019b3836-3266-71ee-9fc6-e14487ac5853
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 2949 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 2950 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 45796 | analysis.bundle | complete | 1 / 3 | 1 week ago |
| 45797 | capability.graph | complete | 1 / 3 | 1 week ago |
| 45798 | detector.run | complete | 1 / 3 | 1 week ago |
| 45799 | validation.fork | complete | 1 / 3 | 1 week ago |
| 113250 | report.consolidate | complete | 1 / 6 | 1 week ago |
No slither job recorded yet.
{"no_findings":false,"summary":"Bytecode-only review suggests a minimal ERC20-like runtime with best-effort selector inference for `name` (`0x06fdde03`), `decimals` (`0x313ce567`), `balanceOf` (`0x70a08231`), `symbol` (`0x95d89b41`), and `transfer` (`0xa9059cbb`). I did not find concrete evidence of reentrancy, upgradeability, delegatecall, or privileged admin paths. The lone `CALL` at `pc:0x188` is more consistent with a shared dynamic-bytes/string return helper than with the transfer/accounting path, so I do not treat the detector's untrusted-call alert as a confirmed exploit. The one supported issue is that the runtime appears to accept ETH on arbitrary calls or fallback without an observable recovery path, although selector inference is incomplete and a hidden recovery selector cannot be ruled out from bytecode alone.","findings":[{"severity":"low","category":"other","title":"Contract appears to accept ETH without an observable withdrawal or recovery path","exploit_scenario":"A user or integrating contract sends ETH alongside `transfer(...)` or to an unmatched selector/empty calldata. Because the runtime shows no `CALLVALUE` rejection logic and the default path falls through to `STOP`, the call can succeed while the ETH remains on the token contract. In the analyzed selector set there is no visible withdrawal/admin function, and there is no `SELFDESTRUCT` capability, so the ETH may become permanently stranded.","recommendation":"Add an explicit non-payable guard (`CALLVALUE` -> revert) on all non-ETH entrypoints, and make the fallback/receive path revert unless intentional ETH receipt is required. If ETH must be receivable, expose a clearly controlled withdrawal path and document it.","evidence":"Across all recovered basic blocks, the artifact shows zero `CALLVALUE`, `REVERT`, or `INVALID` opcodes, and the unmatched-dispatch path ends at `pc:0x45` with `STOP`. The recovered selector set is limited to token-style read/transfer functions, `auth.guards` is empty, `sinks.selfdestruct` is 0, and no upgrade/admin capability is indicated. This is bytecode-only evidence, so a hidden selector is still theoretically possible, but the visible runtime strongly suggests accidental ETH can be accepted and trapped.","locations":["pc:0x0","pc:0x45","selector:0xa9059cbb"]}]}
OpenAI Codex v0.118.0 (research preview)
--------
workdir: /tmp/codex-mx1uukw2
model: gpt-5.4
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: none
session id: 019d5ba1-f645-7392-9713-a234be90dbeb
--------
user
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
warning: Codex could not find system bubblewrap on PATH. Please install bubblewrap with your package manager. Codex will use the vendored bubblewrap in the meantime.
→ Inspect BYTECODE_BUNDLE.json and repository contents to understand available bytecode analysis artifacts
• Assess evidence for concrete security issues with explicit uncertainty from bytecode-only context
• Produce schema-valid JSON findings with precise evidence and locations
exec
/bin/bash -lc "pwd && rg --files -g 'BYTECODE_BUNDLE.json' -g 'AGENTS.md' -g '*.json'" in /tmp/codex-mx1uukw2
succeeded in 0ms:
/tmp/codex-mx1uukw2
codex-output-schema.json
BYTECODE_BUNDLE.json
exec
/bin/bash -lc "sed -n '1,260p' BYTECODE_BUNDLE.json" in /tmp/codex-mx1uukw2
succeeded in 0ms:
{
"analysis_artifact": {
"address": "0x5a4127a9109ac0878f07c099dd1cd328620e053b",
"artifact_hash": "0x809753134b52255340a33f9ed532d71297ef581feb31e0abb2d615c60b41d701",
"artifact_json": {
"auth": {
"guards": []
},
"basic_blocks": [
{
"end_pc": 24,
"hash": "0x6a350686911b120d699f8e8d1e9440d4ce17c4434492baee43484e2ef083a112",
"opcodes": [
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"PUSH1",
"EXP",
"PUSH1",
"CALLDATALOAD",
"DIV",
"PUSH4",
"OP_81",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 0
},
{
"end_pc": 35,
"hash": "0x09fc75e3aa8fb02b98e24881cc463925488c7dfa7ef308570a5930c5c420c614",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 25
},
{
"end_pc": 46,
"hash": "0x976103db32485bde438fb5c3f9f54ee02f48623f2e3b08249411cd4aee3c334a",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 36
},
{
"end_pc": 57,
"hash": "0x3c19c073e27395dc44272beb525b6373ad140a4045aabbd1b653e498e1806824",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 47
},
{
"end_pc": 68,
"hash": "0x3a122683470ea7901e31e80e6378780a829a06da64b04e691b5d5c5621392507",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 58
},
{
"end_pc": 70,
"hash": "0x55afd043d32294d5f0189f5a0aa04f3174e4c087a31c85396f49b5f17813cb96",
"opcodes": [
"JUMPDEST",
"STOP"
],
"start_pc": 69
},
{
"end_pc": 136,
"hash": "0xfc01f99e3d71612bfaa85e2bb57cdd9403eabce7b9348bcac405b7924f1b1f2d",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"OP_80",
"SLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"OP_83",
"AND",
"ISZERO",
"PUSH2",
"MUL",
"PUSH1",
"NOT",
"ADD",
"OP_90",
"OP_92",
"AND",
"OP_91",
"OP_90",
"OP_91",
"DIV",
"PUSH1",
"OP_81",
"ADD",
"OP_82",
"OP_90",
"DIV",
"OP_90",
"OP_91",
"MUL",
"PUSH1",
"OP_90",
"OP_81",
"ADD",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_82",
"OP_81",
"MSTORE",
"OP_92",
"OP_91",
"OP_90",
"OP_82",
"OP_82",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 71
},
{
"end_pc": 144,
"hash": "0x94766029cd41199d0239fbf67bb17d1e452d9bb9f7b63a80357531b66475e6d3",
"opcodes": [
"OP_80",
"PUSH1",
"LT",
"PUSH2",
"JUMPI"
],
"start_pc": 137
},
{
"end_pc": 163,
"hash": "0x7a9c5e28ca72e7db26993eb4591b942a2bd83baf5200667721f5598807ec92a5",
"opcodes": [
"PUSH2",
"OP_80",
"OP_83",
"SLOAD",
"DIV",
"MUL",
"OP_83",
"MSTORE",
"OP_91",
"PUSH1",
"ADD",
"OP_91",
"PUSH2",
"JUMP"
],
"start_pc": 145
},
{
"end_pc": 175,
"hash": "0x938aee19a0e1094c19b5a9528f839968d51c237564158e673ab6899436584f6e",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"SLOAD",
"PUSH1",
"AND",
"OP_81",
"JUMP"
],
"start_pc": 164
},
{
"end_pc": 199,
"hash": "0x7b0565c261db3d55c39f20ac0ee4d4710d6951f51b6844e361a4647909dcfc38",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"OP_90",
"SHA3",
"SLOAD",
"OP_81",
"JUMP"
],
"start_pc": 176
},
{
"end_pc": 263,
"hash": "0x05bb2b1cf28e868299a2692b981f091c16cd0b0ff5f325436e762172d3967632",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"OP_80",
"SLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"PUSH1",
"NOT",
"PUSH2",
"OP_85",
"OP_87",
"AND",
"ISZERO",
"MUL",
"ADD",
"OP_90",
"OP_93",
"AND",
"OP_92",
"OP_90",
"OP_92",
"DIV",
"OP_91",
"OP_82",
"ADD",
"OP_81",
"OP_90",
"DIV",
"MUL",
"PUSH1",
"OP_90",
"OP_81",
"ADD",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_82",
exec
/bin/bash -lc "sed -n '1,220p' codex-output-schema.json" in /tmp/codex-mx1uukw2
succeeded in 0ms:
{"type": "object", "additionalProperties": false, "required": ["no_findings", "summary", "findings"], "properties": {"no_findings": {"type": "boolean"}, "summary": {"type": "string"}, "findings": {"type": "array", "items": {"type": "object", "additionalProperties": false, "required": ["severity", "category", "title", "evidence", "locations", "exploit_scenario", "recommendation"], "properties": {"severity": {"type": "string", "enum": ["info", "low", "medium", "high", "critical"]}, "category": {"type": "string", "enum": ["access_control", "reentrancy", "math", "oracle", "upgradeability", "auth", "other"]}, "title": {"type": "string"}, "exploit_scenario": {"type": "string"}, "recommendation": {"type": "string"}, "evidence": {"type": "string"}, "locations": {"type": "array", "items": {"type": "string"}}}}}}}
exec
/bin/bash -lc "jq 'keys, .analysis_artifact.artifact_json | keys' BYTECODE_BUNDLE.json" in /tmp/codex-mx1uukw2
succeeded in 0ms:
[
0,
1,
2,
3,
4,
5
]
[
"auth",
"basic_blocks",
"callsites",
"cfg_edges",
"cfg_hash",
"dispatcher_type",
"function_entries",
"functions",
"selectors",
"sinks",
"storage",
"version"
]
exec
/bin/bash -lc "jq '{top_keys: keys, artifact_meta: .analysis_artifact | {address, artifact_hash}, dispatcher_type: .analysis_artifact.artifact_json.dispatcher_type, selectors: .analysis_artifact.artifact_json.selectors, function_entries: .analysis_artifact.artifact_json.function_entries, functions: .analysis_artifact.artifact_json.functions, callsites: .analysis_artifact.artifact_json.callsites, sinks: .analysis_artifact.artifact_json.sinks, storage: .analysis_artifact.artifact_json.storage, auth: .analysis_artifact.artifact_json.auth, detector_findings: .detector_findings, evidence_bundle: .evidence_bundle}' BYTECODE_BUNDLE.json" in /tmp/codex-mx1uukw2
succeeded in 0ms:
{
"top_keys": [
"analysis_artifact",
"analysis_run",
"artifact",
"capability_graph",
"detector_findings",
"heuristics_summary"
],
"artifact_meta": {
"address": "0x5a4127a9109ac0878f07c099dd1cd328620e053b",
"artifact_hash": "0x809753134b52255340a33f9ed532d71297ef581feb31e0abb2d615c60b41d701"
},
"dispatcher_type": "selector_jump_table",
"selectors": [
"0x06fdde03",
"0x313ce567",
"0x70a08231",
"0x95d89b41",
"0xa9059cbb"
],
"function_entries": [
{
"entry_pc": null,
"selector": "0x06fdde03"
},
{
"entry_pc": 1889567281,
"selector": "0x313ce567"
},
{
"entry_pc": 2514000705,
"selector": "0x70a08231"
},
{
"entry_pc": 2835717307,
"selector": "0x95d89b41"
},
{
"entry_pc": null,
"selector": "0xa9059cbb"
}
],
"functions": [
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0x06fdde03",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 1889567281,
"selector": "0x313ce567",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 2514000705,
"selector": "0x70a08231",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 2835717307,
"selector": "0x95d89b41",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0xa9059cbb",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
}
],
"callsites": [
{
"opcode": "CALL",
"pc": 392,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"sinks": {
"call": 1,
"create": 0,
"create2": 0,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0,
"upgrade_slot_write_suspected": false
},
"storage": {
"keccak_count": 6,
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
},
"auth": {
"guards": []
},
"detector_findings": [
{
"confidence": 60,
"evidence_json": {
"call_count": 1,
"examples": [
{
"opcode": "CALL",
"pc": 392,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": [],
"untrusted_call_count": 1
},
"normalized_json": {
"sink": "CALL"
},
"severity": "high",
"title": "Untrusted CALL target/value reachable",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x5a4127a9109ac0878f07c099dd1cd328620e053b"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0xe7d02e2088fde6daba41e9c9ba51f6ea4e9f8221a12da59b86228e50d4d0490b",
"trace_mode": "callTracer"
}
},
{
"confidence": 55,
"evidence_json": {
"eth_value_calls": 1,
"examples": [
{
"opcode": "CALL",
"pc": 392,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": []
},
"normalized_json": {
"sink": "CALL",
"value": "nonzero"
},
"severity": "high",
"title": "ETH value transfer possible",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x5a4127a9109ac0878f07c099dd1cd328620e053b"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0xe7d02e2088fde6daba41e9c9ba51f6ea4e9f8221a12da59b86228e50d4d0490b",
"trace_mode": "callTracer"
}
}
],
"evidence_bundle": null
}
exec
/bin/bash -lc "wc -c BYTECODE_BUNDLE.json && jq '.analysis_artifact.artifact_json.basic_blocks | length' BYTECODE_BUNDLE.json" in /tmp/codex-mx1uukw2
succeeded in 0ms:
44930 BYTECODE_BUNDLE.json
27
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.basic_blocks' BYTECODE_BUNDLE.json" in /tmp/codex-mx1uukw2
succeeded in 0ms:
[
{
"end_pc": 24,
"hash": "0x6a350686911b120d699f8e8d1e9440d4ce17c4434492baee43484e2ef083a112",
"opcodes": [
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"PUSH1",
"EXP",
"PUSH1",
"CALLDATALOAD",
"DIV",
"PUSH4",
"OP_81",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 0
},
{
"end_pc": 35,
"hash": "0x09fc75e3aa8fb02b98e24881cc463925488c7dfa7ef308570a5930c5c420c614",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 25
},
{
"end_pc": 46,
"hash": "0x976103db32485bde438fb5c3f9f54ee02f48623f2e3b08249411cd4aee3c334a",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 36
},
{
"end_pc": 57,
"hash": "0x3c19c073e27395dc44272beb525b6373ad140a4045aabbd1b653e498e1806824",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 47
},
{
"end_pc": 68,
"hash": "0x3a122683470ea7901e31e80e6378780a829a06da64b04e691b5d5c5621392507",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 58
},
{
"end_pc": 70,
"hash": "0x55afd043d32294d5f0189f5a0aa04f3174e4c087a31c85396f49b5f17813cb96",
"opcodes": [
"JUMPDEST",
"STOP"
],
"start_pc": 69
},
{
"end_pc": 136,
"hash": "0xfc01f99e3d71612bfaa85e2bb57cdd9403eabce7b9348bcac405b7924f1b1f2d",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"OP_80",
"SLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"OP_83",
"AND",
"ISZERO",
"PUSH2",
"MUL",
"PUSH1",
"NOT",
"ADD",
"OP_90",
"OP_92",
"AND",
"OP_91",
"OP_90",
"OP_91",
"DIV",
"PUSH1",
"OP_81",
"ADD",
"OP_82",
