quiescence,
reducing the holder's balance. Re-validate the contribution when
quiescence is achieved and balances are stable. On failure, emit
SpliceFailed + DiscardFunding events and disconnect the peer so both
sides cleanly exit quiescence.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: jkczyz

lightning/src/ln/channel.rs

@@ -6796,24 +6796,30 @@ where
 		shutdown_result
 	}
 
+	/// Builds a [`SpliceFundingFailed`] from a contribution, filtering out inputs/outputs
+	/// that are still committed to a prior splice round.
+	fn splice_funding_failed_for(&self, contribution: FundingContribution) -> SpliceFundingFailed {
+		let (mut inputs, mut outputs) = contribution.into_contributed_inputs_and_outputs();
+		if let Some(ref pending_splice) = self.pending_splice {
+			for input in pending_splice.contributed_inputs() {
+				inputs.retain(|i| *i != input);
+			}
+			for output in pending_splice.contributed_outputs() {
+				outputs.retain(|o| o.script_pubkey != output.script_pubkey);
+			}
+		}
+		SpliceFundingFailed {
+			funding_txo: None,
+			channel_type: None,
+			contributed_inputs: inputs,
+			contributed_outputs: outputs,
+		}
+	}
+
 	fn quiescent_action_into_error(&self, action: QuiescentAction) -> QuiescentError {
 		match action {
 			QuiescentAction::Splice { contribution, .. } => {
-				let (mut inputs, mut outputs) = contribution.into_contributed_inputs_and_outputs();
-				if let Some(ref pending_splice) = self.pending_splice {
-					for input in pending_splice.contributed_inputs() {
-						inputs.retain(|i| *i != input);
-					}
-					for output in pending_splice.contributed_outputs() {
-						outputs.retain(|o| o.script_pubkey != output.script_pubkey);
-					}
-				}
-				QuiescentError::FailSplice(SpliceFundingFailed {
-					funding_txo: None,
-					channel_type: None,
-					contributed_inputs: inputs,
-					contributed_outputs: outputs,
-				})
+				QuiescentError::FailSplice(self.splice_funding_failed_for(contribution))
 			},
 			#[cfg(any(test, fuzzing, feature = "_test_utils"))]
 			QuiescentAction::DoNothing => QuiescentError::DoNothing,
@@ -13692,27 +13698,27 @@ where
 	#[rustfmt::skip]
 	pub fn stfu<L: Logger>(
 		&mut self, msg: &msgs::Stfu, logger: &L
-	) -> Result<Option<StfuResponse>, ChannelError> {
+	) -> Result<Option<StfuResponse>, (ChannelError, QuiescentError)> {
 		if self.context.channel_state.is_quiescent() {
-			return Err(ChannelError::Warn("Channel is already quiescent".to_owned()));
+			return Err((ChannelError::Warn("Channel is already quiescent".to_owned()), QuiescentError::DoNothing));
 		}
 		if self.context.channel_state.is_remote_stfu_sent() {
-			return Err(ChannelError::Warn(
+			return Err((ChannelError::Warn(
 				"Peer sent `stfu` when they already sent it and we've yet to become quiescent".to_owned()
-			));
+			), QuiescentError::DoNothing));
 		}
 
 		if !self.context.is_live() {
-			return Err(ChannelError::Warn(
+			return Err((ChannelError::Warn(
 				"Peer sent `stfu` when we were not in a live state".to_owned()
-			));
+			), QuiescentError::DoNothing));
 		}
 
 		if !self.context.channel_state.is_local_stfu_sent() {
 			if !msg.initiator {
-				return Err(ChannelError::WarnAndDisconnect(
+				return Err((ChannelError::WarnAndDisconnect(
 					"Peer sent unexpected `stfu` without signaling as initiator".to_owned()
-				));
+				), QuiescentError::DoNothing));
 			}
 
