Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/dex/router.zig`:
- Around line 83-116: The probe and binary search can skip valid inputs: change
the initial probe so small_amount is not a hardcoded 1000 but e.g. small_amount
= (max_input > 0) ? std.math.min(u256(1), max_input) or at least min(max_input,
1000) and call quoteExactInput only if max_input > 0 (return null when max_input
== 0); adjust the binary search to avoid losing the upper endpoint by using a
loop condition like while (lo + 1 < hi) and computing mid = lo + (hi - lo) / 2
(remove the mid == lo break), and after the loop evaluate both candidates lo and
hi using quoteExactInput and pick the best as optimal (use quoteExactInput and
compare outputs), referencing small_amount, max_input, quoteExactInput, lo, hi,
mid, and optimal in your changes.

In `@src/dex/v2.zig`:
- Around line 28-43: Check and reject invalid pool/fee inputs before computing
V2 formulas: in getAmountOut (and likewise in getAmountIn) validate that
reserve_in != 0, reserve_out != 0, and fee_denominator != 0 (and optionally that
fee_numerator <= fee_denominator) and return 0 (or otherwise fail early) when
any of these conditions are not met so the function does not produce misleading
full-reserve or panicking results; add these guards at the start of getAmountOut
and getAmountIn using the existing parameter names (amount_in, reserve_in,
reserve_out, fee_numerator, fee_denominator) so downstream router/multi-hop
logic treats bad hops as invalid.
- Around line 119-127: The test "getAmountOut matches legacy" is tautological
because uint256_mod.getAmountOut now delegates to src/dex/v2.zig.getAmountOut
with the same fee params; replace the dynamic legacy_result call with a
hardcoded expected numeric value for the given inputs and assert v2_result
equals that constant instead (locate the test and the getAmountOut calls:
getAmountOut(amount_in, reserve_in, reserve_out, 997, 1000) and
uint256_mod.getAmountOut and remove/replace the latter with the known expected
output for these params).

In `@src/dex/v3.zig`:
- Around line 259-291: Add upfront guards in the public helpers to avoid
divide-by-zero / zero-price results: in getNextSqrtPriceFromAmount0RoundingUp
check if liquidity == 0 or sqrt_price_x96 == 0 and return null (keeping the
existing early return for amount == 0); do the same in
getNextSqrtPriceFromAmount1RoundingDown (the symmetric helper referenced around
297-317). This ensures both functions immediately return null for zero liquidity
or zero sqrt_price_x96 before any divisions or multiplications that can produce
incorrect zero/exceptional results.
- Around line 487-505: simulateSwap drops remaining input when ticks.len == 0 or
when the loop finishes with amount_remaining > 0 and active liquidity; after the
for (ticks) |tick_info| loop (and similarly at the other location around lines
539-544) add a terminal-step branch: if amount_remaining > 0 and
current_liquidity != 0, call computeSwapStep one more time using the appropriate
terminal sqrt-price (the min or max sentinel sqrt price for the swap direction)
in place of tick_info.sqrt_price_x96, then deduct consumed (step.amount_in +
step.fee_amount) from amount_remaining (or zero it), and add step.amount_out to
total_amount_out; reference functions/vars: simulateSwap, ticks,
computeSwapStep, current_sqrt_price, current_liquidity, amount_remaining,
total_amount_out to locate where to apply this final unbounded swap step.
- Around line 355-443: The function computeSwapStep uses 1_000_000 - `@as`(u256,
fee_pips) in fee math but never verifies fee_pips, allowing values > 1_000_000
to corrupt calculations; add an early guard in computeSwapStep (e.g.,
assert(fee_pips <= 1_000_000) or an explicit error return) at the top of the
function to fail fast when fee_pips is out of range, and ensure all subsequent
uses (mulDiv, mulDivRoundingUp) occur only after this validation.
- Around line 509-536: The loop that handles tick boundary updates (the branch
comparing current_sqrt_price == tick_info.sqrt_price_x96) must stop advancing
once current_liquidity reaches zero to avoid further calls to computeSwapStep
and crossing zero-liquidity gaps; after updating current_liquidity in both the
zero_for_one and else branches (where you adjust by tick_info.liquidity_net),
add a guard that checks if current_liquidity == 0 and, if so, break out of the
walk (or set the loop’s termination condition) so no further ticks are crossed
or computeSwapStep is invoked; refer to current_liquidity,
tick_info.liquidity_net, zero_for_one, computeSwapStep, and ticks_crossed to
locate where to insert this short-circuit.

