019b3836-22f2-7323-a0f4-cbc79d8a01c5
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 381 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 382 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 43747 | analysis.bundle | complete | 1 / 3 | 1 week ago |
| 43748 | capability.graph | complete | 1 / 3 | 1 week ago |
| 43749 | detector.run | complete | 1 / 3 | 1 week ago |
| 43750 | validation.fork | complete | 1 / 3 | 1 week ago |
| 102999 | report.consolidate | complete | 1 / 6 | 1 week ago |
No slither job recorded yet.
{"no_findings":false,"summary":"Bytecode-only review found no proxy/delegatecall/selfdestruct behavior, and most CALL sites appear to be identity-precompile (0x04) buffer copies rather than value-moving interactions. The meaningful risk is selector 0x4ae00041: it appears to accept a caller-controlled external target, forwards almost all gas in a raw CALL, and then stores the returned 32-byte word into a keccak-derived storage slot without any detected guard. A second, lower-confidence risk is reentrancy because that CALL happens before the storage write and no guard is visible in the artifact.","findings":[{"severity":"high","category":"access_control","title":"Unguarded arbitrary CALL gadget can write attacker-chosen data into storage","exploit_scenario":"A caller invokes selector 0x4ae00041 with a helper contract as the first argument and arbitrary calldata as the dynamic argument. The helper returns any 32-byte value the attacker wants. Because the contract performs a raw CALL to the caller-supplied target and then stores the returned word into a keccak-derived slot keyed by another caller-controlled calldata word, any user can overwrite mapping-like state. Selector 0x9305414a later reads the same keccak-derived storage pattern and gates behavior on whether the loaded word is zero, so this write primitive changes contract behavior for arbitrary keys.","recommendation":"Add explicit authorization on selector 0x4ae00041, restrict the callable target to a trusted contract, and do not let callers choose arbitrary storage keys. If this is meant to cache external results, bind keys to trusted inputs and validate the external target and expected ABI before persisting returndata.","evidence":"From bytecode only, selector inference is best-effort, but the flow is strong: selector 0x4ae00041 stores calldata word 0x04 at memory 0x01a0 and later uses `PUSH2 0x01a0; MLOAD` as the CALL target just before `CALL` at pc 0x22c. After that CALL, the code executes `PUSH2 0x0220; MLOAD` and finally computes `SHA3` then `SSTORE` at pc 0x25f, using a mapping-like keccak slot. The analysis artifact reports no detected guards on this function. Selector 0x9305414a also computes a keccak-derived slot and `SLOAD`s it at pcs 0x70 and 0xce, showing the written state is subsequently consumed.","locations":["selector:0x4ae00041","pc:0x22c","pc:0x25f","selector:0x9305414a","pc:0x70","pc:0xce"]},{"severity":"medium","category":"reentrancy","title":"State update happens after an attacker-controlled external CALL with no visible reentrancy guard","exploit_scenario":"A malicious target supplied to selector 0x4ae00041 receives nearly all gas during the raw CALL and can reenter this contract before the pending storage update is committed. During reentrancy it can invoke selector 0x4ae00041 again to race nested writes, or invoke selector 0x9305414a while the cached value for the chosen key is still stale. The exact business impact is uncertain from bytecode alone, but the ordering clearly exposes the contract to reentrant control flow.","recommendation":"Apply checks-effects-interactions: commit any necessary state before the external call, or add a reentrancy guard around selector 0x4ae00041. If external execution is required, isolate it from shared mutable state used by other entrypoints.","evidence":"The only non-precompile-looking external interaction is the raw `CALL` at pc 0x22c in selector 0x4ae00041. The artifact shows no guards, and the storage write does not occur until `SSTORE` at pc 0x25f, after the external call returns. The CALL uses `GAS; SUB` immediately before invocation, so it forwards almost all remaining gas to the target. That is a classic reentrancy-enabling pattern even though the precise invariant being broken cannot be fully recovered from bytecode alone.","locations":["selector:0x4ae00041","pc:0x22c","pc:0x25f"]}]}
OpenAI Codex v0.118.0 (research preview)
--------
workdir: /tmp/codex-d5rumlyj
model: gpt-5.4
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: none
session id: 019d5b33-7291-7732-b776-bf6a11a2df53
--------
user
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
warning: Codex could not find system bubblewrap on PATH. Please install bubblewrap with your package manager. Codex will use the vendored bubblewrap in the meantime.
exec
/bin/bash -lc pwd in /tmp/codex-d5rumlyj
succeeded in 0ms:
/tmp/codex-d5rumlyj
exec
/bin/bash -lc 'rg --files' in /tmp/codex-d5rumlyj
succeeded in 0ms:
BYTECODE_BUNDLE.json
codex-output-schema.json
exec
/bin/bash -lc 'wc -c BYTECODE_BUNDLE.json codex-output-schema.json' in /tmp/codex-d5rumlyj
succeeded in 0ms:
29900 BYTECODE_BUNDLE.json
815 codex-output-schema.json
30715 total
exec
/bin/bash -lc "sed -n '1,220p' codex-output-schema.json" in /tmp/codex-d5rumlyj
succeeded in 0ms:
{"type": "object", "additionalProperties": false, "required": ["no_findings", "summary", "findings"], "properties": {"no_findings": {"type": "boolean"}, "summary": {"type": "string"}, "findings": {"type": "array", "items": {"type": "object", "additionalProperties": false, "required": ["severity", "category", "title", "evidence", "locations", "exploit_scenario", "recommendation"], "properties": {"severity": {"type": "string", "enum": ["info", "low", "medium", "high", "critical"]}, "category": {"type": "string", "enum": ["access_control", "reentrancy", "math", "oracle", "upgradeability", "auth", "other"]}, "title": {"type": "string"}, "exploit_scenario": {"type": "string"}, "recommendation": {"type": "string"}, "evidence": {"type": "string"}, "locations": {"type": "array", "items": {"type": "string"}}}}}}}
exec
/bin/bash -lc "sed -n '1,260p' BYTECODE_BUNDLE.json" in /tmp/codex-d5rumlyj
succeeded in 0ms:
{
"analysis_artifact": {
"address": "0xc861fc8dc9537159d94acbd662439046ea407166",
"artifact_hash": "0xa2696c36439a10f4cefdaeb317088903f77cd5927e623e38a2511b7828975d84",
"artifact_json": {
"auth": {
"guards": []
},
"basic_blocks": [
{
"end_pc": 51,
"hash": "0xa1d96f3ecc5dfece9cfaa0f55c581e0849ba3e61e57c4ecb49d6b559ee8e48b9",
"opcodes": [
"PUSH1",
"PUSH2",
"MSTORE8",
"PUSH29",
