lightningdevkit · joostjager · Nov 14, 2025 · Nov 21, 2025 · Nov 11, 2025 · Nov 21, 2025
diff --git a/ci/ci-tests.sh b/ci/ci-tests.sh
@@ -46,6 +46,11 @@ cargo test -p lightning --verbose --color always --features dnssec
 cargo check -p lightning --verbose --color always --features dnssec
 cargo doc -p lightning --document-private-items --features dnssec
 
+echo -e "\n\nChecking and testing lightning with safe_channels"
+cargo test -p lightning --verbose --color always --features safe_channels
+cargo check -p lightning --verbose --color always --features safe_channels
+cargo doc -p lightning --document-private-items --features safe_channels
+
 echo -e "\n\nChecking and testing Block Sync Clients with features"
 
 cargo test -p lightning-block-sync --verbose --color always --features rest-client

diff --git a/lightning/Cargo.toml b/lightning/Cargo.toml
@@ -23,6 +23,7 @@ _externalize_tests = ["inventory", "_test_utils"]
 # Allow signing of local transactions that may have been revoked or will be revoked, for functional testing (e.g. justice tx handling).
 # This is unsafe to use in production because it may result in the counterparty publishing taking our funds.
 unsafe_revoked_tx_signing = []
+safe_channels = []
 
 std = []
 

diff --git a/lightning/src/chain/channelmonitor.rs b/lightning/src/chain/channelmonitor.rs
@@ -50,6 +50,8 @@ use crate::ln::chan_utils::{
 	self, ChannelTransactionParameters, CommitmentTransaction, CounterpartyCommitmentSecrets,
 	HTLCClaim, HTLCOutputInCommitment, HolderCommitmentTransaction,
 };
+#[cfg(feature = "safe_channels")]
+use crate::ln::channel::FundedChannelState;
 use crate::ln::channel::INITIAL_COMMITMENT_NUMBER;
 use crate::ln::channel_keys::{
 	DelayedPaymentBasepoint, DelayedPaymentKey, HtlcBasepoint, HtlcKey, RevocationBasepoint,
@@ -111,8 +113,28 @@ pub struct ChannelMonitorUpdate {
 	/// Will be `None` for `ChannelMonitorUpdate`s constructed on LDK versions prior to 0.0.121 and
 	/// always `Some` otherwise.
 	pub channel_id: Option<ChannelId>,
+
+	/// The channel state associated with this ChannelMonitorUpdate, if any.
+	#[cfg(feature = "safe_channels")]
+	pub channel_state: Option<UpdateChannelState>,
+}
+
+/// The state of a channel to be stored alongside a ChannelMonitor. For closed channels, no state is stored.
+#[cfg(feature = "safe_channels")]
+#[derive(Clone, Debug, PartialEq, Eq)]
+pub enum UpdateChannelState {
+	/// Open channel in funded state.
+	Funded(FundedChannelState),
+	/// Closed channel.
+	Closed,
 }
 
+#[cfg(feature = "safe_channels")]
+impl_writeable_tlv_based_enum!(UpdateChannelState,
+	(1, Closed) => {},
+	{0, Funded} => (),
+);
+
 impl ChannelMonitorUpdate {
 	pub(crate) fn internal_renegotiated_funding_data(
 		&self,
@@ -156,10 +178,17 @@ impl Writeable for ChannelMonitorUpdate {
 		for update_step in self.updates.iter() {
 			update_step.write(w)?;
 		}
+		#[cfg(not(feature = "safe_channels"))]
 		write_tlv_fields!(w, {
 			// 1 was previously used to store `counterparty_node_id`
 			(3, self.channel_id, option),
 		});
+		#[cfg(feature = "safe_channels")]
+		write_tlv_fields!(w, {
+			// 1 was previously used to store `counterparty_node_id`
+			(3, self.channel_id, option),
+			(5, self.channel_state, option)
+		});
 		Ok(())
 	}
 }
@@ -176,11 +205,24 @@ impl Readable for ChannelMonitorUpdate {
 			}
 		}
 		let mut channel_id = None;
+		#[cfg(not(feature = "safe_channels"))]
 		read_tlv_fields!(r, {
 			// 1 was previously used to store `counterparty_node_id`
 			(3, channel_id, option),
 		});
-		Ok(Self { update_id, updates, channel_id })
+		#[cfg(feature = "safe_channels")]
+		let mut channel_state = None;
+		#[cfg(feature = "safe_channels")]
+		read_tlv_fields!(r, {
+			// 1 was previously used to store `counterparty_node_id`
+			(3, channel_id, option),
+			(5, channel_state, option)
+		});
+		Ok(Self {
+			update_id, updates, channel_id,
+			#[cfg(feature = "safe_channels")]
+			channel_state
+		})
 	}
 }
 
