019b3836-356e-733b-b631-4f1e1b0cfb47
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 3421 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 3422 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 46548 | analysis.bundle | complete | 1 / 3 | 1 week ago |
| 46549 | capability.graph | complete | 1 / 3 | 1 week ago |
| 46550 | detector.run | complete | 1 / 3 | 1 week ago |
| 46551 | validation.fork | complete | 1 / 3 | 1 week ago |
| 113266 | report.consolidate | complete | 1 / 6 | 1 week ago |
No slither job recorded yet.
{"no_findings":false,"summary":"I reviewed `BYTECODE_BUNDLE.json` and the runtime looks like a small legacy ERC20-like token with inferred selectors `name`, `symbol`, `decimals`, `balanceOf`, and `transfer`. I did not treat the detector's `CALL` findings at `pc:0x1a7` as a confirmed vulnerability: the surrounding bytecode is consistent with an old Solidity dynamic-bytes copy helper that calls precompile `0x04` (identity), and the bundle shows no `DELEGATECALL`, proxy pattern, or obvious privileged upgrade path. The meaningful issues are low-severity legacy-behavior risks around ETH acceptance and silent-success / no-return semantics.","findings":[{"severity":"low","category":"other","title":"Contract appears to accept ETH but exposes no visible recovery path","exploit_scenario":"Because the runtime has no non-payable `CALLVALUE` checks, a user or integrating contract can send ETH to this token contract by mistake, either with empty calldata or alongside a token method call. The call will succeed, but no selector in the bundle suggests an owner-only rescue or withdrawal path, so the ETH may be permanently trapped.","recommendation":"If this contract can be changed, reject nonzero `msg.value` on all token functions and revert in the fallback/receive path. If it is immutable, document clearly that ETH must never be sent here and consider operational monitoring for accidental deposits.","evidence":"The dispatcher falls through to `STOP` at `pc:0x45` for unknown selectors / plain calls, and the runtime bytecode contains no visible `CALLVALUE` guard at the dispatcher or inferred function entries. The bytecode bundle marks `is_proxy=false`, shows no `SELFDESTRUCT`, and infers only five token-style selectors, with no visible withdrawal selector.","locations":["pc:0x0","pc:0x45"]},{"severity":"low","category":"other","title":"Legacy silent-success semantics can mislead integrations","exploit_scenario":"An integrating contract that uses low-level calls and treats only the EVM success flag as authoritative can be misled by this token. Unsupported selectors fall into a successful `STOP`, and the inferred `transfer(address,uint256)` path updates storage then halts without returning the standard ABI-encoded `bool`. Depending on the caller's assumptions, this can cause stale approvals, phantom success, or accounting mismatches at the integration layer.","recommendation":"Integrations should use compatibility wrappers that tolerate no-return tokens only for known methods and should verify expected returndata for other token operations. If the contract is mutable, make the fallback revert and return an explicit `true` from `transfer`.","evidence":"Selector `0xa9059cbb` dispatches to `pc:0x123`; after the balance updates and `Transfer` log, control returns to `pc:0x45` (`STOP`) instead of writing and returning a boolean. The default dispatcher path also ends at the same `STOP`, so unknown selectors succeed with empty returndata rather than reverting.","locations":["selector:0xa9059cbb","pc:0x123","pc:0x45"]}]}
OpenAI Codex v0.118.0 (research preview)
--------
workdir: /tmp/codex-qz7vio0a
model: gpt-5.4
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: none
session id: 019d5bd9-7e0d-7a32-89c0-dd39d47364ed
--------
user
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
warning: Codex could not find system bubblewrap on PATH. Please install bubblewrap with your package manager. Codex will use the vendored bubblewrap in the meantime.
exec
/bin/bash -lc 'rg --files' in /tmp/codex-qz7vio0a
succeeded in 0ms:
BYTECODE_BUNDLE.json
codex-output-schema.json
exec
/bin/bash -lc pwd in /tmp/codex-qz7vio0a
succeeded in 0ms:
/tmp/codex-qz7vio0a
exec
/bin/bash -lc "sed -n '1,260p' BYTECODE_BUNDLE.json" in /tmp/codex-qz7vio0a
succeeded in 0ms:
{
"analysis_artifact": {
"address": "0x08b54d4f5877ee091e31e92523b9791df9efce93",
"artifact_hash": "0xff66b52ab72621c0811f0b0776659bee4592040493e489fb493cb83fe07354c1",
"artifact_json": {
"auth": {
"guards": []
},
"basic_blocks": [
{
"end_pc": 24,
"hash": "0x6a350686911b120d699f8e8d1e9440d4ce17c4434492baee43484e2ef083a112",
"opcodes": [
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"PUSH1",
"EXP",
"PUSH1",
"CALLDATALOAD",
"DIV",
"PUSH4",
"OP_81",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 0
},
{
"end_pc": 35,
"hash": "0x09fc75e3aa8fb02b98e24881cc463925488c7dfa7ef308570a5930c5c420c614",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 25
},
{
"end_pc": 46,
"hash": "0x976103db32485bde438fb5c3f9f54ee02f48623f2e3b08249411cd4aee3c334a",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 36
},
{
"end_pc": 57,
"hash": "0x3c19c073e27395dc44272beb525b6373ad140a4045aabbd1b653e498e1806824",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 47
},
{
"end_pc": 68,
"hash": "0x3a122683470ea7901e31e80e6378780a829a06da64b04e691b5d5c5621392507",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 58
},
{
"end_pc": 70,
"hash": "0x55afd043d32294d5f0189f5a0aa04f3174e4c087a31c85396f49b5f17813cb96",
"opcodes": [
"JUMPDEST",
"STOP"
],
"start_pc": 69
},
{
"end_pc": 136,
"hash": "0xf40449b02dac3d8f47855034813de568b98c652f9830a133b3073a9873212a05",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"OP_80",
"SLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"OP_83",
"AND",
"ISZERO",
"PUSH2",
"MUL",
"PUSH1",
"NOT",
"ADD",
"OP_90",
"OP_92",
"AND",
"OP_91",
"OP_90",
"OP_91",
"DIV",
"PUSH1",
"OP_81",
"ADD",
"OP_82",
"OP_90",
"DIV",
"OP_90",
"OP_91",
"MUL",
"PUSH1",
"OP_90",
"OP_81",
"ADD",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_82",
"OP_81",
"MSTORE",
"OP_92",
"OP_91",
"OP_90",
"OP_82",
"OP_82",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 71
},
{
"end_pc": 144,
"hash": "0x7a355623b8b883b4699f46760b468c692676e190c7e929634fc8cc91b960e828",
"opcodes": [
"OP_80",
"PUSH1",
"LT",
"PUSH2",
"JUMPI"
],
"start_pc": 137
},
{
"end_pc": 163,
"hash": "0xecf2c5af628c9d14e5484dd92b242b3443b71f5fbb56ef3bb6d6ecc43488b865",
"opcodes": [
"PUSH2",
"OP_80",
"OP_83",
"SLOAD",
"DIV",
"MUL",
"OP_83",
"MSTORE",
"OP_91",
"PUSH1",
"ADD",
"OP_91",
"PUSH2",
"JUMP"
],
"start_pc": 145
},
{
"end_pc": 175,
"hash": "0xf62eccf39e21b0e7c82cfcb3b9161109c9cde5dd5c779dfdf9d7973b15a1f6f4",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"SLOAD",
"PUSH1",
"AND",
"OP_81",
"JUMP"
],
"start_pc": 164
},
{
"end_pc": 199,
"hash": "0x05f97e1fd71d0e615e61d36d6d9fc9f3a8acf10fd5fb739c2455360490997f41",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"OP_90",
"SHA3",
"SLOAD",
"OP_81",
"JUMP"
],
"start_pc": 176
},
{
"end_pc": 263,
"hash": "0x3b9a3c0e7fbbf4ecb17a787b5a04fc83590949a51a6fd3d3f767311abf7a0c87",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"OP_80",
"SLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"PUSH1",
"NOT",
"PUSH2",
"OP_85",
"OP_87",
"AND",
"ISZERO",
"MUL",
"ADD",
"OP_90",
"OP_93",
"AND",
"OP_92",
"OP_90",
"OP_92",
"DIV",
"OP_91",
"OP_82",
"ADD",
"OP_81",
"OP_90",
"DIV",
"MUL",
"PUSH1",
"OP_90",
"OP_81",
"ADD",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_82",
exec
/bin/bash -lc "sed -n '261,520p' BYTECODE_BUNDLE.json" in /tmp/codex-qz7vio0a
succeeded in 0ms:
"OP_81",
"MSTORE",
"OP_92",
"OP_91",
"OP_90",
"OP_82",
"OP_82",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 200
},
{
"end_pc": 271,
"hash": "0x7090146e9b5fc2309802dbb79ccb9ee86583359c5c3be96451826d65ecdc85ad",
"opcodes": [
"OP_80",
"PUSH1",
