Tripwire
Find contracts. Test them. Review real vulns.

Analysis Run

00e62a53-8575-4729-8d8e-0cc98548c4a2

complete
Chain ID
1
Address
Block Number
Created
Fri, Jan 2, 2026 6:15 AM
Review Summary

What survived the funnel

Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?

Confirmed
1
Validated
1
Source
Bytecode only
Review Backing
Not yet
Best current signal
Untrusted DELEGATECALL target reachable
crit 0 high 1 direct contract
Review Checklist
1. Read the findings table first. Ignore raw jobs until the result looks real.
2. Confirm attacker control, not just the existence of a sink.
3. Confirm money or privilege impact.
4. Keep it if the behavior is real. Kill it if this is normal proxy, admin, or upgrade plumbing.

Processing Jobs

Status & attempts
ID Type Status Attempts Heartbeat
31248 report.consolidate complete 1 / 1 3 months ago
104747 artifact.fetch complete 1 / 3 1 week ago
104748 tool.cast_disasm complete 1 / 3 1 week ago
104749 analysis.bundle complete 1 / 3 1 week ago
104750 capability.graph complete 1 / 3 1 week ago
104751 detector.run complete 1 / 3 1 week ago
104752 validation.fork complete 1 / 3 1 week ago

Artifact

Runtime bytecode: available
Creation TX:
Deployer:
Proxy: no
Implementation:
Verified Source: no

Slither

tool.slither

No slither job recorded yet.

