019b3836-258e-70dc-8c36-57a18d72465b
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 793 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 794 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 44163 | analysis.bundle | complete | 1 / 3 | 1 week ago |
| 44164 | capability.graph | complete | 1 / 3 | 1 week ago |
| 44165 | detector.run | complete | 1 / 3 | 1 week ago |
| 44166 | validation.fork | complete | 1 / 3 | 1 week ago |
| 113226 | report.consolidate | complete | 1 / 6 | 1 week ago |
No slither job recorded yet.
{"no_findings":false,"summary":"Minimal ERC20-like runtime with selectors consistent with `name`, `symbol`, `decimals`, `balanceOf`, and `transfer`. I do not see proxy/admin/delegatecall logic. The detector-reported CALLs at `pc:0x168` and `pc:0x373` match legacy string-return helper code that appears to call precompile `0x04`, so I do not treat them as the primary issue. The meaningful bytecode-level findings are a non-standard `transfer` return value and unchecked recipient-balance addition. Bytecode-only caveat: selector inference is best-effort, and overflow reachability depends on unknown deployment-time supply/balances.","findings":[{"severity":"low","category":"other","title":"`transfer` appears to return `false` even when balances are updated successfully","exploit_scenario":"A protocol that uses standard ERC-20 semantics, such as `require(token.transfer(...))` or a SafeERC20-style wrapper, will observe `false` and revert. That makes the token unusable in many integrations even though this contract already updated balances and emitted `Transfer` before returning.","recommendation":"Return canonical boolean `true` on successful transfers, or document/wrap the token as non-standard before integrating it anywhere that expects ERC-20-compliant return values.","evidence":"Selector `0xa9059cbb` dispatches into the transfer routine at `pc:0x1e2`. The routine pushes `0` at `pc:0x1e3` and never writes `1` on the success path. After storage updates and the `Transfer` log, cleanup at `pc:0x2ff`-`pc:0x303` returns with that original `0` left as the ABI return word. This is a direct bytecode inference, not source-level confirmation.","locations":["selector:0xa9059cbb","pc:0x1e3","pc:0x2ff","pc:0x303"]},{"severity":"low","category":"math","title":"Recipient balance credit uses unchecked addition","exploit_scenario":"If the deployment ever has a recipient balance near `2^256-1`, transferring additional tokens into that account will wrap the stored balance and break accounting. Because I only have runtime bytecode, I cannot determine whether the initial supply/balance distribution makes this reachable in practice, so severity stays low.","recommendation":"Use checked arithmetic for the recipient credit path, or compile with Solidity 0.8+ semantics / SafeMath-equivalent protections.","evidence":"The transfer path only checks `senderBalance >= amount` at `pc:0x215`-`pc:0x21b`. The recipient update later performs raw `ADD` at `pc:0x291` and writes the result with `SSTORE` at `pc:0x297`, with no overflow check visible in the bytecode artifact.","locations":["selector:0xa9059cbb","pc:0x215","pc:0x21b","pc:0x291","pc:0x297"]}]}
OpenAI Codex v0.118.0 (research preview)
--------
workdir: /tmp/codex-ft7v4ero
model: gpt-5.4
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: none
session id: 019d5b5a-c0ff-7c22-bb78-9168e454c653
--------
user
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
warning: Codex could not find system bubblewrap on PATH. Please install bubblewrap with your package manager. Codex will use the vendored bubblewrap in the meantime.
exec
/bin/bash -lc pwd in /tmp/codex-ft7v4ero
succeeded in 0ms:
/tmp/codex-ft7v4ero
exec
/bin/bash -lc 'rg --files' in /tmp/codex-ft7v4ero
succeeded in 0ms:
BYTECODE_BUNDLE.json
codex-output-schema.json
exec
/bin/bash -lc 'wc -c BYTECODE_BUNDLE.json' in /tmp/codex-ft7v4ero
succeeded in 0ms:
61633 BYTECODE_BUNDLE.json
exec
/bin/bash -lc "sed -n '1,220p' codex-output-schema.json" in /tmp/codex-ft7v4ero
succeeded in 0ms:
{"type": "object", "additionalProperties": false, "required": ["no_findings", "summary", "findings"], "properties": {"no_findings": {"type": "boolean"}, "summary": {"type": "string"}, "findings": {"type": "array", "items": {"type": "object", "additionalProperties": false, "required": ["severity", "category", "title", "evidence", "locations", "exploit_scenario", "recommendation"], "properties": {"severity": {"type": "string", "enum": ["info", "low", "medium", "high", "critical"]}, "category": {"type": "string", "enum": ["access_control", "reentrancy", "math", "oracle", "upgradeability", "auth", "other"]}, "title": {"type": "string"}, "exploit_scenario": {"type": "string"}, "recommendation": {"type": "string"}, "evidence": {"type": "string"}, "locations": {"type": "array", "items": {"type": "string"}}}}}}}
exec
/bin/bash -lc "sed -n '1,260p' BYTECODE_BUNDLE.json" in /tmp/codex-ft7v4ero
succeeded in 0ms:
{
"analysis_artifact": {
"address": "0xac514f05160d2723aa7fb27bf98abf347dd26d2d",
"artifact_hash": "0x08177c2e94d90325c6931d31c238e6f443578de3102143e4b17e5bf85103c3bc",
"artifact_json": {
"auth": {
"guards": []
},
"basic_blocks": [
{
"end_pc": 50,
"hash": "0xa4ab65b57ab5db0e57ef86ac0e763e13a8d273712c384c26347c9bb70ec08d76",
"opcodes": [
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"CALLDATALOAD",
"PUSH29",
"OP_90",
"DIV",
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 0
},
{
"end_pc": 61,
"hash": "0x0a3822448e80d3aa8092f4b4e041fa2728089f25fe2f7b283ccc7085a99a5058",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 51
},
{
"end_pc": 72,
"hash": "0x8d997f9a24c76d3c871403accc12146ef638633385f7a0c9fd25d120d9bb6a8a",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 62
},
{
"end_pc": 83,
"hash": "0x557746912bf7ec4316cb73c2be2db047b5faf991c021166040ed2eff5d1b0bfe",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 73
},
{
"end_pc": 94,
"hash": "0x7ca8d9de4970197eb5b5ee6204e78466977bfd06b544dc0d4115b330fd0be4d2",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 84
},
{
"end_pc": 98,
"hash": "0xb6b79067bc3bbbe72ede22081143fe034ab03a3c04a25dcedf132bfdc85e73e8",
"opcodes": [
"PUSH2",
"JUMP"
],
"start_pc": 95
},
{
"end_pc": 100,
"hash": "0x8fec8678ea5c198c6fae824bb3aec57bc59e3e3bd1af5574375919c6689727d4",
"opcodes": [
"JUMPDEST",
"STOP"
],
"start_pc": 99
},
{
"end_pc": 113,
"hash": "0x2f60546cf8ce6311e1c1fbe895fc6c79c9735fbafafc57d38183aadc4eefc354",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"OP_80",
"POP",
"POP",
"PUSH2",
"JUMP"
],
"start_pc": 101
},
{
"end_pc": 184,
"hash": "0x45a6526d39443c05a9dc2f61d755066d40cf50a722122ffecb2359d77c9dfd1f",
"opcodes": [
"JUMPDEST",
"PUSH1",
"MLOAD",
"OP_80",
"OP_80",
"PUSH1",
"ADD",
"OP_82",
"OP_81",
"SUB",
"OP_82",
"MSTORE",
"OP_83",
"OP_81",
"OP_81",
"MLOAD",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP",
"OP_80",
"MLOAD",
"OP_90",
"PUSH1",
"ADD",
"OP_90",
"OP_80",
"OP_83",
"OP_83",
"OP_82",
"OP_90",
"PUSH1",
"PUSH1",
"PUSH1",
"OP_84",
"PUSH1",
"ADD",
"DIV",
"PUSH1",
"MUL",
"PUSH1",
"ADD",
"CALL",
"POP",
"OP_90",
"POP",
"OP_90",
"OP_81",
"ADD",
"OP_90",
"PUSH1",
"AND",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 114
},
{
"end_pc": 209,
"hash": "0x8abb31e1955b9502230f27b55196e8a323e8c0c4654224fa3096f8b286cbcdf4",
"opcodes": [
"OP_80",
"OP_82",
"SUB",
"OP_80",
"MLOAD",
"PUSH1",
"OP_83",
"PUSH1",
"SUB",
"PUSH2",
"EXP",
"SUB",
"NOT",
"AND",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP"
],
"start_pc": 185
},
{
"end_pc": 223,
"hash": "0x694dafcb66e1ebd81ebe111e068cfb6f00fa5297d321a0240e9aa1fbb03d4766",
"opcodes": [
"JUMPDEST",
"POP",
"OP_92",
"POP",
"POP",
"POP",
"PUSH1",
"MLOAD",
"OP_80",
"OP_91",
"SUB",
"OP_90",
"RETURN"
],
"start_pc": 210
},
{
"end_pc": 236,
"hash": "0xf2e720cd7574eb3d88c671ff853e2cd743251bbe441168c8991e490291af27eb",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"OP_80",
"POP",
"POP",
"PUSH2",
