019b3836-2d76-71c8-97dc-996004a4b3cf
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 2101 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 2102 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 45224 | analysis.bundle | complete | 1 / 3 | 1 week ago |
| 45225 | capability.graph | complete | 1 / 3 | 1 week ago |
| 45226 | detector.run | complete | 1 / 3 | 1 week ago |
| 45227 | validation.fork | complete | 1 / 3 | 1 week ago |
| 113237 | report.consolidate | complete | 1 / 6 | 1 week ago |
No slither job recorded yet.
{"no_findings":false,"summary":"Bytecode looks like a small legacy ERC20-style token with `name`, `symbol`, `decimals`, `balanceOf`, and `transfer`. I did not find evidence of proxy logic, `DELEGATECALL`, owner-only admin paths, or a meaningful reentrancy surface. The reported high-severity `CALL` at `pc:0x188` is better explained as an old Solidity string-return helper that appears to hit precompile `0x04`; I do not treat that detector hit as a standalone vulnerability. The meaningful bytecode-level issues are legacy ABI/payability behaviors: transfers are decoded without explicit calldata-length checks, and the contract appears to accept ETH with no visible recovery path.","findings":[{"severity":"low","category":"other","title":"`transfer` decodes calldata without an explicit length check","exploit_scenario":"A third-party integration that builds malformed calldata can trigger classic short-calldata/short-address style misdecoding. In that case the contract will zero-pad missing bytes instead of rejecting the call, so the decoded recipient and/or amount can differ from what the integration intended, potentially causing unintended token movements for that integration's users.","recommendation":"Reject undersized calldata before decoding arguments, or redeploy behind a modern compiler/ABI decoder that enforces argument length. If the contract is immutable, only expose it through wrappers/integrations that validate calldata length before forwarding.","evidence":"In the `0xa9059cbb` path, arguments are read directly with `CALLDATALOAD` at `pc:0x129` and `pc:0x12c`. I do not see a selector-specific `CALLDATASIZE` guard before those loads; the dispatcher simply routes by selector and falls through to execution. From bytecode alone I cannot prove a currently exploitable caller, so severity is kept low, but the decode pattern is the legacy one associated with short-calldata risk.","locations":["selector:0xa9059cbb","pc:0x129","pc:0x12c"]},{"severity":"low","category":"other","title":"Contract appears payable and can trap ETH permanently","exploit_scenario":"A user or integration accidentally sends ETH either directly to the contract or alongside a token call. The call appears to succeed, increasing the contract's ETH balance, but there is no visible bytecode path to withdraw or recover that ETH, so the value becomes stuck.","recommendation":"Add a `msg.value == 0` check on all entrypoints or provide an authorized recovery/sweep function. If the code is immutable, document clearly that ETH must never be sent to this address.","evidence":"The runtime contains no `CALLVALUE` check, and the unknown-selector / fallback path ends in `STOP` at `pc:0x45` rather than reverting. I also do not see any admin, withdraw, proxy, or selfdestruct path in the artifact; the only `CALL` sink is the string-return helper at `pc:0x188`, which is consistent with a precompile-assisted memory copy rather than an ETH recovery function. This is bytecode-only reasoning, so the conclusion is limited to visible runtime behavior.","locations":["pc:0x0","pc:0x45","pc:0x188"]}]}
OpenAI Codex v0.118.0 (research preview)
--------
workdir: /tmp/codex-vpms2yxl
model: gpt-5.4
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: none
session id: 019d5b77-e8f2-7ca1-877b-af14983ed4c3
--------
user
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
warning: Codex could not find system bubblewrap on PATH. Please install bubblewrap with your package manager. Codex will use the vendored bubblewrap in the meantime.
→ Inspect BYTECODE_BUNDLE.json and related artifacts to understand contract structure and detector evidence
• Assess potential vulnerabilities from bytecode evidence with explicit uncertainty
• Produce final JSON report matching the required schema
exec
/bin/bash -lc pwd in /tmp/codex-vpms2yxl
succeeded in 0ms:
/tmp/codex-vpms2yxl
exec
/bin/bash -lc 'rg --files' in /tmp/codex-vpms2yxl
succeeded in 0ms:
BYTECODE_BUNDLE.json
codex-output-schema.json
exec
/bin/bash -lc "sed -n '1,260p' BYTECODE_BUNDLE.json" in /tmp/codex-vpms2yxl
succeeded in 0ms:
{
"analysis_artifact": {
"address": "0xbd247894dc95d7022363ac7c12a507a5db2e689c",
"artifact_hash": "0x6837c46bf74b1e53cbda8c75cdac4a2af785b3b0e5a3ee41bbda5eabd02513f3",
"artifact_json": {
"auth": {
"guards": []
},
"basic_blocks": [
{
"end_pc": 24,
"hash": "0x6a350686911b120d699f8e8d1e9440d4ce17c4434492baee43484e2ef083a112",
"opcodes": [
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"PUSH1",
"EXP",
"PUSH1",
"CALLDATALOAD",
"DIV",
"PUSH4",
"OP_81",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 0
},
{
"end_pc": 35,
"hash": "0x09fc75e3aa8fb02b98e24881cc463925488c7dfa7ef308570a5930c5c420c614",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 25
},
{
"end_pc": 46,
"hash": "0x976103db32485bde438fb5c3f9f54ee02f48623f2e3b08249411cd4aee3c334a",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 36
},
{
"end_pc": 57,
"hash": "0x3c19c073e27395dc44272beb525b6373ad140a4045aabbd1b653e498e1806824",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 47
},
{
"end_pc": 68,
"hash": "0x3a122683470ea7901e31e80e6378780a829a06da64b04e691b5d5c5621392507",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 58
},
{
"end_pc": 70,
"hash": "0x55afd043d32294d5f0189f5a0aa04f3174e4c087a31c85396f49b5f17813cb96",
"opcodes": [
"JUMPDEST",
"STOP"
],
"start_pc": 69
},
{
"end_pc": 136,
"hash": "0xec67f3874a81e276f4497a4f9168afd2521b3b861d4cc15c8da4a0556656b752",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"OP_80",
"SLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"OP_83",
"AND",
"ISZERO",
"PUSH2",
"MUL",
"PUSH1",
"NOT",
"ADD",
"OP_90",
"OP_92",
"AND",
"OP_91",
"OP_90",
"OP_91",
"DIV",
"PUSH1",
"OP_81",
"ADD",
"OP_82",
"OP_90",
"DIV",
"OP_90",
"OP_91",
"MUL",
"PUSH1",
"OP_90",
"OP_81",
"ADD",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_82",
"OP_81",
"MSTORE",
"OP_92",
"OP_91",
"OP_90",
"OP_82",
"OP_82",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 71
},
{
"end_pc": 144,
"hash": "0x38fe7e3cebe2dd28488c693680c8c0a0a5a5585741c1ccbdb984bb79acc2d6d5",
"opcodes": [
"OP_80",
"PUSH1",
"LT",
"PUSH2",
"JUMPI"
],
"start_pc": 137
},
{
"end_pc": 163,
"hash": "0x39d82d062f67a4ee303cb8ba95f6d709cb38320623002519adc99ca3f1c5bac0",
"opcodes": [
"PUSH2",
"OP_80",
"OP_83",
"SLOAD",
"DIV",
"MUL",
"OP_83",
"MSTORE",
"OP_91",
"PUSH1",
"ADD",
"OP_91",
"PUSH2",
"JUMP"
],
"start_pc": 145
},
{
"end_pc": 175,
"hash": "0x938aee19a0e1094c19b5a9528f839968d51c237564158e673ab6899436584f6e",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"SLOAD",
