Skip to content

Use saturating_mul when multiplying feerates by the fee spike buf#4554

Merged
tnull merged 1 commit intolightningdevkit:mainfrom
TheBlueMatt:2026-04-feerate-overflows
Apr 13, 2026
Merged

Use saturating_mul when multiplying feerates by the fee spike buf#4554
tnull merged 1 commit intolightningdevkit:mainfrom
TheBlueMatt:2026-04-feerate-overflows

Conversation

@TheBlueMatt
Copy link
Copy Markdown
Collaborator

@TheBlueMatt TheBlueMatt commented Apr 12, 2026
edited
Loading

In theory a channel's feerate could be set to some absurd value (millions of satoshis per vB) and we'd overflow the fee spike buffer, accepting the absurd fee and ignoring our fee spike buffer check. This is harmless - the counterparty has much easier ways of bricking the channel if they want, and paying several BTC in fees is probably not the best way. Our commitment transaction and dust fee exposure logic all correctly map the u32 to a u64 before multiplying, making them overflow-safe.

Still, its good to fix overflows because it is a remotely-reachable crash in debug builds.

Reported by Jordan Mecom of Block's Security Team

@ldk-reviews-bot
Copy link
Copy Markdown

ldk-reviews-bot commented Apr 12, 2026
edited
Loading

I've assigned @wpaulino as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

@TheBlueMatt TheBlueMatt force-pushed the 2026-04-feerate-overflows branch from 76d1774 to a40e360 Compare April 12, 2026 23:40
@ldk-claude-review-bot
Copy link
Copy Markdown
Collaborator

ldk-claude-review-bot commented Apr 12, 2026
edited
Loading

I've reviewed the full diff and surrounding context. The three saturating_mul changes are correct: saturation to u32::MAX produces conservative behavior (over-estimating fees, rejecting HTLCs) in all three call sites, which is the safe direction. The prior review already noted the fuzz code in chanmon_consistency.rs.

No new issues found.

@TheBlueMatt
Use saturating_mul when multiplying feerates by the fee spike buf
b98d7b8 
In theory a channel's feerate could be set to some absurd value
(millions of satoshis per vB) and we'd overflow the fee spike
buffer, accepting the absurd fee and ignoring our fee spike buffer
check. This is harmless - the counterparty has much easier ways of
bricking the channel if they want, and paying several BTC in fees
is probably not the best way. Our commitment transaction and dust
fee exposure logic all correctly map the `u32` to a `u64` before
multiplying, making them overflow-safe.

Still, its good to fix overflows because it is a remotely-reachable
crash in debug builds.

Reported by Jordan Mecom of Block's Security Team
@TheBlueMatt TheBlueMatt force-pushed the 2026-04-feerate-overflows branch from a40e360 to b98d7b8 Compare April 13, 2026 01:25
@codecov
Copy link
Copy Markdown

codecov bot commented Apr 13, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.97%. Comparing base (2ebc372) to head (b98d7b8).
⚠️ Report is 13 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4554      +/-   ##
==========================================
- Coverage   87.01%   86.97%   -0.05%     
==========================================
  Files         163      163              
  Lines      108682   108683       +1     
  Branches   108682   108683       +1     
==========================================
- Hits        94572    94524      -48     
- Misses      11631    11678      +47     
- Partials     2479     2481       +2
Flag Coverage Δ
fuzzing 40.26% <100.00%> (+0.02%) ⬆️
tests 86.06% <100.00%> (-0.04%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

tnull
tnull approved these changes Apr 13, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@tnull tnull left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking forward to get rid of the entire class of bug by migrating to FeeRate in v0.4. :)

@tnull tnull merged commit ed02087 into lightningdevkit:main Apr 13, 2026
23 of 25 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tnull tnull tnull approved these changes

@wpaulino wpaulino Awaiting requested review from wpaulino

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@TheBlueMatt @ldk-reviews-bot @ldk-claude-review-bot @tnull