019b3836-39d7-7001-a2ca-2321dc5d26da
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 4151 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 4152 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 47760 | analysis.bundle | complete | 1 / 3 | 1 week ago |
| 47761 | capability.graph | complete | 1 / 3 | 1 week ago |
| 47762 | detector.run | complete | 1 / 3 | 1 week ago |
| 47763 | validation.fork | complete | 1 / 3 | 1 week ago |
| 113280 | report.consolidate | complete | 1 / 6 | 1 week ago |
No slither job recorded yet.
{"no_findings":false,"summary":"Bytecode-only review found a high-confidence reentrancy/accounting issue in the payable payout loop and a separate unchecked-CALL accounting risk. Selector names are unknown, so the conclusions below are based on control flow, storage usage, and the bundled detector evidence rather than verified source semantics.","findings":[{"severity":"high","category":"reentrancy","title":"Payout loop performs external ETH send before advancing queue/accounting state","exploit_scenario":"A participant can register a contract address as the payout recipient. When the contract later reaches that recipient in the payable/fallback-driven payout loop, the low-level CALL at pc:0x6e2 transfers ETH before the current payout record is finalized. The recipient contract can reenter the payable entry path during its fallback and execute against stale queue/balance state, potentially receiving multiple payouts or corrupting payout progression before pc:0x71e/pc:0x727 run.","recommendation":"Apply checks-effects-interactions in the payout path: update the owed amount / cursor before any external CALL, add a reentrancy guard around the payable entrypoint and payout routine, and prefer pull-based withdrawals over push payments.","evidence":"From bytecode only: the payable receive/fallback path jumps into the deposit/payout routine at pc:0x0453. That routine eventually loads a recipient from keccak-derived storage and issues a value-bearing CALL at pc:0x06e2. No guard was detected in the artifact. State changes appear after the external call: pc:0x071a..0x071e subtracts stored value and pc:0x0720..0x0727 increments the queue cursor in slot 0x04. Because authoritative state is updated after the CALL, reentrancy is plausible. This is reinforced by the detector bundle marking reachable untrusted CALLs with nonzero value and no detected guards.","locations":["pc:0x453","pc:0x6e2","pc:0x71e","pc:0x727"]},{"severity":"medium","category":"other","title":"Unchecked low-level ETH sends can silently desynchronize internal accounting from actual transfers","exploit_scenario":"If a payout target or the owner-like address stored in slot 0x05 is a contract that rejects ETH, runs out of gas, or otherwise returns failure, the CALL returns 0 but the contract continues execution. Internal balances/counters can still be decremented or advanced, leaving the queue or fee accounting inconsistent with real ETH movement and potentially causing skipped payouts or insolvency-like state.","recommendation":"Check the boolean result of each low-level CALL and revert on failure, or record failed sends as claimable credit that the recipient can withdraw later. Do not mutate accounting state unless the transfer succeeded.","evidence":"The value-bearing CALL sites at pc:0x04ee, pc:0x0527, pc:0x0564, and pc:0x06e2 all POP the success flag instead of branching on it. The bundled callsite evidence reports `returndata_checked: null` for the CALL examples. One CALL site at pc:0x03f4 appears to be a precompile/helper pattern and is excluded from this claim. At pc:0x052a..0x0533 and pc:0x0567..0x0570 storage slot 0x01 is updated after the CALL regardless of success, and after pc:0x06e2 the routine proceeds into post-payment accounting/cursor updates at pc:0x071a..0x0727 without any visible success check. Exact variable names are unknown from bytecode, but the bookkeeping-after-unchecked-call pattern is clear.","locations":["pc:0x4ee","pc:0x527","pc:0x564","pc:0x6e2"]}]}
OpenAI Codex v0.118.0 (research preview)
--------
workdir: /tmp/codex-l8gojlez
model: gpt-5.4
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: none
session id: 019d5c0b-1887-7ec1-97e0-f3e35cf14177
--------
user
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
warning: Codex could not find system bubblewrap on PATH. Please install bubblewrap with your package manager. Codex will use the vendored bubblewrap in the meantime.
→ Inspect BYTECODE_BUNDLE.json and identify contract architecture, entrypoints, and detector evidence
• Assess high-signal risks from bytecode evidence with conservative severity
• Produce JSON findings matching the required schema
exec
/bin/bash -lc "pwd && ls -la && rg --files -g 'BYTECODE_BUNDLE.json' -g 'AGENTS.md'" in /tmp/codex-l8gojlez
succeeded in 0ms:
/tmp/codex-l8gojlez
total 272
drwx------ 2 noahkuhn noahkuhn 4096 Apr 5 05:08 .
drwxrwxrwt 270 nobody nogroup 24576 Apr 5 05:08 ..
-rw-rw-r-- 1 noahkuhn noahkuhn 238328 Apr 5 05:08 BYTECODE_BUNDLE.json
-rw-rw-r-- 1 noahkuhn noahkuhn 815 Apr 5 05:08 codex-output-schema.json
BYTECODE_BUNDLE.json
exec
/bin/bash -lc 'cat codex-output-schema.json' in /tmp/codex-l8gojlez
succeeded in 0ms:
{"type": "object", "additionalProperties": false, "required": ["no_findings", "summary", "findings"], "properties": {"no_findings": {"type": "boolean"}, "summary": {"type": "string"}, "findings": {"type": "array", "items": {"type": "object", "additionalProperties": false, "required": ["severity", "category", "title", "evidence", "locations", "exploit_scenario", "recommendation"], "properties": {"severity": {"type": "string", "enum": ["info", "low", "medium", "high", "critical"]}, "category": {"type": "string", "enum": ["access_control", "reentrancy", "math", "oracle", "upgradeability", "auth", "other"]}, "title": {"type": "string"}, "exploit_scenario": {"type": "string"}, "recommendation": {"type": "string"}, "evidence": {"type": "string"}, "locations": {"type": "array", "items": {"type": "string"}}}}}}}
exec
/bin/bash -lc "jq 'keys' BYTECODE_BUNDLE.json" in /tmp/codex-l8gojlez
succeeded in 0ms:
[
"analysis_artifact",
"analysis_run",
"artifact",
"capability_graph",
"detector_findings",
"heuristics_summary"
]
exec
/bin/bash -lc "jq '.analysis_artifact | keys' BYTECODE_BUNDLE.json" in /tmp/codex-l8gojlez
succeeded in 0ms:
[
"address",
"artifact_hash",
"artifact_json",
"block_number",
"chain_id",
"codehash",
"created_at",
"id",
"updated_at",
"version"
]
exec
/bin/bash -lc "jq '.artifact | keys' BYTECODE_BUNDLE.json" in /tmp/codex-l8gojlez
succeeded in 0ms:
[
"codehash",
"compiler_json",
"implementation_address",
"is_proxy",
"runtime_bytecode",
"verified_source"
]
exec
/bin/bash -lc "jq '.detector_findings | length' BYTECODE_BUNDLE.json" in /tmp/codex-l8gojlez
succeeded in 0ms:
2
exec
/bin/bash -lc "jq '.heuristics_summary | keys' BYTECODE_BUNDLE.json" in /tmp/codex-l8gojlez
succeeded in 0ms:
[
"create2_count",
"delegatecall_count",
"flags",
"selfdestruct_count"
]
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json | (type), keys' BYTECODE_BUNDLE.json" in /tmp/codex-l8gojlez
succeeded in 0ms:
"object"
[
"auth",
"basic_blocks",
"callsites",
"cfg_edges",
"cfg_hash",
"dispatcher_type",
"function_entries",
"functions",
"selectors",
"sinks",
"storage",
"version"
]
exec
/bin/bash -lc "jq '.artifact | {is_proxy, implementation_address, codehash}' BYTECODE_BUNDLE.json" in /tmp/codex-l8gojlez
succeeded in 0ms:
{
"is_proxy": false,
"implementation_address": null,
"codehash": "0x6291d69f86f62322716234e4ab2d3449eca5bf0c3a31d6b69e332c708d5e6940"
}
exec
/bin/bash -lc "jq '.heuristics_summary' BYTECODE_BUNDLE.json" in /tmp/codex-l8gojlez
succeeded in 0ms:
{
"create2_count": 0,
"delegatecall_count": 0,
"flags": [],
"selfdestruct_count": 0
}
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json | {dispatcher_type, selectors, function_entries, auth, sinks}' BYTECODE_BUNDLE.json" in /tmp/codex-l8gojlez
succeeded in 0ms:
{
"dispatcher_type": "selector_jump_table",
"selectors": [
"0x09dfdc71",
"0x253459e3",
"0x4229616d",
"0x57d4021b",
"0x686f2c90",
"0x6fbaaa1e",
"0x8a5fb3ca",
"0x9dbc4f9b",
"0xa26dbf26",
"0xa6f9dae1",
"0xb4022950",
"0xced92670",
"0xd11f13df",
"0xfae14192"
],
"function_entries": [
{
"entry_pc": null,
"selector": "0x09dfdc71"
},
{
"entry_pc": 1110008173,
"selector": "0x253459e3"
},
{
"entry_pc": 1473511963,
"selector": "0x4229616d"
},
{
"entry_pc": 1752116368,
"selector": "0x57d4021b"
},
{
"entry_pc": 1874504222,
"selector": "0x686f2c90"
},
{
"entry_pc": 2321527754,
"selector": "0x6fbaaa1e"
},
{
"entry_pc": 2646364059,
"selector": "0x8a5fb3ca"
},
{
"entry_pc": 2725101350,
"selector": "0x9dbc4f9b"
},
{
"entry_pc": 2801392353,
"selector": "0xa26dbf26"
},
{
"entry_pc": 3020040528,
"selector": "0xa6f9dae1"
},
{
"entry_pc": 3470337648,
"selector": "0xb4022950"
},
{
"entry_pc": 3508474847,
"selector": "0xced92670"
},
{
"entry_pc": 4209066386,
"selector": "0xd11f13df"
},
{
"entry_pc": 948,
"selector": "0xfae14192"
}
],
"auth": {
"guards": []
},
"sinks": {
"call": 5,
"create": 0,
"create2": 0,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0,
"upgrade_slot_write_suspected": false
}
}
exec
/bin/bash -lc "jq '.detector_findings' BYTECODE_BUNDLE.json" in /tmp/codex-l8gojlez
succeeded in 0ms:
[
{
"confidence": 60,
"evidence_json": {
"call_count": 5,
"examples": [
{
"opcode": "CALL",
"pc": 1012,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 1262,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 1319,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": [],
"untrusted_call_count": 5
},
"normalized_json": {
"sink": "CALL"
},
"severity": "high",
"title": "Untrusted CALL target/value reachable",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x79c039d075bc3b86a7df63ebbe55fbc642b5220f"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x0bd962aa5597728bf8755c16d678e34d99c29f895104cf068b47fc71ee1acbcc",
"trace_mode": "callTracer"
}
},
{
"confidence": 55,
"evidence_json": {
"eth_value_calls": 5,
"examples": [
{
"opcode": "CALL",
"pc": 1012,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 1262,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 1319,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": []
},
"normalized_json": {
"sink": "CALL",
"value": "nonzero"
},
"severity": "high",
"title": "ETH value transfer possible",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x79c039d075bc3b86a7df63ebbe55fbc642b5220f"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x0bd962aa5597728bf8755c16d678e34d99c29f895104cf068b47fc71ee1acbcc",
"trace_mode": "callTracer"
}
}
]
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.functions | length' BYTECODE_BUNDLE.json" in /tmp/codex-l8gojlez
succeeded in 0ms:
14
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.functions[] | {selector, name, start_pc, end_pc, callsites: (.callsites|length), storage_reads: (.storage_reads|length), storage_writes: (.storage_writes|length)}' BYTECODE_BUNDLE.json" in /tmp/codex-l8gojlez
succeeded in 0ms:
{
"selector": "0x09dfdc71",
"name": null,
"start_pc": null,
"end_pc": null,
"callsites": 0,
"storage_reads": 0,
"storage_writes": 0
}
{
"selector": "0x253459e3",
"name": null,
"start_pc": null,
"end_pc": null,
"callsites": 0,
"storage_reads": 0,
"storage_writes": 0
}
{
"selector": "0x4229616d",
"name": null,
"start_pc": null,
"end_pc": null,
"callsites": 0,
"storage_reads": 0,
"storage_writes": 0
}
{
"selector": "0x57d4021b",
"name": null,
"start_pc": null,
"end_pc": null,
"callsites": 0,
"storage_reads": 0,
"storage_writes": 0
}
{
"selector": "0x686f2c90",
"name": null,
"start_pc": null,
"end_pc": null,
"callsites": 0,
"storage_reads": 0,
"storage_writes": 0
}
{
"selector": "0x6fbaaa1e",
"name": null,
"start_pc": null,
"end_pc": null,
"callsites": 0,
"storage_reads": 0,
"storage_writes": 0
}
{
"selector": "0x8a5fb3ca",
"name": null,
"start_pc": null,
"end_pc": null,
"callsites": 0,
"storage_reads": 0,
"storage_writes": 0
}
{
"selector": "0x9dbc4f9b",
"name": null,
"start_pc": null,
"end_pc": null,
"callsites": 0,
"storage_reads": 0,
"storage_writes": 0
}
{
"selector": "0xa26dbf26",
"name": null,
"start_pc": null,
"end_pc": null,
"callsites": 0,
"storage_reads": 0,
"storage_writes": 0
}
{
"selector": "0xa6f9dae1",
"name": null,
"start_pc": null,
"end_pc": null,
"callsites": 0,
"storage_reads": 0,
"storage_writes": 0
}
{
"selector": "0xb4022950",
"name": null,
"start_pc": null,
"end_pc": null,
"callsites": 0,
"storage_reads": 0,
"storage_writes": 0
}
{
"selector": "0xced92670",
"name": null,
"start_pc": null,
"end_pc": null,
"callsites": 0,
"storage_reads": 0,
"storage_writes": 0
}
{
"selector": "0xd11f13df",
"name": null,
"start_pc": null,
"end_pc": null,
"callsites": 0,
"storage_reads": 0,
"storage_writes": 0
}
{
"selector": "0xfae14192",
"name": null,
"start_pc": null,
"end_pc": null,
"callsites": 0,
"storage_reads": 0,
"storage_writes": 0
}
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.callsites' BYTECODE_BUNDLE.json" in /tmp/codex-l8gojlez
succeeded in 0ms:
[
{
"opcode": "CALL",
"pc": 1012,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 1262,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 1319,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 1380,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 1762,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
]
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.storage' BYTECODE_BUNDLE.json" in /tmp/codex-l8gojlez
succeeded in 0ms:
{
"keccak_count": 14,
"reads": 59,
"slots": [
{
"op": "SLOAD",
"pc": 202,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 276,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 315,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000005"
},
{
"op": "SLOAD",
"pc": 342,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 390,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000004"
},
{
"op": "SLOAD",
"pc": 435,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000005"
