019b3836-2209-72d4-9ba8-38d2afe67531
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 211 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 212 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 43419 | analysis.bundle | complete | 1 / 3 | 1 week ago |
| 43420 | capability.graph | complete | 1 / 3 | 1 week ago |
| 43421 | detector.run | complete | 1 / 3 | 1 week ago |
| 43422 | validation.fork | complete | 1 / 3 | 1 week ago |
| 78222 | report.consolidate | complete | 1 / 6 | 1 week ago |
No slither job recorded yet.
{"no_findings":false,"summary":"Bytecode-only review indicates a balance-mapping contract with three CALL sites, no proxy/delegatecall behavior, and a privileged external dependency at 0x3c94923400ccc528e8ab0f849edafca06fe332e5. The main risks are a call-before-write payout path and an unchecked low-level CALL that can break accounting if ETH delivery fails.","findings":[{"severity":"medium","category":"reentrancy","title":"Value-bearing external call happens before the balance slot is updated","exploit_scenario":"On selector 0x0553e156, the contract first authenticates a hardcoded external caller, then reads a per-address slot, computes a payout, performs a low-level CALL, and only afterward writes storage. If the payout recipient is a contract, reentrant control is exposed while the old balance is still live. Exploitability is reduced by the hardcoded-caller gate, but if that privileged external contract is compromised, upgradeable, or can be induced to recurse, the stale slot can be consumed multiple times before the write lands.","recommendation":"Apply checks-effects-interactions on this path: update or zero the balance slot before the external CALL, add a reentrancy guard, and prefer pull-based withdrawals over inline ETH sends.","evidence":"Selector 0x0553e156 reaches the payout branch at pc 0x2a3. That branch loads the mapping value with SLOAD at pc 0x2c5, multiplies by 5 at pc 0x2c9, executes CALL at pc 0x2d2, and only later performs SSTORE at pc 0x2f1. The same selector is gated by a hardcoded caller check against 0x3c94923400ccc528e8ab0f849edafca06fe332e5 around pc 0x12b-0x14a.","locations":["selector:0x0553e156","pc:0x2c5","pc:0x2d2","pc:0x2f1"]},{"severity":"medium","category":"other","title":"Unchecked low-level CALL can desynchronize storage from actual ETH delivery","exploit_scenario":"The payout CALL on selector 0x0553e156 does not have an observed success check before execution continues into storage mutation. A recipient contract can deliberately revert or otherwise make the CALL fail, yet the function can still proceed to mutate the tracked slot as if payment succeeded, causing lost funds or broken internal accounting. This is especially concerning on a balance-like mapping, since getters expose the slot directly.","recommendation":"Require the low-level CALL to succeed before mutating storage, or revert on failure and leave the slot unchanged. If best-effort delivery is intended, separate accounting from delivery and record failed withdrawals explicitly.","evidence":"At pc 0x2d2 the contract executes a CALL, then only POPs stack values and falls through to SSTORE at pc 0x2f1; there is no ISZERO/JUMPI-style success check on this path. By contrast, the fixed-address CALL at pc 0x230 is followed by an explicit failure branch at pc 0x232-0x235, which highlights the absence of equivalent handling here.","locations":["selector:0x0553e156","pc:0x2d2","pc:0x2f1","pc:0x230"]}]}
OpenAI Codex v0.118.0 (research preview)
--------
workdir: /tmp/codex-5xex25yk
model: gpt-5.4
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: none
session id: 019d5a76-adac-7b21-8d15-9e02073ebbdd
--------
user
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
warning: Codex could not find system bubblewrap on PATH. Please install bubblewrap with your package manager. Codex will use the vendored bubblewrap in the meantime.
exec
/bin/bash -lc "sed -n '1,260p' BYTECODE_BUNDLE.json" in /tmp/codex-5xex25yk
succeeded in 0ms:
{
"analysis_artifact": {
"address": "0x4abc539ee0c73725256391bf0eb3fda72e8a59ad",
"artifact_hash": "0x1b3a13265e0f53d71eaf4c82df7d229706a89c0715287a1f5fe26d43e77d4c77",
"artifact_json": {
"auth": {
"guards": []
},
"basic_blocks": [
{
"end_pc": 24,
"hash": "0x93ca4665dbfe330c821288cd6949b9310be4f2728d53964a22fdd590ad592f89",
"opcodes": [
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"PUSH1",
"EXP",
"PUSH1",
"CALLDATALOAD",
"DIV",
"PUSH4",
"OP_81",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 0
},
{
"end_pc": 35,
"hash": "0xb5d7f780179bc9755f01f90857eeca31fdee433acdebcd1796f56b8b147e1665",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 25
},
{
"end_pc": 46,
"hash": "0x50456060237dd3ce9c62e417d037a547761b1e236a40f941860776e484f9a361",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 36
},
{
"end_pc": 57,
"hash": "0x9daae73a044ed9b1f5413bdddef37e8651653994af1b2113b9903da19f6cdea8",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 47
},
{
"end_pc": 59,
"hash": "0x7c03713fe289920bcbc645467e3c26e308b928c57f7f20b00dcee82e881fecf3",
"opcodes": [
"JUMPDEST",
"STOP"
],
"start_pc": 58
},
{
"end_pc": 284,
"hash": "0x5ffa83adc3fa7e881ab549b7c4e2f11c5b60ee48ca60b808c105c1da34efff27",
"opcodes": [
"JUMPDEST",
"PUSH1",
"PUSH1",
"PUSH1",
"OP_80",
"CALLDATALOAD",
"OP_90",
"OP_81",
"ADD",
"CALLDATALOAD",
"PUSH1",
"OP_81",
"ADD",
"OP_83",
"OP_90",
"DIV",
"OP_90",
"OP_92",
"MUL",
"OP_83",
"ADD",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_82",
"OP_81",
"MSTORE",
"PUSH2",
"OP_93",
"PUSH1",
"OP_93",
"OP_91",
"OP_92",
"OP_84",
"ADD",
"OP_91",
"OP_90",
"OP_81",
"OP_90",
"OP_83",
"OP_82",
"OP_80",
"OP_82",
"OP_84",
"CALLDATACOPY",
"POP",
"POP",
"PUSH1",
"OP_80",
"MLOAD",
"PUSH1",
"OP_88",
"CALLDATALOAD",
"PUSH1",
"OP_81",
"ADD",
"CALLDATALOAD",
"PUSH1",
"OP_81",
"ADD",
"OP_83",
"OP_90",
"DIV",
"OP_83",
"MUL",
"OP_84",
"ADD",
"OP_83",
"ADD",
"OP_90",
"OP_94",
"MSTORE",
"OP_83",
"OP_83",
"MSTORE",
"OP_97",
"OP_98",
"PUSH1",
"OP_98",
"OP_92",
"OP_97",
"POP",
"OP_91",
"OP_90",
"OP_91",
"ADD",
"OP_94",
"POP",
"OP_90",
"OP_92",
"POP",
"OP_82",
"OP_91",
"POP",
"OP_84",
"ADD",
"OP_83",
"OP_82",
"OP_80",
"OP_82",
"OP_84",
"CALLDATACOPY",
"POP",
"POP",
"PUSH1",
"OP_80",
"MLOAD",
"PUSH1",
"OP_97",
"CALLDATALOAD",
"PUSH1",
"OP_81",
"ADD",
"CALLDATALOAD",
"PUSH1",
"OP_81",
"ADD",
"OP_8A",
"OP_90",
"DIV",
"OP_8A",
"MUL",
"OP_83",
"ADD",
"OP_8A",
"ADD",
"OP_90",
"OP_93",
"MSTORE",
"OP_82",
"OP_82",
"MSTORE",
"OP_96",
"OP_97",
"PUSH1",
"OP_97",
"OP_91",
"OP_96",
"POP",
"PUSH1",
"OP_91",
"OP_90",
"OP_91",
"ADD",
"OP_94",
"POP",
"OP_90",
"OP_92",
"POP",
"OP_82",
"OP_91",
"POP",
"OP_84",
"ADD",
"OP_83",
"OP_82",
"OP_80",
"OP_82",
"OP_84",
"CALLDATACOPY",
"POP",
"OP_94",
"OP_95",
"CALLDATALOAD",
"OP_94",
"POP",
"POP",
"POP",
"POP",
"POP",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"CALLER",
"AND",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
exec
/bin/bash -lc 'pwd && ls -la && rg --files' in /tmp/codex-5xex25yk
succeeded in 0ms:
/tmp/codex-5xex25yk
total 76
drwx------ 2 noahkuhn noahkuhn 4096 Apr 4 21:47 .
drwxrwxrwt 270 nobody nogroup 24576 Apr 4 21:47 ..
