fix(tron): keep TRC-20 amounts as strings through dApp sign path

decodeTronTx was holding the decoded TRC-20 amount as BigInt, then
casting to Number before stashing it on DecodedTronTx.sunAmount and
passing it to signTronViaRest + the approval event. Any 18-decimal
token (most non-stablecoin TRC-20s) exceeds Number.MAX_SAFE_INTEGER
in base units, so the value silently rounds before the vault sees it
— firmware displays the wrong amount on-device and the signed tx
spends the wrong amount on-chain.

Changes:
- DecodedTronTx.sunAmount (number) → amountRaw (decimal string).
  Renamed to signal "this is base units not native sun".
- TransferContract decode emits String(v.amount); TRC-20 decode emits
  BigInt.toString(); contract-call emits String(callValue). All paths
  preserve precision.
- signTronViaRest signature widened to `string | number | bigint`.
  Internal stringification uses bigint.toString() when applicable so
  nothing re-enters the Number casting path.
- Approval event now carries amountRaw (not sun) so downstream UIs
  that display the raw-unit hint get the untruncated value.

Native TRX amounts never overflow Number (max 90B TRX in sun = 9e16,
fits in 2^53 comfortably), but the change makes that path uniform
and the code easier to audit.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>

Author: BitHighlander

chrome-extension/src/background/chains/tronHandler.ts

@@ -186,7 +186,11 @@ async function buildTronTransfer(from: string, to: string, sunAmount: number): P
  * The vault's handler emulates emuWrap for the device, so this call may block
  * until the user confirms on the KeepKey.
  */
-async function signTronViaRest(rawDataHex: string, toAddress: string, sunAmount: number): Promise<string> {
+async function signTronViaRest(
+  rawDataHex: string,
+  toAddress: string,
+  amountRaw: string | number | bigint,
+): Promise<string> {
   const apiKey = getApiKey();
   let resp: Response;
   try {
@@ -200,7 +204,10 @@ async function signTronViaRest(rawDataHex: string, toAddress: string, sunAmount:
         addressNList: TRON_ADDRESS_N,
         raw_tx: rawDataHex,
         to_address: toAddress,
-        amount: String(sunAmount),
+        // Stringify without going through Number — 18-decimal TRC-20
+        // amounts exceed Number.MAX_SAFE_INTEGER in base units and
+        // would silently round before hitting the vault.
+        amount: typeof amountRaw === 'bigint' ? amountRaw.toString() : String(amountRaw),
       }),
       signal: AbortSignal.timeout(60000),
     });
@@ -274,7 +281,11 @@ interface DecodedTronTx {
   kind: 'trx-transfer' | 'trc20-transfer' | 'contract-call';
   ownerAddress: string; // base58
   toAddress: string; // base58 — recipient for transfers, contract address for generic calls
-  sunAmount: number; // native TRX in sun, TRC20 in token base units, contract-call in call_value (TRX)
+  // Raw base-units as a DECIMAL STRING so 18-decimal TRC-20 amounts
+  // survive the trip to the vault. Going through Number would truncate
+  // at ~2^53 base units (9e15 — fine for 6-decimal TRX/USDT, broken
+  // for 18-decimal tokens).
+  amountRaw: string;
   displayAmount: string; // human-readable
   contractAddress?: string; // base58, non-native
   functionSelector?: string; // hex, contract-call only
@@ -312,7 +323,7 @@ async function decodeTronTx(tx: any): Promise<DecodedTronTx> {
       kind: 'trx-transfer',
       ownerAddress: await normalizeAddr(v.owner_address),
       toAddress: await normalizeAddr(v.to_address),
-      sunAmount: v.amount,
+      amountRaw: String(v.amount),
       displayAmount: String(v.amount / 1_000_000),
     };
   }
@@ -340,7 +351,7 @@ async function decodeTronTx(tx: any): Promise<DecodedTronTx> {
         kind: 'trc20-transfer',
         ownerAddress,
         toAddress: recipientBase58,
-        sunAmount: Number(amount),
+        amountRaw: amount.toString(),
         displayAmount: amount.toString(),
         contractAddress,
       };
@@ -349,14 +360,14 @@ async function decodeTronTx(tx: any): Promise<DecodedTronTx> {
     // Generic contract call (swaps, stake, approve, etc.). The firmware
     // parses the raw_data itself and signs based on what it finds; our
     // hints here are purely for the side-panel approval UI. Route
-    // `call_value` (TRX attached to the call) to sunAmount so swaps that
-    // spend native TRX display the right outgoing amount.
+    // `call_value` (TRX attached to the call) to amountRaw so swaps
+    // that spend native TRX display the right outgoing amount.
     const callValue = typeof v.call_value === 'number' ? v.call_value : 0;
     return {
       kind: 'contract-call',
       ownerAddress,
       toAddress: contractAddress,
-      sunAmount: callValue,
+      amountRaw: String(callValue),
       displayAmount: String(callValue / 1_000_000),
       contractAddress,
       functionSelector: selector,
@@ -455,7 +466,8 @@ export const handleTronRequest = async (
         from: sender,
         to: decoded.toAddress,
         amount: decoded.displayAmount,
-        sun: decoded.sunAmount,
+        // String, not number — preserves precision for 18-decimal TRC-20.
+        amountRaw: decoded.amountRaw,
         contractAddress: decoded.contractAddress,
         functionSelector: decoded.functionSelector,
         tronGridTx: tx,
@@ -471,7 +483,7 @@ export const handleTronRequest = async (
         throw createProviderRpcError(4001, 'User denied transaction');
       }
 
-      const signatureHex = await signTronViaRest(tx.raw_data_hex, decoded.toAddress, decoded.sunAmount);
+      const signatureHex = await signTronViaRest(tx.raw_data_hex, decoded.toAddress, decoded.amountRaw);
 
       // Preserve any existing `signature` array from the dApp (multi-sig
       // case) and append ours; most dApps pass in an unsigned tx so this