},
{
"op": "SLOAD",
"pc": 459,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 495,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
},
{
"op": "SLOAD",
"pc": 547,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 583,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000006"
},
{
"op": "SLOAD",
"pc": 598,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000006"
},
{
"op": "SLOAD",
"pc": 718,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000006"
},
{
"op": "SLOAD",
"pc": 732,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000005"
},
{
"op": "SLOAD",
"pc": 757,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000005"
},
{
"op": "SLOAD",
"pc": 783,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000005"
},
{
"op": "SLOAD",
"pc": 807,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 845,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000005"
},
{
"op": "SLOAD",
"pc": 895,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000006"
},
{
"op": "SLOAD",
"pc": 898,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000004"
},
{
"op": "SLOAD",
"pc": 914,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000005"
},
{
"op": "SLOAD",
"pc": 1111,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 1145,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000006"
},
{
"op": "SSTORE",
"pc": 1156,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 1232,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 1235,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000005"
},
{
"op": "SLOAD",
"pc": 1274,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 1290,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000005"
},
{
"op": "SLOAD",
"pc": 1325,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 1340,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 1343,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000005"
},
{
"op": "SLOAD",
"pc": 1386,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 1448,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
},
{
"op": "SLOAD",
"pc": 1491,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000006"
},
{
"op": "SSTORE",
"pc": 1504,
"slot": "0x00000000000000000000000000000000000000000000000000000000000000c8"
},
{
"op": "SLOAD",
"pc": 1516,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000006"
},
{
"op": "SSTORE",
"pc": 1529,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000096"
},
{
"op": "SLOAD",
"pc": 1534,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 1556,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 1570,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000004"
},
{
"op": "SLOAD",
"pc": 1574,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000006"
},
{
"op": "SLOAD",
"pc": 1635,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 1644,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000004"
},
{
"op": "SLOAD",
"pc": 1648,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000006"
},
{
"op": "SLOAD",
"pc": 1681,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000004"
},
{
"op": "SLOAD",
"pc": 1779,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000004"
},
{
"op": "SLOAD",
"pc": 1826,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000004"
}
],
"writes": 18
}
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.basic_blocks[0]' BYTECODE_BUNDLE.json" in /tmp/codex-l8gojlez
succeeded in 0ms:
{
"end_pc": 10,
"hash": "0xfd342fab7341c089cd1fdef11e74566bbd7ffa7ac4f4f86648f0fae109a15a10",
"opcodes": [
"PUSH1",
"PUSH1",
"MSTORE",
"CALLDATASIZE",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 0
}
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.basic_blocks[] | select(.start_pc <= 1012 and .end_pc >= 1012)' BYTECODE_BUNDLE.json" in /tmp/codex-l8gojlez
succeeded in 0ms:
{
"end_pc": 1028,
"hash": "0xac6829789d5fd30574f1962f5d0f19bcd46d8dfb4d74c4bf17dcefd7adfd442d",
"opcodes": [
"JUMPDEST",
"PUSH1",
"MLOAD",
"OP_80",
"OP_83",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_80",
"PUSH1",
"ADD",
"OP_82",
"OP_81",
"SUB",
"OP_82",
"MSTORE",
"OP_83",
"OP_81",
"OP_81",
"MLOAD",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP",
"OP_80",
"MLOAD",
"OP_90",
"PUSH1",
"ADD",
"OP_90",
"OP_80",
"OP_83",
"OP_83",
"OP_82",
"OP_90",
"PUSH1",
"PUSH1",
"PUSH1",
"OP_84",
"PUSH1",
"ADD",
"DIV",
"PUSH1",
"MUL",
"PUSH1",
"ADD",
"CALL",
"POP",
"OP_90",
"POP",
"OP_90",
"OP_81",
"ADD",
"OP_90",
"PUSH1",
"AND",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 952
}
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.basic_blocks[] | select(.start_pc <= 1262 and .end_pc >= 1262)' BYTECODE_BUNDLE.json" in /tmp/codex-l8gojlez
succeeded in 0ms:
{
"end_pc": 1270,
"hash": "0x42c7e49a03006b164b80eee9528d6ccefb2ea3d603703ec276ab51d3521533df",
"opcodes": [
"JUMPDEST",
"PUSH1",
"SLOAD",
"PUSH1",
"SLOAD",
"PUSH1",
"MLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"OP_91",
"OP_90",
"OP_91",
"AND",
"OP_91",
"PUSH1",
"OP_91",
"OP_82",
"OP_81",
"OP_81",
"OP_81",
"OP_85",
"OP_88",
"OP_83",
"CALL",
"POP",
"POP",
"POP",
"PUSH1",
"SSTORE",
"POP",
"JUMP"
],
"start_pc": 1229
}
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.basic_blocks[] | select(.start_pc <= 1319 and .end_pc >= 1319)' BYTECODE_BUNDLE.json" in /tmp/codex-l8gojlez
succeeded in 0ms:
{
"end_pc": 1335,
"hash": "0x11d03c704a27e9d961ee59028b5e6d29c6c1681f0341e7000f7d63c69a79aad3",
"opcodes": [
"JUMPDEST",
"PUSH1",
"SLOAD",
"PUSH1",
"MLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"OP_91",
"OP_90",
"OP_91",
"AND",
"OP_90",
"PUSH1",
"OP_90",
"OP_83",
"OP_90",
"OP_82",
"OP_81",
"OP_81",
"OP_81",
"OP_85",
"OP_88",
"OP_83",
"CALL",
"POP",
"POP",
"PUSH1",
"OP_80",
"SLOAD",
"OP_91",
"OP_90",
"OP_91",
"SUB",
"OP_90",
"SSTORE",
"POP",
"POP",
"POP",
"JUMP"
],
"start_pc": 1287
}
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.basic_blocks[] | select(.start_pc <= 1380 and .end_pc >= 1380)' BYTECODE_BUNDLE.json" in /tmp/codex-l8gojlez
succeeded in 0ms:
{
"end_pc": 1394,
"hash": "0xa4a9b27efc706a8a95f51d83d86ba79b95ab8358b14215787488e1d7344fd5c3",
"opcodes": [
"JUMPDEST",
"POP",
"PUSH1",
"SLOAD",
"PUSH1",
"SLOAD",
"PUSH1",
"MLOAD",
"PUSH1",
"OP_90",
"OP_92",
"DIV",
"OP_83",
"MUL",
"OP_91",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"OP_91",
"OP_90",
"OP_91",
"AND",
"OP_90",
"PUSH1",
"OP_90",
"OP_83",
"OP_90",
"OP_82",
"OP_81",
"OP_81",
"OP_81",
"OP_85",
"OP_88",
"OP_83",
"CALL",
"POP",
"POP",
"PUSH1",
"OP_80",
"SLOAD",
"OP_91",
"OP_90",
"OP_91",
"SUB",
"OP_90",
"SSTORE",
"POP",
"POP"
],
"start_pc": 1336
}
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.basic_blocks[] | select(.start_pc <= 1762 and .end_pc >= 1762)' BYTECODE_BUNDLE.json" in /tmp/codex-l8gojlez
succeeded in 0ms:
{
"end_pc": 1788,
"hash": "0xf07048ee95a23422602cf676da28673ac324dbcc6de4dd7f0e7f7faa232caafc",
"opcodes": [
"PUSH1",
"MUL",
"PUSH32",
"ADD",
"SLOAD",
"PUSH1",
"MLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"OP_91",
"OP_90",
"OP_91",
"AND",
"OP_91",
"POP",
"PUSH1",
"OP_90",
"OP_83",
"OP_90",
"OP_82",
"OP_81",
"OP_81",
"OP_81",
"OP_85",
"OP_88",
"OP_83",
"CALL",
"OP_93",
"POP",
"POP",
"POP",
"POP",
"POP",
"PUSH1",
"PUSH1",
"POP",
"PUSH1",
"PUSH1",
"POP",
"SLOAD",
"OP_81",
"SLOAD",
"OP_81",
"LT",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 1695
}
exec
/bin/bash -lc 'which cast || true
which evm || true
which hevm || true
which forge || true
which python3 || true' in /tmp/codex-l8gojlez
succeeded in 0ms:
/home/noahkuhn/.foundry/bin/cast
/home/noahkuhn/.foundry/bin/forge
/var/www/tripwire/.venv/bin/python3
exec
/bin/bash -lc "cast --help | sed -n '1,120p'" in /tmp/codex-l8gojlez
succeeded in 0ms:
A Swiss Army knife for interacting with Ethereum applications from the command line
Usage: cast [OPTIONS] <COMMAND>
Commands:
4byte Get the function signatures for the given selector from
<https://openchain.xyz> [aliases: 4, 4b]
4byte-calldata Decode ABI-encoded calldata using <https://openchain.xyz> [aliases: 4c,
4bc]
4byte-event Get the event signature for a given topic 0 from <https://openchain.xyz>
[aliases: 4e, 4be, topic0-event, t0e]
abi-encode ABI encode the given function argument, excluding the selector [aliases:
ae]
abi-encode-event ABI encode an event and its arguments to generate topics and data [aliases:
aee]
access-list Create an access list for a transaction [aliases: ac, acl]
address-zero Prints the zero address [aliases: --address-zero, az]
admin Fetch the EIP-1967 admin account [aliases: adm]
age Get the timestamp of a block [aliases: a]
artifact Generate an artifact file, that can be used to deploy a contract locally
[aliases: ar]
b2e-payload Convert Beacon payload to execution payload [aliases: b2e]
balance Get the balance of an account in wei [aliases: b]
base-fee Get the basefee of a block [aliases: ba, fee, basefee]
bind Generate a rust binding from a given ABI [aliases: bi]
block Get information about a block [aliases: bl]
block-number Get the latest block number [aliases: bn]
call Perform a call on an account without publishing a transaction [aliases: c]
calldata ABI-encode a function with arguments [aliases: cd]
chain Get the symbolic name of the current chain
chain-id Get the Ethereum chain ID [aliases: ci, cid]
client Get the current client version [aliases: cl]
code Get the runtime bytecode of a contract [aliases: co]
codehash Get the codehash for an account
codesize Get the runtime bytecode size of a contract [aliases: cs]
completions Generate shell completions script [aliases: com]
compute-address Compute the contract address from a given nonce and deployer address
[aliases: ca]
concat-hex Concatenate hex strings [aliases: --concat-hex, ch]
constructor-args Display constructor arguments used for the contract initialization
[aliases: cra]
create2 Generate a deterministic contract address using CREATE2 [aliases: c2]
creation-code Download a contract creation code from Etherscan and RPC [aliases: cc]
da-estimate Estimates the data availability size of a given opstack block
decode-abi Decode ABI-encoded input or output data [aliases: abi-decode, --abi-decode,
ad]
decode-calldata Decode ABI-encoded input data [aliases: calldata-decode, --calldata-decode,
cdd]
decode-error Decode custom error data [aliases: error-decode, --error-decode, erd]
decode-event Decode event data [aliases: event-decode, --event-decode, ed]
decode-string Decode ABI-encoded string [aliases: string-decode, --string-decode, sd]
decode-transaction Decodes a raw signed EIP 2718 typed transaction [aliases: dt, decode-tx]
disassemble Disassembles a hex-encoded bytecode into a human-readable representation
[aliases: da]
erc20-token ERC20 token operations [aliases: erc20]
estimate Estimate the gas cost of a transaction [aliases: e]
find-block Get the block number closest to the provided timestamp [aliases: f]
format-bytes32-string Formats a string into bytes32 encoding [aliases: --format-bytes32-string]
format-units Format a number from smallest unit to decimal with arbitrary decimals
[aliases: --format-units, fun]
from-bin Convert binary data into hex data [aliases: --from-bin, from-binx, fb]
from-fixed-point Convert a fixed point number into an integer [aliases: --from-fix, ff]
from-rlp Decodes RLP hex-encoded data [aliases: --from-rlp]
from-utf8 Convert UTF8 text to hex [aliases: --from-ascii, --from-utf8, from-ascii,
fu, fa]
from-wei Convert wei into an ETH amount [aliases: --from-wei, fw]
gas-price Get the current gas price [aliases: g]
hash-message Hash a message according to EIP-191 [aliases: --hash-message, hm]
hash-zero Prints the zero hash [aliases: --hash-zero, hz]
help Print this message or the help of the given subcommand(s)
implementation Fetch the EIP-1967 implementation for a contract Can read from the
implementation slot or the beacon slot [aliases: impl]
index Compute the storage slot for an entry in a mapping [aliases: in]
index-erc7201 Compute storage slots as specified by `ERC-7201: Namespaced Storage Layout`
[aliases: index7201, in7201]
interface Generate a Solidity interface from a given ABI [aliases: i]
keccak Hash arbitrary data using Keccak-256 [aliases: k, keccak256]
logs Get logs by signature or topic [aliases: l]
lookup-address Perform an ENS reverse lookup [aliases: la]
max-int Prints the maximum value of the given integer type [aliases: --max-int,
maxi]
max-uint Prints the maximum value of the given integer type [aliases: --max-uint,
maxu]
min-int Prints the minimum value of the given integer type [aliases: --min-int,
mini]
mktx Build and sign a transaction [aliases: m]
namehash Calculate the ENS namehash of a name [aliases: na, nh]
nonce Get the nonce for an account [aliases: n]
pad Pads hex data to a specified length [aliases: pd]
parse-bytes32-address Parses a checksummed address from bytes32 encoding. [aliases:
--parse-bytes32-address]
parse-bytes32-string Parses a string from bytes32 encoding [aliases: --parse-bytes32-string]
parse-units Convert a number from decimal to smallest unit with arbitrary decimals
[aliases: --parse-units, pun]
pretty-calldata Pretty print calldata [aliases: pc]
proof Generate a storage proof for a given storage slot [aliases: pr]
publish Publish a raw transaction to the network [aliases: p]
receipt Get the transaction receipt for a transaction [aliases: re]
recover-authority Recovery an EIP-7702 authority from a Authorization JSON string [aliases:
decode-auth]
resolve-name Perform an ENS lookup [aliases: rn]
rpc Perform a raw JSON-RPC request [aliases: rp]
run Runs a published transaction in a local environment and prints the trace
[aliases: r]
selectors Extracts function selectors and arguments from bytecode [aliases: sel]
send Sign and publish a transaction [aliases: s]
shl Perform a left shifting operation
shr Perform a right shifting operation
sig Get the selector for a function [aliases: si]
sig-event Generate event signatures from event string [aliases: se]
source Get the source code of a contract from a block explorer [aliases: et, src]