In `@src/http_transport.zig`:
- Around line 64-92: The HTTP fetch code uses the wrong API: replace the
Allocating writer with a std.ArrayList(u8) and pass it via the client.fetch
.response_storage field (dynamic = &response_body) rather than .response_writer;
specifically, in requestBatch (and the same pattern in request), change var
response_body: std.Io.Writer.Allocating = .init(self.allocator) to var
response_body = std.ArrayList(u8).init(self.allocator), keep errdefer/deinit,
call client.fetch with .response_storage = .{ .dynamic = &response_body }, then
check res.status and return response_body.toOwnedSlice() (or return appropriate
errors) instead of using the nonexistent writer APIs.

---

Nitpick comments:
In `@docs/content/docs/dex-math.mdx`:
- Around line 48-50: Update the multi-hop example to clarify token decimal
handling: next to the reserves array (the two entries with
.reserve_in/.reserve_out for the ETH->USDC and USDC->DAI hops) add a brief
inline comment stating that USDC uses 6 decimals (e.g., amounts like 300_000e6
represent 300,000 USDC) while DAI/ETH use 18 decimals (e.g., 50e18 represents 50
DAI), and note that you must scale amounts when converting between tokens with
different precisions; keep the numeric values unchanged but add this
clarification so readers understand the unit scaling between USDC and DAI.
- Around line 77-84: The examples call getSqrtRatioAtTick and getTickAtSqrtRatio
with .? unwraps but don’t document null returns; update the docs to state these
functions return null for out-of-range ticks (outside MIN_TICK/MAX_TICK) and
show/mention safe handling (check for null or branch before unwrapping) so users
avoid runtime panics when using eth.dex_v3.getSqrtRatioAtTick(...) and
eth.dex_v3.getTickAtSqrtRatio(...).

In `@src/provider.zig`:
- Around line 467-475: Remove the unnecessary length checks and the `@constCast`
in freeBatchResults: change RpcErrorData.message from []const u8 to []u8 so it
is freed directly, then in freeBatchResults call allocator.free(data) for
.success and allocator.free(e.message) for .rpc_error without checking .len or
casting; finally free the results slice as before. Ensure any places
constructing RpcErrorData allocate a mutable []u8 (not []const u8) to match the
new field type.
- Around line 344-349: addCall currently stores the caller-provided slice
reference (data: []const u8) into BatchCaller.calldata without copying, which
can lead to UB if the original buffer is mutated/freed before execute; either
explicitly document the ownership contract on addCall/BatchCaller/execute (that
calldata must remain valid until execute returns) or change addCall to allocate
and copy the slice into BatchCaller.calldata using the BatchCaller.allocator so
execute owns stable memory; reference the addCall function, the BatchCaller
type, the calldata field, and the execute function when making the change or
adding the doc comment.
- Around line 394-465: The parseBatchResponse function currently leaves entries
set to a sentinel RPC error (code = -1, message = "") when an expected ID is not
found; update parseBatchResponse to detect those sentinels after parsing and
handle them explicitly: either return a distinct error (e.g., return
error.MissingResponse) if any results entry still has the sentinel, or add a new
variant to BatchCallResult (e.g., .missing_response) and set that variant for
those indices so callers can distinguish missing responses from real RPC errors;
implement this by iterating over results after the JSON loop, checking for the
sentinel (code == -1 && message == "") and then either returning
error.MissingResponse or replacing the sentinel with .missing_response (ensure
the allocator ownership is correct when mutating results and free/avoid duping
strings accordingly).

In `@src/uint256.zig`:
- Around line 634-659: The check "if (denominator == 0) return null;" inside
mulDivRoundingUp is redundant because mulDiv(a, b, denominator) already returns
null for a zero denominator; remove that line from the mulDivRoundingUp function
(in src/uint256.zig) so control flow relies on mulDiv's null return, keeping the
rest of the logic (u256ToLimbs, mulWide, remainder comparison, MAX check and
result+1) unchanged.

