019b3836-24d7-73a9-8b25-f729a127fa1e
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 689 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 690 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 44303 | analysis.bundle | complete | 1 / 3 | 1 week ago |
| 44304 | capability.graph | complete | 1 / 3 | 1 week ago |
| 44305 | detector.run | complete | 1 / 3 | 1 week ago |
| 44306 | validation.fork | complete | 1 / 3 | 1 week ago |
| 113228 | report.consolidate | complete | 1 / 6 | 1 week ago |
No slither job recorded yet.
{"no_findings":false,"summary":"Bytecode-only review found one concrete low-severity issue: the runtime appears to accept ETH on all entrypoints and on the fallback path, but no withdrawal/rescue path is present. The detector-reported `CALL` at `pc:0x195` does not look like an untrusted user-controlled external interaction; it is in the shared dynamic-string return helper used by `name()`/`symbol()` and the nearby literal `0x04` is consistent with the identity precompile. Selector inference is best-effort, but I did not find evidence of reentrancy, delegatecall, proxy upgrade slots, or privileged storage writes.","findings":[{"severity":"low","category":"other","title":"Contract appears payable and can permanently lock ETH","exploit_scenario":"A user can send ETH directly to the contract address or attach `msg.value` to calls such as `transfer(address,uint256)`. Because the runtime shows no obvious withdrawal, sweep, or selfdestruct path, that ETH would remain trapped in the contract indefinitely.","recommendation":"If this contract can still be changed, make public functions/fallback nonpayable or add an explicit ownerless/authorized rescue path for accidental ETH. If it is immutable, document clearly that ETH must never be sent to this address and protect integrators/UI from attaching value.","evidence":"The dispatcher falls through to `STOP` on unknown selectors (`pc:0x45` -> `pc:0x46`) instead of reverting, and no `CALLVALUE` guard is present in the runtime. The only outbound `CALL` is at `pc:0x195`, inside the string-return helper reached from `name()`/`symbol()`, with a nearby literal `0x04`, which is consistent with the identity precompile rather than an ETH-withdrawal path. No other `CALL`, `DELEGATECALL`, `SELFDESTRUCT`, or upgrade-slot write was identified in `BYTECODE_BUNDLE.json`.","locations":["pc:0x0","pc:0x45","selector:0x06fdde03","selector:0x313ce567","selector:0x70a08231","selector:0x95d89b41","selector:0xa9059cbb"]}]}
OpenAI Codex v0.118.0 (research preview)
--------
workdir: /tmp/codex-lmfef02c
model: gpt-5.4
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: none
session id: 019d5b5e-e97b-72b1-8f55-cee2a0ea9632
--------
user
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
exec
/bin/bash -lc "pwd && rg --files -g 'BYTECODE_BUNDLE.json' -g 'AGENTS.md' -g '*.json'" in /tmp/codex-lmfef02c
succeeded in 0ms:
/tmp/codex-lmfef02c
codex-output-schema.json
BYTECODE_BUNDLE.json
→ Locate and read BYTECODE_BUNDLE.json and any nearby instructions/artifacts
• Analyze bytecode evidence for concrete security issues with uncertainty noted
• Produce JSON findings matching the required schema
exec
/bin/bash -lc "sed -n '1,260p' BYTECODE_BUNDLE.json" in /tmp/codex-lmfef02c
succeeded in 0ms:
{
"analysis_artifact": {
"address": "0x94f27b5141e17dd8816242d752c7be8e6764bd22",
"artifact_hash": "0xc7cad475210619a4bee493ef7e565a4c6b9b9094c14ff42ad5316359afded243",
"artifact_json": {
"auth": {
"guards": []
},
"basic_blocks": [
{
"end_pc": 24,
"hash": "0x6a350686911b120d699f8e8d1e9440d4ce17c4434492baee43484e2ef083a112",
"opcodes": [
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"PUSH1",
"EXP",
"PUSH1",
"CALLDATALOAD",
"DIV",
"PUSH4",
"OP_81",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 0
},
{
"end_pc": 35,
"hash": "0x09fc75e3aa8fb02b98e24881cc463925488c7dfa7ef308570a5930c5c420c614",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 25
},
{
"end_pc": 46,
"hash": "0x976103db32485bde438fb5c3f9f54ee02f48623f2e3b08249411cd4aee3c334a",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 36
},
{
"end_pc": 57,
"hash": "0x3c19c073e27395dc44272beb525b6373ad140a4045aabbd1b653e498e1806824",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 47
},
{
"end_pc": 68,
"hash": "0x3a122683470ea7901e31e80e6378780a829a06da64b04e691b5d5c5621392507",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 58
},
{
"end_pc": 70,
"hash": "0x55afd043d32294d5f0189f5a0aa04f3174e4c087a31c85396f49b5f17813cb96",
"opcodes": [
"JUMPDEST",
"STOP"
],
"start_pc": 69
},
{
"end_pc": 136,
"hash": "0xcf426f299c4f9fd31c99557f3087df005281fb6475c126c87028881a4a2330be",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"OP_80",
"SLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"OP_83",
"AND",
"ISZERO",
"PUSH2",
"MUL",
"PUSH1",
"NOT",
"ADD",
"OP_90",
"OP_92",
"AND",
"OP_91",
"OP_90",
"OP_91",
"DIV",
"PUSH1",
"OP_81",
"ADD",
"OP_82",
"OP_90",
"DIV",
"OP_90",
"OP_91",
"MUL",
"PUSH1",
"OP_90",
"OP_81",
"ADD",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_82",
"OP_81",
"MSTORE",
"OP_92",
"OP_91",
"OP_90",
"OP_82",
"OP_82",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 71
},
{
"end_pc": 144,
"hash": "0x7e0c9c73d9106b622c5ce1c835f6118bd40d5da3c8a1bef9f3c6bf21a71f24b3",
"opcodes": [
"OP_80",
"PUSH1",
"LT",
"PUSH2",
"JUMPI"
],
"start_pc": 137
},
{
"end_pc": 163,
"hash": "0x2dfc1d3eb8729ce11e86a703a97580f12e943c6ddb50908245c552a6d4868886",
"opcodes": [
"PUSH2",
"OP_80",
"OP_83",
"SLOAD",
"DIV",
"MUL",
"OP_83",
"MSTORE",
"OP_91",
"PUSH1",
"ADD",
"OP_91",
"PUSH2",
"JUMP"
],
"start_pc": 145
},
{
"end_pc": 175,
"hash": "0x6dd913550e2d374feb5ff277c46b413eb9ef79a7dae1b7c5659f2c0d4fe4ed09",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"SLOAD",
"PUSH1",
"AND",
"OP_81",
"JUMP"
],
"start_pc": 164
},
{
"end_pc": 199,
"hash": "0xa5d15b4687324f59988c5bd96c68fcd7990c0770ed538f53e294dd743c00cb93",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"OP_90",
"SHA3",
"SLOAD",
"OP_81",
"JUMP"
],
"start_pc": 176
},
{
"end_pc": 263,
"hash": "0x3f2b82d4e4d2dfe95d426c15a1dd818400154814b8c3fe7aa51bc962354114a6",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"OP_80",
"SLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"PUSH1",
"NOT",
"PUSH2",
"OP_85",
"OP_87",
"AND",
"ISZERO",
"MUL",
"ADD",
"OP_90",
"OP_93",
"AND",
"OP_92",
"OP_90",
"OP_92",
"DIV",
"OP_91",
"OP_82",
"ADD",
"OP_81",
"OP_90",
"DIV",
"MUL",
"PUSH1",
"OP_90",
"OP_81",
"ADD",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_82",
exec
/bin/bash -lc "sed -n '1,200p' codex-output-schema.json" in /tmp/codex-lmfef02c
succeeded in 0ms:
{"type": "object", "additionalProperties": false, "required": ["no_findings", "summary", "findings"], "properties": {"no_findings": {"type": "boolean"}, "summary": {"type": "string"}, "findings": {"type": "array", "items": {"type": "object", "additionalProperties": false, "required": ["severity", "category", "title", "evidence", "locations", "exploit_scenario", "recommendation"], "properties": {"severity": {"type": "string", "enum": ["info", "low", "medium", "high", "critical"]}, "category": {"type": "string", "enum": ["access_control", "reentrancy", "math", "oracle", "upgradeability", "auth", "other"]}, "title": {"type": "string"}, "exploit_scenario": {"type": "string"}, "recommendation": {"type": "string"}, "evidence": {"type": "string"}, "locations": {"type": "array", "items": {"type": "string"}}}}}}}
