[UTXO-BUG] MED-3: Float precision loss in transfer endpoint — systematic rounding errors#2072

Open
ArokyaMatthew wants to merge 1 commit into Scottcjn:main from ArokyaMatthew:utxo-bug/med3-float-precision-loss

Conversation

@ArokyaMatthew (Contributor)

Vulnerability Class

Medium — Fee calculation exploit (50 RTC bounty)

The Bug

The transfer endpoint converts RTC amounts using float multiplication:

```python
amount_nrtc = int(amount_rtc * UNIT)  # float * int → float → int
```

Floating-point imprecision means:

```python
>>> int(0.1 * 100_000_000)
9999999  # WRONG — should be 10_000_000
```

int() truncates toward zero, so every transaction with a non-round RTC amount loses 1 nanoRTC. Over thousands of transactions, the cumulative error is non-trivial and is silently absorbed as miner fee.

Fix

Use Decimal for exact conversion:

```python
from decimal import Decimal
amount_nrtc = int(Decimal(str(amount_rtc)) * UNIT)
```

Test Added

test_transfer_float_precision — transfers 0.1 RTC and asserts recipient gets exactly 10,000,000 nanoRTC
All 16 endpoint tests pass.

Files Changed

node/utxo_endpoints.py — 2 lines changed + Decimal import
node/test_utxo_endpoints.py — 1 test added
Ref: Bounty #2819

MY WALLET IS aroky-x86-miner

…tic rounding errors

int(amount_rtc * UNIT) uses float multiplication which truncates:
  int(0.1 * 100_000_000) = 9_999_999 instead of 10_000_000
Over thousands of transactions, the lost nanoRTC accumulates as
implicit fee absorbed by miners.
Fix: use Decimal(str(amount_rtc)) * UNIT for exact conversion.
Test added:
- test_transfer_float_precision (transfers 0.1 RTC, verifies exact 10_000_000 nanoRTC)
All 16 endpoint tests pass.
Bounty: #2819 (Medium, 50 RTC)
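The conversion the PR describes, as an added example (not the PR's own code nor the node's): an exact RTC-to-nanoRTC converter that validates its input at the API boundary, beside the float path it replaces, plus a sweep that reports every amount on which the two paths disagree, which is a cheap way to measure how much a node has been silently losing to truncation. UNIT, the function names and the sample amounts are assumptions for this illustration.

```python
from decimal import Decimal, InvalidOperation

UNIT = 100_000_000  # nanoRTC per RTC (assumed to match the node's UNIT)


def to_nrtc_float(amount_rtc: float) -> int:
    """Pre-fix path: binary float multiply, then truncating int()."""
    return int(amount_rtc * UNIT)


def to_nrtc(amount) -> int:
    """Exact RTC -> nanoRTC conversion with boundary validation.

    Accepts str, int, Decimal or float. A float is routed through str()
    (the PR's approach) so 0.57 means the decimal 0.57, not its binary
    approximation. Sub-nanoRTC precision, non-finite and negative amounts
    are rejected instead of being silently truncated.
    """
    try:
        d = Decimal(str(amount)) if isinstance(amount, float) else Decimal(amount)
    except (InvalidOperation, TypeError) as exc:
        raise ValueError(f"not a numeric amount: {amount!r}") from exc
    if not d.is_finite():
        raise ValueError("amount must be finite")
    if d < 0:
        raise ValueError("amount must not be negative")
    scaled = d * UNIT
    if scaled != scaled.to_integral_value():
        raise ValueError(f"{amount!r} has sub-nanoRTC precision")
    return int(scaled)


def find_precision_loss(amounts):
    """Return (amount, float_result, exact_result) for each sample amount
    on which the float path and the exact path disagree."""
    mismatches = []
    for s in amounts:
        exact = to_nrtc(s)
        approx = to_nrtc_float(float(s))
        if approx != exact:
            mismatches.append((s, approx, exact))
    return mismatches


if __name__ == "__main__":
    # Constructed sample amounts, not data taken from the node.
    samples = ["0.57", "0.25", "1", "0.5"]
    for s, approx, exact in find_precision_loss(samples):
        print(f"{s} RTC: float path {approx}, exact {exact}, lost {exact - approx} nanoRTC")
```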

github-actions bot commented Apr 5, 2026

Welcome to RustChain! Thanks for your first pull request.

Before we review, please make sure:

  • Your PR has a BCOS-L1 or BCOS-L2 label
  • New code files include an SPDX license header
  • You've tested your changes against the live node

Bounty tiers: Micro (1-10 RTC) | Standard (20-50) | Major (75-100) | Critical (100-150)

A maintainer will review your PR soon. Thanks for contributing!

@github-actions github-actions bot added BCOS-L1 Beacon Certified Open Source tier BCOS-L1 (required for non-doc PRs) node Node server related size/S PR: 11-50 lines labels Apr 5, 2026
@zhuzhushiwojia

Important fix! Float precision issues can cause significant problems in financial systems.
