019b3836-24ca-7168-9a2d-3c548ff7765c
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 681 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 682 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 44487 | analysis.bundle | complete | 1 / 3 | 1 week ago |
| 44488 | capability.graph | complete | 1 / 3 | 1 week ago |
| 44489 | detector.run | complete | 1 / 3 | 1 week ago |
| 44490 | validation.fork | complete | 1 / 3 | 1 week ago |
| 113233 | report.consolidate | complete | 1 / 6 | 1 week ago |
No slither job recorded yet.
{"no_findings":false,"summary":"The bytecode does not show a proxy/delegatecall surface, and the detector-reported CALL at pc:0x195 appears to be the standard identity-precompile copy path used when returning dynamic strings rather than a user-controlled external call. The one actionable issue visible from runtime bytecode is low severity: the contract accepts ETH but no recovery path is evident, so ETH sent to it is likely trapped.","findings":[{"severity":"low","category":"other","title":"Contract accepts ETH with no visible recovery path","exploit_scenario":"A user or integrating contract sends non-zero ETH either to the fallback path or while calling an exposed function such as `transfer(address,uint256)`. Because the runtime does not appear to reject `msg.value`, the ETH is accepted. From the visible bytecode there is no owner/admin withdrawal function and no outbound ETH-transfer path, so that ETH is likely unrecoverable once sent.","recommendation":"Reject ETH at entrypoints unless the contract is intentionally payable. In practice this means adding a `CALLVALUE` check that reverts, or providing an explicit, access-controlled rescue path for ETH. If the contract is already deployed and immutable, warn integrators and users never to attach ETH to calls.","evidence":"The dispatcher exposes only selectors `0x06fdde03`, `0x313ce567`, `0x70a08231`, `0x95d89b41`, and `0xa9059cbb`, plus a fallback that reaches `STOP` at pc:0x45. The analyzed basic blocks contain no `CALLVALUE` opcode, so non-zero `msg.value` is not explicitly rejected. The only runtime `CALL` is at pc:0x195; stack-pattern analysis indicates it targets precompile `0x04` with value `0` as part of dynamic-string return handling, so it is not a visible ETH-withdrawal path. This is bytecode-only analysis, so hidden intent cannot be proven, but no ETH recovery function is visible in the runtime.","locations":["pc:0x45","pc:0x195","selector:0xa9059cbb"]}]}
OpenAI Codex v0.118.0 (research preview)
--------
workdir: /tmp/codex-nv7o3z9b
model: gpt-5.4
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: none
session id: 019d5b6b-7d51-7300-9d4e-2dcc85256ca1
--------
user
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
warning: Codex could not find system bubblewrap on PATH. Please install bubblewrap with your package manager. Codex will use the vendored bubblewrap in the meantime.
exec
/bin/bash -lc "pwd && ls -la && rg --files -g 'BYTECODE_BUNDLE.json' -g 'AGENTS.md'" in /tmp/codex-nv7o3z9b
succeeded in 0ms:
/tmp/codex-nv7o3z9b
total 80
drwx------ 2 noahkuhn noahkuhn 4096 Apr 5 02:14 .
drwxrwxrwt 270 nobody nogroup 24576 Apr 5 02:14 ..
-rw-rw-r-- 1 noahkuhn noahkuhn 41554 Apr 5 02:14 BYTECODE_BUNDLE.json
-rw-rw-r-- 1 noahkuhn noahkuhn 815 Apr 5 02:14 codex-output-schema.json
BYTECODE_BUNDLE.json
exec
/bin/bash -lc 'cat codex-output-schema.json' in /tmp/codex-nv7o3z9b
succeeded in 0ms:
{"type": "object", "additionalProperties": false, "required": ["no_findings", "summary", "findings"], "properties": {"no_findings": {"type": "boolean"}, "summary": {"type": "string"}, "findings": {"type": "array", "items": {"type": "object", "additionalProperties": false, "required": ["severity", "category", "title", "evidence", "locations", "exploit_scenario", "recommendation"], "properties": {"severity": {"type": "string", "enum": ["info", "low", "medium", "high", "critical"]}, "category": {"type": "string", "enum": ["access_control", "reentrancy", "math", "oracle", "upgradeability", "auth", "other"]}, "title": {"type": "string"}, "exploit_scenario": {"type": "string"}, "recommendation": {"type": "string"}, "evidence": {"type": "string"}, "locations": {"type": "array", "items": {"type": "string"}}}}}}}
exec
/bin/bash -lc "jq 'keys' BYTECODE_BUNDLE.json" in /tmp/codex-nv7o3z9b
succeeded in 0ms:
[
"analysis_artifact",
"analysis_run",
"artifact",
"capability_graph",
"detector_findings",
"heuristics_summary"
]
exec
/bin/bash -lc "jq '.detector_findings // .detectors // .findings // empty' BYTECODE_BUNDLE.json" in /tmp/codex-nv7o3z9b
succeeded in 0ms:
[
{
"confidence": 60,
"evidence_json": {
"call_count": 1,
"examples": [
{
"opcode": "CALL",
"pc": 405,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": [],
"untrusted_call_count": 1
},
"normalized_json": {
"sink": "CALL"
},
"severity": "high",
"title": "Untrusted CALL target/value reachable",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x87adf4d3e1eb630d41405c6ea5c0021c5b6614ff"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x1dc200b20862d599f0014268b25217af0e390adee30ff0bff309833d991c18f5",
"trace_mode": "callTracer"
}
},
{
"confidence": 55,
"evidence_json": {
"eth_value_calls": 1,
"examples": [
{
"opcode": "CALL",
"pc": 405,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": []
},
"normalized_json": {
"sink": "CALL",
"value": "nonzero"
},
"severity": "high",
"title": "ETH value transfer possible",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x87adf4d3e1eb630d41405c6ea5c0021c5b6614ff"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x1dc200b20862d599f0014268b25217af0e390adee30ff0bff309833d991c18f5",
"trace_mode": "callTracer"
}
}
]
exec
/bin/bash -lc "rg -n 'selector|delegatecall|proxy|1967|beacon|reentr|CALL|pc\\\": 405|storage|slot|fallback|receive' BYTECODE_BUNDLE.json" in /tmp/codex-nv7o3z9b
succeeded in 0ms:
21: "CALLDATALOAD",
201: "CALLDATALOAD",
315: "CALLDATALOAD",
317: "CALLDATALOAD",
319: "CALLER",
398: "CALL",
513: "CALLER",
605: "opcode": "CALL",
606: "pc": 405,
760: "dispatcher_type": "selector_jump_table",
764: "selector": "0x06fdde03"
768: "selector": "0x313ce567"
772: "selector": "0x70a08231"
776: "selector": "0x95d89b41"
780: "selector": "0xa9059cbb"
789: "selector": "0x06fdde03",
792: "delegatecall": 0,
796: "storage": {
798: "slots": [
802: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