"LT",
"PUSH2",
"JUMPI"
],
"start_pc": 264
},
{
"end_pc": 290,
"hash": "0x10fb4a62e31f9d523fba9e254b0a1cdf4088252f3ab9207bbb88b56ad78999f5",
"opcodes": [
"PUSH2",
"OP_80",
"OP_83",
"SLOAD",
"DIV",
"MUL",
"OP_83",
"MSTORE",
"OP_91",
"PUSH1",
"ADD",
"OP_91",
"PUSH2",
"JUMP"
],
"start_pc": 272
},
{
"end_pc": 333,
"hash": "0xd2efc930fda1fda27663cef7ff064d3b5644e25c73944457c5b247a2a2b5ebc0",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"CALLER",
"AND",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_90",
"SHA3",
"SLOAD",
"OP_81",
"OP_90",
"LT",
"OP_80",
"PUSH2",
"JUMPI"
],
"start_pc": 291
},
{
"end_pc": 358,
"hash": "0x0cb281f02dafac7bc5747ea2ef6cc0ac9cd79b706be48c09434fe236d62304c0",
"opcodes": [
"POP",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"OP_82",
"AND",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"OP_90",
"SHA3",
"SLOAD",
"OP_80",
"OP_82",
"ADD",
"LT"
],
"start_pc": 334
},
{
"end_pc": 364,
"hash": "0x4814088d1abceba7bce3d4b5b89f161d17c093265433f37367be8adf0dc5d9aa",
"opcodes": [
"JUMPDEST",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 359
},
{
"end_pc": 368,
"hash": "0xac36dca57ddb5fc789957ffad51730f7f53229ca3982b5d74ea2101757b9905f",
"opcodes": [
"PUSH2",
"JUMP"
],
"start_pc": 365
},
{
"end_pc": 439,
"hash": "0x4a2fafd97023c8a8f31f1ac7c9d6df99ecfea6a6c1f4b93506db3ef9cb749e5e",
"opcodes": [
"JUMPDEST",
"PUSH1",
"MLOAD",
"OP_80",
"OP_80",
"PUSH1",
"ADD",
"OP_82",
"OP_81",
"SUB",
"OP_82",
"MSTORE",
"OP_83",
"OP_81",
"OP_81",
"MLOAD",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP",
"OP_80",
"MLOAD",
"OP_90",
"PUSH1",
"ADD",
"OP_90",
"OP_80",
"OP_83",
"OP_83",
"OP_82",
"OP_90",
"PUSH1",
"PUSH1",
"PUSH1",
"OP_84",
"PUSH1",
"ADD",
"DIV",
"PUSH1",
"MUL",
"PUSH1",
"ADD",
"CALL",
"POP",
"OP_90",
"POP",
"OP_90",
"OP_81",
"ADD",
"OP_90",
"PUSH1",
"AND",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 369
},
{
"end_pc": 464,
"hash": "0xebb6ccfb60657a2ed3d1a377dfa457bf2b13b45b75c03c3302572d286824ebdf",
"opcodes": [
"OP_80",
"OP_82",
"SUB",
"OP_80",
"MLOAD",
"PUSH1",
"OP_83",
"PUSH1",
"SUB",
"PUSH2",
"EXP",
"SUB",
"NOT",
"AND",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP"
],
"start_pc": 440
},
{
"end_pc": 478,
"hash": "0xd8b1d5b723eaa7895bcb21e965231688c1662a1902dec4aabd2354f749c4df07",
"opcodes": [
"JUMPDEST",
"POP",
"OP_92",
"POP",
"POP",
"POP",
"PUSH1",
"MLOAD",
"OP_80",
"OP_91",
"SUB",
"OP_90",
"RETURN"
],
"start_pc": 465
},
{
"end_pc": 488,
"hash": "0x672c26154dc00d7172790e8e1de59fd7d9ca445474687406424f70df4450fe25",
"opcodes": [
"JUMPDEST",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"OP_90",
"RETURN"
],
"start_pc": 479
},
{
"end_pc": 502,
exec
/bin/bash -lc "sed -n '521,780p' BYTECODE_BUNDLE.json" in /tmp/codex-qz7vio0a
succeeded in 0ms:
"hash": "0x7bde65d6a9816da073cced29f6f34d22c241ed00ffe7e5bdc351d09cf32af2b7",
"opcodes": [
"JUMPDEST",
"OP_82",
"ADD",
"OP_91",
"OP_90",
"PUSH1",
"MSTORE",
"PUSH1",
"PUSH1",
"SHA3",
"OP_90"
],
"start_pc": 489
},
{
"end_pc": 522,
"hash": "0xe65d9d6443f3a673e82c38fd7dd0017f03525f100e05bc5fcf0baddb948cdeb4",
"opcodes": [
"JUMPDEST",
"OP_81",
"SLOAD",
"OP_81",
"MSTORE",
"OP_90",
"PUSH1",
"ADD",
"OP_90",
"PUSH1",
"ADD",
"OP_80",
"OP_83",
"GT",
"PUSH2",
"JUMPI"
],
"start_pc": 503
},
{
"end_pc": 531,
"hash": "0xaa71a205054de33589ec835473fdc578d8c5d518fbca97c609b111c4b5d7237f",
"opcodes": [
"OP_82",
"OP_90",
"SUB",
"PUSH1",
"AND",
"OP_82",
"ADD",
"OP_91"
],
"start_pc": 523
},
{
"end_pc": 539,
"hash": "0xb6701d2440ac796fa26fd00c5144c1da1ea113aa11d54563da929fd75db3e96a",
"opcodes": [
"JUMPDEST",
"POP",
"POP",
"POP",
"POP",
"POP",
"OP_81",
"JUMP"
],
"start_pc": 532
},
{
"end_pc": 712,
"hash": "0x1bf824d37500e40fbaa54fddc78cc7c83681f362412140bde6c660277afad52a",
"opcodes": [
"JUMPDEST",
"OP_80",
"PUSH1",
"PUSH1",
"POP",
"PUSH1",
"CALLER",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"AND",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"PUSH1",
"SHA3",
"PUSH1",
"OP_82",
"OP_82",
"OP_82",
"POP",
"SLOAD",
"SUB",
"OP_92",
"POP",
"POP",
"OP_81",
"OP_90",
"SSTORE",
"POP",
"OP_80",
"PUSH1",
"PUSH1",
"POP",
"PUSH1",
"OP_84",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"AND",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"PUSH1",
"SHA3",
"PUSH1",
"OP_82",
"OP_82",
"OP_82",
"POP",
"SLOAD",
"ADD",
"OP_92",
"POP",
"POP",
"OP_81",
"OP_90",
"SSTORE",
"POP",
"OP_81",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"AND",
"CALLER",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"AND",
"PUSH32",
"OP_83",
"PUSH1",
"MLOAD",
"OP_80",
"OP_82",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP",
"POP",
"PUSH1",
"MLOAD",
"OP_80",
"OP_91",
"SUB",
"OP_90",
"OP_A3",
"POP",
"POP",
"JUMP"
],
"start_pc": 540
}
],
"callsites": [
{
"opcode": "CALL",
"pc": 423,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"cfg_edges": [
{
"from": "bb:0",
"to": "bb:71",
"type": "control_flow"
},
{
"from": "bb:0",
"to": "bb:25",
"type": "control_flow_fallthrough"
},
{
"from": "bb:25",
"to": "bb:164",
"type": "control_flow"
},
{
"from": "bb:25",
"to": "bb:36",
"type": "control_flow_fallthrough"
},
{
"from": "bb:36",
"to": "bb:176",
"type": "control_flow"
},
{
"from": "bb:36",
"to": "bb:47",
"type": "control_flow_fallthrough"
},
{
"from": "bb:47",
"to": "bb:200",
"type": "control_flow"
},
{
"from": "bb:47",
"to": "bb:58",
"type": "control_flow_fallthrough"
},
{
"from": "bb:58",
"to": "bb:291",
"type": "control_flow"
},
{
"from": "bb:58",
"to": "bb:69",
"type": "control_flow_fallthrough"
},
{
"from": "bb:71",
"to": "bb:532",
"type": "control_flow"
},
{
"from": "bb:71",
"to": "bb:137",
"type": "control_flow_fallthrough"
},
{
exec
/bin/bash -lc "sed -n '781,1040p' BYTECODE_BUNDLE.json" in /tmp/codex-qz7vio0a
succeeded in 0ms:
"from": "bb:137",
"to": "bb:489",
"type": "control_flow"
},
{
"from": "bb:137",
"to": "bb:145",
"type": "control_flow_fallthrough"
},
{
"from": "bb:145",
"to": "bb:532",
"type": "control_flow"
},
{
"from": "bb:200",
"to": "bb:532",
"type": "control_flow"
},
{
"from": "bb:200",
"to": "bb:264",
"type": "control_flow_fallthrough"
},
{
"from": "bb:264",
"to": "bb:489",
"type": "control_flow"
},
{
"from": "bb:264",
"to": "bb:272",
"type": "control_flow_fallthrough"
},
{
"from": "bb:272",
"to": "bb:532",
"type": "control_flow"
},
{
"from": "bb:291",
"to": "bb:359",
"type": "control_flow"
},
{
"from": "bb:291",
"to": "bb:334",
"type": "control_flow_fallthrough"
},
{
"from": "bb:334",
"to": "bb:359",
"type": "control_flow_fallthrough"
},
{
"from": "bb:359",
"to": "bb:540",
"type": "control_flow"
},
{
"from": "bb:359",
"to": "bb:365",
"type": "control_flow_fallthrough"
},
{
"from": "bb:369",
"to": "bb:465",
"type": "control_flow"
},
{
"from": "bb:369",
"to": "bb:440",
"type": "control_flow_fallthrough"
},
{
"from": "bb:440",
"to": "bb:465",
"type": "control_flow_fallthrough"
},
{
"from": "bb:489",
"to": "bb:503",
"type": "control_flow_fallthrough"
},
{
"from": "bb:503",
"to": "bb:503",
"type": "control_flow"
},
{
"from": "bb:503",
"to": "bb:523",
"type": "control_flow_fallthrough"
},
{
"from": "bb:523",
"to": "bb:532",
"type": "control_flow_fallthrough"
}
],
"cfg_hash": "0x62bc9d91060a7d906e3ed62fa92d1796a7bd561a18943a9a9e8c6074c19a14b8",
"dispatcher_type": "selector_jump_table",
"function_entries": [
{
"entry_pc": null,
"selector": "0x06fdde03"
},
{
"entry_pc": 1889567281,
"selector": "0x313ce567"
},
{
"entry_pc": 2514000705,
"selector": "0x70a08231"
},
{
"entry_pc": 2835717307,
"selector": "0x95d89b41"
},
{
"entry_pc": null,
"selector": "0xa9059cbb"
}
],
"functions": [
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0x06fdde03",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 1889567281,
"selector": "0x313ce567",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 2514000705,
"selector": "0x70a08231",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
exec
/bin/bash -lc "sed -n '1041,1320p' BYTECODE_BUNDLE.json" in /tmp/codex-qz7vio0a
succeeded in 0ms:
},
