AntFleet

Disagreement · d121d4bf-anthropic-3

Wallet address is fetched only from Base balances; misleading for cross-chain calls

mismatch
repo a16d2030 · PR #4 · reviewed 1 week ago

Primary finding

Wallet address is fetched only from Base balances; misleading for cross-chain calls

medium · bug · high
  • symbiosis/scripts/symbiosis-swap.py:67-72
The script always hits `/agent/balances?chains=base` just to discover `evmAddress`. This is fine for EVM-only routes (same EOA across chains) but: (1) the call is wasteful and fragile if Base is temporarily unavailable, (2) it uses the EVM address as both `from` and `to` for cross-ecosystem destinations like Solana/TON/Bitcoin documented in SKILL.md. For non-EVM destinations the `to` address must be a chain-native address, so this script will silently produce a swap that sends funds to an unrecoverable EVM address on a non-EVM chain, or the API will reject it. SKILL.md advertises Solana/Bitcoin/TON routes ('Bridge ETH from Base to Solana') but the script provides no way to set a non-EVM destination address.

Recommendation

Add an optional `--to`/positional destination-address argument; for non-EVM destination chains require it. Replace the Base-balances probe with a dedicated wallet-address endpoint if one exists, or at least make the chain query parameter configurable.
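The recommendation above, worked through as an added example (this is not the symbiosis project's own code): an argparse front end with an optional `--to` argument that becomes mandatory for non-EVM destination chains, a refusal of EVM-shaped addresses on those chains, and a configurable chain parameter for the balances probe. The `NON_EVM_CHAINS` set, the flag names and the function names are assumptions.

```python
# Added example, not the symbiosis project's own code. Chain names, the
# NON_EVM_CHAINS set and all function/flag names are assumptions.
import argparse
import sys

# Assumed: destination ecosystems whose addresses are not EVM addresses.
NON_EVM_CHAINS = {"solana", "ton", "bitcoin"}


class UsageError(ValueError):
    """Raised when the arguments cannot describe a safe swap."""


def build_parser() -> argparse.ArgumentParser:
    p = argparse.ArgumentParser(description="Cross-chain swap (added example)")
    p.add_argument("--from-chain", required=True, help="source chain, e.g. base")
    p.add_argument("--to-chain", required=True, help="destination chain")
    p.add_argument("--to", dest="to_address", default=None,
                   help="destination address; required for non-EVM chains")
    # Make the chain used for the wallet-address probe configurable instead of
    # hard-coding 'base'.
    p.add_argument("--address-chain", default="base",
                   help="chain whose balances endpoint supplies evmAddress")
    return p


def is_evm_chain(chain: str) -> bool:
    return chain.lower() not in NON_EVM_CHAINS


def looks_like_evm_address(addr: str) -> bool:
    # 0x plus 40 hex characters; deliberately loose, no checksum validation.
    return (len(addr) == 42 and addr.startswith("0x")
            and all(c in "0123456789abcdefABCDEF" for c in addr[2:]))


def resolve_destination(to_chain: str, to_address, evm_address: str) -> str:
    """Return the address funds should land on, or raise UsageError.

    EVM destinations default to the caller's own EOA (same key on every EVM
    chain). Non-EVM destinations must be given explicitly, and an EVM-shaped
    address is refused because it cannot be spent on that chain.
    """
    if is_evm_chain(to_chain):
        return to_address or evm_address
    if not to_address:
        raise UsageError(
            f"--to is required when the destination chain is {to_chain}: "
            "a chain-native address is needed, not the EVM wallet address")
    if looks_like_evm_address(to_address):
        raise UsageError(
            f"{to_address} is an EVM address but {to_chain} is not an EVM chain")
    return to_address


def balances_path(address_chain: str) -> str:
    """Query path for the wallet-address probe; chain parameter is configurable."""
    return f"/agent/balances?chains={address_chain}"


if __name__ == "__main__":
    args = build_parser().parse_args()
    # Constructed placeholder: in the real script evmAddress comes from the API.
    evm_address = "0x" + "ab" * 20
    try:
        dest = resolve_destination(args.to_chain, args.to_address, evm_address)
    except UsageError as exc:
        print(f"error: {exc}", file=sys.stderr)
        sys.exit(2)
    print(f"probe {balances_path(args.address_chain)}; sending to {dest}")
```

Running it as `--from-chain base --to-chain solana` without `--to` exits with status 2 and a one-line message instead of building a swap whose destination is an EVM address; the same arguments with `--to-chain arbitrum` fall back to the wallet's own EOA.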

Counterpart finding

Network/JSON errors and missing-key cases are not handled; script may crash with stack traces

low · maintainability · high
  • symbiosis/scripts/symbiosis-swap.py:41-43
  • symbiosis/scripts/symbiosis-swap.py:60
  • symbiosis/scripts/symbiosis-swap.py:68
  • symbiosis/scripts/symbiosis-quote.py:42-44
  • symbiosis/scripts/symbiosis-quote.py:77-80
HTTP/network failures, non-JSON responses, or missing fields (e.g., no apiKey in config, no evmAddress in balances) will raise unhandled exceptions and print Python tracebacks. This degrades UX and makes recovery harder.

Recommendation

Wrap HTTP and JSON parsing in try/except blocks (URLError, HTTPError, JSONDecodeError). Validate presence of required keys (apiKey, evmAddress) with helpful error messages. Return non-zero exit with clear text rather than tracebacks.
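The error-handling recommendation above, as an added example that is not the symbiosis project's own code: every HTTP, network and JSON failure is converted into one user-facing exception, required keys (`apiKey`, `evmAddress`) are validated with a message naming the missing field, and the entry point returns a non-zero exit code instead of a traceback. The API base URL, the `X-API-Key` header, the `opener` injection point (so the code runs offline) and the `SwapError` class are assumptions.

```python
# Added example, not the symbiosis project's own code. API paths, header name,
# the `opener` parameter and SwapError are assumptions.
import json
import sys
import urllib.error
import urllib.request


class SwapError(Exception):
    """A user-facing failure: its message is printed, never a traceback."""


def require_keys(data, keys, context: str) -> dict:
    """Check that every key is present and non-empty, naming the first miss."""
    if not isinstance(data, dict):
        raise SwapError(f"{context}: expected a JSON object, got {type(data).__name__}")
    for key in keys:
        if key not in data or data[key] in (None, ""):
            raise SwapError(f"{context}: missing required field '{key}'")
    return data


def fetch_json(url: str, api_key: str, opener=urllib.request.urlopen, timeout=15):
    """GET `url` and decode JSON, converting every failure into SwapError.

    `opener` defaults to urlopen; tests pass a fake returning a file-like
    object, so the function can run without network access.
    """
    req = urllib.request.Request(url, headers={"X-API-Key": api_key})
    try:
        with opener(req, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as exc:          # server answered with 4xx/5xx
        raise SwapError(f"{url}: HTTP {exc.code} {exc.reason}") from exc
    except urllib.error.URLError as exc:           # DNS, refused, TLS, timeout
        raise SwapError(f"{url}: network error: {exc.reason}") from exc
    try:
        return json.loads(body)
    except json.JSONDecodeError as exc:
        raise SwapError(f"{url}: response is not valid JSON ({exc.msg})") from exc


def load_api_key(config: dict) -> str:
    return require_keys(config, ["apiKey"], "config")["apiKey"]


def fetch_evm_address(base_url, api_key, chain="base", opener=urllib.request.urlopen):
    data = fetch_json(f"{base_url}/agent/balances?chains={chain}", api_key, opener)
    return require_keys(data, ["evmAddress"], "balances response")["evmAddress"]


def run(config: dict, opener=urllib.request.urlopen) -> int:
    """Entry point returning an exit code: 0 on success, 1 with a clear message."""
    try:
        api_key = load_api_key(config)
        # Placeholder base URL (assumption); the real endpoint comes from config.
        address = fetch_evm_address("https://api.example.invalid", api_key, opener=opener)
        print(f"wallet: {address}")
        return 0
    except SwapError as exc:
        print(f"error: {exc}", file=sys.stderr)
        return 1


if __name__ == "__main__":
    # Constructed config; with no network this exercises the URLError path.
    sys.exit(run({"apiKey": "constructed-key"}))
```

Keeping `opener` injectable is what makes the failure paths testable: a fake that raises `URLError`, returns HTML instead of JSON, or returns JSON without `evmAddress` each produces one readable line on stderr and exit status 1.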

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.


From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.