Reject RBF with non-confirming feerate after several attempts

After a few RBF attempts, both our own and the counterparty's RBF
should target a feerate that will actually confirm. Reject attempts
with feerates below the fee estimator's NonAnchorChannelFee target
to prevent exhausting the RBF budget at low feerates.

The spec requires: "MUST set a high enough feerate to ensure quick
confirmation."

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: jkczyz

lightning/src/ln/channel.rs

@@ -3100,6 +3100,22 @@ impl PendingFunding {
 		}
 	}
 
+	/// After several RBF attempts, checks that the feerate is high enough to confirm. Returns
+	/// `true` if the feerate is sufficient or the threshold hasn't been reached.
+	///
+	/// The spec requires: "MUST set a high enough feerate to ensure quick confirmation."
+	fn is_rbf_feerate_sufficient<F: FeeEstimator>(
+		&self, feerate_sat_per_kw: u32, fee_estimator: &LowerBoundedFeeEstimator<F>,
+	) -> bool {
+		const MAX_LOW_FEERATE_RBF_ATTEMPTS: usize = 3;
+		if self.negotiated_candidates.len() <= MAX_LOW_FEERATE_RBF_ATTEMPTS {
+			return true;
+		}
+		let min_feerate =
+			fee_estimator.bounded_sat_per_1000_weight(ConfirmationTarget::NonAnchorChannelFee);
+		feerate_sat_per_kw >= min_feerate
+	}
+
 	fn contributed_inputs(&self) -> impl Iterator<Item = bitcoin::OutPoint> + '_ {
 		self.contributions.iter().flat_map(|c| c.contributed_inputs())
 	}
@@ -12153,8 +12169,9 @@ where
 			.expect("feerate compatibility already checked")
 	}
 
-	pub fn funding_contributed<L: Logger>(
-		&mut self, contribution: FundingContribution, locktime: LockTime, logger: &L,
+	pub fn funding_contributed<F: FeeEstimator, L: Logger>(
+		&mut self, contribution: FundingContribution, locktime: LockTime,
+		fee_estimator: &LowerBoundedFeeEstimator<F>, logger: &L,
 	) -> Result<Option<msgs::Stfu>, QuiescentError> {
 		debug_assert!(contribution.is_splice());
 
@@ -12229,6 +12246,23 @@ where
 			return Err(QuiescentError::FailSplice(self.splice_funding_failed_for(contribution)));
 		}
 
+		if let Some(pending_splice) = self.pending_splice.as_ref() {
+			if !pending_splice.is_rbf_feerate_sufficient(
+				contribution.feerate().to_sat_per_kwu() as u32,
+				fee_estimator,
+			) {
+				log_error!(
+					logger,
+					"Channel {} RBF feerate {} below fee estimator minimum",
+					self.context.channel_id(),
+					contribution.feerate(),
+				);
+				return Err(QuiescentError::FailSplice(
+					self.splice_funding_failed_for(contribution),
+				));
+			}
+		}
+
 		// If a pending splice exists with negotiated candidates, attempt to adjust the
 		// contribution's feerate to the minimum RBF feerate so it can proceed as an RBF immediately
 		// rather than waiting for the splice to lock.
@@ -12682,6 +12716,10 @@ where
 			return Err(ChannelError::Abort(AbortReason::InsufficientRbfFeerate));
 		}
 
+		if !pending_splice.is_rbf_feerate_sufficient(new_feerate, fee_estimator) {
+			return Err(ChannelError::Abort(AbortReason::InsufficientRbfFeerate));
+		}
+
 		let their_funding_contribution = match msg.funding_output_contribution {
 			Some(value) => SignedAmount::from_sat(value),
 			None => SignedAmount::ZERO,

lightning/src/ln/channelmanager.rs

@@ -6633,7 +6633,12 @@ impl<
 							locktime.unwrap_or_else(|| self.current_best_block().height),
 						);
 						let logger = WithChannelContext::from(&self.logger, chan.context(), None);
-						match chan.funding_contributed(contribution, locktime, &&logger) {
+						match chan.funding_contributed(
+							contribution,
+							locktime,
+							&self.fee_estimator,
+							&&logger,
+						) {
 							Ok(msg_opt) => {
 								if let Some(msg) = msg_opt {
 									peer_state.pending_msg_events.push(