-rw-rw-r-- 1 noahkuhn noahkuhn 37441 Apr 4 21:47 BYTECODE_BUNDLE.json
-rw-rw-r-- 1 noahkuhn noahkuhn 815 Apr 4 21:47 codex-output-schema.json
BYTECODE_BUNDLE.json
codex-output-schema.json
exec
/bin/bash -lc "sed -n '261,520p' BYTECODE_BUNDLE.json" in /tmp/codex-5xex25yk
succeeded in 0ms:
"PUSH1",
"OP_81",
"OP_90",
"MSTORE",
"PUSH1",
"OP_81",
"SHA3",
"SLOAD",
"OP_81",
"OP_90",
"OP_81",
"OP_90",
"GT",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 60
},
{
"end_pc": 288,
"hash": "0x642cc68938b66be4efea09837f8f50199940b35a0fed039a0b002c619b89ca4c",
"opcodes": [
"PUSH2",
"JUMP"
],
"start_pc": 285
},
{
"end_pc": 334,
"hash": "0x7a4b724a9079f9888500d6bdbbf1bb1e4c6379dc32b0bc544ae96350c3cab56c",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"CALLDATALOAD",
"PUSH20",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"CALLER",
"AND",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 289
},
{
"end_pc": 338,
"hash": "0xa803d3f2f02d4eaf6625471db4d6220744b092dc943d02a2ba6276a7e7c169df",
"opcodes": [
"PUSH2",
"JUMP"
],
"start_pc": 335
},
{
"end_pc": 362,
"hash": "0xfd9bf5c76eef38972a9f9f4fd2610c82da04ae111a0f1220e4eeeddee8747a30",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"PUSH1",
"OP_81",
"OP_90",
"MSTORE",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"OP_90",
"SHA3",
"SLOAD",
"OP_81",
"JUMP"
],
"start_pc": 339
},
{
"end_pc": 388,
"hash": "0xf5a53136e6b605b7ad8d11cbe70e391adc3ae329ba2eb0054e9502d19b29ff7c",
"opcodes": [
"JUMPDEST",
"CALLER",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"AND",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"OP_81",
"OP_90",
"MSTORE",
"PUSH1",
"OP_90",
"SHA3",
"SLOAD"
],
"start_pc": 363
},
{
"end_pc": 406,
"hash": "0x661ed498ae0390ab965cd36e27112c2cd827ade4e73bb467128d705126f87546",
"opcodes": [
"JUMPDEST",
"PUSH1",
"OP_80",
"MLOAD",
"OP_91",
"OP_82",
"MSTORE",
"MLOAD",
"OP_90",
"OP_81",
"OP_90",
"SUB",
"PUSH1",
"ADD",
"OP_90",
"RETURN"
],
"start_pc": 389
},
{
"end_pc": 565,
"hash": "0x71f0f8b20514ba271190d183aab3e478ddccdadb85c6e52202529b6e86a81419",
"opcodes": [
"JUMPDEST",
"POP",
"PUSH1",
"OP_80",
"MLOAD",
"PUSH32",
"OP_81",
"MSTORE",
"PUSH1",
"OP_81",
"ADD",
"OP_83",
"OP_90",
"MSTORE",
"PUSH1",
"OP_81",
"ADD",
"OP_83",
"OP_90",
"MSTORE",
"PUSH1",
"OP_81",
"ADD",
"OP_83",
"OP_90",
"MSTORE",
"PUSH1",
"OP_81",
"ADD",
"OP_83",
"OP_90",
"MSTORE",
"PUSH1",
"OP_81",
"ADD",
"OP_83",
"OP_90",
"MSTORE",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"CALLER",
"AND",
"PUSH1",
"OP_82",
"ADD",
"MSTORE",
"PUSH1",
"OP_81",
"ADD",
"OP_83",
"OP_90",
"MSTORE",
"OP_90",
"MLOAD",
"PUSH20",
"OP_91",
"OP_82",
"OP_91",
"PUSH4",
"OP_91",
"PUSH1",
"OP_80",
"OP_82",
"ADD",
"OP_92",
"OP_87",
"OP_92",
"OP_90",
"OP_91",
"OP_90",
"OP_82",
"OP_90",
"SUB",
"ADD",
"OP_81",
"OP_83",
"OP_87",
"PUSH2",
"GAS",
"SUB",
"CALL",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 407
},
{
"end_pc": 607,
"hash": "0x7eaed978a65edabb3c7c68f4f41e5611d422ffa786fb8ab46fd458cdd26d2232",
"opcodes": [
"POP",
"POP",
"POP",
"CALLVALUE",
"PUSH1",
"PUSH1",
"POP",
"PUSH1",
"CALLER",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"AND",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"PUSH1",
"SHA3",
exec
/bin/bash -lc "sed -n '521,780p' BYTECODE_BUNDLE.json" in /tmp/codex-5xex25yk
succeeded in 0ms:
"PUSH1",
"POP",
"OP_81",
"OP_90",
"SSTORE",
"POP"
],
"start_pc": 566
},
{
"end_pc": 616,
"hash": "0xad370784d3d661bb137ce5eed8b468a5d5bffc5590963421f0aa67c77da70b11",
"opcodes": [
"JUMPDEST",
"POP",
"OP_94",
"OP_93",
"POP",
"POP",
"POP",
"POP",
"JUMP"
],
"start_pc": 608
},
{
"end_pc": 638,
"hash": "0xb44e6d3e618d2e3f5731f1289f7027584f49381bfc1c65c37c9e21b8e0c9693a",
"opcodes": [
"JUMPDEST",
"CALLVALUE",
"PUSH1",
"MUL",
"ADDRESS",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"AND",
"BALANCE",
"LT",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 617
},
{
"end_pc": 674,
"hash": "0x8f3d70d7533344ffc3d7ac55fce2b1b9d7942c5c8876daa664df785573140805",
"opcodes": [
"PUSH1",
"MLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"CALLER",
"AND",
"OP_90",
"OP_82",
"OP_90",
"CALLVALUE",
"OP_90",
"OP_82",
"OP_81",
"OP_81",
"OP_81",
"OP_85",
"OP_88",
"OP_83",
"CALL",
"OP_93",
"POP",
"POP",
"POP",
"POP",
"POP",
"PUSH2",
"JUMP"
],
"start_pc": 639
},
{
"end_pc": 684,
"hash": "0x011dff5f6fe7a8fb23f3db50fa5492ea668a1c354e24f77c65e3e6d150e23d7a",
"opcodes": [
"JUMPDEST",
"PUSH1",
"OP_81",
"GT",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 675
},
{
"end_pc": 727,
"hash": "0x987c81223e3d66a6fd0f138684d82dff0b056c9a766ff72635e5f2aea6722985",
"opcodes": [
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"OP_82",
"AND",
"PUSH1",
"OP_81",
"OP_81",
"MSTORE",
"PUSH1",
"OP_81",
"OP_90",
"MSTORE",
"PUSH1",
"OP_81",
"SHA3",
"SLOAD",
"PUSH1",
"MUL",
"PUSH1",
"OP_82",
"OP_81",
"OP_81",
"OP_81",
"OP_85",
"OP_88",
"OP_83",
"CALL",
"POP",
"POP",
"POP",
"POP",
"POP"
],
"start_pc": 685
},
{
"end_pc": 753,
"hash": "0xe2face7c116fa35622d8f07446bf3d29ff604655c3e88d267b6213995ab72254",
"opcodes": [
"JUMPDEST",
"PUSH1",
"PUSH1",
"OP_90",
"OP_81",
"SHA3",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"OP_84",
"AND",
"OP_82",
"MSTORE",
"PUSH1",
"OP_82",
"OP_90",
"MSTORE",
"SSTORE"
],
"start_pc": 728
},
{
"end_pc": 757,
"hash": "0x0fc16daef83faf16834bace48487c9d21887917e99abfd1830b5cfefdb3b7d82",
"opcodes": [
"JUMPDEST",
"POP",
"POP",
"JUMP"
],
"start_pc": 754
}
],
"callsites": [
{
"opcode": "CALL",
"pc": 560,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 664,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 722,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"cfg_edges": [
{
"from": "bb:0",
"to": "bb:60",
"type": "control_flow"
},
{
"from": "bb:0",
"to": "bb:25",
"type": "control_flow_fallthrough"
},
{
"from": "bb:25",
"to": "bb:289",
"type": "control_flow"
},
{
"from": "bb:25",
"to": "bb:36",
"type": "control_flow_fallthrough"
},
{
"from": "bb:36",
"to": "bb:339",
"type": "control_flow"
},
{
"from": "bb:36",
"to": "bb:47",
"type": "control_flow_fallthrough"
},
{
"from": "bb:47",
"to": "bb:363",
"type": "control_flow"
},
{
"from": "bb:47",
"to": "bb:58",
"type": "control_flow_fallthrough"
},
{
"from": "bb:60",
"to": "bb:617",
"type": "control_flow"
},
{
"from": "bb:60",
"to": "bb:285",
"type": "control_flow_fallthrough"
},
{
"from": "bb:285",
"to": "bb:608",
"type": "control_flow"
},
{
exec
/bin/bash -lc "rg -n 'selectors|detector|evidence|storage|proxy|slot|function|selector|delegatecall|findings|summary|implementation|1967|beacon|minimal|callsites' BYTECODE_BUNDLE.json" in /tmp/codex-5xex25yk
succeeded in 0ms:
701: "callsites": [
847: "dispatcher_type": "selector_jump_table",
848: "function_entries": [
851: "selector": "0x02110d25"
855: "selector": "0x0553e156"
859: "selector": "0x27e235e3"
863: "selector": "0x6d4ce63c"
866: "functions": [
872: "selector": "0x02110d25",
875: "delegatecall": 0,
879: "storage": {
881: "slots": [],
890: "selector": "0x0553e156",
893: "delegatecall": 0,
897: "storage": {
899: "slots": [],
908: "selector": "0x27e235e3",
911: "delegatecall": 0,
915: "storage": {
917: "slots": [],
926: "selector": "0x6d4ce63c",
929: "delegatecall": 0,
933: "storage": {
935: "slots": [],
940: "selectors": [
950: "delegatecall": 0,
953: "upgrade_slot_write_suspected": false
955: "storage": {
958: "slots": [],
989: "implementation_address": null,
990: "is_proxy": false,
1343: "selector": "0x02110d25",
1344: "type": "function"
1349: "selector": "0x0553e156",
1350: "type": "function"
1355: "selector": "0x27e235e3",
1356: "type": "function"
1361: "selector": "0x6d4ce63c",
1362: "type": "function"
1371: "detector_findings": [
1374: "evidence_json": {
1427: "evidence_json": {
1479: "heuristics_summary": {
1481: "delegatecall_count": 0,
exec
/bin/bash -lc "sed -n '781,1180p' BYTECODE_BUNDLE.json" in /tmp/codex-5xex25yk
succeeded in 0ms:
"from": "bb:289",
"to": "bb:675",
"type": "control_flow"
},
{
"from": "bb:289",
"to": "bb:335",
"type": "control_flow_fallthrough"
},
{
"from": "bb:335",
"to": "bb:754",
"type": "control_flow"
},
{
"from": "bb:363",
"to": "bb:389",
"type": "control_flow_fallthrough"
},
{
"from": "bb:407",
"to": "bb:566",
"type": "control_flow_fallthrough"
},
{
"from": "bb:566",
"to": "bb:608",
"type": "control_flow_fallthrough"
},
{
"from": "bb:617",
"to": "bb:407",
"type": "control_flow"
},
{
"from": "bb:617",
"to": "bb:639",
