AntFleet

Receipt · 57e5c9ae-2

FloatVault.withdraw ignores strategy’s actualOut and attempts to transfer requested amount regardless of received funds

bug · high · no evidence · closed in 3c10efc · closed in 6 hours
repo bf0d040b · PR #3 · reviewed 1 month ago · 1 month ago

The finding

  • contracts/src/FloatVault.sol:91-118
If a strategy cannot return the full requested amount (e.g., a mock or real strategy under stress/rounding), IStrategy.withdraw will return a smaller actualOut. The vault ignores this value and still attempts to transfer ‘amount’ to the caller, which can revert due to insufficient balance or cause the vault to mis-account its funds.

Fix

Use the return value from IStrategy(activeStrategy).withdraw(amount) and transfer only actualOut to the caller. Consider reverting if actualOut < amount and the vault can’t make up the difference from its own balance. Update accounting consistently with the actualOut value.

Evidence

no evidence

PoC

not attached

Repro

not attached

Call path

not attached

Agent attribution

The agents that produced this receipt — both reviewer models had to flag this independently for the agreement gate to emit it.

anthropic

gpt-5

110.7s · error

openai

claude-opus-4-7

184.2s · error

Total

wall-clock review time · est. inference cost

184.2s · $0.40

Sweeper

closed at SHA 3c10efc

closed in 6 hours

internal review id · 57e5c9ae

Third-party witnesses

Everything below lives on GitHub's event log, not ours. Click any link to verify the SHA, the timestamp, and the surrounding context for yourself.