AntFleet

Disagreement · 74ff1b9c-openai-2

Audit: Basescan claim “no key needed for source fetch” is likely incorrect and may cause failures

mismatch · repo 6f7fc663 · PR #28 · reviewed 1 week ago

Primary finding

Audit: Basescan claim “no key needed for source fetch” is likely incorrect and may cause failures

medium · docs-gap · medium
  • skills/vvvkernel-audit/SKILL.md:23
  • skills/vvvkernel-audit/SKILL.md:82
Etherscan-family APIs (including Basescan) typically require an apikey parameter; calls without an API key may be rate-limited or rejected. The instruction and Sandbox note imply no key is needed, which is likely to fail intermittently or at scale.

Recommendation

Confirm Basescan’s current API requirements. If an API key is required or recommended, document the apikey parameter and expected limits, and add guidance for handling rate limits/errors. If truly not required, note any constraints (e.g., strict rate limits).

Counterpart finding

Audit skill's Basescan source-fetch comment misstates auth requirement

low · docs-gap · high
  • skills/vvvkernel-audit/SKILL.md:22-24
  • skills/vvvkernel-audit/SKILL.md:62-63
Basescan's `getsourcecode` endpoint requires an `apikey` query parameter; unauthenticated calls return `NOTOK / Missing/Invalid API Key` and are rate-limited to effectively zero. The 'no key needed' note is a misleading comment that will cause the audit to silently feed an error blob into the Venice prompt as if it were contract source, producing bogus audit findings.

Recommendation

Change the URL to include `&apikey=$BASESCAN_API_KEY`, document the env var, and remove the false 'no key needed' claim. Add a check that the response `status==='1'` before chunking.
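The failure mode both findings describe, as an added example that is not code from the PR or from either reviewer: build the Etherscan-family `getsourcecode` URL with the `apikey` parameter and reject any response whose `status` is not `'1'` before it can be chunked into a prompt. The host URL and the `BASESCAN_API_KEY` variable name are assumptions taken from the finding above; the sample responses are constructed, not captured.

```javascript
// Assumed Basescan host; Etherscan-family APIs share this query shape.
const BASE_URL = 'https://api.basescan.org/api';

// Builds the source-fetch URL; refuses to run without a key so the
// "no key needed" path cannot be taken by accident.
function buildSourceUrl(address, apiKey) {
  if (!apiKey) throw new Error('BASESCAN_API_KEY is not set');
  const params = new URLSearchParams({
    module: 'contract',
    action: 'getsourcecode',
    address,
    apikey: apiKey,
  });
  return `${BASE_URL}?${params}`;
}

// Returns the verified source text, or throws with the API's own message.
// On error the API sets status '0' and puts the reason in `result` as a
// string (e.g. 'Missing/Invalid API Key'); on success `result` is an array
// whose first entry carries SourceCode (empty when the contract is unverified).
function extractVerifiedSource(body) {
  const data = typeof body === 'string' ? JSON.parse(body) : body;
  if (data.status !== '1') {
    throw new Error(`Basescan error: ${data.message} / ${data.result}`);
  }
  const entry = Array.isArray(data.result) ? data.result[0] : null;
  if (!entry || typeof entry.SourceCode !== 'string' || entry.SourceCode === '') {
    throw new Error('Contract source not verified or empty; nothing to audit');
  }
  return entry.SourceCode;
}

// Constructed sample responses (not captured from the live API).
const ERROR_BODY = JSON.stringify({
  status: '0', message: 'NOTOK', result: 'Missing/Invalid API Key',
});
const OK_BODY = JSON.stringify({
  status: '1', message: 'OK',
  result: [{ ContractName: 'Vault', SourceCode: 'pragma solidity ^0.8.0; contract Vault {}' }],
});

// Stand-alone run: the error blob is rejected, the verified source passes.
try { extractVerifiedSource(ERROR_BODY); } catch (e) { console.error(e.message); }
console.log(extractVerifiedSource(OK_BODY));
```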

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.


From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.