[200pts] Fix POST /transactions/withdraw DTO mismatch — frontend sends walletAddress but backend DTO likely expects destinationAddress

[portableDD]

Summary

The frontend client (lib/api/transactions.ts in the web repo) sends { currency, amount, walletAddress } when creating a withdrawal. Based on a cross-reference of the backend CreateWithdrawalDto and Stellar transaction patterns, the backend likely expects the destination field to be named destinationAddress. Because the endpoint returns 401 for unauthenticated probes, the exact mismatch could not be confirmed with a live 400 response — but the field name discrepancy is present in code. Every withdrawal submitted by an authenticated user is expected to fail with a 400.

Impact

• Withdrawal is a core financial feature — if the DTO is mismatched, no user can successfully withdraw funds from the platform.
• The failure manifests as a 400 after the user fills out the withdrawal form and submits — a silent or confusing failure from the user's perspective.

What Needs to Be Done

• Backend team: confirm and document the exact field names expected by CreateWithdrawalDto
• If the backend field is destinationAddress:
  • Update CreateWithdrawalDto with a clear JSDoc comment: // The recipient's Stellar public key or fiat destination
  • Ensure the DTO is exported and documented in the API spec / README so the frontend team can match it
• Add input validation to the DTO:

  export class CreateWithdrawalDto {
    @IsString()
    @IsNotEmpty()
    destinationAddress: string; // or walletAddress — confirm and standardise
  
    @IsNumber()
    @Min(0.01)
    amount: number;
  
    @IsString()
    @IsNotEmpty()
    currency: string;
  }

• Return a detailed 400 validation error when any required field is missing or invalid — not a generic message
• Add a unit test for the withdrawal service that asserts 400 with a clear error when destinationAddress is missing

Key Files

• src/transactions/dto/create-withdrawal.dto.ts
• src/transactions/transactions.controller.ts — createWithdrawal() method
• src/transactions/transactions.service.ts

Acceptance Criteria

• The exact field name expected by the backend (destinationAddress or walletAddress) is confirmed and documented in a JSDoc comment on the DTO
• POST /transactions/withdraw with a missing destination field returns 400 with a descriptive validation message (not a generic error)
• POST /transactions/withdraw with all correct fields and a valid auth token returns 201
• The DTO field name is communicated to the frontend team so lib/api/transactions.ts can be updated to match

Constraints

• The DTO field name must be agreed between backend and frontend before either side merges a fix — coordinate via this issue
• Do not accept both walletAddress AND destinationAddress — pick one canonical name and enforce it
• Complexity: High — 200 points

[Cjay-Cyber-2]

@Cjay-Cyber-2 has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

please give this to me 🙏

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Cjay-Cyber-2 to this issue.

[drips-wave]

Congratulations, @Cjay-Cyber-2! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 2, 2026.

🧑‍💻 @Cjay-Cyber-2: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