lightning: skip resolved HTLC claim replays

Filter regenerated HTLC claim requests only after ChannelMonitor has
persisted final HTLC resolution for the commitment output.

This keeps replayed preimage updates from recreating claims once the
monitor has durable resolution state, while preserving live conflicting
claims before final resolution so they can be retried if a counterparty
spend reorgs out.

Author: joostjager

lightning/src/chain/channelmonitor.rs

@@ -4936,7 +4936,10 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 			.iter()
 			.filter_map(|(htlc, _)| {
 				if let Some(transaction_output_index) = htlc.transaction_output_index {
-					if htlc.offered && htlc.payment_hash == matching_payment_hash {
+					if htlc.offered
+						&& htlc.payment_hash == matching_payment_hash
+						&& !self.is_htlc_output_spent_on_chain(htlc)
+					{
 						let htlc_data = PackageSolvingData::CounterpartyOfferedHTLCOutput(
 							CounterpartyOfferedHTLCOutput::build(
 								per_commitment_point,
@@ -4962,6 +4965,21 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 			.collect()
 	}
 
+	fn is_htlc_output_spent_on_chain(&self, htlc: &HTLCOutputInCommitment) -> bool {
+		if let Some(transaction_output_index) = htlc.transaction_output_index {
+			// Only suppress claims once the monitor has persisted final HTLC
+			// resolution. While a conflicting spend is still awaiting anti-reorg
+			// confirmation, a replayed preimage may create a live conflicting
+			// claim; keeping that claim in OnchainTxHandler preserves retry state
+			// if the spend reorgs out.
+			self.htlcs_resolved_on_chain.iter().any(|resolved_htlc| {
+				resolved_htlc.commitment_tx_output_idx == Some(transaction_output_index)
+			})
+		} else {
+			false
+		}
+	}
+
 	/// Returns the HTLC claim requests and the counterparty output info.
 	fn get_counterparty_output_claim_info(
 		&self, funding_spent: &FundingScope, commitment_number: u64, commitment_txid: Txid,
@@ -5009,6 +5027,9 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 					// per_commitment_data is corrupt or our commitment signing key leaked!
 					return (claimable_outpoints, to_counterparty_output_info);
 				}
+				if self.is_htlc_output_spent_on_chain(htlc) {
+					continue;
+				}
 				let preimage = if htlc.offered {
 					if let Some((p, _)) = self.payment_preimages.get(&htlc.payment_hash) {
 						Some(*p)
@@ -5110,6 +5131,9 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 		let mut htlcs = Vec::with_capacity(holder_tx.nondust_htlcs().len());
 		debug_assert_eq!(holder_tx.nondust_htlcs().len(), holder_tx.counterparty_htlc_sigs.len());
 		for (htlc, counterparty_sig) in holder_tx.nondust_htlcs().iter().zip(holder_tx.counterparty_htlc_sigs.iter()) {
+			if self.is_htlc_output_spent_on_chain(htlc) {
+				continue;
+			}
 			assert!(htlc.transaction_output_index.is_some(), "Expected transaction output index for non-dust HTLC");
 
 			let preimage = if htlc.offered {

lightning/src/ln/monitor_tests.rs

@@ -2391,12 +2391,15 @@ fn test_restored_packages_retry() {
 fn do_test_duplicate_delayed_holder_htlc_claims_after_claim_funds_replay(p2a_anchor: bool) {
 	let chanmon_cfgs = create_chanmon_cfgs(2);
 	let node_cfgs = create_node_cfgs(2, &chanmon_cfgs);
+	let persister;
+	let new_chain_monitor;
+	let node_deserialized;
 	let mut anchors_config = test_default_channel_config();
 	anchors_config.channel_handshake_config.negotiate_anchors_zero_fee_htlc_tx = true;
 	anchors_config.channel_handshake_config.negotiate_anchor_zero_fee_commitments = p2a_anchor;
 	let node_chanmgrs =
 		create_node_chanmgrs(2, &node_cfgs, &[Some(anchors_config.clone()), Some(anchors_config)]);
-	let nodes = create_network(2, &node_cfgs, &node_chanmgrs);
+	let mut nodes = create_network(2, &node_cfgs, &node_chanmgrs);
 
 	let coinbase_tx = provide_anchor_reserves(&nodes);
 	let (_, _, chan_id, funding_tx) =
@@ -2475,11 +2478,14 @@ fn do_test_duplicate_delayed_holder_htlc_claims_after_claim_funds_replay(p2a_anc
 	// the delayed package's outpoints.
 	connect_blocks(&nodes[0], TEST_FINAL_CLTV + 1);
 
