019b3836-3005-71b8-a8ef-ecd5ea5d9540
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 2539 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 2540 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 45692 | analysis.bundle | complete | 1 / 3 | 1 week ago |
| 45693 | capability.graph | complete | 1 / 3 | 1 week ago |
| 45694 | detector.run | complete | 1 / 3 | 1 week ago |
| 45695 | validation.fork | complete | 1 / 3 | 1 week ago |
| 113248 | report.consolidate | complete | 1 / 6 | 1 week ago |
No slither job recorded yet.
{
  "no_findings": false,
  "summary": "The meaningful issue in this bytecode is an unprotected initializer-style entrypoint: selector inference suggests `0xb50a89f3` can set caller balance and overwrite token metadata without any detected guard. The detector-reported `CALL` at `pc:0x2d1` looks like the identity precompile (`0x04`) used for memory copying, so I did not treat it as a standalone untrusted-call exploit; however, the contract also appears implicitly payable and may trap ETH.",
  "findings": [
    {
      "severity": "critical",
      "category": "access_control",
      "title": "Public initializer-style function can assign arbitrary balance and rewrite metadata",
      "exploit_scenario": "A public caller invokes the unknown selector `0xb50a89f3` with crafted arguments. The routine appears to write `balances[msg.sender]` in the slot-3 mapping, with a zero amount defaulting to `0x0f4240` (1,000,000), and then rewrites the dynamic data stored in slots 0 and 1 plus the low byte of slot 2. Because no owner check or one-time initialization guard is evident, any attacker can repeatedly mint/reassign their own balance and change name/symbol/decimals-like metadata after deployment.",
      "recommendation": "Treat this path as an initializer/admin function and protect it accordingly: restrict it to deployment/constructor time or a privileged role, add a single-use initialized flag, and separate metadata initialization from user-callable runtime logic.",
      "evidence": "Selector inference is best-effort, but the jump table routes `0xb50a89f3` to `pc:0x166`. No auth guards were detected in the artifact. Inside that routine, `CALLER` is masked and hashed with storage slot `0x03`, then stored via `SSTORE` at `pc:0x21e`, indicating a caller-indexed balance write. The amount appears to come from calldata, with a zero input replaced by `0x0f4240` at `pc:0x1fb-0x1ff`. The same routine then writes dynamic storage associated with slots 0 and 1 (`pc:0x27e`, `pc:0x473`) and updates the low byte of slot 2 at `pc:0x4c2`, consistent with metadata/decimals initialization.",
      "locations": ["selector:0xb50a89f3", "pc:0x166", "pc:0x1fb", "pc:0x21e", "pc:0x27e", "pc:0x473", "pc:0x4c2"]
    },
    {
      "severity": "low",
      "category": "other",
      "title": "Contract appears payable and may permanently lock ETH",
      "exploit_scenario": "A user sends ETH directly to the contract or includes `msg.value` when calling one of its functions. The bytecode shows no `CALLVALUE` rejection anywhere, and the fallback/default path stops successfully instead of reverting. Since the only observed `CALL` appears to target precompile `0x04` for internal memory-copy behavior rather than an outbound payment path, accidentally sent ETH may become unrecoverable.",
      "recommendation": "If ETH should never be held, add a non-payable fallback/receive behavior (or explicit value checks) so ETH-bearing calls revert. If ETH custody is intended, add an explicit, access-controlled withdrawal path.",
      "evidence": "There is no `CALLVALUE` opcode in the runtime bytecode, so functions/fallback are implicitly payable. The dispatcher falls through to `STOP` at `pc:0x56` for empty/unmatched calldata. The sole callsite is `pc:0x2d1`; the surrounding sequence includes fixed pushes `PUSH1 0x00`, `PUSH1 0x04`, then `CALL`, which is consistent with the identity precompile rather than a user-controlled payout. This conclusion is based on bytecode pattern matching only.",
      "locations": ["pc:0x56", "pc:0x2d1"]
    }
  ]
}
OpenAI Codex v0.118.0 (research preview)
--------
workdir: /tmp/codex-0lj1x8r2
model: gpt-5.4
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: none
session id: 019d5b9b-d6d8-7da0-8a39-39dc6aba808d
--------
user
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
warning: Codex could not find system bubblewrap on PATH. Please install bubblewrap with your package manager. Codex will use the vendored bubblewrap in the meantime.
exec
/bin/bash -lc "pwd && ls -la && rg --files -g 'BYTECODE_BUNDLE.json' -g 'AGENTS.md'" in /tmp/codex-0lj1x8r2
succeeded in 0ms:
/tmp/codex-0lj1x8r2
total 112
drwx------ 2 noahkuhn noahkuhn 4096 Apr 5 03:07 .
drwxrwxrwt 270 nobody nogroup 24576 Apr 5 03:07 ..
-rw-rw-r-- 1 noahkuhn noahkuhn 73847 Apr 5 03:07 BYTECODE_BUNDLE.json
-rw-rw-r-- 1 noahkuhn noahkuhn 815 Apr 5 03:07 codex-output-schema.json
BYTECODE_BUNDLE.json
exec
/bin/bash -lc "sed -n '1,260p' BYTECODE_BUNDLE.json" in /tmp/codex-0lj1x8r2
succeeded in 0ms:
{
"analysis_artifact": {
"address": "0x0d90b565cd67733f70c21fe38f355e3469012856",
"artifact_hash": "0x2dd5a0551c20bb19b66cc1d5879891b20ed98033b2d2d558f1245abe92a197f6",
"artifact_json": {
"auth": {
"guards": []
},
"basic_blocks": [
{
"end_pc": 10,
"hash": "0xd3735ca9c20e935b30a407d576a537251104b99507f47da2b56ac0d6547da5e0",
"opcodes": [
"PUSH1",
"PUSH1",
"MSTORE",
"CALLDATASIZE",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 0
},
{
"end_pc": 30,
"hash": "0x7c80318ec140e5347a61cf378e96af69c7c6fb0ddb816f96bc65f60e482b95b3",
"opcodes": [
"PUSH1",
"PUSH1",
"EXP",
"PUSH1",
"CALLDATALOAD",
"DIV",
"PUSH4",
"OP_81",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 11
},
{
"end_pc": 41,
"hash": "0xec314bd444043325aca44df4a0fc7a8084014dfb252c1a26f4fd87ec87394ed8",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 31
},
{
"end_pc": 52,
"hash": "0xc3c70c63fca2254f6427823412690a3a46ebd41190d57160679fe0211d944b9c",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 42
},
{
"end_pc": 63,
"hash": "0x89706dd25dd3a38f0e843175a71b5d07c1c9a3be698c1bc8515367773b424ff6",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 53
},
{
"end_pc": 74,
"hash": "0xdb01cc10e93e459d97860d8644def4fc74c4eef976870bfe5051b5e78117ee3c",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 64
},
{
"end_pc": 85,
"hash": "0xb5f5cce93152760281d040e318c0c47b65b48f7084e4c8aef4524d0697a56bdc",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 75
},
{
"end_pc": 87,
"hash": "0x5f16f1452b945fe2013a5da2a330eeba5ff0e75bc87856dd3fe9b41c091b9e59",
"opcodes": [
"JUMPDEST",
"STOP"
],
"start_pc": 86
},
{
"end_pc": 154,
"hash": "0xf733fabdc27bde7553bb230603d6bfd6c84570232223c913be26ee3dc129a229",
"opcodes": [
"JUMPDEST",
"PUSH1",
"OP_80",
"MLOAD",
"PUSH1",
"OP_80",
"SLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"OP_83",
"AND",
"ISZERO",
"PUSH2",
"MUL",
"PUSH1",
"NOT",
"ADD",
"OP_90",
"OP_92",
"AND",
"OP_91",
"OP_90",
"OP_91",
"DIV",
"PUSH1",
"OP_81",
"ADD",
"OP_82",
"OP_90",
"DIV",
"OP_82",
"MUL",
"OP_84",
"ADD",
"OP_82",
"ADD",
"OP_90",
"OP_94",
"MSTORE",
"OP_83",
"OP_83",
"MSTORE",
"PUSH2",
"OP_93",
"OP_90",
"OP_83",
"ADD",
"OP_82",
"OP_82",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 88
},
{
"end_pc": 162,
"hash": "0xd6379d4712e636be9562ae8cb904aeedf6063a12e4ea1f3dc9f2de7cfb20909c",
"opcodes": [
"OP_80",
"PUSH1",
"LT",
"PUSH2",
"JUMPI"
],
"start_pc": 155
},
{
"end_pc": 181,
"hash": "0x354e7f61111647c532a7332c854fa2d3a611c75f6e152c467fcc24a93b85109e",
"opcodes": [
"PUSH2",
"OP_80",
"OP_83",
"SLOAD",
"DIV",
"MUL",
"OP_83",
"MSTORE",
"OP_91",
"PUSH1",
"ADD",
"OP_91",
"PUSH2",
"JUMP"
],
"start_pc": 163
},
{
"end_pc": 193,
"hash": "0x359bbd8b0a39840aed95740f2e8a4c8e7ab48f6fb7ac4d98a41d7c0b31aa81f6",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"SLOAD",
"PUSH1",
"AND",
"OP_81",
"JUMP"
],
"start_pc": 182
},
{
"end_pc": 217,
"hash": "0x28a01eb2d8340227ad5e726d3e32d442a52f2b422314b842ed4f3588fabfe8e6",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"OP_90",
"SHA3",
"SLOAD",
"OP_81",
"JUMP"
],
"start_pc": 194
},
{
"end_pc": 283,
"hash": "0x093cd160697e3795cfe1367ffa81339f37d0600861eaca48428a279720d8fbe9",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"OP_80",
"SLOAD",
"PUSH1",
"OP_80",
"MLOAD",
"PUSH1",
"PUSH1",
"OP_84",
"OP_86",
"AND",
exec
/bin/bash -lc "sed -n '261,520p' BYTECODE_BUNDLE.json" in /tmp/codex-0lj1x8r2
succeeded in 0ms:
"ISZERO",
"PUSH2",
"MUL",
"PUSH1",
"NOT",
"ADD",
"OP_90",
"OP_94",
"AND",
"OP_93",
"OP_90",
"OP_93",
"DIV",
"PUSH1",
"OP_81",
"ADD",
"OP_84",
"OP_90",
"DIV",
"OP_84",
"MUL",
"OP_82",
"ADD",
"OP_84",
"ADD",
"OP_90",
"OP_92",
"MSTORE",
"OP_81",
"OP_81",
"MSTORE",
"OP_92",
"OP_91",
"OP_83",
"ADD",
"OP_82",
"OP_82",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 218
},
{
"end_pc": 291,
"hash": "0x8eb2d6f763341073d5d79dcb93d77e7af1134a6e4a8c8765b5ecf441d0792a60",
"opcodes": [
"OP_80",
"PUSH1",
"LT",
"PUSH2",
"JUMPI"
],
"start_pc": 284
},
{
"end_pc": 310,
"hash": "0xbf29b71b24249c306c07e69c592f157d458fb4ba203af32f100d5b7bc65755ca",
"opcodes": [
"PUSH2",
"OP_80",
"OP_83",
"SLOAD",
"DIV",
"MUL",
"OP_83",
"MSTORE",
"OP_91",
"PUSH1",
"ADD",
"OP_91",
"PUSH2",
"JUMP"
],
"start_pc": 292
},
{
"end_pc": 353,
"hash": "0x8998036da8b986221ef7858753b3b485d7464da0034b21c1ffb28320c63e3de4",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"CALLER",
"AND",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_90",
"SHA3",
"SLOAD",
"OP_81",
"OP_90",
"LT",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 311
},
{
"end_pc": 357,
"hash": "0x11f56092e1a7d5e59904ee1d1da8bc3620f0ed30cb7c1713c40992e650a4b318",
"opcodes": [
"PUSH2",
"JUMP"
],
"start_pc": 354
},
{
"end_pc": 506,
