AntFleet

Anatomy · d9ae4fa5-1

Budget config and record/restore accept invalid values leading to NaN/Infinity and inconsistent state

medium · api-contract

repo 56f59a0d · PR #3 · reviewed 4 days ago

The vulnerable code

src/budget.ts:58-68

Code snippet unavailable.

The reasoning

Opus

BudgetCheck.exhausted optional field not provided in early-return when budget disabled (type/contract gap)

low · api-contract · high
  • src/budget.ts:28-36
  • src/budget.ts:86-92
Actually the disabled branch DOES return exhausted: false — that's fine. But the interface declares exhausted as REQUIRED while at least one usage site (formatWarning) destructures `{ warning, ok, tokensPercent, turnsPercent }` and never checks `exhausted`. This is harmless but worth noting only briefly. More importantly: BudgetCheck has `reason?: string` and `exhausted: boolean` — callers cannot tell from the type whether to expect a reason on !ok. No real bug. Withdrawing.

Recommendation

No action; consider documenting that reason is always present when ok=false.

GPT-5

Budget config and record/restore accept invalid values leading to NaN/Infinity and inconsistent state

medium · api-contract · high
  • src/budget.ts:58-68
  • src/budget.ts:90-95
  • src/budget.ts:70-75
  • src/budget.ts:77-82
  • src/budget.ts:131-144
No validation prevents zero/negative/NaN values for maxTokens, maxTurns, or costs. Division by zero yields Infinity; NaN inputs propagate through percentages and costs; negative tokens/costs produce nonsensical snapshots. record/restore also allow negative or NaN, enabling inconsistent internal state.

Recommendation

Validate and clamp config: require maxTokens/maxTurns > 0; clamp warnAtPercent to [0,100]; require costs >= 0. In record/restore, coerce inputs to non-negative finite numbers and reject/throw on invalid values.
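
As an added example, not AntFleet's code and not the reviewed repo's src/budget.ts (which this page does not show), a budget module hardened along the lines of the recommendation above: limits must be finite and > 0, warnAtPercent is clamped to [0, 100], costs must be >= 0, and record/restore reject NaN, Infinity and negatives before touching state. The field names warnAtPercent and costPerToken, the default of 80, the Snapshot shape and the check() result shape are assumptions; reason is set exactly when ok is false, as the Opus note suggests documenting.

```typescript
// Added example, not the reviewed repo's src/budget.ts (which this page does not show).
// Field names warnAtPercent and costPerToken, the default of 80 and Snapshot are assumptions.
interface BudgetConfig { maxTokens: number; maxTurns: number; warnAtPercent: number; costPerToken: number }
interface Snapshot { tokens: number; turns: number; cost: number }
// Reject anything that is not a finite number: NaN, +/-Infinity, undefined, non-numeric strings.
function finiteNumber(v: unknown, name: string): number {
  const n = typeof v === "number" ? v : Number(v);
  if (!Number.isFinite(n)) throw new RangeError(`${name} must be a finite number, got ${String(v)}`);
  return n;
}
// Finite and >= 0: used for costs, recorded usage and restored snapshots.
function nonNegative(v: unknown, name: string): number {
  const n = finiteNumber(v, name);
  if (n < 0) throw new RangeError(`${name} must be >= 0, got ${n}`);
  return n;
}
// Limits must be > 0 (so no later division yields Infinity); warnAtPercent is clamped, costs must be >= 0.
function validateConfig(raw: Partial<BudgetConfig>): BudgetConfig {
  const maxTokens = finiteNumber(raw.maxTokens, "maxTokens");
  const maxTurns = finiteNumber(raw.maxTurns, "maxTurns");
  if (maxTokens <= 0 || maxTurns <= 0) throw new RangeError("maxTokens and maxTurns must be > 0");
  const warnRaw = Number(raw.warnAtPercent ?? 80);
  const warnAtPercent = Number.isFinite(warnRaw) ? Math.min(100, Math.max(0, warnRaw)) : 80;
  return { maxTokens, maxTurns, warnAtPercent, costPerToken: nonNegative(raw.costPerToken ?? 0, "costPerToken") };
}

class BudgetTracker {
  private used: Snapshot = { tokens: 0, turns: 0, cost: 0 };
  private readonly cfg: BudgetConfig;
  constructor(cfg: BudgetConfig) { this.cfg = cfg; }
  // Inputs are validated before state is touched, so a rejected call leaves state unchanged.
  record(tokens: unknown, cost: unknown = 0): void {
    const t = nonNegative(tokens, "tokens"), c = nonNegative(cost, "cost");
    this.used = { tokens: this.used.tokens + t, turns: this.used.turns + 1, cost: this.used.cost + c };
  }
  restore(snap: Partial<Snapshot>): void {
    const tokens = nonNegative(snap.tokens ?? 0, "tokens"), turns = nonNegative(snap.turns ?? 0, "turns");
    this.used = { tokens, turns, cost: nonNegative(snap.cost ?? 0, "cost") };
  }
  // Divisors were validated > 0, so percentages are always finite; reason is set exactly when !ok.
  check() {
    const tokensPercent = (100 * this.used.tokens) / this.cfg.maxTokens;
    const turnsPercent = (100 * this.used.turns) / this.cfg.maxTurns;
    const exhausted = this.used.tokens >= this.cfg.maxTokens || this.used.turns >= this.cfg.maxTurns;
    const warning = Math.max(tokensPercent, turnsPercent) >= this.cfg.warnAtPercent;
    return { ok: !exhausted, exhausted, warning, tokensPercent, turnsPercent,
             reason: exhausted ? "budget exhausted" : undefined };
  }
}
```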

The agreement

Both frontier models flagged this within the same line range. AntFleet's unanimous gate fired — the finding posted on the PR.

Closure

Fix status: commit pending. Full anatomy, reasoning and diffs: https://www.antfleet.dev/anatomy/d9ae4fa5-1