"OP_90",
"DIV",
"OP_90",
"OP_91",
"MUL",
"PUSH1",
"OP_90",
"OP_81",
"ADD",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_82",
"OP_81",
"MSTORE",
"OP_92",
"OP_91",
"OP_90",
"OP_82",
"OP_82",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 71
},
{
"end_pc": 144,
"hash": "0x94766029cd41199d0239fbf67bb17d1e452d9bb9f7b63a80357531b66475e6d3",
"opcodes": [
"OP_80",
"PUSH1",
"LT",
"PUSH2",
"JUMPI"
],
"start_pc": 137
},
{
"end_pc": 163,
"hash": "0x7a9c5e28ca72e7db26993eb4591b942a2bd83baf5200667721f5598807ec92a5",
"opcodes": [
"PUSH2",
"OP_80",
"OP_83",
"SLOAD",
"DIV",
"MUL",
"OP_83",
"MSTORE",
"OP_91",
"PUSH1",
"ADD",
"OP_91",
"PUSH2",
"JUMP"
],
"start_pc": 145
},
{
"end_pc": 175,
"hash": "0x938aee19a0e1094c19b5a9528f839968d51c237564158e673ab6899436584f6e",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"SLOAD",
"PUSH1",
"AND",
"OP_81",
"JUMP"
],
"start_pc": 164
},
{
"end_pc": 199,
"hash": "0x7b0565c261db3d55c39f20ac0ee4d4710d6951f51b6844e361a4647909dcfc38",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"OP_90",
"SHA3",
"SLOAD",
"OP_81",
"JUMP"
],
"start_pc": 176
},
{
"end_pc": 263,
"hash": "0x05bb2b1cf28e868299a2692b981f091c16cd0b0ff5f325436e762172d3967632",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"OP_80",
"SLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"PUSH1",
"NOT",
"PUSH2",
"OP_85",
"OP_87",
"AND",
"ISZERO",
"MUL",
"ADD",
"OP_90",
"OP_93",
"AND",
"OP_92",
"OP_90",
"OP_92",
"DIV",
"OP_91",
"OP_82",
"ADD",
"OP_81",
"OP_90",
"DIV",
"MUL",
"PUSH1",
"OP_90",
"OP_81",
"ADD",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_82",
"OP_81",
"MSTORE",
"OP_92",
"OP_91",
"OP_90",
"OP_82",
"OP_82",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 200
},
{
"end_pc": 271,
"hash": "0x21b49c68f1af8b85acdfbc3ef26289b590ab67ebb18271dfc552d3d38c161349",
"opcodes": [
"OP_80",
"PUSH1",
"LT",
"PUSH2",
"JUMPI"
],
"start_pc": 264
},
{
"end_pc": 290,
"hash": "0xae7e4932e7d3455de45f6fa310bc61e816c4075510a405b25c6797cfa8308dd4",
"opcodes": [
"PUSH2",
"OP_80",
"OP_83",
"SLOAD",
"DIV",
"MUL",
"OP_83",
"MSTORE",
"OP_91",
"PUSH1",
"ADD",
"OP_91",
"PUSH2",
"JUMP"
],
"start_pc": 272
},
{
"end_pc": 333,
"hash": "0x695d244bc0789518ea2be8b9593ab18c4b31efe9b0bb2b4a99b09bfa0bd4168d",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"CALLER",
"AND",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_90",
"SHA3",
"SLOAD",
"OP_81",
"OP_90",
"LT",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 291
},
{
"end_pc": 337,
"hash": "0x5ebda49c75a90269902080f51db6f1c7b1af883a7fd6baf1d61b81a8b96dcdca",
"opcodes": [
"PUSH2",
"JUMP"
],
"start_pc": 334
},
{
"end_pc": 408,
"hash": "0x8260bcfbd4c1d49f77b482640c6297cd133661f3ada7f52d07e1835f240b06d3",
"opcodes": [
"JUMPDEST",
"PUSH1",
"MLOAD",
"OP_80",
"OP_80",
"PUSH1",
"ADD",
"OP_82",
"OP_81",
"SUB",
"OP_82",
"MSTORE",
"OP_83",
"OP_81",
"OP_81",
"MLOAD",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP",
"OP_80",
"MLOAD",
"OP_90",
"PUSH1",
"ADD",
"OP_90",
"OP_80",
"OP_83",
"OP_83",
"OP_82",
"OP_90",
"PUSH1",
"PUSH1",
"PUSH1",
"OP_84",
"PUSH1",
"ADD",
"DIV",
"PUSH1",
"MUL",
"PUSH1",
"ADD",
"CALL",
"POP",
"OP_90",
"POP",
"OP_90",
"OP_81",
"ADD",
"OP_90",
"PUSH1",
"AND",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 338
},
{
"end_pc": 433,
"hash": "0xc0a703c2254334f9171c8126ae06fea5cf289341f4c19c890fa2f6b928c400e4",
"opcodes": [
"OP_80",
"OP_82",
"SUB",
"OP_80",
"MLOAD",
"PUSH1",
"OP_83",
"PUSH1",
"SUB",
"PUSH2",
"EXP",
"SUB",
"NOT",
"AND",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP"
],
"start_pc": 409
},
{
"end_pc": 447,
"hash": "0xbbf38bd955ec6188d491c8a752950f390e38b6a9203b6891438ecf3d66b81c51",
"opcodes": [
"JUMPDEST",
"POP",
"OP_92",
"POP",
"POP",
"POP",
"PUSH1",
"MLOAD",
"OP_80",
"OP_91",
"SUB",
"OP_90",
"RETURN"
],
"start_pc": 434
},
{
"end_pc": 457,
"hash": "0xe40870dc717cbfdedea9fbb4d2473ca373d3dd88734eda3a8e7ff7e0a08a80de",
"opcodes": [
"JUMPDEST",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"OP_90",
"RETURN"
],
"start_pc": 448
},
{
"end_pc": 471,
"hash": "0x712f7aabde4f2b6cb8fd21b243449d960bb2bde97dfa68f99a6793a74191755f",
"opcodes": [
"JUMPDEST",
"OP_82",
"ADD",
"OP_91",
"OP_90",
"PUSH1",
"MSTORE",
"PUSH1",
"PUSH1",
"SHA3",
"OP_90"
],
"start_pc": 458
},
{
"end_pc": 491,
"hash": "0xb72355893dc85ba3dba3d8450e06bc619269717a95c970bc878e9b20fda0e6a2",
"opcodes": [
"JUMPDEST",
"OP_81",
"SLOAD",
"OP_81",
"MSTORE",
"OP_90",
"PUSH1",
"ADD",
"OP_90",
"PUSH1",
"ADD",
"OP_80",
"OP_83",
"GT",
"PUSH2",
"JUMPI"
],
"start_pc": 472
},
{
"end_pc": 500,
"hash": "0x44d3956d843a32ee50717833fa8ec9dbfa425cdf8dcb23848e44acae24f05d14",
"opcodes": [
"OP_82",
"OP_90",
"SUB",
"PUSH1",
"AND",
"OP_82",
"ADD",
"OP_91"
],
"start_pc": 492
},
{
"end_pc": 508,
"hash": "0xfc2ec825a8f178aa5a5c70c694abf2c3132e519e33d00850e8769ebb62cf186a",
"opcodes": [
"JUMPDEST",
"POP",
"POP",
"POP",
"POP",
"POP",
"OP_81",
"JUMP"
],
"start_pc": 501
},
{
"end_pc": 538,
"hash": "0xa75c05a5c67571b18cbd868879dec0d7c57966797b1df8756504756360d24fa1",
"opcodes": [
"JUMPDEST",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"OP_82",
"AND",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"OP_90",
"SHA3",
"SLOAD",
"OP_80",
"OP_82",
"ADD",
"LT",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 509
},
{
"end_pc": 542,
"hash": "0xee4e5c2be823ee6e569c01a0bf832422eaf7ebbf27bd4c5f027d970c75b8c6f9",
"opcodes": [
"PUSH2",
"JUMP"
],
"start_pc": 539
},
{
"end_pc": 715,
"hash": "0x55470c341be9e608b9f37871022d25fc911758efeacc5d69b28df302da0d728e",
"opcodes": [
"JUMPDEST",
"OP_80",
"PUSH1",
"PUSH1",
"POP",
"PUSH1",
"CALLER",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"AND",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"PUSH1",
"SHA3",
"PUSH1",
"OP_82",
"OP_82",
"OP_82",
"POP",
"SLOAD",
"SUB",
"OP_92",
"POP",
"POP",
"OP_81",
"OP_90",
"SSTORE",
"POP",
"OP_80",
"PUSH1",
"PUSH1",
"POP",
"PUSH1",
"OP_84",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"AND",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"PUSH1",
"SHA3",
"PUSH1",
"OP_82",
"OP_82",
"OP_82",
"POP",
"SLOAD",
"ADD",
"OP_92",
"POP",
"POP",
"OP_81",
"OP_90",
"SSTORE",
"POP",
"OP_81",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"AND",
"CALLER",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"AND",
"PUSH32",
"OP_83",
"PUSH1",
"MLOAD",
"OP_80",
"OP_82",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP",
"POP",
"PUSH1",
"MLOAD",
"OP_80",
"OP_91",
"SUB",
"OP_90",
"OP_A3",
"POP",
"POP",
"JUMP"
],
"start_pc": 543
}
]
exec
/bin/bash -lc "jq '{heuristics_summary, analysis_run, artifact: .artifact | {bytecode_len: (.deployed_bytecode|length), deployed_bytecode: (.deployed_bytecode[:120])}}' BYTECODE_BUNDLE.json" in /tmp/codex-mx1uukw2
succeeded in 0ms:
{
"heuristics_summary": {