"hash": "0x9e9363cbd84edef147dd2f71438a15386473a97dfacf94da55363959483c454f",
"opcodes": [
"JUMPDEST",
"PUSH1",
"OP_80",
"MLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"OP_80",
"CALLDATALOAD",
"OP_82",
"OP_81",
"ADD",
"CALLDATALOAD",
"PUSH1",
"OP_81",
"ADD",
"OP_85",
"OP_90",
"DIV",
"OP_85",
"MUL",
"OP_86",
"ADD",
"OP_85",
"ADD",
"OP_90",
"OP_96",
"MSTORE",
"OP_85",
"OP_85",
"MSTORE",
"PUSH2",
"OP_95",
"OP_83",
"CALLDATALOAD",
"OP_95",
"OP_93",
"OP_94",
"PUSH1",
"OP_94",
"OP_93",
"OP_92",
"OP_90",
"OP_92",
"ADD",
"OP_91",
"OP_81",
"OP_90",
"OP_84",
"ADD",
"OP_83",
"OP_82",
"OP_80",
"OP_82",
"OP_84",
"CALLDATACOPY",
"POP",
"POP",
"PUSH1",
"OP_80",
"MLOAD",
"PUSH1",
"OP_97",
"CALLDATALOAD",
"OP_80",
"OP_8A",
"ADD",
"CALLDATALOAD",
"PUSH1",
"OP_81",
"ADD",
"OP_8A",
"OP_90",
"DIV",
"OP_8A",
"MUL",
"OP_83",
"ADD",
"OP_8A",
"ADD",
"OP_90",
"OP_93",
"MSTORE",
"OP_82",
"OP_82",
"MSTORE",
"OP_96",
"OP_98",
"OP_97",
"PUSH1",
"OP_97",
"OP_91",
"OP_96",
"POP",
"PUSH1",
"OP_91",
"OP_90",
"OP_91",
"ADD",
"OP_94",
"POP",
"OP_90",
"OP_92",
"POP",
"OP_82",
"OP_91",
"POP",
"OP_84",
"ADD",
"OP_83",
"OP_82",
"OP_80",
"OP_82",
"OP_84",
"CALLDATACOPY",
"POP",
"OP_94",
"OP_96",
"POP",
"POP",
"OP_93",
"CALLDATALOAD",
"OP_93",
"POP",
"POP",
"POP",
"POP",
"OP_83",
"PUSH1",
"EQ",
"ISZERO",
"PUSH2",
"JUMPI"
exec
/bin/bash -lc "sed -n '521,780p' BYTECODE_BUNDLE.json" in /tmp/codex-0lj1x8r2
succeeded in 0ms:
],
"start_pc": 358
},
{
"end_pc": 512,
"hash": "0x9455849fe92d5b8edc3be99581f7fb0c9b448aaf6a67f03d03b383fb0227a41c",
"opcodes": [
"PUSH3",
"OP_93",
"POP"
],
"start_pc": 507
},
{
"end_pc": 626,
"hash": "0x042ec318b9622f9030a052928085c1aa8a425ad455e8a68510cdb6b115651bc3",
"opcodes": [
"JUMPDEST",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"CALLER",
"AND",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"OP_82",
"SHA3",
"OP_86",
"OP_90",
"SSTORE",
"OP_84",
"MLOAD",
"OP_82",
"SLOAD",
"OP_83",
"OP_80",
"MSTORE",
"PUSH1",
"PUSH1",
"OP_82",
"AND",
"ISZERO",
"PUSH2",
"MUL",
"PUSH1",
"NOT",
"ADD",
"OP_90",
"OP_91",
"AND",
"DIV",
"PUSH1",
"OP_90",
"OP_81",
"ADD",
"OP_83",
"OP_90",
"DIV",
"PUSH32",
"OP_90",
"OP_81",
"ADD",
"OP_93",
"OP_90",
"OP_91",
"OP_90",
"OP_88",
"ADD",
"OP_90",
"OP_83",
"OP_90",
"LT",
"PUSH2",
"JUMPI"
],
"start_pc": 513
},
{
"end_pc": 638,
"hash": "0xa9af3320b27e4b2b25ae8a0837dc00d4689925395f201ab658bf155ec25360df",
"opcodes": [
"OP_80",
"MLOAD",
"PUSH1",
"NOT",
"AND",
"OP_83",
"OP_80",
"ADD",
"OR",
"OP_85",
"SSTORE"
],
"start_pc": 627
},
{
"end_pc": 646,
"hash": "0x3e1323da7f7e9a8e61be328ec697d839daa069f0a9d52bc77995885a112189b4",
"opcodes": [
"JUMPDEST",
"POP",
"PUSH2",
"OP_92",
"OP_91",
"POP"
],
"start_pc": 639
},
{
"end_pc": 655,
"hash": "0xf27e154876319923b47aa481d707aabdf13244632f0b4bfa2a5bc82273a1e02a",
"opcodes": [
"JUMPDEST",
"OP_80",
"OP_82",
"GT",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 647
},
{
"end_pc": 666,
"hash": "0x4afcf834c50690bc207c4d77fd24d18aaf7fa03a8fb31c75ca893e9a41a07834",
"opcodes": [
"PUSH1",
"OP_81",
"SSTORE",
"PUSH1",
"ADD",
"PUSH2",
"JUMP"
],
"start_pc": 656
},
{
"end_pc": 737,
"hash": "0xb9d80aa2d2ef200e4c1e3cc9cd0c0e1a9f2951b84c61565374ba8cabefc08e7a",
"opcodes": [
"JUMPDEST",
"PUSH1",
"MLOAD",
"OP_80",
"OP_80",
"PUSH1",
"ADD",
"OP_82",
"OP_81",
"SUB",
"OP_82",
"MSTORE",
"OP_83",
"OP_81",
"OP_81",
"MLOAD",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP",
"OP_80",
"MLOAD",
"OP_90",
"PUSH1",
"ADD",
"OP_90",
"OP_80",
"OP_83",
"OP_83",
"OP_82",
"OP_90",
"PUSH1",
"PUSH1",
"PUSH1",
"OP_84",
"PUSH1",
"ADD",
"DIV",
"PUSH1",
"MUL",
"PUSH1",
"ADD",
"CALL",
"POP",
"OP_90",
"POP",
"OP_90",
"OP_81",
"ADD",
"OP_90",
"PUSH1",
"AND",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 667
},
{
"end_pc": 762,
"hash": "0x3b3e9d61e37813c3ba5e542843a55d07c0acf47ebe97e2df2dc001d1589a4bd0",
"opcodes": [
"OP_80",
"OP_82",
"SUB",
"OP_80",
"MLOAD",
"PUSH1",
"OP_83",
"PUSH1",
"SUB",
"PUSH2",
"EXP",
"SUB",
"NOT",
"AND",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP"
],
"start_pc": 738
},
{
"end_pc": 776,
"hash": "0x2a9e7e201baa8234276fec3f32b071e10e03336117a4a23dcc4b19760d4bf03d",
"opcodes": [
"JUMPDEST",
"POP",
"OP_92",
"POP",
"POP",
"POP",
"PUSH1",
"MLOAD",
"OP_80",
"OP_91",
"SUB",
"OP_90",
"RETURN"
],
"start_pc": 763
},
{
"end_pc": 799,
exec
/bin/bash -lc "sed -n '781,1040p' BYTECODE_BUNDLE.json" in /tmp/codex-0lj1x8r2
succeeded in 0ms:
"hash": "0x5c05c1b62019ccf7faac5be7ac6501bca9f63ba0ad0edb5548020ee7175166a5",
"opcodes": [
"JUMPDEST",
"PUSH1",
"OP_80",
"MLOAD",
"PUSH1",
"OP_92",
"OP_90",
"OP_92",
"AND",
"OP_82",
"MSTORE",
"MLOAD",
"OP_90",
"OP_81",
"OP_90",
"SUB",
"PUSH1",
"ADD",
"OP_90",
"RETURN"
],
"start_pc": 777
},
{
"end_pc": 817,
"hash": "0x30d589990a283329b1920662cd11ed745720c1d4c080e33ec029602e0d950519",
"opcodes": [
"JUMPDEST",
"PUSH1",
"OP_80",
"MLOAD",
"OP_91",
"OP_82",
"MSTORE",
"MLOAD",
"OP_90",
"OP_81",
"OP_90",
"SUB",
"PUSH1",
"ADD",
"OP_90",
"RETURN"
],
"start_pc": 800
},
{
"end_pc": 831,
"hash": "0x8937d07327202147e091333dd69a7988827be8b5bd24cb76724eaaeb4848cb41",
"opcodes": [
"JUMPDEST",
"OP_82",
"ADD",
"OP_91",
"OP_90",
"PUSH1",
"MSTORE",
"PUSH1",
"PUSH1",
"SHA3",
"OP_90"
],
"start_pc": 818
},
{
"end_pc": 851,
"hash": "0x011147dd2d4d741f6d3d625a76936cec4cfaee40840801b97e2582da43a9eb80",
"opcodes": [
"JUMPDEST",
"OP_81",
"SLOAD",
"OP_81",
"MSTORE",
"OP_90",
"PUSH1",
"ADD",
"OP_90",
"PUSH1",
"ADD",
"OP_80",
"OP_83",
"GT",
"PUSH2",
"JUMPI"
],
"start_pc": 832
},
{
"end_pc": 860,
"hash": "0x40a6d65b54718011c2b6a19cf750d9039a083b10c1ff3fdfdf28f68345ec6c57",
"opcodes": [
"OP_82",
"OP_90",
"SUB",
"PUSH1",
"AND",
"OP_82",
"ADD",
"OP_91"
],
"start_pc": 852
},
{
"end_pc": 868,
"hash": "0xccae53486cc51b866042c9df2a20d0fcb5ccd1f3ebe28797f97e9fc0235c4c00",
"opcodes": [
"JUMPDEST",
"POP",
"POP",
"POP",
"POP",
"POP",
"OP_81",
"JUMP"
],
"start_pc": 861
},
{
"end_pc": 903,
"hash": "0xdb432b29e8da47630f0568fc37189ef65cc73959110a131cf8058045f1a35bd5",
"opcodes": [
"JUMPDEST",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"OP_82",
"AND",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_90",
"SHA3",
"SLOAD",
"OP_80",
"OP_82",
"ADD",
"LT",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 869
},
{
"end_pc": 907,
"hash": "0x673dad131e400f9cdb92f040c9f2dbda95004ca4086e8a820487d885122d5a1e",
"opcodes": [
"PUSH2",
"JUMP"
],
"start_pc": 904
},
{
"end_pc": 1014,
"hash": "0x398ccc8db1a9fb9508b87293837da1c92c2b741a60c2e545e8796a2ba8ad0c70",
"opcodes": [
"JUMPDEST",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"CALLER",
"OP_81",
"AND",
"PUSH1",
"OP_81",
"OP_81",
"MSTORE",
"PUSH1",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"OP_80",
"OP_83",
"SHA3",
"OP_80",
"SLOAD",
"OP_87",
"OP_90",
"SUB",
"OP_90",
"SSTORE",
"OP_93",
"OP_86",
"AND",
"OP_80",
"OP_83",
"MSTORE",
"OP_91",
"OP_84",
"OP_90",
"SHA3",
"OP_80",
"SLOAD",
"OP_86",
"ADD",
"OP_90",
"SSTORE",
"OP_83",
"MLOAD",
"OP_85",
"OP_81",
"MSTORE",
"OP_93",
"MLOAD",
"OP_91",
"OP_93",
"PUSH32",
"OP_92",
"OP_90",
"OP_81",
"OP_90",
"SUB",
"OP_90",
"OP_91",
"ADD",
"OP_90",
"OP_A3",
"POP",
"POP",
"JUMP"
],
"start_pc": 908
},
{
"end_pc": 1029,
"hash": "0x8859489407b26b483a4a07653d307961bc2bda28aca742b3de4798ec07318503",
"opcodes": [
"JUMPDEST",
"OP_82",
"OP_80",
"ADD",
"PUSH1",
"ADD",
"OP_85",
"SSTORE",
"OP_82",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 1015
},
{
"end_pc": 1032,
"hash": "0xfaff68196a15f2abf1db4fd482c57bcd2c416ab228c2702145cd34ffee3c8709",
"opcodes": [
"OP_91",
exec
/bin/bash -lc "sed -n '1041,1300p' BYTECODE_BUNDLE.json" in /tmp/codex-0lj1x8r2
succeeded in 0ms:
"OP_82",
"ADD"
],
"start_pc": 1030
},
{
"end_pc": 1041,
"hash": "0xe3cbf43ffc8aa2f94665cc0742b26a37fab5918b737af0e65213ffaedd690480",
"opcodes": [
"JUMPDEST",
"OP_82",
"OP_81",
"GT",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 1033
},
{
"end_pc": 1062,
"hash": "0xf18dbc048d17293694cfc19a7e265d8589bbd0e1de673795a093e8614b8b3d71",
"opcodes": [
"OP_82",
"MLOAD",
"OP_82",
"PUSH1",
"POP",
"SSTORE",
"OP_91",
"PUSH1",
"ADD",
"OP_91",
"OP_90",
"PUSH1",
"ADD",
"OP_90",
"PUSH2",
"JUMP"
],
"start_pc": 1042
},
{
"end_pc": 1127,
"hash": "0xc87860ff16201f3d3db3f369e3146b88e3df5e134a95c6140f46b98dbefaf45d",
"opcodes": [
"JUMPDEST",
"POP",
"POP",
"OP_81",
"PUSH1",
"PUSH1",
"POP",
"OP_90",
"OP_80",
"MLOAD",
"OP_90",
"PUSH1",
"ADD",
"OP_90",
"OP_82",
"OP_80",
"SLOAD",
"PUSH1",
"OP_81",
"PUSH1",
"AND",
"ISZERO",
"PUSH2",
"MUL",
"SUB",
"AND",
"PUSH1",
"OP_90",
"DIV",
"OP_90",
"PUSH1",
"MSTORE",
"PUSH1",
"PUSH1",
"SHA3",
"OP_90",
"PUSH1",
"ADD",
"PUSH1",
"OP_90",
"DIV",
"OP_81",
"ADD",
"OP_92",
"OP_82",
"PUSH1",
"LT",
"PUSH2",
"JUMPI"
],
"start_pc": 1063
},
{
"end_pc": 1139,
"hash": "0xf08ad7db06f67669dd83273e780dee909df866c41edab0c3f98d9c14d7fc0d64",
"opcodes": [
"OP_80",
"MLOAD",
"PUSH1",
"NOT",
"AND",
"OP_83",
"OP_80",
"ADD",
"OR",
"OP_85",
"SSTORE"
],
"start_pc": 1128
},
{
"end_pc": 1151,
"hash": "0x8f3e9de7897fc8ecf909c51057d50789ae8316c7c04eb993301ad4815e852b7c",
"opcodes": [
"JUMPDEST",
"POP",
"PUSH2",
"OP_92",
"OP_91",
"POP",
"PUSH2",
"JUMP"
],
"start_pc": 1140
},
{
"end_pc": 1155,
"hash": "0x6c8bced0b251108f896811ee30d95eb75dee28b0889da48f68949f8355edbe08",
"opcodes": [
"JUMPDEST",
"POP",
"OP_90",
"JUMP"
],
"start_pc": 1152
},
{
"end_pc": 1170,
"hash": "0x2b9a10ea7796e2ea9007e9aade777139cc47bc96b4bc4150754e5efb8620c682",
"opcodes": [
"JUMPDEST",
"OP_82",
"OP_80",
"ADD",
"PUSH1",
"ADD",
"OP_85",
"SSTORE",
"OP_82",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 1156
},
{
"end_pc": 1173,
"hash": "0x4e540ba2fa7a3eab3d132ed5c77378c7f9457ce493e03ef0a1d81696d5cf328b",
"opcodes": [
"OP_91",
"OP_82",
"ADD"
],
"start_pc": 1171
},
{
"end_pc": 1182,
"hash": "0xd4f812f40d6c3449cb67a385d347ac6080eb0e857f253a1e0f5afa6dacf514a1",
"opcodes": [
"JUMPDEST",
"OP_82",
"OP_81",
"GT",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 1174
},
{
