019b3836-3313-7038-99db-1df5438c8f46
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 3049 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 3050 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 45932 | analysis.bundle | complete | 1 / 3 | 1 week ago |
| 45933 | capability.graph | complete | 1 / 3 | 1 week ago |
| 45934 | detector.run | complete | 1 / 3 | 1 week ago |
| 45935 | validation.fork | complete | 1 / 3 | 1 week ago |
| 113253 | report.consolidate | complete | 1 / 6 | 1 week ago |
No slither job recorded yet.
{"no_findings":false,"summary":"Bytecode shows a non-proxy token-like contract with `name()`, `symbol()`, `decimals()`, `balanceOf()`, and `transfer()`. The only `CALL` sink at `pc:0x0370` matches the identity precompile copy pattern (gas formula `3 + 15*ceil(len/32)`, address `0x04`), so I did not treat the detector's untrusted-call alert as a confirmed external-call risk. The meaningful issues are unchecked token accounting and multiple unauthenticated state-mutating entrypoints.","findings":[{"severity":"critical","category":"access_control","title":"Unauthenticated balance-setting and reinitialization entrypoints","exploit_scenario":"Any external account can call `0x7207c19f` to overwrite its own balance with an arbitrary calldata value, call `0x9287b654` to set its balance to the hardcoded constant `0x01406f40`, and likely call `0xe6a55699` to set its balance plus mutate metadata fields. An attacker can mint themselves spendable tokens and, on the inferred initializer path, also rewrite token metadata to mislead integrators or buyers.","recommendation":"Remove these runtime setters, or gate them behind strict admin authorization. If `0xe6a55699` is intended as an initializer, protect it with a one-time initialized flag and constructor/factory-only access. Any balance minting should update explicit supply/accounting invariants and emit appropriate events.","evidence":"`0x7207c19f` (`pc:0x00ef`) computes `keccak256(caller, 0x00)` and performs a direct `SSTORE` of `CALLDATALOAD(0x04)` at `pc:0x0108`, with no guard branch. `0x9287b654` (`pc:0x0111`) computes the same caller balance slot and stores constant `0x01406f40` at `pc:0x012d`, again without any guard. Best-effort selector inference for `0xe6a55699` shows it parsing multiple user-controlled arguments, defaulting one amount-like argument to `0x0f4240` when zero (`pc:0x0290`-`pc:0x029e`), writing `keccak256(caller,0)` at `pc:0x02b8`, then rewriting storage slots `0x01`, `0x02`, and low byte of slot `0x03` across `pc:0x02bc`-`pc:0x04cf`. No authorization heuristic was detected anywhere in these paths.","locations":["selector:0x7207c19f","pc:0x0108","selector:0x9287b654","pc:0x012d","selector:0xe6a55699","pc:0x02b8","pc:0x04c7"]},{"severity":"critical","category":"math","title":"`transfer` uses unchecked arithmetic and permits balance underflow/overflow","exploit_scenario":"A caller with zero or insufficient balance can call `transfer(address,uint256)` with any positive amount. Because the sender balance is updated with raw `SUB` and no preceding bounds check, the sender balance wraps to a huge `uint256` value instead of reverting. The recipient is then credited with unchecked `ADD`. This breaks token accounting and lets arbitrary users manufacture effectively unlimited balances.","recommendation":"Enforce `balance >= amount` before subtraction and use checked arithmetic for both debit and credit paths. In practice this means Solidity >=0.8 revert semantics or explicit SafeMath-style checks if compiling older bytecode.","evidence":"In `selector:0xa9059cbb`, the contract loads the sender balance from `keccak256(caller,0)` at `pc:0x01b5`, subtracts the transfer amount with raw `SUB` at `pc:0x01b8`, and immediately stores the result at `pc:0x01ba`. There is no `LT`/`GT`-based guard or conditional revert before this subtraction. The recipient balance is then loaded at `pc:0x01c5`, incremented with raw `ADD` at `pc:0x01c8`, and stored at `pc:0x01ca`, also without overflow protection.","locations":["selector:0xa9059cbb","pc:0x01b5","pc:0x01b8","pc:0x01ba","pc:0x01c5","pc:0x01c8","pc:0x01ca"]}]}
OpenAI Codex v0.118.0 (research preview)
--------
workdir: /tmp/codex-zyt0riu5
model: gpt-5.4
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: none
session id: 019d5bab-14da-7dc3-80d6-b2e2cc39ea9d
--------
user
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
warning: Codex could not find system bubblewrap on PATH. Please install bubblewrap with your package manager. Codex will use the vendored bubblewrap in the meantime.
exec
/bin/bash -lc pwd in /tmp/codex-zyt0riu5
succeeded in 0ms:
/tmp/codex-zyt0riu5
exec
/bin/bash -lc 'rg --files' in /tmp/codex-zyt0riu5
succeeded in 0ms:
BYTECODE_BUNDLE.json
codex-output-schema.json
exec
/bin/bash -lc "sed -n '1,240p' BYTECODE_BUNDLE.json" in /tmp/codex-zyt0riu5
succeeded in 0ms:
{
"analysis_artifact": {
"address": "0x216f59605793807b0ab628d04fcc58f645fc2a5d",
"artifact_hash": "0xf01a3f88fee77e7c643fbc099d03826e951faca86266a6f9bb9be8e135e9985d",
"artifact_json": {
"auth": {
"guards": []
},
"basic_blocks": [
{
"end_pc": 10,
"hash": "0x700ae68e6e48f29f5039c54f12674c3a4ca8c5c3a2f54ca417214312e0b28325",
"opcodes": [
"PUSH1",
"PUSH1",
"MSTORE",
"CALLDATASIZE",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 0
},
{
"end_pc": 30,
"hash": "0xc5d2d9018f44c9798db58704c146f444aa7c36148d4d03add4dde639335caee4",
"opcodes": [
"PUSH1",
"PUSH1",
"EXP",
"PUSH1",
"CALLDATALOAD",
"DIV",
"PUSH4",
"OP_81",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 11
},
{
"end_pc": 41,
"hash": "0x3c8bda37e791432b0c2714a48e475d9ad82f7eab7dc24c560a144605c3789a8d",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 31
},
{
"end_pc": 52,
"hash": "0x10dd5f0e621e64512278a8d00a42d943f9b284ff94edb47b506485bbeaa22245",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 42
},
{
"end_pc": 63,
"hash": "0xef246480443a90b9a700d21f2ff483336bcf55def77f917b7b00ddfc2680a5b1",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 53
},
{
"end_pc": 74,
"hash": "0x0c615eef4dedfa68f16e21b8d003b36583ec2873926c644521252fd1600e28f0",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 64
},
{
"end_pc": 85,
"hash": "0x77dfca92ead5023fcc1644e5b19943cccff87e2a02e4fbee9901a5798d7a11e4",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 75
},
{
"end_pc": 96,
"hash": "0x1d84b73226893df2d35d19ae18a45e4e560dcc7d70ddfbdffdd1cc9064eaab1d",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 86
},
{
"end_pc": 107,
"hash": "0xe7e7a5df8becf96b0d3fc466211a18836ca1bc914557b5e4393cce29b2348e0c",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 97
},
{
"end_pc": 109,
"hash": "0x164513d58d0e1fdc349cb6a47ed167046211dc21eb6029fd6ca04f78122f4a83",
"opcodes": [
"JUMPDEST",
"STOP"
],
"start_pc": 108
},
{
"end_pc": 175,
"hash": "0x55ac2f6bf88ee30fd9b9cddbbcf4e542fe45f04870cc853cbccfd2e0acfbde7b",
"opcodes": [
"JUMPDEST",
"PUSH1",
"OP_80",
"MLOAD",
"PUSH1",
"OP_80",
"SLOAD",
"PUSH1",
"PUSH1",
"OP_82",
"OP_84",
"AND",
"ISZERO",
"PUSH2",
"MUL",
"PUSH1",
"NOT",
"ADD",
"OP_90",
"OP_92",
"AND",
"OP_91",
"OP_90",
"OP_91",
"DIV",
"PUSH1",
"OP_81",
"ADD",
"OP_82",
"OP_90",
"DIV",
"OP_82",
"MUL",
"OP_84",
"ADD",
"OP_82",
"ADD",
"OP_90",
"OP_94",
"MSTORE",
"OP_83",
"OP_83",
"MSTORE",
"PUSH2",
"OP_93",
"OP_90",
"OP_83",
"ADD",
"OP_82",
"OP_82",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 110
},
{
"end_pc": 183,
"hash": "0x26d9409a1d6040849d191b6f90d30f027f49638d1d295ad97e0072cd3ab184e5",
"opcodes": [
"OP_80",
"PUSH1",
"LT",
"PUSH2",
"JUMPI"
],
"start_pc": 176
},
{
"end_pc": 202,
"hash": "0x6a3b64e0437e50c241163eb2a9ef6b217a82f22e119dffa855aead14bd2b145a",
"opcodes": [
"PUSH2",
"OP_80",
"OP_83",
"SLOAD",
"DIV",
"MUL",
"OP_83",
"MSTORE",
"OP_91",
"PUSH1",
"ADD",
"OP_91",
"PUSH2",
"JUMP"
],
"start_pc": 184
},
{
"end_pc": 214,
"hash": "0x59663643490910fcb2530478c7a8102e7a699962b50f3a6283b0752fbba710b4",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"SLOAD",
"PUSH1",
"AND",
"OP_81",
"JUMP"
exec
/bin/bash -lc "sed -n '1,240p' codex-output-schema.json" in /tmp/codex-zyt0riu5
succeeded in 0ms:
{"type": "object", "additionalProperties": false, "required": ["no_findings", "summary", "findings"], "properties": {"no_findings": {"type": "boolean"}, "summary": {"type": "string"}, "findings": {"type": "array", "items": {"type": "object", "additionalProperties": false, "required": ["severity", "category", "title", "evidence", "locations", "exploit_scenario", "recommendation"], "properties": {"severity": {"type": "string", "enum": ["info", "low", "medium", "high", "critical"]}, "category": {"type": "string", "enum": ["access_control", "reentrancy", "math", "oracle", "upgradeability", "auth", "other"]}, "title": {"type": "string"}, "exploit_scenario": {"type": "string"}, "recommendation": {"type": "string"}, "evidence": {"type": "string"}, "locations": {"type": "array", "items": {"type": "string"}}}}}}}
exec
/bin/bash -lc "jq 'keys' BYTECODE_BUNDLE.json" in /tmp/codex-zyt0riu5
succeeded in 0ms:
[
"analysis_artifact",
"analysis_run",
"artifact",
"capability_graph",
"detector_findings",
"heuristics_summary"
]
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json | keys' BYTECODE_BUNDLE.json" in /tmp/codex-zyt0riu5
succeeded in 0ms:
[
"auth",
"basic_blocks",
"callsites",
"cfg_edges",
"cfg_hash",
"dispatcher_type",
"function_entries",
"functions",
"selectors",
"sinks",
"storage",
"version"
]
exec
/bin/bash -lc "jq '.heuristics_summary' BYTECODE_BUNDLE.json" in /tmp/codex-zyt0riu5
succeeded in 0ms:
{
"create2_count": 0,
"delegatecall_count": 0,
"flags": [],
"selfdestruct_count": 0
}
exec
/bin/bash -lc "jq '.detector_findings' BYTECODE_BUNDLE.json" in /tmp/codex-zyt0riu5
succeeded in 0ms:
[
{
"confidence": 60,
"evidence_json": {
"call_count": 1,
"examples": [
{
"opcode": "CALL",
"pc": 880,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": [],
"untrusted_call_count": 1
},
"normalized_json": {
"sink": "CALL"
},
"severity": "high",
"title": "Untrusted CALL target/value reachable",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x216f59605793807b0ab628d04fcc58f645fc2a5d"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x256508f8f8c2b60709a2c246e6e755a85872a7fc54b53ebfcfbc54a844565894",
"trace_mode": "callTracer"
}
},
{
"confidence": 55,
"evidence_json": {
"eth_value_calls": 1,
"examples": [
{
"opcode": "CALL",
"pc": 880,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": []
},
"normalized_json": {
"sink": "CALL",
"value": "nonzero"
},
"severity": "high",