lightning/src/ln/splicing_tests.rs

@@ -6304,3 +6304,153 @@ fn test_splice_revalidation_at_quiescence() {
 
 	expect_splice_failed_events(&nodes[0], &channel_id, contribution);
 }
+
+#[test]
+fn test_splice_rbf_rejects_low_feerate_after_several_attempts() {
+	// After several RBF attempts, the counterparty's RBF feerate must be high enough to
+	// confirm (per the fee estimator). Early attempts at low feerates are accepted, but
+	// once the threshold is crossed and the fee estimator expects a higher feerate, the
+	// attempt is rejected.
+	let chanmon_cfgs = create_chanmon_cfgs(2);
+	let node_cfgs = create_node_cfgs(2, &chanmon_cfgs);
+	let node_chanmgrs = create_node_chanmgrs(2, &node_cfgs, &[None, None]);
+	let nodes = create_network(2, &node_cfgs, &node_chanmgrs);
+
+	let node_id_0 = nodes[0].node.get_our_node_id();
+	let node_id_1 = nodes[1].node.get_our_node_id();
+
+	let initial_channel_value_sat = 100_000;
+	let (_, _, channel_id, _) =
+		create_announced_chan_between_nodes_with_value(&nodes, 0, 1, initial_channel_value_sat, 0);
+
+	let added_value = Amount::from_sat(50_000);
+	provide_utxo_reserves(&nodes, 2, added_value * 2);
+
+	// Round 0: Initial splice-in at floor feerate (253).
+	let funding_contribution = do_initiate_splice_in(&nodes[0], &nodes[1], channel_id, added_value);
+	let (_, new_funding_script) =
+		splice_channel(&nodes[0], &nodes[1], channel_id, funding_contribution);
+
+	// Feerate progression: 253 → 264 → 275 → 287 → 300
+	let feerate_1 = (FEERATE_FLOOR_SATS_PER_KW as u64 * 25).div_ceil(24);
+	let feerate_2 = (feerate_1 * 25).div_ceil(24);
+	let feerate_3 = (feerate_2 * 25).div_ceil(24);
+	let feerate_4 = (feerate_3 * 25).div_ceil(24);
+
+	// Rounds 1-3: RBF at minimum bump. Accepted (at or below threshold).
+	for feerate in [feerate_1, feerate_2, feerate_3] {
+		provide_utxo_reserves(&nodes, 2, added_value * 2);
+		let rbf_feerate = FeeRate::from_sat_per_kwu(feerate);
+		let contribution =
+			do_initiate_rbf_splice_in(&nodes[0], &nodes[1], channel_id, added_value, rbf_feerate);
+		complete_rbf_handshake(&nodes[0], &nodes[1]);
+		complete_interactive_funding_negotiation(
+			&nodes[0],
+			&nodes[1],
+			channel_id,
+			contribution,
+			new_funding_script.clone(),
+		);
+		let (_, splice_locked) = sign_interactive_funding_tx(&nodes[0], &nodes[1], false);
+		assert!(splice_locked.is_none());
+		expect_splice_pending_event(&nodes[0], &node_id_1);
+		expect_splice_pending_event(&nodes[1], &node_id_0);
+	}
+
+	// Now 4 negotiated candidates (round 0 + rounds 1-3). Bump the fee estimator on node 1
+	// (the RBF receiver) so the next minimum RBF feerate (300) is below it.
+	let high_feerate = 1000;
+	*chanmon_cfgs[1].fee_estimator.sat_per_kw.lock().unwrap() = high_feerate;
+
+	// Round 4: RBF at minimum bump (300). Should be rejected because 300 < 1000.
+	provide_utxo_reserves(&nodes, 2, added_value * 2);
+	let rbf_feerate_3 = FeeRate::from_sat_per_kwu(feerate_4);
+	let _contribution =
+		do_initiate_rbf_splice_in(&nodes[0], &nodes[1], channel_id, added_value, rbf_feerate_3);
+	let stfu_0 = get_event_msg!(nodes[0], MessageSendEvent::SendStfu, node_id_1);
+	nodes[1].node.handle_stfu(node_id_0, &stfu_0);
+	let stfu_1 = get_event_msg!(nodes[1], MessageSendEvent::SendStfu, node_id_0);
+	nodes[0].node.handle_stfu(node_id_1, &stfu_1);
+
+	// Node 0 sends tx_init_rbf. Node 1 rejects the low feerate after the threshold.
+	let tx_init_rbf = get_event_msg!(nodes[0], MessageSendEvent::SendTxInitRbf, node_id_1);
+	nodes[1].node.handle_tx_init_rbf(node_id_0, &tx_init_rbf);
+	get_event_msg!(nodes[1], MessageSendEvent::SendTxAbort, node_id_0);
+}
+