"entry_pc": 2835717307,
"selector": "0x95d89b41",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0xa9059cbb",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
}
],
"selectors": [
"0x06fdde03",
"0x313ce567",
"0x70a08231",
"0x95d89b41",
"0xa9059cbb"
],
"sinks": {
"call": 1,
"create": 0,
"create2": 0,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0,
"upgrade_slot_write_suspected": false
},
"storage": {
"keccak_count": 6,
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
},
"version": "analysis_artifact_v1"
},
"block_number": null,
"chain_id": 1,
"codehash": "0x000d13dda2843fe929be00661f96552e3f1e851c177f0c270f65088f35b0c09b",
"created_at": "2026-04-04T19:55:47.000000Z",
"id": 2294,
"updated_at": "2026-04-04T19:55:47.000000Z",
"version": "analysis_artifact_v1"
},
"analysis_run": {
"address": "0x08b54d4f5877ee091e31e92523b9791df9efce93",
"block_number": null,
"chain_id": 1,
"child_links": [],
"created_at": "2025-12-19T20:03:55.000000Z",
"id": "019b3836-356e-733b-b631-4f1e1b0cfb47",
"parent_links": [],
"status": "running",
"updated_at": "2026-04-04T19:55:47.000000Z"
},
"artifact": {
"codehash": "0x000d13dda2843fe929be00661f96552e3f1e851c177f0c270f65088f35b0c09b",
"compiler_json": {
"etherscan": {
"skipped": true
}
},
"implementation_address": null,
"is_proxy": false,
"runtime_bytecode": {
"full": "0x606060405260e060020a600035046306fdde038114610047578063313ce567146100a457806370a08231146100b057806395d89b41146100c8578063a9059cbb14610123575b005b61017160008054602060026001831615610100026000190190921691909104601f810182900490910260809081016040526060828152929190828280156102145780601f106101e957610100808354040283529160200191610214565b6101df60025460ff1681565b6101df60043560036020526000908152604090205481565b610171600180546020601f6002600019610100858716150201909316929092049182018190040260809081016040526060828152929190828280156102145780601f106101e957610100808354040283529160200191610214565b610045600435602435600160a060020a033316600090815260036020526040902054819010806101675750600160a060020a03821660009081526040902054808201105b1561021c57610002565b60405180806020018281038252838181518152602001915080519060200190808383829060006004602084601f0104600f02600301f150905090810190601f1680156101d15780820380516001836020036101000a031916815260200191505b509250505060405180910390f35b6060908152602090f35b820191906000526020600020905b8154815290600101906020018083116101f757829003601f168201915b505050505081565b806003600050600033600160a060020a03168152602001908152602001600020600082828250540392505081905550806003600050600084600160a060020a0316815260200190815260200160002060008282825054019250508190555081600160a060020a031633600160a060020a03167fddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef836040518082815260200191505060405180910390a3505056",
"head": null,
"length": 1428,
"tail": null,
"truncated": false
},
"verified_source": false
},
"capability_graph": {
"address": "0x08b54d4f5877ee091e31e92523b9791df9efce93",
"block_number": null,
"chain_id": 1,
"codehash": "0x000d13dda2843fe929be00661f96552e3f1e851c177f0c270f65088f35b0c09b",
"created_at": "2026-04-04T19:55:47.000000Z",
"graph_hash": "0x8de325a24b2afd792ab9a468e6edee3adedaa775bc08e5d275cefe9a3b40f325",
"graph_json": {
"edges": [
{
"from": "bb:0",
"to": "bb:71",
"type": "control_flow"
},
{
"from": "bb:0",
"to": "bb:25",
"type": "control_flow_fallthrough"
},
{
"from": "bb:25",
"to": "bb:164",
"type": "control_flow"
},
{
"from": "bb:25",
"to": "bb:36",
"type": "control_flow_fallthrough"
},
{
"from": "bb:36",
"to": "bb:176",
"type": "control_flow"
},
{
"from": "bb:36",
"to": "bb:47",
"type": "control_flow_fallthrough"
},
{
"from": "bb:47",
"to": "bb:200",
"type": "control_flow"
},
{
"from": "bb:47",
"to": "bb:58",
"type": "control_flow_fallthrough"
},
{
"from": "bb:58",
"to": "bb:291",
"type": "control_flow"
},
{
"from": "bb:58",
"to": "bb:69",
"type": "control_flow_fallthrough"
},
{
"from": "bb:71",
"to": "bb:532",
"type": "control_flow"
},
{
"from": "bb:71",
"to": "bb:137",
"type": "control_flow_fallthrough"
},
{
"from": "bb:137",
"to": "bb:489",
"type": "control_flow"
},
{
"from": "bb:137",
"to": "bb:145",
"type": "control_flow_fallthrough"
},
{
"from": "bb:145",
"to": "bb:532",
"type": "control_flow"
},
{
"from": "bb:200",
"to": "bb:532",
"type": "control_flow"
},
{
"from": "bb:200",
"to": "bb:264",
"type": "control_flow_fallthrough"
},
{
"from": "bb:264",
"to": "bb:489",
"type": "control_flow"
},
{
"from": "bb:264",
"to": "bb:272",
"type": "control_flow_fallthrough"
},
{
"from": "bb:272",
"to": "bb:532",
exec
/bin/bash -lc "rg -n 'detector|finding|evidence|proxy|delegatecall|CALL|SSTORE|SLOAD|slot|selector|transfer|approve|totalSupply|balanceOf|name|symbol|decimals|revert|callsite' BYTECODE_BUNDLE.json" in /tmp/codex-qz7vio0a
succeeded in 0ms:
21: "CALLDATALOAD",
96: "SLOAD",
165: "SLOAD",
186: "SLOAD",
201: "CALLDATALOAD",
212: "SLOAD",
226: "SLOAD",
294: "SLOAD",
315: "CALLDATALOAD",
317: "CALLDATALOAD",
323: "CALLER",
335: "SLOAD",
364: "SLOAD",
440: "CALL",
543: "SLOAD",
600: "CALLER",
623: "SLOAD",
630: "SSTORE",
660: "SLOAD",
667: "SSTORE",
676: "CALLER",
710: "callsites": [
712: "opcode": "CALL",
882: "dispatcher_type": "selector_jump_table",
886: "selector": "0x06fdde03"
890: "selector": "0x313ce567"
894: "selector": "0x70a08231"
898: "selector": "0x95d89b41"
902: "selector": "0xa9059cbb"
911: "selector": "0x06fdde03",
914: "delegatecall": 0,
920: "slots": [
922: "op": "SLOAD",
924: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
927: "op": "SLOAD",
929: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
932: "op": "SLOAD",
934: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
937: "op": "SLOAD",
939: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
942: "op": "SLOAD",
944: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
955: "selector": "0x313ce567",
958: "delegatecall": 0,
964: "slots": [
966: "op": "SLOAD",
968: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
971: "op": "SLOAD",
973: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
976: "op": "SLOAD",
978: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
981: "op": "SLOAD",
983: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
986: "op": "SLOAD",
988: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
999: "selector": "0x70a08231",
1002: "delegatecall": 0,
1008: "slots": [
1010: "op": "SLOAD",
1012: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1015: "op": "SLOAD",
1017: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1020: "op": "SLOAD",
1022: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
1025: "op": "SLOAD",
1027: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
1030: "op": "SLOAD",
1032: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1043: "selector": "0x95d89b41",
1046: "delegatecall": 0,
1052: "slots": [
1054: "op": "SLOAD",
1056: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1059: "op": "SLOAD",
1061: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1064: "op": "SLOAD",
1066: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
1069: "op": "SLOAD",
1071: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
1074: "op": "SLOAD",
1076: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1087: "selector": "0xa9059cbb",
1090: "delegatecall": 0,
1096: "slots": [
1098: "op": "SLOAD",
1100: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1103: "op": "SLOAD",
1105: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1108: "op": "SLOAD",
1110: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
1113: "op": "SLOAD",
1115: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
1118: "op": "SLOAD",
1120: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1127: "selectors": [
1138: "delegatecall": 0,
1141: "upgrade_slot_write_suspected": false
1146: "slots": [
1148: "op": "SLOAD",
1150: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1153: "op": "SLOAD",
1155: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1158: "op": "SLOAD",
