Ignore stale splice initial commitment_signed

[wpaulino]

After we complete a splice negotiation and see a FundingTransactionReadyForSigning event, the counterparty may already have sent its initial commitment_signed for the splice funding transaction. If we then cancel the funding contribution, our local channel state no longer tracks the pending splice attempt and queues tx_abort, but the in-flight commitment_signed can still arrive first. Handling that message against the post-abort channel state attempts to validate a signature for the now-stale splice funding transaction and can force-close the still-live channel.

We fix this by checking the optional funding_txid (which we expect all implementations to always include by default) included in commitment_signed before validating the commitment signature. If it does not match the channel's locked funding txid, we can safely ignore the stale message.

Fixes #4730.

[ldk-reviews-bot]

👋 Thanks for assigning @jkczyz as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

[ldk-claude-review-bot]

No issues found.

The fix is correct and backward-compatible:

• The new funding_txid check (channel.rs:8617-8625) only runs in the single (non-batch) commitment_signed path, which is reached only when pending_funding() is empty.
• The .expect("funded channel must have known txid") cannot panic: commitment_signed is always preceded by commitment_signed_check_state (channel.rs:8610), which requires ChannelState::ChannelReady, guaranteeing a set funding outpoint.
• msg.funding_txid is an optional TLV, so peers that omit it skip the check and retain prior behavior — no regression for legacy/non-splice channels.
• The stale aborted-splice commitment_signed carries the discarded splice funding txid, which won't match the still-locked funding txid, so it is correctly ignored rather than validated/force-closing the channel.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.94%. Comparing base (6965bc9) to head (b3e2dc8).
⚠️ Report is 3224 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4751      +/-   ##
==========================================
+ Coverage   84.55%   86.94%   +2.38%     
==========================================
  Files         137      161      +24     
  Lines       77617   111643   +34026     
  Branches    77617   111643   +34026     
==========================================
+ Hits        65627    97065   +31438     
- Misses       9948    12071    +2123     
- Partials     2042     2507     +465     

Flag	Coverage Δ
fuzzing-fake-hashes	8.43% <0.00%> (?)
fuzzing-real-hashes	32.41% <55.55%> (?)
tests	86.26% <100.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[jkczyz]

Do we need to do this in commitment_signed_batch, too? If so, should we move the check to validate_commitment_signed?

[wpaulino]

The initial commitment_signed should never go through that path, and commitment_signed_batch should already ignore stale funding attempts.

[ldk-reviews-bot]

👋 The first review has been submitted!

Do you think this PR is ready for a second reviewer? If so, click here to assign a second reviewer.