Fix/fee distribution rounding error

[caxtonacollins]

Pull Request | Trustless Work

1. Issue Link

• Closes Security Issue: Integer Division Rounding Error in Fee Distribution #79

---

2. Brief Description of the Issue

A critical accounting vulnerability was identified in the withdraw_remaining_funds and resolve_dispute functions. The contract transferred total fees upfront and then calculated each recipient's share using floor division. Due to rounding, the sum of individual fee shares was often less than the total fees transferred, leading to the contract attempting to distribute more funds than were actually available in its balance. This caused transaction reverts and potentially locked funds.

Solution

Implemented Strategy 1: Deduct Individual Fees First.
Instead of transferring the total estimated fees upfront, the contract now:

1. Calculates the individual fee shares (trustless work and platform) for each recipient.
2. Accumulates these floor-rounded individual shares into actual_trustless_fees and actual_platform_fees.
3. Calculates the net_amount for each recipient by subtracting their individual fee shares.
4. Transfers the actually accumulated fees and then the net amounts to recipients.

This ensures that actual_fees + sum(net_amounts) exactly equals the total amount being distributed, maintaining perfect accounting balance.

Changes

• [MODIFY] contracts/escrow/src/core/dispute.rs: Refactored withdraw_remaining_funds and resolve_dispute to use the new fee accumulation logic.
• [NEW] contracts/escrow/src/tests/dispute_tests.rs: Added test_dispute_resolution_rounding_edge_case to verify the fix with small amounts (2i128) that previously triggered reverts.

Verification

• Ran all existing tests (cargo test): Passed (19 tests).
• Ran new edge case test: Passed.
• Total tests passed: 20.

Branch

fix/fee-distribution-rounding-error

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Tip

Issue Planner is now in beta. Read the docs and try it out! Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[caxtonacollins]

@armandocodecr please review

[caxtonacollins]

@techrebelgit please review

[caxtonacollins]

@techrebelgit hellooo