019b3836-333c-73df-8c9f-e39c4a7e4486
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 3071 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 3072 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 45728 | analysis.bundle | complete | 1 / 3 | 1 week ago |
| 45729 | capability.graph | complete | 1 / 3 | 1 week ago |
| 45730 | detector.run | complete | 1 / 3 | 1 week ago |
| 45731 | validation.fork | complete | 1 / 3 | 1 week ago |
| 113249 | report.consolidate | complete | 1 / 6 | 1 week ago |
No slither job recorded yet.
{"no_findings":false,"summary":"Bytecode evidence indicates a public finalize/refund routine with value-bearing external calls before completion state is set, unchecked refund/payout call results, and a payable fallback that appears to accept late contributions until finalization.","findings":[{"severity":"high","category":"reentrancy","title":"Refund finalization is reentrant before the contract is marked closed","exploit_scenario":"A malicious contributor can first enter through the empty-calldata payable path so their address/value are stored in the slot6-backed contributor array. After the time gate has passed and the contract takes the refund branch, selector 0x01cb3b20 iterates that array and sends ETH to each contributor at pc 0x449 before the slot7 close flag is set at pc 0x119. The recipient can reenter 0x01cb3b20 from its fallback and reach the same refund logic again, collecting the same refund multiple times until the contract balance is exhausted.","recommendation":"Set the finalized/refunding state before any external call, mark each refund as consumed before sending value, and prefer pull-based withdrawals or a reentrancy guard around the finalize/refund path.","evidence":"The only observed close/finalized bit is the low byte of slot7: it gates the payable fallback at pc 0x6c and is only written at pc 0x119. In selector 0x01cb3b20, the slot2 < slot1 branch jumps to pc 0x394 and then loops from pc 0x3b6, performing a value-bearing CALL at pc 0x449 to addresses loaded from the slot6-backed array, with no storage update that marks an entry refunded before the call.","locations":["selector:0x01cb3b20","pc:0x3b6","pc:0x449","pc:0x119","pc:0x6c"]},{"severity":"high","category":"other","title":"Failed refund calls are ignored and residual ETH is swept to slot0","exploit_scenario":"If a contributor's refund call fails or reverts, the loop continues without reverting and without preserving a claimable refund. When the loop finishes, control jumps to pc 0x00e9 and the contract sends its remaining balance to the slot0 address at pc 0x10a. A reverting recipient can therefore lose its refund while the leftover ETH is redirected to slot0.","recommendation":"Check the success of each refund call and record failed refunds as withdrawable balances instead of continuing. Do not sweep residual ETH to slot0 until all refunds are either completed or safely escrowed.","evidence":"The refund loop CALL at pc 0x449 is followed by stack cleanup and logging, not by a success-dependent branch. Loop exit at pc 0x3bd jumps directly to pc 0x00e9, where slot0 is loaded and ADDRESS/BALANCE are used for another CALL at pc 0x10a. The earlier CALL at pc 0xb8 is also unchecked, so the finalize path generally assumes success without proof.","locations":["selector:0x01cb3b20","pc:0x449","pc:0x3bd","pc:0x10a","pc:0xb8"]},{"severity":"medium","category":"other","title":"Payable fallback appears to accept contributions after the time gate","exploit_scenario":"If slot3 is intended to be the funding deadline, users can still send empty-calldata ETH transfers after that timestamp because the fallback path only checks slot7 and then appends the sender/value to the contributor array. Late deposits keep increasing the slot2 total and can change whether finalization goes down the refund branch or the payout branch.","recommendation":"Mirror the deadline and any funding-status checks in the payable fallback/receive path so contributions are rejected once the funding window has ended.","evidence":"The empty-calldata path at pc 0x6c checks slot7 and jumps to the contribution routine at pc 0x2ec with no TIMESTAMP comparison. By contrast, selector 0x01cb3b20 compares slot3 against TIMESTAMP at pc 0x83-0x8e before allowing finalization behavior. This deadline interpretation is still bytecode-level inference, but it is strongly suggested by the control flow.","locations":["pc:0x6c","pc:0x2ec","selector:0x01cb3b20","pc:0x83","pc:0x8c"]}]}
OpenAI Codex v0.118.0 (research preview)
--------
workdir: /tmp/codex-a3t5xbqz
model: gpt-5.4
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: none
session id: 019d5b9e-998c-7bd2-8e20-f26847122190
--------
user
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
warning: Codex could not find system bubblewrap on PATH. Please install bubblewrap with your package manager. Codex will use the vendored bubblewrap in the meantime.
→ Inspect BYTECODE_BUNDLE.json and related artifacts to understand contract shape, callsites, storage, and detector output
• Assess likely vulnerabilities from bytecode evidence with explicit uncertainty
• Produce JSON findings matching the required schema
exec
/bin/bash -lc "pwd && ls -la && rg --files -g 'BYTECODE_BUNDLE.json' -g '*.json'" in /tmp/codex-a3t5xbqz
succeeded in 0ms:
/tmp/codex-a3t5xbqz
total 136
drwx------ 2 noahkuhn noahkuhn 4096 Apr 5 03:10 .
drwxrwxrwt 270 nobody nogroup 24576 Apr 5 03:10 ..
-rw-rw-r-- 1 noahkuhn noahkuhn 99593 Apr 5 03:10 BYTECODE_BUNDLE.json
-rw-rw-r-- 1 noahkuhn noahkuhn 815 Apr 5 03:10 codex-output-schema.json
codex-output-schema.json
BYTECODE_BUNDLE.json
exec
/bin/bash -lc "sed -n '1,260p' BYTECODE_BUNDLE.json" in /tmp/codex-a3t5xbqz
succeeded in 0ms:
{
"analysis_artifact": {
"address": "0xba8ee7ba243a363d1995812121bc3fdfa6052785",
"artifact_hash": "0x4c43f5e2f0822aafc55f031a9878b026d71d3fb0600a482248f04d850e67fc08",
"artifact_json": {
"auth": {
"guards": []
},
"basic_blocks": [
{
"end_pc": 10,
"hash": "0x700ae68e6e48f29f5039c54f12674c3a4ca8c5c3a2f54ca417214312e0b28325",
"opcodes": [
"PUSH1",
"PUSH1",
"MSTORE",
"CALLDATASIZE",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 0
},
{
"end_pc": 30,
"hash": "0x0b0826bbd06a9f98d2c39b550066216820846c6043069b1ceff18070694d069c",
"opcodes": [
"PUSH1",
"PUSH1",
"EXP",
"PUSH1",
"CALLDATALOAD",
"DIV",
"PUSH4",
"OP_81",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 11
},
{
"end_pc": 41,
"hash": "0x5b868c6bac2f00787a394063a907b266c6c729f12b0a439b24526735338a984a",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 31
},
{
"end_pc": 52,
"hash": "0x6e84592464c5fb6e2a6bb2201ccfacf3082ba0bb63e9940ff7f46c8a31071314",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 42
},
{
"end_pc": 63,
"hash": "0x0d5c6b3376fca4ed9f2e2844e4e069a312879f025c4222b5819daf16bd2b90a8",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 53
},
{
"end_pc": 74,
"hash": "0x335697324002b083b21ce8e7987d3087401ba6db992dc3cf5dd92b6ed938055e",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 64
},
{
"end_pc": 85,
"hash": "0x8bd4c4975a5af19feecf8f6564ca2343b5a5c68a8903932e26f978ed72664699",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 75
},
{
"end_pc": 96,
"hash": "0x5a205a683afbeb8479af2a5eab2c419d1d7affc0ffdb308b88c224134049969f",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 86
},
{
"end_pc": 107,
"hash": "0x9aa72d0cf1ba3fe662a66fb959e6e88cf37cc6e94a1030125085174a198e75c2",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 97
},
{
"end_pc": 125,
"hash": "0x04140a3d6b6cb246de2d130791f72037d29391fc0cf105d689c459b89dcb7aa6",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"SLOAD",
"PUSH1",
"OP_90",
"PUSH1",
"AND",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 108
},
{
"end_pc": 129,
"hash": "0x20d627c23015b78a3053022e3f0570f6e568b742eb86bcac89c2fbed2dc1746a",
"opcodes": [
"PUSH2",
"JUMP"
],
"start_pc": 126
},
{
"end_pc": 145,
"hash": "0x1242433d3d9438b3431e5b0159e1030e2c4834611042e16e0050e853469f1f9f",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"SLOAD",
"PUSH1",
"OP_90",
"TIMESTAMP",
"LT",
"PUSH2",
"JUMPI"
],
"start_pc": 130
},
{
"end_pc": 157,
"hash": "0x18dd946bbe373d9c9614bc8a7fc5461b995e840fb66ed8db580580cd686378c7",
"opcodes": [
"PUSH1",
"SLOAD",
"PUSH1",
"SLOAD",
"OP_90",
"LT",
"PUSH2",
"JUMPI"
],
"start_pc": 146
},
{
"end_pc": 232,
"hash": "0xa6491ebf3b8abfa3aeab7b93e54a439eefd3120758f1bb433f04a49267f5ed32",
"opcodes": [
"PUSH1",
"SLOAD",
"OP_81",
"SLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"AND",
"OP_90",
"OP_82",
"OP_90",
"PUSH1",
"OP_82",
"OP_81",
"OP_81",
"OP_81",
"OP_85",
"OP_88",
"OP_83",
"CALL",
"POP",
"PUSH1",
"OP_80",
"MLOAD",
"OP_94",
"OP_85",
"MSTORE",
"PUSH1",
"OP_85",
"ADD",
"OP_92",
"OP_90",
"OP_92",
"MSTORE",
"OP_83",
"OP_82",
"ADD",
"OP_92",
"OP_90",
"OP_92",
"MSTORE",
"MLOAD",
"PUSH1",
"OP_80",
"MLOAD",
"PUSH1",
"PUSH2",
"OP_83",
"CODECOPY",
"OP_81",
"MLOAD",
"OP_91",
"MSTORE",
"OP_92",
"OP_81",
"OP_90",
"SUB",
"OP_90",
"OP_91",
"ADD",
"OP_90",
"OP_A1"
],
"start_pc": 158
},
{
"end_pc": 286,
"hash": "0xe745613c2c71862f16368e6fb61619937f15ffc5d17205a46bbd71f2244d31dc",
"opcodes": [
"JUMPDEST",
exec
/bin/bash -lc "rg -n 'selectors|detector|callsites|storage|delegatecall|proxy|implementation|upgrade|findings|external_calls|evidence_bundle|summary' BYTECODE_BUNDLE.json" in /tmp/codex-a3t5xbqz
succeeded in 0ms:
1164: "callsites": [
1463: "delegatecall": 0,
1467: "storage": {
1592: "delegatecall": 0,
1596: "storage": {
1721: "delegatecall": 0,
1725: "storage": {
1850: "delegatecall": 0,
1854: "storage": {
1979: "delegatecall": 0,
1983: "storage": {
2108: "delegatecall": 0,
2112: "storage": {
2237: "delegatecall": 0,
2241: "storage": {
2366: "delegatecall": 0,
2370: "storage": {
2488: "selectors": [
2502: "delegatecall": 0,
2505: "upgrade_slot_write_suspected": false
2507: "storage": {
2652: "implementation_address": null,
2653: "is_proxy": false,
3378: "detector_findings": [
3488: "heuristics_summary": {
3490: "delegatecall_count": 0,
exec
/bin/bash -lc "sed -n '1120,1305p' BYTECODE_BUNDLE.json" in /tmp/codex-a3t5xbqz
succeeded in 0ms:
"hash": "0x3b06f18d541c81ef4088c8358dc72da5f6889b51f502a8e47a0bd734274ad35f",
"opcodes": [
"OP_E8",
"TIMESTAMP",
"OP_AE",
"OP_A7",
"OP_A5",
"CALL",
"OP_B0",
"LT",
"OP_49",
"OP_D7",
"MSTORE",
"STOP"
],
"start_pc": 1291
},
{
"end_pc": 1322,
"hash": "0xa67c5ce7ac4e501f944d645dc38ee45e73abc5198d97c5969fa59adc2ef78be4",
"opcodes": [
"OP_8C",
"MSTORE8",
"OP_C5",
"OP_28",
"OP_90",
"OP_B1",
"OP_A6",
"OP_DA",
"OP_F6",
"PUSH1",
"CODECOPY",
"OP_E8",
"OP_EE",
"OP_C5",
"MOD",
"GT",
"OP_2B",
"OP_BD",
"OP_F6"
],
"start_pc": 1303
}
],
"callsites": [
{
"opcode": "CALL",
"pc": 184,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 266,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 680,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 1097,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 1296,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"cfg_edges": [
{
"from": "bb:0",
"to": "bb:108",
"type": "control_flow"
},
{
"from": "bb:0",