"end_pc": 1203,
"hash": "0xec4ad89b72c52fd2384171a241470dc69ed383976e99b99e9fc899efd6913d83",
"opcodes": [
"OP_82",
"MLOAD",
"OP_82",
"PUSH1",
"POP",
"SSTORE",
"OP_91",
"PUSH1",
"ADD",
"OP_91",
"OP_90",
"PUSH1",
"ADD",
"OP_90",
"PUSH2",
"JUMP"
],
"start_pc": 1183
},
{
"end_pc": 1223,
"hash": "0x010f0b1d63302d829668848a47edee892a934a5bdd2775589606030af92c5387",
"opcodes": [
"JUMPDEST",
"POP",
"POP",
"PUSH1",
"OP_80",
"SLOAD",
"PUSH1",
"NOT",
"AND",
"OP_82",
"OR",
"OP_90",
"SSTORE",
"POP",
"POP",
"POP",
"POP",
"JUMP"
],
"start_pc": 1204
}
],
"callsites": [
{
"opcode": "CALL",
"pc": 721,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"cfg_edges": [
{
"from": "bb:0",
"to": "bb:86",
"type": "control_flow"
},
{
"from": "bb:0",
"to": "bb:11",
"type": "control_flow_fallthrough"
},
{
"from": "bb:11",
"to": "bb:88",
"type": "control_flow"
},
{
exec
/bin/bash -lc "sed -n '1301,1560p' BYTECODE_BUNDLE.json" in /tmp/codex-0lj1x8r2
succeeded in 0ms:
"from": "bb:11",
"to": "bb:31",
"type": "control_flow_fallthrough"
},
{
"from": "bb:31",
"to": "bb:182",
"type": "control_flow"
},
{
"from": "bb:31",
"to": "bb:42",
"type": "control_flow_fallthrough"
},
{
"from": "bb:42",
"to": "bb:194",
"type": "control_flow"
},
{
"from": "bb:42",
"to": "bb:53",
"type": "control_flow_fallthrough"
},
{
"from": "bb:53",
"to": "bb:218",
"type": "control_flow"
},
{
"from": "bb:53",
"to": "bb:64",
"type": "control_flow_fallthrough"
},
{
"from": "bb:64",
"to": "bb:311",
"type": "control_flow"
},
{
"from": "bb:64",
"to": "bb:75",
"type": "control_flow_fallthrough"
},
{
"from": "bb:75",
"to": "bb:358",
"type": "control_flow"
},
{
"from": "bb:75",
"to": "bb:86",
"type": "control_flow_fallthrough"
},
{
"from": "bb:88",
"to": "bb:861",
"type": "control_flow"
},
{
"from": "bb:88",
"to": "bb:155",
"type": "control_flow_fallthrough"
},
{
"from": "bb:155",
"to": "bb:818",
"type": "control_flow"
},
{
"from": "bb:155",
"to": "bb:163",
"type": "control_flow_fallthrough"
},
{
"from": "bb:163",
"to": "bb:861",
"type": "control_flow"
},
{
"from": "bb:218",
"to": "bb:861",
"type": "control_flow"
},
{
"from": "bb:218",
"to": "bb:284",
"type": "control_flow_fallthrough"
},
{
"from": "bb:284",
"to": "bb:818",
"type": "control_flow"
},
{
"from": "bb:284",
"to": "bb:292",
"type": "control_flow_fallthrough"
},
{
"from": "bb:292",
"to": "bb:861",
"type": "control_flow"
},
{
"from": "bb:311",
"to": "bb:869",
"type": "control_flow"
},
{
"from": "bb:311",
"to": "bb:354",
"type": "control_flow_fallthrough"
},
{
"from": "bb:358",
"to": "bb:513",
"type": "control_flow"
},
{
"from": "bb:358",
"to": "bb:507",
"type": "control_flow_fallthrough"
},
{
"from": "bb:507",
"to": "bb:513",
"type": "control_flow_fallthrough"
},
{
"from": "bb:513",
"to": "bb:1015",
"type": "control_flow"
},
{
"from": "bb:513",
"to": "bb:627",
"type": "control_flow_fallthrough"
},
{
"from": "bb:627",
"to": "bb:639",
"type": "control_flow_fallthrough"
},
{
"from": "bb:639",
"to": "bb:647",
"type": "control_flow_fallthrough"
},
{
"from": "bb:647",
"to": "bb:1152",
"type": "control_flow"
},
{
"from": "bb:647",
"to": "bb:656",
"type": "control_flow_fallthrough"
},
{
"from": "bb:656",
"to": "bb:647",
"type": "control_flow"
},
{
"from": "bb:667",
"to": "bb:763",
"type": "control_flow"
},
{
"from": "bb:667",
"to": "bb:738",
"type": "control_flow_fallthrough"
},
{
"from": "bb:738",
"to": "bb:763",
"type": "control_flow_fallthrough"
},
{
"from": "bb:818",
"to": "bb:832",
"type": "control_flow_fallthrough"
},
{
"from": "bb:832",
"to": "bb:832",
"type": "control_flow"
},
{
"from": "bb:832",
"to": "bb:852",
"type": "control_flow_fallthrough"
},
{
"from": "bb:852",
"to": "bb:861",
"type": "control_flow_fallthrough"
},
{
"from": "bb:869",
"to": "bb:908",
"type": "control_flow"
},
{
"from": "bb:869",
"to": "bb:904",
"type": "control_flow_fallthrough"
},
{
"from": "bb:1015",
"to": "bb:639",
"type": "control_flow"
},
{
"from": "bb:1015",
"to": "bb:1030",
"type": "control_flow_fallthrough"
},
{
"from": "bb:1030",
"to": "bb:1033",
"type": "control_flow_fallthrough"
},
{
"from": "bb:1033",
"to": "bb:639",
"type": "control_flow"
},
{
"from": "bb:1033",
"to": "bb:1042",
"type": "control_flow_fallthrough"
},
{
"from": "bb:1042",
"to": "bb:1033",
"type": "control_flow"
},
{
"from": "bb:1063",
"to": "bb:1156",
"type": "control_flow"
},
{
"from": "bb:1063",
"to": "bb:1128",
"type": "control_flow_fallthrough"
},
{
"from": "bb:1128",
"to": "bb:1140",
"type": "control_flow_fallthrough"
},
{
"from": "bb:1140",
"to": "bb:647",
"type": "control_flow"
},
{
exec
/bin/bash -lc "sed -n '1561,1820p' BYTECODE_BUNDLE.json" in /tmp/codex-0lj1x8r2
succeeded in 0ms:
"from": "bb:1156",
"to": "bb:1140",
"type": "control_flow"
},
{
"from": "bb:1156",
"to": "bb:1171",
"type": "control_flow_fallthrough"
},
{
"from": "bb:1171",
"to": "bb:1174",
"type": "control_flow_fallthrough"
},
{
"from": "bb:1174",
"to": "bb:1140",
"type": "control_flow"
},
{
"from": "bb:1174",
"to": "bb:1183",
"type": "control_flow_fallthrough"
},
{
"from": "bb:1183",
"to": "bb:1174",
"type": "control_flow"
}
],
"cfg_hash": "0xff22a033ceac3ea807bf88439fb49c32c7ca6c614a37cbc039677cba6f342cd0",
"dispatcher_type": "selector_jump_table",
"function_entries": [
{
"entry_pc": null,
"selector": "0x06fdde03"
},
{
"entry_pc": 1889567281,
"selector": "0x313ce567"
},
{
"entry_pc": 2514000705,
"selector": "0x70a08231"
},
{
"entry_pc": 2835717307,
"selector": "0x95d89b41"
},
{
"entry_pc": 3037366771,
"selector": "0xa9059cbb"
},
{
"entry_pc": null,
"selector": "0xb50a89f3"
}
],
"functions": [
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0x06fdde03",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 14,
"slots": [
{
"op": "SLOAD",
"pc": 96,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 168,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 188,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 225,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 297,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 1210,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
}
],
"writes": 11
}
},
{
"auth": {
"guards": []
},
"entry_pc": 1889567281,
"selector": "0x313ce567",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 14,
"slots": [
{
"op": "SLOAD",
"pc": 96,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 168,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 188,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 225,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 297,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 1210,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
}
],
"writes": 11
}
},
{
"auth": {
"guards": []
},
"entry_pc": 2514000705,
"selector": "0x70a08231",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 14,
"slots": [
{
"op": "SLOAD",
"pc": 96,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 168,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 188,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 225,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 297,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 1210,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
}
],
"writes": 11
}
},
{
"auth": {
"guards": []
},
"entry_pc": 2835717307,
"selector": "0x95d89b41",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 14,
"slots": [
{
"op": "SLOAD",
"pc": 96,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 168,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 188,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 225,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 297,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 1210,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
}
],
"writes": 11
}
},
{
"auth": {
"guards": []
},
"entry_pc": 3037366771,
exec
/bin/bash -lc "sed -n '1821,2080p' BYTECODE_BUNDLE.json" in /tmp/codex-0lj1x8r2
succeeded in 0ms:
"selector": "0xa9059cbb",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 14,
"slots": [
{
"op": "SLOAD",
"pc": 96,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 168,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 188,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 225,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 297,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 1210,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
}
],
"writes": 11
}
},
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0xb50a89f3",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 14,
"slots": [
{
"op": "SLOAD",
"pc": 96,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 168,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 188,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 225,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 297,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 1210,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
}
],
"writes": 11
}
}
],
"selectors": [
"0x06fdde03",
"0x313ce567",
"0x70a08231",
"0x95d89b41",
"0xa9059cbb",
"0xb50a89f3"
],
"sinks": {
"call": 1,
"create": 0,
"create2": 0,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0,
"upgrade_slot_write_suspected": false
},
"storage": {
"keccak_count": 8,
"reads": 14,
"slots": [
{
"op": "SLOAD",
"pc": 96,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 168,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 188,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 225,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 297,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 1210,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
}
],
"writes": 11
},
"version": "analysis_artifact_v1"
},
"block_number": null,
"chain_id": 1,
"codehash": "0x6a55aab98dc6663cacc55bdd983f51001626c9a38e8dc73bdcfbda7a9fe13c73",
"created_at": "2026-04-04T19:53:59.000000Z",
"id": 2080,
"updated_at": "2026-04-04T19:53:59.000000Z",
