AntFleet

Anatomy · 74ff1b9c-0

Audit: Basescan claim “no key needed for source fetch” is likely incorrect and may cause failures

medium · docs-gap

repo 6f7fc663 · PR #28 · reviewed 1 week ago

The vulnerable code

skills/vvvkernel-audit/SKILL.md:23-23

Code snippet unavailable.

The reasoning

Opus

Audit skill's Basescan source-fetch comment misstates auth requirement

low · docs-gap · high
  • skills/vvvkernel-audit/SKILL.md:22-24
  • skills/vvvkernel-audit/SKILL.md:62-63
Basescan's `getsourcecode` endpoint requires an `apikey` query parameter; unauthenticated calls return `NOTOK / Missing/Invalid API Key` and are rate-limited to effectively zero. The 'no key needed' note is a misleading comment that will cause the audit to silently feed an error blob into the Venice prompt as if it were contract source, producing bogus audit findings.

Recommendation

Change the URL to include `&apikey=$BASESCAN_API_KEY`, document the env var, and remove the false 'no key needed' claim. Add a check that the response `status==='1'` before chunking.
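The two checks in this recommendation (refuse an unauthenticated `getsourcecode` URL, and verify `status == "1"` before the response is chunked into the prompt), as an added example that is not the skill's own code. The `BASESCAN_API_KEY` variable name comes from the recommendation; the base URL, the address and both response bodies are constructed assumptions.

```python
import json
import os
from typing import Optional
from urllib.parse import urlencode

# Constructed responses in the Etherscan-family shape (not captured from Basescan).
MISSING_KEY_RESPONSE = '{"status":"0","message":"NOTOK","result":"Missing/Invalid API Key"}'
OK_RESPONSE = json.dumps({"status": "1", "message": "OK", "result": [
    {"ContractName": "Demo", "SourceCode": "pragma solidity ^0.8.0;\ncontract Demo {}"}]})


def source_url(base_url: str, address: str, api_key: Optional[str]) -> str:
    """Build the getsourcecode URL; never emit one without an apikey."""
    if not api_key:
        raise RuntimeError("BASESCAN_API_KEY is not set; unauthenticated calls return NOTOK")
    query = {"module": "contract", "action": "getsourcecode",
             "address": address, "apikey": api_key}
    return f"{base_url}?{urlencode(query)}"


def source_url_from_env(base_url: str, address: str) -> str:
    """Same, with the key taken from the documented environment variable."""
    return source_url(base_url, address, os.environ.get("BASESCAN_API_KEY"))


def extract_source(body: str) -> str:
    """Return verified contract source, or raise instead of passing an error blob on."""
    data = json.loads(body)
    if data.get("status") != "1":
        # An error response has status "0" and a message such as NOTOK; it is not source.
        raise ValueError(f"source fetch failed: {data.get('message')}: {data.get('result')}")
    result = data.get("result")
    if not isinstance(result, list) or not result:
        raise ValueError("unexpected result shape for getsourcecode")
    source = result[0].get("SourceCode", "")
    if not source.strip():
        # Unverified contracts come back with status "1" but an empty SourceCode field.
        raise ValueError("contract is not verified: empty SourceCode")
    return source
```

Only the string returned by `extract_source` should reach the chunking step; every other path raises so the audit fails loudly rather than producing findings from an error message.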

GPT-5

Audit: Basescan claim “no key needed for source fetch” is likely incorrect and may cause failures

medium · docs-gap · medium
  • skills/vvvkernel-audit/SKILL.md:23
  • skills/vvvkernel-audit/SKILL.md:82
Etherscan-family APIs (including Basescan) typically require an apikey parameter; calls without an API key may be rate-limited or rejected. The instruction and Sandbox note imply no key is needed, which is likely to fail intermittently or at scale.

Recommendation

Confirm Basescan’s current API requirements. If an API key is required or recommended, document the apikey parameter and expected limits, and add guidance for handling rate limits/errors. If truly not required, note any constraints (e.g., strict rate limits).

The agreement

Both frontier models flagged this within the same line range. AntFleet's unanimous gate fired — the finding posted on the PR.

Closure

The fix landed in commit pending (view diff at https://www.antfleet.dev/anatomy/74ff1b9c-0).

Full anatomy + reasoning + diffs: https://www.antfleet.dev/anatomy/74ff1b9c-0
