019b3836-2695-700f-a0d0-7f5a831b9921
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 947 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 948 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 44431 | analysis.bundle | complete | 1 / 3 | 1 week ago |
| 44432 | capability.graph | complete | 1 / 3 | 1 week ago |
| 44433 | detector.run | complete | 1 / 3 | 1 week ago |
| 44434 | validation.fork | complete | 1 / 3 | 1 week ago |
| 113232 | report.consolidate | complete | 1 / 6 | 1 week ago |
No slither job recorded yet.
{"no_findings":false,"summary":"Bytecode analysis indicates a fallback-only ETH forwarder with no storage, no delegatecall, and no proxy/upgradability surface. The main meaningful risk is that its only external ETH transfer is stipend-based and its success value is ignored, so ETH can be silently stranded if the hardcoded recipient cannot accept the transfer.","findings":[{"severity":"medium","category":"other","title":"Unchecked hardcoded ETH sweep can silently trap funds","exploit_scenario":"Any call into the contract reaches the fallback and attempts to send the entire contract balance to the fixed address 0x0047a8033cc6d6ca2ed5044674fd421f44884de8 using CALL with zero supplied gas. Because CALL with nonzero value only provides stipend-level gas in this shape, a recipient contract that reverts or needs more than the stipend will cause the transfer to fail. The bytecode then discards the success flag and stops, so callers get no failure signal and there is no visible alternate withdrawal path in the runtime analyzed. This is conditional because bytecode alone cannot prove whether the recipient is an EOA or a payable contract.","recommendation":"Revert when the ETH transfer fails instead of discarding the CALL result. If the hardcoded recipient is intentional, verify it can always receive stipend-based ETH transfers; otherwise use an explicit withdrawal function with configurable recipient validation and deliberate gas/reentrancy handling.","evidence":"From BYTECODE_BUNDLE.json, the runtime is fallback-only and contains a single CALL at pc 0x44. Stack reconstruction of the sequence around pc 0x0b..0x44 shows CALL(gas=0,to=0x0047a8033cc6d6ca2ed5044674fd421f44884de8,value=BALANCE(address(this)),inOffset=0x60,inSize=0,outOffset=0x60,outSize=0). The success bit returned by CALL is immediately discarded by POP instructions at pc 0x45..0x49. No storage writes, auth guards, or alternate callable selectors were detected in the artifact.","locations":["selector:fallback","pc:0x44","pc:0x45"]}]}
OpenAI Codex v0.118.0 (research preview)
--------
workdir: /tmp/codex-0c4ilp4l
model: gpt-5.4
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: none
session id: 019d5b69-880a-7cc2-a07c-7aebb9316ab9
--------
user
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
warning: Codex could not find system bubblewrap on PATH. Please install bubblewrap with your package manager. Codex will use the vendored bubblewrap in the meantime.
exec
/bin/bash -lc pwd in /tmp/codex-0c4ilp4l
succeeded in 0ms:
/tmp/codex-0c4ilp4l
exec
/bin/bash -lc 'rg --files' in /tmp/codex-0c4ilp4l
succeeded in 0ms:
BYTECODE_BUNDLE.json
codex-output-schema.json
exec
/bin/bash -lc "sed -n '1,260p' BYTECODE_BUNDLE.json" in /tmp/codex-0c4ilp4l
succeeded in 0ms:
{
"analysis_artifact": {
"address": "0xb5eb68417e27752b4da0aaf835b7fb3d74b46371",
"artifact_hash": "0x85400b79285f9a7104daa50a9022f6a776ff3fbe7398cc84f772d4072f357816",
"artifact_json": {
"auth": {
"guards": []
},
"basic_blocks": [
{
"end_pc": 9,
"hash": "0x56f6410e5dccbc7c45f37b206aed959b9d4b216feb25c960495aadcc94210055",
