019b3836-3d36-73b6-80fd-0641ca3adbb2
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 4687 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 4688 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 48016 | analysis.bundle | complete | 1 / 3 | 1 week ago |
| 48017 | capability.graph | complete | 1 / 3 | 1 week ago |
| 48018 | detector.run | complete | 1 / 3 | 1 week ago |
| 48019 | validation.fork | complete | 1 / 3 | 1 week ago |
| 113285 | report.consolidate | complete | 1 / 6 | 1 week ago |
No slither job recorded yet.
{"no_findings":false,"summary":"The runtime is a fallback-only payable contract that keeps dynamic arrays in storage slots 2 and 3, derives winners from block metadata, and performs many value-bearing CALLs without any detected guard. The strongest bytecode-supported risks are reentrancy during the payout phase, unchecked call failures that can desynchronize payouts from state, and manipulable randomness for winner selection.","findings":[{"severity":"high","category":"reentrancy","title":"Payout phase appears reenterable before round state is cleared","exploit_scenario":"A malicious recipient contract can be inserted into the participant arrays and receive ETH during the payout loop. Its fallback can immediately call this contract again through the only visible entrypoint (`fallback`). Because no guard was detected, the round-state variable is set to `100` before the payout gate and is only reset near the end of execution, so a reentrant call can execute while slots 2/3 still hold the current round's data. That can let the same round be processed recursively or against partially updated state, potentially causing repeated payouts or corrupted accounting. This is inferred from bytecode and exact business logic is uncertain, but the reentrancy window is concrete.","recommendation":"Apply checks-effects-interactions: finalize/reset round state before any external value transfer, or move payouts to a pull-based claim flow. Add an explicit reentrancy guard around the fallback path.","evidence":"`fallback` is the only discovered entrypoint. No auth/reentrancy guards were detected. The contract writes `100` to slot 4 at pc `0x193`, checks the payout condition from slot 4 at pc `0x1f1`, performs multiple ETH `CALL`s during the payout loop at pcs `0x2d0`, `0x353`, `0x3d6`, `0x487`, and `0x4a5`, and only resets slot 4 to `0` near pc `0x4e8`. The participant arrays are only cleared after those calls.","locations":["selector:fallback","pc:0x193","pc:0x1f1","pc:0x2d0","pc:0x353","pc:0x3d6","pc:0x487","pc:0x4a5","pc:0x4e8"]},{"severity":"high","category":"other","title":"ETH transfers ignore CALL success and continue mutating state","exploit_scenario":"Any recipient that reverts, exhausts gas, or otherwise rejects ETH causes `CALL` to return `0`. This bytecode pops the return value instead of checking it, then continues updating storage and clearing round state. A malicious or incompatible recipient can therefore make the contract believe a payout step completed when no ETH was actually delivered, leaving rewards unpaid or later diverted by subsequent logic.","recommendation":"Check the boolean result of each low-level `CALL` and revert or record an explicit unpaid balance on failure. Prefer pull payments over push payments for participant rewards.","evidence":"The artifact records 9 `CALL` sites with `returndata_checked: null`, and the disassembly shows the return values being discarded with `POP`. Examples: after `CALL` at `0x18c`, execution immediately stores to slot 4 at `0x193`; after `CALL`s at `0x2d0`, `0x353`, `0x3d6`, `0x487`, and `0x4a5`, execution just pops stack items and continues the payout/cleanup flow. This is a concrete unchecked-call pattern even though exact source-level intent is unknown.","locations":["pc:0x18c","pc:0x1c1","pc:0x1ea","pc:0x2d0","pc:0x353","pc:0x3d6","pc:0x487","pc:0x4a5"]},{"severity":"medium","category":"oracle","title":"Winner selection relies on blockhash/timestamp entropy that can be biased","exploit_scenario":"When the payout phase starts, winner indexes are derived from recent `BLOCKHASH`, `NUMBER`, and `TIMESTAMP` values and then used to select addresses from storage-backed participant arrays for fixed ETH transfers. A block producer or MEV searcher with transaction-order influence can bias whether the round executes in a favorable block, and may influence which stored addresses receive the rewards.","recommendation":"Do not use block metadata as lottery entropy. Replace this with a commit-reveal scheme or an external verifiable randomness source.","evidence":"The bytecode uses `NUMBER` at pc `0x202`, `BLOCKHASH` at pcs `0x208` and `0x214`, and `TIMESTAMP` at pc `0x218`, then applies multiple `MOD` operations through pc `0x242`. Those derived values feed array lookups over slots 2/3 before ETH `CALL`s at `0x2d0`, `0x353`, and `0x3d6`. The exact selector/function name is unknown because dispatch inference found only `fallback`.","locations":["selector:fallback","pc:0x202","pc:0x208","pc:0x214","pc:0x218","pc:0x242","pc:0x2d0","pc:0x353","pc:0x3d6"]}]}
OpenAI Codex v0.118.0 (research preview)
--------
workdir: /tmp/codex-33lysiex
model: gpt-5.4
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: none
session id: 019d5c19-ad0f-7cf2-9a78-40e3a73907fb
--------
user
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
warning: Codex could not find system bubblewrap on PATH. Please install bubblewrap with your package manager. Codex will use the vendored bubblewrap in the meantime.