1160: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
1163: "op": "SLOAD",
1165: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
1168: "op": "SLOAD",
1170: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1204: "is_proxy": false,
1601: "opcode": "CALL",
1603: "type": "callsite"
1612: "selector": "0x06fdde03",
1618: "selector": "0x313ce567",
1624: "selector": "0x70a08231",
1630: "selector": "0x95d89b41",
1636: "selector": "0xa9059cbb",
1646: "detector_findings": [
1649: "evidence_json": {
1653: "opcode": "CALL",
1664: "sink": "CALL"
1667: "title": "Untrusted CALL target/value reachable",
1679: "sink": "CALL",
1688: "evidence_json": {
1692: "opcode": "CALL",
1702: "sink": "CALL",
1706: "title": "ETH value transfer possible",
1718: "sink": "CALL",
1728: "delegatecall_count": 0,
exec
/bin/bash -lc "sed -n '1321,1800p' BYTECODE_BUNDLE.json" in /tmp/codex-qz7vio0a
succeeded in 0ms:
"type": "control_flow"
},
{
"from": "bb:291",
"to": "bb:359",
"type": "control_flow"
},
{
"from": "bb:291",
"to": "bb:334",
"type": "control_flow_fallthrough"
},
{
"from": "bb:334",
"to": "bb:359",
"type": "control_flow_fallthrough"
},
{
"from": "bb:359",
"to": "bb:540",
"type": "control_flow"
},
{
"from": "bb:359",
"to": "bb:365",
"type": "control_flow_fallthrough"
},
{
"from": "bb:369",
"to": "bb:465",
"type": "control_flow"
},
{
"from": "bb:369",
"to": "bb:440",
"type": "control_flow_fallthrough"
},
{
"from": "bb:440",
"to": "bb:465",
"type": "control_flow_fallthrough"
},
{
"from": "bb:489",
"to": "bb:503",
"type": "control_flow_fallthrough"
},
{
"from": "bb:503",
"to": "bb:503",
"type": "control_flow"
},
{
"from": "bb:503",
"to": "bb:523",
"type": "control_flow_fallthrough"
},
{
"from": "bb:523",
"to": "bb:532",
"type": "control_flow_fallthrough"
},
{
"from": "fn:0x313ce567",
"to": "bb:1889567281",
"type": "entry"
},
{
"from": "fn:0x70a08231",
"to": "bb:2514000705",
"type": "entry"
},
{
"from": "fn:0x95d89b41",
"to": "bb:2835717307",
"type": "entry"
},
{
"from": "bb:369",
"to": "call:423",
"type": "contains"
},
{
"from": "call:423",
"to": "sink:call",
"type": "capability"
}
],
"nodes": [
{
"end_pc": 24,
"hash": "0x6a350686911b120d699f8e8d1e9440d4ce17c4434492baee43484e2ef083a112",
"id": "bb:0",
"start_pc": 0,
"type": "basic_block"
},
{
"end_pc": 35,
"hash": "0x09fc75e3aa8fb02b98e24881cc463925488c7dfa7ef308570a5930c5c420c614",
"id": "bb:25",
"start_pc": 25,
"type": "basic_block"
},
{
"end_pc": 46,
"hash": "0x976103db32485bde438fb5c3f9f54ee02f48623f2e3b08249411cd4aee3c334a",
"id": "bb:36",
"start_pc": 36,
"type": "basic_block"
},
{
"end_pc": 57,
"hash": "0x3c19c073e27395dc44272beb525b6373ad140a4045aabbd1b653e498e1806824",
"id": "bb:47",
"start_pc": 47,
"type": "basic_block"
},
{
"end_pc": 68,
"hash": "0x3a122683470ea7901e31e80e6378780a829a06da64b04e691b5d5c5621392507",
"id": "bb:58",
"start_pc": 58,
"type": "basic_block"
},
{
"end_pc": 70,
"hash": "0x55afd043d32294d5f0189f5a0aa04f3174e4c087a31c85396f49b5f17813cb96",
"id": "bb:69",
"start_pc": 69,
"type": "basic_block"
},
{
"end_pc": 136,
"hash": "0xf40449b02dac3d8f47855034813de568b98c652f9830a133b3073a9873212a05",
"id": "bb:71",
"start_pc": 71,
"type": "basic_block"
},
{
"end_pc": 144,
"hash": "0x7a355623b8b883b4699f46760b468c692676e190c7e929634fc8cc91b960e828",
"id": "bb:137",
"start_pc": 137,
"type": "basic_block"
},
{
"end_pc": 163,
"hash": "0xecf2c5af628c9d14e5484dd92b242b3443b71f5fbb56ef3bb6d6ecc43488b865",
"id": "bb:145",
"start_pc": 145,
"type": "basic_block"
},
{
"end_pc": 175,
"hash": "0xf62eccf39e21b0e7c82cfcb3b9161109c9cde5dd5c779dfdf9d7973b15a1f6f4",
"id": "bb:164",
"start_pc": 164,
"type": "basic_block"
},
{
"end_pc": 199,
"hash": "0x05f97e1fd71d0e615e61d36d6d9fc9f3a8acf10fd5fb739c2455360490997f41",
"id": "bb:176",
"start_pc": 176,
"type": "basic_block"
},
{
"end_pc": 263,
"hash": "0x3b9a3c0e7fbbf4ecb17a787b5a04fc83590949a51a6fd3d3f767311abf7a0c87",
"id": "bb:200",
"start_pc": 200,
"type": "basic_block"
},
{
"end_pc": 271,
"hash": "0x7090146e9b5fc2309802dbb79ccb9ee86583359c5c3be96451826d65ecdc85ad",
"id": "bb:264",
"start_pc": 264,
"type": "basic_block"
},
{
"end_pc": 290,
"hash": "0x10fb4a62e31f9d523fba9e254b0a1cdf4088252f3ab9207bbb88b56ad78999f5",
"id": "bb:272",
"start_pc": 272,
"type": "basic_block"
},
{
"end_pc": 333,
"hash": "0xd2efc930fda1fda27663cef7ff064d3b5644e25c73944457c5b247a2a2b5ebc0",
"id": "bb:291",
"start_pc": 291,
"type": "basic_block"
},
{
"end_pc": 358,
"hash": "0x0cb281f02dafac7bc5747ea2ef6cc0ac9cd79b706be48c09434fe236d62304c0",
"id": "bb:334",
"start_pc": 334,
"type": "basic_block"
},
{
"end_pc": 364,
"hash": "0x4814088d1abceba7bce3d4b5b89f161d17c093265433f37367be8adf0dc5d9aa",
"id": "bb:359",
"start_pc": 359,
"type": "basic_block"
},
{
"end_pc": 368,
"hash": "0xac36dca57ddb5fc789957ffad51730f7f53229ca3982b5d74ea2101757b9905f",
"id": "bb:365",
"start_pc": 365,
"type": "basic_block"
},
{
"end_pc": 439,
"hash": "0x4a2fafd97023c8a8f31f1ac7c9d6df99ecfea6a6c1f4b93506db3ef9cb749e5e",
"id": "bb:369",
"start_pc": 369,
"type": "basic_block"
},
{
"end_pc": 464,
"hash": "0xebb6ccfb60657a2ed3d1a377dfa457bf2b13b45b75c03c3302572d286824ebdf",
"id": "bb:440",
"start_pc": 440,
"type": "basic_block"
},
{
"end_pc": 478,
"hash": "0xd8b1d5b723eaa7895bcb21e965231688c1662a1902dec4aabd2354f749c4df07",
"id": "bb:465",
"start_pc": 465,
"type": "basic_block"
},
{
"end_pc": 488,
"hash": "0x672c26154dc00d7172790e8e1de59fd7d9ca445474687406424f70df4450fe25",
"id": "bb:479",
"start_pc": 479,
"type": "basic_block"
},
{
"end_pc": 502,
"hash": "0x7bde65d6a9816da073cced29f6f34d22c241ed00ffe7e5bdc351d09cf32af2b7",
"id": "bb:489",
"start_pc": 489,
"type": "basic_block"
},
{
"end_pc": 522,
"hash": "0xe65d9d6443f3a673e82c38fd7dd0017f03525f100e05bc5fcf0baddb948cdeb4",
"id": "bb:503",
"start_pc": 503,
"type": "basic_block"
},
{
"end_pc": 531,
"hash": "0xaa71a205054de33589ec835473fdc578d8c5d518fbca97c609b111c4b5d7237f",
"id": "bb:523",
"start_pc": 523,
"type": "basic_block"
},
{
"end_pc": 539,
"hash": "0xb6701d2440ac796fa26fd00c5144c1da1ea113aa11d54563da929fd75db3e96a",
"id": "bb:532",
"start_pc": 532,
"type": "basic_block"
},
{
"end_pc": 712,
"hash": "0x1bf824d37500e40fbaa54fddc78cc7c83681f362412140bde6c660277afad52a",
"id": "bb:540",
"start_pc": 540,
"type": "basic_block"
},
{
"id": "call:423",
"opcode": "CALL",
"pc": 423,
"type": "callsite"
},
{
"id": "sink:call",
"type": "sink"
},
{
"entry_pc": null,
"id": "fn:0x06fdde03",
"selector": "0x06fdde03",
"type": "function"
},
{
"entry_pc": 1889567281,
"id": "fn:0x313ce567",
"selector": "0x313ce567",
"type": "function"
},
{
"entry_pc": 2514000705,
"id": "fn:0x70a08231",
"selector": "0x70a08231",
"type": "function"
},
{
"entry_pc": 2835717307,
"id": "fn:0x95d89b41",
"selector": "0x95d89b41",
"type": "function"
},
{
"entry_pc": null,
"id": "fn:0xa9059cbb",
"selector": "0xa9059cbb",
"type": "function"
}
],
"version": "capability_graph_v1"
},
"id": 2294,
"updated_at": "2026-04-04T19:55:47.000000Z",
"version": "capability_graph_v1"
},
"detector_findings": [
{
"confidence": 60,
"evidence_json": {
"call_count": 1,
"examples": [
{
"opcode": "CALL",
"pc": 423,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": [],
"untrusted_call_count": 1
},
"normalized_json": {
"sink": "CALL"
},
"severity": "high",
"title": "Untrusted CALL target/value reachable",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x08b54d4f5877ee091e31e92523b9791df9efce93"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0xf0a26eb03c85911d3e4b29247417fab5cd21810af82ba4bb0423192ed844015d",
"trace_mode": "callTracer"
}
},
{
"confidence": 55,
"evidence_json": {
"eth_value_calls": 1,
"examples": [
{
"opcode": "CALL",
"pc": 423,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": []
},
"normalized_json": {
"sink": "CALL",
"value": "nonzero"
},
"severity": "high",
"title": "ETH value transfer possible",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x08b54d4f5877ee091e31e92523b9791df9efce93"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0xf0a26eb03c85911d3e4b29247417fab5cd21810af82ba4bb0423192ed844015d",