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.detectors // .analysis_artifact.artifact_json.detector_findings // .detectors // .detector_findings' BYTECODE_BUNDLE.json" in /tmp/codex-lmfef02c
succeeded in 0ms:
[
{
"confidence": 60,
"evidence_json": {
"call_count": 1,
"examples": [
{
"opcode": "CALL",
"pc": 405,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": [],
"untrusted_call_count": 1
},
"normalized_json": {
"sink": "CALL"
},
"severity": "high",
"title": "Untrusted CALL target/value reachable",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x94f27b5141e17dd8816242d752c7be8e6764bd22"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0xd2ec54ba90b8393dd0bec772e89ee6a07c120b82588e94ba866039188ef67727",
"trace_mode": "callTracer"
}
},
{
"confidence": 55,
"evidence_json": {
"eth_value_calls": 1,
"examples": [
{
"opcode": "CALL",
"pc": 405,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": []
},
"normalized_json": {
"sink": "CALL",
"value": "nonzero"
},
"severity": "high",
"title": "ETH value transfer possible",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x94f27b5141e17dd8816242d752c7be8e6764bd22"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0xd2ec54ba90b8393dd0bec772e89ee6a07c120b82588e94ba866039188ef67727",
"trace_mode": "callTracer"
}
}
]
exec
/bin/bash -lc "jq 'keys' BYTECODE_BUNDLE.json && printf '\\n---\\n' && jq '.analysis_artifact.artifact_json | keys' BYTECODE_BUNDLE.json" in /tmp/codex-lmfef02c
succeeded in 0ms:
[
"analysis_artifact",
"analysis_run",
"artifact",
"capability_graph",
"detector_findings",
"heuristics_summary"
]
---
[
"auth",
"basic_blocks",
"callsites",
"cfg_edges",
"cfg_hash",
"dispatcher_type",
"function_entries",
"functions",
"selectors",
"sinks",
"storage",
"version"
]
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.selectors, .analysis_artifact.artifact_json.function_entries, .analysis_artifact.artifact_json.functions' BYTECODE_BUNDLE.json" in /tmp/codex-lmfef02c
succeeded in 0ms:
[
"0x06fdde03",
"0x313ce567",
"0x70a08231",
"0x95d89b41",
"0xa9059cbb"
]
[
{
"entry_pc": null,
"selector": "0x06fdde03"
},
{
"entry_pc": 1889567281,
"selector": "0x313ce567"
},
{
"entry_pc": 2514000705,
"selector": "0x70a08231"
},
{
"entry_pc": 2835717307,
"selector": "0x95d89b41"
},
{
"entry_pc": null,
"selector": "0xa9059cbb"
}
]
[
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0x06fdde03",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 10,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 1889567281,
"selector": "0x313ce567",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 10,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 2514000705,
"selector": "0x70a08231",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 10,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 2835717307,
"selector": "0x95d89b41",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 10,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0xa9059cbb",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 10,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
}
]
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.callsites, .analysis_artifact.artifact_json.sinks, .analysis_artifact.artifact_json.storage, .heuristics_summary, .capability_graph' BYTECODE_BUNDLE.json" in /tmp/codex-lmfef02c
succeeded in 0ms:
[
{
"opcode": "CALL",
"pc": 405,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
]
{
"call": 1,
"create": 0,
"create2": 0,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0,
"upgrade_slot_write_suspected": false
}
{
"keccak_count": 5,
"reads": 10,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
{
"create2_count": 0,
"delegatecall_count": 0,
"flags": [],
"selfdestruct_count": 0
}
{
"address": "0x94f27b5141e17dd8816242d752c7be8e6764bd22",
"block_number": null,
"chain_id": 1,
"codehash": "0x7f3a1e625a654d5204a7c1738f111d6716ebed652afb00f0eb387c7b2a0d4b00",
"created_at": "2026-04-04T19:46:57.000000Z",
"graph_hash": "0x4d82148fce01c9491bb37a44d667fc44fb3a22544a340232e33835bc55149ba4",
"graph_json": {
"edges": [
{
"from": "bb:0",
"to": "bb:71",
"type": "control_flow"
},
{
"from": "bb:0",
"to": "bb:25",
"type": "control_flow_fallthrough"
},
{
"from": "bb:25",
"to": "bb:164",
"type": "control_flow"
},
{
"from": "bb:25",
"to": "bb:36",
"type": "control_flow_fallthrough"
},
{
"from": "bb:36",
"to": "bb:176",
"type": "control_flow"
},
{
"from": "bb:36",
"to": "bb:47",
"type": "control_flow_fallthrough"
},
{
"from": "bb:47",
"to": "bb:200",
"type": "control_flow"
},
{
"from": "bb:47",
"to": "bb:58",
"type": "control_flow_fallthrough"
},
{
"from": "bb:58",
"to": "bb:291",
"type": "control_flow"
},
{
"from": "bb:58",
"to": "bb:69",
"type": "control_flow_fallthrough"
},
{
"from": "bb:71",
"to": "bb:514",
"type": "control_flow"
},
{
"from": "bb:71",
"to": "bb:137",
"type": "control_flow_fallthrough"
},
{
"from": "bb:137",
"to": "bb:471",
"type": "control_flow"
},
{
"from": "bb:137",
"to": "bb:145",
"type": "control_flow_fallthrough"
},
{
"from": "bb:145",
"to": "bb:514",
"type": "control_flow"
},
{
"from": "bb:200",
"to": "bb:514",
"type": "control_flow"
},
{
"from": "bb:200",
"to": "bb:264",
"type": "control_flow_fallthrough"
},
{
"from": "bb:264",
"to": "bb:471",
"type": "control_flow"
},
{
"from": "bb:264",
"to": "bb:272",
"type": "control_flow_fallthrough"
},
{
"from": "bb:272",
"to": "bb:514",
"type": "control_flow"
},
{
"from": "bb:291",
"to": "bb:522",
"type": "control_flow"
},
{
"from": "bb:291",
"to": "bb:347",
"type": "control_flow_fallthrough"
},
{
"from": "bb:351",
"to": "bb:447",
"type": "control_flow"
},
{
"from": "bb:351",
"to": "bb:422",
"type": "control_flow_fallthrough"
},
{
"from": "bb:422",
"to": "bb:447",
"type": "control_flow_fallthrough"
},
{
"from": "bb:471",
"to": "bb:485",
"type": "control_flow_fallthrough"
},
{
"from": "bb:485",
"to": "bb:485",
"type": "control_flow"
},
{
"from": "bb:485",
"to": "bb:505",
"type": "control_flow_fallthrough"
},
{
"from": "bb:505",
"to": "bb:514",
"type": "control_flow_fallthrough"
},
{
"from": "fn:0x313ce567",
"to": "bb:1889567281",
"type": "entry"
},
{
"from": "fn:0x70a08231",
"to": "bb:2514000705",
"type": "entry"
},
{
"from": "fn:0x95d89b41",
"to": "bb:2835717307",
"type": "entry"
},
{
"from": "bb:351",
"to": "call:405",
"type": "contains"
},
{
"from": "call:405",
"to": "sink:call",
"type": "capability"
}
],
"nodes": [
{
"end_pc": 24,
"hash": "0x6a350686911b120d699f8e8d1e9440d4ce17c4434492baee43484e2ef083a112",
"id": "bb:0",
"start_pc": 0,
"type": "basic_block"
},
{
"end_pc": 35,
"hash": "0x09fc75e3aa8fb02b98e24881cc463925488c7dfa7ef308570a5930c5c420c614",
"id": "bb:25",
"start_pc": 25,
"type": "basic_block"
},
{
"end_pc": 46,
"hash": "0x976103db32485bde438fb5c3f9f54ee02f48623f2e3b08249411cd4aee3c334a",
"id": "bb:36",
"start_pc": 36,
"type": "basic_block"
},
{
"end_pc": 57,
"hash": "0x3c19c073e27395dc44272beb525b6373ad140a4045aabbd1b653e498e1806824",
"id": "bb:47",
"start_pc": 47,
"type": "basic_block"
},
{
"end_pc": 68,
