Use realistic dummy-hop defaults in blinded path admission

Replace the zeroed DummyTlvs defaults with stable relay-like fee, CLTV,
and HTLC minimum values, and reuse the same minimum aggregation logic
in both blinded payinfo construction and router-created blinded path
admission.

Dummy hops only provide cover if they resemble plausible forwarding
hops. Once those defaults become non-trivial, the router also has to
reject candidate blinded paths whose requested amount falls below the
minimum implied by the hidden tail; otherwise path admission and
advertised payinfo can diverge.

Document the default constants in code, share the helper that folds
downstream minimums backward through relay fees, and add router
coverage for the under-minimum admission case.

Co-Authored-By: OpenAI Codex <codex@openai.com>

Author: shaavan

lightning/src/blinded_path/payment.rs

@@ -392,15 +392,57 @@ pub struct DummyTlvs {
 	pub payment_constraints: PaymentConstraints,
 }
 
-impl Default for DummyTlvs {
-	fn default() -> Self {
-		let payment_relay =
-			PaymentRelay { cltv_expiry_delta: 0, fee_proportional_millionths: 0, fee_base_msat: 0 };
+// Default parameters used for dummy hops in blinded paths.
+//
+// These values are chosen to resemble typical forwarding hops while remaining
+// stable and predictable for tests.
+
+/// Adds a realistic but stable CLTV cost per dummy hop.
+///
+/// The router folds this into the blinded path's advertised CLTV delta, so it must
+/// be non-trivial enough to model hidden relay latency while remaining predictable
+/// for tests and callers reasoning about timeout budgets.
+pub(crate) const DEFAULT_DUMMY_HOP_CLTV_EXPIRY_DELTA: u16 = 80;
+
+/// Keeps dummy-hop fee aggregation linear and deterministic.
+///
+/// A non-zero proportional fee would compound across dummy hops and introduce rounding
+/// effects into blinded payinfo. The base fee still makes dummy hops look like plausible relays.
+pub(crate) const DEFAULT_DUMMY_HOP_FEE_PROPORTIONAL_MILLIONTHS: u32 = 0;
+
+/// Matches the default relay base fee used by the standard test channel configuration.
+///
+/// This keeps dummy hops aligned with typical forwarding hops in tests rather than
+/// making them appear unrealistically cheap or expensive.
+pub(crate) const DEFAULT_DUMMY_HOP_FEE_BASE_MSAT: u32 = 1000;
 
-		let payment_constraints =
-			PaymentConstraints { max_cltv_expiry: u32::MAX, htlc_minimum_msat: 0 };
+/// Leaves the dummy hop's absolute CLTV ceiling effectively unbounded by default.
+///
+/// `PaymentConstraints::max_cltv_expiry` is interpreted as an absolute block height, so using a
+/// fixed low value here would cause dummy hops to reject otherwise-valid payments on live chains.
+pub(crate) const DEFAULT_DUMMY_HOP_MAX_CLTV_EXPIRY: u32 = u32::MAX;
+
+/// Matches the default test channel HTLC minimum.
+///
+/// The router takes the max of the introduction node's inbound HTLC minimum and this value,
+/// so keeping them aligned prevents dummy hops from unexpectedly tightening or loosening
+/// admission.
+pub(crate) const DEFAULT_DUMMY_HOP_HTLC_MINIMUM_MSAT: u64 = 1000;
 
-		Self { payment_relay, payment_constraints }
+impl Default for DummyTlvs {
+	/// Returns the documented default relay requirements and constraints for synthetic hops.
+	fn default() -> Self {
+		Self {
+			payment_relay: PaymentRelay {
+				cltv_expiry_delta: DEFAULT_DUMMY_HOP_CLTV_EXPIRY_DELTA,
+				fee_proportional_millionths: DEFAULT_DUMMY_HOP_FEE_PROPORTIONAL_MILLIONTHS,
+				fee_base_msat: DEFAULT_DUMMY_HOP_FEE_BASE_MSAT,
+			},
+			payment_constraints: PaymentConstraints {
+				max_cltv_expiry: DEFAULT_DUMMY_HOP_MAX_CLTV_EXPIRY,
+				htlc_minimum_msat: DEFAULT_DUMMY_HOP_HTLC_MINIMUM_MSAT,
+			},
+		}
 	}
 }
 
@@ -791,6 +833,20 @@ pub(crate) fn amt_to_forward_msat(
 	u64::try_from(amt_to_forward).ok()
 }
 
