
feat: validate amount/duration upper bounds in create_commitment#544

Merged
1nonlypiece merged 2 commits into
Commitlabs-Org:masterfrom
egwujiohaifesinachiperpetual-max:master
May 29, 2026

Conversation

@egwujiohaifesinachiperpetual-max
Contributor

@egwujiohaifesinachiperpetual-max egwujiohaifesinachiperpetual-max commented May 28, 2026

Closes #469

This PR #469 addresses security and correctness in the escrow smart contract by adding input validation and overflow prevention for commitment parameters.

🛡️ Security & Correctness Enhancements

  1. Upper-Bound Sanity Validation: Enforced boundary limits on commitment parameters to align with backend CommitmentLimits:
    • MAX_AMOUNT: 1_000_000_000_000 (1T tokens)
    • MAX_DURATION_DAYS: 365 (1 year)
    • MAX_PENALTY_BPS: 10_000 (100% basis points early-exit limit)
  2. Checked Arithmetic: Replaced simple addition/multiplication in maturity calculation (now + duration * SECONDS_PER_DAY) with safe checked_add and checked_mul to eliminate integer overflow attacks.
  3. Structured Errors: Returns InvalidAmount or InvalidDuration if upper bounds or maturity calculations fail validation.

🧪 Robust Test Coverage

  • Refactoring: Fixed a nested syntax issue in the test suite to ensure helper tests are declared correctly at the module level.
  • New Unit Tests:
    • create_rejects_overflow_duration: Safely triggers maturity multiplication overflows to assert error handling.
    • create_rejects_excessive_amount: Asserts values above MAX_AMOUNT fail.
    • create_rejects_excessive_duration: Asserts durations above MAX_DURATION_DAYS fail.

📚 Documentation

  • Added a new Commitment limits section to contracts/README.md to document the constants and error conditions.

Verification & Build Results

A standalone MinGW/GNU toolchain was configured to successfully compile the smart contract and execute all tests locally:

running 13 tests
.............
test result: ok. 13 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.38s


---
### 📂 Walkthrough File Created
I have generated a walkthrough artifact detailing all of the implementation details, verification results, and design choices. You can review it at:  
📄 [walkthrough.md](file:///C:/Users/TOSHIBA/.gemini/antigravity/brain/8a2105ec-79c6-4173-93fe-74726584a49e/walkthrough.md)
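As an added illustration of the two checks the PR describes (upper-bound validation against the `CommitmentLimits` constants, and `checked_mul`/`checked_add` for the maturity timestamp), here is a stand-alone Rust model. It is example code written for this page, not the Commitlabs-Org contract or its tests: it has no Soroban SDK dependency, the `CommitmentParams` struct, the `i128`/`u64` parameter types, `SECONDS_PER_DAY = 86_400`, the separate `InvalidPenalty` variant and the `> 0` lower bounds are all assumptions made here, while `MAX_AMOUNT`, `MAX_DURATION_DAYS`, `MAX_PENALTY_BPS`, `InvalidAmount` and `InvalidDuration` are taken from the PR description.

```rust
// Added example, not the project's code. Constants and the InvalidAmount /
// InvalidDuration error names come from the PR description; everything else
// (parameter types, InvalidPenalty, lower bounds, SECONDS_PER_DAY) is assumed.

pub const MAX_AMOUNT: i128 = 1_000_000_000_000; // 1T tokens
pub const MAX_DURATION_DAYS: u64 = 365; // 1 year
pub const MAX_PENALTY_BPS: u32 = 10_000; // 100% in basis points
pub const SECONDS_PER_DAY: u64 = 86_400; // assumed value of the contract's constant

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum EscrowError {
    InvalidAmount,
    InvalidDuration,
    InvalidPenalty, // assumed variant; the PR only names the two above
}

/// Assumed shape of the create_commitment inputs.
#[derive(Debug, Clone, Copy)]
pub struct CommitmentParams {
    pub amount: i128,
    pub duration_days: u64,
    pub penalty_bps: u32,
}

/// The maturity calculation on its own: `now + duration * SECONDS_PER_DAY`
/// with checked arithmetic, so an oversized duration or a `now` close to
/// u64::MAX yields None instead of a silently wrapped timestamp.
pub fn compute_maturity(now: u64, duration_days: u64) -> Option<u64> {
    let duration_secs = duration_days.checked_mul(SECONDS_PER_DAY)?;
    now.checked_add(duration_secs)
}

/// Bound checks first, then the checked maturity calculation. Returns the
/// maturity timestamp on success so a caller can store it directly.
pub fn validate_and_maturity(now: u64, p: &CommitmentParams) -> Result<u64, EscrowError> {
    // Upper bounds mirror the backend limits; the zero lower bounds are an
    // assumption, since a zero-value or zero-length commitment is meaningless.
    if p.amount <= 0 || p.amount > MAX_AMOUNT {
        return Err(EscrowError::InvalidAmount);
    }
    if p.duration_days == 0 || p.duration_days > MAX_DURATION_DAYS {
        return Err(EscrowError::InvalidDuration);
    }
    if p.penalty_bps > MAX_PENALTY_BPS {
        return Err(EscrowError::InvalidPenalty);
    }
    // With the bound above the multiplication cannot overflow, but the checked
    // form keeps the contract safe if MAX_DURATION_DAYS is ever raised or the
    // ledger timestamp is unexpectedly large: an overflow becomes an error.
    compute_maturity(now, p.duration_days).ok_or(EscrowError::InvalidDuration)
}

fn main() {
    let ok = CommitmentParams { amount: 1, duration_days: 365, penalty_bps: 10_000 };
    println!("{:?}", validate_and_maturity(1_000, &ok));
    let too_long = CommitmentParams { duration_days: 366, ..ok };
    println!("{:?}", validate_and_maturity(1_000, &too_long));
    // Overflow path, bypassing the bound check to show the checked arithmetic alone:
    println!("{:?}", compute_maturity(0, u64::MAX));
}
```

The split between `compute_maturity` and `validate_and_maturity` is deliberate: the bound check is what normally rejects bad input, and the checked arithmetic is the defence-in-depth layer that turns any remaining overflow into `InvalidDuration` rather than a maturity timestamp in the past, which is the same layering the PR's `create_rejects_overflow_duration` test exercises.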

…ontracts-log-context-propagation

feat: propagate logging context and add input validation for escrow contract
…reate-commitment-upper-bounds

feat: validate amount/duration upper bounds in create_commitment
@vercel

vercel Bot commented May 28, 2026

@egwujiohaifesinachiperpetual-max is attempting to deploy a commit to the 1nonly's projects Team on Vercel.

A member of the Team first needs to authorize it.

@1nonlypiece 1nonlypiece merged commit f6978cc into Commitlabs-Org:master May 29, 2026
0 of 2 checks passed


Development

Successfully merging this pull request may close these issues.

Contracts - Add input validation for duration and amount upper bounds in create_commitment

2 participants