"hash": "0x3a122683470ea7901e31e80e6378780a829a06da64b04e691b5d5c5621392507",
"id": "bb:58",
"start_pc": 58,
"type": "basic_block"
},
{
"end_pc": 70,
"hash": "0x55afd043d32294d5f0189f5a0aa04f3174e4c087a31c85396f49b5f17813cb96",
"id": "bb:69",
"start_pc": 69,
"type": "basic_block"
},
{
"end_pc": 136,
"hash": "0xcf426f299c4f9fd31c99557f3087df005281fb6475c126c87028881a4a2330be",
"id": "bb:71",
"start_pc": 71,
"type": "basic_block"
},
{
"end_pc": 144,
"hash": "0x7e0c9c73d9106b622c5ce1c835f6118bd40d5da3c8a1bef9f3c6bf21a71f24b3",
"id": "bb:137",
"start_pc": 137,
"type": "basic_block"
},
{
"end_pc": 163,
"hash": "0x2dfc1d3eb8729ce11e86a703a97580f12e943c6ddb50908245c552a6d4868886",
"id": "bb:145",
"start_pc": 145,
"type": "basic_block"
},
{
"end_pc": 175,
"hash": "0x6dd913550e2d374feb5ff277c46b413eb9ef79a7dae1b7c5659f2c0d4fe4ed09",
"id": "bb:164",
"start_pc": 164,
"type": "basic_block"
},
{
"end_pc": 199,
"hash": "0xa5d15b4687324f59988c5bd96c68fcd7990c0770ed538f53e294dd743c00cb93",
"id": "bb:176",
"start_pc": 176,
"type": "basic_block"
},
{
"end_pc": 263,
"hash": "0x3f2b82d4e4d2dfe95d426c15a1dd818400154814b8c3fe7aa51bc962354114a6",
"id": "bb:200",
"start_pc": 200,
"type": "basic_block"
},
{
"end_pc": 271,
"hash": "0x9bf3fc5fd85eadcae2c2271a65f521a9d0a3527050090386e332c60b702c20ee",
"id": "bb:264",
"start_pc": 264,
"type": "basic_block"
},
{
"end_pc": 290,
"hash": "0x04fe5d9f15c84337558051ada92331604ec3424d441ed01e4a50830aa9ddae4d",
"id": "bb:272",
"start_pc": 272,
"type": "basic_block"
},
{
"end_pc": 346,
"hash": "0xa7333dc5620e9a44e4278893b59f95a26526105a8f02e77a775751809229c008",
"id": "bb:291",
"start_pc": 291,
"type": "basic_block"
},
{
"end_pc": 350,
"hash": "0x7a09aaa54f7a88e8701a7be70d663114263e3b4c4f1a8cacc003208768553d29",
"id": "bb:347",
"start_pc": 347,
"type": "basic_block"
},
{
"end_pc": 421,
"hash": "0x350fdeec274b9125de6d1d70c8deb41a8d2e078367f9bb61fb85f672bedaced7",
"id": "bb:351",
"start_pc": 351,
"type": "basic_block"
},
{
"end_pc": 446,
"hash": "0x868d33b0622f90ef14f8988b49e62843484d5268b1a9c45187e747fbb0863d6b",
"id": "bb:422",
"start_pc": 422,
"type": "basic_block"
},
{
"end_pc": 460,
"hash": "0x4b9584e78b59ff0651f211cf92ba35019bc4f3f14ae218ff60bcaa0a72bc68fe",
"id": "bb:447",
"start_pc": 447,
"type": "basic_block"
},
{
"end_pc": 470,
"hash": "0x46246dda680f915139d854d3bbb280092e3f508736a5bfcf71cb5ca44f4baaa8",
"id": "bb:461",
"start_pc": 461,
"type": "basic_block"
},
{
"end_pc": 484,
"hash": "0x85225624bac7d43fce0c0028ed21850012b8c4f0556c6de6adaa77f1961f5e5e",
"id": "bb:471",
"start_pc": 471,
"type": "basic_block"
},
{
"end_pc": 504,
"hash": "0x363d6fea26422f107ba9df25c397a292d6446d35f54c96c882e251b8d3ed77a1",
"id": "bb:485",
"start_pc": 485,
"type": "basic_block"
},
{
"end_pc": 513,
"hash": "0x4dea9e4300869997d432560cfd50b91e77ec17ef6bb11b63b4010ff007a83d84",
"id": "bb:505",
"start_pc": 505,
"type": "basic_block"
},
{
"end_pc": 521,
"hash": "0xf46d7fd3645ac4711d9a79cd7c77350e1e3506f5c296d672dcdcc161d19fe473",
"id": "bb:514",
"start_pc": 514,
"type": "basic_block"
},
{
"end_pc": 623,
"hash": "0x5cb6d93934362f7c4a2b0e0cd17bf4eaec8b60c47242cd4571ab531b425b8688",
"id": "bb:522",
"start_pc": 522,
"type": "basic_block"
},
{
"id": "call:405",
"opcode": "CALL",
"pc": 405,
"type": "callsite"
},
{
"id": "sink:call",
"type": "sink"
},
{
"entry_pc": null,
"id": "fn:0x06fdde03",
"selector": "0x06fdde03",
"type": "function"
},
{
"entry_pc": 1889567281,
"id": "fn:0x313ce567",
"selector": "0x313ce567",
"type": "function"
},
{
"entry_pc": 2514000705,
"id": "fn:0x70a08231",
"selector": "0x70a08231",
"type": "function"
},
{
"entry_pc": 2835717307,
"id": "fn:0x95d89b41",
"selector": "0x95d89b41",
"type": "function"
},
{
"entry_pc": null,
"id": "fn:0xa9059cbb",
"selector": "0xa9059cbb",
"type": "function"
}
],
"version": "capability_graph_v1"
},
"id": 1735,
"updated_at": "2026-04-04T19:46:57.000000Z",
"version": "capability_graph_v1"
}
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.basic_blocks[] | select(.start_pc>=291) | {start_pc,end_pc,opcodes}' BYTECODE_BUNDLE.json" in /tmp/codex-lmfef02c
succeeded in 0ms:
{
"start_pc": 291,
"end_pc": 346,
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"CALLDATALOAD",
"PUSH20",
"CALLER",
"AND",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_81",
"SHA3",
"SLOAD",
"OP_82",
"OP_90",
"LT",
"ISZERO",
"PUSH2",
"JUMPI"
]
}
{
"start_pc": 347,
"end_pc": 350,
"opcodes": [
"PUSH2",
"JUMP"
]
}
{
"start_pc": 351,
"end_pc": 421,
"opcodes": [
"JUMPDEST",
"PUSH1",
"MLOAD",
"OP_80",
"OP_80",
"PUSH1",
"ADD",
"OP_82",
"OP_81",
"SUB",
"OP_82",
"MSTORE",
"OP_83",
"OP_81",
"OP_81",
"MLOAD",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP",
"OP_80",
"MLOAD",
"OP_90",
"PUSH1",
"ADD",
"OP_90",
"OP_80",
"OP_83",
"OP_83",
"OP_82",
"OP_90",
"PUSH1",
"PUSH1",
"PUSH1",
"OP_84",
"PUSH1",
"ADD",
"DIV",
"PUSH1",
"MUL",
"PUSH1",
"ADD",
"CALL",
"POP",
"OP_90",
"POP",
"OP_90",
"OP_81",
"ADD",
"OP_90",
"PUSH1",
"AND",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
]
}
{
"start_pc": 422,
"end_pc": 446,
"opcodes": [
"OP_80",
"OP_82",
"SUB",
"OP_80",
"MLOAD",
"PUSH1",
"OP_83",
"PUSH1",
"SUB",
"PUSH2",
"EXP",
"SUB",
"NOT",
"AND",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP"
]
}
{
"start_pc": 447,
"end_pc": 460,
"opcodes": [
"JUMPDEST",
"POP",
"OP_92",
"POP",
"POP",
"POP",
"PUSH1",
"MLOAD",
"OP_80",
"OP_91",
"SUB",
"OP_90",
"RETURN"
]
}
{
"start_pc": 461,
"end_pc": 470,
"opcodes": [
"JUMPDEST",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"OP_90",
"RETURN"
]
}
{
"start_pc": 471,
"end_pc": 484,
"opcodes": [
"JUMPDEST",
"OP_82",
"ADD",
"OP_91",
"OP_90",
"PUSH1",
"MSTORE",
"PUSH1",
"PUSH1",
"SHA3",
"OP_90"
]
}
{
"start_pc": 485,
"end_pc": 504,
"opcodes": [
"JUMPDEST",
"OP_81",
"SLOAD",
"OP_81",
"MSTORE",
"OP_90",
"PUSH1",
"ADD",
"OP_90",
"PUSH1",
"ADD",
"OP_80",
"OP_83",
"GT",
"PUSH2",
"JUMPI"
]
}
{
"start_pc": 505,
"end_pc": 513,
"opcodes": [
"OP_82",
"OP_90",
"SUB",
"PUSH1",
"AND",
"OP_82",
"ADD",
"OP_91"
]
}
{
"start_pc": 514,
"end_pc": 521,
"opcodes": [
"JUMPDEST",
"POP",
"POP",
"POP",
"POP",
"POP",
"OP_81",
"JUMP"
]
}
{
"start_pc": 522,
"end_pc": 623,
"opcodes": [
"JUMPDEST",
"PUSH1",
"OP_80",
"OP_82",
"SHA3",
"OP_80",
"SLOAD",
"OP_84",
"OP_90",
"SUB",
"OP_90",
"SSTORE",
"PUSH20",
"OP_80",
"OP_85",
"AND",
"OP_80",
"OP_84",
"MSTORE",
"OP_91",
"OP_83",
"SHA3",
"OP_80",
"SLOAD",
"OP_85",
"ADD",
"OP_90",
"SSTORE",
"PUSH1",
"OP_84",
"OP_81",
"MSTORE",
"CALLER",
"OP_90",
"OP_91",
"AND",
"OP_90",
"PUSH32",
"OP_90",
"PUSH1",
"OP_90",
"OP_A3",
"OP_92",
"OP_91",
"POP",
"POP",
"JUMP"
]
}
exec
/bin/bash -lc "jq '.artifact // .analysis_run // empty' BYTECODE_BUNDLE.json" in /tmp/codex-lmfef02c
succeeded in 0ms:
{
"codehash": "0x7f3a1e625a654d5204a7c1738f111d6716ebed652afb00f0eb387c7b2a0d4b00",
"compiler_json": {
"etherscan": {
"skipped": true
}
},
"implementation_address": null,
"is_proxy": false,
"runtime_bytecode": {
"full": "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",
"head": null,
"length": 1250,
"tail": null,
"truncated": false
},
"verified_source": false
}
I have the runtime and detector outputs. Next I’m decoding the transfer path around `pc:0x195`/`405` to separate a real arbitrary external call risk from normal ERC20 behavior.
