Tripwire
Find contracts. Test them. Review real vulns.

Analysis Run

019b3836-2d7f-71dc-9831-d21ecfe711e8

complete
Chain ID
1
Address
Block Number
Created
Fri, Dec 19, 2025 8:03 PM
Review Summary

What survived the funnel

Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?

Confirmed
2
Validated
2
Source
Bytecode only
Review Backing
Present
Best current signal
Untrusted CALL target/value reachable
crit 0, high 2, direct contract
Review Checklist
1. Read the findings table first. Ignore raw jobs until the result looks real.
2. Confirm attacker control, not just the existence of a sink.
3. Confirm money or privilege impact.
4. Keep it if the behavior is real. Kill it if this is normal proxy, admin, or upgrade plumbing.

Processing Jobs

Status & attempts
ID Type Status Attempts Heartbeat
2107 artifact.fetch complete 1 / 3 3 months ago
2108 tool.cast_disasm complete 1 / 3 3 months ago
45256 analysis.bundle complete 1 / 3 1 week ago
45257 capability.graph complete 1 / 3 1 week ago
45258 detector.run complete 1 / 3 1 week ago
45259 validation.fork complete 1 / 3 1 week ago
113239 report.consolidate complete 1 / 6 1 week ago

Artifact

Runtime bytecode: available
Creation TX:
Deployer:
Proxy: no
Implementation:
Verified Source: no

Slither

tool.slither

No slither job recorded yet.

Codex

report.consolidate
Job Status
complete
Attempts
1 / 6
Findings
2
No findings?
no
Summary
Runtime bytecode is best interpreted as an old ERC20-like token exposing 0x06fdde03/0x95d89b41/0x313ce567/0x70a08231/0xa9059cbb. I did not find evidence of proxy logic, delegatecall, privileged admin branches, signature validation, or a meaningful reentrancy surface. The detector-reported CALL at pc 0x188 is very likely Solidity’s identity-precompile copy helper (fixed target 0x04, zero value), so the untrusted-call/ETH-transfer alerts appear to be false positives. The concrete issues are low-severity integration/funds-safety problems in the fallback path and transfer ABI/error semantics.
stdout
{"no_findings":false,"summary":"Runtime bytecode is best interpreted as an old ERC20-like token exposing 0x06fdde03/0x95d89b41/0x313ce567/0x70a08231/0xa9059cbb. I did not find evidence of proxy logic, delegatecall, privileged admin branches, signature validation, or a meaningful reentrancy surface. The detector-reported CALL at pc 0x188 is very likely Solidity’s identity-precompile copy helper (fixed target 0x04, zero value), so the untrusted-call/ETH-transfer alerts appear to be false positives. The concrete issues are low-severity integration/funds-safety problems in the fallback path and transfer ABI/error semantics.","findings":[{"severity":"low","category":"other","title":"Fallback silently accepts arbitrary calldata and ETH","exploit_scenario":"Because unmatched selectors fall through to a STOP instead of REVERT, a user can accidentally send ETH to the token contract and it will be accepted with no recovery path evident in the bytecode. Likewise, an external system using low-level call semantics could treat unsupported token operations as successful no-ops, creating accounting mistakes on the integrator side.","recommendation":"Make the fallback/receive path revert by default, or add an explicit recovery/withdraw mechanism if ETH reception is intended. Integrators should not rely on low-level call success alone when interacting with this contract.","evidence":"The dispatcher compares only five selectors, then falls through to pc 0x45 where execution halts with STOP rather than REVERT. There is no CALLVALUE check anywhere in the dispatch path, so plain ETH transfers are accepted. No withdrawal, selfdestruct, proxy, or other ETH-recovery path is evidenced in the bundle. 
This is a strong bytecode-level observation, though source-level intent is unknown.","locations":["pc:0x45"]},{"severity":"low","category":"other","title":"`transfer` is non-standard: no boolean return and throw-style failures consume all gas","exploit_scenario":"Integrations that expect ERC20-compliant `transfer(address,uint256) returns (bool)` behavior may revert or mis-handle this token. Failed transfers also appear to use an invalid jump rather than REVERT, so error cases can consume all remaining gas and break gas-sensitive flows.","recommendation":"If the contract can be replaced/upgraded, return a 32-byte `true` value from `transfer` and use REVERT for failure paths. Otherwise, integrations should use SafeERC20-style wrappers and avoid assumptions about returndata or cheap failure semantics.","evidence":"The `0xa9059cbb` path executes balance updates and event emission, then jumps to pc 0x45 (STOP) with no RETURN payload, so no bool is returned. The insufficient-balance and overflow checks branch via `PUSH2 0x0002; JUMP` at pcs 0x14e and 0x21b; pc 0x0002 is not a JUMPDEST, so those paths exceptional-halt instead of REVERT. Selector inference is best-effort, but this pattern strongly matches an old ERC20-style transfer implementation.","locations":["selector:0xa9059cbb","pc:0x14e","pc:0x21b","pc:0x45"]}]}
stderr
OpenAI Codex v0.118.0 (research preview)
--------
workdir: /tmp/codex-6rjf0o6s
model: gpt-5.4
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: none
session id: 019d5b7d-b580-7c23-8ad1-568a8a20aa22
--------
user
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.

Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.

Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".

Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
warning: Codex could not find system bubblewrap on PATH. Please install bubblewrap with your package manager. Codex will use the vendored bubblewrap in the meantime.
exec
/bin/bash -lc "pwd && rg --files -g 'BYTECODE_BUNDLE.json' -g 'AGENTS.md' -g '*.json'" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
/tmp/codex-6rjf0o6s
codex-output-schema.json
BYTECODE_BUNDLE.json

exec
/bin/bash -lc 'cat codex-output-schema.json' in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
{"type": "object", "additionalProperties": false, "required": ["no_findings", "summary", "findings"], "properties": {"no_findings": {"type": "boolean"}, "summary": {"type": "string"}, "findings": {"type": "array", "items": {"type": "object", "additionalProperties": false, "required": ["severity", "category", "title", "evidence", "locations", "exploit_scenario", "recommendation"], "properties": {"severity": {"type": "string", "enum": ["info", "low", "medium", "high", "critical"]}, "category": {"type": "string", "enum": ["access_control", "reentrancy", "math", "oracle", "upgradeability", "auth", "other"]}, "title": {"type": "string"}, "exploit_scenario": {"type": "string"}, "recommendation": {"type": "string"}, "evidence": {"type": "string"}, "locations": {"type": "array", "items": {"type": "string"}}}}}}}
exec
/bin/bash -lc "wc -c BYTECODE_BUNDLE.json && jq 'keys' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
44930 BYTECODE_BUNDLE.json
[
  "analysis_artifact",
  "analysis_run",
  "artifact",
  "capability_graph",
  "detector_findings",
  "heuristics_summary"
]

exec
/bin/bash -lc "jq '.artifact | keys' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
[
  "codehash",
  "compiler_json",
  "implementation_address",
  "is_proxy",
  "runtime_bytecode",
  "verified_source"
]

exec
/bin/bash -lc "jq '.analysis_artifact | keys' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
[
  "address",
  "artifact_hash",
  "artifact_json",
  "block_number",
  "chain_id",
  "codehash",
  "created_at",
  "id",
  "updated_at",
  "version"
]

exec
/bin/bash -lc "jq '.detector_findings | keys' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
[
  0,
  1
]

