feat(common): overflow-safe deposit->token reconciliation scaling (#5)#47
Merged
elizabetheonoja-art merged 1 commit intoJun 25, 2026
Conversation
…ility-Protocol#5)

Reconciling deposits to token supply computes deposit_amount * TOKEN_SCALE_FACTOR (10^18) / ASSET_PRECISION. A naive u128 implementation overflows the intermediate product (e.g. deposit = u128::MAX, precision = 1) and wraps silently, minting wildly wrong amounts.

Add contracts/common/src/scaling.rs (pure no_std, no new deps), built on the exact 256-bit mul_div_floor from the weighted_rate module:

- reconcile_tokens(deposit, precision) -> Result<u128, ScaleError>: validates ASSET_PRECISION in [1, 10^12], computes with 256-bit intermediate precision (never wraps), returns Err(Overflow) when the true result exceeds u128 instead of a silently wrapped value; floor rounding so it never over-mints
- scale(amount, scale_factor, precision): generic variant
- is_valid_precision / is_safe_deposit / MAX_SAFE_DEPOSIT helpers
- tests: simple conversions, precision-bounds rejection, the crafted u128::MAX overflow rejected-not-wrapped, MAX_SAFE_DEPOSIT boundary, large deposit + large precision, floor-never-over-mints, and a 5000-iter property sweep asserting exact equality with a native reference

docs/specs/reconciliation-scaling.md documents the strategy and why 256-bit mul_div suffices (no 512-bit uint dependency needed).

Note: no reconcile_deposit contract exists in the repo (issue paths are fictional); the verified primitive lands in common for a future entry point to call.
elizabetheonoja-art approved these changes Jun 25, 2026
feat(common): overflow-safe deposit → token reconciliation scaling

Closes #5

Solution

contracts/common/src/scaling.rs (pure #![no_std], no new dependencies), built on the exact 256-bit mul_div_floor from crate::weighted_rate:

- reconcile_tokens(deposit_amount, asset_precision) -> Result<u128, ScaleError>
  - ASSET_PRECISION ∈ [1, 10¹²] → Err(InvalidPrecision);
  - deposit × 10¹⁸ in full 256-bit precision and divides exactly — it never wraps;
  - Err(Overflow) when the mathematically-correct token amount exceeds u128::MAX, instead of a silently wrapped value;
  - unit).
- scale(amount, scale_factor, precision) — generic variant.
- is_valid_precision, is_safe_deposit, MAX_SAFE_DEPOSIT — conservative early-reject helpers for callers that want them.

Files

- contracts/common/src/scaling.rs (new)
- contracts/common/src/lib.rs (register module)
- contracts/docs/specs/reconciliation-scaling.md (new)
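The reconciliation math the PR describes, as an added, dependency-free example rather than the project's own contracts/common/src/scaling.rs or its crate::weighted_rate mul_div_floor: the 256-bit product is built from 64-bit limbs, the quotient is recovered by shift-subtract long division, and the `hi >= divisor` check is what turns a would-be wrap into Err(Overflow). The naive u128 form is kept beside it to show the silent wrap. Function and constant names mirror the PR text but are assumptions here, as are MAX_PRECISION and the two-variant ScaleError.

```rust
// Added example, not the project's scaling.rs. Names follow the PR description
// (reconcile_tokens, scale, is_valid_precision, is_safe_deposit,
// MAX_SAFE_DEPOSIT, ScaleError) but are assumed, not taken from the repo.

/// TOKEN_SCALE_FACTOR = 10^18, as stated in the PR description.
pub const TOKEN_SCALE_FACTOR: u128 = 1_000_000_000_000_000_000;
/// Upper bound on ASSET_PRECISION (10^12, per the PR); name is assumed.
pub const MAX_PRECISION: u128 = 1_000_000_000_000;
/// Largest deposit that fits in u128 for every valid precision (precision = 1 is worst).
pub const MAX_SAFE_DEPOSIT: u128 = u128::MAX / TOKEN_SCALE_FACTOR;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ScaleError {
    InvalidPrecision,
    Overflow,
}

/// Full 256-bit product a * b as (hi, lo) 128-bit limbs. Never wraps.
pub fn mul_wide(a: u128, b: u128) -> (u128, u128) {
    let mask = u64::MAX as u128;
    let (a_hi, a_lo) = (a >> 64, a & mask);
    let (b_hi, b_lo) = (b >> 64, b & mask);
    // Each partial product of two 64-bit halves fits in u128.
    let ll = a_lo * b_lo;
    let lh = a_lo * b_hi;
    let hl = a_hi * b_lo;
    let hh = a_hi * b_hi;
    // The cross terms sit 64 bits up; their sum may carry into bit 128.
    let (mid, carry_mid) = lh.overflowing_add(hl);
    let mid_lo = mid << 64;
    let mid_hi = (mid >> 64) + ((carry_mid as u128) << 64);
    let (lo, carry_lo) = ll.overflowing_add(mid_lo);
    let hi = hh + mid_hi + carry_lo as u128;
    (hi, lo)
}

/// floor((hi * 2^128 + lo) / d). Err(Overflow) when the quotient needs more than 128 bits.
/// Bit-serial long division: slow but obviously exact; the remainder stays below d.
pub fn div_wide(hi: u128, lo: u128, d: u128) -> Result<u128, ScaleError> {
    debug_assert!(d != 0, "caller validates the divisor");
    if hi >= d {
        return Err(ScaleError::Overflow); // quotient would be >= 2^128
    }
    let mut rem: u128 = 0;
    let mut quot: u128 = 0;
    for i in (0u32..256).rev() {
        let bit = if i >= 128 { (hi >> (i - 128)) & 1 } else { (lo >> i) & 1 };
        let top = rem >> 127; // the bit that (rem << 1) pushes out of u128
        rem = (rem << 1) | bit;
        // True remainder is rem + top * 2^128 and is < 2d, so at most one subtraction.
        if top == 1 || rem >= d {
            rem = rem.wrapping_sub(d); // exact: the wrap cancels the lost 2^128
            debug_assert!(i < 128, "hi < d rules out quotient bits above 127");
            quot |= 1u128 << i;
        }
    }
    Ok(quot)
}

/// Exact floor(amount * scale_factor / precision) through a 256-bit intermediate.
pub fn scale(amount: u128, scale_factor: u128, precision: u128) -> Result<u128, ScaleError> {
    if precision == 0 {
        return Err(ScaleError::InvalidPrecision);
    }
    let (hi, lo) = mul_wide(amount, scale_factor);
    div_wide(hi, lo, precision)
}

pub fn is_valid_precision(precision: u128) -> bool {
    (1..=MAX_PRECISION).contains(&precision)
}

pub fn is_safe_deposit(deposit: u128) -> bool {
    deposit <= MAX_SAFE_DEPOSIT
}

/// deposit * 10^18 / precision, rejecting bad precision and results beyond u128.
pub fn reconcile_tokens(deposit: u128, precision: u128) -> Result<u128, ScaleError> {
    if !is_valid_precision(precision) {
        return Err(ScaleError::InvalidPrecision);
    }
    scale(deposit, TOKEN_SCALE_FACTOR, precision)
}

/// The naive u128 form the PR warns about: the intermediate product wraps silently.
pub fn naive_reconcile(deposit: u128, precision: u128) -> u128 {
    deposit.wrapping_mul(TOKEN_SCALE_FACTOR) / precision
}

fn main() {
    println!("1.5 units @ 10^6:       {:?}", reconcile_tokens(1_500_000, 1_000_000));
    println!("u128::MAX @ 1 checked:  {:?}", reconcile_tokens(u128::MAX, 1));
    println!("u128::MAX @ 1 naive:    {}", naive_reconcile(u128::MAX, 1));
    println!("10^30 @ 10^12:          {:?}", reconcile_tokens(10u128.pow(30), 10u128.pow(12)));
}
```

The 256-iteration division is chosen for verifiability, not speed; a production primitive would divide word-wise, but the overflow condition is the same either way: the quotient fits in u128 exactly when the high limb of the product is smaller than the divisor. The 10^30 / 10^12 case is the one worth keeping in a test suite, because the result fits in u128 while the intermediate product does not, so it separates a genuine 256-bit implementation from a checked_mul that merely errors early.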