807: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
812: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
817: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
822: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
833: "selector": "0x313ce567",
836: "delegatecall": 0,
840: "storage": {
842: "slots": [
846: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
851: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
856: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
861: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
866: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
877: "selector": "0x70a08231",
880: "delegatecall": 0,
884: "storage": {
886: "slots": [
890: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
895: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
900: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
905: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
910: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
921: "selector": "0x95d89b41",
924: "delegatecall": 0,
928: "storage": {
930: "slots": [
934: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
939: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
944: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
949: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
954: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
965: "selector": "0xa9059cbb",
968: "delegatecall": 0,
972: "storage": {
974: "slots": [
978: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
983: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
988: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
993: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
998: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1005: "selectors": [
1016: "delegatecall": 0,
1019: "upgrade_slot_write_suspected": false
1021: "storage": {
1024: "slots": [
1028: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1033: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1038: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
1043: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
1048: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1082: "is_proxy": false,
1450: "opcode": "CALL",
1451: "pc": 405,
1461: "selector": "0x06fdde03",
1467: "selector": "0x313ce567",
1473: "selector": "0x70a08231",
1479: "selector": "0x95d89b41",
1485: "selector": "0xa9059cbb",
1502: "opcode": "CALL",
1503: "pc": 405,
1513: "sink": "CALL"
1516: "title": "Untrusted CALL target/value reachable",
1528: "sink": "CALL",
1541: "opcode": "CALL",
1542: "pc": 405,
1551: "sink": "CALL",
1567: "sink": "CALL",
1577: "delegatecall_count": 0,
exec
/bin/bash -lc "jq '.analysis_artifact | keys' BYTECODE_BUNDLE.json" in /tmp/codex-nv7o3z9b
succeeded in 0ms:
[
"address",
"artifact_hash",
"artifact_json",
"block_number",
"chain_id",
"codehash",
"created_at",
"id",
"updated_at",
"version"
]
exec
/bin/bash -lc "jq '.heuristics_summary' BYTECODE_BUNDLE.json" in /tmp/codex-nv7o3z9b
succeeded in 0ms:
{
"create2_count": 0,
"delegatecall_count": 0,
"flags": [],
"selfdestruct_count": 0
}
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.summary // .analysis_artifact.artifact_json.contract_summary // .analysis_artifact.artifact_json' BYTECODE_BUNDLE.json | sed -n '1,220p'" in /tmp/codex-nv7o3z9b
succeeded in 0ms:
{
"auth": {
"guards": []
},
"basic_blocks": [
{
"end_pc": 24,
"hash": "0x6a350686911b120d699f8e8d1e9440d4ce17c4434492baee43484e2ef083a112",
"opcodes": [
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"PUSH1",
"EXP",
"PUSH1",
"CALLDATALOAD",
"DIV",
"PUSH4",
"OP_81",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 0
},
{
"end_pc": 35,
"hash": "0x09fc75e3aa8fb02b98e24881cc463925488c7dfa7ef308570a5930c5c420c614",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 25
},
{
"end_pc": 46,
"hash": "0x976103db32485bde438fb5c3f9f54ee02f48623f2e3b08249411cd4aee3c334a",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 36
},
{
"end_pc": 57,
"hash": "0x3c19c073e27395dc44272beb525b6373ad140a4045aabbd1b653e498e1806824",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 47
},
{
"end_pc": 68,
"hash": "0x3a122683470ea7901e31e80e6378780a829a06da64b04e691b5d5c5621392507",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 58
},
{
"end_pc": 70,
"hash": "0x55afd043d32294d5f0189f5a0aa04f3174e4c087a31c85396f49b5f17813cb96",
"opcodes": [
"JUMPDEST",
"STOP"
],
"start_pc": 69
},
{
"end_pc": 136,
"hash": "0xac6537d7b91b231bbac2ae8639ed2f1a1da6bf05008aa06a3ed77d152f70020d",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"OP_80",
"SLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"OP_83",
"AND",
"ISZERO",
"PUSH2",
"MUL",
"PUSH1",
"NOT",
"ADD",
"OP_90",
"OP_92",
"AND",
"OP_91",
"OP_90",
"OP_91",
"DIV",
"PUSH1",
"OP_81",
"ADD",
"OP_82",
"OP_90",
"DIV",
"OP_90",
"OP_91",
"MUL",
"PUSH1",
"OP_90",
"OP_81",
"ADD",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_82",
"OP_81",
"MSTORE",
"OP_92",
"OP_91",
"OP_90",
"OP_82",
"OP_82",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 71
},
{
"end_pc": 144,
"hash": "0x62826063265f7b0a1361ae5c76928a673321264a2a99d0d24c9e3f562d187b06",
"opcodes": [
"OP_80",
"PUSH1",
"LT",
"PUSH2",
"JUMPI"
],
"start_pc": 137
},
{
"end_pc": 163,
"hash": "0x881e9667f8478852b896c5118f25369529937526d5c1163711e5bb613d49d442",
"opcodes": [
"PUSH2",
"OP_80",
"OP_83",
"SLOAD",
"DIV",
"MUL",
"OP_83",
"MSTORE",
"OP_91",
"PUSH1",
"ADD",
"OP_91",
"PUSH2",
"JUMP"
],
"start_pc": 145
},
{
"end_pc": 175,
"hash": "0x6dd913550e2d374feb5ff277c46b413eb9ef79a7dae1b7c5659f2c0d4fe4ed09",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"SLOAD",
"PUSH1",
"AND",
"OP_81",
"JUMP"
],
"start_pc": 164
},
{
"end_pc": 199,
"hash": "0xa5d15b4687324f59988c5bd96c68fcd7990c0770ed538f53e294dd743c00cb93",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"OP_90",
"SHA3",
"SLOAD",
"OP_81",
"JUMP"
],
"start_pc": 176
},
{
"end_pc": 263,
"hash": "0x3d607cf5c369c365d079afbfc2fb540c910951b66b39949f2183906bb778c929",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
exec
/bin/bash -lc "jq '.artifact // .analysis_artifact.artifact_json.meta // empty' BYTECODE_BUNDLE.json | sed -n '1,220p'" in /tmp/codex-nv7o3z9b
succeeded in 0ms:
{
"codehash": "0xa81094f2cc770c7af4e87578dfd47661017af78a25faf932e2cde89931a52dc5",
"compiler_json": {
"etherscan": {
"skipped": true
}
},
"implementation_address": null,
"is_proxy": false,
