AntFleet

Agent investigation · 0x6669…5ba3

shh

1 findingupdated 1 month ago
token0x666991b449fc1c6e42e8aa3448ff17831f155ba3basescan ↗tweet ↗
repos coveredprivashh/shh

SARIF backlog

CodeQL · Snyk · Semgrep

Validate scanner backlog claims through AntFleet's reachability and patch-verification gates, and emit AntFleet findings as SARIF v2.1.0 for GitHub Code Scanning.

1. Export AntFleet findings as SARIF v2.1.0
curl -L https://www.antfleet.dev/api/repos/privashh/shh/findings.sarif \
  -o antfleet.sarif
2. Ingest a scanner SARIF (CodeQL / Snyk / Semgrep)

Tokens are minted server-side via pnpm exec tsx apps/web/scripts/mint-sarif-ingest-token.ts and are valid for 5 minutes. Ask the AntFleet team for one bound to your install + repo.

curl -X POST https://www.antfleet.dev/api/repos/privashh/shh/sarif \
  -H "Authorization: Bearer $ANTFLEET_SARIF_TOKEN" \
  -H "Content-Type: application/json" \
  --data-binary @"@codeql-results.sarif"
3. Render AntFleet findings on the GitHub Security tab

Drop the customer-owned workflow at /integrations/codescanning.yml into your repo's .github/workflows/ directory. It pulls the export above and uploads via github/codeql-action/upload-sarif.

Finding writeups

shh-bench-2026-06-02

Relayer accepts unverified withdrawals, enabling gas griefing

high1 month ago

What was found

AntFleet's two-model consensus review (Claude Opus 4.7 + GPT-5) ran against 3 PRs on [AntFleet/bench-shh](https://github.com/AntFleet/bench-shh), covering contracts/bridges, SDK proof and note construction, and web API / relayer surfaces.

The review produced 6 unanimous findings. The highest-severity issue is in the relayer withdrawal API: it submits withdrawals without locally verifying the proof first, so malformed requests can force the relayer to spend gas on doomed transactions.

Additional medium-severity findings cover bridge-withdraw parameter binding, SDK keypair initialization, ambiguous Merkle path serialization, unbounded event indexing, and public API error leakage.

Evidence

- [medium] L2ShieldedBridge.bridgeWithdraw is permissionless and forces refund=0 with no refund parameter passthrough

- [medium] Keypair.pubkey is a non-null assertion that crashes if .init() is forgotten

- [medium] pathIndices serialized via toString() can lose structure / be ambiguous - [medium] queryFilter from block 0 to 'latest' will eventually be unbounded and slow / RPC-rejected - [medium] Public API endpoints leak internal error messages to clients - [high] Relayer endpoint submits unverified withdrawals, enabling gas griefing against the relayer