"title": "ETH value transfer possible",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x216f59605793807b0ab628d04fcc58f645fc2a5d"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x256508f8f8c2b60709a2c246e6e755a85872a7fc54b53ebfcfbc54a844565894",
"trace_mode": "callTracer"
}
}
]
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.selectors' BYTECODE_BUNDLE.json" in /tmp/codex-zyt0riu5
succeeded in 0ms:
[
"0x06fdde03",
"0x313ce567",
"0x70a08231",
"0x7207c19f",
"0x9287b654",
"0x95d89b41",
"0xa9059cbb",
"0xe6a55699"
]
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.function_entries' BYTECODE_BUNDLE.json" in /tmp/codex-zyt0riu5
succeeded in 0ms:
[
{
"entry_pc": null,
"selector": "0x06fdde03"
},
{
"entry_pc": 1889567281,
"selector": "0x313ce567"
},
{
"entry_pc": 1913110943,
"selector": "0x70a08231"
},
{
"entry_pc": 2458367572,
"selector": "0x7207c19f"
},
{
"entry_pc": 2514000705,
"selector": "0x9287b654"
},
{
"entry_pc": 2835717307,
"selector": "0x95d89b41"
},
{
"entry_pc": 3869595289,
"selector": "0xa9059cbb"
},
{
"entry_pc": null,
"selector": "0xe6a55699"
}
]
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.functions' BYTECODE_BUNDLE.json" in /tmp/codex-zyt0riu5
succeeded in 0ms:
[
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0x06fdde03",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 12,
"slots": [
{
"op": "SLOAD",
"pc": 118,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 189,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 209,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
},
{
"op": "SLOAD",
"pc": 316,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 386,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 704,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 1223,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
}
],
"writes": 13
}
},
{
"auth": {
"guards": []
},
"entry_pc": 1889567281,
"selector": "0x313ce567",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 12,
"slots": [
{
"op": "SLOAD",
"pc": 118,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 189,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 209,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
},
{
"op": "SLOAD",
"pc": 316,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 386,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 704,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 1223,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
}
],
"writes": 13
}
},
{
"auth": {
"guards": []
},
"entry_pc": 1913110943,
"selector": "0x70a08231",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 12,
"slots": [
{
"op": "SLOAD",
"pc": 118,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 189,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 209,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
},
{
"op": "SLOAD",
"pc": 316,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 386,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 704,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 1223,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
}
],
"writes": 13
}
},
{
"auth": {
"guards": []
},
"entry_pc": 2458367572,
"selector": "0x7207c19f",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 12,
"slots": [
{
"op": "SLOAD",
"pc": 118,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 189,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 209,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
},
{
"op": "SLOAD",
"pc": 316,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 386,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 704,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 1223,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
}
],
"writes": 13
}
},
{
"auth": {
"guards": []
},
"entry_pc": 2514000705,
"selector": "0x9287b654",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 12,
"slots": [
{
"op": "SLOAD",
"pc": 118,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 189,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 209,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
},
{
"op": "SLOAD",
"pc": 316,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 386,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 704,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 1223,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
}
],
"writes": 13
}
},
{
"auth": {
"guards": []
},
"entry_pc": 2835717307,
"selector": "0x95d89b41",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 12,
"slots": [
{
"op": "SLOAD",
"pc": 118,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 189,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 209,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
},
{
"op": "SLOAD",
"pc": 316,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 386,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 704,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 1223,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
}
],
"writes": 13
}
},
{
"auth": {
"guards": []
},
"entry_pc": 3869595289,
"selector": "0xa9059cbb",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 12,
"slots": [
{
"op": "SLOAD",
"pc": 118,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 189,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 209,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
},
{
"op": "SLOAD",
"pc": 316,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 386,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 704,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 1223,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
}
],
"writes": 13
}
},
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0xe6a55699",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 12,
"slots": [
{
"op": "SLOAD",
"pc": 118,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 189,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 209,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
},
{
"op": "SLOAD",
"pc": 316,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 386,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 704,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 1223,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
}
],
"writes": 13
}
}
]
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.callsites' BYTECODE_BUNDLE.json" in /tmp/codex-zyt0riu5
succeeded in 0ms:
[
{
"opcode": "CALL",
"pc": 880,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
]
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.storage' BYTECODE_BUNDLE.json" in /tmp/codex-zyt0riu5
succeeded in 0ms:
{
"keccak_count": 8,
"reads": 12,
"slots": [
{
"op": "SLOAD",
"pc": 118,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 189,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 209,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
},
{
"op": "SLOAD",
"pc": 316,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 386,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 704,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 1223,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
}
],
"writes": 13
}
exec
/bin/bash -lc "jq '.artifact | keys' BYTECODE_BUNDLE.json" in /tmp/codex-zyt0riu5
succeeded in 0ms:
[
"codehash",
"compiler_json",
"implementation_address",
"is_proxy",
"runtime_bytecode",
"verified_source"
]
exec
/bin/bash -lc "jq '.analysis_run | keys' BYTECODE_BUNDLE.json" in /tmp/codex-zyt0riu5
succeeded in 0ms:
[
"address",
"block_number",
"chain_id",
"child_links",
"created_at",
"id",
"parent_links",
"status",
"updated_at"
]
exec
/bin/bash -lc "jq '.capability_graph | keys' BYTECODE_BUNDLE.json" in /tmp/codex-zyt0riu5
succeeded in 0ms:
[
"address",
"block_number",
"chain_id",
"codehash",
"created_at",
"graph_hash",
"graph_json",
"id",
"updated_at",
"version"
]
exec
/bin/bash -lc 'command -v evm || command -v cast || command -v python3 || command -v node' in /tmp/codex-zyt0riu5
succeeded in 0ms:
/home/noahkuhn/.foundry/bin/cast
exec
/bin/bash -lc "jq -r '.artifact.runtime_bytecode' BYTECODE_BUNDLE.json | wc -c" in /tmp/codex-zyt0riu5
succeeded in 0ms:
2565
exec
/bin/bash -lc "jq -r '.artifact.compiler_json, .artifact.is_proxy, .artifact.implementation_address, .artifact.verified_source' BYTECODE_BUNDLE.json" in /tmp/codex-zyt0riu5
succeeded in 0ms:
{
"etherscan": {
"skipped": true
}
}
false
null
false
exec
/bin/bash -lc "cast --help | sed -n '1,160p'" in /tmp/codex-zyt0riu5
succeeded in 0ms:
A Swiss Army knife for interacting with Ethereum applications from the command line
Usage: cast [OPTIONS] <COMMAND>
Commands:
4byte Get the function signatures for the given selector from
<https://openchain.xyz> [aliases: 4, 4b]
4byte-calldata Decode ABI-encoded calldata using <https://openchain.xyz> [aliases: 4c,
4bc]
4byte-event Get the event signature for a given topic 0 from <https://openchain.xyz>
[aliases: 4e, 4be, topic0-event, t0e]
abi-encode ABI encode the given function argument, excluding the selector [aliases:
ae]
abi-encode-event ABI encode an event and its arguments to generate topics and data [aliases:
aee]
access-list Create an access list for a transaction [aliases: ac, acl]
address-zero Prints the zero address [aliases: --address-zero, az]
admin Fetch the EIP-1967 admin account [aliases: adm]
age Get the timestamp of a block [aliases: a]
artifact Generate an artifact file, that can be used to deploy a contract locally
[aliases: ar]
b2e-payload Convert Beacon payload to execution payload [aliases: b2e]
balance Get the balance of an account in wei [aliases: b]
base-fee Get the basefee of a block [aliases: ba, fee, basefee]
bind Generate a rust binding from a given ABI [aliases: bi]
block Get information about a block [aliases: bl]
block-number Get the latest block number [aliases: bn]
call Perform a call on an account without publishing a transaction [aliases: c]
calldata ABI-encode a function with arguments [aliases: cd]
chain Get the symbolic name of the current chain
chain-id Get the Ethereum chain ID [aliases: ci, cid]
client Get the current client version [aliases: cl]
code Get the runtime bytecode of a contract [aliases: co]
codehash Get the codehash for an account
codesize Get the runtime bytecode size of a contract [aliases: cs]
completions Generate shell completions script [aliases: com]
compute-address Compute the contract address from a given nonce and deployer address
[aliases: ca]
concat-hex Concatenate hex strings [aliases: --concat-hex, ch]
constructor-args Display constructor arguments used for the contract initialization
[aliases: cra]
create2 Generate a deterministic contract address using CREATE2 [aliases: c2]
creation-code Download a contract creation code from Etherscan and RPC [aliases: cc]