"PUSH1",
"CALLDATALOAD",
"DIV",
"PUSH4",
"OP_81",
"EQ",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 0
},
{
"end_pc": 117,
"hash": "0x949a9302ff378dcc64a2c0e5cb2c1e234c4a35c4da6742a8532e6ab5422327d8",
"opcodes": [
"CALLDATASIZE",
"MSIZE",
"OP_90",
"MSIZE",
"ADD",
"PUSH1",
"OP_90",
"MSTORE",
"CALLDATASIZE",
"PUSH1",
"OP_82",
"CALLDATACOPY",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"OP_82",
"ADD",
"ADD",
"PUSH1",
"MSTORE",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"MSTORE",
"POP",
"PUSH1",
"PUSH1",
"MSIZE",
"OP_90",
"MSIZE",
"ADD",
"PUSH1",
"OP_90",
"MSTORE",
"PUSH1",
"OP_81",
"MSTORE",
"PUSH1",
"MLOAD",
"OP_81",
"PUSH1",
"ADD",
"MSTORE",
"OP_80",
"OP_90",
"POP",
"SHA3",
"SLOAD",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 52
},
{
"end_pc": 240,
"hash": "0x696ce78531f3f894c6571638442b3d7e323d7a42d6293d1d9ed91eeba9dd18af",
"opcodes": [
"PUSH1",
"PUSH1",
"PUSH1",
"MSIZE",
"OP_90",
"MSIZE",
"ADD",
"PUSH1",
"OP_90",
"MSTORE",
"ADD",
"PUSH1",
"MLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"OP_83",
"SUB",
"MLOAD",
"ADD",
"DIV",
"PUSH1",
"MUL",
"PUSH1",
"ADD",
"OP_83",
"OP_83",
"MSTORE",
"PUSH1",
"OP_82",
"SUB",
"PUSH1",
"OP_84",
"ADD",
"MSTORE",
"OP_80",
"PUSH1",
"OP_84",
"ADD",
"MSTORE",
"OP_80",
"OP_84",
"ADD",
"OP_93",
"POP",
"POP",
"POP",
"PUSH1",
"PUSH1",
"MSIZE",
"OP_90",
"MSIZE",
"ADD",
"PUSH1",
"OP_90",
"MSTORE",
"PUSH1",
"OP_81",
"MSTORE",
"PUSH1",
"MLOAD",
"OP_81",
"PUSH1",
"ADD",
"MSTORE",
"OP_80",
"OP_90",
"POP",
"SHA3",
"SLOAD",
"PUSH1",
"OP_82",
"ADD",
"MSTORE",
"OP_81",
"PUSH1",
"ADD",
"MSIZE",
"OP_90",
"MSIZE",
"ADD",
"PUSH1",
"OP_90",
"MSTORE",
"PUSH1",
"OP_81",
"PUSH1",
"OP_84",
"PUSH1",
"PUSH1",
"PUSH1",
"CALL",
"PUSH2",
"JUMPI"
],
"start_pc": 118
},
{
"end_pc": 241,
"hash": "0x6af58a8ebc5f87bd8a792e6c49392861e6576301cf84d15d4bb5559b5a041bfd",
"opcodes": [
"INVALID"
],
"start_pc": 241
},
{
"end_pc": 278,
"hash": "0x2b081800f9ba7971cea88bf8b978dd4878bd10c3a8376589469cb5967d5b234a",
"opcodes": [
"JUMPDEST",
"PUSH1",
"OP_81",
"ADD",
"OP_92",
"POP",
"PUSH1",
"OP_82",
"ADD",
"MLOAD",
"OP_80",
"OP_80",
"OP_85",
"OP_82",
"PUSH1",
"OP_87",
"ADD",
"MLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"OP_87",
"SDIV",
"PUSH1",
"ADD",
"CALL",
"PUSH2",
"JUMPI"
],
"start_pc": 242
},
{
"end_pc": 279,
"hash": "0x53c39234c1da15924f913a37504fbc2cdca93cdb57edfc5fa6a443cdf3759940",
"opcodes": [
"INVALID"
],
"start_pc": 279
},
{
"end_pc": 330,
"hash": "0x377aee90bc4da858793411c8d3a7ddbd4fc6f35143bcb006d18e60d15ec18a96",
"opcodes": [
"JUMPDEST",
"POP",
"OP_80",
"OP_84",
"ADD",
"OP_93",
"POP",
"POP",
"OP_80",
"OP_83",
"SUB",
"PUSH32",
"OP_81",
"OP_83",
"OP_A1",
"POP",
"POP",
exec
/bin/bash -lc "sed -n '261,520p' BYTECODE_BUNDLE.json" in /tmp/codex-d5rumlyj
succeeded in 0ms:
"POP",
"POP"
],
"start_pc": 280
},
{
"end_pc": 331,
"hash": "0x99d6de8dc4df4d20322cb513cbffb59a2fbb88308f947beaa8c2ddc7fdc4fc7f",
"opcodes": [
"JUMPDEST"
],
"start_pc": 331
},
{
"end_pc": 344,
"hash": "0xa0905946494ca595d3c2c276ade9fe41ec413da24893e633d0e38f5c884142f2",
"opcodes": [
"JUMPDEST",
"PUSH4",
"OP_81",
"EQ",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 332
},
{
"end_pc": 488,
"hash": "0xe2ccb3506d40bcc5f0d536d59bf088fef3e9c78de3c1072dd39d8c57960b1745",
"opcodes": [
"CALLDATASIZE",
"MSIZE",
"OP_90",
"MSIZE",
"ADD",
"PUSH1",
"OP_90",
"MSTORE",
"CALLDATASIZE",
"PUSH1",
"OP_82",
"CALLDATACOPY",
"PUSH1",
"CALLDATALOAD",
"PUSH2",
"MSTORE",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"OP_82",
"ADD",
"ADD",
"PUSH2",
"MSTORE",
"PUSH1",
"CALLDATALOAD",
"PUSH2",
"MSTORE",
"POP",
"PUSH1",
"PUSH1",
"PUSH1",
"MSIZE",
"OP_90",
"MSIZE",
"ADD",
"PUSH1",
"OP_90",
"MSTORE",
"ADD",
"PUSH4",
"PUSH1",
"OP_82",
"SUB",
"MSTORE",
"PUSH2",
"MLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"OP_83",
"SUB",
"MLOAD",
"ADD",
"DIV",
"PUSH1",
"MUL",
"PUSH1",
"ADD",
"OP_83",
"PUSH1",
"OP_84",
"ADD",
"MSTORE",
"PUSH1",
"OP_82",
"SUB",
"PUSH1",
"OP_84",
"ADD",
"MSTORE",
"OP_80",
"PUSH1",
"OP_84",
"ADD",
"MSTORE",
"OP_80",
"OP_84",
"ADD",
"OP_93",
"POP",
"POP",
"POP",
"OP_81",
"PUSH1",
"ADD",
"MSIZE",
"OP_90",
"MSIZE",
"ADD",
"PUSH1",
"OP_90",
"MSTORE",
"PUSH1",
"OP_81",
"PUSH1",
"OP_84",
"PUSH1",
"PUSH1",
"PUSH1",
"CALL",
"PUSH2",
"JUMPI"
],
"start_pc": 345
},
{
"end_pc": 489,
"hash": "0x1925a6fe3e5e79a896b73b89f445389069ea4f91620e1db7dcb8fdb33ba85b1c",
"opcodes": [
"INVALID"
],
"start_pc": 489
},
{
"end_pc": 526,
"hash": "0xa3d065fceff82d5346ef1d4dc388601964b60ec773081f3a5123046e687a6545",
"opcodes": [
"JUMPDEST",
"PUSH1",
"OP_81",
"ADD",
"OP_92",
"POP",
"PUSH1",
"OP_82",
"ADD",
"MLOAD",
"OP_80",
"OP_80",
"OP_85",
"OP_82",
"PUSH1",
"OP_87",
"ADD",
"MLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"OP_87",
"SDIV",
"PUSH1",
"ADD",
"CALL",
"PUSH2",
"JUMPI"
],
"start_pc": 490
},
{
"end_pc": 527,
"hash": "0xf015c1bf426f03e24dc46db50eb76c1d17939b28a9cf926ad2d80b76c9e5c5bc",
"opcodes": [
"INVALID"
],
"start_pc": 527
},
{
"end_pc": 607,
"hash": "0x550167e11dfd21c64a4da49073c36883cc3ac1c79e5f123292ad3c958c14f034",
"opcodes": [
"JUMPDEST",
"POP",
"OP_80",
"OP_84",
"ADD",
"OP_93",
"POP",
"POP",
"OP_80",
"OP_83",
"SUB",
"PUSH1",
"PUSH2",
"OP_82",
"OP_84",
"PUSH1",
"PUSH2",
"MLOAD",
"PUSH1",
"GAS",
"SUB",
"CALL",
"POP",
"PUSH2",
"MLOAD",
"OP_90",
"POP",
"OP_90",
"POP",
"OP_90",
"POP",
"OP_90",
"POP",
"PUSH2",
"MSTORE",
"PUSH2",
"MLOAD",
"PUSH1",
"PUSH1",
"MSIZE",
"OP_90",
"MSIZE",
"ADD",
"PUSH1",
"OP_90",
"MSTORE",
"PUSH1",
"OP_81",
"MSTORE",
"PUSH2",
"MLOAD",
"OP_81",
"PUSH1",
"ADD",
"MSTORE",
"OP_80",
"OP_90",
"POP",
"SHA3",
"SSTORE"
],
"start_pc": 528
},
{
"end_pc": 609,
"hash": "0x86446e738049159e558df4d43d9a6280498d8c44a8d218a2f81a1981670705a9",
"opcodes": [
"JUMPDEST",
exec
/bin/bash -lc "sed -n '521,780p' BYTECODE_BUNDLE.json" in /tmp/codex-d5rumlyj
succeeded in 0ms:
"POP"
],
"start_pc": 608
}
],
"callsites": [
{
"opcode": "CALL",
"pc": 236,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "constant"
},
{
"opcode": "CALL",
"pc": 274,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 484,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "constant"
},
{
"opcode": "CALL",
"pc": 522,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 556,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"cfg_edges": [
{
"from": "bb:0",
"to": "bb:332",
"type": "control_flow"
},
{
"from": "bb:0",
"to": "bb:52",
"type": "control_flow_fallthrough"
},
{
"from": "bb:52",
"to": "bb:331",
"type": "control_flow"
},
{
"from": "bb:52",
"to": "bb:118",
"type": "control_flow_fallthrough"
},
{
"from": "bb:118",
"to": "bb:242",
"type": "control_flow"
},
{
"from": "bb:118",
"to": "bb:241",
"type": "control_flow_fallthrough"