✓ Locate and read BYTECODE_BUNDLE.json and any nearby instructions/artifacts
→ Analyze bytecode evidence for concrete security issues with uncertainty noted
• Produce JSON findings matching the required schema
exec
js_repl in /tmp/codex-lmfef02c
succeeded in 108ms:
0122 JUMP
0123 JUMPDEST
0124 PUSH2 01cd
0127 PUSH1 04
0129 CALLDATALOAD
012a PUSH1 24
012c CALLDATALOAD
012d PUSH20 ffffffffffffffffffffffffffffffffffffffff
0142 CALLER
0143 AND
0144 PUSH1 00
0146 SWAP1
0147 DUP2
0148 MSTORE
0149 PUSH1 03
014b PUSH1 20
014d MSTORE
014e PUSH1 40
0150 DUP2
0151 SHA3
0152 SLOAD
0153 DUP3
0154 SWAP1
0155 LT
0156 ISZERO
0157 PUSH2 020a
015a JUMPI
015b PUSH2 0002
015e JUMP
015f JUMPDEST
0160 PUSH1 40
0162 MLOAD
0163 DUP1
0164 DUP1
0165 PUSH1 20
0167 ADD
0168 DUP3
0169 DUP2
016a SUB
016b DUP3
016c MSTORE
016d DUP4
016e DUP2
016f DUP2
0170 MLOAD
0171 DUP2
0172 MSTORE
0173 PUSH1 20
0175 ADD
0176 SWAP2
0177 POP
0178 DUP1
0179 MLOAD
017a SWAP1
017b PUSH1 20
017d ADD
017e SWAP1
017f DUP1
0180 DUP4
0181 DUP4
0182 DUP3
0183 SWAP1
0184 PUSH1 00
0186 PUSH1 04
0188 PUSH1 20
018a DUP5
018b PUSH1 1f
018d ADD
018e DIV
018f PUSH1 03
0191 MUL
0192 PUSH1 0f
0194 ADD
0195 CALL
0196 POP
0197 SWAP1
0198 POP
0199 SWAP1
019a DUP2
019b ADD
019c SWAP1
019d PUSH1 1f
019f AND
01a0 DUP1
01a1 ISZERO
01a2 PUSH2 01bf
01a5 JUMPI
01a6 DUP1
01a7 DUP3
01a8 SUB
01a9 DUP1
01aa MLOAD
01ab PUSH1 01
01ad DUP4
01ae PUSH1 20
01b0 SUB
01b1 PUSH2 0100
01b4 EXP
01b5 SUB
01b6 NOT
01b7 AND
01b8 DUP2
01b9 MSTORE
01ba PUSH1 20
01bc ADD
01bd SWAP2
01be POP
01bf JUMPDEST
01c0 POP
01c1 SWAP3
01c2 POP
01c3 POP
01c4 POP
01c5 PUSH1 40
01c7 MLOAD
01c8 DUP1
01c9 SWAP2
01ca SUB
01cb SWAP1
01cc RETURN
01cd JUMPDEST
01ce PUSH1 60
01d0 SWAP1
01d1 DUP2
01d2 MSTORE
01d3 PUSH1 20
01d5 SWAP1
01d6 RETURN
01d7 JUMPDEST
01d8 DUP3
01d9 ADD
01da SWAP2
01db SWAP1
01dc PUSH1 00
01de MSTORE
01df PUSH1 20
01e1 PUSH1 00
01e3 SHA3
01e4 SWAP1
01e5 JUMPDEST
01e6 DUP2
01e7 SLOAD
01e8 DUP2
01e9 MSTORE
01ea SWAP1
01eb PUSH1 01
01ed ADD
01ee SWAP1
01ef PUSH1 20
01f1 ADD
01f2 DUP1
01f3 DUP4
01f4 GT
01f5 PUSH2 01e5
01f8 JUMPI
01f9 DUP3
01fa SWAP1
01fb SUB
01fc PUSH1 1f
01fe AND
01ff DUP3
0200 ADD
0201 SWAP2
0202 JUMPDEST
0203 POP
0204 POP
0205 POP
0206 POP
0207 POP
0208 DUP2
0209 JUMP
020a JUMPDEST
020b PUSH1 40
020d DUP1
020e DUP3
020f SHA3
0210 DUP1
exec
js_repl in /tmp/codex-lmfef02c
succeeded in 1ms:
020a JUMPDEST
020b PUSH1 40
020d DUP1
020e DUP3
020f SHA3
0210 DUP1
0211 SLOAD
0212 DUP5
0213 SWAP1
0214 SUB
0215 SWAP1
0216 SSTORE
0217 PUSH20 ffffffffffffffffffffffffffffffffffffffff
022c DUP1
022d DUP6
022e AND
022f DUP1
0230 DUP5
0231 MSTORE
0232 SWAP2
0233 DUP4
0234 SHA3
0235 DUP1
0236 SLOAD
0237 DUP6
0238 ADD
0239 SWAP1
023a SSTORE
023b PUSH1 60
023d DUP5
023e DUP2
023f MSTORE
0240 CALLER
0241 SWAP1
0242 SWAP2
0243 AND
0244 SWAP1
0245 PUSH32 ddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef
0266 SWAP1
0267 PUSH1 20
0269 SWAP1
026a LOG3
026b SWAP3
026c SWAP2
026d POP
026e POP
026f JUMP
exec
js_repl in /tmp/codex-lmfef02c
succeeded in 5ms:
0000 PUSH1 60
0002 PUSH1 40
0004 MSTORE
0005 PUSH1 e0
0007 PUSH1 02
0009 EXP
000a PUSH1 00
000c CALLDATALOAD
000d DIV
000e PUSH4 06fdde03
0013 DUP2
0014 EQ
0015 PUSH2 0047
0018 JUMPI
0019 DUP1
001a PUSH4 313ce567
001f EQ
0020 PUSH2 00a4
0023 JUMPI
0024 DUP1
0025 PUSH4 70a08231
002a EQ
002b PUSH2 00b0
002e JUMPI
002f DUP1
0030 PUSH4 95d89b41
0035 EQ
0036 PUSH2 00c8
0039 JUMPI
003a DUP1
003b PUSH4 a9059cbb
0040 EQ
0041 PUSH2 0123
0044 JUMPI
0045 JUMPDEST
0046 STOP
0047 JUMPDEST
0048 PUSH2 015f
004b PUSH1 00
004d DUP1
004e SLOAD
004f PUSH1 20
0051 PUSH1 02
0053 PUSH1 01
0055 DUP4
0056 AND
0057 ISZERO
0058 PUSH2 0100
005b MUL
005c PUSH1 00
005e NOT
005f ADD
0060 SWAP1
0061 SWAP3
0062 AND
0063 SWAP2
0064 SWAP1
0065 SWAP2
0066 DIV
0067 PUSH1 1f
0069 DUP2
006a ADD
006b DUP3
006c SWAP1
006d DIV
006e SWAP1
006f SWAP2
0070 MUL
0071 PUSH1 80
0073 SWAP1
0074 DUP2
0075 ADD
0076 PUSH1 40
0078 MSTORE
0079 PUSH1 60
007b DUP3
007c DUP2
007d MSTORE
007e SWAP3
007f SWAP2
0080 SWAP1
0081 DUP3
0082 DUP3
0083 DUP1
0084 ISZERO
0085 PUSH2 0202
0088 JUMPI
0089 DUP1
008a PUSH1 1f
008c LT
008d PUSH2 01d7
0090 JUMPI
0091 PUSH2 0100
0094 DUP1
0095 DUP4
0096 SLOAD
0097 DIV
0098 MUL
0099 DUP4
009a MSTORE
009b SWAP2
009c PUSH1 20
009e ADD
009f SWAP2
00a0 PUSH2 0202
00a3 JUMP
00a4 JUMPDEST
00a5 PUSH2 01cd
00a8 PUSH1 02
00aa SLOAD
00ab PUSH1 ff
00ad AND
00ae DUP2
00af JUMP
00b0 JUMPDEST
00b1 PUSH2 01cd
00b4 PUSH1 04
00b6 CALLDATALOAD
00b7 PUSH1 03
00b9 PUSH1 20
00bb MSTORE
00bc PUSH1 00
00be SWAP1
00bf DUP2
00c0 MSTORE
00c1 PUSH1 40
00c3 SWAP1
00c4 SHA3
00c5 SLOAD
00c6 DUP2
00c7 JUMP
00c8 JUMPDEST
00c9 PUSH2 015f
00cc PUSH1 01
00ce DUP1
00cf SLOAD
00d0 PUSH1 20
00d2 PUSH1 1f
00d4 PUSH1 02
00d6 PUSH1 00
00d8 NOT
00d9 PUSH2 0100
00dc DUP6
00dd DUP8
00de AND
00df ISZERO
00e0 MUL
00e1 ADD
00e2 SWAP1
00e3 SWAP4
00e4 AND
00e5 SWAP3
00e6 SWAP1
00e7 SWAP3
00e8 DIV
00e9 SWAP2
00ea DUP3
00eb ADD
00ec DUP2
00ed SWAP1
00ee DIV
00ef MUL
00f0 PUSH1 80
00f2 SWAP1
00f3 DUP2
00f4 ADD
00f5 PUSH1 40
00f7 MSTORE
00f8 PUSH1 60
00fa DUP3
00fb DUP2
00fc MSTORE
00fd SWAP3
00fe SWAP2
00ff SWAP1
0100 DUP3
0101 DUP3
0102 DUP1
0103 ISZERO
0104 PUSH2 0202
0107 JUMPI
0108 DUP1
0109 PUSH1 1f
010b LT
010c PUSH2 01d7
010f JUMPI
0110 PUSH2 0100
0113 DUP1
0114 DUP4
0115 SLOAD
0116 DIV
0117 MUL
0118 DUP4
0119 MSTORE
011a SWAP2
011b PUSH1 20
011d ADD
011e SWAP2
011f PUSH2 0202
0122 JUMP
0123 JUMPDEST
0124 PUSH2 01cd
0127 PUSH1 04
0129 CALLDATALOAD
012a PUSH1 24
012c CALLDATALOAD
012d PUSH20 ffffffffffffffffffffffffffffffffffffffff
exec
js_repl in /tmp/codex-lmfef02c
succeeded in 11ms:
15f JUMPDEST => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...)