→ Inspect BYTECODE_BUNDLE.json and related artifacts to understand the runtime bytecode summary, callsites, storage slots, and detector findings
• Assess likely security issues from bytecode evidence with explicit uncertainty
• Produce the required JSON findings output matching the schema
exec
/bin/bash -lc pwd in /tmp/codex-33lysiex
succeeded in 0ms:
/tmp/codex-33lysiex
exec
/bin/bash -lc "rg --files -g 'BYTECODE_BUNDLE.json' -g 'AGENTS.md' -g '*.json'" in /tmp/codex-33lysiex
succeeded in 0ms:
BYTECODE_BUNDLE.json
codex-output-schema.json
exec
/bin/bash -lc "sed -n '1,260p' BYTECODE_BUNDLE.json" in /tmp/codex-33lysiex
succeeded in 0ms:
{
"analysis_artifact": {
"address": "0xe724bf992be1849f3891ed0656c31d5096ea8862",
"artifact_hash": "0x5b12fe4a06ed558f2121c9bd693347bf6002396c54ccde6125683313b40ac15a",
"artifact_json": {
"auth": {
"guards": []
},
"basic_blocks": [
{
"end_pc": 10,
"hash": "0xac0bdec5d70ac003da16146b40dd072a1529c7207bdb7c1e984cda39da7e0897",
"opcodes": [
"PUSH1",
"PUSH1",
"MSTORE",
"CALLDATASIZE",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 0
},
{
"end_pc": 45,
"hash": "0x4a8d930976f1ba0b9c45b1fc1b9cc7731c6a66f125c24fd827331949c9a3ace8",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"SLOAD",
"PUSH6",
"OP_90",
"PUSH1",
"SUB",
"OP_81",
"MUL",
"CALLVALUE",
"OP_82",
"OP_81",
"DIV",
"OP_90",
"PUSH1",
"OP_90",
"OP_84",
"OP_90",
"LT",
"PUSH2",
"JUMPI"
],
"start_pc": 11
},
{
"end_pc": 68,
"hash": "0x60cee588c2ed0197d42d0014fa31fcff562a6934657574c19380ae9532135651",
"opcodes": [
"PUSH1",
"OP_80",
"SLOAD",
"PUSH1",
"OP_81",
"ADD",
"OP_80",
"OP_83",
"SSTORE",
"OP_82",
"OP_81",
"OP_83",
"OP_80",
"ISZERO",
"OP_82",
"OP_90",
"GT",
"PUSH2",
"JUMPI"
],
"start_pc": 46
},
{
"end_pc": 92,
"hash": "0xa4c6811d3f33898042b18956f6fe3def3caff320201da695806c19578f0ed400",
"opcodes": [
"OP_81",
"OP_83",
"PUSH1",
"MSTORE",
"PUSH1",
"PUSH1",
"SHA3",
"OP_91",
"OP_82",
"ADD",
"OP_91",
"ADD",
"PUSH2",
"OP_91",
"OP_90",
"PUSH2",
"JUMP"
],
"start_pc": 69
},
{
"end_pc": 94,
"hash": "0xf27922a49ab31c41093d887a867069180d7c2a9fc401d04775372d1f486eb104",
"opcodes": [
"JUMPDEST",
"STOP"
],
"start_pc": 93
},
{
"end_pc": 146,
"hash": "0xdf4670469b3278a42d5bf101cdff3c37c9a280707d0291cb6cb9ca62a92d06db",
"opcodes": [
"JUMPDEST",
"POP",
"POP",
"POP",
"PUSH1",
"OP_92",
"OP_83",
"MSTORE",
"POP",
"PUSH1",
"OP_90",
"OP_91",
"SHA3",
"ADD",
"OP_80",
"SLOAD",
"PUSH20",
"NOT",
"AND",
"CALLER",
"OR",
"OP_90",
"SSTORE",
"CALLVALUE",
"OP_83",
"LT",
"PUSH2",
"JUMPI"
],
"start_pc": 95
},
{
"end_pc": 177,
"hash": "0xecd8824fb9efc6624587ec0f284f763ecaab31b75608152f0f9a8b0f530bb75d",
"opcodes": [
"PUSH1",
"OP_80",
"SLOAD",
"OP_83",
"ADD",
"OP_90",
"SSTORE",
"PUSH1",
"OP_80",
"SLOAD",
"PUSH1",
"OP_81",
"ADD",
"OP_80",
"OP_83",
"SSTORE",
"OP_82",
"OP_81",
"OP_83",
"OP_80",
"ISZERO",
"OP_82",
"OP_90",
"GT",
"PUSH2",
"JUMPI"
],
"start_pc": 147
},
{
"end_pc": 211,
"hash": "0x7bae98674eb907782658f81000144f8a8af0ef5f04919ebd7c2772b41feaf7b2",
"opcodes": [
"PUSH1",
"OP_83",
"OP_90",
"MSTORE",
"PUSH2",
"OP_90",
"PUSH1",
"OP_80",
"MLOAD",
"PUSH1",
"PUSH2",
"OP_83",
"CODECOPY",
"OP_81",
"MLOAD",
"OP_91",
"MSTORE",
"OP_90",
"OP_81",
"ADD",
"OP_90",
"OP_83",
"ADD",
"PUSH2",
"JUMP"
],
"start_pc": 178
},
{
"end_pc": 248,
"hash": "0x734e147a365d5c3998f40ac179a5b553368f050d574b03f5e59e1fd816128c63",
"opcodes": [
"JUMPDEST",
"PUSH1",
"OP_80",
"SLOAD",
"PUSH1",
"OP_80",
"OP_83",
"SSTORE",
"OP_91",
"OP_90",
"OP_91",
"MSTORE",
"PUSH2",
"OP_90",
"PUSH1",
"OP_80",
"MLOAD",
"PUSH1",
"PUSH2",
"OP_83",
"CODECOPY",
"OP_81",
"MLOAD",
"OP_91",
"MSTORE",
"OP_90",
"OP_81",
"ADD",
"OP_90"
],
"start_pc": 212
},
{
"end_pc": 257,
"hash": "0x79108d6c4c516db88a9c2a1c3d54cc025eab0b1c1808fdefefd7a8ff1451befd",
"opcodes": [
"JUMPDEST",
"OP_80",
"OP_82",
"GT",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 249
exec
/bin/bash -lc "sed -n '1,220p' codex-output-schema.json" in /tmp/codex-33lysiex
succeeded in 0ms:
{"type": "object", "additionalProperties": false, "required": ["no_findings", "summary", "findings"], "properties": {"no_findings": {"type": "boolean"}, "summary": {"type": "string"}, "findings": {"type": "array", "items": {"type": "object", "additionalProperties": false, "required": ["severity", "category", "title", "evidence", "locations", "exploit_scenario", "recommendation"], "properties": {"severity": {"type": "string", "enum": ["info", "low", "medium", "high", "critical"]}, "category": {"type": "string", "enum": ["access_control", "reentrancy", "math", "oracle", "upgradeability", "auth", "other"]}, "title": {"type": "string"}, "exploit_scenario": {"type": "string"}, "recommendation": {"type": "string"}, "evidence": {"type": "string"}, "locations": {"type": "array", "items": {"type": "string"}}}}}}}
exec
/bin/bash -lc "jq 'keys, .analysis_artifact.artifact_json | keys' BYTECODE_BUNDLE.json" in /tmp/codex-33lysiex
succeeded in 0ms:
[
0,
1,
2,
3,
4,
5
]
[
"auth",
"basic_blocks",
"callsites",
"cfg_edges",
"cfg_hash",
"dispatcher_type",
"function_entries",
"functions",
"selectors",
"sinks",
"storage",
"version"
]
exec
/bin/bash -lc "jq '{top_keys: keys, artifact_keys: .analysis_artifact.artifact_json|keys}' BYTECODE_BUNDLE.json" in /tmp/codex-33lysiex
succeeded in 0ms:
{
"top_keys": [
"analysis_artifact",
"analysis_run",
"artifact",
"capability_graph",
"detector_findings",
"heuristics_summary"
],
"artifact_keys": [
"auth",
"basic_blocks",
"callsites",
"cfg_edges",
"cfg_hash",
"dispatcher_type",
"function_entries",
"functions",
"selectors",
"sinks",
"storage",
"version"
]
}
exec
/bin/bash -lc "jq '.heuristics_summary' BYTECODE_BUNDLE.json" in /tmp/codex-33lysiex
succeeded in 0ms:
{
"create2_count": 0,
"delegatecall_count": 0,
"flags": [],
"selfdestruct_count": 0
}
exec
/bin/bash -lc "jq '.detector_findings' BYTECODE_BUNDLE.json" in /tmp/codex-33lysiex
succeeded in 0ms:
[
{
"confidence": 60,
"evidence_json": {
"call_count": 9,
"examples": [
{
"opcode": "CALL",
"pc": 396,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 449,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 490,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": [],
"untrusted_call_count": 9
},
"normalized_json": {
"sink": "CALL"
},
"severity": "high",
"title": "Untrusted CALL target/value reachable",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000001",
"0xe724bf992be1849f3891ed0656c31d5096ea8862"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x6638e4dc5defe6764a74d2ddff6afa4ef5e674aaf55460312e6750b2e33bd061",
"trace_mode": "callTracer"
}
},
{
"confidence": 55,
"evidence_json": {
"eth_value_calls": 9,
"examples": [
{
"opcode": "CALL",
"pc": 396,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 449,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 490,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": []
},
"normalized_json": {
"sink": "CALL",
"value": "nonzero"
},
"severity": "high",
"title": "ETH value transfer possible",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000001",
"0xe724bf992be1849f3891ed0656c31d5096ea8862"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x6638e4dc5defe6764a74d2ddff6afa4ef5e674aaf55460312e6750b2e33bd061",
"trace_mode": "callTracer"
}
}
]
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.selectors, .analysis_artifact.artifact_json.function_entries, .analysis_artifact.artifact_json.callsites, .analysis_artifact.artifact_json.sinks, .analysis_artifact.artifact_json.storage, .analysis_artifact.artifact_json.auth' BYTECODE_BUNDLE.json" in /tmp/codex-33lysiex
succeeded in 0ms:
[]
[
{
"entry_pc": 0,
"selector": "fallback"
}
]
[
{
"opcode": "CALL",
"pc": 396,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 449,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 490,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 720,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 851,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 982,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 1159,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "CALL",
"pc": 1189,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "STATICCALL",
"pc": 1272,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "n/a"
},
{
"opcode": "CALLCODE",