storage Get the raw value of a contract's storage slot [aliases: st]
storage-root Get the storage root for an account [aliases: sr]
to-ascii Convert hex data to an ASCII string [aliases: --to-ascii, tas, 2as]
to-base Converts a number of one base to another [aliases: --to-base, --to-radix,
to-radix, tr, 2r]
to-bytes32 Right-pads hex data to 32 bytes [aliases: --to-bytes32, tb, 2b]
to-check-sum-address Convert an address to a checksummed format (EIP-55) [aliases:
--to-checksum-address, --to-checksum, to-checksum, ta, 2a]
to-dec Converts a number of one base to decimal [aliases: --to-dec, td, 2d]
exec
/bin/bash -lc "jq -r '.artifact.runtime_bytecode' BYTECODE_BUNDLE.json | head -c 80 && echo" in /tmp/codex-l8gojlez
succeeded in 0ms:
{
"full": "0x606060405236156100ae5760e060020a600035046309dfdc7181146100d257806
exec
/bin/bash -lc "jq '.artifact.runtime_bytecode | keys' BYTECODE_BUNDLE.json" in /tmp/codex-l8gojlez
succeeded in 0ms:
[
"full",
"head",
"length",
"tail",
"truncated"
]
exec
/bin/bash -lc "python3 - <<'PY'
import json, subprocess, textwrap
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
bytecode=data['artifact']['runtime_bytecode']['full']
open('/tmp/codex-l8gojlez/runtime.hex','w').write(bytecode)
PY
cast disassemble "'$(cat /tmp/codex-l8gojlez/runtime.hex) | sed -n '"'980,1060p'" in /tmp/codex-l8gojlez
succeeded in 0ms:
Traceback (most recent call last):
File "<stdin>", line 5, in <module>
OSError: [Errno 30] Read-only file system: '/tmp/codex-l8gojlez/runtime.hex'
cat: /tmp/codex-l8gojlez/runtime.hex: No such file or directory
exec
/bin/bash -lc 'cast disassemble "$(jq -r '"'.artifact.runtime_bytecode.full' BYTECODE_BUNDLE.json)\" | sed -n '980,1060p'" in /tmp/codex-l8gojlez
succeeded in 0ms:
00000594: ADD
00000595: PUSH1 0x00
00000597: POP
00000598: PUSH1 0x40
0000059a: DUP1
0000059b: MLOAD
0000059c: DUP1
0000059d: DUP3
0000059e: ADD
0000059f: SWAP1
000005a0: SWAP2
000005a1: MSTORE
000005a2: CALLER
000005a3: DUP1
000005a4: DUP3
000005a5: MSTORE
000005a6: PUSH1 0x03
000005a8: SLOAD
000005a9: PUSH1 0x64
000005ab: CALLVALUE
000005ac: SWAP2
000005ad: SWAP1
000005ae: SWAP2
000005af: MUL
000005b0: DIV
000005b1: PUSH1 0x20
000005b3: SWAP3
000005b4: SWAP1
000005b5: SWAP3
000005b6: ADD
000005b7: DUP3
000005b8: SWAP1
000005b9: MSTORE
000005ba: DUP3
000005bb: SLOAD
000005bc: PUSH1 0x01
000005be: PUSH1 0xa0
000005c0: PUSH1 0x02
000005c2: EXP
000005c3: SUB
000005c4: NOT
000005c5: AND
000005c6: OR
000005c7: DUP3
000005c8: SSTORE
000005c9: PUSH1 0x01
000005cb: SWAP2
000005cc: SWAP1
000005cd: SWAP2
000005ce: ADD
000005cf: SSTORE
000005d0: POP
000005d1: PUSH1 0x06
000005d3: SLOAD
000005d4: PUSH1 0x0a
000005d6: EQ
000005d7: ISZERO
000005d8: PUSH2 0x05e9
000005db: JUMPI
000005dc: PUSH1 0xc8
000005de: PUSH1 0x03
000005e0: SSTORE
000005e1: PUSH2 0x05fa
000005e4: JUMP
000005e5: JUMPDEST
000005e6: POP
000005e7: SWAP1
000005e8: JUMP
000005e9: JUMPDEST
000005ea: PUSH1 0x06
000005ec: SLOAD
000005ed: PUSH1 0x19
000005ef: EQ
000005f0: ISZERO
000005f1: PUSH2 0x05fa
000005f4: JUMPI
000005f5: PUSH1 0x96
000005f7: PUSH1 0x03
000005f9: SSTORE
000005fa: JUMPDEST
000005fb: PUSH1 0x00
exec
/bin/bash -lc 'cast disassemble "$(jq -r '"'.artifact.runtime_bytecode.full' BYTECODE_BUNDLE.json)\" | rg -n \"000003(e|f)|000004(0|1)|000004e|0000050|0000052|0000056|000006e|000006f\"" in /tmp/codex-l8gojlez
succeeded in 0ms:
33:0000003f: JUMPI
34:00000040: DUP1
35:00000041: PUSH4 0x686f2c90
42:00000052: PUSH2 0x01d8
44:00000056: DUP1
639:000003e0: DUP4
640:000003e1: DUP3
641:000003e2: SWAP1
642:000003e3: PUSH1 0x00
643:000003e5: PUSH1 0x04
644:000003e7: PUSH1 0x20
645:000003e9: DUP5
646:000003ea: PUSH1 0x1f
647:000003ec: ADD
648:000003ed: DIV
649:000003ee: PUSH1 0x0f
650:000003f0: MUL
651:000003f1: PUSH1 0x03
652:000003f3: ADD
653:000003f4: CALL
654:000003f5: POP
655:000003f6: SWAP1
656:000003f7: POP
657:000003f8: SWAP1
658:000003f9: DUP2
659:000003fa: ADD
660:000003fb: SWAP1
661:000003fc: PUSH1 0x1f
662:000003fe: AND
663:000003ff: DUP1
664:00000400: ISZERO
665:00000401: PUSH2 0x041e
666:00000404: JUMPI
667:00000405: DUP1
668:00000406: DUP3
669:00000407: SUB
670:00000408: DUP1
671:00000409: MLOAD
672:0000040a: PUSH1 0x01
673:0000040c: DUP4
674:0000040d: PUSH1 0x20
675:0000040f: SUB
676:00000410: PUSH2 0x0100
677:00000413: EXP
678:00000414: SUB
679:00000415: NOT
680:00000416: AND
681:00000417: DUP2
682:00000418: MSTORE
683:00000419: PUSH1 0x20
684:0000041b: ADD
685:0000041c: SWAP2
686:0000041d: POP
687:0000041e: JUMPDEST
688:0000041f: POP
830:000004e0: SWAP1
831:000004e1: SWAP2
832:000004e2: AND
833:000004e3: SWAP2
834:000004e4: PUSH1 0x00
835:000004e6: SWAP2
836:000004e7: DUP3
837:000004e8: DUP2
838:000004e9: DUP2
839:000004ea: DUP2
840:000004eb: DUP6
841:000004ec: DUP9
842:000004ed: DUP4
843:000004ee: CALL
844:000004ef: POP
858:00000502: JUMPI
859:00000503: PUSH2 0x0002
860:00000506: JUMP
861:00000507: JUMPDEST
862:00000508: PUSH1 0x05
863:0000050a: SLOAD
864:0000050b: PUSH1 0x40
865:0000050d: MLOAD
866:0000050e: PUSH1 0x01
880:00000520: DUP3
881:00000521: DUP2
882:00000522: DUP2
883:00000523: DUP2
884:00000524: DUP6
885:00000525: DUP9
886:00000526: DUP4
887:00000527: CALL
888:00000528: POP
889:00000529: POP
890:0000052a: PUSH1 0x01
891:0000052c: DUP1
892:0000052d: SLOAD
893:0000052e: SWAP2
894:0000052f: SWAP1
935:00000560: DUP2
936:00000561: DUP6
937:00000562: DUP9
938:00000563: DUP4
939:00000564: CALL
940:00000565: POP
941:00000566: POP
942:00000567: PUSH1 0x01
943:00000569: DUP1
944:0000056a: SLOAD
945:0000056b: SWAP2
946:0000056c: SWAP1
947:0000056d: SWAP2
948:0000056e: SUB
949:0000056f: SWAP1
1194:000006e0: DUP9
1195:000006e1: DUP4
1196:000006e2: CALL
1197:000006e3: SWAP4
1198:000006e4: POP
1199:000006e5: POP
1200:000006e6: POP
1201:000006e7: POP
1202:000006e8: POP
1203:000006e9: PUSH1 0x06
1204:000006eb: PUSH1 0x00
1205:000006ed: POP
1206:000006ee: PUSH1 0x04
1207:000006f0: PUSH1 0x00
1208:000006f2: POP
1209:000006f3: SLOAD
1210:000006f4: DUP2
1211:000006f5: SLOAD
1212:000006f6: DUP2
1213:000006f7: LT
1214:000006f8: ISZERO
1215:000006f9: PUSH2 0x0002
1216:000006fc: JUMPI
1217:000006fd: PUSH1 0x00
1218:000006ff: SWAP2
exec
/bin/bash -lc 'cast disassemble "$(jq -r '"'.artifact.runtime_bytecode.full' BYTECODE_BUNDLE.json)\" | sed -n '620,710p;820,960p;1170,1235p'" in /tmp/codex-l8gojlez
succeeded in 0ms:
000003cb: MSTORE
000003cc: DUP4
000003cd: DUP2
000003ce: DUP2
000003cf: MLOAD
000003d0: DUP2
000003d1: MSTORE
000003d2: PUSH1 0x20
000003d4: ADD
000003d5: SWAP2
000003d6: POP
000003d7: DUP1
000003d8: MLOAD
000003d9: SWAP1
000003da: PUSH1 0x20
000003dc: ADD
000003dd: SWAP1
000003de: DUP1
000003df: DUP4
000003e0: DUP4
000003e1: DUP3
000003e2: SWAP1
000003e3: PUSH1 0x00
000003e5: PUSH1 0x04
000003e7: PUSH1 0x20
000003e9: DUP5
000003ea: PUSH1 0x1f
000003ec: ADD
000003ed: DIV
000003ee: PUSH1 0x0f
000003f0: MUL
000003f1: PUSH1 0x03
000003f3: ADD
000003f4: CALL
000003f5: POP
000003f6: SWAP1
000003f7: POP
000003f8: SWAP1
000003f9: DUP2
000003fa: ADD
000003fb: SWAP1
000003fc: PUSH1 0x1f
000003fe: AND
000003ff: DUP1
00000400: ISZERO
00000401: PUSH2 0x041e
00000404: JUMPI
00000405: DUP1
00000406: DUP3
00000407: SUB
00000408: DUP1
00000409: MLOAD
0000040a: PUSH1 0x01
0000040c: DUP4
0000040d: PUSH1 0x20
0000040f: SUB
00000410: PUSH2 0x0100
00000413: EXP
00000414: SUB
00000415: NOT
00000416: AND
00000417: DUP2
00000418: MSTORE
00000419: PUSH1 0x20
0000041b: ADD
0000041c: SWAP2
0000041d: POP
0000041e: JUMPDEST
0000041f: POP
00000420: SWAP4
00000421: POP
00000422: POP
00000423: POP
00000424: POP
00000425: PUSH1 0x40
00000427: MLOAD
00000428: DUP1
00000429: SWAP2
0000042a: SUB
0000042b: SWAP1
0000042c: RETURN
0000042d: JUMPDEST
0000042e: PUSH1 0x40
00000430: MLOAD
00000431: DUP1
00000432: DUP4
00000433: PUSH1 0x01
00000435: PUSH1 0xa0
00000437: PUSH1 0x02
00000439: EXP
0000043a: SUB
000004d1: PUSH1 0x05
000004d3: SLOAD
000004d4: PUSH1 0x40
000004d6: MLOAD
000004d7: PUSH1 0x01
000004d9: PUSH1 0xa0
000004db: PUSH1 0x02
000004dd: EXP
000004de: SUB
000004df: SWAP2
000004e0: SWAP1
000004e1: SWAP2
000004e2: AND
000004e3: SWAP2
000004e4: PUSH1 0x00
000004e6: SWAP2
000004e7: DUP3
000004e8: DUP2
000004e9: DUP2
000004ea: DUP2
000004eb: DUP6
000004ec: DUP9
000004ed: DUP4
000004ee: CALL
000004ef: POP
000004f0: POP
000004f1: POP
000004f2: PUSH1 0x01
000004f4: SSTORE
000004f5: POP
000004f6: JUMP
000004f7: JUMPDEST
000004f8: PUSH1 0x01
000004fa: SLOAD
000004fb: PUSH1 0x00
000004fd: EQ
000004fe: ISZERO
000004ff: PUSH2 0x0507
00000502: JUMPI
00000503: PUSH2 0x0002
00000506: JUMP
00000507: JUMPDEST
00000508: PUSH1 0x05
0000050a: SLOAD
0000050b: PUSH1 0x40
0000050d: MLOAD
0000050e: PUSH1 0x01
00000510: PUSH1 0xa0
00000512: PUSH1 0x02
00000514: EXP
00000515: SUB
00000516: SWAP2
00000517: SWAP1
00000518: SWAP2
00000519: AND
0000051a: SWAP1
0000051b: PUSH1 0x00
0000051d: SWAP1
0000051e: DUP4
0000051f: SWAP1
00000520: DUP3
00000521: DUP2
00000522: DUP2
00000523: DUP2
00000524: DUP6
00000525: DUP9
00000526: DUP4
00000527: CALL
00000528: POP
00000529: POP
0000052a: PUSH1 0x01
0000052c: DUP1
0000052d: SLOAD
0000052e: SWAP2
0000052f: SWAP1
00000530: SWAP2
00000531: SUB
00000532: SWAP1
00000533: SSTORE
00000534: POP
00000535: POP
00000536: POP
00000537: JUMP
00000538: JUMPDEST
00000539: POP
0000053a: PUSH1 0x01
0000053c: SLOAD
0000053d: PUSH1 0x05
0000053f: SLOAD
00000540: PUSH1 0x40
00000542: MLOAD
00000543: PUSH1 0x64
00000545: SWAP1
00000546: SWAP3
00000547: DIV
00000548: DUP4
00000549: MUL
0000054a: SWAP2
0000054b: PUSH1 0x01
0000054d: PUSH1 0xa0
0000054f: PUSH1 0x02
00000551: EXP
00000552: SUB
00000553: SWAP2
00000554: SWAP1
00000555: SWAP2
00000556: AND
00000557: SWAP1
00000558: PUSH1 0x00
0000055a: SWAP1
0000055b: DUP4
0000055c: SWAP1
0000055d: DUP3
0000055e: DUP2
0000055f: DUP2
00000560: DUP2
00000561: DUP6
00000562: DUP9
00000563: DUP4
00000564: CALL
00000565: POP
00000566: POP
00000567: PUSH1 0x01
00000569: DUP1
0000056a: SLOAD
0000056b: SWAP2
0000056c: SWAP1
0000056d: SWAP2
0000056e: SUB
0000056f: SWAP1
00000570: SSTORE
00000571: POP
00000572: POP
00000573: JUMPDEST
00000574: POP
00000575: POP
00000576: JUMP
00000577: JUMPDEST
00000578: PUSH1 0x03
0000057a: SSTORE
0000057b: JUMP
000006c3: ADD
000006c4: SLOAD
000006c5: PUSH1 0x40
000006c7: MLOAD
000006c8: PUSH1 0x01
000006ca: PUSH1 0xa0
000006cc: PUSH1 0x02
000006ce: EXP
000006cf: SUB
000006d0: SWAP2
000006d1: SWAP1
000006d2: SWAP2
000006d3: AND
000006d4: SWAP2
000006d5: POP
000006d6: PUSH1 0x00
000006d8: SWAP1
000006d9: DUP4
000006da: SWAP1
000006db: DUP3
000006dc: DUP2
000006dd: DUP2
000006de: DUP2
000006df: DUP6
000006e0: DUP9
000006e1: DUP4
000006e2: CALL
000006e3: SWAP4
000006e4: POP
000006e5: POP
000006e6: POP
000006e7: POP
000006e8: POP
000006e9: PUSH1 0x06
000006eb: PUSH1 0x00
000006ed: POP
000006ee: PUSH1 0x04
000006f0: PUSH1 0x00
000006f2: POP
000006f3: SLOAD
000006f4: DUP2
000006f5: SLOAD
000006f6: DUP2
000006f7: LT
000006f8: ISZERO
000006f9: PUSH2 0x0002
000006fc: JUMPI
000006fd: PUSH1 0x00
000006ff: SWAP2
00000700: DUP3
00000701: MSTORE
00000702: DUP2
00000703: SLOAD
00000704: PUSH1 0x02
00000706: SWAP2
00000707: SWAP1
00000708: SWAP2
00000709: MUL
0000070a: PUSH1 0x00
0000070c: DUP1
0000070d: MLOAD
0000070e: PUSH1 0x20
00000710: PUSH2 0x0999
00000713: DUP4
00000714: CODECOPY
00000715: DUP2
exec
/bin/bash -lc 'cast selectors "$(jq -r '"'.artifact.runtime_bytecode.full' BYTECODE_BUNDLE.json)\"" in /tmp/codex-l8gojlez
succeeded in 0ms:
0x09dfdc71 payable
0x253459e3 payable
0x4229616d uint256 payable
0x57d4021b payable
0x686f2c90 payable
0x6fbaaa1e payable
0x8a5fb3ca payable
0x9dbc4f9b uint256 payable
0xa26dbf26 payable
0xa6f9dae1 uint256 payable
0xb4022950 uint256 payable
0xced92670 uint256 payable
0xd11f13df payable
0xfae14192 uint256 payable
exec
/bin/bash -lc "python3 - <<'PY'
import json,re,binascii
with open('BYTECODE_BUNDLE.json') as f:
bc=json.load(f)['artifact']['runtime_bytecode']['full'][2:]
bs=bytes.fromhex(bc)
for m in re.finditer(rb'[ -~]{4,}', bs):
s=m.group().decode('ascii', 'ignore')
print(hex(m.start()), s)
PY" in /tmp/codex-l8gojlez
succeeded in 0ms:
0x0 ```@R6
0x20 c%4Y
0x2b cB)am
0x41 cho,
0xce U[PV[`@
0x15c cWP`d
0x19b Q` a
0x2ab WPP`
0x2b5 Q` a
0x2d1 V[a
0x303 UPV[a
0x36b rWP`x
0x387 V[a
0x3b6 [V[`@Q
0x421 PPPP`@Q
0x42d [`@Q
0x448 PPP`@Q
0x497 R` `
0x4d3 T`@Q`
0x4ef PPP`
0x4f4 UPV[`
0x50a T`@Q`
0x533 UPPPV[P`
0x53f T`@Q`d
0x570 UPP[PPV[`
0x57a UV[`
0x57f UV[PPP
0x58a R` `
0x5a8 T`d4
0x681 Q` a
0x6c4 T`@Q`
0x6e4 PPPPP`
0x70d Q` a
0x72b VShown in % form. Fee is halved(50%) for amounts equal or greater than 50 ethers. (Fee may change, but is capped to a maximum of 10%)All balance values are measured in Ethers, note that due to no decimal placing, these values show up as integers only, within the contract itself you will get the exact decimal value you are supposed toThis multiplier applies to you as soon as transaction is received, may be lowered to hasten payouts or increased if payouts are fast enough. Due to no float or decimals, multiplier is x100 for a fractional multiplier e.g. 250 is actually a 2.5x multiplier. Capped at 3x max and 1.2x min.
exec
/bin/bash -lc "python3 - <<'PY'
import json,re
with open('BYTECODE_BUNDLE.json') as f:
bc=json.load(f)['artifact']['runtime_bytecode']['full'][2:]
bs=bytes.fromhex(bc)
for m in re.finditer(rb'[ -~]{20,}', bs):
print(hex(m.start()), m.group().decode('ascii', 'ignore'))
PY" in /tmp/codex-l8gojlez
succeeded in 0ms:
0x72b VShown in % form. Fee is halved(50%) for amounts equal or greater than 50 ethers. (Fee may change, but is capped to a maximum of 10%)All balance values are measured in Ethers, note that due to no decimal placing, these values show up as integers only, within the contract itself you will get the exact decimal value you are supposed toThis multiplier applies to you as soon as transaction is received, may be lowered to hasten payouts or increased if payouts are fast enough. Due to no float or decimals, multiplier is x100 for a fractional multiplier e.g. 250 is actually a 2.5x multiplier. Capped at 3x max and 1.2x min.