160 PUSH1 40 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | 0x40
162 MLOAD => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40]
163 DUP1 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40]
164 DUP1 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | mem[0x40]
165 PUSH1 20 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | mem[0x40] | 0x20
167 ADD => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | (mem[0x40] + 0x20)
168 DUP3 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | (mem[0x40] + 0x20) | mem[0x40]
169 DUP2 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | (mem[0x40] + 0x20) | mem[0x40] | (mem[0x40] + 0x20)
16a SUB => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | (mem[0x40] + 0x20) | (mem[0x40] - (mem[0x40] + 0x20))
16b DUP3 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | (mem[0x40] + 0x20) | (mem[0x40] - (mem[0x40] + 0x20)) | mem[0x40]
16c MSTORE => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | (mem[0x40] + 0x20)
16d DUP4 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | (mem[0x40] + 0x20) | JUMPDEST(...)
16e DUP2 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | (mem[0x40] + 0x20) | JUMPDEST(...) | (mem[0x40] + 0x20)
16f DUP2 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | (mem[0x40] + 0x20) | JUMPDEST(...) | (mem[0x40] + 0x20) | JUMPDEST(...)
170 MLOAD => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | (mem[0x40] + 0x20) | JUMPDEST(...) | (mem[0x40] + 0x20) | mem[JUMPDEST(...)]
171 DUP2 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | (mem[0x40] + 0x20) | JUMPDEST(...) | (mem[0x40] + 0x20) | mem[JUMPDEST(...)] | (mem[0x40] + 0x20)
172 MSTORE => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | (mem[0x40] + 0x20) | JUMPDEST(...) | (mem[0x40] + 0x20)
173 PUSH1 20 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | (mem[0x40] + 0x20) | JUMPDEST(...) | (mem[0x40] + 0x20) | 0x20
175 ADD => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | (mem[0x40] + 0x20) | JUMPDEST(...) | ((mem[0x40] + 0x20) + 0x20)
176 SWAP2 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | JUMPDEST(...) | (mem[0x40] + 0x20)
177 POP => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | JUMPDEST(...)
178 DUP1 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | JUMPDEST(...) | JUMPDEST(...)
179 MLOAD => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | JUMPDEST(...) | mem[JUMPDEST(...)]
17a SWAP1 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | mem[JUMPDEST(...)] | JUMPDEST(...)
17b PUSH1 20 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | mem[JUMPDEST(...)] | JUMPDEST(...) | 0x20
17d ADD => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | mem[JUMPDEST(...)] | (JUMPDEST(...) + 0x20)
17e SWAP1 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | (JUMPDEST(...) + 0x20) | mem[JUMPDEST(...)]
17f DUP1 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | (JUMPDEST(...) + 0x20) | mem[JUMPDEST(...)] | mem[JUMPDEST(...)]
180 DUP4 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | (JUMPDEST(...) + 0x20) | mem[JUMPDEST(...)] | mem[JUMPDEST(...)] | ((mem[0x40] + 0x20) + 0x20)
181 DUP4 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | (JUMPDEST(...) + 0x20) | mem[JUMPDEST(...)] | mem[JUMPDEST(...)] | ((mem[0x40] + 0x20) + 0x20) | (JUMPDEST(...) + 0x20)
182 DUP3 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | (JUMPDEST(...) + 0x20) | mem[JUMPDEST(...)] | mem[JUMPDEST(...)] | ((mem[0x40] + 0x20) + 0x20) | (JUMPDEST(...) + 0x20) | mem[JUMPDEST(...)]
183 SWAP1 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | (JUMPDEST(...) + 0x20) | mem[JUMPDEST(...)] | mem[JUMPDEST(...)] | ((mem[0x40] + 0x20) + 0x20) | mem[JUMPDEST(...)] | (JUMPDEST(...) + 0x20)
184 PUSH1 00 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | (JUMPDEST(...) + 0x20) | mem[JUMPDEST(...)] | mem[JUMPDEST(...)] | ((mem[0x40] + 0x20) + 0x20) | mem[JUMPDEST(...)] | (JUMPDEST(...) + 0x20) | 0x00
186 PUSH1 04 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | (JUMPDEST(...) + 0x20) | mem[JUMPDEST(...)] | mem[JUMPDEST(...)] | ((mem[0x40] + 0x20) + 0x20) | mem[JUMPDEST(...)] | (JUMPDEST(...) + 0x20) | 0x00 | 0x04
188 PUSH1 20 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | (JUMPDEST(...) + 0x20) | mem[JUMPDEST(...)] | mem[JUMPDEST(...)] | ((mem[0x40] + 0x20) + 0x20) | mem[JUMPDEST(...)] | (JUMPDEST(...) + 0x20) | 0x00 | 0x04 | 0x20
18a DUP5 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | (JUMPDEST(...) + 0x20) | mem[JUMPDEST(...)] | mem[JUMPDEST(...)] | ((mem[0x40] + 0x20) + 0x20) | mem[JUMPDEST(...)] | (JUMPDEST(...) + 0x20) | 0x00 | 0x04 | 0x20 | mem[JUMPDEST(...)]
18b PUSH1 1f => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | (JUMPDEST(...) + 0x20) | mem[JUMPDEST(...)] | mem[JUMPDEST(...)] | ((mem[0x40] + 0x20) + 0x20) | mem[JUMPDEST(...)] | (JUMPDEST(...) + 0x20) | 0x00 | 0x04 | 0x20 | mem[JUMPDEST(...)] | 0x1f
18d ADD => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | (JUMPDEST(...) + 0x20) | mem[JUMPDEST(...)] | mem[JUMPDEST(...)] | ((mem[0x40] + 0x20) + 0x20) | mem[JUMPDEST(...)] | (JUMPDEST(...) + 0x20) | 0x00 | 0x04 | 0x20 | (mem[JUMPDEST(...)] + 0x1f)
18e DIV => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | (JUMPDEST(...) + 0x20) | mem[JUMPDEST(...)] | mem[JUMPDEST(...)] | ((mem[0x40] + 0x20) + 0x20) | mem[JUMPDEST(...)] | (JUMPDEST(...) + 0x20) | 0x00 | 0x04 | (0x20 / (mem[JUMPDEST(...)] + 0x1f))
18f PUSH1 03 => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | (JUMPDEST(...) + 0x20) | mem[JUMPDEST(...)] | mem[JUMPDEST(...)] | ((mem[0x40] + 0x20) + 0x20) | mem[JUMPDEST(...)] | (JUMPDEST(...) + 0x20) | 0x00 | 0x04 | (0x20 / (mem[JUMPDEST(...)] + 0x1f)) | 0x03
191 MUL => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | (JUMPDEST(...) + 0x20) | mem[JUMPDEST(...)] | mem[JUMPDEST(...)] | ((mem[0x40] + 0x20) + 0x20) | mem[JUMPDEST(...)] | (JUMPDEST(...) + 0x20) | 0x00 | 0x04 | ((0x20 / (mem[JUMPDEST(...)] + 0x1f)) * 0x03)
192 PUSH1 0f => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | (JUMPDEST(...) + 0x20) | mem[JUMPDEST(...)] | mem[JUMPDEST(...)] | ((mem[0x40] + 0x20) + 0x20) | mem[JUMPDEST(...)] | (JUMPDEST(...) + 0x20) | 0x00 | 0x04 | ((0x20 / (mem[JUMPDEST(...)] + 0x1f)) * 0x03) | 0x0f
194 ADD => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | (JUMPDEST(...) + 0x20) | mem[JUMPDEST(...)] | mem[JUMPDEST(...)] | ((mem[0x40] + 0x20) + 0x20) | mem[JUMPDEST(...)] | (JUMPDEST(...) + 0x20) | 0x00 | 0x04 | (((0x20 / (mem[JUMPDEST(...)] + 0x1f)) * 0x03) + 0x0f)
195 CALL => ret=0x1cd | to | amount | tmp0 | JUMPDEST(...) | mem[0x40] | mem[0x40] | ((mem[0x40] + 0x20) + 0x20) | (JUMPDEST(...) + 0x20) | mem[JUMPDEST(...)] | mem[JUMPDEST(...)] | ((mem[0x40] + 0x20) + 0x20) | mem[JUMPDEST(...)] | (JUMPDEST(...) + 0x20) | 0x00 | 0x04 | (((0x20 / (mem[JUMPDEST(...)] + 0x1f)) * 0x03) + 0x0f) | CALL(...)