"create2_count": 0,
"delegatecall_count": 0,
"flags": [],
"selfdestruct_count": 0
},
"analysis_run": {
"address": "0x5a4127a9109ac0878f07c099dd1cd328620e053b",
"block_number": null,
"chain_id": 1,
"child_links": [],
"created_at": "2025-12-19T20:03:54.000000Z",
"id": "019b3836-3266-71ee-9fc6-e14487ac5853",
"parent_links": [],
"status": "running",
"updated_at": "2026-04-04T19:54:12.000000Z"
},
"artifact": {
"bytecode_len": 0,
"deployed_bytecode": null
}
}
exec
/bin/bash -lc "jq '.capability_graph' BYTECODE_BUNDLE.json" in /tmp/codex-mx1uukw2
succeeded in 0ms:
{
"address": "0x5a4127a9109ac0878f07c099dd1cd328620e053b",
"block_number": null,
"chain_id": 1,
"codehash": "0x9c955d6fcbfcbaebc1eba76ca0b918c6f34cf6cc3f5c33f4a4a83a88440f4e9f",
"created_at": "2026-04-04T19:54:12.000000Z",
"graph_hash": "0x2ee0f252132699f51924d69c5f1c6dfb4e7637cad6f24f07a9a7a4cd1120fbb1",
"graph_json": {
"edges": [
{
"from": "bb:0",
"to": "bb:71",
"type": "control_flow"
},
{
"from": "bb:0",
"to": "bb:25",
"type": "control_flow_fallthrough"
},
{
"from": "bb:25",
"to": "bb:164",
"type": "control_flow"
},
{
"from": "bb:25",
"to": "bb:36",
"type": "control_flow_fallthrough"
},
{
"from": "bb:36",
"to": "bb:176",
"type": "control_flow"
},
{
"from": "bb:36",
"to": "bb:47",
"type": "control_flow_fallthrough"
},
{
"from": "bb:47",
"to": "bb:200",
"type": "control_flow"
},
{
"from": "bb:47",
"to": "bb:58",
"type": "control_flow_fallthrough"
},
{
"from": "bb:58",
"to": "bb:291",
"type": "control_flow"
},
{
"from": "bb:58",
"to": "bb:69",
"type": "control_flow_fallthrough"
},
{
"from": "bb:71",
"to": "bb:501",
"type": "control_flow"
},
{
"from": "bb:71",
"to": "bb:137",
"type": "control_flow_fallthrough"
},
{
"from": "bb:137",
"to": "bb:458",
"type": "control_flow"
},
{
"from": "bb:137",
"to": "bb:145",
"type": "control_flow_fallthrough"
},
{
"from": "bb:145",
"to": "bb:501",
"type": "control_flow"
},
{
"from": "bb:200",
"to": "bb:501",
"type": "control_flow"
},
{
"from": "bb:200",
"to": "bb:264",
"type": "control_flow_fallthrough"
},
{
"from": "bb:264",
"to": "bb:458",
"type": "control_flow"
},
{
"from": "bb:264",
"to": "bb:272",
"type": "control_flow_fallthrough"
},
{
"from": "bb:272",
"to": "bb:501",
"type": "control_flow"
},
{
"from": "bb:291",
"to": "bb:509",
"type": "control_flow"
},
{
"from": "bb:291",
"to": "bb:334",
"type": "control_flow_fallthrough"
},
{
"from": "bb:338",
"to": "bb:434",
"type": "control_flow"
},
{
"from": "bb:338",
"to": "bb:409",
"type": "control_flow_fallthrough"
},
{
"from": "bb:409",
"to": "bb:434",
"type": "control_flow_fallthrough"
},
{
"from": "bb:458",
"to": "bb:472",
"type": "control_flow_fallthrough"
},
{
"from": "bb:472",
"to": "bb:472",
"type": "control_flow"
},
{
"from": "bb:472",
"to": "bb:492",
"type": "control_flow_fallthrough"
},
{
"from": "bb:492",
"to": "bb:501",
"type": "control_flow_fallthrough"
},
{
"from": "bb:509",
"to": "bb:543",
"type": "control_flow"
},
{
"from": "bb:509",
"to": "bb:539",
"type": "control_flow_fallthrough"
},
{
"from": "fn:0x313ce567",
"to": "bb:1889567281",
"type": "entry"
},
{
"from": "fn:0x70a08231",
"to": "bb:2514000705",
"type": "entry"
},
{
"from": "fn:0x95d89b41",
"to": "bb:2835717307",
"type": "entry"
},
{
"from": "bb:338",
"to": "call:392",
"type": "contains"
},
{
"from": "call:392",
"to": "sink:call",
"type": "capability"
}
],
"nodes": [
{
"end_pc": 24,
"hash": "0x6a350686911b120d699f8e8d1e9440d4ce17c4434492baee43484e2ef083a112",
"id": "bb:0",
"start_pc": 0,
"type": "basic_block"
},
{
"end_pc": 35,
"hash": "0x09fc75e3aa8fb02b98e24881cc463925488c7dfa7ef308570a5930c5c420c614",
"id": "bb:25",
"start_pc": 25,
"type": "basic_block"
},
{
"end_pc": 46,
"hash": "0x976103db32485bde438fb5c3f9f54ee02f48623f2e3b08249411cd4aee3c334a",
"id": "bb:36",
"start_pc": 36,
"type": "basic_block"
},
{
"end_pc": 57,
"hash": "0x3c19c073e27395dc44272beb525b6373ad140a4045aabbd1b653e498e1806824",
"id": "bb:47",
"start_pc": 47,
"type": "basic_block"
},
{
"end_pc": 68,
"hash": "0x3a122683470ea7901e31e80e6378780a829a06da64b04e691b5d5c5621392507",
"id": "bb:58",
"start_pc": 58,
"type": "basic_block"
},
{
"end_pc": 70,
"hash": "0x55afd043d32294d5f0189f5a0aa04f3174e4c087a31c85396f49b5f17813cb96",
"id": "bb:69",
"start_pc": 69,
"type": "basic_block"
},
{
"end_pc": 136,
"hash": "0xfc01f99e3d71612bfaa85e2bb57cdd9403eabce7b9348bcac405b7924f1b1f2d",
"id": "bb:71",
"start_pc": 71,
"type": "basic_block"
},
{
"end_pc": 144,
"hash": "0x94766029cd41199d0239fbf67bb17d1e452d9bb9f7b63a80357531b66475e6d3",
"id": "bb:137",
"start_pc": 137,
"type": "basic_block"
},
{
"end_pc": 163,
"hash": "0x7a9c5e28ca72e7db26993eb4591b942a2bd83baf5200667721f5598807ec92a5",
"id": "bb:145",
"start_pc": 145,
"type": "basic_block"
},
{
"end_pc": 175,
"hash": "0x938aee19a0e1094c19b5a9528f839968d51c237564158e673ab6899436584f6e",
"id": "bb:164",
"start_pc": 164,
"type": "basic_block"
},
{
"end_pc": 199,
"hash": "0x7b0565c261db3d55c39f20ac0ee4d4710d6951f51b6844e361a4647909dcfc38",
"id": "bb:176",
"start_pc": 176,
"type": "basic_block"
},
{
"end_pc": 263,
"hash": "0x05bb2b1cf28e868299a2692b981f091c16cd0b0ff5f325436e762172d3967632",
"id": "bb:200",
"start_pc": 200,
"type": "basic_block"
},
{
"end_pc": 271,
"hash": "0x21b49c68f1af8b85acdfbc3ef26289b590ab67ebb18271dfc552d3d38c161349",
"id": "bb:264",
"start_pc": 264,
"type": "basic_block"
},
{
"end_pc": 290,
"hash": "0xae7e4932e7d3455de45f6fa310bc61e816c4075510a405b25c6797cfa8308dd4",
"id": "bb:272",
"start_pc": 272,
"type": "basic_block"
},
{
"end_pc": 333,
"hash": "0x695d244bc0789518ea2be8b9593ab18c4b31efe9b0bb2b4a99b09bfa0bd4168d",
"id": "bb:291",
"start_pc": 291,
"type": "basic_block"
},
{
"end_pc": 337,
"hash": "0x5ebda49c75a90269902080f51db6f1c7b1af883a7fd6baf1d61b81a8b96dcdca",
"id": "bb:334",
"start_pc": 334,
"type": "basic_block"
},
{
"end_pc": 408,
"hash": "0x8260bcfbd4c1d49f77b482640c6297cd133661f3ada7f52d07e1835f240b06d3",
"id": "bb:338",
"start_pc": 338,
"type": "basic_block"
},
{
"end_pc": 433,
"hash": "0xc0a703c2254334f9171c8126ae06fea5cf289341f4c19c890fa2f6b928c400e4",
"id": "bb:409",
"start_pc": 409,
"type": "basic_block"
},
{
"end_pc": 447,
"hash": "0xbbf38bd955ec6188d491c8a752950f390e38b6a9203b6891438ecf3d66b81c51",
"id": "bb:434",
"start_pc": 434,
"type": "basic_block"
},
{
"end_pc": 457,
"hash": "0xe40870dc717cbfdedea9fbb4d2473ca373d3dd88734eda3a8e7ff7e0a08a80de",
"id": "bb:448",
"start_pc": 448,
"type": "basic_block"
},
{
"end_pc": 471,
"hash": "0x712f7aabde4f2b6cb8fd21b243449d960bb2bde97dfa68f99a6793a74191755f",
"id": "bb:458",
"start_pc": 458,
"type": "basic_block"
},
{
"end_pc": 491,
"hash": "0xb72355893dc85ba3dba3d8450e06bc619269717a95c970bc878e9b20fda0e6a2",
"id": "bb:472",
"start_pc": 472,
"type": "basic_block"
},
{
"end_pc": 500,
