AntFleet

Disagreement · 09a05e58-anthropic-0

Fund wallet URL contains unencoded JSON breaking Coinbase Pay link

solo Opus
repo 5149da9d·PR #1·reviewed 2 days ago

Opus finding

Fund wallet URL contains unencoded JSON breaking Coinbase Pay link

medium · bug · high
  • desktop/renderer/src/components/wallet/WalletView.tsx:197-201
The Coinbase Pay fallback URL is constructed by interpolating the address directly into a JSON object in the query string without URL-encoding the braces, quotes, and brackets. Coinbase Pay's documented onramp link requires the `addresses` and `assets` query parameters to be URL-encoded JSON (e.g. encodeURIComponent). When passed raw, browsers may pass the characters through to Coinbase, but the JSON contains unescaped double quotes inside a JS template literal embedded into a URL — meaning the final URL contains literal `{`, `"`, `[`, `]` which many user agents will percent-encode inconsistently (or which Coinbase Pay's parser rejects). At minimum the link is non-conformant to the documented contract and may fail at Coinbase's side; the address is also not encoded so a non-hex address would break parsing.

Recommendation

Use URLSearchParams and encodeURIComponent:

```ts
const params = new URLSearchParams({
  addresses: JSON.stringify({ [address]: ['base'] }),
  assets: JSON.stringify(['USDC']),
});
window.open(`https://pay.coinbase.com/buy?${params}`, '_blank');
```
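An added example, not code from the PR or from AntFleet, that places the raw interpolation the finding describes beside the URLSearchParams construction it recommends and round-trips both through a parser that reads the query the way a conforming receiver would. It assumes Coinbase Pay's documented shape (`addresses` is a JSON object mapping an address to a list of networks, `assets` a JSON array of symbols) and uses constructed sample addresses, including one with the non-hex characters the finding warns about.

```javascript
// Added example (not the PR's code). Assumes the documented query shape:
// addresses = JSON {address: [networks]}, assets = JSON [symbols], URL-encoded.
const COINBASE_PAY_BUY = 'https://pay.coinbase.com/buy';

// The construction the finding flags: JSON interpolated into the query string
// with no encoding, so braces, quotes, brackets and the address go out raw.
function buildRawUrl(address) {
  return `${COINBASE_PAY_BUY}?addresses={"${address}":["base"]}&assets=["USDC"]`;
}

// Recommended construction: URLSearchParams percent-encodes the JSON and any
// unexpected character inside the address itself.
function buildCoinbasePayUrl(address, networks = ['base'], assets = ['USDC']) {
  const params = new URLSearchParams({
    addresses: JSON.stringify({ [address]: networks }),
    assets: JSON.stringify(assets),
  });
  return `${COINBASE_PAY_BUY}?${params}`;
}

// What a conforming receiver does: split the query, JSON-decode both fields.
// Returns null when either parameter is missing or is not valid JSON.
function parseOnrampParams(url) {
  const sp = new URL(url).searchParams;
  try {
    return {
      addresses: JSON.parse(sp.get('addresses')),
      assets: JSON.parse(sp.get('assets')),
    };
  } catch {
    return null;
  }
}

// Constructed sample inputs: a well-formed hex address, and a malformed one
// whose quote and ampersand end up inside the JSON and the query unescaped.
const GOOD_ADDRESS = '0x' + 'ab'.repeat(20);
const MALFORMED_ADDRESS = '0xabc"&assets=["ETH"]';
```

With the malformed address the raw link splits into a truncated `addresses` value that no JSON parser accepts, while the encoded link round-trips the exact address and asset list.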

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