+#[test]
+fn test_splice_rbf_rejects_own_low_feerate_after_several_attempts() {
+	// Same as test_splice_rbf_rejects_low_feerate_after_several_attempts, but for our own
+	// initiated RBF. The spec requires: "MUST set a high enough feerate to ensure quick
+	// confirmation." After several attempts, funding_contributed should reject our contribution
+	// if the feerate is below the fee estimator's target.
+	let chanmon_cfgs = create_chanmon_cfgs(2);
+	let node_cfgs = create_node_cfgs(2, &chanmon_cfgs);
+	let node_chanmgrs = create_node_chanmgrs(2, &node_cfgs, &[None, None]);
+	let nodes = create_network(2, &node_cfgs, &node_chanmgrs);
+
+	let node_id_0 = nodes[0].node.get_our_node_id();
+	let node_id_1 = nodes[1].node.get_our_node_id();
+
+	let initial_channel_value_sat = 100_000;
+	let (_, _, channel_id, _) =
+		create_announced_chan_between_nodes_with_value(&nodes, 0, 1, initial_channel_value_sat, 0);
+
+	let added_value = Amount::from_sat(50_000);
+	provide_utxo_reserves(&nodes, 2, added_value * 2);
+
+	// Round 0: Initial splice-in at floor feerate (253).
+	let funding_contribution = do_initiate_splice_in(&nodes[0], &nodes[1], channel_id, added_value);
+	let (_, new_funding_script) =
+		splice_channel(&nodes[0], &nodes[1], channel_id, funding_contribution);
+
+	// Feerate progression: 253 → 264 → 275 → 287 → 300
+	let feerate_1 = (FEERATE_FLOOR_SATS_PER_KW as u64 * 25).div_ceil(24);
+	let feerate_2 = (feerate_1 * 25).div_ceil(24);
+	let feerate_3 = (feerate_2 * 25).div_ceil(24);
+	let feerate_4 = (feerate_3 * 25).div_ceil(24);
+
+	// Rounds 1-3: RBF at minimum bump. Accepted.
+	for feerate in [feerate_1, feerate_2, feerate_3] {
+		provide_utxo_reserves(&nodes, 2, added_value * 2);
+		let rbf_feerate = FeeRate::from_sat_per_kwu(feerate);
+		let contribution =
+			do_initiate_rbf_splice_in(&nodes[0], &nodes[1], channel_id, added_value, rbf_feerate);
+		complete_rbf_handshake(&nodes[0], &nodes[1]);
+		complete_interactive_funding_negotiation(
+			&nodes[0],
+			&nodes[1],
+			channel_id,
+			contribution,
+			new_funding_script.clone(),
+		);
+		let (_, splice_locked) = sign_interactive_funding_tx(&nodes[0], &nodes[1], false);
+		assert!(splice_locked.is_none());
+		expect_splice_pending_event(&nodes[0], &node_id_1);
+		expect_splice_pending_event(&nodes[1], &node_id_0);
+	}
+
+	// Bump node 0's fee estimator so the next minimum RBF feerate (300) is below it.
+	let high_feerate = 1000;
+	*chanmon_cfgs[0].fee_estimator.sat_per_kw.lock().unwrap() = high_feerate;
+
+	// Round 4: Our own RBF at minimum bump (300). funding_contributed should reject it.
+	provide_utxo_reserves(&nodes, 2, added_value * 2);
+	let rbf_feerate = FeeRate::from_sat_per_kwu(feerate_4);
+	let funding_template = nodes[0].node.splice_channel(&channel_id, &node_id_1).unwrap();
+	let wallet = WalletSync::new(Arc::clone(&nodes[0].wallet_source), nodes[0].logger);
+	let contribution =
+		funding_template.splice_in_sync(added_value, rbf_feerate, FeeRate::MAX, &wallet).unwrap();
+
+	let result = nodes[0].node.funding_contributed(&channel_id, &node_id_1, contribution, None);
+	assert!(result.is_err(), "Expected rejection for low feerate: {:?}", result);
+
+	// SpliceFailed is emitted. DiscardFunding is not emitted because all inputs/outputs
+	// are filtered out (same UTXOs reused for RBF, still committed to the prior splice tx).
+	let events = nodes[0].node.get_and_clear_pending_events();
+	assert_eq!(events.len(), 1, "{events:?}");
+	match &events[0] {
+		Event::SpliceFailed { channel_id: cid, .. } => assert_eq!(*cid, channel_id),
+		other => panic!("Expected SpliceFailed, got {:?}", other),
+	}
+}