Codex

report.consolidate
Job Status
complete
Attempts
1 / 1
Findings
0
No findings?
yes
Summary
Analyzed runtime bytecode; it is a minimal proxy with DELEGATECALL to an implementation stored at constant slot 0xabcd…, and a single upgrade function guarded by hardcoded caller 0x3376…; no unprotected value transfer, selfdestruct, or writable upgrade path is visible, so no concrete profit path from bytecode alone.
stderr
[codex:558668] OpenAI Codex v0.77.0 (research preview)
[codex:558668] --------
[codex:558668] workdir: /tmp/codex-multi-bo3m2f52
[codex:558668] model: gpt-5.2-codex
[codex:558668] provider: openai
[codex:558668] approval: never
[codex:558668] sandbox: read-only
[codex:558668] reasoning effort: xhigh
[codex:558668] reasoning summaries: auto
[codex:558668] session id: 019b7d56-0699-79a1-b5b0-7abfea86a71f
[codex:558668] --------
[codex:558668] user
[codex:558668] You are a profit-focused exploit hunter analyzing EVM bytecode. Your ONLY goal is finding ways to extract value (ETH, tokens, NFTs) from this contract.
[codex:558668] 
[codex:558668] Read `BYTECODE_BUNDLE.txt` completely before concluding.
[codex:558668] 
[codex:558668] ONLY REPORT if you find a CONCRETE, EXPLOITABLE path to profit. We do NOT care about:
[codex:558668] - Gas inefficiency, code quality, or best practices
[codex:558668] - Theoretical vulnerabilities without a clear extraction path
[codex:558668] - Generic footguns (unchecked return values, etc.) unless they enable theft
[codex:558668] - Issues requiring social engineering or off-chain coordination
[codex:558668] 
[codex:558668] PATTERNS WORTH INVESTIGATING in bytecode:
[codex:558668] - CALL/DELEGATECALL with controllable destination or calldata
[codex:558668] - Value transfers (CALL with non-zero value) without prior CALLER/ORIGIN checks
[codex:558668] - SSTORE to low slots (0-10) that might be owner/admin storage
[codex:558668] - ecrecover (signature validation) - look for missing nonce/replay protection
[codex:558668] - External calls before state updates (reentrancy)
[codex:558668] - SELFDESTRUCT with controllable beneficiary
[codex:558668] - Proxy patterns (DELEGATECALL to storage slot) with unprotected upgrade paths
[codex:558668] 
[codex:558668] For each finding, you MUST explain:
[codex:558668] 1. The specific bytecode pattern/offsets that indicate the vulnerability
[codex:558668] 2. The concrete sequence of transactions to extract value
[codex:558668] 3. Why you believe this is exploitable (not just suspicious)
[codex:558668] 
[codex:558668] If you cannot identify a concrete profit path from bytecode alone: set no_findings=true.
[codex:558668] Do NOT hallucinate. Bytecode-only analysis is limited - be honest about uncertainty.
[codex:558668] 
[codex:558668] Output MUST be valid JSON matching the provided schema.
[codex:558668] - severity: info, low, medium, high, critical (use high/critical ONLY for clear extraction paths)
[codex:558668] - category: access_control, reentrancy, math, oracle, upgradeability, auth, other
[codex:558668] mcp startup: no servers
[codex:558668] 
[codex:558668] thinking
[codex:558668] **Choosing method to read file**
[codex:558668] exec
[codex:558668] /bin/bash -lc ls in /tmp/codex-multi-bo3m2f52 succeeded in 5ms:
[codex:558668] BYTECODE_BUNDLE.txt
[codex:558668] codex-output-schema.json
[codex:558668] exec
[codex:558668] /bin/bash -lc 'cat BYTECODE_BUNDLE.txt' in /tmp/codex-multi-bo3m2f52 succeeded in 5ms:
[codex:558668] Runtime bytecode bundle for best-effort auditing.
[codex:558668] Note: without verified source, conclusions are low-confidence unless a concrete pattern is visible.
[codex:558668] 
[codex:558668] FILE: runtime_bytecode.hex
[codex:558668] 0x600436116046575b5f60605f8051602060898339815191525436603e575b8136915af43d90816035575b156031576060f35b6060fd5b815f60603e6029565b36838337601d565b5f3560e01c63adadadad0360075733733376ebc8dce3453a045a145ab7b1e728b2ed581e146072575f80fd5b60043560601c5f8051602060898339815191525500feabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd
[codex:558668] 
[codex:558668] 
[codex:558668] thinking
[codex:558668] **Decoding and analyzing Ethereum bytecode**
[codex:558668] thinking
[codex:558668] **Evaluating exploit possibilities in proxy logic**
[codex:558668] 
[codex:558668] I’m carefully examining whether the admin upgrade function can be bypassed or if delegatecall use might allow control over the implementation slot, but it seems well protected by a strict caller check and calldata size dispatch. I’m also checking the address extraction logic to ensure the admin parameter is correctly parsed and looking for any function selector collisions or fallback edge cases that might enable unintended access.
[codex:558668] exec
[codex:558668] /bin/bash -lc "python3 - <<'PY'
[codex:558668] import binascii
[codex:558668] hexstr=open('BYTECODE_BUNDLE.txt').read().split('0x',1)[1].split('\\n',1)[0].strip()
[codex:558668] # Actually file has 'FILE: runtime_bytecode.hex' line then hex line. Let's parse last line
[codex:558668] lines=open('BYTECODE_BUNDLE.txt').read().splitlines()
[codex:558668] for line in lines:
[codex:558668]     if line.startswith('0x'):
[codex:558668]         hexstr=line[2:]
[codex:558668]         break
[codex:558668] bs=binascii.unhexlify(hexstr)
[codex:558668] print('len',len(bs))
[codex:558668] # show bytes around 0x80-0xa0
[codex:558668] for i in range(0x80,0xa0):
[codex:558668]     if i>=len(bs):
[codex:558668]         break
[codex:558668]     print(hex(i),hex(bs[i]))
[codex:558668] # show 32 bytes from 0x89
[codex:558668] start=0x89
[codex:558668] print('slot bytes',bs[start:start+32].hex())
[codex:558668] PY" in /tmp/codex-multi-bo3m2f52 succeeded in 20ms:
[codex:558668] len 169
[codex:558668] 
[codex:558668] thinking
[codex:558668] **Analyzing proxy bytecode and potential exploits**
[codex:558668] codex
[codex:558668] {"no_findings":true,"summary":"Analyzed runtime bytecode; it is a minimal proxy with DELEGATECALL to an implementation stored at constant slot 0xabcd…, and a single upgrade function guarded by hardcoded caller 0x3376…; no unprotected value transfer, selfdestruct, or writable upgrade path is visible, so no concrete profit path from bytecode alone.","findings":[]}
[codex:558668] tokens used
[codex:558668] 16,474
Metadata
{
    "codex": {
        "ran_at": "2026-01-02T06:15:22.941666+00:00",
        "returncode": 0
    },
    "summary": "Analyzed runtime bytecode; it is a minimal proxy with DELEGATECALL to an implementation stored at constant slot 0xabcd\u2026, and a single upgrade function guarded by hardcoded caller 0x3376\u2026; no unprotected value transfer, selfdestruct, or writable upgrade path is visible, so no concrete profit path from bytecode alone.",
    "raw_final": {
        "summary": "Analyzed runtime bytecode; it is a minimal proxy with DELEGATECALL to an implementation stored at constant slot 0xabcd\u2026, and a single upgrade function guarded by hardcoded caller 0x3376\u2026; no unprotected value transfer, selfdestruct, or writable upgrade path is visible, so no concrete profit path from bytecode alone.",
        "findings": [],
        "no_findings": true
    },
    "no_findings": true,
    "schema_version": 1
}

