AntFleet

Disagreement · d121d4bf-anthropic-0

to_smallest_units mishandles empty integer part and signs, producing wrong on-chain amounts

mismatch
repo a16d2030·PR #4·reviewed 1 week ago

Primary finding

to_smallest_units mishandles empty integer part and signs, producing wrong on-chain amounts

high · bug · high
  • symbiosis/scripts/symbiosis-quote.py:18-23
  • symbiosis/scripts/symbiosis-swap.py:22-27
If a user passes `.1` (no leading 0), the integer part is the empty string; then `int(integer + frac)` becomes `int("100000000000000000")`, which works, but if integer is empty and frac is also empty (e.g. amount=".") this raises ValueError with a non-user-friendly traceback. More importantly, the function silently truncates the fractional component past `decimals` digits without any warning (e.g., 0.1234567 USDC with 6 decimals becomes 0.123456, dropping value), and it silently accepts arbitrary garbage like '1e3', '1,5', '-1', etc. A negative amount '-1' would be coerced to int('-1...') and sent to the API as a negative smallest-units string, which is then signed by the user; while the API will likely reject it, there is no input validation in the script. Combined with no docs warning, this is a real correctness/data-loss risk because the swap amount the user typed is not what gets sent.

Recommendation

Validate `amount` matches a positive decimal regex; reject negatives and non-numeric values; raise a clear error if the user provides more fractional digits than `decimals` (or at least warn). Also handle the empty-integer case explicitly.
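The following is an added example, not code from the PR or the Symbiosis scripts. The first function is a minimal conversion reconstructed from the finding's description, kept only so the two weaknesses it names (silent truncation past `decimals`, sign passthrough) are visible; the second is the validating conversion the recommendation asks for: a positive decimal regex, an explicit empty-integer case, and an error instead of truncation when the user supplies more fractional digits than the token has. The function names and the helper `rejects` are this example's own.

```python
import re

# Reconstructed for contrast from the finding's description; NOT the project's code.
# Pads/truncates the fraction to `decimals` digits and hands the joined string to int(),
# so extra digits are dropped silently and a leading '-' survives into the result.
def naive_to_smallest_units(amount: str, decimals: int) -> int:
    integer, _, frac = amount.partition(".")
    frac = (frac + "0" * decimals)[:decimals]   # 0.1234567 @ 6 -> "123456" (value lost)
    return int(integer + frac)                  # "-1" @ 6 -> -1000000 (sign accepted)


# Strict shape: optional integer digits, optional '.' plus optional fraction digits.
# No sign, no exponent, no separators, no whitespace. Bare "." matches the regex
# but is rejected below because it carries no digits at all.
_AMOUNT_RE = re.compile(r"(?P<int>\d*)(?:\.(?P<frac>\d*))?")


def to_smallest_units(amount: str, decimals: int) -> int:
    """Convert a user-typed decimal string into integer smallest units.

    Raises ValueError for anything that is not a positive plain decimal, and
    refuses (rather than truncates) fractional digits beyond `decimals`.
    """
    if not isinstance(amount, str):
        raise ValueError("amount must be a string")
    if not isinstance(decimals, int) or decimals < 0:
        raise ValueError("decimals must be a non-negative int")

    m = _AMOUNT_RE.fullmatch(amount)
    if m is None:
        raise ValueError(
            f"invalid amount {amount!r}: expected digits with an optional '.' fraction "
            "(no sign, exponent, comma or whitespace)"
        )
    integer = m.group("int")          # may be "" for inputs like ".1"
    frac = m.group("frac") or ""      # may be "" for inputs like "1" or "1."

    if integer == "" and frac == "":  # the "." case from the finding
        raise ValueError(f"invalid amount {amount!r}: no digits")
    if len(frac) > decimals:
        raise ValueError(
            f"amount {amount!r} has {len(frac)} fractional digits but the token has "
            f"{decimals} decimals; refusing to truncate"
        )

    # Empty integer part means 0 whole units; right-pad the fraction to `decimals`.
    units = int(integer or "0") * 10 ** decimals + int(frac.ljust(decimals, "0") or "0")
    if units == 0:
        raise ValueError(f"amount {amount!r} must be greater than zero")
    return units


def rejects(amount, decimals: int) -> bool:
    """True if to_smallest_units refuses the input with ValueError."""
    try:
        to_smallest_units(amount, decimals)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for raw, dec in [("1.5", 6), (".1", 18), ("0.1234567", 6), ("-1", 6), ("1e3", 6), ("1,5", 6), (".", 6)]:
        try:
            print(f"{raw!r:>12} @ {dec:>2} -> {to_smallest_units(raw, dec)}")
        except ValueError as exc:
            print(f"{raw!r:>12} @ {dec:>2} -> rejected: {exc}")
```

The regex-and-integer approach avoids floating point entirely; the only arithmetic is on exact integers, so a value the user typed either converts exactly or is refused with a message that names the problem.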

Counterpart finding

Unlimited token allowance (MAX_UINT256) to third-party router is a security risk

medium · security · high
  • symbiosis/scripts/symbiosis-swap.py:18-19
  • symbiosis/scripts/symbiosis-swap.py:147-149
Granting unlimited allowance to a router/contract exposes the user to potential loss if that contract is compromised or its permissions change. Best practice is to approve only the exact needed amount and re-approve when necessary.

Recommendation

Approve only the exact amount required for the swap (amount_wei). Optionally revoke or reset the allowance to 0 after swap completion. Consider warning the user before granting unlimited approvals.
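An added example, not code from the PR or the Symbiosis scripts, showing what the recommendation looks like at the calldata level: an ERC-20 `approve(spender, amount)` call is the same 68 bytes whether the amount is `MAX_UINT256` or the exact `amount_wei`, so approving exactly what the swap needs and resetting to 0 afterwards costs nothing in complexity. The spender address and allowance values are constructed test data; the function selector is the standard ERC-20 `approve(address,uint256)` selector hard-coded here to avoid a keccak dependency.

```python
MAX_UINT256 = 2**256 - 1

# First 4 bytes of keccak256("approve(address,uint256)"): the standard ERC-20 selector.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")


def encode_approve(spender: str, amount: int) -> str:
    """ABI-encode approve(spender, amount) as 0x-prefixed hex calldata."""
    if not isinstance(amount, int) or not (0 <= amount <= MAX_UINT256):
        raise ValueError("amount must be an int in [0, 2**256 - 1]")
    addr = spender.lower()
    addr = addr[2:] if addr.startswith("0x") else addr
    if len(addr) != 40 or any(c not in "0123456789abcdef" for c in addr):
        raise ValueError(f"invalid address {spender!r}")
    # address is left-padded to 32 bytes, uint256 is big-endian 32 bytes
    data = APPROVE_SELECTOR + bytes(12) + bytes.fromhex(addr) + amount.to_bytes(32, "big")
    return "0x" + data.hex()


def is_unlimited(allowance: int) -> bool:
    return allowance == MAX_UINT256


def plan_allowance(spender: str, current_allowance: int, amount_wei: int) -> dict:
    """Approve() calls to send around a swap that will pull amount_wei from the user.

    before: only if the current allowance is insufficient; approve exactly amount_wei.
            Some tokens (USDT is the well-known case) revert on a non-zero -> non-zero
            change, so a stale non-zero allowance is reset to 0 first.
    after:  reset the allowance to 0 so nothing standing is left with the router.
    """
    if amount_wei <= 0:
        raise ValueError("amount_wei must be positive")
    before = []
    if current_allowance < amount_wei:
        if current_allowance != 0:
            before.append(encode_approve(spender, 0))
        before.append(encode_approve(spender, amount_wei))
    return {"before": before, "after": [encode_approve(spender, 0)]}


if __name__ == "__main__":
    router = "0x" + "11" * 20  # constructed placeholder, not a real router address
    print("unlimited:", encode_approve(router, MAX_UINT256))
    print("exact    :", encode_approve(router, 1_500_000))
    print(plan_allowance(router, current_allowance=0, amount_wei=1_500_000))
```

Whether the "after" reset is worth a transaction depends on the token and chain fees; what the planner guarantees is that the user never signs a `MAX_UINT256` approval in the first place.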

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.


From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.