sdk(batchDistribution): `createBatches` infinite-loops on `batchSize <= 0`; `maxRecipientsPerBatch` is never validated

[pragmaticAweds]

Summary

createBatches(array, batchSize) increments the loop counter by batchSize. If a caller (directly or via BatchDistributionConfig.maxRecipientsPerBatch) passes 0, the loop is infinite (i += 0 never advances) and the process hangs. If they pass a negative number, the loop body never executes and the function silently returns [] — i.e. zero transactions, no error — even though the caller asked for a real distribution.

prepareBatchEqualDistribution and prepareBatchWeightedDistribution accept maxRecipientsPerBatch straight from user-supplied config with ?? 100 and pass it through without any sanity check.

Where

packages/sdk/src/utils/batchDistribution.ts:343-351

export function createBatches<T>(array: T[], batchSize: number): T[][] {
  const batches: T[][] = [];
  for (let i = 0; i < array.length; i += batchSize) {  // batchSize=0 → infinite loop
    batches.push(array.slice(i, i + batchSize));
  }
  return batches;
}

packages/sdk/src/utils/batchDistribution.ts:199, 282

const maxRecipientsPerBatch = config.maxRecipientsPerBatch ?? 100;
// ... no validation that maxRecipientsPerBatch > 0 ...
const recipientBatches = createBatches(recipients, maxRecipientsPerBatch);

Impact

• Infinite loop on 0: the entire process (Node script, browser tab) hangs. No way to recover without a kill. Easy to hit by accident with Number(formInput) where the form was empty.
• Silent no-op on negative: prepareBatch* returns { transactions: [], batchCount: 0 }. Callers who don't check batchCount will believe the distribution succeeded with no on-chain effect.
• Non-integer values (e.g. 100.5) produce overlapping/short slices and double-charge recipients in adjacent batches.

Fix

Validate at the public entry points and in createBatches:

function assertPositiveInt(n: number, name: string): void {
  if (!Number.isInteger(n) || n <= 0) {
    throw new Error(\`\${name} must be a positive integer (got \${n})\`);
  }
}

• Call assertPositiveInt(maxRecipientsPerBatch, 'config.maxRecipientsPerBatch') at the top of prepareBatchEqualDistribution and prepareBatchWeightedDistribution.
• Add the same check in createBatches for defense-in-depth (since it's exported).

Acceptance criteria

• createBatches([1,2,3], 0) throws synchronously with a clear message.
• createBatches([1,2,3], -1) throws.
• createBatches([1,2,3], 1.5) throws.
• prepareBatchEqualDistribution/prepareBatchWeightedDistribution reject invalid maxRecipientsPerBatch before any RPC calls.
• Tests cover each rejection case.

[solomonokeke012-bot]

@solomonokeke012-bot has applied to work on this issue as part of the Stellar Wave Program's 4th wave.

Hello Maintainer, I'm interested in tackling this issue. I'll make

ℹ️ Repo Maintainers: To accept this application, review their application or assign @solomonokeke012-bot to this issue.

[khanavi272-spec]

@khanavi272-spec has applied to work on this issue as part of the Stellar Wave Program's 4th wave.

I would like to work on this issue

ℹ️ Repo Maintainers: To accept this application, review their application or assign @khanavi272-spec to this issue.

[Jumongweb]

@Jumongweb has applied to work on this issue as part of the Stellar Wave Program's 4th wave.

Hi maintainer, i will like to solve this issue

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Jumongweb to this issue.

[chigozirim007]

@chigozirim007 has applied to work on this issue as part of the Stellar Wave Program's 4th wave.

can i work on this?

ℹ️ Repo Maintainers: To accept this application, review their application or assign @chigozirim007 to this issue.

[answndud]

I would like to work on this issue as part of the Stellar Wave Program.

I verified the bug on the current main branch in packages/sdk/src/utils/batchDistribution.ts:

• createBatches<T>(array, batchSize) increments the loop with i += batchSize, so batchSize <= 0 can hang indefinitely.
• prepareBatchEqualDistribution and prepareBatchWeightedDistribution pass config.maxRecipientsPerBatch directly into createBatches, so invalid public config values are not rejected before transaction assembly.

My intended fix is small and scoped: validate that both batchSize and maxRecipientsPerBatch are positive integers, then add regression tests covering zero, negative, fractional, and valid batch sizes.

Please assign me if this is still available, and I will submit the PR against this issue.

[AbuTuraab]

@AbuTuraab has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Hi,

I’d like to request assignment to this issue.

As a full-stack developer working actively in the Stellar ecosystem, I understand how important robust automation is for projects that combine Soroban smart contracts, backend services, and frontend applications. A reliable CI/CD pipeline is the backbone of safe contract development, deterministic builds, and predictable testnet releases.

During the previous waves of contributions, I worked on several Stellar-related repos where I resolved issues such as:
Frontend implementations.
Misconfigured GitHub Actions leading to failing builds
Missing or incomplete Soroban contract test pipelines
Frontend pipelines that didn’t catch build/lint errors
Inefficient caching (Rust, pnpm) that slowed down CI
Incorrect workflow permissions affecting deployment and artifact uploads
These issues helped me develop a strong sense of what healthy CI/CD should look like for blockchain projects.

Relevant Skills
Full-stack expertise with Soroban, Rust, TypeScript, and modern frontend tooling
Strong experience designing and maintaining GitHub Actions workflows
Familiar with contract testing, reproducible builds, and blockchain dev best practices
Experience with pnpm-based frontend CI pipelines (install, lint, type-check, build)
Comfortable implementing secure deployment flows, secret management, and workflow permission hardening
Confident in making pipelines faster and more reliable using smart caching strategies

ℹ️ Repo Maintainers: To accept this application, review their application or assign @AbuTuraab to this issue.