"type": "control_flow_fallthrough"
},
{
"from": "bb:639",
"to": "bb:608",
"type": "control_flow"
},
{
"from": "bb:675",
"to": "bb:728",
"type": "control_flow"
},
{
"from": "bb:675",
"to": "bb:685",
"type": "control_flow_fallthrough"
},
{
"from": "bb:685",
"to": "bb:728",
"type": "control_flow_fallthrough"
},
{
"from": "bb:728",
"to": "bb:754",
"type": "control_flow_fallthrough"
}
],
"cfg_hash": "0x1d68bae0edbf4be4b6a5277fb6774c265d89d3463615b5745530dfaad9bc049e",
"dispatcher_type": "selector_jump_table",
"function_entries": [
{
"entry_pc": null,
"selector": "0x02110d25"
},
{
"entry_pc": 669136355,
"selector": "0x0553e156"
},
{
"entry_pc": 1833756220,
"selector": "0x27e235e3"
},
{
"entry_pc": null,
"selector": "0x6d4ce63c"
}
],
"functions": [
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0x02110d25",
"sinks": {
"call": 3,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 4,
"slots": [],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 669136355,
"selector": "0x0553e156",
"sinks": {
"call": 3,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 4,
"slots": [],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 1833756220,
"selector": "0x27e235e3",
"sinks": {
"call": 3,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 4,
"slots": [],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0x6d4ce63c",
"sinks": {
"call": 3,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 4,
"slots": [],
"writes": 2
}
}
],
"selectors": [
"0x02110d25",
"0x0553e156",
"0x27e235e3",
"0x6d4ce63c"
],
"sinks": {
"call": 3,
"create": 0,
"create2": 0,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0,
"upgrade_slot_write_suspected": false
},
"storage": {
"keccak_count": 6,
"reads": 4,
"slots": [],
"writes": 2
},
"version": "analysis_artifact_v1"
},
"block_number": null,
"chain_id": 1,
"codehash": "0x7b48ed6c2c5c167f194ba6a013e8339a33ac3c665de3bd98b8fd121e70b415db",
"created_at": "2026-04-04T19:45:14.000000Z",
"id": 1516,
"updated_at": "2026-04-04T19:45:14.000000Z",
"version": "analysis_artifact_v1"
},
"analysis_run": {
"address": "0x4abc539ee0c73725256391bf0eb3fda72e8a59ad",
"block_number": null,
"chain_id": 1,
"child_links": [],
"created_at": "2025-12-19T20:03:50.000000Z",
"id": "019b3836-2209-72d4-9ba8-38d2afe67531",
"parent_links": [],
"status": "running",
"updated_at": "2026-04-04T19:45:14.000000Z"
},
"artifact": {
"codehash": "0x7b48ed6c2c5c167f194ba6a013e8339a33ac3c665de3bd98b8fd121e70b415db",
"compiler_json": {
"etherscan": {
"skipped": true
}
},
"implementation_address": null,
"is_proxy": false,
"runtime_bytecode": {
"full": "0x606060405260e060020a600035046302110d25811461003c5780630553e1561461012157806327e235e3146101535780636d4ce63c1461016b575b005b608060206004803590810135601f810183900490920283016040526060828152610185936024939192840191908190838280828437505060408051602088356004810135601f810183900483028401830190945283835297986044989297509190910194509092508291508401838280828437505060408051602097356004810135601f81018a90048a0283018a0190935282825296976064979196506024919091019450909250829150840183828082843750949535945050505050600160a060020a03331660009081526020819052604081205481908190111561026957610260565b61003a600435602435733c94923400ccc528e8ab0f849edafca06fe332e5600160a060020a033316146102a3576102f2565b61018560043560006020819052908152604090205481565b33600160a060020a03166000908152602081905260409020545b60408051918252519081900360200190f35b50604080517f285bdabf0000000000000000000000000000000000000000000000000000000081526004810183905260248101839052604481018390526064810183905260848101839052600160a060020a03331660a482015260c481018390529051733c94923400ccc528e8ab0f849edafca06fe332e591829163285bdabf9160e4808201928792909190829003018183876161da5a03f11561000257505050346000600050600033600160a060020a03168152602001908152602001600020600050819055505b50949350505050565b3460050230600160a060020a031631101561019757604051600160a060020a033316908290349082818181858883f1935050505050610260565b60008111156102d857600160a060020a038216600081815260208190526040812054600502606082818181858883f150505050505b60406000908120600160a060020a03841682526020829052555b505056",
"head": null,
"length": 1518,
"tail": null,
"truncated": false
},
"verified_source": false
},
"capability_graph": {
"address": "0x4abc539ee0c73725256391bf0eb3fda72e8a59ad",
"block_number": null,
"chain_id": 1,
"codehash": "0x7b48ed6c2c5c167f194ba6a013e8339a33ac3c665de3bd98b8fd121e70b415db",
"created_at": "2026-04-04T19:45:14.000000Z",
"graph_hash": "0x54e3228ca0764fdd64dd40adc6155425c0943a8a77e0f2c45971b3506b4aff94",
"graph_json": {
"edges": [
{
"from": "bb:0",
"to": "bb:60",
"type": "control_flow"
},
{
"from": "bb:0",
"to": "bb:25",
"type": "control_flow_fallthrough"
},
{
"from": "bb:25",
"to": "bb:289",
"type": "control_flow"
},
{
"from": "bb:25",
"to": "bb:36",
"type": "control_flow_fallthrough"
},
{
"from": "bb:36",
"to": "bb:339",
"type": "control_flow"
},
{
"from": "bb:36",
"to": "bb:47",
"type": "control_flow_fallthrough"
},
{
"from": "bb:47",
"to": "bb:363",
"type": "control_flow"
},
{
"from": "bb:47",
"to": "bb:58",
"type": "control_flow_fallthrough"
},
{
"from": "bb:60",
"to": "bb:617",
"type": "control_flow"
},
{
"from": "bb:60",
"to": "bb:285",
"type": "control_flow_fallthrough"
},
{
"from": "bb:285",
"to": "bb:608",
"type": "control_flow"
},
{
"from": "bb:289",
"to": "bb:675",
"type": "control_flow"
},
{
"from": "bb:289",
"to": "bb:335",
"type": "control_flow_fallthrough"
},
{
"from": "bb:335",
"to": "bb:754",
"type": "control_flow"
},
{
"from": "bb:363",
"to": "bb:389",
"type": "control_flow_fallthrough"
},
{
"from": "bb:407",
"to": "bb:566",
"type": "control_flow_fallthrough"
},
{
"from": "bb:566",
"to": "bb:608",
"type": "control_flow_fallthrough"
},
{
"from": "bb:617",
"to": "bb:407",
"type": "control_flow"
},
{
"from": "bb:617",
"to": "bb:639",
"type": "control_flow_fallthrough"
},
{
"from": "bb:639",
"to": "bb:608",
"type": "control_flow"
},
{
"from": "bb:675",
"to": "bb:728",
"type": "control_flow"
},
{
"from": "bb:675",
"to": "bb:685",
"type": "control_flow_fallthrough"
},
{
"from": "bb:685",
"to": "bb:728",
"type": "control_flow_fallthrough"
},
{
"from": "bb:728",
"to": "bb:754",
"type": "control_flow_fallthrough"
},
{
"from": "fn:0x0553e156",
"to": "bb:669136355",
"type": "entry"
},
{
"from": "fn:0x27e235e3",
"to": "bb:1833756220",
"type": "entry"
},
{
"from": "bb:407",
"to": "call:560",
"type": "contains"
},
{
"from": "call:560",
"to": "sink:call",
"type": "capability"
},
{
"from": "bb:639",
"to": "call:664",
"type": "contains"
},
{
"from": "call:664",
"to": "sink:call",
"type": "capability"
},
{
"from": "bb:685",
"to": "call:722",
"type": "contains"
},
{
"from": "call:722",
"to": "sink:call",
"type": "capability"
}
],
"nodes": [
{
"end_pc": 24,
"hash": "0x93ca4665dbfe330c821288cd6949b9310be4f2728d53964a22fdd590ad592f89",
"id": "bb:0",
"start_pc": 0,
"type": "basic_block"
},
{
"end_pc": 35,
"hash": "0xb5d7f780179bc9755f01f90857eeca31fdee433acdebcd1796f56b8b147e1665",
exec
/bin/bash -lc "sed -n '1181,1545p' BYTECODE_BUNDLE.json" in /tmp/codex-5xex25yk
succeeded in 0ms:
"id": "bb:25",
"start_pc": 25,
"type": "basic_block"
},
{
"end_pc": 46,
"hash": "0x50456060237dd3ce9c62e417d037a547761b1e236a40f941860776e484f9a361",
"id": "bb:36",
"start_pc": 36,
"type": "basic_block"
},
{
"end_pc": 57,
"hash": "0x9daae73a044ed9b1f5413bdddef37e8651653994af1b2113b9903da19f6cdea8",
"id": "bb:47",
"start_pc": 47,
"type": "basic_block"
},
{
"end_pc": 59,
"hash": "0x7c03713fe289920bcbc645467e3c26e308b928c57f7f20b00dcee82e881fecf3",
"id": "bb:58",
"start_pc": 58,
"type": "basic_block"
},
{
"end_pc": 284,
"hash": "0x5ffa83adc3fa7e881ab549b7c4e2f11c5b60ee48ca60b808c105c1da34efff27",
"id": "bb:60",
"start_pc": 60,
"type": "basic_block"
},
{
"end_pc": 288,
"hash": "0x642cc68938b66be4efea09837f8f50199940b35a0fed039a0b002c619b89ca4c",
"id": "bb:285",
"start_pc": 285,
"type": "basic_block"
},
{
"end_pc": 334,
"hash": "0x7a4b724a9079f9888500d6bdbbf1bb1e4c6379dc32b0bc544ae96350c3cab56c",
"id": "bb:289",
"start_pc": 289,
"type": "basic_block"
},
{
"end_pc": 338,
"hash": "0xa803d3f2f02d4eaf6625471db4d6220744b092dc943d02a2ba6276a7e7c169df",
"id": "bb:335",
"start_pc": 335,
"type": "basic_block"
},
{
"end_pc": 362,
"hash": "0xfd9bf5c76eef38972a9f9f4fd2610c82da04ae111a0f1220e4eeeddee8747a30",
"id": "bb:339",
"start_pc": 339,
"type": "basic_block"
},
{