"JUMP"
],
"start_pc": 224
},
{
"end_pc": 261,
"hash": "0xe95b2f7793f7e50e95ae66d6159a3cf3ce73eb630beceb8a03022bc5275484ff",
"opcodes": [
"JUMPDEST",
"PUSH1",
"MLOAD",
"OP_80",
"OP_82",
"PUSH1",
"AND",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP",
"POP",
"PUSH1",
"MLOAD",
"OP_80",
"OP_91",
"SUB",
exec
/bin/bash -lc "sed -n '261,520p' BYTECODE_BUNDLE.json" in /tmp/codex-ft7v4ero
succeeded in 0ms:
"OP_90",
"RETURN"
],
"start_pc": 237
},
{
"end_pc": 283,
"hash": "0x62d8b899133b1c2095a996dfa3e20fd3dd47ffd01f76730b8f0e1d1c4fd96673",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"OP_80",
"OP_80",
"CALLDATALOAD",
"OP_90",
"PUSH1",
"ADD",
"OP_90",
"OP_91",
"OP_90",
"POP",
"POP",
"PUSH2",
"JUMP"
],
"start_pc": 262
},
{
"end_pc": 305,
"hash": "0x2f178dadd3f578ca9d57d21c101205c08be7856f126b1df2872aa0d8c6a9987b",
"opcodes": [
"JUMPDEST",
"PUSH1",
"MLOAD",
"OP_80",
"OP_82",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP",
"POP",
"PUSH1",
"MLOAD",
"OP_80",
"OP_91",
"SUB",
"OP_90",
"RETURN"
],
"start_pc": 284
},
{
"end_pc": 318,
"hash": "0x04037a3d50fb581c2473f93cf19ebd5cb2a2dbb572ee018e22c858286c44c83e",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"OP_80",
"POP",
"POP",
"PUSH2",
"JUMP"
],
"start_pc": 306
},
{
"end_pc": 389,
"hash": "0x42979d5f43c2f8318afccb24e95b2c2fd3b47a02ccd623e386dea9cfe194b828",
"opcodes": [
"JUMPDEST",
"PUSH1",
"MLOAD",
"OP_80",
"OP_80",
"PUSH1",
"ADD",
"OP_82",
"OP_81",
"SUB",
"OP_82",
"MSTORE",
"OP_83",
"OP_81",
"OP_81",
"MLOAD",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP",
"OP_80",
"MLOAD",
"OP_90",
"PUSH1",
"ADD",
"OP_90",
"OP_80",
"OP_83",
"OP_83",
"OP_82",
"OP_90",
"PUSH1",
"PUSH1",
"PUSH1",
"OP_84",
"PUSH1",
"ADD",
"DIV",
"PUSH1",
"MUL",
"PUSH1",
"ADD",
"CALL",
"POP",
"OP_90",
"POP",
"OP_90",
"OP_81",
"ADD",
"OP_90",
"PUSH1",
"AND",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 319
},
{
"end_pc": 414,
"hash": "0x2f1f0d6dc419b3eb3f401c25eb2e1e93091c0fdf699a0e794169df0786eab5a0",
"opcodes": [
"OP_80",
"OP_82",
"SUB",
"OP_80",
"MLOAD",
"PUSH1",
"OP_83",
"PUSH1",
"SUB",
"PUSH2",
"EXP",
"SUB",
"NOT",
"AND",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP"
],
"start_pc": 390
},
{
"end_pc": 428,
"hash": "0x220f8664b77ee7c6b9ae83619dcca2c59507d3ae35aca5576729859572768908",
"opcodes": [
"JUMPDEST",
"POP",
"OP_92",
"POP",
"POP",
"POP",
"PUSH1",
"MLOAD",
"OP_80",
"OP_91",
"SUB",
"OP_90",
"RETURN"
],
"start_pc": 415
},
{
"end_pc": 459,
"hash": "0x6b1eeb886ea8b826e8a76d7b7042c05c5deded31108f2d35d0e09a908c7cb07a",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"OP_80",
"OP_80",
"CALLDATALOAD",
"OP_90",
"PUSH1",
"ADD",
"OP_90",
"OP_91",
"OP_90",
"OP_80",
"CALLDATALOAD",
"OP_90",
"PUSH1",
"ADD",
"OP_90",
"OP_91",
"OP_90",
"POP",
"POP",
"PUSH2",
"JUMP"
],
"start_pc": 429
},
{
"end_pc": 481,
"hash": "0xb61fac527c68f84988b5b4e99e237d9d1edd2980996038ba2504a520f67e6e1c",
"opcodes": [
"JUMPDEST",
"PUSH1",
"MLOAD",
"OP_80",
"OP_82",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP",
"POP",
"PUSH1",
"MLOAD",
"OP_80",
"OP_91",
"SUB",
"OP_90",
"RETURN"
],
"start_pc": 460
},
{
"end_pc": 539,
"hash": "0xc133efda67d30b095defb950686d632e467ff4e15cda85a17845880d888a0e9e",
"opcodes": [
"JUMPDEST",
"PUSH1",
"OP_81",
"PUSH1",
"PUSH1",
"POP",
"PUSH1",
"CALLER",
"PUSH20",
"AND",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
exec
/bin/bash -lc "sed -n '521,780p' BYTECODE_BUNDLE.json" in /tmp/codex-ft7v4ero
succeeded in 0ms:
"ADD",
"PUSH1",
"SHA3",
"PUSH1",
"POP",
"SLOAD",
"LT",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 482
},
{
"end_pc": 543,
"hash": "0x2c1647b23d446f8e02016085dab42958068ce5c228a287e23bfb0af24124e8bc",
"opcodes": [
"PUSH2",
"JUMP"
],
"start_pc": 540
},
{
"end_pc": 765,
"hash": "0x9bb1681316a38ecef47576e9bb779c097782783d4143ed79e434e0a8ebbaf20c",
"opcodes": [
"JUMPDEST",
"OP_81",
"PUSH1",
"PUSH1",
"POP",
"PUSH1",
"CALLER",
"PUSH20",
"AND",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"PUSH1",
"SHA3",
"PUSH1",
"OP_82",
"OP_82",
"OP_82",
"POP",
"SLOAD",
"SUB",
"OP_92",
"POP",
"POP",
"OP_81",
"OP_90",
"SSTORE",
"POP",
"OP_81",
"PUSH1",
"PUSH1",
"POP",
"PUSH1",
"OP_85",
"PUSH20",
"AND",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"PUSH1",
"SHA3",
"PUSH1",
"OP_82",
"OP_82",
"OP_82",
"POP",
"SLOAD",
"ADD",
"OP_92",
"POP",
"POP",
"OP_81",
"OP_90",
"SSTORE",
"POP",
"OP_82",
"PUSH20",
"AND",
"CALLER",
"PUSH20",
"AND",
"PUSH32",
"OP_84",
"PUSH1",
"MLOAD",
"OP_80",
"OP_82",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP",
"POP",
"PUSH1",
"MLOAD",
"OP_80",
"OP_91",
"SUB",
"OP_90",
"OP_A3"
],
"start_pc": 544
},
{
"end_pc": 771,
"hash": "0xb316ab411c23c0424fa4ece8d73250f88685fc19e64549ef9affc39a9e54b467",
"opcodes": [
"JUMPDEST",
"OP_92",
"OP_91",
"POP",
"POP",
"JUMP"
],
"start_pc": 766
},
{
"end_pc": 854,
"hash": "0xdad89d7b2f30a36f156b3888179a0b02b44168d8f1635fad06a747f5a4a8ff80",
"opcodes": [
"JUMPDEST",
"PUSH1",
"PUSH1",
"POP",
"OP_80",
"SLOAD",
"PUSH1",
"OP_81",
"PUSH1",
"AND",
"ISZERO",
"PUSH2",
"MUL",
"SUB",
"AND",
"PUSH1",
"OP_90",
"DIV",
"OP_80",
"PUSH1",
"ADD",
"PUSH1",
"OP_80",
"OP_91",
"DIV",
"MUL",
"PUSH1",
"ADD",
"PUSH1",
"MLOAD",
"OP_90",
"OP_81",
"ADD",
"PUSH1",
"MSTORE",
"OP_80",
"OP_92",
"OP_91",
"OP_90",
"OP_81",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_82",
"OP_80",
"SLOAD",
"PUSH1",
"OP_81",
"PUSH1",
"AND",
"ISZERO",
"PUSH2",
"MUL",
"SUB",
"AND",
"PUSH1",
"OP_90",
"DIV",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 772
},
{
"end_pc": 862,
"hash": "0xcff02455f2dd78fac34e4bdec9f0c9e67f602c99fb43e6b90f5e4115fec420ad",
"opcodes": [
"OP_80",
"PUSH1",
"LT",
"PUSH2",
"JUMPI"
],
"start_pc": 855
},
{
"end_pc": 881,
"hash": "0xf666ddddb6aab3b3179e4536527b781348b5a865b67ab5f99e99c3a0ca643ce8",
"opcodes": [
"PUSH2",
"OP_80",
"OP_83",
"SLOAD",
"DIV",
"MUL",
"OP_83",
"MSTORE",
"OP_91",
"PUSH1",
"ADD",
"OP_91",
"PUSH2",
"JUMP"
],
"start_pc": 863
},
{
"end_pc": 895,
"hash": "0xa03e2cfee1f5235085e5962aad18c17d0fd5ba0cd2f3c38fcb6dc4c5ee0201a2",
"opcodes": [
"JUMPDEST",
"OP_82",
"ADD",
"OP_91",
"OP_90",
"PUSH1",
"MSTORE",
"PUSH1",
"PUSH1",
"SHA3",
"OP_90"
],
"start_pc": 882
},
{
"end_pc": 915,
"hash": "0x6defff4976b7943f9808b0e48d40fdcd6f1d41a2e0b7fc6441ed6eea0f24dd37",
"opcodes": [
exec
/bin/bash -lc "sed -n '781,1040p' BYTECODE_BUNDLE.json" in /tmp/codex-ft7v4ero
succeeded in 0ms:
"JUMPDEST",
"OP_81",
"SLOAD",
"OP_81",
"MSTORE",
"OP_90",
"PUSH1",
"ADD",
"OP_90",
"PUSH1",
"ADD",
"OP_80",
"OP_83",
"GT",
"PUSH2",
"JUMPI"
],
"start_pc": 896
},
{
"end_pc": 924,
"hash": "0xd7380b6784c3c41b5b7687f476409d816bcbce62b571d956cf89c4b2c8e16e30",
"opcodes": [
"OP_82",
"OP_90",
"SUB",
"PUSH1",
"AND",
"OP_82",
"ADD",
"OP_91"
],
"start_pc": 916
},
{
"end_pc": 932,
"hash": "0x26c337416e9dc574563da150770062b5ab34603bf991f473891ed15bf72940ac",
"opcodes": [
"JUMPDEST",
"POP",
"POP",
"POP",
"POP",
"POP",
"OP_81",
"JUMP"
],
"start_pc": 925
},
{
"end_pc": 1015,
"hash": "0x3ef13c5cab241b260d3a69a6070960165450811f4b1c27e2146a5be8749b2b62",
"opcodes": [
"JUMPDEST",
"PUSH1",
"PUSH1",
"POP",
"OP_80",
"SLOAD",
"PUSH1",
"OP_81",
"PUSH1",
"AND",
"ISZERO",
"PUSH2",
"MUL",
"SUB",
"AND",
"PUSH1",
"OP_90",
"DIV",
"OP_80",
"PUSH1",
"ADD",
"PUSH1",
"OP_80",
"OP_91",
"DIV",
"MUL",
"PUSH1",
"ADD",
"PUSH1",
"MLOAD",
"OP_90",
"OP_81",
"ADD",
"PUSH1",
"MSTORE",
"OP_80",
"OP_92",
"OP_91",
"OP_90",
"OP_81",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_82",
"OP_80",
"SLOAD",
"PUSH1",
"OP_81",
"PUSH1",
"AND",
"ISZERO",
"PUSH2",
"MUL",
"SUB",
"AND",
"PUSH1",
"OP_90",
"DIV",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 933
},
{
"end_pc": 1023,
"hash": "0x64b44d5ddcfef32e33832eccd9c0afebf842f06db305e92d6a0964692a138d51",
"opcodes": [
"OP_80",
"PUSH1",
"LT",
"PUSH2",
"JUMPI"
],
"start_pc": 1016
},
{
"end_pc": 1042,
"hash": "0x7d5b02ae4f569e3d87ecaac85a51a6b023c976b7c8e5b38d5af5684af67f1f07",
"opcodes": [
"PUSH2",
"OP_80",
"OP_83",
"SLOAD",
"DIV",
"MUL",
"OP_83",
"MSTORE",
"OP_91",
"PUSH1",
"ADD",
"OP_91",
