AntFleet

Disagreement · 2ee1c98c-openai-2

parseTokenId may select the wrong NFT if another ERC721 mint occurs in the same tx

solo GPT-5
repo 53606958 · PR #5 · reviewed 1 week ago

GPT-5 finding

parseTokenId may select the wrong NFT if another ERC721 mint occurs in the same tx

medium · maintainability · high
  • scripts/reposition.ts:161-173
The selector matches any ERC721 Transfer(from=0x0, to=..., tokenId), without verifying the emitting contract address is NFPM. If a router/aggregator or another protocol also mints an NFT in the same transaction, this may capture the wrong tokenId and write an incorrect record.

Recommendation

Filter by the emitting contract address (ADDRESSES.NFPM_V3). Update parseTokenId to accept full receipt logs with the address field and require log.address.toLowerCase() === ADDRESSES.NFPM_V3.toLowerCase(). Alternatively, decode the return data from the mint call if available.
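The recommended address filter, shown next to the behaviour the finding describes. This is an added example, not code from the reviewed repository: the addresses, the sample logs, the helper names and the "exactly one mint" check are assumptions, and `NFPM_V3` is a placeholder for `ADDRESSES.NFPM_V3`.

```typescript
// Added example, not the repository's code. NFPM_V3, OTHER_NFT and RECIPIENT are
// constructed placeholders; NFPM_V3 stands in for ADDRESSES.NFPM_V3.
interface ReceiptLog { address: string; topics: string[]; }

// keccak256("Transfer(address,address,uint256)")
const TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef";
const NFPM_V3 = "0xAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaAaAa";
const OTHER_NFT = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
const RECIPIENT = "0xcccccccccccccccccccccccccccccccccccccccc";

// Left-pad a hex value (with or without 0x) to a 32-byte topic.
function topic32(hex: string): string {
  let s = hex.replace(/^0x/, "").toLowerCase();
  while (s.length < 64) s = "0" + s;
  return "0x" + s;
}

// ERC721 mint: Transfer with three indexed args (4 topics) and from == 0x0.
function isMintTo(log: ReceiptLog, to: string): boolean {
  return log.topics.length === 4 &&
    log.topics[0].toLowerCase() === TRANSFER_TOPIC &&
    log.topics[1].toLowerCase() === topic32("0") &&
    log.topics[2].toLowerCase() === topic32(to);
}

function tokenIdOf(log: ReceiptLog): string {
  return "0x" + (log.topics[3].slice(2).replace(/^0+/, "") || "0");
}

// Behaviour the finding describes: first matching mint wins, emitter ignored.
function parseTokenIdAnyEmitter(logs: ReceiptLog[], to: string): string | null {
  for (let i = 0; i < logs.length; i++) if (isMintTo(logs[i], to)) return tokenIdOf(logs[i]);
  return null;
}

// Recommended form: only mints emitted by the NFPM count; exactly one is assumed.
function parseTokenId(logs: ReceiptLog[], nfpm: string, to: string): string {
  const ids: string[] = [];
  for (let i = 0; i < logs.length; i++) {
    const log = logs[i];
    if (log.address.toLowerCase() === nfpm.toLowerCase() && isMintTo(log, to)) ids.push(tokenIdOf(log));
  }
  if (ids.length !== 1) throw new Error("expected 1 NFPM mint, found " + ids.length);
  return ids[0];
}

// Constructed receipt: another ERC721 mints to the same recipient before the NFPM does.
const SAMPLE_LOGS: ReceiptLog[] = [
  { address: OTHER_NFT, topics: [TRANSFER_TOPIC, topic32("0"), topic32(RECIPIENT), topic32("2a")] },
  { address: NFPM_V3.toLowerCase(), topics: [TRANSFER_TOPIC, topic32("0"), topic32(RECIPIENT), topic32("1e240")] },
];
```

On the constructed receipt the unfiltered selector returns the other contract's token, while the filtered one returns the NFPM token and throws when no NFPM mint is present instead of recording a wrong id.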

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