},
{
"from": "bb:242",
"to": "bb:280",
"type": "control_flow"
},
{
"from": "bb:242",
"to": "bb:279",
"type": "control_flow_fallthrough"
},
{
"from": "bb:280",
"to": "bb:331",
"type": "control_flow_fallthrough"
},
{
"from": "bb:331",
"to": "bb:332",
"type": "control_flow_fallthrough"
},
{
"from": "bb:332",
"to": "bb:608",
"type": "control_flow"
},
{
"from": "bb:332",
"to": "bb:345",
"type": "control_flow_fallthrough"
},
{
"from": "bb:345",
"to": "bb:490",
"type": "control_flow"
},
{
"from": "bb:345",
"to": "bb:489",
"type": "control_flow_fallthrough"
},
{
"from": "bb:490",
"to": "bb:528",
"type": "control_flow"
},
{
"from": "bb:490",
"to": "bb:527",
"type": "control_flow_fallthrough"
},
{
"from": "bb:528",
"to": "bb:608",
"type": "control_flow_fallthrough"
}
],
"cfg_hash": "0x07f1505d0f808cadf57350f4a3db28e89465fd82c6f8a8bfc9070d5cadbc6547",
"dispatcher_type": "selector_jump_table",
"function_entries": [
{
"entry_pc": null,
"selector": "0x9305414a"
},
{
"entry_pc": null,
"selector": "0x4ae00041"
}
],
"functions": [
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0x9305414a",
"sinks": {
"call": 5,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 2,
"slots": [],
"writes": 1
}
},
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0x4ae00041",
"sinks": {
"call": 5,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 2,
"slots": [],
"writes": 1
}
}
],
"selectors": [
"0x9305414a",
"0x4ae00041"
],
"sinks": {
"call": 5,
"create": 0,
"create2": 0,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0,
"upgrade_slot_write_suspected": false
},
"storage": {
"keccak_count": 3,
"reads": 2,
"slots": [],
"writes": 1
},
"version": "analysis_artifact_v1"
},
"block_number": null,
"chain_id": 1,
"codehash": "0x6efe08518e72074bd72e0c01a48edca98ab60ee9935fa8b833e4945b882c2cf7",
"created_at": "2026-04-04T19:45:52.000000Z",
"id": 1597,
"updated_at": "2026-04-04T19:45:52.000000Z",
"version": "analysis_artifact_v1"
},
"analysis_run": {
"address": "0xc861fc8dc9537159d94acbd662439046ea407166",
"block_number": null,
"chain_id": 1,
"child_links": [],
"created_at": "2025-12-19T20:03:50.000000Z",
"id": "019b3836-22f2-7323-a0f4-cbc79d8a01c5",
"parent_links": [],
"status": "running",
"updated_at": "2026-04-04T19:45:52.000000Z"
},
"artifact": {
"codehash": "0x6efe08518e72074bd72e0c01a48edca98ab60ee9935fa8b833e4945b882c2cf7",
"compiler_json": {
"etherscan": {
"skipped": true
}
},
"implementation_address": null,
"is_proxy": false,
"runtime_bytecode": {
"full": "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",
"head": null,
"length": 1222,
"tail": null,
"truncated": false
},
"verified_source": false
},
"capability_graph": {
"address": "0xc861fc8dc9537159d94acbd662439046ea407166",
"block_number": null,
"chain_id": 1,
"codehash": "0x6efe08518e72074bd72e0c01a48edca98ab60ee9935fa8b833e4945b882c2cf7",
"created_at": "2026-04-04T19:45:52.000000Z",
"graph_hash": "0x3343d2c1080535157510ef95afc2f630a0e9c7bb5fcf439fd1525d0cfaa6c19a",
"graph_json": {
"edges": [
{
"from": "bb:0",
"to": "bb:332",
"type": "control_flow"
},
{
"from": "bb:0",
"to": "bb:52",
"type": "control_flow_fallthrough"
},
{
"from": "bb:52",
"to": "bb:331",
"type": "control_flow"
exec
/bin/bash -lc "sed -n '781,1040p' BYTECODE_BUNDLE.json" in /tmp/codex-d5rumlyj
succeeded in 0ms:
},
{
"from": "bb:52",
"to": "bb:118",
"type": "control_flow_fallthrough"
},
{
"from": "bb:118",
"to": "bb:242",
"type": "control_flow"
},
{
"from": "bb:118",
"to": "bb:241",
"type": "control_flow_fallthrough"
},
{
"from": "bb:242",
"to": "bb:280",
"type": "control_flow"
},
{
"from": "bb:242",
"to": "bb:279",
"type": "control_flow_fallthrough"
},
{
"from": "bb:280",
"to": "bb:331",
"type": "control_flow_fallthrough"
},
{
"from": "bb:331",
"to": "bb:332",
"type": "control_flow_fallthrough"
},
{
"from": "bb:332",
"to": "bb:608",
"type": "control_flow"
},
{
"from": "bb:332",
"to": "bb:345",
"type": "control_flow_fallthrough"
},
{
"from": "bb:345",
"to": "bb:490",
"type": "control_flow"
},
{
"from": "bb:345",
"to": "bb:489",
"type": "control_flow_fallthrough"
},
{
"from": "bb:490",
"to": "bb:528",
"type": "control_flow"
},
{
"from": "bb:490",
"to": "bb:527",
"type": "control_flow_fallthrough"
},
{
"from": "bb:528",
"to": "bb:608",
"type": "control_flow_fallthrough"
},
{
"from": "bb:118",
"to": "call:236",
"type": "contains"
},
{
"from": "call:236",
"to": "sink:call",
"type": "capability"
},
{
"from": "bb:242",
"to": "call:274",
"type": "contains"
},
{
"from": "call:274",
"to": "sink:call",
"type": "capability"
},
{
"from": "bb:345",
"to": "call:484",
"type": "contains"
},
{
"from": "call:484",
"to": "sink:call",
"type": "capability"
},
{
"from": "bb:490",
"to": "call:522",
"type": "contains"
},
{
"from": "call:522",
"to": "sink:call",
"type": "capability"
},
{
"from": "bb:528",
"to": "call:556",
"type": "contains"
},
{
"from": "call:556",
"to": "sink:call",
"type": "capability"
}
],
"nodes": [
{
"end_pc": 51,
"hash": "0xa1d96f3ecc5dfece9cfaa0f55c581e0849ba3e61e57c4ecb49d6b559ee8e48b9",
"id": "bb:0",
"start_pc": 0,
"type": "basic_block"
},
{
"end_pc": 117,
"hash": "0x949a9302ff378dcc64a2c0e5cb2c1e234c4a35c4da6742a8532e6ab5422327d8",
"id": "bb:52",
"start_pc": 52,
"type": "basic_block"
},
{
"end_pc": 240,
"hash": "0x696ce78531f3f894c6571638442b3d7e323d7a42d6293d1d9ed91eeba9dd18af",
"id": "bb:118",
"start_pc": 118,
"type": "basic_block"
},
{
"end_pc": 241,
"hash": "0x6af58a8ebc5f87bd8a792e6c49392861e6576301cf84d15d4bb5559b5a041bfd",
"id": "bb:241",
"start_pc": 241,
"type": "basic_block"
},
{
"end_pc": 278,
"hash": "0x2b081800f9ba7971cea88bf8b978dd4878bd10c3a8376589469cb5967d5b234a",
"id": "bb:242",
"start_pc": 242,
"type": "basic_block"
},
{
"end_pc": 279,
"hash": "0x53c39234c1da15924f913a37504fbc2cdca93cdb57edfc5fa6a443cdf3759940",
"id": "bb:279",
"start_pc": 279,
"type": "basic_block"
},
{
"end_pc": 330,
"hash": "0x377aee90bc4da858793411c8d3a7ddbd4fc6f35143bcb006d18e60d15ec18a96",
"id": "bb:280",
"start_pc": 280,
"type": "basic_block"
},
{
"end_pc": 331,
"hash": "0x99d6de8dc4df4d20322cb513cbffb59a2fbb88308f947beaa8c2ddc7fdc4fc7f",
"id": "bb:331",
"start_pc": 331,
"type": "basic_block"
},
{
"end_pc": 344,
"hash": "0xa0905946494ca595d3c2c276ade9fe41ec413da24893e633d0e38f5c884142f2",
"id": "bb:332",
"start_pc": 332,
"type": "basic_block"
},
{
"end_pc": 488,
"hash": "0xe2ccb3506d40bcc5f0d536d59bf088fef3e9c78de3c1072dd39d8c57960b1745",
"id": "bb:345",
"start_pc": 345,
"type": "basic_block"
},
{
"end_pc": 489,
"hash": "0x1925a6fe3e5e79a896b73b89f445389069ea4f91620e1db7dcb8fdb33ba85b1c",
"id": "bb:489",
"start_pc": 489,
"type": "basic_block"
},
{
"end_pc": 526,
