AntFleet

Disagreement · 1e8fb4a1-anthropic-10

StreamableFeesLockerV2.lock allows beneficiaries' addresses but does not validate them against the protocol owner that is forcibly inserted via _storeBeneficiaries

solo Opus
repo a7cc2ed7 · PR #1 · reviewed 1 week ago

Opus finding

StreamableFeesLockerV2.lock allows beneficiaries' addresses but does not validate them against the protocol owner that is forcibly inserted via _storeBeneficiaries

low · maintainability · low
  • src/StreamableFeesLockerV2.sol:104-117
`_storeBeneficiaries` is delegated to a helper `storeBeneficiaries` in `BeneficiaryData` which presumably handles ownership share enforcement. Without seeing that file, the correctness of the protocol-owner injection cannot be assessed. Flagging for verification rather than asserting a bug.

Recommendation

Verify that storeBeneficiaries (in src/types/BeneficiaryData.sol) properly enforces MIN_PROTOCOL_OWNER_SHARES and rejects duplicate beneficiaries.

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
