DEV Community

Thank you @rushabdev - the most useful peer review MarketNow has received

Last week @rushabdev volunteered to peer-review two of the most sensitive parts of MarketNow: the payment system (USDC on Base + ACP/AP2 mandates) and the Sentinel audit pipeline (L1.5 → L2.5). He came back with 11 findings. All reproduced. All real. No fluff.

Severity Count Example
HIGH 1 README claimed "10/10" while only L1.5 results were actually committed
MEDIUM 4 txHash blocks but spend fails → user can lose USDC; internal mandates call over public internet; CORS * on audit endpoint; process.env flagged as malicious (false positives)
LOW 6 asset_type: 'native_token' should be 'erc20'; EIP-191 signatures publicly stored; 50KB file read cap; duplicate skills scoring conflict; writeDB() not imported; secret regex matches README examples

What I'm doing with the findings

The HIGH was fixed within 24h. The README now reflects what's actually committed - no more 10/10 claim without L2/L2.5 evidence to back it. The 5 payment findings are in the active fix queue. The 6 Sentinel findings inform the next iteration of the static analyzer (especially the process.env false-positive pattern, which is a real problem for any JS codebase scanner).

On the "paid relationship" line

Genuinely appreciated. I want to be straight with you and with anyone reading this: MarketNow is pre-revenue. Every Vercel deploy, every npm publish, every gVisor test run is out of pocket. There's no VC money, no runway, no customers paying yet. The 46K requests on Vercel last month were crawlers, agents probing /api/manifest, and a handful of curious humans - not paying customers.

So when there's real activity on the marketplace - agents actually buying skills, mandates actually being spent, USDC actually flowing - you'll be the first person I reach out to about a formal engagement. Until then, the door is open both ways:

  • If you want to keep poking at the sandbox, the ATC crypto layer, or the egress proxy, I'll read every word you write.
  • If you'd rather wait until there's a budget, that's completely understood too.

No bounties promised. No retainers dangled. Just: thank you for the work you already did, and you're on the radar.

Why I'm posting this publicly instead of DMing

Two reasons:

  • Credit where it's due. A pro bono review that finds a HIGH should not disappear into a private message thread. rushabdev's name is now on /trust as a community peer reviewer, and the 11 findings are public record.
  • The pattern matters. If MarketNow is going to claim "trust layer for agent commerce," then how we treat the people who audit our code IS the product. Ignoring, hiding, or underpaying reviewers would be the exact opposite of trust.

What's next

  • All 11 findings are tracked in the internal fix queue.
  • /trust page now lists @rushabdev as community peer reviewer (July 2026).
  • The Sentinel pipeline gets a v2.1 iteration to address the false-positive patterns he flagged.
  • The payment system gets a hardening pass before any real USDC touches the mandate spend path.

If you're building in MCP / agent commerce / security research and want to poke at the code, it's all public: github.com/edgarfloresguerra2011-a11y/marketnow. Findings welcome. No promise of payment, but every finding will be read, reproduced, and credited.

  • Edison Flores, AliceLabs LLC - MarketNow.site

Comments

No comments yet. Start the discussion.