"opcodes": [
"PUSH1",
"PUSH1",
"MSTORE",
"CALLDATASIZE",
"ISZERO",
"PUSH1",
"JUMPI"
],
"start_pc": 0
},
{
"end_pc": 74,
"hash": "0x29382bd2547440d7775f2c5d91dfc34f421f921d27afc7a1d80f7fb77f24ad46",
"opcodes": [
"JUMPDEST",
"PUSH1",
"PUSH19",
"PUSH1",
"ADDRESS",
"PUSH20",
"AND",
"BALANCE",
"PUSH1",
"OP_82",
"OP_81",
"OP_81",
"OP_81",
"OP_85",
"OP_88",
"OP_83",
"CALL",
"POP",
"POP",
"POP",
"POP",
"POP",
"JUMP"
],
"start_pc": 10
},
{
"end_pc": 76,
"hash": "0xb924fbe00e003ea2d854c3093b6cd6cf4765953f7e4bbf2dad30fb6197566799",
"opcodes": [
"JUMPDEST",
"STOP"
],
"start_pc": 75
}
],
"callsites": [
{
"opcode": "CALL",
"pc": 68,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"cfg_edges": [
{
"from": "bb:0",
"to": "bb:10",
"type": "control_flow"
},
{
"from": "bb:0",
"to": "bb:10",
"type": "control_flow_fallthrough"
}
],
"cfg_hash": "0x9e9dc805105b36bb077b1962c434d933fbba80bf888f69eb62138808399e0d32",
"dispatcher_type": "fallback_only",
"function_entries": [
{
"entry_pc": 0,
"selector": "fallback"
}
],
"functions": [
{
"auth": {
"guards": []
},
"entry_pc": 0,
"selector": "fallback",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 0,
"slots": [],
"writes": 0
}
}
],
"selectors": [],
"sinks": {
"call": 1,
"create": 0,
"create2": 0,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0,
"upgrade_slot_write_suspected": false
},
"storage": {
"keccak_count": 0,
"reads": 0,
"slots": [],
"writes": 0
},
"version": "analysis_artifact_v1"
},
"block_number": null,
"chain_id": 1,
"codehash": "0x581c06cfb181b0cf5bd63d3ac5463664e9effa7d65eaaa5bd898aac3d0b99272",
"created_at": "2026-04-04T19:47:11.000000Z",
"id": 1767,
"updated_at": "2026-04-04T19:47:11.000000Z",
"version": "analysis_artifact_v1"
},
"analysis_run": {
"address": "0xb5eb68417e27752b4da0aaf835b7fb3d74b46371",
"block_number": null,
"chain_id": 1,
"child_links": [],
"created_at": "2025-12-19T20:03:51.000000Z",
"id": "019b3836-2695-700f-a0d0-7f5a831b9921",
"parent_links": [],
"status": "running",
"updated_at": "2026-04-04T19:47:11.000000Z"
},
"artifact": {
"codehash": "0x581c06cfb181b0cf5bd63d3ac5463664e9effa7d65eaaa5bd898aac3d0b99272",
"compiler_json": {
"etherscan": {
"skipped": true
}
},
"implementation_address": null,
"is_proxy": false,
"runtime_bytecode": {
"full": "0x60606040523615600a575b604b7247a8033cc6d6ca2ed5044674fd421f44884de860003073ffffffffffffffffffffffffffffffffffffffff1631606082818181858883f15050505050565b00",
"head": null,
"length": 156,
"tail": null,
"truncated": false
},
"verified_source": false
},
"capability_graph": {
"address": "0xb5eb68417e27752b4da0aaf835b7fb3d74b46371",
"block_number": null,
"chain_id": 1,
"codehash": "0x581c06cfb181b0cf5bd63d3ac5463664e9effa7d65eaaa5bd898aac3d0b99272",
"created_at": "2026-04-04T19:47:11.000000Z",
"graph_hash": "0xed17671f7b61fe7e303b712623e139e67a39bb6d13850250eefc18fca615c574",
"graph_json": {
"edges": [
{
"from": "bb:0",
"to": "bb:10",
"type": "control_flow"
},
{
"from": "bb:0",
"to": "bb:10",
"type": "control_flow_fallthrough"
},
{
"from": "fn:fallback",
"to": "bb:0",
"type": "entry"
},
{
"from": "bb:10",
"to": "call:68",
"type": "contains"
},
{
"from": "call:68",
"to": "sink:call",
"type": "capability"
}
],
"nodes": [
{
"end_pc": 9,
"hash": "0x56f6410e5dccbc7c45f37b206aed959b9d4b216feb25c960495aadcc94210055",
"id": "bb:0",
"start_pc": 0,
"type": "basic_block"
},
{
"end_pc": 74,
"hash": "0x29382bd2547440d7775f2c5d91dfc34f421f921d27afc7a1d80f7fb77f24ad46",
"id": "bb:10",
"start_pc": 10,
"type": "basic_block"
},
{
"end_pc": 76,
"hash": "0xb924fbe00e003ea2d854c3093b6cd6cf4765953f7e4bbf2dad30fb6197566799",