"hash": "0xa3d065fceff82d5346ef1d4dc388601964b60ec773081f3a5123046e687a6545",
"id": "bb:490",
"start_pc": 490,
"type": "basic_block"
},
{
"end_pc": 527,
"hash": "0xf015c1bf426f03e24dc46db50eb76c1d17939b28a9cf926ad2d80b76c9e5c5bc",
"id": "bb:527",
"start_pc": 527,
"type": "basic_block"
},
{
"end_pc": 607,
"hash": "0x550167e11dfd21c64a4da49073c36883cc3ac1c79e5f123292ad3c958c14f034",
"id": "bb:528",
"start_pc": 528,
"type": "basic_block"
},
{
"end_pc": 609,
"hash": "0x86446e738049159e558df4d43d9a6280498d8c44a8d218a2f81a1981670705a9",
"id": "bb:608",
"start_pc": 608,
"type": "basic_block"
},
{
"id": "call:236",
"opcode": "CALL",
"pc": 236,
"type": "callsite"
},
{
"id": "call:274",
"opcode": "CALL",
"pc": 274,
"type": "callsite"
},
{
"id": "call:484",
"opcode": "CALL",
"pc": 484,
"type": "callsite"
},
{
"id": "call:522",
"opcode": "CALL",
"pc": 522,
"type": "callsite"
},
{
"id": "call:556",
"opcode": "CALL",
"pc": 556,
"type": "callsite"
},
{
"id": "sink:call",
exec
/bin/bash -lc "sed -n '1041,1300p' BYTECODE_BUNDLE.json" in /tmp/codex-d5rumlyj
succeeded in 0ms:
"type": "sink"
},
{
"entry_pc": null,
"id": "fn:0x9305414a",
"selector": "0x9305414a",
"type": "function"
},
{
"entry_pc": null,
"id": "fn:0x4ae00041",
"selector": "0x4ae00041",
"type": "function"
}
],
"version": "capability_graph_v1"
},
"id": 1597,
"updated_at": "2026-04-04T19:45:52.000000Z",
"version": "capability_graph_v1"
},
"detector_findings": [
{
"confidence": 60,
"evidence_json": {
"call_count": 5,
"examples": [
{
"opcode": "CALL",
"pc": 236,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "constant"
},
{
"opcode": "CALL",
"pc": 274,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 484,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "constant"
}
],
"guards_detected": [],
"untrusted_call_count": 5
},
"normalized_json": {
"sink": "CALL"
},
"severity": "high",
"title": "Untrusted CALL target/value reachable",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0xc861fc8dc9537159d94acbd662439046ea407166"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x2cf8a7c39a02f488e103e3ee7b4dbfd1493212afe5cb03eca1a6da21e078d0ac",
"trace_mode": "callTracer"
}
},
{
"confidence": 55,
"evidence_json": {
"eth_value_calls": 5,
"examples": [
{
"opcode": "CALL",
"pc": 236,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "constant"
},
{
"opcode": "CALL",
"pc": 274,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 484,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "constant"
}
],
"guards_detected": []
},
"normalized_json": {
"sink": "CALL",
"value": "nonzero"
},
"severity": "high",
"title": "ETH value transfer possible",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0xc861fc8dc9537159d94acbd662439046ea407166"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x2cf8a7c39a02f488e103e3ee7b4dbfd1493212afe5cb03eca1a6da21e078d0ac",
"trace_mode": "callTracer"
}
}
],
"heuristics_summary": {
"create2_count": 0,
"delegatecall_count": 0,
"flags": [],
"selfdestruct_count": 0
}
}
I’ve loaded the bundle. Next I’m reconstructing the control flow around the five CALL sites and the lone SSTORE to determine whether the detector hits are real vulnerabilities or just expected contract behavior.
→ Decode the dispatcher, callsites, and storage flow from BYTECODE_BUNDLE.json
• Assess concrete risks around access control, reentrancy, and value-moving external calls
• Produce the final JSON report with conservative findings and evidence
exec
js_repl in /tmp/codex-d5rumlyj
succeeded in 158ms:
0 PUSH1 0x00
2 PUSH2 0x025f
5 MSTORE8
6 PUSH29 0x0100000000000000000000000000000000000000000000000000000000
36 PUSH1 0x00
38 CALLDATALOAD
39 DIV
40 PUSH4 0x9305414a
45 DUP2
46 EQ
47 ISZERO
48 PUSH2 0x014c
51 JUMPI
52 CALLDATASIZE
53 MSIZE
54 SWAP1
55 MSIZE
56 ADD
57 PUSH1 0x00
59 SWAP1
60 MSTORE
61 CALLDATASIZE
62 PUSH1 0x04
64 DUP3
65 CALLDATACOPY
66 PUSH1 0x04
68 CALLDATALOAD
69 PUSH1 0x20
71 DUP3
72 ADD
73 ADD
74 PUSH1 0x60
76 MSTORE
77 PUSH1 0x24
79 CALLDATALOAD
80 PUSH1 0x80
82 MSTORE
83 POP
84 PUSH1 0x40
86 PUSH1 0x40
88 MSIZE
89 SWAP1
90 MSIZE
91 ADD
92 PUSH1 0x00
94 SWAP1
95 MSTORE
96 PUSH1 0x00
98 DUP2
99 MSTORE
100 PUSH1 0x80
102 MLOAD
103 DUP2
104 PUSH1 0x20
106 ADD
107 MSTORE
108 DUP1
109 SWAP1
110 POP
111 SHA3
112 SLOAD
113 ISZERO
114 PUSH2 0x014b
117 JUMPI
118 PUSH1 0x40
120 PUSH1 0x1c
122 PUSH1 0xe0
124 MSIZE
125 SWAP1
126 MSIZE
127 ADD
128 PUSH1 0x00
130 SWAP1
131 MSTORE
132 ADD
133 PUSH1 0x60
135 MLOAD
136 PUSH1 0x20
138 PUSH1 0x1f
140 PUSH1 0x20
142 DUP4
143 SUB
144 MLOAD
145 ADD
146 DIV
147 PUSH1 0x20
149 MUL
150 PUSH1 0x20
152 ADD
153 DUP4
154 DUP4
155 MSTORE
156 PUSH1 0x20
158 DUP3
159 SUB
160 PUSH1 0x40
162 DUP5
163 ADD
164 MSTORE
165 DUP1
166 PUSH1 0x80
168 DUP5
169 ADD
170 MSTORE
171 DUP1
172 DUP5
173 ADD
174 SWAP4
175 POP
176 POP
177 POP
178 PUSH1 0x40
180 PUSH1 0x40
182 MSIZE
183 SWAP1
184 MSIZE
185 ADD
186 PUSH1 0x00
188 SWAP1
189 MSTORE
190 PUSH1 0x00
192 DUP2
193 MSTORE
194 PUSH1 0x80
196 MLOAD
197 DUP2
198 PUSH1 0x20
200 ADD
201 MSTORE
202 DUP1
203 SWAP1
204 POP
205 SHA3
206 SLOAD
207 PUSH1 0x20
209 DUP3
210 ADD
211 MSTORE
212 DUP2
213 PUSH1 0x04
215 ADD
216 MSIZE
217 SWAP1
218 MSIZE
219 ADD
220 PUSH1 0x00
222 SWAP1
223 MSTORE
224 PUSH1 0x40
226 DUP2
227 PUSH1 0x40
229 DUP5
230 PUSH1 0x00
232 PUSH1 0x04
234 PUSH1 0x18
236 CALL
237 PUSH2 0x00f2
240 JUMPI
241 INVALID
242 JUMPDEST
exec
js_repl in /tmp/codex-d5rumlyj
succeeded in 7ms:
243 PUSH1 0x40
245 DUP2
246 ADD
247 SWAP3
248 POP
249 PUSH1 0x80
251 DUP3
252 ADD
253 MLOAD
254 DUP1
255 DUP1
256 DUP6
257 DUP3
258 PUSH1 0x40
260 DUP8
261 ADD
262 MLOAD
263 PUSH1 0x00
265 PUSH1 0x04
267 PUSH1 0x0a
269 DUP8
270 SDIV
271 PUSH1 0x12
273 ADD
274 CALL
275 PUSH2 0x0118
278 JUMPI
279 INVALID
280 JUMPDEST
281 POP
282 DUP1
283 DUP5
284 ADD
285 SWAP4
286 POP
287 POP
288 DUP1
289 DUP4
290 SUB
291 PUSH32 0xf7eba460ce397de720ba4749bd9c125fec27d45ef68e15fffe706e8c211a7f5c
324 DUP2
325 DUP4
326 LOG1
327 POP
328 POP
329 POP
330 POP
331 JUMPDEST
332 JUMPDEST
333 PUSH4 0x4ae00041
338 DUP2
339 EQ
340 ISZERO
341 PUSH2 0x0260
344 JUMPI
345 CALLDATASIZE
346 MSIZE
347 SWAP1
348 MSIZE
349 ADD
350 PUSH1 0x00
352 SWAP1
353 MSTORE
354 CALLDATASIZE
355 PUSH1 0x04
357 DUP3
358 CALLDATACOPY
359 PUSH1 0x04
361 CALLDATALOAD
362 PUSH2 0x01a0
365 MSTORE
366 PUSH1 0x24
368 CALLDATALOAD
369 PUSH1 0x20
371 DUP3
372 ADD
373 ADD
374 PUSH2 0x01c0
377 MSTORE
378 PUSH1 0x44
380 CALLDATALOAD
381 PUSH2 0x01e0
384 MSTORE
385 POP
386 PUSH1 0x20
388 PUSH1 0x1c
390 PUSH1 0x8c
392 MSIZE
393 SWAP1
394 MSIZE
395 ADD
396 PUSH1 0x00
398 SWAP1
399 MSTORE
400 ADD
401 PUSH4 0x693ec85e
406 PUSH1 0x1c
408 DUP3
409 SUB
410 MSTORE
411 PUSH2 0x01c0
414 MLOAD
415 PUSH1 0x20
417 PUSH1 0x1f
