Voltar para Documentação

Docs Técnicas

Accounting Safety

TREA accounting safety comes from explicit journal intent plus ledger validation.

O conteúdo abaixo vem das fontes técnicas do repositório e é prerenderizado no site para leitura direta por pessoas, crawlers e agentes.

TREA accounting safety comes from explicit journal intent plus ledger validation.

Do Not Fake Balances

Avoid this pattern:

python
self.borrower_balance = self.borrower_balance + amount

Use ledger effects for financial meaning.

Prefer Product Helpers

For loans:

python
post(loan.origination_lines(ctx.asset, self.lender, self.borrower, amount))

This keeps spendable capacity and obligation recognition together.

Preserve Correction Lineage

Use correction helpers with source transaction ids.

Remember Ledger Policy

post(...) must pass runtime shape checks and ledger AllowedEdge checks.

Security Analysis API

The compiler exposes a two-level security analysis.

rust
analyze_contract_security(source) -> Result<ContractSecurityProfile, TreaError>
security_profile_for_module(module) -> ContractSecurityProfile

analyze_contract_security parses, verifies, and then runs the security analysis. It returns Err if the contract fails verification or contains a fatal security error.

security_profile_for_module skips verification and is useful for tooling on partially valid modules.

Security Findings

| Code | Severity | Trigger | | --- | --- | --- | | SEC-E001 | Error (fatal) | @tx writes a privileged field (owner, admin, controller, operator, authority) with no require/assert guard | | SEC-W001 | Warning | @tx mutates storage with no guard at all | | SEC-W002 | Warning | @tx performs arithmetic on u8u64/i64 storage fields; silent overflow risk | | SEC-W003 | Warning | Storage field is never read or written; likely dead field |

Errors block artifact publication. Warnings are advisory and surface via analyze_contract_security.

ContractSecurityProfile

rust
findings: Vec<SecurityFinding>   // each has code, severity, target, message
warnings()                        // filter to warnings only
errors()                          // filter to errors only
verdict                           // Clean | Advisory | Blocked
reentrancy_safe                   // always true in TREA v2
no_cross_contract_calls           // always true in TREA v2
caller_guarded_functions          // @tx functions that reference ctx.caller