exec
/bin/bash -lc "jq '.heuristics_summary | keys' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
[
  "create2_count",
  "delegatecall_count",
  "flags",
  "selfdestruct_count"
]

exec
/bin/bash -lc "jq '{address: .analysis_artifact.address, chain_id: .analysis_artifact.chain_id, block_number: .analysis_artifact.block_number, is_proxy: .artifact.is_proxy, implementation_address: .artifact.implementation_address, flags: .heuristics_summary.flags, delegatecall_count: .heuristics_summary.delegatecall_count, selfdestruct_count: .heuristics_summary.selfdestruct_count, create2_count: .heuristics_summary.create2_count}' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
{
  "address": "0x6e724ccc59c1a72f733a31b41c8594413363d80b",
  "chain_id": 1,
  "block_number": null,
  "is_proxy": false,
  "implementation_address": null,
  "flags": [],
  "delegatecall_count": 0,
  "selfdestruct_count": 0,
  "create2_count": 0
}

exec
/bin/bash -lc "jq '.detector_findings' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
[
  {
    "confidence": 60,
    "evidence_json": {
      "call_count": 1,
      "examples": [
        {
          "opcode": "CALL",
          "pc": 392,
          "returndata_checked": null,
          "target_expression_category": "computed",
          "value_expression_category": "computed"
        }
      ],
      "guards_detected": [],
      "untrusted_call_count": 1
    },
    "normalized_json": {
      "sink": "CALL"
    },
    "severity": "high",
    "title": "Untrusted CALL target/value reachable",
    "validated": true,
    "validation_json": {
      "attempts": 1,
      "call_targets": [
        "0x0000000000000000000000000000000000000004",
        "0x6e724ccc59c1a72f733a31b41c8594413363d80b"
      ],
      "classification": "target_varies",
      "confirmed": true,
      "errors": 0,
      "matched_probe": null,
      "sink": "CALL",
      "status": "confirmed",
      "target_varies": true,
      "trace_id": "0x63cd94dc2b900409aa6488032881b6cfe5214b94c9790e7cb4953c603e64e60f",
      "trace_mode": "callTracer"
    }
  },
  {
    "confidence": 55,
    "evidence_json": {
      "eth_value_calls": 1,
      "examples": [
        {
          "opcode": "CALL",
          "pc": 392,
          "returndata_checked": null,
          "target_expression_category": "computed",
          "value_expression_category": "computed"
        }
      ],
      "guards_detected": []
    },
    "normalized_json": {
      "sink": "CALL",
      "value": "nonzero"
    },
    "severity": "high",
    "title": "ETH value transfer possible",
    "validated": true,
    "validation_json": {
      "attempts": 1,
      "call_targets": [
        "0x0000000000000000000000000000000000000004",
        "0x6e724ccc59c1a72f733a31b41c8594413363d80b"
      ],
      "classification": "target_varies",
      "confirmed": true,
      "errors": 0,
      "matched_probe": null,
      "sink": "CALL",
      "status": "confirmed",
      "target_varies": true,
      "trace_id": "0x63cd94dc2b900409aa6488032881b6cfe5214b94c9790e7cb4953c603e64e60f",
      "trace_mode": "callTracer"
    }
  }
]

exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json | type' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
"object"

exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json | fromjson | keys' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 exited 5 in 0ms:
jq: error (at BYTECODE_BUNDLE.json:1722): object ({"auth":{"g...) only strings can be parsed

exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json | keys' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
[
  "auth",
  "basic_blocks",
  "callsites",
  "cfg_edges",
  "cfg_hash",
  "dispatcher_type",
  "function_entries",
  "functions",
  "selectors",
  "sinks",
  "storage",
  "version"
]

exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.auth | keys' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
[
  "guards"
]

exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.calls | keys' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 exited 5 in 0ms:
jq: error (at BYTECODE_BUNDLE.json:1722): null (null) has no keys

exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.storage | keys' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
[
  "keccak_count",
  "reads",
  "slots",
  "writes"
]

The bundle is non-proxy bytecode with one confirmed dynamic CALL. I’m now checking whether storage writes or selector layout make that CALL exploitable or whether the detector is overfitting to expected precompile/self-call behavior.
  ✓ Inspect bytecode bundle structure, selectors, sinks, guards, and storage evidence
  → Assess concrete exploit hypotheses from callsites and storage usage
  • Produce JSON findings with conservative severity and explicit uncertainty
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.selectors' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
[
  "0x06fdde03",
  "0x313ce567",
  "0x70a08231",
  "0x95d89b41",
  "0xa9059cbb"
]

exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.function_entries' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
[
  {
    "entry_pc": null,
    "selector": "0x06fdde03"
  },
  {
    "entry_pc": 1889567281,
    "selector": "0x313ce567"
  },
  {
    "entry_pc": 2514000705,
    "selector": "0x70a08231"
  },
  {
    "entry_pc": 2835717307,
    "selector": "0x95d89b41"
  },
  {
    "entry_pc": null,
    "selector": "0xa9059cbb"
  }
]

exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.sinks' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
{
  "call": 1,
  "create": 0,
  "create2": 0,
  "delegatecall": 0,
  "selfdestruct": 0,
  "staticcall": 0,
  "upgrade_slot_write_suspected": false
}

exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.callsites' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
[
  {
    "opcode": "CALL",
    "pc": 392,
    "returndata_checked": null,
    "target_expression_category": "computed",
    "value_expression_category": "computed"
  }
]

exec
/bin/bash -lc "jq '.artifact.compiler_json' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
{
  "etherscan": {
    "skipped": true
  }
}

exec
/bin/bash -lc "jq '.artifact.verified_source' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
false

exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.auth.guards' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
[]

exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.storage' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
{
  "keccak_count": 6,
  "reads": 11,
  "slots": [
    {
      "op": "SLOAD",
      "pc": 78,
      "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
    },
    {
      "op": "SLOAD",
      "pc": 150,
      "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
    },
    {
      "op": "SLOAD",
      "pc": 170,
      "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
    },
    {
      "op": "SLOAD",
      "pc": 207,
      "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
    },
    {
      "op": "SLOAD",
      "pc": 277,
      "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
    }
  ],
  "writes": 2
}

exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.storage.reads, .analysis_artifact.artifact_json.storage.writes' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
11
2

exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.functions | length' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
5

exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.functions[0:20]' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
[
  {
    "auth": {
      "guards": []
    },
    "entry_pc": null,
    "selector": "0x06fdde03",
    "sinks": {
      "call": 1,
      "delegatecall": 0,
      "selfdestruct": 0,
      "staticcall": 0
    },
    "storage": {
      "reads": 11,
      "slots": [
        {
          "op": "SLOAD",
          "pc": 78,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
        },
        {
          "op": "SLOAD",
          "pc": 150,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
        },
        {
          "op": "SLOAD",
          "pc": 170,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
        },
        {
          "op": "SLOAD",
          "pc": 207,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
        },
        {
          "op": "SLOAD",
          "pc": 277,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
        }
      ],
      "writes": 2
    }
  },
  {
    "auth": {
      "guards": []
    },
    "entry_pc": 1889567281,
    "selector": "0x313ce567",
    "sinks": {
      "call": 1,
      "delegatecall": 0,
      "selfdestruct": 0,
      "staticcall": 0
    },
    "storage": {
      "reads": 11,
      "slots": [
        {
          "op": "SLOAD",
          "pc": 78,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
        },
        {
          "op": "SLOAD",
          "pc": 150,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
        },
        {
          "op": "SLOAD",
          "pc": 170,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
        },
        {
          "op": "SLOAD",
          "pc": 207,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
        },
        {
          "op": "SLOAD",
          "pc": 277,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
        }
      ],
      "writes": 2
    }
  },
  {
    "auth": {
      "guards": []
    },
    "entry_pc": 2514000705,
    "selector": "0x70a08231",
    "sinks": {
      "call": 1,
      "delegatecall": 0,
      "selfdestruct": 0,
      "staticcall": 0
    },
    "storage": {
      "reads": 11,
      "slots": [
        {
          "op": "SLOAD",
          "pc": 78,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
        },
        {
          "op": "SLOAD",
          "pc": 150,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
        },
        {
          "op": "SLOAD",
          "pc": 170,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
        },
        {
          "op": "SLOAD",
          "pc": 207,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
        },
        {
          "op": "SLOAD",
          "pc": 277,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
        }
      ],
      "writes": 2
    }
  },
  {
    "auth": {
      "guards": []
    },
    "entry_pc": 2835717307,
    "selector": "0x95d89b41",
    "sinks": {
      "call": 1,
      "delegatecall": 0,
      "selfdestruct": 0,
      "staticcall": 0
    },
    "storage": {
      "reads": 11,
      "slots": [
        {
          "op": "SLOAD",
          "pc": 78,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
        },
        {
          "op": "SLOAD",
          "pc": 150,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
        },
        {
          "op": "SLOAD",
          "pc": 170,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
        },
        {
          "op": "SLOAD",
          "pc": 207,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
        },
        {
          "op": "SLOAD",
          "pc": 277,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
        }
      ],
      "writes": 2
    }
  },
  {
    "auth": {
      "guards": []
    },
    "entry_pc": null,
    "selector": "0xa9059cbb",
    "sinks": {
      "call": 1,
      "delegatecall": 0,
      "selfdestruct": 0,
      "staticcall": 0
    },
    "storage": {
      "reads": 11,
      "slots": [
        {
          "op": "SLOAD",
          "pc": 78,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
        },
        {
          "op": "SLOAD",
          "pc": 150,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
        },
        {
          "op": "SLOAD",
          "pc": 170,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
        },
        {
          "op": "SLOAD",
          "pc": 207,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
        },
        {
          "op": "SLOAD",
          "pc": 277,
          "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
        }
      ],
      "writes": 2
    }
  }
]

exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.basic_blocks | length' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
27

exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
code=obj['artifact']['runtime_bytecode']
if code.startswith('0x'): code=code[2:]
print('bytes', len(code)//2)
# EVM opcode table minimal
opcodes={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0x5f:'PUSH0',0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'}
bs=bytes.fromhex(code)
pc=0
while pc < len(bs) and pc < 520:
    b=bs[pc]
    name=opcodes.get(b, f'OP{b:02x}')
    if 0x60 <= b <= 0x7f:
        n=b-0x5f
        data=bs[pc+1:pc+1+n]
        print(f'{pc:04x}: {name} 0x{data.hex()}')
        pc += 1+n
    else:
        print(f'{pc:04x}: {name}')
        pc += 1
PY" in /tmp/codex-6rjf0o6s
 exited 1 in 0ms:
Traceback (most recent call last):
  File "<stdin>", line 5, in <module>
AttributeError: 'dict' object has no attribute 'startswith'

exec
/bin/bash -lc "jq '.artifact.runtime_bytecode | type, .artifact.runtime_bytecode' BYTECODE_BUNDLE.json | head -c 5000" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
"object"
null

exec
/bin/bash -lc "jq '.artifact' BYTECODE_BUNDLE.json" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
{
  "codehash": "0x9c955d6fcbfcbaebc1eba76ca0b918c6f34cf6cc3f5c33f4a4a83a88440f4e9f",
  "compiler_json": {
    "etherscan": {
      "skipped": true
    }
  },
  "implementation_address": null,
  "is_proxy": false,
  "runtime_bytecode": {
    "full": "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",
    "head": null,
    "length": 1434,
    "tail": null,
    "truncated": false
  },
  "verified_source": false
}

exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
code=obj['artifact']['runtime_bytecode']['full']
if code.startswith('0x'): code=code[2:]
print('bytes', len(code)//2)
opcodes={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0x5f:'PUSH0',0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'}
bs=bytes.fromhex(code)
pc=0
while pc < len(bs):
    b=bs[pc]
    name=opcodes.get(b, f'OP{b:02x}')
    if 0x60 <= b <= 0x7f:
        n=b-0x5f
        data=bs[pc+1:pc+1+n]
        print(f'{pc:04x}: {name:<8} 0x{data.hex()}')
        pc += 1+n
    else:
        print(f'{pc:04x}: {name}')
        pc += 1
PY" in /tmp/codex-6rjf0o6s
 succeeded in 0ms:
bytes 716
0000: PUSH1    0x60
0002: PUSH1    0x40
0004: MSTORE
0005: PUSH1    0xe0
0007: PUSH1    0x02
0009: EXP
000a: PUSH1    0x00
000c: CALLDATALOAD
000d: DIV
000e: PUSH4    0x06fdde03
0013: DUP2
0014: EQ
0015: PUSH2    0x0047
0018: JUMPI
0019: DUP1
001a: PUSH4    0x313ce567
001f: EQ
0020: PUSH2    0x00a4
0023: JUMPI
0024: DUP1
0025: PUSH4    0x70a08231
002a: EQ
002b: PUSH2    0x00b0
002e: JUMPI
002f: DUP1
0030: PUSH4    0x95d89b41
0035: EQ
0036: PUSH2    0x00c8
0039: JUMPI
003a: DUP1
003b: PUSH4    0xa9059cbb
0040: EQ
0041: PUSH2    0x0123
0044: JUMPI
0045: JUMPDEST
0046: STOP
0047: JUMPDEST
0048: PUSH2    0x0152
004b: PUSH1    0x00
004d: DUP1
004e: SLOAD
004f: PUSH1    0x20
0051: PUSH1    0x02
0053: PUSH1    0x01
0055: DUP4
0056: AND
0057: ISZERO
0058: PUSH2    0x0100
005b: MUL
005c: PUSH1    0x00
005e: NOT
005f: ADD
0060: SWAP1
0061: SWAP3
0062: AND
0063: SWAP2
0064: SWAP1
0065: SWAP2
0066: DIV
0067: PUSH1    0x1f
0069: DUP2
006a: ADD
006b: DUP3
006c: SWAP1
006d: DIV
006e: SWAP1
006f: SWAP2
0070: MUL
0071: PUSH1    0x80
0073: SWAP1
0074: DUP2
0075: ADD
0076: PUSH1    0x40
0078: MSTORE
0079: PUSH1    0x60
007b: DUP3
007c: DUP2
007d: MSTORE
007e: SWAP3
007f: SWAP2
0080: SWAP1
0081: DUP3
0082: DUP3
0083: DUP1
0084: ISZERO
0085: PUSH2    0x01f5
0088: JUMPI
0089: DUP1
008a: PUSH1    0x1f
008c: LT
008d: PUSH2    0x01ca
0090: JUMPI
0091: PUSH2    0x0100
0094: DUP1
0095: DUP4
0096: SLOAD
0097: DIV
0098: MUL
0099: DUP4
009a: MSTORE
009b: SWAP2
009c: PUSH1    0x20
009e: ADD
009f: SWAP2
00a0: PUSH2    0x01f5
00a3: JUMP
00a4: JUMPDEST
00a5: PUSH2    0x01c0
00a8: PUSH1    0x02
00aa: SLOAD
00ab: PUSH1    0xff
00ad: AND
00ae: DUP2
00af: JUMP
00b0: JUMPDEST
00b1: PUSH2    0x01c0
00b4: PUSH1    0x04
00b6: CALLDATALOAD
00b7: PUSH1    0x03
00b9: PUSH1    0x20
00bb: MSTORE
00bc: PUSH1    0x00
00be: SWAP1
00bf: DUP2
00c0: MSTORE
00c1: PUSH1    0x40
00c3: SWAP1
00c4: SHA3
00c5: SLOAD
00c6: DUP2
00c7: JUMP
00c8: JUMPDEST
00c9: PUSH2    0x0152
00cc: PUSH1    0x01
00ce: DUP1
00cf: SLOAD
00d0: PUSH1    0x20
00d2: PUSH1    0x1f
00d4: PUSH1    0x02
00d6: PUSH1    0x00
00d8: NOT
00d9: PUSH2    0x0100
00dc: DUP6
00dd: DUP8
00de: AND
00df: ISZERO
00e0: MUL
00e1: ADD
00e2: SWAP1
00e3: SWAP4
00e4: AND
00e5: SWAP3
00e6: SWAP1
00e7: SWAP3
00e8: DIV
00e9: SWAP2
00ea: DUP3
00eb: ADD
00ec: DUP2
00ed: SWAP1
00ee: DIV
00ef: MUL
00f0: PUSH1    0x80
00f2: SWAP1
00f3: DUP2
00f4: ADD
00f5: PUSH1    0x40
00f7: MSTORE
00f8: PUSH1    0x60
00fa: DUP3
00fb: DUP2
00fc: MSTORE
00fd: SWAP3
00fe: SWAP2
00ff: SWAP1
0100: DUP3
0101: DUP3
0102: DUP1
0103: ISZERO
0104: PUSH2    0x01f5
0107: JUMPI
0108: DUP1
0109: PUSH1    0x1f
010b: LT
010c: PUSH2    0x01ca
010f: JUMPI
0110: PUSH2    0x0100
0113: DUP1
0114: DUP4
0115: SLOAD
0116: DIV
0117: MUL
0118: DUP4
0119: MSTORE
011a: SWAP2
011b: PUSH1    0x20
011d: ADD
011e: SWAP2
011f: PUSH2    0x01f5
0122: JUMP
0123: JUMPDEST
0124: PUSH2    0x0045
0127: PUSH1    0x04
0129: CALLDATALOAD
012a: PUSH1    0x24
012c: CALLDATALOAD
012d: PUSH1    0x01
012f: PUSH1    0xa0
0131: PUSH1    0x02
0133: EXP
0134: SUB
0135: CALLER
0136: AND
0137: PUSH1    0x00
0139: SWAP1
013a: DUP2
013b: MSTORE
013c: PUSH1    0x03
013e: PUSH1    0x20
0140: MSTORE
0141: PUSH1    0x40
0143: SWAP1
0144: SHA3
0145: SLOAD
0146: DUP2
0147: SWAP1
0148: LT
0149: ISZERO
014a: PUSH2    0x01fd
014d: JUMPI
014e: PUSH2    0x0002
0151: JUMP
0152: JUMPDEST
0153: PUSH1    0x40
0155: MLOAD
0156: DUP1
0157: DUP1
0158: PUSH1    0x20
015a: ADD
015b: DUP3
015c: DUP2
015d: SUB
015e: DUP3
015f: MSTORE
0160: DUP4
0161: DUP2
0162: DUP2
0163: MLOAD
0164: DUP2
0165: MSTORE
0166: PUSH1    0x20
0168: ADD
0169: SWAP2
016a: POP
016b: DUP1
016c: MLOAD
016d: SWAP1
016e: PUSH1    0x20
0170: ADD
0171: SWAP1
0172: DUP1
0173: DUP4
0174: DUP4
0175: DUP3
0176: SWAP1
0177: PUSH1    0x00
0179: PUSH1    0x04
017b: PUSH1    0x20
017d: DUP5
017e: PUSH1    0x1f
0180: ADD
0181: DIV
0182: PUSH1    0x0f
0184: MUL
0185: PUSH1    0x03
0187: ADD
0188: CALL
0189: POP
018a: SWAP1
018b: POP
018c: SWAP1
018d: DUP2
018e: ADD
018f: SWAP1
0190: PUSH1    0x1f
0192: AND
0193: DUP1
0194: ISZERO
0195: PUSH2    0x01b2
0198: JUMPI
0199: DUP1
019a: DUP3
019b: SUB
019c: DUP1
019d: MLOAD
019e: PUSH1    0x01
01a0: DUP4
01a1: PUSH1    0x20
01a3: SUB
01a4: PUSH2    0x0100
01a7: EXP
01a8: SUB
01a9: NOT
01aa: AND
01ab: DUP2
01ac: MSTORE
01ad: PUSH1    0x20
01af: ADD
01b0: SWAP2
01b1: POP
01b2: JUMPDEST
01b3: POP
01b4: SWAP3
01b5: POP
01b6: POP
01b7: POP
01b8: PUSH1    0x40
01ba: MLOAD
01bb: DUP1
01bc: SWAP2
01bd: SUB
01be: SWAP1
01bf: RETURN
01c0: JUMPDEST
01c1: PUSH1    0x60
01c3: SWAP1
01c4: DUP2
01c5: MSTORE
01c6: PUSH1    0x20
01c8: SWAP1
01c9: RETURN
01ca: JUMPDEST
01cb: DUP3
01cc: ADD
01cd: SWAP2
01ce: SWAP1
01cf: PUSH1    0x00
01d1: MSTORE
01d2: PUSH1    0x20
01d4: PUSH1    0x00
01d6: SHA3
01d7: SWAP1
01d8: JUMPDEST
01d9: DUP2
01da: SLOAD
01db: DUP2
01dc: MSTORE
01dd: SWAP1
01de: PUSH1    0x01
01e0: ADD
01e1: SWAP1
01e2: PUSH1    0x20
01e4: ADD
01e5: DUP1
01e6: DUP4
01e7: GT
01e8: PUSH2    0x01d8
01eb: JUMPI
01ec: DUP3
01ed: SWAP1
01ee: SUB
01ef: PUSH1    0x1f
01f1: AND
01f2: DUP3
01f3: ADD
01f4: SWAP2
01f5: JUMPDEST
01f6: POP
01f7: POP
01f8: POP
01f9: POP
01fa: POP
01fb: DUP2
01fc: JUMP
01fd: JUMPDEST
01fe: PUSH1    0x01
0200: PUSH1    0xa0
0202: PUSH1    0x02
0204: EXP
0205: SUB
0206: DUP3
0207: AND
0208: PUSH1    0x00
020a: SWAP1
020b: DUP2
020c: MSTORE
020d: PUSH1    0x40
020f: SWAP1
0210: SHA3
0211: SLOAD
0212: DUP1
0213: DUP3
0214: ADD
0215: LT
0216: ISZERO
0217: PUSH2    0x021f
021a: JUMPI
021b: PUSH2    0x0002
021e: JUMP
021f: JUMPDEST
0220: DUP1
0221: PUSH1    0x03
0223: PUSH1    0x00
0225: POP
0226: PUSH1    0x00
0228: CALLER
0229: PUSH1    0x01
022b: PUSH1    0xa0
022d: PUSH1    0x02
022f: EXP
0230: SUB
0231: AND
0232: DUP2
0233: MSTORE
0234: PUSH1    0x20
0236: ADD
0237: SWAP1
0238: DUP2
0239: MSTORE
023a: PUSH1    0x20
023c: ADD
023d: PUSH1    0x00
023f: SHA3
0240: PUSH1    0x00
0242: DUP3
0243: DUP3
0244: DUP3
0245: POP
0246: SLOAD
0247: SUB
0248: SWAP3
0249: POP
024a: POP
024b: DUP2
024c: SWAP1
024d: SSTORE
024e: POP
024f: DUP1
0250: PUSH1    0x03
0252: PUSH1    0x00
0254: POP
0255: PUSH1    0x00
0257: DUP5
0258: PUSH1    0x01
025a: PUSH1    0xa0
025c: PUSH1    0x02
025e: EXP
025f: SUB
0260: AND
0261: DUP2
0262: MSTORE
0263: PUSH1    0x20
0265: ADD
0266: SWAP1
0267: DUP2
0268: MSTORE
0269: PUSH1    0x20
026b: ADD
026c: PUSH1    0x00
026e: SHA3
026f: PUSH1    0x00
0271: DUP3
0272: DUP3
0273: DUP3
0274: POP
0275: SLOAD
0276: ADD
0277: SWAP3
0278: POP
0279: POP
027a: DUP2
027b: SWAP1
027c: SSTORE
027d: POP
027e: DUP2
027f: PUSH1    0x01
0281: PUSH1    0xa0
0283: PUSH1    0x02
0285: EXP
0286: SUB
0287: AND
0288: CALLER
0289: PUSH1    0x01
028b: PUSH1    0xa0
028d: PUSH1    0x02
028f: EXP
0290: SUB
0291: AND
0292: PUSH32   0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef
02b3: DUP4
02b4: PUSH1    0x40
02b6: MLOAD
02b7: DUP1
02b8: DUP3
02b9: DUP2
02ba: MSTORE
02bb: PUSH1    0x20
02bd: ADD
02be: SWAP2
02bf: POP
02c0: POP
02c1: PUSH1    0x40
02c3: MLOAD
02c4: DUP1
02c5: SWAP2
02c6: SUB
02c7: SWAP1
02c8: LOG3
02c9: POP
02ca: POP
02cb: JUMP