"to": "bb:11",
"type": "control_flow_fallthrough"
},
{
"from": "bb:11",
"to": "bb:130",
"type": "control_flow"
},
{
"from": "bb:11",
"to": "bb:31",
"type": "control_flow_fallthrough"
},
{
"from": "bb:31",
"to": "bb:287",
"type": "control_flow"
},
{
"from": "bb:31",
"to": "bb:42",
"type": "control_flow_fallthrough"
},
{
"from": "bb:42",
"to": "bb:296",
"type": "control_flow"
},
{
"from": "bb:42",
"to": "bb:53",
"type": "control_flow_fallthrough"
},
{
"from": "bb:53",
"to": "bb:314",
"type": "control_flow"
},
{
"from": "bb:53",
"to": "bb:64",
"type": "control_flow_fallthrough"
},
{
"from": "bb:64",
"to": "bb:332",
"type": "control_flow"
},
{
"from": "bb:64",
"to": "bb:75",
"type": "control_flow_fallthrough"
},
{
"from": "bb:75",
"to": "bb:341",
"type": "control_flow"
},
{
"from": "bb:75",
"to": "bb:86",
"type": "control_flow_fallthrough"
},
{
"from": "bb:86",
"to": "bb:350",
"type": "control_flow"
},
{
"from": "bb:86",
"to": "bb:97",
"type": "control_flow_fallthrough"
},
{
"from": "bb:97",
"to": "bb:359",
"type": "control_flow"
},
{
"from": "bb:97",
"to": "bb:108",
"type": "control_flow_fallthrough"
},
{
"from": "bb:108",
"to": "bb:748",
"type": "control_flow"
},
{
"from": "bb:108",
"to": "bb:126",
"type": "control_flow_fallthrough"
},
{
"from": "bb:130",
"to": "bb:745",
"type": "control_flow"
exec
/bin/bash -lc "sed -n '2460,2665p' BYTECODE_BUNDLE.json" in /tmp/codex-a3t5xbqz
succeeded in 0ms:
"pc": 770,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000006"
},
{
"op": "SLOAD",
"pc": 953,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000006"
},
{
"op": "SLOAD",
"pc": 964,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000006"
},
{
"op": "SLOAD",
"pc": 1022,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000006"
},
{
"op": "SLOAD",
"pc": 1126,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000006"
}
],
"writes": 7
}
}
],
"selectors": [
"0x01cb3b20",
"0x29dcb0cf",
"0x38af3eed",
"0x6e66f6e9",
"0x7a3a0e84",
"0x7b3e5e7b",
"0xa035b1fe",
"0xdc0d3dff"
],
"sinks": {
"call": 5,
"create": 0,
"create2": 0,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0,
"upgrade_slot_write_suspected": false
},
"storage": {
"keccak_count": 2,
"reads": 33,
"slots": [
{
"op": "SLOAD",
"pc": 114,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000007"
},
{
"op": "SLOAD",
"pc": 136,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
},
{
"op": "SLOAD",
"pc": 148,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 151,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 160,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 240,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 272,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000007"
},
{
"op": "SLOAD",
"pc": 293,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
},
{
"op": "SLOAD",
"pc": 302,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 320,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000005"
},
{
"op": "SLOAD",
"pc": 338,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 347,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 356,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000004"
},
{
"op": "SLOAD",
"pc": 369,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000006"
},
{
"op": "SLOAD",
"pc": 568,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 582,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 619,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000004"
},
{
"op": "SLOAD",
"pc": 770,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000006"
},
{
"op": "SLOAD",
"pc": 953,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000006"
},
{
"op": "SLOAD",
"pc": 964,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000006"
},
{
"op": "SLOAD",
"pc": 1022,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000006"
},
{
"op": "SLOAD",
"pc": 1126,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000006"
}
],
"writes": 7
},
"version": "analysis_artifact_v1"
},
"block_number": null,
"chain_id": 1,
"codehash": "0x94ef6d6e6f3d29fc0b624edbfa47bd83a4f763fdd6d9e55797cba02e7962112d",
"created_at": "2026-04-04T19:54:03.000000Z",
"id": 2089,
"updated_at": "2026-04-04T19:54:03.000000Z",
"version": "analysis_artifact_v1"
},
"analysis_run": {
"address": "0xba8ee7ba243a363d1995812121bc3fdfa6052785",
"block_number": null,
"chain_id": 1,
"child_links": [],
"created_at": "2025-12-19T20:03:54.000000Z",
"id": "019b3836-333c-73df-8c9f-e39c4a7e4486",
"parent_links": [],
"status": "running",
"updated_at": "2026-04-04T19:54:03.000000Z"
},
"artifact": {
"codehash": "0x94ef6d6e6f3d29fc0b624edbfa47bd83a4f763fdd6d9e55797cba02e7962112d",
"compiler_json": {
"etherscan": {
"skipped": true
}
},
"implementation_address": null,
"is_proxy": false,
"runtime_bytecode": {
"full": "0x6060604052361561006c5760e060020a600035046301cb3b20811461008257806329dcb0cf1461011f57806338af3eed146101285780636e66f6e91461013a5780637a3a0e841461014c5780637b3e5e7b14610155578063a035b1fe1461015e578063dc0d3dff14610167575b6101db60075460009060ff16156102ec57610002565b6101db60035460009042106102e9576002546001549010610394576002548154600160a060020a0316908290606082818181858883f150604080519485526020850192909252838201929092525160008051602061050b8339815191529281900390910190a15b60405160008054600160a060020a039081169230909116319082818181858883f150506007805460ff1916600117905550505050565b61036a60035481565b610374600054600160a060020a031681565b610374600554600160a060020a031681565b61036a60015481565b61036a60025481565b61036a60045481565b61038760043560068054829081101561000257506000526002027ff652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d3f8101547ff652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d409190910154600160a060020a03919091169082565b005b505050815481101561000257906000526020600020906002020160005060008201518160000160006101000a815481600160a060020a030219169083021790555060208201518160010160005055905050806002600082828250540192505081905550600560009054906101000a9004600160a060020a0316600160a060020a031663a9059cbb3360046000505484046040518360e060020a0281526004018083600160a060020a03168152602001828152602001925050506000604051808303816000876161da5a03f11561000257505060408051600160a060020a033316815260208101849052600181830152905160008051602061050b83398151915292509081900360600190a15b50565b5060a0604052336060908152346080819052600680546001810180835592939282908280158290116101dd576002028160020283600052602060002091820191016101dd91905b8082111561036657805473ffffffffffffffffffffffffffffffffffffffff191681556000600191909101908155610333565b5090565b6060908152602090f35b600160a060020a03166060908152602090f35b6060918252608052604090f35b6060818152600b60805260a082905260008051602061050b8339815191529080a15b6006548110156100e9576006805482908110156100025760009182526002027ff652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d3f0190905460068054600160a060020a039290921692918490811015610002576002027ff652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d40015460405190915082818181858883f193505050505060008051602061050b83398151915260066000508281548110156100025760008290526002027ff652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d3f01548154600160a060020a039190911691908490811015610002576002027ff652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d40015460408051600160a060020a0394909416845260208401919091526000838201525191829003606001919050a16001016103b656e842aea7a5f1b01049d752008c53c52890b1a6daf660cf39e8eec506112bbdf6",
"head": null,
"length": 2648,
"tail": null,
"truncated": false
},
"verified_source": false
},
"capability_graph": {
"address": "0xba8ee7ba243a363d1995812121bc3fdfa6052785",
"block_number": null,
exec
/bin/bash -lc "sed -n '3370,3535p' BYTECODE_BUNDLE.json" in /tmp/codex-a3t5xbqz
succeeded in 0ms:
}
],
"version": "capability_graph_v1"
},
"id": 2089,
"updated_at": "2026-04-04T19:54:03.000000Z",
"version": "capability_graph_v1"
},
"detector_findings": [
{
"confidence": 60,
"evidence_json": {
"call_count": 5,
"examples": [
{
"opcode": "CALL",
"pc": 184,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 266,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 680,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": [],
"untrusted_call_count": 5
},
"normalized_json": {
"sink": "CALL"
},
"severity": "high",
"title": "Untrusted CALL target/value reachable",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0e4c4d07ba172310ebe36622b03de3ebb6686c41",
"0xba8ee7ba243a363d1995812121bc3fdfa6052785",
"0xc22e0a99f696fbd240730b52984b6e78e3876206"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x71abaa6e1e60172ca2d68145de123726abdeb4ea1879a88a079741ef7df2434c",
"trace_mode": "callTracer"
}
},
{
"confidence": 55,
"evidence_json": {
"eth_value_calls": 5,
"examples": [
{
"opcode": "CALL",
"pc": 184,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 266,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 680,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": []
},
"normalized_json": {
"sink": "CALL",
"value": "nonzero"
},
"severity": "high",
"title": "ETH value transfer possible",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0e4c4d07ba172310ebe36622b03de3ebb6686c41",
"0xba8ee7ba243a363d1995812121bc3fdfa6052785",
"0xc22e0a99f696fbd240730b52984b6e78e3876206"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x71abaa6e1e60172ca2d68145de123726abdeb4ea1879a88a079741ef7df2434c",
"trace_mode": "callTracer"
}
}
],
"heuristics_summary": {
"create2_count": 0,
"delegatecall_count": 0,
"flags": [],
"selfdestruct_count": 0
}
}
exec
/bin/bash -lc "sed -n '2665,3370p' BYTECODE_BUNDLE.json" in /tmp/codex-a3t5xbqz
succeeded in 0ms:
"block_number": null,
"chain_id": 1,
"codehash": "0x94ef6d6e6f3d29fc0b624edbfa47bd83a4f763fdd6d9e55797cba02e7962112d",
"created_at": "2026-04-04T19:54:03.000000Z",
"graph_hash": "0xf33d312cbafa75aba4574509425e3c4198fde687c64335c07f68aca4920ec0e5",
"graph_json": {
"edges": [
{
"from": "bb:0",
"to": "bb:108",
"type": "control_flow"
},
{
"from": "bb:0",
"to": "bb:11",
"type": "control_flow_fallthrough"
},
{
"from": "bb:11",
"to": "bb:130",
"type": "control_flow"
},
{
"from": "bb:11",
"to": "bb:31",
"type": "control_flow_fallthrough"
},
{
"from": "bb:31",
"to": "bb:287",
"type": "control_flow"
},
{
"from": "bb:31",
"to": "bb:42",
"type": "control_flow_fallthrough"
},
{
"from": "bb:42",
"to": "bb:296",
"type": "control_flow"
},
{
"from": "bb:42",
"to": "bb:53",
"type": "control_flow_fallthrough"
},
{
"from": "bb:53",
"to": "bb:314",
"type": "control_flow"
},
{
"from": "bb:53",
"to": "bb:64",
"type": "control_flow_fallthrough"
},
{
"from": "bb:64",
"to": "bb:332",
"type": "control_flow"
},
{
"from": "bb:64",
"to": "bb:75",
"type": "control_flow_fallthrough"
},
{
"from": "bb:75",
"to": "bb:341",
"type": "control_flow"
},
{
"from": "bb:75",
"to": "bb:86",
"type": "control_flow_fallthrough"
},
{
"from": "bb:86",
"to": "bb:350",
"type": "control_flow"
},
{
"from": "bb:86",
"to": "bb:97",
"type": "control_flow_fallthrough"
},
{
"from": "bb:97",
"to": "bb:359",
"type": "control_flow"
},
{
"from": "bb:97",
"to": "bb:108",
"type": "control_flow_fallthrough"
},
{
"from": "bb:108",
"to": "bb:748",