"end_pc": 388,
"hash": "0xf5a53136e6b605b7ad8d11cbe70e391adc3ae329ba2eb0054e9502d19b29ff7c",
"id": "bb:363",
"start_pc": 363,
"type": "basic_block"
},
{
"end_pc": 406,
"hash": "0x661ed498ae0390ab965cd36e27112c2cd827ade4e73bb467128d705126f87546",
"id": "bb:389",
"start_pc": 389,
"type": "basic_block"
},
{
"end_pc": 565,
"hash": "0x71f0f8b20514ba271190d183aab3e478ddccdadb85c6e52202529b6e86a81419",
"id": "bb:407",
"start_pc": 407,
"type": "basic_block"
},
{
"end_pc": 607,
"hash": "0x7eaed978a65edabb3c7c68f4f41e5611d422ffa786fb8ab46fd458cdd26d2232",
"id": "bb:566",
"start_pc": 566,
"type": "basic_block"
},
{
"end_pc": 616,
"hash": "0xad370784d3d661bb137ce5eed8b468a5d5bffc5590963421f0aa67c77da70b11",
"id": "bb:608",
"start_pc": 608,
"type": "basic_block"
},
{
"end_pc": 638,
"hash": "0xb44e6d3e618d2e3f5731f1289f7027584f49381bfc1c65c37c9e21b8e0c9693a",
"id": "bb:617",
"start_pc": 617,
"type": "basic_block"
},
{
"end_pc": 674,
"hash": "0x8f3d70d7533344ffc3d7ac55fce2b1b9d7942c5c8876daa664df785573140805",
"id": "bb:639",
"start_pc": 639,
"type": "basic_block"
},
{
"end_pc": 684,
"hash": "0x011dff5f6fe7a8fb23f3db50fa5492ea668a1c354e24f77c65e3e6d150e23d7a",
"id": "bb:675",
"start_pc": 675,
"type": "basic_block"
},
{
"end_pc": 727,
"hash": "0x987c81223e3d66a6fd0f138684d82dff0b056c9a766ff72635e5f2aea6722985",
"id": "bb:685",
"start_pc": 685,
"type": "basic_block"
},
{
"end_pc": 753,
"hash": "0xe2face7c116fa35622d8f07446bf3d29ff604655c3e88d267b6213995ab72254",
"id": "bb:728",
"start_pc": 728,
"type": "basic_block"
},
{
"end_pc": 757,
"hash": "0x0fc16daef83faf16834bace48487c9d21887917e99abfd1830b5cfefdb3b7d82",
"id": "bb:754",
"start_pc": 754,
"type": "basic_block"
},
{
"id": "call:560",
"opcode": "CALL",
"pc": 560,
"type": "callsite"
},
{
"id": "call:664",
"opcode": "CALL",
"pc": 664,
"type": "callsite"
},
{
"id": "call:722",
"opcode": "CALL",
"pc": 722,
"type": "callsite"
},
{
"id": "sink:call",
"type": "sink"
},
{
"entry_pc": null,
"id": "fn:0x02110d25",
"selector": "0x02110d25",
"type": "function"
},
{
"entry_pc": 669136355,
"id": "fn:0x0553e156",
"selector": "0x0553e156",
"type": "function"
},
{
"entry_pc": 1833756220,
"id": "fn:0x27e235e3",
"selector": "0x27e235e3",
"type": "function"
},
{
"entry_pc": null,
"id": "fn:0x6d4ce63c",
"selector": "0x6d4ce63c",
"type": "function"
}
],
"version": "capability_graph_v1"
},
"id": 1516,
"updated_at": "2026-04-04T19:45:14.000000Z",
"version": "capability_graph_v1"
},
"detector_findings": [
{
"confidence": 60,
"evidence_json": {
"call_count": 3,
"examples": [
{
"opcode": "CALL",
"pc": 560,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 664,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 722,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": [],
"untrusted_call_count": 3
},
"normalized_json": {
"sink": "CALL"
},
"severity": "high",
"title": "Untrusted CALL target/value reachable",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x3c94923400ccc528e8ab0f849edafca06fe332e5",
"0x4abc539ee0c73725256391bf0eb3fda72e8a59ad"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x1875aab3cf795c27a3fc6a70fed980723834ecaf9edc64db60bec00bc34c51ef",
"trace_mode": "callTracer"
}
},
{
"confidence": 55,
"evidence_json": {
"eth_value_calls": 3,
"examples": [
{
"opcode": "CALL",
"pc": 560,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 664,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 722,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": []
},
"normalized_json": {
"sink": "CALL",
"value": "nonzero"
},
"severity": "high",
"title": "ETH value transfer possible",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x3c94923400ccc528e8ab0f849edafca06fe332e5",
"0x4abc539ee0c73725256391bf0eb3fda72e8a59ad"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x1875aab3cf795c27a3fc6a70fed980723834ecaf9edc64db60bec00bc34c51ef",
"trace_mode": "callTracer"
}
}
],
"heuristics_summary": {
"create2_count": 0,
"delegatecall_count": 0,
"flags": [],
"selfdestruct_count": 0
}
}
exec
/bin/bash -lc "node -e \"const fs=require('fs');const j=JSON.parse(fs.readFileSync('BYTECODE_BUNDLE.json','utf8')); console.log(JSON.stringify({detector_findings:j.detector_findings, heuristics_summary:j.heuristics_summary, evidence_bundle:j.evidence_bundle}, null, 2));\"" in /tmp/codex-5xex25yk
succeeded in 0ms:
{
"detector_findings": [
{
"confidence": 60,
"evidence_json": {
"call_count": 3,
"examples": [
{
"opcode": "CALL",
"pc": 560,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 664,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 722,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": [],
"untrusted_call_count": 3
},
"normalized_json": {
"sink": "CALL"
},
"severity": "high",
"title": "Untrusted CALL target/value reachable",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x3c94923400ccc528e8ab0f849edafca06fe332e5",
"0x4abc539ee0c73725256391bf0eb3fda72e8a59ad"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x1875aab3cf795c27a3fc6a70fed980723834ecaf9edc64db60bec00bc34c51ef",
"trace_mode": "callTracer"
}
},
{
"confidence": 55,
"evidence_json": {
"eth_value_calls": 3,
"examples": [
{
"opcode": "CALL",
"pc": 560,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 664,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 722,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": []
},
"normalized_json": {
"sink": "CALL",
"value": "nonzero"
},
"severity": "high",
"title": "ETH value transfer possible",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x3c94923400ccc528e8ab0f849edafca06fe332e5",
"0x4abc539ee0c73725256391bf0eb3fda72e8a59ad"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x1875aab3cf795c27a3fc6a70fed980723834ecaf9edc64db60bec00bc34c51ef",
"trace_mode": "callTracer"
}
}
],
"heuristics_summary": {
"create2_count": 0,
"delegatecall_count": 0,
"flags": [],
"selfdestruct_count": 0
}
}
exec
/bin/bash -lc "node - <<'NODE'
const fs=require('fs');
const j=JSON.parse(fs.readFileSync('BYTECODE_BUNDLE.json','utf8'));
const hex=j.artifact.runtime_bytecode.full.slice(2);
const opnames={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'};
for(let i=1;i<=32;i++){opnames[0x5f+i]='PUSH'+i;opnames[0x7f+i]='DUP'+i;opnames[0x8f+i]='SWAP'+i;}
for(let i=0;i<hex.length;){
const pc=i/2; const op=parseInt(hex.slice(i,i+2),16); i+=2;
let name=opnames[op]||('OP_'+op.toString(16));
if(op>=0x60 && op<=0x7f){const n=op-0x5f; const data=hex.slice(i,i+2*n); i+=2*n; console.log(pc.toString().padStart(4), name.padEnd(8), data);}
else console.log(pc.toString().padStart(4), name);
}
NODE" in /tmp/codex-5xex25yk
succeeded in 0ms:
0 PUSH1 60
2 PUSH1 40
4 MSTORE
5 PUSH1 e0
7 PUSH1 02
9 EXP
10 PUSH1 00
12 CALLDATALOAD
13 DIV
14 PUSH4 02110d25
19 DUP2
20 EQ
21 PUSH2 003c
24 JUMPI
25 DUP1
26 PUSH4 0553e156
31 EQ
32 PUSH2 0121
35 JUMPI
36 DUP1
37 PUSH4 27e235e3
42 EQ
43 PUSH2 0153
46 JUMPI
47 DUP1
48 PUSH4 6d4ce63c
53 EQ
54 PUSH2 016b
57 JUMPI
58 JUMPDEST
59 STOP
60 JUMPDEST
61 PUSH1 80
63 PUSH1 20
65 PUSH1 04
67 DUP1
68 CALLDATALOAD
69 DUP17
70 DUP2
71 ADD
72 CALLDATALOAD
73 PUSH1 1f
75 DUP2
76 ADD
77 DUP4
78 DUP17
79 DIV
80 DUP17
81 DUP19
82 MUL
83 DUP4
84 ADD
85 PUSH1 40
87 MSTORE
88 PUSH1 60
90 DUP3
91 DUP2
92 MSTORE
93 PUSH2 0185
96 DUP20
97 PUSH1 24
99 DUP20
100 DUP18
101 DUP19
102 DUP5
103 ADD
104 DUP18
105 DUP17
106 DUP2
107 DUP17
108 DUP4
109 DUP3
110 DUP1
111 DUP3
112 DUP5
113 CALLDATACOPY
114 POP
115 POP
116 PUSH1 40
118 DUP1
119 MLOAD
120 PUSH1 20
122 DUP9
123 CALLDATALOAD
124 PUSH1 04
126 DUP2
127 ADD
128 CALLDATALOAD
129 PUSH1 1f
131 DUP2
132 ADD
133 DUP4
134 DUP17
135 DIV
136 DUP4
137 MUL
138 DUP5
139 ADD
140 DUP4
141 ADD
142 DUP17
143 DUP21
144 MSTORE
145 DUP4
146 DUP4
147 MSTORE
148 DUP24
149 DUP25
150 PUSH1 44
152 DUP25
153 DUP19
154 DUP24
155 POP
156 DUP18
157 DUP17
158 DUP18
159 ADD
160 DUP21
161 POP
162 DUP17
163 DUP19
164 POP
165 DUP3
166 DUP18
167 POP
168 DUP5
169 ADD
170 DUP4
171 DUP3
172 DUP1
173 DUP3
174 DUP5
175 CALLDATACOPY
176 POP
177 POP
178 PUSH1 40
180 DUP1
181 MLOAD
182 PUSH1 20
184 DUP24
185 CALLDATALOAD
186 PUSH1 04
188 DUP2
189 ADD
190 CALLDATALOAD
191 PUSH1 1f
193 DUP2
194 ADD
195 DUP11
196 DUP17
197 DIV
198 DUP11
199 MUL
200 DUP4
201 ADD
202 DUP11
203 ADD
204 DUP17
205 DUP20
206 MSTORE
207 DUP3
208 DUP3
209 MSTORE
210 DUP23
211 DUP24
212 PUSH1 64
214 DUP24
215 DUP18
216 DUP23
217 POP
218 PUSH1 24
220 DUP18
221 DUP17