codex
{"no_findings":false,"summary":"Runtime bytecode is best interpreted as an old ERC20-like token exposing 0x06fdde03/0x95d89b41/0x313ce567/0x70a08231/0xa9059cbb. I did not find evidence of proxy logic, delegatecall, privileged admin branches, signature validation, or a meaningful reentrancy surface. The detector-reported CALL at pc 0x188 is very likely Solidity’s identity-precompile copy helper (fixed target 0x04, zero value), so the untrusted-call/ETH-transfer alerts appear to be false positives. The concrete issues are low-severity integration/funds-safety problems in the fallback path and transfer ABI/error semantics.","findings":[{"severity":"low","category":"other","title":"Fallback silently accepts arbitrary calldata and ETH","exploit_scenario":"Because unmatched selectors fall through to a STOP instead of REVERT, a user can accidentally send ETH to the token contract and it will be accepted with no recovery path evident in the bytecode. Likewise, an external system using low-level call semantics could treat unsupported token operations as successful no-ops, creating accounting mistakes on the integrator side.","recommendation":"Make the fallback/receive path revert by default, or add an explicit recovery/withdraw mechanism if ETH reception is intended. Integrators should not rely on low-level call success alone when interacting with this contract.","evidence":"The dispatcher compares only five selectors, then falls through to pc 0x45 where execution halts with STOP rather than REVERT. There is no CALLVALUE check anywhere in the dispatch path, so plain ETH transfers are accepted. No withdrawal, selfdestruct, proxy, or other ETH-recovery path is evidenced in the bundle. This is a strong bytecode-level observation, though source-level intent is unknown.","locations":["pc:0x45"]},{"severity":"low","category":"other","title":"`transfer` is non-standard: no boolean return and throw-style failures consume all gas","exploit_scenario":"Integrations that expect ERC20-compliant `transfer(address,uint256) returns (bool)` behavior may revert or mis-handle this token. Failed transfers also appear to use an invalid jump rather than REVERT, so error cases can consume all remaining gas and break gas-sensitive flows.","recommendation":"If the contract can be replaced/upgraded, return a 32-byte `true` value from `transfer` and use REVERT for failure paths. Otherwise, integrations should use SafeERC20-style wrappers and avoid assumptions about returndata or cheap failure semantics.","evidence":"The `0xa9059cbb` path executes balance updates and event emission, then jumps to pc 0x45 (STOP) with no RETURN payload, so no bool is returned. The insufficient-balance and overflow checks branch via `PUSH2 0x0002; JUMP` at pcs 0x14e and 0x21b; pc 0x0002 is not a JUMPDEST, so those paths exceptional-halt instead of REVERT. Selector inference is best-effort, but this pattern strongly matches an old ERC20-style transfer implementation.","locations":["selector:0xa9059cbb","pc:0x14e","pc:0x21b","pc:0x45"]}]}
tokens used
47,997
Metadata
{
    "codex": {
        "ran_at": "2026-04-05T02:37:01.565669+00:00",
        "returncode": 0
    },
    "project": {
        "mode": "bytecode",
        "bytecode_length": 1434,
        "bytecode_truncated": false,
        "capability_graph_present": true,
        "analysis_artifact_present": true
    },
    "summary": "Runtime bytecode is best interpreted as an old ERC20-like token exposing 0x06fdde03/0x95d89b41/0x313ce567/0x70a08231/0xa9059cbb. I did not find evidence of proxy logic, delegatecall, privileged admin branches, signature validation, or a meaningful reentrancy surface. The detector-reported CALL at pc 0x188 is very likely Solidity\u2019s identity-precompile copy helper (fixed target 0x04, zero value), so the untrusted-call/ETH-transfer alerts appear to be false positives. The concrete issues are low-severity integration/funds-safety problems in the fallback path and transfer ABI/error semantics.",
    "raw_final": {
        "summary": "Runtime bytecode is best interpreted as an old ERC20-like token exposing 0x06fdde03/0x95d89b41/0x313ce567/0x70a08231/0xa9059cbb. I did not find evidence of proxy logic, delegatecall, privileged admin branches, signature validation, or a meaningful reentrancy surface. The detector-reported CALL at pc 0x188 is very likely Solidity\u2019s identity-precompile copy helper (fixed target 0x04, zero value), so the untrusted-call/ETH-transfer alerts appear to be false positives. The concrete issues are low-severity integration/funds-safety problems in the fallback path and transfer ABI/error semantics.",
        "findings": [
            {
                "title": "Fallback silently accepts arbitrary calldata and ETH",
                "category": "other",
                "evidence": "The dispatcher compares only five selectors, then falls through to pc 0x45 where execution halts with STOP rather than REVERT. There is no CALLVALUE check anywhere in the dispatch path, so plain ETH transfers are accepted. No withdrawal, selfdestruct, proxy, or other ETH-recovery path is evidenced in the bundle. This is a strong bytecode-level observation, though source-level intent is unknown.",
                "severity": "low",
                "locations": [
                    "pc:0x45"
                ],
                "recommendation": "Make the fallback/receive path revert by default, or add an explicit recovery/withdraw mechanism if ETH reception is intended. Integrators should not rely on low-level call success alone when interacting with this contract.",
                "exploit_scenario": "Because unmatched selectors fall through to a STOP instead of REVERT, a user can accidentally send ETH to the token contract and it will be accepted with no recovery path evident in the bytecode. Likewise, an external system using low-level call semantics could treat unsupported token operations as successful no-ops, creating accounting mistakes on the integrator side."
            },
            {
                "title": "`transfer` is non-standard: no boolean return and throw-style failures consume all gas",
                "category": "other",
                "evidence": "The `0xa9059cbb` path executes balance updates and event emission, then jumps to pc 0x45 (STOP) with no RETURN payload, so no bool is returned. The insufficient-balance and overflow checks branch via `PUSH2 0x0002; JUMP` at pcs 0x14e and 0x21b; pc 0x0002 is not a JUMPDEST, so those paths exceptional-halt instead of REVERT. Selector inference is best-effort, but this pattern strongly matches an old ERC20-style transfer implementation.",
                "severity": "low",
                "locations": [
                    "selector:0xa9059cbb",
                    "pc:0x14e",
                    "pc:0x21b",
                    "pc:0x45"
                ],
                "recommendation": "If the contract can be replaced/upgraded, return a 32-byte `true` value from `transfer` and use REVERT for failure paths. Otherwise, integrations should use SafeERC20-style wrappers and avoid assumptions about returndata or cheap failure semantics.",
                "exploit_scenario": "Integrations that expect ERC20-compliant `transfer(address,uint256) returns (bool)` behavior may revert or mis-handle this token. Failed transfers also appear to use an invalid jump rather than REVERT, so error cases can consume all remaining gas and break gas-sensitive flows."
            }
        ],
        "no_findings": false
    },
    "no_findings": false,
    "schema_version": 1
}