"type": "control_flow"
},
{
"from": "bb:108",
"to": "bb:126",
"type": "control_flow_fallthrough"
},
{
"from": "bb:130",
"to": "bb:745",
"type": "control_flow"
},
{
"from": "bb:130",
"to": "bb:146",
"type": "control_flow_fallthrough"
},
{
"from": "bb:146",
"to": "bb:916",
"type": "control_flow"
},
{
"from": "bb:146",
"to": "bb:158",
"type": "control_flow_fallthrough"
},
{
"from": "bb:158",
"to": "bb:233",
"type": "control_flow_fallthrough"
},
{
"from": "bb:359",
"to": "bb:379",
"type": "control_flow_fallthrough"
},
{
"from": "bb:477",
"to": "bb:490",
"type": "control_flow_fallthrough"
},
{
"from": "bb:490",
"to": "bb:686",
"type": "control_flow_fallthrough"
},
{
"from": "bb:686",
"to": "bb:745",
"type": "control_flow_fallthrough"
},
{
"from": "bb:748",
"to": "bb:477",
"type": "control_flow"
},
{
"from": "bb:748",
"to": "bb:793",
"type": "control_flow_fallthrough"
},
{
"from": "bb:793",
"to": "bb:819",
"type": "control_flow_fallthrough"
},
{
"from": "bb:819",
"to": "bb:870",
"type": "control_flow"
},
{
"from": "bb:819",
"to": "bb:828",
"type": "control_flow_fallthrough"
},
{
"from": "bb:828",
"to": "bb:819",
"type": "control_flow"
},
{
"from": "bb:916",
"to": "bb:950",
"type": "control_flow_fallthrough"
},
{
"from": "bb:950",
"to": "bb:233",
"type": "control_flow"
},
{
"from": "bb:950",
"to": "bb:961",
"type": "control_flow_fallthrough"
},
{
"from": "bb:961",
"to": "bb:974",
"type": "control_flow_fallthrough"
},
{
"from": "bb:974",
"to": "bb:1046",
"type": "control_flow_fallthrough"
},
{
"from": "bb:1046",
"to": "bb:1134",
"type": "control_flow_fallthrough"
},
{
"from": "bb:1134",
"to": "bb:1202",
"type": "control_flow_fallthrough"
},
{
"from": "bb:1202",
"to": "bb:950",
"type": "control_flow"
},
{
"from": "fn:0x29dcb0cf",
"to": "bb:951009005",
"type": "entry"
},
{
"from": "fn:0x38af3eed",
"to": "bb:1852241641",
"type": "entry"
},
{
"from": "fn:0x6e66f6e9",
"to": "bb:2050625156",
"type": "entry"
},
{
"from": "fn:0x7a3a0e84",
"to": "bb:2067684987",
"type": "entry"
},
{
"from": "fn:0x7b3e5e7b",
"to": "bb:2687873534",
"type": "entry"
},
{
"from": "fn:0xa035b1fe",
"to": "bb:3691855359",
"type": "entry"
},
{
"from": "fn:0xdc0d3dff",
"to": "bb:475",
"type": "entry"
},
{
"from": "bb:158",
"to": "call:184",
"type": "contains"
},
{
"from": "call:184",
"to": "sink:call",
"type": "capability"
},
{
"from": "bb:233",
"to": "call:266",
"type": "contains"
},
{
"from": "call:266",
"to": "sink:call",
"type": "capability"
},
{
"from": "bb:490",
"to": "call:680",
"type": "contains"
},
{
"from": "call:680",
"to": "sink:call",
"type": "capability"
},
{
"from": "bb:1046",
"to": "call:1097",
"type": "contains"
},
{
"from": "call:1097",
"to": "sink:call",
"type": "capability"
},
{
"from": "bb:1291",
"to": "call:1296",
"type": "contains"
},
{
"from": "call:1296",
"to": "sink:call",
"type": "capability"
}
],
"nodes": [
{
"end_pc": 10,
"hash": "0x700ae68e6e48f29f5039c54f12674c3a4ca8c5c3a2f54ca417214312e0b28325",
"id": "bb:0",
"start_pc": 0,
"type": "basic_block"
},
{
"end_pc": 30,
"hash": "0x0b0826bbd06a9f98d2c39b550066216820846c6043069b1ceff18070694d069c",
"id": "bb:11",
"start_pc": 11,
"type": "basic_block"
},
{
"end_pc": 41,
"hash": "0x5b868c6bac2f00787a394063a907b266c6c729f12b0a439b24526735338a984a",
"id": "bb:31",
"start_pc": 31,
"type": "basic_block"
},
{
"end_pc": 52,
"hash": "0x6e84592464c5fb6e2a6bb2201ccfacf3082ba0bb63e9940ff7f46c8a31071314",
"id": "bb:42",
"start_pc": 42,
"type": "basic_block"
},
{
"end_pc": 63,
"hash": "0x0d5c6b3376fca4ed9f2e2844e4e069a312879f025c4222b5819daf16bd2b90a8",
"id": "bb:53",
"start_pc": 53,
"type": "basic_block"
},
{
"end_pc": 74,
"hash": "0x335697324002b083b21ce8e7987d3087401ba6db992dc3cf5dd92b6ed938055e",
"id": "bb:64",
"start_pc": 64,
"type": "basic_block"
},
{
"end_pc": 85,
"hash": "0x8bd4c4975a5af19feecf8f6564ca2343b5a5c68a8903932e26f978ed72664699",
"id": "bb:75",
"start_pc": 75,
"type": "basic_block"
},
{
"end_pc": 96,
"hash": "0x5a205a683afbeb8479af2a5eab2c419d1d7affc0ffdb308b88c224134049969f",
"id": "bb:86",
"start_pc": 86,
"type": "basic_block"
},
{
"end_pc": 107,
"hash": "0x9aa72d0cf1ba3fe662a66fb959e6e88cf37cc6e94a1030125085174a198e75c2",
"id": "bb:97",
"start_pc": 97,
"type": "basic_block"
},
{
"end_pc": 125,
"hash": "0x04140a3d6b6cb246de2d130791f72037d29391fc0cf105d689c459b89dcb7aa6",
"id": "bb:108",
"start_pc": 108,
"type": "basic_block"
},
{
"end_pc": 129,
"hash": "0x20d627c23015b78a3053022e3f0570f6e568b742eb86bcac89c2fbed2dc1746a",
"id": "bb:126",
"start_pc": 126,
"type": "basic_block"
},
{
"end_pc": 145,
"hash": "0x1242433d3d9438b3431e5b0159e1030e2c4834611042e16e0050e853469f1f9f",
"id": "bb:130",
"start_pc": 130,
"type": "basic_block"
},
{
"end_pc": 157,
"hash": "0x18dd946bbe373d9c9614bc8a7fc5461b995e840fb66ed8db580580cd686378c7",
"id": "bb:146",
"start_pc": 146,
"type": "basic_block"
},
{
"end_pc": 232,
"hash": "0xa6491ebf3b8abfa3aeab7b93e54a439eefd3120758f1bb433f04a49267f5ed32",
"id": "bb:158",
"start_pc": 158,
"type": "basic_block"
},
{
"end_pc": 286,
"hash": "0xe745613c2c71862f16368e6fb61619937f15ffc5d17205a46bbd71f2244d31dc",
"id": "bb:233",
"start_pc": 233,
"type": "basic_block"
},
{
"end_pc": 295,
"hash": "0x035095300dd9018de59eeac746ef23975bc7a4da5fbb4018f3a9f1c3514a8743",
"id": "bb:287",
"start_pc": 287,
"type": "basic_block"
},
{
"end_pc": 313,
"hash": "0xbc7433d0efa81a1bf9d32c1f97755429bd75e86107262fdca4a7d26638e20b71",
"id": "bb:296",
"start_pc": 296,
"type": "basic_block"
},
{
"end_pc": 331,
"hash": "0xec72d1fe2c270ca1c4f28d56298c53897fef08c7599e4ef360bc935ae5ff88ca",
"id": "bb:314",
"start_pc": 314,
"type": "basic_block"
},
{
"end_pc": 340,
"hash": "0x5886bd5f080e7e676b5dc40a0f2b8b31cfc3c0557ad8817a1250086406d1c74d",
"id": "bb:332",
"start_pc": 332,
"type": "basic_block"
},
{
"end_pc": 349,
"hash": "0xe7b94dc65643054d69e2ad778e3ee5faf5b042e28ae90e315e61a912f4649755",
"id": "bb:341",
"start_pc": 341,
"type": "basic_block"
},
{
"end_pc": 358,
"hash": "0xa82549f4e64015d4a84dd5107b47f117297e9f8ad40452d608d94921fed20d2c",
"id": "bb:350",
"start_pc": 350,
"type": "basic_block"
},
{
"end_pc": 378,
"hash": "0xac39245c718edb468b700b7a1df9854facc66c9e81e34d2e1e9b9ce35cc5ee1b",
"id": "bb:359",
"start_pc": 359,
"type": "basic_block"
},
{
"end_pc": 474,
"hash": "0xff18eae7bbf730a5a77ee369b7c3f124afa85ad3c96d9a0aeff507a763bb2f0c",
"id": "bb:379",
"start_pc": 379,
"type": "basic_block"
},
{
"end_pc": 476,
"hash": "0xe38ee6866f0faa036c704c1e65129b1d49deb3c8123a6036bfcb5e76f320c13d",
"id": "bb:475",
"start_pc": 475,
"type": "basic_block"
},
{
"end_pc": 489,
"hash": "0xc5e7d7161d99462d1275753380bb2285d0f935dd9c923897ca03ae4c76355465",
"id": "bb:477",
"start_pc": 477,
"type": "basic_block"
},
{
"end_pc": 685,
"hash": "0xa0233fc50506634a5af118024189b65e19c83ffac525a4f984c2392786911f58",
"id": "bb:490",
"start_pc": 490,
"type": "basic_block"
},
{
"end_pc": 744,
"hash": "0x77bf66b312fe761642b1eeecd33c39bc497ff80442cf7a7b217863b47103ca17",
"id": "bb:686",
"start_pc": 686,
"type": "basic_block"
},
{
"end_pc": 747,
"hash": "0x708b818ba3d06e881c739770b41b4076791259d4bd2071530c214ff90b9962b2",
"id": "bb:745",
"start_pc": 745,
"type": "basic_block"
},
{
"end_pc": 792,
"hash": "0x31d8569995e14ee2b3b81f6c3c4451be061a927a42ea52d3ee91fa54802f20fd",
"id": "bb:748",
"start_pc": 748,
"type": "basic_block"
},
{
"end_pc": 818,
"hash": "0xa383834adad0f03cef5aae0c442fc12e3c9aded5332deb5f502ca6da430a17fb",
"id": "bb:793",
"start_pc": 793,
"type": "basic_block"
},
{
"end_pc": 827,
"hash": "0x9acf648fa2799b89a0aa01b8d1dbecd7ea7d0de704827cb0c86fe8a6bd9a0b8d",
"id": "bb:819",
"start_pc": 819,
"type": "basic_block"
},
{
"end_pc": 869,
"hash": "0x381e4127a3cb541568d154e163905767531a55f45cccd0586f82c418c82fffef",
"id": "bb:828",
"start_pc": 828,
"type": "basic_block"
},
{
"end_pc": 873,
"hash": "0x0e7aa7128fc01ce6dfa4d67f843e95a2f710b18cf86a67ae5c445b5005a0b3e2",
"id": "bb:870",
"start_pc": 870,
"type": "basic_block"
},
{
"end_pc": 883,
"hash": "0x0f2cdf9338d7cbf85104d84135400e29ed4090476ab32155d82702914b56b001",
"id": "bb:874",
"start_pc": 874,
"type": "basic_block"
},
{
"end_pc": 902,
"hash": "0x32b808d1c1f9aa3cb7e7f8858318e90e4854dbbf4168ef269d5df543ab28d0a5",
"id": "bb:884",
"start_pc": 884,
"type": "basic_block"
},
{
"end_pc": 915,
"hash": "0x8da1daae14f291edc31c4ba3e1288bacb0d0b5f4ffa2e19402bede1e9545687a",
"id": "bb:903",
"start_pc": 903,
"type": "basic_block"
},
{
"end_pc": 949,
"hash": "0xdd5b4dc46146ecbab716bf6a8859600e8f477c20af5ceda26e30d9dc9b713011",
"id": "bb:916",
"start_pc": 916,
"type": "basic_block"
},
{
"end_pc": 960,
"hash": "0xbe3b0bf748b911c2f88b01a2c52791ca3e0570803f3b6eaee60ca81f57abc24b",
"id": "bb:950",
"start_pc": 950,
"type": "basic_block"
},
{
"end_pc": 973,
"hash": "0x706cc6ac8fbb0619320fe13b506c3e831ebc876f097c0e9ff4b9c4c204b92c3d",
"id": "bb:961",
"start_pc": 961,
"type": "basic_block"
},
{
"end_pc": 1045,
"hash": "0xebd50cf03565301f297ae4cf08c2757c47d2fda68d2340db7a74e02a87c34b59",
"id": "bb:974",
"start_pc": 974,
"type": "basic_block"
},
{
"end_pc": 1133,
"hash": "0x619b0ef2ab7fd2263cbf50479e5f49a58d9220c653db49401bfa7f44f3c900fc",
"id": "bb:1046",
"start_pc": 1046,
"type": "basic_block"
},
{
"end_pc": 1201,
"hash": "0x3d58e7dc27ef353d554f9f4f8fd43759322556270d3ea8acb5182b81bafe8092",
"id": "bb:1134",
"start_pc": 1134,
"type": "basic_block"
},
{
"end_pc": 1290,
"hash": "0xe6b9610b4f1e6c9ed401c5231986428e3bb6549c86ed49b166c403576857541c",
"id": "bb:1202",
"start_pc": 1202,
"type": "basic_block"
},
{
"end_pc": 1302,
"hash": "0x3b06f18d541c81ef4088c8358dc72da5f6889b51f502a8e47a0bd734274ad35f",
"id": "bb:1291",
"start_pc": 1291,
"type": "basic_block"
},
{
"end_pc": 1322,
"hash": "0xa67c5ce7ac4e501f944d645dc38ee45e73abc5198d97c5969fa59adc2ef78be4",
"id": "bb:1303",
"start_pc": 1303,
"type": "basic_block"
},
{
"id": "call:184",
"opcode": "CALL",
"pc": 184,
"type": "callsite"
},
{
"id": "call:266",
"opcode": "CALL",
"pc": 266,
"type": "callsite"
},
{
"id": "call:680",
"opcode": "CALL",
"pc": 680,
"type": "callsite"
},
{
"id": "call:1097",
"opcode": "CALL",
"pc": 1097,
"type": "callsite"
},
{
"id": "call:1296",
"opcode": "CALL",
"pc": 1296,
"type": "callsite"
},
{
"id": "sink:call",
"type": "sink"
},
{
"entry_pc": null,
"id": "fn:0x01cb3b20",
"selector": "0x01cb3b20",
"type": "function"
},
{
"entry_pc": 951009005,
"id": "fn:0x29dcb0cf",
"selector": "0x29dcb0cf",
"type": "function"
},
{
"entry_pc": 1852241641,
"id": "fn:0x38af3eed",
"selector": "0x38af3eed",
"type": "function"
},
{
"entry_pc": 2050625156,
"id": "fn:0x6e66f6e9",
"selector": "0x6e66f6e9",
"type": "function"
},
{
"entry_pc": 2067684987,
"id": "fn:0x7a3a0e84",
"selector": "0x7a3a0e84",
"type": "function"
},
{
"entry_pc": 2687873534,
"id": "fn:0x7b3e5e7b",
"selector": "0x7b3e5e7b",
"type": "function"
},
{
"entry_pc": 3691855359,
"id": "fn:0xa035b1fe",
"selector": "0xa035b1fe",
"type": "function"
},
{
"entry_pc": 475,
"id": "fn:0xdc0d3dff",
"selector": "0xdc0d3dff",
"type": "function"
}
exec
/bin/bash -lc "python3 - <<'PY'
import json
from pathlib import Path
ops = {
0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
}
for i in range(1,33): ops[0x5f+i]='PUSH'+str(i)
