AntFleet

Disagreement · b6cf244f-openai-0

Auto-copy risk limits are not enforced; daily loss calculation uses a non-existent field and no cutoff check

mismatch
repo a16d2030 · PR #5 · reviewed 1 week ago

Primary finding

Auto-copy risk limits are not enforced; daily loss calculation uses a non-existent field and no cutoff check

high · api-contract · high
  • bankr-signals/scripts/auto-copy.sh:99-107
  • bankr-signals/scripts/auto-copy.sh:125-136
  • bankr-signals/SKILL.md:182-187
The script prints daily spend vs. limit but never blocks execution when the limit is exceeded. Moreover, it sums a field, usd_amount, that is never written to the log, so DAILY_SPENT is always 0. This violates the advertised "mandatory risk limits" and allows unbounded copying beyond the configured caps.

Recommendation

- Compute the USD amount for each copy (e.g., fetch the price from a reliable source or read it from the Bankr result) and write it to the log as usd_amount.
- Before executing, compute the prospective total (DAILY_SPENT + new_usd_amount) and abort if it exceeds daily_loss_limit.
- If USD cannot be derived, enforce a hard stop on the number of copy trades or on the amount_pct sum as a fallback.
- Add an explicit guard: if DAILY_SPENT >= CONFIGURED_LOSS then exit with an error.

Counterpart finding

auto-copy.sh grep on copy-log.jsonl is unanchored, can cross-match dates and inflate/deflate spend

low · bug · high
  • bankr-signals/scripts/auto-copy.sh:96-99
Filtering by `grep "$TODAY"` matches the date anywhere in the JSON line. If timestamp or original_tx happens to contain today's date string, lines from other days match (and, conversely, today's lines can be missed). The filter should select on the structured date field via jq.

Recommendation

`jq -s --arg today "$TODAY" '[.[] | select(.date == $today) | .usd_amount // 0] | add // 0' "$COPY_LOG"`
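The check both findings ask for, as an added Python example rather than the bankr-signals script itself: the log is filtered on the structured date field instead of a substring match, missing usd_amount values count as zero, and the copy is refused when the prospective total would cross the limit. The field names are taken from the findings above; the sample log lines, limit values and the max_copies fallback are constructed for the example.

```python
import json

# Constructed copy-log.jsonl content (not from the repository). The second record
# was logged on 2024-06-01 but its original_tx embeds today's date string, which
# is exactly what an unanchored grep "$TODAY" would pick up.
TODAY = "2024-06-02"
COPY_LOG_LINES = [
    '{"date": "2024-06-02", "original_tx": "0xaaa", "amount_pct": 5, "usd_amount": 120.0}',
    '{"date": "2024-06-01", "original_tx": "0xbbb-2024-06-02-rebroadcast", "amount_pct": 5, "usd_amount": 300.0}',
    '{"date": "2024-06-02", "original_tx": "0xccc", "amount_pct": 2, "usd_amount": 80.0}',
    '{"date": "2024-06-02", "original_tx": "0xddd", "amount_pct": 1}',  # usd_amount never written
]


def daily_spent_substring(lines, today):
    """Mimics `grep "$TODAY" | jq`: any line containing the date string counts."""
    return sum(float(json.loads(line).get("usd_amount") or 0.0)
               for line in lines if today in line)


def daily_spent(lines, today):
    """Sum usd_amount over records whose structured date field equals today."""
    total = 0.0
    for line in lines:
        rec = json.loads(line)
        if rec.get("date") == today:
            total += float(rec.get("usd_amount") or 0.0)
    return total


def copies_today(lines, today):
    """Fallback metric when USD cannot be derived: number of copies logged today."""
    return sum(1 for line in lines if json.loads(line).get("date") == today)


def check_copy_allowed(lines, today, new_usd_amount, daily_loss_limit, max_copies):
    """Return (allowed, reason). Hard stop once the limit is reached; otherwise refuse
    any copy whose prospective total would exceed it. If the USD value of the new
    copy is unknown (None), fall back to a hard cap on the number of copies."""
    spent = daily_spent(lines, today)
    if spent >= daily_loss_limit:
        return False, f"daily limit reached: spent {spent:.2f} >= {daily_loss_limit:.2f}"
    if new_usd_amount is None:
        n = copies_today(lines, today)
        if n >= max_copies:
            return False, f"usd_amount unknown and copy count {n} >= cap {max_copies}"
        return True, f"usd_amount unknown; copy {n + 1} of {max_copies} allowed by count cap"
    prospective = spent + new_usd_amount
    if prospective > daily_loss_limit:
        return False, f"prospective total {prospective:.2f} exceeds limit {daily_loss_limit:.2f}"
    return True, f"ok: {prospective:.2f} of {daily_loss_limit:.2f} used"
```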

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

