Unsafe amount Argument Type in sendTrx and sendTrc10 Methods #587

Open
mykhailohordin opened this issue Dec 23, 2024 · 4 comments

@mykhailohordin

tronweb version: 6.0.0

The sendTrx and sendTrc10 methods in TronWeb (with TS) accept the amount argument as a JavaScript number, which can be unsafe due to the limitations of JavaScript's Number type. The maximum safe integer in JavaScript (Number.MAX_SAFE_INTEGER) is 9,007,199,254,740,991.

Specific Concerns:
sendTrx Method:

The maximum value that can be safely passed to the amount parameter in sendTrx is 9,007,199,254.740992.

This value translates to nine billion seven million one hundred ninety-nine thousand two hundred fifty-four TRX and seven hundred forty thousand nine hundred ninety-two millionths.

However, the current TRX supply in MAINNET is 86,216,962,115 TRX, which translates to eighty-six billion two hundred sixteen million nine hundred sixty-two thousand one hundred fifteen TRX.

This is significantly higher than the maximum safe value for the sendTrx function, meaning transactions involving large amounts of TRX cannot be handled reliably.

FE:

Request:
tronWeb.transactionBuilder.sendTrx('address',  9007199254740991, 'address').then((tx) => {console.log(tx.raw_data.contract[0])});

Result:
{
  parameter: {
    value: {
      to_address: '---',
      owner_address: '---',
      amount: 9007199254740991
    },
    type_url: 'type.googleapis.com/protocol.TransferContract'
  },
  type: 'TransferContract'
}

Request:
tronWeb.transactionBuilder.sendTrx('address',  9007199254740992, 'address').then((tx) => {console.log(tx.raw_data.contract[0])});

Result:
{
  parameter: {
    value: {
      to_address: '---',
      owner_address: '---',
      amount: 9007199254740992
    },
    type_url: 'type.googleapis.com/protocol.TransferContract'
  },
  type: 'TransferContract'
}

Request:
tronWeb.transactionBuilder.sendTrx('address',  9007199254740993, 'address').then((tx) => {console.log(tx.raw_data.contract[0])});
Result:
{
  parameter: {
    value: {
      to_address: '---',
      owner_address: '---',
      amount: 9007199254740992
    },
    type_url: 'type.googleapis.com/protocol.TransferContract'
  },
  type: 'TransferContract'
}

sendTrc10:

TRC10 tokens can have a precision of up to 16 decimal places. When transferring large amounts of TRC10 tokens with high precision, the limitations of JavaScript's Number type can cause rounding errors or loss of accuracy.

Suggested Solution:
Change the amount argument type in sendTrx and sendTrc10 from number to string or BigInt to safely handle large and precise values.

Add validation and conversion mechanisms to ensure compatibility with the Tron blockchain's requirements for these amounts.

@Satan-web3
Contributor

The API doesn't support bigint or string now. We'll update if the API supports the feature in the future.

@Zsolt321

Zsolt321 commented Jan 4, 2025

TVr2J8THtqNbXWwJbZF8px5yKxJmJ5MiTP

@DmytroShalaiev

+1

@mykhailohordin
Author

Even though the API does not support strings and bigints, it can lead to problems:

  1. MAX_SAFE_INTEGER docs: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/MAX_SAFE_INTEGER
  2. Transfer Asset docs: https://developers.tron.network/reference/transferasset

MAX_SAFE_INTEGER has the value (2^53 – 1), while transferAsset's amount is an int64 value. It would still be unsafe to use amounts exceeding MAX_SAFE_INTEGER.
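
One way to do the validation and conversion suggested in the issue, and to catch the int64 versus MAX_SAFE_INTEGER gap noted in the last comment, while the API still takes a `number`. This is an added example, not TronWeb code: `trxToSun`, `toSafeNumberAmount` and `isExactAmount` are hypothetical helper names, and it assumes TRX has 6 decimal places (1 TRX = 1,000,000 SUN).

```javascript
// Added example, not part of TronWeb. All helper names are hypothetical.
const SUN_PER_TRX = 1000000n;                      // assumption: 1 TRX = 10^6 SUN
const INT64_MAX = (1n << 63n) - 1n;                // the protocol amount is an int64
const MAX_SAFE = BigInt(Number.MAX_SAFE_INTEGER);  // 2^53 - 1

// Parse a decimal TRX string such as "1234.5" into an exact BigInt count of SUN.
// Working on the string avoids ever holding the amount in a double.
function trxToSun(text) {
  const m = /^(\d+)(?:\.(\d{1,6}))?$/.exec(String(text).trim());
  if (!m) throw new TypeError(`not a TRX amount with at most 6 decimals: ${text}`);
  const sun = BigInt(m[1]) * SUN_PER_TRX + BigInt((m[2] || '').padEnd(6, '0'));
  if (sun <= 0n || sun > INT64_MAX) {
    throw new RangeError(`amount outside the positive int64 range: ${text}`);
  }
  return sun;
}

// Convert to the Number that an API typed as `number` expects, and refuse any
// value a double cannot represent exactly instead of letting it round silently.
function toSafeNumberAmount(sun) {
  if (typeof sun !== 'bigint') throw new TypeError('pass amounts as BigInt');
  if (sun > MAX_SAFE) {
    throw new RangeError(`${sun} SUN exceeds Number.MAX_SAFE_INTEGER`);
  }
  return Number(sun);
}

// Guard for code paths that already hold a Number. From 2^53 upward adjacent
// integers collapse (the literal 9007199254740993 is stored as ...992), so the
// value itself can no longer prove what the caller meant.
function isExactAmount(n) {
  return Number.isSafeInteger(n) && n > 0;
}

// Constructed sample inputs: the boundary values from the issue text.
for (const trx of ['9007199254.740991', '9007199254.740993', '86216962115']) {
  try {
    console.log(trx, 'TRX ->', toSafeNumberAmount(trxToSun(trx)), 'SUN');
  } catch (err) {
    console.log(trx, 'TRX rejected:', err.message);
  }
}
```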