"runtime_bytecode": {
"full": "0x606060405260e060020a600035046306fdde038114610047578063313ce567146100a457806370a08231146100b057806395d89b41146100c8578063a9059cbb14610123575b005b61015f60008054602060026001831615610100026000190190921691909104601f810182900490910260809081016040526060828152929190828280156102685780601f1061023d57610100808354040283529160200191610268565b6101cd60025460ff1681565b6101cd60043560036020526000908152604090205481565b61015f600180546020601f6002600019610100858716150201909316929092049182018190040260809081016040526060828152929190828280156102685780601f1061023d57610100808354040283529160200191610268565b6101cd60043560243573ffffffffffffffffffffffffffffffffffffffff3316600090815260036020526040812054829010156101d757610002565b60405180806020018281038252838181518152602001915080519060200190808383829060006004602084601f0104600302600f01f150905090810190601f1680156101bf5780820380516001836020036101000a031916815260200191505b509250505060405180910390f35b6060908152602090f35b60408082208054849003905573ffffffffffffffffffffffffffffffffffffffff808516808452918320805485019055606084815233909116907fddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef90602090a392915050565b820191906000526020600020905b81548152906001019060200180831161024b57829003601f168201915b50505050508156",
"head": null,
"length": 1250,
"tail": null,
"truncated": false
},
"verified_source": false
}
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.functions // .analysis_artifact.artifact_json.selectors // empty' BYTECODE_BUNDLE.json | sed -n '1,260p'" in /tmp/codex-nv7o3z9b
succeeded in 0ms:
[
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0x06fdde03",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 10,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 1889567281,
"selector": "0x313ce567",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 10,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 2514000705,
"selector": "0x70a08231",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 10,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 2835717307,
"selector": "0x95d89b41",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 10,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0xa9059cbb",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 10,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
}
]
exec
/bin/bash -lc "jq -r '.artifact.runtime_bytecode.full' BYTECODE_BUNDLE.json | sed 's/"'^0x//'"' | fold -w2 | nl -ba | sed -n '1,220p'" in /tmp/codex-nv7o3z9b
succeeded in 0ms:
1 60
2 60
3 60
4 40
5 52
6 60
7 e0
8 60
9 02
10 0a
11 60
12 00
13 35
14 04
15 63
16 06
17 fd
18 de
19 03
20 81
21 14
22 61
23 00
24 47
25 57
26 80
27 63
28 31
29 3c
30 e5
31 67
32 14
33 61
34 00
35 a4
36 57
37 80
38 63
39 70
40 a0
41 82
42 31
43 14
44 61
45 00
46 b0
47 57
48 80
49 63
50 95
51 d8
52 9b
53 41
54 14
55 61
56 00
57 c8
58 57
59 80
60 63
61 a9
62 05
63 9c
64 bb
65 14
66 61
67 01
68 23
69 57
70 5b
71 00
72 5b
73 61
74 01
75 5f
76 60
77 00
78 80
79 54
80 60
81 20
82 60
83 02
84 60
85 01
86 83
87 16
88 15
89 61
90 01
91 00
92 02
93 60
94 00
95 19
96 01
97 90
98 92
99 16
100 91
101 90
102 91
103 04
104 60
105 1f
106 81
107 01
108 82
109 90
110 04
111 90
112 91
113 02
114 60
115 80
116 90
117 81
118 01
119 60
120 40
121 52
122 60
123 60
124 82
125 81
126 52
127 92
128 91
129 90
130 82
131 82
132 80
133 15
134 61
135 02
136 68
137 57
138 80
139 60
140 1f
141 10
142 61
143 02
144 3d
145 57
146 61
147 01
148 00
149 80
150 83
151 54
152 04
153 02
154 83
155 52
156 91
157 60
158 20
159 01
160 91
161 61
162 02
163 68
164 56
165 5b
166 61
167 01
168 cd
169 60
170 02
171 54
172 60
173 ff
174 16
175 81
176 56
177 5b
178 61
179 01
180 cd
181 60
182 04
183 35
184 60
185 03
186 60
187 20
188 52
189 60
190 00
191 90
192 81
193 52
194 60
195 40
196 90
197 20
198 54
199 81
200 56
201 5b
202 61
203 01
204 5f
205 60
206 01
207 80
208 54
209 60
210 20
211 60
212 1f
213 60
214 02
215 60
216 00
217 19
218 61
219 01
220 00
exec
/bin/bash -lc "jq -r '.artifact.runtime_bytecode.full' BYTECODE_BUNDLE.json | sed 's/"'^0x//'"' | fold -w2 | nl -ba | sed -n '221,520p'" in /tmp/codex-nv7o3z9b
succeeded in 0ms:
221 85
222 87
223 16
224 15
225 02
226 01
227 90
228 93
229 16
230 92
231 90
232 92
233 04
234 91
235 82
236 01
237 81
238 90
239 04
240 02
241 60
242 80
243 90
244 81
245 01
246 60
247 40
248 52
249 60
250 60
251 82
252 81
253 52
254 92
255 91
256 90
257 82
258 82
259 80
260 15
261 61
262 02
263 68
264 57
265 80
266 60
267 1f
268 10
269 61
270 02
271 3d
272 57
273 61
274 01
275 00
276 80
277 83
278 54
279 04
280 02
281 83
282 52
283 91
284 60
285 20
286 01
287 91
288 61
289 02
290 68
291 56
292 5b
293 61
294 01
295 cd
296 60
297 04
298 35
299 60
300 24
301 35
302 73
303 ff
304 ff
305 ff
306 ff
307 ff
308 ff
309 ff
310 ff
311 ff
312 ff
313 ff
314 ff
315 ff
316 ff
317 ff
318 ff
319 ff
320 ff
321 ff
322 ff
323 33
324 16
325 60
326 00
327 90
328 81
329 52
330 60
331 03
332 60
333 20
334 52
335 60
336 40
337 81
338 20
339 54
340 82
341 90
342 10
343 15
344 61
345 01
346 d7
347 57
348 61
349 00
350 02
351 56
352 5b
353 60
354 40
355 51
356 80
357 80
358 60
359 20
360 01
361 82
362 81
363 03
364 82
365 52
366 83
367 81
368 81
369 51
370 81
371 52
372 60
373 20
374 01
375 91
376 50
377 80
378 51
379 90
380 60
381 20
382 01
383 90
384 80
385 83
386 83
387 82
388 90
389 60
390 00
391 60
392 04
393 60
394 20
395 84
396 60
397 1f
398 01
399 04
400 60
401 03
402 02
403 60
404 0f
405 01
406 f1
407 50
408 90
409 50
410 90
411 81
412 01
413 90
414 60
415 1f
416 16
417 80
418 15
419 61
420 01
421 bf
422 57
423 80
424 82
425 03
426 80
427 51
428 60
429 01
430 83
431 60
432 20
433 03
434 61
435 01
436 00
437 0a
438 03
439 19
440 16
441 81
442 52
443 60
444 20
445 01
446 91
447 50
448 5b
449 50
450 92
451 50
452 50
453 50
454 60
455 40
456 51
457 80
458 91
459 03
460 90
461 f3
462 5b
463 60
464 60
465 90
466 81
467 52
468 60
469 20
470 90
471 f3
472 5b
473 60
474 40
475 80
476 82
477 20
478 80
479 54
480 84
481 90
482 03
483 90
484 55
485 73
486 ff
487 ff
488 ff
489 ff
490 ff
491 ff
492 ff
493 ff
494 ff
495 ff
496 ff
497 ff
498 ff
499 ff
500 ff
501 ff
502 ff
503 ff
504 ff
505 ff
506 80
507 85
508 16
509 80
510 84
511 52
512 91
513 83
514 20
515 80
516 54
517 85
518 01
519 90
520 55
exec
/bin/bash -lc "jq -r '.artifact.runtime_bytecode.full' BYTECODE_BUNDLE.json | sed 's/"'^0x//'"' | fold -w2 | nl -ba | sed -n '521,760p'" in /tmp/codex-nv7o3z9b