"PUSH2",
"JUMP"
],
"start_pc": 1024
},
{
"end_pc": 1056,
"hash": "0xd15640f3a18c4d10374c9057570c26e561cfbd326f427152107daf9f34d5c540",
"opcodes": [
"JUMPDEST",
"OP_82",
"ADD",
"OP_91",
"OP_90",
"PUSH1",
"MSTORE",
"PUSH1",
"PUSH1",
"SHA3",
"OP_90"
],
"start_pc": 1043
},
{
"end_pc": 1076,
"hash": "0x22003b7f0193ba69d9a28e643fe940be7a23b8f85c87d890aa8462882e2e9cee",
"opcodes": [
"JUMPDEST",
"OP_81",
"SLOAD",
"OP_81",
"MSTORE",
"OP_90",
"PUSH1",
"ADD",
"OP_90",
"PUSH1",
"ADD",
"OP_80",
"OP_83",
"GT",
"PUSH2",
"JUMPI"
],
"start_pc": 1057
},
{
"end_pc": 1085,
"hash": "0xa512fa250afe2f655bfb0f233ff6d3825744b83680c7a369705a9facacad6767",
"opcodes": [
"OP_82",
"OP_90",
"SUB",
"PUSH1",
"AND",
"OP_82",
"ADD",
"OP_91"
],
"start_pc": 1077
},
{
"end_pc": 1093,
"hash": "0x997fe7f8b81958698eb8a95fad83436f67840379d52590de27245ec88087880c",
"opcodes": [
"JUMPDEST",
"POP",
"POP",
"POP",
"POP",
"POP",
"OP_81",
"JUMP"
],
"start_pc": 1086
},
{
"end_pc": 1112,
"hash": "0xe36aa79198713fd574b476c834dc682ba03fda8be7e08386fb8e12a8bc56c496",
"opcodes": [
"JUMPDEST",
"PUSH1",
"PUSH1",
"OP_90",
"SLOAD",
"OP_90",
"PUSH2",
"EXP",
"OP_90",
"DIV",
"PUSH1",
"AND",
"OP_81",
"JUMP"
],
"start_pc": 1094
},
{
"end_pc": 1139,
"hash": "0xdd71eb9c3daf03b2ff2cf6c4ca59569f38214d9b953ca3ad5af0be324f26e65a",
"opcodes": [
"JUMPDEST",
"PUSH1",
"PUSH1",
"POP",
"PUSH1",
"MSTORE",
"OP_80",
"PUSH1",
"MSTORE",
"PUSH1",
"PUSH1",
"SHA3",
exec
/bin/bash -lc "sed -n '1041,1300p' BYTECODE_BUNDLE.json" in /tmp/codex-ft7v4ero
succeeded in 0ms:
"PUSH1",
"OP_91",
"POP",
"OP_90",
"POP",
"SLOAD",
"OP_81",
"JUMP"
],
"start_pc": 1113
}
],
"callsites": [
{
"opcode": "CALL",
"pc": 168,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 373,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"cfg_edges": [
{
"from": "bb:0",
"to": "bb:101",
"type": "control_flow"
},
{
"from": "bb:0",
"to": "bb:51",
"type": "control_flow_fallthrough"
},
{
"from": "bb:51",
"to": "bb:224",
"type": "control_flow"
},
{
"from": "bb:51",
"to": "bb:62",
"type": "control_flow_fallthrough"
},
{
"from": "bb:62",
"to": "bb:262",
"type": "control_flow"
},
{
"from": "bb:62",
"to": "bb:73",
"type": "control_flow_fallthrough"
},
{
"from": "bb:73",
"to": "bb:306",
"type": "control_flow"
},
{
"from": "bb:73",
"to": "bb:84",
"type": "control_flow_fallthrough"
},
{
"from": "bb:84",
"to": "bb:429",
"type": "control_flow"
},
{
"from": "bb:84",
"to": "bb:95",
"type": "control_flow_fallthrough"
},
{
"from": "bb:95",
"to": "bb:99",
"type": "control_flow"
},
{
"from": "bb:101",
"to": "bb:772",
"type": "control_flow"
},
{
"from": "bb:114",
"to": "bb:210",
"type": "control_flow"
},
{
"from": "bb:114",
"to": "bb:185",
"type": "control_flow_fallthrough"
},
{
"from": "bb:185",
"to": "bb:210",
"type": "control_flow_fallthrough"
},
{
"from": "bb:224",
"to": "bb:1094",
"type": "control_flow"
},
{
"from": "bb:262",
"to": "bb:1113",
"type": "control_flow"
},
{
"from": "bb:306",
"to": "bb:933",
"type": "control_flow"
},
{
"from": "bb:319",
"to": "bb:415",
"type": "control_flow"
},
{
"from": "bb:319",
"to": "bb:390",
"type": "control_flow_fallthrough"
},
{
"from": "bb:390",
"to": "bb:415",
"type": "control_flow_fallthrough"
},
{
"from": "bb:429",
"to": "bb:482",
"type": "control_flow"
},
{
"from": "bb:482",
"to": "bb:544",
"type": "control_flow"
},
{
"from": "bb:482",
"to": "bb:540",
"type": "control_flow_fallthrough"
},
{
"from": "bb:544",
"to": "bb:766",
"type": "control_flow_fallthrough"
},
{
"from": "bb:772",
"to": "bb:925",
"type": "control_flow"
},
{
"from": "bb:772",
"to": "bb:855",
"type": "control_flow_fallthrough"
},
{
"from": "bb:855",
"to": "bb:882",
"type": "control_flow"
},
{
"from": "bb:855",
"to": "bb:863",
"type": "control_flow_fallthrough"
},
{
"from": "bb:863",
"to": "bb:925",
"type": "control_flow"
},
{
"from": "bb:882",
"to": "bb:896",
"type": "control_flow_fallthrough"
},
{
"from": "bb:896",
"to": "bb:896",
"type": "control_flow"
},
{
"from": "bb:896",
"to": "bb:916",
"type": "control_flow_fallthrough"
},
{
"from": "bb:916",
"to": "bb:925",
"type": "control_flow_fallthrough"
},
{
"from": "bb:933",
"to": "bb:1086",
"type": "control_flow"
},
{
"from": "bb:933",
"to": "bb:1016",
"type": "control_flow_fallthrough"
},
{
"from": "bb:1016",
"to": "bb:1043",
"type": "control_flow"
},
{
"from": "bb:1016",
"to": "bb:1024",
"type": "control_flow_fallthrough"
},
{
"from": "bb:1024",
"to": "bb:1086",
"type": "control_flow"
},
{
"from": "bb:1043",
"to": "bb:1057",
"type": "control_flow_fallthrough"
},
{
"from": "bb:1057",
"to": "bb:1057",
"type": "control_flow"
},
{
"from": "bb:1057",
"to": "bb:1077",
"type": "control_flow_fallthrough"
},
{
"from": "bb:1077",
"to": "bb:1086",
"type": "control_flow_fallthrough"
}
],
"cfg_hash": "0x15725efb98442ce168b92a66b408bc05cb06cbdd69be632556bc55ab486b1f6d",
"dispatcher_type": "selector_jump_table",
"function_entries": [
{
"entry_pc": 826074471,
"selector": "0x06fdde03"
},
{
"entry_pc": 1889567281,
"selector": "0x313ce567"
},
{
"entry_pc": 2514000705,
"selector": "0x70a08231"
},
exec
/bin/bash -lc "sed -n '1301,1560p' BYTECODE_BUNDLE.json" in /tmp/codex-ft7v4ero
succeeded in 0ms:
{
"entry_pc": 2835717307,
"selector": "0x95d89b41"
},
{
"entry_pc": null,
"selector": "0xa9059cbb"
}
],
"functions": [
{
"auth": {
"guards": []
},
"entry_pc": 826074471,
"selector": "0x06fdde03",
"sinks": {
"call": 2,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 13,
"slots": [
{
"op": "SLOAD",
"pc": 779,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 868,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 940,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 1029,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 1100,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 1137,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 1889567281,
"selector": "0x313ce567",
"sinks": {
"call": 2,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 13,
"slots": [
{
"op": "SLOAD",
"pc": 779,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 868,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 940,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 1029,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 1100,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 1137,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 2514000705,
"selector": "0x70a08231",
"sinks": {
"call": 2,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 13,
"slots": [
{
"op": "SLOAD",
"pc": 779,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 868,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 940,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 1029,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 1100,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 1137,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 2835717307,
"selector": "0x95d89b41",
"sinks": {
"call": 2,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 13,
"slots": [
{
"op": "SLOAD",
"pc": 779,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 868,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 940,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 1029,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 1100,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 1137,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0xa9059cbb",
"sinks": {
"call": 2,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 13,
"slots": [
{
"op": "SLOAD",
"pc": 779,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 868,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 940,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 1029,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 1100,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 1137,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
}
],
"writes": 2
}
}
],
"selectors": [
"0x06fdde03",
"0x313ce567",
"0x70a08231",
exec
/bin/bash -lc "sed -n '1561,1820p' BYTECODE_BUNDLE.json" in /tmp/codex-ft7v4ero
succeeded in 0ms:
"0x95d89b41",
"0xa9059cbb"
],
"sinks": {
"call": 2,
"create": 0,
"create2": 0,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0,
"upgrade_slot_write_suspected": false
},
"storage": {
"keccak_count": 6,
"reads": 13,
"slots": [
{
"op": "SLOAD",
"pc": 779,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 868,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 940,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 1029,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 1100,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 1137,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
}
],
"writes": 2
},
"version": "analysis_artifact_v1"
},
"block_number": null,
"chain_id": 1,
"codehash": "0xfa149e2aff43aa4f3d65196a108a0b9a8c6c4bf76e8f61e7e5bdca9cd35852c5",
"created_at": "2026-04-04T19:46:39.000000Z",
"id": 1700,
"updated_at": "2026-04-04T19:46:39.000000Z",
"version": "analysis_artifact_v1"
},
"analysis_run": {
"address": "0xac514f05160d2723aa7fb27bf98abf347dd26d2d",
"block_number": null,
"chain_id": 1,
"child_links": [],
"created_at": "2025-12-19T20:03:51.000000Z",
"id": "019b3836-258e-70dc-8c36-57a18d72465b",
"parent_links": [],
"status": "running",
"updated_at": "2026-04-04T19:46:39.000000Z"
},
"artifact": {
"codehash": "0xfa149e2aff43aa4f3d65196a108a0b9a8c6c4bf76e8f61e7e5bdca9cd35852c5",
"compiler_json": {
"etherscan": {
"skipped": true
}
},
"implementation_address": null,
"is_proxy": false,
"runtime_bytecode": {
"head": null,
"length": 2282,
"tail": null,
"truncated": false
},
"verified_source": false
},
"capability_graph": {
"address": "0xac514f05160d2723aa7fb27bf98abf347dd26d2d",
"block_number": null,
"chain_id": 1,
"codehash": "0xfa149e2aff43aa4f3d65196a108a0b9a8c6c4bf76e8f61e7e5bdca9cd35852c5",
"created_at": "2026-04-04T19:46:40.000000Z",
"graph_hash": "0x305e1d5f0e7978a4abbc0af728dbb87cc58234529c9ae57a32dbe67a5b9acd35",
"graph_json": {
"edges": [
{
"from": "bb:0",
"to": "bb:101",
"type": "control_flow"
},
{
"from": "bb:0",
"to": "bb:51",
"type": "control_flow_fallthrough"
},
{
"from": "bb:51",
"to": "bb:224",
"type": "control_flow"
},
{
"from": "bb:51",
"to": "bb:62",
"type": "control_flow_fallthrough"
},
{
"from": "bb:62",
"to": "bb:262",
"type": "control_flow"
},
{
"from": "bb:62",
"to": "bb:73",
"type": "control_flow_fallthrough"
},
{
"from": "bb:73",
"to": "bb:306",
"type": "control_flow"
},
{
"from": "bb:73",
"to": "bb:84",
"type": "control_flow_fallthrough"
},
{
"from": "bb:84",
"to": "bb:429",
"type": "control_flow"
},
{
"from": "bb:84",
"to": "bb:95",
"type": "control_flow_fallthrough"
},
{
"from": "bb:95",
"to": "bb:99",
"type": "control_flow"
},
{
"from": "bb:101",
"to": "bb:772",
"type": "control_flow"
},
{
"from": "bb:114",
"to": "bb:210",
"type": "control_flow"
},
{
"from": "bb:114",
"to": "bb:185",
"type": "control_flow_fallthrough"
},
{
"from": "bb:185",
"to": "bb:210",
"type": "control_flow_fallthrough"
},
{
"from": "bb:224",
"to": "bb:1094",
"type": "control_flow"
},
{
"from": "bb:262",
"to": "bb:1113",
"type": "control_flow"
},
{
"from": "bb:306",
"to": "bb:933",
"type": "control_flow"
},
{
"from": "bb:319",
"to": "bb:415",
"type": "control_flow"
},
{
"from": "bb:319",
"to": "bb:390",
"type": "control_flow_fallthrough"
},
{
"from": "bb:390",
"to": "bb:415",
"type": "control_flow_fallthrough"
},
{
"from": "bb:429",
"to": "bb:482",
"type": "control_flow"
},
{
"from": "bb:482",
"to": "bb:544",
"type": "control_flow"
},
{
"from": "bb:482",
"to": "bb:540",
"type": "control_flow_fallthrough"
},
{
"from": "bb:544",
"to": "bb:766",
"type": "control_flow_fallthrough"
},
{
"from": "bb:772",
"to": "bb:925",
"type": "control_flow"
},
{
"from": "bb:772",
"to": "bb:855",
"type": "control_flow_fallthrough"
},
{
"from": "bb:855",
"to": "bb:882",
"type": "control_flow"
},
{
"from": "bb:855",
"to": "bb:863",
"type": "control_flow_fallthrough"
},
{
"from": "bb:863",
"to": "bb:925",
"type": "control_flow"
},
{
"from": "bb:882",
"to": "bb:896",
"type": "control_flow_fallthrough"
},
{
"from": "bb:896",
"to": "bb:896",
"type": "control_flow"
},
{
"from": "bb:896",
"to": "bb:916",
exec
/bin/bash -lc "rg -n 'detector|evidence|finding|transfer|approve|allowance|owner|proxy|delegatecall|callsite|slot' BYTECODE_BUNDLE.json" in /tmp/codex-ft7v4ero
succeeded in 0ms:
1053: "callsites": [
1319: "delegatecall": 0,
1325: "slots": [
1329: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1334: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1339: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
1344: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1349: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1354: "slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
1368: "delegatecall": 0,
1374: "slots": [
1378: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1383: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1388: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
1393: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1398: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1403: "slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
1417: "delegatecall": 0,
1423: "slots": [
1427: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1432: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1437: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
1442: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1447: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1452: "slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
1466: "delegatecall": 0,
1472: "slots": [
1476: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1481: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1486: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
1491: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1496: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1501: "slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
1515: "delegatecall": 0,
1521: "slots": [
1525: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1530: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1535: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
1540: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1545: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1550: "slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
1568: "delegatecall": 0,
1571: "upgrade_slot_write_suspected": false
1576: "slots": [
1580: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1585: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1590: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
1595: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1600: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1605: "slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
1639: "is_proxy": false,
2206: "type": "callsite"
2212: "type": "callsite"
2255: "detector_findings": [
2258: "evidence_json": {
2304: "evidence_json": {
2329: "title": "ETH value transfer possible",
2351: "delegatecall_count": 0,
exec
/bin/bash -lc "jq 'keys' BYTECODE_BUNDLE.json" in /tmp/codex-ft7v4ero
succeeded in 0ms:
[
"analysis_artifact",
"analysis_run",
"artifact",
"capability_graph",
"detector_findings",
"heuristics_summary"
]
exec
/bin/bash -lc "sed -n '2180,2385p' BYTECODE_BUNDLE.json" in /tmp/codex-ft7v4ero
succeeded in 0ms:
},
{
"end_pc": 1093,
"hash": "0x997fe7f8b81958698eb8a95fad83436f67840379d52590de27245ec88087880c",
"id": "bb:1086",
"start_pc": 1086,
"type": "basic_block"
},
{
"end_pc": 1112,
"hash": "0xe36aa79198713fd574b476c834dc682ba03fda8be7e08386fb8e12a8bc56c496",
"id": "bb:1094",
"start_pc": 1094,
"type": "basic_block"
},
{
"end_pc": 1139,
"hash": "0xdd71eb9c3daf03b2ff2cf6c4ca59569f38214d9b953ca3ad5af0be324f26e65a",
"id": "bb:1113",
"start_pc": 1113,
"type": "basic_block"
},
{
"id": "call:168",
"opcode": "CALL",
"pc": 168,
"type": "callsite"
},
{
"id": "call:373",
"opcode": "CALL",
"pc": 373,
"type": "callsite"
},
{
"id": "sink:call",
"type": "sink"
},
{
"entry_pc": 826074471,
"id": "fn:0x06fdde03",