"hash": "0x44d3956d843a32ee50717833fa8ec9dbfa425cdf8dcb23848e44acae24f05d14",
"id": "bb:492",
"start_pc": 492,
"type": "basic_block"
},
{
"end_pc": 508,
"hash": "0xfc2ec825a8f178aa5a5c70c694abf2c3132e519e33d00850e8769ebb62cf186a",
"id": "bb:501",
"start_pc": 501,
"type": "basic_block"
},
{
"end_pc": 538,
"hash": "0xa75c05a5c67571b18cbd868879dec0d7c57966797b1df8756504756360d24fa1",
"id": "bb:509",
"start_pc": 509,
"type": "basic_block"
},
{
"end_pc": 542,
"hash": "0xee4e5c2be823ee6e569c01a0bf832422eaf7ebbf27bd4c5f027d970c75b8c6f9",
"id": "bb:539",
"start_pc": 539,
"type": "basic_block"
},
{
"end_pc": 715,
"hash": "0x55470c341be9e608b9f37871022d25fc911758efeacc5d69b28df302da0d728e",
"id": "bb:543",
"start_pc": 543,
"type": "basic_block"
},
{
"id": "call:392",
"opcode": "CALL",
"pc": 392,
"type": "callsite"
},
{
"id": "sink:call",
"type": "sink"
},
{
"entry_pc": null,
"id": "fn:0x06fdde03",
"selector": "0x06fdde03",
"type": "function"
},
{
"entry_pc": 1889567281,
"id": "fn:0x313ce567",
"selector": "0x313ce567",
"type": "function"
},
{
"entry_pc": 2514000705,
"id": "fn:0x70a08231",
"selector": "0x70a08231",
"type": "function"
},
{
"entry_pc": 2835717307,
"id": "fn:0x95d89b41",
"selector": "0x95d89b41",
"type": "function"
},
{
"entry_pc": null,
"id": "fn:0xa9059cbb",
"selector": "0xa9059cbb",
"type": "function"
}
],
"version": "capability_graph_v1"
},
"id": 2106,
"updated_at": "2026-04-04T19:54:12.000000Z",
"version": "capability_graph_v1"
}
exec
/bin/bash -lc "jq '.detector_findings' BYTECODE_BUNDLE.json" in /tmp/codex-mx1uukw2
succeeded in 0ms:
[
{
"confidence": 60,
"evidence_json": {
"call_count": 1,
"examples": [
{
"opcode": "CALL",
"pc": 392,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": [],
"untrusted_call_count": 1
},
"normalized_json": {
"sink": "CALL"
},
"severity": "high",
"title": "Untrusted CALL target/value reachable",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x5a4127a9109ac0878f07c099dd1cd328620e053b"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0xe7d02e2088fde6daba41e9c9ba51f6ea4e9f8221a12da59b86228e50d4d0490b",
"trace_mode": "callTracer"
}
},
{
"confidence": 55,
"evidence_json": {
"eth_value_calls": 1,
"examples": [
{
"opcode": "CALL",
"pc": 392,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": []
},
"normalized_json": {
"sink": "CALL",
"value": "nonzero"
},
"severity": "high",
"title": "ETH value transfer possible",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x5a4127a9109ac0878f07c099dd1cd328620e053b"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0xe7d02e2088fde6daba41e9c9ba51f6ea4e9f8221a12da59b86228e50d4d0490b",
"trace_mode": "callTracer"
}
}
]
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.cfg_edges' BYTECODE_BUNDLE.json" in /tmp/codex-mx1uukw2
succeeded in 0ms:
[
{
"from": "bb:0",
"to": "bb:71",
"type": "control_flow"
},
{
"from": "bb:0",
"to": "bb:25",
"type": "control_flow_fallthrough"
},
{
"from": "bb:25",
"to": "bb:164",
"type": "control_flow"
},
{
"from": "bb:25",
"to": "bb:36",
"type": "control_flow_fallthrough"
},
{
"from": "bb:36",
"to": "bb:176",
"type": "control_flow"
},
{
"from": "bb:36",
"to": "bb:47",
"type": "control_flow_fallthrough"
},
{
"from": "bb:47",
"to": "bb:200",
"type": "control_flow"
},
{
"from": "bb:47",
"to": "bb:58",
"type": "control_flow_fallthrough"
},
{
"from": "bb:58",
"to": "bb:291",
"type": "control_flow"
},
{
"from": "bb:58",
"to": "bb:69",
"type": "control_flow_fallthrough"
},
{
"from": "bb:71",
"to": "bb:501",
"type": "control_flow"
},
{
"from": "bb:71",
"to": "bb:137",
"type": "control_flow_fallthrough"
},
{
"from": "bb:137",
"to": "bb:458",
"type": "control_flow"
},
{
"from": "bb:137",
"to": "bb:145",
"type": "control_flow_fallthrough"
},
{
"from": "bb:145",
"to": "bb:501",
"type": "control_flow"
},
{
"from": "bb:200",
"to": "bb:501",
"type": "control_flow"
},
{
"from": "bb:200",
"to": "bb:264",
"type": "control_flow_fallthrough"
},
{
"from": "bb:264",
"to": "bb:458",
"type": "control_flow"
},
{
"from": "bb:264",
"to": "bb:272",
"type": "control_flow_fallthrough"
},
{
"from": "bb:272",
"to": "bb:501",
"type": "control_flow"
},
{
"from": "bb:291",
"to": "bb:509",
"type": "control_flow"
},
{
"from": "bb:291",
"to": "bb:334",
"type": "control_flow_fallthrough"
},
{
"from": "bb:338",
"to": "bb:434",
"type": "control_flow"
},
{
"from": "bb:338",
"to": "bb:409",
"type": "control_flow_fallthrough"
},
{
"from": "bb:409",
"to": "bb:434",
"type": "control_flow_fallthrough"
},
{
"from": "bb:458",
"to": "bb:472",
"type": "control_flow_fallthrough"
},
{
"from": "bb:472",
"to": "bb:472",
"type": "control_flow"
},
{
"from": "bb:472",
"to": "bb:492",
"type": "control_flow_fallthrough"
},
{
"from": "bb:492",
"to": "bb:501",
"type": "control_flow_fallthrough"
},
{
"from": "bb:509",
"to": "bb:543",
"type": "control_flow"
},
{
"from": "bb:509",
"to": "bb:539",
"type": "control_flow_fallthrough"
}
]
exec
/bin/bash -lc 'command -v evm || command -v cast || command -v hevm || command -v python3' in /tmp/codex-mx1uukw2
succeeded in 0ms:
/home/noahkuhn/.foundry/bin/cast
exec
/bin/bash -lc "jq -r '.. | .deployed_bytecode? // empty, .. | .runtime_bytecode? // empty, .. | .bytecode? // empty' BYTECODE_BUNDLE.json | head -n 5" in /tmp/codex-mx1uukw2
succeeded in 0ms:
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.version' BYTECODE_BUNDLE.json" in /tmp/codex-mx1uukw2
succeeded in 0ms:
"analysis_artifact_v1"
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.storage.slots, .analysis_artifact.artifact_json.callsites' BYTECODE_BUNDLE.json" in /tmp/codex-mx1uukw2
succeeded in 0ms:
[
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
]
[
{
"opcode": "CALL",
"pc": 392,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
]
exec
/bin/bash -lc "jq '[.analysis_artifact.artifact_json.basic_blocks[].opcodes[] | select(.==\"CALLVALUE\")] | length' BYTECODE_BUNDLE.json" in /tmp/codex-mx1uukw2
succeeded in 0ms:
0
exec
/bin/bash -lc "jq '{callvalue_count: ([.analysis_artifact.artifact_json.basic_blocks[].opcodes[] | select(.==\"CALLVALUE\")] | length), revert_count: ([.analysis_artifact.artifact_json.basic_blocks[].opcodes[] | select(.==\"REVERT\")] | length), invalid_count: ([.analysis_artifact.artifact_json.basic_blocks[].opcodes[] | select(.==\"INVALID\")] | length)}' BYTECODE_BUNDLE.json" in /tmp/codex-mx1uukw2
succeeded in 0ms:
{
"callvalue_count": 0,
"revert_count": 0,
"invalid_count": 0
}
The artifact looks like a minimal ERC20-like runtime. I checked the only CALL sink against the CFG and storage usage; it appears to belong to shared string-return logic rather than the transfer path. The only concrete issue supported by the bundle is that the contract appears to accept ETH on arbitrary calls/fallback with no visible recovery path.