exec
js_repl in /tmp/codex-lmfef02c
succeeded in 13ms:
{
"pc": 405,
"preCallStack": [
"ret=0x1cd",
"to",
"amount",
0,
128,
128,
192,
32,
"mem[0]",
"mem[0]",
192,
"mem[0]",
32,
0,
4,
"(((32 / (mem[0] + 31)) * 3) + 15)"
],
"mem": [
[
64,
128
],
[
128,
-32
],
[
160,
"mem[0]"
]
]
}
exec
js_repl in /tmp/codex-lmfef02c
succeeded in 5ms:
0123 JUMPDEST stack= []
0124 PUSH2 01cd stack= [461]
0127 PUSH1 04 stack= [461,4]
0129 CALLDATALOAD stack= [461,"to"]
012a PUSH1 24 stack= [461,"to",36]
012c CALLDATALOAD stack= [461,"to","amount"]
012d PUSH20 ffffffffffffffffffffffffffffffffffffffff stack= [461,"to","amount",1.461501637330903e+48]
0142 CALLER stack= [461,"to","amount",1.461501637330903e+48,"caller"]
0143 AND stack= [461,"to","amount","mask(caller)"]
0144 PUSH1 00 stack= [461,"to","amount","mask(caller)",0]
0146 SWAP1 stack= [461,"to","amount",0,"mask(caller)"]
0147 DUP2 stack= [461,"to","amount",0,"mask(caller)",0]
0148 MSTORE stack= [461,"to","amount",0]
0149 PUSH1 03 stack= [461,"to","amount",0,3]
014b PUSH1 20 stack= [461,"to","amount",0,3,32]
014d MSTORE stack= [461,"to","amount",0]
014e PUSH1 40 stack= [461,"to","amount",0,64]
0150 DUP2 stack= [461,"to","amount",0,64,0]
0151 SHA3 stack= [461,"to","amount",0,"keccak(mem[0:64])"]
0152 SLOAD stack= [461,"to","amount",0,"sload(keccak(mem[0:64]))"]
0153 DUP3 stack= [461,"to","amount",0,"sload(keccak(mem[0:64]))","amount"]
0154 SWAP1 stack= [461,"to","amount",0,"amount","sload(keccak(mem[0:64]))"]
0155 LT stack= [461,"to","amount",0,"(sload(keccak(mem[0:64])) < amount)"]
0156 ISZERO stack= [461,"to","amount",0,"iszero((sload(keccak(mem[0:64])) < amount))"]
0157 PUSH2 020a stack= [461,"to","amount",0,"iszero((sload(keccak(mem[0:64])) < amount))",522]
JUMPI to 522 if iszero((sload(keccak(mem[0:64])) < amount))
015a JUMPI stack= [461,"to","amount",0]
015b PUSH2 0002 stack= [461,"to","amount",0,2]
JUMP 2
015e JUMP stack= [461,"to","amount",0]
015f JUMPDEST stack= [461,"to","amount",0]
0160 PUSH1 40 stack= [461,"to","amount",0,64]
0162 MLOAD stack= [461,"to","amount",0,128]
0163 DUP1 stack= [461,"to","amount",0,128,128]
0164 DUP1 stack= [461,"to","amount",0,128,128,128]
0165 PUSH1 20 stack= [461,"to","amount",0,128,128,128,32]
0167 ADD stack= [461,"to","amount",0,128,128,160]
0168 DUP3 stack= [461,"to","amount",0,128,128,160,128]
0169 DUP2 stack= [461,"to","amount",0,128,128,160,128,160]
016a SUB stack= [461,"to","amount",0,128,128,160,-32]
016b DUP3 stack= [461,"to","amount",0,128,128,160,-32,128]
016c MSTORE stack= [461,"to","amount",0,128,128,160]
016d DUP4 stack= [461,"to","amount",0,128,128,160,0]
016e DUP2 stack= [461,"to","amount",0,128,128,160,0,160]
016f DUP2 stack= [461,"to","amount",0,128,128,160,0,160,0]
0170 MLOAD stack= [461,"to","amount",0,128,128,160,0,160,"mask(caller)"]
0171 DUP2 stack= [461,"to","amount",0,128,128,160,0,160,"mask(caller)",160]
0172 MSTORE stack= [461,"to","amount",0,128,128,160,0,160]
0173 PUSH1 20 stack= [461,"to","amount",0,128,128,160,0,160,32]
0175 ADD stack= [461,"to","amount",0,128,128,160,0,192]
0176 SWAP2 stack= [461,"to","amount",0,128,128,192,0,160]
0177 POP stack= [461,"to","amount",0,128,128,192,0]
0178 DUP1 stack= [461,"to","amount",0,128,128,192,0,0]
0179 MLOAD stack= [461,"to","amount",0,128,128,192,0,"mask(caller)"]
017a SWAP1 stack= [461,"to","amount",0,128,128,192,"mask(caller)",0]
017b PUSH1 20 stack= [461,"to","amount",0,128,128,192,"mask(caller)",0,32]
017d ADD stack= [461,"to","amount",0,128,128,192,"mask(caller)",32]
017e SWAP1 stack= [461,"to","amount",0,128,128,192,32,"mask(caller)"]
017f DUP1 stack= [461,"to","amount",0,128,128,192,32,"mask(caller)","mask(caller)"]
0180 DUP4 stack= [461,"to","amount",0,128,128,192,32,"mask(caller)","mask(caller)",192]
0181 DUP4 stack= [461,"to","amount",0,128,128,192,32,"mask(caller)","mask(caller)",192,32]
0182 DUP3 stack= [461,"to","amount",0,128,128,192,32,"mask(caller)","mask(caller)",192,32,"mask(caller)"]
0183 SWAP1 stack= [461,"to","amount",0,128,128,192,32,"mask(caller)","mask(caller)",192,"mask(caller)",32]
0184 PUSH1 00 stack= [461,"to","amount",0,128,128,192,32,"mask(caller)","mask(caller)",192,"mask(caller)",32,0]
0186 PUSH1 04 stack= [461,"to","amount",0,128,128,192,32,"mask(caller)","mask(caller)",192,"mask(caller)",32,0,4]
0188 PUSH1 20 stack= [461,"to","amount",0,128,128,192,32,"mask(caller)","mask(caller)",192,"mask(caller)",32,0,4,32]
018a DUP5 stack= [461,"to","amount",0,128,128,192,32,"mask(caller)","mask(caller)",192,"mask(caller)",32,0,4,32,"mask(caller)"]
018b PUSH1 1f stack= [461,"to","amount",0,128,128,192,32,"mask(caller)","mask(caller)",192,"mask(caller)",32,0,4,32,"mask(caller)",31]
018d ADD stack= [461,"to","amount",0,128,128,192,32,"mask(caller)","mask(caller)",192,"mask(caller)",32,0,4,32,"(mask(caller) + 31)"]
018e DIV stack= [461,"to","amount",0,128,128,192,32,"mask(caller)","mask(caller)",192,"mask(caller)",32,0,4,"(32 / (mask(caller) + 31))"]
018f PUSH1 03 stack= [461,"to","amount",0,128,128,192,32,"mask(caller)","mask(caller)",192,"mask(caller)",32,0,4,"(32 / (mask(caller) + 31))",3]
0191 MUL stack= [461,"to","amount",0,128,128,192,32,"mask(caller)","mask(caller)",192,"mask(caller)",32,0,4,"((32 / (mask(caller) + 31)) * 3)"]
0192 PUSH1 0f stack= [461,"to","amount",0,128,128,192,32,"mask(caller)","mask(caller)",192,"mask(caller)",32,0,4,"((32 / (mask(caller) + 31)) * 3)",15]
0194 ADD stack= [461,"to","amount",0,128,128,192,32,"mask(caller)","mask(caller)",192,"mask(caller)",32,0,4,"(((32 / (mask(caller) + 31)) * 3) + 15)"]
PRECALL STACK [
461,
"to",
"amount",
0,
128,
128,
192,
32,
"mask(caller)",
"mask(caller)",
192,
"mask(caller)",
32,
0,
4,
"(((32 / (mask(caller) + 31)) * 3) + 15)"
]
MEM [
[
64,
128
],
[
0,
"mask(caller)"
],
[
32,
3
],
[
128,
-32
],
[
160,
"mask(caller)"
]
]
exec
/bin/bash -lc "jq -r '.artifact.runtime_bytecode.full' BYTECODE_BUNDLE.json | grep -oi '34' | head" in /tmp/codex-lmfef02c
succeeded in 0ms:
The only `CALL` at `pc:0x195` sits in the shared string-return helper used by `name()`/`symbol()`, and the nearby literal `0x04` strongly indicates the identity precompile rather than an untrusted external target. I found one concrete low-severity issue instead: every selector path and the fallback accept ETH, but the runtime exposes no withdrawal path.
