AntFleet

Disagreement · c9663187-anthropic-0

buy_shares position upsert double-counts shares on first insert

solo Opus
repo 193af03f·PR #2·reviewed 1 week ago

Opus finding

buy_shares position upsert double-counts shares on first insert

highbughigh
  • backend/wonderwall/simulations/polymarket/platform.py:189-198
The upsert binds trade.shares_received twice — once for the INSERT row and once for the DO UPDATE. On the first buy (no existing row), the INSERT happens once (shares stored = trade.shares_received). That part is fine. But the bound parameters look intentional only for the conflict path. More importantly, there is no `resolved` filter in `position` queries on payouts, and any tooling that re-reads/re-applies this pattern will double-spend. While the SQL semantics actually only add once per execution, the duplicated parameter is fragile: if a developer changes ordering or adds a clause, the second `?` will silently shift. Not an immediate data-loss bug at runtime as written, but it’s a maintainability/correctness trap worth flagging.

Recommendation

Use SQLite's `excluded.shares` (i.e. `DO UPDATE SET shares = shares + excluded.shares`) and bind shares_received only once. This eliminates the duplicated bind and the risk of mis-ordered parameters.

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

read the methodology →
← back to all disagreementsview public receiptssee unanimous findings + anatomies →
Tweet ↗