staticaddr: guard channel open and withdraw against unconfirmed deposits

Now that Deposited includes mempool outputs, channel opens and
withdrawals must explicitly reject unconfirmed deposits
(ConfirmationHeight <= 0) since both operations require confirmed
inputs.

Author: hieblmi

loopd/swapclient_server.go

@@ -1754,7 +1754,7 @@ func (s *swapClientServer) WithdrawDeposits(ctx context.Context,
 			return nil, err
 		}
 
-		for _, d := range deposits {
+		for _, d := range confirmedDeposits(deposits) {
 			outpoints = append(outpoints, d.OutPoint)
 		}
 

loopd/swapclient_server_deposit_test.go

@@ -1,6 +1,10 @@
 package loopd
 
-import "testing"
+import (
+	"testing"
+
+	"github.com/lightninglabs/loop/staticaddr/deposit"
+)
 
 // TestDepositBlocksUntilExpiry checks blocks-until-expiry handling for
 // confirmed and unconfirmed deposits.
@@ -19,3 +23,24 @@ func TestDepositBlocksUntilExpiry(t *testing.T) {
 		}
 	})
 }
+
+// TestConfirmedDeposits checks that helpers for bulk operations only keep
+// deposits that can actually be spent on-chain.
+func TestConfirmedDeposits(t *testing.T) {
+	t.Run("filters unconfirmed", func(t *testing.T) {
+		deposits := []*deposit.Deposit{
+			{},
+			{
+				ConfirmationHeight: 123,
+			},
+		}
+
+		filtered := confirmedDeposits(deposits)
+		if len(filtered) != 1 {
+			t.Fatalf("expected 1 confirmed deposit, got %d", len(filtered))
+		}
+		if filtered[0].ConfirmationHeight != 123 {
+			t.Fatal("expected confirmed deposit to remain")
+		}
+	})
+}

staticaddr/openchannel/manager.go

@@ -310,6 +310,10 @@ func (m *Manager) OpenChannel(ctx context.Context,
 			return nil, err
 		}
 
+		// Automatic channel funding must ignore mempool deposits because
+		// they cannot yet be used as funding inputs.
+		deposits = filterConfirmedDeposits(deposits)
+
 		if req.LocalFundingAmount != 0 {
 			deposits, err = staticutil.SelectDeposits(
 				deposits, req.LocalFundingAmount,
@@ -325,6 +329,14 @@ func (m *Manager) OpenChannel(ctx context.Context,
 		}
 	}
 
+	for _, d := range deposits {
+		// Deposited now includes mempool outputs for static loop-ins, but
+		// channel opens still require the deposit input to be confirmed.
+		if d.ConfirmationHeight <= 0 {
+			return nil, ErrOpeningChannelUnavailableDeposits
+		}
+	}
+
 	// Pre-check: calculate the channel funding amount and the optional
 	// change before locking deposits. This ensures the selected deposits
 	// can cover the funding amount plus fees.
@@ -399,6 +411,22 @@ func (m *Manager) OpenChannel(ctx context.Context,
 	return nil, err
 }
 
+// filterConfirmedDeposits filters the given deposits and returns only those
+// that have a positive confirmation height, i.e. deposits that have been
+// confirmed on-chain.
+func filterConfirmedDeposits(deposits []*deposit.Deposit) []*deposit.Deposit {
+	confirmed := make([]*deposit.Deposit, 0, len(deposits))
+	for _, d := range deposits {
+		if d.ConfirmationHeight <= 0 {
+			continue
+		}
+
+		confirmed = append(confirmed, d)
+	}
+
+	return confirmed
+}
+
 // openChannelPsbt starts an interactive channel open protocol that uses a
 // partially signed bitcoin transaction (PSBT) to fund the channel output. The
 // protocol involves several steps between the loop client and the server:

staticaddr/openchannel/manager_test.go

@@ -29,6 +29,7 @@ type transitionCall struct {
 }
 
 type mockDepositManager struct {
+	activeDeposits  []*deposit.Deposit
 	openingDeposits []*deposit.Deposit
 	getErr          error
 	transitionErrs  map[fsm.EventType]error
@@ -44,15 +45,19 @@ func (m *mockDepositManager) AllOutpointsActiveDeposits([]wire.OutPoint,
 func (m *mockDepositManager) GetActiveDepositsInState(stateFilter fsm.StateType) (
 	[]*deposit.Deposit, error) {
 
-	if stateFilter != deposit.OpeningChannel {
-		return nil, nil
-	}
+	switch stateFilter {
+	case deposit.Deposited:
+		return m.activeDeposits, nil
+
+	case deposit.OpeningChannel:
+		if m.getErr != nil {
+			return nil, m.getErr
+		}
 