"pc": 1277,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
},
{
"opcode": "STATICCALL",
"pc": 1293,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "n/a"
}
]
{
"call": 9,
"create": 0,
"create2": 0,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 2,
"upgrade_slot_write_suspected": false
}
{
"keccak_count": 5,
"reads": 30,
"slots": [
{
"op": "SLOAD",
"pc": 17,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000004"
},
{
"op": "SLOAD",
"pc": 49,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000004"
},
{
"op": "SLOAD",
"pc": 158,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 216,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 290,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000004"
},
{
"op": "SLOAD",
"pc": 306,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SSTORE",
"pc": 403,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000064"
},
{
"op": "SLOAD",
"pc": 499,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000004"
},
{
"op": "SLOAD",
"pc": 588,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
},
{
"op": "SLOAD",
"pc": 599,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 652,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
},
{
"op": "SLOAD",
"pc": 730,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 783,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
},
{
"op": "SLOAD",
"pc": 861,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 914,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
},
{
"op": "SLOAD",
"pc": 992,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 1045,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
},
{
"op": "SLOAD",
"pc": 1126,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 1164,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 1213,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
},
{
"op": "SSTORE",
"pc": 1256,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
}
],
"writes": 13
}
{
"guards": []
}
exec
/bin/bash -lc "jq '{analysis_run: .analysis_run, artifact: .artifact, capability_graph: .capability_graph}' BYTECODE_BUNDLE.json" in /tmp/codex-33lysiex
succeeded in 0ms:
t_pc": 1042,
"type": "basic_block"
},
{
"end_pc": 1121,
"hash": "0x010367c38c10585af5d2534f68e249d404e7745ab34d9a1eeee8fcf040fd1697",
"id": "bb:1059",
"start_pc": 1059,
"type": "basic_block"
},
{
"end_pc": 1201,
"hash": "0x242804485dd80596916adce0346aff2f46f95eaa020d0a59dace21e4d969ed38",
"id": "bb:1122",
"start_pc": 1122,
"type": "basic_block"
},
{
"end_pc": 1207,
"hash": "0xfd4de9aba7551192b4ef4413b399af5e1720c19a2d4cb1051d1619cc9d903d29",
"id": "bb:1202",
"start_pc": 1202,
"type": "basic_block"
},
{
"end_pc": 1249,
"hash": "0xce2d04a362b97826019a0c9c73391e914c6f74517a3faa8b0f669c6b1d8f4a5b",
"id": "bb:1208",
"start_pc": 1208,
"type": "basic_block"
},
{
"end_pc": 1268,
"hash": "0xbaa9c2165d2713f437eeaea2f3c801cfc46bbc62f2e3943e310871fc75036b6b",
"id": "bb:1250",
"start_pc": 1250,
"type": "basic_block"
},
{
"end_pc": 1270,
"hash": "0x65b66ca57de1ea193c270a3989acf0b42b11e09d845dd446ac5b57223a7767ac",
"id": "bb:1269",
"start_pc": 1269,
"type": "basic_block"
},
{
"end_pc": 1329,
"hash": "0xdc9c689876a54ab439238659a6cbcfbcb044a8f1a687646d5a63e487135944aa",
"id": "bb:1271",
"start_pc": 1271,
"type": "basic_block"
},
{
"id": "call:396",
"opcode": "CALL",
"pc": 396,
"type": "callsite"
},
{
"id": "call:449",
"opcode": "CALL",
"pc": 449,
"type": "callsite"
},
{
"id": "call:490",
"opcode": "CALL",
"pc": 490,
"type": "callsite"
},
{
"id": "call:720",
"opcode": "CALL",
"pc": 720,
"type": "callsite"
},
{
"id": "call:851",
"opcode": "CALL",
"pc": 851,
"type": "callsite"
},
{
"id": "call:982",
"opcode": "CALL",
"pc": 982,
"type": "callsite"
},
{
"id": "call:1159",
"opcode": "CALL",
"pc": 1159,
"type": "callsite"
},
{
"id": "call:1189",
"opcode": "CALL",
"pc": 1189,
"type": "callsite"
},
{
"id": "call:1272",
"opcode": "STATICCALL",
"pc": 1272,
"type": "callsite"
},
{
"id": "call:1277",
"opcode": "CALLCODE",
"pc": 1277,
"type": "callsite"
},
{
"id": "call:1293",
"opcode": "STATICCALL",
"pc": 1293,
"type": "callsite"
},
{
"id": "sink:call",
"type": "sink"