# Actually above started at 0x60. fine.
obj = json.loads(Path('BYTECODE_BUNDLE.json').read_text())
bytecode = obj['artifact']['runtime_bytecode']['full'][2:]
bs = bytes.fromhex(bytecode)
# disasm all with selected windows
windows = [(0,240),(230,320),(470,760),(740,920),(900,1210),(1200,1315)]
for start,end in windows:
print(f'-- window {start}-{end} --')
pc = 0
while pc < len(bs):
op = bs[pc]
name = ops.get(op, f'OP_{op:02x}')
if 0x60 <= op <= 0x7f:
n = op - 0x5f
data = bs[pc+1:pc+1+n]
if start <= pc <= end:
print(f'{pc:04x}: {name} 0x{data.hex()}')
pc += 1+n
else:
if start <= pc <= end:
print(f'{pc:04x}: {name}')
pc += 1
print()
PY" in /tmp/codex-a3t5xbqz
succeeded in 0ms:
-- window 0-240 --
0000: PUSH1 0x60
0002: PUSH1 0x40
0004: MSTORE
0005: CALLDATASIZE
0006: ISZERO
0007: PUSH2 0x006c
000a: JUMPI
000b: PUSH1 0xe0
000d: PUSH1 0x02
000f: EXP
0010: PUSH1 0x00
0012: CALLDATALOAD
0013: DIV
0014: PUSH4 0x01cb3b20
0019: DUP2
001a: EQ
001b: PUSH2 0x0082
001e: JUMPI
001f: DUP1
0020: PUSH4 0x29dcb0cf
0025: EQ
0026: PUSH2 0x011f
0029: JUMPI
002a: DUP1
002b: PUSH4 0x38af3eed
0030: EQ
0031: PUSH2 0x0128
0034: JUMPI
0035: DUP1
0036: PUSH4 0x6e66f6e9
003b: EQ
003c: PUSH2 0x013a
003f: JUMPI
0040: DUP1
0041: PUSH4 0x7a3a0e84
0046: EQ
0047: PUSH2 0x014c
004a: JUMPI
004b: DUP1
004c: PUSH4 0x7b3e5e7b
0051: EQ
0052: PUSH2 0x0155
0055: JUMPI
0056: DUP1
0057: PUSH4 0xa035b1fe
005c: EQ
005d: PUSH2 0x015e
0060: JUMPI
0061: DUP1
0062: PUSH4 0xdc0d3dff
0067: EQ
0068: PUSH2 0x0167
006b: JUMPI
006c: JUMPDEST
006d: PUSH2 0x01db
0070: PUSH1 0x07
0072: SLOAD
0073: PUSH1 0x00
0075: SWAP1
0076: PUSH1 0xff
0078: AND
0079: ISZERO
007a: PUSH2 0x02ec
007d: JUMPI
007e: PUSH2 0x0002
0081: JUMP
0082: JUMPDEST
0083: PUSH2 0x01db
0086: PUSH1 0x03
0088: SLOAD
0089: PUSH1 0x00
008b: SWAP1
008c: TIMESTAMP
008d: LT
008e: PUSH2 0x02e9
0091: JUMPI
0092: PUSH1 0x02
0094: SLOAD
0095: PUSH1 0x01
0097: SLOAD
0098: SWAP1
0099: LT
009a: PUSH2 0x0394
009d: JUMPI
009e: PUSH1 0x02
00a0: SLOAD
00a1: DUP2
00a2: SLOAD
00a3: PUSH1 0x01
00a5: PUSH1 0xa0
00a7: PUSH1 0x02
00a9: EXP
00aa: SUB
00ab: AND
00ac: SWAP1
00ad: DUP3
00ae: SWAP1
00af: PUSH1 0x60
00b1: DUP3
00b2: DUP2
00b3: DUP2
00b4: DUP2
00b5: DUP6
00b6: DUP9
00b7: DUP4
00b8: CALL
00b9: POP
00ba: PUSH1 0x40
00bc: DUP1
00bd: MLOAD
00be: SWAP5
00bf: DUP6
00c0: MSTORE
00c1: PUSH1 0x20
00c3: DUP6
00c4: ADD
00c5: SWAP3
00c6: SWAP1
00c7: SWAP3
00c8: MSTORE
00c9: DUP4
00ca: DUP3
00cb: ADD
00cc: SWAP3
00cd: SWAP1
00ce: SWAP3
00cf: MSTORE
00d0: MLOAD
00d1: PUSH1 0x00
00d3: DUP1
00d4: MLOAD
00d5: PUSH1 0x20
00d7: PUSH2 0x050b
00da: DUP4
00db: CODECOPY
00dc: DUP2
00dd: MLOAD
00de: SWAP2
00df: MSTORE
00e0: SWAP3
00e1: DUP2
00e2: SWAP1
00e3: SUB
00e4: SWAP1
00e5: SWAP2
00e6: ADD
00e7: SWAP1
00e8: LOG1
00e9: JUMPDEST
00ea: PUSH1 0x40
00ec: MLOAD
00ed: PUSH1 0x00
00ef: DUP1
00f0: SLOAD
-- window 230-320 --
00e6: ADD
00e7: SWAP1
00e8: LOG1
00e9: JUMPDEST
00ea: PUSH1 0x40
00ec: MLOAD
00ed: PUSH1 0x00
00ef: DUP1
00f0: SLOAD
00f1: PUSH1 0x01
00f3: PUSH1 0xa0
00f5: PUSH1 0x02
00f7: EXP
00f8: SUB
00f9: SWAP1
00fa: DUP2
00fb: AND
00fc: SWAP3
00fd: ADDRESS
00fe: SWAP1
00ff: SWAP2
0100: AND
0101: BALANCE
0102: SWAP1
0103: DUP3
0104: DUP2
0105: DUP2
0106: DUP2
0107: DUP6
0108: DUP9
0109: DUP4
010a: CALL
010b: POP
010c: POP
010d: PUSH1 0x07
010f: DUP1
0110: SLOAD
0111: PUSH1 0xff
0113: NOT
0114: AND
0115: PUSH1 0x01
0117: OR
0118: SWAP1
0119: SSTORE
011a: POP
011b: POP
011c: POP
011d: POP
011e: JUMP
011f: JUMPDEST
0120: PUSH2 0x036a
0123: PUSH1 0x03
0125: SLOAD
0126: DUP2
0127: JUMP
0128: JUMPDEST
0129: PUSH2 0x0374
012c: PUSH1 0x00
012e: SLOAD
012f: PUSH1 0x01
0131: PUSH1 0xa0
0133: PUSH1 0x02
0135: EXP
0136: SUB
0137: AND
0138: DUP2
0139: JUMP
013a: JUMPDEST
013b: PUSH2 0x0374
013e: PUSH1 0x05
0140: SLOAD
-- window 470-760 --
01d6: SWAP2
01d7: AND
01d8: SWAP1
01d9: DUP3
01da: JUMP
01db: JUMPDEST
01dc: STOP
01dd: JUMPDEST
01de: POP
01df: POP
01e0: POP
01e1: DUP2
01e2: SLOAD
01e3: DUP2
01e4: LT
01e5: ISZERO
01e6: PUSH2 0x0002
01e9: JUMPI
01ea: SWAP1
01eb: PUSH1 0x00
01ed: MSTORE
01ee: PUSH1 0x20
01f0: PUSH1 0x00
01f2: SHA3
01f3: SWAP1
01f4: PUSH1 0x02
01f6: MUL
01f7: ADD
01f8: PUSH1 0x00
01fa: POP
01fb: PUSH1 0x00
01fd: DUP3
01fe: ADD
01ff: MLOAD
0200: DUP2
0201: PUSH1 0x00
0203: ADD
0204: PUSH1 0x00
0206: PUSH2 0x0100
0209: EXP
020a: DUP2
020b: SLOAD
020c: DUP2
020d: PUSH1 0x01
020f: PUSH1 0xa0
0211: PUSH1 0x02
0213: EXP
0214: SUB
0215: MUL
0216: NOT
0217: AND
0218: SWAP1
0219: DUP4
021a: MUL
021b: OR
021c: SWAP1
021d: SSTORE
021e: POP
021f: PUSH1 0x20
0221: DUP3
0222: ADD
0223: MLOAD
0224: DUP2
0225: PUSH1 0x01
0227: ADD
0228: PUSH1 0x00
022a: POP
022b: SSTORE
022c: SWAP1
022d: POP
022e: POP
022f: DUP1
0230: PUSH1 0x02
0232: PUSH1 0x00
0234: DUP3
0235: DUP3
0236: DUP3
0237: POP
0238: SLOAD
0239: ADD
023a: SWAP3
023b: POP
023c: POP
023d: DUP2
023e: SWAP1
023f: SSTORE
0240: POP
0241: PUSH1 0x05
0243: PUSH1 0x00
0245: SWAP1
0246: SLOAD
0247: SWAP1
0248: PUSH2 0x0100
024b: EXP
024c: SWAP1
024d: DIV
024e: PUSH1 0x01
0250: PUSH1 0xa0
0252: PUSH1 0x02
0254: EXP
0255: SUB
0256: AND
0257: PUSH1 0x01
0259: PUSH1 0xa0
025b: PUSH1 0x02
025d: EXP
025e: SUB
025f: AND
0260: PUSH4 0xa9059cbb
0265: CALLER
0266: PUSH1 0x04
0268: PUSH1 0x00
026a: POP
026b: SLOAD
026c: DUP5
026d: DIV
026e: PUSH1 0x40
0270: MLOAD
0271: DUP4
0272: PUSH1 0xe0
0274: PUSH1 0x02
0276: EXP
0277: MUL
0278: DUP2
0279: MSTORE
027a: PUSH1 0x04
027c: ADD
027d: DUP1
027e: DUP4
027f: PUSH1 0x01
0281: PUSH1 0xa0
0283: PUSH1 0x02
0285: EXP
0286: SUB
0287: AND
0288: DUP2
0289: MSTORE
028a: PUSH1 0x20
028c: ADD
028d: DUP3
028e: DUP2
028f: MSTORE
0290: PUSH1 0x20
0292: ADD
0293: SWAP3
0294: POP
0295: POP
0296: POP
0297: PUSH1 0x00
0299: PUSH1 0x40
029b: MLOAD
029c: DUP1
029d: DUP4
029e: SUB
029f: DUP2
02a0: PUSH1 0x00
02a2: DUP8
02a3: PUSH2 0x61da
02a6: GAS
02a7: SUB
02a8: CALL
02a9: ISZERO
02aa: PUSH2 0x0002
02ad: JUMPI
02ae: POP
02af: POP
02b0: PUSH1 0x40
02b2: DUP1
02b3: MLOAD
02b4: PUSH1 0x01
02b6: PUSH1 0xa0
02b8: PUSH1 0x02
02ba: EXP
02bb: SUB
02bc: CALLER
02bd: AND
02be: DUP2
02bf: MSTORE
02c0: PUSH1 0x20
02c2: DUP2
02c3: ADD
02c4: DUP5
02c5: SWAP1
02c6: MSTORE
02c7: PUSH1 0x01
02c9: DUP2
02ca: DUP4
02cb: ADD
02cc: MSTORE
02cd: SWAP1
02ce: MLOAD
02cf: PUSH1 0x00
02d1: DUP1
02d2: MLOAD
02d3: PUSH1 0x20
02d5: PUSH2 0x050b
02d8: DUP4
02d9: CODECOPY
02da: DUP2
02db: MLOAD
02dc: SWAP2
02dd: MSTORE
02de: SWAP3
02df: POP
02e0: SWAP1
02e1: DUP2
02e2: SWAP1
02e3: SUB
02e4: PUSH1 0x60
02e6: ADD
02e7: SWAP1
02e8: LOG1
02e9: JUMPDEST
02ea: POP
02eb: JUMP
02ec: JUMPDEST
02ed: POP
02ee: PUSH1 0xa0
02f0: PUSH1 0x40
02f2: MSTORE
02f3: CALLER
02f4: PUSH1 0x60
02f6: SWAP1
02f7: DUP2
02f8: MSTORE
-- window 740-920 --
02e4: PUSH1 0x60
02e6: ADD
02e7: SWAP1
02e8: LOG1
02e9: JUMPDEST
02ea: POP
02eb: JUMP
02ec: JUMPDEST
02ed: POP
02ee: PUSH1 0xa0
02f0: PUSH1 0x40
02f2: MSTORE
02f3: CALLER
02f4: PUSH1 0x60
02f6: SWAP1
02f7: DUP2
02f8: MSTORE
02f9: CALLVALUE
02fa: PUSH1 0x80
02fc: DUP2
02fd: SWAP1
02fe: MSTORE
02ff: PUSH1 0x06
0301: DUP1
0302: SLOAD
0303: PUSH1 0x01
0305: DUP2
0306: ADD
0307: DUP1
0308: DUP4
0309: SSTORE
030a: SWAP3
030b: SWAP4
030c: SWAP3
030d: DUP3
030e: SWAP1
030f: DUP3
0310: DUP1
0311: ISZERO
0312: DUP3
0313: SWAP1
0314: GT
0315: PUSH2 0x01dd
0318: JUMPI
0319: PUSH1 0x02
031b: MUL
031c: DUP2
031d: PUSH1 0x02
031f: MUL
0320: DUP4
0321: PUSH1 0x00
0323: MSTORE
0324: PUSH1 0x20
0326: PUSH1 0x00
0328: SHA3
0329: SWAP2
032a: DUP3
032b: ADD
032c: SWAP2
032d: ADD
032e: PUSH2 0x01dd
0331: SWAP2
0332: SWAP1
0333: JUMPDEST
0334: DUP1
0335: DUP3
0336: GT
0337: ISZERO
0338: PUSH2 0x0366
033b: JUMPI
033c: DUP1
033d: SLOAD
033e: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
0353: NOT
0354: AND
0355: DUP2
0356: SSTORE
0357: PUSH1 0x00
0359: PUSH1 0x01
035b: SWAP2
035c: SWAP1
035d: SWAP2
035e: ADD
035f: SWAP1
0360: DUP2
0361: SSTORE
0362: PUSH2 0x0333
0365: JUMP
0366: JUMPDEST
0367: POP
0368: SWAP1
0369: JUMP
036a: JUMPDEST
036b: PUSH1 0x60
036d: SWAP1
036e: DUP2
036f: MSTORE
0370: PUSH1 0x20
0372: SWAP1
0373: RETURN
0374: JUMPDEST
0375: PUSH1 0x01
0377: PUSH1 0xa0
0379: PUSH1 0x02
037b: EXP
037c: SUB
037d: AND
037e: PUSH1 0x60
0380: SWAP1
0381: DUP2
0382: MSTORE
0383: PUSH1 0x20
0385: SWAP1
0386: RETURN
0387: JUMPDEST
0388: PUSH1 0x60
038a: SWAP2
038b: DUP3
038c: MSTORE
038d: PUSH1 0x80
038f: MSTORE
0390: PUSH1 0x40
0392: SWAP1
0393: RETURN
0394: JUMPDEST
0395: PUSH1 0x60
0397: DUP2
0398: DUP2
-- window 900-1210 --
0385: SWAP1
0386: RETURN
0387: JUMPDEST
0388: PUSH1 0x60
038a: SWAP2
038b: DUP3
038c: MSTORE
038d: PUSH1 0x80
038f: MSTORE
0390: PUSH1 0x40
0392: SWAP1
0393: RETURN
0394: JUMPDEST
0395: PUSH1 0x60
0397: DUP2
0398: DUP2
0399: MSTORE
039a: PUSH1 0x0b
039c: PUSH1 0x80
039e: MSTORE
039f: PUSH1 0xa0
03a1: DUP3
03a2: SWAP1
03a3: MSTORE
03a4: PUSH1 0x00
03a6: DUP1
03a7: MLOAD
03a8: PUSH1 0x20
03aa: PUSH2 0x050b
03ad: DUP4
03ae: CODECOPY
03af: DUP2
03b0: MLOAD
03b1: SWAP2
03b2: MSTORE
03b3: SWAP1
03b4: DUP1
03b5: LOG1
03b6: JUMPDEST
03b7: PUSH1 0x06
03b9: SLOAD
03ba: DUP2
03bb: LT
03bc: ISZERO
03bd: PUSH2 0x00e9
03c0: JUMPI
03c1: PUSH1 0x06
03c3: DUP1
03c4: SLOAD
03c5: DUP3
03c6: SWAP1
03c7: DUP2
03c8: LT
03c9: ISZERO
03ca: PUSH2 0x0002
03cd: JUMPI
03ce: PUSH1 0x00
03d0: SWAP2
03d1: DUP3
03d2: MSTORE
03d3: PUSH1 0x02