"selector": "0x06fdde03",
"type": "function"
},
{
"entry_pc": 1889567281,
"id": "fn:0x313ce567",
"selector": "0x313ce567",
"type": "function"
},
{
"entry_pc": 2514000705,
"id": "fn:0x70a08231",
"selector": "0x70a08231",
"type": "function"
},
{
"entry_pc": 2835717307,
"id": "fn:0x95d89b41",
"selector": "0x95d89b41",
"type": "function"
},
{
"entry_pc": null,
"id": "fn:0xa9059cbb",
"selector": "0xa9059cbb",
"type": "function"
}
],
"version": "capability_graph_v1"
},
"id": 1700,
"updated_at": "2026-04-04T19:46:40.000000Z",
"version": "capability_graph_v1"
},
"detector_findings": [
{
"confidence": 60,
"evidence_json": {
"call_count": 2,
"examples": [
{
"opcode": "CALL",
"pc": 168,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 373,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": [],
"untrusted_call_count": 2
},
"normalized_json": {
"sink": "CALL"
},
"severity": "high",
"title": "Untrusted CALL target/value reachable",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0xac514f05160d2723aa7fb27bf98abf347dd26d2d"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x3e6ad4b5d354721bae75b7438e5be73db807e93cf650d3d0fec19c4ec94c1d50",
"trace_mode": "callTracer"
}
},
{
"confidence": 55,
"evidence_json": {
"eth_value_calls": 2,
"examples": [
{
"opcode": "CALL",
"pc": 168,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 373,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": []
},
"normalized_json": {
"sink": "CALL",
"value": "nonzero"
},
"severity": "high",
"title": "ETH value transfer possible",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0xac514f05160d2723aa7fb27bf98abf347dd26d2d"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x3e6ad4b5d354721bae75b7438e5be73db807e93cf650d3d0fec19c4ec94c1d50",
"trace_mode": "callTracer"
}
}
],
"heuristics_summary": {
"create2_count": 0,
"delegatecall_count": 0,
"flags": [],
"selfdestruct_count": 0
}
}
exec
/bin/bash -lc "jq '.detector_findings, .heuristics_summary' BYTECODE_BUNDLE.json" in /tmp/codex-ft7v4ero
succeeded in 0ms:
[
{
"confidence": 60,
"evidence_json": {
"call_count": 2,
"examples": [
{
"opcode": "CALL",
"pc": 168,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 373,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": [],
"untrusted_call_count": 2
},
"normalized_json": {
"sink": "CALL"
},
"severity": "high",
"title": "Untrusted CALL target/value reachable",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0xac514f05160d2723aa7fb27bf98abf347dd26d2d"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x3e6ad4b5d354721bae75b7438e5be73db807e93cf650d3d0fec19c4ec94c1d50",
"trace_mode": "callTracer"
}
},
{
"confidence": 55,
"evidence_json": {
"eth_value_calls": 2,
"examples": [
{
"opcode": "CALL",
"pc": 168,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 373,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": []
},
"normalized_json": {
"sink": "CALL",
"value": "nonzero"
},
"severity": "high",
"title": "ETH value transfer possible",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0xac514f05160d2723aa7fb27bf98abf347dd26d2d"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x3e6ad4b5d354721bae75b7438e5be73db807e93cf650d3d0fec19c4ec94c1d50",
"trace_mode": "callTracer"
}
}
]
{
"create2_count": 0,
"delegatecall_count": 0,
"flags": [],
"selfdestruct_count": 0
}
exec
/bin/bash -lc 'which evm' in /tmp/codex-ft7v4ero
exited 1 in 0ms:
exec
/bin/bash -lc "node -e 'const b=require(\"./BYTECODE_BUNDLE.json\").artifact.runtime_bytecode.full.slice(2); for(let i=0;i<b.length;i+=2) process.stdout.write(b.slice(i,i+2)+((i/2+1)%16?\" \":\"\\n\"))'" in /tmp/codex-ft7v4ero
succeeded in 0ms:
exec
js_repl in /tmp/codex-ft7v4ero
succeeded in 102ms:
PUSH ret => ["ret"]
PUSH 4 => ["ret",4]
DUP 1 => ["ret",4,4]
DUP 1 => ["ret",4,4,4]
CALLDATALOAD => ["ret",4,4,"calldata@4"]
SWAP 1 => ["ret",4,"calldata@4",4]
PUSH 32 => ["ret",4,"calldata@4",4,32]
ADD => ["ret",4,"calldata@4","(4+32)"]
SWAP 1 => ["ret",4,"(4+32)","calldata@4"]
SWAP 2 => ["ret","calldata@4","(4+32)",4]
SWAP 1 => ["ret","calldata@4",4,"(4+32)"]
DUP 1 => ["ret","calldata@4",4,"(4+32)","(4+32)"]
CALLDATALOAD => ["ret","calldata@4",4,"(4+32)","calldata@(4+32)"]
SWAP 1 => ["ret","calldata@4",4,"calldata@(4+32)","(4+32)"]
PUSH 32 => ["ret","calldata@4",4,"calldata@(4+32)","(4+32)",32]
ADD => ["ret","calldata@4",4,"calldata@(4+32)","((4+32)+32)"]
SWAP 1 => ["ret","calldata@4",4,"((4+32)+32)","calldata@(4+32)"]
SWAP 2 => ["ret","calldata@4","calldata@(4+32)","((4+32)+32)",4]
SWAP 1 => ["ret","calldata@4","calldata@(4+32)",4,"((4+32)+32)"]
POP => ["ret","calldata@4","calldata@(4+32)",4]
POP => ["ret","calldata@4","calldata@(4+32)"]
exec
js_repl in /tmp/codex-ft7v4ero
2026-04-05T01:57:54.918913Z ERROR codex_core::tools::router: error=require is not defined
exited 1 in 9ms:
require is not defined
exec
js_repl in /tmp/codex-ft7v4ero
succeeded in 14ms:
01e2 JUMPDEST
01e3 PUSH1 00
01e5 DUP2
01e6 PUSH1 03
01e8 PUSH1 00
01ea POP
01eb PUSH1 00
01ed CALLER
01ee PUSH20 ffffffffffffffffffffffffffffffffffffffff
0203 AND
0204 DUP2
0205 MSTORE
0206 PUSH1 20
0208 ADD
0209 SWAP1
020a DUP2
020b MSTORE
020c PUSH1 20
020e ADD
020f PUSH1 00
0211 SHA3
0212 PUSH1 00
0214 POP
0215 SLOAD
0216 LT
0217 ISZERO
0218 PUSH2 0220
021b JUMPI
021c PUSH2 0002
021f JUMP
0220 JUMPDEST
0221 DUP2
0222 PUSH1 03
0224 PUSH1 00
0226 POP
0227 PUSH1 00
0229 CALLER
022a PUSH20 ffffffffffffffffffffffffffffffffffffffff
023f AND
0240 DUP2
0241 MSTORE
0242 PUSH1 20
0244 ADD
0245 SWAP1
0246 DUP2
0247 MSTORE
0248 PUSH1 20
024a ADD
024b PUSH1 00
024d SHA3
024e PUSH1 00
0250 DUP3
0251 DUP3
0252 DUP3
0253 POP
0254 SLOAD
0255 SUB
0256 SWAP3
0257 POP
0258 POP
0259 DUP2
025a SWAP1
025b SSTORE
025c POP
025d DUP2
025e PUSH1 03
0260 PUSH1 00
0262 POP
0263 PUSH1 00
0265 DUP6
0266 PUSH20 ffffffffffffffffffffffffffffffffffffffff
027b AND
027c DUP2
027d MSTORE
027e PUSH1 20
0280 ADD
0281 SWAP1
0282 DUP2
0283 MSTORE
0284 PUSH1 20
0286 ADD
0287 PUSH1 00
0289 SHA3
028a PUSH1 00
028c DUP3
028d DUP3
028e DUP3
028f POP
0290 SLOAD
0291 ADD
0292 SWAP3
0293 POP
0294 POP
0295 DUP2
0296 SWAP1
0297 SSTORE
0298 POP
0299 DUP3
029a PUSH20 ffffffffffffffffffffffffffffffffffffffff
02af AND
02b0 CALLER
02b1 PUSH20 ffffffffffffffffffffffffffffffffffffffff
02c6 AND
02c7 PUSH32 ddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef
02e8 DUP5
02e9 PUSH1 40
02eb MLOAD
02ec DUP1
02ed DUP3
02ee DUP2
02ef MSTORE
02f0 PUSH1 20
02f2 ADD
02f3 SWAP2
02f4 POP
02f5 POP
02f6 PUSH1 40
02f8 MLOAD
02f9 DUP1
02fa SWAP2
02fb SUB
02fc SWAP1
02fd LOG3
02fe JUMPDEST
02ff SWAP3
exec
js_repl in /tmp/codex-ft7v4ero
succeeded in 2ms:
02ff SWAP3
0300 SWAP2
0301 POP
0302 POP
0303 JUMP
0304 JUMPDEST
exec
js_repl in /tmp/codex-ft7v4ero
2026-04-05T01:58:22.467424Z ERROR codex_core::tools::router: error=Identifier 'st' has already been declared
exited 1 in 24ms:
Identifier 'st' has already been declared
exec
js_repl in /tmp/codex-ft7v4ero
succeeded in 4ms:
before sstore1 ["ret","to","val",0,"(val-SLOAD(keccak(((0+32)+32),0)))","(val-SLOAD(keccak(((0+32)+32),0)))","keccak(((0+32)+32),0)"]
after sstore1 ["ret","to","val",0]
before sstore2 ["ret","to","val",0,"(val+SLOAD(keccak(((0+32)+32),0)))","(val+SLOAD(keccak(((0+32)+32),0)))","keccak(((0+32)+32),0)"]
after sstore2 ["ret","to","val",0]
exec
js_repl in /tmp/codex-ft7v4ero
succeeded in 8ms:
after log before final cleanup ["ret","to","val",0] [
'm40',
'(m40-(m40+32))',
'TransferTopic',
'(caller&mask)',
'(to&mask)'
]
before jump [0,"ret"] dest ret retval 0
exec
js_repl in /tmp/codex-ft7v4ero
succeeded in 3ms:
--- 90
0090 ADD
0091 SWAP1
0092 DUP1
0093 DUP4
0094 DUP4
0095 DUP3
0096 SWAP1
0097 PUSH1 00
0099 PUSH1 04
009b PUSH1 20
009d DUP5
009e PUSH1 1f
00a0 ADD
00a1 DIV
00a2 PUSH1 03
00a4 MUL
00a5 PUSH1 0f
00a7 ADD
00a8 CALL
00a9 POP
00aa SWAP1
00ab POP
00ac SWAP1
00ad DUP2
00ae ADD
00af SWAP1
--- 170
0170 SUB
0171 MUL
0172 PUSH1 0f
0174 ADD
0175 CALL
0176 POP
0177 SWAP1
0178 POP
0179 SWAP1
017a DUP2
017b ADD
017c SWAP1
