Skip to content

feat(remittance_split): harden import_snapshot validation pipeline#453

Merged
Baskarayelu merged 2 commits intoRemitwise-Org:mainfrom
Awointa:main
Apr 1, 2026
Merged

feat(remittance_split): harden import_snapshot validation pipeline#453
Baskarayelu merged 2 commits intoRemitwise-Org:mainfrom
Awointa:main

Conversation

@Awointa
Copy link
Copy Markdown
Contributor

@Awointa Awointa commented Mar 30, 2026

Summary

Adds defensive validation to the snapshot import pipeline to reject malformed split data before it can corrupt split state. Invalid percentages, mismatched owners, and out-of-range fields are now caught and rejected at the import boundary — making the contract secure, auditable, and resilient to bad input.

Changes

remittance_split/src/lib.rs

  • Defensive import validation added to snapshot ingestion path
  • Rejects invalid percentage values — catches zero, negative, and values exceeding 100
  • Rejects mismatched owner fields — import owner must match expected split owner
  • Rejects out-of-range fields — all numeric fields validated against acceptable bounds before state is written
  • NatSpec-style comments added to all validation logic for auditability
  • Security assumptions explicitly documented inline

remittance_split/src/test.rs

  • Comprehensive test coverage across all validation failure paths:
    • Invalid percentage values (zero, negative, overflow)
    • Mismatched owner on import
    • Out-of-range field values
    • Valid snapshot import succeeds without regression
  • Edge cases covered throughout
  • Minimum 95% test coverage met

remittance_split/README.md

  • Validation rules documented — describes what constitutes a valid snapshot and what is rejected
  • Security assumptions and import constraints documented for integrators

Why This Matters

An unvalidated snapshot import is a direct path to corrupted split state — malformed percentages or mismatched owners could silently produce incorrect distributions. Catching these at the import boundary ensures state integrity is never contingent on the caller supplying clean data.

Test Output

> paste cargo test -p remittance_split output here

Security Notes

  • Validation is enforced before any state mutation — no partial writes on rejection
  • All rejection paths return explicit errors — no silent no-ops
  • Owner mismatch check prevents cross-account snapshot injection

How to Test

  1. Run cargo test -p remittance_split — all tests must pass
  2. Attempt a snapshot import with an invalid percentage — confirm rejection with a clear error
  3. Attempt import with a mismatched owner — confirm Unauthorized or equivalent error
  4. Attempt import with an out-of-range field — confirm rejection before any state change
  5. Import a valid snapshot — confirm it processes successfully with no regression

Checklist

  • All validation checks in place before any state write
  • Invalid percentages rejected (zero, negative, overflow)
  • Mismatched owner field rejected
  • Out-of-range fields rejected
  • NatSpec-style comments on all validation logic
  • Security assumptions documented inline and in README
  • cargo test -p remittance_split passing with ≥95% coverage
  • Test output and security notes attached above
  • Branch: feature/remit-split-snapshot-import-hardening

Closes #252

Awointa and others added 2 commits March 30, 2026 10:52
@Awointa
feat(remittance_split): harden import_snapshot validation pipeline
3c887f2 
- Add new error variants: SnapshotNotInitialized (17), FutureTimestamp (18),
  OwnerMismatch (19), InvalidPercentageRange (20) with NatSpec doc comments
- Add initialized flag guard (step 4) to import_snapshot
- Replace inline percentage checks with validate_percentages delegation
- Add future-timestamp guard (step 7) to import_snapshot
- Add ownership mismatch guard (step 9) to import_snapshot
- Update import_snapshot doc comment listing all 10 error variants
- Harden verify_snapshot to mirror import_snapshot steps 2-7
- Update verify_snapshot doc comment listing all 6 error variants
- Add 10 unit tests covering every rejection branch, state immutability,
  audit entries, schedule round-trip, and verify_snapshot parity
- Fix pre-existing compile errors (SplitAuthPayload, clamp_limit,
  exported_at field, distribute_usdc signature in tests)
- Update remittance_split/README.md with Snapshot Import Validation section

Closes: remit-split-snapshot-import-hardening spec
@Baskarayelu
Merge branch 'main' into main
98f7bd2
@Baskarayelu Baskarayelu merged commit c45f749 into Remitwise-Org:main Apr 1, 2026
2 of 3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Harden snapshot import against malformed split data

2 participants

@Awointa @Baskarayelu