"PUSH1",
"AND",
"OP_81",
"JUMP"
],
"start_pc": 164
},
{
"end_pc": 199,
"hash": "0x7b0565c261db3d55c39f20ac0ee4d4710d6951f51b6844e361a4647909dcfc38",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"OP_90",
"SHA3",
"SLOAD",
"OP_81",
"JUMP"
],
"start_pc": 176
},
{
"end_pc": 263,
"hash": "0x2dd3321e3d3cee3d8772c60a1b65a39fac69bc39f743fc4373df122a940b48c8",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"OP_80",
"SLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"PUSH1",
"NOT",
"PUSH2",
"OP_85",
"OP_87",
"AND",
"ISZERO",
"MUL",
"ADD",
"OP_90",
"OP_93",
"AND",
"OP_92",
"OP_90",
"OP_92",
"DIV",
"OP_91",
"OP_82",
"ADD",
"OP_81",
"OP_90",
"DIV",
"MUL",
"PUSH1",
"OP_90",
"OP_81",
"ADD",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_82",
exec
/bin/bash -lc "sed -n '1,220p' codex-output-schema.json" in /tmp/codex-vpms2yxl
succeeded in 0ms:
{"type": "object", "additionalProperties": false, "required": ["no_findings", "summary", "findings"], "properties": {"no_findings": {"type": "boolean"}, "summary": {"type": "string"}, "findings": {"type": "array", "items": {"type": "object", "additionalProperties": false, "required": ["severity", "category", "title", "evidence", "locations", "exploit_scenario", "recommendation"], "properties": {"severity": {"type": "string", "enum": ["info", "low", "medium", "high", "critical"]}, "category": {"type": "string", "enum": ["access_control", "reentrancy", "math", "oracle", "upgradeability", "auth", "other"]}, "title": {"type": "string"}, "exploit_scenario": {"type": "string"}, "recommendation": {"type": "string"}, "evidence": {"type": "string"}, "locations": {"type": "array", "items": {"type": "string"}}}}}}}
exec
/bin/bash -lc "jq 'keys' BYTECODE_BUNDLE.json" in /tmp/codex-vpms2yxl
succeeded in 0ms:
[
"analysis_artifact",
"analysis_run",
"artifact",
"capability_graph",
"detector_findings",
"heuristics_summary"
]
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json | keys' BYTECODE_BUNDLE.json" in /tmp/codex-vpms2yxl
succeeded in 0ms:
[
"auth",
"basic_blocks",
"callsites",
"cfg_edges",
"cfg_hash",
"dispatcher_type",
"function_entries",
"functions",
"selectors",
"sinks",
"storage",
"version"
]
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.detectors // empty' BYTECODE_BUNDLE.json" in /tmp/codex-vpms2yxl
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.selectors // empty' BYTECODE_BUNDLE.json" in /tmp/codex-vpms2yxl
succeeded in 0ms:
succeeded in 0ms:
[
"0x06fdde03",
"0x313ce567",
"0x70a08231",
"0x95d89b41",
"0xa9059cbb"
]
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.function_entries' BYTECODE_BUNDLE.json" in /tmp/codex-vpms2yxl
succeeded in 0ms:
[
{
"entry_pc": null,
"selector": "0x06fdde03"
},
{
"entry_pc": 1889567281,
"selector": "0x313ce567"
},
{
"entry_pc": 2514000705,
"selector": "0x70a08231"
},
{
"entry_pc": 2835717307,
"selector": "0x95d89b41"
},
{
"entry_pc": null,
"selector": "0xa9059cbb"
}
]
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.functions' BYTECODE_BUNDLE.json" in /tmp/codex-vpms2yxl
succeeded in 0ms:
[
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0x06fdde03",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 1889567281,
"selector": "0x313ce567",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 2514000705,
"selector": "0x70a08231",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 2835717307,
"selector": "0x95d89b41",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0xa9059cbb",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
}
]
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.callsites' BYTECODE_BUNDLE.json" in /tmp/codex-vpms2yxl
succeeded in 0ms:
[
{
"opcode": "CALL",
"pc": 392,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
]
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.storage' BYTECODE_BUNDLE.json" in /tmp/codex-vpms2yxl
succeeded in 0ms:
{
"keccak_count": 6,
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
exec
/bin/bash -lc "jq '.detector_findings' BYTECODE_BUNDLE.json" in /tmp/codex-vpms2yxl
succeeded in 0ms:
[
{
"confidence": 60,
"evidence_json": {
"call_count": 1,
"examples": [
{
"opcode": "CALL",
"pc": 392,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": [],
"untrusted_call_count": 1
},
"normalized_json": {
"sink": "CALL"
},
"severity": "high",
"title": "Untrusted CALL target/value reachable",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0xbd247894dc95d7022363ac7c12a507a5db2e689c"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x9d132b36b9df7d489b16da31efba4682bd87d8729dd2caa4a8e3db2e69132a95",
"trace_mode": "callTracer"
}
},
{
"confidence": 55,
"evidence_json": {
"eth_value_calls": 1,
"examples": [
{
"opcode": "CALL",
"pc": 392,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": []
},
"normalized_json": {
"sink": "CALL",
"value": "nonzero"
},
"severity": "high",
"title": "ETH value transfer possible",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0xbd247894dc95d7022363ac7c12a507a5db2e689c"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x9d132b36b9df7d489b16da31efba4682bd87d8729dd2caa4a8e3db2e69132a95",
"trace_mode": "callTracer"
}
}
]
exec
/bin/bash -lc "jq '.heuristics_summary' BYTECODE_BUNDLE.json" in /tmp/codex-vpms2yxl
succeeded in 0ms:
{
"create2_count": 0,
"delegatecall_count": 0,
"flags": [],
"selfdestruct_count": 0
}
exec
/bin/bash -lc "jq '.artifact | keys' BYTECODE_BUNDLE.json" in /tmp/codex-vpms2yxl
succeeded in 0ms:
[
"codehash",
"compiler_json",
"implementation_address",
"is_proxy",
"runtime_bytecode",
"verified_source"
]
exec
/bin/bash -lc "jq '.artifact.is_proxy, .artifact.implementation_address, .artifact.compiler_json, .artifact.verified_source' BYTECODE_BUNDLE.json" in /tmp/codex-vpms2yxl
succeeded in 0ms:
false
null
{
"etherscan": {
"skipped": true
}
}
false
exec
/bin/bash -lc "jq '.capability_graph' BYTECODE_BUNDLE.json" in /tmp/codex-vpms2yxl
succeeded in 0ms:
{
"address": "0xbd247894dc95d7022363ac7c12a507a5db2e689c",
"block_number": null,
"chain_id": 1,
"codehash": "0x2d0d94bc8df800def9388324c0e757f6698e1ac7cb0759d76291296932c88a18",
"created_at": "2026-04-04T19:53:06.000000Z",
"graph_hash": "0x0d5a018eb2c8f4c399af48c44d6f56fb7ee6742d663fdfebd8b747e191439b42",
"graph_json": {
"edges": [
{
"from": "bb:0",
"to": "bb:71",
"type": "control_flow"
},
{
"from": "bb:0",
"to": "bb:25",
"type": "control_flow_fallthrough"
},
{
"from": "bb:25",
"to": "bb:164",
"type": "control_flow"
},
{
"from": "bb:25",
"to": "bb:36",
"type": "control_flow_fallthrough"
},
{
"from": "bb:36",
"to": "bb:176",
"type": "control_flow"
},
{
"from": "bb:36",
"to": "bb:47",
"type": "control_flow_fallthrough"
},
{
"from": "bb:47",
"to": "bb:200",
"type": "control_flow"
},
{
"from": "bb:47",
"to": "bb:58",
"type": "control_flow_fallthrough"
},
{
"from": "bb:58",
"to": "bb:291",
"type": "control_flow"
},
{
"from": "bb:58",
"to": "bb:69",
"type": "control_flow_fallthrough"
},
{
"from": "bb:71",
"to": "bb:708",
"type": "control_flow"
},
{
"from": "bb:71",
"to": "bb:137",
"type": "control_flow_fallthrough"
},
{
"from": "bb:137",
"to": "bb:665",