exec
/bin/bash -lc 'cast disassemble "$(jq -r '"'.artifact.runtime_bytecode.full' BYTECODE_BUNDLE.json)\" | sed -n '1,220p'" in /tmp/codex-l8gojlez
succeeded in 0ms:
00000000: PUSH1 0x60
00000002: PUSH1 0x40
00000004: MSTORE
00000005: CALLDATASIZE
00000006: ISZERO
00000007: PUSH2 0x00ae
0000000a: JUMPI
0000000b: PUSH1 0xe0
0000000d: PUSH1 0x02
0000000f: EXP
00000010: PUSH1 0x00
00000012: CALLDATALOAD
00000013: DIV
00000014: PUSH4 0x09dfdc71
00000019: DUP2
0000001a: EQ
0000001b: PUSH2 0x00d2
0000001e: JUMPI
0000001f: DUP1
00000020: PUSH4 0x253459e3
00000025: EQ
00000026: PUSH2 0x0111
00000029: JUMPI
0000002a: DUP1
0000002b: PUSH4 0x4229616d
00000030: EQ
00000031: PUSH2 0x0132
00000034: JUMPI
00000035: DUP1
00000036: PUSH4 0x57d4021b
0000003b: EQ
0000003c: PUSH2 0x016d
0000003f: JUMPI
00000040: DUP1
00000041: PUSH4 0x686f2c90
00000046: EQ
00000047: PUSH2 0x01ac
0000004a: JUMPI
0000004b: DUP1
0000004c: PUSH4 0x6fbaaa1e
00000051: EQ
00000052: PUSH2 0x01d8
00000055: JUMPI
00000056: DUP1
00000057: PUSH4 0x8a5fb3ca
0000005c: EQ
0000005d: PUSH2 0x020c
00000060: JUMPI
00000061: DUP1
00000062: PUSH4 0x9dbc4f9b
00000067: EQ
00000068: PUSH2 0x023e
0000006b: JUMPI
0000006c: DUP1
0000006d: PUSH4 0xa26dbf26
00000072: EQ
00000073: PUSH2 0x02cb
00000076: JUMPI
00000077: DUP1
00000078: PUSH4 0xa6f9dae1
0000007d: EQ
0000007e: PUSH2 0x02d3
00000081: JUMPI
00000082: DUP1
00000083: PUSH4 0xb4022950
00000088: EQ
00000089: PUSH2 0x0306
0000008c: JUMPI
0000008d: DUP1
0000008e: PUSH4 0xced92670
00000093: EQ
00000094: PUSH2 0x0344
00000097: JUMPI
00000098: DUP1
00000099: PUSH4 0xd11f13df
0000009e: EQ
0000009f: PUSH2 0x037c
000000a2: JUMPI
000000a3: DUP1
000000a4: PUSH4 0xfae14192
000000a9: EQ
000000aa: PUSH2 0x0389
000000ad: JUMPI
000000ae: JUMPDEST
000000af: PUSH2 0x03b4
000000b2: PUSH2 0x03b6
000000b5: PUSH1 0x00
000000b7: PUSH8 0x0de0b6b3a7640000
000000c0: CALLVALUE
000000c1: LT
000000c2: ISZERO
000000c3: PUSH2 0x0453
000000c6: JUMPI
000000c7: PUSH1 0x01
000000c9: DUP1
000000ca: SLOAD
000000cb: CALLVALUE
000000cc: ADD
000000cd: SWAP1
000000ce: SSTORE
000000cf: JUMPDEST
000000d0: POP
000000d1: JUMP
000000d2: JUMPDEST
000000d3: PUSH1 0x40
000000d5: DUP1
000000d6: MLOAD
000000d7: PUSH1 0x20
000000d9: DUP2
000000da: DUP2
000000db: ADD
000000dc: DUP4
000000dd: MSTORE
000000de: PUSH1 0x00
000000e0: DUP1
000000e1: DUP4
000000e2: MSTORE
000000e3: DUP4
000000e4: MLOAD
000000e5: SWAP1
000000e6: SLOAD
000000e7: PUSH2 0x0100
000000ea: DUP3
000000eb: ADD
000000ec: SWAP1
000000ed: SWAP5
000000ee: MSTORE
000000ef: PUSH1 0xca
000000f1: DUP1
000000f2: DUP3
000000f3: MSTORE
000000f4: PUSH2 0x03b8
000000f7: SWAP5
000000f8: PUSH8 0x0de0b6b3a7640000
00000101: SWAP1
00000102: DIV
00000103: SWAP4
00000104: SWAP3
00000105: PUSH2 0x07b0
00000108: SWAP1
00000109: DUP4
0000010a: ADD
0000010b: CODECOPY
0000010c: SWAP1
0000010d: POP
0000010e: SWAP1
0000010f: SWAP2
00000110: JUMP
00000111: JUMPDEST
00000112: PUSH1 0x01
00000114: SLOAD
00000115: PUSH8 0x0de0b6b3a7640000
0000011e: SWAP1
0000011f: DIV
00000120: JUMPDEST
00000121: PUSH1 0x40
00000123: DUP1
00000124: MLOAD
00000125: SWAP2
00000126: DUP3
00000127: MSTORE
00000128: MLOAD
00000129: SWAP1
0000012a: DUP2
0000012b: SWAP1
0000012c: SUB
0000012d: PUSH1 0x20
0000012f: ADD
00000130: SWAP1
00000131: RETURN
00000132: JUMPDEST
00000133: PUSH2 0x03b4
00000136: PUSH1 0x04
00000138: CALLDATALOAD
00000139: PUSH1 0x05
0000013b: SLOAD
0000013c: PUSH1 0x00
0000013e: SWAP1
0000013f: PUSH1 0x01
00000141: PUSH1 0xa0
00000143: PUSH1 0x02
00000145: EXP
00000146: SUB
00000147: SWAP1
00000148: DUP2
00000149: AND
0000014a: CALLER
0000014b: SWAP1
0000014c: SWAP2
0000014d: AND
0000014e: EQ
0000014f: ISZERO
00000150: PUSH2 0x0573
00000153: JUMPI
00000154: PUSH1 0x01
00000156: SLOAD
00000157: DUP2
00000158: EQ
00000159: DUP1
0000015a: PUSH2 0x0163
0000015d: JUMPI
0000015e: POP
0000015f: PUSH1 0x64
00000161: DUP3
00000162: GT
00000163: JUMPDEST
00000164: ISZERO
00000165: PUSH2 0x0538
00000168: JUMPI
00000169: PUSH2 0x0002
0000016c: JUMP
0000016d: JUMPDEST
0000016e: PUSH2 0x0120
00000171: PUSH1 0x00
00000173: PUSH8 0x0de0b6b3a7640000
0000017c: PUSH1 0x06
0000017e: PUSH1 0x00
00000180: POP
00000181: PUSH1 0x04
00000183: PUSH1 0x00
exec
/bin/bash -lc 'cast disassemble "$(jq -r '"'.artifact.runtime_bytecode.full' BYTECODE_BUNDLE.json)\" | sed -n '220,430p'" in /tmp/codex-l8gojlez
succeeded in 0ms:
00000183: PUSH1 0x00
00000185: POP
00000186: SLOAD
00000187: DUP2
00000188: SLOAD
00000189: DUP2
0000018a: LT
0000018b: ISZERO
0000018c: PUSH2 0x0002
0000018f: JUMPI
00000190: SWAP3
00000191: MSTORE
00000192: PUSH1 0x02
00000194: SWAP2
00000195: SWAP1
00000196: SWAP2
00000197: MUL
00000198: PUSH1 0x00
0000019a: DUP1
0000019b: MLOAD
0000019c: PUSH1 0x20
0000019e: PUSH2 0x0999
000001a1: DUP4
000001a2: CODECOPY
000001a3: DUP2
000001a4: MLOAD
000001a5: SWAP2
000001a6: MSTORE
000001a7: ADD
000001a8: SLOAD
000001a9: DIV
000001aa: SWAP1
000001ab: JUMP
000001ac: JUMPDEST
000001ad: PUSH2 0x03b4
000001b0: JUMPDEST
000001b1: PUSH1 0x05
000001b3: SLOAD
000001b4: PUSH1 0x01
000001b6: PUSH1 0xa0
000001b8: PUSH1 0x02
000001ba: EXP
000001bb: SUB
000001bc: SWAP1
000001bd: DUP2
000001be: AND
000001bf: CALLER
000001c0: SWAP1
000001c1: SWAP2
000001c2: AND
000001c3: EQ
000001c4: ISZERO
000001c5: PUSH2 0x03b6
000001c8: JUMPI
000001c9: PUSH1 0x01
000001cb: SLOAD
000001cc: PUSH1 0x00
000001ce: EQ
000001cf: ISZERO
000001d0: PUSH2 0x04cd
000001d3: JUMPI
000001d4: PUSH2 0x0002
000001d7: JUMP
000001d8: JUMPDEST
000001d9: PUSH2 0x03b8
000001dc: PUSH1 0x40
000001de: DUP1
000001df: MLOAD
000001e0: PUSH1 0x20
000001e2: DUP2
000001e3: DUP2
000001e4: ADD
000001e5: DUP4
000001e6: MSTORE
000001e7: PUSH1 0x00
000001e9: DUP3
000001ea: MSTORE
000001eb: DUP3
000001ec: MLOAD
000001ed: PUSH1 0x03
000001ef: SLOAD
000001f0: PUSH2 0x0140
000001f3: DUP3
000001f4: ADD
000001f5: SWAP1
000001f6: SWAP5
000001f7: MSTORE
000001f8: PUSH2 0x011f
000001fb: DUP1
000001fc: DUP3
000001fd: MSTORE
000001fe: SWAP1
000001ff: SWAP2
00000200: PUSH2 0x087a
00000203: SWAP1
00000204: DUP4
00000205: ADD
00000206: CODECOPY
00000207: SWAP1
00000208: POP
00000209: SWAP1
0000020a: SWAP2
0000020b: JUMP
0000020c: JUMPDEST
0000020d: PUSH2 0x03b8
00000210: PUSH1 0x40
00000212: DUP1
00000213: MLOAD
00000214: PUSH1 0x20
00000216: DUP2
00000217: DUP2
00000218: ADD
00000219: DUP4
0000021a: MSTORE
0000021b: PUSH1 0x00
0000021d: DUP3
0000021e: MSTORE
0000021f: DUP3
00000220: MLOAD
00000221: PUSH1 0x02
00000223: SLOAD
00000224: PUSH1 0xc0
00000226: DUP3
00000227: ADD
00000228: SWAP1
00000229: SWAP5
0000022a: MSTORE
0000022b: PUSH1 0x84
0000022d: DUP1
0000022e: DUP3
0000022f: MSTORE
00000230: SWAP1
00000231: SWAP2
00000232: PUSH2 0x072c
00000235: SWAP1
00000236: DUP4
00000237: ADD
00000238: CODECOPY
00000239: SWAP1
0000023a: POP
0000023b: SWAP1
0000023c: SWAP2
0000023d: JUMP
0000023e: JUMPDEST
0000023f: PUSH2 0x042d
00000242: PUSH1 0x04
00000244: CALLDATALOAD
00000245: PUSH1 0x06
00000247: SLOAD
00000248: PUSH1 0x00
0000024a: SWAP1
0000024b: DUP2
0000024c: SWAP1
0000024d: DUP4
0000024e: GT
0000024f: PUSH2 0x02c6
00000252: JUMPI
00000253: PUSH1 0x06
00000255: DUP1
00000256: SLOAD
00000257: DUP5
00000258: SWAP1
00000259: DUP2
0000025a: LT
0000025b: ISZERO
0000025c: PUSH2 0x0002
0000025f: JUMPI
00000260: POP
00000261: DUP1
00000262: SLOAD
00000263: DUP2
00000264: DUP4
00000265: MSTORE
00000266: PUSH1 0x02
00000268: DUP6
00000269: MUL
0000026a: PUSH32 0xf652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d3f
0000028b: ADD
0000028c: SLOAD
0000028d: PUSH1 0x01
0000028f: PUSH1 0xa0
00000291: PUSH1 0x02
00000293: EXP
00000294: SUB
00000295: AND
00000296: SWAP4
00000297: POP
00000298: PUSH8 0x0de0b6b3a7640000
000002a1: SWAP2
000002a2: SWAP1
000002a3: DUP6
000002a4: SWAP1
000002a5: DUP2
000002a6: LT
000002a7: ISZERO
000002a8: PUSH2 0x0002
000002ab: JUMPI
000002ac: POP
000002ad: POP
000002ae: PUSH1 0x02
000002b0: DUP5
000002b1: MUL
000002b2: PUSH1 0x00
000002b4: DUP1
000002b5: MLOAD
000002b6: PUSH1 0x20
000002b8: PUSH2 0x0999
000002bb: DUP4
000002bc: CODECOPY
000002bd: DUP2
000002be: MLOAD
exec
/bin/bash -lc 'cast disassemble "$(jq -r '"'.artifact.runtime_bytecode.full' BYTECODE_BUNDLE.json)\" | sed -n '430,620p'" in /tmp/codex-l8gojlez
succeeded in 0ms:
000002be: MLOAD
000002bf: SWAP2
000002c0: MSTORE
000002c1: ADD
000002c2: SLOAD
000002c3: DIV
000002c4: SWAP1
000002c5: POP
000002c6: JUMPDEST
000002c7: SWAP2
000002c8: POP
000002c9: SWAP2
000002ca: JUMP
000002cb: JUMPDEST
000002cc: PUSH1 0x06
000002ce: SLOAD
000002cf: PUSH2 0x0120
000002d2: JUMP
000002d3: JUMPDEST
000002d4: PUSH2 0x03b4
000002d7: PUSH1 0x04
000002d9: CALLDATALOAD
000002da: PUSH1 0x05
000002dc: SLOAD
000002dd: PUSH1 0x01
000002df: PUSH1 0xa0
000002e1: PUSH1 0x02
000002e3: EXP
000002e4: SUB
000002e5: SWAP1
000002e6: DUP2
000002e7: AND
000002e8: CALLER
000002e9: SWAP1
000002ea: SWAP2
000002eb: AND
000002ec: EQ
000002ed: ISZERO
000002ee: PUSH2 0x00cf
000002f1: JUMPI
000002f2: PUSH1 0x05
000002f4: DUP1
000002f5: SLOAD
000002f6: PUSH1 0x01
000002f8: PUSH1 0xa0
000002fa: PUSH1 0x02
000002fc: EXP
000002fd: SUB
000002fe: NOT
000002ff: AND
00000300: DUP3
00000301: OR
00000302: SWAP1
00000303: SSTORE
00000304: POP
00000305: JUMP
00000306: JUMPDEST
00000307: PUSH2 0x03b4
0000030a: PUSH1 0x04
0000030c: CALLDATALOAD
0000030d: PUSH1 0x05
0000030f: SLOAD
00000310: PUSH1 0x01
00000312: PUSH1 0xa0
00000314: PUSH1 0x02
00000316: EXP
00000317: SUB
00000318: SWAP1
00000319: DUP2
0000031a: AND
0000031b: CALLER
0000031c: SWAP1
0000031d: SWAP2
0000031e: AND
0000031f: EQ
00000320: ISZERO
00000321: PUSH2 0x00cf
00000324: JUMPI
00000325: PUSH1 0x01
00000327: SLOAD
00000328: PUSH8 0x0de0b6b3a7640000
00000331: SWAP2
00000332: SWAP1
00000333: SWAP2
00000334: MUL
00000335: SWAP1
00000336: DUP2
00000337: GT
00000338: ISZERO
00000339: PUSH2 0x04f7
0000033c: JUMPI
0000033d: PUSH2 0x04f7
00000340: PUSH2 0x01b0
00000343: JUMP
00000344: JUMPDEST
00000345: PUSH2 0x03b4
00000348: PUSH1 0x04
0000034a: CALLDATALOAD
0000034b: PUSH1 0x05
0000034d: SLOAD
0000034e: PUSH1 0x01
00000350: PUSH1 0xa0
00000352: PUSH1 0x02
00000354: EXP
00000355: SUB
00000356: SWAP1
00000357: DUP2
00000358: AND
00000359: CALLER
0000035a: SWAP1
0000035b: SWAP2
0000035c: AND
0000035d: EQ
0000035e: ISZERO
0000035f: PUSH2 0x00cf
00000362: JUMPI
00000363: PUSH2 0x012c
00000366: DUP2
00000367: GT
00000368: DUP1
00000369: PUSH2 0x0372
0000036c: JUMPI
0000036d: POP
0000036e: PUSH1 0x78
00000370: DUP2
00000371: LT
00000372: JUMPDEST
00000373: ISZERO
00000374: PUSH2 0x0577
00000377: JUMPI
00000378: PUSH2 0x0002
0000037b: JUMP
0000037c: JUMPDEST
0000037d: PUSH1 0x06
0000037f: SLOAD
00000380: PUSH1 0x04
00000382: SLOAD
00000383: SWAP1
00000384: SUB
00000385: PUSH2 0x0120
00000388: JUMP
00000389: JUMPDEST
0000038a: PUSH2 0x03b4
0000038d: PUSH1 0x04
0000038f: CALLDATALOAD
00000390: PUSH1 0x05
00000392: SLOAD
00000393: CALLER
00000394: PUSH1 0x01
00000396: PUSH1 0xa0
00000398: PUSH1 0x02
0000039a: EXP
0000039b: SUB
0000039c: SWAP1
0000039d: DUP2
0000039e: AND
0000039f: SWAP2
000003a0: AND
000003a1: EQ
000003a2: ISZERO
000003a3: PUSH2 0x00cf
000003a6: JUMPI
000003a7: PUSH1 0x0a
000003a9: DUP2
000003aa: GT
000003ab: ISZERO
000003ac: PUSH2 0x057c
000003af: JUMPI
000003b0: PUSH2 0x0002
000003b3: JUMP
000003b4: JUMPDEST
000003b5: STOP
000003b6: JUMPDEST
000003b7: JUMP
000003b8: JUMPDEST
000003b9: PUSH1 0x40
000003bb: MLOAD
000003bc: DUP1
000003bd: DUP4
000003be: DUP2
000003bf: MSTORE
000003c0: PUSH1 0x20
000003c2: ADD
000003c3: DUP1
000003c4: PUSH1 0x20
000003c6: ADD
000003c7: DUP3
000003c8: DUP2
000003c9: SUB
000003ca: DUP3
000003cb: MSTORE
exec
/bin/bash -lc 'cast disassemble "$(jq -r '"'.artifact.runtime_bytecode.full' BYTECODE_BUNDLE.json)\" | sed -n '700,880p'" in /tmp/codex-l8gojlez
succeeded in 0ms:
0000042c: RETURN
0000042d: JUMPDEST
0000042e: PUSH1 0x40