"id": "bb:75",
"start_pc": 75,
"type": "basic_block"
},
{
"id": "call:68",
"opcode": "CALL",
"pc": 68,
"type": "callsite"
},
{
"id": "sink:call",
"type": "sink"
},
{
"entry_pc": 0,
"id": "fn:fallback",
"selector": "fallback",
"type": "function"
}
],
"version": "capability_graph_v1"
},
"id": 1767,
"updated_at": "2026-04-04T19:47:11.000000Z",
"version": "capability_graph_v1"
},
"detector_findings": [
{
"confidence": 60,
"evidence_json": {
"call_count": 1,
"examples": [
{
"opcode": "CALL",
"pc": 68,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
exec
/bin/bash -lc "sed -n '261,520p' BYTECODE_BUNDLE.json" in /tmp/codex-0c4ilp4l
succeeded in 0ms:
],
"guards_detected": [],
"untrusted_call_count": 1
},
"normalized_json": {
"sink": "CALL"
},
"severity": "high",
"title": "Untrusted CALL target/value reachable",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0047a8033cc6d6ca2ed5044674fd421f44884de8",
"0xb5eb68417e27752b4da0aaf835b7fb3d74b46371"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0xbe97999d3a2676905dfa4e9ef9cad1214fb2675ffa229f13e5fb8ff224a6ec6f",
"trace_mode": "callTracer"
}
},
{
"confidence": 55,
"evidence_json": {
"eth_value_calls": 1,
"examples": [
{
"opcode": "CALL",
"pc": 68,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": []
},
"normalized_json": {
"sink": "CALL",
"value": "nonzero"
},
"severity": "high",
"title": "ETH value transfer possible",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0047a8033cc6d6ca2ed5044674fd421f44884de8",
"0xb5eb68417e27752b4da0aaf835b7fb3d74b46371"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0xbe97999d3a2676905dfa4e9ef9cad1214fb2675ffa229f13e5fb8ff224a6ec6f",
"trace_mode": "callTracer"
}
}
],
"heuristics_summary": {
"create2_count": 0,
"delegatecall_count": 0,
"flags": [],
"selfdestruct_count": 0
}
}
→ Inspect BYTECODE_BUNDLE.json and reconstruct fallback control flow/call semantics
• Assess whether the confirmed CALL implies exploitable issues or expected bytecode behavior
• Produce JSON findings with explicit uncertainty and bytecode evidence
exec
js_repl in /tmp/codex-0c4ilp4l
succeeded in 92ms:
exec
js_repl in /tmp/codex-0c4ilp4l
succeeded in 3ms:
exec
js_repl in /tmp/codex-0c4ilp4l
succeeded in 5ms:
0 PUSH1 0x60
2 PUSH1 0x40
4 MSTORE
5 CALLDATASIZE
6 ISZERO
7 PUSH1 0x0a
9 JUMPI
10 JUMPDEST
11 PUSH1 0x4b
13 PUSH19 0x47a8033cc6d6ca2ed5044674fd421f44884de8
33 PUSH1 0x00
35 ADDRESS
36 PUSH20 0xffffffffffffffffffffffffffffffffffffffff
57 AND
58 BALANCE
59 PUSH1 0x60
61 DUP3
62 DUP2
63 DUP2
64 DUP2
65 DUP6
66 DUP9
67 DUP4
68 CALL
69 POP
70 POP
71 POP
72 POP
73 POP
74 JUMP
75 JUMPDEST
76 STOP
exec
js_repl in /tmp/codex-0c4ilp4l
succeeded in 8ms:
{
gas: '0x00',
to: '0x47a8033cc6d6ca2ed5044674fd421f44884de8',
value: 'balance((address(this)&0xffffffffffffffffffffffffffffffffffffffff))',
inOff: '0x60',
inSize: '0x00',
outOff: '0x60',
outSize: '0x00',
before: [
'0x0a',
'0x4b',
'0x47a8033cc6d6ca2ed5044674fd421f44884de8',
'0x00',
'balance((address(this)&0xffffffffffffffffffffffffffffffffffffffff))',
'0x60'
]
}
exec
js_repl in /tmp/codex-0c4ilp4l
succeeded in 12ms:
JUMPI { dest: undefined, cond: undefined }
{
gas: undefined,
to: undefined,
value: undefined,
inOff: undefined,
inSize: undefined,
outOff: undefined,
outSize: undefined,
before: []
}
JUMP undefined
exec
js_repl in /tmp/codex-0c4ilp4l
succeeded in 12ms:
MSTORE { offset: '0x40', val: '0x60' }
JUMPI { dest: '0x0a', cond: 'iszero(calldatasize)' }
CALL {
gas: '0x00',
to: '0x47a8033cc6d6ca2ed5044674fd421f44884de8',
value: 'balance((address(this)&0xffffffffffffffffffffffffffffffffffffffff))',
inOff: '0x60',