succeeded in 0ms:
521 60
522 60
523 84
524 81
525 52
526 33
527 90
528 91
529 16
530 90
531 7f
532 dd
533 f2
534 52
535 ad
536 1b
537 e2
538 c8
539 9b
540 69
541 c2
542 b0
543 68
544 fc
545 37
546 8d
547 aa
548 95
549 2b
550 a7
551 f1
552 63
553 c4
554 a1
555 16
556 28
557 f5
558 5a
559 4d
560 f5
561 23
562 b3
563 ef
564 90
565 60
566 20
567 90
568 a3
569 92
570 91
571 50
572 50
573 56
574 5b
575 82
576 01
577 91
578 90
579 60
580 00
581 52
582 60
583 20
584 60
585 00
586 20
587 90
588 5b
589 81
590 54
591 81
592 52
593 90
594 60
595 01
596 01
597 90
598 60
599 20
600 01
601 80
602 83
603 11
604 61
605 02
606 4b
607 57
608 82
609 90
610 03
611 60
612 1f
613 16
614 82
615 01
616 91
617 5b
618 50
619 50
620 50
621 50
622 50
623 81
624 56
exec
/bin/bash -lc "jq '.capability_graph' BYTECODE_BUNDLE.json | sed -n '1,260p'" in /tmp/codex-nv7o3z9b
succeeded in 0ms:
{
"address": "0x87adf4d3e1eb630d41405c6ea5c0021c5b6614ff",
"block_number": null,
"chain_id": 1,
"codehash": "0xa81094f2cc770c7af4e87578dfd47661017af78a25faf932e2cde89931a52dc5",
"created_at": "2026-04-04T19:47:17.000000Z",
"graph_hash": "0x31c4f44b7912916ec325fb68fd69d5cadb257d74c9d81fb12fc0142fa6bfd971",
"graph_json": {
"edges": [
{
"from": "bb:0",
"to": "bb:71",
"type": "control_flow"
},
{
"from": "bb:0",
"to": "bb:25",
"type": "control_flow_fallthrough"
},
{
"from": "bb:25",
"to": "bb:164",
"type": "control_flow"
},
{
"from": "bb:25",
"to": "bb:36",
"type": "control_flow_fallthrough"
},
{
"from": "bb:36",
"to": "bb:176",
"type": "control_flow"
},
{
"from": "bb:36",
"to": "bb:47",
"type": "control_flow_fallthrough"
},
{
"from": "bb:47",
"to": "bb:200",
"type": "control_flow"
},
{
"from": "bb:47",
"to": "bb:58",
"type": "control_flow_fallthrough"
},
{
"from": "bb:58",
"to": "bb:291",
"type": "control_flow"
},
{
"from": "bb:58",
"to": "bb:69",
"type": "control_flow_fallthrough"
},
{
"from": "bb:71",
"to": "bb:616",
"type": "control_flow"
},
{
"from": "bb:71",
"to": "bb:137",
"type": "control_flow_fallthrough"
},
{
"from": "bb:137",
"to": "bb:573",
"type": "control_flow"
},
{
"from": "bb:137",
"to": "bb:145",
"type": "control_flow_fallthrough"
},
{
"from": "bb:145",
"to": "bb:616",
"type": "control_flow"
},
{
"from": "bb:200",
"to": "bb:616",
"type": "control_flow"
},
{
"from": "bb:200",
"to": "bb:264",
"type": "control_flow_fallthrough"
},
{
"from": "bb:264",
"to": "bb:573",
"type": "control_flow"
},
{
"from": "bb:264",
"to": "bb:272",
"type": "control_flow_fallthrough"
},
{
"from": "bb:272",
"to": "bb:616",
"type": "control_flow"
},
{
"from": "bb:291",
"to": "bb:471",
"type": "control_flow"
},
{
"from": "bb:291",
"to": "bb:347",
"type": "control_flow_fallthrough"
},
{
"from": "bb:351",
"to": "bb:447",
"type": "control_flow"
},
{
"from": "bb:351",
"to": "bb:422",
"type": "control_flow_fallthrough"
},
{
"from": "bb:422",
"to": "bb:447",
"type": "control_flow_fallthrough"
},
{
"from": "bb:573",
"to": "bb:587",
"type": "control_flow_fallthrough"
},
{
"from": "bb:587",
"to": "bb:587",
"type": "control_flow"
},
{
"from": "bb:587",
"to": "bb:607",
"type": "control_flow_fallthrough"
},
{
"from": "bb:607",
"to": "bb:616",
"type": "control_flow_fallthrough"
},
{
"from": "fn:0x313ce567",
"to": "bb:1889567281",
"type": "entry"
},
{
"from": "fn:0x70a08231",
"to": "bb:2514000705",
"type": "entry"
},
{
"from": "fn:0x95d89b41",
"to": "bb:2835717307",
"type": "entry"
},
{
"from": "bb:351",
"to": "call:405",
"type": "contains"
},
{
"from": "call:405",
"to": "sink:call",
"type": "capability"
}
],
"nodes": [
{
"end_pc": 24,
"hash": "0x6a350686911b120d699f8e8d1e9440d4ce17c4434492baee43484e2ef083a112",
"id": "bb:0",
"start_pc": 0,
"type": "basic_block"
},
{
"end_pc": 35,
"hash": "0x09fc75e3aa8fb02b98e24881cc463925488c7dfa7ef308570a5930c5c420c614",
"id": "bb:25",
"start_pc": 25,
"type": "basic_block"
},
{
"end_pc": 46,
"hash": "0x976103db32485bde438fb5c3f9f54ee02f48623f2e3b08249411cd4aee3c334a",
"id": "bb:36",
"start_pc": 36,
"type": "basic_block"
},
{
"end_pc": 57,
"hash": "0x3c19c073e27395dc44272beb525b6373ad140a4045aabbd1b653e498e1806824",
"id": "bb:47",
"start_pc": 47,
"type": "basic_block"
},
{
"end_pc": 68,
"hash": "0x3a122683470ea7901e31e80e6378780a829a06da64b04e691b5d5c5621392507",
"id": "bb:58",
"start_pc": 58,
"type": "basic_block"
},
{
"end_pc": 70,
"hash": "0x55afd043d32294d5f0189f5a0aa04f3174e4c087a31c85396f49b5f17813cb96",
"id": "bb:69",
"start_pc": 69,
"type": "basic_block"
},
{
"end_pc": 136,
"hash": "0xac6537d7b91b231bbac2ae8639ed2f1a1da6bf05008aa06a3ed77d152f70020d",
"id": "bb:71",
"start_pc": 71,
"type": "basic_block"
},
{
"end_pc": 144,
"hash": "0x62826063265f7b0a1361ae5c76928a673321264a2a99d0d24c9e3f562d187b06",
"id": "bb:137",
"start_pc": 137,
"type": "basic_block"
},
{
"end_pc": 163,
"hash": "0x881e9667f8478852b896c5118f25369529937526d5c1163711e5bb613d49d442",
"id": "bb:145",
"start_pc": 145,
"type": "basic_block"
},
{
"end_pc": 175,
"hash": "0x6dd913550e2d374feb5ff277c46b413eb9ef79a7dae1b7c5659f2c0d4fe4ed09",
"id": "bb:164",
"start_pc": 164,
"type": "basic_block"
},
{
"end_pc": 199,
"hash": "0xa5d15b4687324f59988c5bd96c68fcd7990c0770ed538f53e294dd743c00cb93",
"id": "bb:176",
"start_pc": 176,
"type": "basic_block"
},
{
"end_pc": 263,
exec
/bin/bash -lc "jq '.. | objects | select(has(\"pc\") and .pc==405)' BYTECODE_BUNDLE.json" in /tmp/codex-nv7o3z9b
succeeded in 0ms:
{
"opcode": "CALL",
"pc": 405,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
{
"id": "call:405",
"opcode": "CALL",
"pc": 405,
"type": "callsite"
}
{
"opcode": "CALL",
"pc": 405,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
{
"opcode": "CALL",
"pc": 405,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
exec
/bin/bash -lc "jq '.. | objects | select(has(\"selector\"))' BYTECODE_BUNDLE.json | sed -n '1,260p'" in /tmp/codex-nv7o3z9b
succeeded in 0ms:
{
"entry_pc": null,
"selector": "0x06fdde03"
}
{
"entry_pc": 1889567281,
"selector": "0x313ce567"
}
{
"entry_pc": 2514000705,
"selector": "0x70a08231"
}
{
"entry_pc": 2835717307,
"selector": "0x95d89b41"
}
{
"entry_pc": null,
"selector": "0xa9059cbb"
}
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0x06fdde03",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 10,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
}
{
"auth": {
"guards": []
},
"entry_pc": 1889567281,
"selector": "0x313ce567",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 10,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
