
Manual audit packet: community-wave8 stage2 (5 repos, 5 findings) #33

@omarespejel


Manual Audit Packet: Community Wave 8 (Stage-2)

This issue packages everything needed for independent manual review of the latest external community run.

1) Scope (commit-pinned)

  1. avnu-labs/avnu-contracts-v2@006e3ddd9ddae28be73336842684f7db55273a2f
  2. lambdaclass/yet-another-swap@f3ee03a3564a37698e9589f564ac63aa59dab283
  3. milancermak/cairo-4626@67a9e7605928d69000b538f71239a2dea23f8daa
  4. briqNFT/briq-protocol@5db5f812812b3039e94ecce96506fe8dd94a1c69
  5. eqlabs/starknet-multisig@4bb825585521a53cf0bd6947b4ebb8a049ef67de

2) Repro command

cd starknet-skills
./starkskills audit external \
  --repos avnu-labs/avnu-contracts-v2 lambdaclass/yet-another-swap \
          milancermak/cairo-4626 briqNFT/briq-protocol eqlabs/starknet-multisig \
  --scan-id community-wave8-2026-03-09-stage2 \
  --prepare-stage2

3) Run summary

  • Repos scanned: 5
  • Production Cairo files scanned: 229
  • Actionable findings: 5
  • Low-confidence findings: 0
  • Suppressed by gate: 0

4) Findings to manually triage

finding_id repo ref file class_id severity confidence_score
LESSKNOWNI-001 avnu-labs/avnu-contracts-v2 006e3ddd9ddae28be73336842684f7db55273a2f src/components/fee.cairo FEES_RECIPIENT_ZERO_DOS high 100
LESSKNOWNI-002 lambdaclass/yet-another-swap f3ee03a3564a37698e9589f564ac63aa59dab283 crates/yas_core/src/contracts/yas_factory.cairo CRITICAL_ADDRESS_INIT_WITHOUT_NONZERO_GUARD medium 100
LESSKNOWNI-003 lambdaclass/yet-another-swap f3ee03a3564a37698e9589f564ac63aa59dab283 crates/yas_core/src/contracts/yas_pool.cairo CRITICAL_ADDRESS_INIT_WITHOUT_NONZERO_GUARD medium 100
LESSKNOWNI-004 lambdaclass/yet-another-swap f3ee03a3564a37698e9589f564ac63aa59dab283 crates/yas_faucet/src/yas_faucet.cairo CRITICAL_ADDRESS_INIT_WITHOUT_NONZERO_GUARD medium 100
LESSKNOWNI-005 lambdaclass/yet-another-swap f3ee03a3564a37698e9589f564ac63aa59dab283 crates/yas_faucet/src/yas_faucet.cairo IRREVOCABLE_ADMIN low 75

5) CSV for direct editing

finding_id,repo,ref,file,class_id,scope,predicted_detect,severity,confidence_score,confidence_tier,actionability,gate_status,gate_reason,manual_verdict,manual_notes
LESSKNOWNI-001,avnu-labs/avnu-contracts-v2,006e3ddd9ddae28be73336842684f7db55273a2f,src/components/fee.cairo,FEES_RECIPIENT_ZERO_DOS,prod_scan,True,high,100,high,actionable,pass,,,
LESSKNOWNI-002,lambdaclass/yet-another-swap,f3ee03a3564a37698e9589f564ac63aa59dab283,crates/yas_core/src/contracts/yas_factory.cairo,CRITICAL_ADDRESS_INIT_WITHOUT_NONZERO_GUARD,prod_scan,True,medium,100,high,actionable,pass,,,
LESSKNOWNI-003,lambdaclass/yet-another-swap,f3ee03a3564a37698e9589f564ac63aa59dab283,crates/yas_core/src/contracts/yas_pool.cairo,CRITICAL_ADDRESS_INIT_WITHOUT_NONZERO_GUARD,prod_scan,True,medium,100,high,actionable,pass,,,
LESSKNOWNI-004,lambdaclass/yet-another-swap,f3ee03a3564a37698e9589f564ac63aa59dab283,crates/yas_faucet/src/yas_faucet.cairo,CRITICAL_ADDRESS_INIT_WITHOUT_NONZERO_GUARD,prod_scan,True,medium,100,high,actionable,pass,,,
LESSKNOWNI-005,lambdaclass/yet-another-swap,f3ee03a3564a37698e9589f564ac63aa59dab283,crates/yas_faucet/src/yas_faucet.cairo,IRREVOCABLE_ADMIN,prod_scan,True,low,75,medium,actionable,pass,,,

6) Auditor instructions

For each row, set:

  • manual_verdict: tp or fp
  • manual_notes: short justification, and if fp, cite the concrete guard/safe path

Please keep (repo, ref, file, class_id) unchanged so we can score automatically.

7) Next step after labels

Once labels are posted, we will score and publish:

  • Precision / recall on this wave
  • Per-class hit/miss breakdown
  • TP/FP/FN trend against prior waves
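As an added example (not the starkskills tool's own scorer), a small Python checker for the CSV format posted above: it verifies that the (repo, ref, file, class_id) key columns came back unchanged and computes precision plus per-class tp/fp counts from manual_verdict. The two sample rows are copied from the packet, but their verdicts are constructed; recall and FN need a ground-truth list the CSV alone does not carry, so only precision is computed here.

```python
"""Score a labelled stage-2 packet CSV (added example, not the starkskills tool's own code).

Assumes the column layout exactly as posted in the issue and that auditors fill
manual_verdict with "tp" or "fp". The verdicts below are constructed for the demo.
"""
import csv
import io
from collections import defaultdict

KEY = ("repo", "ref", "file", "class_id")  # must stay unchanged for automatic scoring

# Constructed sample: two rows from the packet with hypothetical verdicts filled in.
LABELED_CSV = """finding_id,repo,ref,file,class_id,scope,predicted_detect,severity,confidence_score,confidence_tier,actionability,gate_status,gate_reason,manual_verdict,manual_notes
LESSKNOWNI-001,avnu-labs/avnu-contracts-v2,006e3ddd9ddae28be73336842684f7db55273a2f,src/components/fee.cairo,FEES_RECIPIENT_ZERO_DOS,prod_scan,True,high,100,high,actionable,pass,,tp,constructed verdict
LESSKNOWNI-005,lambdaclass/yet-another-swap,f3ee03a3564a37698e9589f564ac63aa59dab283,crates/yas_faucet/src/yas_faucet.cairo,IRREVOCABLE_ADMIN,prod_scan,True,low,75,medium,actionable,pass,,fp,constructed verdict
"""


def load(text):
    """Parse packet CSV text into a list of row dicts keyed by the header."""
    return list(csv.DictReader(io.StringIO(text)))


def key_drift(original, labeled):
    """Return finding_ids whose key columns differ from the original packet (or are new)."""
    orig = {r["finding_id"]: tuple(r[k] for k in KEY) for r in original}
    return sorted(r["finding_id"] for r in labeled
                  if orig.get(r["finding_id"]) != tuple(r[k] for k in KEY))


def score(rows):
    """Overall precision and per-class tp/fp counts from manual_verdict; unlabelled rows raise."""
    per_class = defaultdict(lambda: {"tp": 0, "fp": 0})
    for r in rows:
        verdict = r["manual_verdict"].strip().lower()
        if verdict not in ("tp", "fp"):
            raise ValueError(f"{r['finding_id']}: manual_verdict must be tp or fp, got {verdict!r}")
        per_class[r["class_id"]][verdict] += 1
    tp = sum(c["tp"] for c in per_class.values())
    fp = sum(c["fp"] for c in per_class.values())
    # Recall/FN are not derivable here: they need the wave's ground-truth finding list.
    precision = tp / (tp + fp) if tp + fp else 0.0
    return {"precision": precision, "tp": tp, "fp": fp, "per_class": dict(per_class)}


if __name__ == "__main__":
    rows = load(LABELED_CSV)
    print("key drift:", key_drift(rows, rows))
    print(score(rows))
```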
