registry  /  @gearbox-protocol/sdk  /  14.11.6

@gearbox-protocol/sdk@14.11.6

Gearbox SDK

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. Shipped network calls are explicit SDK features for remote protocol configuration, oracle price payloads, and rewards lookups.

Static reason
No blocking static signals were detected.
Trigger
Consumer invokes remote-config, price-update, or rewards API methods.
Impact
Fetches protocol data; no local mutation, credential harvesting, remote code execution, or persistence observed.
Mechanism
User-invoked HTTPS/API requests through axios or fetch.
Rationale
Static inspection shows a blockchain SDK with user-invoked, package-aligned network features. No concrete malicious execution, exfiltration, persistence, or install-time foreign control-surface mutation was found.
Evidence
package.jsondist/cjs/sdk/index.jsdist/cjs/plugins/remote-configs/RemoteConfigSource.jsdist/cjs/sdk/market/pricefeeds/updates/fetchPythPayloads.jsdist/cjs/rewards/rewards/merkl-api.jsdist/cjs/rewards/rewards/api.jsdist/cjs/dev/providers.js
Network endpoints5
static.gearbox.finance/client-v3/configs/pools/pools.jsonstatic.gearbox.finance/client-v3/configs/strategies/strategies.jsonhermes.pyth.network/v2/updates/price/api.merkl.xyzapi-merkl.angle.money

Decision evidence

public snapshot
AI called this Clean at 97.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • `package.json` has only a `prepare: husky` development hook; no preinstall/install/postinstall or bin entry.
    • `dist/cjs/sdk/index.js` only re-exports SDK modules and contains no import-time network, filesystem, or process execution.
    • No shipped `dist` code imports Node child-process/filesystem modules or uses eval/Function execution; dynamic import only loads optional `viem-deal`.
    • `RemoteConfigSource` fetches documented Gearbox pool/strategy JSON only when its methods are invoked.
    • `fetchPythPayloads` performs explicit price-update requests to Pyth; rewards API sends caller-supplied key only to Merkl endpoints.
    • No executable files, hidden configuration, credential harvesting, persistence, or AI-agent-control-surface paths found.
    Behavioral surface
    Source
    Network
    Supply chain
    HighEntropyStringsUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 1,324 file(s), 5.68 MB of source, external domains: api-merkl.angle.money, api.berascan.com, api.gearbox.foundation, api.merkl.xyz, api.sonicscan.org, berascan.com, hermes.pyth.network, monadscan.com, sonicscan.org, state-cache.gearbox.foundation, static.gearbox.finance

    Source & flagged code

    0 flagged
    No flagged code excerpts are attached to this scan.

    Findings

    1 Medium4 Low
    MediumNetwork
    LowNon Install Lifecycle Scripts
    LowScripts Present
    LowHigh Entropy Strings
    LowUrl Strings