"type": "control_flow"
},
{
"from": "bb:137",
"to": "bb:145",
"type": "control_flow_fallthrough"
},
{
"from": "bb:145",
"to": "bb:708",
"type": "control_flow"
},
{
"from": "bb:200",
"to": "bb:708",
"type": "control_flow"
},
{
"from": "bb:200",
"to": "bb:264",
"type": "control_flow_fallthrough"
},
{
"from": "bb:264",
"to": "bb:665",
"type": "control_flow"
},
{
"from": "bb:264",
"to": "bb:272",
"type": "control_flow_fallthrough"
},
{
"from": "bb:272",
"to": "bb:708",
"type": "control_flow"
},
{
"from": "bb:291",
"to": "bb:458",
"type": "control_flow"
},
{
"from": "bb:291",
"to": "bb:334",
"type": "control_flow_fallthrough"
},
{
"from": "bb:338",
"to": "bb:434",
"type": "control_flow"
},
{
"from": "bb:338",
"to": "bb:409",
"type": "control_flow_fallthrough"
},
{
"from": "bb:409",
"to": "bb:434",
"type": "control_flow_fallthrough"
},
{
"from": "bb:458",
"to": "bb:492",
"type": "control_flow"
},
{
"from": "bb:458",
"to": "bb:488",
"type": "control_flow_fallthrough"
},
{
"from": "bb:665",
"to": "bb:679",
"type": "control_flow_fallthrough"
},
{
"from": "bb:679",
"to": "bb:679",
"type": "control_flow"
},
{
"from": "bb:679",
"to": "bb:699",
"type": "control_flow_fallthrough"
},
{
"from": "bb:699",
"to": "bb:708",
"type": "control_flow_fallthrough"
},
{
"from": "fn:0x313ce567",
"to": "bb:1889567281",
"type": "entry"
},
{
"from": "fn:0x70a08231",
"to": "bb:2514000705",
"type": "entry"
},
{
"from": "fn:0x95d89b41",
"to": "bb:2835717307",
"type": "entry"
},
{
"from": "bb:338",
"to": "call:392",
"type": "contains"
},
{
"from": "call:392",
"to": "sink:call",
"type": "capability"
}
],
"nodes": [
{
"end_pc": 24,
"hash": "0x6a350686911b120d699f8e8d1e9440d4ce17c4434492baee43484e2ef083a112",
"id": "bb:0",
"start_pc": 0,
"type": "basic_block"
},
{
"end_pc": 35,
"hash": "0x09fc75e3aa8fb02b98e24881cc463925488c7dfa7ef308570a5930c5c420c614",
"id": "bb:25",
"start_pc": 25,
"type": "basic_block"
},
{
"end_pc": 46,
"hash": "0x976103db32485bde438fb5c3f9f54ee02f48623f2e3b08249411cd4aee3c334a",
"id": "bb:36",
"start_pc": 36,
"type": "basic_block"
},
{
"end_pc": 57,
"hash": "0x3c19c073e27395dc44272beb525b6373ad140a4045aabbd1b653e498e1806824",
"id": "bb:47",
"start_pc": 47,
"type": "basic_block"
},
{
"end_pc": 68,
"hash": "0x3a122683470ea7901e31e80e6378780a829a06da64b04e691b5d5c5621392507",
"id": "bb:58",
"start_pc": 58,
"type": "basic_block"
},
{
"end_pc": 70,
"hash": "0x55afd043d32294d5f0189f5a0aa04f3174e4c087a31c85396f49b5f17813cb96",
"id": "bb:69",
"start_pc": 69,
"type": "basic_block"
},
{
"end_pc": 136,
"hash": "0xec67f3874a81e276f4497a4f9168afd2521b3b861d4cc15c8da4a0556656b752",
"id": "bb:71",
"start_pc": 71,
"type": "basic_block"
},
{
"end_pc": 144,
"hash": "0x38fe7e3cebe2dd28488c693680c8c0a0a5a5585741c1ccbdb984bb79acc2d6d5",
"id": "bb:137",
"start_pc": 137,
"type": "basic_block"
},
{
"end_pc": 163,
"hash": "0x39d82d062f67a4ee303cb8ba95f6d709cb38320623002519adc99ca3f1c5bac0",
"id": "bb:145",
"start_pc": 145,
"type": "basic_block"
},
{
"end_pc": 175,
"hash": "0x938aee19a0e1094c19b5a9528f839968d51c237564158e673ab6899436584f6e",
"id": "bb:164",
"start_pc": 164,
"type": "basic_block"
},
{
"end_pc": 199,
"hash": "0x7b0565c261db3d55c39f20ac0ee4d4710d6951f51b6844e361a4647909dcfc38",
"id": "bb:176",
"start_pc": 176,
"type": "basic_block"
},
{
"end_pc": 263,
"hash": "0x2dd3321e3d3cee3d8772c60a1b65a39fac69bc39f743fc4373df122a940b48c8",
"id": "bb:200",
"start_pc": 200,
"type": "basic_block"
},
{
"end_pc": 271,
"hash": "0xf48897fe83e8a1c08c2d0a4c53c8e3efbe26a20090e2685c70de180198db9cd6",
"id": "bb:264",
"start_pc": 264,
"type": "basic_block"
},
{
"end_pc": 290,
"hash": "0x104a032d4fc7353fcb25eead7bbb8424937000b97270e2a1e39430f6e1787b82",
"id": "bb:272",
"start_pc": 272,
"type": "basic_block"
},
{
"end_pc": 333,
"hash": "0x3701c3a8e82a5d4ddfedacd82f061822678b81cd9b3e04365c3d36dbf3fdbf1e",
"id": "bb:291",
"start_pc": 291,
"type": "basic_block"
},
{
"end_pc": 337,
"hash": "0x5ebda49c75a90269902080f51db6f1c7b1af883a7fd6baf1d61b81a8b96dcdca",
"id": "bb:334",
"start_pc": 334,
"type": "basic_block"
},
{
"end_pc": 408,
"hash": "0x8260bcfbd4c1d49f77b482640c6297cd133661f3ada7f52d07e1835f240b06d3",
"id": "bb:338",
"start_pc": 338,
"type": "basic_block"
},
{
"end_pc": 433,
"hash": "0xc0a703c2254334f9171c8126ae06fea5cf289341f4c19c890fa2f6b928c400e4",
"id": "bb:409",
"start_pc": 409,
"type": "basic_block"
},
{
"end_pc": 447,
"hash": "0xbbf38bd955ec6188d491c8a752950f390e38b6a9203b6891438ecf3d66b81c51",
"id": "bb:434",
"start_pc": 434,
"type": "basic_block"
},
{
"end_pc": 457,
"hash": "0xe40870dc717cbfdedea9fbb4d2473ca373d3dd88734eda3a8e7ff7e0a08a80de",
"id": "bb:448",
"start_pc": 448,
"type": "basic_block"
},
{
"end_pc": 487,
"hash": "0x418b0fde511679c511110cd65c959067f3759b652c05b9b5da7482388254699e",
"id": "bb:458",
"start_pc": 458,
"type": "basic_block"
},
{
"end_pc": 491,
"hash": "0x8f4bf7636b663e8793c58303ec18606236d677f96f3ca2e04c131b00709b1be1",
"id": "bb:488",
"start_pc": 488,
"type": "basic_block"
},
{
"end_pc": 664,
"hash": "0xc9d850040a439217133da6682d76ee8c6d05277a847fb1bb17bd89529d66c1b9",
"id": "bb:492",
"start_pc": 492,
"type": "basic_block"
},
{
"end_pc": 678,
"hash": "0x4ebd3e4182c294e7e0cfcee32fa54a9c518a3bf7316c128ec5f3adae1aea52d7",
"id": "bb:665",
"start_pc": 665,
"type": "basic_block"
},
{
"end_pc": 698,
"hash": "0xdbd538713982294e8d700fcb95e735f41532da59590c25f6e1bcf58812962b6c",
"id": "bb:679",
"start_pc": 679,
"type": "basic_block"
},
{
"end_pc": 707,
"hash": "0x3d326e1ae9b5522da4b7bc7795b735c25eed77ef0d3716ee451b8ba034d2046e",
"id": "bb:699",
"start_pc": 699,
"type": "basic_block"
},
{
"end_pc": 715,
"hash": "0x0fbc397827201e77529cd13bfad147697e40ac8cbd7c51e40d923a2dd215bc23",
"id": "bb:708",
"start_pc": 708,
"type": "basic_block"
},
{
"id": "call:392",
"opcode": "CALL",
"pc": 392,
"type": "callsite"
},
{
"id": "sink:call",
"type": "sink"
},
{
"entry_pc": null,
"id": "fn:0x06fdde03",
"selector": "0x06fdde03",
"type": "function"
},
{
"entry_pc": 1889567281,
"id": "fn:0x313ce567",
"selector": "0x313ce567",
"type": "function"
},
{
"entry_pc": 2514000705,
"id": "fn:0x70a08231",
"selector": "0x70a08231",
"type": "function"
},
{
"entry_pc": 2835717307,
"id": "fn:0x95d89b41",
"selector": "0x95d89b41",
"type": "function"
},
{
"entry_pc": null,
"id": "fn:0xa9059cbb",
"selector": "0xa9059cbb",
"type": "function"
}
],
"version": "capability_graph_v1"
},
"id": 1964,
"updated_at": "2026-04-04T19:53:06.000000Z",
"version": "capability_graph_v1"
}
exec
/bin/bash -lc "jq '.analysis_run' BYTECODE_BUNDLE.json" in /tmp/codex-vpms2yxl
succeeded in 0ms:
{
"address": "0xbd247894dc95d7022363ac7c12a507a5db2e689c",
"block_number": null,
"chain_id": 1,
"child_links": [],
"created_at": "2025-12-19T20:03:53.000000Z",
"id": "019b3836-2d76-71c8-97dc-996004a4b3cf",
"parent_links": [],
"status": "running",
"updated_at": "2026-04-04T19:53:06.000000Z"
}
I’ve confirmed the bundle exposes a single `CALL` sink at pc `0x188`/392 and ERC20-like selectors. Next I’m disassembling the transfer path around that sink to determine whether it is an actual external-value transfer, a precompile call, or detector noise.