inSize: '0x00',
outOff: '0x60',
outSize: '0x00',
before: [
'0x4b',
'0x47a8033cc6d6ca2ed5044674fd421f44884de8',
'0x00',
'balance((address(this)&0xffffffffffffffffffffffffffffffffffffffff))',
'0x60'
]
}
JUMP 0x4b
[]
exec
js_repl in /tmp/codex-0c4ilp4l
succeeded in 2ms:
before CALL bottom->top
0:0x4b
1:0x47a8033cc6d6ca2ed5044674fd421f44884de8
2:0x00
3:balance((address(this)&0xffffffffffffffffffffffffffffffffffffffff))
4:0x60
5:0x00
6:0x60
7:0x00
8:0x60
9:balance((address(this)&0xffffffffffffffffffffffffffffffffffffffff))
10:0x47a8033cc6d6ca2ed5044674fd421f44884de8
11:0x00
exec
/bin/bash -lc 'cat codex-output-schema.json' in /tmp/codex-0c4ilp4l
succeeded in 0ms:
{"type": "object", "additionalProperties": false, "required": ["no_findings", "summary", "findings"], "properties": {"no_findings": {"type": "boolean"}, "summary": {"type": "string"}, "findings": {"type": "array", "items": {"type": "object", "additionalProperties": false, "required": ["severity", "category", "title", "evidence", "locations", "exploit_scenario", "recommendation"], "properties": {"severity": {"type": "string", "enum": ["info", "low", "medium", "high", "critical"]}, "category": {"type": "string", "enum": ["access_control", "reentrancy", "math", "oracle", "upgradeability", "auth", "other"]}, "title": {"type": "string"}, "exploit_scenario": {"type": "string"}, "recommendation": {"type": "string"}, "evidence": {"type": "string"}, "locations": {"type": "array", "items": {"type": "string"}}}}}}}
✓ Inspect BYTECODE_BUNDLE.json and reconstruct fallback control flow/call semantics
✓ Assess whether the confirmed CALL implies exploitable issues or expected bytecode behavior
→ Produce JSON findings with explicit uncertainty and bytecode evidence
codex
{"no_findings":false,"summary":"Bytecode analysis indicates a fallback-only ETH forwarder with no storage, no delegatecall, and no proxy/upgradability surface. The main meaningful risk is that its only external ETH transfer is stipend-based and its success value is ignored, so ETH can be silently stranded if the hardcoded recipient cannot accept the transfer.","findings":[{"severity":"medium","category":"other","title":"Unchecked hardcoded ETH sweep can silently trap funds","exploit_scenario":"Any call into the contract reaches the fallback and attempts to send the entire contract balance to the fixed address 0x0047a8033cc6d6ca2ed5044674fd421f44884de8 using CALL with zero supplied gas. Because CALL with nonzero value only provides stipend-level gas in this shape, a recipient contract that reverts or needs more than the stipend will cause the transfer to fail. The bytecode then discards the success flag and stops, so callers get no failure signal and there is no visible alternate withdrawal path in the runtime analyzed. This is conditional because bytecode alone cannot prove whether the recipient is an EOA or a payable contract.","recommendation":"Revert when the ETH transfer fails instead of discarding the CALL result. If the hardcoded recipient is intentional, verify it can always receive stipend-based ETH transfers; otherwise use an explicit withdrawal function with configurable recipient validation and deliberate gas/reentrancy handling.","evidence":"From BYTECODE_BUNDLE.json, the runtime is fallback-only and contains a single CALL at pc 0x44. Stack reconstruction of the sequence around pc 0x0b..0x44 shows CALL(gas=0,to=0x0047a8033cc6d6ca2ed5044674fd421f44884de8,value=BALANCE(address(this)),inOffset=0x60,inSize=0,outOffset=0x60,outSize=0). The success bit returned by CALL is immediately discarded by POP instructions at pc 0x45..0x49. No storage writes, auth guards, or alternate callable selectors were detected in the artifact.","locations":["selector:fallback","pc:0x44","pc:0x45"]}]}