00000430: MLOAD
00000431: DUP1
00000432: DUP4
00000433: PUSH1 0x01
00000435: PUSH1 0xa0
00000437: PUSH1 0x02
00000439: EXP
0000043a: SUB
0000043b: AND
0000043c: DUP2
0000043d: MSTORE
0000043e: PUSH1 0x20
00000440: ADD
00000441: DUP3
00000442: DUP2
00000443: MSTORE
00000444: PUSH1 0x20
00000446: ADD
00000447: SWAP3
00000448: POP
00000449: POP
0000044a: POP
0000044b: PUSH1 0x40
0000044d: MLOAD
0000044e: DUP1
0000044f: SWAP2
00000450: SUB
00000451: SWAP1
00000452: RETURN
00000453: JUMPDEST
00000454: POP
00000455: PUSH1 0x02
00000457: SLOAD
00000458: PUSH9 0x02b5e3af16b1880000
00000462: CALLVALUE
00000463: LT
00000464: PUSH2 0x046c
00000467: JUMPI
00000468: PUSH1 0x02
0000046a: SWAP1
0000046b: DIV
0000046c: JUMPDEST
0000046d: PUSH2 0x00cf
00000470: DUP2
00000471: PUSH1 0x00
00000473: PUSH1 0x06
00000475: PUSH1 0x00
00000477: POP
00000478: DUP1
00000479: SLOAD
0000047a: DUP1
0000047b: PUSH1 0x01
0000047d: ADD
0000047e: DUP3
0000047f: DUP2
00000480: DUP2
00000481: SLOAD
00000482: DUP2
00000483: DUP4
00000484: SSTORE
00000485: DUP2
00000486: DUP2
00000487: ISZERO
00000488: GT
00000489: PUSH2 0x0581
0000048c: JUMPI
0000048d: PUSH1 0x02
0000048f: MUL
00000490: DUP2
00000491: PUSH1 0x02
00000493: MUL
00000494: DUP4
00000495: PUSH1 0x00
00000497: MSTORE
00000498: PUSH1 0x20
0000049a: PUSH1 0x00
0000049c: KECCAK256
0000049d: SWAP2
0000049e: DUP3
0000049f: ADD
000004a0: SWAP2
000004a1: ADD
000004a2: PUSH2 0x0581
000004a5: SWAP2
000004a6: SWAP1
000004a7: JUMPDEST
000004a8: DUP1
000004a9: DUP3
000004aa: GT
000004ab: ISZERO
000004ac: PUSH2 0x05e5
000004af: JUMPI
000004b0: DUP1
000004b1: SLOAD
000004b2: PUSH1 0x01
000004b4: PUSH1 0xa0
000004b6: PUSH1 0x02
000004b8: EXP
000004b9: SUB
000004ba: NOT
000004bb: AND
000004bc: DUP2
000004bd: SSTORE
000004be: PUSH1 0x00
000004c0: PUSH1 0x01
000004c2: SWAP2
000004c3: SWAP1
000004c4: SWAP2
000004c5: ADD
000004c6: SWAP1
000004c7: DUP2
000004c8: SSTORE
000004c9: PUSH2 0x04a7
000004cc: JUMP
000004cd: JUMPDEST
000004ce: PUSH1 0x01
000004d0: SLOAD
000004d1: PUSH1 0x05
000004d3: SLOAD
000004d4: PUSH1 0x40
000004d6: MLOAD
000004d7: PUSH1 0x01
000004d9: PUSH1 0xa0
000004db: PUSH1 0x02
000004dd: EXP
000004de: SUB
000004df: SWAP2
000004e0: SWAP1
000004e1: SWAP2
000004e2: AND
000004e3: SWAP2
000004e4: PUSH1 0x00
000004e6: SWAP2
000004e7: DUP3
000004e8: DUP2
000004e9: DUP2
000004ea: DUP2
000004eb: DUP6
000004ec: DUP9
000004ed: DUP4
000004ee: CALL
000004ef: POP
000004f0: POP
000004f1: POP
000004f2: PUSH1 0x01
000004f4: SSTORE
000004f5: POP
000004f6: JUMP
000004f7: JUMPDEST
000004f8: PUSH1 0x01
000004fa: SLOAD
000004fb: PUSH1 0x00
000004fd: EQ
000004fe: ISZERO
000004ff: PUSH2 0x0507
00000502: JUMPI
00000503: PUSH2 0x0002
00000506: JUMP
00000507: JUMPDEST
00000508: PUSH1 0x05
0000050a: SLOAD
0000050b: PUSH1 0x40
0000050d: MLOAD
0000050e: PUSH1 0x01
00000510: PUSH1 0xa0
00000512: PUSH1 0x02
00000514: EXP
00000515: SUB
00000516: SWAP2
00000517: SWAP1
00000518: SWAP2
00000519: AND
0000051a: SWAP1
0000051b: PUSH1 0x00
0000051d: SWAP1
0000051e: DUP4
0000051f: SWAP1
00000520: DUP3
exec
/bin/bash -lc 'cast disassemble "$(jq -r '"'.artifact.runtime_bytecode.full' BYTECODE_BUNDLE.json)\" | sed -n '880,1020p'" in /tmp/codex-l8gojlez
succeeded in 0ms:
00000520: DUP3
00000521: DUP2
00000522: DUP2
00000523: DUP2
00000524: DUP6
00000525: DUP9
00000526: DUP4
00000527: CALL
00000528: POP
00000529: POP
0000052a: PUSH1 0x01
0000052c: DUP1
0000052d: SLOAD
0000052e: SWAP2
0000052f: SWAP1
00000530: SWAP2
00000531: SUB
00000532: SWAP1
00000533: SSTORE
00000534: POP
00000535: POP
00000536: POP
00000537: JUMP
00000538: JUMPDEST
00000539: POP
0000053a: PUSH1 0x01
0000053c: SLOAD
0000053d: PUSH1 0x05
0000053f: SLOAD
00000540: PUSH1 0x40
00000542: MLOAD
00000543: PUSH1 0x64
00000545: SWAP1
00000546: SWAP3
00000547: DIV
00000548: DUP4
00000549: MUL
0000054a: SWAP2
0000054b: PUSH1 0x01
0000054d: PUSH1 0xa0
0000054f: PUSH1 0x02
00000551: EXP
00000552: SUB
00000553: SWAP2
00000554: SWAP1
00000555: SWAP2
00000556: AND
00000557: SWAP1
00000558: PUSH1 0x00
0000055a: SWAP1
0000055b: DUP4
0000055c: SWAP1
0000055d: DUP3
0000055e: DUP2
0000055f: DUP2
00000560: DUP2
00000561: DUP6
00000562: DUP9
00000563: DUP4
00000564: CALL
00000565: POP
00000566: POP
00000567: PUSH1 0x01
00000569: DUP1
0000056a: SLOAD
0000056b: SWAP2
0000056c: SWAP1
0000056d: SWAP2
0000056e: SUB
0000056f: SWAP1
00000570: SSTORE
00000571: POP
00000572: POP
00000573: JUMPDEST
00000574: POP
00000575: POP
00000576: JUMP
00000577: JUMPDEST
00000578: PUSH1 0x03
0000057a: SSTORE
0000057b: JUMP
0000057c: JUMPDEST
0000057d: PUSH1 0x02
0000057f: SSTORE
00000580: JUMP
00000581: JUMPDEST
00000582: POP
00000583: POP
00000584: POP
00000585: SWAP2
00000586: SWAP1
00000587: SWAP1
00000588: PUSH1 0x00
0000058a: MSTORE
0000058b: PUSH1 0x20
0000058d: PUSH1 0x00
0000058f: KECCAK256
00000590: SWAP1
00000591: PUSH1 0x02
00000593: MUL
00000594: ADD
00000595: PUSH1 0x00
00000597: POP
00000598: PUSH1 0x40
0000059a: DUP1
0000059b: MLOAD
0000059c: DUP1
0000059d: DUP3
0000059e: ADD
0000059f: SWAP1
000005a0: SWAP2
000005a1: MSTORE
000005a2: CALLER
000005a3: DUP1
000005a4: DUP3
000005a5: MSTORE
000005a6: PUSH1 0x03
000005a8: SLOAD
000005a9: PUSH1 0x64
000005ab: CALLVALUE
000005ac: SWAP2
000005ad: SWAP1
000005ae: SWAP2
000005af: MUL
000005b0: DIV
000005b1: PUSH1 0x20
000005b3: SWAP3
000005b4: SWAP1
000005b5: SWAP3
000005b6: ADD
000005b7: DUP3
000005b8: SWAP1
000005b9: MSTORE
000005ba: DUP3
000005bb: SLOAD
000005bc: PUSH1 0x01
000005be: PUSH1 0xa0
000005c0: PUSH1 0x02
000005c2: EXP
000005c3: SUB
000005c4: NOT
exec
/bin/bash -lc 'cast disassemble "$(jq -r '"'.artifact.runtime_bytecode.full' BYTECODE_BUNDLE.json)\" | sed -n '1020,1175p'" in /tmp/codex-l8gojlez
succeeded in 0ms:
000005c4: NOT
000005c5: AND
000005c6: OR
000005c7: DUP3
000005c8: SSTORE
000005c9: PUSH1 0x01
000005cb: SWAP2
000005cc: SWAP1
000005cd: SWAP2
000005ce: ADD
000005cf: SSTORE
000005d0: POP
000005d1: PUSH1 0x06
000005d3: SLOAD
000005d4: PUSH1 0x0a
000005d6: EQ
000005d7: ISZERO
000005d8: PUSH2 0x05e9
000005db: JUMPI
000005dc: PUSH1 0xc8
000005de: PUSH1 0x03
000005e0: SSTORE
000005e1: PUSH2 0x05fa
000005e4: JUMP
000005e5: JUMPDEST
000005e6: POP
000005e7: SWAP1
000005e8: JUMP
000005e9: JUMPDEST
000005ea: PUSH1 0x06
000005ec: SLOAD
000005ed: PUSH1 0x19
000005ef: EQ
000005f0: ISZERO
000005f1: PUSH2 0x05fa
000005f4: JUMPI
000005f5: PUSH1 0x96
000005f7: PUSH1 0x03
000005f9: SSTORE
000005fa: JUMPDEST
000005fb: PUSH1 0x00
000005fd: DUP1
000005fe: SLOAD
000005ff: PUSH1 0x64
00000601: DUP5
00000602: DUP2
00000603: SUB
00000604: CALLVALUE
00000605: SWAP1
00000606: DUP2
00000607: MUL
00000608: DUP3
00000609: SWAP1
0000060a: DIV
0000060b: SWAP1
0000060c: SWAP3
0000060d: ADD
0000060e: SWAP1
0000060f: SWAP3
00000610: SSTORE
00000611: PUSH1 0x01
00000613: DUP1
00000614: SLOAD
00000615: SWAP2
00000616: DUP6
00000617: MUL
00000618: SWAP3
00000619: SWAP1
0000061a: SWAP3
0000061b: DIV
0000061c: ADD
0000061d: SWAP1
0000061e: SSTORE
0000061f: JUMPDEST
00000620: PUSH1 0x04
00000622: SLOAD
00000623: PUSH1 0x06
00000625: DUP1
00000626: SLOAD
00000627: SWAP1
00000628: SWAP2
00000629: SWAP1
0000062a: DUP2
0000062b: LT
0000062c: ISZERO
0000062d: PUSH2 0x0002
00000630: JUMPI
00000631: PUSH1 0x00
00000633: SWAP2
00000634: DUP3
00000635: MSTORE
00000636: PUSH1 0x02
00000638: MUL
00000639: PUSH32 0xf652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d3f
0000065a: ADD
0000065b: SWAP1
0000065c: POP
0000065d: PUSH1 0x01
0000065f: ADD
00000660: SLOAD
00000661: PUSH1 0x00
00000663: SLOAD
00000664: GT
00000665: ISZERO
00000666: PUSH2 0x0573
00000669: JUMPI
0000066a: PUSH1 0x04
0000066c: SLOAD
0000066d: PUSH1 0x06
0000066f: DUP1
00000670: SLOAD
00000671: SWAP1
00000672: SWAP2
00000673: SWAP1
00000674: DUP2
00000675: LT
00000676: ISZERO
00000677: PUSH2 0x0002
0000067a: JUMPI
0000067b: PUSH1 0x02
0000067d: MUL
0000067e: PUSH1 0x00
00000680: DUP1
00000681: MLOAD
00000682: PUSH1 0x20
00000684: PUSH2 0x0999
00000687: DUP4
00000688: CODECOPY
00000689: DUP2
0000068a: MLOAD
0000068b: SWAP2
0000068c: MSTORE
0000068d: ADD
0000068e: SLOAD
0000068f: PUSH1 0x04
00000691: SLOAD
00000692: DUP3
00000693: SLOAD
00000694: SWAP2
00000695: SWAP4
00000696: POP
00000697: SWAP1
00000698: DUP2
00000699: LT
0000069a: ISZERO
0000069b: PUSH2 0x0002
0000069e: JUMPI
0000069f: PUSH1 0x02
000006a1: MUL
000006a2: PUSH32 0xf652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d3f
000006c3: ADD
000006c4: SLOAD
000006c5: PUSH1 0x40
000006c7: MLOAD
000006c8: PUSH1 0x01
000006ca: PUSH1 0xa0
exec
/bin/bash -lc 'cast disassemble "$(jq -r '"'.artifact.runtime_bytecode.full' BYTECODE_BUNDLE.json)\" | sed -n '1235,1325p'" in /tmp/codex-l8gojlez
succeeded in 0ms:
00000715: DUP2
00000716: MLOAD
00000717: SWAP2
00000718: MSTORE
00000719: ADD
0000071a: SLOAD
0000071b: SWAP1
0000071c: SUB
0000071d: SWAP1
0000071e: SSTORE
0000071f: PUSH1 0x04
00000721: DUP1
00000722: SLOAD
00000723: PUSH1 0x01
00000725: ADD
00000726: SWAP1
00000727: SSTORE
00000728: PUSH2 0x061f
0000072b: JUMP
0000072c: MSTORE8
0000072d: PUSH9 0x6f776e20696e202520
00000737: PUSH7 0x6f726d2e204665
0000073f: PUSH6 0x206973206861
00000746: PUSH13 0x766564283530252920666f7220
00000754: PUSH2 0x6d6f
00000757: PUSH22 0x6e747320657175616c206f7220677265617465722074
0000076e: PUSH9 0x616e20353020657468
00000778: PUSH6 0x72732e202846
0000077f: PUSH6 0x65206d617920
00000786: PUSH4 0x68616e67
0000078b: PUSH6 0x2c2062757420
00000792: PUSH10 0x73206361707065642074
0000079d: PUSH16 0x2061206d6178696d756d206f66203130
000007ae: UNKNOWN(0x25)
000007af: UNKNOWN(0x29)
000007b0: COINBASE
000007b1: PUSH13 0x6c2062616c616e63652076616c
000007bf: PUSH22 0x657320617265206d6561737572656420696e20457468
000007d6: PUSH6 0x72732c206e6f
000007dd: PUSH21 0x6520746861742064756520746f206e6f2064656369
000007f3: PUSH14 0x616c20706c6163696e672c207468
00000802: PUSH6 0x73652076616c
00000809: PUSH22 0x65732073686f7720757020617320696e746567657273
00000820: KECCAK256
00000821: PUSH16 0x6e6c792c2077697468696e2074686520
00000832: PUSH4 0x6f6e7472
00000837: PUSH2 0x6374
0000083a: KECCAK256
0000083b: PUSH10 0x7473656c6620796f7520
00000846: PUSH24 0x696c6c206765742074686520657861637420646563696d61
0000085f: PUSH13 0x2076616c756520796f75206172
0000086d: PUSH6 0x20737570706f
00000874: PUSH20 0x656420746f54686973206d756c7469706c696572
00000889: KECCAK256
0000088a: PUSH2 0x7070
0000088d: PUSH13 0x69657320746f20796f75206173
0000089b: KECCAK256
0000089c: PUSH20 0x6f6f6e206173207472616e73616374696f6e2069
000008b1: PUSH20 0x2072656365697665642c206d6179206265206c6f
000008c6: PUSH24 0x6572656420746f2068617374656e207061796f757473206f
000008df: PUSH19 0x20696e63726561736564206966207061796f75
000008f3: PUSH21 0x7320617265206661737420656e6f7567682e204475
00000909: PUSH6 0x20746f206e6f
00000910: KECCAK256
00000911: PUSH7 0x6c6f6174206f72
00000919: KECCAK256
0000091a: PUSH5 0x6563696d61
00000920: PUSH13 0x732c206d756c7469706c696572
0000092e: KECCAK256
0000092f: PUSH10 0x73207831303020666f72
0000093a: KECCAK256
0000093b: PUSH2 0x2066
0000093e: PUSH19 0x616374696f6e616c206d756c7469706c696572
00000952: KECCAK256
00000953: PUSH6 0x2e672e203235
0000095a: ADDRESS
0000095b: KECCAK256
0000095c: PUSH10 0x732061637475616c6c79
00000967: KECCAK256
00000968: PUSH2 0x2032
0000096b: UNKNOWN(0x2E)
0000096c: CALLDATALOAD
0000096d: PUSH25 0x206d756c7469706c6965722e20436170706564206174203378
00000987: KECCAK256
00000988: PUSH14 0x617820616e6420312e3278206d69
00000997: PUSH15 0x2ef652222313e28459528d920b6511
000009a7: TLOAD
000009a8: AND
000009a9: UNKNOWN(0xC0)
000009aa: UNKNOWN(0x4F)
000009ab: RETURNDATACOPY
I read the bundle, disassembled the relevant bytecode regions, and narrowed the issues to one strong reentrancy/accounting risk in the payable payout loop plus unchecked low-level ETH sends that mutate storage regardless of success.
