AntFleet

Anatomy · 09a05e58-0

Fund wallet URL contains unencoded JSON breaking Coinbase Pay link

medium · bug
repo 5149da9d·PR #1·reviewed 2 days ago

The vulnerable code

desktop/renderer/src/components/wallet/WalletView.tsx:197-201

Code snippet unavailable.

The reasoning

Opus

Fund wallet URL contains unencoded JSON breaking Coinbase Pay link

medium · bug · high
  • desktop/renderer/src/components/wallet/WalletView.tsx:197-201
The Coinbase Pay fallback URL is constructed by interpolating the address directly into a JSON object in the query string without URL-encoding the braces, quotes, and brackets. Coinbase Pay's documented onramp link requires the `addresses` and `assets` query parameters to be URL-encoded JSON (e.g. encodeURIComponent). When passed raw, browsers may pass the characters through to Coinbase, but the JSON contains unescaped double quotes inside a JS template literal embedded into a URL — meaning the final URL contains literal `{`, `"`, `[`, `]` which many user agents will percent-encode inconsistently (or which Coinbase Pay's parser rejects). At minimum the link is non-conformant to the documented contract and may fail at Coinbase's side; the address is also not encoded so a non-hex address would break parsing.

Recommendation

Use URLSearchParams and encodeURIComponent:

```ts
const params = new URLSearchParams({
  addresses: JSON.stringify({ [address]: ['base'] }),
  assets: JSON.stringify(['USDC']),
});
window.open(`https://pay.coinbase.com/buy?${params}`, '_blank');
```
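The two URL constructions side by side, as an added example (not AntFleet's or the reviewed project's code): the raw interpolation the finding describes, the URLSearchParams form from the recommendation, and a receiver-side parse that shows why the raw form is fragile once the address carries a query-significant character. The Coinbase Pay URL shape is taken from the finding; the helper names and the sample addresses are constructed here.

```typescript
// Coinbase Pay onramp endpoint as named in the finding.
const COINBASE_PAY_BUY = 'https://pay.coinbase.com/buy';

// Unsafe: the pattern the finding describes. Literal {, ", [, ] and the
// unencoded address land directly in the query string.
function buildFundUrlRaw(address: string): string {
  return `${COINBASE_PAY_BUY}?addresses={"${address}":["base"]}&assets=["USDC"]`;
}

// Hardened: JSON.stringify builds the values, URLSearchParams percent-encodes
// them (braces, quotes, brackets, colons and the address itself).
function buildFundUrlSafe(address: string): string {
  const params = new URLSearchParams({
    addresses: JSON.stringify({ [address]: ['base'] }),
    assets: JSON.stringify(['USDC']),
  });
  return `${COINBASE_PAY_BUY}?${params}`;
}

// Conformance check: does the query part still contain any raw JSON
// punctuation that the documented contract says must be URL-encoded?
function hasUnencodedJsonChars(url: string): boolean {
  const query = url.split('?')[1] ?? '';
  return /[{}\[\]"]/.test(query);
}

// Receiver-side parse: split the query, decode, JSON.parse both parameters.
// Returns null when a parameter is missing or is not valid JSON, which is
// what a strict onramp parser would do with the raw form.
function parseOnrampParams(
  url: string,
): { addresses: Record<string, string[]>; assets: string[] } | null {
  const q = new URL(url).searchParams;
  const addresses = q.get('addresses');
  const assets = q.get('assets');
  if (addresses === null || assets === null) return null;
  try {
    return { addresses: JSON.parse(addresses), assets: JSON.parse(assets) };
  } catch {
    return null;
  }
}
```

With a plain hex address the raw form may still parse on a lenient receiver, which is why the conformance check, not only the round-trip, is the useful signal.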

GPT-5

Output unavailable for this row.

The agreement

Both frontier models flagged this within the same line range. AntFleet's unanimous gate fired — the finding posted on the PR.

Closure

Tweet thread template

tweet 1 of 8 (148 / 280)

Two frontier models reviewed PR #1 on 5149da9d. Both found this bug: medium bug: Fund wallet URL contains unencoded JSON breaking Coinbase Pay link

tweet 2 of 8 (147 / 280)

The vulnerable code (desktop/renderer/src/components/wallet/WalletView.tsx:197-201): (full snippet at https://www.antfleet.dev/anatomy/09a05e58-0)

tweet 3 of 8 (280 / 280)

What Opus saw: "The Coinbase Pay fallback URL is constructed by interpolating the address directly into a JSON object in the query string without URL-encoding the braces, quotes, and brackets. Coinbase Pay's documented onramp link requires the `addresses` and `assets` query par…

tweet 4 of 8 (37 / 280)

What GPT-5 saw: "Output unavailable"

tweet 5 of 8 (97 / 280)

Both flagged the same line range. AntFleet's unanimous gate fired — the finding posted on the PR.

tweet 6 of 8 (93 / 280)

The fix landed in commit pending: (view diff at https://www.antfleet.dev/anatomy/09a05e58-0)

tweet 7 of 8 (81 / 280)

AntFleet reviews every PR with two frontier models. Only unanimous findings post.

tweet 8 of 8 (77 / 280)

Full anatomy + reasoning + diffs: https://www.antfleet.dev/anatomy/09a05e58-0

Paste into X composer one tweet at a time. X has no multi-tweet intent API.
