AntFleet

Disagreement · cf4e74ac-openai-0

Negative amounts/epochs produce malformed ABI calldata due to hex(-n)[2:] usage (can lead to failing or unintended transactions)

mismatch
repo a16d2030 · PR #1 · reviewed 1 week ago

Primary finding

Negative amounts/epochs produce malformed ABI calldata due to hex(-n)[2:] usage (can lead to failing or unintended transactions)

critical · bug · high
  • agenticbets/scripts/agenticbets.py:226
  • agenticbets/scripts/agenticbets.py:133-134
  • agenticbets/scripts/agenticbets.py:141-143
  • agenticbets/scripts/agenticbets.py:151-154
  • agenticbets/scripts/agenticbets.py:161-163
Python’s hex() for negative integers returns strings like '-0x5'. Slicing with [2:] yields 'x5', which is not valid hex. The code passes user-provided amount/epoch values directly into hex()[2:], so negative inputs lead to malformed calldata for approve/bet/claim/claimable. This can cause wallet submit failures or unintended values if not rejected upstream. Amounts below 1 USDC should also be rejected preflight to avoid on-chain reverts and wasted gas.

Recommendation

- Validate inputs before encoding:
  - For bet: ensure amount is a positive number and at least 1 USDC; reject zero/negative/NaN with a clear error.
  - For claim: ensure epochs are positive integers (>= 0).
- Guard against negative values before calling hex(); raise on invalid input.
- Consider using a minimal ABI encoder or library to avoid manual mistakes.
- Add explicit checks and helpful error messages for BelowMinBet (>= 1 USDC).

Counterpart finding

cmd_list 'time_left' suppresses zero-second windows and rounds bullPct lossily

low · bug · medium
  • agenticbets/scripts/agenticbets.py:122-128
  • agenticbets/scripts/agenticbets.py:120-121
(1) `secondsToLock and >0` treats 0 as falsy — at exactly t=0 the display shows '-', conflating 'just locked' with 'not open'. The API doc says null means not-open, so the existence check should be `is not None`. (2) `bear = 100 - round(bullPct)` ignores the actual bearPct from the API and can show e.g. UP 50%/DOWN 50% when the real split is 49.4/50.6 due to rounding. For a strategy tool this is misleading; use the real values.

Recommendation

Use `m['secondsToLock'] is not None and m['secondsToLock'] >= 0`. Use real `bearPct` from the API instead of `100 - round(bullPct)`.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
