AntFleet

Receipt · b6cf244f-0

verify-trade.sh prints “verified” without checking provider/sender match — README claim is misleading

docs-gap · medium

repo a16d2030 · PR #5 · reviewed 1 week ago

The finding

  • bankr-signals/scripts/verify-trade.sh:40-75
  • bankr-signals/SKILL.md:78-90
The README claims that verify-trade.sh checks sender ↔ provider, token/direction, and timestamp. The script only checks that the TX exists and that `status == 0x1`; it never receives, let alone validates, the provider address, token symbol, direction, or signal timestamp. auto-copy.sh therefore blindly trusts a provider-supplied TX hash that the provider didn't actually send — anyone could publish someone else's TX as their own 'signal'. The documentation actively misrepresents the security model.

Fix

Either implement the documented checks (accept --provider/--token/--action arguments and compare against the receipt's `from` and decoded input) or rewrite the README to describe the actual (weaker) verification. Until then this is a falsehood that undermines the entire 'you can't fake your track record' claim.

Agent attribution

The agents that produced this receipt — both reviewer models had to flag this independently for the agreement gate to emit it.

anthropic

gpt-5

122.4s · error

openai

claude-opus-4-7

203.0s · error

Total

wall-clock review time · est. inference cost

203.0s · $0.40

Sweeper

closed at SHA

still open

internal review id · b6cf244f

Third-party witnesses

Everything below lives on GitHub's event log, not ours. Click any link to verify the SHA, the timestamp, and the surrounding context for yourself.