@@ -1402,6 +1444,11 @@ pub(crate) struct ChannelMonitorImpl<Signer: EcdsaChannelSigner> {
 	/// make deciding whether to do so simple, here we track whether this monitor was last written
 	/// prior to 0.1.
 	written_by_0_1_or_later: bool,
+
+	/// The channel state as provided via the last `ChannelMonitorUpdate` or via a call to
+	/// [`ChannelMonitor::update_channel_state`].
+	#[cfg(feature = "safe_channels")]
+	channel_state: Option<UpdateChannelState>,
 }
 
 // Returns a `&FundingScope` for the one we are currently observing/handling commitment transactions
@@ -1521,6 +1568,12 @@ const MIN_SERIALIZATION_VERSION: u8 = 1;
 pub(crate) fn write_chanmon_internal<Signer: EcdsaChannelSigner, W: Writer>(
 	channel_monitor: &ChannelMonitorImpl<Signer>, _is_stub: bool, writer: &mut W,
 ) -> Result<(), Error> {
+	// Check that the encoded channel (if present) is consistent with the rest of the monitor. This sets an invariant
+	// for the safe_channels feature.
+	#[cfg(feature = "safe_channels")]
+	if let Some(UpdateChannelState::Funded(ref channel_state)) = channel_monitor.channel_state {
+		channel_monitor.check_channel_state_consistency(channel_state);
+	}
 	write_ver_prefix!(writer, SERIALIZATION_VERSION, MIN_SERIALIZATION_VERSION);
 
 	channel_monitor.latest_update_id.write(writer)?;
@@ -1733,6 +1786,7 @@ pub(crate) fn write_chanmon_internal<Signer: EcdsaChannelSigner, W: Writer>(
 			_ => channel_monitor.pending_monitor_events.clone(),
 		};
 
+	#[cfg(not(feature = "safe_channels"))]
 	write_tlv_fields!(writer, {
 		(1, channel_monitor.funding_spend_confirmed, option),
 		(3, channel_monitor.htlcs_resolved_on_chain, required_vec),
@@ -1757,6 +1811,32 @@ pub(crate) fn write_chanmon_internal<Signer: EcdsaChannelSigner, W: Writer>(
 		(37, channel_monitor.funding_seen_onchain, required),
 	});
 
+	#[cfg(feature = "safe_channels")]
+	write_tlv_fields!(writer, {
+		(1, channel_monitor.funding_spend_confirmed, option),
+		(3, channel_monitor.htlcs_resolved_on_chain, required_vec),
+		(5, pending_monitor_events, required_vec),
+		(7, channel_monitor.funding_spend_seen, required),
+		(9, channel_monitor.counterparty_node_id, required),
+		(11, channel_monitor.confirmed_commitment_tx_counterparty_output, option),
+		(13, channel_monitor.spendable_txids_confirmed, required_vec),
+		(15, channel_monitor.counterparty_fulfilled_htlcs, required),
+		(17, channel_monitor.initial_counterparty_commitment_info, option),
+		(19, channel_monitor.channel_id, required),
+		(21, channel_monitor.balances_empty_height, option),
+		(23, channel_monitor.holder_pays_commitment_tx_fee, option),
+		(25, channel_monitor.payment_preimages, required),
+		(27, channel_monitor.first_negotiated_funding_txo, required),
+		(29, channel_monitor.initial_counterparty_commitment_tx, option),
+		(31, channel_monitor.funding.channel_parameters, required),
+		(32, channel_monitor.pending_funding, optional_vec),
+		(33, channel_monitor.htlcs_resolved_to_user, required),
+		(34, channel_monitor.alternative_funding_confirmed, option),
+		(35, channel_monitor.is_manual_broadcast, required),
+		(37, channel_monitor.funding_seen_onchain, required),
+		(39, channel_monitor.channel_state, option),
+	});
+
 	Ok(())
 }
 
