Why this matters

The bug. The as keyword in Rust silently truncates when casting between integer types. A u64 of 4_000_000_000 becomes an i32 of -294_967_296. The compiler will not complain. Your dashboard will say the user has -300M seconds left.

The fix. Use TryFrom / try_into. It returns a Result and forces you to handle the overflow case explicitly.

Sister bug. Subtraction overflow: limit - used underflows if used > limit. In debug builds Rust panics ("attempt to subtract with overflow"); in release builds it wraps around. Use checked_sub / saturating_sub.
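The buggy cast and the two fixes side by side, as an added Rust example that is not part of the original note (the function names and the 4_000_000_000-second quota are assumed, not taken from any real project):

```rust
// Added example (not from the original note): the same quota arithmetic
// written three ways. The first is the bug; the others surface or clamp the
// overflow instead of hiding it.
use std::convert::TryInto;

/// Buggy: `as` silently truncates. 4_000_000_000u64 as i32 == -294_967_296.
/// The subtraction also panics (debug) or wraps (release) when used > limit.
pub fn seconds_left_as_cast(limit: u64, used: u64) -> i32 {
    (limit - used) as i32
}

/// Fixed: `checked_sub` rejects used > limit, `try_into` rejects values that
/// do not fit in an i32. Callers must handle `None` instead of a wrong number.
pub fn seconds_left_checked(limit: u64, used: u64) -> Option<i32> {
    limit.checked_sub(used)?.try_into().ok()
}

/// Alternative when clamping is the intended policy: never negative, never
/// larger than i32::MAX. The final `as` is safe because the value is bounded.
pub fn seconds_left_saturating(limit: u64, used: u64) -> i32 {
    let left = limit.saturating_sub(used);
    left.min(i32::MAX as u64) as i32
}

fn main() {
    // Constructed sample: a quota of ~127 years of seconds, nothing used yet.
    let limit = 4_000_000_000u64;
    println!("as cast:    {}", seconds_left_as_cast(limit, 0)); // -294967296
    println!("checked:    {:?}", seconds_left_checked(limit, 0)); // None
    println!("saturating: {}", seconds_left_saturating(limit, 0)); // 2147483647
    println!("over quota: {:?}", seconds_left_checked(100, 150)); // None
}
```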

Review heuristic

Any arithmetic on a number that came from input, including a length, a count, or a timestamp, should be reviewed for what happens at the type's max value. A 32-bit byte counter overflows after 4 GB.

External reference: CWE-190: Integer Overflow or Wraparound.