AntFleet

Disagreement · d121d4bf-anthropic-6

fee.priceUsd assumed to be a multiplier of human fee amount; semantics likely wrong

mismatch
repo a16d2030 · PR #4 · reviewed 1 week ago

Primary finding

fee.priceUsd assumed to be a multiplier of human fee amount; semantics likely wrong

medium · bug · medium
  • symbiosis/scripts/symbiosis-quote.py:74-76
  • symbiosis/scripts/symbiosis-swap.py:109-111
  • symbiosis/references/api-reference.md:56-60
The code multiplies `fee_human` (token units) by `priceUsd` to get USD. That works only if `priceUsd` is the per-token USD price. The example response shows fee in USDC with priceUsd=1.0, which is ambiguous (also matches 'fee already in USD'). Float parsing of arbitrarily large fixed-point amounts via `float()` can also lose precision for large fee amounts (e.g., gas fee in ETH/wei). If `priceUsd` is actually the total fee in USD (which is more common in DEX APIs), the script double-counts. Without a canonical source documented in the PR (only the example), this is ambiguous and `${fee_usd:.4f}` could be wildly off for non-stable fee tokens.

Recommendation

Confirm semantics with the Symbiosis API docs and either trust priceUsd as a precomputed USD figure or compute via fee_human × priceUsd consistently; add a unit test fixture; avoid `float()` on smallest-units strings.
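An added example of the two checks the recommendation asks for; it is not code from the PR or from the Symbiosis scripts. It converts a smallest-units string exactly with `Decimal` instead of `float()`, measures how many units `float()` would drop, and evaluates both possible readings of `priceUsd` side by side so a unit-test fixture can show which reading the API actually uses. The fee object shape (`amount`, `decimals`, `priceUsd`), the sample amounts and the function names are constructed assumptions, not the Symbiosis response schema.

```python
from decimal import Decimal, getcontext

# Enough precision for token amounts far beyond float's 53-bit mantissa.
getcontext().prec = 60

# Constructed sample fees in an ASSUMED shape: `amount` is an integer string in the
# token's smallest units, `decimals` the token precision, `priceUsd` the field whose
# semantics the finding questions. This is not the Symbiosis API's documented schema.
ETH_FEE = {"symbol": "ETH", "amount": "1234567890123456789", "decimals": 18, "priceUsd": "3000"}
USDC_FEE = {"symbol": "USDC", "amount": "1000000", "decimals": 6, "priceUsd": "1.0"}


def to_human(amount_smallest: str, decimals: int) -> Decimal:
    """Exact smallest-units -> token-units conversion (never float() on the string)."""
    return Decimal(int(amount_smallest)) / (Decimal(10) ** decimals)


def float_units_lost(amount_smallest: str) -> int:
    """Smallest units silently dropped if the same string is parsed with float()."""
    return abs(int(float(amount_smallest)) - int(amount_smallest))


def fee_usd(fee: dict, price_is_per_token: bool) -> Decimal:
    """USD fee under one reading of priceUsd.

    price_is_per_token=True : priceUsd is a per-token USD price -> fee_human * priceUsd
    price_is_per_token=False: priceUsd is already the total fee in USD -> use it as-is
    """
    price = Decimal(str(fee["priceUsd"]))
    if price_is_per_token:
        return to_human(fee["amount"], fee["decimals"]) * price
    return price


def readings_agree(fee: dict) -> bool:
    """True when both readings give the same USD figure, i.e. the sample cannot tell
    them apart (the USDC example in the PR). A fixture where this is False is the one
    a unit test needs in order to pin the semantics down."""
    return fee_usd(fee, True) == fee_usd(fee, False)


def format_fee(fee: dict, price_is_per_token: bool) -> str:
    """Four-decimal display string rounded in Decimal, not an f-format on a float."""
    return f'{fee_usd(fee, price_is_per_token).quantize(Decimal("0.0001"))} USD'


if __name__ == "__main__":
    print("float() drops", float_units_lost(ETH_FEE["amount"]), "wei on the ETH sample")
    for fee in (ETH_FEE, USDC_FEE):
        print(fee["symbol"], "per-token:", format_fee(fee, True),
              "| total-fee:", format_fee(fee, False),
              "| readings agree:", readings_agree(fee))
```

The USDC sample agrees under both readings, which is exactly why the PR's example response cannot settle the question; the ETH sample differs by a factor of the token amount, so it is the fixture a unit test should carry once the API docs confirm the semantics.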

Counterpart finding

Network/JSON errors and missing-key cases are not handled; script may crash with stack traces

low · maintainability · high
  • symbiosis/scripts/symbiosis-swap.py:41-43
  • symbiosis/scripts/symbiosis-swap.py:60
  • symbiosis/scripts/symbiosis-swap.py:68
  • symbiosis/scripts/symbiosis-quote.py:42-44
  • symbiosis/scripts/symbiosis-quote.py:77-80
HTTP/network failures, non-JSON responses, or missing fields (e.g., no apiKey in config, no evmAddress in balances) will raise unhandled exceptions and print Python tracebacks. This degrades UX and makes recovery harder.

Recommendation

Wrap HTTP and JSON parsing in try/except blocks (URLError, HTTPError, JSONDecodeError). Validate presence of required keys (apiKey, evmAddress) with helpful error messages. Return non-zero exit with clear text rather than tracebacks.
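An added example of the error handling the recommendation describes, written for a standard-library `urllib` script as the exception names in the finding suggest; it is not code from the PR. Every failure class named in the finding (HTTP status, network, non-JSON body, missing config key) is mapped to one exception type that the entry point turns into a one-line message and a non-zero exit. The `ScriptError` class, the injectable `opener` parameter, the fake response used for the offline demo and the URL are assumptions for illustration.

```python
import json
import sys
import urllib.error
import urllib.request
from json import JSONDecodeError

# Hypothetical endpoint, used only so the demo errors carry a realistic URL.
DEMO_URL = "https://example.invalid/v1/quote"


class ScriptError(Exception):
    """Any failure the script should report as one line on stderr, not a traceback."""


def require_keys(obj: dict, keys, what: str) -> dict:
    """Fail with a message naming the missing field(s) instead of a KeyError later."""
    missing = [k for k in keys if k not in obj]
    if missing:
        raise ScriptError(f"{what} is missing required field(s): {', '.join(missing)}")
    return obj


def fetch_json(url: str, opener=urllib.request.urlopen, timeout: float = 15.0) -> dict:
    """GET `url` and return the decoded JSON object, converting HTTP, network,
    non-JSON and wrong-shape failures into ScriptError."""
    try:
        with opener(url, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as e:      # subclass of URLError, so catch it first
        raise ScriptError(f"HTTP {e.code} from {url}") from e
    except urllib.error.URLError as e:
        raise ScriptError(f"network error for {url}: {e.reason}") from e
    try:
        data = json.loads(body)
    except JSONDecodeError as e:
        raise ScriptError(f"non-JSON response from {url}: {e.msg}") from e
    if not isinstance(data, dict):
        raise ScriptError(f"unexpected JSON shape from {url}: {type(data).__name__}")
    return data


def run(main_fn) -> int:
    """Exit-code wrapper: 0 on success, 1 with a clear message on ScriptError."""
    try:
        main_fn()
        return 0
    except ScriptError as e:
        print(f"error: {e}", file=sys.stderr)
        return 1


# --- constructed stand-ins for urlopen so the behaviour can be exercised offline ---
class _FakeResponse:
    def __init__(self, body: bytes):
        self._body = body

    def read(self) -> bytes:
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_opener(body: bytes = b"{}", error=None):
    """Return a urlopen-like callable that yields `body` or raises `error`."""
    def _open(url, timeout=None):
        if error is not None:
            raise error
        return _FakeResponse(body)
    return _open


# Constructed failure objects matching what urlopen raises in practice.
HTTP_503 = urllib.error.HTTPError(DEMO_URL, 503, "Service Unavailable", {}, None)
DNS_FAILURE = urllib.error.URLError("name resolution failed")


def error_message(fn):
    """Run fn(); return the ScriptError message it raises, or None if it succeeds."""
    try:
        fn()
        return None
    except ScriptError as e:
        return str(e)


if __name__ == "__main__":
    # Missing apiKey now ends in "error: config is missing required field(s): apiKey", exit 1.
    sys.exit(run(lambda: require_keys({"evmAddress": "0xabc"}, ["apiKey", "evmAddress"], "config")))
```

Checking `HTTPError` before `URLError` matters: it is a subclass, so the reverse order would report a 4xx/5xx as a generic network error and lose the status code.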

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.


From the same review

These findings passed the unanimous gate on the same PR review. The disagreement above was filtered out; the findings below were posted.