+pub(crate) fn compute_next_htlc_minimum_msat(
+	htlc_minimum_msat: u64, payment_constraints: &PaymentConstraints, payment_relay: &PaymentRelay,
+) -> u64 {
+	// Fold the next hop's minimum backwards through its relay fees to recover the minimum amount the
+	// previous hop must receive.
+	amt_to_forward_msat(
+		core::cmp::max(payment_constraints.htlc_minimum_msat, htlc_minimum_msat),
+		payment_relay,
+	)
+	// If reversing the fee calculation would require less than 1 msat, clamp to 1 since any
+	// positive incoming amount already satisfies the next hop's minimum once fees are accounted for.
+	.unwrap_or(1)
+}
+
 // Returns (aggregated_base_fee, aggregated_proportional_fee)
 pub(crate) fn compute_aggregated_base_prop_fee<I>(hops_fees: I) -> Result<(u64, u64), ()>
 where
@@ -854,14 +910,14 @@ pub(super) fn compute_payinfo(
 		cltv_expiry_delta =
 			cltv_expiry_delta.checked_add(node.tlvs.payment_relay.cltv_expiry_delta).ok_or(())?;
 
-		// The min htlc for an intermediate node is that node's min minus the fees charged by all of the
-		// following hops for forwarding that min, since that fee amount will automatically be included
-		// in the amount that this node receives and contribute towards reaching its min.
-		htlc_minimum_msat = amt_to_forward_msat(
-			core::cmp::max(node.tlvs.payment_constraints.htlc_minimum_msat, htlc_minimum_msat),
+		// The min htlc for an intermediate node is that node's min minus the fees charged by all of
+		// the following hops for forwarding that min, since that fee amount will automatically be
+		// included in the amount that this node receives and contribute towards reaching its min.
+		htlc_minimum_msat = compute_next_htlc_minimum_msat(
+			htlc_minimum_msat,
+			&node.tlvs.payment_constraints,
 			&node.tlvs.payment_relay,
-		)
-		.unwrap_or(1); // If underflow occurs, we definitely reached this node's min
+		);
 		htlc_maximum_msat = amt_to_forward_msat(
 			core::cmp::min(node.htlc_maximum_msat, htlc_maximum_msat),
 			&node.tlvs.payment_relay,
@@ -872,11 +928,11 @@ pub(super) fn compute_payinfo(
 		cltv_expiry_delta =
 			cltv_expiry_delta.checked_add(dummy_tlvs.payment_relay.cltv_expiry_delta).ok_or(())?;
 
-		htlc_minimum_msat = amt_to_forward_msat(
-			core::cmp::max(dummy_tlvs.payment_constraints.htlc_minimum_msat, htlc_minimum_msat),
+		htlc_minimum_msat = compute_next_htlc_minimum_msat(
+			htlc_minimum_msat,
+			&dummy_tlvs.payment_constraints,
 			&dummy_tlvs.payment_relay,
-		)
-		.unwrap_or(1); // If underflow occurs, we definitely reached this node's min
+		);
 	}
 	htlc_minimum_msat =
 		core::cmp::max(payee_tlvs.payment_constraints.htlc_minimum_msat, htlc_minimum_msat);

lightning/src/ln/async_payments_tests.rs

@@ -11,7 +11,9 @@ use crate::blinded_path::message::{
 	BlindedMessagePath, MessageContext, NextMessageHop, OffersContext,
 };
 use crate::blinded_path::payment::{AsyncBolt12OfferContext, BlindedPaymentTlvs};
-use crate::blinded_path::payment::{DummyTlvs, PaymentContext};
+use crate::blinded_path::payment::{
+	DummyTlvs, PaymentContext, DEFAULT_DUMMY_HOP_CLTV_EXPIRY_DELTA,
+};
 use crate::chain::channelmonitor::{HTLC_FAIL_BACK_BUFFER, LATENCY_GRACE_PERIOD_BLOCKS};
 use crate::events::{
 	Event, EventsProvider, HTLCHandlingFailureReason, HTLCHandlingFailureType, PaidBolt12Invoice,
@@ -3034,11 +3036,16 @@ fn held_htlc_timeout() {
 	// Extract the release_htlc_om, but don't deliver it to the sender's LSP.
 	let _ = extract_release_htlc_oms(recipient, &[sender, sender_lsp, invoice_server]);
 