},
{
"id": "sink:staticcall",
"type": "sink"
},
{
"id": "sink:callcode",
"type": "sink"
},
{
"entry_pc": 0,
"id": "fn:fallback",
"selector": "fallback",
"type": "function"
}
],
"version": "capability_graph_v1"
},
"id": 2504,
"updated_at": "2026-04-04T19:57:44.000000Z",
"version": "capability_graph_v1"
}
}
exec
/bin/bash -lc "python - <<'PY'
import json
from textwrap import wrap
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
code=data['artifact']['runtime_bytecode']['full'][2:]
bs=bytes.fromhex(code)
ops={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'}
for i in range(1,33): ops[0x5f+i]=f'PUSH{i}'
for i in range(1,17): ops[0x7f+i]=f'DUP{i}'
for i in range(1,17): ops[0x8f+i]=f'SWAP{i}'
for i in range(0,5): ops[0xa0+i]=f'LOG{i}'
pc=0
inst=[]
while pc < len(bs):
op=bs[pc]
name=ops.get(op,f'OP_{op:02x}')
arg=None
start=pc
pc+=1
if 0x60 <= op <= 0x7f:
n=op-0x5f
arg=bs[pc:pc+n]
pc+=n
inst.append((start,name,arg))
# print windows around interesting pcs
interesting=[350,396,407,423,449,464,490,496,509,585,609,666,720,726,740,797,851,857,871,928,982,988,1122,1159,1189,1208,1250,1269,1271]
for target in interesting:
print(f'--- around {target} ---')
for s,name,arg in inst:
if target-18 <= s <= target+18:
if arg is None:
print(f'{s:04x}: {name}')
else:
print(f'{s:04x}: {name} 0x{arg.hex()}')
PY" in /tmp/codex-33lysiex
succeeded in 0ms:
--- around 350 ---
014d: PUSH1 0x00
014f: SHA3
0150: SWAP2
0151: DUP3
0152: ADD
0153: SWAP2
0154: ADD
0155: PUSH2 0x015e
0158: SWAP2
0159: SWAP1
015a: PUSH2 0x00f9
015d: JUMP
015e: JUMPDEST
015f: POP
0160: POP
0161: POP
0162: PUSH1 0x00
0164: SWAP3
0165: DUP4
0166: MSTORE
0167: POP
0168: PUSH1 0x20
016a: DUP3
016b: SHA3
016c: PUSH1 0x64
016e: SWAP2
016f: ADD
0170: SSTORE
--- around 396 ---
017a: EXP
017b: SUB
017c: CALLER
017d: AND
017e: SWAP2
017f: SWAP1
0180: CALLVALUE
0181: DUP7
0182: SWAP1
0183: SUB
0184: SWAP1
0185: DUP3
0186: DUP2
0187: DUP2
0188: DUP2
0189: DUP6
018a: DUP9
018b: DUP4
018c: CALL
018d: POP
018e: POP
018f: PUSH1 0x64
0191: PUSH1 0x04
0193: SSTORE
0194: POP
0195: POP
0196: POP
0197: JUMPDEST
0198: DUP4
0199: PUSH1 0x00
019b: CALLVALUE
019c: ADDMOD
019d: SWAP1
019e: POP
--- around 407 ---
0185: DUP3
0186: DUP2
0187: DUP2
0188: DUP2
0189: DUP6
018a: DUP9
018b: DUP4
018c: CALL
018d: POP
018e: POP
018f: PUSH1 0x64
0191: PUSH1 0x04
0193: SSTORE
0194: POP
0195: POP
0196: POP
0197: JUMPDEST
0198: DUP4
0199: PUSH1 0x00
019b: CALLVALUE
019c: ADDMOD
019d: SWAP1
019e: POP
019f: PUSH1 0x00
01a1: DUP2
01a2: EQ
01a3: PUSH2 0x01c7
01a6: JUMPI
01a7: PUSH1 0x40
01a9: MLOAD
--- around 423 ---
0195: POP
0196: POP
0197: JUMPDEST
0198: DUP4
0199: PUSH1 0x00
019b: CALLVALUE
019c: ADDMOD
019d: SWAP1
019e: POP
019f: PUSH1 0x00
01a1: DUP2
01a2: EQ
01a3: PUSH2 0x01c7
01a6: JUMPI
01a7: PUSH1 0x40
01a9: MLOAD
01aa: PUSH1 0x01
01ac: PUSH1 0xa0
01ae: PUSH1 0x02
01b0: EXP
01b1: SUB
01b2: CALLER
01b3: AND
01b4: SWAP1
01b5: PUSH1 0x00
01b7: SWAP1
01b8: DUP4
01b9: SWAP1
--- around 449 ---
01b0: EXP
01b1: SUB
01b2: CALLER
01b3: AND
01b4: SWAP1
01b5: PUSH1 0x00
01b7: SWAP1
01b8: DUP4
01b9: SWAP1
01ba: DUP3
01bb: DUP2
01bc: DUP2
01bd: DUP2
01be: DUP6
01bf: DUP9
01c0: DUP4
01c1: CALL
01c2: POP
01c3: POP
01c4: POP
01c5: POP
01c6: POP
01c7: JUMPDEST
01c8: DUP4
01c9: CALLVALUE
01ca: LT
01cb: ISZERO
01cc: PUSH2 0x01f0
01cf: JUMPI
01d0: PUSH1 0x40
01d2: MLOAD
01d3: PUSH1 0x01
--- around 464 ---
01be: DUP6
01bf: DUP9
01c0: DUP4
01c1: CALL
01c2: POP
01c3: POP
01c4: POP
01c5: POP
01c6: POP
01c7: JUMPDEST
01c8: DUP4
01c9: CALLVALUE
01ca: LT
01cb: ISZERO
01cc: PUSH2 0x01f0
01cf: JUMPI
01d0: PUSH1 0x40
01d2: MLOAD
01d3: PUSH1 0x01
01d5: PUSH1 0xa0
01d7: PUSH1 0x02
01d9: EXP
01da: SUB
01db: CALLER
01dc: AND
01dd: SWAP1
01de: PUSH1 0x00
01e0: SWAP1
01e1: CALLVALUE
01e2: SWAP1
--- around 490 ---
01d9: EXP
01da: SUB
01db: CALLER
01dc: AND
01dd: SWAP1
01de: PUSH1 0x00
01e0: SWAP1
01e1: CALLVALUE
01e2: SWAP1
01e3: DUP3
01e4: DUP2
01e5: DUP2
01e6: DUP2
01e7: DUP6
01e8: DUP9
01e9: DUP4
01ea: CALL
01eb: POP
01ec: POP
01ed: POP
01ee: POP
01ef: POP
01f0: JUMPDEST
01f1: PUSH1 0x04
01f3: SLOAD
01f4: PUSH1 0x63
01f6: SWAP1
