Enforce a global cumulative-fee cap so a single route cannot exceed a protocol-wide maximum charge #41

@1nonlypiece

Harden fee accrual with an absolute per-route fee ceiling

Description

Fees in src/lib.rs are purely proportional: amount * fee_bps / 10_000, capped only relatively by MAX_FEE_BPS (10%). There is no absolute ceiling on what a single route can be charged, so a large-amount route at the maximum bps yields an unbounded fee — and a misconfigured or compromised admin setting a high bps directly translates to extraction proportional to amount with no safety stop. This issue adds an optional absolute per-route fee cap that bounds the worst case independent of fee_bps.

Requirements and context

  • Repository scope: StableRoute-Org/Stableroute-contracts only.
  • Add DataKey::MaxFeeAbsolute (i128) plus admin-gated set_max_fee_absolute / get_max_fee_absolute; default = unset = no absolute cap (backward compatible).
  • In compute_route_fee and quote_route, after computing the proportional fee, clamp it to min(fee, max_fee_absolute) when the cap is set.
  • Emit a maxfee configuration event; keep RouterError append-only (a setter reusing existing sign validation is sufficient — reject negative caps).
  • Document the interaction with MAX_FEE_BPS (both bounds apply; the tighter wins).
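The dual-bound fee computation these requirements describe, as an added stand-alone illustration (not code from StableRoute-contracts; the function names, the `Option<i128>` representation of an unset cap, and the `MAX_FEE_BPS` value of 1_000 are assumptions made for this example):

```rust
// Added example modelling the fee logic in this issue; not the project's code.
// Assumptions: MAX_FEE_BPS = 1_000 (10%), unset cap is represented as None.

const MAX_FEE_BPS: i128 = 1_000; // relative bound, in basis points
const BPS_DENOMINATOR: i128 = 10_000;

#[derive(Debug, PartialEq)]
pub enum FeeError {
    InvalidFeeBps,
    NegativeCap,
    NegativeAmount,
    Overflow,
}

/// What an admin-gated set_max_fee_absolute would enforce: reject negative caps.
pub fn validate_max_fee_absolute(cap: i128) -> Result<i128, FeeError> {
    if cap < 0 {
        return Err(FeeError::NegativeCap);
    }
    Ok(cap)
}

/// Proportional fee, then clamped to the absolute cap when one is set.
/// Both bounds apply and the tighter wins; checked_mul keeps a large
/// amount at high bps from overflowing i128.
pub fn compute_route_fee(amount: i128, fee_bps: i128, max_fee_absolute: Option<i128>) -> Result<i128, FeeError> {
    if amount < 0 {
        return Err(FeeError::NegativeAmount);
    }
    if fee_bps < 0 || fee_bps > MAX_FEE_BPS {
        return Err(FeeError::InvalidFeeBps);
    }
    let proportional = amount.checked_mul(fee_bps).ok_or(FeeError::Overflow)? / BPS_DENOMINATOR;
    Ok(match max_fee_absolute {
        Some(cap) => proportional.min(cap),
        None => proportional,
    })
}

/// Quote path reuses the same clamp so quote and compute stay in parity.
/// Returns (amount_out, fee).
pub fn quote_route(amount: i128, fee_bps: i128, max_fee_absolute: Option<i128>) -> Result<(i128, i128), FeeError> {
    let fee = compute_route_fee(amount, fee_bps, max_fee_absolute)?;
    Ok((amount - fee, fee))
}

fn main() {
    // Constructed sample: 1_000_000 units at the maximum 10% with a 50_000 cap.
    let fee = compute_route_fee(1_000_000, MAX_FEE_BPS, Some(50_000)).unwrap();
    println!("clamped fee = {fee}"); // 50_000 rather than the proportional 100_000
}
```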

Suggested execution

  • Fork the repo and create a branch
  • git checkout -b security/contracts-43-absolute-fee-cap
  • Implement changes
    • Write code in: src/lib.rs: DataKey::MaxFeeAbsolute, setter/getter, and the clamp in the fee computation.
    • Write comprehensive tests in: src/lib.rs #[cfg(test)] mod test — assert fee is clamped when proportional fee exceeds the cap, unaffected below the cap, and unbounded when the cap is unset.
    • Add documentation: document the dual fee-bound model in README.md.
    • Include NatSpec-style doc comments (///) on the new entrypoints.
    • Validate security assumptions: cap cannot be negative; clamp applies identically in quote and compute; no overflow.
  • Test and commit

Test and commit

  • Run cargo fmt --all -- --check, cargo build, and cargo test.
  • Cover edge cases and failure paths: cap unset, fee below cap, fee above cap, cap at zero, quote-vs-compute parity under the cap.
  • Include the full cargo test output and a short security notes section in the PR description (threat model + mitigations).

Example commit message

feat: enforce absolute per-route fee ceiling with tests and docs

Guidelines

  • Minimum 95 percent test coverage for impacted modules.
  • Clear, reviewer-focused documentation.
  • Timeframe: 96 hours.

Community & contribution rewards

  • 💬 Join the StableRoute community on Discord for questions, reviews, and faster merges: https://discord.gg/37aCpusvx
  • ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.