 			// We don't check `is_waiting_on_peer_pending_channel_update` prior to setting the flag
@@ -13742,9 +13748,9 @@ where
 			// have a monitor update pending if we've processed a message from the counterparty, but
 			// we don't consider this when becoming quiescent since the states are not mutually
 			// exclusive.
-			return Err(ChannelError::WarnAndDisconnect(
+			return Err((ChannelError::WarnAndDisconnect(
 				"Received counterparty stfu while having pending counterparty updates".to_owned()
-			));
+			), QuiescentError::DoNothing));
 		}
 
 		self.context.channel_state.clear_local_stfu_sent();
@@ -13757,14 +13763,40 @@ where
 		);
 
 		if is_holder_quiescence_initiator {
+			// Re-validate the contribution before consuming it. Outbound HTLCs may
+			// have been sent between funding_contributed and quiescence, reducing
+			// the holder's balance. If invalid, disconnect — peer_disconnected will
+			// abandon the quiescent action and emit SpliceFailed + DiscardFunding.
 			match self.quiescent_action.take() {
 				None => {
 					debug_assert!(false);
-					return Err(ChannelError::WarnAndDisconnect(
+					return Err((ChannelError::WarnAndDisconnect(
 						"Internal Error: Didn't have anything to do after reaching quiescence".to_owned()
-					));
+					), QuiescentError::DoNothing));
 				},
 				Some(QuiescentAction::Splice { contribution, locktime }) => {
+					// Re-validate the contribution now that we're quiescent and
+					// balances are stable. Outbound HTLCs may have been sent between
+					// funding_contributed and quiescence, reducing the holder's
+					// balance. If invalid, disconnect and return the contribution so
+					// the user can reclaim their inputs.
+					if let Err(e) = contribution.validate().and_then(|()| {
+						let our_funding_contribution = contribution.net_value();
+						self.validate_splice_contributions(
+							our_funding_contribution,
+							SignedAmount::ZERO,
+						)
+					}) {
+						let failed = self.splice_funding_failed_for(contribution);
+						return Err((
+							ChannelError::WarnAndDisconnect(format!(
+								"Channel {} contribution no longer valid at quiescence: {}",
+								self.context.channel_id(),
+								e,
+							)),
+							QuiescentError::FailSplice(failed),
+						));
+					}
 					let prior_contribution = contribution.clone();
 					let prev_funding_input = self.funding.to_splice_funding_input();
 					let our_funding_contribution = contribution.net_value();

