AntFleet

Disagreement · d121d4bf-anthropic-2

Approve step skipped when approveTo is empty but ERC20 actually requires allowance

solo Opus
repo a16d2030 · PR #4 · reviewed 1 week ago

Opus finding

Approve step skipped when approveTo is empty but ERC20 actually requires allowance

medium · bug · medium
  • symbiosis/scripts/symbiosis-swap.py:116-121
  • symbiosis/references/api-reference.md:38-41
The code relies entirely on the Symbiosis API echoing `approveTo`. The API docs in this PR say 'if present' — but Symbiosis's response always returns `approveTo` regardless of current on-chain allowance (it does not consult the user's allowance). If the API ever omits `approveTo` (or returns null) for an ERC-20 path, the swap will be submitted and revert on-chain (user pays gas). There is also no check of existing allowance to skip a redundant unlimited approval. While the current production behavior likely always includes approveTo, the script has no defensive fallback when src_token != ZERO_ADDR.

Recommendation

When src_token != ZERO_ADDR, either always send an approval (using exact amount), or query existing allowance and approve only if insufficient; do not rely on the API's approveTo presence alone.
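One way to implement the recommendation, as an added example that is not the PR's own symbiosis-swap.py code: the function names, the fake chain state and the token/owner/spender addresses are constructed for illustration; the ABI selectors are the standard ERC-20 allowance(address,address) and approve(address,uint256) ones, and the allowance read is injected so the logic runs offline.

```python
"""Decide whether an ERC-20 approve() must precede a swap (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Optional

ZERO_ADDR = "0x" + "00" * 20      # native coin: no allowance, no approve
ALLOWANCE_SELECTOR = "dd62ed3e"   # keccak256("allowance(address,address)")[:4]
APPROVE_SELECTOR = "095ea7b3"     # keccak256("approve(address,uint256)")[:4]

def _pad_address(addr: str) -> str:
    """ABI-encode an address as a left-padded 32-byte word."""
    return addr[2:].lower().rjust(64, "0")

def encode_allowance_call(owner: str, spender: str) -> str:
    """Calldata for allowance(owner, spender); send it via eth_call to the token."""
    return "0x" + ALLOWANCE_SELECTOR + _pad_address(owner) + _pad_address(spender)

def encode_approve_call(spender: str, amount: int) -> str:
    """Calldata for approve(spender, amount) with the exact swap amount, not uint256 max."""
    return "0x" + APPROVE_SELECTOR + _pad_address(spender) + format(amount, "064x")

@dataclass
class ApprovalPlan:
    spender: str
    amount: int
    calldata: str

def plan_approval(src_token: str, owner: str, amount: int, api_approve_to: Optional[str],
                  read_allowance: Callable[[str, str], int]) -> Optional[ApprovalPlan]:
    """Return the approve() to send before the swap, or None if none is needed.

    read_allowance(token, calldata) performs the eth_call and returns the uint256
    (with web3.py: int.from_bytes(w3.eth.call({"to": token, "data": calldata}), "big")).
    """
    if src_token.lower() == ZERO_ADDR:
        return None                                   # native coin path
    spender = (api_approve_to or "").strip()          # API may omit, null or blank it
    if not spender:
        # Refuse rather than submit a swap that reverts on-chain and burns the user's gas.
        raise ValueError("ERC-20 source token but no approveTo in API response")
    if read_allowance(src_token, encode_allowance_call(owner, spender)) >= amount:
        return None                                   # existing allowance already covers it
    return ApprovalPlan(spender, amount, encode_approve_call(spender, amount))

# Constructed sample: token, owner and spender addresses plus a fake chain state.
TOKEN, OWNER, SPENDER = "0x" + "33" * 20, "0x" + "11" * 20, "0x" + "22" * 20
SAMPLE_ALLOWANCES = {(TOKEN, encode_allowance_call(OWNER, SPENDER)): 1000}

def fake_read_allowance(token: str, calldata: str) -> int:
    return SAMPLE_ALLOWANCES.get((token, calldata), 0)
```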

Other reviewer

The other reviewer flagged nothing in this file/line range.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.


From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.