-	let mut htlc_event_sizes = nodes[0]
+	let events = nodes[0]
 		.chain_monitor
 		.chain_monitor
 		.get_and_clear_pending_events()
 		.into_iter()
+		.collect::<Vec<_>>();
+	let mut htlc_event_sizes = events
+		.iter()
 		.filter_map(|event| {
 			if let Event::BumpTransaction(BumpTransactionEvent::HTLCResolution {
 				htlc_descriptors, ..
@@ -2493,6 +2499,89 @@ fn do_test_duplicate_delayed_holder_htlc_claims_after_claim_funds_replay(p2a_anc
 		.collect::<Vec<_>>();
 	htlc_event_sizes.sort_unstable();
 	assert_eq!(htlc_event_sizes, vec![1, 2]);
+
+	// Drive only the replayed single-HTLC event on-chain. A preimage replay
+	// before its CSV-delayed output is final may create a live conflicting
+	// claim, so the final replay assertion below waits for the monitor's
+	// persisted resolution state instead.
+	for event in events {
+		if let Event::BumpTransaction(event) = event {
+			let is_single_htlc = if let BumpTransactionEvent::HTLCResolution {
+				ref htlc_descriptors,
+				..
+			} = event
+			{
+				htlc_descriptors.len() == 1
+			} else {
+				false
+			};
+			if is_single_htlc {
+				nodes[0].bump_tx_handler.handle_event(&event);
+				break;
+			}
+		}
+	}
+	let mut htlc_txn = nodes[0].tx_broadcaster.unique_txn_broadcast();
+	assert_eq!(htlc_txn.len(), 1);
+	let htlc_tx = htlc_txn.pop().unwrap();
+	mine_transaction(&nodes[0], &htlc_tx);
+	connect_blocks(&nodes[0], ANTI_REORG_DELAY - 1);
+	assert!(nodes[0].chain_monitor.chain_monitor.get_and_clear_pending_events().is_empty());
+
+	// The spend has passed OnchainTxHandler's anti-reorg cleanup, but its
+	// CSV-delayed output is not yet final according to the monitor. Replaying
+	// the preimage in this window creates a live conflicting claim, which is
+	// kept as retry state in case the spend reorgs out.
+	get_monitor!(nodes[0], chan_id).provide_payment_preimage_unsafe_legacy(
+		&claim_hash,
+		&claim_preimage,
+		&node_cfgs[0].tx_broadcaster,
+		&LowerBoundedFeeEstimator::new(node_cfgs[0].fee_estimator),
+		&nodes[0].logger,
+	);
+	let live_conflict_events = nodes[0]
+		.chain_monitor
+		.chain_monitor
+		.get_and_clear_pending_events()
+		.into_iter()
+		.collect::<Vec<_>>();
+	let mut live_conflict_htlc_event_sizes = live_conflict_events
+		.iter()
+		.filter_map(|event| {
+			if let Event::BumpTransaction(BumpTransactionEvent::HTLCResolution {
+				htlc_descriptors, ..
+			}) = event
+			{
+				Some(htlc_descriptors.len())
+			} else {
+				None
+			}
+		})
+		.collect::<Vec<_>>();
+	live_conflict_htlc_event_sizes.sort_unstable();
+	assert_eq!(live_conflict_htlc_event_sizes, vec![1]);
+
+	connect_blocks(&nodes[0], BREAKDOWN_TIMEOUT as u32 - ANTI_REORG_DELAY);
+	let _ = nodes[0].chain_monitor.chain_monitor.get_and_clear_pending_events();
+
+	// Reload before replaying the preimage so the regression covers persisted
+	// resolution state, not only in-memory filtering.
+	let serialized_channel_manager = nodes[0].node.encode();
+	let serialized_monitor = get_monitor!(nodes[0], chan_id).encode();
+	reload_node!(
+		nodes[0], &serialized_channel_manager, &[&serialized_monitor], persister,
+		new_chain_monitor, node_deserialized
+	);
+
+	// Replaying the preimage update must not regenerate a claim for the HTLC
+	// whose commitment output has final persisted resolution state.
+	get_monitor!(nodes[0], chan_id).provide_payment_preimage_unsafe_legacy(
+		&claim_hash, &claim_preimage, &node_cfgs[0].tx_broadcaster,
+		&LowerBoundedFeeEstimator::new(node_cfgs[0].fee_estimator), &nodes[0].logger,
+	);
+	assert!(nodes[0].chain_monitor.chain_monitor.get_and_clear_pending_events().is_empty());
+	expect_payment_claimed!(nodes[0], claim_hash, 12_000_000);
+	check_added_monitors(&nodes[0], 1);
 }
 
 #[test]