Opcode Heuristics

tool.cast_disasm
Delegatecall
0
Selfdestruct
0
CREATE2
0
CALL-family (heavy)
1
EXT*/BALANCE
0
Total opcodes
511
Flags
No heuristic flags raised.
Cast disassembly output
00000000: PUSH1 0x60
00000002: PUSH1 0x40
00000004: MSTORE
00000005: PUSH1 0xe0
00000007: PUSH1 0x02
00000009: EXP
0000000a: PUSH1 0x00
0000000c: CALLDATALOAD
0000000d: DIV
0000000e: PUSH4 0x06fdde03
00000013: DUP2
00000014: EQ
00000015: PUSH2 0x0047
00000018: JUMPI
00000019: DUP1
0000001a: PUSH4 0x313ce567
0000001f: EQ
00000020: PUSH2 0x00a4
00000023: JUMPI
00000024: DUP1
00000025: PUSH4 0x70a08231
0000002a: EQ
0000002b: PUSH2 0x00b0
0000002e: JUMPI
0000002f: DUP1
00000030: PUSH4 0x95d89b41
00000035: EQ
00000036: PUSH2 0x00c8
00000039: JUMPI
0000003a: DUP1
0000003b: PUSH4 0xa9059cbb
00000040: EQ
00000041: PUSH2 0x0123
00000044: JUMPI
00000045: JUMPDEST
00000046: STOP
00000047: JUMPDEST
00000048: PUSH2 0x0152
0000004b: PUSH1 0x00
0000004d: DUP1
0000004e: SLOAD
0000004f: PUSH1 0x20
00000051: PUSH1 0x02
00000053: PUSH1 0x01
00000055: DUP4
00000056: AND
00000057: ISZERO
00000058: PUSH2 0x0100
0000005b: MUL
0000005c: PUSH1 0x00
0000005e: NOT
0000005f: ADD
00000060: SWAP1
00000061: SWAP3
00000062: AND
00000063: SWAP2
00000064: SWAP1
00000065: SWAP2
00000066: DIV
00000067: PUSH1 0x1f
00000069: DUP2
0000006a: ADD
0000006b: DUP3
0000006c: SWAP1
0000006d: DIV
0000006e: SWAP1
0000006f: SWAP2
00000070: MUL
00000071: PUSH1 0x80
00000073: SWAP1
00000074: DUP2
00000075: ADD
00000076: PUSH1 0x40
00000078: MSTORE
00000079: PUSH1 0x60
0000007b: DUP3
0000007c: DUP2
0000007d: MSTORE
0000007e: SWAP3
0000007f: SWAP2
00000080: SWAP1
00000081: DUP3
00000082: DUP3
00000083: DUP1
00000084: ISZERO
00000085: PUSH2 0x01f5
00000088: JUMPI
00000089: DUP1
0000008a: PUSH1 0x1f
0000008c: LT
0000008d: PUSH2 0x01ca
00000090: JUMPI
00000091: PUSH2 0x0100
00000094: DUP1
00000095: DUP4
00000096: SLOAD
00000097: DIV
00000098: MUL
00000099: DUP4
0000009a: MSTORE
0000009b: SWAP2
0000009c: PUSH1 0x20
0000009e: ADD
0000009f: SWAP2
000000a0: PUSH2 0x01f5
000000a3: JUMP
000000a4: JUMPDEST
000000a5: PUSH2 0x01c0
000000a8: PUSH1 0x02
000000aa: SLOAD
000000ab: PUSH1 0xff
000000ad: AND
000000ae: DUP2
000000af: JUMP
000000b0: JUMPDEST
000000b1: PUSH2 0x01c0
000000b4: PUSH1 0x04
000000b6: CALLDATALOAD
000000b7: PUSH1 0x03
000000b9: PUSH1 0x20
000000bb: MSTORE
000000bc: PUSH1 0x00
000000be: SWAP1
000000bf: DUP2
000000c0: MSTORE
000000c1: PUSH1 0x40
000000c3: SWAP1
000000c4: KECCAK256
000000c5: SLOAD
000000c6: DUP2
000000c7: JUMP
000000c8: JUMPDEST
000000c9: PUSH2 0x0152
000000cc: PUSH1 0x01
000000ce: DUP1
000000cf: SLOAD
000000d0: PUSH1 0x20
000000d2: PUSH1 0x1f
000000d4: PUSH1 0x02
000000d6: PUSH1 0x00
000000d8: NOT
000000d9: PUSH2 0x0100
000000dc: DUP6
000000dd: DUP8
000000de: AND
000000df: ISZERO
000000e0: MUL
000000e1: ADD
000000e2: SWAP1
000000e3: SWAP4
000000e4: AND
000000e5: SWAP3
000000e6: SWAP1
000000e7: SWAP3
000000e8: DIV
000000e9: SWAP2
000000ea: DUP3
000000eb: ADD
000000ec: DUP2
000000ed: SWAP1
000000ee: DIV
000000ef: MUL
000000f0: PUSH1 0x80
000000f2: SWAP1
000000f3: DUP2
000000f4: ADD
000000f5: PUSH1 0x40
000000f7: MSTORE
000000f8: PUSH1 0x60
000000fa: DUP3
000000fb: DUP2
000000fc: MSTORE
000000fd: SWAP3
000000fe: SWAP2
000000ff: SWAP1
00000100: DUP3
00000101: DUP3
00000102: DUP1
00000103: ISZERO
00000104: PUSH2 0x01f5
00000107: JUMPI
00000108: DUP1
00000109: PUSH1 0x1f
0000010b: LT
0000010c: PUSH2 0x01ca
0000010f: JUMPI
00000110: PUSH2 0x0100
00000113: DUP1
00000114: DUP4
00000115: SLOAD
00000116: DIV
00000117: MUL
00000118: DUP4
00000119: MSTORE
0000011a: SWAP2
0000011b: PUSH1 0x20
0000011d: ADD
0000011e: SWAP2
0000011f: PUSH2 0x01f5
00000122: JUMP
00000123: JUMPDEST
00000124: PUSH2 0x0045
00000127: PUSH1 0x04
00000129: CALLDATALOAD
0000012a: PUSH1 0x24
0000012c: CALLDATALOAD
0000012d: PUSH1 0x01
0000012f: PUSH1 0xa0
00000131: PUSH1 0x02
00000133: EXP
00000134: SUB
00000135: CALLER
00000136: AND
00000137: PUSH1 0x00
00000139: SWAP1
0000013a: DUP2
0000013b: MSTORE
0000013c: PUSH1 0x03
0000013e: PUSH1 0x20
00000140: MSTORE
00000141: PUSH1 0x40
00000143: SWAP1
00000144: KECCAK256
00000145: SLOAD
00000146: DUP2
00000147: SWAP1
00000148: LT
00000149: ISZERO
0000014a: PUSH2 0x01fd
0000014d: JUMPI
0000014e: PUSH2 0x0002
00000151: JUMP
00000152: JUMPDEST
00000153: PUSH1 0x40
00000155: MLOAD
00000156: DUP1
00000157: DUP1
00000158: PUSH1 0x20
0000015a: ADD
0000015b: DUP3
0000015c: DUP2
0000015d: SUB
0000015e: DUP3
0000015f: MSTORE
00000160: DUP4
