fix(cch): check HTLC expiry delta before sending outgoing payment#1148
Open
doitian wants to merge 4 commits intonervosnetwork:developfrom
Open
fix(cch): check HTLC expiry delta before sending outgoing payment#1148doitian wants to merge 4 commits intonervosnetwork:developfrom
doitian wants to merge 4 commits intonervosnetwork:developfrom
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds a dynamic HTLC/TLC expiry-budget check at outgoing-payment dispatch time to prevent cross-chain fund loss when the total outbound route timelock exceeds the remaining inbound timelock (issue #1000).
Changes:
- Compute remaining inbound expiry time at dispatch time and reserve half for settling inbound after preimage receipt.
- Enforce a route-wide expiry cap on outgoing payments (LND
cltv_limit, Fibertlc_expiry_limit) and fail orders early when insufficient. - Add/update specs documentation and introduce new actor tests covering insufficient/sufficient expiry scenarios.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| docs/specs/cch-expiry-dependency.md | Documents the new dynamic outgoing route-expiry cap and the reasoning behind it. |
| crates/fiber-lib/src/cch/actions/send_outgoing_payment.rs | Implements remaining-time computation, sufficiency validation, and route-expiry caps for outbound payments. |
| crates/fiber-lib/src/cch/tests/actor_tests.rs | Adds harness configurability and tests for failure/success cases around the new expiry logic. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
doitian
force-pushed
the
safe-cch-expiry-check-before-sending-payment
branch
from
87f4514 to
1d3039c
Compare
quake
approved these changes
Mar 3, 2026
Member
|
@doitian need to resolve conflicts |
doitian
force-pushed
the
safe-cch-expiry-check-before-sending-payment
branch
2 times, most recently
from
bfbc2b0 to
7ad93ff
Compare
…rvosnetwork#1000) Add a dynamic expiry check when dispatching outgoing payments to prevent fund loss when the outgoing route's total expiry exceeds the incoming payment's remaining time. Previously, CCH only compared final_tlc_expiry_delta values statically at order creation. This missed the case where multiple routing hops accumulate enough expiry delta to exceed the incoming payment's expiry. Changes: - Compute remaining incoming time and allocate half for outgoing route - Fail the order if remaining time is insufficient for outgoing invoice's minimum final expiry delta - Set cltv_limit (LND) and tlc_expiry_limit (Fiber) on outgoing payments to cap the route expiry Tests: - test_send_btc_fails_insufficient_expiry_delta - test_receive_btc_fails_insufficient_expiry_delta - test_send_btc_passes_sufficient_expiry_delta Fixes nervosnetwork#1000
doitian
force-pushed
the
safe-cch-expiry-check-before-sending-payment
branch
from
7ad93ff to
7e622ea
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add a dynamic expiry check when dispatching outgoing payments to prevent fund loss when the outgoing route's total expiry (including all routing hops) exceeds the incoming payment's remaining time.
Problem
Previously, CCH only compared
final_tlc_expiry_deltavalues statically at order creation time. This missed the scenario described in #1000: if there are many routing nodes for the outbound payment, the accumulatedtlc_expiry_deltaof the entire route can exceed theinbound.final_tlc_expiry_delta, causing the inbound payment to expire before CCH can settle it.Solution
When dispatching the outgoing payment (after incoming is accepted):
incoming_final_expiry_delta - elapsed_since_order_creationmax_outgoing = remaining / 2(other half reserved for settling incoming)max_outgoingis less than the outgoing invoice's minimum final expiry delta, fail the order immediatelycltv_limitonSendPaymentRequesttlc_expiry_limitonSendPaymentCommandTests
test_send_btc_fails_insufficient_expiry_delta— SendBTC order with insufficient remaining incoming timetest_receive_btc_fails_insufficient_expiry_delta— ReceiveBTC order with outgoing CKB TLC expiry exceeding available timetest_send_btc_passes_sufficient_expiry_delta— Verifies valid orders pass the checkFixes #1000