017d PUSH1 1f
017f AND
0180 DUP1
0181 ISZERO
0182 PUSH2 019f
0185 JUMPI
0186 DUP1
0187 DUP3
0188 SUB
0189 DUP1
018a MLOAD
018b PUSH1 01
018d DUP4
018e PUSH1 20
codex
{"no_findings":false,"summary":"Minimal ERC20-like runtime with selectors consistent with `name`, `symbol`, `decimals`, `balanceOf`, and `transfer`. I do not see proxy/admin/delegatecall logic. The detector-reported CALLs at `pc:0x168` and `pc:0x373` match legacy string-return helper code that appears to call precompile `0x04`, so I do not treat them as the primary issue. The meaningful bytecode-level findings are a non-standard `transfer` return value and unchecked recipient-balance addition. Bytecode-only caveat: selector inference is best-effort, and overflow reachability depends on unknown deployment-time supply/balances.","findings":[{"severity":"low","category":"other","title":"`transfer` appears to return `false` even when balances are updated successfully","exploit_scenario":"A protocol that uses standard ERC-20 semantics, such as `require(token.transfer(...))` or a SafeERC20-style wrapper, will observe `false` and revert. That makes the token unusable in many integrations even though this contract already updated balances and emitted `Transfer` before returning.","recommendation":"Return canonical boolean `true` on successful transfers, or document/wrap the token as non-standard before integrating it anywhere that expects ERC-20-compliant return values.","evidence":"Selector `0xa9059cbb` dispatches into the transfer routine at `pc:0x1e2`. The routine pushes `0` at `pc:0x1e3` and never writes `1` on the success path. After storage updates and the `Transfer` log, cleanup at `pc:0x2ff`-`pc:0x303` returns with that original `0` left as the ABI return word. This is a direct bytecode inference, not source-level confirmation.","locations":["selector:0xa9059cbb","pc:0x1e3","pc:0x2ff","pc:0x303"]},{"severity":"low","category":"math","title":"Recipient balance credit uses unchecked addition","exploit_scenario":"If the deployment ever has a recipient balance near `2^256-1`, transferring additional tokens into that account will wrap the stored balance and break accounting. Because I only have runtime bytecode, I cannot determine whether the initial supply/balance distribution makes this reachable in practice, so severity stays low.","recommendation":"Use checked arithmetic for the recipient credit path, or compile with Solidity 0.8+ semantics / SafeMath-equivalent protections.","evidence":"The transfer path only checks `senderBalance >= amount` at `pc:0x215`-`pc:0x21b`. The recipient update later performs raw `ADD` at `pc:0x291` and writes the result with `SSTORE` at `pc:0x297`, with no overflow check visible in the bytecode artifact.","locations":["selector:0xa9059cbb","pc:0x215","pc:0x21b","pc:0x291","pc:0x297"]}]}
tokens used
61,023
{
"codex": {
"ran_at": "2026-04-05T01:59:30.002517+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 2282,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "Minimal ERC20-like runtime with selectors consistent with `name`, `symbol`, `decimals`, `balanceOf`, and `transfer`. I do not see proxy/admin/delegatecall logic. The detector-reported CALLs at `pc:0x168` and `pc:0x373` match legacy string-return helper code that appears to call precompile `0x04`, so I do not treat them as the primary issue. The meaningful bytecode-level findings are a non-standard `transfer` return value and unchecked recipient-balance addition. Bytecode-only caveat: selector inference is best-effort, and overflow reachability depends on unknown deployment-time supply/balances.",
"raw_final": {
"summary": "Minimal ERC20-like runtime with selectors consistent with `name`, `symbol`, `decimals`, `balanceOf`, and `transfer`. I do not see proxy/admin/delegatecall logic. The detector-reported CALLs at `pc:0x168` and `pc:0x373` match legacy string-return helper code that appears to call precompile `0x04`, so I do not treat them as the primary issue. The meaningful bytecode-level findings are a non-standard `transfer` return value and unchecked recipient-balance addition. Bytecode-only caveat: selector inference is best-effort, and overflow reachability depends on unknown deployment-time supply/balances.",
"findings": [
{
"title": "`transfer` appears to return `false` even when balances are updated successfully",
"category": "other",
"evidence": "Selector `0xa9059cbb` dispatches into the transfer routine at `pc:0x1e2`. The routine pushes `0` at `pc:0x1e3` and never writes `1` on the success path. After storage updates and the `Transfer` log, cleanup at `pc:0x2ff`-`pc:0x303` returns with that original `0` left as the ABI return word. This is a direct bytecode inference, not source-level confirmation.",
"severity": "low",
"locations": [
"selector:0xa9059cbb",
"pc:0x1e3",
"pc:0x2ff",
"pc:0x303"
],
"recommendation": "Return canonical boolean `true` on successful transfers, or document/wrap the token as non-standard before integrating it anywhere that expects ERC-20-compliant return values.",
"exploit_scenario": "A protocol that uses standard ERC-20 semantics, such as `require(token.transfer(...))` or a SafeERC20-style wrapper, will observe `false` and revert. That makes the token unusable in many integrations even though this contract already updated balances and emitted `Transfer` before returning."
},
{
"title": "Recipient balance credit uses unchecked addition",
"category": "math",
"evidence": "The transfer path only checks `senderBalance >= amount` at `pc:0x215`-`pc:0x21b`. The recipient update later performs raw `ADD` at `pc:0x291` and writes the result with `SSTORE` at `pc:0x297`, with no overflow check visible in the bytecode artifact.",
"severity": "low",
"locations": [
"selector:0xa9059cbb",
"pc:0x215",
"pc:0x21b",
"pc:0x291",
"pc:0x297"
],
"recommendation": "Use checked arithmetic for the recipient credit path, or compile with Solidity 0.8+ semantics / SafeMath-equivalent protections.",
"exploit_scenario": "If the deployment ever has a recipient balance near `2^256-1`, transferring additional tokens into that account will wrap the stored balance and break accounting. Because I only have runtime bytecode, I cannot determine whether the initial supply/balance distribution makes this reachable in practice, so severity stays low."
}
],
"no_findings": false
},
"no_findings": false,
"schema_version": 1
}
00000000: PUSH1 0x60 00000002: PUSH1 0x40 00000004: MSTORE 00000005: PUSH1 0x00 00000007: CALLDATALOAD 00000008: PUSH29 0x0100000000000000000000000000000000000000000000000000000000 00000026: SWAP1 00000027: DIV 00000028: DUP1 00000029: PUSH4 0x06fdde03 0000002e: EQ 0000002f: PUSH2 0x0065 00000032: JUMPI 00000033: DUP1 00000034: PUSH4 0x313ce567 00000039: EQ 0000003a: PUSH2 0x00e0 0000003d: JUMPI 0000003e: DUP1 0000003f: PUSH4 0x70a08231 00000044: EQ 00000045: PUSH2 0x0106 00000048: JUMPI 00000049: DUP1 0000004a: PUSH4 0x95d89b41 0000004f: EQ 00000050: PUSH2 0x0132 00000053: JUMPI 00000054: DUP1 00000055: PUSH4 0xa9059cbb 0000005a: EQ 0000005b: PUSH2 0x01ad 0000005e: JUMPI 0000005f: PUSH2 0x0063 00000062: JUMP 00000063: JUMPDEST 00000064: STOP 00000065: JUMPDEST 00000066: PUSH2 0x0072 00000069: PUSH1 0x04 0000006b: DUP1 0000006c: POP 0000006d: POP 0000006e: PUSH2 0x0304 00000071: JUMP 00000072: JUMPDEST 00000073: PUSH1 0x40 00000075: MLOAD 00000076: DUP1 00000077: DUP1 00000078: PUSH1 0x20 0000007a: ADD 0000007b: DUP3 0000007c: DUP2 0000007d: SUB 0000007e: DUP3 0000007f: MSTORE 00000080: DUP4 00000081: DUP2 00000082: DUP2 00000083: MLOAD 00000084: DUP2 00000085: MSTORE 00000086: PUSH1 0x20 00000088: ADD 00000089: SWAP2 0000008a: POP 0000008b: DUP1 0000008c: MLOAD 0000008d: SWAP1 0000008e: PUSH1 0x20 00000090: ADD 00000091: SWAP1 00000092: DUP1 00000093: DUP4 00000094: DUP4 00000095: DUP3 00000096: SWAP1 00000097: PUSH1 0x00 00000099: PUSH1 0x04 0000009b: PUSH1 0x20 0000009d: DUP5 0000009e: PUSH1 0x1f 000000a0: ADD 000000a1: DIV 000000a2: PUSH1 0x03 000000a4: MUL 000000a5: PUSH1 0x0f 000000a7: ADD 000000a8: CALL 000000a9: POP 000000aa: SWAP1 000000ab: POP 000000ac: SWAP1 000000ad: DUP2 000000ae: ADD 000000af: SWAP1 000000b0: PUSH1 0x1f 000000b2: AND 000000b3: DUP1 000000b4: ISZERO 000000b5: PUSH2 0x00d2 000000b8: JUMPI 000000b9: DUP1 000000ba: DUP3 000000bb: SUB 000000bc: DUP1 000000bd: MLOAD 000000be: PUSH1 0x01 000000c0: DUP4 000000c1: PUSH1 0x20 000000c3: SUB 