✓ Inspect BYTECODE_BUNDLE.json and repository contents to understand available bytecode analysis artifacts
✓ Assess evidence for concrete security issues with explicit uncertainty from bytecode-only context
→ Produce schema-valid JSON findings with precise evidence and locations
codex
{"no_findings":false,"summary":"Bytecode-only review suggests a minimal ERC20-like runtime with best-effort selector inference for `name` (`0x06fdde03`), `decimals` (`0x313ce567`), `balanceOf` (`0x70a08231`), `symbol` (`0x95d89b41`), and `transfer` (`0xa9059cbb`). I did not find concrete evidence of reentrancy, upgradeability, delegatecall, or privileged admin paths. The lone `CALL` at `pc:0x188` is more consistent with a shared dynamic-bytes/string return helper than with the transfer/accounting path, so I do not treat the detector's untrusted-call alert as a confirmed exploit. The one supported issue is that the runtime appears to accept ETH on arbitrary calls or fallback without an observable recovery path, although selector inference is incomplete and a hidden recovery selector cannot be ruled out from bytecode alone.","findings":[{"severity":"low","category":"other","title":"Contract appears to accept ETH without an observable withdrawal or recovery path","exploit_scenario":"A user or integrating contract sends ETH alongside `transfer(...)` or to an unmatched selector/empty calldata. Because the runtime shows no `CALLVALUE` rejection logic and the default path falls through to `STOP`, the call can succeed while the ETH remains on the token contract. In the analyzed selector set there is no visible withdrawal/admin function, and there is no `SELFDESTRUCT` capability, so the ETH may become permanently stranded.","recommendation":"Add an explicit non-payable guard (`CALLVALUE` -> revert) on all non-ETH entrypoints, and make the fallback/receive path revert unless intentional ETH receipt is required. If ETH must be receivable, expose a clearly controlled withdrawal path and document it.","evidence":"Across all recovered basic blocks, the artifact shows zero `CALLVALUE`, `REVERT`, or `INVALID` opcodes, and the unmatched-dispatch path ends at `pc:0x45` with `STOP`. The recovered selector set is limited to token-style read/transfer functions, `auth.guards` is empty, `sinks.selfdestruct` is 0, and no upgrade/admin capability is indicated. This is bytecode-only evidence, so a hidden selector is still theoretically possible, but the visible runtime strongly suggests accidental ETH can be accepted and trapped.","locations":["pc:0x0","pc:0x45","selector:0xa9059cbb"]}]}
tokens used
49,659
{
"codex": {
"ran_at": "2026-04-05T03:16:28.102924+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 1434,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "Bytecode-only review suggests a minimal ERC20-like runtime with best-effort selector inference for `name` (`0x06fdde03`), `decimals` (`0x313ce567`), `balanceOf` (`0x70a08231`), `symbol` (`0x95d89b41`), and `transfer` (`0xa9059cbb`). I did not find concrete evidence of reentrancy, upgradeability, delegatecall, or privileged admin paths. The lone `CALL` at `pc:0x188` is more consistent with a shared dynamic-bytes/string return helper than with the transfer/accounting path, so I do not treat the detector's untrusted-call alert as a confirmed exploit. The one supported issue is that the runtime appears to accept ETH on arbitrary calls or fallback without an observable recovery path, although selector inference is incomplete and a hidden recovery selector cannot be ruled out from bytecode alone.",
"raw_final": {
"summary": "Bytecode-only review suggests a minimal ERC20-like runtime with best-effort selector inference for `name` (`0x06fdde03`), `decimals` (`0x313ce567`), `balanceOf` (`0x70a08231`), `symbol` (`0x95d89b41`), and `transfer` (`0xa9059cbb`). I did not find concrete evidence of reentrancy, upgradeability, delegatecall, or privileged admin paths. The lone `CALL` at `pc:0x188` is more consistent with a shared dynamic-bytes/string return helper than with the transfer/accounting path, so I do not treat the detector's untrusted-call alert as a confirmed exploit. The one supported issue is that the runtime appears to accept ETH on arbitrary calls or fallback without an observable recovery path, although selector inference is incomplete and a hidden recovery selector cannot be ruled out from bytecode alone.",
"findings": [
{
"title": "Contract appears to accept ETH without an observable withdrawal or recovery path",
"category": "other",
"evidence": "Across all recovered basic blocks, the artifact shows zero `CALLVALUE`, `REVERT`, or `INVALID` opcodes, and the unmatched-dispatch path ends at `pc:0x45` with `STOP`. The recovered selector set is limited to token-style read/transfer functions, `auth.guards` is empty, `sinks.selfdestruct` is 0, and no upgrade/admin capability is indicated. This is bytecode-only evidence, so a hidden selector is still theoretically possible, but the visible runtime strongly suggests accidental ETH can be accepted and trapped.",
"severity": "low",
"locations": [
"pc:0x0",
"pc:0x45",
"selector:0xa9059cbb"
],
"recommendation": "Add an explicit non-payable guard (`CALLVALUE` -> revert) on all non-ETH entrypoints, and make the fallback/receive path revert unless intentional ETH receipt is required. If ETH must be receivable, expose a clearly controlled withdrawal path and document it.",
"exploit_scenario": "A user or integrating contract sends ETH alongside `transfer(...)` or to an unmatched selector/empty calldata. Because the runtime shows no `CALLVALUE` rejection logic and the default path falls through to `STOP`, the call can succeed while the ETH remains on the token contract. In the analyzed selector set there is no visible withdrawal/admin function, and there is no `SELFDESTRUCT` capability, so the ETH may become permanently stranded."