✓ Inspect BYTECODE_BUNDLE.json and related artifacts to understand contract structure and detector evidence
→ Assess potential vulnerabilities from bytecode evidence with explicit uncertainty
• Produce final JSON report matching the required schema
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
code=obj['artifact']['runtime_bytecode']
print('len_bytes', (len(code)-2)//2)
print(code[:120])
print(code[-120:])
PY" in /tmp/codex-vpms2yxl
exited 1 in 0ms:
len_bytes 1
Traceback (most recent call last):
File "<stdin>", line 6, in <module>
KeyError: slice(None, 120, None)
exec
/bin/bash -lc "jq '.artifact.runtime_bytecode' BYTECODE_BUNDLE.json" in /tmp/codex-vpms2yxl
succeeded in 0ms:
{
"full": "0x606060405260e060020a600035046306fdde038114610047578063313ce567146100a457806370a08231146100b057806395d89b41146100c8578063a9059cbb14610123575b005b61015260008054602060026001831615610100026000190190921691909104601f810182900490910260809081016040526060828152929190828280156102c45780601f10610299576101008083540402835291602001916102c4565b6101c060025460ff1681565b6101c060043560036020526000908152604090205481565b610152600180546020601f6002600019610100858716150201909316929092049182018190040260809081016040526060828152929190828280156102c45780601f10610299576101008083540402835291602001916102c4565b610045600435602435600160a060020a033316600090815260036020526040902054819010156101ca57610002565b60405180806020018281038252838181518152602001915080519060200190808383829060006004602084601f0104600f02600301f150905090810190601f1680156101b25780820380516001836020036101000a031916815260200191505b509250505060405180910390f35b6060908152602090f35b600160a060020a0382166000908152604090205480820110156101ec57610002565b806003600050600033600160a060020a03168152602001908152602001600020600082828250540392505081905550806003600050600084600160a060020a0316815260200190815260200160002060008282825054019250508190555081600160a060020a031633600160a060020a03167fddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef836040518082815260200191505060405180910390a35050565b820191906000526020600020905b8154815290600101906020018083116102a757829003601f168201915b50505050508156",
"head": null,
"length": 1434,
"tail": null,
"truncated": false
}
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
code=obj['artifact']['runtime_bytecode']['full'][2:]
b=bytes.fromhex(code)
ops={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'}
for i in range(1,33): ops[0x5f+i]=f'PUSH{i}'
for i in range(1,17): ops[0x7f+i]=f'DUP{i}'
for i in range(1,17): ops[0x8f+i]=f'SWAP{i}'
for i in range(0,5): ops[0xa0+i]=f'LOG{i}'
pc=0
rows=[]
while pc < len(b):
op=b[pc]
name=ops.get(op,f'OP_{op:02x}')
if name.startswith('PUSH'):
n=int(name[4:])
arg=b[pc+1:pc+1+n]
rows.append((pc,name,'0x'+arg.hex()))
pc += 1+n
else:
rows.append((pc,name,''))
pc += 1
for start,end in [(0,90),(90,220),(220,420),(420,520),(520,760)]:
print('\\n--',start,end,'--')
for pc,name,arg in rows:
if start <= pc < end:
print(f'{pc:04x}: {name:12} {arg}')
PY" in /tmp/codex-vpms2yxl
succeeded in 0ms:
-- 0 90 --
0000: PUSH1 0x60
0002: PUSH1 0x40
0004: MSTORE
0005: PUSH1 0xe0
0007: PUSH1 0x02
0009: EXP
000a: PUSH1 0x00
000c: CALLDATALOAD
000d: DIV
000e: PUSH4 0x06fdde03
0013: DUP2
0014: EQ
0015: PUSH2 0x0047
0018: JUMPI
0019: DUP1
001a: PUSH4 0x313ce567
001f: EQ
0020: PUSH2 0x00a4
0023: JUMPI
0024: DUP1
0025: PUSH4 0x70a08231
002a: EQ
002b: PUSH2 0x00b0
002e: JUMPI
002f: DUP1
0030: PUSH4 0x95d89b41
0035: EQ
0036: PUSH2 0x00c8
0039: JUMPI
003a: DUP1
003b: PUSH4 0xa9059cbb
0040: EQ
0041: PUSH2 0x0123
0044: JUMPI
0045: JUMPDEST
0046: STOP
0047: JUMPDEST
0048: PUSH2 0x0152
004b: PUSH1 0x00
004d: DUP1
004e: SLOAD
004f: PUSH1 0x20
0051: PUSH1 0x02
0053: PUSH1 0x01
0055: DUP4
0056: AND
0057: ISZERO
0058: PUSH2 0x0100
-- 90 220 --
005b: MUL
005c: PUSH1 0x00
005e: NOT
005f: ADD
0060: SWAP1
0061: SWAP3
0062: AND
0063: SWAP2
0064: SWAP1
0065: SWAP2
0066: DIV
0067: PUSH1 0x1f
0069: DUP2
006a: ADD
006b: DUP3
006c: SWAP1
006d: DIV
006e: SWAP1
006f: SWAP2
0070: MUL
0071: PUSH1 0x80
0073: SWAP1
0074: DUP2
0075: ADD
0076: PUSH1 0x40
0078: MSTORE
0079: PUSH1 0x60
007b: DUP3
007c: DUP2
007d: MSTORE
007e: SWAP3
007f: SWAP2
0080: SWAP1
0081: DUP3
0082: DUP3
0083: DUP1
0084: ISZERO
0085: PUSH2 0x02c4
0088: JUMPI
0089: DUP1
008a: PUSH1 0x1f
008c: LT
008d: PUSH2 0x0299
0090: JUMPI
0091: PUSH2 0x0100
0094: DUP1
0095: DUP4
0096: SLOAD
0097: DIV
0098: MUL
0099: DUP4
009a: MSTORE
009b: SWAP2
009c: PUSH1 0x20
009e: ADD
009f: SWAP2
00a0: PUSH2 0x02c4
00a3: JUMP
00a4: JUMPDEST
00a5: PUSH2 0x01c0
00a8: PUSH1 0x02
00aa: SLOAD
00ab: PUSH1 0xff
00ad: AND
00ae: DUP2
00af: JUMP
00b0: JUMPDEST
00b1: PUSH2 0x01c0
00b4: PUSH1 0x04
00b6: CALLDATALOAD
00b7: PUSH1 0x03
00b9: PUSH1 0x20
00bb: MSTORE
00bc: PUSH1 0x00
00be: SWAP1
00bf: DUP2
00c0: MSTORE
00c1: PUSH1 0x40
00c3: SWAP1
00c4: SHA3
00c5: SLOAD
00c6: DUP2
00c7: JUMP
00c8: JUMPDEST
00c9: PUSH2 0x0152
00cc: PUSH1 0x01
00ce: DUP1
00cf: SLOAD
00d0: PUSH1 0x20
00d2: PUSH1 0x1f
00d4: PUSH1 0x02
00d6: PUSH1 0x00
00d8: NOT
00d9: PUSH2 0x0100
-- 220 420 --
00dc: DUP6
00dd: DUP8
00de: AND
00df: ISZERO
00e0: MUL
00e1: ADD
00e2: SWAP1
00e3: SWAP4
00e4: AND
00e5: SWAP3
00e6: SWAP1
00e7: SWAP3
00e8: DIV
00e9: SWAP2
00ea: DUP3
00eb: ADD
00ec: DUP2
00ed: SWAP1
00ee: DIV
00ef: MUL
00f0: PUSH1 0x80
00f2: SWAP1
00f3: DUP2
00f4: ADD
00f5: PUSH1 0x40
00f7: MSTORE
00f8: PUSH1 0x60
00fa: DUP3
00fb: DUP2
00fc: MSTORE
00fd: SWAP3
00fe: SWAP2
00ff: SWAP1
0100: DUP3
0101: DUP3
0102: DUP1
0103: ISZERO
0104: PUSH2 0x02c4
0107: JUMPI
0108: DUP1
0109: PUSH1 0x1f
010b: LT
010c: PUSH2 0x0299
010f: JUMPI
0110: PUSH2 0x0100
0113: DUP1
0114: DUP4
0115: SLOAD
0116: DIV
0117: MUL
0118: DUP4
0119: MSTORE
011a: SWAP2
011b: PUSH1 0x20
011d: ADD