}
{
"auth": {
"guards": []
},
"entry_pc": 2514000705,
"selector": "0x70a08231",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 10,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
}
{
"auth": {
"guards": []
},
"entry_pc": 2835717307,
"selector": "0x95d89b41",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 10,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
}
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0xa9059cbb",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 10,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
}
{
"entry_pc": null,
"id": "fn:0x06fdde03",
"selector": "0x06fdde03",
"type": "function"
}
{
"entry_pc": 1889567281,
"id": "fn:0x313ce567",
"selector": "0x313ce567",
"type": "function"
}
{
"entry_pc": 2514000705,
"id": "fn:0x70a08231",
"selector": "0x70a08231",
"type": "function"
}
{
"entry_pc": 2835717307,
exec
js_repl in /tmp/codex-nv7o3z9b
succeeded in 122ms:
291: JUMPDEST
292: PUSH2 0x01cd
295: PUSH1 0x04
297: CALLDATALOAD
298: PUSH1 0x24
300: CALLDATALOAD
301: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
322: CALLER
323: AND
324: PUSH1 0x00
326: SWAP1
327: DUP2
328: MSTORE
329: PUSH1 0x03
331: PUSH1 0x20
333: MSTORE
334: PUSH1 0x40
336: DUP2
337: SHA3
338: SLOAD
339: DUP3
340: SWAP1
341: LT
342: ISZERO
343: PUSH2 0x01d7
346: JUMPI
347: PUSH2 0x0002
350: JUMP
351: JUMPDEST
352: PUSH1 0x40
354: MLOAD
355: DUP1
356: DUP1
357: PUSH1 0x20
359: ADD
360: DUP3
361: DUP2
362: SUB
363: DUP3
364: MSTORE
365: DUP4
366: DUP2
367: DUP2
368: MLOAD
369: DUP2
370: MSTORE
371: PUSH1 0x20
373: ADD
374: SWAP2
375: POP
376: DUP1
377: MLOAD
378: SWAP1
379: PUSH1 0x20
381: ADD
382: SWAP1
383: DUP1
384: DUP4
385: DUP4
386: DUP3
387: SWAP1
388: PUSH1 0x00
390: PUSH1 0x04
392: PUSH1 0x20
394: DUP5
395: PUSH1 0x1f
397: ADD
398: DIV
399: PUSH1 0x03
401: MUL
402: PUSH1 0x0f
404: ADD
405: CALL
406: POP
407: SWAP1
408: POP
409: SWAP1
410: DUP2
411: ADD
412: SWAP1
413: PUSH1 0x1f
415: AND
416: DUP1
417: ISZERO
418: PUSH2 0x01bf
421: JUMPI
422: DUP1
423: DUP3
424: SUB
425: DUP1
426: MLOAD
427: PUSH1 0x01
429: DUP4
430: PUSH1 0x20
432: SUB
433: PUSH2 0x0100
436: EXP
437: SUB
438: NOT
439: AND
440: DUP2
441: MSTORE
442: PUSH1 0x20
444: ADD
445: SWAP2
446: POP
447: JUMPDEST
448: POP
449: SWAP3
450: POP
451: POP
452: POP
453: PUSH1 0x40
455: MLOAD
456: DUP1
457: SWAP2
458: SUB
459: SWAP1
460: RETURN
461: JUMPDEST
exec
js_repl in /tmp/codex-nv7o3z9b
succeeded in 3ms:
461: JUMPDEST
462: PUSH1 0x60
464: SWAP1
465: DUP2
466: MSTORE
467: PUSH1 0x20
469: SWAP1
470: RETURN
471: JUMPDEST
472: PUSH1 0x40
474: DUP1
475: DUP3
476: SHA3
477: DUP1
478: SLOAD
479: DUP5
480: SWAP1
481: SUB
482: SWAP1
483: SSTORE
484: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
505: DUP1
506: DUP6
507: AND
508: DUP1
509: DUP5
510: MSTORE
511: SWAP2
512: DUP4
513: SHA3
514: DUP1
515: SLOAD
516: DUP6
517: ADD
518: SWAP1
519: SSTORE
520: PUSH1 0x60
522: DUP5
523: DUP2
524: MSTORE
525: CALLER
526: SWAP1
527: SWAP2
528: AND
529: SWAP1
530: PUSH32 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef
563: SWAP1
564: PUSH1 0x20
566: SWAP1
567: LOG3
568: SWAP3
569: SWAP2
570: POP
571: POP
572: JUMP
573: JUMPDEST
574: DUP3
575: ADD
576: SWAP2
577: SWAP1
578: PUSH1 0x00
580: MSTORE
581: PUSH1 0x20
583: PUSH1 0x00
585: SHA3
586: SWAP1
587: JUMPDEST
588: DUP2
589: SLOAD
590: DUP2
591: MSTORE
592: SWAP1
593: PUSH1 0x01
595: ADD
596: SWAP1
597: PUSH1 0x20
599: ADD
600: DUP1
601: DUP4
602: GT
603: PUSH2 0x024b
606: JUMPI
607: DUP3
608: SWAP1
609: SUB
610: PUSH1 0x1f
612: AND
613: DUP3
614: ADD
615: SWAP2
616: JUMPDEST
617: POP
618: POP
619: POP
620: POP
621: POP
622: DUP2
623: JUMP
exec
js_repl in /tmp/codex-nv7o3z9b
succeeded in 9ms:
unsupported 200 JUMPDEST stack
exec
js_repl in /tmp/codex-nv7o3z9b
succeeded in 5ms:
263 JUMPI 0x0268 iszero(((s[0x01] & ((iszero((0x01 & s[0x01])) * 0x0100) + not(0x00))) / 0x02)) stack ((s[0x01] & ((iszero((0x01 & s[0x01])) * 0x0100) + not(0x00))) / 0x02) | 0x01 | 0x80 | ((s[0x01] & ((iszero((0x01 & s[0x01])) * 0x0100) + not(0x00))) / 0x02) | 0x01 | 0x60 | 0x015f
271 JUMPI 0x023d (0x1f < ((s[0x01] & ((iszero((0x01 & s[0x01])) * 0x0100) + not(0x00))) / 0x02)) stack ((s[0x01] & ((iszero((0x01 & s[0x01])) * 0x0100) + not(0x00))) / 0x02) | 0x01 | 0x80 | ((s[0x01] & ((iszero((0x01 & s[0x01])) * 0x0100) + not(0x00))) / 0x02) | 0x01 | 0x60 | 0x015f
290 JUMP 0x0268 stack ((s[0x01] & ((iszero((0x01 & s[0x01])) * 0x0100) + not(0x00))) / 0x02) | 0x01 | (0x20 + 0x80) | ((s[0x01] & ((iszero((0x01 & s[0x01])) * 0x0100) + not(0x00))) / 0x02) | 0x01 | 0x60 | 0x015f
346 JUMPI 0x01d7 iszero((s[keccak(0x00,0x40)] < calldata[0x24])) stack 0x00 | calldata[0x24] | calldata[0x04] | 0x01cd | ((s[0x01] & ((iszero((0x01 & s[0x01])) * 0x0100) + not(0x00))) / 0x02) | 0x01 | (0x20 + 0x80) | ((s[0x01] & ((iszero((0x01 & s[0x01])) * 0x0100) + not(0x00))) / 0x02) | 0x01 | 0x60
350 JUMP 0x0002 stack 0x00 | calldata[0x24] | calldata[0x04] | 0x01cd | ((s[0x01] & ((iszero((0x01 & s[0x01])) * 0x0100) + not(0x00))) / 0x02) | 0x01 | (0x20 + 0x80) | ((s[0x01] & ((iszero((0x01 & s[0x01])) * 0x0100) + not(0x00))) / 0x02) | 0x01 | 0x60
CALL at 405 {
gas: '(0x0f + (0x03 * ((0x1f + (caller & 0xffffffffffffffffffffffffffffffffffffffff)) / 0x20)))',
to: '0x04',
value: '0x00',
inOffset: '(0x20 + 0x00)',
inSize: '(caller & 0xffffffffffffffffffffffffffffffffffffffff)',
outOffset: '(0x20 + (0x20 + (0x80 + (((((s[0x01] & ((iszero((0x01 & s[0x01])) * 0x0100) + not(0x00))) / 0x02) + 0x1f) / 0x20) * 0x20))))',
outSize: '(caller & 0xffffffffffffffffffffffffffffffffffffffff)',
stack: 'call((0x0f + (0x03 * ((0x1f + (caller & 0xffffffffffffffffffffffffffffffffffffffff)) / 0x20))),0x04,0x00,(0x20 + 0x00),(caller & 0xffffffffffffffffffffffffffffffffffffffff),(0x20 + (0x20 + (0x80 + (((((s[0x01] & ((iszero((0x01 & s[0x01])) * 0x0100) + not(0x00))) / 0x02) + 0x1f) / 0x20) * 0x20)))),(caller & 0xffffffffffffffffffffffffffffffffffffffff)) | (caller & 0xffffffffffffffffffffffffffffffffffffffff) | (0x20 + 0x00) | (0x20 + (0x20 + (0x80 + (((((s[0x01] & ((iszero((0x01 & s[0x01])) * 0x0100) + not(0x00))) / 0x02) + 0x1f) / 0x20) * 0x20)))) | (0x80 + (((((s[0x01] & ((iszero((0x01 & s[0x01])) * 0x0100) + not(0x00))) / 0x02) + 0x1f) / 0x20) * 0x20)) | (0x80 + (((((s[0x01] & ((iszero((0x01 & s[0x01])) * 0x0100) + not(0x00))) / 0x02) + 0x1f) / 0x20) * 0x20)) | 0x00 | calldata[0x24] | calldata[0x04] | 0x01cd'
