Receipt · d121d4bf-1
Unlimited token allowance (MAX_UINT256) to third-party router is a security risk
security · medium
repo a16d2030 · PR #4 · reviewed 1 week ago
The finding
- symbiosis/scripts/symbiosis-swap.py:18-19
- symbiosis/scripts/symbiosis-swap.py:147-149
Granting unlimited allowance to a router/contract exposes the user to potential loss if that contract is compromised or its permissions change. Best practice is to approve only the exact needed amount and re-approve when necessary.
Fix
Approve only the exact amount required for the swap (amount_wei). Optionally revoke or reset the allowance to 0 after swap completion. Consider warning the user before granting unlimited approvals.
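The fix above in working form, as an added example that is not code from the reviewed repository or from the Symbiosis project: it ABI-encodes the ERC-20 `approve(address,uint256)` call so the difference between an unlimited allowance and an exact `amount_wei` allowance is visible in the transaction bytes, checks a planned approval against that policy, and shows the hardened sequence of an exact approve before the swap and a reset to 0 after it. The selector `0x095ea7b3` is the standard ERC-20 one; the router address and the amounts in the test are constructed sample values.

```python
"""Exact-amount ERC-20 approvals versus an unlimited (MAX_UINT256) allowance.

Added example, not the reviewed script's code. Pure Python: it builds the raw
calldata that a web3 `approve()` call would send, so the check runs offline.
"""

MAX_UINT256 = 2**256 - 1
# First 4 bytes of keccak256("approve(address,uint256)"), the ERC-20 selector.
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")


def encode_approve(spender: str, amount: int) -> bytes:
    """ABI-encode approve(spender, amount): selector, left-padded address, uint256."""
    if not 0 <= amount <= MAX_UINT256:
        raise ValueError("amount out of uint256 range")
    addr = bytes.fromhex(spender.removeprefix("0x"))
    if len(addr) != 20:
        raise ValueError("spender must be a 20-byte address")
    return APPROVE_SELECTOR + addr.rjust(32, b"\x00") + amount.to_bytes(32, "big")


def decode_approve(calldata: bytes) -> tuple[str, int]:
    """Inverse of encode_approve; rejects anything that is not a 68-byte approve() call."""
    if len(calldata) != 68 or calldata[:4] != APPROVE_SELECTOR:
        raise ValueError("not an approve() call")
    spender = "0x" + calldata[16:36].hex()
    amount = int.from_bytes(calldata[36:68], "big")
    return spender, amount


def allowance_policy(calldata: bytes, amount_wei: int) -> list[str]:
    """Policy gate to run before sending an approve(): the allowance must not be
    unlimited and must not exceed what the upcoming swap actually moves."""
    _, amount = decode_approve(calldata)
    issues = []
    if amount == MAX_UINT256:
        issues.append("unlimited allowance (MAX_UINT256)")
    elif amount > amount_wei:
        issues.append(f"allowance {amount} exceeds swap amount {amount_wei}")
    return issues


def plan_swap_approvals(router: str, amount_wei: int) -> list[bytes]:
    """Hardened flow from the finding: approve exactly amount_wei before the swap,
    then reset the allowance to 0 once the swap has completed."""
    before_swap = encode_approve(router, amount_wei)
    after_swap = encode_approve(router, 0)
    return [before_swap, after_swap]


if __name__ == "__main__":
    router = "0x" + "ab" * 20          # constructed sample router address
    amount_wei = 10**18                # constructed sample swap amount (1 token, 18 decimals)
    risky = encode_approve(router, MAX_UINT256)
    print("unlimited approve:", allowance_policy(risky, amount_wei))
    for step, call in enumerate(plan_swap_approvals(router, amount_wei), 1):
        print(f"step {step}: spender={decode_approve(call)[0]} amount={decode_approve(call)[1]}")
```

In a web3.py script the same two calls would be `token.functions.approve(router, amount_wei)` before the swap and `token.functions.approve(router, 0)` after it; running `allowance_policy` on the encoded call data (or on the `amount` argument directly) before signing is the cheapest place to catch a `MAX_UINT256` slipping back in.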
Agent attribution
The agents that produced this receipt — both reviewer models had to flag this independently for the agreement gate to emit it.
anthropic
gpt-5
105.2s · error
openai
claude-opus-4-7
209.0s · error
Total
wall-clock review time · est. inference cost
209.0s · $0.40
Sweeper
closed at SHA
still open
internal review id · d121d4bf
Third-party witnesses
Everything below lives on GitHub's event log, not ours. Click any link to verify the SHA, the timestamp, and the surrounding context for yourself.
Original review comment
https://github.com/AntFleet/bankrskills-bench/pull/4#issuecomment-4518236545