03d5: MUL
03d6: PUSH32 0xf652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d3f
03f7: ADD
03f8: SWAP1
03f9: SWAP1
03fa: SLOAD
03fb: PUSH1 0x06
03fd: DUP1
03fe: SLOAD
03ff: PUSH1 0x01
0401: PUSH1 0xa0
0403: PUSH1 0x02
0405: EXP
0406: SUB
0407: SWAP3
0408: SWAP1
0409: SWAP3
040a: AND
040b: SWAP3
040c: SWAP2
040d: DUP5
040e: SWAP1
040f: DUP2
0410: LT
0411: ISZERO
0412: PUSH2 0x0002
0415: JUMPI
0416: PUSH1 0x02
0418: MUL
0419: PUSH32 0xf652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d40
043a: ADD
043b: SLOAD
043c: PUSH1 0x40
043e: MLOAD
043f: SWAP1
0440: SWAP2
0441: POP
0442: DUP3
0443: DUP2
0444: DUP2
0445: DUP2
0446: DUP6
0447: DUP9
0448: DUP4
0449: CALL
044a: SWAP4
044b: POP
044c: POP
044d: POP
044e: POP
044f: POP
0450: PUSH1 0x00
0452: DUP1
0453: MLOAD
0454: PUSH1 0x20
0456: PUSH2 0x050b
0459: DUP4
045a: CODECOPY
045b: DUP2
045c: MLOAD
045d: SWAP2
045e: MSTORE
045f: PUSH1 0x06
0461: PUSH1 0x00
0463: POP
0464: DUP3
0465: DUP2
0466: SLOAD
0467: DUP2
0468: LT
0469: ISZERO
046a: PUSH2 0x0002
046d: JUMPI
046e: PUSH1 0x00
0470: DUP3
0471: SWAP1
0472: MSTORE
0473: PUSH1 0x02
0475: MUL
0476: PUSH32 0xf652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d3f
0497: ADD
0498: SLOAD
0499: DUP2
049a: SLOAD
049b: PUSH1 0x01
049d: PUSH1 0xa0
049f: PUSH1 0x02
04a1: EXP
04a2: SUB
04a3: SWAP2
04a4: SWAP1
04a5: SWAP2
04a6: AND
04a7: SWAP2
04a8: SWAP1
04a9: DUP5
04aa: SWAP1
04ab: DUP2
04ac: LT
04ad: ISZERO
04ae: PUSH2 0x0002
04b1: JUMPI
04b2: PUSH1 0x02
04b4: MUL
04b5: PUSH32 0xf652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d40
-- window 1200-1315 --
04b1: JUMPI
04b2: PUSH1 0x02
04b4: MUL
04b5: PUSH32 0xf652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d40
04d6: ADD
04d7: SLOAD
04d8: PUSH1 0x40
04da: DUP1
04db: MLOAD
04dc: PUSH1 0x01
04de: PUSH1 0xa0
04e0: PUSH1 0x02
04e2: EXP
04e3: SUB
04e4: SWAP5
04e5: SWAP1
04e6: SWAP5
04e7: AND
04e8: DUP5
04e9: MSTORE
04ea: PUSH1 0x20
04ec: DUP5
04ed: ADD
04ee: SWAP2
04ef: SWAP1
04f0: SWAP2
04f1: MSTORE
04f2: PUSH1 0x00
04f4: DUP4
04f5: DUP3
04f6: ADD
04f7: MSTORE
04f8: MLOAD
04f9: SWAP2
04fa: DUP3
04fb: SWAP1
04fc: SUB
04fd: PUSH1 0x60
04ff: ADD
0500: SWAP2
0501: SWAP1
0502: POP
0503: LOG1
0504: PUSH1 0x01
0506: ADD
0507: PUSH2 0x03b6
050a: JUMP
050b: OP_e8
050c: TIMESTAMP
050d: OP_ae
050e: OP_a7
050f: OP_a5
0510: CALL
0511: OP_b0
0512: LT
0513: OP_49
0514: OP_d7
0515: MSTORE
0516: STOP
0517: DUP13
0518: MSTORE8
0519: OP_c5
051a: OP_28
051b: SWAP1
051c: OP_b1
051d: OP_a6
051e: OP_da
051f: OP_f6
0520: PUSH1 0xcf
0522: CODECOPY
0523: OP_e8
exec
/bin/bash -lc "python3 - <<'PY'
import json
from pathlib import Path
ops={**{i:f'PUSH{i-0x5f}' for i in range(0x60,0x80)}, **{i:f'DUP{i-0x7f}' for i in range(0x80,0x90)}, **{i:f'SWAP{i-0x8f}' for i in range(0x90,0xa0)}}
ops.update({0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'})
bs=bytes.fromhex(json.loads(Path('BYTECODE_BUNDLE.json').read_text())['artifact']['runtime_bytecode']['full'][2:])
for start,end in [(0x150,0x2f0)]:
pc=0
while pc < len(bs):
op=bs[pc]; name=ops.get(op,f'OP_{op:02x}')
if 0x60<=op<=0x7f:
n=op-0x5f; data=bs[pc+1:pc+1+n]
if start<=pc<=end: print(f'{pc:04x}: {name:<8} 0x{data.hex()}')
pc+=1+n
else:
if start<=pc<=end: print(f'{pc:04x}: {name}')
pc+=1
PY" in /tmp/codex-a3t5xbqz
succeeded in 0ms:
0150: PUSH1 0x01
0152: SLOAD
0153: DUP2
0154: JUMP
0155: JUMPDEST
0156: PUSH2 0x036a
0159: PUSH1 0x02
015b: SLOAD
015c: DUP2
015d: JUMP
015e: JUMPDEST
015f: PUSH2 0x036a
0162: PUSH1 0x04
0164: SLOAD
0165: DUP2
0166: JUMP
0167: JUMPDEST
0168: PUSH2 0x0387
016b: PUSH1 0x04
016d: CALLDATALOAD
016e: PUSH1 0x06
0170: DUP1
0171: SLOAD
0172: DUP3
0173: SWAP1
0174: DUP2
0175: LT
0176: ISZERO
0177: PUSH2 0x0002
017a: JUMPI
017b: POP
017c: PUSH1 0x00
017e: MSTORE
017f: PUSH1 0x02
0181: MUL
0182: PUSH32 0xf652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d3f
01a3: DUP2
01a4: ADD
01a5: SLOAD
01a6: PUSH32 0xf652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d40
01c7: SWAP2
01c8: SWAP1
01c9: SWAP2
01ca: ADD
01cb: SLOAD
01cc: PUSH1 0x01
01ce: PUSH1 0xa0
01d0: PUSH1 0x02
01d2: EXP
01d3: SUB
01d4: SWAP2
01d5: SWAP1
01d6: SWAP2
01d7: AND
01d8: SWAP1
01d9: DUP3
01da: JUMP
01db: JUMPDEST
01dc: STOP
01dd: JUMPDEST
01de: POP
01df: POP
01e0: POP
01e1: DUP2
01e2: SLOAD
01e3: DUP2
01e4: LT
01e5: ISZERO
01e6: PUSH2 0x0002
01e9: JUMPI
01ea: SWAP1
01eb: PUSH1 0x00
01ed: MSTORE
01ee: PUSH1 0x20
01f0: PUSH1 0x00
01f2: SHA3
01f3: SWAP1
01f4: PUSH1 0x02
01f6: MUL
01f7: ADD
01f8: PUSH1 0x00
01fa: POP
01fb: PUSH1 0x00
01fd: DUP3
01fe: ADD
01ff: MLOAD
0200: DUP2
0201: PUSH1 0x00
0203: ADD
0204: PUSH1 0x00
0206: PUSH2 0x0100
0209: EXP
020a: DUP2
020b: SLOAD
020c: DUP2
020d: PUSH1 0x01
020f: PUSH1 0xa0
0211: PUSH1 0x02
0213: EXP
0214: SUB
0215: MUL
0216: NOT
0217: AND
0218: SWAP1
0219: DUP4
021a: MUL
021b: OR
021c: SWAP1
021d: SSTORE
021e: POP
021f: PUSH1 0x20
0221: DUP3
0222: ADD
0223: MLOAD
0224: DUP2
0225: PUSH1 0x01
0227: ADD
0228: PUSH1 0x00
022a: POP
022b: SSTORE
022c: SWAP1
022d: POP
022e: POP
022f: DUP1
0230: PUSH1 0x02
0232: PUSH1 0x00
0234: DUP3
0235: DUP3
0236: DUP3
0237: POP
0238: SLOAD
0239: ADD
023a: SWAP3
023b: POP
023c: POP
023d: DUP2
023e: SWAP1
023f: SSTORE
0240: POP
0241: PUSH1 0x05
0243: PUSH1 0x00
0245: SWAP1
0246: SLOAD
0247: SWAP1
0248: PUSH2 0x0100
024b: EXP
024c: SWAP1
024d: DIV
024e: PUSH1 0x01
0250: PUSH1 0xa0
0252: PUSH1 0x02
0254: EXP
0255: SUB
0256: AND
0257: PUSH1 0x01
0259: PUSH1 0xa0
025b: PUSH1 0x02
025d: EXP
025e: SUB
025f: AND
0260: PUSH4 0xa9059cbb
0265: CALLER
0266: PUSH1 0x04
0268: PUSH1 0x00
026a: POP
026b: SLOAD
026c: DUP5
026d: DIV
026e: PUSH1 0x40
0270: MLOAD
0271: DUP4
0272: PUSH1 0xe0
0274: PUSH1 0x02
0276: EXP
0277: MUL
0278: DUP2
0279: MSTORE
027a: PUSH1 0x04
027c: ADD
027d: DUP1
027e: DUP4
027f: PUSH1 0x01
0281: PUSH1 0xa0
0283: PUSH1 0x02
0285: EXP
0286: SUB
0287: AND
0288: DUP2
0289: MSTORE
028a: PUSH1 0x20
028c: ADD
028d: DUP3
028e: DUP2
028f: MSTORE
0290: PUSH1 0x20
0292: ADD
0293: SWAP3
0294: POP
0295: POP
0296: POP
0297: PUSH1 0x00
0299: PUSH1 0x40
029b: MLOAD
029c: DUP1
029d: DUP4
029e: SUB
029f: DUP2
02a0: PUSH1 0x00
02a2: DUP8
02a3: PUSH2 0x61da
02a6: GAS
02a7: SUB
02a8: CALL
02a9: ISZERO
02aa: PUSH2 0x0002
02ad: JUMPI
02ae: POP
02af: POP
02b0: PUSH1 0x40
02b2: DUP1
02b3: MLOAD
02b4: PUSH1 0x01
02b6: PUSH1 0xa0
02b8: PUSH1 0x02
02ba: EXP
02bb: SUB
02bc: CALLER
02bd: AND
02be: DUP2
02bf: MSTORE
02c0: PUSH1 0x20
02c2: DUP2
02c3: ADD
02c4: DUP5
02c5: SWAP1
02c6: MSTORE
02c7: PUSH1 0x01
02c9: DUP2
02ca: DUP4
02cb: ADD
02cc: MSTORE
02cd: SWAP1
02ce: MLOAD
02cf: PUSH1 0x00
02d1: DUP1
02d2: MLOAD
02d3: PUSH1 0x20
02d5: PUSH2 0x050b
02d8: DUP4
02d9: CODECOPY
02da: DUP2
02db: MLOAD
02dc: SWAP2
02dd: MSTORE
02de: SWAP3
02df: POP
02e0: SWAP1
02e1: DUP2
02e2: SWAP1
02e3: SUB
02e4: PUSH1 0x60
02e6: ADD
02e7: SWAP1
02e8: LOG1
02e9: JUMPDEST
02ea: POP
02eb: JUMP
02ec: JUMPDEST
02ed: POP
02ee: PUSH1 0xa0
02f0: PUSH1 0x40
exec
/bin/bash -lc "python3 - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
slots=[]
# disassemble and show SSTORE pcs with nearby ops
bs=bytes.fromhex(obj['artifact']['runtime_bytecode']['full'][2:])
ops={**{i:f'PUSH{i-0x5f}' for i in range(0x60,0x80)}, **{i:f'DUP{i-0x7f}' for i in range(0x80,0x90)}, **{i:f'SWAP{i-0x8f}' for i in range(0x90,0xa0)}}
ops.update({0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'})
inst=[]
pc=0
while pc < len(bs):
op=bs[pc]; name=ops.get(op,f'OP_{op:02x}'); arg=''
if 0x60<=op<=0x7f:
n=op-0x5f; arg='0x'+bs[pc+1:pc+1+n].hex(); inst.append((pc,name,arg)); pc+=1+n
else:
inst.append((pc,name,arg)); pc+=1
for i,(pc,name,arg) in enumerate(inst):
if name=='SSTORE':
print(f'== SSTORE at {pc} ==')
for j in range(max(0,i-8), min(len(inst),i+5)):
p,n,a=inst[j]
print(f'{p:04x}: {n} {a}'.rstrip())
print()
PY" in /tmp/codex-a3t5xbqz
succeeded in 0ms:
== SSTORE at 281 ==
010f: DUP1
0110: SLOAD
0111: PUSH1 0xff
0113: NOT
0114: AND
0115: PUSH1 0x01
0117: OR
0118: SWAP1
0119: SSTORE
011a: POP
011b: POP
011c: POP
011d: POP
== SSTORE at 541 ==
0215: MUL
0216: NOT
0217: AND
0218: SWAP1
0219: DUP4
021a: MUL
021b: OR
021c: SWAP1
021d: SSTORE
021e: POP
021f: PUSH1 0x20
0221: DUP3
0222: ADD
== SSTORE at 555 ==
0221: DUP3
0222: ADD
0223: MLOAD
0224: DUP2
0225: PUSH1 0x01
0227: ADD
0228: PUSH1 0x00
022a: POP
022b: SSTORE
022c: SWAP1
022d: POP
022e: POP
022f: DUP1
== SSTORE at 575 ==
0237: POP
0238: SLOAD
0239: ADD
023a: SWAP3
023b: POP
023c: POP
023d: DUP2
023e: SWAP1
023f: SSTORE
0240: POP
0241: PUSH1 0x05
0243: PUSH1 0x00
0245: SWAP1
== SSTORE at 777 ==
02ff: PUSH1 0x06
0301: DUP1
0302: SLOAD
0303: PUSH1 0x01
0305: DUP2
0306: ADD
0307: DUP1
0308: DUP4
0309: SSTORE
030a: SWAP3
030b: SWAP4
030c: SWAP3
030d: DUP3
== SSTORE at 854 ==
0338: PUSH2 0x0366
033b: JUMPI
033c: DUP1
033d: SLOAD
033e: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
0353: NOT
0354: AND
0355: DUP2
0356: SSTORE
0357: PUSH1 0x00
0359: PUSH1 0x01
035b: SWAP2
035c: SWAP1
== SSTORE at 865 ==
0357: PUSH1 0x00
0359: PUSH1 0x01
035b: SWAP2
035c: SWAP1
035d: SWAP2
035e: ADD
035f: SWAP1
0360: DUP2
0361: SSTORE
0362: PUSH2 0x0333
0365: JUMP
0366: JUMPDEST
0367: POP
Read the bytecode bundle, traced the executable callsites around the recorded sinks, and derived the main risks from the finalize/refund and fallback paths.