011e: SWAP2
011f: PUSH2 0x02c4
0122: JUMP
0123: JUMPDEST
0124: PUSH2 0x0045
0127: PUSH1 0x04
0129: CALLDATALOAD
012a: PUSH1 0x24
012c: CALLDATALOAD
012d: PUSH1 0x01
012f: PUSH1 0xa0
0131: PUSH1 0x02
0133: EXP
0134: SUB
0135: CALLER
0136: AND
0137: PUSH1 0x00
0139: SWAP1
013a: DUP2
013b: MSTORE
013c: PUSH1 0x03
013e: PUSH1 0x20
0140: MSTORE
0141: PUSH1 0x40
0143: SWAP1
0144: SHA3
0145: SLOAD
0146: DUP2
0147: SWAP1
0148: LT
0149: ISZERO
014a: PUSH2 0x01ca
014d: JUMPI
014e: PUSH2 0x0002
0151: JUMP
0152: JUMPDEST
0153: PUSH1 0x40
0155: MLOAD
0156: DUP1
0157: DUP1
0158: PUSH1 0x20
015a: ADD
015b: DUP3
015c: DUP2
015d: SUB
015e: DUP3
015f: MSTORE
0160: DUP4
0161: DUP2
0162: DUP2
0163: MLOAD
0164: DUP2
0165: MSTORE
0166: PUSH1 0x20
0168: ADD
0169: SWAP2
016a: POP
016b: DUP1
016c: MLOAD
016d: SWAP1
016e: PUSH1 0x20
0170: ADD
0171: SWAP1
0172: DUP1
0173: DUP4
0174: DUP4
0175: DUP3
0176: SWAP1
0177: PUSH1 0x00
0179: PUSH1 0x04
017b: PUSH1 0x20
017d: DUP5
017e: PUSH1 0x1f
0180: ADD
0181: DIV
0182: PUSH1 0x0f
0184: MUL
0185: PUSH1 0x03
0187: ADD
0188: CALL
0189: POP
018a: SWAP1
018b: POP
018c: SWAP1
018d: DUP2
018e: ADD
018f: SWAP1
0190: PUSH1 0x1f
0192: AND
0193: DUP1
0194: ISZERO
0195: PUSH2 0x01b2
0198: JUMPI
0199: DUP1
019a: DUP3
019b: SUB
019c: DUP1
019d: MLOAD
019e: PUSH1 0x01
01a0: DUP4
01a1: PUSH1 0x20
01a3: SUB
-- 420 520 --
01a4: PUSH2 0x0100
01a7: EXP
01a8: SUB
01a9: NOT
01aa: AND
01ab: DUP2
01ac: MSTORE
01ad: PUSH1 0x20
01af: ADD
01b0: SWAP2
01b1: POP
01b2: JUMPDEST
01b3: POP
01b4: SWAP3
01b5: POP
01b6: POP
01b7: POP
01b8: PUSH1 0x40
01ba: MLOAD
01bb: DUP1
01bc: SWAP2
01bd: SUB
01be: SWAP1
01bf: RETURN
01c0: JUMPDEST
01c1: PUSH1 0x60
01c3: SWAP1
01c4: DUP2
01c5: MSTORE
01c6: PUSH1 0x20
01c8: SWAP1
01c9: RETURN
01ca: JUMPDEST
01cb: PUSH1 0x01
01cd: PUSH1 0xa0
01cf: PUSH1 0x02
01d1: EXP
01d2: SUB
01d3: DUP3
01d4: AND
01d5: PUSH1 0x00
01d7: SWAP1
01d8: DUP2
01d9: MSTORE
01da: PUSH1 0x40
01dc: SWAP1
01dd: SHA3
01de: SLOAD
01df: DUP1
01e0: DUP3
01e1: ADD
01e2: LT
01e3: ISZERO
01e4: PUSH2 0x01ec
01e7: JUMPI
01e8: PUSH2 0x0002
01eb: JUMP
01ec: JUMPDEST
01ed: DUP1
01ee: PUSH1 0x03
01f0: PUSH1 0x00
01f2: POP
01f3: PUSH1 0x00
01f5: CALLER
01f6: PUSH1 0x01
01f8: PUSH1 0xa0
01fa: PUSH1 0x02
01fc: EXP
01fd: SUB
01fe: AND
01ff: DUP2
0200: MSTORE
0201: PUSH1 0x20
0203: ADD
0204: SWAP1
0205: DUP2
0206: MSTORE
0207: PUSH1 0x20
-- 520 760 --
0209: ADD
020a: PUSH1 0x00
020c: SHA3
020d: PUSH1 0x00
020f: DUP3
0210: DUP3
0211: DUP3
0212: POP
0213: SLOAD
0214: SUB
0215: SWAP3
0216: POP
0217: POP
0218: DUP2
0219: SWAP1
021a: SSTORE
021b: POP
021c: DUP1
021d: PUSH1 0x03
021f: PUSH1 0x00
0221: POP
0222: PUSH1 0x00
0224: DUP5
0225: PUSH1 0x01
0227: PUSH1 0xa0
0229: PUSH1 0x02
022b: EXP
022c: SUB
022d: AND
022e: DUP2
022f: MSTORE
0230: PUSH1 0x20
0232: ADD
0233: SWAP1
0234: DUP2
0235: MSTORE
0236: PUSH1 0x20
0238: ADD
0239: PUSH1 0x00
023b: SHA3
023c: PUSH1 0x00
023e: DUP3
023f: DUP3
0240: DUP3
0241: POP
0242: SLOAD
0243: ADD
0244: SWAP3
0245: POP
0246: POP
0247: DUP2
0248: SWAP1
0249: SSTORE
024a: POP
024b: DUP2
024c: PUSH1 0x01
024e: PUSH1 0xa0
0250: PUSH1 0x02
0252: EXP
0253: SUB
0254: AND
0255: CALLER
0256: PUSH1 0x01
0258: PUSH1 0xa0
025a: PUSH1 0x02
025c: EXP
025d: SUB
025e: AND
025f: PUSH32 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef
0280: DUP4
0281: PUSH1 0x40
0283: MLOAD
0284: DUP1
0285: DUP3
0286: DUP2
0287: MSTORE
0288: PUSH1 0x20
028a: ADD
028b: SWAP2
028c: POP
028d: POP
028e: PUSH1 0x40
0290: MLOAD
0291: DUP1
0292: SWAP2
0293: SUB
0294: SWAP1
0295: LOG3
0296: POP
0297: POP
0298: JUMP
0299: JUMPDEST
029a: DUP3
029b: ADD
029c: SWAP2
029d: SWAP1
029e: PUSH1 0x00
02a0: MSTORE
02a1: PUSH1 0x20
02a3: PUSH1 0x00
02a5: SHA3
02a6: SWAP1
02a7: JUMPDEST
02a8: DUP2
02a9: SLOAD
02aa: DUP2
02ab: MSTORE
02ac: SWAP1
02ad: PUSH1 0x01
02af: ADD
02b0: SWAP1
02b1: PUSH1 0x20
02b3: ADD
02b4: DUP1
02b5: DUP4
02b6: GT
02b7: PUSH2 0x02a7
02ba: JUMPI
02bb: DUP3
02bc: SWAP1
02bd: SUB
02be: PUSH1 0x1f
02c0: AND
02c1: DUP3
02c2: ADD
02c3: SWAP2
02c4: JUMPDEST
02c5: POP
02c6: POP
02c7: POP
02c8: POP
02c9: POP
02ca: DUP2
02cb: JUMP
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
code=bytes.fromhex(obj['artifact']['runtime_bytecode']['full'][2:])
print([i for i,b in enumerate(code) if b==0x34])
PY" in /tmp/codex-vpms2yxl
succeeded in 0ms:
[]
codex
{"no_findings":false,"summary":"Bytecode looks like a small legacy ERC20-style token with `name`, `symbol`, `decimals`, `balanceOf`, and `transfer`. I did not find evidence of proxy logic, `DELEGATECALL`, owner-only admin paths, or a meaningful reentrancy surface. The reported high-severity `CALL` at `pc:0x188` is better explained as an old Solidity string-return helper that appears to hit precompile `0x04`; I do not treat that detector hit as a standalone vulnerability. The meaningful bytecode-level issues are legacy ABI/payability behaviors: transfers are decoded without explicit calldata-length checks, and the contract appears to accept ETH with no visible recovery path.","findings":[{"severity":"low","category":"other","title":"`transfer` decodes calldata without an explicit length check","exploit_scenario":"A third-party integration that builds malformed calldata can trigger classic short-calldata/short-address style misdecoding. In that case the contract will zero-pad missing bytes instead of rejecting the call, so the decoded recipient and/or amount can differ from what the integration intended, potentially causing unintended token movements for that integration's users.","recommendation":"Reject undersized calldata before decoding arguments, or redeploy behind a modern compiler/ABI decoder that enforces argument length. If the contract is immutable, only