00000161: DUP2
00000162: DUP2
00000163: MLOAD
00000164: DUP2
00000165: MSTORE
00000166: PUSH1 0x20
00000168: ADD
00000169: SWAP2
0000016a: POP
0000016b: DUP1
0000016c: MLOAD
0000016d: SWAP1
0000016e: PUSH1 0x20
00000170: ADD
00000171: SWAP1
00000172: DUP1
00000173: DUP4
00000174: DUP4
00000175: DUP3
00000176: SWAP1
00000177: PUSH1 0x00
00000179: PUSH1 0x04
0000017b: PUSH1 0x20
0000017d: DUP5
0000017e: PUSH1 0x1f
00000180: ADD
00000181: DIV
00000182: PUSH1 0x0f
00000184: MUL
00000185: PUSH1 0x03
00000187: ADD
00000188: CALL
00000189: POP
0000018a: SWAP1
0000018b: POP
0000018c: SWAP1
0000018d: DUP2
0000018e: ADD
0000018f: SWAP1
00000190: PUSH1 0x1f
00000192: AND
00000193: DUP1
00000194: ISZERO
00000195: PUSH2 0x01b2
00000198: JUMPI
00000199: DUP1
0000019a: DUP3
0000019b: SUB
0000019c: DUP1
0000019d: MLOAD
0000019e: PUSH1 0x01
000001a0: DUP4
000001a1: PUSH1 0x20
000001a3: SUB
000001a4: PUSH2 0x0100
000001a7: EXP
000001a8: SUB
000001a9: NOT
000001aa: AND
000001ab: DUP2
000001ac: MSTORE
000001ad: PUSH1 0x20
000001af: ADD
000001b0: SWAP2
000001b1: POP
000001b2: JUMPDEST
000001b3: POP
000001b4: SWAP3
000001b5: POP
000001b6: POP
000001b7: POP
000001b8: PUSH1 0x40
000001ba: MLOAD
000001bb: DUP1
000001bc: SWAP2
000001bd: SUB
000001be: SWAP1
000001bf: RETURN
000001c0: JUMPDEST
000001c1: PUSH1 0x60
000001c3: SWAP1
000001c4: DUP2
000001c5: MSTORE
000001c6: PUSH1 0x20
000001c8: SWAP1
000001c9: RETURN
000001ca: JUMPDEST
000001cb: DUP3
000001cc: ADD
000001cd: SWAP2
000001ce: SWAP1
000001cf: PUSH1 0x00
000001d1: MSTORE
000001d2: PUSH1 0x20
000001d4: PUSH1 0x00
000001d6: KECCAK256
000001d7: SWAP1
000001d8: JUMPDEST
000001d9: DUP2
000001da: SLOAD
000001db: DUP2
000001dc: MSTORE
000001dd: SWAP1
000001de: PUSH1 0x01
000001e0: ADD
000001e1: SWAP1
000001e2: PUSH1 0x20
000001e4: ADD
000001e5: DUP1
000001e6: DUP4
000001e7: GT
000001e8: PUSH2 0x01d8
000001eb: JUMPI
000001ec: DUP3
000001ed: SWAP1
000001ee: SUB
000001ef: PUSH1 0x1f
000001f1: AND
000001f2: DUP3
000001f3: ADD
000001f4: SWAP2
000001f5: JUMPDEST
000001f6: POP
000001f7: POP
000001f8: POP
000001f9: POP
000001fa: POP
000001fb: DUP2
000001fc: JUMP
000001fd: JUMPDEST
000001fe: PUSH1 0x01
00000200: PUSH1 0xa0
00000202: PUSH1 0x02
00000204: EXP
00000205: SUB
00000206: DUP3
00000207: AND
00000208: PUSH1 0x00
0000020a: SWAP1
0000020b: DUP2
0000020c: MSTORE
0000020d: PUSH1 0x40
0000020f: SWAP1
00000210: KECCAK256
00000211: SLOAD
00000212: DUP1
00000213: DUP3
00000214: ADD
00000215: LT
00000216: ISZERO
00000217: PUSH2 0x021f
0000021a: JUMPI
0000021b: PUSH2 0x0002
0000021e: JUMP
0000021f: JUMPDEST
00000220: DUP1
00000221: PUSH1 0x03
00000223: PUSH1 0x00
00000225: POP
00000226: PUSH1 0x00
00000228: CALLER
00000229: PUSH1 0x01
0000022b: PUSH1 0xa0
0000022d: PUSH1 0x02
0000022f: EXP
00000230: SUB
00000231: AND
00000232: DUP2
00000233: MSTORE
00000234: PUSH1 0x20
00000236: ADD
00000237: SWAP1
00000238: DUP2
00000239: MSTORE
0000023a: PUSH1 0x20
0000023c: ADD
0000023d: PUSH1 0x00
0000023f: KECCAK256
00000240: PUSH1 0x00
00000242: DUP3
00000243: DUP3
00000244: DUP3
00000245: POP
00000246: SLOAD
00000247: SUB
00000248: SWAP3
00000249: POP
0000024a: POP
0000024b: DUP2
0000024c: SWAP1
0000024d: SSTORE
0000024e: POP
0000024f: DUP1
00000250: PUSH1 0x03
00000252: PUSH1 0x00
00000254: POP
00000255: PUSH1 0x00
00000257: DUP5
00000258: PUSH1 0x01
0000025a: PUSH1 0xa0
0000025c: PUSH1 0x02
0000025e: EXP
0000025f: SUB
00000260: AND
00000261: DUP2
00000262: MSTORE
00000263: PUSH1 0x20
00000265: ADD
00000266: SWAP1
00000267: DUP2
00000268: MSTORE
00000269: PUSH1 0x20
0000026b: ADD
0000026c: PUSH1 0x00
0000026e: KECCAK256
0000026f: PUSH1 0x00
00000271: DUP3
00000272: DUP3
00000273: DUP3
00000274: POP
00000275: SLOAD
00000276: ADD
00000277: SWAP3
00000278: POP
00000279: POP
0000027a: DUP2
0000027b: SWAP1
0000027c: SSTORE
0000027d: POP
0000027e: DUP2
0000027f: PUSH1 0x01
00000281: PUSH1 0xa0
00000283: PUSH1 0x02
00000285: EXP
00000286: SUB
00000287: AND
00000288: CALLER
00000289: PUSH1 0x01
0000028b: PUSH1 0xa0
0000028d: PUSH1 0x02
0000028f: EXP
00000290: SUB
00000291: AND
00000292: PUSH32 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef
000002b3: DUP4
000002b4: PUSH1 0x40
000002b6: MLOAD
000002b7: DUP1
000002b8: DUP3
000002b9: DUP2
000002ba: MSTORE
000002bb: PUSH1 0x20
000002bd: ADD
000002be: SWAP2
000002bf: POP
000002c0: POP
000002c1: PUSH1 0x40
000002c3: MLOAD
000002c4: DUP1
000002c5: SWAP2
000002c6: SUB
000002c7: SWAP1
000002c8: LOG3
000002c9: POP
000002ca: POP
000002cb: JUMP