"version": "analysis_artifact_v1"
},
"analysis_run": {
"address": "0x0d90b565cd67733f70c21fe38f355e3469012856",
"block_number": null,
"chain_id": 1,
"child_links": [],
"created_at": "2025-12-19T20:03:53.000000Z",
"id": "019b3836-3005-71b8-a8ef-ecd5ea5d9540",
"parent_links": [],
"status": "running",
"updated_at": "2026-04-04T19:53:59.000000Z"
},
"artifact": {
"codehash": "0x6a55aab98dc6663cacc55bdd983f51001626c9a38e8dc73bdcfbda7a9fe13c73",
"compiler_json": {
"etherscan": {
"skipped": true
}
},
"implementation_address": null,
"is_proxy": false,
"runtime_bytecode": {
"full": "0x606060405236156100565760e060020a600035046306fdde038114610058578063313ce567146100b657806370a08231146100c257806395d89b41146100da578063a9059cbb14610137578063b50a89f314610166575b005b6040805160008054602060026001831615610100026000190190921691909104601f810182900482028401820190945283835261029b939083018282801561035d5780601f106103325761010080835404028352916020019161035d565b61030960025460ff1681565b61032060043560036020526000908152604090205481565b61029b60018054604080516020600284861615610100026000190190941693909304601f8101849004840282018401909252818152929183018282801561035d5780601f106103325761010080835404028352916020019161035d565b610056600435602435600160a060020a0333166000908152600360205260409020548190101561036557610002565b60408051602060046024803582810135601f81018590048502860185019096528585526100569583359593946044949392909201918190840183828082843750506040805160209735808a0135601f81018a90048a0283018a0190935282825296989760649791965060249190910194509092508291508401838280828437509496505093359350505050836000141561020157620f424093505b600160a060020a033316600090815260036020908152604082208690558451825483805260026001821615610100026000190190911604601f9081018390047f290decd9548b62a8d60345a988386fc84ba6bc95484008f6362f93160ef3e563908101939091908801908390106103f757805160ff19168380011785555b506104279291505b808211156104805760008155600101610287565b60405180806020018281038252838181518152602001915080519060200190808383829060006004602084601f0104600f02600301f150905090810190601f1680156102fb5780820380516001836020036101000a031916815260200191505b509250505060405180910390f35b6040805160ff929092168252519081900360200190f35b60408051918252519081900360200190f35b820191906000526020600020905b81548152906001019060200180831161034057829003601f168201915b505050505081565b600160a060020a038216600090815260036020526040902054808201101561038c57610002565b600160a060020a03338116600081815260036020908152604080832080548790039055938616808352918490208054860190558351858152935191937fddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a1162
8f55a4df523b3ef929081900390910190a35050565b8280016001018555821561027f579182015b8281111561027f578251826000505591602001919060010190610409565b50508160016000509080519060200190828054600181600116156101000203166002900490600052602060002090601f016020900481019282601f1061048457805160ff19168380011785555b506104b4929150610287565b5090565b82800160010185558215610474579182015b82811115610474578251826000505591602001919060010190610496565b50506002805460ff1916821790555050505056",
"head": null,
"length": 2450,
"tail": null,
"truncated": false
},
"verified_source": false
},
"capability_graph": {
"address": "0x0d90b565cd67733f70c21fe38f355e3469012856",
"block_number": null,
"chain_id": 1,
"codehash": "0x6a55aab98dc6663cacc55bdd983f51001626c9a38e8dc73bdcfbda7a9fe13c73",
"created_at": "2026-04-04T19:53:59.000000Z",
"graph_hash": "0xf8f4f872391157fc03e34e71d8bae21895d4e9520e94a3c6bb360f765b3958b0",
"graph_json": {
"edges": [
{
"from": "bb:0",
"to": "bb:86",
"type": "control_flow"
},
{
"from": "bb:0",
"to": "bb:11",
"type": "control_flow_fallthrough"
},
{
"from": "bb:11",
"to": "bb:88",
"type": "control_flow"
},
{
"from": "bb:11",
"to": "bb:31",
"type": "control_flow_fallthrough"
},
{
"from": "bb:31",
"to": "bb:182",
"type": "control_flow"
},
{
"from": "bb:31",
"to": "bb:42",
"type": "control_flow_fallthrough"
},
{
"from": "bb:42",
"to": "bb:194",
"type": "control_flow"
},
{
"from": "bb:42",
"to": "bb:53",
"type": "control_flow_fallthrough"
},
{
"from": "bb:53",
"to": "bb:218",
"type": "control_flow"
},
{
"from": "bb:53",
"to": "bb:64",
"type": "control_flow_fallthrough"
},
{
"from": "bb:64",
"to": "bb:311",
"type": "control_flow"
},
{
"from": "bb:64",
"to": "bb:75",
"type": "control_flow_fallthrough"
},
{
"from": "bb:75",
"to": "bb:358",
"type": "control_flow"
exec
/bin/bash -lc "rg -n 'detector|evidence|finding|slot|selector|event' BYTECODE_BUNDLE.json" in /tmp/codex-0lj1x8r2
succeeded in 0ms:
1592: "dispatcher_type": "selector_jump_table",
1596: "selector": "0x06fdde03"
1600: "selector": "0x313ce567"
1604: "selector": "0x70a08231"
1608: "selector": "0x95d89b41"
1612: "selector": "0xa9059cbb"
1616: "selector": "0xb50a89f3"
1625: "selector": "0x06fdde03",
1634: "slots": [
1638: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1643: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1648: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
1653: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
1658: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1663: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
1674: "selector": "0x313ce567",
1683: "slots": [
1687: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1692: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1697: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
1702: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
1707: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1712: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
1723: "selector": "0x70a08231",
1732: "slots": [
1736: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1741: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1746: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
1751: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
1756: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1761: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
1772: "selector": "0x95d89b41",
1781: "slots": [
1785: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1790: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1795: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
1800: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
1805: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1810: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
1821: "selector": "0xa9059cbb",
1830: "slots": [
1834: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1839: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1844: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
1849: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
1854: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1859: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
1870: "selector": "0xb50a89f3",
1879: "slots": [
1883: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1888: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1893: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
1898: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
1903: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1908: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
1915: "selectors": [
1930: "upgrade_slot_write_suspected": false
1935: "slots": [
1939: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1944: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1949: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
1954: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
1959: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1964: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
2717: "selector": "0x06fdde03",
2723: "selector": "0x313ce567",
2729: "selector": "0x70a08231",
2735: "selector": "0x95d89b41",
2741: "selector": "0xa9059cbb",
2747: "selector": "0xb50a89f3",
2757: "detector_findings": [
2760: "evidence_json": {
2799: "evidence_json": {
exec
/bin/bash -lc "sed -n '2680,2860p' BYTECODE_BUNDLE.json" in /tmp/codex-0lj1x8r2
succeeded in 0ms:
"start_pc": 1171,
"type": "basic_block"
},
{
"end_pc": 1182,
"hash": "0xd4f812f40d6c3449cb67a385d347ac6080eb0e857f253a1e0f5afa6dacf514a1",
"id": "bb:1174",
"start_pc": 1174,
"type": "basic_block"
},
{
"end_pc": 1203,
"hash": "0xec4ad89b72c52fd2384171a241470dc69ed383976e99b99e9fc899efd6913d83",
"id": "bb:1183",
"start_pc": 1183,
"type": "basic_block"
},
{
"end_pc": 1223,
"hash": "0x010f0b1d63302d829668848a47edee892a934a5bdd2775589606030af92c5387",
"id": "bb:1204",
"start_pc": 1204,
"type": "basic_block"
},
{
"id": "call:721",
"opcode": "CALL",
"pc": 721,
"type": "callsite"
},
{
"id": "sink:call",
"type": "sink"
},
{
"entry_pc": null,
"id": "fn:0x06fdde03",
"selector": "0x06fdde03",
"type": "function"
},
{
"entry_pc": 1889567281,
"id": "fn:0x313ce567",
"selector": "0x313ce567",
"type": "function"
},
{
"entry_pc": 2514000705,
"id": "fn:0x70a08231",
"selector": "0x70a08231",
"type": "function"
},
{
"entry_pc": 2835717307,
"id": "fn:0x95d89b41",
"selector": "0x95d89b41",
"type": "function"
},
{
"entry_pc": 3037366771,
"id": "fn:0xa9059cbb",
"selector": "0xa9059cbb",
"type": "function"
},
{
"entry_pc": null,
"id": "fn:0xb50a89f3",
"selector": "0xb50a89f3",
"type": "function"
}
],
"version": "capability_graph_v1"
},
"id": 2080,
"updated_at": "2026-04-04T19:53:59.000000Z",
"version": "capability_graph_v1"
},
"detector_findings": [
{
"confidence": 60,
"evidence_json": {
"call_count": 1,
"examples": [
{
"opcode": "CALL",
"pc": 721,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": [],
"untrusted_call_count": 1
},
"normalized_json": {
"sink": "CALL"
},
"severity": "high",
"title": "Untrusted CALL target/value reachable",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x0d90b565cd67733f70c21fe38f355e3469012856"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0xe9145b591c812f6840ff9251fa1bc8e099547a1408d0bf5d2327d598a42600c4",