✓ Inspect BYTECODE_BUNDLE.json and identify contract architecture, entrypoints, and detector evidence
✓ Assess high-signal risks from bytecode evidence with conservative severity
→ Produce JSON findings matching the required schema
codex
{"no_findings":false,"summary":"Bytecode-only review found a high-confidence reentrancy/accounting issue in the payable payout loop and a separate unchecked-CALL accounting risk. Selector names are unknown, so the conclusions below are based on control flow, storage usage, and the bundled detector evidence rather than verified source semantics.","findings":[{"severity":"high","category":"reentrancy","title":"Payout loop performs external ETH send before advancing queue/accounting state","exploit_scenario":"A participant can register a contract address as the payout recipient. When the contract later reaches that recipient in the payable/fallback-driven payout loop, the low-level CALL at pc:0x6e2 transfers ETH before the current payout record is finalized. The recipient contract can reenter the payable entry path during its fallback and execute against stale queue/balance state, potentially receiving multiple payouts or corrupting payout progression before pc:0x71e/pc:0x727 run.","recommendation":"Apply checks-effects-interactions in the payout path: update the owed amount / cursor before any external CALL, add a reentrancy guard around the payable entrypoint and payout routine, and prefer pull-based withdrawals over push payments.","evidence":"From bytecode only: the payable receive/fallback path jumps into the deposit/payout routine at pc:0x0453. That routine eventually loads a recipient from keccak-derived storage and issues a value-bearing CALL at pc:0x06e2. No guard was detected in the artifact. State changes appear after the external call: pc:0x071a..0x071e subtracts stored value and pc:0x0720..0x0727 increments the queue cursor in slot 0x04. Because authoritative state is updated after the CALL, reentrancy is plausible. This is reinforced by the detector bundle marking reachable untrusted CALLs with nonzero value and no detected guards.","locations":["pc:0x453","pc:0x6e2","pc:0x71e","pc:0x727"]},{"severity":"medium","category":"other","title":"Unchecked low-level ETH sends can silently desynchronize internal accounting from actual transfers","exploit_scenario":"If a payout target or the owner-like address stored in slot 0x05 is a contract that rejects ETH, runs out of gas, or otherwise returns failure, the CALL returns 0 but the contract continues execution. Internal balances/counters can still be decremented or advanced, leaving the queue or fee accounting inconsistent with real ETH movement and potentially causing skipped payouts or insolvency-like state.","recommendation":"Check the boolean result of each low-level CALL and revert on failure, or record failed sends as claimable credit that the recipient can withdraw later. Do not mutate accounting state unless the transfer succeeded.","evidence":"The value-bearing CALL sites at pc:0x04ee, pc:0x0527, pc:0x0564, and pc:0x06e2 all POP the success flag instead of branching on it. The bundled callsite evidence reports `returndata_checked: null` for the CALL examples. One CALL site at pc:0x03f4 appears to be a precompile/helper pattern and is excluded from this claim. At pc:0x052a..0x0533 and pc:0x0567..0x0570 storage slot 0x01 is updated after the CALL regardless of success, and after pc:0x06e2 the routine proceeds into post-payment accounting/cursor updates at pc:0x071a..0x0727 without any visible success check. Exact variable names are unknown from bytecode, but the bookkeeping-after-unchecked-call pattern is clear.","locations":["pc:0x4ee","pc:0x527","pc:0x564","pc:0x6e2"]}]}
tokens used
68,671
{
"codex": {
"ran_at": "2026-04-05T05:13:09.488028+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 4980,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "Bytecode-only review found a high-confidence reentrancy/accounting issue in the payable payout loop and a separate unchecked-CALL accounting risk. Selector names are unknown, so the conclusions below are based on control flow, storage usage, and the bundled detector evidence rather than verified source semantics.",
"raw_final": {
"summary": "Bytecode-only review found a high-confidence reentrancy/accounting issue in the payable payout loop and a separate unchecked-CALL accounting risk. Selector names are unknown, so the conclusions below are based on control flow, storage usage, and the bundled detector evidence rather than verified source semantics.",
"findings": [
{
"title": "Payout loop performs external ETH send before advancing queue/accounting state",
"category": "reentrancy",
"evidence": "From bytecode only: the payable receive/fallback path jumps into the deposit/payout routine at pc:0x0453. That routine eventually loads a recipient from keccak-derived storage and issues a value-bearing CALL at pc:0x06e2. No guard was detected in the artifact. State changes appear after the external call: pc:0x071a..0x071e subtracts stored value and pc:0x0720..0x0727 increments the queue cursor in slot 0x04. Because authoritative state is updated after the CALL, reentrancy is plausible. This is reinforced by the detector bundle marking reachable untrusted CALLs with nonzero value and no detected guards.",
"severity": "high",
"locations": [
"pc:0x453",
"pc:0x6e2",
"pc:0x71e",
"pc:0x727"
],
"recommendation": "Apply checks-effects-interactions in the payout path: update the owed amount / cursor before any external CALL, add a reentrancy guard around the payable entrypoint and payout routine, and prefer pull-based withdrawals over push payments.",
"exploit_scenario": "A participant can register a contract address as the payout recipient. When the contract later reaches that recipient in the payable/fallback-driven payout loop, the low-level CALL at pc:0x6e2 transfers ETH before the current payout record is finalized. The recipient contract can reenter the payable entry path during its fallback and execute against stale queue/balance state, potentially receiving multiple payouts or corrupting payout progression before pc:0x71e/pc:0x727 run."
},
{
"title": "Unchecked low-level ETH sends can silently desynchronize internal accounting from actual transfers",
"category": "other",
"evidence": "The value-bearing CALL sites at pc:0x04ee, pc:0x0527, pc:0x0564, and pc:0x06e2 all POP the success flag instead of branching on it. The bundled callsite evidence reports `returndata_checked: null` for the CALL examples. One CALL site at pc:0x03f4 appears to be a precompile/helper pattern and is excluded from this claim. At pc:0x052a..0x0533 and pc:0x0567..0x0570 storage slot 0x01 is updated after the CALL regardless of success, and after pc:0x06e2 the routine proceeds into post-payment accounting/cursor updates at pc:0x071a..0x0727 without any visible success check. Exact variable names are unknown from bytecode, but the bookkeeping-after-unchecked-call pattern is clear.",
"severity": "medium",
"locations": [
"pc:0x4ee",
"pc:0x527",
"pc:0x564",
"pc:0x6e2"
],
"recommendation": "Check the boolean result of each low-level CALL and revert on failure, or record failed sends as claimable credit that the recipient can withdraw later. Do not mutate accounting state unless the transfer succeeded.",
"exploit_scenario": "If a payout target or the owner-like address stored in slot 0x05 is a contract that rejects ETH, runs out of gas, or otherwise returns failure, the CALL returns 0 but the contract continues execution. Internal balances/counters can still be decremented or advanced, leaving the queue or fee accounting inconsistent with real ETH movement and potentially causing skipped payouts or insolvency-like state."
}
],
"no_findings": false
},
"no_findings": false,
"schema_version": 1
}
00000000: PUSH1 0x60 00000002: PUSH1 0x40 00000004: MSTORE 00000005: CALLDATASIZE 00000006: ISZERO 00000007: PUSH2 0x00ae 0000000a: JUMPI 0000000b: PUSH1 0xe0 0000000d: PUSH1 0x02 0000000f: EXP 00000010: PUSH1 0x00 00000012: CALLDATALOAD 00000013: DIV 00000014: PUSH4 0x09dfdc71 00000019: DUP2 0000001a: EQ 0000001b: PUSH2 0x00d2 0000001e: JUMPI 0000001f: DUP1 00000020: PUSH4 0x253459e3 00000025: EQ 00000026: PUSH2 0x0111 00000029: JUMPI 0000002a: DUP1 0000002b: PUSH4 0x4229616d 00000030: EQ 00000031: PUSH2 0x0132 00000034: JUMPI 00000035: DUP1 00000036: PUSH4 0x57d4021b 0000003b: EQ 0000003c: PUSH2 0x016d 0000003f: JUMPI 00000040: DUP1 00000041: PUSH4 0x686f2c90 00000046: EQ 00000047: PUSH2 0x01ac 0000004a: JUMPI 0000004b: DUP1 0000004c: PUSH4 0x6fbaaa1e 00000051: EQ 00000052: PUSH2 0x01d8 00000055: JUMPI 00000056: DUP1 00000057: PUSH4 0x8a5fb3ca 0000005c: EQ 0000005d: PUSH2 0x020c 00000060: JUMPI 00000061: DUP1 00000062: PUSH4 0x9dbc4f9b 00000067: EQ 00000068: PUSH2 0x023e 0000006b: JUMPI 0000006c: DUP1 0000006d: PUSH4 0xa26dbf26 00000072: EQ 00000073: PUSH2 0x02cb 00000076: JUMPI 00000077: DUP1 00000078: PUSH4 0xa6f9dae1 0000007d: EQ 0000007e: PUSH2 0x02d3 00000081: JUMPI 00000082: DUP1 00000083: PUSH4 0xb4022950 00000088: EQ 00000089: PUSH2 0x0306 0000008c: JUMPI 0000008d: DUP1 0000008e: PUSH4 0xced92670 00000093: EQ 00000094: PUSH2 0x0344 00000097: JUMPI 00000098: DUP1 00000099: PUSH4 0xd11f13df 0000009e: EQ 0000009f: PUSH2 0x037c 000000a2: JUMPI 000000a3: DUP1 000000a4: PUSH4 0xfae14192 000000a9: EQ 000000aa: PUSH2 0x0389 000000ad: JUMPI 000000ae: JUMPDEST 000000af: PUSH2 0x03b4 000000b2: PUSH2 0x03b6 000000b5: PUSH1 0x00 000000b7: PUSH8 0x0de0b6b3a7640000 000000c0: CALLVALUE 000000c1: LT 000000c2: ISZERO 000000c3: PUSH2 0x0453 000000c6: JUMPI 000000c7: PUSH1 0x01 000000c9: DUP1 000000ca: SLOAD 000000cb: CALLVALUE 000000cc: ADD 000000cd: SWAP1 000000ce: SSTORE 000000cf: JUMPDEST 000000d0: POP 000000d1: JUMP 000000d2: JUMPDEST 000000d3: PUSH1 0x40 000000d5: DUP1 000000d6: MLOAD 000000d7: PUSH1 0x20 000000d9: DUP2 000000da: DUP2 000000db: ADD 000000dc: DUP4 000000dd: MSTORE 000000de: PUSH1 0x00 000000e0: DUP1 000000e1: DUP4 000000e2: MSTORE 000000e3: DUP4 000000e4: MLOAD 000000e5: SWAP1 000000e6: SLOAD 000000e7: PUSH2 0x0100 000000ea: DUP3 000000eb: ADD 000000ec: SWAP1 000000ed: SWAP5 000000ee: MSTORE 000000ef: PUSH1 0xca 000000f1: DUP1 000000f2: DUP3 000000f3: MSTORE 000000f4: PUSH2 0x03b8 000000f7: SWAP5 000000f8: PUSH8 0x0de0b6b3a7640000 00000101: SWAP1 00000102: DIV 00000103: SWAP4 00000104: SWAP3 00000105: PUSH2 0x07b0 00000108: SWAP1 00000109: DUP4 0000010a: ADD 0000010b: CODECOPY 0000010c: SWAP1 0000010d: POP 0000010e: SWAP1 0000010f: SWAP2 00000110: JUMP 00000111: JUMPDEST 00000112: PUSH1 0x01 00000114: SLOAD 00000115: PUSH8 0x0de0b6b3a7640000 0000011e: SWAP1 0000011f: DIV 00000120: JUMPDEST 00000121: PUSH1 0x40 00000123: DUP1 00000124: MLOAD 00000125: SWAP2 00000126: DUP3 00000127: MSTORE 00000128: MLOAD 00000129: SWAP1 0000012a: DUP2 0000012b: SWAP1 0000012c: SUB 0000012d: PUSH1 0x20 0000012f: ADD 00000130: SWAP1 00000131: RETURN 00000132: JUMPDEST 00000133: PUSH2 0x03b4 00000136: PUSH1 0x04 00000138: CALLDATALOAD 00000139: PUSH1 0x05 0000013b: SLOAD 0000013c: PUSH1 0x00 0000013e: SWAP1 0000013f: PUSH1 0x01 00000141: PUSH1 0xa0 00000143: PUSH1 0x02 00000145: EXP 00000146: SUB 00000147: SWAP1 00000148: DUP2 00000149: AND 0000014a: CALLER 0000014b: SWAP1 0000014c: SWAP2 0000014d: AND 0000014e: EQ 0000014f: ISZERO 00000150: PUSH2 0x0573 00000153: JUMPI 00000154: PUSH1 0x01 00000156: SLOAD 00000157: DUP2 00000158: EQ 00000159: DUP1 0000015a: PUSH2 0x0163 0000015d: JUMPI 0000015e: POP 0000015f: PUSH1 0x64 00000161: DUP3 00000162: GT 00000163: JUMPDEST 00000164: ISZERO 00000165: PUSH2 0x0538 00000168: JUMPI 00000169: PUSH2 0x0002 0000016c: JUMP 0000016d: JUMPDEST 0000016e: PUSH2 0x0120 00000171: PUSH1 0x00 00000173: PUSH8 0x0de0b6b3a7640000 0000017c: PUSH1 0x06 0000017e: PUSH1 0x00 00000180: POP 00000181: PUSH1 0x04 00000183: PUSH1 0x00 00000185: POP 00000186: SLOAD 00000187: DUP2 00000188: SLOAD 00000189: DUP2 0000018a: LT 0000018b: ISZERO 0000018c: PUSH2 0x0002 0000018f: JUMPI 00000190: SWAP3 00000191: MSTORE 00000192: PUSH1 0x02 00000194: SWAP2 00000195: SWAP1 00000196: SWAP2 00000197: MUL 00000198: PUSH1 0x00 0000019a: DUP1 0000019b: MLOAD 0000019c: PUSH1 0x20 0000019e: PUSH2 0x0999 000001a1: DUP4 000001a2: CODECOPY 000001a3: DUP2 000001a4: MLOAD 000001a5: SWAP2 000001a6: MSTORE 000001a7: ADD 000001a8: SLOAD 000001a9: DIV 000001aa: SWAP1 000001ab: JUMP 000001ac: JUMPDEST 000001ad: PUSH2 0x03b4 000001b0: JUMPDEST 000001b1: PUSH1 0x05 000001b3: SLOAD 000001b4: PUSH1 0x01 000001b6: PUSH1 0xa0 000001b8: PUSH1 0x02 000001ba: EXP 000001bb: SUB 000001bc: SWAP1 000001bd: DUP2 000001be: AND 000001bf: CALLER 000001c0: SWAP1 000001c1: SWAP2 000001c2: AND 000001c3: EQ 000001c4: ISZERO 000001c5: PUSH2 0x03b6 000001c8: JUMPI 000001c9: PUSH1 0x01 000001cb: SLOAD 000001cc: PUSH1 0x00 000001ce: EQ 000001cf: ISZERO 000001d0: PUSH2 0x04cd 000001d3: JUMPI 000001d4: PUSH2 0x0002 000001d7: JUMP 000001d8: JUMPDEST 000001d9: PUSH2 0x03b8 000001dc: PUSH1 0x40 000001de: DUP1 000001df: MLOAD 000001e0: PUSH1 0x20 000001e2: DUP2 000001e3: DUP2 000001e4: ADD 000001e5: DUP4 000001e6: MSTORE 000001e7: PUSH1 0x00 000001e9: DUP3 000001ea: MSTORE 000001eb: DUP3 000001ec: MLOAD 000001ed: PUSH1 0x03 000001ef: SLOAD 000001f0: PUSH2 0x0140 000001f3: DUP3 000001f4: ADD 000001f5: SWAP1 000001f6: SWAP5 000001f7: MSTORE 000001f8: PUSH2 0x011f 000001fb: DUP1 000001fc: DUP3 000001fd: MSTORE 000001fe: SWAP1 000001ff: SWAP2 00000200: PUSH2 0x087a 00000203: SWAP1 00000204: DUP4 00000205: ADD 00000206: CODECOPY 00000207: SWAP1 00000208: POP 00000209: SWAP1 0000020a: SWAP2 0000020b: JUMP 0000020c: JUMPDEST 0000020d: PUSH2 0x03b8 00000210: PUSH1 0x40 00000212: DUP1 00000213: MLOAD 00000214: PUSH1 0x20 00000216: DUP2 00000217: DUP2 00000218: ADD 00000219: DUP4 0000021a: MSTORE 0000021b: PUSH1 0x00 0000021d: DUP3 0000021e: MSTORE 0000021f: DUP3 00000220: MLOAD 00000221: PUSH1 0x02 00000223: SLOAD 00000224: PUSH1 0xc0 00000226: DUP3 00000227: ADD 00000228: SWAP1 00000229: SWAP5 0000022a: MSTORE 0000022b: PUSH1 0x84 0000022d: DUP1 0000022e: DUP3 0000022f: MSTORE 00000230: SWAP1 00000231: SWAP2 00000232: PUSH2 0x072c 00000235: SWAP1 00000236: DUP4 00000237: ADD 00000238: CODECOPY 00000239: SWAP1 0000023a: POP 0000023b: SWAP1 0000023c: SWAP2 0000023d: JUMP 0000023e: JUMPDEST 0000023f: PUSH2 0x042d 00000242: PUSH1 0x04 00000244: CALLDATALOAD 00000245: PUSH1 0x06 00000247: SLOAD 00000248: PUSH1 0x00 0000024a: SWAP1 0000024b: DUP2 0000024c: SWAP1 0000024d: DUP4 0000024e: GT 0000024f: PUSH2 0x02c6 00000252: JUMPI 00000253: PUSH1 0x06 00000255: DUP1 00000256: SLOAD 00000257: DUP5 00000258: SWAP1 00000259: DUP2 0000025a: LT 0000025b: ISZERO 0000025c: PUSH2 0x0002 0000025f: JUMPI 00000260: POP 00000261: DUP1 00000262: SLOAD 00000263: DUP2 00000264: DUP4 00000265: MSTORE 00000266: PUSH1 0x02 00000268: DUP6 00000269: MUL 0000026a: PUSH32 0xf652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d3f 0000028b: ADD 0000028c: SLOAD 0000028d: PUSH1 0x01 0000028f: PUSH1 0xa0 00000291: PUSH1 0x02 00000293: EXP 00000294: SUB 00000295: AND 00000296: SWAP4 00000297: POP 00000298: PUSH8 0x0de0b6b3a7640000 000002a1: SWAP2 000002a2: SWAP1 000002a3: DUP6 000002a4: SWAP1 000002a5: DUP2 000002a6: LT 000002a7: ISZERO 000002a8: PUSH2 0x0002 000002ab: JUMPI 000002ac: POP 000002ad: POP 000002ae: PUSH1 0x02 000002b0: DUP5 000002b1: MUL 000002b2: PUSH1 0x00 000002b4: DUP1 000002b5: MLOAD 000002b6: PUSH1 0x20 000002b8: PUSH2 0x0999 000002bb: DUP4 000002bc: CODECOPY 000002bd: DUP2 000002be: MLOAD 000002bf: SWAP2 000002c0: MSTORE 000002c1: ADD 000002c2: SLOAD 000002c3: DIV 000002c4: SWAP1 000002c5: POP 000002c6: JUMPDEST 000002c7: SWAP2 000002c8: POP 000002c9: SWAP2 000002ca: JUMP 000002cb: JUMPDEST 000002cc: PUSH1 0x06 000002ce: SLOAD 000002cf: PUSH2 0x0120 000002d2: JUMP 000002d3: JUMPDEST 000002d4: PUSH2 0x03b4 000002d7: PUSH1 0x04 000002d9: CALLDATALOAD 000002da: PUSH1 0x05 000002dc: SLOAD 000002dd: PUSH1 0x01 000002df: PUSH1 0xa0 000002e1: PUSH1 0x02 000002e3: EXP 000002e4: SUB 000002e5: SWAP1 000002e6: DUP2 000002e7: AND 000002e8: CALLER 000002e9: SWAP1 000002ea: SWAP2 000002eb: AND 000002ec: EQ 000002ed: ISZERO 000002ee: PUSH2 0x00cf 000002f1: JUMPI 000002f2: PUSH1 0x05 000002f4: DUP1 000002f5: SLOAD 000002f6: PUSH1 0x01 000002f8: PUSH1 0xa0 000002fa: PUSH1 0x02 000002fc: EXP 000002fd: SUB 000002fe: NOT 000002ff: AND 00000300: DUP3 00000301: OR 00000302: SWAP1 00000303: SSTORE 00000304: POP 00000305: JUMP 00000306: JUMPDEST 00000307: PUSH2 0x03b4 0000030a: PUSH1 0x04 0000030c: CALLDATALOAD 0000030d: PUSH1 0x05 0000030f: SLOAD 00000310: PUSH1 0x01 00000312: PUSH1 0xa0 00000314: PUSH1 0x02 00000316: EXP 00000317: SUB 00000318: SWAP1 00000319: DUP2 0000031a: AND 0000031b: CALLER 0000031c: SWAP1 0000031d: SWAP2 0000031e: AND 0000031f: EQ 00000320: ISZERO 00000321: PUSH2 0x00cf 00000324: JUMPI 00000325: PUSH1 0x01 00000327: SLOAD 00000328: PUSH8 0x0de0b6b3a7640000 00000331: SWAP2 00000332: SWAP1 00000333: SWAP2 00000334: MUL 00000335: SWAP1 00000336: DUP2 00000337: GT 00000338: ISZERO 00000339: PUSH2 0x04f7 0000033c: JUMPI 0000033d: PUSH2 0x04f7 00000340: PUSH2 0x01b0 00000343: JUMP 00000344: JUMPDEST 00000345: PUSH2 0x03b4 00000348: PUSH1 0x04 0000034a: CALLDATALOAD 0000034b: PUSH1 0x05 0000034d: SLOAD 0000034e: PUSH1 0x01 00000350: PUSH1 0xa0 00000352: PUSH1 0x02 00000354: EXP 00000355: SUB 00000356: SWAP1 00000357: DUP2 00000358: AND 00000359: CALLER 0000035a: SWAP1 0000035b: SWAP2 0000035c: AND 0000035d: EQ 0000035e: ISZERO 0000035f: PUSH2 0x00cf 00000362: JUMPI 00000363: PUSH2 0x012c 00000366: DUP2 00000367: GT 00000368: DUP1 00000369: PUSH2 0x0372 0000036c: JUMPI 0000036d: POP 0000036e: PUSH1 0x78 00000370: DUP2 00000371: LT 00000372: JUMPDEST 00000373: ISZERO 00000374: PUSH2 0x0577 00000377: JUMPI 00000378: PUSH2 0x0002 0000037b: JUMP 0000037c: JUMPDEST 0000037d: PUSH1 0x06 0000037f: SLOAD 00000380: PUSH1 0x04 00000382: SLOAD 00000383: SWAP1 00000384: SUB 00000385: PUSH2 0x0120 00000388: JUMP 00000389: JUMPDEST 0000038a: PUSH2 0x03b4 0000038d: PUSH1 0x04 0000038f: CALLDATALOAD 00000390: PUSH1 0x05 00000392: SLOAD 00000393: CALLER 00000394: PUSH1 0x01 00000396: PUSH1 0xa0 00000398: PUSH1 0x02 0000039a: EXP 0000039b: SUB 0000039c: SWAP1 0000039d: DUP2 0000039e: AND 0000039f: SWAP2 000003a0: AND 000003a1: EQ 000003a2: ISZERO 000003a3: PUSH2 0x00cf 000003a6: JUMPI 000003a7: PUSH1 0x0a 000003a9: DUP2 000003aa: GT 000003ab: ISZERO 000003ac: PUSH2 0x057c 000003af: JUMPI 000003b0: PUSH2 0x0002 000003b3: JUMP 000003b4: JUMPDEST 000003b5: STOP 000003b6: JUMPDEST 000003b7: JUMP 000003b8: JUMPDEST 000003b9: PUSH1 0x40 000003bb: MLOAD 000003bc: DUP1 000003bd: DUP4 000003be: DUP2 000003bf: MSTORE 000003c0: PUSH1 0x20 000003c2: ADD 000003c3: DUP1 000003c4: PUSH1 0x20 000003c6: ADD 000003c7: DUP3 000003c8: DUP2 000003c9: SUB 000003ca: DUP3 000003cb: MSTORE 000003cc: DUP4 000003cd: DUP2 000003ce: DUP2 000003cf: MLOAD 000003d0: DUP2 000003d1: MSTORE 000003d2: PUSH1 0x20 000003d4: ADD 000003d5: SWAP2 000003d6: POP 000003d7: DUP1 000003d8: MLOAD 000003d9: SWAP1 000003da: PUSH1 0x20 000003dc: ADD 000003dd: SWAP1 000003de: DUP1 000003df: DUP4 000003e0: DUP4 000003e1: DUP3 000003e2: SWAP1 000003e3: PUSH1 0x00 000003e5: PUSH1 0x04 000003e7: PUSH1 0x20 000003e9: DUP5 000003ea: PUSH1 0x1f 000003ec: ADD 000003ed: DIV 000003ee: PUSH1 0x0f 000003f0: MUL 000003f1: PUSH1 0x03 000003f3: ADD 000003f4: CALL 000003f5: POP 000003f6: SWAP1 000003f7: POP 000003f8: SWAP1 000003f9: DUP2 000003fa: ADD 000003fb: SWAP1 000003fc: PUSH1 0x1f 000003fe: AND 000003ff: DUP1 00000400: ISZERO 00000401: PUSH2 0x041e 00000404: JUMPI 00000405: DUP1 00000406: DUP3 00000407: SUB 00000408: DUP1 00000409: MLOAD 0000040a: PUSH1 0x01 0000040c: DUP4 0000040d: PUSH1 0x20 0000040f: SUB 00000410: PUSH2 0x0100 00000413: EXP 00000414: SUB 00000415: NOT 00000416: AND 00000417: DUP2 00000418: MSTORE 00000419: PUSH1 0x20 0000041b: ADD 0000041c: SWAP2 0000041d: POP 0000041e: JUMPDEST 0000041f: POP 00000420: SWAP4 00000421: POP 00000422: POP 00000423: POP 00000424: POP 00000425: PUSH1 0x40 00000427: MLOAD 00000428: DUP1 00000429: SWAP2 0000042a: SUB 0000042b: SWAP1 0000042c: RETURN 0000042d: JUMPDEST 0000042e: PUSH1 0x40 00000430: MLOAD 00000431: DUP1 00000432: DUP4 00000433: PUSH1 0x01 00000435: PUSH1 0xa0 00000437: PUSH1 0x02 00000439: EXP 0000043a: SUB 0000043b: AND 0000043c: DUP2 0000043d: MSTORE 0000043e: PUSH1 0x20 00000440: ADD 00000441: DUP3 00000442: DUP2 00000443: MSTORE 00000444: PUSH1 0x20 00000446: ADD 00000447: SWAP3 00000448: POP 00000449: POP 0000044a: POP 0000044b: PUSH1 0x40 0000044d: MLOAD 0000044e: DUP1 0000044f: SWAP2 00000450: SUB 00000451: SWAP1 00000452: RETURN 00000453: JUMPDEST 00000454: POP 00000455: PUSH1 0x02 00000457: SLOAD 00000458: PUSH9 0x02b5e3af16b1880000 00000462: CALLVALUE 00000463: LT 00000464: PUSH2 0x046c 00000467: JUMPI 00000468: PUSH1 0x02 0000046a: SWAP1 0000046b: DIV 0000046c: JUMPDEST 0000046d: PUSH2 0x00cf 00000470: DUP2 00000471: PUSH1 0x00 00000473: PUSH1 0x06 00000475: PUSH1 0x00 00000477: POP 00000478: DUP1 00000479: SLOAD 0000047a: DUP1 0000047b: PUSH1 0x01 0000047d: ADD 0000047e: DUP3 0000047f: DUP2 00000480: DUP2 00000481: SLOAD 00000482: DUP2 00000483: DUP4 00000484: SSTORE 00000485: DUP2 00000486: DUP2 00000487: ISZERO 00000488: GT 00000489: PUSH2 0x0581 0000048c: JUMPI 0000048d: PUSH1 0x02 0000048f: MUL 00000490: DUP2 00000491: PUSH1 0x02 00000493: MUL 00000494: DUP4 00000495: PUSH1 0x00 00000497: MSTORE 00000498: PUSH1 0x20 0000049a: PUSH1 0x00 0000049c: KECCAK256 0000049d: SWAP2 0000049e: DUP3 0000049f: ADD 000004a0: SWAP2 000004a1: ADD 000004a2: PUSH2 0x0581 000004a5: SWAP2 000004a6: SWAP1 000004a7: JUMPDEST 000004a8: DUP1 000004a9: DUP3 000004aa: GT 000004ab: ISZERO 000004ac: PUSH2 0x05e5 000004af: JUMPI 000004b0: DUP1 000004b1: SLOAD 000004b2: PUSH1 0x01 000004b4: PUSH1 0xa0 000004b6: PUSH1 0x02 000004b8: EXP 000004b9: SUB 000004ba: NOT 000004bb: AND 000004bc: DUP2 000004bd: SSTORE 000004be: PUSH1 0x00 000004c0: PUSH1 0x01 000004c2: SWAP2 000004c3: SWAP1 000004c4: SWAP2 000004c5: ADD 000004c6: SWAP1 000004c7: DUP2 000004c8: SSTORE 000004c9: PUSH2 0x04a7 000004cc: JUMP 000004cd: JUMPDEST 000004ce: PUSH1 0x01 000004d0: SLOAD 000004d1: PUSH1 0x05 000004d3: SLOAD 000004d4: PUSH1 0x40 000004d6: MLOAD 000004d7: PUSH1 0x01 000004d9: PUSH1 0xa0 000004db: PUSH1 0x02 000004dd: EXP 000004de: SUB 000004df: SWAP2 000004e0: SWAP1 000004e1: SWAP2 000004e2: AND 000004e3: SWAP2 000004e4: PUSH1 0x00 000004e6: SWAP2 000004e7: DUP3 000004e8: DUP2 000004e9: DUP2 000004ea: DUP2 000004eb: DUP6 000004ec: DUP9 000004ed: DUP4 000004ee: CALL 000004ef: POP 000004f0: POP 000004f1: POP 000004f2: PUSH1 0x01 000004f4: SSTORE 000004f5: POP 000004f6: JUMP 000004f7: JUMPDEST 000004f8: PUSH1 0x01 000004fa: SLOAD 000004fb: PUSH1 0x00 000004fd: EQ 000004fe: ISZERO 000004ff: PUSH2 0x0507 00000502: JUMPI 00000503: PUSH2 0x0002 00000506: JUMP 00000507: JUMPDEST 00000508: PUSH1 0x05 0000050a: SLOAD 0000050b: PUSH1 0x40 0000050d: MLOAD 0000050e: PUSH1 0x01 00000510: PUSH1 0xa0 00000512: PUSH1 0x02 00000514: EXP 00000515: SUB 00000516: SWAP2 00000517: SWAP1 00000518: SWAP2 00000519: AND 0000051a: SWAP1 0000051b: PUSH1 0x00 0000051d: SWAP1 0000051e: DUP4 0000051f: SWAP1 00000520: DUP3 00000521: DUP2 00000522: DUP2 00000523: DUP2 00000524: DUP6 00000525: DUP9 00000526: DUP4 00000527: CALL 00000528: POP 00000529: POP 0000052a: PUSH1 0x01 0000052c: DUP1 0000052d: SLOAD 0000052e: SWAP2 0000052f: SWAP1 00000530: SWAP2 00000531: SUB 00000532: SWAP1 00000533: SSTORE 00000534: POP 00000535: POP 00000536: POP 00000537: JUMP 00000538: JUMPDEST 00000539: POP 0000053a: PUSH1 0x01 0000053c: SLOAD 0000053d: PUSH1 0x05 0000053f: SLOAD 00000540: PUSH1 0x40 00000542: MLOAD 00000543: PUSH1 0x64 00000545: SWAP1 00000546: SWAP3 00000547: DIV 00000548: DUP4 00000549: MUL 0000054a: SWAP2 0000054b: PUSH1 0x01 0000054d: PUSH1 0xa0 0000054f: PUSH1 0x02 00000551: EXP 00000552: SUB 00000553: SWAP2 00000554: SWAP1 00000555: SWAP2 00000556: AND 00000557: SWAP1 00000558: PUSH1 0x00 0000055a: SWAP1 0000055b: DUP4 0000055c: SWAP1 0000055d: DUP3 0000055e: DUP2 0000055f: DUP2 00000560: DUP2 00000561: DUP6 00000562: DUP9 00000563: DUP4 00000564: CALL 00000565: POP 00000566: POP 00000567: PUSH1 0x01 00000569: DUP1 0000056a: SLOAD 0000056b: SWAP2 0000056c: SWAP1 0000056d: SWAP2 0000056e: SUB 0000056f: SWAP1 00000570: SSTORE 00000571: POP 00000572: POP 00000573: JUMPDEST 00000574: POP 00000575: POP 00000576: JUMP 00000577: JUMPDEST 00000578: PUSH1 0x03 0000057a: SSTORE 0000057b: JUMP 0000057c: JUMPDEST 0000057d: PUSH1 0x02 0000057f: SSTORE 00000580: JUMP 00000581: JUMPDEST 00000582: POP 00000583: POP 00000584: POP 00000585: SWAP2 00000586: SWAP1 00000587: SWAP1 00000588: PUSH1 0x00 0000058a: MSTORE 0000058b: PUSH1 0x20 0000058d: PUSH1 0x00 0000058f: KECCAK256 00000590: SWAP1 00000591: PUSH1 0x02 00000593: MUL 00000594: ADD 00000595: PUSH1 0x00 00000597: POP 00000598: PUSH1 0x40 0000059a: DUP1 0000059b: MLOAD 0000059c: DUP1 0000059d: DUP3 0000059e: ADD 0000059f: SWAP1 000005a0: SWAP2 000005a1: MSTORE 000005a2: CALLER 000005a3: DUP1 000005a4: DUP3 000005a5: MSTORE 000005a6: PUSH1 0x03 000005a8: SLOAD 000005a9: PUSH1 0x64 000005ab: CALLVALUE 000005ac: SWAP2 000005ad: SWAP1 000005ae: SWAP2 000005af: MUL 000005b0: DIV 000005b1: PUSH1 0x20 000005b3: SWAP3 000005b4: SWAP1 000005b5: SWAP3 000005b6: ADD 000005b7: DUP3 000005b8: SWAP1 000005b9: MSTORE 000005ba: DUP3 000005bb: SLOAD 000005bc: PUSH1 0x01 000005be: PUSH1 0xa0 000005c0: PUSH1 0x02 000005c2: EXP 000005c3: SUB 000005c4: NOT 000005c5: AND 000005c6: OR 000005c7: DUP3 000005c8: SSTORE 000005c9: PUSH1 0x01 000005cb: SWAP2 000005cc: SWAP1 000005cd: SWAP2 000005ce: ADD 000005cf: SSTORE 000005d0: POP 000005d1: PUSH1 0x06 000005d3: SLOAD 000005d4: PUSH1 0x0a 000005d6: EQ 000005d7: ISZERO 000005d8: PUSH2 0x05e9 000005db: JUMPI 000005dc: PUSH1 0xc8 000005de: PUSH1 0x03 000005e0: SSTORE 000005e1: PUSH2 0x05fa 000005e4: JUMP 000005e5: JUMPDEST 000005e6: POP 000005e7: SWAP1 000005e8: JUMP 000005e9: JUMPDEST 000005ea: PUSH1 0x06 000005ec: SLOAD 000005ed: PUSH1 0x19 000005ef: EQ 000005f0: ISZERO 000005f1: PUSH2 0x05fa 000005f4: JUMPI 000005f5: PUSH1 0x96 000005f7: PUSH1 0x03 000005f9: SSTORE 000005fa: JUMPDEST 000005fb: PUSH1 0x00 000005fd: DUP1 000005fe: SLOAD 000005ff: PUSH1 0x64 00000601: DUP5 