From ac1a4fd19c62d50896d2c1ea22e967357a4f1a76 Mon Sep 17 00:00:00 2001
From: AMATH <116212274+amathxbt@users.noreply.github.com>
Date: Sun, 3 May 2026 02:37:47 -0700
Subject: [PATCH] fix: use checked_add for total_fee_requested in
 process_delegation_cleanup

In process_delegation_cleanup the per-commit fee (already protected by
checked_mul) was added to SESSION_FEE_LAMPORTS with a plain + operator:

    let total_fee_requested = commit_fee + SESSION_FEE_LAMPORTS;

For a long-lived delegation with a very large commit_count the result of
COMMIT_FEE_LAMPORTS * commit_count can approach u64::MAX. Adding the
constant SESSION_FEE_LAMPORTS on top of such a value overflows, wrapping
around to a small number and causing the protocol to charge far less than
it should, letting the validator escape paying the session fee.

Fix: use checked_add(...).ok_or(DlpError::Overflow) consistent with every
other arithmetic operation in this file.
---
 src/processor/fast/undelegate.rs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/processor/fast/undelegate.rs b/src/processor/fast/undelegate.rs
index a1fa4b1c..d963a106 100644
--- a/src/processor/fast/undelegate.rs
+++ b/src/processor/fast/undelegate.rs
@@ -377,7 +377,11 @@ fn process_delegation_cleanup(
     let commit_fee = COMMIT_FEE_LAMPORTS
         .checked_mul(commit_count)
         .ok_or(DlpError::Overflow)?;
-    let total_fee_requested = commit_fee + SESSION_FEE_LAMPORTS;
+    // Guard against overflow when adding the fixed session fee on top of the
+    // per-commit fee, which can be large for long-lived delegations.
+    let total_fee_requested = commit_fee
+        .checked_add(SESSION_FEE_LAMPORTS)
+        .ok_or(DlpError::Overflow)?;
     let total_lamports = delegation_record_account.lamports()
         + delegation_metadata_account.lamports();
     let mut fee_remaining = total_fee_requested.min(total_lamports);