}
],
"no_findings": false
},
"no_findings": false,
"schema_version": 1
}
00000000: PUSH1 0x60 00000002: PUSH1 0x40 00000004: MSTORE 00000005: PUSH1 0xe0 00000007: PUSH1 0x02 00000009: EXP 0000000a: PUSH1 0x00 0000000c: CALLDATALOAD 0000000d: DIV 0000000e: PUSH4 0x06fdde03 00000013: DUP2 00000014: EQ 00000015: PUSH2 0x0047 00000018: JUMPI 00000019: DUP1 0000001a: PUSH4 0x313ce567 0000001f: EQ 00000020: PUSH2 0x00a4 00000023: JUMPI 00000024: DUP1 00000025: PUSH4 0x70a08231 0000002a: EQ 0000002b: PUSH2 0x00b0 0000002e: JUMPI 0000002f: DUP1 00000030: PUSH4 0x95d89b41 00000035: EQ 00000036: PUSH2 0x00c8 00000039: JUMPI 0000003a: DUP1 0000003b: PUSH4 0xa9059cbb 00000040: EQ 00000041: PUSH2 0x0123 00000044: JUMPI 00000045: JUMPDEST 00000046: STOP 00000047: JUMPDEST 00000048: PUSH2 0x0152 0000004b: PUSH1 0x00 0000004d: DUP1 0000004e: SLOAD 0000004f: PUSH1 0x20 00000051: PUSH1 0x02 00000053: PUSH1 0x01 00000055: DUP4 00000056: AND 00000057: ISZERO 00000058: PUSH2 0x0100 0000005b: MUL 0000005c: PUSH1 0x00 0000005e: NOT 0000005f: ADD 00000060: SWAP1 00000061: SWAP3 00000062: AND 00000063: SWAP2 00000064: SWAP1 00000065: SWAP2 00000066: DIV 00000067: PUSH1 0x1f 00000069: DUP2 0000006a: ADD 0000006b: DUP3 0000006c: SWAP1 0000006d: DIV 0000006e: SWAP1 0000006f: SWAP2 00000070: MUL 00000071: PUSH1 0x80 00000073: SWAP1 00000074: DUP2 00000075: ADD 00000076: PUSH1 0x40 00000078: MSTORE 00000079: PUSH1 0x60 0000007b: DUP3 0000007c: DUP2 0000007d: MSTORE 0000007e: SWAP3 0000007f: SWAP2 00000080: SWAP1 00000081: DUP3 00000082: DUP3 00000083: DUP1 00000084: ISZERO 00000085: PUSH2 0x01f5 00000088: JUMPI 00000089: DUP1 0000008a: PUSH1 0x1f 0000008c: LT 0000008d: PUSH2 0x01ca 00000090: JUMPI 00000091: PUSH2 0x0100 00000094: DUP1 00000095: DUP4 00000096: SLOAD 00000097: DIV 00000098: MUL 00000099: DUP4 0000009a: MSTORE 0000009b: SWAP2 0000009c: PUSH1 0x20 0000009e: ADD 0000009f: SWAP2 000000a0: PUSH2 0x01f5 000000a3: JUMP 000000a4: JUMPDEST 000000a5: PUSH2 0x01c0 000000a8: PUSH1 0x02 000000aa: SLOAD 000000ab: PUSH1 0xff 000000ad: AND 000000ae: DUP2 000000af: JUMP 000000b0: JUMPDEST 000000b1: PUSH2 0x01c0 000000b4: PUSH1 0x04 000000b6: CALLDATALOAD 000000b7: PUSH1 0x03 000000b9: PUSH1 0x20 000000bb: MSTORE 000000bc: PUSH1 0x00 000000be: SWAP1 000000bf: DUP2 000000c0: MSTORE 000000c1: PUSH1 0x40 000000c3: SWAP1 000000c4: KECCAK256 000000c5: SLOAD 000000c6: DUP2 000000c7: JUMP 000000c8: JUMPDEST 000000c9: PUSH2 0x0152 000000cc: PUSH1 0x01 000000ce: DUP1 000000cf: SLOAD 000000d0: PUSH1 0x20 000000d2: PUSH1 0x1f 000000d4: PUSH1 0x02 000000d6: PUSH1 0x00 000000d8: NOT 000000d9: PUSH2 0x0100 000000dc: DUP6 000000dd: DUP8 000000de: AND 000000df: ISZERO 000000e0: MUL 000000e1: ADD 000000e2: SWAP1 000000e3: SWAP4 000000e4: AND 000000e5: SWAP3 000000e6: SWAP1 000000e7: SWAP3 000000e8: DIV 000000e9: SWAP2 000000ea: DUP3 000000eb: ADD 000000ec: DUP2 000000ed: SWAP1 000000ee: DIV 000000ef: MUL 000000f0: PUSH1 0x80 000000f2: SWAP1 000000f3: DUP2 000000f4: ADD 000000f5: PUSH1 0x40 000000f7: MSTORE 000000f8: PUSH1 0x60 000000fa: DUP3 000000fb: DUP2 000000fc: MSTORE 000000fd: SWAP3 000000fe: SWAP2 000000ff: SWAP1 00000100: DUP3 00000101: DUP3 00000102: DUP1 00000103: ISZERO 00000104: PUSH2 0x01f5 00000107: JUMPI 00000108: DUP1 00000109: PUSH1 0x1f 0000010b: LT 0000010c: PUSH2 0x01ca 0000010f: JUMPI 00000110: PUSH2 0x0100 00000113: DUP1 00000114: DUP4 00000115: SLOAD 00000116: DIV 00000117: MUL 00000118: DUP4 00000119: MSTORE 0000011a: SWAP2 0000011b: PUSH1 0x20 0000011d: ADD 0000011e: SWAP2 0000011f: PUSH2 0x01f5 00000122: JUMP 00000123: JUMPDEST 00000124: PUSH2 0x0045 00000127: PUSH1 0x04 00000129: CALLDATALOAD 0000012a: PUSH1 0x24 0000012c: CALLDATALOAD 0000012d: PUSH1 0x01 0000012f: PUSH1 0xa0 00000131: PUSH1 0x02 00000133: EXP 00000134: SUB 00000135: CALLER 00000136: AND 00000137: PUSH1 0x00 00000139: SWAP1 0000013a: DUP2 0000013b: MSTORE 0000013c: PUSH1 0x03 0000013e: PUSH1 0x20 00000140: MSTORE 00000141: PUSH1 0x40 00000143: SWAP1 00000144: KECCAK256 00000145: SLOAD 00000146: DUP2 00000147: SWAP1 00000148: LT 00000149: ISZERO 0000014a: PUSH2 0x01fd 0000014d: JUMPI 0000014e: PUSH2 0x0002 00000151: JUMP 00000152: JUMPDEST 00000153: PUSH1 0x40 00000155: MLOAD 00000156: DUP1 00000157: DUP1 00000158: PUSH1 0x20 0000015a: ADD 0000015b: DUP3 0000015c: DUP2 0000015d: SUB 0000015e: DUP3 0000015f: MSTORE 00000160: DUP4 00000161: DUP2 00000162: DUP2 00000163: MLOAD 00000164: DUP2 00000165: MSTORE 00000166: PUSH1 0x20 00000168: ADD 00000169: SWAP2 0000016a: POP 0000016b: DUP1 0000016c: MLOAD 0000016d: SWAP1 0000016e: PUSH1 0x20 00000170: ADD 00000171: SWAP1 00000172: DUP1 00000173: DUP4 00000174: DUP4 00000175: DUP3 00000176: SWAP1 00000177: PUSH1 0x00 00000179: PUSH1 0x04 0000017b: PUSH1 0x20 0000017d: DUP5 0000017e: PUSH1 0x1f 00000180: ADD 00000181: DIV 00000182: PUSH1 0x0f 00000184: MUL 00000185: PUSH1 0x03 00000187: ADD 00000188: CALL 00000189: POP 0000018a: SWAP1 0000018b: POP 0000018c: SWAP1 0000018d: DUP2 0000018e: ADD 0000018f: SWAP1 00000190: PUSH1 0x1f 00000192: AND 00000193: DUP1 00000194: ISZERO 00000195: PUSH2 0x01b2 00000198: JUMPI 00000199: DUP1 0000019a: DUP3 0000019b: SUB 0000019c: DUP1 0000019d: MLOAD 0000019e: PUSH1 0x01 000001a0: DUP4 000001a1: PUSH1 0x20 000001a3: SUB 000001a4: PUSH2 0x0100 000001a7: EXP 000001a8: SUB 000001a9: NOT 000001aa: AND 000001ab: DUP2 000001ac: MSTORE 000001ad: PUSH1 0x20 000001af: ADD 000001b0: SWAP2 000001b1: POP 000001b2: JUMPDEST 000001b3: POP 000001b4: SWAP3 000001b5: POP 000001b6: POP 000001b7: POP 000001b8: PUSH1 0x40 000001ba: MLOAD 000001bb: DUP1 000001bc: SWAP2 000001bd: SUB 000001be: SWAP1 000001bf: RETURN 000001c0: JUMPDEST 000001c1: PUSH1 0x60 000001c3: SWAP1 000001c4: DUP2 000001c5: MSTORE 000001c6: PUSH1 0x20 000001c8: SWAP1 000001c9: RETURN 000001ca: JUMPDEST 000001cb: DUP3 000001cc: ADD 000001cd: SWAP2 000001ce: SWAP1 000001cf: PUSH1 0x00 000001d1: MSTORE 000001d2: PUSH1 0x20 000001d4: PUSH1 0x00 000001d6: KECCAK256 000001d7: SWAP1 000001d8: JUMPDEST 000001d9: DUP2 000001da: SLOAD 000001db: DUP2 000001dc: MSTORE 000001dd: SWAP1 000001de: PUSH1 0x01 000001e0: ADD 000001e1: SWAP1 000001e2: PUSH1 0x20 000001e4: ADD 000001e5: DUP1 000001e6: DUP4 000001e7: GT 000001e8: PUSH2 0x01d8 000001eb: JUMPI 000001ec: DUP3 000001ed: SWAP1 000001ee: SUB 000001ef: PUSH1 0x1f 000001f1: AND 