"trace_mode": "callTracer"
}
},
{
"confidence": 55,
"evidence_json": {
"eth_value_calls": 1,
"examples": [
{
"opcode": "CALL",
"pc": 721,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": []
},
"normalized_json": {
"sink": "CALL",
"value": "nonzero"
},
"severity": "high",
"title": "ETH value transfer possible",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x0d90b565cd67733f70c21fe38f355e3469012856"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0xe9145b591c812f6840ff9251fa1bc8e099547a1408d0bf5d2327d598a42600c4",
"trace_mode": "callTracer"
}
}
],
"heuristics_summary": {
"create2_count": 0,
"delegatecall_count": 0,
"flags": [],
"selfdestruct_count": 0
}
}
exec
/bin/bash -lc "node - <<'NODE'
const fs=require('fs');
const data=JSON.parse(fs.readFileSync('BYTECODE_BUNDLE.json','utf8'));
const hex=data.artifact.runtime_bytecode.full.slice(2);
const opcodes={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT',0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4'};
for(let i=1;i<=32;i++){opcodes[0x5f+i]='PUSH'+i;opcodes[0x7f+i]='DUP'+i;opcodes[0x8f+i]='SWAP'+i;}
for(let i=0;i<hex.length;){const pc=i/2; const op=parseInt(hex.slice(i,i+2),16); let name=opcodes[op]||('OP_'+op.toString(16)); let arg=''; i+=2; if(op>=0x60&&op<=0x7f){const n=op-0x5f; arg=hex.slice(i,i+2*n); i+=2*n;} if(pc>=660&&pc<=730) console.log(pc.toString().padStart(4), name.padEnd(10), arg);}
NODE" in /tmp/codex-0lj1x8r2
succeeded in 0ms:
660 PUSH1 01
662 ADD
663 PUSH2 0287
666 JUMP
667 JUMPDEST
668 PUSH1 40
670 MLOAD
671 DUP1
672 DUP1
673 PUSH1 20
675 ADD
676 DUP3
677 DUP2
678 SUB
679 DUP3
680 MSTORE
681 DUP4
682 DUP2
683 DUP2
684 MLOAD
685 DUP2
686 MSTORE
687 PUSH1 20
689 ADD
690 DUP18
691 POP
692 DUP1
693 MLOAD
694 DUP17
695 PUSH1 20
697 ADD
698 DUP17
699 DUP1
700 DUP4
701 DUP4
702 DUP3
703 DUP17
704 PUSH1 00
706 PUSH1 04
708 PUSH1 20
710 DUP5
711 PUSH1 1f
713 ADD
714 DIV
715 PUSH1 0f
717 MUL
718 PUSH1 03
720 ADD
721 CALL
722 POP
723 DUP17
724 POP
725 DUP17
726 DUP2
727 ADD
728 DUP17
729 PUSH1 1f
exec
/bin/bash -lc "node - <<'NODE'
const fs=require('fs');
const data=JSON.parse(fs.readFileSync('BYTECODE_BUNDLE.json','utf8'));
const hex=data.artifact.runtime_bytecode.full.slice(2);
const opcodes={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT',0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4'};
for(let i=1;i<=32;i++){opcodes[0x5f+i]='PUSH'+i;opcodes[0x7f+i]='DUP'+i;opcodes[0x8f+i]='SWAP'+i;}
for(let i=0;i<hex.length;){const pc=i/2; const op=parseInt(hex.slice(i,i+2),16); let name=opcodes[op]||('OP_'+op.toString(16)); let arg=''; i+=2; if(op>=0x60&&op<=0x7f){const n=op-0x5f; arg=hex.slice(i,i+2*n); i+=2*n;} if(pc<=130) console.log(pc.toString().padStart(4), name.padEnd(10), arg);}
NODE" in /tmp/codex-0lj1x8r2
succeeded in 0ms:
0 PUSH1 60
2 PUSH1 40
4 MSTORE
5 CALLDATASIZE
6 ISZERO
7 PUSH2 0056
10 JUMPI
11 PUSH1 e0
13 PUSH1 02
15 EXP
16 PUSH1 00
18 CALLDATALOAD
19 DIV
20 PUSH4 06fdde03
25 DUP2
26 EQ
27 PUSH2 0058
30 JUMPI
31 DUP1
32 PUSH4 313ce567
37 EQ
38 PUSH2 00b6
41 JUMPI
42 DUP1
43 PUSH4 70a08231
48 EQ
49 PUSH2 00c2
52 JUMPI
53 DUP1
54 PUSH4 95d89b41
59 EQ
60 PUSH2 00da
63 JUMPI
64 DUP1
65 PUSH4 a9059cbb
70 EQ
71 PUSH2 0137
74 JUMPI
75 DUP1
76 PUSH4 b50a89f3
81 EQ
82 PUSH2 0166
85 JUMPI
86 JUMPDEST
87 STOP
88 JUMPDEST
89 PUSH1 40
91 DUP1
92 MLOAD
93 PUSH1 00
95 DUP1
96 SLOAD
97 PUSH1 20
99 PUSH1 02
101 PUSH1 01
103 DUP4
104 AND
105 ISZERO
106 PUSH2 0100
109 MUL
110 PUSH1 00
112 NOT
113 ADD
114 DUP17
115 DUP19
116 AND
117 DUP18
118 DUP17
119 DUP18
120 DIV
121 PUSH1 1f
123 DUP2
124 ADD
125 DUP3
126 DUP17
127 DIV
128 DUP3
129 MUL
130 DUP5
exec
/bin/bash -lc "node - <<'NODE'
const fs=require('fs');
const data=JSON.parse(fs.readFileSync('BYTECODE_BUNDLE.json','utf8'));
const hex=data.artifact.runtime_bytecode.full.slice(2);
const opcodes={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT',0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4'};
for(let i=1;i<=32;i++){opcodes[0x5f+i]='PUSH'+i;opcodes[0x7f+i]='DUP'+i;opcodes[0x8f+i]='SWAP'+i;}
for(let i=0;i<hex.length;){const pc=i/2; const op=parseInt(hex.slice(i,i+2),16); let name=opcodes[op]||('OP_'+op.toString(16)); let arg=''; i+=2; if(op>=0x60&&op<=0x7f){const n=op-0x5f; arg=hex.slice(i,i+2*n); i+=2*n;} if(pc>=350&&pc<=650) console.log(pc.toString().padStart(4), name.padEnd(10), arg);}
NODE" in /tmp/codex-0lj1x8r2
succeeded in 0ms:
350 PUSH2 0365
353 JUMPI
354 PUSH2 0002
357 JUMP
358 JUMPDEST
359 PUSH1 40
361 DUP1
362 MLOAD
363 PUSH1 20
365 PUSH1 04
367 PUSH1 24
369 DUP1
370 CALLDATALOAD
371 DUP3
372 DUP2
373 ADD
374 CALLDATALOAD
375 PUSH1 1f
377 DUP2
378 ADD
379 DUP6
380 DUP17
381 DIV
382 DUP6
383 MUL
384 DUP7
385 ADD
386 DUP6
387 ADD
388 DUP17
389 DUP23
390 MSTORE
391 DUP6
392 DUP6
393 MSTORE
394 PUSH2 0056
397 DUP22
398 DUP4
399 CALLDATALOAD
400 DUP22
401 DUP20
402 DUP21
403 PUSH1 44
405 DUP21
406 DUP20
407 DUP19
408 DUP17
409 DUP19
410 ADD
411 DUP18
412 DUP2
413 DUP17
414 DUP5
415 ADD
416 DUP4
417 DUP3
418 DUP1
419 DUP3
420 DUP5
421 CALLDATACOPY
422 POP
423 POP
424 PUSH1 40
426 DUP1
427 MLOAD
428 PUSH1 20
430 DUP24
431 CALLDATALOAD
432 DUP1
433 DUP11
434 ADD
435 CALLDATALOAD
436 PUSH1 1f
438 DUP2
439 ADD
440 DUP11
441 DUP17
442 DIV
443 DUP11
444 MUL
445 DUP4
446 ADD
447 DUP11
448 ADD
449 DUP17
450 DUP20
451 MSTORE
452 DUP3
453 DUP3
454 MSTORE
455 DUP23
456 DUP25
457 DUP24
458 PUSH1 64
460 DUP24
461 DUP18
462 DUP23
463 POP
464 PUSH1 24
466 DUP18
467 DUP17
468 DUP18
469 ADD
470 DUP21
471 POP
472 DUP17
473 DUP19
474 POP
475 DUP3
476 DUP18
477 POP
478 DUP5
479 ADD
480 DUP4
481 DUP3
482 DUP1
483 DUP3
484 DUP5
485 CALLDATACOPY
486 POP
487 DUP21
488 DUP23
489 POP
490 POP
491 DUP20
492 CALLDATALOAD
493 DUP20
494 POP
495 POP
496 POP
497 POP
498 DUP4
499 PUSH1 00
501 EQ
502 ISZERO
503 PUSH2 0201
506 JUMPI
507 PUSH3 0f4240
511 DUP20
512 POP
513 JUMPDEST
514 PUSH1 01
516 PUSH1 a0
518 PUSH1 02
520 EXP
521 SUB
522 CALLER
523 AND
524 PUSH1 00
526 DUP17
527 DUP2
528 MSTORE
529 PUSH1 03
531 PUSH1 20
533 DUP17
534 DUP2
535 MSTORE
536 PUSH1 40
538 DUP3
539 SHA3
540 DUP7
541 DUP17
542 SSTORE
543 DUP5
544 MLOAD
545 DUP3
546 SLOAD
547 DUP4
548 DUP1
549 MSTORE
550 PUSH1 02
552 PUSH1 01
554 DUP3
555 AND
556 ISZERO
557 PUSH2 0100
560 MUL
561 PUSH1 00
563 NOT
564 ADD
565 DUP17
566 DUP18
567 AND
568 DIV
569 PUSH1 1f
571 DUP17
572 DUP2
573 ADD
574 DUP4
575 DUP17
576 DIV
577 PUSH32 290decd9548b62a8d60345a988386fc84ba6bc95484008f6362f93160ef3e563
610 DUP17
611 DUP2
612 ADD
613 DUP20
614 DUP17
615 DUP18
616 DUP17
617 DUP9
618 ADD
619 DUP17
620 DUP4
621 DUP17
622 LT
623 PUSH2 03f7
626 JUMPI
627 DUP1
628 MLOAD
629 PUSH1 ff
631 NOT
632 AND
633 DUP4
634 DUP1
635 ADD
636 OR
637 DUP6
638 SSTORE
639 JUMPDEST
640 POP
641 PUSH2 0427
644 DUP19
645 DUP18
646 POP
647 JUMPDEST
648 DUP1
649 DUP3
650 GT
exec
/bin/bash -lc "node - <<'NODE'
const fs=require('fs');
const data=JSON.parse(fs.readFileSync('BYTECODE_BUNDLE.json','utf8'));
const hex=data.artifact.runtime_bytecode.full.slice(2);
const opcodes={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT',0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4'};
for(let i=1;i<=32;i++){opcodes[0x5f+i]='PUSH'+i;opcodes[0x7f+i]='DUP'+i;opcodes[0x8f+i]='SWAP'+i;}
for(let i=0;i<hex.length;){const pc=i/2; const op=parseInt(hex.slice(i,i+2),16); let name=opcodes[op]||('OP_'+op.toString(16)); let arg=''; i+=2; if(op>=0x60&&op<=0x7f){const n=op-0x5f; arg=hex.slice(i,i+2*n); i+=2*n;} if((pc>=1000&&pc<=1225)|| (pc>=900&&pc<=1020)) console.log(pc.toString().padStart(4), name.padEnd(10), arg);}
NODE" in /tmp/codex-0lj1x8r2
succeeded in 0ms:
900 PUSH2 038c
903 JUMPI
904 PUSH2 0002
907 JUMP
908 JUMPDEST
909 PUSH1 01
911 PUSH1 a0
913 PUSH1 02
915 EXP
916 SUB
917 CALLER
918 DUP2
919 AND
920 PUSH1 00
922 DUP2
923 DUP2
924 MSTORE
925 PUSH1 03
927 PUSH1 20
929 DUP17
930 DUP2
931 MSTORE
932 PUSH1 40
934 DUP1
935 DUP4
936 SHA3
937 DUP1
938 SLOAD
939 DUP8
940 DUP17
941 SUB
942 DUP17
943 SSTORE
944 DUP20
945 DUP7
946 AND
947 DUP1
948 DUP4
949 MSTORE
950 DUP18
951 DUP5
952 DUP17
953 SHA3
954 DUP1
955 SLOAD
956 DUP7
957 ADD
958 DUP17
959 SSTORE
960 DUP4
961 MLOAD
962 DUP6
963 DUP2
964 MSTORE
965 DUP20
966 MLOAD
967 DUP18
968 DUP20
969 PUSH32 ddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef
1002 DUP19
1003 DUP17
1004 DUP2
1005 DUP17
1006 SUB
1007 DUP17
1008 DUP18
1009 ADD
1010 DUP17
1011 SWAP20
1012 POP
1013 POP
1014 JUMP
1015 JUMPDEST
1016 DUP3
1017 DUP1
1018 ADD
1019 PUSH1 01
1021 ADD
1022 DUP6
1023 SSTORE
1024 DUP3
1025 ISZERO
1026 PUSH2 027f
1029 JUMPI
1030 DUP18
1031 DUP3
1032 ADD
1033 JUMPDEST
1034 DUP3
1035 DUP2
1036 GT
1037 ISZERO
1038 PUSH2 027f
1041 JUMPI
1042 DUP3
1043 MLOAD
1044 DUP3
1045 PUSH1 00
1047 POP
1048 SSTORE
1049 DUP18
1050 PUSH1 20
1052 ADD
1053 DUP18
1054 DUP17
1055 PUSH1 01
1057 ADD
1058 DUP17
1059 PUSH2 0409
1062 JUMP
1063 JUMPDEST
1064 POP
1065 POP
1066 DUP2
1067 PUSH1 01
1069 PUSH1 00
1071 POP
1072 DUP17
1073 DUP1
1074 MLOAD
1075 DUP17
1076 PUSH1 20
1078 ADD
1079 DUP17
1080 DUP3
1081 DUP1
1082 SLOAD
1083 PUSH1 01
1085 DUP2
1086 PUSH1 01
1088 AND
1089 ISZERO
1090 PUSH2 0100
1093 MUL
1094 SUB
1095 AND
1096 PUSH1 02
1098 DUP17
1099 DIV
1100 DUP17
1101 PUSH1 00
1103 MSTORE
1104 PUSH1 20
1106 PUSH1 00
1108 SHA3
1109 DUP17
1110 PUSH1 1f
1112 ADD
1113 PUSH1 20
1115 DUP17
1116 DIV
1117 DUP2
1118 ADD
1119 DUP19
1120 DUP3
1121 PUSH1 1f
1123 LT
1124 PUSH2 0484
1127 JUMPI
1128 DUP1
1129 MLOAD
1130 PUSH1 ff
1132 NOT
1133 AND
1134 DUP4
1135 DUP1
1136 ADD
1137 OR
1138 DUP6
1139 SSTORE
1140 JUMPDEST
1141 POP
1142 PUSH2 04b4
1145 DUP19
1146 DUP18
1147 POP
1148 PUSH2 0287
1151 JUMP
1152 JUMPDEST
1153 POP
1154 DUP17
1155 JUMP
1156 JUMPDEST
1157 DUP3
1158 DUP1
1159 ADD
1160 PUSH1 01
1162 ADD
1163 DUP6
1164 SSTORE
1165 DUP3
1166 ISZERO
1167 PUSH2 0474
1170 JUMPI
1171 DUP18
1172 DUP3
1173 ADD
1174 JUMPDEST