expose it through wrappers/integrations that validate calldata length before forwarding.","evidence":"In the `0xa9059cbb` path, arguments are read directly with `CALLDATALOAD` at `pc:0x129` and `pc:0x12c`. I do not see a selector-specific `CALLDATASIZE` guard before those loads; the dispatcher simply routes by selector and falls through to execution. From bytecode alone I cannot prove a currently exploitable caller, so severity is kept low, but the decode pattern is the legacy one associated with short-calldata risk.","locations":["selector:0xa9059cbb","pc:0x129","pc:0x12c"]},{"severity":"low","category":"other","title":"Contract appears payable and can trap ETH permanently","exploit_scenario":"A user or integration accidentally sends ETH either directly to the contract or alongside a token call. The call appears to succeed, increasing the contract's ETH balance, but there is no visible bytecode path to withdraw or recover that ETH, so the value becomes stuck.","recommendation":"Add a `msg.value == 0` check on all entrypoints or provide an authorized recovery/sweep function. If the code is immutable, document clearly that ETH must never be sent to this address.","evidence":"The runtime contains no `CALLVALUE` check, and the unknown-selector / fallback path ends in `STOP` at `pc:0x45` rather than reverting. I also do not see any admin, withdraw, proxy, or selfdestruct path in the artifact; the only `CALL` sink is the string-return helper at `pc:0x188`, which is consistent with a precompile-assisted memory copy rather than an ETH recovery function. This is bytecode-only reasoning, so the conclusion is limited to visible runtime behavior.","locations":["pc:0x0","pc:0x45","pc:0x188"]}]}
tokens used
49,239
{
"codex": {
"ran_at": "2026-04-05T02:30:45.479571+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 1434,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "Bytecode looks like a small legacy ERC20-style token with `name`, `symbol`, `decimals`, `balanceOf`, and `transfer`. I did not find evidence of proxy logic, `DELEGATECALL`, owner-only admin paths, or a meaningful reentrancy surface. The reported high-severity `CALL` at `pc:0x188` is better explained as an old Solidity string-return helper that appears to hit precompile `0x04`; I do not treat that detector hit as a standalone vulnerability. The meaningful bytecode-level issues are legacy ABI/payability behaviors: transfers are decoded without explicit calldata-length checks, and the contract appears to accept ETH with no visible recovery path.",
"raw_final": {
"summary": "Bytecode looks like a small legacy ERC20-style token with `name`, `symbol`, `decimals`, `balanceOf`, and `transfer`. I did not find evidence of proxy logic, `DELEGATECALL`, owner-only admin paths, or a meaningful reentrancy surface. The reported high-severity `CALL` at `pc:0x188` is better explained as an old Solidity string-return helper that appears to hit precompile `0x04`; I do not treat that detector hit as a standalone vulnerability. The meaningful bytecode-level issues are legacy ABI/payability behaviors: transfers are decoded without explicit calldata-length checks, and the contract appears to accept ETH with no visible recovery path.",
"findings": [
{
"title": "`transfer` decodes calldata without an explicit length check",
"category": "other",
"evidence": "In the `0xa9059cbb` path, arguments are read directly with `CALLDATALOAD` at `pc:0x129` and `pc:0x12c`. I do not see a selector-specific `CALLDATASIZE` guard before those loads; the dispatcher simply routes by selector and falls through to execution. From bytecode alone I cannot prove a currently exploitable caller, so severity is kept low, but the decode pattern is the legacy one associated with short-calldata risk.",
"severity": "low",
"locations": [
"selector:0xa9059cbb",
"pc:0x129",
"pc:0x12c"
],
"recommendation": "Reject undersized calldata before decoding arguments, or redeploy behind a modern compiler/ABI decoder that enforces argument length. If the contract is immutable, only expose it through wrappers/integrations that validate calldata length before forwarding.",
"exploit_scenario": "A third-party integration that builds malformed calldata can trigger classic short-calldata/short-address style misdecoding. In that case the contract will zero-pad missing bytes instead of rejecting the call, so the decoded recipient and/or amount can differ from what the integration intended, potentially causing unintended token movements for that integration's users."
},
{
"title": "Contract appears payable and can trap ETH permanently",
"category": "other",
"evidence": "The runtime contains no `CALLVALUE` check, and the unknown-selector / fallback path ends in `STOP` at `pc:0x45` rather than reverting. I also do not see any admin, withdraw, proxy, or selfdestruct path in the artifact; the only `CALL` sink is the string-return helper at `pc:0x188`, which is consistent with a precompile-assisted memory copy rather than an ETH recovery function. This is bytecode-only reasoning, so the conclusion is limited to visible runtime behavior.",
"severity": "low",
"locations": [
"pc:0x0",
"pc:0x45",
"pc:0x188"
],
"recommendation": "Add a `msg.value == 0` check on all entrypoints or provide an authorized recovery/sweep function. If the code is immutable, document clearly that ETH must never be sent to this address.",
"exploit_scenario": "A user or integration accidentally sends ETH either directly to the contract or alongside a token call. The call appears to succeed, increasing the contract's ETH balance, but there is no visible bytecode path to withdraw or recover that ETH, so the value becomes stuck."