da-estimate Estimates the data availability size of a given opstack block
decode-abi Decode ABI-encoded input or output data [aliases: abi-decode, --abi-decode,
ad]
decode-calldata Decode ABI-encoded input data [aliases: calldata-decode, --calldata-decode,
cdd]
decode-error Decode custom error data [aliases: error-decode, --error-decode, erd]
decode-event Decode event data [aliases: event-decode, --event-decode, ed]
decode-string Decode ABI-encoded string [aliases: string-decode, --string-decode, sd]
decode-transaction Decodes a raw signed EIP 2718 typed transaction [aliases: dt, decode-tx]
disassemble Disassembles a hex-encoded bytecode into a human-readable representation
[aliases: da]
erc20-token ERC20 token operations [aliases: erc20]
estimate Estimate the gas cost of a transaction [aliases: e]
find-block Get the block number closest to the provided timestamp [aliases: f]
format-bytes32-string Formats a string into bytes32 encoding [aliases: --format-bytes32-string]
format-units Format a number from smallest unit to decimal with arbitrary decimals
[aliases: --format-units, fun]
from-bin Convert binary data into hex data [aliases: --from-bin, from-binx, fb]
from-fixed-point Convert a fixed point number into an integer [aliases: --from-fix, ff]
from-rlp Decodes RLP hex-encoded data [aliases: --from-rlp]
from-utf8 Convert UTF8 text to hex [aliases: --from-ascii, --from-utf8, from-ascii,
fu, fa]
from-wei Convert wei into an ETH amount [aliases: --from-wei, fw]
gas-price Get the current gas price [aliases: g]
hash-message Hash a message according to EIP-191 [aliases: --hash-message, hm]
hash-zero Prints the zero hash [aliases: --hash-zero, hz]
help Print this message or the help of the given subcommand(s)
implementation Fetch the EIP-1967 implementation for a contract Can read from the
implementation slot or the beacon slot [aliases: impl]
index Compute the storage slot for an entry in a mapping [aliases: in]
index-erc7201 Compute storage slots as specified by `ERC-7201: Namespaced Storage Layout`
[aliases: index7201, in7201]
interface Generate a Solidity interface from a given ABI [aliases: i]
keccak Hash arbitrary data using Keccak-256 [aliases: k, keccak256]
logs Get logs by signature or topic [aliases: l]
lookup-address Perform an ENS reverse lookup [aliases: la]
max-int Prints the maximum value of the given integer type [aliases: --max-int,
maxi]
max-uint Prints the maximum value of the given integer type [aliases: --max-uint,
maxu]
min-int Prints the minimum value of the given integer type [aliases: --min-int,
mini]
mktx Build and sign a transaction [aliases: m]
namehash Calculate the ENS namehash of a name [aliases: na, nh]
nonce Get the nonce for an account [aliases: n]
pad Pads hex data to a specified length [aliases: pd]
parse-bytes32-address Parses a checksummed address from bytes32 encoding. [aliases:
--parse-bytes32-address]
parse-bytes32-string Parses a string from bytes32 encoding [aliases: --parse-bytes32-string]
parse-units Convert a number from decimal to smallest unit with arbitrary decimals
[aliases: --parse-units, pun]
pretty-calldata Pretty print calldata [aliases: pc]
proof Generate a storage proof for a given storage slot [aliases: pr]
publish Publish a raw transaction to the network [aliases: p]
receipt Get the transaction receipt for a transaction [aliases: re]
recover-authority Recovery an EIP-7702 authority from a Authorization JSON string [aliases:
decode-auth]
resolve-name Perform an ENS lookup [aliases: rn]
rpc Perform a raw JSON-RPC request [aliases: rp]
run Runs a published transaction in a local environment and prints the trace
[aliases: r]
selectors Extracts function selectors and arguments from bytecode [aliases: sel]
send Sign and publish a transaction [aliases: s]
shl Perform a left shifting operation
shr Perform a right shifting operation
sig Get the selector for a function [aliases: si]
sig-event Generate event signatures from event string [aliases: se]
source Get the source code of a contract from a block explorer [aliases: et, src]
storage Get the raw value of a contract's storage slot [aliases: st]
storage-root Get the storage root for an account [aliases: sr]
to-ascii Convert hex data to an ASCII string [aliases: --to-ascii, tas, 2as]
to-base Converts a number of one base to another [aliases: --to-base, --to-radix,
to-radix, tr, 2r]
to-bytes32 Right-pads hex data to 32 bytes [aliases: --to-bytes32, tb, 2b]
to-check-sum-address Convert an address to a checksummed format (EIP-55) [aliases:
--to-checksum-address, --to-checksum, to-checksum, ta, 2a]
to-dec Converts a number of one base to decimal [aliases: --to-dec, td, 2d]
to-fixed-point Convert an integer into a fixed point number [aliases: --to-fix, tf, 2f]
to-hex Converts a number of one base to another [aliases: --to-hex, th, 2h]
to-hexdata Normalize the input to lowercase, 0x-prefixed hex [aliases: --to-hexdata,
thd, 2hd]
to-int256 Convert a number to a hex-encoded int256 [aliases: --to-int256, ti, 2i]
to-rlp RLP encodes hex data, or an array of hex data [aliases: --to-rlp]
to-uint256 Convert a number to a hex-encoded uint256 [aliases: --to-uint256, tu, 2u]
to-unit Convert an ETH amount into another unit (ether, gwei or wei) [aliases:
--to-unit, tun, 2un]
to-utf8 Convert hex data to a utf-8 string [aliases: --to-utf8, tu8, 2u8]
to-wei Convert an ETH amount to wei [aliases: --to-wei, tw, 2w]
trace CLI arguments for `cast trace`
tx Get information about a transaction [aliases: t]
tx-pool Inspect the TxPool of a node [aliases: tp]
upload-signature Upload the given signatures to <https://openchain.xyz> [aliases: ups]
wallet Wallet management utilities [aliases: w]
Options:
-h, --help
Print help (see a summary with '-h')
-j, --threads <THREADS>
Number of threads to use. Specifying 0 defaults to the number of logical cores
[aliases: --jobs]
-V, --version
Print version
Display options:
--color <COLOR>
The color of the log messages
Possible values:
- auto: Intelligently guess whether to use color output (default)
- always: Force color output
- never: Force disable color output
--json
Format log messages as JSON
exec
/bin/bash -lc 'cast disassemble $(jq -r '"'.artifact.runtime_bytecode' BYTECODE_BUNDLE.json) | sed -n '1,220p'" in /tmp/codex-zyt0riu5
succeeded in 0ms:
error: unexpected argument '"full":' found
Usage: cast disassemble [OPTIONS] [BYTECODE]
For more information, try '--help'.
exec
/bin/bash -lc "jq '.artifact.runtime_bytecode' BYTECODE_BUNDLE.json | sed -n '1,120p'" in /tmp/codex-zyt0riu5
succeeded in 0ms:
{
"full": "0x6060604052361561006c5760e060020a600035046306fdde03811461006e578063313ce567146100cb57806370a08231146100d75780637207c19f146100ef5780639287b6541461011157806395d89b4114610135578063a9059cbb14610190578063e6a5569914610202575b005b60408051600180546020600282841615610100026000190190921691909104601f810182900482028401820190945283835261033a93908301828280156103fc5780601f106103d1576101008083540402835291602001916103fc565b6103a860035460ff1681565b6103bf60043560006020819052908152604090205481565b33600160a060020a03166000908152602081905260409020600435905561006c565b61006c600160a060020a03331660009081526020819052604090206301406f409055565b61033a6002805460408051602060018416156101000260001901909316849004601f810184900484028201840190925281815292918301828280156103fc5780601f106103d1576101008083540402835291602001916103fc565b61006c600435602435600160a060020a0333811660008181526020818152604080832080548790039055938616808352918490208054860190558351858152935191937fddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef929081900390910190a35050565b60408051602060046024803582810135601f810185900485028601850190965285855261006c958335959394604494939290920191819084018382808284375050604080516020606435808b0135601f81018390048302840183019094528383529799983598976084975091955060249190910193509091508190840183828082843750949650505050505050836000141561029f57620f424093505b600160a060020a03331660009081526020818152604082208690558451600180549381905292600281851615610100026000190190911604601f9081018390047fb10e2d527612073b26eecdfd717e6a320cf44b4afac2b0732d9fcbe2b7fa0cf69081019390919088019083901061040457805160ff19168380011785555b506104349291505b8082111561048d5760008155600101610326565b60405180806020018281038252838181518152602001915080519060200190808383829060006004602084601f0104600f02600301f150905090810190601f16801561039a5780820380516001836020036101000a031916815260200191505b509250505060405180910390f35b6040805160ff929092168252519081900360200190f35b60408051918252519081900360200190f35b820191906000526020600020905b8154815290600101906020018083116103df57829003601f168201915b505050505081565b8280016001018555821561031e579182015b8281111561031e578251826000505591602001919060010190610416565b50508060026000509080519060200190828054600181600116156101000203166002900490600052602060002090601f016020900481019282601f1061049157805160ff19168380011785555b506104c1929150610326565b5090565b82800160010185558215610481579182015b828111156104815782518260005055916020019190600101906104a3565b50506003805460ff1916831790555050505056",
"head": null,
"length": 2476,
"tail": null,
"truncated": false
}
exec
/bin/bash -lc 'cast disassemble $(jq -r '"'.artifact.runtime_bytecode.full' BYTECODE_BUNDLE.json) | sed -n '1,260p'" in /tmp/codex-zyt0riu5
succeeded in 0ms:
00000000: PUSH1 0x60
00000002: PUSH1 0x40
00000004: MSTORE
00000005: CALLDATASIZE
00000006: ISZERO
00000007: PUSH2 0x006c
0000000a: JUMPI
0000000b: PUSH1 0xe0
0000000d: PUSH1 0x02
0000000f: EXP
00000010: PUSH1 0x00
00000012: CALLDATALOAD
00000013: DIV
00000014: PUSH4 0x06fdde03
00000019: DUP2
0000001a: EQ
0000001b: PUSH2 0x006e
0000001e: JUMPI
0000001f: DUP1
00000020: PUSH4 0x313ce567
00000025: EQ
00000026: PUSH2 0x00cb
00000029: JUMPI
0000002a: DUP1
0000002b: PUSH4 0x70a08231
00000030: EQ
00000031: PUSH2 0x00d7
00000034: JUMPI
00000035: DUP1
00000036: PUSH4 0x7207c19f
0000003b: EQ
0000003c: PUSH2 0x00ef
0000003f: JUMPI
00000040: DUP1
00000041: PUSH4 0x9287b654
00000046: EQ
00000047: PUSH2 0x0111
0000004a: JUMPI
0000004b: DUP1
0000004c: PUSH4 0x95d89b41
00000051: EQ
00000052: PUSH2 0x0135
00000055: JUMPI
00000056: DUP1
00000057: PUSH4 0xa9059cbb
0000005c: EQ
0000005d: PUSH2 0x0190
00000060: JUMPI
00000061: DUP1
00000062: PUSH4 0xe6a55699
00000067: EQ
00000068: PUSH2 0x0202
0000006b: JUMPI
0000006c: JUMPDEST
0000006d: STOP
0000006e: JUMPDEST
0000006f: PUSH1 0x40
00000071: DUP1
00000072: MLOAD
00000073: PUSH1 0x01
00000075: DUP1
00000076: SLOAD
00000077: PUSH1 0x20
00000079: PUSH1 0x02
0000007b: DUP3
0000007c: DUP5
0000007d: AND
0000007e: ISZERO
0000007f: PUSH2 0x0100
00000082: MUL
00000083: PUSH1 0x00
00000085: NOT
00000086: ADD
00000087: SWAP1
00000088: SWAP3