222 DUP18
223 ADD
224 DUP21
225 POP
226 DUP17
227 DUP19
228 POP
229 DUP3
230 DUP18
231 POP
232 DUP5
233 ADD
234 DUP4
235 DUP3
236 DUP1
237 DUP3
238 DUP5
239 CALLDATACOPY
240 POP
241 DUP21
242 DUP22
243 CALLDATALOAD
244 DUP21
245 POP
246 POP
247 POP
248 POP
249 POP
250 PUSH1 01
252 PUSH1 a0
254 PUSH1 02
256 EXP
257 SUB
258 CALLER
259 AND
260 PUSH1 00
262 DUP17
263 DUP2
264 MSTORE
265 PUSH1 20
267 DUP2
268 DUP17
269 MSTORE
270 PUSH1 40
272 DUP2
273 SHA3
274 SLOAD
275 DUP2
276 DUP17
277 DUP2
278 DUP17
279 GT
280 ISZERO
281 PUSH2 0269
284 JUMPI
285 PUSH2 0260
288 JUMP
289 JUMPDEST
290 PUSH2 003a
293 PUSH1 04
295 CALLDATALOAD
296 PUSH1 24
298 CALLDATALOAD
299 PUSH20 3c94923400ccc528e8ab0f849edafca06fe332e5
320 PUSH1 01
322 PUSH1 a0
324 PUSH1 02
326 EXP
327 SUB
328 CALLER
329 AND
330 EQ
331 PUSH2 02a3
334 JUMPI
335 PUSH2 02f2
338 JUMP
339 JUMPDEST
340 PUSH2 0185
343 PUSH1 04
345 CALLDATALOAD
346 PUSH1 00
348 PUSH1 20
350 DUP2
351 DUP17
352 MSTORE
353 DUP17
354 DUP2
355 MSTORE
356 PUSH1 40
358 DUP17
359 SHA3
360 SLOAD
361 DUP2
362 JUMP
363 JUMPDEST
364 CALLER
365 PUSH1 01
367 PUSH1 a0
369 PUSH1 02
371 EXP
372 SUB
373 AND
374 PUSH1 00
376 DUP17
377 DUP2
378 MSTORE
379 PUSH1 20
381 DUP2
382 DUP17
383 MSTORE
384 PUSH1 40
386 DUP17
387 SHA3
388 SLOAD
389 JUMPDEST
390 PUSH1 40
392 DUP1
393 MLOAD
394 DUP18
395 DUP3
396 MSTORE
397 MLOAD
398 DUP17
399 DUP2
400 DUP17
401 SUB
402 PUSH1 20
404 ADD
405 DUP17
406 RETURN
407 JUMPDEST
408 POP
409 PUSH1 40
411 DUP1
412 MLOAD
413 PUSH32 285bdabf00000000000000000000000000000000000000000000000000000000
446 DUP2
447 MSTORE
448 PUSH1 04
450 DUP2
451 ADD
452 DUP4
453 DUP17
454 MSTORE
455 PUSH1 24
457 DUP2
458 ADD
459 DUP4
460 DUP17
461 MSTORE
462 PUSH1 44
464 DUP2
465 ADD
466 DUP4
467 DUP17
468 MSTORE
469 PUSH1 64
471 DUP2
472 ADD
473 DUP4
474 DUP17
475 MSTORE
476 PUSH1 84
478 DUP2
479 ADD
480 DUP4
481 DUP17
482 MSTORE
483 PUSH1 01
485 PUSH1 a0
487 PUSH1 02
489 EXP
490 SUB
491 CALLER
492 AND
493 PUSH1 a4
495 DUP3
496 ADD
497 MSTORE
498 PUSH1 c4
500 DUP2
501 ADD
502 DUP4
503 DUP17
504 MSTORE
505 DUP17
506 MLOAD
507 PUSH20 3c94923400ccc528e8ab0f849edafca06fe332e5
528 DUP18
529 DUP3
530 DUP18
531 PUSH4 285bdabf
536 DUP18
537 PUSH1 e4
539 DUP1
540 DUP3
541 ADD
542 DUP19
543 DUP8
544 DUP19
545 DUP17
546 DUP18
547 DUP17
548 DUP3
549 DUP17
550 SUB
551 ADD
552 DUP2
553 DUP4
554 DUP8
555 PUSH2 61da
558 GAS
559 SUB
560 CALL
561 ISZERO
562 PUSH2 0002
565 JUMPI
566 POP
567 POP
568 POP
569 CALLVALUE
570 PUSH1 00
572 PUSH1 00
574 POP
575 PUSH1 00
577 CALLER
578 PUSH1 01
580 PUSH1 a0
582 PUSH1 02
584 EXP
585 SUB
586 AND
587 DUP2
588 MSTORE
589 PUSH1 20
591 ADD
592 DUP17
593 DUP2
594 MSTORE
595 PUSH1 20
597 ADD
598 PUSH1 00
600 SHA3
601 PUSH1 00
603 POP
604 DUP2
605 DUP17
606 SSTORE
607 POP
608 JUMPDEST
609 POP
610 DUP21
611 DUP20
612 POP
613 POP
614 POP
615 POP
616 JUMP
617 JUMPDEST
618 CALLVALUE
619 PUSH1 05
621 MUL
622 ADDRESS
623 PUSH1 01
625 PUSH1 a0
627 PUSH1 02
629 EXP
630 SUB
631 AND
632 BALANCE
633 LT
634 ISZERO
635 PUSH2 0197
638 JUMPI
639 PUSH1 40
641 MLOAD
642 PUSH1 01
644 PUSH1 a0
646 PUSH1 02
648 EXP
649 SUB
650 CALLER
651 AND
652 DUP17
653 DUP3
654 DUP17
655 CALLVALUE
656 DUP17
657 DUP3
658 DUP2
659 DUP2
660 DUP2
661 DUP6
662 DUP9
663 DUP4
664 CALL
665 DUP20
666 POP
667 POP
668 POP
669 POP
670 POP
671 PUSH2 0260
674 JUMP
675 JUMPDEST
676 PUSH1 00
678 DUP2
679 GT
680 ISZERO
681 PUSH2 02d8
684 JUMPI
685 PUSH1 01
687 PUSH1 a0
689 PUSH1 02
691 EXP
692 SUB
693 DUP3
694 AND
695 PUSH1 00
697 DUP2
698 DUP2
699 MSTORE
700 PUSH1 20
702 DUP2
703 DUP17
704 MSTORE
705 PUSH1 40
707 DUP2
708 SHA3
709 SLOAD
710 PUSH1 05
712 MUL
713 PUSH1 60
715 DUP3
716 DUP2
717 DUP2
718 DUP2
719 DUP6
720 DUP9
721 DUP4
722 CALL
723 POP
724 POP
725 POP
726 POP
727 POP
728 JUMPDEST
729 PUSH1 40
731 PUSH1 00
733 DUP17
734 DUP2
735 SHA3
736 PUSH1 01
738 PUSH1 a0
740 PUSH1 02
742 EXP
743 SUB
744 DUP5
745 AND
746 DUP3
747 MSTORE
748 PUSH1 20
750 DUP3
751 DUP17
752 MSTORE
753 SSTORE
754 JUMPDEST
755 POP
756 POP
757 JUMP
exec
/bin/bash -lc "node - <<'NODE'
const fs=require('fs');
const j=JSON.parse(fs.readFileSync('BYTECODE_BUNDLE.json','utf8'));
const hex=j.artifact.runtime_bytecode.full.slice(2);
const opnames={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0xf1:'CALL',0xf3:'RETURN'};
for(let i=1;i<=32;i++){opnames[0x5f+i]='PUSH'+i;opnames[0x7f+i]='DUP'+i;opnames[0x8f+i]='SWAP'+i;}
let ops=[]; for(let i=0;i<hex.length;){ const pc=i/2; const op=parseInt(hex.slice(i,i+2),16); i+=2; let arg=null; if(op>=0x60&&op<=0x7f){const n=op-0x5f; arg='0x'+hex.slice(i,i+2*n); i+=2*n;} ops.push({pc,op,name:opnames[op]||('OP_'+op.toString(16)),arg}); }
function segment(start,end){return ops.filter(o=>o.pc>=start&&o.pc<=end);}
function sim(start,end,depth=25){
let st=[]; for(let i=0;i<depth;i++) st.push('s'+i); // bottom..top
let mem={};
const seg=segment(start,end);
function pop(){return st.pop();}
function push(x){st.push(x);}
for(const o of seg){
const n=o.name;
if(n.startsWith('PUSH')) push(o.arg);
else if(n.startsWith('DUP')) {const k=+n.slice(3); push(st[st.length-k]);}
else if(n.startsWith('SWAP')) {const k=+n.slice(4); const a=st.length-1,b=st.length-1-k; [st[a],st[b]]=[st[b],st[a]];}
else if(['ADD','SUB','MUL','DIV','AND','EQ','LT','GT'].includes(n)){const a=pop(),b=pop(); push("'`(${b} ${n} ${a})`);}
else if(n==='"'ISZERO'){const a=pop(); push("'`iszero(${a})`);}
else if(n==='"'MLOAD'){const a=pop(); push("'`m[${a}]`);}
else if(n==='"'MSTORE'){const a=pop(), b=pop(); mem[a]=b; }
else if(n==='SHA3'){const a=pop(),b=pop(); push("'`sha3(${b},${a})`);}
else if(n==='"'SLOAD'){const a=pop(); push("'`sload(${a})`);}
else if(n==='"'SSTORE'){const a=pop(),b=pop(); console.log('SSTORE key',a,'val',b);}
else if(n==='CALL'){const gas=pop(),to=pop(),value=pop(),inOfs=pop(),inSz=pop(),outOfs=pop(),outSz=pop(); push("'`call(${to}, value=${value}, gas=${gas}, in=${inOfs}/${inSz}, out=${outOfs}/${outSz})`); console.log('"'CALL at',o.pc,{gas,to,value,inOfs,inSz,outOfs,outSz}); }
else if(n==='CALLER') push('CALLER');
else if(n==='CALLVALUE') push('CALLVALUE');
else if(n==='ADDRESS') push('ADDRESS');
else if(n==='BALANCE'){const a=pop(); push("'`balance(${a})`);}
else if(n==='"'POP'){pop();}
else if(n==='JUMPI'){const dst=pop(), cond=pop(); console.log('JUMPI',o.pc,'dst',dst,'cond',cond);}
else if(n==='JUMP'){const dst=pop(); console.log('JUMP',o.pc,'dst',dst);}
else if(n==='JUMPDEST'||n==='STOP'||n==='RETURN') {}
else {console.log('unhandled',o.pc,n); break;}
}
console.log('final stack top',st.slice(-12));
}
console.log('Segment 617-664'); sim(617,664,30);
console.log('Segment 675-753'); sim(675,753,30);
NODE" in /tmp/codex-5xex25yk
succeeded in 0ms:
Segment 617-664
unhandled 629 EXP
final stack top [
's23',
's24',
's25',
's26',
's27',
's28',
's29',
'(CALLVALUE MUL 0x05)',
'ADDRESS',
'0x01',
'0xa0',
'0x02'
]
Segment 675-753
JUMPI 684 dst 0x02d8 cond iszero((0x00 GT s29))
unhandled 691 EXP
final stack top [
's21', 's22', 's23',
's24', 's25', 's26',
's27', 's28', 's29',
'0x01', '0xa0', '0x02'
]
exec
/bin/bash -lc "node - <<'NODE'
const fs=require('fs');
const j=JSON.parse(fs.readFileSync('BYTECODE_BUNDLE.json','utf8'));
const hex=j.artifact.runtime_bytecode.full.slice(2);
const opnames={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x37:'CALLDATACOPY',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x5a:'GAS',0x5b:'JUMPDEST',0xf1:'CALL',0xf3:'RETURN'};
for(let i=1;i<=32;i++){opnames[0x5f+i]='PUSH'+i;opnames[0x7f+i]='DUP'+i;opnames[0x8f+i]='SWAP'+i;}
let ops=[]; for(let i=0;i<hex.length;){ const pc=i/2; const op=parseInt(hex.slice(i,i+2),16); i+=2; let arg=null; if(op>=0x60&&op<=0x7f){const n=op-0x5f; arg='0x'+hex.slice(i,i+2*n); i+=2*n;} ops.push({pc,op,name:opnames[op]||('OP_'+op.toString(16)),arg}); }
function segment(start,end){return ops.filter(o=>o.pc>=start&&o.pc<=end);}
function bin(name,a,b){return '('+b+' '+name+' '+a+')';}
function sim(start,end,depth=30){
let st=[]; for(let i=0;i<depth;i++) st.push('s'+i); // bottom..top
const seg=segment(start,end);
function pop(){return st.pop();}
function push(x){st.push(x);}
for(const o of seg){
const n=o.name;
if(n.startsWith('PUSH')) push(o.arg);
else if(n.startsWith('DUP')) {const k=+n.slice(3); push(st[st.length-k]);}
else if(n.startsWith('SWAP')) {const k=+n.slice(4); const a=st.length-1,b=st.length-1-k; [st[a],st[b]]=[st[b],st[a]];}