tokens used
36,001
{
"codex": {
"ran_at": "2026-04-05T02:14:23.863177+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 156,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "Bytecode analysis indicates a fallback-only ETH forwarder with no storage, no delegatecall, and no proxy/upgradability surface. The main meaningful risk is that its only external ETH transfer is stipend-based and its success value is ignored, so ETH can be silently stranded if the hardcoded recipient cannot accept the transfer.",
"raw_final": {
"summary": "Bytecode analysis indicates a fallback-only ETH forwarder with no storage, no delegatecall, and no proxy/upgradability surface. The main meaningful risk is that its only external ETH transfer is stipend-based and its success value is ignored, so ETH can be silently stranded if the hardcoded recipient cannot accept the transfer.",
"findings": [
{
"title": "Unchecked hardcoded ETH sweep can silently trap funds",
"category": "other",
"evidence": "From BYTECODE_BUNDLE.json, the runtime is fallback-only and contains a single CALL at pc 0x44. Stack reconstruction of the sequence around pc 0x0b..0x44 shows CALL(gas=0,to=0x0047a8033cc6d6ca2ed5044674fd421f44884de8,value=BALANCE(address(this)),inOffset=0x60,inSize=0,outOffset=0x60,outSize=0). The success bit returned by CALL is immediately discarded by POP instructions at pc 0x45..0x49. No storage writes, auth guards, or alternate callable selectors were detected in the artifact.",
"severity": "medium",
"locations": [
"selector:fallback",
"pc:0x44",
"pc:0x45"
],
"recommendation": "Revert when the ETH transfer fails instead of discarding the CALL result. If the hardcoded recipient is intentional, verify it can always receive stipend-based ETH transfers; otherwise use an explicit withdrawal function with configurable recipient validation and deliberate gas/reentrancy handling.",
"exploit_scenario": "Any call into the contract reaches the fallback and attempts to send the entire contract balance to the fixed address 0x0047a8033cc6d6ca2ed5044674fd421f44884de8 using CALL with zero supplied gas. Because CALL with nonzero value only provides stipend-level gas in this shape, a recipient contract that reverts or needs more than the stipend will cause the transfer to fail. The bytecode then discards the success flag and stops, so callers get no failure signal and there is no visible alternate withdrawal path in the runtime analyzed. This is conditional because bytecode alone cannot prove whether the recipient is an EOA or a payable contract."
}
],
"no_findings": false
},
"no_findings": false,
"schema_version": 1
}
00000000: PUSH1 0x60
00000002: PUSH1 0x40
00000004: MSTORE
00000005: CALLDATASIZE
00000006: ISZERO
00000007: PUSH1 0x0a
00000009: JUMPI
0000000a: JUMPDEST
0000000b: PUSH1 0x4b
0000000d: PUSH19 0x47a8033cc6d6ca2ed5044674fd421f44884de8
00000021: PUSH1 0x00
00000023: ADDRESS
00000024: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000039: AND
0000003a: BALANCE
0000003b: PUSH1 0x60
0000003d: DUP3
0000003e: DUP2
0000003f: DUP2
00000040: DUP2
00000041: DUP6
00000042: DUP9
00000043: DUP4
00000044: CALL
00000045: POP
00000046: POP
00000047: POP
00000048: POP
00000049: POP
0000004a: JUMP
0000004b: JUMPDEST
0000004c: STOP
Warning: This is a nightly build of Foundry. It is recommended to use the latest stable version. To mute this warning set `FOUNDRY_DISABLE_NIGHTLY_WARNING` in your environment.
