Disagreement · cf4e74ac-anthropic-3

Float-based USDC conversion can truncate or inflate raw units

solo Opus

repo a16d2030·PR #1·reviewed 1 week ago

Opus finding

Float-based USDC conversion can truncate or inflate raw units

mediumbughigh

agenticbets/scripts/agenticbets.py:195

Multiplying a float by 1e6 then int() truncates and can be off by one due to IEEE-754. E.g., float('0.1')*1e6 = 100000.00000000001 → 100000 (fine), but float('1.1')*1e6 = 1100000.0000000001 → 1100000 (fine); however float('2.3')*1e6 = 2299999.9999999995 → 2299999, costing the user one micro-USDC and producing surprising on-chain amounts. For a financial CLI, Decimal should be used. Worse: there's no validation that amount > 0 or that the parsed float succeeded; negative or zero amounts would still encode and submit.

Recommendation

Use `decimal.Decimal(amount) * Decimal(10**USDC_DECIMALS)` and quantize; reject amount_raw < 1_000_000 (the documented minimum) before submitting any approve tx.

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.

read the methodology →

From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.

← back to all disagreements view public receipts see unanimous findings + anatomies →

Tweet ↗