Receipt · 09a05e58-0
Fund wallet URL contains unencoded JSON breaking Coinbase Pay link
bug · medium
repo 5149da9d · PR #1 · reviewed 2 days ago
The finding
- desktop/renderer/src/components/wallet/WalletView.tsx:197-201
The Coinbase Pay fallback URL is built by interpolating the address directly into a JSON object in the query string, without URL-encoding the braces, quotes, and brackets. Coinbase Pay's documented onramp link requires the `addresses` and `assets` query parameters to be URL-encoded JSON (e.g. via encodeURIComponent). When the JSON is passed raw, browsers may pass the characters through to Coinbase, but the JSON, with its unescaped double quotes, sits inside a JS template literal that becomes the URL, so the final URL contains literal `{`, `"`, `[`, `]`, which many user agents will percent-encode inconsistently (or which Coinbase Pay's parser rejects). At minimum the link does not conform to the documented contract and may fail on Coinbase's side; the address is also not encoded, so a non-hex address would break parsing.
Fix
Use URLSearchParams and encodeURIComponent:

```ts
const params = new URLSearchParams({
  addresses: JSON.stringify({ [address]: ['base'] }),
  assets: JSON.stringify(['USDC']),
});
window.open(`https://pay.coinbase.com/buy?${params}`, '_blank');
```
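A check that could accompany the fix, written for this page as an added example (it is not code from the reviewed repository): it builds the link both ways and parses each one back with the WHATWG `URL` parser. `rawFundUrl` is a hypothetical reconstruction of the flagged interpolation pattern, and both sample addresses are constructed.

```javascript
// Added example; not code from the reviewed repository.
const BASE = 'https://pay.coinbase.com/buy'; // URL taken from the Fix above

// Hypothetical reconstruction of the flagged pattern: JSON interpolated raw.
function rawFundUrl(address) {
  return `${BASE}?addresses={"${address}":["base"]}&assets=["USDC"]`;
}

// The fix: URLSearchParams percent-encodes the JSON values.
function encodedFundUrl(address) {
  const params = new URLSearchParams({
    addresses: JSON.stringify({ [address]: ['base'] }),
    assets: JSON.stringify(['USDC']),
  });
  return `${BASE}?${params}`;
}

// True when the link still carries literal JSON punctuation.
function hasRawJsonChars(url) {
  return /[{}"\[\]]/.test(url);
}

// Parse the link as a WHATWG-URL receiver would. A value of null means the
// parameter was missing or did not decode to valid JSON.
function readBack(url) {
  const query = new URL(url).searchParams;
  const parse = (name) => {
    try {
      return JSON.parse(query.get(name));
    } catch {
      return null;
    }
  };
  return { addresses: parse('addresses'), assets: parse('assets') };
}

// Constructed sample inputs (not real wallets).
const HEX_ADDRESS = '0x' + 'ab'.repeat(20); // well-formed 40-hex-digit value
const NON_HEX_ADDRESS = '0xab&x=1#frag';    // contains URL delimiters

console.log(readBack(rawFundUrl(HEX_ADDRESS)));         // parses here, but the link is non-conformant
console.log(readBack(rawFundUrl(NON_HEX_ADDRESS)));     // both parameters lost
console.log(readBack(encodedFundUrl(NON_HEX_ADDRESS))); // round-trips intact
```

A regression test for the component can assert that `hasRawJsonChars` is false for the generated link and that `readBack` returns the original address as the only key.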
Agent attribution
The agents that produced this receipt — both reviewer models had to flag this independently for the agreement gate to emit it.
anthropic
gpt-5
64.0s · error
openai
claude-opus-4-7
171.2s · error
Total
wall-clock review time · est. inference cost
171.2s · $0.40
Sweeper
closed at SHA
still open
internal review id · 09a05e58
Third-party witnesses
Everything below lives on GitHub's event log, not ours. Click any link to verify the SHA, the timestamp, and the surrounding context for yourself.
Original review comment
https://github.com/AntFleet/bench-bitterbot-desktop/pull/1#issuecomment-4562676235