1175 DUP3
1176 DUP2
1177 GT
1178 ISZERO
1179 PUSH2 0474
1182 JUMPI
1183 DUP3
1184 MLOAD
1185 DUP3
1186 PUSH1 00
1188 POP
1189 SSTORE
1190 DUP18
1191 PUSH1 20
1193 ADD
1194 DUP18
1195 DUP17
1196 PUSH1 01
1198 ADD
1199 DUP17
1200 PUSH2 0496
1203 JUMP
1204 JUMPDEST
1205 POP
1206 POP
1207 PUSH1 02
1209 DUP1
1210 SLOAD
1211 PUSH1 ff
1213 NOT
1214 AND
1215 DUP3
1216 OR
1217 DUP17
1218 SSTORE
1219 POP
1220 POP
1221 POP
1222 POP
1223 JUMP
exec
/bin/bash -lc "node - <<'NODE'
const fs=require('fs');
const data=JSON.parse(fs.readFileSync('BYTECODE_BUNDLE.json','utf8'));
const hex=data.artifact.runtime_bytecode.full.slice(2);
for(let i=0;i<hex.length;){const pc=i/2; const op=parseInt(hex.slice(i,i+2),16); i+=2; if(op>=0x60&&op<=0x7f){i+=2*(op-0x5f);} if(op===0x34) console.log('CALLVALUE at pc',pc);}
NODE" in /tmp/codex-0lj1x8r2
succeeded in 0ms:
codex
{"no_findings":false,"summary":"The meaningful issue in this bytecode is an unprotected initializer-style entrypoint: selector inference suggests `0xb50a89f3` can set caller balance and overwrite token metadata without any detected guard. The detector-reported `CALL` at `pc:0x2d1` looks like the identity precompile (`0x04`) used for memory copying, so I did not treat it as a standalone untrusted-call exploit; however, the contract also appears implicitly payable and may trap ETH.","findings":[{"severity":"critical","category":"access_control","title":"Public initializer-style function can assign arbitrary balance and rewrite metadata","exploit_scenario":"A public caller invokes the unknown selector `0xb50a89f3` with crafted arguments. The routine appears to write `balances[msg.sender]` in the slot-3 mapping, with a zero amount defaulting to `0x0f4240` (1,000,000), and then rewrites the dynamic data stored in slots 0 and 1 plus the low byte of slot 2. Because no owner check or one-time initialization guard is evident, any attacker can repeatedly mint/reassign their own balance and change name/symbol/decimals-like metadata after deployment.","recommendation":"Treat this path as an initializer/admin function and protect it accordingly: restrict it to deployment/constructor time or a privileged role, add a single-use initialized flag, and separate metadata initialization from user-callable runtime logic.","evidence":"Selector inference is best-effort, but the jump table routes `0xb50a89f3` to `pc:0x166`. No auth guards were detected in the artifact. Inside that routine, `CALLER` is masked and hashed with storage slot `0x03`, then stored via `SSTORE` at `pc:0x21e`, indicating a caller-indexed balance write. The amount appears to come from calldata, with a zero input replaced by `0x0f4240` at `pc:0x1fb-0x1ff`. The same routine then writes dynamic storage associated with slots 0 and 1 (`pc:0x27e`, `pc:0x473`) and updates the low byte of slot 2 at `pc:0x4c2`, consistent with metadata/decimals initialization.","locations":["selector:0xb50a89f3","pc:0x166","pc:0x1fb","pc:0x21e","pc:0x27e","pc:0x473","pc:0x4c2"]},{"severity":"low","category":"other","title":"Contract appears payable and may permanently lock ETH","exploit_scenario":"A user sends ETH directly to the contract or includes `msg.value` when calling one of its functions. The bytecode shows no `CALLVALUE` rejection anywhere, and the fallback/default path stops successfully instead of reverting. Since the only observed `CALL` appears to target precompile `0x04` for internal memory-copy behavior rather than an outbound payment path, accidentally sent ETH may become unrecoverable.","recommendation":"If ETH should never be held, add a non-payable fallback/receive behavior (or explicit value checks) so ETH-bearing calls revert. If ETH custody is intended, add an explicit, access-controlled withdrawal path.","evidence":"There is no `CALLVALUE` opcode in the runtime bytecode, so functions/fallback are implicitly payable. The dispatcher falls through to `STOP` at `pc:0x56` for empty/unmatched calldata. The sole callsite is `pc:0x2d1`; the surrounding sequence includes fixed pushes `PUSH1 0x00`, `PUSH1 0x04`, then `CALL`, which is consistent with the identity precompile rather than a user-controlled payout. This conclusion is based on bytecode pattern matching only.","locations":["pc:0x56","pc:0x2d1"]}]}
tokens used
61,479
{
"codex": {
"ran_at": "2026-04-05T03:10:13.458132+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 2450,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "The meaningful issue in this bytecode is an unprotected initializer-style entrypoint: selector inference suggests `0xb50a89f3` can set caller balance and overwrite token metadata without any detected guard. The detector-reported `CALL` at `pc:0x2d1` looks like the identity precompile (`0x04`) used for memory copying, so I did not treat it as a standalone untrusted-call exploit; however, the contract also appears implicitly payable and may trap ETH.",
"raw_final": {
"summary": "The meaningful issue in this bytecode is an unprotected initializer-style entrypoint: selector inference suggests `0xb50a89f3` can set caller balance and overwrite token metadata without any detected guard. The detector-reported `CALL` at `pc:0x2d1` looks like the identity precompile (`0x04`) used for memory copying, so I did not treat it as a standalone untrusted-call exploit; however, the contract also appears implicitly payable and may trap ETH.",
"findings": [
{
"title": "Public initializer-style function can assign arbitrary balance and rewrite metadata",
"category": "access_control",
"evidence": "Selector inference is best-effort, but the jump table routes `0xb50a89f3` to `pc:0x166`. No auth guards were detected in the artifact. Inside that routine, `CALLER` is masked and hashed with storage slot `0x03`, then stored via `SSTORE` at `pc:0x21e`, indicating a caller-indexed balance write. The amount appears to come from calldata, with a zero input replaced by `0x0f4240` at `pc:0x1fb-0x1ff`. The same routine then writes dynamic storage associated with slots 0 and 1 (`pc:0x27e`, `pc:0x473`) and updates the low byte of slot 2 at `pc:0x4c2`, consistent with metadata/decimals initialization.",
"severity": "critical",
"locations": [
"selector:0xb50a89f3",
"pc:0x166",
"pc:0x1fb",
"pc:0x21e",
"pc:0x27e",
"pc:0x473",
"pc:0x4c2"
],
"recommendation": "Treat this path as an initializer/admin function and protect it accordingly: restrict it to deployment/constructor time or a privileged role, add a single-use initialized flag, and separate metadata initialization from user-callable runtime logic.",
"exploit_scenario": "A public caller invokes the unknown selector `0xb50a89f3` with crafted arguments. The routine appears to write `balances[msg.sender]` in the slot-3 mapping, with a zero amount defaulting to `0x0f4240` (1,000,000), and then rewrites the dynamic data stored in slots 0 and 1 plus the low byte of slot 2. Because no owner check or one-time initialization guard is evident, any attacker can repeatedly mint/reassign their own balance and change name/symbol/decimals-like metadata after deployment."
},
{
"title": "Contract appears payable and may permanently lock ETH",
"category": "other",
"evidence": "There is no `CALLVALUE` opcode in the runtime bytecode, so functions/fallback are implicitly payable. The dispatcher falls through to `STOP` at `pc:0x56` for empty/unmatched calldata. The sole callsite is `pc:0x2d1`; the surrounding sequence includes fixed pushes `PUSH1 0x00`, `PUSH1 0x04`, then `CALL`, which is consistent with the identity precompile rather than a user-controlled payout. This conclusion is based on bytecode pattern matching only.",
"severity": "low",
"locations": [
"pc:0x56",
"pc:0x2d1"
],
"recommendation": "If ETH should never be held, add a non-payable fallback/receive behavior (or explicit value checks) so ETH-bearing calls revert. If ETH custody is intended, add an explicit, access-controlled withdrawal path.",
"exploit_scenario": "A user sends ETH directly to the contract or includes `msg.value` when calling one of its functions. The bytecode shows no `CALLVALUE` rejection anywhere, and the fallback/default path stops successfully instead of reverting. Since the only observed `CALL` appears to target precompile `0x04` for internal memory-copy behavior rather than an outbound payment path, accidentally sent ETH may become unrecoverable."
}
],
"no_findings": false
},
"no_findings": false,
"schema_version": 1
}
00000000: PUSH1 0x60 00000002: PUSH1 0x40 00000004: MSTORE 00000005: CALLDATASIZE 00000006: ISZERO 00000007: PUSH2 0x0056 0000000a: JUMPI 0000000b: PUSH1 0xe0 0000000d: PUSH1 0x02 0000000f: EXP 00000010: PUSH1 0x00 00000012: CALLDATALOAD 00000013: DIV 00000014: PUSH4 0x06fdde03 00000019: DUP2 0000001a: EQ 0000001b: PUSH2 0x0058 0000001e: JUMPI 0000001f: DUP1 00000020: PUSH4 0x313ce567 00000025: EQ 00000026: PUSH2 0x00b6 00000029: JUMPI 0000002a: DUP1 0000002b: PUSH4 0x70a08231 00000030: EQ 00000031: PUSH2 0x00c2 00000034: JUMPI 00000035: DUP1 00000036: PUSH4 0x95d89b41 0000003b: EQ 0000003c: PUSH2 0x00da 0000003f: JUMPI 00000040: DUP1 00000041: PUSH4 0xa9059cbb 00000046: EQ 00000047: PUSH2 0x0137 0000004a: JUMPI 0000004b: DUP1 0000004c: PUSH4 0xb50a89f3 00000051: EQ 00000052: PUSH2 0x0166 00000055: JUMPI 00000056: JUMPDEST 00000057: STOP 00000058: JUMPDEST 00000059: PUSH1 0x40 0000005b: DUP1 0000005c: MLOAD 0000005d: PUSH1 0x00 0000005f: DUP1 00000060: SLOAD 00000061: PUSH1 0x20 00000063: PUSH1 0x02 00000065: PUSH1 0x01 00000067: DUP4 00000068: AND 00000069: ISZERO 0000006a: PUSH2 0x0100 0000006d: MUL 0000006e: PUSH1 0x00 00000070: NOT 00000071: ADD 00000072: SWAP1 00000073: SWAP3 00000074: AND 00000075: SWAP2 00000076: SWAP1 00000077: SWAP2 00000078: DIV 00000079: PUSH1 0x1f 0000007b: DUP2 0000007c: ADD 0000007d: DUP3 0000007e: SWAP1 0000007f: DIV 00000080: DUP3 00000081: MUL 00000082: DUP5 00000083: ADD 00000084: DUP3 00000085: ADD 00000086: SWAP1 00000087: SWAP5 00000088: MSTORE 00000089: DUP4 0000008a: DUP4 0000008b: MSTORE 0000008c: PUSH2 0x029b 0000008f: SWAP4 00000090: SWAP1 00000091: DUP4 00000092: ADD 00000093: DUP3 00000094: DUP3 00000095: DUP1 00000096: ISZERO 00000097: PUSH2 0x035d 0000009a: JUMPI 0000009b: DUP1 0000009c: PUSH1 0x1f 0000009e: LT 0000009f: PUSH2 0x0332 000000a2: JUMPI 000000a3: PUSH2 0x0100 000000a6: DUP1 000000a7: DUP4 000000a8: SLOAD 000000a9: DIV 000000aa: MUL 000000ab: DUP4 000000ac: MSTORE 000000ad: SWAP2 000000ae: PUSH1 0x20 