00000089: AND
0000008a: SWAP2
0000008b: SWAP1
0000008c: SWAP2
0000008d: DIV
0000008e: PUSH1 0x1f
00000090: DUP2
00000091: ADD
00000092: DUP3
00000093: SWAP1
00000094: DIV
00000095: DUP3
00000096: MUL
00000097: DUP5
00000098: ADD
00000099: DUP3
0000009a: ADD
0000009b: SWAP1
0000009c: SWAP5
0000009d: MSTORE
0000009e: DUP4
0000009f: DUP4
000000a0: MSTORE
000000a1: PUSH2 0x033a
000000a4: SWAP4
000000a5: SWAP1
000000a6: DUP4
000000a7: ADD
000000a8: DUP3
000000a9: DUP3
000000aa: DUP1
000000ab: ISZERO
000000ac: PUSH2 0x03fc
000000af: JUMPI
000000b0: DUP1
000000b1: PUSH1 0x1f
000000b3: LT
000000b4: PUSH2 0x03d1
000000b7: JUMPI
000000b8: PUSH2 0x0100
000000bb: DUP1
000000bc: DUP4
000000bd: SLOAD
000000be: DIV
000000bf: MUL
000000c0: DUP4
000000c1: MSTORE
000000c2: SWAP2
000000c3: PUSH1 0x20
000000c5: ADD
000000c6: SWAP2
000000c7: PUSH2 0x03fc
000000ca: JUMP
000000cb: JUMPDEST
000000cc: PUSH2 0x03a8
000000cf: PUSH1 0x03
000000d1: SLOAD
000000d2: PUSH1 0xff
000000d4: AND
000000d5: DUP2
000000d6: JUMP
000000d7: JUMPDEST
000000d8: PUSH2 0x03bf
000000db: PUSH1 0x04
000000dd: CALLDATALOAD
000000de: PUSH1 0x00
000000e0: PUSH1 0x20
000000e2: DUP2
000000e3: SWAP1
000000e4: MSTORE
000000e5: SWAP1
000000e6: DUP2
000000e7: MSTORE
000000e8: PUSH1 0x40
000000ea: SWAP1
000000eb: KECCAK256
000000ec: SLOAD
000000ed: DUP2
000000ee: JUMP
000000ef: JUMPDEST
000000f0: CALLER
000000f1: PUSH1 0x01
000000f3: PUSH1 0xa0
000000f5: PUSH1 0x02
000000f7: EXP
000000f8: SUB
000000f9: AND
000000fa: PUSH1 0x00
000000fc: SWAP1
000000fd: DUP2
000000fe: MSTORE
000000ff: PUSH1 0x20
00000101: DUP2
00000102: SWAP1
00000103: MSTORE
00000104: PUSH1 0x40
00000106: SWAP1
00000107: KECCAK256
00000108: PUSH1 0x04
0000010a: CALLDATALOAD
0000010b: SWAP1
0000010c: SSTORE
0000010d: PUSH2 0x006c
00000110: JUMP
00000111: JUMPDEST
00000112: PUSH2 0x006c
00000115: PUSH1 0x01
00000117: PUSH1 0xa0
00000119: PUSH1 0x02
0000011b: EXP
0000011c: SUB
0000011d: CALLER
0000011e: AND
0000011f: PUSH1 0x00
00000121: SWAP1
00000122: DUP2
00000123: MSTORE
00000124: PUSH1 0x20
00000126: DUP2
00000127: SWAP1
00000128: MSTORE
00000129: PUSH1 0x40
0000012b: SWAP1
0000012c: KECCAK256
0000012d: PUSH4 0x01406f40
00000132: SWAP1
00000133: SSTORE
00000134: JUMP
00000135: JUMPDEST
00000136: PUSH2 0x033a
00000139: PUSH1 0x02
0000013b: DUP1
0000013c: SLOAD
0000013d: PUSH1 0x40
0000013f: DUP1
00000140: MLOAD
00000141: PUSH1 0x20
00000143: PUSH1 0x01
00000145: DUP5
00000146: AND
00000147: ISZERO
00000148: PUSH2 0x0100
0000014b: MUL
0000014c: PUSH1 0x00
0000014e: NOT
0000014f: ADD
00000150: SWAP1
00000151: SWAP4
00000152: AND
00000153: DUP5
00000154: SWAP1
00000155: DIV
00000156: PUSH1 0x1f
00000158: DUP2
00000159: ADD
0000015a: DUP5
0000015b: SWAP1
0000015c: DIV
0000015d: DUP5
0000015e: MUL
0000015f: DUP3
00000160: ADD
00000161: DUP5
00000162: ADD
00000163: SWAP1
00000164: SWAP3
00000165: MSTORE
00000166: DUP2
00000167: DUP2
00000168: MSTORE
00000169: SWAP3
0000016a: SWAP2
0000016b: DUP4
0000016c: ADD
0000016d: DUP3
0000016e: DUP3
0000016f: DUP1
00000170: ISZERO
00000171: PUSH2 0x03fc
00000174: JUMPI
00000175: DUP1
00000176: PUSH1 0x1f
00000178: LT
00000179: PUSH2 0x03d1
0000017c: JUMPI
exec
/bin/bash -lc 'cast disassemble $(jq -r '"'.artifact.runtime_bytecode.full' BYTECODE_BUNDLE.json) | sed -n '260,520p'" in /tmp/codex-zyt0riu5
succeeded in 0ms:
0000017c: JUMPI
0000017d: PUSH2 0x0100
00000180: DUP1
00000181: DUP4
00000182: SLOAD
00000183: DIV
00000184: MUL
00000185: DUP4
00000186: MSTORE
00000187: SWAP2
00000188: PUSH1 0x20
0000018a: ADD
0000018b: SWAP2
0000018c: PUSH2 0x03fc
0000018f: JUMP
00000190: JUMPDEST
00000191: PUSH2 0x006c
00000194: PUSH1 0x04
00000196: CALLDATALOAD
00000197: PUSH1 0x24
00000199: CALLDATALOAD
0000019a: PUSH1 0x01
0000019c: PUSH1 0xa0
0000019e: PUSH1 0x02
000001a0: EXP
000001a1: SUB
000001a2: CALLER
000001a3: DUP2
000001a4: AND
000001a5: PUSH1 0x00
000001a7: DUP2
000001a8: DUP2
000001a9: MSTORE
000001aa: PUSH1 0x20
000001ac: DUP2
000001ad: DUP2
000001ae: MSTORE
000001af: PUSH1 0x40
000001b1: DUP1
000001b2: DUP4
000001b3: KECCAK256
000001b4: DUP1
000001b5: SLOAD
000001b6: DUP8
000001b7: SWAP1
000001b8: SUB
000001b9: SWAP1
000001ba: SSTORE
000001bb: SWAP4
000001bc: DUP7
000001bd: AND
000001be: DUP1
000001bf: DUP4
000001c0: MSTORE
000001c1: SWAP2
000001c2: DUP5
000001c3: SWAP1
000001c4: KECCAK256
000001c5: DUP1
000001c6: SLOAD
000001c7: DUP7
000001c8: ADD
000001c9: SWAP1
000001ca: SSTORE
000001cb: DUP4
000001cc: MLOAD
000001cd: DUP6
000001ce: DUP2
000001cf: MSTORE
000001d0: SWAP4
000001d1: MLOAD
000001d2: SWAP2
000001d3: SWAP4
000001d4: PUSH32 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef
000001f5: SWAP3
000001f6: SWAP1
000001f7: DUP2
000001f8: SWAP1
000001f9: SUB
000001fa: SWAP1
000001fb: SWAP2
000001fc: ADD
000001fd: SWAP1
000001fe: LOG3
000001ff: POP
00000200: POP
00000201: JUMP
00000202: JUMPDEST
00000203: PUSH1 0x40
00000205: DUP1
00000206: MLOAD
00000207: PUSH1 0x20
00000209: PUSH1 0x04
0000020b: PUSH1 0x24
0000020d: DUP1
0000020e: CALLDATALOAD
0000020f: DUP3
00000210: DUP2
00000211: ADD
00000212: CALLDATALOAD
00000213: PUSH1 0x1f
00000215: DUP2
00000216: ADD
00000217: DUP6
00000218: SWAP1
00000219: DIV
0000021a: DUP6
0000021b: MUL
0000021c: DUP7
0000021d: ADD
0000021e: DUP6
0000021f: ADD
00000220: SWAP1
00000221: SWAP7
00000222: MSTORE
00000223: DUP6
00000224: DUP6
00000225: MSTORE
00000226: PUSH2 0x006c
00000229: SWAP6
0000022a: DUP4
0000022b: CALLDATALOAD
0000022c: SWAP6
0000022d: SWAP4
0000022e: SWAP5
0000022f: PUSH1 0x44
00000231: SWAP5
00000232: SWAP4
00000233: SWAP3
00000234: SWAP1
00000235: SWAP3
00000236: ADD
00000237: SWAP2
00000238: DUP2
00000239: SWAP1
0000023a: DUP5
0000023b: ADD
0000023c: DUP4
0000023d: DUP3
0000023e: DUP1
0000023f: DUP3
00000240: DUP5
00000241: CALLDATACOPY
00000242: POP
00000243: POP
00000244: PUSH1 0x40
00000246: DUP1
00000247: MLOAD
00000248: PUSH1 0x20
0000024a: PUSH1 0x64
0000024c: CALLDATALOAD
0000024d: DUP1
0000024e: DUP12
0000024f: ADD
00000250: CALLDATALOAD
00000251: PUSH1 0x1f
00000253: DUP2
00000254: ADD
00000255: DUP4
00000256: SWAP1
00000257: DIV
00000258: DUP4
00000259: MUL
0000025a: DUP5
0000025b: ADD
0000025c: DUP4
0000025d: ADD
0000025e: SWAP1
0000025f: SWAP5
00000260: MSTORE
00000261: DUP4
00000262: DUP4
00000263: MSTORE
00000264: SWAP8
00000265: SWAP10
00000266: SWAP9
00000267: CALLDATALOAD
00000268: SWAP9
00000269: SWAP8
0000026a: PUSH1 0x84
0000026c: SWAP8
0000026d: POP
0000026e: SWAP2
0000026f: SWAP6
00000270: POP
00000271: PUSH1 0x24
00000273: SWAP2
00000274: SWAP1
00000275: SWAP2
00000276: ADD
00000277: SWAP4
00000278: POP
00000279: SWAP1
0000027a: SWAP2
0000027b: POP
0000027c: DUP2
0000027d: SWAP1
0000027e: DUP5
0000027f: ADD
00000280: DUP4
00000281: DUP3
00000282: DUP1
00000283: DUP3
00000284: DUP5
00000285: CALLDATACOPY
00000286: POP
00000287: SWAP5
00000288: SWAP7
00000289: POP
0000028a: POP
0000028b: POP
0000028c: POP
0000028d: POP
0000028e: POP
0000028f: POP
00000290: DUP4
00000291: PUSH1 0x00
00000293: EQ
00000294: ISZERO
00000295: PUSH2 0x029f
00000298: JUMPI
00000299: PUSH3 0x0f4240
0000029d: SWAP4
0000029e: POP
0000029f: JUMPDEST
000002a0: PUSH1 0x01
000002a2: PUSH1 0xa0
000002a4: PUSH1 0x02
000002a6: EXP
000002a7: SUB
000002a8: CALLER
000002a9: AND
000002aa: PUSH1 0x00
000002ac: SWAP1
000002ad: DUP2
000002ae: MSTORE
000002af: PUSH1 0x20
000002b1: DUP2
000002b2: DUP2
000002b3: MSTORE
000002b4: PUSH1 0x40
000002b6: DUP3
000002b7: KECCAK256
000002b8: DUP7
000002b9: SWAP1
000002ba: SSTORE
000002bb: DUP5
000002bc: MLOAD
000002bd: PUSH1 0x01
000002bf: DUP1
000002c0: SLOAD
000002c1: SWAP4
000002c2: DUP2
000002c3: SWAP1
000002c4: MSTORE
000002c5: SWAP3
000002c6: PUSH1 0x02
000002c8: DUP2
000002c9: DUP6
000002ca: AND
000002cb: ISZERO
exec
/bin/bash -lc 'cast disassemble $(jq -r '"'.artifact.runtime_bytecode.full' BYTECODE_BUNDLE.json) | sed -n '520,780p'" in /tmp/codex-zyt0riu5
succeeded in 0ms:
000002cb: ISZERO
000002cc: PUSH2 0x0100
000002cf: MUL
000002d0: PUSH1 0x00
000002d2: NOT
000002d3: ADD
000002d4: SWAP1
000002d5: SWAP2
000002d6: AND
000002d7: DIV
000002d8: PUSH1 0x1f
000002da: SWAP1
000002db: DUP2
000002dc: ADD
000002dd: DUP4
000002de: SWAP1
000002df: DIV
000002e0: PUSH32 0xb10e2d527612073b26eecdfd717e6a320cf44b4afac2b0732d9fcbe2b7fa0cf6
00000301: SWAP1
00000302: DUP2
00000303: ADD
00000304: SWAP4
00000305: SWAP1
00000306: SWAP2
00000307: SWAP1
00000308: DUP9
00000309: ADD
0000030a: SWAP1
0000030b: DUP4
0000030c: SWAP1
0000030d: LT
0000030e: PUSH2 0x0404
00000311: JUMPI
00000312: DUP1
00000313: MLOAD
00000314: PUSH1 0xff
00000316: NOT
00000317: AND
00000318: DUP4
00000319: DUP1
0000031a: ADD
0000031b: OR
0000031c: DUP6
0000031d: SSTORE
0000031e: JUMPDEST
0000031f: POP
00000320: PUSH2 0x0434
00000323: SWAP3
00000324: SWAP2
00000325: POP
00000326: JUMPDEST
00000327: DUP1
00000328: DUP3
00000329: GT
0000032a: ISZERO
0000032b: PUSH2 0x048d
0000032e: JUMPI
0000032f: PUSH1 0x00
00000331: DUP2
00000332: SSTORE
00000333: PUSH1 0x01
00000335: ADD
00000336: PUSH2 0x0326
00000339: JUMP
0000033a: JUMPDEST
0000033b: PUSH1 0x40
0000033d: MLOAD
0000033e: DUP1
0000033f: DUP1
00000340: PUSH1 0x20
00000342: ADD
00000343: DUP3
00000344: DUP2
00000345: SUB
00000346: DUP3
00000347: MSTORE
00000348: DUP4
00000349: DUP2
0000034a: DUP2
0000034b: MLOAD
0000034c: DUP2
0000034d: MSTORE
0000034e: PUSH1 0x20
00000350: ADD
00000351: SWAP2
00000352: POP
00000353: DUP1
00000354: MLOAD
00000355: SWAP1
00000356: PUSH1 0x20
00000358: ADD
00000359: SWAP1
0000035a: DUP1
0000035b: DUP4
0000035c: DUP4
0000035d: DUP3
0000035e: SWAP1
0000035f: PUSH1 0x00
00000361: PUSH1 0x04
00000363: PUSH1 0x20
00000365: DUP5
00000366: PUSH1 0x1f
00000368: ADD
00000369: DIV
0000036a: PUSH1 0x0f
0000036c: MUL
0000036d: PUSH1 0x03
0000036f: ADD
00000370: CALL
00000371: POP
00000372: SWAP1
00000373: POP
00000374: SWAP1
00000375: DUP2
00000376: ADD
00000377: SWAP1
00000378: PUSH1 0x1f
0000037a: AND
0000037b: DUP1
0000037c: ISZERO
0000037d: PUSH2 0x039a
00000380: JUMPI
00000381: DUP1
00000382: DUP3
00000383: SUB
00000384: DUP1
00000385: MLOAD
00000386: PUSH1 0x01
00000388: DUP4
00000389: PUSH1 0x20
0000038b: SUB
0000038c: PUSH2 0x0100
0000038f: EXP
00000390: SUB
00000391: NOT
00000392: AND
00000393: DUP2
00000394: MSTORE
00000395: PUSH1 0x20
00000397: ADD
00000398: SWAP2
00000399: POP
0000039a: JUMPDEST
0000039b: POP
0000039c: SWAP3
0000039d: POP
0000039e: POP
0000039f: POP
000003a0: PUSH1 0x40
000003a2: MLOAD
000003a3: DUP1
000003a4: SWAP2
000003a5: SUB
000003a6: SWAP1
000003a7: RETURN
000003a8: JUMPDEST
000003a9: PUSH1 0x40
000003ab: DUP1
000003ac: MLOAD
000003ad: PUSH1 0xff
000003af: SWAP3
000003b0: SWAP1
000003b1: SWAP3