+	// Dummy hops add to the blinded path's total advertised CLTV delta.
+	let additional_cltv_expiry =
+		DEFAULT_PAYMENT_DUMMY_HOPS as u32 * DEFAULT_DUMMY_HOP_CLTV_EXPIRY_DELTA as u32;
+
 	// Connect blocks to the sender's LSP until they timeout the HTLC.
 	connect_blocks(
 		sender_lsp,
 		MIN_CLTV_EXPIRY_DELTA as u32
 			+ TEST_FINAL_CLTV
+			+ additional_cltv_expiry
 			+ HTLC_FAIL_BACK_BUFFER
 			+ LATENCY_GRACE_PERIOD_BLOCKS,
 	);

lightning/src/routing/router.rs

@@ -13,8 +13,8 @@ use bitcoin::secp256k1::{self, PublicKey, Secp256k1};
 use lightning_invoice::Bolt11Invoice;
 
 use crate::blinded_path::payment::{
-	BlindedPaymentPath, DummyTlvs, ForwardTlvs, PaymentConstraints, PaymentForwardNode,
-	PaymentRelay, ReceiveTlvs,
+	compute_next_htlc_minimum_msat, BlindedPaymentPath, DummyTlvs, ForwardTlvs, PaymentConstraints,
+	PaymentForwardNode, PaymentRelay, ReceiveTlvs,
 };
 use crate::blinded_path::{BlindedHop, Direction, IntroductionNode};
 use crate::crypto::chacha20::ChaCha20;
@@ -150,6 +150,7 @@ where
 		let network_graph = self.network_graph.deref().read_only();
 		let is_recipient_announced =
 			network_graph.nodes().contains_key(&NodeId::from_pubkey(&recipient));
+		let dummy_tlvs = DummyTlvs::default();
 
 		let paths = first_hops.into_iter()
 			.filter(|details| details.counterparty.features.supports_route_blinding())
@@ -176,12 +177,32 @@ where
 					None => return None,
 				};
 
-				let cltv_expiry_delta = payment_relay.cltv_expiry_delta as u32;
+				let cltv_expiry_delta = payment_relay.cltv_expiry_delta as u32
+					+ dummy_tlvs.payment_relay.cltv_expiry_delta as u32 * DEFAULT_PAYMENT_DUMMY_HOPS as u32;
+				let dummy_hops_htlc_minimum_msat = [dummy_tlvs; DEFAULT_PAYMENT_DUMMY_HOPS]
+					.iter()
+					.fold(1, |htlc_minimum_msat, dummy_tlvs| {
+						compute_next_htlc_minimum_msat(
+							htlc_minimum_msat,
+							&dummy_tlvs.payment_constraints,
+							&dummy_tlvs.payment_relay,
+						)
+					});
+				let htlc_minimum_msat = cmp::max(
+					details.inbound_htlc_minimum_msat.unwrap_or(0),
+					cmp::max(
+						tlvs.payment_constraints.htlc_minimum_msat,
+						dummy_hops_htlc_minimum_msat,
+					),
+				);
+				if amount_msats.unwrap_or(u64::MAX) < htlc_minimum_msat {
+					return None;
+				}
 				let payment_constraints = PaymentConstraints {
 					max_cltv_expiry: tlvs.payment_constraints
 						.max_cltv_expiry
 						.saturating_add(cltv_expiry_delta),
-					htlc_minimum_msat: details.inbound_htlc_minimum_msat.unwrap_or(0),
+					htlc_minimum_msat,
 				};
 				Some(PaymentForwardNode {
 					tlvs: ForwardTlvs {
@@ -197,7 +218,7 @@ where
 			})
 			.map(|forward_node| {
 				BlindedPaymentPath::new_with_dummy_hops(
-					&[forward_node], recipient, &[DummyTlvs::default(); DEFAULT_PAYMENT_DUMMY_HOPS],
+					&[forward_node], recipient, &[dummy_tlvs; DEFAULT_PAYMENT_DUMMY_HOPS],
 					local_node_receive_key, tlvs.clone(), u64::MAX, MIN_FINAL_CLTV_EXPIRY_DELTA, &self.entropy_source, secp_ctx
 				)
 			})
@@ -209,7 +230,7 @@ where
 			_ => {
 				if network_graph.nodes().contains_key(&NodeId::from_pubkey(&recipient)) {
 					BlindedPaymentPath::new_with_dummy_hops(
-						&[], recipient, &[DummyTlvs::default(); DEFAULT_PAYMENT_DUMMY_HOPS],
+						&[], recipient, &[dummy_tlvs; DEFAULT_PAYMENT_DUMMY_HOPS],
 						local_node_receive_key, tlvs, u64::MAX, MIN_FINAL_CLTV_EXPIRY_DELTA, &self.entropy_source, secp_ctx
 					).map(|path| vec![path])
 				} else {
@@ -4077,21 +4098,26 @@ fn build_route_from_hops_internal<L: Logger>(
 