}
exec
/bin/bash -lc "jq -r '.analysis_artifact.artifact_json.basic_blocks[].opcodes[]' BYTECODE_BUNDLE.json | sort | uniq -c | rg 'CALLVALUE|DELEGATECALL|SELFDESTRUCT|CALL|STOP|JUMPDEST|SSTORE'" in /tmp/codex-nv7o3z9b
succeeded in 0ms:
1 CALL
4 CALLDATALOAD
2 CALLER
13 JUMPDEST
2 SSTORE
1 STOP
exec
/bin/bash -lc "jq '{address: .artifact.codehash, is_proxy: .artifact.is_proxy, selectors: .analysis_artifact.artifact_json.selectors, detector_findings: .detector_findings}' BYTECODE_BUNDLE.json | sed -n '1,260p'" in /tmp/codex-nv7o3z9b
succeeded in 0ms:
{
"address": "0xa81094f2cc770c7af4e87578dfd47661017af78a25faf932e2cde89931a52dc5",
"is_proxy": false,
"selectors": [
"0x06fdde03",
"0x313ce567",
"0x70a08231",
"0x95d89b41",
"0xa9059cbb"
],
"detector_findings": [
{
"confidence": 60,
"evidence_json": {
"call_count": 1,
"examples": [
{
"opcode": "CALL",
"pc": 405,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": [],
"untrusted_call_count": 1
},
"normalized_json": {
"sink": "CALL"
},
"severity": "high",
"title": "Untrusted CALL target/value reachable",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x87adf4d3e1eb630d41405c6ea5c0021c5b6614ff"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x1dc200b20862d599f0014268b25217af0e390adee30ff0bff309833d991c18f5",
"trace_mode": "callTracer"
}
},
{
"confidence": 55,
"evidence_json": {
"eth_value_calls": 1,
"examples": [
{
"opcode": "CALL",
"pc": 405,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": []
},
"normalized_json": {
"sink": "CALL",
"value": "nonzero"
},
"severity": "high",
"title": "ETH value transfer possible",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x87adf4d3e1eb630d41405c6ea5c0021c5b6614ff"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x1dc200b20862d599f0014268b25217af0e390adee30ff0bff309833d991c18f5",
"trace_mode": "callTracer"
}
}
]
}
codex
{"no_findings":false,"summary":"The bytecode does not show a proxy/delegatecall surface, and the detector-reported CALL at pc:0x195 appears to be the standard identity-precompile copy path used when returning dynamic strings rather than a user-controlled external call. The one actionable issue visible from runtime bytecode is low severity: the contract accepts ETH but no recovery path is evident, so ETH sent to it is likely trapped.","findings":[{"severity":"low","category":"other","title":"Contract accepts ETH with no visible recovery path","exploit_scenario":"A user or integrating contract sends non-zero ETH either to the fallback path or while calling an exposed function such as `transfer(address,uint256)`. Because the runtime does not appear to reject `msg.value`, the ETH is accepted. From the visible bytecode there is no owner/admin withdrawal function and no outbound ETH-transfer path, so that ETH is likely unrecoverable once sent.","recommendation":"Reject ETH at entrypoints unless the contract is intentionally payable. In practice this means adding a `CALLVALUE` check that reverts, or providing an explicit, access-controlled rescue path for ETH. If the contract is already deployed and immutable, warn integrators and users never to attach ETH to calls.","evidence":"The dispatcher exposes only selectors `0x06fdde03`, `0x313ce567`, `0x70a08231`, `0x95d89b41`, and `0xa9059cbb`, plus a fallback that reaches `STOP` at pc:0x45. The analyzed basic blocks contain no `CALLVALUE` opcode, so non-zero `msg.value` is not explicitly rejected. The only runtime `CALL` is at pc:0x195; stack-pattern analysis indicates it targets precompile `0x04` with value `0` as part of dynamic-string return handling, so it is not a visible ETH-withdrawal path. This is bytecode-only analysis, so hidden intent cannot be proven, but no ETH recovery function is visible in the runtime.","locations":["pc:0x45","pc:0x195","selector:0xa9059cbb"]}]}
tokens used
56,818
{
"codex": {
"ran_at": "2026-04-05T02:17:33.079868+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 1250,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "The bytecode does not show a proxy/delegatecall surface, and the detector-reported CALL at pc:0x195 appears to be the standard identity-precompile copy path used when returning dynamic strings rather than a user-controlled external call. The one actionable issue visible from runtime bytecode is low severity: the contract accepts ETH but no recovery path is evident, so ETH sent to it is likely trapped.",
"raw_final": {
"summary": "The bytecode does not show a proxy/delegatecall surface, and the detector-reported CALL at pc:0x195 appears to be the standard identity-precompile copy path used when returning dynamic strings rather than a user-controlled external call. The one actionable issue visible from runtime bytecode is low severity: the contract accepts ETH but no recovery path is evident, so ETH sent to it is likely trapped.",
"findings": [
{
"title": "Contract accepts ETH with no visible recovery path",
"category": "other",
"evidence": "The dispatcher exposes only selectors `0x06fdde03`, `0x313ce567`, `0x70a08231`, `0x95d89b41`, and `0xa9059cbb`, plus a fallback that reaches `STOP` at pc:0x45. The analyzed basic blocks contain no `CALLVALUE` opcode, so non-zero `msg.value` is not explicitly rejected. The only runtime `CALL` is at pc:0x195; stack-pattern analysis indicates it targets precompile `0x04` with value `0` as part of dynamic-string return handling, so it is not a visible ETH-withdrawal path. This is bytecode-only analysis, so hidden intent cannot be proven, but no ETH recovery function is visible in the runtime.",
"severity": "low",
"locations": [
"pc:0x45",
"pc:0x195",
"selector:0xa9059cbb"
],
"recommendation": "Reject ETH at entrypoints unless the contract is intentionally payable. In practice this means adding a `CALLVALUE` check that reverts, or providing an explicit, access-controlled rescue path for ETH. If the contract is already deployed and immutable, warn integrators and users never to attach ETH to calls.",
"exploit_scenario": "A user or integrating contract sends non-zero ETH either to the fallback path or while calling an exposed function such as `transfer(address,uint256)`. Because the runtime does not appear to reject `msg.value`, the ETH is accepted. From the visible bytecode there is no owner/admin withdrawal function and no outbound ETH-transfer path, so that ETH is likely unrecoverable once sent."