419 PUSH1 0x20
421 DUP4
422 SUB
423 MLOAD
424 ADD
425 DIV
426 PUSH1 0x20
428 MUL
429 PUSH1 0x20
431 ADD
432 DUP4
433 PUSH1 0x04
435 DUP5
436 ADD
437 MSTORE
438 PUSH1 0x20
440 DUP3
441 SUB
442 PUSH1 0x24
444 DUP5
445 ADD
446 MSTORE
447 DUP1
448 PUSH1 0x48
450 DUP5
451 ADD
452 MSTORE
453 DUP1
454 DUP5
455 ADD
456 SWAP4
457 POP
458 POP
459 POP
460 DUP2
461 PUSH1 0x04
463 ADD
464 MSIZE
465 SWAP1
466 MSIZE
467 ADD
468 PUSH1 0x00
470 SWAP1
471 MSTORE
472 PUSH1 0x24
474 DUP2
475 PUSH1 0x24
477 DUP5
478 PUSH1 0x00
480 PUSH1 0x04
482 PUSH1 0x15
484 CALL
485 PUSH2 0x01ea
488 JUMPI
489 INVALID
490 JUMPDEST
491 PUSH1 0x24
493 DUP2
494 ADD
495 SWAP3
496 POP
497 PUSH1 0x48
499 DUP3
500 ADD
501 MLOAD
502 DUP1
503 DUP1
504 DUP6
505 DUP3
506 PUSH1 0x24
508 DUP8
509 ADD
510 MLOAD
511 PUSH1 0x00
513 PUSH1 0x04
515 PUSH1 0x0a
517 DUP8
518 SDIV
519 PUSH1 0x12
521 ADD
522 CALL
523 PUSH2 0x0210
526 JUMPI
527 INVALID
528 JUMPDEST
529 POP
530 DUP1
531 DUP5
532 ADD
533 SWAP4
534 POP
535 POP
536 DUP1
537 DUP4
538 SUB
539 PUSH1 0x20
541 PUSH2 0x0220
544 DUP3
545 DUP5
546 PUSH1 0x00
548 PUSH2 0x01a0
551 MLOAD
552 PUSH1 0x2d
554 GAS
555 SUB
556 CALL
557 POP
558 PUSH2 0x0220
561 MLOAD
562 SWAP1
563 POP
564 SWAP1
565 POP
566 SWAP1
567 POP
568 SWAP1
569 POP
570 PUSH2 0x0200
573 MSTORE
574 PUSH2 0x01e0
577 MLOAD
578 PUSH1 0x40
580 PUSH1 0x40
582 MSIZE
583 SWAP1
584 MSIZE
585 ADD
586 PUSH1 0x00
588 SWAP1
589 MSTORE
590 PUSH1 0x00
592 DUP2
593 MSTORE
594 PUSH2 0x0200
597 MLOAD
598 DUP2
599 PUSH1 0x20
601 ADD
602 MSTORE
603 DUP1
604 SWAP1
605 POP
606 SHA3
607 SSTORE
608 JUMPDEST
609 POP
exec
js_repl in /tmp/codex-d5rumlyj
succeeded in 37ms:
[
{
"pc": 65,
"op": "CALLDATACOPY",
"args": [
"MSIZE(0x0)",
"0x4",
"CALLDATASIZE"
]
},
{
"pc": 117,
"op": "JUMPI",
"dest": "0x14b",
"cond": "{\"op\":\"ISZERO\",\"a\":{\"op\":\"SLOAD\",\"a\":{\"op\":\"SHA3\",\"a\":{\"op\":\"MSIZE\",\"a\":2}}}}",
"stack": [
"selector",
"0x40"
]
},
{
"pc": 236,
"op": "CALL",
"gas": "0x18",
"to": "0x4",
"value": "0x0",
"inOffset": "0x40",
"inSize": "0x40",
"outOffset": "MSIZE(0x8)",
"outSize": "0x40",
"stack": [
"selector",
"0x40",
"((((0x20 DIV (0x1f ADD MLOAD((0x20 SUB (CALLDATALOAD(0x4) ADD (0x20 ADD MSIZE(0x0))))))) MUL 0x20) ADD 0x20) ADD 0x40)",
"(0x1c ADD MSIZE(0x4))",
"0x40",
"MSIZE(0x8)"
]
},
{
"pc": 240,
"op": "JUMPI",
"dest": "0xf2",
"cond": "{\"op\":\"CALLRET\",\"pc\":236}",
"stack": [
"selector",
"0x40",
"((((0x20 DIV (0x1f ADD MLOAD((0x20 SUB (CALLDATALOAD(0x4) ADD (0x20 ADD MSIZE(0x0))))))) MUL 0x20) ADD 0x20) ADD 0x40)",
"(0x1c ADD MSIZE(0x4))",
"0x40",
"MSIZE(0x8)"
]
}
]
exec
js_repl in /tmp/codex-d5rumlyj
succeeded in 6ms:
[
{
"pc": 274,
"op": "CALL",
"gas": "((0xa SDIV MLOAD((0x80 ADD 0x40))) ADD 0x12)",
"to": "0x4",
"value": "0x0",
"inOffset": "MLOAD((0x40 ADD 0x40))",
"inSize": "MLOAD((0x80 ADD 0x40))",
"outOffset": "(0x40 ADD MSIZE(0x8))",
"outSize": "MLOAD((0x80 ADD 0x40))",
"stack": [
"selector",
"0x40",
"((((0x20 DIV (0x1f ADD MLOAD((0x20 SUB (CALLDATALOAD(0x4) ADD (0x20 ADD MSIZE(0x0))))))) MUL 0x20) ADD 0x20) ADD 0x40)",
"(0x40 ADD MSIZE(0x8))",
"0x40",
"MSIZE(0x8)",
"MLOAD((0x80 ADD 0x40))",
"MLOAD((0x80 ADD 0x40))"
]
},
{
"pc": 278,
"op": "JUMPI",
"dest": "0x118",
"cond": "{\"op\":\"CALLRET\",\"pc\":274}",
"stack": [
"selector",
"0x40",
"((((0x20 DIV (0x1f ADD MLOAD((0x20 SUB (CALLDATALOAD(0x4) ADD (0x20 ADD MSIZE(0x0))))))) MUL 0x20) ADD 0x20) ADD 0x40)",
"(0x40 ADD MSIZE(0x8))",
"0x40",
"MSIZE(0x8)",
"MLOAD((0x80 ADD 0x40))",
"MLOAD((0x80 ADD 0x40))"
]
},
{
"pc": 326,
"op": "LOG1",
"mstart": "MSIZE(0x8)",
"msize": "(MSIZE(0x8) SUB (MLOAD((0x80 ADD 0x40)) ADD (0x40 ADD MSIZE(0x8))))",
"topic1": "0xf7eba460ce398000000000000000000000000000000000000000000000000000",
"stack": [
"selector",
"0x40",
"((((0x20 DIV (0x1f ADD MLOAD((0x20 SUB (CALLDATALOAD(0x4) ADD (0x20 ADD MSIZE(0x0))))))) MUL 0x20) ADD 0x20) ADD 0x40)",
"(MLOAD((0x80 ADD 0x40)) ADD (0x40 ADD MSIZE(0x8)))",
"0x40",
"MSIZE(0x8)",
"(MSIZE(0x8) SUB (MLOAD((0x80 ADD 0x40)) ADD (0x40 ADD MSIZE(0x8))))"
]
}
]
exec
js_repl in /tmp/codex-d5rumlyj
succeeded in 1ms:
[
{
"pc": 358,
"op": "CALLDATACOPY",
"args": [
"MSIZE(0x0)",
"0x4",
"CALLDATASIZE"
]
},
{
"pc": 484,
"op": "CALL",
"gas": "0x15",
"to": "0x4",
"value": "0x0",
"inOffset": "(0x1c ADD MSIZE(0x2))",
"inSize": "0x24",
"outOffset": "MSIZE(0x4)",
"outSize": "0x24",
"stack": [
"selector",
"((((0x20 DIV (0x1f ADD MLOAD((0x20 SUB (CALLDATALOAD(0x24) ADD (0x20 ADD MSIZE(0x0))))))) MUL 0x20) ADD 0x20) ADD 0x20)",
"(0x1c ADD MSIZE(0x2))",
"MSIZE(0x4)"
]
},
{
"pc": 488,
"op": "JUMPI",
"dest": "0x1ea",
"cond": "{\"op\":\"CALLRET\",\"pc\":484}",
"stack": [
"selector",
"((((0x20 DIV (0x1f ADD MLOAD((0x20 SUB (CALLDATALOAD(0x24) ADD (0x20 ADD MSIZE(0x0))))))) MUL 0x20) ADD 0x20) ADD 0x20)",
"(0x1c ADD MSIZE(0x2))",
"MSIZE(0x4)"
]
}
]
exec
js_repl in /tmp/codex-d5rumlyj
succeeded in 1ms:
[
{
"pc": 522,
"op": "CALL",
"gas": "((0xa SDIV MLOAD((0x48 ADD (0x1c ADD MSIZE(0x2))))) ADD 0x12)",
"to": "0x4",
"value": "0x0",
"inOffset": "MLOAD((0x24 ADD (0x1c ADD MSIZE(0x2))))",
"inSize": "MLOAD((0x48 ADD (0x1c ADD MSIZE(0x2))))",
"outOffset": "(0x24 ADD MSIZE(0x4))",
"outSize": "MLOAD((0x48 ADD (0x1c ADD MSIZE(0x2))))",
"stack": [
"selector",
"(0x24 ADD MSIZE(0x4))",
"(0x1c ADD MSIZE(0x2))",
"MSIZE(0x4)",
"MLOAD((0x48 ADD (0x1c ADD MSIZE(0x2))))",
"MLOAD((0x48 ADD (0x1c ADD MSIZE(0x2))))"
]
},
{
"pc": 526,
"op": "JUMPI",
"dest": "0x210",
"cond": "{\"op\":\"CALLRET\",\"pc\":522}",
"stack": [
"selector",
"(0x24 ADD MSIZE(0x4))",
"(0x1c ADD MSIZE(0x2))",
"MSIZE(0x4)",
"MLOAD((0x48 ADD (0x1c ADD MSIZE(0x2))))",
"MLOAD((0x48 ADD (0x1c ADD MSIZE(0x2))))"
]
},
{
"pc": 556,
"op": "CALL",
"gas": "(0x2d SUB GAS)",
"to": "MLOAD(0x1a0)",
"value": "0x0",
"inOffset": "MSIZE(0x4)",
"inSize": "(MSIZE(0x4) SUB (MLOAD((0x48 ADD (0x1c ADD MSIZE(0x2)))) ADD (0x24 ADD MSIZE(0x4))))",
"outOffset": "0x220",
"outSize": "0x20",
"stack": [
"selector",
"(MLOAD((0x48 ADD (0x1c ADD MSIZE(0x2)))) ADD (0x24 ADD MSIZE(0x4)))",
"(0x1c ADD MSIZE(0x2))",
"MSIZE(0x4)",
"(MSIZE(0x4) SUB (MLOAD((0x48 ADD (0x1c ADD MSIZE(0x2)))) ADD (0x24 ADD MSIZE(0x4))))"
]
},
{
"pc": 607,
"op": "SSTORE",
"key": "SHA3(MSIZE(0x0))",
"val": "0x40",
"stack": [
"selector",
"MLOAD(0x1e0)"
]
}
]
codex
