[bug] rewards-distributor: vesting_duration computed as u32 * 5 risks overflow before assignment to u64 field

[gboigwe]

Summary

distribute_rewards computes the vesting duration as:

let ledger_duration = program.end_ledger - program.start_ledger; // u32
let vesting_duration = ledger_duration * 5; // u32 * u32 = u32, can overflow!

ledger_duration is a u32. Multiplying by 5 as a u32 operation can overflow when ledger_duration > 858,993,459 (~13 years at 5 s/ledger). The result wraps silently to a small value, making the vesting period appear much shorter than intended. The UserRewards.vesting_duration field is u64, so the fix is to cast before multiplying.

Location

contracts/rewards-distributor/src/lib.rs, distribute_rewards

let ledger_duration = program.end_ledger - program.start_ledger;
let vesting_duration = ledger_duration * 5; // ❌ u32 overflow if duration is large

Fix

let vesting_duration: u64 = (ledger_duration as u64)
    .checked_mul(5)
    .expect("vesting_duration overflow");

[Oluwasuyi-Timilehin]

@Oluwasuyi-Timilehin has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Hello maintainers I'm a full stack developer experience in building scalable systems I can handle this perfectly if assigned

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Oluwasuyi-Timilehin to this issue.

[Glittersup]

@Glittersup has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

I’m interested in handling this issue. I’ve built and tested web3 applications across contracts, backend services, and frontend flows.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Glittersup to this issue.

[wheval]

@wheval has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Hello i would love to work on this.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @wheval to this issue.

[AlonsoFi]

@AlonsoFi has applied to work on this issue as part of the Stellar Wave Program's 5th wave.

Hey! I'd like to take on this issue. Plan:

• Cast ledger_duration to u64 before multiplying and use checked_mul(5) in distribute_rewards
• Add a test for large duration values that would previously overflow

Can I get this assigned?

ℹ️ Repo Maintainers: To accept this application, review their application or assign @AlonsoFi to this issue.

[drips-wave]

Congratulations, @wheval! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 2, 2026.

🧑‍💻 @wheval: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