}
],
"no_findings": false
},
"no_findings": false,
"schema_version": 1
}
00000000: PUSH1 0x60 00000002: PUSH1 0x40 00000004: MSTORE 00000005: PUSH1 0xe0 00000007: PUSH1 0x02 00000009: EXP 0000000a: PUSH1 0x00 0000000c: CALLDATALOAD 0000000d: DIV 0000000e: PUSH4 0x06fdde03 00000013: DUP2 00000014: EQ 00000015: PUSH2 0x0047 00000018: JUMPI 00000019: DUP1 0000001a: PUSH4 0x313ce567 0000001f: EQ 00000020: PUSH2 0x00a4 00000023: JUMPI 00000024: DUP1 00000025: PUSH4 0x70a08231 0000002a: EQ 0000002b: PUSH2 0x00b0 0000002e: JUMPI 0000002f: DUP1 00000030: PUSH4 0x95d89b41 00000035: EQ 00000036: PUSH2 0x00c8 00000039: JUMPI 0000003a: DUP1 0000003b: PUSH4 0xa9059cbb 00000040: EQ 00000041: PUSH2 0x0123 00000044: JUMPI 00000045: JUMPDEST 00000046: STOP 00000047: JUMPDEST 00000048: PUSH2 0x015f 0000004b: PUSH1 0x00 0000004d: DUP1 0000004e: SLOAD 0000004f: PUSH1 0x20 00000051: PUSH1 0x02 00000053: PUSH1 0x01 00000055: DUP4 00000056: AND 00000057: ISZERO 00000058: PUSH2 0x0100 0000005b: MUL 0000005c: PUSH1 0x00 0000005e: NOT 0000005f: ADD 00000060: SWAP1 00000061: SWAP3 00000062: AND 00000063: SWAP2 00000064: SWAP1 00000065: SWAP2 00000066: DIV 00000067: PUSH1 0x1f 00000069: DUP2 0000006a: ADD 0000006b: DUP3 0000006c: SWAP1 0000006d: DIV 0000006e: SWAP1 0000006f: SWAP2 00000070: MUL 00000071: PUSH1 0x80 00000073: SWAP1 00000074: DUP2 00000075: ADD 00000076: PUSH1 0x40 00000078: MSTORE 00000079: PUSH1 0x60 0000007b: DUP3 0000007c: DUP2 0000007d: MSTORE 0000007e: SWAP3 0000007f: SWAP2 00000080: SWAP1 00000081: DUP3 00000082: DUP3 00000083: DUP1 00000084: ISZERO 00000085: PUSH2 0x0268 00000088: JUMPI 00000089: DUP1 0000008a: PUSH1 0x1f 0000008c: LT 0000008d: PUSH2 0x023d 00000090: JUMPI 00000091: PUSH2 0x0100 00000094: DUP1 00000095: DUP4 00000096: SLOAD 00000097: DIV 00000098: MUL 00000099: DUP4 0000009a: MSTORE 0000009b: SWAP2 0000009c: PUSH1 0x20 0000009e: ADD 0000009f: SWAP2 000000a0: PUSH2 0x0268 000000a3: JUMP 000000a4: JUMPDEST 000000a5: PUSH2 0x01cd 000000a8: PUSH1 0x02 000000aa: SLOAD 000000ab: PUSH1 0xff 000000ad: AND 000000ae: DUP2 000000af: JUMP 000000b0: JUMPDEST 000000b1: PUSH2 0x01cd 000000b4: PUSH1 0x04 000000b6: CALLDATALOAD 000000b7: PUSH1 0x03 000000b9: PUSH1 0x20 000000bb: MSTORE 000000bc: PUSH1 0x00 000000be: SWAP1 000000bf: DUP2 000000c0: MSTORE 000000c1: PUSH1 0x40 000000c3: SWAP1 000000c4: KECCAK256 000000c5: SLOAD 000000c6: DUP2 000000c7: JUMP 000000c8: JUMPDEST 000000c9: PUSH2 0x015f 000000cc: PUSH1 0x01 000000ce: DUP1 000000cf: SLOAD 000000d0: PUSH1 0x20 000000d2: PUSH1 0x1f 000000d4: PUSH1 0x02 000000d6: PUSH1 0x00 000000d8: NOT 000000d9: PUSH2 0x0100 000000dc: DUP6 000000dd: DUP8 000000de: AND 000000df: ISZERO 000000e0: MUL 000000e1: ADD 000000e2: SWAP1 000000e3: SWAP4 000000e4: AND 000000e5: SWAP3 000000e6: SWAP1 000000e7: SWAP3 000000e8: DIV 000000e9: SWAP2 000000ea: DUP3 000000eb: ADD 000000ec: DUP2 000000ed: SWAP1 000000ee: DIV 000000ef: MUL 000000f0: PUSH1 0x80 000000f2: SWAP1 000000f3: DUP2 000000f4: ADD 000000f5: PUSH1 0x40 000000f7: MSTORE 000000f8: PUSH1 0x60 000000fa: DUP3 000000fb: DUP2 000000fc: MSTORE 000000fd: SWAP3 000000fe: SWAP2 000000ff: SWAP1 00000100: DUP3 00000101: DUP3 00000102: DUP1 00000103: ISZERO 00000104: PUSH2 0x0268 00000107: JUMPI 00000108: DUP1 00000109: PUSH1 0x1f 0000010b: LT 0000010c: PUSH2 0x023d 0000010f: JUMPI 00000110: PUSH2 0x0100 00000113: DUP1 00000114: DUP4 00000115: SLOAD 00000116: DIV 00000117: MUL 00000118: DUP4 00000119: MSTORE 0000011a: SWAP2 0000011b: PUSH1 0x20 0000011d: ADD 0000011e: SWAP2 0000011f: PUSH2 0x0268 00000122: JUMP 00000123: JUMPDEST 00000124: PUSH2 0x01cd 00000127: PUSH1 0x04 00000129: CALLDATALOAD 0000012a: PUSH1 0x24 0000012c: CALLDATALOAD 0000012d: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000142: CALLER 00000143: AND 00000144: PUSH1 0x00 00000146: SWAP1 00000147: DUP2 00000148: MSTORE 00000149: PUSH1 0x03 0000014b: PUSH1 0x20 0000014d: MSTORE 0000014e: PUSH1 0x40 00000150: DUP2 00000151: KECCAK256 00000152: SLOAD 00000153: DUP3 00000154: SWAP1 00000155: LT 00000156: ISZERO 00000157: PUSH2 0x01d7 0000015a: JUMPI 0000015b: PUSH2 0x0002 0000015e: JUMP 0000015f: JUMPDEST 00000160: PUSH1 0x40 00000162: MLOAD 00000163: DUP1 00000164: DUP1 00000165: PUSH1 0x20 00000167: ADD 00000168: DUP3 00000169: DUP2 0000016a: SUB 0000016b: DUP3 0000016c: MSTORE 0000016d: DUP4 0000016e: DUP2 0000016f: DUP2 00000170: MLOAD 00000171: DUP2 00000172: MSTORE 00000173: PUSH1 0x20 00000175: ADD 00000176: SWAP2 00000177: POP 00000178: DUP1 00000179: MLOAD 0000017a: SWAP1 0000017b: PUSH1 0x20 0000017d: ADD 0000017e: SWAP1 0000017f: DUP1 00000180: DUP4 00000181: DUP4 00000182: DUP3 00000183: SWAP1 00000184: PUSH1 0x00 00000186: PUSH1 0x04 00000188: PUSH1 0x20 0000018a: DUP5 0000018b: PUSH1 0x1f 0000018d: ADD 0000018e: DIV 0000018f: PUSH1 0x03 00000191: MUL 00000192: PUSH1 0x0f 00000194: ADD 00000195: CALL 00000196: POP 00000197: SWAP1 00000198: POP 00000199: SWAP1 0000019a: DUP2 0000019b: ADD 0000019c: SWAP1 0000019d: PUSH1 0x1f 0000019f: AND 000001a0: DUP1 000001a1: ISZERO 000001a2: PUSH2 0x01bf 000001a5: JUMPI 000001a6: DUP1 000001a7: DUP3 000001a8: SUB 000001a9: DUP1 000001aa: MLOAD 000001ab: PUSH1 0x01 000001ad: DUP4 000001ae: PUSH1 0x20 000001b0: SUB 000001b1: PUSH2 0x0100 000001b4: EXP 000001b5: SUB 000001b6: NOT 000001b7: AND 000001b8: DUP2 000001b9: MSTORE 000001ba: PUSH1 0x20 000001bc: ADD 000001bd: SWAP2 000001be: POP 000001bf: JUMPDEST 000001c0: POP 000001c1: SWAP3 000001c2: POP 000001c3: POP 000001c4: POP 000001c5: PUSH1 0x40 000001c7: MLOAD 000001c8: DUP1 000001c9: SWAP2 000001ca: SUB 000001cb: SWAP1 000001cc: RETURN 000001cd: JUMPDEST 000001ce: PUSH1 0x60 000001d0: SWAP1 000001d1: DUP2 000001d2: MSTORE 000001d3: PUSH1 0x20 000001d5: SWAP1 000001d6: RETURN 000001d7: JUMPDEST 000001d8: PUSH1 0x40 000001da: DUP1 000001db: DUP3 000001dc: KECCAK256 000001dd: DUP1 000001de: SLOAD 000001df: DUP5 000001e0: SWAP1 000001e1: SUB 000001e2: SWAP1 000001e3: SSTORE 000001e4: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000001f9: DUP1 000001fa: DUP6 000001fb: AND 000001fc: DUP1 000001fd: DUP5 000001fe: MSTORE 000001ff: SWAP2 00000200: DUP4 00000201: KECCAK256 00000202: DUP1 00000203: SLOAD 00000204: DUP6 00000205: ADD 00000206: SWAP1 00000207: SSTORE 00000208: PUSH1 0x60 0000020a: DUP5 0000020b: DUP2 0000020c: MSTORE 0000020d: CALLER 0000020e: SWAP1 0000020f: SWAP2 00000210: AND 00000211: SWAP1 00000212: PUSH32 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef 00000233: SWAP1 00000234: PUSH1 0x20 00000236: SWAP1 00000237: LOG3 00000238: SWAP3 00000239: SWAP2 0000023a: POP 0000023b: POP 0000023c: JUMP 0000023d: JUMPDEST 0000023e: DUP3 0000023f: ADD 00000240: SWAP2 00000241: SWAP1 00000242: PUSH1 0x00 00000244: MSTORE 00000245: PUSH1 0x20 00000247: PUSH1 0x00 00000249: KECCAK256 0000024a: SWAP1 0000024b: JUMPDEST 0000024c: DUP2 0000024d: SLOAD 0000024e: DUP2 0000024f: MSTORE 00000250: SWAP1 00000251: PUSH1 0x01 00000253: ADD 00000254: SWAP1 00000255: PUSH1 0x20 00000257: ADD 00000258: DUP1 00000259: DUP4 0000025a: GT 0000025b: PUSH2 0x024b 0000025e: JUMPI 0000025f: DUP3 00000260: SWAP1 00000261: SUB 00000262: PUSH1 0x1f 00000264: AND 00000265: DUP3 00000266: ADD 00000267: SWAP2 00000268: JUMPDEST 00000269: POP 0000026a: POP 0000026b: POP 0000026c: POP 0000026d: POP 0000026e: DUP2 0000026f: JUMP
Warning: This is a nightly build of Foundry. It is recommended to use the latest stable version. To mute this warning set `FOUNDRY_DISABLE_NIGHTLY_WARNING` in your environment.
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | other | detector | Untrusted CALL target/value reachable | 60 | yes | yes |
viewtrace_id: 0x1dc200b20862d599f0014268b25217af0e390adee30ff0bff309833d991c18f5
call_targets:
0x0000000000000000000000000000000000000004, 0x87adf4d3e1eb630d41405c6ea5c0021c5b6614ff
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x1dc200b20862d599f0014268b25217af0e390adee30ff0bff309833d991c18f5",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x87adf4d3e1eb630d41405c6ea5c0021c5b6614ff"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x70a08231",
"selector": "0x70a08231",
"calldata_variants": [
"0x70a08231",
"0x70a082310000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x95d89b41",
"selector": "0x95d89b41",
"calldata_variants": [
"0x95d89b41",
"0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa9059cbb",
"selector": "0xa9059cbb",
"calldata_variants": [
"0xa9059cbb",
"0xa9059cbb0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 405,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 1,
"guards_detected": [],
"untrusted_call_count": 1
}
|
| high | other | detector | ETH value transfer possible | 55 | yes | yes |
viewtrace_id: 0x1dc200b20862d599f0014268b25217af0e390adee30ff0bff309833d991c18f5
call_targets:
0x0000000000000000000000000000000000000004, 0x87adf4d3e1eb630d41405c6ea5c0021c5b6614ff
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x1dc200b20862d599f0014268b25217af0e390adee30ff0bff309833d991c18f5",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x87adf4d3e1eb630d41405c6ea5c0021c5b6614ff"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x70a08231",
"selector": "0x70a08231",
"calldata_variants": [
"0x70a08231",
"0x70a082310000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x95d89b41",
"selector": "0x95d89b41",
"calldata_variants": [
"0x95d89b41",
"0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa9059cbb",
"selector": "0xa9059cbb",
"calldata_variants": [
"0xa9059cbb",
"0xa9059cbb0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 405,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 1,
"guards_detected": []
}
|
| low | other | codex | Contract accepts ETH with no visible recovery path | 65 | no | — |
viewevidence_json{
"evidence": "The dispatcher exposes only selectors `0x06fdde03`, `0x313ce567`, `0x70a08231`, `0x95d89b41`, and `0xa9059cbb`, plus a fallback that reaches `STOP` at pc:0x45. The analyzed basic blocks contain no `CALLVALUE` opcode, so non-zero `msg.value` is not explicitly rejected. The only runtime `CALL` is at pc:0x195; stack-pattern analysis indicates it targets precompile `0x04` with value `0` as part of dynamic-string return handling, so it is not a visible ETH-withdrawal path. This is bytecode-only analysis, so hidden intent cannot be proven, but no ETH recovery function is visible in the runtime.",
"locations": [
"pc:0x45",
"pc:0x195",
"selector:0xa9059cbb"
],
"recommendation": "Reject ETH at entrypoints unless the contract is intentionally payable. In practice this means adding a `CALLVALUE` check that reverts, or providing an explicit, access-controlled rescue path for ETH. If the contract is already deployed and immutable, warn integrators and users never to attach ETH to calls.",
"exploit_scenario": "A user or integrating contract sends non-zero ETH either to the fallback path or while calling an exposed function such as `transfer(address,uint256)`. Because the runtime does not appear to reject `msg.value`, the ETH is accepted. From the visible bytecode there is no owner/admin withdrawal function and no outbound ETH-transfer path, so that ETH is likely unrecoverable once sent."
}
|