fix(audit/M03): revert with FixedDecimalOverflow on toFixedDecimalLossy uint256 overflow

[thedavidmeister]

Closes #192.

Summary

toFixedDecimalLossy used to scale up via checked-math unsignedCoefficient * scale, panicking with the bare 0x11 selector when either 10 ** finalExponent or coefficient * scale overflowed uint256.

Both complaints: the panic carries no structured info about which inputs caused it, and returning silent (0, false) would decapitate the high bits of a real value that callers may need to rescale.

Adds FixedDecimalOverflow(signedCoefficient, exponent, decimals) and two pre-checks in the positive-exponent branch:

1. finalExponent > 77 — 10 ** finalExponent would itself overflow uint256.
2. unsignedCoefficient > uint256.max / scale — the multiplication would overflow.

The now-safe multiplication is wrapped in unchecked since both overflow paths are guarded.

Regression tests

• testToFixedDecimalLossyPositiveExponentScaleOverflow — finalExponent = 78.
• testToFixedDecimalLossyPositiveExponentMulOverflow — int224.max coefficient at finalExponent = 50.

Each guard mutation-tested independently — removing one trips its corresponding test only.

Updates the existing testToFixedDecimalLossyScaleUpOverflow fuzz to expect FixedDecimalOverflow instead of stdError.arithmeticError.

Rust crate's DecimalFloatErrorSelector enum and FixedBytes<4> dispatch gain a FixedDecimalOverflow variant.

Deploy

Manual deploy workflow triggered on this branch; constants will be bumped once the run lands and testDeployAddress / testExpectedCodeHashDecimalFloat regenerate.

🤖 Generated with Claude Code

[coderabbitai]

Warning

Rate limit exceeded

@thedavidmeister has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 17 minutes and 6 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: c35c187f-71b7-4749-8c51-0f8792718ddf

📥 Commits

Reviewing files that changed from the base of the PR and between ba70a3d and dd70d08.

📒 Files selected for processing (7)

• crates/float/abi/DecimalFloat.json
• crates/float/src/error.rs
• src/error/ErrDecimalFloat.sol
• src/lib/LibDecimalFloat.sol
• src/lib/deploy/LibDecimalFloatDeploy.sol
• test/src/concrete/DecimalFloat.toFixedDecimalLossy.t.sol
• test/src/lib/LibDecimalFloat.decimal.t.sol

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 2026-05-10-192-tofixed-lossy

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

@coderabbitai assess this PR size classification for the totality of the PR with the following criterias and report it in your comment:

S/M/L PR Classification Guidelines:

This guide helps classify merged pull requests by effort and complexity rather than just line count. The goal is to assess the difficulty and scope of changes after they have been completed.

Small (S)

Characteristics:

• Simple bug fixes, typos, or minor refactoring
• Single-purpose changes affecting 1-2 files
• Documentation updates
• Configuration tweaks
• Changes that require minimal context to review

Review Effort: Would have taken 5-10 minutes

Examples:

• Fix typo in variable name
• Update README with new instructions
• Adjust configuration values
• Simple one-line bug fixes
• Import statement cleanup

Medium (M)

Characteristics:

• Feature additions or enhancements
• Refactoring that touches multiple files but maintains existing behavior
• Breaking changes with backward compatibility
• Changes requiring some domain knowledge to review

Review Effort: Would have taken 15-30 minutes

Examples:

• Add new feature or component
• Refactor common utility functions
• Update dependencies with minor breaking changes
• Add new component with tests
• Performance optimizations
• More complex bug fixes

Large (L)

Characteristics:

• Major feature implementations
• Breaking changes or API redesigns
• Complex refactoring across multiple modules
• New architectural patterns or significant design changes
• Changes requiring deep context and multiple review rounds

Review Effort: Would have taken 45+ minutes

Examples:

• Complete new feature with frontend/backend changes
• Protocol upgrades or breaking changes
• Major architectural refactoring
• Framework or technology upgrades

Additional Factors to Consider

When deciding between sizes, also consider:

• Test coverage impact: More comprehensive test changes lean toward larger classification
• Risk level: Changes to critical systems bump up a size category
• Team familiarity: Novel patterns or technologies increase complexity

Notes:

• the assessment must be for the totality of the PR, that means comparing the base branch to the last commit of the PR
• the assessment output must be exactly one of: S, M or L (single-line comment) in format of: SIZE={S/M/L}
• do not include any additional text, only the size classification
• your assessment comment must not include tips or additional sections
• do NOT tag me or anyone else on your comment