AntFleet

Anatomy · cf4e74ac-1

cmd_claimable is documented as performing an on-chain read but actually does nothing

medium · docs-gap · closed in 24c537d
repo a16d2030·PR #1·reviewed 1 week ago·closed 1 week ago

The vulnerable code

agenticbets/scripts/agenticbets.py:235-246

235         approve_data,
236         description=f"Approve ${amount} USDC for AgenticBets {market['symbol']} bet",
237     )
238     print(f"  Approve tx: https://basescan.org/tx/{approve_hash}")
239
240     # 2. Place bet
241     print("  Submitting bet...")
242     bet_data = encode_bet(token, amount_raw, position)
243     bet_hash = submit_tx(
244         prediction,
245         bet_data,
246         description=f"Place ${amount} {direction_label} bet on {market['symbol']} epoch {market['epoch']}",

The reasoning

Opus

Hardcoded AGBETS→V2 routing contradicts skill's own guidance and risks future breakage

medium · maintainability · high
  • agenticbets/scripts/agenticbets.py:100-104
  • agenticbets/references/agent-usage.md
The agent-usage.md explicitly tells agents NOT to hardcode AGBETS→V2 routing and to read `predictionContract` from the Markets API. However, the very script the docs describe does exactly that: it ignores the `predictionContract` field returned by /api/bankr/markets and routes by hardcoded address. This is a deceptive/misleading doc-vs-code mismatch, and the code will silently route to the wrong contract if AGBETS ever migrates to V3 or if a new token is added to V2.

Recommendation

Replace get_prediction_contract with `market.get('predictionContract') or fallback`. Use the constant only as a fallback when the API field is missing.

GPT-5

Missing preflight validation before submitting transactions (market status and minimum amount) leads to avoidable reverts and gas loss

medium · api-contract · high
  • agenticbets/scripts/agenticbets.py:215-249
  • agenticbets/references/agent-usage.md:46-49
  • agenticbets/references/agent-usage.md:100-101
The CLI submits approval and bet without checking if the market is still open or if the amount satisfies the on-chain minimum of 1 USDC. This can lead to reverted transactions and wasted gas. The usage guide recommends confirming the market is open before betting and notes BelowMinBet for <1 USDC.

Recommendation

  • Validate market['status'] == 'open' and market.get('secondsToLock', 0) > 10s (or a configurable threshold) before submitting.
  • Enforce amount >= 1.0 USDC in the CLI and fail fast with a clear message.
  • Optionally prompt the user to confirm when secondsToLock is very low.
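
Both recommendations above (read `predictionContract` from the market instead of hardcoding it, and validate status, lock time and minimum amount before signing anything) fit naturally into one preflight step. The following is an added example and not code from the agenticbets repository: the function names `resolve_prediction_contract` and `preflight_bet`, the placeholder fallback address, and the sample market dicts are assumptions constructed for illustration; the field names `status`, `secondsToLock` and `predictionContract` and the 1 USDC minimum follow the review text.

```python
"""Preflight checks for a CLI that approves USDC and places a bet.

Added example, not the agenticbets project's own code. Names and the
fallback address below are assumptions; sample markets are constructed.
"""
from decimal import Decimal

# Hypothetical fallback address (placeholder, not a real contract). Used only
# when the Markets API response lacks a usable predictionContract field.
FALLBACK_PREDICTION_CONTRACT = "0x" + "00" * 20

MIN_BET_USDC = Decimal("1")   # on-chain minimum cited in the finding (BelowMinBet below it)
USDC_DECIMALS = 6             # USDC uses 6 decimals


class PreflightError(ValueError):
    """Raised when a bet would predictably revert on-chain; no tx is sent."""


def resolve_prediction_contract(market: dict, fallback: str = FALLBACK_PREDICTION_CONTRACT) -> str:
    """Prefer the API-supplied predictionContract; fall back to the constant only if it is missing."""
    addr = market.get("predictionContract")
    if isinstance(addr, str) and addr.startswith("0x") and len(addr) == 42:
        return addr
    return fallback


def usdc_to_raw(amount: Decimal) -> int:
    """Convert a USDC amount to its 6-decimal integer, rejecting sub-unit dust."""
    raw = amount * (10 ** USDC_DECIMALS)
    if raw != raw.to_integral_value():
        raise PreflightError(f"amount {amount} has more than {USDC_DECIMALS} decimals")
    return int(raw)


def preflight_bet(market: dict, amount: Decimal, min_seconds_to_lock: int = 10) -> dict:
    """Validate a bet before any approve/bet transaction is signed.

    Returns the parameters a submit step would need, or raises PreflightError
    with a message the CLI can print instead of paying gas for a revert.
    """
    status = market.get("status")
    if status != "open":
        raise PreflightError(f"market {market.get('symbol')} is {status!r}, not open")
    secs = market.get("secondsToLock", 0)
    if not isinstance(secs, (int, float)) or secs <= min_seconds_to_lock:
        raise PreflightError(f"market locks in {secs}s (threshold {min_seconds_to_lock}s); refusing to bet")
    if amount < MIN_BET_USDC:
        raise PreflightError(f"amount {amount} USDC is below the {MIN_BET_USDC} USDC minimum (BelowMinBet)")
    return {
        "prediction": resolve_prediction_contract(market),
        "amount_raw": usdc_to_raw(amount),
        "epoch": market.get("epoch"),
    }


# Constructed sample market responses (not real API output).
SAMPLE_OPEN = {"symbol": "AGBETS", "epoch": 42, "status": "open",
               "secondsToLock": 120, "predictionContract": "0x" + "ab" * 20}
SAMPLE_LOCKED = {"symbol": "AGBETS", "epoch": 42, "status": "locked", "secondsToLock": 0}
SAMPLE_NO_CONTRACT = {"symbol": "NEW", "epoch": 1, "status": "open", "secondsToLock": 300}


def run_examples() -> dict:
    """Exercise the happy path and each rejection; returns results for inspection."""
    results = {"ok": preflight_bet(SAMPLE_OPEN, Decimal("2.5"))}
    cases = [
        ("locked", SAMPLE_LOCKED, Decimal("5")),
        ("below_min", SAMPLE_OPEN, Decimal("0.5")),
        ("dust", SAMPLE_OPEN, Decimal("1.0000001")),
    ]
    for name, mkt, amt in cases:
        try:
            preflight_bet(mkt, amt)
            results[name] = None
        except PreflightError as err:
            results[name] = str(err)
    # Missing predictionContract: the constant is used only as a fallback.
    results["fallback"] = resolve_prediction_contract(SAMPLE_NO_CONTRACT)
    return results


if __name__ == "__main__":
    for key, value in run_examples().items():
        print(f"{key}: {value}")
```

The important ordering is that every check runs before the approve transaction, not just before the bet: an approval that succeeds and a bet that reverts still costs the gas for both and leaves an allowance behind.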

The agreement

Both frontier models flagged this within the same line range. AntFleet's unanimous gate fired — the finding posted on the PR. Closed in 24c537d.

The fix

235         approve_data,
236         description=f"Approve ${amount} USDC for AgenticBets {market['symbol']} bet",
237     )
238     print(f"  Approve tx: https://basescan.org/tx/{approve_hash}")
239
240     # 2. Place bet
241     print("  Submitting bet...")
242     bet_data = encode_bet(token, amount_raw, position)
243     bet_hash = submit_tx(
244         prediction,
245         bet_data,
246         description=f"Place ${amount} {direction_label} bet on {market['symbol']} epoch {market['epoch']}",

Closure

Closed 1 week ago

SHA: 24c537d16fd561f3417259090b34da1e2ba82136

Tweet thread template

tweet 1 of 8 · 171 / 280

Two frontier models reviewed PR #1 on a16d2030. Both found this bug: medium docs-gap: cmd_claimable is documented as performing an on-chain read but actually does nothing

tweet 2 of 8 · 128 / 280

The vulnerable code (agenticbets/scripts/agenticbets.py:235-246): (full snippet at https://www.antfleet.dev/anatomy/cf4e74ac-1)

tweet 3 of 8 · 280 / 280

What Opus saw: "The agent-usage.md explicitly tells agents NOT to hardcode AGBETS→V2 routing and to read `predictionContract` from the Markets API. However, the very script the docs describe does exactly that: it ignores the `predictionContract` field returned by /api/bankr/mar…

tweet 4 of 8 · 280 / 280

What GPT-5 saw: "The CLI submits approval and bet without checking if the market is still open or if the amount satisfies the on-chain minimum of 1 USDC. This can lead to reverted transactions and wasted gas. The usage guide recommends confirming the market is open before betti…

tweet 5 of 8 · 97 / 280

Both flagged the same line range. AntFleet's unanimous gate fired — the finding posted on the PR.

tweet 6 of 8 · 93 / 280

The fix landed in commit 24c537d: (view diff at https://www.antfleet.dev/anatomy/cf4e74ac-1)

tweet 7 of 8 · 81 / 280

AntFleet reviews every PR with two frontier models. Only unanimous findings post.

tweet 8 of 8 · 77 / 280

Full anatomy + reasoning + diffs: https://www.antfleet.dev/anatomy/cf4e74ac-1

Paste into X composer one tweet at a time. X has no multi-tweet intent API.