Opcode Heuristics

tool.cast_disasm
Delegatecall
1
Selfdestruct
0
CREATE2
0
CALL-family (heavy)
0
EXT*/BALANCE
0
Total opcodes
125
Flags
delegatecall_present
Cast disassembly output
00000000: PUSH1 0x04
00000002: CALLDATASIZE
00000003: GT
00000004: PUSH1 0x46
00000006: JUMPI
00000007: JUMPDEST
00000008: PUSH0
00000009: PUSH1 0x60
0000000b: PUSH0
0000000c: DUP1
0000000d: MLOAD
0000000e: PUSH1 0x20
00000010: PUSH1 0x89
00000012: DUP4
00000013: CODECOPY
00000014: DUP2
00000015: MLOAD
00000016: SWAP2
00000017: MSTORE
00000018: SLOAD
00000019: CALLDATASIZE
0000001a: PUSH1 0x3e
0000001c: JUMPI
0000001d: JUMPDEST
0000001e: DUP2
0000001f: CALLDATASIZE
00000020: SWAP2
00000021: GAS
00000022: DELEGATECALL
00000023: RETURNDATASIZE
00000024: SWAP1
00000025: DUP2
00000026: PUSH1 0x35
00000028: JUMPI
00000029: JUMPDEST
0000002a: ISZERO
0000002b: PUSH1 0x31
0000002d: JUMPI
0000002e: PUSH1 0x60
00000030: RETURN
00000031: JUMPDEST
00000032: PUSH1 0x60
00000034: REVERT
00000035: JUMPDEST
00000036: DUP2
00000037: PUSH0
00000038: PUSH1 0x60
0000003a: RETURNDATACOPY
0000003b: PUSH1 0x29
0000003d: JUMP
0000003e: JUMPDEST
0000003f: CALLDATASIZE
00000040: DUP4
00000041: DUP4
00000042: CALLDATACOPY
00000043: PUSH1 0x1d
00000045: JUMP
00000046: JUMPDEST
00000047: PUSH0
00000048: CALLDATALOAD
00000049: PUSH1 0xe0
0000004b: SHR
0000004c: PUSH4 0xadadadad
00000051: SUB
00000052: PUSH1 0x07
00000054: JUMPI
00000055: CALLER
00000056: PUSH20 0x3376ebc8dce3453a045a145ab7b1e728b2ed581e
0000006b: EQ
0000006c: PUSH1 0x72
0000006e: JUMPI
0000006f: PUSH0
00000070: DUP1
00000071: REVERT
00000072: JUMPDEST
00000073: PUSH1 0x04
00000075: CALLDATALOAD
00000076: PUSH1 0x60
00000078: SHR
00000079: PUSH0
0000007a: DUP1
0000007b: MLOAD
0000007c: PUSH1 0x20
0000007e: PUSH1 0x89
00000080: DUP4
00000081: CODECOPY
00000082: DUP2
00000083: MLOAD
00000084: SWAP2
00000085: MSTORE
00000086: SSTORE
00000087: STOP
00000088: INVALID
00000089: UNKNOWN(0xAB)
0000008a: UNKNOWN(0xCD)
0000008b: UNKNOWN(0xAB)
0000008c: UNKNOWN(0xCD)
0000008d: UNKNOWN(0xAB)
0000008e: UNKNOWN(0xCD)
0000008f: UNKNOWN(0xAB)
00000090: UNKNOWN(0xCD)
00000091: UNKNOWN(0xAB)
00000092: UNKNOWN(0xCD)
00000093: UNKNOWN(0xAB)
00000094: UNKNOWN(0xCD)
00000095: UNKNOWN(0xAB)
00000096: UNKNOWN(0xCD)
00000097: UNKNOWN(0xAB)
00000098: UNKNOWN(0xCD)
00000099: UNKNOWN(0xAB)
0000009a: UNKNOWN(0xCD)
0000009b: UNKNOWN(0xAB)
0000009c: UNKNOWN(0xCD)
0000009d: UNKNOWN(0xAB)
0000009e: UNKNOWN(0xCD)
0000009f: UNKNOWN(0xAB)
000000a0: UNKNOWN(0xCD)
000000a1: UNKNOWN(0xAB)
000000a2: UNKNOWN(0xCD)
000000a3: UNKNOWN(0xAB)
000000a4: UNKNOWN(0xCD)
000000a5: UNKNOWN(0xAB)
000000a6: UNKNOWN(0xCD)
000000a7: UNKNOWN(0xAB)
000000a8: UNKNOWN(0xCD)

