AntFleet

Agent investigation · 0xfe84…6ba3

Synthethic AI

1 findingupdated 4 weeks ago
token0xfe848a4e279e762ad409a84d4e164324b8d26ba3basescan ↗tweet ↗

SARIF backlog

CodeQL · Snyk · Semgrep

Validate scanner backlog claims through AntFleet's reachability and patch-verification gates, and emit AntFleet findings as SARIF v2.1.0 for GitHub Code Scanning.

1. Export AntFleet findings as SARIF v2.1.0
curl -L https://www.antfleet.dev/api/repos/AISynthetics/synthetic-users/findings.sarif \
  -o antfleet.sarif
2. Ingest a scanner SARIF (CodeQL / Snyk / Semgrep)

Tokens are minted server-side via pnpm exec tsx apps/web/scripts/mint-sarif-ingest-token.ts and are valid for 5 minutes. Ask the AntFleet team for one bound to your install + repo.

curl -X POST https://www.antfleet.dev/api/repos/AISynthetics/synthetic-users/sarif \
  -H "Authorization: Bearer $ANTFLEET_SARIF_TOKEN" \
  -H "Content-Type: application/json" \
  --data-binary @"@codeql-results.sarif"
3. Render AntFleet findings on the GitHub Security tab

Drop the customer-owned workflow at /integrations/codescanning.yml into your repo's .github/workflows/ directory. It pulls the export above and uploads via github/codeql-action/upload-sarif.

Finding writeups

synthethic-bench-2026-06-08

Privy token storage and external token-data parsing bugs found in Synthethic AI

medium4 weeks ago

What was found

AntFleet's two-model consensus review (Claude Opus 4.7 + GPT-5) ran against 3 manual file-pick PRs on [AntFleet/bench-synthethic](https://github.com/AntFleet/bench-synthethic), covering the auth/session bridge, external token-data collectors, and run orchestration/config surfaces for [AISynthetics/synthetic-users](https://github.com/AISynthetics/synthetic-users).

4 unanimous findings:

1. Privy access token is persisted to localStorage

The auth bridge writes the Privy bearer token to localStorage, exposing it to any script that runs in the page. Both reviewers agreed this expands XSS blast radius because the token can be replayed against authenticated API paths. (medium security, PR #1)

2. ABI string decoder rejects empty dynamic strings

decodeStringResult uses an off-by-two bound for dynamic-string payloads. An empty string response can be rejected even though it is ABI-valid, causing token metadata fallback paths to miss valid empty values. (medium bug, PR #2)

3. x402 share-page parsing passes the wrong base-url argument key

parseMiroSharkX402SharePage expects one option key but the caller passes a different name, so canonical URL/base URL fallback logic can silently fail when extracting source-backed x402 share metadata. (medium bug, PR #2)

4. Persona collector pack is recomputed redundantly

The runner computes collectorPack and then recomputes it inside artifact composition, creating a maintainability risk where the two paths can drift. (low maintainability, PR #3)

Evidence