Stay Safe With Smart Contracts and Javascript Number (floating points generally)

Yes. um… so if anyone is making contracts using javascript, you really absolutely must be aware that values over 2^53 are not safe for integer calculations using the standard javascript Number primitive. The number is directly accessible through Number.MAX_SAFE_INTEGER.

Cashscript forces bigints in appropriate places now I believe, at least on the cashtokens upgrade version. But generally speaking you will have to take care of those safety boundaries yourself. The risk is that your app or library makes temporarily unredeemable (e.g. until app/library upgrade) or permanently unredeemable (e.g. putting money in a contract that will end up calculating negative outputs or less than dust outputs etc) contracts.

Smart contracts doing any BCH-value calculations can run into this, and especially now with cashtokens, it will be easy to do bad calculations on fungible tokens that use values larger than the javascript safe 53-bit range.

It has been less of an issue until now because all the satoshis in the chain fit in 51 bits. But start to do multiplication, division, etc. or work with large cashtoken amounts and you can easily break it.

Stay safe.

5 Likes

Yeah, with the Cashscript v0.8.0 release, BigInt is now used everywhere (for satoshi, token amounts and contract integer arguments) so this is no longer a problem for smart contracts made with the latest version of the CashScript JS SDK.

1 Like