[Security] Float-to-String Conversion in Financial Parameters (No Decimal Support) #514

@mefai-dev

Description

Bug Name

Float-to-String Conversion in Financial Parameters (No Decimal Support)

Attack Scenario

Financial values are converted using Python's native float type and str(val) in the make_serializable function. Python float has IEEE 754 double-precision limitations: str(0.1 + 0.2) produces 0.30000000000000004.

Impact

Users who pass Python float values through the SDK may encounter precision issues causing order rejection or unintended quantities.

Components

File: common/src/binance_common/utils.py (lines 146-147, in make_serializable).

Reproduction

  1. Pass a float value like 0.1 + 0.2 as a price parameter.
  2. Observe the serialized value is 0.30000000000000004 instead of 0.3.

Fix

Document that users should pass financial values as strings. Consider adding optional Decimal support.

Details

Finding ID: SEC-07
Severity: Informational

Researcher: Independent Security Researcher -- Mefai Security Team
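The following is an added example, not code from the issue or from the SDK it reports against. It reproduces the conversion the issue describes (str() on a float) beside a hardened serializer of the kind the Fix section suggests: every accepted type is normalised through Decimal, snapped to the instrument's tick size, and rendered with fixed-point formatting. The function names, the tick sizes and the serialize_order_params helper with its field names are assumptions for illustration, not the SDK's API; the drift guard that rejects a float whose snapped value differs from the caller's number by more than rounding noise is likewise a design choice made here.

```python
from decimal import Decimal, InvalidOperation, ROUND_HALF_EVEN
from typing import Union

Number = Union[str, int, float, Decimal]


def serialize_naive(val: Number) -> str:
    """Conversion as the issue describes it: str() on whatever the caller
    passed, so a float carries its binary-rounding noise onto the wire."""
    return str(val)


def serialize_financial(val: Number, tick: str = "0.01") -> str:
    """Hardened variant (assumed design, not the SDK's own code).

    Accepts str, int, Decimal, or float; returns a fixed-point string
    aligned to `tick` (e.g. "0.01"), never scientific notation.
    """
    if isinstance(val, bool):
        raise TypeError("bool is not a financial value")
    if isinstance(val, float):
        # repr() yields the shortest digits that round-trip, which is the
        # number the caller most plausibly typed; quantize() below then
        # strips IEEE 754 noise such as the trailing ...00004.
        dec = Decimal(repr(val))
    elif isinstance(val, (int, Decimal)):
        dec = Decimal(val)
    elif isinstance(val, str):
        try:
            dec = Decimal(val)
        except InvalidOperation as exc:
            raise ValueError(f"not a decimal number: {val!r}") from exc
    else:
        raise TypeError(f"unsupported type {type(val).__name__}")

    if not dec.is_finite():
        raise ValueError("non-finite value")

    step = Decimal(tick)
    snapped = dec.quantize(step, rounding=ROUND_HALF_EVEN)

    # Drift guard (assumption): float noise is many orders of magnitude
    # below any tick, so a change larger than a tenth of a tick means the
    # caller's number really did not fit the grid (0.105 at tick 0.01).
    # Refuse rather than silently alter a price or quantity.
    if abs(snapped - dec) > step / 10:
        raise ValueError(f"{dec} is not a multiple of tick {tick}")
    if snapped.is_zero() and not dec.is_zero():
        raise ValueError(f"{dec} is below tick size {tick}")

    # format(..., "f") avoids str(Decimal("1E+2")) style exponents.
    return format(snapped, "f")


def serialize_order_params(params: dict, ticks: dict) -> dict:
    """Hypothetical parameter walker: apply serialize_financial to each
    field listed in `ticks` (field -> tick size) and pass the rest through."""
    out = dict(params)
    for field, tick in ticks.items():
        if field in out:
            out[field] = serialize_financial(out[field], tick)
    return out


if __name__ == "__main__":
    # Constructed sample order; symbol and field names are assumptions.
    order = {"symbol": "BTCUSDT", "price": 0.1 + 0.2, "quantity": "1.5"}
    print(serialize_naive(order["price"]))          # 0.30000000000000004
    print(serialize_order_params(order, {"price": "0.01", "quantity": "0.001"}))
```

Passing strings or Decimal remains the safest path, because the value then never existed as a binary float; the float branch only makes the SDK tolerant of callers who did not read that advice, and the guard turns a would-be order rejection (or a silently rounded quantity) into a local ValueError before anything is sent.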