000000c4: PUSH2 0x0100 000000c7: EXP 000000c8: SUB 000000c9: NOT 000000ca: AND 000000cb: DUP2 000000cc: MSTORE 000000cd: PUSH1 0x20 000000cf: ADD 000000d0: SWAP2 000000d1: POP 000000d2: JUMPDEST 000000d3: POP 000000d4: SWAP3 000000d5: POP 000000d6: POP 000000d7: POP 000000d8: PUSH1 0x40 000000da: MLOAD 000000db: DUP1 000000dc: SWAP2 000000dd: SUB 000000de: SWAP1 000000df: RETURN 000000e0: JUMPDEST 000000e1: PUSH2 0x00ed 000000e4: PUSH1 0x04 000000e6: DUP1 000000e7: POP 000000e8: POP 000000e9: PUSH2 0x0446 000000ec: JUMP 000000ed: JUMPDEST 000000ee: PUSH1 0x40 000000f0: MLOAD 000000f1: DUP1 000000f2: DUP3 000000f3: PUSH1 0xff 000000f5: AND 000000f6: DUP2 000000f7: MSTORE 000000f8: PUSH1 0x20 000000fa: ADD 000000fb: SWAP2 000000fc: POP 000000fd: POP 000000fe: PUSH1 0x40 00000100: MLOAD 00000101: DUP1 00000102: SWAP2 00000103: SUB 00000104: SWAP1 00000105: RETURN 00000106: JUMPDEST 00000107: PUSH2 0x011c 0000010a: PUSH1 0x04 0000010c: DUP1 0000010d: DUP1 0000010e: CALLDATALOAD 0000010f: SWAP1 00000110: PUSH1 0x20 00000112: ADD 00000113: SWAP1 00000114: SWAP2 00000115: SWAP1 00000116: POP 00000117: POP 00000118: PUSH2 0x0459 0000011b: JUMP 0000011c: JUMPDEST 0000011d: PUSH1 0x40 0000011f: MLOAD 00000120: DUP1 00000121: DUP3 00000122: DUP2 00000123: MSTORE 00000124: PUSH1 0x20 00000126: ADD 00000127: SWAP2 00000128: POP 00000129: POP 0000012a: PUSH1 0x40 0000012c: MLOAD 0000012d: DUP1 0000012e: SWAP2 0000012f: SUB 00000130: SWAP1 00000131: RETURN 00000132: JUMPDEST 00000133: PUSH2 0x013f 00000136: PUSH1 0x04 00000138: DUP1 00000139: POP 0000013a: POP 0000013b: PUSH2 0x03a5 0000013e: JUMP 0000013f: JUMPDEST 00000140: PUSH1 0x40 00000142: MLOAD 00000143: DUP1 00000144: DUP1 00000145: PUSH1 0x20 00000147: ADD 00000148: DUP3 00000149: DUP2 0000014a: SUB 0000014b: DUP3 0000014c: MSTORE 0000014d: DUP4 0000014e: DUP2 0000014f: DUP2 00000150: MLOAD 00000151: DUP2 00000152: MSTORE 00000153: PUSH1 0x20 00000155: ADD 00000156: SWAP2 00000157: POP 00000158: DUP1 00000159: MLOAD 
0000015a: SWAP1 0000015b: PUSH1 0x20 0000015d: ADD 0000015e: SWAP1 0000015f: DUP1 00000160: DUP4 00000161: DUP4 00000162: DUP3 00000163: SWAP1 00000164: PUSH1 0x00 00000166: PUSH1 0x04 00000168: PUSH1 0x20 0000016a: DUP5 0000016b: PUSH1 0x1f 0000016d: ADD 0000016e: DIV 0000016f: PUSH1 0x03 00000171: MUL 00000172: PUSH1 0x0f 00000174: ADD 00000175: CALL 00000176: POP 00000177: SWAP1 00000178: POP 00000179: SWAP1 0000017a: DUP2 0000017b: ADD 0000017c: SWAP1 0000017d: PUSH1 0x1f 0000017f: AND 00000180: DUP1 00000181: ISZERO 00000182: PUSH2 0x019f 00000185: JUMPI 00000186: DUP1 00000187: DUP3 00000188: SUB 00000189: DUP1 0000018a: MLOAD 0000018b: PUSH1 0x01 0000018d: DUP4 0000018e: PUSH1 0x20 00000190: SUB 00000191: PUSH2 0x0100 00000194: EXP 00000195: SUB 00000196: NOT 00000197: AND 00000198: DUP2 00000199: MSTORE 0000019a: PUSH1 0x20 0000019c: ADD 0000019d: SWAP2 0000019e: POP 0000019f: JUMPDEST 000001a0: POP 000001a1: SWAP3 000001a2: POP 000001a3: POP 000001a4: POP 000001a5: PUSH1 0x40 000001a7: MLOAD 000001a8: DUP1 000001a9: SWAP2 000001aa: SUB 000001ab: SWAP1 000001ac: RETURN 000001ad: JUMPDEST 000001ae: PUSH2 0x01cc 000001b1: PUSH1 0x04 000001b3: DUP1 000001b4: DUP1 000001b5: CALLDATALOAD 000001b6: SWAP1 000001b7: PUSH1 0x20 000001b9: ADD 000001ba: SWAP1 000001bb: SWAP2 000001bc: SWAP1 000001bd: DUP1 000001be: CALLDATALOAD 000001bf: SWAP1 000001c0: PUSH1 0x20 000001c2: ADD 000001c3: SWAP1 000001c4: SWAP2 000001c5: SWAP1 000001c6: POP 000001c7: POP 000001c8: PUSH2 0x01e2 000001cb: JUMP 000001cc: JUMPDEST 000001cd: PUSH1 0x40 000001cf: MLOAD 000001d0: DUP1 000001d1: DUP3 000001d2: DUP2 000001d3: MSTORE 000001d4: PUSH1 0x20 000001d6: ADD 000001d7: SWAP2 000001d8: POP 000001d9: POP 000001da: PUSH1 0x40 000001dc: MLOAD 000001dd: DUP1 000001de: SWAP2 000001df: SUB 000001e0: SWAP1 000001e1: RETURN 000001e2: JUMPDEST 000001e3: PUSH1 0x00 000001e5: DUP2 000001e6: PUSH1 0x03 000001e8: PUSH1 0x00 000001ea: POP 000001eb: PUSH1 0x00 000001ed: CALLER 000001ee: PUSH20 
0xffffffffffffffffffffffffffffffffffffffff 00000203: AND 00000204: DUP2 00000205: MSTORE 00000206: PUSH1 0x20 00000208: ADD 00000209: SWAP1 0000020a: DUP2 0000020b: MSTORE 0000020c: PUSH1 0x20 0000020e: ADD 0000020f: PUSH1 0x00 00000211: KECCAK256 00000212: PUSH1 0x00 00000214: POP 00000215: SLOAD 00000216: LT 00000217: ISZERO 00000218: PUSH2 0x0220 0000021b: JUMPI 0000021c: PUSH2 0x0002 0000021f: JUMP 00000220: JUMPDEST 00000221: DUP2 00000222: PUSH1 0x03 00000224: PUSH1 0x00 00000226: POP 00000227: PUSH1 0x00 00000229: CALLER 0000022a: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000023f: AND 00000240: DUP2 00000241: MSTORE 00000242: PUSH1 0x20 00000244: ADD 00000245: SWAP1 00000246: DUP2 00000247: MSTORE 00000248: PUSH1 0x20 0000024a: ADD 0000024b: PUSH1 0x00 0000024d: KECCAK256 0000024e: PUSH1 0x00 00000250: DUP3 00000251: DUP3 00000252: DUP3 00000253: POP 00000254: SLOAD 00000255: SUB 00000256: SWAP3 00000257: POP 00000258: POP 00000259: DUP2 0000025a: SWAP1 0000025b: SSTORE 0000025c: POP 0000025d: DUP2 0000025e: PUSH1 0x03 00000260: PUSH1 0x00 00000262: POP 00000263: PUSH1 0x00 00000265: DUP6 00000266: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000027b: AND 0000027c: DUP2 0000027d: MSTORE 0000027e: PUSH1 0x20 00000280: ADD 00000281: SWAP1 00000282: DUP2 00000283: MSTORE 00000284: PUSH1 0x20 00000286: ADD 00000287: PUSH1 0x00 00000289: KECCAK256 0000028a: PUSH1 0x00 0000028c: DUP3 0000028d: DUP3 0000028e: DUP3 0000028f: POP 00000290: SLOAD 00000291: ADD 00000292: SWAP3 00000293: POP 00000294: POP 00000295: DUP2 00000296: SWAP1 00000297: SSTORE 00000298: POP 00000299: DUP3 0000029a: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000002af: AND 000002b0: CALLER 000002b1: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000002c6: AND 000002c7: PUSH32 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef 000002e8: DUP5 000002e9: PUSH1 0x40 000002eb: MLOAD 000002ec: DUP1 000002ed: DUP3 000002ee: DUP2 000002ef: MSTORE 000002f0: PUSH1 
0x20 000002f2: ADD 000002f3: SWAP2 000002f4: POP 000002f5: POP 000002f6: PUSH1 0x40 000002f8: MLOAD 000002f9: DUP1 000002fa: SWAP2 000002fb: SUB 000002fc: SWAP1 000002fd: LOG3 000002fe: JUMPDEST 000002ff: SWAP3 00000300: SWAP2 00000301: POP 00000302: POP 00000303: JUMP 00000304: JUMPDEST 00000305: PUSH1 0x00 00000307: PUSH1 0x00 00000309: POP 0000030a: DUP1 0000030b: SLOAD 0000030c: PUSH1 0x01 0000030e: DUP2 0000030f: PUSH1 0x01 00000311: AND 00000312: ISZERO 00000313: PUSH2 0x0100 00000316: MUL 00000317: SUB 00000318: AND 00000319: PUSH1 0x02 0000031b: SWAP1 0000031c: DIV 0000031d: DUP1 0000031e: PUSH1 0x1f 00000320: ADD 00000321: PUSH1 0x20 00000323: DUP1 00000324: SWAP2 00000325: DIV 00000326: MUL 00000327: PUSH1 0x20 00000329: ADD 0000032a: PUSH1 0x40 0000032c: MLOAD 0000032d: SWAP1 0000032e: DUP2 0000032f: ADD 00000330: PUSH1 0x40 00000332: MSTORE 00000333: DUP1 00000334: SWAP3 00000335: SWAP2 00000336: SWAP1 00000337: DUP2 00000338: DUP2 00000339: MSTORE 0000033a: PUSH1 0x20 0000033c: ADD 0000033d: DUP3 0000033e: DUP1 0000033f: SLOAD 00000340: PUSH1 0x01 00000342: DUP2 00000343: PUSH1 0x01 00000345: AND 00000346: ISZERO 00000347: PUSH2 0x0100 0000034a: MUL 0000034b: SUB 0000034c: AND 0000034d: PUSH1 0x02 0000034f: SWAP1 00000350: DIV 00000351: DUP1 00000352: ISZERO 00000353: PUSH2 0x039d 00000356: JUMPI 00000357: DUP1 00000358: PUSH1 0x1f 0000035a: LT 0000035b: PUSH2 0x0372 0000035e: JUMPI 0000035f: PUSH2 0x0100 00000362: DUP1 00000363: DUP4 00000364: SLOAD 00000365: DIV 00000366: MUL 00000367: DUP4 00000368: MSTORE 00000369: SWAP2 0000036a: PUSH1 0x20 0000036c: ADD 0000036d: SWAP2 0000036e: PUSH2 0x039d 00000371: JUMP 00000372: JUMPDEST 00000373: DUP3 00000374: ADD 00000375: SWAP2 00000376: SWAP1 00000377: PUSH1 0x00 00000379: MSTORE 0000037a: PUSH1 0x20 0000037c: PUSH1 0x00 0000037e: KECCAK256 0000037f: SWAP1 00000380: JUMPDEST 00000381: DUP2 00000382: SLOAD 00000383: DUP2 00000384: MSTORE 00000385: SWAP1 00000386: PUSH1 0x01 00000388: ADD 00000389: SWAP1 