}
],
"no_findings": false
},
"no_findings": false,
"schema_version": 1
}
00000000: PUSH1 0x60 00000002: PUSH1 0x40 00000004: MSTORE 00000005: PUSH1 0xe0 00000007: PUSH1 0x02 00000009: EXP 0000000a: PUSH1 0x00 0000000c: CALLDATALOAD 0000000d: DIV 0000000e: PUSH4 0x06fdde03 00000013: DUP2 00000014: EQ 00000015: PUSH2 0x0047 00000018: JUMPI 00000019: DUP1 0000001a: PUSH4 0x313ce567 0000001f: EQ 00000020: PUSH2 0x00a4 00000023: JUMPI 00000024: DUP1 00000025: PUSH4 0x70a08231 0000002a: EQ 0000002b: PUSH2 0x00b0 0000002e: JUMPI 0000002f: DUP1 00000030: PUSH4 0x95d89b41 00000035: EQ 00000036: PUSH2 0x00c8 00000039: JUMPI 0000003a: DUP1 0000003b: PUSH4 0xa9059cbb 00000040: EQ 00000041: PUSH2 0x0123 00000044: JUMPI 00000045: JUMPDEST 00000046: STOP 00000047: JUMPDEST 00000048: PUSH2 0x0152 0000004b: PUSH1 0x00 0000004d: DUP1 0000004e: SLOAD 0000004f: PUSH1 0x20 00000051: PUSH1 0x02 00000053: PUSH1 0x01 00000055: DUP4 00000056: AND 00000057: ISZERO 00000058: PUSH2 0x0100 0000005b: MUL 0000005c: PUSH1 0x00 0000005e: NOT 0000005f: ADD 00000060: SWAP1 00000061: SWAP3 00000062: AND 00000063: SWAP2 00000064: SWAP1 00000065: SWAP2 00000066: DIV 00000067: PUSH1 0x1f 00000069: DUP2 0000006a: ADD 0000006b: DUP3 0000006c: SWAP1 0000006d: DIV 0000006e: SWAP1 0000006f: SWAP2 00000070: MUL 00000071: PUSH1 0x80 00000073: SWAP1 00000074: DUP2 00000075: ADD 00000076: PUSH1 0x40 00000078: MSTORE 00000079: PUSH1 0x60 0000007b: DUP3 0000007c: DUP2 0000007d: MSTORE 0000007e: SWAP3 0000007f: SWAP2 00000080: SWAP1 00000081: DUP3 00000082: DUP3 00000083: DUP1 00000084: ISZERO 00000085: PUSH2 0x02c4 00000088: JUMPI 00000089: DUP1 0000008a: PUSH1 0x1f 0000008c: LT 0000008d: PUSH2 0x0299 00000090: JUMPI 00000091: PUSH2 0x0100 00000094: DUP1 00000095: DUP4 00000096: SLOAD 00000097: DIV 00000098: MUL 00000099: DUP4 0000009a: MSTORE 0000009b: SWAP2 0000009c: PUSH1 0x20 0000009e: ADD 0000009f: SWAP2 000000a0: PUSH2 0x02c4 000000a3: JUMP 000000a4: JUMPDEST 000000a5: PUSH2 0x01c0 000000a8: PUSH1 0x02 000000aa: SLOAD 000000ab: PUSH1 0xff 000000ad: AND 000000ae: DUP2 000000af: JUMP 000000b0: JUMPDEST 000000b1: PUSH2 0x01c0 000000b4: PUSH1 0x04 000000b6: CALLDATALOAD 000000b7: PUSH1 0x03 000000b9: PUSH1 0x20 000000bb: MSTORE 000000bc: PUSH1 0x00 000000be: SWAP1 000000bf: DUP2 000000c0: MSTORE 000000c1: PUSH1 0x40 000000c3: SWAP1 000000c4: KECCAK256 000000c5: SLOAD 000000c6: DUP2 000000c7: JUMP 000000c8: JUMPDEST 000000c9: PUSH2 0x0152 000000cc: PUSH1 0x01 000000ce: DUP1 000000cf: SLOAD 000000d0: PUSH1 0x20 000000d2: PUSH1 0x1f 000000d4: PUSH1 0x02 000000d6: PUSH1 0x00 000000d8: NOT 000000d9: PUSH2 0x0100 000000dc: DUP6 000000dd: DUP8 000000de: AND 000000df: ISZERO 000000e0: MUL 000000e1: ADD 000000e2: SWAP1 000000e3: SWAP4 000000e4: AND 000000e5: SWAP3 000000e6: SWAP1 000000e7: SWAP3 000000e8: DIV 000000e9: SWAP2 000000ea: DUP3 000000eb: ADD 000000ec: DUP2 000000ed: SWAP1 000000ee: DIV 000000ef: MUL 000000f0: PUSH1 0x80 000000f2: SWAP1 000000f3: DUP2 000000f4: ADD 000000f5: PUSH1 0x40 000000f7: MSTORE 000000f8: PUSH1 0x60 000000fa: DUP3 000000fb: DUP2 000000fc: MSTORE 000000fd: SWAP3 000000fe: SWAP2 000000ff: SWAP1 00000100: DUP3 00000101: DUP3 00000102: DUP1 00000103: ISZERO 00000104: PUSH2 0x02c4 00000107: JUMPI 00000108: DUP1 00000109: PUSH1 0x1f 0000010b: LT 0000010c: PUSH2 0x0299 0000010f: JUMPI 00000110: PUSH2 0x0100 00000113: DUP1 00000114: DUP4 00000115: SLOAD 00000116: DIV 00000117: MUL 00000118: DUP4 00000119: MSTORE 0000011a: SWAP2 0000011b: PUSH1 0x20 0000011d: ADD 0000011e: SWAP2 0000011f: PUSH2 0x02c4 00000122: JUMP 00000123: JUMPDEST 00000124: PUSH2 0x0045 00000127: PUSH1 0x04 00000129: CALLDATALOAD 0000012a: PUSH1 0x24 0000012c: CALLDATALOAD 0000012d: PUSH1 0x01 0000012f: PUSH1 0xa0 00000131: PUSH1 0x02 00000133: EXP 00000134: SUB 00000135: CALLER 00000136: AND 00000137: PUSH1 0x00 00000139: SWAP1 0000013a: DUP2 0000013b: MSTORE 0000013c: PUSH1 0x03 0000013e: PUSH1 0x20 00000140: MSTORE 00000141: PUSH1 0x40 00000143: SWAP1 00000144: KECCAK256 00000145: SLOAD 00000146: DUP2 00000147: SWAP1 00000148: LT 00000149: ISZERO 0000014a: PUSH2 0x01ca 0000014d: JUMPI 0000014e: PUSH2 0x0002 00000151: JUMP 00000152: JUMPDEST 00000153: PUSH1 0x40 00000155: MLOAD 00000156: DUP1 00000157: DUP1 00000158: PUSH1 0x20 0000015a: ADD 0000015b: DUP3 0000015c: DUP2 0000015d: SUB 0000015e: DUP3 0000015f: MSTORE 00000160: DUP4 00000161: DUP2 00000162: DUP2 00000163: MLOAD 00000164: DUP2 00000165: MSTORE 00000166: PUSH1 0x20 00000168: ADD 00000169: SWAP2 0000016a: POP 0000016b: DUP1 0000016c: MLOAD 0000016d: SWAP1 0000016e: PUSH1 0x20 00000170: ADD 00000171: SWAP1 00000172: DUP1 00000173: DUP4 00000174: DUP4 00000175: DUP3 00000176: SWAP1 00000177: PUSH1 0x00 00000179: PUSH1 0x04 0000017b: PUSH1 0x20 0000017d: DUP5 0000017e: PUSH1 0x1f 00000180: ADD 00000181: DIV 00000182: PUSH1 0x0f 00000184: MUL 00000185: PUSH1 0x03 00000187: ADD 00000188: CALL 00000189: POP 0000018a: SWAP1 0000018b: POP 0000018c: SWAP1 0000018d: DUP2 0000018e: ADD 0000018f: SWAP1 00000190: PUSH1 0x1f 00000192: AND 00000193: DUP1 00000194: ISZERO 00000195: PUSH2 0x01b2 00000198: JUMPI 00000199: DUP1 0000019a: DUP3 0000019b: SUB 0000019c: DUP1 0000019d: MLOAD 0000019e: PUSH1 0x01 000001a0: DUP4 000001a1: PUSH1 0x20 000001a3: SUB 000001a4: PUSH2 0x0100 000001a7: EXP 000001a8: SUB 000001a9: NOT 000001aa: AND 000001ab: DUP2 000001ac: MSTORE 000001ad: PUSH1 0x20 000001af: ADD 000001b0: SWAP2 000001b1: POP 000001b2: JUMPDEST 000001b3: POP 000001b4: SWAP3 000001b5: POP 000001b6: POP 000001b7: POP 000001b8: PUSH1 0x40 000001ba: MLOAD 000001bb: DUP1 000001bc: SWAP2 000001bd: SUB 000001be: SWAP1 000001bf: RETURN 000001c0: JUMPDEST 000001c1: PUSH1 0x60 000001c3: SWAP1 000001c4: DUP2 000001c5: MSTORE 000001c6: PUSH1 0x20 000001c8: SWAP1 000001c9: RETURN 000001ca: JUMPDEST 000001cb: PUSH1 0x01 000001cd: PUSH1 0xa0 000001cf: PUSH1 0x02 000001d1: EXP 000001d2: SUB 000001d3: DUP3 000001d4: AND 000001d5: PUSH1 0x00 000001d7: SWAP1 000001d8: DUP2 000001d9: MSTORE 000001da: PUSH1 0x40 000001dc: SWAP1 000001dd: KECCAK256 000001de: SLOAD 000001df: DUP1 000001e0: DUP3 000001e1: ADD 000001e2: LT 000001e3: ISZERO 000001e4: PUSH2 0x01ec 000001e7: JUMPI 000001e8: PUSH2 0x0002 000001eb: JUMP 000001ec: JUMPDEST 000001ed: DUP1 000001ee: PUSH1 0x03 000001f0: PUSH1 0x00 000001f2: POP 000001f3: PUSH1 0x00 000001f5: CALLER 000001f6: PUSH1 0x01 000001f8: PUSH1 0xa0 000001fa: PUSH1 0x02 000001fc: EXP 000001fd: SUB 000001fe: AND 000001ff: DUP2 00000200: MSTORE 00000201: PUSH1 0x20 00000203: ADD 00000204: SWAP1 00000205: DUP2 00000206: MSTORE 00000207: PUSH1 0x20 00000209: ADD 0000020a: PUSH1 0x00 0000020c: KECCAK256 0000020d: PUSH1 0x00 0000020f: DUP3 00000210: DUP3 00000211: DUP3 00000212: POP 00000213: SLOAD 00000214: SUB 00000215: SWAP3 00000216: POP 00000217: POP 00000218: DUP2 