feat: add @kenostod/utl-snap — UTL Fee Rewards (DeFi / cross-chain rewards) #1459
Keno2121 wants to merge 5 commits into MetaMask:main from
Universal Transaction Layer (UTL) Fee Rewards snap — earn passive USDC from cross-chain fees, natively inside MetaMask.
"Source repository is now live at https://github.com/Keno2121/utl-metamask-snap — updated the manifest URL to match. Happy to provide a live demo of the Snap + UTL companion dApp."
…n artifacts
- Added required `audits: []` field to snap metadata
- Fixed sourceCode to point to snap repo (Keno2121/utl-metamask-snap)
- Toned down description: clarified Snap is read-only insight, financial ops on-chain
- Rebuilt from MetaMask main base to remove unintended Unicode normalization changes
Thank you for the review feedback. I've pushed a clean fix commit (9a5ed82) addressing both flagged concerns:
1. Missing
2. Unicode normalization artifacts inflating the diff
Additional corrections in this commit:
Happy to provide any additional information needed.
…erts, Loyalty Tier, Credentials)
| "name": "UTL Protocol — Fee X-Ray & Passive Income", | ||
| "author": { | ||
| "name": "Kenostod Blockchain Academy LLC", | ||
| "website": "https://kenostod-blockchain.onrender.com/utl-dashboard.html" |
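Review bot: The "name" value on the first line of this hunk ends in "Passive Income", which is a benefit claim rather than a product name, and it does not match the PR title, which calls the snap "UTL Fee Rewards". Use one neutral product name consistently in the PR title and in the metadata, and keep income claims out of the name field.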
Author website uses ephemeral hosting, mismatches PR description
Medium Severity
The author.website and support.contact fields point to kenostod-blockchain.onrender.com (Render.com free-tier hosting), while the PR description claims the website is at kenostodblockchain.com — an entirely different domain. This is the only entry in the registry using an onrender.com URL. The mismatch between described and committed URLs undermines the verifiability of this snap's identity, and the ephemeral hosting means the site content could change or vanish without notice.
Additional Locations (1)
| }, | ||
| "summary": "See MEV risk and hidden fee extraction before signing. Earn passive income from every UTL transaction on BSC. Flash Arbitrage alerts inside MetaMask.", | ||
| "description": "The UTL MetaMask Snap adds Fee X-Ray analysis to every BNB Smart Chain transaction — revealing MEV risk, UTL protocol toll breakdown, and fee distribution before you sign. Earn passive USDC income: 60% of all captured fees goes to KENO stakers. Flash Arbitrage Loan (FAL™) alerts notify you of profitable arbitrage opportunities inside MetaMask. Build your Loyalty Tier (Bronze → Diamond) through accumulated protocol interactions, unlocking higher reward multipliers and on-chain governance voting power. Graduate credentials from Kenostod Blockchain Academy LLC are stored and verifiable inside your MetaMask wallet. All features are powered by 5 live UTL smart contracts on BNB Smart Chain.", | ||
| "category": "interoperability", |
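Review bot: The "summary" and "description" lines promise income ("Earn passive USDC income: 60% of all captured fees goes to KENO stakers"), which conflicts with the earlier commit message in this PR saying the description was toned down to present the Snap as read-only insight. Limit both fields to what the snap itself shows before signing, and move the staking, loyalty-tier and reward-multiplier claims out of the registry entry.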
Snap miscategorized as interoperability instead of transaction insights
Medium Severity
The category is set to "interoperability" but the snap's own summary and description describe a transaction-analysis tool ("Fee X-Ray analysis to every BNB Smart Chain transaction… before you sign") and it requests endowment:transaction-insight. Every other pre-signing analysis snap in the registry uses "transaction insights" as its category. The "interoperability" category is reserved for cross-chain wallet snaps like Aleo and Algorand.
…iers, Credentials)
| }, | ||
| "2.0.0": { | ||
| "checksum": "AlVAKX7DhCxknrr/5fdb/Qsmee6oAnkvZK4eFmv5Z64=" | ||
| } |
Registry lists checksum for unpublished npm version
High Severity
The registry includes a verified checksum entry for @kenostod/utl-snap version 2.0.0, but the PR description explicitly states "v2.0.0 built — npm publish pending," meaning this version has not been published to npm yet. The verify-snaps.ts CI script fetches each registered version from npm via fetchSnap and validates its checksum — this will fail for an unpublished version. Additionally, verifying a checksum against a local build rather than the actual npm-published artifact is a security concern, since the npm publish process can alter package contents.
Audit: https://audit.hashlock.com/audit/0a13e701-ff4f-4583-93ce-d79c62a841f8
Auditor: Hashlock
Date: 2026-03-23
Files: UTLFeeCollector.sol, UTLStaking.sol, UTLTreasury.sol, UTLDistribution.sol
| "auditor": "Hashlock", | ||
| "report": "https://audit.hashlock.com/audit/0a13e701-ff4f-4583-93ce-d79c62a841f8" | ||
| } | ||
| ], |
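Review bot: The "audits" entry in this hunk names Hashlock, but the scope given for it in this PR is four Solidity files (UTLFeeCollector.sol, UTLStaking.sol, UTLTreasury.sol, UTLDistribution.sol), none of which is the snap package that the version checksums pin. An earlier commit in this PR added the field as `audits: []`; go back to the empty array unless there is a report that covers the snap's own code.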
Fabricated audit claim contradicts author's own statement
High Severity
The audits field claims a Hashlock audit with a report at https://audit.hashlock.com/audit/0a13e701-ff4f-4583-93ce-d79c62a841f8, but the PR author explicitly stated in the PR discussion: "We do not currently have a third-party security audit." The domain audit.hashlock.com does not appear to exist, and no evidence of this audit report can be found. Other legitimate audits in this registry link to verifiable URLs on real auditor domains. This appears to be a fabricated audit entry in a security-critical verified snaps registry, which would give users false confidence in an unaudited snap.


Add @kenostod/utl-snap to Verified Snaps
Snap ID: npm:@kenostod/utl-snap
Version: 1.0.2 (v2.0.0 built — npm publish pending)
Category: Interoperability / DeFi / Education
Description
The UTL MetaMask Snap adds the Universal Transaction Layer natively to MetaMask — a fee redistribution protocol on BNB Smart Chain. Six features activate the moment you install:
Features (v2.0.0)
Permissions
Links
UTL Contracts (BNB Smart Chain — all live)
Note
Medium Risk
Adds a new snap to the verified registry, which affects what users can install as “verified”; incorrect metadata/checksums could enable listing or verification issues.
Overview
Registers `npm:@kenostod/utl-snap` as a new verified snap in `src/registry.json`, including full metadata (author, links, tags, audit reference, support) and two published versions.
Adds checksums for `1.0.2` and `2.0.0`; no other registry entries or blocking rules are changed.
Written by Cursor Bugbot for commit 403277c. This will update automatically on new commits.
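The four review findings above (a registered version that is not yet on npm, a website host that differs from the declared one, an audit report on an unconfirmed host, a category at odds with the requested permission) expressed as an offline pre-merge lint. This is an added JavaScript example, not code from the PR or from the snaps-registry project. `lintEntry`, `hostOf`, the `ctx` object and the finding labels are hypothetical; the sample values are copied from this page, and the published-version list is supplied by hand rather than fetched from npm.

```javascript
// Added example: offline pre-merge lint for one registry entry (hypothetical helper).
// Entry fields mirror the ones visible in this PR's diff; `ctx` is reviewer-supplied.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch { return null; }
}
function lintEntry(entry, ctx) {
  const findings = [];
  const meta = entry.metadata;
  // A checksum is only meaningful for an artifact that is already published.
  for (const version of Object.keys(entry.versions)) {
    if (!ctx.publishedVersions.includes(version)) {
      findings.push(`unpublished-version:${version}`);
    }
  }
  // The committed website must be on the host the submitter declared.
  const site = hostOf(meta.author.website);
  if (site !== ctx.declaredWebsiteHost) {
    findings.push(`website-host-mismatch:${site}`);
  }
  // Audit reports must live on a host the reviewer has confirmed for that auditor.
  for (const audit of meta.audits || []) {
    const host = hostOf(audit.report);
    if (!(ctx.confirmedAuditHosts[audit.auditor] || []).includes(host)) {
      findings.push(`unconfirmed-audit-host:${host}`);
    }
  }
  // A snap requesting transaction insight belongs in "transaction insights".
  const wantsInsight = ctx.permissions.includes("endowment:transaction-insight");
  if (wantsInsight && meta.category !== "transaction insights") {
    findings.push(`category-mismatch:${meta.category}`);
  }
  return findings;
}
// Constructed input: values copied from this page; the 1.0.2 checksum is not shown on it.
const sampleEntry = {
  metadata: {
    author: { website: "https://kenostod-blockchain.onrender.com/utl-dashboard.html" },
    category: "interoperability",
    audits: [{ auditor: "Hashlock", report: "https://audit.hashlock.com/audit/0a13e701-ff4f-4583-93ce-d79c62a841f8" }],
  },
  versions: { "1.0.2": { checksum: "<not shown>" }, "2.0.0": { checksum: "AlVAKX7DhCxknrr/5fdb/Qsmee6oAnkvZK4eFmv5Z64=" } },
};
const sampleCtx = {
  publishedVersions: ["1.0.2"], declaredWebsiteHost: "kenostodblockchain.com",
  confirmedAuditHosts: {}, permissions: ["endowment:transaction-insight"],
};
console.log(lintEntry(sampleEntry, sampleCtx));
```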