Audit date: 2026-04-13
Scope: All source files in src/ (excluding src/demo/)
Hardcoded addresses:
- USDC address `0xA0b86991...` appeared in 4 files (strategy-engine, exit-executor, lp-manager, post-auction/index). Replaced with a chain-aware `USDC_ADDRESSES[chainId]` lookup from config.
- Zero address `0x000...` appeared in 4 files (config, discovery/index, bidding/index, post-auction/index). Replaced with the `ADDRESS_ZERO` constant.
- Comparable engine token addresses remain as a configurable default list with a `knownTokens` parameter override.

Hardcoded chain IDs:
- Raw `1` for Ethereum mainnet in cca-client.ts (2 occurrences), discovery/index.ts, bidding/index.ts.
- Added `CHAIN_IDS` constant: `{ ETHEREUM: 1, ARBITRUM: 42161, XLAYER: 196, BASE: 8453 }`.

Hardcoded API endpoints:
- All OKX API endpoint paths in okx-client.ts moved to the `OKX_ENDPOINTS` constant in config.ts.

Magic numbers:
- Scoring weights (discovery/index.ts): extracted to `SCORING_WEIGHTS`.
- Fair value weights (fair-value.ts): 30+ magic numbers extracted to `FAIR_VALUE_WEIGHTS`, `TRAJECTORY_MULTIPLIERS`, `SIGNAL_MULTIPLIERS`, `SECURITY_RANGE`, `CONFIDENCE_WEIGHTS`, `BID_STRATEGIES`.
- Rate limiting (okx-client.ts): `334ms` → `OKX_RATE_LIMIT_MS`.
- Cache TTLs (okx-client.ts): `30_000`/`300_000` → `CACHE_TTL.MARKET`/`CACHE_TTL.SECURITY`.
- Block time (discovery/index.ts): `12` → `AVG_BLOCK_TIME[chainId]` (chain-aware).
- Signal lookback (signal-analyzer.ts): 7-day window → `SIGNAL_LOOKBACK_MS`.
- Max signals (signal-analyzer.ts): `20` → `MAX_SIGNALS`.
- Trajectory threshold (cca-state-reader.ts): `100` → `TRAJECTORY_BLOCKS_THRESHOLD`.
- Lookback blocks (auction-scanner.ts): `50_000n` → `AUCTION_LOOKBACK_BLOCKS`.
- Caution score (security-filter.ts): `30` → `DEFAULT_CAUTION_SCORE`.
- Hold threshold (strategy-engine.ts): `90n` → `HOLD_THRESHOLD_PCT`.
- Max comparables (comparable-engine.ts): `5` → `MAX_COMPARABLES`.
Bug fixes:
- medianMarketCap (fair-value.ts): was computing the median of the bottom 3 by market cap instead of the true median. Fixed to sort descending and compute the correct median over the full array.
- blocksRemaining (discovery/index.ts): was using `totalBlocks` (full duration) instead of blocks remaining. Renamed to `estimatedBlocksRemaining` with clear documentation.
All simulation-mode stubs now log "Simulation mode: ..." messages:
- bid-submitter.ts: "Simulation mode: bid recorded without on-chain submission"
- claim-manager.ts: "Simulation mode: claim recorded without on-chain execution"
- swap-executor.ts: "Simulation mode: swap recorded without on-chain execution"
- x402-server.ts: "Simulation mode: payment validation bypassed"
Config additions:
- `USDC_ADDRESSES` per-chain lookup (Ethereum, Arbitrum, Base).
- `AVG_BLOCK_TIME` per-chain (Ethereum 12s, Arbitrum 0.25s).
- `OKX_DEFAULT_BASE_URL` constant.
- Comparable engine accepts an optional custom token list parameter.
- All new constants exported from `src/config.ts` for user override.
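As an added example (not the project's code), the chain-aware lookup pattern the audit introduces: the constants use the audit's names, the accessor fails closed so an unconfigured chain such as X Layer raises instead of silently reusing another chain's USDC address, and the blocks-remaining estimate is computed from the current block rather than the full duration. The accessor and estimate functions, and the lowercased USDC address values, are assumptions of this example; cross-check them against `src/config.ts`.

```typescript
// Added example (not the project's code): chain-aware config with fail-closed lookups.
// CHAIN_IDS, USDC_ADDRESSES and AVG_BLOCK_TIME follow the audit's constant names;
// the accessor functions are assumptions made for this example.
const CHAIN_IDS = { ETHEREUM: 1, ARBITRUM: 42161, XLAYER: 196, BASE: 8453 } as const;
type ChainId = (typeof CHAIN_IDS)[keyof typeof CHAIN_IDS];

// USDC deployments per chain (lowercased; cross-check against src/config.ts).
// X Layer is intentionally absent: a missing entry must fail, never fall back
// to the mainnet address that used to be hardcoded in 4 files.
const USDC_ADDRESSES: Partial<Record<ChainId, string>> = {
  [CHAIN_IDS.ETHEREUM]: "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48",
  [CHAIN_IDS.ARBITRUM]: "0xaf88d065e77c8cc2239327c5edb3a432268e5831",
  [CHAIN_IDS.BASE]: "0x833589fcd6edb6e08f4c7c32d4f71b54bda02913",
};

// Average block time in seconds. A hardcoded 12 overstates Arbitrum timing 48x.
const AVG_BLOCK_TIME: Partial<Record<ChainId, number>> = {
  [CHAIN_IDS.ETHEREUM]: 12,
  [CHAIN_IDS.ARBITRUM]: 0.25,
};

function getUsdcAddress(chainId: number): string {
  const addr = USDC_ADDRESSES[chainId as ChainId];
  if (addr === undefined) throw new Error(`USDC not configured for chainId ${chainId}`);
  return addr;
}

function getAvgBlockTime(chainId: number): number {
  const secs = AVG_BLOCK_TIME[chainId as ChainId];
  if (secs === undefined) throw new Error(`Block time not configured for chainId ${chainId}`);
  return secs;
}

// Corrected estimate: blocks left from the current block, not the auction's full duration.
function estimatedBlocksRemaining(currentBlock: number, endBlock: number): number {
  return Math.max(0, endBlock - currentBlock);
}

function estimatedSecondsRemaining(chainId: number, currentBlock: number, endBlock: number): number {
  return estimatedBlocksRemaining(currentBlock, endBlock) * getAvgBlockTime(chainId);
}

// Stand-alone demonstration with constructed block numbers.
for (const id of [CHAIN_IDS.ETHEREUM, CHAIN_IDS.ARBITRUM]) {
  console.log(id, getUsdcAddress(id), `${estimatedSecondsRemaining(id, 100, 400)}s left`);
}
try {
  getUsdcAddress(CHAIN_IDS.XLAYER);
} catch (err) {
  console.log("fail-closed:", (err as Error).message);
}
```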
These are intentional for hackathon scope and documented with TODO comments:
- Bid submission — Simulated, not broadcast on-chain. Production: use wallet client + tx confirmation.
- Token claiming — Simulated. Production: check claimBlock, call claim(), parse TokensClaimed event.
- Swap execution — Simulated. Production: build Universal Router calldata or use OKX DEX aggregator.
- LP provision — Returns deep link only. Production: execute via Uniswap V4 position manager.
- x402 payment validation — Stub. Production: verify payment on X Layer.
- Pool security validation — Address format check only. Production: use v4-security-foundations skill.
- Comparable token data — Uses static reference list. Production: fetch live rankings from OKX API.
- Price trajectory — Simplified heuristic. Production: compare clearing prices across historical blocks.
Verification:
- `pnpm lint` — zero TypeScript errors
- `pnpm test` — 50/50 tests passing
- `pnpm build` — clean ESM + CJS + DTS output
- `pnpm demo` — demo mode runs with realistic mock data