000001f2: DUP3 000001f3: ADD 000001f4: SWAP2 000001f5: JUMPDEST 000001f6: POP 000001f7: POP 000001f8: POP 000001f9: POP 000001fa: POP 000001fb: DUP2 000001fc: JUMP 000001fd: JUMPDEST 000001fe: PUSH1 0x01 00000200: PUSH1 0xa0 00000202: PUSH1 0x02 00000204: EXP 00000205: SUB 00000206: DUP3 00000207: AND 00000208: PUSH1 0x00 0000020a: SWAP1 0000020b: DUP2 0000020c: MSTORE 0000020d: PUSH1 0x40 0000020f: SWAP1 00000210: KECCAK256 00000211: SLOAD 00000212: DUP1 00000213: DUP3 00000214: ADD 00000215: LT 00000216: ISZERO 00000217: PUSH2 0x021f 0000021a: JUMPI 0000021b: PUSH2 0x0002 0000021e: JUMP 0000021f: JUMPDEST 00000220: DUP1 00000221: PUSH1 0x03 00000223: PUSH1 0x00 00000225: POP 00000226: PUSH1 0x00 00000228: CALLER 00000229: PUSH1 0x01 0000022b: PUSH1 0xa0 0000022d: PUSH1 0x02 0000022f: EXP 00000230: SUB 00000231: AND 00000232: DUP2 00000233: MSTORE 00000234: PUSH1 0x20 00000236: ADD 00000237: SWAP1 00000238: DUP2 00000239: MSTORE 0000023a: PUSH1 0x20 0000023c: ADD 0000023d: PUSH1 0x00 0000023f: KECCAK256 00000240: PUSH1 0x00 00000242: DUP3 00000243: DUP3 00000244: DUP3 00000245: POP 00000246: SLOAD 00000247: SUB 00000248: SWAP3 00000249: POP 0000024a: POP 0000024b: DUP2 0000024c: SWAP1 0000024d: SSTORE 0000024e: POP 0000024f: DUP1 00000250: PUSH1 0x03 00000252: PUSH1 0x00 00000254: POP 00000255: PUSH1 0x00 00000257: DUP5 00000258: PUSH1 0x01 0000025a: PUSH1 0xa0 0000025c: PUSH1 0x02 0000025e: EXP 0000025f: SUB 00000260: AND 00000261: DUP2 00000262: MSTORE 00000263: PUSH1 0x20 00000265: ADD 00000266: SWAP1 00000267: DUP2 00000268: MSTORE 00000269: PUSH1 0x20 0000026b: ADD 0000026c: PUSH1 0x00 0000026e: KECCAK256 0000026f: PUSH1 0x00 00000271: DUP3 00000272: DUP3 00000273: DUP3 00000274: POP 00000275: SLOAD 00000276: ADD 00000277: SWAP3 00000278: POP 00000279: POP 0000027a: DUP2 0000027b: SWAP1 0000027c: SSTORE 0000027d: POP 0000027e: DUP2 0000027f: PUSH1 0x01 00000281: PUSH1 0xa0 00000283: PUSH1 0x02 00000285: EXP 00000286: SUB 00000287: AND 00000288: CALLER 00000289: PUSH1 0x01 0000028b: PUSH1 0xa0 0000028d: PUSH1 0x02 0000028f: EXP 00000290: SUB 00000291: AND 00000292: PUSH32 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef 000002b3: DUP4 000002b4: PUSH1 0x40 000002b6: MLOAD 000002b7: DUP1 000002b8: DUP3 000002b9: DUP2 000002ba: MSTORE 000002bb: PUSH1 0x20 000002bd: ADD 000002be: SWAP2 000002bf: POP 000002c0: POP 000002c1: PUSH1 0x40 000002c3: MLOAD 000002c4: DUP1 000002c5: SWAP2 000002c6: SUB 000002c7: SWAP1 000002c8: LOG3 000002c9: POP 000002ca: POP 000002cb: JUMP
Warning: This is a nightly build of Foundry. It is recommended to use the latest stable version. To mute this warning set `FOUNDRY_DISABLE_NIGHTLY_WARNING` in your environment.
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | other | detector | Untrusted CALL target/value reachable | 60 | yes | yes |
viewtrace_id: 0xe7d02e2088fde6daba41e9c9ba51f6ea4e9f8221a12da59b86228e50d4d0490b
call_targets:
0x0000000000000000000000000000000000000004, 0x5a4127a9109ac0878f07c099dd1cd328620e053b
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0xe7d02e2088fde6daba41e9c9ba51f6ea4e9f8221a12da59b86228e50d4d0490b",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x5a4127a9109ac0878f07c099dd1cd328620e053b"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x70a08231",
"selector": "0x70a08231",
"calldata_variants": [
"0x70a08231",
"0x70a082310000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x95d89b41",
"selector": "0x95d89b41",
"calldata_variants": [
"0x95d89b41",
"0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa9059cbb",
"selector": "0xa9059cbb",
"calldata_variants": [
"0xa9059cbb",
"0xa9059cbb0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 392,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 1,
"guards_detected": [],
"untrusted_call_count": 1
}
|
| high | other | detector | ETH value transfer possible | 55 | yes | yes |
viewtrace_id: 0xe7d02e2088fde6daba41e9c9ba51f6ea4e9f8221a12da59b86228e50d4d0490b
call_targets:
0x0000000000000000000000000000000000000004, 0x5a4127a9109ac0878f07c099dd1cd328620e053b
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0xe7d02e2088fde6daba41e9c9ba51f6ea4e9f8221a12da59b86228e50d4d0490b",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x5a4127a9109ac0878f07c099dd1cd328620e053b"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x70a08231",
"selector": "0x70a08231",
"calldata_variants": [
"0x70a08231",
"0x70a082310000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x95d89b41",
"selector": "0x95d89b41",
"calldata_variants": [
"0x95d89b41",
"0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa9059cbb",
"selector": "0xa9059cbb",
"calldata_variants": [
"0xa9059cbb",
"0xa9059cbb0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 392,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 1,
"guards_detected": []
}
|
| low | other | codex | Contract appears to accept ETH without an observable withdrawal or recovery path | 65 | no | — |
viewevidence_json{
"evidence": "Across all recovered basic blocks, the artifact shows zero `CALLVALUE`, `REVERT`, or `INVALID` opcodes, and the unmatched-dispatch path ends at `pc:0x45` with `STOP`. The recovered selector set is limited to token-style read/transfer functions, `auth.guards` is empty, `sinks.selfdestruct` is 0, and no upgrade/admin capability is indicated. This is bytecode-only evidence, so a hidden selector is still theoretically possible, but the visible runtime strongly suggests accidental ETH can be accepted and trapped.",
"locations": [
"pc:0x0",
"pc:0x45",
"selector:0xa9059cbb"
],
"recommendation": "Add an explicit non-payable guard (`CALLVALUE` -> revert) on all non-ETH entrypoints, and make the fallback/receive path revert unless intentional ETH receipt is required. If ETH must be receivable, expose a clearly controlled withdrawal path and document it.",
"exploit_scenario": "A user or integrating contract sends ETH alongside `transfer(...)` or to an unmatched selector/empty calldata. Because the runtime shows no `CALLVALUE` rejection logic and the default path falls through to `STOP`, the call can succeed while the ETH remains on the token contract. In the analyzed selector set there is no visible withdrawal/admin function, and there is no `SELFDESTRUCT` capability, so the ETH may become permanently stranded."
}
|