{"no_findings":false,"summary":"Bytecode-only review found no proxy/delegatecall/selfdestruct behavior, and most CALL sites appear to be identity-precompile (0x04) buffer copies rather than value-moving interactions. The meaningful risk is selector 0x4ae00041: it appears to accept a caller-controlled external target, forwards almost all gas in a raw CALL, and then stores the returned 32-byte word into a keccak-derived storage slot without any detected guard. A second, lower-confidence risk is reentrancy because that CALL happens before the storage write and no guard is visible in the artifact.","findings":[{"severity":"high","category":"access_control","title":"Unguarded arbitrary CALL gadget can write attacker-chosen data into storage","exploit_scenario":"A caller invokes selector 0x4ae00041 with a helper contract as the first argument and arbitrary calldata as the dynamic argument. The helper returns any 32-byte value the attacker wants. Because the contract performs a raw CALL to the caller-supplied target and then stores the returned word into a keccak-derived slot keyed by another caller-controlled calldata word, any user can overwrite mapping-like state. Selector 0x9305414a later reads the same keccak-derived storage pattern and gates behavior on whether the loaded word is zero, so this write primitive changes contract behavior for arbitrary keys.","recommendation":"Add explicit authorization on selector 0x4ae00041, restrict the callable target to a trusted contract, and do not let callers choose arbitrary storage keys. If this is meant to cache external results, bind keys to trusted inputs and validate the external target and expected ABI before persisting returndata.","evidence":"From bytecode only, selector inference is best-effort, but the flow is strong: selector 0x4ae00041 stores calldata word 0x04 at memory 0x01a0 and later uses `PUSH2 0x01a0; MLOAD` as the CALL target just before `CALL` at pc 0x22c. 
After that CALL, the code executes `PUSH2 0x0220; MLOAD` and finally computes `SHA3` then `SSTORE` at pc 0x25f, using a mapping-like keccak slot. The analysis artifact reports no detected guards on this function. Selector 0x9305414a also computes a keccak-derived slot and `SLOAD`s it at pcs 0x70 and 0xce, showing the written state is subsequently consumed.","locations":["selector:0x4ae00041","pc:0x22c","pc:0x25f","selector:0x9305414a","pc:0x70","pc:0xce"]},{"severity":"medium","category":"reentrancy","title":"State update happens after an attacker-controlled external CALL with no visible reentrancy guard","exploit_scenario":"A malicious target supplied to selector 0x4ae00041 receives nearly all gas during the raw CALL and can reenter this contract before the pending storage update is committed. During reentrancy it can invoke selector 0x4ae00041 again to race nested writes, or invoke selector 0x9305414a while the cached value for the chosen key is still stale. The exact business impact is uncertain from bytecode alone, but the ordering clearly exposes the contract to reentrant control flow.","recommendation":"Apply checks-effects-interactions: commit any necessary state before the external call, or add a reentrancy guard around selector 0x4ae00041. If external execution is required, isolate it from shared mutable state used by other entrypoints.","evidence":"The only non-precompile-looking external interaction is the raw `CALL` at pc 0x22c in selector 0x4ae00041. The artifact shows no guards, and the storage write does not occur until `SSTORE` at pc 0x25f, after the external call returns. The CALL uses `GAS; SUB` immediately before invocation, so it forwards almost all remaining gas to the target. That is a classic reentrancy-enabling pattern even though the precise invariant being broken cannot be fully recovered from bytecode alone.","locations":["selector:0x4ae00041","pc:0x22c","pc:0x25f"]}]}
tokens used
94,111
{
"codex": {
"ran_at": "2026-04-05T01:16:08.615288+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 1222,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "Bytecode-only review found no proxy/delegatecall/selfdestruct behavior, and most CALL sites appear to be identity-precompile (0x04) buffer copies rather than value-moving interactions. The meaningful risk is selector 0x4ae00041: it appears to accept a caller-controlled external target, forwards almost all gas in a raw CALL, and then stores the returned 32-byte word into a keccak-derived storage slot without any detected guard. A second, lower-confidence risk is reentrancy because that CALL happens before the storage write and no guard is visible in the artifact.",
"raw_final": {
"summary": "Bytecode-only review found no proxy/delegatecall/selfdestruct behavior, and most CALL sites appear to be identity-precompile (0x04) buffer copies rather than value-moving interactions. The meaningful risk is selector 0x4ae00041: it appears to accept a caller-controlled external target, forwards almost all gas in a raw CALL, and then stores the returned 32-byte word into a keccak-derived storage slot without any detected guard. A second, lower-confidence risk is reentrancy because that CALL happens before the storage write and no guard is visible in the artifact.",
"findings": [
{
"title": "Unguarded arbitrary CALL gadget can write attacker-chosen data into storage",
"category": "access_control",
"evidence": "From bytecode only, selector inference is best-effort, but the flow is strong: selector 0x4ae00041 stores calldata word 0x04 at memory 0x01a0 and later uses `PUSH2 0x01a0; MLOAD` as the CALL target just before `CALL` at pc 0x22c. After that CALL, the code executes `PUSH2 0x0220; MLOAD` and finally computes `SHA3` then `SSTORE` at pc 0x25f, using a mapping-like keccak slot. The analysis artifact reports no detected guards on this function. Selector 0x9305414a also computes a keccak-derived slot and `SLOAD`s it at pcs 0x70 and 0xce, showing the written state is subsequently consumed.",
"severity": "high",
"locations": [
"selector:0x4ae00041",
"pc:0x22c",
"pc:0x25f",
"selector:0x9305414a",
"pc:0x70",
"pc:0xce"
],
"recommendation": "Add explicit authorization on selector 0x4ae00041, restrict the callable target to a trusted contract, and do not let callers choose arbitrary storage keys. If this is meant to cache external results, bind keys to trusted inputs and validate the external target and expected ABI before persisting returndata.",
"exploit_scenario": "A caller invokes selector 0x4ae00041 with a helper contract as the first argument and arbitrary calldata as the dynamic argument. The helper returns any 32-byte value the attacker wants. Because the contract performs a raw CALL to the caller-supplied target and then stores the returned word into a keccak-derived slot keyed by another caller-controlled calldata word, any user can overwrite mapping-like state. Selector 0x9305414a later reads the same keccak-derived storage pattern and gates behavior on whether the loaded word is zero, so this write primitive changes contract behavior for arbitrary keys."