000000b0: ADD 000000b1: SWAP2 000000b2: PUSH2 0x035d 000000b5: JUMP 000000b6: JUMPDEST 000000b7: PUSH2 0x0309 000000ba: PUSH1 0x02 000000bc: SLOAD 000000bd: PUSH1 0xff 000000bf: AND 000000c0: DUP2 000000c1: JUMP 000000c2: JUMPDEST 000000c3: PUSH2 0x0320 000000c6: PUSH1 0x04 000000c8: CALLDATALOAD 000000c9: PUSH1 0x03 000000cb: PUSH1 0x20 000000cd: MSTORE 000000ce: PUSH1 0x00 000000d0: SWAP1 000000d1: DUP2 000000d2: MSTORE 000000d3: PUSH1 0x40 000000d5: SWAP1 000000d6: KECCAK256 000000d7: SLOAD 000000d8: DUP2 000000d9: JUMP 000000da: JUMPDEST 000000db: PUSH2 0x029b 000000de: PUSH1 0x01 000000e0: DUP1 000000e1: SLOAD 000000e2: PUSH1 0x40 000000e4: DUP1 000000e5: MLOAD 000000e6: PUSH1 0x20 000000e8: PUSH1 0x02 000000ea: DUP5 000000eb: DUP7 000000ec: AND 000000ed: ISZERO 000000ee: PUSH2 0x0100 000000f1: MUL 000000f2: PUSH1 0x00 000000f4: NOT 000000f5: ADD 000000f6: SWAP1 000000f7: SWAP5 000000f8: AND 000000f9: SWAP4 000000fa: SWAP1 000000fb: SWAP4 000000fc: DIV 000000fd: PUSH1 0x1f 000000ff: DUP2 00000100: ADD 00000101: DUP5 00000102: SWAP1 00000103: DIV 00000104: DUP5 00000105: MUL 00000106: DUP3 00000107: ADD 00000108: DUP5 00000109: ADD 0000010a: SWAP1 0000010b: SWAP3 0000010c: MSTORE 0000010d: DUP2 0000010e: DUP2 0000010f: MSTORE 00000110: SWAP3 00000111: SWAP2 00000112: DUP4 00000113: ADD 00000114: DUP3 00000115: DUP3 00000116: DUP1 00000117: ISZERO 00000118: PUSH2 0x035d 0000011b: JUMPI 0000011c: DUP1 0000011d: PUSH1 0x1f 0000011f: LT 00000120: PUSH2 0x0332 00000123: JUMPI 00000124: PUSH2 0x0100 00000127: DUP1 00000128: DUP4 00000129: SLOAD 0000012a: DIV 0000012b: MUL 0000012c: DUP4 0000012d: MSTORE 0000012e: SWAP2 0000012f: PUSH1 0x20 00000131: ADD 00000132: SWAP2 00000133: PUSH2 0x035d 00000136: JUMP 00000137: JUMPDEST 00000138: PUSH2 0x0056 0000013b: PUSH1 0x04 0000013d: CALLDATALOAD 0000013e: PUSH1 0x24 00000140: CALLDATALOAD 00000141: PUSH1 0x01 00000143: PUSH1 0xa0 00000145: PUSH1 0x02 00000147: EXP 00000148: SUB 00000149: CALLER 0000014a: AND 0000014b: 
PUSH1 0x00 0000014d: SWAP1 0000014e: DUP2 0000014f: MSTORE 00000150: PUSH1 0x03 00000152: PUSH1 0x20 00000154: MSTORE 00000155: PUSH1 0x40 00000157: SWAP1 00000158: KECCAK256 00000159: SLOAD 0000015a: DUP2 0000015b: SWAP1 0000015c: LT 0000015d: ISZERO 0000015e: PUSH2 0x0365 00000161: JUMPI 00000162: PUSH2 0x0002 00000165: JUMP 00000166: JUMPDEST 00000167: PUSH1 0x40 00000169: DUP1 0000016a: MLOAD 0000016b: PUSH1 0x20 0000016d: PUSH1 0x04 0000016f: PUSH1 0x24 00000171: DUP1 00000172: CALLDATALOAD 00000173: DUP3 00000174: DUP2 00000175: ADD 00000176: CALLDATALOAD 00000177: PUSH1 0x1f 00000179: DUP2 0000017a: ADD 0000017b: DUP6 0000017c: SWAP1 0000017d: DIV 0000017e: DUP6 0000017f: MUL 00000180: DUP7 00000181: ADD 00000182: DUP6 00000183: ADD 00000184: SWAP1 00000185: SWAP7 00000186: MSTORE 00000187: DUP6 00000188: DUP6 00000189: MSTORE 0000018a: PUSH2 0x0056 0000018d: SWAP6 0000018e: DUP4 0000018f: CALLDATALOAD 00000190: SWAP6 00000191: SWAP4 00000192: SWAP5 00000193: PUSH1 0x44 00000195: SWAP5 00000196: SWAP4 00000197: SWAP3 00000198: SWAP1 00000199: SWAP3 0000019a: ADD 0000019b: SWAP2 0000019c: DUP2 0000019d: SWAP1 0000019e: DUP5 0000019f: ADD 000001a0: DUP4 000001a1: DUP3 000001a2: DUP1 000001a3: DUP3 000001a4: DUP5 000001a5: CALLDATACOPY 000001a6: POP 000001a7: POP 000001a8: PUSH1 0x40 000001aa: DUP1 000001ab: MLOAD 000001ac: PUSH1 0x20 000001ae: SWAP8 000001af: CALLDATALOAD 000001b0: DUP1 000001b1: DUP11 000001b2: ADD 000001b3: CALLDATALOAD 000001b4: PUSH1 0x1f 000001b6: DUP2 000001b7: ADD 000001b8: DUP11 000001b9: SWAP1 000001ba: DIV 000001bb: DUP11 000001bc: MUL 000001bd: DUP4 000001be: ADD 000001bf: DUP11 000001c0: ADD 000001c1: SWAP1 000001c2: SWAP4 000001c3: MSTORE 000001c4: DUP3 000001c5: DUP3 000001c6: MSTORE 000001c7: SWAP7 000001c8: SWAP9 000001c9: SWAP8 000001ca: PUSH1 0x64 000001cc: SWAP8 000001cd: SWAP2 000001ce: SWAP7 000001cf: POP 000001d0: PUSH1 0x24 000001d2: SWAP2 000001d3: SWAP1 000001d4: SWAP2 000001d5: ADD 000001d6: SWAP5 000001d7: POP 
000001d8: SWAP1 000001d9: SWAP3 000001da: POP 000001db: DUP3 000001dc: SWAP2 000001dd: POP 000001de: DUP5 000001df: ADD 000001e0: DUP4 000001e1: DUP3 000001e2: DUP1 000001e3: DUP3 000001e4: DUP5 000001e5: CALLDATACOPY 000001e6: POP 000001e7: SWAP5 000001e8: SWAP7 000001e9: POP 000001ea: POP 000001eb: SWAP4 000001ec: CALLDATALOAD 000001ed: SWAP4 000001ee: POP 000001ef: POP 000001f0: POP 000001f1: POP 000001f2: DUP4 000001f3: PUSH1 0x00 000001f5: EQ 000001f6: ISZERO 000001f7: PUSH2 0x0201 000001fa: JUMPI 000001fb: PUSH3 0x0f4240 000001ff: SWAP4 00000200: POP 00000201: JUMPDEST 00000202: PUSH1 0x01 00000204: PUSH1 0xa0 00000206: PUSH1 0x02 00000208: EXP 00000209: SUB 0000020a: CALLER 0000020b: AND 0000020c: PUSH1 0x00 0000020e: SWAP1 0000020f: DUP2 00000210: MSTORE 00000211: PUSH1 0x03 00000213: PUSH1 0x20 00000215: SWAP1 00000216: DUP2 00000217: MSTORE 00000218: PUSH1 0x40 0000021a: DUP3 0000021b: KECCAK256 0000021c: DUP7 0000021d: SWAP1 0000021e: SSTORE 0000021f: DUP5 00000220: MLOAD 00000221: DUP3 00000222: SLOAD 00000223: DUP4 00000224: DUP1 00000225: MSTORE 00000226: PUSH1 0x02 00000228: PUSH1 0x01 0000022a: DUP3 0000022b: AND 0000022c: ISZERO 0000022d: PUSH2 0x0100 00000230: MUL 00000231: PUSH1 0x00 00000233: NOT 00000234: ADD 00000235: SWAP1 00000236: SWAP2 00000237: AND 00000238: DIV 00000239: PUSH1 0x1f 0000023b: SWAP1 0000023c: DUP2 0000023d: ADD 0000023e: DUP4 0000023f: SWAP1 00000240: DIV 00000241: PUSH32 0x290decd9548b62a8d60345a988386fc84ba6bc95484008f6362f93160ef3e563 00000262: SWAP1 00000263: DUP2 00000264: ADD 00000265: SWAP4 00000266: SWAP1 00000267: SWAP2 00000268: SWAP1 00000269: DUP9 0000026a: ADD 0000026b: SWAP1 0000026c: DUP4 0000026d: SWAP1 0000026e: LT 0000026f: PUSH2 0x03f7 00000272: JUMPI 00000273: DUP1 00000274: MLOAD 00000275: PUSH1 0xff 00000277: NOT 00000278: AND 00000279: DUP4 0000027a: DUP1 0000027b: ADD 0000027c: OR 0000027d: DUP6 0000027e: SSTORE 0000027f: JUMPDEST 00000280: POP 00000281: PUSH2 0x0427 00000284: SWAP3 00000285: SWAP2 
00000286: POP 00000287: JUMPDEST 00000288: DUP1 00000289: DUP3 0000028a: GT 0000028b: ISZERO 0000028c: PUSH2 0x0480 0000028f: JUMPI 00000290: PUSH1 0x00 00000292: DUP2 00000293: SSTORE 00000294: PUSH1 0x01 00000296: ADD 00000297: PUSH2 0x0287 0000029a: JUMP 0000029b: JUMPDEST 0000029c: PUSH1 0x40 0000029e: MLOAD 0000029f: DUP1 000002a0: DUP1 000002a1: PUSH1 0x20 000002a3: ADD 000002a4: DUP3 000002a5: DUP2 000002a6: SUB 000002a7: DUP3 000002a8: MSTORE 000002a9: DUP4 000002aa: DUP2 000002ab: DUP2 000002ac: MLOAD 000002ad: DUP2 000002ae: MSTORE 000002af: PUSH1 0x20 000002b1: ADD 000002b2: SWAP2 000002b3: POP 000002b4: DUP1 000002b5: MLOAD 000002b6: SWAP1 000002b7: PUSH1 0x20 000002b9: ADD 000002ba: SWAP1 000002bb: DUP1 000002bc: DUP4 000002bd: DUP4 000002be: DUP3 000002bf: SWAP1 000002c0: PUSH1 0x00 000002c2: PUSH1 0x04 000002c4: PUSH1 0x20 000002c6: DUP5 000002c7: PUSH1 0x1f 000002c9: ADD 000002ca: DIV 000002cb: PUSH1 0x0f 000002cd: MUL 000002ce: PUSH1 0x03 000002d0: ADD 000002d1: CALL 000002d2: POP 000002d3: SWAP1 000002d4: POP 000002d5: SWAP1 000002d6: DUP2 000002d7: ADD 000002d8: SWAP1 000002d9: PUSH1 0x1f 000002db: AND 000002dc: DUP1 000002dd: ISZERO 000002de: PUSH2 0x02fb 000002e1: JUMPI 000002e2: DUP1 000002e3: DUP3 000002e4: SUB 000002e5: DUP1 000002e6: MLOAD 000002e7: PUSH1 0x01 000002e9: DUP4 000002ea: PUSH1 0x20 000002ec: SUB 000002ed: PUSH2 0x0100 000002f0: EXP 000002f1: SUB 000002f2: NOT 000002f3: AND 000002f4: DUP2 000002f5: MSTORE 000002f6: PUSH1 0x20 000002f8: ADD 000002f9: SWAP2 000002fa: POP 000002fb: JUMPDEST 000002fc: POP 000002fd: SWAP3 000002fe: POP 000002ff: POP 00000300: POP 00000301: PUSH1 0x40 00000303: MLOAD 00000304: DUP1 00000305: SWAP2 00000306: SUB 00000307: SWAP1 00000308: RETURN 00000309: JUMPDEST 0000030a: PUSH1 0x40 0000030c: DUP1 0000030d: MLOAD 0000030e: PUSH1 0xff 00000310: SWAP3 00000311: SWAP1 00000312: SWAP3 00000313: AND 00000314: DUP3 00000315: MSTORE 00000316: MLOAD 00000317: SWAP1 00000318: DUP2 00000319: SWAP1 0000031a: 
SUB 0000031b: PUSH1 0x20 0000031d: ADD 0000031e: SWAP1 0000031f: RETURN 00000320: JUMPDEST 00000321: PUSH1 0x40 00000323: DUP1 00000324: MLOAD 00000325: SWAP2 00000326: DUP3 00000327: MSTORE 00000328: MLOAD 00000329: SWAP1 0000032a: DUP2 0000032b: SWAP1 0000032c: SUB 0000032d: PUSH1 0x20 0000032f: ADD 00000330: SWAP1 00000331: RETURN 00000332: JUMPDEST 00000333: DUP3 00000334: ADD 00000335: SWAP2 00000336: SWAP1 00000337: PUSH1 0x00 00000339: MSTORE 0000033a: PUSH1 0x20 0000033c: PUSH1 0x00 0000033e: KECCAK256 0000033f: SWAP1 00000340: JUMPDEST 00000341: DUP2 00000342: SLOAD 00000343: DUP2 00000344: MSTORE 00000345: SWAP1 00000346: PUSH1 0x01 00000348: ADD 00000349: SWAP1 0000034a: PUSH1 0x20 0000034c: ADD 0000034d: DUP1 0000034e: DUP4 0000034f: GT 00000350: PUSH2 0x0340 00000353: JUMPI 00000354: DUP3 00000355: SWAP1 00000356: SUB 00000357: PUSH1 0x1f 00000359: AND 0000035a: DUP3 0000035b: ADD 0000035c: SWAP2 0000035d: JUMPDEST 0000035e: POP 0000035f: POP 00000360: POP 00000361: POP 00000362: POP 00000363: DUP2 00000364: JUMP 00000365: JUMPDEST 00000366: PUSH1 0x01 00000368: PUSH1 0xa0 0000036a: PUSH1 0x02 0000036c: EXP 0000036d: SUB 0000036e: DUP3 0000036f: AND 00000370: PUSH1 0x00 00000372: SWAP1 00000373: DUP2 00000374: MSTORE 00000375: PUSH1 0x03 00000377: PUSH1 0x20 00000379: MSTORE 0000037a: PUSH1 0x40 0000037c: SWAP1 0000037d: KECCAK256 0000037e: SLOAD 0000037f: DUP1 00000380: DUP3 00000381: ADD 00000382: LT 00000383: ISZERO 00000384: PUSH2 0x038c 00000387: JUMPI 00000388: PUSH2 0x0002 0000038b: JUMP 0000038c: JUMPDEST 0000038d: PUSH1 0x01 0000038f: PUSH1 0xa0 00000391: PUSH1 0x02 00000393: EXP 00000394: SUB 00000395: CALLER 00000396: DUP2 00000397: AND 00000398: PUSH1 0x00 0000039a: DUP2 0000039b: DUP2 0000039c: MSTORE 0000039d: PUSH1 0x03 0000039f: PUSH1 0x20 000003a1: SWAP1 000003a2: DUP2 000003a3: MSTORE 000003a4: PUSH1 0x40 000003a6: DUP1 000003a7: DUP4 000003a8: KECCAK256 000003a9: DUP1 000003aa: SLOAD 000003ab: DUP8 000003ac: SWAP1 000003ad: SUB 
