fix: Prevent arithmetic overflow in substractions

ovitrif · ovitrif · commit 8422ef92ee6d · 2025-11-28T04:10:56.000+01:00
diff --git a/app/src/main/java/to/bitkit/ext/Numbers.kt b/app/src/main/java/to/bitkit/ext/Numbers.kt
@@ -9,10 +9,3 @@ fun ULong.toActivityItemDate(): String {
 fun ULong.toActivityItemTime(): String {
     return Instant.ofEpochSecond(this.toLong()).formatted(DatePattern.ACTIVITY_TIME)
 }
-
-// TODO replace all usages of faulty `(ULong - ULong).coerceAtLeast(0u)`
-/**
- * Safely subtracts [other] from this ULong, returning 0 if the result would be negative,
- * to prevent ULong wraparound by checking before subtracting, same as `x.saturating_sub(y)` in Rust.
- */
-infix fun ULong.minusOrZero(other: ULong): ULong = if (this >= other) this - other else 0uL
diff --git a/app/src/main/java/to/bitkit/models/USat.kt b/app/src/main/java/to/bitkit/models/USat.kt
@@ -0,0 +1,16 @@
+package to.bitkit.models
+
+/**
+ * A wrapper for ULong that provides safe arithmetic operations.
+ * The minus operator returns 0 instead of overflowing when the result would be negative.
+ */
+@JvmInline
+value class USat(val value: ULong) {
+    /**
+     * Safely subtracts [other] from this ULong, returning 0 if the result would be negative,
+     * to prevent ULong wraparound by checking before subtracting, same as `x.saturating_sub(y)` in Rust.
+     */
+    operator fun minus(other: USat): USat = USat(value minusOrZero other.value)
+
+    private infix fun ULong.minusOrZero(other: ULong): ULong = if (this >= other) this - other else 0uL
+}
diff --git a/app/src/main/java/to/bitkit/usecases/DeriveBalanceStateUseCase.kt b/app/src/main/java/to/bitkit/usecases/DeriveBalanceStateUseCase.kt
@@ -5,9 +5,9 @@ import org.lightningdevkit.ldknode.BalanceDetails
 import org.lightningdevkit.ldknode.ChannelDetails
 import to.bitkit.data.SettingsStore
 import to.bitkit.data.entities.TransferEntity
+import to.bitkit.models.USat
 import to.bitkit.ext.amountSats
 import to.bitkit.ext.channelId
-import to.bitkit.ext.minusOrZero
 import to.bitkit.ext.totalNextOutboundHtlcLimitSats
 import to.bitkit.models.BalanceState
 import to.bitkit.repositories.LightningRepo
@@ -35,9 +35,8 @@ class DeriveBalanceStateUseCase @Inject constructor(
         val toSpendingAmount = paidOrdersSats + pendingChannelsSats
 
         val totalOnchainSats = balanceDetails.totalOnchainBalanceSats
-        val totalLightningSats = balanceDetails.totalLightningBalanceSats
-            .minusOrZero(pendingChannelsSats)
-            .minusOrZero(toSavingsAmount)
+        val totalLightningSats =
+            (USat(balanceDetails.totalLightningBalanceSats) - USat(pendingChannelsSats) - USat(toSavingsAmount)).value
 
         val balanceState = BalanceState(
             totalOnchainSats = totalOnchainSats,
@@ -113,7 +112,7 @@ class DeriveBalanceStateUseCase @Inject constructor(
             Logger.debug("Could not calculate max send amount, using fallback of: $fallback", context = TAG)
         }.getOrDefault(fallback)
 
-        return spendableOnchainSats.minusOrZero(fee)
+        return (USat(spendableOnchainSats) - USat(fee)).value
     }
 
     companion object {
diff --git a/app/src/main/java/to/bitkit/viewmodels/TransferViewModel.kt b/app/src/main/java/to/bitkit/viewmodels/TransferViewModel.kt
@@ -31,6 +31,7 @@ import to.bitkit.R
 import to.bitkit.data.CacheStore
 import to.bitkit.data.SettingsStore
 import to.bitkit.env.Env
+import to.bitkit.models.USat
 import to.bitkit.ext.amountOnClose
 import to.bitkit.models.EUR_CURRENCY
 import to.bitkit.models.Toast
@@ -380,11 +381,11 @@ class TransferViewModel @Inject constructor(
         val maxChannelSize1 = (maxChannelSizeSat.toDouble() * 0.98).roundToLong().toULong()
 
         // The maximum channel size the user can open including existing channels
-        val maxChannelSize2 = (maxChannelSize1 - channelsSize).coerceAtLeast(0u)
+        val maxChannelSize2 = (USat(maxChannelSize1) - USat(channelsSize)).value
         val maxChannelSizeAvailableToIncrease = min(maxChannelSize1, maxChannelSize2)
 
         val minLspBalance = getMinLspBalance(clientBalanceSat, minChannelSizeSat)
-        val maxLspBalance = (maxChannelSizeAvailableToIncrease - clientBalanceSat).coerceAtLeast(0u)
+        val maxLspBalance = (USat(maxChannelSizeAvailableToIncrease) - USat(clientBalanceSat)).value
         val defaultLspBalance = getDefaultLspBalance(clientBalanceSat, maxLspBalance)
         val maxClientBalance = getMaxClientBalance(maxChannelSizeAvailableToIncrease)
 
diff --git a/app/src/test/java/to/bitkit/models/USatTest.kt b/app/src/test/java/to/bitkit/models/USatTest.kt
@@ -0,0 +1,43 @@
+package to.bitkit.models
+
+import org.junit.Test
+import kotlin.test.assertEquals
+
+class USatTest {
+
+    @Test
+    fun `minus returns difference when a greater than b`() {
+        val result = USat(10uL) - USat(5uL)
+        assertEquals(5uL, result.value)
+    }
+
+    @Test
+    fun `minus returns zero when a equals b`() {
+        val result = USat(5uL) - USat(5uL)
+        assertEquals(0uL, result.value)
+    }
+
+    @Test
+    fun `minus returns zero when would overflow`() {
+        val result = USat(5uL) - USat(10uL)
+        assertEquals(0uL, result.value)
+    }
+
+    @Test
+    fun `minus handles max ULong values`() {
+        val result = USat(0uL) - USat(ULong.MAX_VALUE)
+        assertEquals(0uL, result.value)
+    }
+
+    @Test
+    fun `chained minus operations work correctly`() {
+        val result = USat(100uL) - USat(30uL) - USat(20uL)
+        assertEquals(50uL, result.value)
+    }
+
+    @Test
+    fun `chained minus returns zero when intermediate would overflow`() {
+        val result = USat(10uL) - USat(20uL) - USat(5uL)
+        assertEquals(0uL, result.value)
+    }
+}
