Family Wallet: i128 overflow safety audit for spending limits and precision tracker arithmetic

[Baskarayelu]

Description

FamilyWallet performs i128 arithmetic across check_spending_limit, validate_precision_spending, update_spending_limit, and the SPND_TRK tracker accumulation. Although the release profile sets overflow-checks = true, panics on overflow are a denial-of-service vector and silently saturating logic could mis-account spending. Every add/subtract on amounts and accumulated spend must use checked_* operations with explicit Error returns rather than relying on panic-abort.

Requirements and context

• Secure: Replace raw +/- on amounts with checked_add/checked_sub returning a defined Error variant.
• Tested: Tests pushing values near i128::MAX and asserting graceful error rather than panic.
• Documented: Add an overflow-safety note in docs/fw-overflow-safety.md.
• Reference SpendingTracker, PrecisionSpendingLimit, SPND_TRK, PREC_LIM, check_spending_limit, validate_precision_spending.

Suggested execution

Create branch feature/fw-overflow-safety.

• Modify arithmetic in family_wallet/src/lib.rs to use checked operations.
• Write tests in family_wallet/src/test.rs for near-max amounts.
• Add docs docs/fw-overflow-safety.md.
• Add /// comments on checked helpers.
• Validate no arithmetic panics on hostile inputs.

Test and commit

• Run cargo test -p family_wallet.
• Cover edge cases: amount overflow, accumulated-spend overflow, negative amount.
• Include test output and security notes.

Example commit message

feat: use checked i128 arithmetic across family wallet spending paths

Guidelines

• Minimum 95% test coverage
• Clear documentation
• Timeframe: 96 hours

[web3nova]

@web3nova has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Hello, a full stack developer with hands-on experience building with variety of tools including Nextjs, nodejs, nestjs, React, Typescript and more

I focus on writing clear, maintainable code and making sure features work as expected end to end, not just in isolation. I communicate progress regularly and keep things transparent as I work. I’m confident I can complete this task within an ETA of 4 HOURS

ℹ️ Repo Maintainers: To accept this application, review their application or assign @web3nova to this issue.

[drips-wave]

Congratulations, @web3nova! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 2, 2026.

🧑‍💻 @web3nova: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