AntFleet

Anatomy · cf4e74ac-0

Hardcoded AGBETS→V2 routing contradicts skill's own guidance and risks future breakage

medium · maintainability · closed in 24c537d
repo a16d2030 · PR #1 · reviewed 1 week ago · closed 1 week ago

The vulnerable code

agenticbets/scripts/agenticbets.py:100-104

100         MARKETS_API,
101         headers={"Accept": "application/json", "User-Agent": "agenticbets-bankr-skill/1.0"},
102     )
103     try:
104         with urllib.request.urlopen(req, timeout=30) as resp:

The reasoning

Opus

Hardcoded AGBETS→V2 routing contradicts skill's own guidance and risks future breakage

medium · maintainability · high
  • agenticbets/scripts/agenticbets.py:100-104
  • agenticbets/references/agent-usage.md
The agent-usage.md explicitly tells agents NOT to hardcode AGBETS→V2 routing and to read `predictionContract` from the Markets API. However, the very script the docs describe does exactly that: it ignores the `predictionContract` field returned by /api/bankr/markets and routes by hardcoded address. This is a deceptive/misleading doc-vs-code mismatch, and the code will silently route to the wrong contract if AGBETS ever migrates to V3 or if a new token is added to V2.

Recommendation

Replace get_prediction_contract with `market.get('predictionContract') or fallback`. Use the constant only as a fallback when the API field is missing.

GPT-5

Output unavailable for this row.

The agreement

Both frontier models flagged this within the same line range. AntFleet's unanimous gate fired — the finding posted on the PR. Closed in 24c537d.

The fix

100         MARKETS_API,
101         headers={"Accept": "application/json", "User-Agent": "agenticbets-bankr-skill/1.0"},
102     )
103     try:
104         with urllib.request.urlopen(req, timeout=30) as resp:

Closure

Closed 1 week ago

SHA: 24c537d16fd561f3417259090b34da1e2ba82136

