
[Security] MCP-03: Floating-Point Precision Loss in HMAC Client Order Quantities #4

@mefai-dev


Severity: HIGH
Affected File(s): client.py:210-239, spot_client.py:129-161

Description

The HMAC futures client and spot client use Python float type for quantity and price parameters. IEEE 754 double-precision cannot exactly represent many decimal values. The V3 client (v3_client.py:274) correctly uses str(quantity), confirming the developers recognized this issue. PR #1 converts to str but then back to float() before passing to the HMAC client, so the fix is incomplete.

Vulnerable Code

```python
from typing import Optional

def create_order(self, symbol, side, order_type, quantity: float, price: Optional[float] = None):
    # quantity and price arrive as IEEE 754 doubles and are forwarded as-is
    params = {"quantity": quantity, ...}
```

Impact

Order rejections or unintended amounts for tokens with high precision requirements. Sub-satoshi amounts and certain decimal values cannot be exactly represented.

Proof of Concept

`quantity=0.001` as a float is stored as 0.0010000000000000000208 in memory. For high-precision tokens this can cause unexpected behavior.

Recommended Fix

Change quantity and price parameters to str type in client.py and spot_client.py, matching the V3 client pattern:
```python
from typing import Optional

def create_order(self, ..., quantity: str, price: Optional[str] = None):
    # caller supplies exact decimal strings; no float conversion on this path
    params = {"quantity": quantity, ...}
```
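As an added illustration (not code from the repository or from the issue author), here are the before and after parameter builders side by side, using `Decimal` to expose what the float literal `0.001` actually stores and to show why even `str(float)` is not enough for small quantities. The step size is a hypothetical value chosen for the demonstration.

```python
from decimal import Decimal, ROUND_DOWN
from typing import Optional, Union

# Hypothetical step size for the demonstration; real instruments publish their own.
DEFAULT_STEP = "0.00000001"

def exact_representation(value: float) -> str:
    """Decimal expansion of the double that a float literal actually stores."""
    return str(Decimal(value))

def vulnerable_params(quantity: float, price: Optional[float] = None) -> dict:
    """Before: floats are forwarded untouched, so str()/JSON encoding decides the wire form."""
    params = {"quantity": quantity}
    if price is not None:
        params["price"] = price
    return params

def hardened_params(quantity: Union[str, Decimal],
                    price: Optional[Union[str, Decimal]] = None,
                    step: str = DEFAULT_STEP) -> dict:
    """After: reject floats, truncate to the instrument step, emit fixed-point strings."""
    def normalize(name: str, value: Union[str, Decimal]) -> str:
        if isinstance(value, float):
            raise TypeError(f"{name} must be str or Decimal, not float")
        # ROUND_DOWN never rounds an order up past what the caller asked for
        quantized = Decimal(value).quantize(Decimal(step), rounding=ROUND_DOWN)
        if quantized <= 0:
            raise ValueError(f"{name}={value} is below the step size {step}")
        return format(quantized.normalize(), "f")  # "0.00001", never "1E-5"

    params = {"quantity": normalize("quantity", quantity)}
    if price is not None:
        params["price"] = normalize("price", price)
    return params

def total_filled(fills, exact: bool) -> str:
    """Sum partial fills both ways; only the Decimal path stays exact."""
    if exact:
        return format(sum(Decimal(f) for f in fills), "f")
    return str(sum(float(f) for f in fills))

if __name__ == "__main__":
    print(exact_representation(0.001))            # the stored value behind 0.001
    print(str(vulnerable_params(0.00001)["quantity"]))  # exponent form, not a plain decimal
    print(hardened_params("0.00001", price="100"))
    print(total_filled(["0.1"] * 10, exact=False), total_filled(["0.1"] * 10, exact=True))
```

Note that `str(0.00001)` yields `1e-05`, so converting a float to a string just before sending does not produce the positional decimal most order endpoints expect.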


Methodology: Triple-verification static analysis -- each finding verified across three independent code review passes.