-	if m.getErr != nil {
-		return nil, m.getErr
+		return m.openingDeposits, nil
 	}
 
-	return m.openingDeposits, nil
+	return nil, nil
 }
 
 func (m *mockDepositManager) TransitionDeposits(_ context.Context,
@@ -464,6 +469,97 @@ func TestOpenChannelDuplicateOutpoints(t *testing.T) {
 	require.ErrorContains(t, err, "duplicate outpoint")
 }
 
+// TestOpenChannelSkipsUnconfirmedAutoSelection verifies that automatic coin
+// selection ignores mempool deposits and keeps using confirmed ones.
+func TestOpenChannelSkipsUnconfirmedAutoSelection(t *testing.T) {
+	t.Parallel()
+
+	confirmedA := &deposit.Deposit{
+		OutPoint:           testOutPoint(1),
+		Value:              160_000,
+		ConfirmationHeight: 10,
+	}
+	confirmedB := &deposit.Deposit{
+		OutPoint:           testOutPoint(2),
+		Value:              140_000,
+		ConfirmationHeight: 11,
+	}
+	unconfirmed := &deposit.Deposit{
+		OutPoint: testOutPoint(3),
+		Value:    500_000,
+	}
+
+	depositManager := &mockDepositManager{
+		activeDeposits: []*deposit.Deposit{
+			unconfirmed, confirmedA, confirmedB,
+		},
+		transitionErrs: map[fsm.EventType]error{
+			deposit.OnOpeningChannel: errors.New("stop after selection"),
+		},
+	}
+	manager := &Manager{
+		cfg: &Config{
+			DepositManager: depositManager,
+		},
+	}
+
+	req := &lnrpc.OpenChannelRequest{
+		NodePubkey:         make([]byte, 33),
+		LocalFundingAmount: 100_000,
+		SatPerVbyte:        10,
+	}
+
+	_, err := manager.OpenChannel(context.Background(), req)
+	require.ErrorContains(t, err, "stop after selection")
+	require.Len(t, depositManager.calls, 1)
+	require.Equal(t, deposit.OnOpeningChannel, depositManager.calls[0].event)
+	require.NotContains(t, depositManager.calls[0].outpoints, unconfirmed.OutPoint)
+}
+
+// TestOpenChannelFundMaxSkipsUnconfirmed verifies that fundmax only locks
+// confirmed deposits.
+func TestOpenChannelFundMaxSkipsUnconfirmed(t *testing.T) {
+	t.Parallel()
+
+	confirmed := &deposit.Deposit{
+		OutPoint:           testOutPoint(1),
+		Value:              200_000,
+		ConfirmationHeight: 10,
+	}
+	unconfirmed := &deposit.Deposit{
+		OutPoint: testOutPoint(2),
+		Value:    300_000,
+	}
+
+	depositManager := &mockDepositManager{
+		activeDeposits: []*deposit.Deposit{
+			unconfirmed, confirmed,
+		},
+		transitionErrs: map[fsm.EventType]error{
+			deposit.OnOpeningChannel: errors.New("stop after selection"),
+		},
+	}
+	manager := &Manager{
+		cfg: &Config{
+			DepositManager: depositManager,
+		},
+	}
+
+	req := &lnrpc.OpenChannelRequest{
+		NodePubkey:  make([]byte, 33),
+		FundMax:     true,
+		SatPerVbyte: 10,
+	}
+
+	_, err := manager.OpenChannel(context.Background(), req)
+	require.ErrorContains(t, err, "stop after selection")
+	require.Len(t, depositManager.calls, 1)
+	require.Equal(
+		t, []wire.OutPoint{confirmed.OutPoint},
+		depositManager.calls[0].outpoints,
+	)
+}
+
 // TestValidateInitialPsbtFlags verifies that request fields incompatible with
 // PSBT funding are rejected early, before any deposits are locked.
 func TestValidateInitialPsbtFlags(t *testing.T) {

staticaddr/withdraw/manager.go

@@ -381,6 +381,15 @@ func (m *Manager) WithdrawDeposits(ctx context.Context,
 		}
 	}
 
+	for _, d := range deposits {
+		// Deposited now includes mempool outputs for static loop-ins, but
+		// withdrawals still require the deposit input to be confirmed.
+		if d.ConfirmationHeight <= 0 {
+			return "", "", fmt.Errorf("can't withdraw, " +
+				"unconfirmed deposits can't be withdrawn")
+		}
+	}
+
 	var (
 		withdrawalAddress btcutil.Address
 		err               error