[Bug] awardRecommendedMerge uses rec.xp_reward from the database without capping to the difficulty-tier maximum, enabling XP inflation

[anshul23102]

Summary

In src/inngest/functions/process-pr-event.ts, the awardRecommendedMerge function passes rec.xp_reward directly from the database into insertXpEvent as the xpDelta. There is no validation against the defined tier caps in XP_REWARDS.RECOMMENDED_MERGE.

Affected File

src/inngest/functions/process-pr-event.ts

Root Cause

The insert call reads:

const inserted = await insertXpEvent({
  userId: rec.user_id,
  source: XP_SOURCE.RECOMMENDED_MERGE,
  refType: 'pr',
  refId: refIds.pr(repo, pr.number),
  repo,
  difficulty,
  xpDelta: rec.xp_reward ?? xpForMerge(difficulty),
});

rec.xp_reward comes directly from a database row. The constants defined in src/lib/xp/sources.ts are:

export const XP_REWARDS = {
  RECOMMENDED_MERGE: { E: 50, M: 150, H: 400 },
  // ...
} as const;

These caps are never applied when rec.xp_reward is non-null. Any row in the recommendations table with an inflated xp_reward value (via direct database access, a compromised migration, or a future bug in a write path) will award that uncapped amount without any application-layer check.

Impact

• A rec.xp_reward of 999999 for an Easy PR would be awarded as-is; the defined cap of 50 is silently bypassed.
• The idempotency guard (UNIQUE on user_id, source, ref_id) prevents double-awarding the same PR, but it does not prevent a single inflated award from being committed.
• Leaderboard rankings and any downstream XP-gated features are directly affected.

Steps to Reproduce

1. Insert a recommendations row with xp_reward = 9999 and difficulty E.
2. Merge a PR that matches the recommendation.
3. Observe the awarded XP delta is 9999 rather than the expected cap of 50.

Expected Behaviour

xpDelta should be clamped to the tier ceiling before being persisted:

const tierCap = XP_REWARDS.RECOMMENDED_MERGE[difficulty as keyof typeof XP_REWARDS.RECOMMENDED_MERGE]
  ?? xpForMerge(difficulty);
const xpDelta = Math.min(rec.xp_reward ?? tierCap, tierCap);

Severity

High - This is a data-integrity issue in the reward pipeline. An uncapped write can corrupt leaderboard state and cannot be cleanly reversed once insertXpEvent succeeds (the idempotency key blocks a corrective re-award at the same refId).

[anshul23102]

@Sujini-kudupudi I would like to work on this issue as part of NSoC 2026. The fix is scoped to capping xpDelta against XP_REWARDS.RECOMMENDED_MERGE[difficulty] before the insertXpEvent call, with a test covering the inflated-reward scenario. Could you please assign this to me?

/assign

[github-actions]

Hey @anshul23102

You currently have 3 open issues assigned to you. The limit is 3 at a time.

Please close or get your existing work merged before picking up a new issue:

• [Security] Webhook INSERT failure leaks raw Supabase error fields (code, details, hint) in the HTTP 500 response body #218 - [Security] Webhook INSERT failure leaks raw Supabase error fields (code, details, hint) in the HTTP 500 response body
• Bug: TOCTOU race condition in claimRecommendation allows bypassing the 3-active-claim limit #205 - Bug: TOCTOU race condition in claimRecommendation allows bypassing the 3-active-claim limit
• Security: GitHub OAuth access token transmitted to Inngest and persisted in third-party event storage #204 - Security: GitHub OAuth access token transmitted to Inngest and persisted in third-party event storage

Once those are resolved, feel free to re-assign yourself here. Questions? Drop them in GitHub Discussions.

[Sujini-kudupudi]

Hi @Soumya-codr I’ve reviewed this issue and understood the root cause related to uncapped xp_reward values bypassing the difficulty-tier limits.

I would like to work on fixing this by validating and capping xpDelta against XP_REWARDS.RECOMMENDED_MERGE[difficulty] before calling insertXpEvent, along with adding test coverage for inflated reward scenarios.

Could you please assign this issue to me under GSSoC/NSoC 2026?

[Soumya-codr]

@anshul23102 i have assigned u the Issue @Sujini-kudupudi u can go for PR , very sorry to @anshul23102

[Sujini-kudupudi]

@anshul23102 i have assigned u the Issue @Sujini-kudupudi u can go for PR , very sorry to @anshul23102

can you add labels mam it would help me

[Soumya-codr]

@anshul23102 i have assigned u the Issue @Sujini-kudupudi u can go for PR , very sorry to @anshul23102

can you add labels mam it would help me

I am A boy yaar 😂 lol mam 😭

[Sujini-kudupudi]

@anshul23102 i have assigned u the Issue @Sujini-kudupudi u can go for PR , very sorry to @anshul23102

can you add labels mam it would help me

I am A boy yaar 😂 lol mam 😭

i am sooo sorry 😅😭 sir

[Soumya-codr]

@anshul23102 i have assigned u the Issue @Sujini-kudupudi u can go for PR , very sorry to @anshul23102

can you add labels mam it would help me

I am A boy yaar 😂 lol mam 😭

i am sooo sorry 😅😭 sir

U can call me by name dont call me sir i am in first yr 😭

[Sujini-kudupudi]

@anshul23102 i have assigned u the Issue @Sujini-kudupudi u can go for PR , very sorry to @anshul23102

can you add labels mam it would help me

I am A boy yaar 😂 lol mam 😭

i am sooo sorry 😅😭 sir

U can call me by name dont call me sir i am in first yr 😭

😭 seriouslyy , thats cool, can you add labels please !

[Soumya-codr]

Done Please check ur PR and dont worry since we have exams going on within somedays ur all PRs will get merged till then u can Try to PR for another issue as well if u found.....

Thanks