 #[cfg(test)]
 mod tests {
-	use crate::blinded_path::payment::{BlindedPayInfo, BlindedPaymentPath};
+	use crate::blinded_path::payment::{
+		BlindedPayInfo, BlindedPaymentPath, Bolt12RefundContext, PaymentConstraints,
+		PaymentContext, ReceiveTlvs,
+	};
 	use crate::blinded_path::BlindedHop;
 	use crate::chain::transaction::OutPoint;
 	use crate::crypto::chacha20::ChaCha20;
 	use crate::ln::chan_utils::make_funding_redeemscript;
-	use crate::ln::channel_state::{ChannelCounterparty, ChannelDetails, ChannelShutdownState};
+	use crate::ln::channel_state::{
+		ChannelCounterparty, ChannelDetails, ChannelShutdownState, CounterpartyForwardingInfo,
+	};
 	use crate::ln::channelmanager;
 	use crate::ln::msgs::{UnsignedChannelUpdate, MAX_VALUE_MSAT};
 	use crate::ln::types::ChannelId;
 	use crate::routing::gossip::{EffectiveCapacity, NetworkGraph, NodeId, P2PGossipSync};
 	use crate::routing::router::{
 		add_random_cltv_offset, build_route_from_hops_internal, default_node_features, get_route,
-		BlindedPathCandidate, BlindedTail, CandidateRouteHop, InFlightHtlcs, Path,
+		BlindedPathCandidate, BlindedTail, CandidateRouteHop, DefaultRouter, InFlightHtlcs, Path,
 		PaymentParameters, PublicHopCandidate, Route, RouteHint, RouteHintHop, RouteHop,
-		RouteParameters, RoutingFees, ScorerAccountingForInFlightHtlcs,
+		RouteParameters, Router, RoutingFees, ScorerAccountingForInFlightHtlcs,
 		DEFAULT_MAX_TOTAL_CLTV_EXPIRY_DELTA, MAX_PATH_LENGTH_ESTIMATE,
 	};
 	use crate::routing::scoring::{
@@ -4101,6 +4127,7 @@ mod tests {
 	use crate::routing::test_utils::*;
 	use crate::routing::utxo::UtxoResult;
 	use crate::types::features::{BlindedHopFeatures, ChannelFeatures, InitFeatures, NodeFeatures};
+	use crate::types::payment::PaymentSecret;
 	use crate::util::config::UserConfig;
 	#[cfg(c_bindings)]
 	use crate::util::ser::Writer;
@@ -4120,7 +4147,8 @@ mod tests {
 
 	use crate::io::Cursor;
 	use crate::prelude::*;
-	use crate::sync::{Arc, Mutex};
+	use crate::sign::{RandomBytes, ReceiveAuthKey};
+	use crate::sync::{Arc, Mutex, RwLock};
 
 	#[rustfmt::skip]
 	fn get_channel_details(short_channel_id: Option<u64>, node_id: PublicKey,
@@ -8980,6 +9008,57 @@ mod tests {
 		} else { panic!() }
 	}
 
+	#[test]
+	fn blinded_path_creation_respects_dummy_tail_htlc_minimum() {
+		let secp_ctx = Secp256k1::new();
+		let logger = Arc::new(ln_test_utils::TestLogger::new());
+		let network_graph = Arc::new(NetworkGraph::new(Network::Testnet, Arc::clone(&logger)));
+		let scorer = Arc::new(RwLock::new(ln_test_utils::TestScorer::new()));
+		let router = DefaultRouter::new(
+			Arc::clone(&network_graph),
+			Arc::clone(&logger),
+			Arc::new(RandomBytes::new([42; 32])),
+			Arc::clone(&scorer),
+			Default::default(),
+		);
+		let config = UserConfig::default();
+
+		let mut first_hop = get_channel_details(
+			Some(42),
+			ln_test_utils::pubkey(43),
+			channelmanager::provided_init_features(&config),
+			1_000_000,
+		);
+		first_hop.inbound_capacity_msat = 1_000_000;
+		first_hop.inbound_htlc_minimum_msat = Some(1_000);
+		first_hop.inbound_htlc_maximum_msat = Some(1_000_000);
+		first_hop.counterparty.forwarding_info = Some(CounterpartyForwardingInfo {
+			fee_base_msat: 1_000,
+			fee_proportional_millionths: 0,
+			cltv_expiry_delta: 18,
+		});
+
+		let tlvs = ReceiveTlvs {
+			payment_secret: PaymentSecret([0; 32]),
+			payment_constraints: PaymentConstraints {
+				max_cltv_expiry: u32::MAX,
+				htlc_minimum_msat: 2_500,
+			},
+			payment_context: PaymentContext::Bolt12Refund(Bolt12RefundContext {}),
+		};
+
+		assert!(router
+			.create_blinded_payment_paths(
+				ln_test_utils::pubkey(44),
+				ReceiveAuthKey([41; 32]),
+				vec![first_hop],
+				tlvs,
+				Some(2_000),
+				&secp_ctx,
+			)
+			.is_err());
+	}
+
 	#[test]
 	#[rustfmt::skip]
 	fn path_contribution_includes_min_htlc_overpay() {