AntFleet · publish-signal.sh ignores --chain for verification and only uses Base RPC; Solana/Ethereum/Polygon claims are misleading

GPT-5 finding

publish-signal.sh ignores --chain for verification and only uses Base RPC; Solana/Ethereum/Polygon claims are misleading

mediumapi-contracthigh

bankr-signals/scripts/publish-signal.sh:19-21
bankr-signals/scripts/publish-signal.sh:61-66
bankr-signals/references/signal-format.md:13-16

The script accepts --chain but always verifies via BASE_RPC_URL. Any non-Base TX will likely be “not found,” and the script will still publish with a warning. Additionally, verifying a Solana transaction with Ethereum JSON-RPC is impossible. This mismatch leads to false negatives and undermines the advertised multi-chain support.

Recommendation

- Select RPC by chain similarly to verify-trade.sh (base, ethereum, polygon). If Solana is supported, implement a Solana RPC path (getConfirmedTransaction) or remove Solana from supported options. - Fail closed (do not publish) when verification fails, or gate that behavior behind a --allow-unverified flag so default behavior is secure. - Ensure CHAIN validation rejects unsupported values.

publish-signal.sh ignores --chain for verification and only uses Base RPC; Solana/Ethereum/Polygon claims are misleading

publish-signal.sh ignores --chain for verification and only uses Base RPC; Solana/Ethereum/Polygon claims are misleading

Why this didn't post

From the same review