else if(['ADD','SUB','MUL','DIV','AND','EQ','LT','GT','EXP'].includes(n)){const a=pop(),b=pop(); push(bin(n,a,b));}
else if(n==='ISZERO'){const a=pop(); push('iszero('+a+')');}
else if(n==='MLOAD'){const a=pop(); push('m['+a+']');}
else if(n==='MSTORE'){const ofs=pop(), val=pop(); /* ignore */ }
else if(n==='SHA3'){const size=pop(),ofs=pop(); push('sha3('+ofs+','+size+')');}
else if(n==='SLOAD'){const a=pop(); push('sload('+a+')');}
else if(n==='SSTORE'){const key=pop(),val=pop(); console.log('SSTORE at',o.pc,'key',key,'val',val);}
else if(n==='CALL'){const gas=pop(),to=pop(),value=pop(),inOfs=pop(),inSz=pop(),outOfs=pop(),outSz=pop(); console.log('CALL at',o.pc,{gas,to,value,inOfs,inSz,outOfs,outSz}); push('callret');}
else if(n==='CALLER') push('CALLER');
else if(n==='CALLVALUE') push('CALLVALUE');
else if(n==='ADDRESS') push('ADDRESS');
else if(n==='BALANCE'){const a=pop(); push('balance('+a+')');}
else if(n==='POP'){pop();}
else if(n==='JUMPI'){const dst=pop(), cond=pop(); console.log('JUMPI at',o.pc,'dst',dst,'cond',cond);}
else if(n==='JUMP'){const dst=pop(); console.log('JUMP at',o.pc,'dst',dst);}
else if(n==='GAS') push('GAS');
else if(n==='JUMPDEST'||n==='STOP'||n==='RETURN') {}
else {console.log('unhandled',o.pc,n); break;}
}
console.log('top',st.slice(-15));
}
console.log('617-664'); sim(617,664,35);
console.log('675-753'); sim(675,753,35);
console.log('407-607'); sim(407,607,40);
NODE" in /tmp/codex-5xex25yk
succeeded in 0ms:
617-664
JUMPI at 638 dst 0x0197 cond iszero(((CALLVALUE MUL 0x05) LT balance((ADDRESS AND (0x01 SUB (0xa0 EXP 0x02))))))
CALL at 664 {
gas: 's22',
to: 'm[0x40]',
value: 'CALLVALUE',
inOfs: 's24',
inSz: 's22',
outOfs: 's24',
outSz: 's22'
}
top [
's28',
's29',
's30',
's31',
's32',
's33',
's34',
'm[0x40]',
'((0x01 SUB (0xa0 EXP 0x02)) AND CALLER)',
's20',
'm[0x40]',
's22',
'CALLVALUE',
's24',
'callret'
]
675-753
JUMPI at 684 dst 0x02d8 cond iszero((0x00 GT s34))
CALL at 722 {
gas: '0x20',
to: '0x00',
value: '(sload(sha3(0x40,0x20)) MUL 0x05)',
inOfs: '0x60',
inSz: '0x20',
outOfs: '0x60',
outSz: '0x20'
}
SSTORE at 753 key 0x20 val sha3(s21,0x00)
top [
's23',
's24',
's25',
's26',
's27',
's28',
's29',
's30',
's31',
's32',
's33',
's34',
'((0x01 SUB (0xa0 EXP 0x02)) AND s33)',
'0x40',
'0x00'
]
407-607
CALL at 560 {
gas: '(0x61da SUB GAS)',
to: 's37',
value: '(0x24 ADD (0x04 ADD m[0x40]))',
inOfs: '(0x24 ADD (0x04 ADD m[0x40]))',
inSz: '((0x64 ADD (0x44 ADD (0x24 ADD (0x04 ADD m[0x40])))) ADD ((0x24 ADD (0x04 ADD m[0x40])) SUB (0xc4 ADD (0x84 ADD (0x64 ADD (0x44 ADD (0x24 ADD (0x04 ADD m[0x40]))))))))',
outOfs: '(0x24 ADD (0x04 ADD m[0x40]))',
outSz: '(0x24 ADD (0x04 ADD m[0x40]))'
}
JUMPI at 565 dst 0x0002 cond iszero(callret)
SSTORE at 606 key (0x44 ADD (0x24 ADD (0x04 ADD m[0x40]))) val 0x00
top [
'(0x44 ADD (0x24 ADD (0x04 ADD m[0x40])))',
'(0x64 ADD (0x44 ADD (0x24 ADD (0x04 ADD m[0x40]))))',
'(0x84 ADD (0x64 ADD (0x44 ADD (0x24 ADD (0x04 ADD m[0x40])))))',
'(0xc4 ADD (0x84 ADD (0x64 ADD (0x44 ADD (0x24 ADD (0x04 ADD m[0x40]))))))',
'm[s30]',
'0x3c94923400ccc528e8ab0f849edafca06fe332e5',
's31',
'm[s30]',
's33',
'0x285bdabf',
's35',
'0xe4',
'(0xe4 ADD s35)',
'CALLVALUE',
'0x00'
]
codex
{"no_findings":false,"summary":"Bytecode-only review indicates a balance-mapping contract with three CALL sites, no proxy/delegatecall behavior, and a privileged external dependency at 0x3c94923400ccc528e8ab0f849edafca06fe332e5. The main risks are a call-before-write payout path and an unchecked low-level CALL that can break accounting if ETH delivery fails.","findings":[{"severity":"medium","category":"reentrancy","title":"Value-bearing external call happens before the balance slot is updated","exploit_scenario":"On selector 0x0553e156, the contract first authenticates a hardcoded external caller, then reads a per-address slot, computes a payout, performs a low-level CALL, and only afterward writes storage. If the payout recipient is a contract, reentrant control is exposed while the old balance is still live. Exploitability is reduced by the hardcoded-caller gate, but if that privileged external contract is compromised, upgradeable, or can be induced to recurse, the stale slot can be consumed multiple times before the write lands.","recommendation":"Apply checks-effects-interactions on this path: update or zero the balance slot before the external CALL, add a reentrancy guard, and prefer pull-based withdrawals over inline ETH sends.","evidence":"Selector 0x0553e156 reaches the payout branch at pc 0x2a3. That branch loads the mapping value with SLOAD at pc 0x2c5, multiplies by 5 at pc 0x2c9, executes CALL at pc 0x2d2, and only later performs SSTORE at pc 0x2f1. The same selector is gated by a hardcoded caller check against 0x3c94923400ccc528e8ab0f849edafca06fe332e5 around pc 0x12b-0x14a.","locations":["selector:0x0553e156","pc:0x2c5","pc:0x2d2","pc:0x2f1"]},{"severity":"medium","category":"other","title":"Unchecked low-level CALL can desynchronize storage from actual ETH delivery","exploit_scenario":"The payout CALL on selector 0x0553e156 does not have an observed success check before execution continues into storage mutation. A recipient contract can deliberately revert or otherwise make the CALL fail, yet the function can still proceed to mutate the tracked slot as if payment succeeded, causing lost funds or broken internal accounting. This is especially concerning on a balance-like mapping, since getters expose the slot directly.","recommendation":"Require the low-level CALL to succeed before mutating storage, or revert on failure and leave the slot unchanged. If best-effort delivery is intended, separate accounting from delivery and record failed withdrawals explicitly.","evidence":"At pc 0x2d2 the contract executes a CALL, then only POPs stack values and falls through to SSTORE at pc 0x2f1; there is no ISZERO/JUMPI-style success check on this path. By contrast, the fixed-address CALL at pc 0x230 is followed by an explicit failure branch at pc 0x232-0x235, which highlights the absence of equivalent handling here.","locations":["selector:0x0553e156","pc:0x2d2","pc:0x2f1","pc:0x230"]}]}
tokens used
60,219
{
"codex": {
"ran_at": "2026-04-04T21:50:53.903600+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 1518,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "Bytecode-only review indicates a balance-mapping contract with three CALL sites, no proxy/delegatecall behavior, and a privileged external dependency at 0x3c94923400ccc528e8ab0f849edafca06fe332e5. The main risks are a call-before-write payout path and an unchecked low-level CALL that can break accounting if ETH delivery fails.",
"raw_final": {
"summary": "Bytecode-only review indicates a balance-mapping contract with three CALL sites, no proxy/delegatecall behavior, and a privileged external dependency at 0x3c94923400ccc528e8ab0f849edafca06fe332e5. The main risks are a call-before-write payout path and an unchecked low-level CALL that can break accounting if ETH delivery fails.",
"findings": [
{
"title": "Value-bearing external call happens before the balance slot is updated",
"category": "reentrancy",
"evidence": "Selector 0x0553e156 reaches the payout branch at pc 0x2a3. That branch loads the mapping value with SLOAD at pc 0x2c5, multiplies by 5 at pc 0x2c9, executes CALL at pc 0x2d2, and only later performs SSTORE at pc 0x2f1. The same selector is gated by a hardcoded caller check against 0x3c94923400ccc528e8ab0f849edafca06fe332e5 around pc 0x12b-0x14a.",
"severity": "medium",
"locations": [
"selector:0x0553e156",
"pc:0x2c5",
"pc:0x2d2",
"pc:0x2f1"
],
"recommendation": "Apply checks-effects-interactions on this path: update or zero the balance slot before the external CALL, add a reentrancy guard, and prefer pull-based withdrawals over inline ETH sends.",
"exploit_scenario": "On selector 0x0553e156, the contract first authenticates a hardcoded external caller, then reads a per-address slot, computes a payout, performs a low-level CALL, and only afterward writes storage. If the payout recipient is a contract, reentrant control is exposed while the old balance is still live. Exploitability is reduced by the hardcoded-caller gate, but if that privileged external contract is compromised, upgradeable, or can be induced to recurse, the stale slot can be consumed multiple times before the write lands."