✓ Inspect BYTECODE_BUNDLE.json and related artifacts to understand contract shape, callsites, storage, and detector output
✓ Assess likely vulnerabilities from bytecode evidence with explicit uncertainty
→ Produce JSON findings matching the required schema
codex
{"no_findings":false,"summary":"Bytecode evidence indicates a public finalize/refund routine with value-bearing external calls before completion state is set, unchecked refund/payout call results, and a payable fallback that appears to accept late contributions until finalization.","findings":[{"severity":"high","category":"reentrancy","title":"Refund finalization is reentrant before the contract is marked closed","exploit_scenario":"A malicious contributor can first enter through the empty-calldata payable path so their address/value are stored in the slot6-backed contributor array. After the time gate has passed and the contract takes the refund branch, selector 0x01cb3b20 iterates that array and sends ETH to each contributor at pc 0x449 before the slot7 close flag is set at pc 0x119. The recipient can reenter 0x01cb3b20 from its fallback and reach the same refund logic again, collecting the same refund multiple times until the contract balance is exhausted.","recommendation":"Set the finalized/refunding state before any external call, mark each refund as consumed before sending value, and prefer pull-based withdrawals or a reentrancy guard around the finalize/refund path.","evidence":"The only observed close/finalized bit is the low byte of slot7: it gates the payable fallback at pc 0x6c and is only written at pc 0x119. In selector 0x01cb3b20, the slot2 < slot1 branch jumps to pc 0x394 and then loops from pc 0x3b6, performing a value-bearing CALL at pc 0x449 to addresses loaded from the slot6-backed array, with no storage update that marks an entry refunded before the call.","locations":["selector:0x01cb3b20","pc:0x3b6","pc:0x449","pc:0x119","pc:0x6c"]},{"severity":"high","category":"other","title":"Failed refund calls are ignored and residual ETH is swept to slot0","exploit_scenario":"If a contributor's refund call fails or reverts, the loop continues without reverting and without preserving a claimable refund. When the loop finishes, control jumps to pc 0x00e9 and the contract sends its remaining balance to the slot0 address at pc 0x10a. A reverting recipient can therefore lose its refund while the leftover ETH is redirected to slot0.","recommendation":"Check the success of each refund call and record failed refunds as withdrawable balances instead of continuing. Do not sweep residual ETH to slot0 until all refunds are either completed or safely escrowed.","evidence":"The refund loop CALL at pc 0x449 is followed by stack cleanup and logging, not by a success-dependent branch. Loop exit at pc 0x3bd jumps directly to pc 0x00e9, where slot0 is loaded and ADDRESS/BALANCE are used for another CALL at pc 0x10a. The earlier CALL at pc 0xb8 is also unchecked, so the finalize path generally assumes success without proof.","locations":["selector:0x01cb3b20","pc:0x449","pc:0x3bd","pc:0x10a","pc:0xb8"]},{"severity":"medium","category":"other","title":"Payable fallback appears to accept contributions after the time gate","exploit_scenario":"If slot3 is intended to be the funding deadline, users can still send empty-calldata ETH transfers after that timestamp because the fallback path only checks slot7 and then appends the sender/value to the contributor array. Late deposits keep increasing the slot2 total and can change whether finalization goes down the refund branch or the payout branch.","recommendation":"Mirror the deadline and any funding-status checks in the payable fallback/receive path so contributions are rejected once the funding window has ended.","evidence":"The empty-calldata path at pc 0x6c checks slot7 and jumps to the contribution routine at pc 0x2ec with no TIMESTAMP comparison. By contrast, selector 0x01cb3b20 compares slot3 against TIMESTAMP at pc 0x83-0x8e before allowing finalization behavior. This deadline interpretation is still bytecode-level inference, but it is strongly suggested by the control flow.","locations":["pc:0x6c","pc:0x2ec","selector:0x01cb3b20","pc:0x83","pc:0x8c"]}]}
tokens used
64,955
{
"codex": {
"ran_at": "2026-04-05T03:13:53.867357+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 2648,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "Bytecode evidence indicates a public finalize/refund routine with value-bearing external calls before completion state is set, unchecked refund/payout call results, and a payable fallback that appears to accept late contributions until finalization.",
"raw_final": {
"summary": "Bytecode evidence indicates a public finalize/refund routine with value-bearing external calls before completion state is set, unchecked refund/payout call results, and a payable fallback that appears to accept late contributions until finalization.",
"findings": [
{
"title": "Refund finalization is reentrant before the contract is marked closed",
"category": "reentrancy",
"evidence": "The only observed close/finalized bit is the low byte of slot7: it gates the payable fallback at pc 0x6c and is only written at pc 0x119. In selector 0x01cb3b20, the slot2 < slot1 branch jumps to pc 0x394 and then loops from pc 0x3b6, performing a value-bearing CALL at pc 0x449 to addresses loaded from the slot6-backed array, with no storage update that marks an entry refunded before the call.",
"severity": "high",
"locations": [
"selector:0x01cb3b20",
"pc:0x3b6",
"pc:0x449",
"pc:0x119",
"pc:0x6c"
],
"recommendation": "Set the finalized/refunding state before any external call, mark each refund as consumed before sending value, and prefer pull-based withdrawals or a reentrancy guard around the finalize/refund path.",
"exploit_scenario": "A malicious contributor can first enter through the empty-calldata payable path so their address/value are stored in the slot6-backed contributor array. After the time gate has passed and the contract takes the refund branch, selector 0x01cb3b20 iterates that array and sends ETH to each contributor at pc 0x449 before the slot7 close flag is set at pc 0x119. The recipient can reenter 0x01cb3b20 from its fallback and reach the same refund logic again, collecting the same refund multiple times until the contract balance is exhausted."
},
{
"title": "Failed refund calls are ignored and residual ETH is swept to slot0",
"category": "other",
"evidence": "The refund loop CALL at pc 0x449 is followed by stack cleanup and logging, not by a success-dependent branch. Loop exit at pc 0x3bd jumps directly to pc 0x00e9, where slot0 is loaded and ADDRESS/BALANCE are used for another CALL at pc 0x10a. The earlier CALL at pc 0xb8 is also unchecked, so the finalize path generally assumes success without proof.",
"severity": "high",
"locations": [
"selector:0x01cb3b20",
"pc:0x449",
"pc:0x3bd",
"pc:0x10a",
"pc:0xb8"
],
"recommendation": "Check the success of each refund call and record failed refunds as withdrawable balances instead of continuing. Do not sweep residual ETH to slot0 until all refunds are either completed or safely escrowed.",
"exploit_scenario": "If a contributor's refund call fails or reverts, the loop continues without reverting and without preserving a claimable refund. When the loop finishes, control jumps to pc 0x00e9 and the contract sends its remaining balance to the slot0 address at pc 0x10a. A reverting recipient can therefore lose its refund while the leftover ETH is redirected to slot0."
},
{
"title": "Payable fallback appears to accept contributions after the time gate",
"category": "other",
"evidence": "The empty-calldata path at pc 0x6c checks slot7 and jumps to the contribution routine at pc 0x2ec with no TIMESTAMP comparison. By contrast, selector 0x01cb3b20 compares slot3 against TIMESTAMP at pc 0x83-0x8e before allowing finalization behavior. This deadline interpretation is still bytecode-level inference, but it is strongly suggested by the control flow.",
"severity": "medium",
"locations": [
"pc:0x6c",
"pc:0x2ec",
"selector:0x01cb3b20",
"pc:0x83",
"pc:0x8c"
],
"recommendation": "Mirror the deadline and any funding-status checks in the payable fallback/receive path so contributions are rejected once the funding window has ended.",
"exploit_scenario": "If slot3 is intended to be the funding deadline, users can still send empty-calldata ETH transfers after that timestamp because the fallback path only checks slot7 and then appends the sender/value to the contributor array. Late deposits keep increasing the slot2 total and can change whether finalization goes down the refund branch or the payout branch."