},
{
"title": "State update happens after an attacker-controlled external CALL with no visible reentrancy guard",
"category": "reentrancy",
"evidence": "The only non-precompile-looking external interaction is the raw `CALL` at pc 0x22c in selector 0x4ae00041. The artifact shows no guards, and the storage write does not occur until `SSTORE` at pc 0x25f, after the external call returns. The CALL uses `GAS; SUB` immediately before invocation, so it forwards almost all remaining gas to the target. That is a classic reentrancy-enabling pattern even though the precise invariant being broken cannot be fully recovered from bytecode alone.",
"severity": "medium",
"locations": [
"selector:0x4ae00041",
"pc:0x22c",
"pc:0x25f"
],
"recommendation": "Apply checks-effects-interactions: commit any necessary state before the external call, or add a reentrancy guard around selector 0x4ae00041. If external execution is required, isolate it from shared mutable state used by other entrypoints.",
"exploit_scenario": "A malicious target supplied to selector 0x4ae00041 receives nearly all gas during the raw CALL and can reenter this contract before the pending storage update is committed. During reentrancy it can invoke selector 0x4ae00041 again to race nested writes, or invoke selector 0x9305414a while the cached value for the chosen key is still stale. The exact business impact is uncertain from bytecode alone, but the ordering clearly exposes the contract to reentrant control flow."
}
],
"no_findings": false
},
"no_findings": false,
"schema_version": 1
}
00000000: PUSH1 0x00
00000002: PUSH2 0x025f
00000005: MSTORE8
00000006: PUSH29 0x0100000000000000000000000000000000000000000000000000000000
00000024: PUSH1 0x00
00000026: CALLDATALOAD
00000027: DIV
00000028: PUSH4 0x9305414a
0000002d: DUP2
0000002e: EQ
0000002f: ISZERO
00000030: PUSH2 0x014c
00000033: JUMPI
00000034: CALLDATASIZE
00000035: MSIZE
00000036: SWAP1
00000037: MSIZE
00000038: ADD
00000039: PUSH1 0x00
0000003b: SWAP1
0000003c: MSTORE
0000003d: CALLDATASIZE
0000003e: PUSH1 0x04
00000040: DUP3
00000041: CALLDATACOPY
00000042: PUSH1 0x04
00000044: CALLDATALOAD
00000045: PUSH1 0x20
00000047: DUP3
00000048: ADD
00000049: ADD
0000004a: PUSH1 0x60
0000004c: MSTORE
0000004d: PUSH1 0x24
0000004f: CALLDATALOAD
00000050: PUSH1 0x80
00000052: MSTORE
00000053: POP
00000054: PUSH1 0x40
00000056: PUSH1 0x40
00000058: MSIZE
00000059: SWAP1
0000005a: MSIZE
0000005b: ADD
0000005c: PUSH1 0x00
0000005e: SWAP1
0000005f: MSTORE
00000060: PUSH1 0x00
00000062: DUP2
00000063: MSTORE
00000064: PUSH1 0x80
00000066: MLOAD
00000067: DUP2
00000068: PUSH1 0x20
0000006a: ADD
0000006b: MSTORE
0000006c: DUP1
0000006d: SWAP1
0000006e: POP
0000006f: KECCAK256
00000070: SLOAD
00000071: ISZERO
00000072: PUSH2 0x014b
00000075: JUMPI
00000076: PUSH1 0x40
00000078: PUSH1 0x1c
0000007a: PUSH1 0xe0
0000007c: MSIZE
0000007d: SWAP1
0000007e: MSIZE
0000007f: ADD
00000080: PUSH1 0x00
00000082: SWAP1
00000083: MSTORE
00000084: ADD
00000085: PUSH1 0x60
00000087: MLOAD
00000088: PUSH1 0x20
0000008a: PUSH1 0x1f
0000008c: PUSH1 0x20
0000008e: DUP4
0000008f: SUB
00000090: MLOAD
00000091: ADD
00000092: DIV
00000093: PUSH1 0x20
00000095: MUL
00000096: PUSH1 0x20
00000098: ADD
00000099: DUP4
0000009a: DUP4
0000009b: MSTORE
0000009c: PUSH1 0x20
0000009e: DUP3
0000009f: SUB
000000a0: PUSH1 0x40
000000a2: DUP5
000000a3: ADD
000000a4: MSTORE
000000a5: DUP1
000000a6: PUSH1 0x80
000000a8: DUP5
000000a9: ADD
000000aa: MSTORE
000000ab: DUP1
000000ac: DUP5
000000ad: ADD
000000ae: SWAP4
000000af: POP
000000b0: POP
000000b1: POP
000000b2: PUSH1 0x40
000000b4: PUSH1 0x40
000000b6: MSIZE
000000b7: SWAP1
000000b8: MSIZE
000000b9: ADD
000000ba: PUSH1 0x00
000000bc: SWAP1
000000bd: MSTORE
000000be: PUSH1 0x00
000000c0: DUP2
000000c1: MSTORE
000000c2: PUSH1 0x80
000000c4: MLOAD
000000c5: DUP2
000000c6: PUSH1 0x20
000000c8: ADD
000000c9: MSTORE
000000ca: DUP1
000000cb: SWAP1
000000cc: POP
000000cd: KECCAK256
000000ce: SLOAD
000000cf: PUSH1 0x20
000000d1: DUP3
000000d2: ADD
000000d3: MSTORE
000000d4: DUP2
000000d5: PUSH1 0x04
000000d7: ADD
000000d8: MSIZE
000000d9: SWAP1
000000da: MSIZE
000000db: ADD
000000dc: PUSH1 0x00
000000de: SWAP1
000000df: MSTORE
000000e0: PUSH1 0x40
000000e2: DUP2
000000e3: PUSH1 0x40
000000e5: DUP5
000000e6: PUSH1 0x00
000000e8: PUSH1 0x04
000000ea: PUSH1 0x18
000000ec: CALL
000000ed: PUSH2 0x00f2
000000f0: JUMPI
000000f1: INVALID
000000f2: JUMPDEST
000000f3: PUSH1 0x40
000000f5: DUP2
000000f6: ADD
000000f7: SWAP3
000000f8: POP
000000f9: PUSH1 0x80
000000fb: DUP3
000000fc: ADD
000000fd: MLOAD
000000fe: DUP1
000000ff: DUP1
00000100: DUP6
00000101: DUP3
00000102: PUSH1 0x40
00000104: DUP8
00000105: ADD
00000106: MLOAD
00000107: PUSH1 0x00
00000109: PUSH1 0x04
0000010b: PUSH1 0x0a
0000010d: DUP8
0000010e: SDIV
0000010f: PUSH1 0x12
00000111: ADD
00000112: CALL
00000113: PUSH2 0x0118
00000116: JUMPI
00000117: INVALID
00000118: JUMPDEST
00000119: POP
0000011a: DUP1
0000011b: DUP5
0000011c: ADD
0000011d: SWAP4
0000011e: POP
0000011f: POP
00000120: DUP1
00000121: DUP4
00000122: SUB
00000123: PUSH32 0xf7eba460ce397de720ba4749bd9c125fec27d45ef68e15fffe706e8c211a7f5c
00000144: DUP2
00000145: DUP4
00000146: LOG1
00000147: POP
00000148: POP
00000149: POP
0000014a: POP
0000014b: JUMPDEST
0000014c: JUMPDEST
0000014d: PUSH4 0x4ae00041
00000152: DUP2
00000153: EQ
00000154: ISZERO
00000155: PUSH2 0x0260
00000158: JUMPI
00000159: CALLDATASIZE
0000015a: MSIZE
0000015b: SWAP1
0000015c: MSIZE
0000015d: ADD
0000015e: PUSH1 0x00
00000160: SWAP1
00000161: MSTORE
00000162: CALLDATASIZE
00000163: PUSH1 0x04
00000165: DUP3
00000166: CALLDATACOPY
00000167: PUSH1 0x04
00000169: CALLDATALOAD
0000016a: PUSH2 0x01a0
0000016d: MSTORE
0000016e: PUSH1 0x24
00000170: CALLDATALOAD
00000171: PUSH1 0x20
00000173: DUP3
00000174: ADD
00000175: ADD
00000176: PUSH2 0x01c0
00000179: MSTORE
0000017a: PUSH1 0x44
0000017c: CALLDATALOAD
0000017d: PUSH2 0x01e0
00000180: MSTORE
00000181: POP
00000182: PUSH1 0x20
00000184: PUSH1 0x1c
00000186: PUSH1 0x8c
00000188: MSIZE
00000189: SWAP1
0000018a: MSIZE
0000018b: ADD
0000018c: PUSH1 0x00
0000018e: SWAP1
0000018f: MSTORE
00000190: ADD
00000191: PUSH4 0x693ec85e
00000196: PUSH1 0x1c
00000198: DUP3
00000199: SUB
0000019a: MSTORE
0000019b: PUSH2 0x01c0
0000019e: MLOAD
0000019f: PUSH1 0x20
000001a1: PUSH1 0x1f
000001a3: PUSH1 0x20
000001a5: DUP4
000001a6: SUB
000001a7: MLOAD
000001a8: ADD
000001a9: DIV
000001aa: PUSH1 0x20
000001ac: MUL
000001ad: PUSH1 0x20
000001af: ADD
000001b0: DUP4
000001b1: PUSH1 0x04
000001b3: DUP5
000001b4: ADD
000001b5: MSTORE
000001b6: PUSH1 0x20
000001b8: DUP3
000001b9: SUB
000001ba: PUSH1 0x24
000001bc: DUP5
000001bd: ADD
000001be: MSTORE
000001bf: DUP1
000001c0: PUSH1 0x48
000001c2: DUP5
000001c3: ADD
000001c4: MSTORE
000001c5: DUP1
000001c6: DUP5
000001c7: ADD
000001c8: SWAP4
000001c9: POP
000001ca: POP
000001cb: POP
000001cc: DUP2
000001cd: PUSH1 0x04
000001cf: ADD
000001d0: MSIZE
000001d1: SWAP1
000001d2: MSIZE
000001d3: ADD
000001d4: PUSH1 0x00
000001d6: SWAP1
000001d7: MSTORE
000001d8: PUSH1 0x24
000001da: DUP2
000001db: PUSH1 0x24
000001dd: DUP5
000001de: PUSH1 0x00
000001e0: PUSH1 0x04
000001e2: PUSH1 0x15
000001e4: CALL
000001e5: PUSH2 0x01ea
000001e8: JUMPI
000001e9: INVALID
000001ea: JUMPDEST
000001eb: PUSH1 0x24
000001ed: DUP2
000001ee: ADD
000001ef: SWAP3
000001f0: POP
000001f1: PUSH1 0x48
000001f3: DUP3
000001f4: ADD