},
{
"title": "Unchecked low-level CALL can desynchronize storage from actual ETH delivery",
"category": "other",
"evidence": "At pc 0x2d2 the contract executes a CALL, then only POPs stack values and falls through to SSTORE at pc 0x2f1; there is no ISZERO/JUMPI-style success check on this path. By contrast, the fixed-address CALL at pc 0x230 is followed by an explicit failure branch at pc 0x232-0x235, which highlights the absence of equivalent handling here.",
"severity": "medium",
"locations": [
"selector:0x0553e156",
"pc:0x2d2",
"pc:0x2f1",
"pc:0x230"
],
"recommendation": "Require the low-level CALL to succeed before mutating storage, or revert on failure and leave the slot unchanged. If best-effort delivery is intended, separate accounting from delivery and record failed withdrawals explicitly.",
"exploit_scenario": "The payout CALL on selector 0x0553e156 does not have an observed success check before execution continues into storage mutation. A recipient contract can deliberately revert or otherwise make the CALL fail, yet the function can still proceed to mutate the tracked slot as if payment succeeded, causing lost funds or broken internal accounting. This is especially concerning on a balance-like mapping, since getters expose the slot directly."
}
],
"no_findings": false
},
"no_findings": false,
"schema_version": 1
}
00000000: PUSH1 0x60 00000002: PUSH1 0x40 00000004: MSTORE 00000005: PUSH1 0xe0 00000007: PUSH1 0x02 00000009: EXP 0000000a: PUSH1 0x00 0000000c: CALLDATALOAD 0000000d: DIV 0000000e: PUSH4 0x02110d25 00000013: DUP2 00000014: EQ 00000015: PUSH2 0x003c 00000018: JUMPI 00000019: DUP1 0000001a: PUSH4 0x0553e156 0000001f: EQ 00000020: PUSH2 0x0121 00000023: JUMPI 00000024: DUP1 00000025: PUSH4 0x27e235e3 0000002a: EQ 0000002b: PUSH2 0x0153 0000002e: JUMPI 0000002f: DUP1 00000030: PUSH4 0x6d4ce63c 00000035: EQ 00000036: PUSH2 0x016b 00000039: JUMPI 0000003a: JUMPDEST 0000003b: STOP 0000003c: JUMPDEST 0000003d: PUSH1 0x80 0000003f: PUSH1 0x20 00000041: PUSH1 0x04 00000043: DUP1 00000044: CALLDATALOAD 00000045: SWAP1 00000046: DUP2 00000047: ADD 00000048: CALLDATALOAD 00000049: PUSH1 0x1f 0000004b: DUP2 0000004c: ADD 0000004d: DUP4 0000004e: SWAP1 0000004f: DIV 00000050: SWAP1 00000051: SWAP3 00000052: MUL 00000053: DUP4 00000054: ADD 00000055: PUSH1 0x40 00000057: MSTORE 00000058: PUSH1 0x60 0000005a: DUP3 0000005b: DUP2 0000005c: MSTORE 0000005d: PUSH2 0x0185 00000060: SWAP4 00000061: PUSH1 0x24 00000063: SWAP4 00000064: SWAP2 00000065: SWAP3 00000066: DUP5 00000067: ADD 00000068: SWAP2 00000069: SWAP1 0000006a: DUP2 0000006b: SWAP1 0000006c: DUP4 0000006d: DUP3 0000006e: DUP1 0000006f: DUP3 00000070: DUP5 00000071: CALLDATACOPY 00000072: POP 00000073: POP 00000074: PUSH1 0x40 00000076: DUP1 00000077: MLOAD 00000078: PUSH1 0x20 0000007a: DUP9 0000007b: CALLDATALOAD 0000007c: PUSH1 0x04 0000007e: DUP2 0000007f: ADD 00000080: CALLDATALOAD 00000081: PUSH1 0x1f 00000083: DUP2 00000084: ADD 00000085: DUP4 00000086: SWAP1 00000087: DIV 00000088: DUP4 00000089: MUL 0000008a: DUP5 0000008b: ADD 0000008c: DUP4 0000008d: ADD 0000008e: SWAP1 0000008f: SWAP5 00000090: MSTORE 00000091: DUP4 00000092: DUP4 00000093: MSTORE 00000094: SWAP8 00000095: SWAP9 00000096: PUSH1 0x44 00000098: SWAP9 00000099: SWAP3 0000009a: SWAP8 0000009b: POP 0000009c: SWAP2 0000009d: SWAP1 0000009e: SWAP2 0000009f: ADD 000000a0: SWAP5 000000a1: POP 000000a2: SWAP1 000000a3: SWAP3 000000a4: POP 000000a5: DUP3 000000a6: SWAP2 000000a7: POP 000000a8: DUP5 000000a9: ADD 000000aa: DUP4 000000ab: DUP3 000000ac: DUP1 000000ad: DUP3 000000ae: DUP5 000000af: CALLDATACOPY 000000b0: POP 000000b1: POP 000000b2: PUSH1 0x40 000000b4: DUP1 000000b5: MLOAD 000000b6: PUSH1 0x20 000000b8: SWAP8 000000b9: CALLDATALOAD 000000ba: PUSH1 0x04 000000bc: DUP2 000000bd: ADD 000000be: CALLDATALOAD 000000bf: PUSH1 0x1f 000000c1: DUP2 000000c2: ADD 000000c3: DUP11 000000c4: SWAP1 000000c5: DIV 000000c6: DUP11 000000c7: MUL 000000c8: DUP4 000000c9: ADD 000000ca: DUP11 000000cb: ADD 000000cc: SWAP1 000000cd: SWAP4 000000ce: MSTORE 000000cf: DUP3 000000d0: DUP3 000000d1: MSTORE 000000d2: SWAP7 000000d3: SWAP8 000000d4: PUSH1 0x64 000000d6: SWAP8 000000d7: SWAP2 000000d8: SWAP7 000000d9: POP 000000da: PUSH1 0x24 000000dc: SWAP2 000000dd: SWAP1 000000de: SWAP2 000000df: ADD 000000e0: SWAP5 000000e1: POP 000000e2: SWAP1 000000e3: SWAP3 000000e4: POP 000000e5: DUP3 000000e6: SWAP2 000000e7: POP 000000e8: DUP5 000000e9: ADD 000000ea: DUP4 000000eb: DUP3 000000ec: DUP1 000000ed: DUP3 000000ee: DUP5 000000ef: CALLDATACOPY 000000f0: POP 000000f1: SWAP5 000000f2: SWAP6 000000f3: CALLDATALOAD 000000f4: SWAP5 000000f5: POP 000000f6: POP 000000f7: POP 000000f8: POP 000000f9: POP 000000fa: PUSH1 0x01 000000fc: PUSH1 0xa0 000000fe: PUSH1 0x02 00000100: EXP 00000101: SUB 00000102: CALLER 00000103: AND 00000104: PUSH1 0x00 00000106: SWAP1 00000107: DUP2 00000108: MSTORE 00000109: PUSH1 0x20 0000010b: DUP2 0000010c: SWAP1 0000010d: MSTORE 0000010e: PUSH1 0x40 00000110: DUP2 00000111: KECCAK256 00000112: SLOAD 00000113: DUP2 00000114: SWAP1 00000115: DUP2 00000116: SWAP1 00000117: GT 00000118: ISZERO 00000119: PUSH2 0x0269 0000011c: JUMPI 0000011d: PUSH2 0x0260 00000120: JUMP 00000121: JUMPDEST 00000122: PUSH2 0x003a 00000125: PUSH1 0x04 00000127: CALLDATALOAD 00000128: PUSH1 0x24 0000012a: CALLDATALOAD 0000012b: PUSH20 0x3c94923400ccc528e8ab0f849edafca06fe332e5 00000140: PUSH1 0x01 00000142: PUSH1 0xa0 00000144: PUSH1 0x02 00000146: EXP 00000147: SUB 00000148: CALLER 00000149: AND 0000014a: EQ 0000014b: PUSH2 0x02a3 0000014e: JUMPI 0000014f: PUSH2 0x02f2 00000152: JUMP 00000153: JUMPDEST 00000154: PUSH2 0x0185 00000157: PUSH1 0x04 00000159: CALLDATALOAD 0000015a: PUSH1 0x00 0000015c: PUSH1 0x20 0000015e: DUP2 0000015f: SWAP1 00000160: MSTORE 00000161: SWAP1 00000162: DUP2 00000163: MSTORE 00000164: PUSH1 0x40 00000166: SWAP1 00000167: KECCAK256 00000168: SLOAD 00000169: DUP2 0000016a: JUMP 0000016b: JUMPDEST 0000016c: CALLER 0000016d: PUSH1 0x01 0000016f: PUSH1 0xa0 00000171: PUSH1 0x02 00000173: EXP 00000174: SUB 00000175: AND 00000176: PUSH1 0x00 00000178: SWAP1 00000179: DUP2 0000017a: MSTORE 0000017b: PUSH1 0x20 0000017d: DUP2 0000017e: SWAP1 0000017f: MSTORE 00000180: PUSH1 0x40 00000182: SWAP1 00000183: KECCAK256 00000184: SLOAD 00000185: JUMPDEST 00000186: PUSH1 0x40 00000188: DUP1 00000189: MLOAD 0000018a: SWAP2 0000018b: DUP3 0000018c: MSTORE 0000018d: MLOAD 0000018e: SWAP1 0000018f: DUP2 00000190: SWAP1 00000191: SUB 00000192: PUSH1 0x20 00000194: ADD 00000195: SWAP1 00000196: RETURN 00000197: JUMPDEST 00000198: POP 00000199: PUSH1 0x40 0000019b: DUP1 0000019c: MLOAD 0000019d: PUSH32 0x285bdabf00000000000000000000000000000000000000000000000000000000 000001be: DUP2 000001bf: MSTORE 000001c0: PUSH1 0x04 000001c2: DUP2 000001c3: ADD 000001c4: DUP4 000001c5: SWAP1 000001c6: MSTORE 000001c7: PUSH1 0x24 000001c9: DUP2 000001ca: ADD 000001cb: DUP4 000001cc: SWAP1 000001cd: MSTORE 000001ce: PUSH1 0x44 000001d0: DUP2 000001d1: ADD 000001d2: DUP4 000001d3: SWAP1 000001d4: MSTORE 000001d5: PUSH1 0x64 000001d7: DUP2 000001d8: ADD 000001d9: DUP4 000001da: SWAP1 000001db: MSTORE 000001dc: PUSH1 0x84 000001de: DUP2 000001df: ADD 000001e0: DUP4 000001e1: SWAP1 000001e2: MSTORE 000001e3: PUSH1 0x01 000001e5: PUSH1 0xa0 000001e7: PUSH1 0x02 000001e9: EXP 000001ea: SUB 000001eb: CALLER 000001ec: AND 000001ed: PUSH1 0xa4 000001ef: DUP3 000001f0: ADD 000001f1: MSTORE 000001f2: PUSH1 0xc4 000001f4: DUP2 000001f5: ADD 000001f6: DUP4 000001f7: SWAP1 000001f8: MSTORE 000001f9: SWAP1 000001fa: MLOAD 000001fb: PUSH20 0x3c94923400ccc528e8ab0f849edafca06fe332e5 00000210: SWAP2 00000211: DUP3 00000212: SWAP2 00000213: PUSH4 0x285bdabf 00000218: SWAP2 00000219: PUSH1 0xe4 0000021b: DUP1 0000021c: DUP3 0000021d: ADD 0000021e: SWAP3 0000021f: DUP8 00000220: SWAP3 00000221: SWAP1 00000222: SWAP2 00000223: SWAP1 00000224: DUP3 00000225: SWAP1 00000226: SUB 00000227: ADD 00000228: DUP2 00000229: DUP4 0000022a: DUP8 0000022b: PUSH2 0x61da 0000022e: GAS 0000022f: SUB 00000230: CALL 00000231: ISZERO 00000232: PUSH2 0x0002 00000235: JUMPI 00000236: POP 00000237: POP 00000238: POP 00000239: CALLVALUE 0000023a: PUSH1 0x00 0000023c: PUSH1 0x00 0000023e: POP 0000023f: PUSH1 0x00 00000241: CALLER 00000242: PUSH1 0x01 00000244: PUSH1 0xa0 00000246: PUSH1 0x02 00000248: EXP 00000249: SUB 0000024a: AND 0000024b: DUP2 0000024c: MSTORE 0000024d: PUSH1 0x20 0000024f: ADD 00000250: SWAP1 00000251: DUP2 00000252: MSTORE 00000253: PUSH1 0x20 00000255: ADD 00000256: PUSH1 0x00 00000258: KECCAK256 00000259: PUSH1 0x00 0000025b: POP 0000025c: DUP2 0000025d: SWAP1 0000025e: SSTORE 0000025f: POP 00000260: JUMPDEST 00000261: POP 00000262: SWAP5 00000263: SWAP4 00000264: POP 00000265: POP 00000266: POP 00000267: POP 00000268: JUMP 00000269: JUMPDEST 0000026a: CALLVALUE 0000026b: PUSH1 0x05 0000026d: MUL 0000026e: ADDRESS 0000026f: PUSH1 0x01 00000271: PUSH1 0xa0 00000273: PUSH1 0x02 00000275: EXP 00000276: SUB 00000277: AND 00000278: BALANCE 00000279: LT 0000027a: ISZERO 0000027b: PUSH2 0x0197 0000027e: JUMPI 0000027f: PUSH1 0x40 00000281: MLOAD 00000282: PUSH1 0x01 00000284: PUSH1 0xa0 00000286: PUSH1 0x02 00000288: EXP 00000289: SUB 0000028a: CALLER 0000028b: AND 0000028c: SWAP1 0000028d: DUP3 0000028e: SWAP1 0000028f: CALLVALUE 00000290: SWAP1 00000291: DUP3 00000292: DUP2 00000293: DUP2 00000294: DUP2 00000295: DUP6 00000296: DUP9 00000297: DUP4 00000298: CALL 00000299: SWAP4 0000029a: POP 0000029b: POP 0000029c: POP 0000029d: POP 0000029e: POP 0000029f: PUSH2 0x0260 000002a2: JUMP 000002a3: JUMPDEST 000002a4: PUSH1 0x00 000002a6: DUP2 000002a7: GT 000002a8: ISZERO 000002a9: PUSH2 0x02d8 000002ac: JUMPI 000002ad: PUSH1 0x01 000002af: PUSH1 0xa0 000002b1: PUSH1 0x02 000002b3: EXP 000002b4: SUB 000002b5: DUP3 000002b6: AND 000002b7: PUSH1 0x00 000002b9: DUP2 000002ba: DUP2 000002bb: MSTORE 000002bc: PUSH1 0x20 000002be: DUP2 000002bf: SWAP1 000002c0: MSTORE 000002c1: PUSH1 0x40 000002c3: DUP2 000002c4: KECCAK256 000002c5: SLOAD 000002c6: PUSH1 0x05 000002c8: MUL 000002c9: PUSH1 0x60 000002cb: DUP3 000002cc: DUP2 000002cd: DUP2 000002ce: DUP2 000002cf: DUP6 000002d0: DUP9 000002d1: DUP4 000002d2: CALL 000002d3: POP 000002d4: POP 000002d5: POP 000002d6: POP 000002d7: POP 000002d8: JUMPDEST 000002d9: PUSH1 0x40 000002db: PUSH1 0x00 000002dd: SWAP1 000002de: DUP2 000002df: KECCAK256 000002e0: PUSH1 0x01 000002e2: PUSH1 0xa0 000002e4: PUSH1 0x02 000002e6: EXP 000002e7: SUB 000002e8: DUP5 000002e9: AND 000002ea: DUP3 000002eb: MSTORE 000002ec: PUSH1 0x20 000002ee: DUP3 000002ef: SWAP1 000002f0: MSTORE 000002f1: SSTORE 000002f2: JUMPDEST 000002f3: POP 000002f4: POP 000002f5: JUMP
Warning: This is a nightly build of Foundry. It is recommended to use the latest stable version. To mute this warning set `FOUNDRY_DISABLE_NIGHTLY_WARNING` in your environment.
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | other | detector | Untrusted CALL target/value reachable | 60 | yes | yes |
viewtrace_id: 0x1875aab3cf795c27a3fc6a70fed980723834ecaf9edc64db60bec00bc34c51ef
call_targets:
0x3c94923400ccc528e8ab0f849edafca06fe332e5, 0x4abc539ee0c73725256391bf0eb3fda72e8a59ad
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x1875aab3cf795c27a3fc6a70fed980723834ecaf9edc64db60bec00bc34c51ef",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x3c94923400ccc528e8ab0f849edafca06fe332e5",
"0x4abc539ee0c73725256391bf0eb3fda72e8a59ad"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x02110d25",
"selector": "0x02110d25",
"calldata_variants": [
"0x02110d25",
"0x02110d250000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x0553e156",
"selector": "0x0553e156",
"calldata_variants": [
"0x0553e156",
"0x0553e1560000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x27e235e3",
"selector": "0x27e235e3",
"calldata_variants": [
"0x27e235e3",
"0x27e235e30000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x6d4ce63c",
"selector": "0x6d4ce63c",
"calldata_variants": [
"0x6d4ce63c",
"0x6d4ce63c0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 560,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 664,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 722,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 3,
"guards_detected": [],
"untrusted_call_count": 3
}
|
| high | other | detector | ETH value transfer possible | 55 | yes | yes |
viewtrace_id: 0x1875aab3cf795c27a3fc6a70fed980723834ecaf9edc64db60bec00bc34c51ef
call_targets:
0x3c94923400ccc528e8ab0f849edafca06fe332e5, 0x4abc539ee0c73725256391bf0eb3fda72e8a59ad
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x1875aab3cf795c27a3fc6a70fed980723834ecaf9edc64db60bec00bc34c51ef",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x3c94923400ccc528e8ab0f849edafca06fe332e5",
"0x4abc539ee0c73725256391bf0eb3fda72e8a59ad"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x02110d25",
"selector": "0x02110d25",
"calldata_variants": [
"0x02110d25",
"0x02110d250000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x0553e156",
"selector": "0x0553e156",
"calldata_variants": [
"0x0553e156",
"0x0553e1560000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x27e235e3",
"selector": "0x27e235e3",
"calldata_variants": [
"0x27e235e3",
"0x27e235e30000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x6d4ce63c",
"selector": "0x6d4ce63c",
"calldata_variants": [
"0x6d4ce63c",
"0x6d4ce63c0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 560,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 664,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 722,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 3,
"guards_detected": []
}
|
| medium | reentrancy | codex | Value-bearing external call happens before the balance slot is updated | 75 | no | — |
viewevidence_json{
"evidence": "Selector 0x0553e156 reaches the payout branch at pc 0x2a3. That branch loads the mapping value with SLOAD at pc 0x2c5, multiplies by 5 at pc 0x2c9, executes CALL at pc 0x2d2, and only later performs SSTORE at pc 0x2f1. The same selector is gated by a hardcoded caller check against 0x3c94923400ccc528e8ab0f849edafca06fe332e5 around pc 0x12b-0x14a.",
"locations": [
"selector:0x0553e156",
"pc:0x2c5",
"pc:0x2d2",
"pc:0x2f1"
],
"recommendation": "Apply checks-effects-interactions on this path: update or zero the balance slot before the external CALL, add a reentrancy guard, and prefer pull-based withdrawals over inline ETH sends.",
"exploit_scenario": "On selector 0x0553e156, the contract first authenticates a hardcoded external caller, then reads a per-address slot, computes a payout, performs a low-level CALL, and only afterward writes storage. If the payout recipient is a contract, reentrant control is exposed while the old balance is still live. Exploitability is reduced by the hardcoded-caller gate, but if that privileged external contract is compromised, upgradeable, or can be induced to recurse, the stale slot can be consumed multiple times before the write lands."
}
|
| medium | other | codex | Unchecked low-level CALL can desynchronize storage from actual ETH delivery | 75 | no | — |
viewevidence_json{
"evidence": "At pc 0x2d2 the contract executes a CALL, then only POPs stack values and falls through to SSTORE at pc 0x2f1; there is no ISZERO/JUMPI-style success check on this path. By contrast, the fixed-address CALL at pc 0x230 is followed by an explicit failure branch at pc 0x232-0x235, which highlights the absence of equivalent handling here.",
"locations": [
"selector:0x0553e156",
"pc:0x2d2",
"pc:0x2f1",
"pc:0x230"
],
"recommendation": "Require the low-level CALL to succeed before mutating storage, or revert on failure and leave the slot unchanged. If best-effort delivery is intended, separate accounting from delivery and record failed withdrawals explicitly.",
"exploit_scenario": "The payout CALL on selector 0x0553e156 does not have an observed success check before execution continues into storage mutation. A recipient contract can deliberately revert or otherwise make the CALL fail, yet the function can still proceed to mutate the tracked slot as if payment succeeded, causing lost funds or broken internal accounting. This is especially concerning on a balance-like mapping, since getters expose the slot directly."
}
|