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/provider.zig`:
- Around line 424-427: The current switch on id_val uses `@intCast` on an i64
which will panic for negative ids; in the block handling .integer (referencing
id_val and the id: u64 variable and the `@intCast` call) add a guard to ensure the
parsed integer is non-negative (and optionally <= `@intCast`(u64, `@maxValue`(u64)))
before casting, and if it fails the guard skip/continue (or handle the error)
instead of calling `@intCast` directly; this prevents panics from negative or
out-of-range JSON-RPC "id" values.

---

Nitpick comments:
In `@src/dex/router.zig`:
- Around line 77-80: The current doc for findArbOpportunity incorrectly implies
the binary-search concavity guarantee holds for all Pool hops; update the
comment for pub fn findArbOpportunity(hops: []const Pool, max_input: u256)
?ArbOpportunity to note that the concavity/marginal-output monotonicity
assumption only holds for constant-product (V2) AMMs and is not guaranteed for
V3 concentrated-liquidity hops, so the binary-search optimizer is only
guaranteed to find the global optimum for all-V2 paths; also indicate expected
behavior for mixed or V3-only paths (e.g., return null, require an explicit
check that all Pool entries are V2 before using binary search, or fall back to
sampling/global search) and reference Pool and ArbOpportunity in the comment.

In `@src/dex/v3.zig`:
- Around line 495-546: The loop over ticks can stall if current_liquidity
becomes zero mid-iteration; add an early guard at the top of the for (ticks)
|tick_info| loop to break if current_liquidity == 0 (or if amount_remaining == 0
already handled) before calling computeSwapStep. Locate the loop that uses
computeSwapStep, check current_liquidity at its start and exit the loop
immediately when it's zero so computeSwapStep is never invoked with zero
liquidity and the loop cannot hang.

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/provider.zig`:
- Around line 471-479: The leak occurs because RPC error messages use an empty
string literal sentinel instead of a nullable/optional heap pointer, so
zero-length heap allocations (allocator.dupe(u8, "")) are skipped by the
`e.message.len > 0` check in freeBatchResults; change the message field's type
to an optional slice (e.g., ?[]u8 or ?[]const u8) where the sentinel is null for
non-allocated messages, update any places that construct the sentinel (use
.message = null) and places that duplicate/assign messages to set Some(buffer)
or null, and then modify freeBatchResults (in the .rpc_error arm) to free the
message only when it is not null (e.g., if (e.message)
allocator.free(e.message.*)). Ensure all callers and the
BatchCallResult/rpc_error constructor are updated to the new optional message
type.
- Around line 363-380: The defer currently frees all entries in bodies even if
some entries remain uninitialized on partial failure; change the
allocation/cleanup to track how many bodies were successfully created (e.g.,
maintain a local var like created_count or replace bodies with an ArrayList of
[]u8) and on error/free only iterate and free bodies[0..created_count], then
free the bodies container; ensure the same pattern is applied around params
(formatCallParams) and use the unique symbols bodies, ids, base_id,
provider.formatCallParams, HttpTransport.buildRequestBody, and
self.allocator.alloc to locate and update the loop so that only initialized
pointers are freed in the defer/cleanup path.

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/provider.zig`:
- Around line 402-409: The code allocates `results` (BatchCallResult array) and
fills a sentinel value but doesn't free `results` if `std.json.parseFromSlice`
or later decoding fails, leaking memory; add an `errdefer
freeBatchResults(allocator, results);` immediately after the sentinel
initialization (right after the for-loop that sets each `r.* = .{ .rpc_error =
.{ .code = -1, .message = null } };`) so any early error path (e.g., the call to
`std.json.parseFromSlice` or subsequent validation) will free the partially
populated `results`; ensure you cancel or clear that errdefer when you take
ownership of `results` for normal success returns.

---

Nitpick comments:
In `@src/provider.zig`:
- Around line 430-438: The batch parser currently does a linear scan of the ids
slice per response item (variables ids, idx, index), resulting in O(n²)
behavior; instead build a one-time id→index lookup before iterating responses
(e.g., a hashmap or array map keyed by id mapping to its usize index), populate
it once from ids, and replace the per-item for-loop and idx assignment with a
constant-time lookup of id to index inside the response loop; ensure the lookup
handles missing ids the same way the current `index = idx orelse continue` does.