Findings

validated = confirmed for call sinks; sink observed for others
Severity Category Tool Title Confidence Validated Confirmed Details
high upgradeability detector Untrusted DELEGATECALL target reachable 55 yes yes
trace_id: 0xdca700c472ab196931fc8a07f512eaf32a6e557e9969b5bdb5ae27e3ed2cdaea
call_targets: 0x0000000011239a45196deff0fbd62245a77b363f, 0x522ccc5ff0935d2d8189fc59754ccb8b66a109a0
target_varies: yes
classification: target_varies
validation_json
{
    "sink": "DELEGATECALL",
    "errors": 0,
    "status": "confirmed",
    "attempts": 1,
    "trace_id": "0xdca700c472ab196931fc8a07f512eaf32a6e557e9969b5bdb5ae27e3ed2cdaea",
    "confirmed": true,
    "trace_mode": "callTracer",
    "call_targets": [
        "0x0000000011239a45196deff0fbd62245a77b363f",
        "0x522ccc5ff0935d2d8189fc59754ccb8b66a109a0"
    ],
    "matched_probe": null,
    "target_varies": true,
    "classification": "target_varies"
}
witness_json
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0xadadadad",
            "selector": "0xadadadad",
            "calldata_variants": [
                "0xadadadad",
                "0xadadadad0000000000000000000000000000000000000000000000000000000000000000"
            ]
        }
    ]
}
evidence_json
{
    "examples": [
        {
            "pc": 34,
            "opcode": "DELEGATECALL",
            "returndata_checked": null,
            "value_expression_category": "n/a",
            "target_expression_category": "computed"
        }
    ],
    "guards_detected": [
        {
            "pc": 107,
            "type": "msg_sender_eq_const",
            "value": 2.9381055698272e+47
        },
        {
            "pc": 85,
            "type": "msg_sender_eq_const",
            "value": "0x3376ebc8dce3453a045a145ab7b1e728b2ed581e"
        }
    ],
    "delegatecall_count": 1,
    "untrusted_delegatecall_count": 1
}
medium upgradeability cast DELEGATECALL present 80 no
evidence_json
{
    "notes": "delegatecall enables execution in caller context; common in proxies/upgradeable patterns",
    "delegatecall_count": 1
}