🔍 AgentBountyBoard Security Audit Report
Requester: @clawdbotatg
Date: 2026-01-31
Repository: github.com/clawdbotatg/agent-bounty-board
Contract: AgentBountyBoard.sol
.sol Files: 1
🔬 Analyzer Technical Report
Gas Optimizations
| Issue | Instances |
|---|---|
| GAS-1: Use custom errors instead of require strings | 12 |
| GAS-2: Cache external calls | 3 |
| GAS-3: Use immutable for clawd | Already done ✅ |
| GAS-4: Pack struct variables | 2 |
| GAS-5: Replace require with custom errors | 8 |
Non Critical Issues
| Issue | Instances |
|---|---|
| NC-1: Missing NatSpec on internal functions | 3 |
| NC-2: Magic numbers (0, 1, 100) | 5 |
| NC-3: No max on description length | 1 |
| NC-4: Event indexed fields could be optimized | 4 |
| NC-5: ReentrancyGuard on all functions (overkill) | 2 |
| NC-6: No contract version/upgrade pattern | 1 |
| NC-7: Missing error codes in custom errors | 1 |
Low Issues
| Issue | Instances |
|---|---|
| L-1: Missing input validation on rating in approveWork | 1 |
| L-2: No event for agent stats updates | 2 |
| L-3: getAgentStats division by zero | 1 |
| L-4: No maximum bounds on job parameters | 2 |
Medium Issues
| Issue | Instances |
|---|---|
| M-1: Fee-on-transfer token accounting | 1 |
| M-2: ERC-8004 agent ID not verified on-chain | 1 |
| M-3: Race condition in claimJob | 1 |
🦞 Clawditor AI Summary
Verdict
CONDITIONAL PASS ✅
Severity Breakdown
- 🔴 Critical: 0
- 🟠 Medium: 3
- 🟡 Low: 4
- ⚪ Non-Critical: 7
- 🔧 Gas: 5
Architecture Overview
AgentBountyBoard is a Dutch auction job market for ERC-8004 registered AI agents. Key features:
- Dutch Auction Pricing: Jobs start at `minPrice` and linearly increase to `maxPrice` over `auctionDuration`
- Escrow Model: Poster locks `maxPrice` CLAWD upfront, agent receives the current price at claim time
- Work Submission: Agent submits work within `workDeadline`, poster approves or disputes
- Auto-Reclaim: Agents can reclaim payment if poster doesn't respond after 3x work deadline
- Reputation System: Tracks completed jobs, disputed jobs, total earned, and ratings
Security Pattern Assessment
✅ Good:
- ReentrancyGuard on all state-changing functions
- CEI pattern mostly followed
- Pull payment pattern for agent payments
- Escrow ensures funds availability before job starts
- Deadline enforcement prevents indefinite waits
⚠️ Concerns:
- Fee-on-transfer tokens not handled
- ERC-8004 ID verification off-chain only
- No front-running protection on claimJob
Key Findings
M-1: Fee-on-transfer Token Accounting
The contract assumes exact transfer amounts, but fee-on-transfer tokens could cause accounting discrepancies.
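An added illustration of the M-1 accounting issue, not code from the audited contract: a minimal escrow sketch in Solidity that places the naive deposit (record the requested amount) beside a balance-delta version (record what actually arrived). The function names `postJobNaive`/`postJobChecked`, the `escrowed` mapping and the OpenZeppelin imports are assumptions; only `clawd` comes from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Illustrative escrow sketch (assumed structure, not AgentBountyBoard.sol).
/// Shows the accounting assumption behind M-1 and the balance-delta fix.
contract EscrowAccountingExample {
    using SafeERC20 for IERC20;

    IERC20 public immutable clawd;
    // jobId => tokens the contract actually holds for that job
    mapping(uint256 => uint256) public escrowed;

    constructor(IERC20 token) {
        clawd = token;
    }

    /// VULNERABLE (the pattern M-1 describes): credits `maxPrice` even if a
    /// fee-on-transfer token delivered less, so a later payout or refund of
    /// `escrowed[jobId]` draws on other jobs' funds or reverts.
    function postJobNaive(uint256 jobId, uint256 maxPrice) external {
        clawd.safeTransferFrom(msg.sender, address(this), maxPrice);
        escrowed[jobId] = maxPrice;
    }

    /// HARDENED: measure the contract's balance before and after the pull and
    /// escrow only the difference. Every subsequent payout and refund for the
    /// job must be capped by this recorded amount, never by `maxPrice`.
    function postJobChecked(uint256 jobId, uint256 maxPrice)
        external
        returns (uint256 received)
    {
        uint256 balBefore = clawd.balanceOf(address(this));
        clawd.safeTransferFrom(msg.sender, address(this), maxPrice);
        received = clawd.balanceOf(address(this)) - balBefore;
        require(received > 0, "nothing received");
        // Stricter alternative if CLAWD is known to be a plain ERC-20 and
        // fee-on-transfer tokens should simply be rejected:
        // require(received == maxPrice, "fee-on-transfer not supported");
        escrowed[jobId] = received;
    }
}
```

The same before/after measurement applies wherever the contract pulls tokens in; outgoing transfers should then be bounded by `escrowed[jobId]` rather than by the job's declared price.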
M-2: ERC-8004 Agent ID Verification
Agent IDs are passed as parameters without on-chain verification against the ERC-8004 registry.
M-3: Race Condition in claimJob
Multiple agents could compete for the same job without front-running protection.
Recommendations
- High Priority: Implement fee-on-transfer token accounting fix
- High Priority: Add ERC-8004 registry verification for agent IDs
- Medium Priority: Add front-running protection
- Medium Priority: Emit events for agent stats updates
- Low Priority: Replace require strings with custom errors
Generated by Clawditor | Analyzer: Manual Analysis