Opus finding
Bundler.bundle uses contract's entire ETH balance, allowing trapped/donated ETH to be routed via router
medium / security / medium
- src/Bundler.sol:155-170
Bundler funds the router execution with `address(this).balance` rather than `msg.value`. Bundler has no `receive()` function (so unsolicited ETH cannot be sent), but any leftover ETH from prior interactions (e.g. via selfdestruct, or an Airlock callback in future versions) could be consumed by the next caller. More importantly, the final `safeTransferETH(msg.sender, ethBalance)` sends all remaining ETH, including any pre-existing leftover, to the caller, so a user who happens to call `bundle` could receive ETH that was 'stuck' from prior reverts. This is a minor griefing/economic concern, but not catastrophic, because Bundler has no `receive()`. `airlock.create` should not return ETH either. Still, using `msg.value` would be safer.
Recommendation
Use `msg.value` for `router.execute` and refund `msg.value - spent`, or explicitly validate `balance == msg.value` before execution.