000003b2: AND
000003b3: DUP3
000003b4: MSTORE
000003b5: MLOAD
000003b6: SWAP1
000003b7: DUP2
000003b8: SWAP1
000003b9: SUB
000003ba: PUSH1 0x20
000003bc: ADD
000003bd: SWAP1
000003be: RETURN
000003bf: JUMPDEST
000003c0: PUSH1 0x40
000003c2: DUP1
000003c3: MLOAD
000003c4: SWAP2
000003c5: DUP3
000003c6: MSTORE
000003c7: MLOAD
000003c8: SWAP1
000003c9: DUP2
000003ca: SWAP1
000003cb: SUB
000003cc: PUSH1 0x20
000003ce: ADD
000003cf: SWAP1
000003d0: RETURN
000003d1: JUMPDEST
000003d2: DUP3
000003d3: ADD
000003d4: SWAP2
000003d5: SWAP1
000003d6: PUSH1 0x00
000003d8: MSTORE
000003d9: PUSH1 0x20
000003db: PUSH1 0x00
000003dd: KECCAK256
000003de: SWAP1
000003df: JUMPDEST
000003e0: DUP2
000003e1: SLOAD
000003e2: DUP2
000003e3: MSTORE
000003e4: SWAP1
000003e5: PUSH1 0x01
000003e7: ADD
000003e8: SWAP1
000003e9: PUSH1 0x20
000003eb: ADD
000003ec: DUP1
000003ed: DUP4
000003ee: GT
000003ef: PUSH2 0x03df
000003f2: JUMPI
000003f3: DUP3
000003f4: SWAP1
000003f5: SUB
000003f6: PUSH1 0x1f
000003f8: AND
000003f9: DUP3
000003fa: ADD
000003fb: SWAP2
000003fc: JUMPDEST
000003fd: POP
000003fe: POP
000003ff: POP
00000400: POP
00000401: POP
00000402: DUP2
00000403: JUMP
00000404: JUMPDEST
00000405: DUP3
00000406: DUP1
00000407: ADD
00000408: PUSH1 0x01
0000040a: ADD
0000040b: DUP6
0000040c: SSTORE
0000040d: DUP3
0000040e: ISZERO
0000040f: PUSH2 0x031e
00000412: JUMPI
00000413: SWAP2
00000414: DUP3
00000415: ADD
00000416: JUMPDEST
00000417: DUP3
00000418: DUP2
00000419: GT
0000041a: ISZERO
0000041b: PUSH2 0x031e
0000041e: JUMPI
0000041f: DUP3
00000420: MLOAD
00000421: DUP3
00000422: PUSH1 0x00
00000424: POP
exec
/bin/bash -lc 'cast disassemble $(jq -r '"'.artifact.runtime_bytecode.full' BYTECODE_BUNDLE.json) | sed -n '780,920p'" in /tmp/codex-zyt0riu5
succeeded in 0ms:
00000424: POP
00000425: SSTORE
00000426: SWAP2
00000427: PUSH1 0x20
00000429: ADD
0000042a: SWAP2
0000042b: SWAP1
0000042c: PUSH1 0x01
0000042e: ADD
0000042f: SWAP1
00000430: PUSH2 0x0416
00000433: JUMP
00000434: JUMPDEST
00000435: POP
00000436: POP
00000437: DUP1
00000438: PUSH1 0x02
0000043a: PUSH1 0x00
0000043c: POP
0000043d: SWAP1
0000043e: DUP1
0000043f: MLOAD
00000440: SWAP1
00000441: PUSH1 0x20
00000443: ADD
00000444: SWAP1
00000445: DUP3
00000446: DUP1
00000447: SLOAD
00000448: PUSH1 0x01
0000044a: DUP2
0000044b: PUSH1 0x01
0000044d: AND
0000044e: ISZERO
0000044f: PUSH2 0x0100
00000452: MUL
00000453: SUB
00000454: AND
00000455: PUSH1 0x02
00000457: SWAP1
00000458: DIV
00000459: SWAP1
0000045a: PUSH1 0x00
0000045c: MSTORE
0000045d: PUSH1 0x20
0000045f: PUSH1 0x00
00000461: KECCAK256
00000462: SWAP1
00000463: PUSH1 0x1f
00000465: ADD
00000466: PUSH1 0x20
00000468: SWAP1
00000469: DIV
0000046a: DUP2
0000046b: ADD
0000046c: SWAP3
0000046d: DUP3
0000046e: PUSH1 0x1f
00000470: LT
00000471: PUSH2 0x0491
00000474: JUMPI
00000475: DUP1
00000476: MLOAD
00000477: PUSH1 0xff
00000479: NOT
0000047a: AND
0000047b: DUP4
0000047c: DUP1
0000047d: ADD
0000047e: OR
0000047f: DUP6
00000480: SSTORE
00000481: JUMPDEST
00000482: POP
00000483: PUSH2 0x04c1
00000486: SWAP3
00000487: SWAP2
00000488: POP
00000489: PUSH2 0x0326
0000048c: JUMP
0000048d: JUMPDEST
0000048e: POP
0000048f: SWAP1
00000490: JUMP
00000491: JUMPDEST
00000492: DUP3
00000493: DUP1
00000494: ADD
00000495: PUSH1 0x01
00000497: ADD
00000498: DUP6
00000499: SSTORE
0000049a: DUP3
0000049b: ISZERO
0000049c: PUSH2 0x0481
0000049f: JUMPI
000004a0: SWAP2
000004a1: DUP3
000004a2: ADD
000004a3: JUMPDEST
000004a4: DUP3
000004a5: DUP2
000004a6: GT
000004a7: ISZERO
000004a8: PUSH2 0x0481
000004ab: JUMPI
000004ac: DUP3
000004ad: MLOAD
000004ae: DUP3
000004af: PUSH1 0x00
000004b1: POP
000004b2: SSTORE
000004b3: SWAP2
000004b4: PUSH1 0x20
000004b6: ADD
000004b7: SWAP2
000004b8: SWAP1
000004b9: PUSH1 0x01
000004bb: ADD
000004bc: SWAP1
000004bd: PUSH2 0x04a3
000004c0: JUMP
000004c1: JUMPDEST
000004c2: POP
000004c3: POP
000004c4: PUSH1 0x03
000004c6: DUP1
000004c7: SLOAD
000004c8: PUSH1 0xff
000004ca: NOT
000004cb: AND
000004cc: DUP4
000004cd: OR
000004ce: SWAP1
000004cf: SSTORE
000004d0: POP
000004d1: POP
000004d2: POP
000004d3: POP
000004d4: JUMP
codex
{"no_findings":false,"summary":"Bytecode shows a non-proxy token-like contract with `name()`, `symbol()`, `decimals()`, `balanceOf()`, and `transfer()`. The only `CALL` sink at `pc:0x0370` matches the identity precompile copy pattern (gas formula `3 + 15*ceil(len/32)`, address `0x04`), so I did not treat the detector's untrusted-call alert as a confirmed external-call risk. The meaningful issues are unchecked token accounting and multiple unauthenticated state-mutating entrypoints.","findings":[{"severity":"critical","category":"access_control","title":"Unauthenticated balance-setting and reinitialization entrypoints","exploit_scenario":"Any external account can call `0x7207c19f` to overwrite its own balance with an arbitrary calldata value, call `0x9287b654` to set its balance to the hardcoded constant `0x01406f40`, and likely call `0xe6a55699` to set its balance plus mutate metadata fields. An attacker can mint themselves spendable tokens and, on the inferred initializer path, also rewrite token metadata to mislead integrators or buyers.","recommendation":"Remove these runtime setters, or gate them behind strict admin authorization. If `0xe6a55699` is intended as an initializer, protect it with a one-time initialized flag and constructor/factory-only access. Any balance minting should update explicit supply/accounting invariants and emit appropriate events.","evidence":"`0x7207c19f` (`pc:0x00ef`) computes `keccak256(caller, 0x00)` and performs a direct `SSTORE` of `CALLDATALOAD(0x04)` at `pc:0x0108`, with no guard branch. `0x9287b654` (`pc:0x0111`) computes the same caller balance slot and stores constant `0x01406f40` at `pc:0x012d`, again without any guard. Best-effort selector inference for `0xe6a55699` shows it parsing multiple user-controlled arguments, defaulting one amount-like argument to `0x0f4240` when zero (`pc:0x0290`-`pc:0x029e`), writing `keccak256(caller,0)` at `pc:0x02b8`, then rewriting storage slots `0x01`, `0x02`, and low byte of slot `0x03` across `pc:0x02bc`-`pc:0x04cf`. No authorization heuristic was detected anywhere in these paths.","locations":["selector:0x7207c19f","pc:0x0108","selector:0x9287b654","pc:0x012d","selector:0xe6a55699","pc:0x02b8","pc:0x04c7"]},{"severity":"critical","category":"math","title":"`transfer` uses unchecked arithmetic and permits balance underflow/overflow","exploit_scenario":"A caller with zero or insufficient balance can call `transfer(address,uint256)` with any positive amount. Because the sender balance is updated with raw `SUB` and no preceding bounds check, the sender balance wraps to a huge `uint256` value instead of reverting. The recipient is then credited with unchecked `ADD`. This breaks token accounting and lets arbitrary users manufacture effectively unlimited balances.","recommendation":"Enforce `balance >= amount` before subtraction and use checked arithmetic for both debit and credit paths. In practice this means Solidity >=0.8 revert semantics or explicit SafeMath-style checks if compiling older bytecode.","evidence":"In `selector:0xa9059cbb`, the contract loads the sender balance from `keccak256(caller,0)` at `pc:0x01b5`, subtracts the transfer amount with raw `SUB` at `pc:0x01b8`, and immediately stores the result at `pc:0x01ba`. There is no `LT`/`GT`-based guard or conditional revert before this subtraction. The recipient balance is then loaded at `pc:0x01c5`, incremented with raw `ADD` at `pc:0x01c8`, and stored at `pc:0x01ca`, also without overflow protection.","locations":["selector:0xa9059cbb","pc:0x01b5","pc:0x01b8","pc:0x01ba","pc:0x01c5","pc:0x01c8","pc:0x01ca"]}]}
tokens used
51,789
{
"codex": {
"ran_at": "2026-04-05T03:25:49.238036+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 2476,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "Bytecode shows a non-proxy token-like contract with `name()`, `symbol()`, `decimals()`, `balanceOf()`, and `transfer()`. The only `CALL` sink at `pc:0x0370` matches the identity precompile copy pattern (gas formula `3 + 15*ceil(len/32)`, address `0x04`), so I did not treat the detector's untrusted-call alert as a confirmed external-call risk. The meaningful issues are unchecked token accounting and multiple unauthenticated state-mutating entrypoints.",
"raw_final": {
"summary": "Bytecode shows a non-proxy token-like contract with `name()`, `symbol()`, `decimals()`, `balanceOf()`, and `transfer()`. The only `CALL` sink at `pc:0x0370` matches the identity precompile copy pattern (gas formula `3 + 15*ceil(len/32)`, address `0x04`), so I did not treat the detector's untrusted-call alert as a confirmed external-call risk. The meaningful issues are unchecked token accounting and multiple unauthenticated state-mutating entrypoints.",
"findings": [
{
"title": "Unauthenticated balance-setting and reinitialization entrypoints",
"category": "access_control",
"evidence": "`0x7207c19f` (`pc:0x00ef`) computes `keccak256(caller, 0x00)` and performs a direct `SSTORE` of `CALLDATALOAD(0x04)` at `pc:0x0108`, with no guard branch. `0x9287b654` (`pc:0x0111`) computes the same caller balance slot and stores constant `0x01406f40` at `pc:0x012d`, again without any guard. Best-effort selector inference for `0xe6a55699` shows it parsing multiple user-controlled arguments, defaulting one amount-like argument to `0x0f4240` when zero (`pc:0x0290`-`pc:0x029e`), writing `keccak256(caller,0)` at `pc:0x02b8`, then rewriting storage slots `0x01`, `0x02`, and low byte of slot `0x03` across `pc:0x02bc`-`pc:0x04cf`. No authorization heuristic was detected anywhere in these paths.",
"severity": "critical",
"locations": [
"selector:0x7207c19f",
"pc:0x0108",
"selector:0x9287b654",
"pc:0x012d",
"selector:0xe6a55699",
"pc:0x02b8",
"pc:0x04c7"
],
"recommendation": "Remove these runtime setters, or gate them behind strict admin authorization. If `0xe6a55699` is intended as an initializer, protect it with a one-time initialized flag and constructor/factory-only access. Any balance minting should update explicit supply/accounting invariants and emit appropriate events.",
"exploit_scenario": "Any external account can call `0x7207c19f` to overwrite its own balance with an arbitrary calldata value, call `0x9287b654` to set its balance to the hardcoded constant `0x01406f40`, and likely call `0xe6a55699` to set its balance plus mutate metadata fields. An attacker can mint themselves spendable tokens and, on the inferred initializer path, also rewrite token metadata to mislead integrators or buyers."