01f7: GT
01f8: ISZERO
01f9: PUSH2 0x04b2
01fc: JUMPI
--- around 496 ---
01de: PUSH1 0x00
01e0: SWAP1
01e1: CALLVALUE
01e2: SWAP1
01e3: DUP3
01e4: DUP2
01e5: DUP2
01e6: DUP2
01e7: DUP6
01e8: DUP9
01e9: DUP4
01ea: CALL
01eb: POP
01ec: POP
01ed: POP
01ee: POP
01ef: POP
01f0: JUMPDEST
01f1: PUSH1 0x04
01f3: SLOAD
01f4: PUSH1 0x63
01f6: SWAP1
01f7: GT
01f8: ISZERO
01f9: PUSH2 0x04b2
01fc: JUMPI
01fd: PUSH2 0x04b2
0200: PUSH1 0x01
0202: NUMBER
--- around 509 ---
01eb: POP
01ec: POP
01ed: POP
01ee: POP
01ef: POP
01f0: JUMPDEST
01f1: PUSH1 0x04
01f3: SLOAD
01f4: PUSH1 0x63
01f6: SWAP1
01f7: GT
01f8: ISZERO
01f9: PUSH2 0x04b2
01fc: JUMPI
01fd: PUSH2 0x04b2
0200: PUSH1 0x01
0202: NUMBER
0203: PUSH1 0x00
0205: NOT
0206: DUP2
0207: ADD
0208: BLOCKHASH
0209: DUP3
020a: SWAP1
020b: MOD
020c: SWAP2
020d: PUSH1 0x01
020f: NOT
--- around 585 ---
0237: MOD
0238: SWAP3
0239: PUSH5 0x02540be400
023f: DUP8
0240: DIV
0241: ADD
0242: MOD
0243: SWAP1
0244: DUP1
0245: DUP1
0246: DUP1
0247: PUSH1 0x00
0249: JUMPDEST
024a: PUSH1 0x03
024c: SLOAD
024d: DUP2
024e: LT
024f: ISZERO
0250: PUSH2 0x00d4
0253: JUMPI
0254: PUSH1 0x02
0256: DUP1
0257: SLOAD
0258: DUP3
0259: SWAP1
025a: DUP2
025b: LT
--- around 609 ---
024f: ISZERO
0250: PUSH2 0x00d4
0253: JUMPI
0254: PUSH1 0x02
0256: DUP1
0257: SLOAD
0258: DUP3
0259: SWAP1
025a: DUP2
025b: LT
025c: ISZERO
025d: PUSH2 0x0002
0260: JUMPI
0261: PUSH1 0x00
0263: SWAP2
0264: SWAP1
0265: SWAP2
0266: MSTORE
0267: PUSH1 0x00
0269: DUP1
026a: MLOAD
026b: PUSH1 0x20
026d: PUSH2 0x04f5
0270: DUP4
0271: CODECOPY
0272: DUP2
0273: MLOAD
--- around 666 ---
0288: JUMPI
0289: PUSH1 0x03
028b: DUP1
028c: SLOAD
028d: PUSH1 0x00
028f: SWAP7
0290: POP
0291: DUP3
0292: SWAP1
0293: DUP2
0294: LT
0295: ISZERO
0296: PUSH2 0x0002
0299: JUMPI
029a: SWAP1
029b: DUP7
029c: MSTORE
029d: PUSH1 0x40
029f: MLOAD
02a0: PUSH1 0x00
02a2: DUP1
02a3: MLOAD
02a4: PUSH1 0x20
02a6: PUSH2 0x0515
02a9: DUP4
02aa: CODECOPY
02ab: DUP2
02ac: MLOAD
--- around 720 ---
02be: DUP7
02bf: SWAP1
02c0: PUSH7 0x18de76816d8000
02c8: SWAP1
02c9: DUP3
02ca: DUP2
02cb: DUP2
02cc: DUP2
02cd: DUP6
02ce: DUP9
02cf: DUP4
02d0: CALL
02d1: POP
02d2: POP
02d3: POP
02d4: POP
02d5: POP
02d6: JUMPDEST
02d7: PUSH1 0x02
02d9: DUP1
02da: SLOAD
02db: DUP3
02dc: SWAP1
02dd: DUP2
02de: LT
02df: ISZERO
02e0: PUSH2 0x0002
--- around 726 ---
02c8: SWAP1
02c9: DUP3
02ca: DUP2
02cb: DUP2
02cc: DUP2
02cd: DUP6
02ce: DUP9
02cf: DUP4
02d0: CALL
02d1: POP
02d2: POP
02d3: POP
02d4: POP
02d5: POP
02d6: JUMPDEST
02d7: PUSH1 0x02
02d9: DUP1
02da: SLOAD
02db: DUP3
02dc: SWAP1
02dd: DUP2
02de: LT
02df: ISZERO
02e0: PUSH2 0x0002
02e3: JUMPI
02e4: PUSH1 0x00
02e6: SWAP2
02e7: SWAP1
02e8: SWAP2
--- around 740 ---
02d2: POP
02d3: POP
02d4: POP
02d5: POP
02d6: JUMPDEST
02d7: PUSH1 0x02
02d9: DUP1
02da: SLOAD
02db: DUP3
02dc: SWAP1
02dd: DUP2
02de: LT
02df: ISZERO
02e0: PUSH2 0x0002
02e3: JUMPI
02e4: PUSH1 0x00
02e6: SWAP2
02e7: SWAP1
02e8: SWAP2
02e9: MSTORE
02ea: PUSH1 0x00
02ec: DUP1
02ed: MLOAD
02ee: PUSH1 0x20
02f0: PUSH2 0x04f5
02f3: DUP4
02f4: CODECOPY
02f5: DUP2
02f6: MLOAD
--- around 797 ---
030b: JUMPI
030c: PUSH1 0x03
030e: DUP1
030f: SLOAD
0310: PUSH1 0x00
0312: SWAP6
0313: POP
0314: DUP3
0315: SWAP1
0316: DUP2
0317: LT
0318: ISZERO
0319: PUSH2 0x0002
031c: JUMPI
031d: SWAP1
031e: DUP6
031f: MSTORE
0320: PUSH1 0x40
0322: MLOAD
0323: PUSH1 0x00
0325: DUP1
0326: MLOAD
0327: PUSH1 0x20
0329: PUSH2 0x0515
032c: DUP4
032d: CODECOPY
032e: DUP2
032f: MLOAD
--- around 851 ---
0341: DUP6
0342: SWAP1
0343: PUSH7 0x071afd498d0000
034b: SWAP1
034c: DUP3
034d: DUP2
034e: DUP2
034f: DUP2
0350: DUP6
0351: DUP9
0352: DUP4
0353: CALL
0354: POP
0355: POP
0356: POP
0357: POP
0358: POP
0359: JUMPDEST
035a: PUSH1 0x02
035c: DUP1
035d: SLOAD
035e: DUP3
035f: SWAP1
0360: DUP2
0361: LT
0362: ISZERO
0363: PUSH2 0x0002
--- around 857 ---
034b: SWAP1
034c: DUP3
034d: DUP2
034e: DUP2
034f: DUP2
0350: DUP6
0351: DUP9
0352: DUP4
0353: CALL
0354: POP
0355: POP
0356: POP
0357: POP
0358: POP
0359: JUMPDEST
035a: PUSH1 0x02
035c: DUP1
035d: SLOAD
035e: DUP3
035f: SWAP1
0360: DUP2
0361: LT
0362: ISZERO
0363: PUSH2 0x0002