000003ae: SWAP1 000003af: SSTORE 000003b0: SWAP4 000003b1: DUP7 000003b2: AND 000003b3: DUP1 000003b4: DUP4 000003b5: MSTORE 000003b6: SWAP2 000003b7: DUP5 000003b8: SWAP1 000003b9: KECCAK256 000003ba: DUP1 000003bb: SLOAD 000003bc: DUP7 000003bd: ADD 000003be: SWAP1 000003bf: SSTORE 000003c0: DUP4 000003c1: MLOAD 000003c2: DUP6 000003c3: DUP2 000003c4: MSTORE 000003c5: SWAP4 000003c6: MLOAD 000003c7: SWAP2 000003c8: SWAP4 000003c9: PUSH32 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef 000003ea: SWAP3 000003eb: SWAP1 000003ec: DUP2 000003ed: SWAP1 000003ee: SUB 000003ef: SWAP1 000003f0: SWAP2 000003f1: ADD 000003f2: SWAP1 000003f3: LOG3 000003f4: POP 000003f5: POP 000003f6: JUMP 000003f7: JUMPDEST 000003f8: DUP3 000003f9: DUP1 000003fa: ADD 000003fb: PUSH1 0x01 000003fd: ADD 000003fe: DUP6 000003ff: SSTORE 00000400: DUP3 00000401: ISZERO 00000402: PUSH2 0x027f 00000405: JUMPI 00000406: SWAP2 00000407: DUP3 00000408: ADD 00000409: JUMPDEST 0000040a: DUP3 0000040b: DUP2 0000040c: GT 0000040d: ISZERO 0000040e: PUSH2 0x027f 00000411: JUMPI 00000412: DUP3 00000413: MLOAD 00000414: DUP3 00000415: PUSH1 0x00 00000417: POP 00000418: SSTORE 00000419: SWAP2 0000041a: PUSH1 0x20 0000041c: ADD 0000041d: SWAP2 0000041e: SWAP1 0000041f: PUSH1 0x01 00000421: ADD 00000422: SWAP1 00000423: PUSH2 0x0409 00000426: JUMP 00000427: JUMPDEST 00000428: POP 00000429: POP 0000042a: DUP2 0000042b: PUSH1 0x01 0000042d: PUSH1 0x00 0000042f: POP 00000430: SWAP1 00000431: DUP1 00000432: MLOAD 00000433: SWAP1 00000434: PUSH1 0x20 00000436: ADD 00000437: SWAP1 00000438: DUP3 00000439: DUP1 0000043a: SLOAD 0000043b: PUSH1 0x01 0000043d: DUP2 0000043e: PUSH1 0x01 00000440: AND 00000441: ISZERO 00000442: PUSH2 0x0100 00000445: MUL 00000446: SUB 00000447: AND 00000448: PUSH1 0x02 0000044a: SWAP1 0000044b: DIV 0000044c: SWAP1 0000044d: PUSH1 0x00 0000044f: MSTORE 00000450: PUSH1 0x20 00000452: PUSH1 0x00 00000454: KECCAK256 00000455: SWAP1 00000456: PUSH1 0x1f 00000458: ADD 
00000459: PUSH1 0x20 0000045b: SWAP1 0000045c: DIV 0000045d: DUP2 0000045e: ADD 0000045f: SWAP3 00000460: DUP3 00000461: PUSH1 0x1f 00000463: LT 00000464: PUSH2 0x0484 00000467: JUMPI 00000468: DUP1 00000469: MLOAD 0000046a: PUSH1 0xff 0000046c: NOT 0000046d: AND 0000046e: DUP4 0000046f: DUP1 00000470: ADD 00000471: OR 00000472: DUP6 00000473: SSTORE 00000474: JUMPDEST 00000475: POP 00000476: PUSH2 0x04b4 00000479: SWAP3 0000047a: SWAP2 0000047b: POP 0000047c: PUSH2 0x0287 0000047f: JUMP 00000480: JUMPDEST 00000481: POP 00000482: SWAP1 00000483: JUMP 00000484: JUMPDEST 00000485: DUP3 00000486: DUP1 00000487: ADD 00000488: PUSH1 0x01 0000048a: ADD 0000048b: DUP6 0000048c: SSTORE 0000048d: DUP3 0000048e: ISZERO 0000048f: PUSH2 0x0474 00000492: JUMPI 00000493: SWAP2 00000494: DUP3 00000495: ADD 00000496: JUMPDEST 00000497: DUP3 00000498: DUP2 00000499: GT 0000049a: ISZERO 0000049b: PUSH2 0x0474 0000049e: JUMPI 0000049f: DUP3 000004a0: MLOAD 000004a1: DUP3 000004a2: PUSH1 0x00 000004a4: POP 000004a5: SSTORE 000004a6: SWAP2 000004a7: PUSH1 0x20 000004a9: ADD 000004aa: SWAP2 000004ab: SWAP1 000004ac: PUSH1 0x01 000004ae: ADD 000004af: SWAP1 000004b0: PUSH2 0x0496 000004b3: JUMP 000004b4: JUMPDEST 000004b5: POP 000004b6: POP 000004b7: PUSH1 0x02 000004b9: DUP1 000004ba: SLOAD 000004bb: PUSH1 0xff 000004bd: NOT 000004be: AND 000004bf: DUP3 000004c0: OR 000004c1: SWAP1 000004c2: SSTORE 000004c3: POP 000004c4: POP 000004c5: POP 000004c6: POP 000004c7: JUMP
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| critical | access_control | codex | Public initializer-style function can assign arbitrary balance and rewrite metadata | 90 | no | — |
evidence_json{
"evidence": "Selector inference is best-effort, but the jump table routes `0xb50a89f3` to `pc:0x166`. No auth guards were detected in the artifact. Inside that routine, `CALLER` is masked and hashed with storage slot `0x03`, then stored via `SSTORE` at `pc:0x21e`, indicating a caller-indexed balance write. The amount appears to come from calldata, with a zero input replaced by `0x0f4240` at `pc:0x1fb-0x1ff`. The same routine then writes dynamic storage associated with slots 0 and 1 (`pc:0x27e`, `pc:0x473`) and updates the low byte of slot 2 at `pc:0x4c2`, consistent with metadata/decimals initialization.",
"locations": [
"selector:0xb50a89f3",
"pc:0x166",
"pc:0x1fb",
"pc:0x21e",
"pc:0x27e",
"pc:0x473",
"pc:0x4c2"
],
"recommendation": "Treat this path as an initializer/admin function and protect it accordingly: restrict it to deployment/constructor time or a privileged role, add a single-use initialized flag, and separate metadata initialization from user-callable runtime logic.",
"exploit_scenario": "A public caller invokes the unknown selector `0xb50a89f3` with crafted arguments. The routine appears to write `balances[msg.sender]` in the slot-3 mapping, with a zero amount defaulting to `0x0f4240` (1,000,000), and then rewrites the dynamic data stored in slots 0 and 1 plus the low byte of slot 2. Because no owner check or one-time initialization guard is evident, any attacker can repeatedly mint/reassign their own balance and change name/symbol/decimals-like metadata after deployment."
}
|
| high | other | detector | Untrusted CALL target/value reachable | 60 | yes | yes |
trace_id: 0xe9145b591c812f6840ff9251fa1bc8e099547a1408d0bf5d2327d598a42600c4
call_targets: 0x0000000000000000000000000000000000000004, 0x0d90b565cd67733f70c21fe38f355e3469012856
target_varies: yes
classification: target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0xe9145b591c812f6840ff9251fa1bc8e099547a1408d0bf5d2327d598a42600c4",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x0d90b565cd67733f70c21fe38f355e3469012856"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x70a08231",
"selector": "0x70a08231",
"calldata_variants": [
"0x70a08231",
"0x70a082310000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x95d89b41",
"selector": "0x95d89b41",
"calldata_variants": [
"0x95d89b41",
"0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa9059cbb",
"selector": "0xa9059cbb",
"calldata_variants": [
"0xa9059cbb",
"0xa9059cbb0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xb50a89f3",
"selector": "0xb50a89f3",
"calldata_variants": [
"0xb50a89f3",
"0xb50a89f30000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 721,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 1,
"guards_detected": [],
"untrusted_call_count": 1
}
|
| high | other | detector | ETH value transfer possible | 55 | yes | yes |
trace_id: 0xe9145b591c812f6840ff9251fa1bc8e099547a1408d0bf5d2327d598a42600c4
call_targets: 0x0000000000000000000000000000000000000004, 0x0d90b565cd67733f70c21fe38f355e3469012856
target_varies: yes
classification: target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0xe9145b591c812f6840ff9251fa1bc8e099547a1408d0bf5d2327d598a42600c4",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x0d90b565cd67733f70c21fe38f355e3469012856"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x70a08231",
"selector": "0x70a08231",
"calldata_variants": [
"0x70a08231",
"0x70a082310000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x95d89b41",
"selector": "0x95d89b41",
"calldata_variants": [
"0x95d89b41",
"0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa9059cbb",
"selector": "0xa9059cbb",
"calldata_variants": [
"0xa9059cbb",
"0xa9059cbb0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xb50a89f3",
"selector": "0xb50a89f3",
"calldata_variants": [
"0xb50a89f3",
"0xb50a89f30000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 721,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 1,
"guards_detected": []
}
|
| low | other | codex | Contract appears payable and may permanently lock ETH | 65 | no | — |
evidence_json{
"evidence": "There is no `CALLVALUE` opcode in the runtime bytecode, so functions/fallback are implicitly payable. The dispatcher falls through to `STOP` at `pc:0x56` for empty/unmatched calldata. The sole callsite is `pc:0x2d1`; the surrounding sequence includes fixed pushes `PUSH1 0x00`, `PUSH1 0x04`, then `CALL`, which is consistent with the identity precompile rather than a user-controlled payout. This conclusion is based on bytecode pattern matching only.",
"locations": [
"pc:0x56",
"pc:0x2d1"
],
"recommendation": "If ETH should never be held, add a non-payable fallback/receive behavior (or explicit value checks) so ETH-bearing calls revert. If ETH custody is intended, add an explicit, access-controlled withdrawal path.",
"exploit_scenario": "A user sends ETH directly to the contract or includes `msg.value` when calling one of its functions. The bytecode shows no `CALLVALUE` rejection anywhere, and the fallback/default path stops successfully instead of reverting. Since the only observed `CALL` appears to target precompile `0x04` for internal memory-copy behavior rather than an outbound payment path, accidentally sent ETH may become unrecoverable."
}
|