"trace_mode": "callTracer"
}
}
],
"heuristics_summary": {
"create2_count": 0,
"delegatecall_count": 0,
"flags": [],
"selfdestruct_count": 0
}
}
exec
/bin/bash -lc "python - <<'PY'
bytecode='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'
ops = {
0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
}
code=bytes.fromhex(bytecode)
pc=0
while pc < len(code):
    op=code[pc]
    name=ops.get(op, f'OP_{op:02x}')
    if 360 <= pc <= 450:
        if 0x60 <= op <= 0x7f:
            n=op-0x5f
            data=code[pc+1:pc+1+n]
            print(f'{pc:04x}: {name} 0x{data.hex()}')
            pc+=1+n
        else:
            print(f'{pc:04x}: {name}')
            pc+=1
    else:
        if 0x60 <= op <= 0x7f:
            pc += 1 + (op-0x5f)
        else:
            pc += 1
PY" in /tmp/codex-qz7vio0a
succeeded in 0ms:
0168: ISZERO
0169: PUSH2 0x021c
016c: JUMPI
016d: PUSH2 0x0002
0170: JUMP
0171: JUMPDEST
0172: PUSH1 0x40
0174: MLOAD
0175: DUP1
0176: DUP1
0177: PUSH1 0x20
0179: ADD
017a: DUP3
017b: DUP2
017c: SUB
017d: DUP3
017e: MSTORE
017f: DUP4
0180: DUP2
0181: DUP2
0182: MLOAD
0183: DUP2
0184: MSTORE
0185: PUSH1 0x20
0187: ADD
0188: SWAP2
0189: POP
018a: DUP1
018b: MLOAD
018c: SWAP1
018d: PUSH1 0x20
018f: ADD
0190: SWAP1
0191: DUP1
0192: DUP4
0193: DUP4
0194: DUP3
0195: SWAP1
0196: PUSH1 0x00
0198: PUSH1 0x04
019a: PUSH1 0x20
019c: DUP5
019d: PUSH1 0x1f
019f: ADD
01a0: DIV
01a1: PUSH1 0x0f
01a3: MUL
01a4: PUSH1 0x03
01a6: ADD
01a7: CALL
01a8: POP
01a9: SWAP1
01aa: POP
01ab: SWAP1
01ac: DUP2
01ad: ADD
01ae: SWAP1
01af: PUSH1 0x1f
01b1: AND
01b2: DUP1
01b3: ISZERO
01b4: PUSH2 0x01d1
01b7: JUMPI
01b8: DUP1
01b9: DUP3
01ba: SUB
01bb: DUP1
01bc: MLOAD
01bd: PUSH1 0x01
01bf: DUP4
01c0: PUSH1 0x20
01c2: SUB
exec
/bin/bash -lc "python - <<'PY'
bytecode='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'
ops={i:n for i,n in [(0x00,'STOP'),(0x01,'ADD'),(0x02,'MUL'),(0x03,'SUB'),(0x04,'DIV'),(0x05,'SDIV'),(0x06,'MOD'),(0x07,'SMOD'),(0x08,'ADDMOD'),(0x09,'MULMOD'),(0x0a,'EXP'),(0x0b,'SIGNEXTEND'),(0x10,'LT'),(0x11,'GT'),(0x12,'SLT'),(0x13,'SGT'),(0x14,'EQ'),(0x15,'ISZERO'),(0x16,'AND'),(0x17,'OR'),(0x18,'XOR'),(0x19,'NOT'),(0x1a,'BYTE'),(0x20,'SHA3'),(0x30,'ADDRESS'),(0x31,'BALANCE'),(0x32,'ORIGIN'),(0x33,'CALLER'),(0x34,'CALLVALUE'),(0x35,'CALLDATALOAD'),(0x36,'CALLDATASIZE'),(0x37,'CALLDATACOPY'),(0x38,'CODESIZE'),(0x39,'CODECOPY'),(0x3a,'GASPRICE'),(0x3b,'EXTCODESIZE'),(0x3c,'EXTCODECOPY'),(0x3d,'RETURNDATASIZE'),(0x3e,'RETURNDATACOPY'),(0x40,'BLOCKHASH'),(0x41,'COINBASE'),(0x42,'TIMESTAMP'),(0x43,'NUMBER'),(0x44,'DIFFICULTY'),(0x45,'GASLIMIT'),(0x50,'POP'),(0x51,'MLOAD'),(0x52,'MSTORE'),(0x53,'MSTORE8'),(0x54,'SLOAD'),(0x55,'SSTORE'),(0x56,'JUMP'),(0x57,'JUMPI'),(0x58,'PC'),(0x59,'MSIZE'),(0x5a,'GAS'),(0x5b,'JUMPDEST'),(0xf1,'CALL'),(0xf3,'RETURN'),(0xfd,'REVERT')]}
for x in range(0x60,0x80): ops[x]=f'PUSH{x-0x5f}'
for x in range(0x80,0x90): ops[x]=f'DUP{x-0x7f}'
for x in range(0x90,0xa0): ops[x]=f'SWAP{x-0x8f}'
for x in range(0xa0,0xa5): ops[x]=f'LOG{x-0xa0}'
code=bytes.fromhex(bytecode)
pc=0
while pc < len(code):
    op=code[pc]
    if 0x1c0 <= pc <= 0x1d5:
        name=ops.get(op,f'OP_{op:02x}')
        if 0x60 <= op <= 0x7f:
            n=op-0x5f; data=code[pc+1:pc+1+n]
            print(f'{pc:04x}: {name} 0x{data.hex()}')
            pc+=1+n
        else:
            print(f'{pc:04x}: {name}')
            pc+=1
    else:
        pc+=1+(op-0x5f if 0x60<=op<=0x7f else 0)
PY" in /tmp/codex-qz7vio0a
succeeded in 0ms:
01c0: PUSH1 0x20
01c2: SUB
01c3: PUSH2 0x0100
01c6: EXP
01c7: SUB
01c8: NOT
01c9: AND
01ca: DUP2
01cb: MSTORE
01cc: PUSH1 0x20
01ce: ADD
01cf: SWAP2
01d0: POP
01d1: JUMPDEST
01d2: POP
01d3: SWAP3
01d4: POP
01d5: POP
exec
/bin/bash -lc "python - <<'PY'
bytecode='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'
ops={}
for i,n in [(0x00,'STOP'),(0x01,'ADD'),(0x02,'MUL'),(0x03,'SUB'),(0x04,'DIV'),(0x05,'SDIV'),(0x06,'MOD'),(0x07,'SMOD'),(0x08,'ADDMOD'),(0x09,'MULMOD'),(0x0a,'EXP'),(0x0b,'SIGNEXTEND'),(0x10,'LT'),(0x11,'GT'),(0x12,'SLT'),(0x13,'SGT'),(0x14,'EQ'),(0x15,'ISZERO'),(0x16,'AND'),(0x17,'OR'),(0x18,'XOR'),(0x19,'NOT'),(0x1a,'BYTE'),(0x20,'SHA3'),(0x30,'ADDRESS'),(0x31,'BALANCE'),(0x32,'ORIGIN'),(0x33,'CALLER'),(0x34,'CALLVALUE'),(0x35,'CALLDATALOAD'),(0x36,'CALLDATASIZE'),(0x37,'CALLDATACOPY'),(0x38,'CODESIZE'),(0x39,'CODECOPY'),(0x3a,'GASPRICE'),(0x3b,'EXTCODESIZE'),(0x3c,'EXTCODECOPY'),(0x3d,'RETURNDATASIZE'),(0x3e,'RETURNDATACOPY'),(0x40,'BLOCKHASH'),(0x41,'COINBASE'),(0x42,'TIMESTAMP'),(0x43,'NUMBER'),(0x44,'DIFFICULTY'),(0x45,'GASLIMIT'),(0x50,'POP'),(0x51,'MLOAD'),(0x52,'MSTORE'),(0x53,'MSTORE8'),(0x54,'SLOAD'),(0x55,'SSTORE'),(0x56,'JUMP'),(0x57,'JUMPI'),(0x58,'PC'),(0x59,'MSIZE'),(0x5a,'GAS'),(0x5b,'JUMPDEST'),(0xf1,'CALL'),(0xf3,'RETURN'),(0xfd,'REVERT')]: ops[i]=n
for x in range(0x60,0x80): ops[x]=f'PUSH{x-0x5f}'
for x in range(0x80,0x90): ops[x]=f'DUP{x-0x7f}'
for x in range(0x90,0xa0): ops[x]=f'SWAP{x-0x8f}'
for x in range(0xa0,0xa5): ops[x]=f'LOG{x-0xa0}'
code=bytes.fromhex(bytecode)
pc=0
while pc < len(code):
    op=code[pc]; name=ops.get(op,f'OP_{op:02x}')
    if 0x120 <= pc <= 0x2c8:
        if 0x60 <= op <= 0x7f:
            n=op-0x5f; data=code[pc+1:pc+1+n]
            print(f'{pc:04x}: {name:<7} 0x{data.hex()}')
            pc+=1+n
        else:
            print(f'{pc:04x}: {name}')
            pc+=1
    else:
        pc+=1+(op-0x5f if 0x60<=op<=0x7f else 0)
PY" in /tmp/codex-qz7vio0a
succeeded in 0ms:
0122: JUMP
0123: JUMPDEST
0124: PUSH2 0x0045
0127: PUSH1 0x04
0129: CALLDATALOAD
012a: PUSH1 0x24
012c: CALLDATALOAD
012d: PUSH1 0x01
012f: PUSH1 0xa0
0131: PUSH1 0x02
0133: EXP
0134: SUB
0135: CALLER
0136: AND
0137: PUSH1 0x00
0139: SWAP1
013a: DUP2
013b: MSTORE
013c: PUSH1 0x03
013e: PUSH1 0x20
0140: MSTORE
0141: PUSH1 0x40
0143: SWAP1
0144: SHA3
0145: SLOAD
0146: DUP2
0147: SWAP1
0148: LT
0149: DUP1
014a: PUSH2 0x0167
014d: JUMPI
014e: POP
014f: PUSH1 0x01
0151: PUSH1 0xa0
0153: PUSH1 0x02
0155: EXP
0156: SUB
0157: DUP3
0158: AND
0159: PUSH1 0x00
015b: SWAP1
015c: DUP2
015d: MSTORE
015e: PUSH1 0x40
0160: SWAP1
0161: SHA3
0162: SLOAD
0163: DUP1
0164: DUP3
0165: ADD
0166: LT
0167: JUMPDEST
0168: ISZERO
0169: PUSH2 0x021c
016c: JUMPI
016d: PUSH2 0x0002
0170: JUMP
0171: JUMPDEST
0172: PUSH1 0x40
0174: MLOAD
0175: DUP1
0176: DUP1
0177: PUSH1 0x20
0179: ADD
017a: DUP3
017b: DUP2
017c: SUB
017d: DUP3
017e: MSTORE
017f: DUP4
0180: DUP2
0181: DUP2
0182: MLOAD
0183: DUP2
0184: MSTORE
0185: PUSH1 0x20
0187: ADD
0188: SWAP2
0189: POP
018a: DUP1
018b: MLOAD
018c: SWAP1
018d: PUSH1 0x20
018f: ADD
0190: SWAP1
0191: DUP1
0192: DUP4
0193: DUP4
0194: DUP3
0195: SWAP1
0196: PUSH1 0x00
0198: PUSH1 0x04
019a: PUSH1 0x20
019c: DUP5
019d: PUSH1 0x1f
019f: ADD
01a0: DIV
01a1: PUSH1 0x0f
01a3: MUL
01a4: PUSH1 0x03
01a6: ADD
01a7: CALL
01a8: POP
01a9: SWAP1
01aa: POP
01ab: SWAP1
01ac: DUP2
01ad: ADD
01ae: SWAP1
01af: PUSH1 0x1f
01b1: AND
01b2: DUP1
01b3: ISZERO
01b4: PUSH2 0x01d1
01b7: JUMPI
01b8: DUP1
01b9: DUP3
01ba: SUB
01bb: DUP1
01bc: MLOAD
01bd: PUSH1 0x01
01bf: DUP4
01c0: PUSH1 0x20
01c2: SUB
01c3: PUSH2 0x0100
01c6: EXP
01c7: SUB
01c8: NOT
01c9: AND
01ca: DUP2
01cb: MSTORE
01cc: PUSH1 0x20
01ce: ADD
01cf: SWAP2
01d0: POP
01d1: JUMPDEST
01d2: POP
01d3: SWAP3
01d4: POP
01d5: POP
01d6: POP
01d7: PUSH1 0x40
01d9: MLOAD
01da: DUP1
01db: SWAP2
01dc: SUB
01dd: SWAP1
01de: RETURN
01df: JUMPDEST
01e0: PUSH1 0x60
01e2: SWAP1
01e3: DUP2
01e4: MSTORE
01e5: PUSH1 0x20
01e7: SWAP1
01e8: RETURN
01e9: JUMPDEST
01ea: DUP3
01eb: ADD
01ec: SWAP2
01ed: SWAP1
01ee: PUSH1 0x00
01f0: MSTORE
01f1: PUSH1 0x20
01f3: PUSH1 0x00
01f5: SHA3
01f6: SWAP1
01f7: JUMPDEST
01f8: DUP2
01f9: SLOAD
01fa: DUP2
01fb: MSTORE
01fc: SWAP1
01fd: PUSH1 0x01
01ff: ADD
0200: SWAP1
0201: PUSH1 0x20
0203: ADD
0204: DUP1
0205: DUP4
0206: GT
0207: PUSH2 0x01f7
020a: JUMPI
