Fix native coin forward gas buffer (#3529)

* Fix native coin forward gas buffer to prevent stuck transactions

Increase gas fee buffer from 1.00001x to 2x when calculating the send
amount for native coin forwards. The previous 0.001% buffer was
insufficient to handle gas price fluctuations between the cached fee
estimation and actual send, causing value + gas to exceed the wallet
balance. This resulted in transactions being dropped from the mempool
and an infinite forward/timeout/reset loop.

* Use fresh gas cost for native coin forward amount calculation

Instead of relying on a cached fee estimate (30s TTL) to calculate
the send amount, fetch the current gas cost at dispatch time. This
eliminates the race condition where gas price changes between the
cached estimation and actual send, causing value + gas > balance
and the transaction to be dropped from the mempool.

* Reduce gas buffer from 1.5x to 1.05x

Fresh gas cost is fetched milliseconds before the actual send,
so only a minimal buffer is needed for potential block boundary
gas price changes (max 12.5% per block via EIP-1559).

* Apply fresh gas cost deduction to both forward and return paths

The return path for native coins had no gas deduction at all,
which would cause the same value + gas > balance issue when
chargebackAmount equals the full deposit amount.

* Update handlebars 4.7.8 → 4.7.9 to fix critical vulnerability

Resolves 8 security advisories including JS injection, prototype
pollution, and DoS via malformed decorator syntax.

Author: TaprootFreak

package-lock.json

@@ -98,7 +98,7 @@
     "geoip-lite2": "^2.2.7",
     "graphql": "^16.11.0",
     "graphql-request": "^6.1.0",
-    "handlebars": "^4.7.8",
+    "handlebars": "^4.7.9",
     "helmet": "^6.2.0",
     "ibantools": "^4.5.1",
     "jszip": "^3.10.1",

package.json

@@ -23,6 +23,10 @@ export abstract class PayInEvmService {
     return this.#client.sendTokenFromAccount(account, addressTo, tokenName, amount);
   }
 
+  async getGasCostForCoinTransaction(): Promise<number> {
+    return this.#client.getCurrentGasCostForCoinTransaction();
+  }
+
   async checkTransactionCompletion(txHash: string, minConfirmations: number): Promise<boolean> {
     return this.#client.isTxComplete(txHash, minConfirmations);
   }

src/subdomains/supporting/payin/services/base/payin-evm.service.ts

@@ -41,12 +41,14 @@ export abstract class EvmCoinStrategy extends EvmStrategy {
     payInGroup.status = PayInStatus.PREPARED;
   }
 
-  protected dispatchSend(payInGroup: SendGroup, type: SendType, estimatedNativeFee: number): Promise<string> {
+  protected async dispatchSend(payInGroup: SendGroup, type: SendType, estimatedNativeFee: number): Promise<string> {
     const { account, destinationAddress } = payInGroup;
 
     const groupAmount = this.getTotalGroupAmount(payInGroup, type);
-    // subtract fee for forwarding
-    const amount = type === SendType.FORWARD ? Util.round(groupAmount - estimatedNativeFee * 1.00001, 12) : groupAmount;
+    // use fresh gas cost (not cached estimate) to avoid value + gas > balance
+    const freshGasCost = await this.payInEvmService.getGasCostForCoinTransaction();
+    const gasCost = Math.max(freshGasCost, estimatedNativeFee);
+    const amount = Util.round(groupAmount - gasCost * 1.05, 12);
 
     return this.payInEvmService.sendNativeCoin(account, destinationAddress, amount);
   }