AntFleet

Receipt · 57e5c9ae-1

AgentFloatHook._beforeSwap uses regular approve (not forceApprove) on USDT-style tokens

bug · medium · no evidence · closed in 3c10efc · closed in 6 hours
repo bf0d040b · PR #3 · reviewed 1 month ago · 1 month ago

The finding

  • contracts/src/AgentFloatHook.sol:144-158
On mainnet the underlying token is USDT. The README and the other code paths consistently use `forceApprove` (zero-then-set) because USDT rejects an `approve` that changes a non-zero allowance to another non-zero value. The transient-storage branch of `_beforeSwap` instead calls plain `usdc.approve(address(poolManager), recallAmount)`, without SafeERC20's `forceApprove`, so the second and any later consecutive JIT recall will revert whenever the prior allowance to `poolManager` is still non-zero. The fallback branch correctly uses `forceApprove`, which makes the inconsistency a real bug rather than intent.

Fix

Use `usdc.forceApprove(address(poolManager), recallAmount)` in both branches.

Evidence · no evidence

PoC

not attached

Repro

not attached

Call path

not attached

Agent attribution

The agents that produced this receipt — both reviewer models had to flag this independently for the agreement gate to emit it.

anthropic

gpt-5

110.7s · error

openai

claude-opus-4-7

184.2s · error

Total

wall-clock review time · est. inference cost

184.2s · $0.40

Sweeper

closed at SHA 3c10efc

closed in 6 hours

internal review id · 57e5c9ae

Third-party witnesses

Everything below lives on GitHub's event log, not ours. Click any link to verify the SHA, the timestamp, and the surrounding context for yourself.