I won't comment on the code, but I have an opinion about the problem mentioned by Peter Todd.
1) It's dumb. If I do a CPFP on an old transaction, I want that
transaction to get mined and am willing to pay money. It's silly to make
me jump through the hoop of rebroadcasting it again when it expires.
Unless the old transaction is about to be dropped (either because of a lower fee rate compared with other TXs in the mempool, or because it has been almost 2 weeks since it was broadcast), doing a proper CPFP allows all involved TXs to be confirmed within the next few blocks.
2) It's a free-relay DoS attack: just prior to A expiring, I could
broadcast B, a very large transaction, and use up bandwidth for "free".
Frankly, I'm not very concerned about this. But if you care, you
should fix this.
This is definitely concerning, but it assumes major mining pools use the default behavior (such as a 300MB mempool and dropping TXs from the mempool after 2 weeks). There's a possibility the attacker loses a small amount of money if one or more mining pools modify the behavior (to a >300MB and >2 week limit).
And looking at
https://ninjastic.space/post/65006434, he also forgot to copy the last part of Peter Todd's post.