AntFleet

Disagreement · b6cf244f-anthropic-0

publish-signal.sh always verifies TX against Base RPC, even when --chain is ethereum/polygon/solana

mismatch
repo a16d2030 · PR #5 · reviewed 1 week ago

Primary finding

publish-signal.sh always verifies TX against Base RPC, even when --chain is ethereum/polygon/solana

Severity: high · Category: bug
  • bankr-signals/scripts/publish-signal.sh:75-95
The script accepts --chain base|ethereum|polygon|solana (per SKILL.md and signal-format.md). However, the TX hash verification step hard-codes RPC_URL to BASE_RPC_URL regardless of the --chain argument. A user submitting an Ethereum or Polygon TX hash will get verification against Base, which will almost always return null (TX not found). The code then prints a 'Warning: could not verify' but still publishes. For Solana the call would be meaningless as eth_getTransactionReceipt isn't a Solana RPC method. Worse, a failed Ethereum trade will silently be accepted because the receipt lookup on Base returns null instead of revealing status 0x0. This means failed trades from non-Base chains can be published as signals — exactly the failure the README claims is impossible ('You cannot publish a signal for a trade that didn't happen').

Recommendation

Switch on $CHAIN to choose the correct RPC URL (mirroring verify-trade.sh), or simply delegate verification to verify-trade.sh which already handles the chain selection. Treat 'cannot verify' as fatal rather than a warning, since the README/skill explicitly guarantees onchain verification.

Counterpart finding

Docs claim signals cannot be published for nonexistent trades, but publish-signal.sh allows unverified publishing

Severity: high · Category: docs-gap
  • bankr-signals/SKILL.md:138-141
  • bankr-signals/scripts/publish-signal.sh:68-71
The implementation explicitly allows publishing when transaction verification fails. This directly contradicts the documentation, weakening trust in the signal feed and potentially enabling fake signals.

Recommendation

Change default behavior to abort on unverifiable TX unless explicitly overridden by a flag (e.g., --allow-unverified). Update docs accordingly if unverified publishing is permitted, or implement required verification to match current docs.
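The two recommendations above (pick the RPC endpoint from $CHAIN, treat "cannot verify" as fatal unless explicitly overridden) as an added shell example. This is illustrative code written for this page, not the bankr-signals scripts: the environment variable names ETHEREUM_RPC_URL and POLYGON_RPC_URL, the --allow-unverified override, and the sample JSON-RPC responses are assumptions constructed for the example (only BASE_RPC_URL and eth_getTransactionReceipt appear in the findings). The point it makes beyond the prose is that "result": null (unknown transaction) and "status": "0x0" (reverted trade) are different outcomes and only the former should be overridable; neither should publish by default.

```shell
#!/usr/bin/env bash
# Added example (not the bankr-signals code): chain-aware RPC selection and a
# fail-closed receipt check. Assumed environment variable names:
# BASE_RPC_URL, ETHEREUM_RPC_URL, POLYGON_RPC_URL.

# Map the --chain argument to the RPC endpoint for that chain.
# Prints the URL on stdout; returns 2 (with a message on stderr) for chains
# this EVM-style check cannot serve, so the caller fails closed instead of
# silently querying the wrong chain.
rpc_url_for_chain() {
  chain="$1"
  case "$chain" in
    base)     url="$BASE_RPC_URL" ;;
    ethereum) url="$ETHEREUM_RPC_URL" ;;
    polygon)  url="$POLYGON_RPC_URL" ;;
    solana)
      echo "solana: eth_getTransactionReceipt is not a Solana RPC method; a Solana-specific check is required" >&2
      return 2 ;;
    *)
      echo "unsupported chain: $chain" >&2
      return 2 ;;
  esac
  if [ -z "$url" ]; then
    echo "no RPC URL configured for chain $chain" >&2
    return 2
  fi
  printf '%s\n' "$url"
}

# A tx hash is interpolated into a JSON body below, so validate its shape
# first (EVM tx hashes are 0x + 64 hex chars) rather than trusting the CLI arg.
valid_evm_tx_hash() {
  printf '%s' "$1" | grep -Eq '^0x[0-9a-fA-F]{64}$'
}

# Classify a raw eth_getTransactionReceipt JSON-RPC response body.
# Prints exactly one of: success | reverted | not-found | error
# Returns 0 only for success; a null result (unknown tx) and status 0x0
# (reverted) are both failures, but they stay distinguishable.
receipt_status() {
  body="$1"
  case "$body" in
    *'"error"'*)                          echo error;     return 1 ;;
    *'"result":null'*|*'"result": null'*) echo not-found; return 1 ;;
  esac
  status=$(printf '%s' "$body" | sed -n 's/.*"status": *"\(0x[0-9a-fA-F]*\)".*/\1/p')
  case "$status" in
    0x1) echo success;  return 0 ;;
    0x0) echo reverted; return 1 ;;
    *)   echo error;    return 1 ;;
  esac
}

# Publish gate: success publishes; a reverted trade never publishes; "cannot
# verify" publishes only with the explicit override (assumed flag name
# --allow-unverified, second argument = 1), and then loudly, never as a
# default warning.
publish_gate() {
  status="$1"
  allow_unverified="${2:-0}"
  case "$status" in
    success)  return 0 ;;
    reverted) echo "refusing to publish: trade reverted onchain (status 0x0)" >&2; return 1 ;;
    not-found|error)
      if [ "$allow_unverified" = 1 ]; then
        echo "warning: publishing UNVERIFIED signal (--allow-unverified set)" >&2
        return 0
      fi
      echo "refusing to publish: could not verify transaction" >&2
      return 1 ;;
    *) return 1 ;;
  esac
}

# Live check (needs network and curl): query the chain the trade was actually
# submitted to, then apply the gate. Usage: verify_and_gate CHAIN TX_HASH [1]
verify_and_gate() {
  chain="$1"; tx_hash="$2"; allow_unverified="${3:-0}"
  valid_evm_tx_hash "$tx_hash" || { echo "malformed tx hash: $tx_hash" >&2; return 1; }
  url=$(rpc_url_for_chain "$chain") || return 1
  body=$(curl -sS -X POST "$url" -H 'content-type: application/json' \
    --data "{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"eth_getTransactionReceipt\",\"params\":[\"$tx_hash\"]}") || return 1
  status=$(receipt_status "$body") || true
  publish_gate "$status" "$allow_unverified"
}

# Constructed sample responses (made up for this example, not captured from any RPC).
SAMPLE_SUCCESS='{"jsonrpc":"2.0","id":1,"result":{"status":"0x1","blockNumber":"0x1a2b3c"}}'
SAMPLE_REVERTED='{"jsonrpc":"2.0","id":1,"result":{"status":"0x0","blockNumber":"0x1a2b3c"}}'
SAMPLE_MISSING='{"jsonrpc":"2.0","id":1,"result":null}'

for sample in "$SAMPLE_SUCCESS" "$SAMPLE_REVERTED" "$SAMPLE_MISSING"; do
  receipt_status "$sample" || true
done
```

Querying a Base endpoint for an Ethereum hash reproduces the SAMPLE_MISSING case above, which is why the original warning-and-publish path lets a reverted Ethereum trade through: the reverting receipt is never seen. With the chain selected from $CHAIN, the same trade yields SAMPLE_REVERTED and is refused regardless of the override.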

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.


From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.