00000219: SWAP1 0000021a: SSTORE 0000021b: POP 0000021c: DUP1 0000021d: PUSH1 0x03 0000021f: PUSH1 0x00 00000221: POP 00000222: PUSH1 0x00 00000224: DUP5 00000225: PUSH1 0x01 00000227: PUSH1 0xa0 00000229: PUSH1 0x02 0000022b: EXP 0000022c: SUB 0000022d: AND 0000022e: DUP2 0000022f: MSTORE 00000230: PUSH1 0x20 00000232: ADD 00000233: SWAP1 00000234: DUP2 00000235: MSTORE 00000236: PUSH1 0x20 00000238: ADD 00000239: PUSH1 0x00 0000023b: KECCAK256 0000023c: PUSH1 0x00 0000023e: DUP3 0000023f: DUP3 00000240: DUP3 00000241: POP 00000242: SLOAD 00000243: ADD 00000244: SWAP3 00000245: POP 00000246: POP 00000247: DUP2 00000248: SWAP1 00000249: SSTORE 0000024a: POP 0000024b: DUP2 0000024c: PUSH1 0x01 0000024e: PUSH1 0xa0 00000250: PUSH1 0x02 00000252: EXP 00000253: SUB 00000254: AND 00000255: CALLER 00000256: PUSH1 0x01 00000258: PUSH1 0xa0 0000025a: PUSH1 0x02 0000025c: EXP 0000025d: SUB 0000025e: AND 0000025f: PUSH32 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef 00000280: DUP4 00000281: PUSH1 0x40 00000283: MLOAD 00000284: DUP1 00000285: DUP3 00000286: DUP2 00000287: MSTORE 00000288: PUSH1 0x20 0000028a: ADD 0000028b: SWAP2 0000028c: POP 0000028d: POP 0000028e: PUSH1 0x40 00000290: MLOAD 00000291: DUP1 00000292: SWAP2 00000293: SUB 00000294: SWAP1 00000295: LOG3 00000296: POP 00000297: POP 00000298: JUMP 00000299: JUMPDEST 0000029a: DUP3 0000029b: ADD 0000029c: SWAP2 0000029d: SWAP1 0000029e: PUSH1 0x00 000002a0: MSTORE 000002a1: PUSH1 0x20 000002a3: PUSH1 0x00 000002a5: KECCAK256 000002a6: SWAP1 000002a7: JUMPDEST 000002a8: DUP2 000002a9: SLOAD 000002aa: DUP2 000002ab: MSTORE 000002ac: SWAP1 000002ad: PUSH1 0x01 000002af: ADD 000002b0: SWAP1 000002b1: PUSH1 0x20 000002b3: ADD 000002b4: DUP1 000002b5: DUP4 000002b6: GT 000002b7: PUSH2 0x02a7 000002ba: JUMPI 000002bb: DUP3 000002bc: SWAP1 000002bd: SUB 000002be: PUSH1 0x1f 000002c0: AND 000002c1: DUP3 000002c2: ADD 000002c3: SWAP2 000002c4: JUMPDEST 000002c5: POP 000002c6: POP 000002c7: POP 000002c8: POP 000002c9: POP 000002ca: DUP2 000002cb: JUMP
Warning: This is a nightly build of Foundry. It is recommended to use the latest stable version. To mute this warning set `FOUNDRY_DISABLE_NIGHTLY_WARNING` in your environment.
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | other | detector | Untrusted CALL target/value reachable | 60 | yes | yes |
viewtrace_id: 0x9d132b36b9df7d489b16da31efba4682bd87d8729dd2caa4a8e3db2e69132a95
call_targets:
0x0000000000000000000000000000000000000004, 0xbd247894dc95d7022363ac7c12a507a5db2e689c
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x9d132b36b9df7d489b16da31efba4682bd87d8729dd2caa4a8e3db2e69132a95",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0xbd247894dc95d7022363ac7c12a507a5db2e689c"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x70a08231",
"selector": "0x70a08231",
"calldata_variants": [
"0x70a08231",
"0x70a082310000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x95d89b41",
"selector": "0x95d89b41",
"calldata_variants": [
"0x95d89b41",
"0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa9059cbb",
"selector": "0xa9059cbb",
"calldata_variants": [
"0xa9059cbb",
"0xa9059cbb0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 392,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 1,
"guards_detected": [],
"untrusted_call_count": 1
}
|
| high | other | detector | ETH value transfer possible | 55 | yes | yes |
viewtrace_id: 0x9d132b36b9df7d489b16da31efba4682bd87d8729dd2caa4a8e3db2e69132a95
call_targets:
0x0000000000000000000000000000000000000004, 0xbd247894dc95d7022363ac7c12a507a5db2e689c
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x9d132b36b9df7d489b16da31efba4682bd87d8729dd2caa4a8e3db2e69132a95",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0xbd247894dc95d7022363ac7c12a507a5db2e689c"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x70a08231",
"selector": "0x70a08231",
"calldata_variants": [
"0x70a08231",
"0x70a082310000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x95d89b41",
"selector": "0x95d89b41",
"calldata_variants": [
"0x95d89b41",
"0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa9059cbb",
"selector": "0xa9059cbb",
"calldata_variants": [
"0xa9059cbb",
"0xa9059cbb0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 392,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 1,
"guards_detected": []
}
|
| low | other | codex | `transfer` decodes calldata without an explicit length check | 65 | no | — |
viewevidence_json{
"evidence": "In the `0xa9059cbb` path, arguments are read directly with `CALLDATALOAD` at `pc:0x129` and `pc:0x12c`. I do not see a selector-specific `CALLDATASIZE` guard before those loads; the dispatcher simply routes by selector and falls through to execution. From bytecode alone I cannot prove a currently exploitable caller, so severity is kept low, but the decode pattern is the legacy one associated with short-calldata risk.",
"locations": [
"selector:0xa9059cbb",
"pc:0x129",
"pc:0x12c"
],
"recommendation": "Reject undersized calldata before decoding arguments, or redeploy behind a modern compiler/ABI decoder that enforces argument length. If the contract is immutable, only expose it through wrappers/integrations that validate calldata length before forwarding.",
"exploit_scenario": "A third-party integration that builds malformed calldata can trigger classic short-calldata/short-address style misdecoding. In that case the contract will zero-pad missing bytes instead of rejecting the call, so the decoded recipient and/or amount can differ from what the integration intended, potentially causing unintended token movements for that integration's users."
}
|
| low | other | codex | Contract appears payable and can trap ETH permanently | 65 | no | — |
viewevidence_json{
"evidence": "The runtime contains no `CALLVALUE` check, and the unknown-selector / fallback path ends in `STOP` at `pc:0x45` rather than reverting. I also do not see any admin, withdraw, proxy, or selfdestruct path in the artifact; the only `CALL` sink is the string-return helper at `pc:0x188`, which is consistent with a precompile-assisted memory copy rather than an ETH recovery function. This is bytecode-only reasoning, so the conclusion is limited to visible runtime behavior.",
"locations": [
"pc:0x0",
"pc:0x45",
"pc:0x188"
],
"recommendation": "Add a `msg.value == 0` check on all entrypoints or provide an authorized recovery/sweep function. If the code is immutable, document clearly that ETH must never be sent to this address.",
"exploit_scenario": "A user or integration accidentally sends ETH either directly to the contract or alongside a token call. The call appears to succeed, increasing the contract's ETH balance, but there is no visible bytecode path to withdraw or recover that ETH, so the value becomes stuck."
}
|