✓ Locate and read BYTECODE_BUNDLE.json and any nearby instructions/artifacts
✓ Analyze bytecode evidence for concrete security issues with uncertainty noted
→ Produce JSON findings matching the required schema
codex
{"no_findings":false,"summary":"Bytecode-only review found one concrete low-severity issue: the runtime appears to accept ETH on all entrypoints and on the fallback path, but no withdrawal/rescue path is present. The detector-reported `CALL` at `pc:0x195` does not look like an untrusted user-controlled external interaction; it is in the shared dynamic-string return helper used by `name()`/`symbol()` and the nearby literal `0x04` is consistent with the identity precompile. Selector inference is best-effort, but I did not find evidence of reentrancy, delegatecall, proxy upgrade slots, or privileged storage writes.","findings":[{"severity":"low","category":"other","title":"Contract appears payable and can permanently lock ETH","exploit_scenario":"A user can send ETH directly to the contract address or attach `msg.value` to calls such as `transfer(address,uint256)`. Because the runtime shows no obvious withdrawal, sweep, or selfdestruct path, that ETH would remain trapped in the contract indefinitely.","recommendation":"If this contract can still be changed, make public functions/fallback nonpayable or add an explicit ownerless/authorized rescue path for accidental ETH. If it is immutable, document clearly that ETH must never be sent to this address and protect integrators/UI from attaching value.","evidence":"The dispatcher falls through to `STOP` on unknown selectors (`pc:0x45` -> `pc:0x46`) instead of reverting, and no `CALLVALUE` guard is present in the runtime. The only outbound `CALL` is at `pc:0x195`, inside the string-return helper reached from `name()`/`symbol()`, with a nearby literal `0x04`, which is consistent with the identity precompile rather than an ETH-withdrawal path. No other `CALL`, `DELEGATECALL`, `SELFDESTRUCT`, or upgrade-slot write was identified in `BYTECODE_BUNDLE.json`.","locations":["pc:0x0","pc:0x45","selector:0x06fdde03","selector:0x313ce567","selector:0x70a08231","selector:0x95d89b41","selector:0xa9059cbb"]}]}
tokens used
60,013
{
"codex": {
"ran_at": "2026-04-05T02:05:33.972329+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 1250,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "Bytecode-only review found one concrete low-severity issue: the runtime appears to accept ETH on all entrypoints and on the fallback path, but no withdrawal/rescue path is present. The detector-reported `CALL` at `pc:0x195` does not look like an untrusted user-controlled external interaction; it is in the shared dynamic-string return helper used by `name()`/`symbol()` and the nearby literal `0x04` is consistent with the identity precompile. Selector inference is best-effort, but I did not find evidence of reentrancy, delegatecall, proxy upgrade slots, or privileged storage writes.",
"raw_final": {
"summary": "Bytecode-only review found one concrete low-severity issue: the runtime appears to accept ETH on all entrypoints and on the fallback path, but no withdrawal/rescue path is present. The detector-reported `CALL` at `pc:0x195` does not look like an untrusted user-controlled external interaction; it is in the shared dynamic-string return helper used by `name()`/`symbol()` and the nearby literal `0x04` is consistent with the identity precompile. Selector inference is best-effort, but I did not find evidence of reentrancy, delegatecall, proxy upgrade slots, or privileged storage writes.",
"findings": [
{
"title": "Contract appears payable and can permanently lock ETH",
"category": "other",
"evidence": "The dispatcher falls through to `STOP` on unknown selectors (`pc:0x45` -> `pc:0x46`) instead of reverting, and no `CALLVALUE` guard is present in the runtime. The only outbound `CALL` is at `pc:0x195`, inside the string-return helper reached from `name()`/`symbol()`, with a nearby literal `0x04`, which is consistent with the identity precompile rather than an ETH-withdrawal path. No other `CALL`, `DELEGATECALL`, `SELFDESTRUCT`, or upgrade-slot write was identified in `BYTECODE_BUNDLE.json`.",
"severity": "low",
"locations": [
"pc:0x0",
"pc:0x45",
"selector:0x06fdde03",
"selector:0x313ce567",
"selector:0x70a08231",
"selector:0x95d89b41",
"selector:0xa9059cbb"
],
"recommendation": "If this contract can still be changed, make public functions/fallback nonpayable or add an explicit ownerless/authorized rescue path for accidental ETH. If it is immutable, document clearly that ETH must never be sent to this address and protect integrators/UI from attaching value.",
"exploit_scenario": "A user can send ETH directly to the contract address or attach `msg.value` to calls such as `transfer(address,uint256)`. Because the runtime shows no obvious withdrawal, sweep, or selfdestruct path, that ETH would remain trapped in the contract indefinitely."
}
],
"no_findings": false
},
"no_findings": false,
"schema_version": 1
}
00000000: PUSH1 0x60 00000002: PUSH1 0x40 00000004: MSTORE 00000005: PUSH1 0xe0 00000007: PUSH1 0x02 00000009: EXP 0000000a: PUSH1 0x00 0000000c: CALLDATALOAD 0000000d: DIV 0000000e: PUSH4 0x06fdde03 00000013: DUP2 00000014: EQ 00000015: PUSH2 0x0047 00000018: JUMPI 00000019: DUP1 0000001a: PUSH4 0x313ce567 0000001f: EQ 00000020: PUSH2 0x00a4 00000023: JUMPI 00000024: DUP1 00000025: PUSH4 0x70a08231 0000002a: EQ 0000002b: PUSH2 0x00b0 0000002e: JUMPI 0000002f: DUP1 00000030: PUSH4 0x95d89b41 00000035: EQ 00000036: PUSH2 0x00c8 00000039: JUMPI 0000003a: DUP1 0000003b: PUSH4 0xa9059cbb 00000040: EQ 00000041: PUSH2 0x0123 00000044: JUMPI 00000045: JUMPDEST 00000046: STOP 00000047: JUMPDEST 00000048: PUSH2 0x015f 0000004b: PUSH1 0x00 0000004d: DUP1 0000004e: SLOAD 0000004f: PUSH1 0x20 00000051: PUSH1 0x02 00000053: PUSH1 0x01 00000055: DUP4 00000056: AND 00000057: ISZERO 00000058: PUSH2 0x0100 0000005b: MUL 0000005c: PUSH1 0x00 0000005e: NOT 0000005f: ADD 00000060: SWAP1 00000061: SWAP3 00000062: AND 00000063: SWAP2 00000064: SWAP1 00000065: SWAP2 00000066: DIV 00000067: PUSH1 0x1f 00000069: DUP2 0000006a: ADD 0000006b: DUP3 0000006c: SWAP1 0000006d: DIV 0000006e: SWAP1 0000006f: SWAP2 00000070: MUL 00000071: PUSH1 0x80 00000073: SWAP1 00000074: DUP2 00000075: ADD 00000076: PUSH1 0x40 00000078: MSTORE 00000079: PUSH1 0x60 0000007b: DUP3 0000007c: DUP2 0000007d: MSTORE 0000007e: SWAP3 0000007f: SWAP2 00000080: SWAP1 00000081: DUP3 00000082: DUP3 00000083: DUP1 00000084: ISZERO 00000085: PUSH2 0x0202 00000088: JUMPI 00000089: DUP1 0000008a: PUSH1 0x1f 0000008c: LT 0000008d: PUSH2 0x01d7 00000090: JUMPI 00000091: PUSH2 0x0100 00000094: DUP1 00000095: DUP4 00000096: SLOAD 00000097: DIV 00000098: MUL 00000099: DUP4 0000009a: MSTORE 0000009b: SWAP2 0000009c: PUSH1 0x20 0000009e: ADD 0000009f: SWAP2 000000a0: PUSH2 0x0202 000000a3: JUMP 000000a4: JUMPDEST 000000a5: PUSH2 0x01cd 000000a8: PUSH1 0x02 000000aa: SLOAD 000000ab: PUSH1 0xff 000000ad: AND 000000ae: DUP2 000000af: 