Findings

validated = confirmed for call sinks; sink observed for others
Severity Category Tool Title Confidence Validated Confirmed Details
high other detector Untrusted CALL target/value reachable 60 yes yes
trace_id: 0x63cd94dc2b900409aa6488032881b6cfe5214b94c9790e7cb4953c603e64e60f
call_targets: 0x0000000000000000000000000000000000000004, 0x6e724ccc59c1a72f733a31b41c8594413363d80b
target_varies: yes
classification: target_varies
validation_json
{
    "sink": "CALL",
    "errors": 0,
    "status": "confirmed",
    "attempts": 1,
    "trace_id": "0x63cd94dc2b900409aa6488032881b6cfe5214b94c9790e7cb4953c603e64e60f",
    "confirmed": true,
    "trace_mode": "callTracer",
    "call_targets": [
        "0x0000000000000000000000000000000000000004",
        "0x6e724ccc59c1a72f733a31b41c8594413363d80b"
    ],
    "matched_probe": null,
    "target_varies": true,
    "classification": "target_varies"
}
witness_json
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x06fdde03",
            "selector": "0x06fdde03",
            "calldata_variants": [
                "0x06fdde03",
                "0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x313ce567",
            "selector": "0x313ce567",
            "calldata_variants": [
                "0x313ce567",
                "0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x70a08231",
            "selector": "0x70a08231",
            "calldata_variants": [
                "0x70a08231",
                "0x70a082310000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x95d89b41",
            "selector": "0x95d89b41",
            "calldata_variants": [
                "0x95d89b41",
                "0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xa9059cbb",
            "selector": "0xa9059cbb",
            "calldata_variants": [
                "0xa9059cbb",
                "0xa9059cbb0000000000000000000000000000000000000000000000000000000000000000"
            ]
        }
    ]
}
evidence_json
{
    "examples": [
        {
            "pc": 392,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        }
    ],
    "call_count": 1,
    "guards_detected": [],
    "untrusted_call_count": 1
}
high other detector ETH value transfer possible 55 yes yes
trace_id: 0x63cd94dc2b900409aa6488032881b6cfe5214b94c9790e7cb4953c603e64e60f
call_targets: 0x0000000000000000000000000000000000000004, 0x6e724ccc59c1a72f733a31b41c8594413363d80b
target_varies: yes
classification: target_varies
validation_json
{
    "sink": "CALL",
    "errors": 0,
    "status": "confirmed",
    "attempts": 1,
    "trace_id": "0x63cd94dc2b900409aa6488032881b6cfe5214b94c9790e7cb4953c603e64e60f",
    "confirmed": true,
    "trace_mode": "callTracer",
    "call_targets": [
        "0x0000000000000000000000000000000000000004",
        "0x6e724ccc59c1a72f733a31b41c8594413363d80b"
    ],
    "matched_probe": null,
    "target_varies": true,
    "classification": "target_varies"
}
witness_json
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x06fdde03",
            "selector": "0x06fdde03",
            "calldata_variants": [
                "0x06fdde03",
                "0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x313ce567",
            "selector": "0x313ce567",
            "calldata_variants": [
                "0x313ce567",
                "0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x70a08231",
            "selector": "0x70a08231",
            "calldata_variants": [
                "0x70a08231",
                "0x70a082310000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x95d89b41",
            "selector": "0x95d89b41",
            "calldata_variants": [
                "0x95d89b41",
                "0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xa9059cbb",
            "selector": "0xa9059cbb",
            "calldata_variants": [
                "0xa9059cbb",
                "0xa9059cbb0000000000000000000000000000000000000000000000000000000000000000"
            ]
        }
    ]
}
evidence_json
{
    "examples": [
        {
            "pc": 392,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        }
    ],
    "eth_value_calls": 1,
    "guards_detected": []
}
low other codex Fallback silently accepts arbitrary calldata and ETH 65 no
evidence_json
{
    "evidence": "The dispatcher compares only five selectors, then falls through to pc 0x45 where execution halts with STOP rather than REVERT. There is no CALLVALUE check anywhere in the dispatch path, so plain ETH transfers are accepted. No withdrawal, selfdestruct, proxy, or other ETH-recovery path is evidenced in the bundle. This is a strong bytecode-level observation, though source-level intent is unknown.",
    "locations": [
        "pc:0x45"
    ],
    "recommendation": "Make the fallback/receive path revert by default, or add an explicit recovery/withdraw mechanism if ETH reception is intended. Integrators should not rely on low-level call success alone when interacting with this contract.",
    "exploit_scenario": "Because unmatched selectors fall through to a STOP instead of REVERT, a user can accidentally send ETH to the token contract and it will be accepted with no recovery path evident in the bytecode. Likewise, an external system using low-level call semantics could treat unsupported token operations as successful no-ops, creating accounting mistakes on the integrator side."
}
low other codex `transfer` is non-standard: no boolean return and throw-style failures consume all gas 65 no
evidence_json
{
    "evidence": "The `0xa9059cbb` path executes balance updates and event emission, then jumps to pc 0x45 (STOP) with no RETURN payload, so no bool is returned. The insufficient-balance and overflow checks branch via `PUSH2 0x0002; JUMP` at pcs 0x14e and 0x21b; pc 0x0002 is not a JUMPDEST, so those paths exceptional-halt instead of REVERT. Selector inference is best-effort, but this pattern strongly matches an old ERC20-style transfer implementation.",
    "locations": [
        "selector:0xa9059cbb",
        "pc:0x14e",
        "pc:0x21b",
        "pc:0x45"
    ],
    "recommendation": "If the contract can be replaced/upgraded, return a 32-byte `true` value from `transfer` and use REVERT for failure paths. Otherwise, integrations should use SafeERC20-style wrappers and avoid assumptions about returndata or cheap failure semantics.",
    "exploit_scenario": "Integrations that expect ERC20-compliant `transfer(address,uint256) returns (bool)` behavior may revert or mis-handle this token. Failed transfers also appear to use an invalid jump rather than REVERT, so error cases can consume all remaining gas and break gas-sensitive flows."
}