00000602: DUP2 00000603: SUB 00000604: CALLVALUE 00000605: SWAP1 00000606: DUP2 00000607: MUL 00000608: DUP3 00000609: SWAP1 0000060a: DIV 0000060b: SWAP1 0000060c: SWAP3 0000060d: ADD 0000060e: SWAP1 0000060f: SWAP3 00000610: SSTORE 00000611: PUSH1 0x01 00000613: DUP1 00000614: SLOAD 00000615: SWAP2 00000616: DUP6 00000617: MUL 00000618: SWAP3 00000619: SWAP1 0000061a: SWAP3 0000061b: DIV 0000061c: ADD 0000061d: SWAP1 0000061e: SSTORE 0000061f: JUMPDEST 00000620: PUSH1 0x04 00000622: SLOAD 00000623: PUSH1 0x06 00000625: DUP1 00000626: SLOAD 00000627: SWAP1 00000628: SWAP2 00000629: SWAP1 0000062a: DUP2 0000062b: LT 0000062c: ISZERO 0000062d: PUSH2 0x0002 00000630: JUMPI 00000631: PUSH1 0x00 00000633: SWAP2 00000634: DUP3 00000635: MSTORE 00000636: PUSH1 0x02 00000638: MUL 00000639: PUSH32 0xf652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d3f 0000065a: ADD 0000065b: SWAP1 0000065c: POP 0000065d: PUSH1 0x01 0000065f: ADD 00000660: SLOAD 00000661: PUSH1 0x00 00000663: SLOAD 00000664: GT 00000665: ISZERO 00000666: PUSH2 0x0573 00000669: JUMPI 0000066a: PUSH1 0x04 0000066c: SLOAD 0000066d: PUSH1 0x06 0000066f: DUP1 00000670: SLOAD 00000671: SWAP1 00000672: SWAP2 00000673: SWAP1 00000674: DUP2 00000675: LT 00000676: ISZERO 00000677: PUSH2 0x0002 0000067a: JUMPI 0000067b: PUSH1 0x02 0000067d: MUL 0000067e: PUSH1 0x00 00000680: DUP1 00000681: MLOAD 00000682: PUSH1 0x20 00000684: PUSH2 0x0999 00000687: DUP4 00000688: CODECOPY 00000689: DUP2 0000068a: MLOAD 0000068b: SWAP2 0000068c: MSTORE 0000068d: ADD 0000068e: SLOAD 0000068f: PUSH1 0x04 00000691: SLOAD 00000692: DUP3 00000693: SLOAD 00000694: SWAP2 00000695: SWAP4 00000696: POP 00000697: SWAP1 00000698: DUP2 00000699: LT 0000069a: ISZERO 0000069b: PUSH2 0x0002 0000069e: JUMPI 0000069f: PUSH1 0x02 000006a1: MUL 000006a2: PUSH32 0xf652222313e28459528d920b65115c16c04f3efc82aaedc97be59f3f377c0d3f 000006c3: ADD 000006c4: SLOAD 000006c5: PUSH1 0x40 000006c7: MLOAD 000006c8: PUSH1 0x01 000006ca: PUSH1 0xa0 000006cc: PUSH1 0x02 000006ce: EXP 000006cf: SUB 000006d0: SWAP2 000006d1: SWAP1 000006d2: SWAP2 000006d3: AND 000006d4: SWAP2 000006d5: POP 000006d6: PUSH1 0x00 000006d8: SWAP1 000006d9: DUP4 000006da: SWAP1 000006db: DUP3 000006dc: DUP2 000006dd: DUP2 000006de: DUP2 000006df: DUP6 000006e0: DUP9 000006e1: DUP4 000006e2: CALL 000006e3: SWAP4 000006e4: POP 000006e5: POP 000006e6: POP 000006e7: POP 000006e8: POP 000006e9: PUSH1 0x06 000006eb: PUSH1 0x00 000006ed: POP 000006ee: PUSH1 0x04 000006f0: PUSH1 0x00 000006f2: POP 000006f3: SLOAD 000006f4: DUP2 000006f5: SLOAD 000006f6: DUP2 000006f7: LT 000006f8: ISZERO 000006f9: PUSH2 0x0002 000006fc: JUMPI 000006fd: PUSH1 0x00 000006ff: SWAP2 00000700: DUP3 00000701: MSTORE 00000702: DUP2 00000703: SLOAD 00000704: PUSH1 0x02 00000706: SWAP2 00000707: SWAP1 00000708: SWAP2 00000709: MUL 0000070a: PUSH1 0x00 0000070c: DUP1 0000070d: MLOAD 0000070e: PUSH1 0x20 00000710: PUSH2 0x0999 00000713: DUP4 00000714: CODECOPY 00000715: DUP2 00000716: MLOAD 00000717: SWAP2 00000718: MSTORE 00000719: ADD 0000071a: SLOAD 0000071b: SWAP1 0000071c: SUB 0000071d: SWAP1 0000071e: SSTORE 0000071f: PUSH1 0x04 00000721: DUP1 00000722: SLOAD 00000723: PUSH1 0x01 00000725: ADD 00000726: SWAP1 00000727: SSTORE 00000728: PUSH2 0x061f 0000072b: JUMP 0000072c: MSTORE8 0000072d: PUSH9 0x6f776e20696e202520 00000737: PUSH7 0x6f726d2e204665 0000073f: PUSH6 0x206973206861 00000746: PUSH13 0x766564283530252920666f7220 00000754: PUSH2 0x6d6f 00000757: PUSH22 0x6e747320657175616c206f7220677265617465722074 0000076e: PUSH9 0x616e20353020657468 00000778: PUSH6 0x72732e202846 0000077f: PUSH6 0x65206d617920 00000786: PUSH4 0x68616e67 0000078b: PUSH6 0x2c2062757420 00000792: PUSH10 0x73206361707065642074 0000079d: PUSH16 0x2061206d6178696d756d206f66203130 000007ae: UNKNOWN(0x25) 000007af: UNKNOWN(0x29) 000007b0: COINBASE 000007b1: PUSH13 0x6c2062616c616e63652076616c 000007bf: PUSH22 0x657320617265206d6561737572656420696e20457468 000007d6: PUSH6 0x72732c206e6f 000007dd: PUSH21 0x6520746861742064756520746f206e6f2064656369 000007f3: PUSH14 0x616c20706c6163696e672c207468 00000802: PUSH6 0x73652076616c 00000809: PUSH22 0x65732073686f7720757020617320696e746567657273 00000820: KECCAK256 00000821: PUSH16 0x6e6c792c2077697468696e2074686520 00000832: PUSH4 0x6f6e7472 00000837: PUSH2 0x6374 0000083a: KECCAK256 0000083b: PUSH10 0x7473656c6620796f7520 00000846: PUSH24 0x696c6c206765742074686520657861637420646563696d61 0000085f: PUSH13 0x2076616c756520796f75206172 0000086d: PUSH6 0x20737570706f 00000874: PUSH20 0x656420746f54686973206d756c7469706c696572 00000889: KECCAK256 0000088a: PUSH2 0x7070 0000088d: PUSH13 0x69657320746f20796f75206173 0000089b: KECCAK256 0000089c: PUSH20 0x6f6f6e206173207472616e73616374696f6e2069 000008b1: PUSH20 0x2072656365697665642c206d6179206265206c6f 000008c6: PUSH24 0x6572656420746f2068617374656e207061796f757473206f 000008df: PUSH19 0x20696e63726561736564206966207061796f75 000008f3: PUSH21 0x7320617265206661737420656e6f7567682e204475 00000909: PUSH6 0x20746f206e6f 00000910: KECCAK256 00000911: PUSH7 0x6c6f6174206f72 00000919: KECCAK256 0000091a: PUSH5 0x6563696d61 00000920: PUSH13 0x732c206d756c7469706c696572 0000092e: KECCAK256 0000092f: PUSH10 0x73207831303020666f72 0000093a: KECCAK256 0000093b: PUSH2 0x2066 0000093e: PUSH19 0x616374696f6e616c206d756c7469706c696572 00000952: KECCAK256 00000953: PUSH6 0x2e672e203235 0000095a: ADDRESS 0000095b: KECCAK256 0000095c: PUSH10 0x732061637475616c6c79 00000967: KECCAK256 00000968: PUSH2 0x2032 0000096b: UNKNOWN(0x2E) 0000096c: CALLDATALOAD 0000096d: PUSH25 0x206d756c7469706c6965722e20436170706564206174203378 00000987: KECCAK256 00000988: PUSH14 0x617820616e6420312e3278206d69 00000997: PUSH15 0x2ef652222313e28459528d920b6511 000009a7: TLOAD 000009a8: AND 000009a9: UNKNOWN(0xC0) 000009aa: UNKNOWN(0x4F) 000009ab: RETURNDATACOPY 000009ac: UNKNOWN(0xFC) 000009ad: DUP3 000009ae: UNKNOWN(0xAA) 000009af: UNKNOWN(0xED) 000009b0: UNKNOWN(0xC9) 000009b1: PUSH28
Warning: This is a nightly build of Foundry. It is recommended to use the latest stable version. To mute this warning set `FOUNDRY_DISABLE_NIGHTLY_WARNING` in your environment.
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | other | detector | Untrusted CALL target/value reachable | 60 | yes | yes |
viewtrace_id: 0x0bd962aa5597728bf8755c16d678e34d99c29f895104cf068b47fc71ee1acbcc
call_targets:
0x0000000000000000000000000000000000000004, 0x79c039d075bc3b86a7df63ebbe55fbc642b5220f
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x0bd962aa5597728bf8755c16d678e34d99c29f895104cf068b47fc71ee1acbcc",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x79c039d075bc3b86a7df63ebbe55fbc642b5220f"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x09dfdc71",
"selector": "0x09dfdc71",
"calldata_variants": [
"0x09dfdc71",
"0x09dfdc710000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x253459e3",
"selector": "0x253459e3",
"calldata_variants": [
"0x253459e3",
"0x253459e30000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x4229616d",
"selector": "0x4229616d",
"calldata_variants": [
"0x4229616d",
"0x4229616d0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x57d4021b",
"selector": "0x57d4021b",
"calldata_variants": [
"0x57d4021b",
"0x57d4021b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x686f2c90",
"selector": "0x686f2c90",
"calldata_variants": [
"0x686f2c90",
"0x686f2c900000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x6fbaaa1e",
"selector": "0x6fbaaa1e",
"calldata_variants": [
"0x6fbaaa1e",
"0x6fbaaa1e0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x8a5fb3ca",
"selector": "0x8a5fb3ca",
"calldata_variants": [
"0x8a5fb3ca",
"0x8a5fb3ca0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x9dbc4f9b",
"selector": "0x9dbc4f9b",
"calldata_variants": [
"0x9dbc4f9b",
"0x9dbc4f9b0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 1012,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 1262,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 1319,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 5,
"guards_detected": [],
"untrusted_call_count": 5
}
|
| high | other | detector | ETH value transfer possible | 55 | yes | yes |
viewtrace_id: 0x0bd962aa5597728bf8755c16d678e34d99c29f895104cf068b47fc71ee1acbcc
call_targets:
0x0000000000000000000000000000000000000004, 0x79c039d075bc3b86a7df63ebbe55fbc642b5220f
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x0bd962aa5597728bf8755c16d678e34d99c29f895104cf068b47fc71ee1acbcc",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x79c039d075bc3b86a7df63ebbe55fbc642b5220f"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x09dfdc71",
"selector": "0x09dfdc71",
"calldata_variants": [
"0x09dfdc71",
"0x09dfdc710000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x253459e3",
"selector": "0x253459e3",
"calldata_variants": [
"0x253459e3",
"0x253459e30000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x4229616d",
"selector": "0x4229616d",
"calldata_variants": [
"0x4229616d",
"0x4229616d0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x57d4021b",
"selector": "0x57d4021b",
"calldata_variants": [
"0x57d4021b",
"0x57d4021b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x686f2c90",
"selector": "0x686f2c90",
"calldata_variants": [
"0x686f2c90",
"0x686f2c900000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x6fbaaa1e",
"selector": "0x6fbaaa1e",
"calldata_variants": [
"0x6fbaaa1e",
"0x6fbaaa1e0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x8a5fb3ca",
"selector": "0x8a5fb3ca",
"calldata_variants": [
"0x8a5fb3ca",
"0x8a5fb3ca0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x9dbc4f9b",
"selector": "0x9dbc4f9b",
"calldata_variants": [
"0x9dbc4f9b",
"0x9dbc4f9b0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 1012,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 1262,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 1319,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 5,
"guards_detected": []
}
|
| high | reentrancy | codex | Payout loop performs external ETH send before advancing queue/accounting state | 85 | no | — |
viewevidence_json{
"evidence": "From bytecode only: the payable receive/fallback path jumps into the deposit/payout routine at pc:0x0453. That routine eventually loads a recipient from keccak-derived storage and issues a value-bearing CALL at pc:0x06e2. No guard was detected in the artifact. State changes appear after the external call: pc:0x071a..0x071e subtracts stored value and pc:0x0720..0x0727 increments the queue cursor in slot 0x04. Because authoritative state is updated after the CALL, reentrancy is plausible. This is reinforced by the detector bundle marking reachable untrusted CALLs with nonzero value and no detected guards.",
"locations": [
"pc:0x453",
"pc:0x6e2",
"pc:0x71e",
"pc:0x727"
],
"recommendation": "Apply checks-effects-interactions in the payout path: update the owed amount / cursor before any external CALL, add a reentrancy guard around the payable entrypoint and payout routine, and prefer pull-based withdrawals over push payments.",
"exploit_scenario": "A participant can register a contract address as the payout recipient. When the contract later reaches that recipient in the payable/fallback-driven payout loop, the low-level CALL at pc:0x6e2 transfers ETH before the current payout record is finalized. The recipient contract can reenter the payable entry path during its fallback and execute against stale queue/balance state, potentially receiving multiple payouts or corrupting payout progression before pc:0x71e/pc:0x727 run."
}
|
| medium | other | codex | Unchecked low-level ETH sends can silently desynchronize internal accounting from actual transfers | 75 | no | — |
viewevidence_json{
"evidence": "The value-bearing CALL sites at pc:0x04ee, pc:0x0527, pc:0x0564, and pc:0x06e2 all POP the success flag instead of branching on it. The bundled callsite evidence reports `returndata_checked: null` for the CALL examples. One CALL site at pc:0x03f4 appears to be a precompile/helper pattern and is excluded from this claim. At pc:0x052a..0x0533 and pc:0x0567..0x0570 storage slot 0x01 is updated after the CALL regardless of success, and after pc:0x06e2 the routine proceeds into post-payment accounting/cursor updates at pc:0x071a..0x0727 without any visible success check. Exact variable names are unknown from bytecode, but the bookkeeping-after-unchecked-call pattern is clear.",
"locations": [
"pc:0x4ee",
"pc:0x527",
"pc:0x564",
"pc:0x6e2"
],
"recommendation": "Check the boolean result of each low-level CALL and revert on failure, or record failed sends as claimable credit that the recipient can withdraw later. Do not mutate accounting state unless the transfer succeeded.",
"exploit_scenario": "If a payout target or the owner-like address stored in slot 0x05 is a contract that rejects ETH, runs out of gas, or otherwise returns failure, the CALL returns 0 but the contract continues execution. Internal balances/counters can still be decremented or advanced, leaving the queue or fee accounting inconsistent with real ETH movement and potentially causing skipped payouts or insolvency-like state."
}
|