0366: JUMPI
0367: PUSH1 0x00
0369: SWAP2
036a: SWAP1
036b: SWAP2
--- around 871 ---
0355: POP
0356: POP
0357: POP
0358: POP
0359: JUMPDEST
035a: PUSH1 0x02
035c: DUP1
035d: SLOAD
035e: DUP3
035f: SWAP1
0360: DUP2
0361: LT
0362: ISZERO
0363: PUSH2 0x0002
0366: JUMPI
0367: PUSH1 0x00
0369: SWAP2
036a: SWAP1
036b: SWAP2
036c: MSTORE
036d: PUSH1 0x00
036f: DUP1
0370: MLOAD
0371: PUSH1 0x20
0373: PUSH2 0x04f5
0376: DUP4
0377: CODECOPY
0378: DUP2
0379: MLOAD
--- around 928 ---
038e: JUMPI
038f: PUSH1 0x03
0391: DUP1
0392: SLOAD
0393: PUSH1 0x00
0395: SWAP5
0396: POP
0397: DUP3
0398: SWAP1
0399: DUP2
039a: LT
039b: ISZERO
039c: PUSH2 0x0002
039f: JUMPI
03a0: SWAP1
03a1: DUP5
03a2: MSTORE
03a3: PUSH1 0x40
03a5: MLOAD
03a6: PUSH1 0x00
03a8: DUP1
03a9: MLOAD
03aa: PUSH1 0x20
03ac: PUSH2 0x0515
03af: DUP4
03b0: CODECOPY
03b1: DUP2
03b2: MLOAD
--- around 982 ---
03c4: DUP5
03c5: SWAP1
03c6: PUSH7 0x01c6bf52634000
03ce: SWAP1
03cf: DUP3
03d0: DUP2
03d1: DUP2
03d2: DUP2
03d3: DUP6
03d4: DUP9
03d5: DUP4
03d6: CALL
03d7: POP
03d8: POP
03d9: POP
03da: POP
03db: POP
03dc: JUMPDEST
03dd: PUSH1 0x02
03df: DUP1
03e0: SLOAD
03e1: DUP3
03e2: SWAP1
03e3: DUP2
03e4: LT
03e5: ISZERO
03e6: PUSH2 0x0002
--- around 988 ---
03ce: SWAP1
03cf: DUP3
03d0: DUP2
03d1: DUP2
03d2: DUP2
03d3: DUP6
03d4: DUP9
03d5: DUP4
03d6: CALL
03d7: POP
03d8: POP
03d9: POP
03da: POP
03db: POP
03dc: JUMPDEST
03dd: PUSH1 0x02
03df: DUP1
03e0: SLOAD
03e1: DUP3
03e2: SWAP1
03e3: DUP2
03e4: LT
03e5: ISZERO
03e6: PUSH2 0x0002
03e9: JUMPI
03ea: PUSH1 0x00
03ec: SWAP2
03ed: SWAP1
03ee: SWAP2
--- around 1122 ---
045a: NOT
045b: SWAP2
045c: SWAP1
045d: SWAP2
045e: AND
045f: OR
0460: DUP3
0461: SSTORE
0462: JUMPDEST
0463: PUSH1 0x00
0465: DUP1
0466: SLOAD
0467: PUSH1 0x40
0469: MLOAD
046a: PUSH1 0x01
046c: PUSH1 0xa0
046e: PUSH1 0x02
0470: EXP
0471: SUB
0472: SWAP2
0473: SWAP1
0474: SWAP2
--- around 1159 ---
0475: AND
0476: SWAP2
0477: SWAP1
0478: PUSH6 0x16bcc41e9000
047f: SWAP1
0480: DUP3
0481: DUP2
0482: DUP2
0483: DUP2
0484: DUP6
0485: DUP9
0486: DUP4
0487: CALL
0488: POP
0489: POP
048a: PUSH1 0x01
048c: SLOAD
048d: PUSH1 0x40
048f: MLOAD
0490: PUSH1 0x01
0492: PUSH1 0xa0
0494: PUSH1 0x02
0496: EXP
0497: SUB
0498: SWAP2
0499: SWAP1
--- around 1189 ---
0494: PUSH1 0x02
0496: EXP
0497: SUB
0498: SWAP2
0499: SWAP1
049a: SWAP2
049b: AND
049c: SWAP4
049d: POP
049e: DUP3
049f: DUP2
04a0: DUP2
04a1: DUP2
04a2: DUP6
04a3: DUP9
04a4: DUP4
04a5: CALL
04a6: POP
04a7: POP
04a8: POP
04a9: POP
04aa: POP
04ab: PUSH1 0x01
04ad: ADD
04ae: PUSH2 0x0249
04b1: JUMP
04b2: JUMPDEST
04b3: POP
04b4: POP
04b5: POP
04b6: POP
04b7: JUMP
--- around 1208 ---
04a6: POP
04a7: POP
04a8: POP
04a9: POP
04aa: POP
04ab: PUSH1 0x01
04ad: ADD
04ae: PUSH2 0x0249
04b1: JUMP
04b2: JUMPDEST
04b3: POP
04b4: POP
04b5: POP
04b6: POP
04b7: JUMP
04b8: JUMPDEST
04b9: POP
04ba: PUSH1 0x03
04bc: DUP1
04bd: SLOAD
04be: PUSH1 0x00
04c0: DUP1
04c1: DUP4
04c2: SSTORE
04c3: SWAP2
04c4: SWAP1
04c5: SWAP2
04c6: MSTORE
04c7: PUSH2 0x04e2
04ca: SWAP1
--- around 1250 ---
04d1: PUSH2 0x0515
04d4: DUP4
04d5: CODECOPY
04d6: DUP2
04d7: MLOAD
04d8: SWAP2
04d9: MSTORE
04da: SWAP1
04db: DUP2
04dc: ADD
04dd: SWAP1
04de: PUSH2 0x00f9
04e1: JUMP
04e2: JUMPDEST
04e3: POP
04e4: PUSH1 0x00
04e6: PUSH1 0x04
04e8: SSTORE
04e9: POP
04ea: POP
04eb: POP
04ec: POP
04ed: POP
04ee: POP
04ef: POP
04f0: POP
04f1: POP
04f2: POP
04f3: POP
04f4: JUMP
--- around 1269 ---
04e3: POP
04e4: PUSH1 0x00
04e6: PUSH1 0x04
04e8: SSTORE
04e9: POP
04ea: POP
04eb: POP
04ec: POP
04ed: POP
04ee: POP
04ef: POP
04f0: POP
04f1: POP
04f2: POP
04f3: POP
04f4: JUMP
04f5: BLOCKHASH
04f6: JUMPI
04f7: DUP8
04f8: STATICCALL
04f9: SLT
04fa: OP_a8
04fb: OP_23
04fc: OP_e0
04fd: CALLCODE
04fe: OP_b7
04ff: PUSH4 0x1cc41b3b
0504: OP_a8
0505: DUP3
0506: DUP12
0507: CALLER
--- around 1271 ---
04e6: PUSH1 0x04
04e8: SSTORE
04e9: POP
04ea: POP
04eb: POP
04ec: POP
04ed: POP
04ee: POP
04ef: POP
04f0: POP
04f1: POP
04f2: POP
04f3: POP
04f4: JUMP
04f5: BLOCKHASH
04f6: JUMPI
04f7: DUP8
04f8: STATICCALL
04f9: SLT
04fa: OP_a8
04fb: OP_23
04fc: OP_e0
04fd: CALLCODE
04fe: OP_b7
04ff: PUSH4 0x1cc41b3b