020b: DUP3
020c: SWAP1
020d: SUB
020e: PUSH1 0x1f
0210: AND
0211: DUP3
0212: ADD
0213: SWAP2
0214: JUMPDEST
0215: POP
0216: POP
0217: POP
0218: POP
0219: POP
021a: DUP2
021b: JUMP
021c: JUMPDEST
021d: DUP1
021e: PUSH1 0x03
0220: PUSH1 0x00
0222: POP
0223: PUSH1 0x00
0225: CALLER
0226: PUSH1 0x01
0228: PUSH1 0xa0
022a: PUSH1 0x02
022c: EXP
022d: SUB
022e: AND
022f: DUP2
0230: MSTORE
0231: PUSH1 0x20
0233: ADD
0234: SWAP1
0235: DUP2
0236: MSTORE
0237: PUSH1 0x20
0239: ADD
023a: PUSH1 0x00
023c: SHA3
023d: PUSH1 0x00
023f: DUP3
0240: DUP3
0241: DUP3
0242: POP
0243: SLOAD
0244: SUB
0245: SWAP3
0246: POP
0247: POP
0248: DUP2
0249: SWAP1
024a: SSTORE
024b: POP
024c: DUP1
024d: PUSH1 0x03
024f: PUSH1 0x00
0251: POP
0252: PUSH1 0x00
0254: DUP5
0255: PUSH1 0x01
0257: PUSH1 0xa0
0259: PUSH1 0x02
025b: EXP
025c: SUB
025d: AND
025e: DUP2
025f: MSTORE
0260: PUSH1 0x20
0262: ADD
0263: SWAP1
0264: DUP2
0265: MSTORE
0266: PUSH1 0x20
0268: ADD
0269: PUSH1 0x00
026b: SHA3
026c: PUSH1 0x00
026e: DUP3
026f: DUP3
0270: DUP3
0271: POP
0272: SLOAD
0273: ADD
0274: SWAP3
0275: POP
0276: POP
0277: DUP2
0278: SWAP1
0279: SSTORE
027a: POP
027b: DUP2
027c: PUSH1 0x01
027e: PUSH1 0xa0
0280: PUSH1 0x02
0282: EXP
0283: SUB
0284: AND
0285: CALLER
0286: PUSH1 0x01
0288: PUSH1 0xa0
028a: PUSH1 0x02
028c: EXP
028d: SUB
028e: AND
028f: PUSH32 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef
02b0: DUP4
02b1: PUSH1 0x40
02b3: MLOAD
02b4: DUP1
02b5: DUP3
02b6: DUP2
02b7: MSTORE
02b8: PUSH1 0x20
02ba: ADD
02bb: SWAP2
02bc: POP
02bd: POP
02be: PUSH1 0x40
02c0: MLOAD
02c1: DUP1
02c2: SWAP2
02c3: SUB
02c4: SWAP1
02c5: LOG3
02c6: POP
02c7: POP
02c8: JUMP
exec
/bin/bash -lc "python - <<'PY'
bytecode='606060405260e060020a600035046306fdde038114610047578063313ce567146100a457806370a08231146100b057806395d89b41146100c8578063a9059cbb14610123575b005b61017160008054602060026001831615610100026000190190921691909104601f810182900490910260809081016040526060828152929190828280156102145780601f106101e957610100808354040283529160200191610214565b6101df60025460ff1681565b6101df60043560036020526000908152604090205481565b610171600180546020601f6002600019610100858716150201909316929092049182018190040260809081016040526060828152929190828280156102145780601f106101e957610100808354040283529160200191610214565b610045600435602435600160a060020a033316600090815260036020526040902054819010806101675750600160a060020a03821660009081526040902054808201105b1561021c57610002565b60405180806020018281038252838181518152602001915080519060200190808383829060006004602084601f0104600f02600301f150905090810190601f1680156101d15780820380516001836020036101000a031916815260200191505b509250505060405180910390f35b6060908152602090f35b820191906000526020600020905b8154815290600101906020018083116101f757829003601f168201915b505050505081565b806003600050600033600160a060020a03168152602001908152602001600020600082828250540392505081905550806003600050600084600160a060020a0316815260200190815260200160002060008282825054019250508190555081600160a060020a031633600160a060020a03167fddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef836040518082815260200191505060405180910390a3505056'
ops={}
for i,n in [(0x00,'STOP'),(0x01,'ADD'),(0x02,'MUL'),(0x03,'SUB'),(0x04,'DIV'),(0x05,'SDIV'),(0x06,'MOD'),(0x07,'SMOD'),(0x08,'ADDMOD'),(0x09,'MULMOD'),(0x0a,'EXP'),(0x0b,'SIGNEXTEND'),(0x10,'LT'),(0x11,'GT'),(0x12,'SLT'),(0x13,'SGT'),(0x14,'EQ'),(0x15,'ISZERO'),(0x16,'AND'),(0x17,'OR'),(0x18,'XOR'),(0x19,'NOT'),(0x1a,'BYTE'),(0x20,'SHA3'),(0x30,'ADDRESS'),(0x31,'BALANCE'),(0x32,'ORIGIN'),(0x33,'CALLER'),(0x34,'CALLVALUE'),(0x35,'CALLDATALOAD'),(0x36,'CALLDATASIZE'),(0x37,'CALLDATACOPY'),(0x38,'CODESIZE'),(0x39,'CODECOPY'),(0x3a,'GASPRICE'),(0x3b,'EXTCODESIZE'),(0x3c,'EXTCODECOPY'),(0x3d,'RETURNDATASIZE'),(0x3e,'RETURNDATACOPY'),(0x40,'BLOCKHASH'),(0x41,'COINBASE'),(0x42,'TIMESTAMP'),(0x43,'NUMBER'),(0x44,'DIFFICULTY'),(0x45,'GASLIMIT'),(0x50,'POP'),(0x51,'MLOAD'),(0x52,'MSTORE'),(0x53,'MSTORE8'),(0x54,'SLOAD'),(0x55,'SSTORE'),(0x56,'JUMP'),(0x57,'JUMPI'),(0x58,'PC'),(0x59,'MSIZE'),(0x5a,'GAS'),(0x5b,'JUMPDEST'),(0xf1,'CALL'),(0xf3,'RETURN'),(0xfd,'REVERT')]: ops[i]=n
for x in range(0x60,0x80): ops[x]=f'PUSH{x-0x5f}'
for x in range(0x80,0x90): ops[x]=f'DUP{x-0x7f}'
for x in range(0x90,0xa0): ops[x]=f'SWAP{x-0x8f}'
for x in range(0xa0,0xa5): ops[x]=f'LOG{x-0xa0}'
code=bytes.fromhex(bytecode)
pc=0
while pc < len(code):
    op=code[pc]; name=ops.get(op,f'OP_{op:02x}')
    if 0x40 <= pc <= 0x60:
        if 0x60 <= op <= 0x7f:
            n=op-0x5f; data=code[pc+1:pc+1+n]
            print(f'{pc:04x}: {name:<7} 0x{data.hex()}')
            pc+=1+n
        else:
            print(f'{pc:04x}: {name}')
            pc+=1
    else:
        pc+=1+(op-0x5f if 0x60<=op<=0x7f else 0)
PY" in /tmp/codex-qz7vio0a
succeeded in 0ms:
0040: EQ
0041: PUSH2 0x0123
0044: JUMPI
0045: JUMPDEST
0046: STOP
0047: JUMPDEST
0048: PUSH2 0x0171
004b: PUSH1 0x00
004d: DUP1
004e: SLOAD
004f: PUSH1 0x20
0051: PUSH1 0x02
0053: PUSH1 0x01
0055: DUP4
0056: AND
0057: ISZERO
0058: PUSH2 0x0100
005b: MUL
005c: PUSH1 0x00
005e: NOT
005f: ADD
0060: SWAP1
exec
/bin/bash -lc "python - <<'PY'
bytecode='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'
ops={i:n for i,n in [(0x00,'STOP'),(0x01,'ADD'),(0x02,'MUL'),(0x03,'SUB'),(0x04,'DIV'),(0x0a,'EXP'),(0x14,'EQ'),(0x15,'ISZERO'),(0x16,'AND'),(0x19,'NOT'),(0x20,'SHA3'),(0x33,'CALLER'),(0x35,'CALLDATALOAD'),(0x50,'POP'),(0x51,'MLOAD'),(0x52,'MSTORE'),(0x54,'SLOAD'),(0x55,'SSTORE'),(0x56,'JUMP'),(0x57,'JUMPI'),(0x5b,'JUMPDEST'),(0xfd,'REVERT')]}
for x in range(0x60,0x80): ops[x]=f'PUSH{x-0x5f}'
for x in range(0x80,0x90): ops[x]=f'DUP{x-0x7f}'
for x in range(0x90,0xa0): ops[x]=f'SWAP{x-0x8f}'
code=bytes.fromhex(bytecode)
pc=0
while pc < len(code):
    op=code[pc]; name=ops.get(op,f'OP_{op:02x}')
    if pc<=20:
        if 0x60 <= op <= 0x7f:
            n=op-0x5f; data=code[pc+1:pc+1+n]
            print(f'{pc:04x}: {name:<7} 0x{data.hex()}')
            pc+=1+n
        else:
            print(f'{pc:04x}: {name}')
            pc+=1
    else:
        pc+=1+(op-0x5f if 0x60<=op<=0x7f else 0)
PY" in /tmp/codex-qz7vio0a
succeeded in 0ms:
0000: PUSH1 0x60
0002: PUSH1 0x40
0004: MSTORE
0005: PUSH1 0xe0
0007: PUSH1 0x02
0009: EXP
000a: PUSH1 0x00
000c: CALLDATALOAD
000d: DIV
000e: PUSH4 0x06fdde03
0013: DUP2
0014: EQ
codex
{"no_findings":false,"summary":"I reviewed `BYTECODE_BUNDLE.json` and the runtime looks like a small legacy ERC20-like token with inferred selectors `name`, `symbol`, `decimals`, `balanceOf`, and `transfer`. I did not treat the detector's `CALL` findings at `pc:0x1a7` as a confirmed vulnerability: the surrounding bytecode is consistent with an old Solidity dynamic-bytes copy helper that calls precompile `0x04` (identity), and the bundle shows no `DELEGATECALL`, proxy pattern, or obvious privileged upgrade path. The meaningful issues are low-severity legacy-behavior risks around ETH acceptance and silent-success / no-return semantics.","findings":[{"severity":"low","category":"other","title":"Contract appears to accept ETH but exposes no visible recovery path","exploit_scenario":"Because the runtime has no non-payable `CALLVALUE` checks, a user or integrating contract can send ETH to this token contract by mistake, either with empty calldata or alongside a token method call. The call will succeed, but no selector in the bundle suggests an owner-only rescue or withdrawal path, so the ETH may be permanently trapped.","recommendation":"If this contract can be changed, reject nonzero `msg.value` on all token functions and revert in the fallback/receive path. If it is immutable, document clearly that ETH must never be sent here and consider operational monitoring for accidental deposits.","evidence":"The dispatcher falls through to `STOP` at `pc:0x45` for unknown selectors / plain calls, and the runtime bytecode contains no visible `CALLVALUE` guard at the dispatcher or inferred function entries. 