@@ -1994,6 +2074,8 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitor<Signer> {
 			alternative_funding_confirmed: None,
 
 			written_by_0_1_or_later: true,
+			#[cfg(feature = "safe_channels")]
+			channel_state: None,
 		})
 	}
 
@@ -2114,6 +2196,19 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitor<Signer> {
 		inner.update_monitor(updates, broadcaster, fee_estimator, &logger)
 	}
 
+	/// Gets the encoded channel data, if any, associated with this ChannelMonitor.
+	#[cfg(feature = "safe_channels")]
+	pub fn get_channel_state(&self) -> Option<UpdateChannelState> {
+		self.inner.lock().unwrap().channel_state.clone()
+	}
+
+	/// Updates the encoded channel data associated with this ChannelMonitor. To clear the encoded channel data (for
+	/// example after shut down of a channel), pass `None`.
+	#[cfg(feature = "safe_channels")]
+	pub fn update_channel_state(&self, channel_state: UpdateChannelState) {
+		self.inner.lock().unwrap().update_channel_state(channel_state);
+	}
+
 	/// Gets the update_id from the latest ChannelMonitorUpdate which was applied to this
 	/// ChannelMonitor.
 	///
@@ -2719,6 +2814,48 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitor<Signer> {
 }
 
 impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
+	#[cfg(feature = "safe_channels")]
+	fn check_channel_state_consistency(&self, encoded: &FundedChannelState) {
+		debug_assert!(
+			encoded.get_cur_holder_commitment_transaction_number()
+				<= self.get_cur_holder_commitment_number(),
+			"cur_holder_commitment_transaction_number - channel: {} vs monitor: {}",
+			encoded.get_cur_holder_commitment_transaction_number(),
+			self.get_cur_holder_commitment_number()
+		);
+		debug_assert!(
+			encoded.get_revoked_counterparty_commitment_transaction_number()
+				<= self.get_min_seen_secret(),
+			"revoked_counterparty_commitment_transaction_number - channel: {} vs monitor: {}",
+			encoded.get_revoked_counterparty_commitment_transaction_number(),
+			self.get_min_seen_secret()
+		);
+		debug_assert!(
+			encoded.get_cur_counterparty_commitment_transaction_number()
+				<= self.get_cur_counterparty_commitment_number(),
+			"cur_counterparty_commitment_transaction_number - channel: {} vs monitor: {}",
+			encoded.get_cur_counterparty_commitment_transaction_number(),
+			self.get_cur_counterparty_commitment_number()
+		);
+		debug_assert!(
+			encoded.latest_monitor_update_id >= self.get_latest_update_id(),
+			"latest_monitor_update_id - channel: {} vs monitor: {}",
+			encoded.latest_monitor_update_id,
+			self.get_latest_update_id()
+		);
+	}
+
+	#[cfg(feature = "safe_channels")]
+	fn update_channel_state(&mut self, encoded: UpdateChannelState) {
+		if let UpdateChannelState::Funded(ref channel) = encoded {
+			// Check that the encoded channel is consistent with the rest of the monitor. This sets an invariant for the
+			// safe_channels feature.
+			self.check_channel_state_consistency(channel);
+		}
+
+		self.channel_state = Some(encoded);
+	}
+
 	/// Helper for get_claimable_balances which does the work for an individual HTLC, generating up
 	/// to one `Balance` for the HTLC.
 	#[rustfmt::skip]
@@ -4405,6 +4542,13 @@ impl<Signer: EcdsaChannelSigner> ChannelMonitorImpl<Signer> {
 			}
 		}
 
