AntFleet

Disagreement · cf4e74ac-anthropic-2

submit_tx returns 'success' even when API response lacks status/hash; no validation of success flag

mismatch
repo a16d2030·PR #1·reviewed 1 week ago

Primary finding

submit_tx returns 'success' even when API response lacks status/hash; no validation of success flag

mediumbughigh
  • agenticbets/scripts/agenticbets.py:70-81
submit_tx only warns on status=='reverted' and returns the hash. For any other non-success status (e.g., 'pending', 'failed', 'unknown', or success:false), the script prints 'Done!' and exits 0. After an approve that returns status='pending' but isn't actually mined, the subsequent bet() can revert with 'transfer amount exceeds allowance' — but the user sees 'Done!' on the approve step. Additionally, the SKILL.md documents `success: true` as part of the response shape but the script never checks `result['success']`.

Recommendation

Check result.get('success') is True and status in {'success','confirmed'}; sys.exit nonzero (after the approve step in particular) if not — to prevent placing a bet whose approval failed.

Counterpart finding

Bankr HTTP client does not handle URLError/timeouts; process may crash with an unhandled exception

lowmaintainabilityhigh
  • agenticbets/scripts/agenticbets.py:62-68
Only HTTPError is caught. URLError (DNS failure, connection timeout) or socket.timeout will raise and bubble up, likely printing a traceback instead of a clean error. fetch_markets properly catches Exception; bankr_request should mirror that resilience.

Recommendation

Catch urllib.error.URLError and socket.timeout; print a clear error and exit non-zero. Optionally retry transient errors with backoff.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

read the methodology →

From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.

← back to all disagreementsview public receiptssee unanimous findings + anatomies →
Tweet ↗