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | other | detector | Untrusted CALL target/value reachable | 60 | yes | yes | see details below |
| high | other | detector | ETH value transfer possible | 55 | yes | yes | see details below |
| medium | other | codex | Unchecked hardcoded ETH sweep can silently trap funds | 75 | no | — | see details below |

Details: high / detector / Untrusted CALL target/value reachable
trace_id: 0xbe97999d3a2676905dfa4e9ef9cad1214fb2675ffa229f13e5fb8ff224a6ec6f
call_targets: 0x0047a8033cc6d6ca2ed5044674fd421f44884de8, 0xb5eb68417e27752b4da0aaf835b7fb3d74b46371
target_varies: yes
classification: target_varies
validation_json:
{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0xbe97999d3a2676905dfa4e9ef9cad1214fb2675ffa229f13e5fb8ff224a6ec6f",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0047a8033cc6d6ca2ed5044674fd421f44884de8",
"0xb5eb68417e27752b4da0aaf835b7fb3d74b46371"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json:
{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x",
"selector": "fallback",
"calldata_variants": [
"0x"
]
}
]
}
evidence_json:
{
"examples": [
{
"pc": 68,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 1,
"guards_detected": [],
"untrusted_call_count": 1
}

Details: high / detector / ETH value transfer possible
trace_id: 0xbe97999d3a2676905dfa4e9ef9cad1214fb2675ffa229f13e5fb8ff224a6ec6f
call_targets: 0x0047a8033cc6d6ca2ed5044674fd421f44884de8, 0xb5eb68417e27752b4da0aaf835b7fb3d74b46371
target_varies: yes
classification: target_varies
validation_json:
{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0xbe97999d3a2676905dfa4e9ef9cad1214fb2675ffa229f13e5fb8ff224a6ec6f",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0047a8033cc6d6ca2ed5044674fd421f44884de8",
"0xb5eb68417e27752b4da0aaf835b7fb3d74b46371"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json:
{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x",
"selector": "fallback",
"calldata_variants": [
"0x"
]
}
]
}
evidence_json:
{
"examples": [
{
"pc": 68,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 1,
"guards_detected": []
}

Details: medium / codex / Unchecked hardcoded ETH sweep can silently trap funds
evidence_json:
{
"evidence": "From BYTECODE_BUNDLE.json, the runtime is fallback-only and contains a single CALL at pc 0x44. Stack reconstruction of the sequence around pc 0x0b..0x44 shows CALL(gas=0,to=0x0047a8033cc6d6ca2ed5044674fd421f44884de8,value=BALANCE(address(this)),inOffset=0x60,inSize=0,outOffset=0x60,outSize=0). The success bit returned by CALL is immediately discarded by POP instructions at pc 0x45..0x49. No storage writes, auth guards, or alternate callable selectors were detected in the artifact.",
"locations": [
"selector:fallback",
"pc:0x44",
"pc:0x45"
],
"recommendation": "Revert when the ETH transfer fails instead of discarding the CALL result. If the hardcoded recipient is intentional, verify it can always receive stipend-based ETH transfers; otherwise use an explicit withdrawal function with configurable recipient validation and deliberate gas/reentrancy handling.",
"exploit_scenario": "Any call into the contract reaches the fallback and attempts to send the entire contract balance to the fixed address 0x0047a8033cc6d6ca2ed5044674fd421f44884de8 using CALL with zero supplied gas. Because CALL with nonzero value only provides stipend-level gas in this shape, a recipient contract that reverts or needs more than the stipend will cause the transfer to fail. The bytecode then discards the success flag and stops, so callers get no failure signal and there is no visible alternate withdrawal path in the runtime analyzed. This is conditional because bytecode alone cannot prove whether the recipient is an EOA or a payable contract."
}