}
],
"no_findings": false
},
"no_findings": false,
"schema_version": 1
}
00000000: PUSH1 0x60 00000002: PUSH1 0x40 00000004: MSTORE 00000005: CALLDATASIZE 00000006: ISZERO 00000007: PUSH2 0x006c 0000000a: JUMPI 0000000b: PUSH1 0xe0 0000000d: PUSH1 0x02 0000000f: EXP 00000010: PUSH1 0x00 00000012: CALLDATALOAD 00000013: DIV 00000014: PUSH4 0x01cb3b20 00000019: DUP2 0000001a: EQ 0000001b: PUSH2 0x0082 0000001e: JUMPI 0000001f: DUP1 00000020: PUSH4 0x29dcb0cf 00000025: EQ 00000026: PUSH2 0x011f 00000029: JUMPI 0000002a: DUP1 0000002b: PUSH4 0x38af3eed 00000030: EQ 00000031: PUSH2 0x0128 00000034: JUMPI 00000035: DUP1 00000036: PUSH4 0x6e66f6e9 0000003b: EQ 0000003c: PUSH2 0x013a 0000003f: JUMPI 00000040: DUP1 00000041: PUSH4 0x7a3a0e84 00000046: EQ 00000047: PUSH2 0x014c 0000004a: JUMPI 0000004b: DUP1 0000004c: PUSH4 0x7b3e5e7b 00000051: EQ 00000052: PUSH2 0x0155 00000055: JUMPI 00000056: DUP1 00000057: PUSH4 0xa035b1fe 0000005c: EQ 0000005d: PUSH2 0x015e 00000060: JUMPI 00000061: DUP1 00000062: PUSH4 0xdc0d3dff 00000067: EQ 00000068: PUSH2 0x0167 0000006b: JUMPI 0000006c: JUMPDEST 0000006d: PUSH2 0x01db 00000070: PUSH1 0x07 00000072: SLOAD 00000073: PUSH1 0x00 00000075: SWAP1 00000076: PUSH1 0xff 00000078: AND 00000079: ISZERO 0000007a: PUSH2 0x02ec 0000007d: JUMPI 0000007e: PUSH2 0x0002 00000081: JUMP 00000082: JUMPDEST 00000083: PUSH2 0x01db 00000086: PUSH1 0x03 00000088: SLOAD 00000089: PUSH1 0x00 0000008b: SWAP1 0000008c: TIMESTAMP 0000008d: LT 0000008e: PUSH2 0x02e9 00000091: JUMPI 00000092: PUSH1 0x02 00000094: SLOAD 00000095: PUSH1 0x01 00000097: SLOAD 00000098: SWAP1 00000099: LT 0000009a: PUSH2 0x0394 0000009d: JUMPI 0000009e: PUSH1 0x02 000000a0: SLOAD 000000a1: DUP2 000000a2: SLOAD 000000a3: PUSH1 0x01 000000a5: PUSH1 0xa0 000000a7: PUSH1 0x02 000000a9: EXP 000000aa: SUB 000000ab: AND 000000ac: SWAP1 000000ad: DUP3 000000ae: SWAP1 000000af: PUSH1 0x60 000000b1: DUP3 000000b2: DUP2 000000b3: DUP2 000000b4: DUP2 000000b5: DUP6 000000b6: DUP9 000000b7: DUP4 000000b8: CALL 000000b9: POP 000000ba: PUSH1 0x40 000000bc: DUP1 000000bd: MLOAD 000000be: SWAP5 000000bf: DUP6 000000c0: MSTORE 000000c1: PUSH1 0x20 000000c3: DUP6 000000c4: ADD 000000c5: SWAP3 000000c6: SWAP1 000000c7: SWAP3 000000c8: MSTORE 000000c9: DUP4 000000ca: DUP3 000000cb: ADD 000000cc: SWAP3 000000cd: SWAP1 000000ce: SWAP3 000000cf: MSTORE 000000d0: MLOAD 000000d1: PUSH1 0x00 000000d3: DUP1 000000d4: MLOAD 000000d5: PUSH1 0x20 000000d7: PUSH2 0x050b 000000da: DUP4 000000db: CODECOPY 000000dc: DUP2 000000dd: MLOAD 000000de: SWAP2 000000df: MSTORE 000000e0: SWAP3 000000e1: DUP2 000000e2: SWAP1 000000e3: SUB 000000e4: SWAP1 000000e5: SWAP2 000000e6: ADD 000000e7: SWAP1 000000e8: LOG1 000000e9: JUMPDEST 000000ea: PUSH1 0x40 000000ec: MLOAD 000000ed: PUSH1 0x00 000000ef: DUP1 000000f0: SLOAD 000000f1: PUSH1 0x01 000000f3: PUSH1 0xa0 000000f5: PUSH1 0x02 000000f7: EXP 000000f8: SUB 000000f9: SWAP1 000000fa: DUP2 000000fb: AND 000000fc: SWAP3 000000fd: ADDRESS 000000fe: SWAP1 000000ff: SWAP2 00000100: AND 00000101: BALANCE 00000102: SWAP1 00000103: DUP3 00000104: DUP2 00000105: DUP2 00000106: DUP2 00000107: DUP6 00000108: DUP9 00000109: DUP4 0000010a: CALL 0000010b: POP 0000010c: POP 0000010d: PUSH1 0x07 0000010f: DUP1 00000110: SLOAD 00000111: PUSH1 0xff 00000113: NOT 00000114: AND 00000115: PUSH1 0x01 00000117: OR 00000118: SWAP1 00000119: SSTORE 0000011a: POP 0000011b: POP 0000011c: POP 0000011d: POP 0000011e: JUMP 0000011f: JUMPDEST 00000120: PUSH2 0x036a 00000123: PUSH1 0x03 00000125: SLOAD 00000126: DUP2 00000127: JUMP 00000128: JUMPDEST 00000129: PUSH2 0x0374 0000012c: PUSH1 0x00 0000012e: SLOAD 0000012f: PUSH1 0x01 00000131: PUSH1 0xa0 00000133: PUSH1 0x02 00000135: EXP 00000136: SUB 00000137: AND 00000138: DUP2 00000139: JUMP 0000013a: JUMPDEST 0000013b: PUSH2 0x0374 0000013e: PUSH1 0x05 00000140: SLOAD 00000141: PUSH1 0x01 00000143: PUSH1 0xa0 00000145: PUSH1 0x02 00000147: EXP 00000148: SUB 00000149: AND 0000014a: DUP2 0000014b: JUMP 0000014c: JUMPDEST 0000014d: PUSH2 0x036a 00000150: PUSH1 0x01 00000152: SLOAD 00000153: DUP2 00000154: JUMP 00000155: JUMPDEST 00000156: PUSH2 0x036a 00000159: PUSH1 0x02 0000015b: SLOAD 0000015c: DUP2 0000015d: JUMP 0000015e: JUMPDEST 0000015f: PUSH2 0x036a 00000162: PUSH1 0x04 00000164: SLOAD 00000165: DUP2 00000166: JUMP 00000167: JUMPDEST 00000168: PUSH2 0x0387 0000016b: PUSH1 0x04 0000016d: CALLDATALOAD 0000016e: PUSH1 0x06 00000170: DUP1 00000171: SLOAD 00000172: DUP3 00000173: SWAP1 00000174: DUP2 00000175: LT 00000176: ISZERO 00000177: PUSH2 0x0002 0000017a: JUMPI 0000017b: POP 0000017c: PUSH1 0x00 0000017e: MSTORE 0000017f: PUSH1 0x02 00000181: MUL 00000182: PUSH32 0xf652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d3f 000001a3: DUP2 000001a4: ADD 000001a5: SLOAD 000001a6: PUSH32 0xf652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d40 000001c7: SWAP2 000001c8: SWAP1 000001c9: SWAP2 000001ca: ADD 000001cb: SLOAD 000001cc: PUSH1 0x01 000001ce: PUSH1 0xa0 000001d0: PUSH1 0x02 000001d2: EXP 000001d3: SUB 000001d4: SWAP2 000001d5: SWAP1 000001d6: SWAP2 000001d7: AND 000001d8: SWAP1 000001d9: DUP3 000001da: JUMP 000001db: JUMPDEST 000001dc: STOP 000001dd: JUMPDEST 000001de: POP 000001df: POP 000001e0: POP 000001e1: DUP2 000001e2: SLOAD 000001e3: DUP2 000001e4: LT 000001e5: ISZERO 000001e6: PUSH2 0x0002 000001e9: JUMPI 000001ea: SWAP1 000001eb: PUSH1 0x00 000001ed: MSTORE 000001ee: PUSH1 0x20 000001f0: PUSH1 0x00 000001f2: KECCAK256 000001f3: SWAP1 000001f4: PUSH1 0x02 000001f6: MUL 000001f7: ADD 000001f8: PUSH1 0x00 000001fa: POP 000001fb: PUSH1 0x00 000001fd: DUP3 000001fe: ADD 000001ff: MLOAD 00000200: DUP2 00000201: PUSH1 0x00 00000203: ADD 00000204: PUSH1 0x00 00000206: PUSH2 0x0100 00000209: EXP 0000020a: DUP2 0000020b: SLOAD 0000020c: DUP2 0000020d: PUSH1 0x01 0000020f: PUSH1 0xa0 00000211: PUSH1 0x02 00000213: EXP 00000214: SUB 00000215: MUL 00000216: NOT 00000217: AND 00000218: SWAP1 00000219: DUP4 0000021a: MUL 0000021b: OR 0000021c: SWAP1 0000021d: SSTORE 0000021e: POP 0000021f: PUSH1 0x20 00000221: DUP3 00000222: ADD 00000223: MLOAD 00000224: DUP2 00000225: PUSH1 0x01 00000227: ADD 00000228: PUSH1 0x00 0000022a: POP 0000022b: SSTORE 0000022c: SWAP1 0000022d: POP 0000022e: POP 0000022f: DUP1 00000230: PUSH1 0x02 00000232: PUSH1 0x00 00000234: DUP3 00000235: DUP3 00000236: DUP3 00000237: POP 00000238: SLOAD 00000239: ADD 0000023a: SWAP3 0000023b: POP 0000023c: POP 0000023d: DUP2 0000023e: SWAP1 0000023f: SSTORE 00000240: POP 00000241: PUSH1 0x05 00000243: PUSH1 0x00 00000245: SWAP1 00000246: SLOAD 00000247: SWAP1 00000248: PUSH2 0x0100 0000024b: EXP 0000024c: SWAP1 0000024d: DIV 0000024e: PUSH1 0x01 00000250: PUSH1 0xa0 00000252: PUSH1 0x02 00000254: EXP 00000255: SUB 00000256: AND 00000257: PUSH1 0x01 00000259: PUSH1 0xa0 0000025b: PUSH1 0x02 0000025d: EXP 0000025e: SUB 0000025f: AND 00000260: PUSH4 0xa9059cbb 00000265: CALLER 00000266: PUSH1 0x04 00000268: PUSH1 0x00 0000026a: POP 0000026b: SLOAD 0000026c: DUP5 0000026d: DIV 0000026e: PUSH1 0x40 00000270: MLOAD 00000271: DUP4 00000272: PUSH1 0xe0 00000274: PUSH1 0x02 00000276: EXP 00000277: MUL 00000278: DUP2 00000279: MSTORE 0000027a: PUSH1 0x04 0000027c: ADD 0000027d: DUP1 0000027e: DUP4 0000027f: PUSH1 0x01 00000281: PUSH1 0xa0 00000283: PUSH1 0x02 00000285: EXP 00000286: SUB 00000287: AND 00000288: DUP2 00000289: MSTORE 0000028a: PUSH1 0x20 0000028c: ADD 0000028d: DUP3 0000028e: DUP2 0000028f: MSTORE 00000290: PUSH1 0x20 00000292: ADD 00000293: SWAP3 00000294: POP 00000295: POP 00000296: POP 00000297: PUSH1 0x00 00000299: PUSH1 0x40 0000029b: MLOAD 0000029c: DUP1 0000029d: DUP4 0000029e: SUB 0000029f: DUP2 000002a0: PUSH1 0x00 000002a2: DUP8 000002a3: PUSH2 0x61da 000002a6: GAS 000002a7: SUB 000002a8: CALL 000002a9: ISZERO 000002aa: PUSH2 0x0002 000002ad: JUMPI 000002ae: POP 000002af: POP 000002b0: PUSH1 0x40 000002b2: DUP1 000002b3: MLOAD 000002b4: PUSH1 0x01 000002b6: PUSH1 0xa0 000002b8: PUSH1 0x02 000002ba: EXP 000002bb: SUB 000002bc: CALLER 000002bd: AND 000002be: DUP2 000002bf: MSTORE 000002c0: PUSH1 0x20 000002c2: DUP2 000002c3: ADD 000002c4: DUP5 000002c5: SWAP1 000002c6: MSTORE 000002c7: PUSH1 0x01 000002c9: DUP2 000002ca: DUP4 000002cb: ADD 000002cc: MSTORE 000002cd: SWAP1 000002ce: MLOAD 000002cf: PUSH1 0x00 000002d1: DUP1 000002d2: MLOAD 000002d3: PUSH1 0x20 000002d5: PUSH2 0x050b 000002d8: DUP4 000002d9: CODECOPY 000002da: DUP2 000002db: MLOAD 000002dc: SWAP2 000002dd: MSTORE 000002de: SWAP3 000002df: POP 000002e0: SWAP1 000002e1: DUP2 000002e2: SWAP1 000002e3: SUB 000002e4: PUSH1 0x60 000002e6: ADD 000002e7: SWAP1 000002e8: LOG1 000002e9: JUMPDEST 000002ea: POP 000002eb: JUMP 000002ec: JUMPDEST 000002ed: POP 000002ee: PUSH1 0xa0 000002f0: PUSH1 0x40 000002f2: MSTORE 000002f3: CALLER 000002f4: PUSH1 0x60 000002f6: SWAP1 000002f7: DUP2 000002f8: MSTORE 000002f9: CALLVALUE 000002fa: PUSH1 0x80 000002fc: DUP2 000002fd: SWAP1 000002fe: MSTORE 000002ff: PUSH1 0x06 00000301: DUP1 00000302: SLOAD 00000303: PUSH1 0x01 00000305: DUP2 00000306: ADD 00000307: DUP1 00000308: DUP4 00000309: SSTORE 0000030a: SWAP3 0000030b: SWAP4 0000030c: SWAP3 0000030d: DUP3 0000030e: SWAP1 0000030f: DUP3 00000310: DUP1 00000311: ISZERO 00000312: DUP3 00000313: SWAP1 00000314: GT 00000315: PUSH2 0x01dd 00000318: JUMPI 00000319: PUSH1 0x02 0000031b: MUL 0000031c: DUP2 0000031d: PUSH1 0x02 0000031f: MUL 00000320: DUP4 00000321: PUSH1 0x00 00000323: MSTORE 00000324: PUSH1 0x20 00000326: PUSH1 0x00 00000328: KECCAK256 00000329: SWAP2 0000032a: DUP3 0000032b: ADD 0000032c: SWAP2 0000032d: ADD 0000032e: PUSH2 0x01dd 00000331: SWAP2 00000332: SWAP1 00000333: JUMPDEST 00000334: DUP1 00000335: DUP3 00000336: GT 00000337: ISZERO 00000338: PUSH2 0x0366 0000033b: JUMPI 0000033c: DUP1 0000033d: SLOAD 0000033e: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000353: NOT 00000354: AND 00000355: DUP2 00000356: SSTORE 00000357: PUSH1 0x00 00000359: PUSH1 0x01 0000035b: SWAP2 0000035c: SWAP1 0000035d: SWAP2 0000035e: ADD 0000035f: SWAP1 00000360: DUP2 00000361: SSTORE 00000362: PUSH2 0x0333 00000365: JUMP 00000366: JUMPDEST 00000367: POP 00000368: SWAP1 00000369: JUMP 0000036a: JUMPDEST 0000036b: PUSH1 0x60 0000036d: SWAP1 0000036e: DUP2 0000036f: MSTORE 00000370: PUSH1 0x20 00000372: SWAP1 00000373: RETURN 00000374: JUMPDEST 00000375: PUSH1 0x01 00000377: PUSH1 0xa0 00000379: PUSH1 0x02 0000037b: EXP 0000037c: SUB 0000037d: AND 0000037e: PUSH1 0x60 00000380: SWAP1 00000381: DUP2 00000382: MSTORE 00000383: PUSH1 0x20 00000385: SWAP1 00000386: RETURN 00000387: JUMPDEST 00000388: PUSH1 0x60 0000038a: SWAP2 0000038b: DUP3 0000038c: MSTORE 0000038d: PUSH1 0x80 0000038f: MSTORE 00000390: PUSH1 0x40 00000392: SWAP1 00000393: RETURN 00000394: JUMPDEST 00000395: PUSH1 0x60 00000397: DUP2 00000398: DUP2 00000399: MSTORE 0000039a: PUSH1 0x0b 0000039c: PUSH1 0x80 0000039e: MSTORE 0000039f: PUSH1 0xa0 000003a1: DUP3 000003a2: SWAP1 000003a3: MSTORE 000003a4: PUSH1 0x00 000003a6: DUP1 000003a7: MLOAD 000003a8: PUSH1 0x20 000003aa: PUSH2 0x050b 000003ad: DUP4 000003ae: CODECOPY 000003af: DUP2 000003b0: MLOAD 000003b1: SWAP2 000003b2: MSTORE 000003b3: SWAP1 000003b4: DUP1 000003b5: LOG1 000003b6: JUMPDEST 000003b7: PUSH1 0x06 000003b9: SLOAD 000003ba: DUP2 000003bb: LT 000003bc: ISZERO 000003bd: PUSH2 0x00e9 000003c0: JUMPI 000003c1: PUSH1 0x06 000003c3: DUP1 000003c4: SLOAD 000003c5: DUP3 000003c6: SWAP1 000003c7: DUP2 000003c8: LT 000003c9: ISZERO 000003ca: PUSH2 0x0002 000003cd: JUMPI 000003ce: PUSH1 0x00 000003d0: SWAP2 000003d1: DUP3 000003d2: MSTORE 000003d3: PUSH1 0x02 000003d5: MUL 000003d6: PUSH32 0xf652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d3f 000003f7: ADD 000003f8: SWAP1 000003f9: SWAP1 000003fa: SLOAD 000003fb: PUSH1 0x06 000003fd: DUP1 000003fe: SLOAD 000003ff: PUSH1 0x01 00000401: PUSH1 0xa0 00000403: PUSH1 0x02 00000405: EXP 00000406: SUB 00000407: SWAP3 00000408: SWAP1 00000409: SWAP3 0000040a: AND 0000040b: SWAP3 0000040c: SWAP2 0000040d: DUP5 0000040e: SWAP1 0000040f: DUP2 00000410: LT 00000411: ISZERO 00000412: PUSH2 0x0002 00000415: JUMPI 00000416: PUSH1 0x02 00000418: MUL 00000419: PUSH32 0xf652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d40 0000043a: ADD 0000043b: SLOAD 0000043c: PUSH1 0x40 0000043e: MLOAD 0000043f: SWAP1 00000440: SWAP2 00000441: POP 00000442: DUP3 00000443: DUP2 00000444: DUP2 00000445: DUP2 00000446: DUP6 00000447: DUP9 00000448: DUP4 00000449: CALL 0000044a: SWAP4 0000044b: POP 0000044c: POP 0000044d: POP 0000044e: POP 0000044f: POP 00000450: PUSH1 0x00 00000452: DUP1 00000453: MLOAD 00000454: PUSH1 0x20 00000456: PUSH2 0x050b 00000459: DUP4 0000045a: CODECOPY 0000045b: DUP2 0000045c: MLOAD 0000045d: SWAP2 0000045e: MSTORE 0000045f: PUSH1 0x06 00000461: PUSH1 0x00 00000463: POP 00000464: DUP3 00000465: DUP2 00000466: SLOAD 00000467: DUP2 00000468: LT 00000469: ISZERO 0000046a: PUSH2 0x0002 0000046d: JUMPI 0000046e: PUSH1 0x00 00000470: DUP3 00000471: SWAP1 00000472: MSTORE 00000473: PUSH1 0x02 00000475: MUL 00000476: PUSH32 0xf652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d3f 00000497: ADD 00000498: SLOAD 00000499: DUP2 0000049a: SLOAD 0000049b: PUSH1 0x01 0000049d: PUSH1 0xa0 0000049f: PUSH1 0x02 000004a1: EXP 000004a2: SUB 000004a3: SWAP2 000004a4: SWAP1 000004a5: SWAP2 000004a6: AND 000004a7: SWAP2 000004a8: SWAP1 000004a9: DUP5 000004aa: SWAP1 000004ab: DUP2 000004ac: LT 000004ad: ISZERO 000004ae: PUSH2 0x0002 000004b1: JUMPI 000004b2: PUSH1 0x02 000004b4: MUL 000004b5: PUSH32 0xf652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d40 000004d6: ADD 000004d7: SLOAD 000004d8: PUSH1 0x40 000004da: DUP1 000004db: MLOAD 000004dc: PUSH1 0x01 000004de: PUSH1 0xa0 000004e0: PUSH1 0x02 000004e2: EXP 000004e3: SUB 000004e4: SWAP5 000004e5: SWAP1 000004e6: SWAP5 000004e7: AND 000004e8: DUP5 000004e9: MSTORE 000004ea: PUSH1 0x20 000004ec: DUP5 000004ed: ADD 000004ee: SWAP2 000004ef: SWAP1 000004f0: SWAP2 000004f1: MSTORE 000004f2: PUSH1 0x00 000004f4: DUP4 000004f5: DUP3 000004f6: ADD 000004f7: MSTORE 000004f8: MLOAD 000004f9: SWAP2 000004fa: DUP3 000004fb: SWAP1 000004fc: SUB 000004fd: PUSH1 0x60 000004ff: ADD 00000500: SWAP2 00000501: SWAP1 00000502: POP 00000503: LOG1 00000504: PUSH1 0x01 00000506: ADD 00000507: PUSH2 0x03b6 0000050a: JUMP 0000050b: UNKNOWN(0xE8) 0000050c: TIMESTAMP 0000050d: UNKNOWN(0xAE) 0000050e: UNKNOWN(0xA7) 0000050f: UNKNOWN(0xA5) 00000510: CALL 00000511: UNKNOWN(0xB0) 00000512: LT 00000513: BLOBHASH 00000514: UNKNOWN(0xD7) 00000515: MSTORE 00000516: STOP 00000517: DUP13 00000518: MSTORE8 00000519: UNKNOWN(0xC5) 0000051a: UNKNOWN(0x28) 0000051b: SWAP1 0000051c: UNKNOWN(0xB1) 0000051d: UNKNOWN(0xA6) 0000051e: UNKNOWN(0xDA) 0000051f: UNKNOWN(0xF6) 00000520: PUSH1 0xcf 00000522: CODECOPY 00000523: UNKNOWN(0xE8) 00000524: UNKNOWN(0xEE) 00000525: UNKNOWN(0xC5) 00000526: MOD 00000527: GT 00000528: UNKNOWN(0x2B) 00000529: UNKNOWN(0xBD) 0000052a: UNKNOWN(0xF6)
Warning: This is a nightly build of Foundry. It is recommended to use the latest stable version. To mute this warning set `FOUNDRY_DISABLE_NIGHTLY_WARNING` in your environment.
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | other | detector | Untrusted CALL target/value reachable | 60 | yes | yes |
viewtrace_id: 0x71abaa6e1e60172ca2d68145de123726abdeb4ea1879a88a079741ef7df2434c
call_targets:
0x0e4c4d07ba172310ebe36622b03de3ebb6686c41, 0xba8ee7ba243a363d1995812121bc3fdfa6052785, 0xc22e0a99f696fbd240730b52984b6e78e3876206
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x71abaa6e1e60172ca2d68145de123726abdeb4ea1879a88a079741ef7df2434c",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0e4c4d07ba172310ebe36622b03de3ebb6686c41",
"0xba8ee7ba243a363d1995812121bc3fdfa6052785",
"0xc22e0a99f696fbd240730b52984b6e78e3876206"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x01cb3b20",
"selector": "0x01cb3b20",
"calldata_variants": [
"0x01cb3b20",
"0x01cb3b200000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x29dcb0cf",
"selector": "0x29dcb0cf",
"calldata_variants": [
"0x29dcb0cf",
"0x29dcb0cf0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x38af3eed",
"selector": "0x38af3eed",
"calldata_variants": [
"0x38af3eed",
"0x38af3eed0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x6e66f6e9",
"selector": "0x6e66f6e9",
"calldata_variants": [
"0x6e66f6e9",
"0x6e66f6e90000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x7a3a0e84",
"selector": "0x7a3a0e84",
"calldata_variants": [
"0x7a3a0e84",
"0x7a3a0e840000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x7b3e5e7b",
"selector": "0x7b3e5e7b",
"calldata_variants": [
"0x7b3e5e7b",
"0x7b3e5e7b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa035b1fe",
"selector": "0xa035b1fe",
"calldata_variants": [
"0xa035b1fe",
"0xa035b1fe0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xdc0d3dff",
"selector": "0xdc0d3dff",
"calldata_variants": [
"0xdc0d3dff",
"0xdc0d3dff0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 184,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 266,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 680,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 5,
"guards_detected": [],
"untrusted_call_count": 5
}
|
| high | other | detector | ETH value transfer possible | 55 | yes | yes |
viewtrace_id: 0x71abaa6e1e60172ca2d68145de123726abdeb4ea1879a88a079741ef7df2434c
call_targets:
0x0e4c4d07ba172310ebe36622b03de3ebb6686c41, 0xba8ee7ba243a363d1995812121bc3fdfa6052785, 0xc22e0a99f696fbd240730b52984b6e78e3876206
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x71abaa6e1e60172ca2d68145de123726abdeb4ea1879a88a079741ef7df2434c",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0e4c4d07ba172310ebe36622b03de3ebb6686c41",
"0xba8ee7ba243a363d1995812121bc3fdfa6052785",
"0xc22e0a99f696fbd240730b52984b6e78e3876206"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x01cb3b20",
"selector": "0x01cb3b20",
"calldata_variants": [
"0x01cb3b20",
"0x01cb3b200000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x29dcb0cf",
"selector": "0x29dcb0cf",
"calldata_variants": [
"0x29dcb0cf",
"0x29dcb0cf0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x38af3eed",
"selector": "0x38af3eed",
"calldata_variants": [
"0x38af3eed",
"0x38af3eed0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x6e66f6e9",
"selector": "0x6e66f6e9",
"calldata_variants": [
"0x6e66f6e9",
"0x6e66f6e90000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x7a3a0e84",
"selector": "0x7a3a0e84",
"calldata_variants": [
"0x7a3a0e84",
"0x7a3a0e840000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x7b3e5e7b",
"selector": "0x7b3e5e7b",
"calldata_variants": [
"0x7b3e5e7b",
"0x7b3e5e7b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa035b1fe",
"selector": "0xa035b1fe",
"calldata_variants": [
"0xa035b1fe",
"0xa035b1fe0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xdc0d3dff",
"selector": "0xdc0d3dff",
"calldata_variants": [
"0xdc0d3dff",
"0xdc0d3dff0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 184,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 266,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 680,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 5,
"guards_detected": []
}
|
| high | reentrancy | codex | Refund finalization is reentrant before the contract is marked closed | 85 | no | — |
viewevidence_json{
"evidence": "The only observed close/finalized bit is the low byte of slot7: it gates the payable fallback at pc 0x6c and is only written at pc 0x119. In selector 0x01cb3b20, the slot2 < slot1 branch jumps to pc 0x394 and then loops from pc 0x3b6, performing a value-bearing CALL at pc 0x449 to addresses loaded from the slot6-backed array, with no storage update that marks an entry refunded before the call.",
"locations": [
"selector:0x01cb3b20",
"pc:0x3b6",
"pc:0x449",
"pc:0x119",
"pc:0x6c"
],
"recommendation": "Set the finalized/refunding state before any external call, mark each refund as consumed before sending value, and prefer pull-based withdrawals or a reentrancy guard around the finalize/refund path.",
"exploit_scenario": "A malicious contributor can first enter through the empty-calldata payable path so their address/value are stored in the slot6-backed contributor array. After the time gate has passed and the contract takes the refund branch, selector 0x01cb3b20 iterates that array and sends ETH to each contributor at pc 0x449 before the slot7 close flag is set at pc 0x119. The recipient can reenter 0x01cb3b20 from its fallback and reach the same refund logic again, collecting the same refund multiple times until the contract balance is exhausted."
}
|
| high | other | codex | Failed refund calls are ignored and residual ETH is swept to slot0 | 85 | no | — |
viewevidence_json{
"evidence": "The refund loop CALL at pc 0x449 is followed by stack cleanup and logging, not by a success-dependent branch. Loop exit at pc 0x3bd jumps directly to pc 0x00e9, where slot0 is loaded and ADDRESS/BALANCE are used for another CALL at pc 0x10a. The earlier CALL at pc 0xb8 is also unchecked, so the finalize path generally assumes success without proof.",
"locations": [
"selector:0x01cb3b20",
"pc:0x449",
"pc:0x3bd",
"pc:0x10a",
"pc:0xb8"
],
"recommendation": "Check the success of each refund call and record failed refunds as withdrawable balances instead of continuing. Do not sweep residual ETH to slot0 until all refunds are either completed or safely escrowed.",
"exploit_scenario": "If a contributor's refund call fails or reverts, the loop continues without reverting and without preserving a claimable refund. When the loop finishes, control jumps to pc 0x00e9 and the contract sends its remaining balance to the slot0 address at pc 0x10a. A reverting recipient can therefore lose its refund while the leftover ETH is redirected to slot0."
}
|
| medium | other | codex | Payable fallback appears to accept contributions after the time gate | 75 | no | — |
viewevidence_json{
"evidence": "The empty-calldata path at pc 0x6c checks slot7 and jumps to the contribution routine at pc 0x2ec with no TIMESTAMP comparison. By contrast, selector 0x01cb3b20 compares slot3 against TIMESTAMP at pc 0x83-0x8e before allowing finalization behavior. This deadline interpretation is still bytecode-level inference, but it is strongly suggested by the control flow.",
"locations": [
"pc:0x6c",
"pc:0x2ec",
"selector:0x01cb3b20",
"pc:0x83",
"pc:0x8c"
],
"recommendation": "Mirror the deadline and any funding-status checks in the payable fallback/receive path so contributions are rejected once the funding window has ended.",
"exploit_scenario": "If slot3 is intended to be the funding deadline, users can still send empty-calldata ETH transfers after that timestamp because the fallback path only checks slot7 and then appends the sender/value to the contributor array. Late deposits keep increasing the slot2 total and can change whether finalization goes down the refund branch or the payout branch."
}
|