Allow cancellation of pending splice funding negotiations by wpaulino · Pull Request #4490 · lightningdevkit/rust-lightning

wpaulino · 2026-03-17T18:00:37Z

A user may wish to cancel an in-flight funding negotiation for whatever reason (e.g., mempool feerates have gone down, inability to sign, etc.), so we should make it possible for them to do so. Note that this can only be done for splice funding negotiations for which the user has made a contribution to.

ldk-reviews-bot · 2026-03-17T18:00:40Z

👋 Thanks for assigning @TheBlueMatt as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

ldk-claude-review-bot · 2026-03-17T18:37:25Z

+						let splice_funding_failed = splice_funding_failed
+							.expect("Only splices with local contributions can be canceled");


This .expect() can panic in release builds. While cancel_splice in channel.rs verifies made_contribution is true, the maybe_create_splice_funding_failed! macro additionally subtracts contributions that overlap with prior RBF rounds (via prior_contributed_inputs/outputs). For a non-initiator who reuses the same UTXOs across RBF attempts with no explicit output contributions, the subtraction can empty the lists, causing the macro to return None (line 6740-6742 of channel.rs: if !is_initiator && contributed_inputs.is_empty() && contributed_outputs.is_empty() { return None; }).

The debug_assert!(splice_funding_failed.is_some()) at channel.rs:12323 catches this in debug, but this expect will crash in release for that edge case. Consider handling None gracefully, e.g. by returning an APIError or skipping the events.

@jkczyz looks like that if statement it's referring to is indeed happening after the filtering. We should check whether the contribution is empty prior to filtering. I also noticed that we'll always emit DiscardFunding even when both contributed inputs and outputs are empty, we should only do so when there is actually something to discard.

@jkczyz looks like that if statement it's referring to is indeed happening after the filtering. We should check whether the contribution is empty prior to filtering.

Hmm... we may want to base this on #4514. It refactors that code a bit and removes maybe_create_splice_funding_failed!. I believe the new splice_funding_failed_for! macro does it correctly now (dc0609d)

I also noticed that we'll always emit DiscardFunding even when both contributed inputs and outputs are empty, we should only do so when there is actually something to discard.

I believe that is fixed in #4514, too. Can't recall if it's the same commit, but the PR should consolidate the filtering logic to FundingContribution::into_unique_contributions.

ldk-claude-review-bot · 2026-03-17T18:37:51Z

After a thorough review of the entire PR diff, I confirm that my previously flagged issues remain applicable and no new issues were found in this review pass. All call sites for the counterparty_aborted → allow_resumption rename are correctly inverted. The cancel_funding_contributed logic is sound across all FundingNegotiation states and the quiescent_action early path.

Review Summary

No new issues found beyond the four previously flagged. All prior issues remain applicable to the current diff:

Previously posted inline comments (still active):

lightning/src/ln/channel.rs:12795 — debug_assert!(splice_funding_failed.is_some()) can fire in release for non-initiator RBF edge case where maybe_create_splice_funding_failed! filters all contributions.
lightning/src/ln/channel.rs:12759 — has_local_contribution() vs contributed_inputs()/contributed_outputs() use different computation paths for the same semantic check across FundingNegotiation variants.
lightning/src/ln/channelmanager.rs:4941 — PersistenceNotifierGuard::manually_notify does not set needs_persist_flag. The explicit event_persist_notifier.notify() at line 4983 ensures event delivery, but channel state changes (splice reset, quiescence exit) may not be persisted until the next unrelated trigger. Consider optionally_notify to match funding_contributed and funding_transaction_signed.
lightning/src/ln/splicing_tests.rs:3007 — Dead code: if state == 0 branch is unreachable because state 0 returns early at line 2990.

Verification notes:

The counterparty_aborted → allow_resumption boolean inversion is correct across all 8 call sites.
The quiescent_action early path in cancel_funding_contributed correctly handles both WarnAndDisconnect (stfu/quiescent flags set → disconnect cleans up) and Abort (no flags → tx_abort is harmlessly ignored by counterparty with no active negotiation).
The stashed commitment_signed invariant ensures has_received_commitment_signed() remains false until after funding_transaction_signed(), making the reset_pending_splice_state debug_assert pass for the AwaitingSignatures cancel path.
Serialization preserves quiescence for AwaitingSignatures, enabling post-reconnect cancellation.

jkczyz · 2026-03-19T17:53:36Z

 		}
+
+		debug_assert!(self.context.channel_state.is_quiescent());
+		let splice_funding_failed = self.reset_pending_splice_state();


Do we need to worry about updating PendingFunding::contributions when reseting? This may be a pre-existing issue, though.

Already fixed in a547960.

ldk-reviews-bot · 2026-04-11T00:00:36Z

🔔 1st Reminder