The bytecode bundle marks `is_proxy=false`, shows no `SELFDESTRUCT`, and infers only five token-style selectors, with no visible withdrawal selector.","locations":["pc:0x0","pc:0x45"]},{"severity":"low","category":"other","title":"Legacy silent-success semantics can mislead integrations","exploit_scenario":"An integrating contract that uses low-level calls and treats only the EVM success flag as authoritative can be misled by this token. Unsupported selectors fall into a successful `STOP`, and the inferred `transfer(address,uint256)` path updates storage then halts without returning the standard ABI-encoded `bool`. Depending on the caller's assumptions, this can cause stale approvals, phantom success, or accounting mismatches at the integration layer.","recommendation":"Integrations should use compatibility wrappers that tolerate no-return tokens only for known methods and should verify expected returndata for other token operations. If the contract is mutable, make the fallback revert and return an explicit `true` from `transfer`.","evidence":"Selector `0xa9059cbb` dispatches to `pc:0x123`; after the balance updates and `Transfer` log, control returns to `pc:0x45` (`STOP`) instead of writing and returning a boolean. The default dispatcher path also ends at the same `STOP`, so unknown selectors succeed with empty returndata rather than reverting.","locations":["selector:0xa9059cbb","pc:0x123","pc:0x45"]}]}
tokens used
64,065
{
"codex": {
"ran_at": "2026-04-05T04:17:53.137776+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 1428,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "I reviewed `BYTECODE_BUNDLE.json` and the runtime looks like a small legacy ERC20-like token with inferred selectors `name`, `symbol`, `decimals`, `balanceOf`, and `transfer`. I did not treat the detector's `CALL` findings at `pc:0x1a7` as a confirmed vulnerability: the surrounding bytecode is consistent with an old Solidity dynamic-bytes copy helper that calls precompile `0x04` (identity), and the bundle shows no `DELEGATECALL`, proxy pattern, or obvious privileged upgrade path. The meaningful issues are low-severity legacy-behavior risks around ETH acceptance and silent-success / no-return semantics.",
"raw_final": {
"summary": "I reviewed `BYTECODE_BUNDLE.json` and the runtime looks like a small legacy ERC20-like token with inferred selectors `name`, `symbol`, `decimals`, `balanceOf`, and `transfer`. I did not treat the detector's `CALL` findings at `pc:0x1a7` as a confirmed vulnerability: the surrounding bytecode is consistent with an old Solidity dynamic-bytes copy helper that calls precompile `0x04` (identity), and the bundle shows no `DELEGATECALL`, proxy pattern, or obvious privileged upgrade path. The meaningful issues are low-severity legacy-behavior risks around ETH acceptance and silent-success / no-return semantics.",
"findings": [
{
"title": "Contract appears to accept ETH but exposes no visible recovery path",
"category": "other",
"evidence": "The dispatcher falls through to `STOP` at `pc:0x45` for unknown selectors / plain calls, and the runtime bytecode contains no visible `CALLVALUE` guard at the dispatcher or inferred function entries. The bytecode bundle marks `is_proxy=false`, shows no `SELFDESTRUCT`, and infers only five token-style selectors, with no visible withdrawal selector.",
"severity": "low",
"locations": [
"pc:0x0",
"pc:0x45"
],
"recommendation": "If this contract can be changed, reject nonzero `msg.value` on all token functions and revert in the fallback/receive path. If it is immutable, document clearly that ETH must never be sent here and consider operational monitoring for accidental deposits.",
"exploit_scenario": "Because the runtime has no non-payable `CALLVALUE` checks, a user or integrating contract can send ETH to this token contract by mistake, either with empty calldata or alongside a token method call. The call will succeed, but no selector in the bundle suggests an owner-only rescue or withdrawal path, so the ETH may be permanently trapped."
},
{
"title": "Legacy silent-success semantics can mislead integrations",
"category": "other",
"evidence": "Selector `0xa9059cbb` dispatches to `pc:0x123`; after the balance updates and `Transfer` log, control returns to `pc:0x45` (`STOP`) instead of writing and returning a boolean. The default dispatcher path also ends at the same `STOP`, so unknown selectors succeed with empty returndata rather than reverting.",
"severity": "low",
"locations": [
"selector:0xa9059cbb",
"pc:0x123",
"pc:0x45"
],
"recommendation": "Integrations should use compatibility wrappers that tolerate no-return tokens only for known methods and should verify expected returndata for other token operations. If the contract is mutable, make the fallback revert and return an explicit `true` from `transfer`.",
"exploit_scenario": "An integrating contract that uses low-level calls and treats only the EVM success flag as authoritative can be misled by this token. Unsupported selectors fall into a successful `STOP`, and the inferred `transfer(address,uint256)` path updates storage then halts without returning the standard ABI-encoded `bool`. Depending on the caller's assumptions, this can cause stale approvals, phantom success, or accounting mismatches at the integration layer."
}
],
"no_findings": false
},
"no_findings": false,
"schema_version": 1
}
00000000: PUSH1 0x60
00000002: PUSH1 0x40
00000004: MSTORE
00000005: PUSH1 0xe0
00000007: PUSH1 0x02
00000009: EXP
0000000a: PUSH1 0x00
0000000c: CALLDATALOAD
0000000d: DIV
0000000e: PUSH4 0x06fdde03
00000013: DUP2
00000014: EQ
00000015: PUSH2 0x0047
00000018: JUMPI
00000019: DUP1
0000001a: PUSH4 0x313ce567
0000001f: EQ
00000020: PUSH2 0x00a4
00000023: JUMPI
00000024: DUP1
00000025: PUSH4 0x70a08231
0000002a: EQ
0000002b: PUSH2 0x00b0
0000002e: JUMPI
0000002f: DUP1
00000030: PUSH4 0x95d89b41
00000035: EQ
00000036: PUSH2 0x00c8
00000039: JUMPI
0000003a: DUP1
0000003b: PUSH4 0xa9059cbb
00000040: EQ
00000041: PUSH2 0x0123
00000044: JUMPI
00000045: JUMPDEST
00000046: STOP
00000047: JUMPDEST
00000048: PUSH2 0x0171
0000004b: PUSH1 0x00
0000004d: DUP1
0000004e: SLOAD
0000004f: PUSH1 0x20
00000051: PUSH1 0x02
00000053: PUSH1 0x01
00000055: DUP4
00000056: AND
00000057: ISZERO
00000058: PUSH2 0x0100
0000005b: MUL
0000005c: PUSH1 0x00
0000005e: NOT
0000005f: ADD
00000060: SWAP1
00000061: SWAP3
00000062: AND
00000063: SWAP2
00000064: SWAP1
00000065: SWAP2
00000066: DIV
00000067: PUSH1 0x1f
00000069: DUP2
0000006a: ADD
0000006b: DUP3
0000006c: SWAP1
0000006d: DIV
0000006e: SWAP1
0000006f: SWAP2
00000070: MUL
00000071: PUSH1 0x80
00000073: SWAP1
00000074: DUP2
00000075: ADD
00000076: PUSH1 0x40
00000078: MSTORE
00000079: PUSH1 0x60
0000007b: DUP3
0000007c: DUP2
0000007d: MSTORE
0000007e: SWAP3
0000007f: SWAP2
00000080: SWAP1
00000081: DUP3
00000082: DUP3
00000083: DUP1
00000084: ISZERO
00000085: PUSH2 0x0214
00000088: JUMPI
00000089: DUP1
0000008a: PUSH1 0x1f
0000008c: LT
0000008d: PUSH2 0x01e9
00000090: JUMPI
00000091: PUSH2 0x0100
00000094: DUP1
00000095: DUP4
00000096: SLOAD
00000097: DIV
00000098: MUL
00000099: DUP4
0000009a: MSTORE
0000009b: SWAP2
0000009c: PUSH1 0x20
0000009e: ADD
0000009f: SWAP2
000000a0: PUSH2 0x0214
000000a3: JUMP
000000a4: JUMPDEST
000000a5: PUSH2 0x01df
000000a8: PUSH1 0x02
000000aa: SLOAD
000000ab: PUSH1 0xff
000000ad: AND
000000ae: DUP2
000000af: JUMP
000000b0: JUMPDEST
000000b1: PUSH2 0x01df
000000b4: PUSH1 0x04
000000b6: CALLDATALOAD
000000b7: PUSH1 0x03
000000b9: PUSH1 0x20
000000bb: MSTORE
000000bc: PUSH1 0x00
000000be: SWAP1
000000bf: DUP2
000000c0: MSTORE
000000c1: PUSH1 0x40
000000c3: SWAP1
000000c4: KECCAK256
000000c5: SLOAD
000000c6: DUP2
000000c7: JUMP
000000c8: JUMPDEST
000000c9: PUSH2 0x0171
000000cc: PUSH1 0x01
000000ce: DUP1
000000cf: SLOAD
000000d0: PUSH1 0x20
000000d2: PUSH1 0x1f
000000d4: PUSH1 0x02
000000d6: PUSH1 0x00
000000d8: NOT
000000d9: PUSH2 0x0100
000000dc: DUP6
000000dd: DUP8
000000de: AND
000000df: ISZERO
000000e0: MUL
000000e1: ADD
000000e2: SWAP1
000000e3: SWAP4
000000e4: AND
000000e5: SWAP3
000000e6: SWAP1
000000e7: SWAP3
000000e8: DIV
000000e9: SWAP2
000000ea: DUP3
000000eb: ADD
000000ec: DUP2
000000ed: SWAP1
000000ee: DIV
000000ef: MUL
000000f0: PUSH1 0x80
000000f2: SWAP1
000000f3: DUP2
000000f4: ADD
000000f5: PUSH1 0x40
000000f7: MSTORE
000000f8: PUSH1 0x60
000000fa: DUP3
000000fb: DUP2
000000fc: MSTORE
000000fd: SWAP3
000000fe: SWAP2
000000ff: SWAP1
00000100: DUP3
00000101: DUP3
00000102: DUP1
00000103: ISZERO
00000104: PUSH2 0x0214
00000107: JUMPI
00000108: DUP1
00000109: PUSH1 0x1f
0000010b: LT
0000010c: PUSH2 0x01e9
0000010f: JUMPI
00000110: PUSH2 0x0100
00000113: DUP1
00000114: DUP4
00000115: SLOAD
00000116: DIV
00000117: MUL
00000118: DUP4
00000119: MSTORE
0000011a: SWAP2
0000011b: PUSH1 0x20
0000011d: ADD
0000011e: SWAP2
0000011f: PUSH2 0x0214
00000122: JUMP
00000123: JUMPDEST
00000124: PUSH2 0x0045
00000127: PUSH1 0x04
00000129: CALLDATALOAD
0000012a: PUSH1 0x24
0000012c: CALLDATALOAD
0000012d: PUSH1 0x01
0000012f: PUSH1 0xa0
00000131: PUSH1 0x02
00000133: EXP
00000134: SUB
00000135: CALLER
00000136: AND
00000137: PUSH1 0x00
00000139: SWAP1
0000013a: DUP2
0000013b: MSTORE
0000013c: PUSH1 0x03
0000013e: PUSH1 0x20
00000140: MSTORE
00000141: PUSH1 0x40
00000143: SWAP1
00000144: KECCAK256
00000145: SLOAD
00000146: DUP2
00000147: SWAP1