0000038a: PUSH1 0x20 0000038c: ADD 0000038d: DUP1 0000038e: DUP4 0000038f: GT 00000390: PUSH2 0x0380 00000393: JUMPI 00000394: DUP3 00000395: SWAP1 00000396: SUB 00000397: PUSH1 0x1f 00000399: AND 0000039a: DUP3 0000039b: ADD 0000039c: SWAP2 0000039d: JUMPDEST 0000039e: POP 0000039f: POP 000003a0: POP 000003a1: POP 000003a2: POP 000003a3: DUP2 000003a4: JUMP 000003a5: JUMPDEST 000003a6: PUSH1 0x01 000003a8: PUSH1 0x00 000003aa: POP 000003ab: DUP1 000003ac: SLOAD 000003ad: PUSH1 0x01 000003af: DUP2 000003b0: PUSH1 0x01 000003b2: AND 000003b3: ISZERO 000003b4: PUSH2 0x0100 000003b7: MUL 000003b8: SUB 000003b9: AND 000003ba: PUSH1 0x02 000003bc: SWAP1 000003bd: DIV 000003be: DUP1 000003bf: PUSH1 0x1f 000003c1: ADD 000003c2: PUSH1 0x20 000003c4: DUP1 000003c5: SWAP2 000003c6: DIV 000003c7: MUL 000003c8: PUSH1 0x20 000003ca: ADD 000003cb: PUSH1 0x40 000003cd: MLOAD 000003ce: SWAP1 000003cf: DUP2 000003d0: ADD 000003d1: PUSH1 0x40 000003d3: MSTORE 000003d4: DUP1 000003d5: SWAP3 000003d6: SWAP2 000003d7: SWAP1 000003d8: DUP2 000003d9: DUP2 000003da: MSTORE 000003db: PUSH1 0x20 000003dd: ADD 000003de: DUP3 000003df: DUP1 000003e0: SLOAD 000003e1: PUSH1 0x01 000003e3: DUP2 000003e4: PUSH1 0x01 000003e6: AND 000003e7: ISZERO 000003e8: PUSH2 0x0100 000003eb: MUL 000003ec: SUB 000003ed: AND 000003ee: PUSH1 0x02 000003f0: SWAP1 000003f1: DIV 000003f2: DUP1 000003f3: ISZERO 000003f4: PUSH2 0x043e 000003f7: JUMPI 000003f8: DUP1 000003f9: PUSH1 0x1f 000003fb: LT 000003fc: PUSH2 0x0413 000003ff: JUMPI 00000400: PUSH2 0x0100 00000403: DUP1 00000404: DUP4 00000405: SLOAD 00000406: DIV 00000407: MUL 00000408: DUP4 00000409: MSTORE 0000040a: SWAP2 0000040b: PUSH1 0x20 0000040d: ADD 0000040e: SWAP2 0000040f: PUSH2 0x043e 00000412: JUMP 00000413: JUMPDEST 00000414: DUP3 00000415: ADD 00000416: SWAP2 00000417: SWAP1 00000418: PUSH1 0x00 0000041a: MSTORE 0000041b: PUSH1 0x20 0000041d: PUSH1 0x00 0000041f: KECCAK256 00000420: SWAP1 00000421: JUMPDEST 00000422: DUP2 00000423: SLOAD 00000424: 
DUP2 00000425: MSTORE 00000426: SWAP1 00000427: PUSH1 0x01 00000429: ADD 0000042a: SWAP1 0000042b: PUSH1 0x20 0000042d: ADD 0000042e: DUP1 0000042f: DUP4 00000430: GT 00000431: PUSH2 0x0421 00000434: JUMPI 00000435: DUP3 00000436: SWAP1 00000437: SUB 00000438: PUSH1 0x1f 0000043a: AND 0000043b: DUP3 0000043c: ADD 0000043d: SWAP2 0000043e: JUMPDEST 0000043f: POP 00000440: POP 00000441: POP 00000442: POP 00000443: POP 00000444: DUP2 00000445: JUMP 00000446: JUMPDEST 00000447: PUSH1 0x02 00000449: PUSH1 0x00 0000044b: SWAP1 0000044c: SLOAD 0000044d: SWAP1 0000044e: PUSH2 0x0100 00000451: EXP 00000452: SWAP1 00000453: DIV 00000454: PUSH1 0xff 00000456: AND 00000457: DUP2 00000458: JUMP 00000459: JUMPDEST 0000045a: PUSH1 0x03 0000045c: PUSH1 0x00 0000045e: POP 0000045f: PUSH1 0x20 00000461: MSTORE 00000462: DUP1 00000463: PUSH1 0x00 00000465: MSTORE 00000466: PUSH1 0x40 00000468: PUSH1 0x00 0000046a: KECCAK256 0000046b: PUSH1 0x00 0000046d: SWAP2 0000046e: POP 0000046f: SWAP1 00000470: POP 00000471: SLOAD 00000472: DUP2 00000473: JUMP
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | other | detector | Untrusted CALL target/value reachable | 60 | yes | yes |
trace_id: 0x3e6ad4b5d354721bae75b7438e5be73db807e93cf650d3d0fec19c4ec94c1d50
call_targets: 0x0000000000000000000000000000000000000004, 0xac514f05160d2723aa7fb27bf98abf347dd26d2d
target_varies: yes
classification: target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x3e6ad4b5d354721bae75b7438e5be73db807e93cf650d3d0fec19c4ec94c1d50",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0xac514f05160d2723aa7fb27bf98abf347dd26d2d"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x70a08231",
"selector": "0x70a08231",
"calldata_variants": [
"0x70a08231",
"0x70a082310000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x95d89b41",
"selector": "0x95d89b41",
"calldata_variants": [
"0x95d89b41",
"0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa9059cbb",
"selector": "0xa9059cbb",
"calldata_variants": [
"0xa9059cbb",
"0xa9059cbb0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 168,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 373,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 2,
"guards_detected": [],
"untrusted_call_count": 2
}
|
| high | other | detector | ETH value transfer possible | 55 | yes | yes |
trace_id: 0x3e6ad4b5d354721bae75b7438e5be73db807e93cf650d3d0fec19c4ec94c1d50
call_targets: 0x0000000000000000000000000000000000000004, 0xac514f05160d2723aa7fb27bf98abf347dd26d2d
target_varies: yes
classification: target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x3e6ad4b5d354721bae75b7438e5be73db807e93cf650d3d0fec19c4ec94c1d50",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0xac514f05160d2723aa7fb27bf98abf347dd26d2d"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x70a08231",
"selector": "0x70a08231",
"calldata_variants": [
"0x70a08231",
"0x70a082310000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x95d89b41",
"selector": "0x95d89b41",
"calldata_variants": [
"0x95d89b41",
"0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa9059cbb",
"selector": "0xa9059cbb",
"calldata_variants": [
"0xa9059cbb",
"0xa9059cbb0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 168,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 373,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 2,
"guards_detected": []
}
|
| low | other | codex | `transfer` appears to return `false` even when balances are updated successfully | 65 | no | — |
evidence_json{
"evidence": "Selector `0xa9059cbb` dispatches into the transfer routine at `pc:0x1e2`. The routine pushes `0` at `pc:0x1e3` and never writes `1` on the success path. After storage updates and the `Transfer` log, cleanup at `pc:0x2ff`-`pc:0x303` returns with that original `0` left as the ABI return word. This is a direct bytecode inference, not source-level confirmation.",
"locations": [
"selector:0xa9059cbb",
"pc:0x1e3",
"pc:0x2ff",
"pc:0x303"
],
"recommendation": "Return canonical boolean `true` on successful transfers, or document/wrap the token as non-standard before integrating it anywhere that expects ERC-20-compliant return values.",
"exploit_scenario": "A protocol that uses standard ERC-20 semantics, such as `require(token.transfer(...))` or a SafeERC20-style wrapper, will observe `false` and revert. That makes the token unusable in many integrations even though this contract already updated balances and emitted `Transfer` before returning."
}
|
| low | math | codex | Recipient balance credit uses unchecked addition | 65 | no | — |
evidence_json{
"evidence": "The transfer path only checks `senderBalance >= amount` at `pc:0x215`-`pc:0x21b`. The recipient update later performs raw `ADD` at `pc:0x291` and writes the result with `SSTORE` at `pc:0x297`, with no overflow check visible in the bytecode artifact.",
"locations": [
"selector:0xa9059cbb",
"pc:0x215",
"pc:0x21b",
"pc:0x291",
"pc:0x297"
],
"recommendation": "Use checked arithmetic for the recipient credit path, or compile with Solidity 0.8+ semantics / SafeMath-equivalent protections.",
"exploit_scenario": "If the deployment ever has a recipient balance near `2^256-1`, transferring additional tokens into that account will wrap the stored balance and break accounting. Because I only have runtime bytecode, I cannot determine whether the initial supply/balance distribution makes this reachable in practice, so severity stays low."
}
|