},
{
"title": "`transfer` uses unchecked arithmetic and permits balance underflow/overflow",
"category": "math",
"evidence": "In `selector:0xa9059cbb`, the contract loads the sender balance from `keccak256(caller,0)` at `pc:0x01b5`, subtracts the transfer amount with raw `SUB` at `pc:0x01b8`, and immediately stores the result at `pc:0x01ba`. There is no `LT`/`GT`-based guard or conditional revert before this subtraction. The recipient balance is then loaded at `pc:0x01c5`, incremented with raw `ADD` at `pc:0x01c8`, and stored at `pc:0x01ca`, also without overflow protection.",
"severity": "critical",
"locations": [
"selector:0xa9059cbb",
"pc:0x01b5",
"pc:0x01b8",
"pc:0x01ba",
"pc:0x01c5",
"pc:0x01c8",
"pc:0x01ca"
],
"recommendation": "Enforce `balance >= amount` before subtraction and use checked arithmetic for both debit and credit paths. In practice this means Solidity >=0.8 revert semantics or explicit SafeMath-style checks if compiling older bytecode.",
"exploit_scenario": "A caller with zero or insufficient balance can call `transfer(address,uint256)` with any positive amount. Because the sender balance is updated with raw `SUB` and no preceding bounds check, the sender balance wraps to a huge `uint256` value instead of reverting. The recipient is then credited with unchecked `ADD`. This breaks token accounting and lets arbitrary users manufacture effectively unlimited balances."
}
],
"no_findings": false
},
"no_findings": false,
"schema_version": 1
}
00000000: PUSH1 0x60 00000002: PUSH1 0x40 00000004: MSTORE 00000005: CALLDATASIZE 00000006: ISZERO 00000007: PUSH2 0x006c 0000000a: JUMPI 0000000b: PUSH1 0xe0 0000000d: PUSH1 0x02 0000000f: EXP 00000010: PUSH1 0x00 00000012: CALLDATALOAD 00000013: DIV 00000014: PUSH4 0x06fdde03 00000019: DUP2 0000001a: EQ 0000001b: PUSH2 0x006e 0000001e: JUMPI 0000001f: DUP1 00000020: PUSH4 0x313ce567 00000025: EQ 00000026: PUSH2 0x00cb 00000029: JUMPI 0000002a: DUP1 0000002b: PUSH4 0x70a08231 00000030: EQ 00000031: PUSH2 0x00d7 00000034: JUMPI 00000035: DUP1 00000036: PUSH4 0x7207c19f 0000003b: EQ 0000003c: PUSH2 0x00ef 0000003f: JUMPI 00000040: DUP1 00000041: PUSH4 0x9287b654 00000046: EQ 00000047: PUSH2 0x0111 0000004a: JUMPI 0000004b: DUP1 0000004c: PUSH4 0x95d89b41 00000051: EQ 00000052: PUSH2 0x0135 00000055: JUMPI 00000056: DUP1 00000057: PUSH4 0xa9059cbb 0000005c: EQ 0000005d: PUSH2 0x0190 00000060: JUMPI 00000061: DUP1 00000062: PUSH4 0xe6a55699 00000067: EQ 00000068: PUSH2 0x0202 0000006b: JUMPI 0000006c: JUMPDEST 0000006d: STOP 0000006e: JUMPDEST 0000006f: PUSH1 0x40 00000071: DUP1 00000072: MLOAD 00000073: PUSH1 0x01 00000075: DUP1 00000076: SLOAD 00000077: PUSH1 0x20 00000079: PUSH1 0x02 0000007b: DUP3 0000007c: DUP5 0000007d: AND 0000007e: ISZERO 0000007f: PUSH2 0x0100 00000082: MUL 00000083: PUSH1 0x00 00000085: NOT 00000086: ADD 00000087: SWAP1 00000088: SWAP3 00000089: AND 0000008a: SWAP2 0000008b: SWAP1 0000008c: SWAP2 0000008d: DIV 0000008e: PUSH1 0x1f 00000090: DUP2 00000091: ADD 00000092: DUP3 00000093: SWAP1 00000094: DIV 00000095: DUP3 00000096: MUL 00000097: DUP5 00000098: ADD 00000099: DUP3 0000009a: ADD 0000009b: SWAP1 0000009c: SWAP5 0000009d: MSTORE 0000009e: DUP4 0000009f: DUP4 000000a0: MSTORE 000000a1: PUSH2 0x033a 000000a4: SWAP4 000000a5: SWAP1 000000a6: DUP4 000000a7: ADD 000000a8: DUP3 000000a9: DUP3 000000aa: DUP1 000000ab: ISZERO 000000ac: PUSH2 0x03fc 000000af: JUMPI 000000b0: DUP1 000000b1: PUSH1 0x1f 000000b3: LT 000000b4: PUSH2 0x03d1 000000b7: JUMPI 000000b8: PUSH2 0x0100 000000bb: DUP1 000000bc: DUP4 000000bd: SLOAD 000000be: DIV 000000bf: MUL 000000c0: DUP4 000000c1: MSTORE 000000c2: SWAP2 000000c3: PUSH1 0x20 000000c5: ADD 000000c6: SWAP2 000000c7: PUSH2 0x03fc 000000ca: JUMP 000000cb: JUMPDEST 000000cc: PUSH2 0x03a8 000000cf: PUSH1 0x03 000000d1: SLOAD 000000d2: PUSH1 0xff 000000d4: AND 000000d5: DUP2 000000d6: JUMP 000000d7: JUMPDEST 000000d8: PUSH2 0x03bf 000000db: PUSH1 0x04 000000dd: CALLDATALOAD 000000de: PUSH1 0x00 000000e0: PUSH1 0x20 000000e2: DUP2 000000e3: SWAP1 000000e4: MSTORE 000000e5: SWAP1 000000e6: DUP2 000000e7: MSTORE 000000e8: PUSH1 0x40 000000ea: SWAP1 000000eb: KECCAK256 000000ec: SLOAD 000000ed: DUP2 000000ee: JUMP 000000ef: JUMPDEST 000000f0: CALLER 000000f1: PUSH1 0x01 000000f3: PUSH1 0xa0 000000f5: PUSH1 0x02 000000f7: EXP 000000f8: SUB 000000f9: AND 000000fa: PUSH1 0x00 000000fc: SWAP1 000000fd: DUP2 000000fe: MSTORE 000000ff: PUSH1 0x20 00000101: DUP2 00000102: SWAP1 00000103: MSTORE 00000104: PUSH1 0x40 00000106: SWAP1 00000107: KECCAK256 00000108: PUSH1 0x04 0000010a: CALLDATALOAD 0000010b: SWAP1 0000010c: SSTORE 0000010d: PUSH2 0x006c 00000110: JUMP 00000111: JUMPDEST 00000112: PUSH2 0x006c 00000115: PUSH1 0x01 00000117: PUSH1 0xa0 00000119: PUSH1 0x02 0000011b: EXP 0000011c: SUB 0000011d: CALLER 0000011e: AND 0000011f: PUSH1 0x00 00000121: SWAP1 00000122: DUP2 00000123: MSTORE 00000124: PUSH1 0x20 00000126: DUP2 00000127: SWAP1 00000128: MSTORE 00000129: PUSH1 0x40 0000012b: SWAP1 0000012c: KECCAK256 0000012d: PUSH4 0x01406f40 00000132: SWAP1 00000133: SSTORE 00000134: JUMP 00000135: JUMPDEST 00000136: PUSH2 0x033a 00000139: PUSH1 0x02 0000013b: DUP1 0000013c: SLOAD 0000013d: PUSH1 0x40 0000013f: DUP1 00000140: MLOAD 00000141: PUSH1 0x20 00000143: PUSH1 0x01 00000145: DUP5 00000146: AND 00000147: ISZERO 00000148: PUSH2 0x0100 0000014b: MUL 0000014c: PUSH1 0x00 0000014e: NOT 0000014f: ADD 00000150: SWAP1 00000151: SWAP4 00000152: AND 00000153: DUP5 00000154: SWAP1 00000155: DIV 00000156: PUSH1 0x1f 00000158: DUP2 00000159: ADD 0000015a: DUP5 0000015b: SWAP1 0000015c: DIV 0000015d: DUP5 0000015e: MUL 0000015f: DUP3 00000160: ADD 00000161: DUP5 00000162: ADD 00000163: SWAP1 00000164: SWAP3 00000165: MSTORE 00000166: DUP2 00000167: DUP2 00000168: MSTORE 00000169: SWAP3 0000016a: SWAP2 0000016b: DUP4 0000016c: ADD 0000016d: DUP3 0000016e: DUP3 0000016f: DUP1 00000170: ISZERO 00000171: PUSH2 0x03fc 00000174: JUMPI 00000175: DUP1 00000176: PUSH1 0x1f 00000178: LT 00000179: PUSH2 0x03d1 0000017c: JUMPI 0000017d: PUSH2 0x0100 00000180: DUP1 00000181: DUP4 00000182: SLOAD 00000183: DIV 00000184: MUL 00000185: DUP4 00000186: MSTORE 00000187: SWAP2 00000188: PUSH1 0x20 0000018a: ADD 0000018b: SWAP2 0000018c: PUSH2 0x03fc 0000018f: JUMP 00000190: JUMPDEST 00000191: PUSH2 0x006c 00000194: PUSH1 0x04 00000196: CALLDATALOAD 00000197: PUSH1 0x24 00000199: CALLDATALOAD 0000019a: PUSH1 0x01 0000019c: PUSH1 0xa0 0000019e: PUSH1 0x02 000001a0: EXP 000001a1: SUB 000001a2: CALLER 000001a3: DUP2 000001a4: AND 000001a5: PUSH1 0x00 000001a7: DUP2 000001a8: DUP2 000001a9: MSTORE 000001aa: PUSH1 0x20 000001ac: DUP2 000001ad: DUP2 000001ae: MSTORE 000001af: PUSH1 0x40 000001b1: DUP1 000001b2: DUP4 000001b3: KECCAK256 000001b4: DUP1 000001b5: SLOAD 000001b6: DUP8 000001b7: SWAP1 000001b8: SUB 000001b9: SWAP1 000001ba: SSTORE 000001bb: SWAP4 000001bc: DUP7 000001bd: AND 000001be: DUP1 000001bf: DUP4 000001c0: MSTORE 000001c1: SWAP2 000001c2: DUP5 000001c3: SWAP1 000001c4: KECCAK256 000001c5: DUP1 000001c6: SLOAD 000001c7: DUP7 000001c8: ADD 000001c9: SWAP1 000001ca: SSTORE 000001cb: DUP4 000001cc: MLOAD 000001cd: DUP6 000001ce: DUP2 000001cf: MSTORE 000001d0: SWAP4 000001d1: MLOAD 000001d2: SWAP2 000001d3: SWAP4 000001d4: PUSH32 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef 000001f5: SWAP3 000001f6: SWAP1 000001f7: DUP2 000001f8: SWAP1 000001f9: SUB 000001fa: SWAP1 000001fb: SWAP2 000001fc: ADD 000001fd: SWAP1 000001fe: LOG3 000001ff: POP 00000200: POP 00000201: JUMP 00000202: JUMPDEST 00000203: PUSH1 0x40 00000205: DUP1 00000206: MLOAD 00000207: PUSH1 0x20 00000209: PUSH1 0x04 0000020b: PUSH1 0x24 0000020d: DUP1 0000020e: CALLDATALOAD 0000020f: DUP3 00000210: DUP2 00000211: ADD 00000212: CALLDATALOAD 00000213: PUSH1 0x1f 00000215: DUP2 