000001f5: MLOAD
000001f6: DUP1
000001f7: DUP1
000001f8: DUP6
000001f9: DUP3
000001fa: PUSH1 0x24
000001fc: DUP8
000001fd: ADD
000001fe: MLOAD
000001ff: PUSH1 0x00
00000201: PUSH1 0x04
00000203: PUSH1 0x0a
00000205: DUP8
00000206: SDIV
00000207: PUSH1 0x12
00000209: ADD
0000020a: CALL
0000020b: PUSH2 0x0210
0000020e: JUMPI
0000020f: INVALID
00000210: JUMPDEST
00000211: POP
00000212: DUP1
00000213: DUP5
00000214: ADD
00000215: SWAP4
00000216: POP
00000217: POP
00000218: DUP1
00000219: DUP4
0000021a: SUB
0000021b: PUSH1 0x20
0000021d: PUSH2 0x0220
00000220: DUP3
00000221: DUP5
00000222: PUSH1 0x00
00000224: PUSH2 0x01a0
00000227: MLOAD
00000228: PUSH1 0x2d
0000022a: GAS
0000022b: SUB
0000022c: CALL
0000022d: POP
0000022e: PUSH2 0x0220
00000231: MLOAD
00000232: SWAP1
00000233: POP
00000234: SWAP1
00000235: POP
00000236: SWAP1
00000237: POP
00000238: SWAP1
00000239: POP
0000023a: PUSH2 0x0200
0000023d: MSTORE
0000023e: PUSH2 0x01e0
00000241: MLOAD
00000242: PUSH1 0x40
00000244: PUSH1 0x40
00000246: MSIZE
00000247: SWAP1
00000248: MSIZE
00000249: ADD
0000024a: PUSH1 0x00
0000024c: SWAP1
0000024d: MSTORE
0000024e: PUSH1 0x00
00000250: DUP2
00000251: MSTORE
00000252: PUSH2 0x0200
00000255: MLOAD
00000256: DUP2
00000257: PUSH1 0x20
00000259: ADD
0000025a: MSTORE
0000025b: DUP1
0000025c: SWAP1
0000025d: POP
0000025e: KECCAK256
0000025f: SSTORE
00000260: JUMPDEST
00000261: POP
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | other | detector | Untrusted CALL target/value reachable | 60 | yes | yes |
trace_id: 0x2cf8a7c39a02f488e103e3ee7b4dbfd1493212afe5cb03eca1a6da21e078d0ac
call_targets:
0x0000000000000000000000000000000000000004, 0xc861fc8dc9537159d94acbd662439046ea407166
target_varies:
yes
classification:
target_varies
validation_json:
{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x2cf8a7c39a02f488e103e3ee7b4dbfd1493212afe5cb03eca1a6da21e078d0ac",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0xc861fc8dc9537159d94acbd662439046ea407166"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json:
{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x9305414a",
"selector": "0x9305414a",
"calldata_variants": [
"0x9305414a",
"0x9305414a0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x4ae00041",
"selector": "0x4ae00041",
"calldata_variants": [
"0x4ae00041",
"0x4ae000410000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json:
{
"examples": [
{
"pc": 236,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "constant",
"target_expression_category": "computed"
},
{
"pc": 274,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 484,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "constant",
"target_expression_category": "computed"
}
],
"call_count": 5,
"guards_detected": [],
"untrusted_call_count": 5
}
|
| high | other | detector | ETH value transfer possible | 55 | yes | yes |
trace_id: 0x2cf8a7c39a02f488e103e3ee7b4dbfd1493212afe5cb03eca1a6da21e078d0ac
call_targets:
0x0000000000000000000000000000000000000004, 0xc861fc8dc9537159d94acbd662439046ea407166
target_varies:
yes
classification:
target_varies
validation_json:
{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x2cf8a7c39a02f488e103e3ee7b4dbfd1493212afe5cb03eca1a6da21e078d0ac",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0xc861fc8dc9537159d94acbd662439046ea407166"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json:
{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x9305414a",
"selector": "0x9305414a",
"calldata_variants": [
"0x9305414a",
"0x9305414a0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x4ae00041",
"selector": "0x4ae00041",
"calldata_variants": [
"0x4ae00041",
"0x4ae000410000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json:
{
"examples": [
{
"pc": 236,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "constant",
"target_expression_category": "computed"
},
{
"pc": 274,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 484,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "constant",
"target_expression_category": "computed"
}
],
"eth_value_calls": 5,
"guards_detected": []
}
|
| high | access_control | codex | Unguarded arbitrary CALL gadget can write attacker-chosen data into storage | 85 | no | — |
evidence_json:
{
"evidence": "From bytecode only, selector inference is best-effort, but the flow is strong: selector 0x4ae00041 stores calldata word 0x04 at memory 0x01a0 and later uses `PUSH2 0x01a0; MLOAD` as the CALL target just before `CALL` at pc 0x22c. After that CALL, the code executes `PUSH2 0x0220; MLOAD` and finally computes `SHA3` then `SSTORE` at pc 0x25f, using a mapping-like keccak slot. The analysis artifact reports no detected guards on this function. Selector 0x9305414a also computes a keccak-derived slot and `SLOAD`s it at pcs 0x70 and 0xce, showing the written state is subsequently consumed.",
"locations": [
"selector:0x4ae00041",
"pc:0x22c",
"pc:0x25f",
"selector:0x9305414a",
"pc:0x70",
"pc:0xce"
],
"recommendation": "Add explicit authorization on selector 0x4ae00041, restrict the callable target to a trusted contract, and do not let callers choose arbitrary storage keys. If this is meant to cache external results, bind keys to trusted inputs and validate the external target and expected ABI before persisting returndata.",
"exploit_scenario": "A caller invokes selector 0x4ae00041 with a helper contract as the first argument and arbitrary calldata as the dynamic argument. The helper returns any 32-byte value the attacker wants. Because the contract performs a raw CALL to the caller-supplied target and then stores the returned word into a keccak-derived slot keyed by another caller-controlled calldata word, any user can overwrite mapping-like state. Selector 0x9305414a later reads the same keccak-derived storage pattern and gates behavior on whether the loaded word is zero, so this write primitive changes contract behavior for arbitrary keys."
}
|
| medium | reentrancy | codex | State update happens after an attacker-controlled external CALL with no visible reentrancy guard | 75 | no | — |
evidence_json:
{
"evidence": "The only non-precompile-looking external interaction is the raw `CALL` at pc 0x22c in selector 0x4ae00041. The artifact shows no guards, and the storage write does not occur until `SSTORE` at pc 0x25f, after the external call returns. The CALL uses `GAS; SUB` immediately before invocation, so it forwards almost all remaining gas to the target. That is a classic reentrancy-enabling pattern even though the precise invariant being broken cannot be fully recovered from bytecode alone.",
"locations": [
"selector:0x4ae00041",
"pc:0x22c",
"pc:0x25f"
],
"recommendation": "Apply checks-effects-interactions: commit any necessary state before the external call, or add a reentrancy guard around selector 0x4ae00041. If external execution is required, isolate it from shared mutable state used by other entrypoints.",
"exploit_scenario": "A malicious target supplied to selector 0x4ae00041 receives nearly all gas during the raw CALL and can reenter this contract before the pending storage update is committed. During reentrancy it can invoke selector 0x4ae00041 again to race nested writes, or invoke selector 0x9305414a while the cached value for the chosen key is still stale. The exact business impact is uncertain from bytecode alone, but the ordering clearly exposes the contract to reentrant control flow."
}
|