JUMP 000000b0: JUMPDEST 000000b1: PUSH2 0x01cd 000000b4: PUSH1 0x04 000000b6: CALLDATALOAD 000000b7: PUSH1 0x03 000000b9: PUSH1 0x20 000000bb: MSTORE 000000bc: PUSH1 0x00 000000be: SWAP1 000000bf: DUP2 000000c0: MSTORE 000000c1: PUSH1 0x40 000000c3: SWAP1 000000c4: KECCAK256 000000c5: SLOAD 000000c6: DUP2 000000c7: JUMP 000000c8: JUMPDEST 000000c9: PUSH2 0x015f 000000cc: PUSH1 0x01 000000ce: DUP1 000000cf: SLOAD 000000d0: PUSH1 0x20 000000d2: PUSH1 0x1f 000000d4: PUSH1 0x02 000000d6: PUSH1 0x00 000000d8: NOT 000000d9: PUSH2 0x0100 000000dc: DUP6 000000dd: DUP8 000000de: AND 000000df: ISZERO 000000e0: MUL 000000e1: ADD 000000e2: SWAP1 000000e3: SWAP4 000000e4: AND 000000e5: SWAP3 000000e6: SWAP1 000000e7: SWAP3 000000e8: DIV 000000e9: SWAP2 000000ea: DUP3 000000eb: ADD 000000ec: DUP2 000000ed: SWAP1 000000ee: DIV 000000ef: MUL 000000f0: PUSH1 0x80 000000f2: SWAP1 000000f3: DUP2 000000f4: ADD 000000f5: PUSH1 0x40 000000f7: MSTORE 000000f8: PUSH1 0x60 000000fa: DUP3 000000fb: DUP2 000000fc: MSTORE 000000fd: SWAP3 000000fe: SWAP2 000000ff: SWAP1 00000100: DUP3 00000101: DUP3 00000102: DUP1 00000103: ISZERO 00000104: PUSH2 0x0202 00000107: JUMPI 00000108: DUP1 00000109: PUSH1 0x1f 0000010b: LT 0000010c: PUSH2 0x01d7 0000010f: JUMPI 00000110: PUSH2 0x0100 00000113: DUP1 00000114: DUP4 00000115: SLOAD 00000116: DIV 00000117: MUL 00000118: DUP4 00000119: MSTORE 0000011a: SWAP2 0000011b: PUSH1 0x20 0000011d: ADD 0000011e: SWAP2 0000011f: PUSH2 0x0202 00000122: JUMP 00000123: JUMPDEST 00000124: PUSH2 0x01cd 00000127: PUSH1 0x04 00000129: CALLDATALOAD 0000012a: PUSH1 0x24 0000012c: CALLDATALOAD 0000012d: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000142: CALLER 00000143: AND 00000144: PUSH1 0x00 00000146: SWAP1 00000147: DUP2 00000148: MSTORE 00000149: PUSH1 0x03 0000014b: PUSH1 0x20 0000014d: MSTORE 0000014e: PUSH1 0x40 00000150: DUP2 00000151: KECCAK256 00000152: SLOAD 00000153: DUP3 00000154: SWAP1 00000155: LT 00000156: ISZERO 00000157: PUSH2 0x020a 0000015a: 
JUMPI 0000015b: PUSH2 0x0002 0000015e: JUMP 0000015f: JUMPDEST 00000160: PUSH1 0x40 00000162: MLOAD 00000163: DUP1 00000164: DUP1 00000165: PUSH1 0x20 00000167: ADD 00000168: DUP3 00000169: DUP2 0000016a: SUB 0000016b: DUP3 0000016c: MSTORE 0000016d: DUP4 0000016e: DUP2 0000016f: DUP2 00000170: MLOAD 00000171: DUP2 00000172: MSTORE 00000173: PUSH1 0x20 00000175: ADD 00000176: SWAP2 00000177: POP 00000178: DUP1 00000179: MLOAD 0000017a: SWAP1 0000017b: PUSH1 0x20 0000017d: ADD 0000017e: SWAP1 0000017f: DUP1 00000180: DUP4 00000181: DUP4 00000182: DUP3 00000183: SWAP1 00000184: PUSH1 0x00 00000186: PUSH1 0x04 00000188: PUSH1 0x20 0000018a: DUP5 0000018b: PUSH1 0x1f 0000018d: ADD 0000018e: DIV 0000018f: PUSH1 0x03 00000191: MUL 00000192: PUSH1 0x0f 00000194: ADD 00000195: CALL 00000196: POP 00000197: SWAP1 00000198: POP 00000199: SWAP1 0000019a: DUP2 0000019b: ADD 0000019c: SWAP1 0000019d: PUSH1 0x1f 0000019f: AND 000001a0: DUP1 000001a1: ISZERO 000001a2: PUSH2 0x01bf 000001a5: JUMPI 000001a6: DUP1 000001a7: DUP3 000001a8: SUB 000001a9: DUP1 000001aa: MLOAD 000001ab: PUSH1 0x01 000001ad: DUP4 000001ae: PUSH1 0x20 000001b0: SUB 000001b1: PUSH2 0x0100 000001b4: EXP 000001b5: SUB 000001b6: NOT 000001b7: AND 000001b8: DUP2 000001b9: MSTORE 000001ba: PUSH1 0x20 000001bc: ADD 000001bd: SWAP2 000001be: POP 000001bf: JUMPDEST 000001c0: POP 000001c1: SWAP3 000001c2: POP 000001c3: POP 000001c4: POP 000001c5: PUSH1 0x40 000001c7: MLOAD 000001c8: DUP1 000001c9: SWAP2 000001ca: SUB 000001cb: SWAP1 000001cc: RETURN 000001cd: JUMPDEST 000001ce: PUSH1 0x60 000001d0: SWAP1 000001d1: DUP2 000001d2: MSTORE 000001d3: PUSH1 0x20 000001d5: SWAP1 000001d6: RETURN 000001d7: JUMPDEST 000001d8: DUP3 000001d9: ADD 000001da: SWAP2 000001db: SWAP1 000001dc: PUSH1 0x00 000001de: MSTORE 000001df: PUSH1 0x20 000001e1: PUSH1 0x00 000001e3: KECCAK256 000001e4: SWAP1 000001e5: JUMPDEST 000001e6: DUP2 000001e7: SLOAD 000001e8: DUP2 000001e9: MSTORE 000001ea: SWAP1 000001eb: PUSH1 0x01 000001ed: ADD 
000001ee: SWAP1 000001ef: PUSH1 0x20 000001f1: ADD 000001f2: DUP1 000001f3: DUP4 000001f4: GT 000001f5: PUSH2 0x01e5 000001f8: JUMPI 000001f9: DUP3 000001fa: SWAP1 000001fb: SUB 000001fc: PUSH1 0x1f 000001fe: AND 000001ff: DUP3 00000200: ADD 00000201: SWAP2 00000202: JUMPDEST 00000203: POP 00000204: POP 00000205: POP 00000206: POP 00000207: POP 00000208: DUP2 00000209: JUMP 0000020a: JUMPDEST 0000020b: PUSH1 0x40 0000020d: DUP1 0000020e: DUP3 0000020f: KECCAK256 00000210: DUP1 00000211: SLOAD 00000212: DUP5 00000213: SWAP1 00000214: SUB 00000215: SWAP1 00000216: SSTORE 00000217: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000022c: DUP1 0000022d: DUP6 0000022e: AND 0000022f: DUP1 00000230: DUP5 00000231: MSTORE 00000232: SWAP2 00000233: DUP4 00000234: KECCAK256 00000235: DUP1 00000236: SLOAD 00000237: DUP6 00000238: ADD 00000239: SWAP1 0000023a: SSTORE 0000023b: PUSH1 0x60 0000023d: DUP5 0000023e: DUP2 0000023f: MSTORE 00000240: CALLER 00000241: SWAP1 00000242: SWAP2 00000243: AND 00000244: SWAP1 00000245: PUSH32 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef 00000266: SWAP1 00000267: PUSH1 0x20 00000269: SWAP1 0000026a: LOG3 0000026b: SWAP3 0000026c: SWAP2 0000026d: POP 0000026e: POP 0000026f: JUMP
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | other | detector | Untrusted CALL target/value reachable | 60 | yes | yes |
trace_id: 0xd2ec54ba90b8393dd0bec772e89ee6a07c120b82588e94ba866039188ef67727
call_targets:
0x0000000000000000000000000000000000000004, 0x94f27b5141e17dd8816242d752c7be8e6764bd22
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0xd2ec54ba90b8393dd0bec772e89ee6a07c120b82588e94ba866039188ef67727",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x94f27b5141e17dd8816242d752c7be8e6764bd22"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x70a08231",
"selector": "0x70a08231",
"calldata_variants": [
"0x70a08231",
"0x70a082310000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x95d89b41",
"selector": "0x95d89b41",
"calldata_variants": [
"0x95d89b41",
"0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa9059cbb",
"selector": "0xa9059cbb",
"calldata_variants": [
"0xa9059cbb",
"0xa9059cbb0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 405,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 1,
"guards_detected": [],
"untrusted_call_count": 1
}
|
| high | other | detector | ETH value transfer possible | 55 | yes | yes |
trace_id: 0xd2ec54ba90b8393dd0bec772e89ee6a07c120b82588e94ba866039188ef67727
call_targets:
0x0000000000000000000000000000000000000004, 0x94f27b5141e17dd8816242d752c7be8e6764bd22
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0xd2ec54ba90b8393dd0bec772e89ee6a07c120b82588e94ba866039188ef67727",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x94f27b5141e17dd8816242d752c7be8e6764bd22"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x70a08231",
"selector": "0x70a08231",
"calldata_variants": [
"0x70a08231",
"0x70a082310000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x95d89b41",
"selector": "0x95d89b41",
"calldata_variants": [
"0x95d89b41",
"0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa9059cbb",
"selector": "0xa9059cbb",
"calldata_variants": [
"0xa9059cbb",
"0xa9059cbb0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 405,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 1,
"guards_detected": []
}
|
| low | other | codex | Contract appears payable and can permanently lock ETH | 65 | no | — |
evidence_json{
"evidence": "The dispatcher falls through to `STOP` on unknown selectors (`pc:0x45` -> `pc:0x46`) instead of reverting, and no `CALLVALUE` guard is present in the runtime. The only outbound `CALL` is at `pc:0x195`, inside the string-return helper reached from `name()`/`symbol()`, with a nearby literal `0x04`, which is consistent with the identity precompile rather than an ETH-withdrawal path. No other `CALL`, `DELEGATECALL`, `SELFDESTRUCT`, or upgrade-slot write was identified in `BYTECODE_BUNDLE.json`.",
"locations": [
"pc:0x0",
"pc:0x45",
"selector:0x06fdde03",
"selector:0x313ce567",
"selector:0x70a08231",
"selector:0x95d89b41",
"selector:0xa9059cbb"
],
"recommendation": "If this contract can still be changed, make public functions/fallback nonpayable or add an explicit ownerless/authorized rescue path for accidental ETH. If it is immutable, document clearly that ETH must never be sent to this address and protect integrators/UI from attaching value.",
"exploit_scenario": "A user can send ETH directly to the contract address or attach `msg.value` to calls such as `transfer(address,uint256)`. Because the runtime shows no obvious withdrawal, sweep, or selfdestruct path, that ETH would remain trapped in the contract indefinitely."
}
|