00000216: ADD 00000217: DUP6 00000218: SWAP1 00000219: DIV 0000021a: DUP6 0000021b: MUL 0000021c: DUP7 0000021d: ADD 0000021e: DUP6 0000021f: ADD 00000220: SWAP1 00000221: SWAP7 00000222: MSTORE 00000223: DUP6 00000224: DUP6 00000225: MSTORE 00000226: PUSH2 0x006c 00000229: SWAP6 0000022a: DUP4 0000022b: CALLDATALOAD 0000022c: SWAP6 0000022d: SWAP4 0000022e: SWAP5 0000022f: PUSH1 0x44 00000231: SWAP5 00000232: SWAP4 00000233: SWAP3 00000234: SWAP1 00000235: SWAP3 00000236: ADD 00000237: SWAP2 00000238: DUP2 00000239: SWAP1 0000023a: DUP5 0000023b: ADD 0000023c: DUP4 0000023d: DUP3 0000023e: DUP1 0000023f: DUP3 00000240: DUP5 00000241: CALLDATACOPY 00000242: POP 00000243: POP 00000244: PUSH1 0x40 00000246: DUP1 00000247: MLOAD 00000248: PUSH1 0x20 0000024a: PUSH1 0x64 0000024c: CALLDATALOAD 0000024d: DUP1 0000024e: DUP12 0000024f: ADD 00000250: CALLDATALOAD 00000251: PUSH1 0x1f 00000253: DUP2 00000254: ADD 00000255: DUP4 00000256: SWAP1 00000257: DIV 00000258: DUP4 00000259: MUL 0000025a: DUP5 0000025b: ADD 0000025c: DUP4 0000025d: ADD 0000025e: SWAP1 0000025f: SWAP5 00000260: MSTORE 00000261: DUP4 00000262: DUP4 00000263: MSTORE 00000264: SWAP8 00000265: SWAP10 00000266: SWAP9 00000267: CALLDATALOAD 00000268: SWAP9 00000269: SWAP8 0000026a: PUSH1 0x84 0000026c: SWAP8 0000026d: POP 0000026e: SWAP2 0000026f: SWAP6 00000270: POP 00000271: PUSH1 0x24 00000273: SWAP2 00000274: SWAP1 00000275: SWAP2 00000276: ADD 00000277: SWAP4 00000278: POP 00000279: SWAP1 0000027a: SWAP2 0000027b: POP 0000027c: DUP2 0000027d: SWAP1 0000027e: DUP5 0000027f: ADD 00000280: DUP4 00000281: DUP3 00000282: DUP1 00000283: DUP3 00000284: DUP5 00000285: CALLDATACOPY 00000286: POP 00000287: SWAP5 00000288: SWAP7 00000289: POP 0000028a: POP 0000028b: POP 0000028c: POP 0000028d: POP 0000028e: POP 0000028f: POP 00000290: DUP4 00000291: PUSH1 0x00 00000293: EQ 00000294: ISZERO 00000295: PUSH2 0x029f 00000298: JUMPI 00000299: PUSH3 0x0f4240 0000029d: SWAP4 0000029e: POP 0000029f: JUMPDEST 000002a0: PUSH1 0x01 000002a2: PUSH1 0xa0 000002a4: PUSH1 0x02 000002a6: EXP 000002a7: SUB 000002a8: CALLER 000002a9: AND 000002aa: PUSH1 0x00 000002ac: SWAP1 000002ad: DUP2 000002ae: MSTORE 000002af: PUSH1 0x20 000002b1: DUP2 000002b2: DUP2 000002b3: MSTORE 000002b4: PUSH1 0x40 000002b6: DUP3 000002b7: KECCAK256 000002b8: DUP7 000002b9: SWAP1 000002ba: SSTORE 000002bb: DUP5 000002bc: MLOAD 000002bd: PUSH1 0x01 000002bf: DUP1 000002c0: SLOAD 000002c1: SWAP4 000002c2: DUP2 000002c3: SWAP1 000002c4: MSTORE 000002c5: SWAP3 000002c6: PUSH1 0x02 000002c8: DUP2 000002c9: DUP6 000002ca: AND 000002cb: ISZERO 000002cc: PUSH2 0x0100 000002cf: MUL 000002d0: PUSH1 0x00 000002d2: NOT 000002d3: ADD 000002d4: SWAP1 000002d5: SWAP2 000002d6: AND 000002d7: DIV 000002d8: PUSH1 0x1f 000002da: SWAP1 000002db: DUP2 000002dc: ADD 000002dd: DUP4 000002de: SWAP1 000002df: DIV 000002e0: PUSH32 0xb10e2d527612073b26eecdfd717e6a320cf44b4afac2b0732d9fcbe2b7fa0cf6 00000301: SWAP1 00000302: DUP2 00000303: ADD 00000304: SWAP4 00000305: SWAP1 00000306: SWAP2 00000307: SWAP1 00000308: DUP9 00000309: ADD 0000030a: SWAP1 0000030b: DUP4 0000030c: SWAP1 0000030d: LT 0000030e: PUSH2 0x0404 00000311: JUMPI 00000312: DUP1 00000313: MLOAD 00000314: PUSH1 0xff 00000316: NOT 00000317: AND 00000318: DUP4 00000319: DUP1 0000031a: ADD 0000031b: OR 0000031c: DUP6 0000031d: SSTORE 0000031e: JUMPDEST 0000031f: POP 00000320: PUSH2 0x0434 00000323: SWAP3 00000324: SWAP2 00000325: POP 00000326: JUMPDEST 00000327: DUP1 00000328: DUP3 00000329: GT 0000032a: ISZERO 0000032b: PUSH2 0x048d 0000032e: JUMPI 0000032f: PUSH1 0x00 00000331: DUP2 00000332: SSTORE 00000333: PUSH1 0x01 00000335: ADD 00000336: PUSH2 0x0326 00000339: JUMP 0000033a: JUMPDEST 0000033b: PUSH1 0x40 0000033d: MLOAD 0000033e: DUP1 0000033f: DUP1 00000340: PUSH1 0x20 00000342: ADD 00000343: DUP3 00000344: DUP2 00000345: SUB 00000346: DUP3 00000347: MSTORE 00000348: DUP4 00000349: DUP2 0000034a: DUP2 0000034b: MLOAD 0000034c: DUP2 0000034d: MSTORE 0000034e: PUSH1 0x20 00000350: ADD 00000351: SWAP2 00000352: POP 00000353: DUP1 00000354: MLOAD 00000355: SWAP1 00000356: PUSH1 0x20 00000358: ADD 00000359: SWAP1 0000035a: DUP1 0000035b: DUP4 0000035c: DUP4 0000035d: DUP3 0000035e: SWAP1 0000035f: PUSH1 0x00 00000361: PUSH1 0x04 00000363: PUSH1 0x20 00000365: DUP5 00000366: PUSH1 0x1f 00000368: ADD 00000369: DIV 0000036a: PUSH1 0x0f 0000036c: MUL 0000036d: PUSH1 0x03 0000036f: ADD 00000370: CALL 00000371: POP 00000372: SWAP1 00000373: POP 00000374: SWAP1 00000375: DUP2 00000376: ADD 00000377: SWAP1 00000378: PUSH1 0x1f 0000037a: AND 0000037b: DUP1 0000037c: ISZERO 0000037d: PUSH2 0x039a 00000380: JUMPI 00000381: DUP1 00000382: DUP3 00000383: SUB 00000384: DUP1 00000385: MLOAD 00000386: PUSH1 0x01 00000388: DUP4 00000389: PUSH1 0x20 0000038b: SUB 0000038c: PUSH2 0x0100 0000038f: EXP 00000390: SUB 00000391: NOT 00000392: AND 00000393: DUP2 00000394: MSTORE 00000395: PUSH1 0x20 00000397: ADD 00000398: SWAP2 00000399: POP 0000039a: JUMPDEST 0000039b: POP 0000039c: SWAP3 0000039d: POP 0000039e: POP 0000039f: POP 000003a0: PUSH1 0x40 000003a2: MLOAD 000003a3: DUP1 000003a4: SWAP2 000003a5: SUB 000003a6: SWAP1 000003a7: RETURN 000003a8: JUMPDEST 000003a9: PUSH1 0x40 000003ab: DUP1 000003ac: MLOAD 000003ad: PUSH1 0xff 000003af: SWAP3 000003b0: SWAP1 000003b1: SWAP3 000003b2: AND 000003b3: DUP3 000003b4: MSTORE 000003b5: MLOAD 000003b6: SWAP1 000003b7: DUP2 000003b8: SWAP1 000003b9: SUB 000003ba: PUSH1 0x20 000003bc: ADD 000003bd: SWAP1 000003be: RETURN 000003bf: JUMPDEST 000003c0: PUSH1 0x40 000003c2: DUP1 000003c3: MLOAD 000003c4: SWAP2 000003c5: DUP3 000003c6: MSTORE 000003c7: MLOAD 000003c8: SWAP1 000003c9: DUP2 000003ca: SWAP1 000003cb: SUB 000003cc: PUSH1 0x20 000003ce: ADD 000003cf: SWAP1 000003d0: RETURN 000003d1: JUMPDEST 000003d2: DUP3 000003d3: ADD 000003d4: SWAP2 000003d5: SWAP1 000003d6: PUSH1 0x00 000003d8: MSTORE 000003d9: PUSH1 0x20 000003db: PUSH1 0x00 000003dd: KECCAK256 000003de: SWAP1 000003df: JUMPDEST 000003e0: DUP2 000003e1: SLOAD 000003e2: DUP2 000003e3: MSTORE 000003e4: SWAP1 000003e5: PUSH1 0x01 000003e7: ADD 000003e8: SWAP1 000003e9: PUSH1 0x20 000003eb: ADD 000003ec: DUP1 000003ed: DUP4 000003ee: GT 000003ef: PUSH2 0x03df 000003f2: JUMPI 000003f3: DUP3 000003f4: SWAP1 000003f5: SUB 000003f6: PUSH1 0x1f 000003f8: AND 000003f9: DUP3 000003fa: ADD 000003fb: SWAP2 000003fc: JUMPDEST 000003fd: POP 000003fe: POP 000003ff: POP 00000400: POP 00000401: POP 00000402: DUP2 00000403: JUMP 00000404: JUMPDEST 00000405: DUP3 00000406: DUP1 00000407: ADD 00000408: PUSH1 0x01 0000040a: ADD 0000040b: DUP6 0000040c: SSTORE 0000040d: DUP3 0000040e: ISZERO 0000040f: PUSH2 0x031e 00000412: JUMPI 00000413: SWAP2 00000414: DUP3 00000415: ADD 00000416: JUMPDEST 00000417: DUP3 00000418: DUP2 00000419: GT 0000041a: ISZERO 0000041b: PUSH2 0x031e 0000041e: JUMPI 0000041f: DUP3 00000420: MLOAD 00000421: DUP3 00000422: PUSH1 0x00 00000424: POP 00000425: SSTORE 00000426: SWAP2 00000427: PUSH1 0x20 00000429: ADD 0000042a: SWAP2 0000042b: SWAP1 0000042c: PUSH1 0x01 0000042e: ADD 0000042f: SWAP1 00000430: PUSH2 0x0416 00000433: JUMP 00000434: JUMPDEST 00000435: POP 00000436: POP 00000437: DUP1 00000438: PUSH1 0x02 0000043a: PUSH1 0x00 0000043c: POP 0000043d: SWAP1 0000043e: DUP1 0000043f: MLOAD 00000440: SWAP1 00000441: PUSH1 0x20 00000443: ADD 00000444: SWAP1 00000445: DUP3 00000446: DUP1 00000447: SLOAD 00000448: PUSH1 0x01 0000044a: DUP2 0000044b: PUSH1 0x01 0000044d: AND 0000044e: ISZERO 0000044f: PUSH2 0x0100 00000452: MUL 00000453: SUB 00000454: AND 00000455: PUSH1 0x02 00000457: SWAP1 00000458: DIV 00000459: SWAP1 0000045a: PUSH1 0x00 0000045c: MSTORE 0000045d: PUSH1 0x20 0000045f: PUSH1 0x00 00000461: KECCAK256 00000462: SWAP1 00000463: PUSH1 0x1f 00000465: ADD 00000466: PUSH1 0x20 00000468: SWAP1 00000469: DIV 0000046a: DUP2 0000046b: ADD 0000046c: SWAP3 0000046d: DUP3 0000046e: PUSH1 0x1f 00000470: LT 00000471: PUSH2 0x0491 00000474: JUMPI 00000475: DUP1 00000476: MLOAD 00000477: PUSH1 0xff 00000479: NOT 0000047a: AND 0000047b: DUP4 0000047c: DUP1 0000047d: ADD 0000047e: OR 0000047f: DUP6 00000480: SSTORE 00000481: JUMPDEST 00000482: POP 00000483: PUSH2 0x04c1 00000486: SWAP3 00000487: SWAP2 00000488: POP 00000489: PUSH2 0x0326 0000048c: JUMP 0000048d: JUMPDEST 0000048e: POP 0000048f: SWAP1 00000490: JUMP 00000491: JUMPDEST 00000492: DUP3 00000493: DUP1 00000494: ADD 00000495: PUSH1 0x01 00000497: ADD 00000498: DUP6 00000499: SSTORE 0000049a: DUP3 0000049b: ISZERO 0000049c: PUSH2 0x0481 0000049f: JUMPI 000004a0: SWAP2 000004a1: DUP3 000004a2: ADD 000004a3: JUMPDEST 000004a4: DUP3 000004a5: DUP2 000004a6: GT 000004a7: ISZERO 000004a8: PUSH2 0x0481 000004ab: JUMPI 000004ac: DUP3 000004ad: MLOAD 000004ae: DUP3 000004af: PUSH1 0x00 000004b1: POP 000004b2: SSTORE 000004b3: SWAP2 000004b4: PUSH1 0x20 000004b6: ADD 000004b7: SWAP2 000004b8: SWAP1 000004b9: PUSH1 0x01 000004bb: ADD 000004bc: SWAP1 000004bd: PUSH2 0x04a3 000004c0: JUMP 000004c1: JUMPDEST 000004c2: POP 000004c3: POP 000004c4: PUSH1 0x03 000004c6: DUP1 000004c7: SLOAD 000004c8: PUSH1 0xff 000004ca: NOT 000004cb: AND 000004cc: DUP4 000004cd: OR 000004ce: SWAP1 000004cf: SSTORE 000004d0: POP 000004d1: POP 000004d2: POP 000004d3: POP 000004d4: JUMP
Warning: This is a nightly build of Foundry. It is recommended to use the latest stable version. To mute this warning set `FOUNDRY_DISABLE_NIGHTLY_WARNING` in your environment.
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| critical | access_control | codex | Unauthenticated balance-setting and reinitialization entrypoints | 90 | no | — |
viewevidence_json{
"evidence": "`0x7207c19f` (`pc:0x00ef`) computes `keccak256(caller, 0x00)` and performs a direct `SSTORE` of `CALLDATALOAD(0x04)` at `pc:0x0108`, with no guard branch. `0x9287b654` (`pc:0x0111`) computes the same caller balance slot and stores constant `0x01406f40` at `pc:0x012d`, again without any guard. Best-effort selector inference for `0xe6a55699` shows it parsing multiple user-controlled arguments, defaulting one amount-like argument to `0x0f4240` when zero (`pc:0x0290`-`pc:0x029e`), writing `keccak256(caller,0)` at `pc:0x02b8`, then rewriting storage slots `0x01`, `0x02`, and low byte of slot `0x03` across `pc:0x02bc`-`pc:0x04cf`. No authorization heuristic was detected anywhere in these paths.",
"locations": [
"selector:0x7207c19f",
"pc:0x0108",
"selector:0x9287b654",
"pc:0x012d",
"selector:0xe6a55699",
"pc:0x02b8",
"pc:0x04c7"
],
"recommendation": "Remove these runtime setters, or gate them behind strict admin authorization. If `0xe6a55699` is intended as an initializer, protect it with a one-time initialized flag and constructor/factory-only access. Any balance minting should update explicit supply/accounting invariants and emit appropriate events.",
"exploit_scenario": "Any external account can call `0x7207c19f` to overwrite its own balance with an arbitrary calldata value, call `0x9287b654` to set its balance to the hardcoded constant `0x01406f40`, and likely call `0xe6a55699` to set its balance plus mutate metadata fields. An attacker can mint themselves spendable tokens and, on the inferred initializer path, also rewrite token metadata to mislead integrators or buyers."
}
|
| critical | math | codex | `transfer` uses unchecked arithmetic and permits balance underflow/overflow | 90 | no | — |
viewevidence_json{
"evidence": "In `selector:0xa9059cbb`, the contract loads the sender balance from `keccak256(caller,0)` at `pc:0x01b5`, subtracts the transfer amount with raw `SUB` at `pc:0x01b8`, and immediately stores the result at `pc:0x01ba`. There is no `LT`/`GT`-based guard or conditional revert before this subtraction. The recipient balance is then loaded at `pc:0x01c5`, incremented with raw `ADD` at `pc:0x01c8`, and stored at `pc:0x01ca`, also without overflow protection.",
"locations": [
"selector:0xa9059cbb",
"pc:0x01b5",
"pc:0x01b8",
"pc:0x01ba",
"pc:0x01c5",
"pc:0x01c8",
"pc:0x01ca"
],
"recommendation": "Enforce `balance >= amount` before subtraction and use checked arithmetic for both debit and credit paths. In practice this means Solidity >=0.8 revert semantics or explicit SafeMath-style checks if compiling older bytecode.",
"exploit_scenario": "A caller with zero or insufficient balance can call `transfer(address,uint256)` with any positive amount. Because the sender balance is updated with raw `SUB` and no preceding bounds check, the sender balance wraps to a huge `uint256` value instead of reverting. The recipient is then credited with unchecked `ADD`. This breaks token accounting and lets arbitrary users manufacture effectively unlimited balances."
}
|
| high | other | detector | Untrusted CALL target/value reachable | 60 | yes | yes |
viewtrace_id: 0x256508f8f8c2b60709a2c246e6e755a85872a7fc54b53ebfcfbc54a844565894
call_targets:
0x0000000000000000000000000000000000000004, 0x216f59605793807b0ab628d04fcc58f645fc2a5d
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x256508f8f8c2b60709a2c246e6e755a85872a7fc54b53ebfcfbc54a844565894",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x216f59605793807b0ab628d04fcc58f645fc2a5d"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x70a08231",
"selector": "0x70a08231",
"calldata_variants": [
"0x70a08231",
"0x70a082310000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x7207c19f",
"selector": "0x7207c19f",
"calldata_variants": [
"0x7207c19f",
"0x7207c19f0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x9287b654",
"selector": "0x9287b654",
"calldata_variants": [
"0x9287b654",
"0x9287b6540000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x95d89b41",
"selector": "0x95d89b41",
"calldata_variants": [
"0x95d89b41",
"0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa9059cbb",
"selector": "0xa9059cbb",
"calldata_variants": [
"0xa9059cbb",
"0xa9059cbb0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xe6a55699",
"selector": "0xe6a55699",
"calldata_variants": [
"0xe6a55699",
"0xe6a556990000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 880,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 1,
"guards_detected": [],
"untrusted_call_count": 1
}
|
| high | other | detector | ETH value transfer possible | 55 | yes | yes |
viewtrace_id: 0x256508f8f8c2b60709a2c246e6e755a85872a7fc54b53ebfcfbc54a844565894
call_targets:
0x0000000000000000000000000000000000000004, 0x216f59605793807b0ab628d04fcc58f645fc2a5d
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x256508f8f8c2b60709a2c246e6e755a85872a7fc54b53ebfcfbc54a844565894",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x216f59605793807b0ab628d04fcc58f645fc2a5d"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x70a08231",
"selector": "0x70a08231",
"calldata_variants": [
"0x70a08231",
"0x70a082310000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x7207c19f",
"selector": "0x7207c19f",
"calldata_variants": [
"0x7207c19f",
"0x7207c19f0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x9287b654",
"selector": "0x9287b654",
"calldata_variants": [
"0x9287b654",
"0x9287b6540000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x95d89b41",
"selector": "0x95d89b41",
"calldata_variants": [
"0x95d89b41",
"0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa9059cbb",
"selector": "0xa9059cbb",
"calldata_variants": [
"0xa9059cbb",
"0xa9059cbb0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xe6a55699",
"selector": "0xe6a55699",
"calldata_variants": [
"0xe6a55699",
"0xe6a556990000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 880,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 1,
"guards_detected": []
}
|