+		// Assume that if the update contains no encoded channel, that the channel remained unchanged. We
+		// therefore do not update the monitor.
+		#[cfg(feature="safe_channels")]
+		if let Some(channel_state) = updates.channel_state.as_ref() {
+			self.update_channel_state(channel_state.clone());
+		}
+
 		if ret.is_ok() && self.no_further_updates_allowed() && is_pre_close_update {
 			log_error!(logger, "Refusing Channel Monitor Update as counterparty attempted to update commitment after funding was spent");
 			Err(())
@@ -6644,6 +6788,33 @@ impl<'a, 'b, ES: EntropySource, SP: SignerProvider> ReadableArgs<(&'a ES, &'b SP
 		let mut alternative_funding_confirmed = None;
 		let mut is_manual_broadcast = RequiredWrapper(None);
 		let mut funding_seen_onchain = RequiredWrapper(None);
+		#[cfg(not(feature="safe_channels"))]
+		read_tlv_fields!(reader, {
+			(1, funding_spend_confirmed, option),
+			(3, htlcs_resolved_on_chain, optional_vec),
+			(5, pending_monitor_events, optional_vec),
+			(7, funding_spend_seen, option),
+			(9, counterparty_node_id, option),
+			(11, confirmed_commitment_tx_counterparty_output, option),
+			(13, spendable_txids_confirmed, optional_vec),
+			(15, counterparty_fulfilled_htlcs, option),
+			(17, initial_counterparty_commitment_info, option),
+			(19, channel_id, option),
+			(21, balances_empty_height, option),
+			(23, holder_pays_commitment_tx_fee, option),
+			(25, payment_preimages_with_info, option),
+			(27, first_negotiated_funding_txo, (default_value, outpoint)),
+			(29, initial_counterparty_commitment_tx, option),
+			(31, channel_parameters, (option: ReadableArgs, None)),
+			(32, pending_funding, optional_vec),
+			(33, htlcs_resolved_to_user, option),
+			(34, alternative_funding_confirmed, option),
+			(35, is_manual_broadcast, (default_value, false)),
+			(37, funding_seen_onchain, (default_value, true)),
+		});
+		#[cfg(feature="safe_channels")]
+		let mut channel_state = None;
+		#[cfg(feature="safe_channels")]
 		read_tlv_fields!(reader, {
 			(1, funding_spend_confirmed, option),
 			(3, htlcs_resolved_on_chain, optional_vec),
@@ -6666,6 +6837,7 @@ impl<'a, 'b, ES: EntropySource, SP: SignerProvider> ReadableArgs<(&'a ES, &'b SP
 			(34, alternative_funding_confirmed, option),
 			(35, is_manual_broadcast, (default_value, false)),
 			(37, funding_seen_onchain, (default_value, true)),
+			(39, channel_state, option),
 		});
 		// Note that `payment_preimages_with_info` was added (and is always written) in LDK 0.1, so
 		// we can use it to determine if this monitor was last written by LDK 0.1 or later.
@@ -6843,6 +7015,8 @@ impl<'a, 'b, ES: EntropySource, SP: SignerProvider> ReadableArgs<(&'a ES, &'b SP
 			alternative_funding_confirmed,
 
 			written_by_0_1_or_later,
+			#[cfg(feature="safe_channels")]
+			channel_state,
 		});
 
 		if counterparty_node_id.is_none() {

diff --git a/lightning/src/ln/chan_utils.rs b/lightning/src/ln/chan_utils.rs
@@ -400,8 +400,7 @@ pub fn build_closing_transaction(to_holder_value_sat: Amount, to_counterparty_va
 ///
 /// Allows us to keep track of all of the revocation secrets of our counterparty in just 50*32 bytes
 /// or so.
-#[derive(Clone)]
-#[cfg_attr(test, derive(Debug))]
+#[derive(Clone, Debug)]
 pub struct CounterpartyCommitmentSecrets {
 	old_secrets: [([u8; 32], u64); 49],
 }