00000148: LT
00000149: DUP1
0000014a: PUSH2 0x0167
0000014d: JUMPI
0000014e: POP
0000014f: PUSH1 0x01
00000151: PUSH1 0xa0
00000153: PUSH1 0x02
00000155: EXP
00000156: SUB
00000157: DUP3
00000158: AND
00000159: PUSH1 0x00
0000015b: SWAP1
0000015c: DUP2
0000015d: MSTORE
0000015e: PUSH1 0x40
00000160: SWAP1
00000161: KECCAK256
00000162: SLOAD
00000163: DUP1
00000164: DUP3
00000165: ADD
00000166: LT
00000167: JUMPDEST
00000168: ISZERO
00000169: PUSH2 0x021c
0000016c: JUMPI
0000016d: PUSH2 0x0002
00000170: JUMP
00000171: JUMPDEST
00000172: PUSH1 0x40
00000174: MLOAD
00000175: DUP1
00000176: DUP1
00000177: PUSH1 0x20
00000179: ADD
0000017a: DUP3
0000017b: DUP2
0000017c: SUB
0000017d: DUP3
0000017e: MSTORE
0000017f: DUP4
00000180: DUP2
00000181: DUP2
00000182: MLOAD
00000183: DUP2
00000184: MSTORE
00000185: PUSH1 0x20
00000187: ADD
00000188: SWAP2
00000189: POP
0000018a: DUP1
0000018b: MLOAD
0000018c: SWAP1
0000018d: PUSH1 0x20
0000018f: ADD
00000190: SWAP1
00000191: DUP1
00000192: DUP4
00000193: DUP4
00000194: DUP3
00000195: SWAP1
00000196: PUSH1 0x00
00000198: PUSH1 0x04
0000019a: PUSH1 0x20
0000019c: DUP5
0000019d: PUSH1 0x1f
0000019f: ADD
000001a0: DIV
000001a1: PUSH1 0x0f
000001a3: MUL
000001a4: PUSH1 0x03
000001a6: ADD
000001a7: CALL
000001a8: POP
000001a9: SWAP1
000001aa: POP
000001ab: SWAP1
000001ac: DUP2
000001ad: ADD
000001ae: SWAP1
000001af: PUSH1 0x1f
000001b1: AND
000001b2: DUP1
000001b3: ISZERO
000001b4: PUSH2 0x01d1
000001b7: JUMPI
000001b8: DUP1
000001b9: DUP3
000001ba: SUB
000001bb: DUP1
000001bc: MLOAD
000001bd: PUSH1 0x01
000001bf: DUP4
000001c0: PUSH1 0x20
000001c2: SUB
000001c3: PUSH2 0x0100
000001c6: EXP
000001c7: SUB
000001c8: NOT
000001c9: AND
000001ca: DUP2
000001cb: MSTORE
000001cc: PUSH1 0x20
000001ce: ADD
000001cf: SWAP2
000001d0: POP
000001d1: JUMPDEST
000001d2: POP
000001d3: SWAP3
000001d4: POP
000001d5: POP
000001d6: POP
000001d7: PUSH1 0x40
000001d9: MLOAD
000001da: DUP1
000001db: SWAP2
000001dc: SUB
000001dd: SWAP1
000001de: RETURN
000001df: JUMPDEST
000001e0: PUSH1
0x60 000001e2: SWAP1 000001e3: DUP2 000001e4: MSTORE 000001e5: PUSH1 0x20 000001e7: SWAP1 000001e8: RETURN 000001e9: JUMPDEST 000001ea: DUP3 000001eb: ADD 000001ec: SWAP2 000001ed: SWAP1 000001ee: PUSH1 0x00 000001f0: MSTORE 000001f1: PUSH1 0x20 000001f3: PUSH1 0x00 000001f5: KECCAK256 000001f6: SWAP1 000001f7: JUMPDEST 000001f8: DUP2 000001f9: SLOAD 000001fa: DUP2 000001fb: MSTORE 000001fc: SWAP1 000001fd: PUSH1 0x01 000001ff: ADD 00000200: SWAP1 00000201: PUSH1 0x20 00000203: ADD 00000204: DUP1 00000205: DUP4 00000206: GT 00000207: PUSH2 0x01f7 0000020a: JUMPI 0000020b: DUP3 0000020c: SWAP1 0000020d: SUB 0000020e: PUSH1 0x1f 00000210: AND 00000211: DUP3 00000212: ADD 00000213: SWAP2 00000214: JUMPDEST 00000215: POP 00000216: POP 00000217: POP 00000218: POP 00000219: POP 0000021a: DUP2 0000021b: JUMP 0000021c: JUMPDEST 0000021d: DUP1 0000021e: PUSH1 0x03 00000220: PUSH1 0x00 00000222: POP 00000223: PUSH1 0x00 00000225: CALLER 00000226: PUSH1 0x01 00000228: PUSH1 0xa0 0000022a: PUSH1 0x02 0000022c: EXP 0000022d: SUB 0000022e: AND 0000022f: DUP2 00000230: MSTORE 00000231: PUSH1 0x20 00000233: ADD 00000234: SWAP1 00000235: DUP2 00000236: MSTORE 00000237: PUSH1 0x20 00000239: ADD 0000023a: PUSH1 0x00 0000023c: KECCAK256 0000023d: PUSH1 0x00 0000023f: DUP3 00000240: DUP3 00000241: DUP3 00000242: POP 00000243: SLOAD 00000244: SUB 00000245: SWAP3 00000246: POP 00000247: POP 00000248: DUP2 00000249: SWAP1 0000024a: SSTORE 0000024b: POP 0000024c: DUP1 0000024d: PUSH1 0x03 0000024f: PUSH1 0x00 00000251: POP 00000252: PUSH1 0x00 00000254: DUP5 00000255: PUSH1 0x01 00000257: PUSH1 0xa0 00000259: PUSH1 0x02 0000025b: EXP 0000025c: SUB 0000025d: AND 0000025e: DUP2 0000025f: MSTORE 00000260: PUSH1 0x20 00000262: ADD 00000263: SWAP1 00000264: DUP2 00000265: MSTORE 00000266: PUSH1 0x20 00000268: ADD 00000269: PUSH1 0x00 0000026b: KECCAK256 0000026c: PUSH1 0x00 0000026e: DUP3 0000026f: DUP3 00000270: DUP3 00000271: POP 00000272: SLOAD 00000273: ADD 00000274: SWAP3 00000275: POP 
00000276: POP 00000277: DUP2 00000278: SWAP1 00000279: SSTORE 0000027a: POP 0000027b: DUP2 0000027c: PUSH1 0x01 0000027e: PUSH1 0xa0 00000280: PUSH1 0x02 00000282: EXP 00000283: SUB 00000284: AND 00000285: CALLER 00000286: PUSH1 0x01 00000288: PUSH1 0xa0 0000028a: PUSH1 0x02 0000028c: EXP 0000028d: SUB 0000028e: AND 0000028f: PUSH32 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef 000002b0: DUP4 000002b1: PUSH1 0x40 000002b3: MLOAD 000002b4: DUP1 000002b5: DUP3 000002b6: DUP2 000002b7: MSTORE 000002b8: PUSH1 0x20 000002ba: ADD 000002bb: SWAP2 000002bc: POP 000002bd: POP 000002be: PUSH1 0x40 000002c0: MLOAD 000002c1: DUP1 000002c2: SWAP2 000002c3: SUB 000002c4: SWAP1 000002c5: LOG3 000002c6: POP 000002c7: POP 000002c8: JUMP
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | other | detector | Untrusted CALL target/value reachable | 60 | yes | yes |
trace_id: 0xf0a26eb03c85911d3e4b29247417fab5cd21810af82ba4bb0423192ed844015d
call_targets:
0x0000000000000000000000000000000000000004, 0x08b54d4f5877ee091e31e92523b9791df9efce93
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0xf0a26eb03c85911d3e4b29247417fab5cd21810af82ba4bb0423192ed844015d",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x08b54d4f5877ee091e31e92523b9791df9efce93"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x70a08231",
"selector": "0x70a08231",
"calldata_variants": [
"0x70a08231",
"0x70a082310000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x95d89b41",
"selector": "0x95d89b41",
"calldata_variants": [
"0x95d89b41",
"0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa9059cbb",
"selector": "0xa9059cbb",
"calldata_variants": [
"0xa9059cbb",
"0xa9059cbb0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 423,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 1,
"guards_detected": [],
"untrusted_call_count": 1
}
|
| high | other | detector | ETH value transfer possible | 55 | yes | yes |
trace_id: 0xf0a26eb03c85911d3e4b29247417fab5cd21810af82ba4bb0423192ed844015d
call_targets:
0x0000000000000000000000000000000000000004, 0x08b54d4f5877ee091e31e92523b9791df9efce93
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0xf0a26eb03c85911d3e4b29247417fab5cd21810af82ba4bb0423192ed844015d",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x08b54d4f5877ee091e31e92523b9791df9efce93"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x70a08231",
"selector": "0x70a08231",
"calldata_variants": [
"0x70a08231",
"0x70a082310000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x95d89b41",
"selector": "0x95d89b41",
"calldata_variants": [
"0x95d89b41",
"0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa9059cbb",
"selector": "0xa9059cbb",
"calldata_variants": [
"0xa9059cbb",
"0xa9059cbb0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 423,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 1,
"guards_detected": []
}
|
| low | other | codex | Contract appears to accept ETH but exposes no visible recovery path | 65 | no | — |
evidence_json{
"evidence": "The dispatcher falls through to `STOP` at `pc:0x45` for unknown selectors / plain calls, and the runtime bytecode contains no visible `CALLVALUE` guard at the dispatcher or inferred function entries. The bytecode bundle marks `is_proxy=false`, shows no `SELFDESTRUCT`, and infers only five token-style selectors, with no visible withdrawal selector.",
"locations": [
"pc:0x0",
"pc:0x45"
],
"recommendation": "If this contract can be changed, reject nonzero `msg.value` on all token functions and revert in the fallback/receive path. If it is immutable, document clearly that ETH must never be sent here and consider operational monitoring for accidental deposits.",
"exploit_scenario": "Because the runtime has no non-payable `CALLVALUE` checks, a user or integrating contract can send ETH to this token contract by mistake, either with empty calldata or alongside a token method call. The call will succeed, but no selector in the bundle suggests an owner-only rescue or withdrawal path, so the ETH may be permanently trapped."
}
|
| low | other | codex | Legacy silent-success semantics can mislead integrations | 65 | no | — |
evidence_json{
"evidence": "Selector `0xa9059cbb` dispatches to `pc:0x123`; after the balance updates and `Transfer` log, control returns to `pc:0x45` (`STOP`) instead of writing and returning a boolean. The default dispatcher path also ends at the same `STOP`, so unknown selectors succeed with empty returndata rather than reverting.",
"locations": [
"selector:0xa9059cbb",
"pc:0x123",
"pc:0x45"
],
"recommendation": "Integrations should use compatibility wrappers that tolerate no-return tokens only for known methods and should verify expected returndata for other token operations. If the contract is mutable, make the fallback revert and return an explicit `true` from `transfer`.",
"exploit_scenario": "An integrating contract that uses low-level calls and treats only the EVM success flag as authoritative can be misled by this token. Unsupported selectors fall into a successful `STOP`, and the inferred `transfer(address,uint256)` path updates storage then halts without returning the standard ABI-encoded `bool`. Depending on the caller's assumptions, this can cause stale approvals, phantom success, or accounting mismatches at the integration layer."
}
|