lightning/src/ln/channelmanager.rs

@@ -6487,6 +6487,53 @@ impl<
 		result
 	}
 
+	/// Emits events for a [`QuiescentError`], if applicable.
+	fn handle_quiescent_error(
+		&self, channel_id: ChannelId, counterparty_node_id: PublicKey, user_channel_id: u128,
+		error: QuiescentError,
+	) {
+		match error {
+			QuiescentError::DoNothing => {},
+			QuiescentError::DiscardFunding { inputs, outputs } => {
+				self.pending_events.lock().unwrap().push_back((
+					events::Event::DiscardFunding {
+						channel_id,
+						funding_info: FundingInfo::Contribution { inputs, outputs },
+					},
+					None,
+				));
+			},
+			QuiescentError::FailSplice(SpliceFundingFailed {
+				funding_txo,
+				channel_type,
+				contributed_inputs,
+				contributed_outputs,
+			}) => {
+				let pending_events = &mut self.pending_events.lock().unwrap();
+				pending_events.push_back((
+					events::Event::SpliceFailed {
+						channel_id,
+						counterparty_node_id,
+						user_channel_id,
+						abandoned_funding_txo: funding_txo,
+						channel_type,
+					},
+					None,
+				));
+				pending_events.push_back((
+					events::Event::DiscardFunding {
+						channel_id,
+						funding_info: FundingInfo::Contribution {
+							inputs: contributed_inputs,
+							outputs: contributed_outputs,
+						},
+					},
+					None,
+				));
+			},
+		}
+	}
+
 	/// Adds or removes funds from the given channel as specified by a [`FundingContribution`].
 	///
 	/// Used after [`ChannelManager::splice_channel`] by constructing a [`FundingContribution`]
@@ -6593,62 +6640,29 @@ impl<
 									);
 								}
 							},
-							Err(QuiescentError::DoNothing) => {
-								result = Err(APIError::APIMisuseError {
-									err: format!(
-										"Duplicate funding contribution for channel {}",
-										channel_id
-									),
-								});
-							},
-							Err(QuiescentError::DiscardFunding { inputs, outputs }) => {
-								self.pending_events.lock().unwrap().push_back((
-									events::Event::DiscardFunding {
-										channel_id: *channel_id,
-										funding_info: FundingInfo::Contribution { inputs, outputs },
-									},
-									None,
-								));
+							Err(e) => {
 								result = Err(APIError::APIMisuseError {
-									err: format!(
-										"Channel {} already has a pending funding contribution",
-										channel_id
-									),
-								});
-							},
-							Err(QuiescentError::FailSplice(SpliceFundingFailed {
-								funding_txo,
-								channel_type,
-								contributed_inputs,
-								contributed_outputs,
-							})) => {
-								let pending_events = &mut self.pending_events.lock().unwrap();
-								pending_events.push_back((
-									events::Event::SpliceFailed {
-										channel_id: *channel_id,
-										counterparty_node_id: *counterparty_node_id,
-										user_channel_id: channel.context().get_user_id(),
-										abandoned_funding_txo: funding_txo,
-										channel_type,
-									},
-									None,
-								));
-								pending_events.push_back((
-									events::Event::DiscardFunding {
-										channel_id: *channel_id,
-										funding_info: FundingInfo::Contribution {
-											inputs: contributed_inputs,
-											outputs: contributed_outputs,
-										},
+									err: match &e {
+										QuiescentError::DoNothing => format!(
+											"Duplicate funding contribution for channel {}",
+											channel_id,
+										),
+										QuiescentError::DiscardFunding { .. } => format!(
+											"Channel {} already has a pending funding contribution",
+											channel_id,
+										),
+										QuiescentError::FailSplice(_) => format!(
+											"Channel {} cannot accept funding contribution",
+											channel_id,
+										),
 									},
-									None,
-								));
-								result = Err(APIError::APIMisuseError {
-									err: format!(
-										"Channel {} cannot accept funding contribution",
-										channel_id
-									),
 								});
+								self.handle_quiescent_error(
+									*channel_id,
+									*counterparty_node_id,
+									channel.context().get_user_id(),
+									e,
+								);
 							},
 						}
 
@@ -12793,6 +12807,16 @@ This indicates a bug inside LDK. Please report this error at https://github.com/
 					);
 
 					let res = chan.stfu(&msg, &&logger);
+					let (res, quiescent_error) = match res {
+						Ok(resp) => (Ok(resp), QuiescentError::DoNothing),
+						Err((chan_err, quiescent_err)) => (Err(chan_err), quiescent_err),
+					};
+					self.handle_quiescent_error(
+						chan_entry.get().context().channel_id(),
+						*counterparty_node_id,
+						chan_entry.get().context().get_user_id(),
+						quiescent_error,
+					);
 					let resp = try_channel_entry!(self, peer_state, res, chan_entry);
 					match resp {
 						None => Ok(false),

lightning/src/ln/funding.rs

@@ -176,6 +176,16 @@ pub(super) struct PriorContribution {
 	contribution: FundingContribution,
 	/// The holder's balance, used for feerate adjustment. `None` when the balance computation
 	/// fails, in which case adjustment is skipped and coin selection is re-run.
+	///
+	/// This value is captured at [`ChannelManager::splice_channel`] time and may become stale
+	/// if balances change before the contribution is used. Staleness is acceptable here because
+	/// this is only used as an optimization to determine if the prior contribution can be
+	/// reused with adjusted fees — the contribution is re-validated at
+	/// [`ChannelManager::funding_contributed`] time and again at quiescence time against the
+	/// current balances.
+	///
+	/// [`ChannelManager::splice_channel`]: crate::ln::channelmanager::ChannelManager::splice_channel
+	/// [`ChannelManager::funding_contributed`]: crate::ln::channelmanager::ChannelManager::funding_contributed
 	holder_balance: Option<Amount>,
 }