0504: OP_a8
0505: DUP3
0506: DUP12
0507: CALLER
0508: OP_21
0509: OP_ca
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json') as f:data=json.load(f)
code=bytes.fromhex(data['artifact']['runtime_bytecode']['full'][2:])
for off in [0x4f5,0x515]:
chunk=code[off:off+32]
print(hex(off), chunk.hex(), 'as_int', int.from_bytes(chunk,'big'))
print('addr?', '0x'+chunk[-20:].hex())
PY" in /tmp/codex-33lysiex
succeeded in 0ms:
0x4f5 405787fa12a823e0f2b7631cc41b3ba8828b3321ca811111fa75cd3aa3bb5ace as_int 29102676481673041902632991033461445430619272659676223336789171408008386403022
addr? 0xc41b3ba8828b3321ca811111fa75cd3aa3bb5ace
0x515 c2575a0e9e593c00f959f8c92f12db2869c3395a3b0502d05e2516446f71f85b as_int 87903029871075914254377627908054574944891091886930582284385770809450030037083
addr? 0x2f12db2869c3395a3b0502d05e2516446f71f85b
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json') as f:data=json.load(f)
code=bytes.fromhex(data['artifact']['runtime_bytecode']['full'][2:])
ops={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'PREVRANDAO',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'}
for i in range(1,33): ops[0x5f+i]=f'PUSH{i}'
for i in range(1,17): ops[0x7f+i]=f'DUP{i}'
for i in range(1,17): ops[0x8f+i]=f'SWAP{i}'
for i in range(0,5): ops[0xa0+i]=f'LOG{i}'
pc=0
while pc < len(code):
op=code[pc]
name=ops.get(op,f'OP_{op:02x}')
start=pc;pc+=1
arg=''
if 0x60<=op<=0x7f:
n=op-0x5f
arg=' 0x'+code[pc:pc+n].hex();pc+=n
if start<0x4f5:
print(f'{start:04x}: {name}{arg}')
PY" in /tmp/codex-33lysiex
succeeded in 0ms:
0000: PUSH1 0x60
0002: PUSH1 0x40
0004: MSTORE
0005: CALLDATASIZE
0006: ISZERO
0007: PUSH2 0x000b
000a: JUMPI
000b: JUMPDEST
000c: PUSH2 0x005d
000f: PUSH1 0x04
0011: SLOAD
0012: PUSH6 0x5af3107a4000
0019: SWAP1
001a: PUSH1 0x64
001c: SUB
001d: DUP2
001e: MUL
001f: CALLVALUE
0020: DUP3
0021: DUP2
0022: DIV
0023: SWAP1
0024: PUSH1 0x00
0026: SWAP1
0027: DUP5
0028: SWAP1
0029: LT
002a: PUSH2 0x0197
002d: JUMPI
002e: PUSH1 0x03
0030: DUP1
0031: SLOAD
0032: PUSH1 0x01
0034: DUP2
0035: ADD
0036: DUP1
0037: DUP4
0038: SSTORE
0039: DUP3
003a: DUP2
003b: DUP4
003c: DUP1
003d: ISZERO
003e: DUP3
003f: SWAP1
0040: GT
0041: PUSH2 0x005f
0044: JUMPI
0045: DUP2
0046: DUP4
0047: PUSH1 0x00
0049: MSTORE
004a: PUSH1 0x20
004c: PUSH1 0x00
004e: SHA3
004f: SWAP2
0050: DUP3
0051: ADD
0052: SWAP2
0053: ADD
0054: PUSH2 0x005f
0057: SWAP2
0058: SWAP1
0059: PUSH2 0x00f9
005c: JUMP
005d: JUMPDEST
005e: STOP
005f: JUMPDEST
0060: POP
0061: POP
0062: POP
0063: PUSH1 0x00
0065: SWAP3
0066: DUP4
0067: MSTORE
0068: POP
0069: PUSH1 0x20
006b: SWAP1
006c: SWAP2
006d: SHA3
006e: ADD
006f: DUP1
0070: SLOAD
0071: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
0086: NOT
0087: AND
0088: CALLER
0089: OR
008a: SWAP1
008b: SSTORE
008c: CALLVALUE
008d: DUP4
008e: LT
008f: PUSH2 0x0126
0092: JUMPI
0093: PUSH1 0x04
0095: DUP1
0096: SLOAD
0097: DUP4
0098: ADD
0099: SWAP1
009a: SSTORE
009b: PUSH1 0x02
009d: DUP1
009e: SLOAD
009f: PUSH1 0x01
00a1: DUP2
00a2: ADD
00a3: DUP1
00a4: DUP4
00a5: SSTORE
00a6: DUP3
00a7: DUP2
00a8: DUP4
00a9: DUP1
00aa: ISZERO
00ab: DUP3
00ac: SWAP1
00ad: GT
00ae: PUSH2 0x0111
00b1: JUMPI
00b2: PUSH1 0x00
00b4: DUP4
00b5: SWAP1
00b6: MSTORE
00b7: PUSH2 0x0111
00ba: SWAP1
00bb: PUSH1 0x00
00bd: DUP1
00be: MLOAD
00bf: PUSH1 0x20
00c1: PUSH2 0x04f5
00c4: DUP4
00c5: CODECOPY
00c6: DUP2
00c7: MLOAD
00c8: SWAP2
00c9: MSTORE
00ca: SWAP1
00cb: DUP2
00cc: ADD
00cd: SWAP1
00ce: DUP4
00cf: ADD
00d0: PUSH2 0x00f9
00d3: JUMP
00d4: JUMPDEST
00d5: PUSH1 0x02
00d7: DUP1
00d8: SLOAD
00d9: PUSH1 0x00
00db: DUP1
00dc: DUP4
00dd: SSTORE
00de: SWAP2
00df: SWAP1
00e0: SWAP2
00e1: MSTORE
00e2: PUSH2 0x04b8
00e5: SWAP1
00e6: PUSH1 0x00
00e8: DUP1
00e9: MLOAD
00ea: PUSH1 0x20
00ec: PUSH2 0x04f5
00ef: DUP4
00f0: CODECOPY
00f1: DUP2
00f2: MLOAD
00f3: SWAP2
00f4: MSTORE
00f5: SWAP1
00f6: DUP2
00f7: ADD
00f8: SWAP1
00f9: JUMPDEST
00fa: DUP1
00fb: DUP3
00fc: GT
00fd: ISZERO
00fe: PUSH2 0x010d
0101: JUMPI
0102: PUSH1 0x00
0104: DUP2
0105: SSTORE
0106: PUSH1 0x01
0108: ADD
0109: PUSH2 0x00f9
010c: JUMP
010d: JUMPDEST
010e: POP
010f: SWAP1
0110: JUMP
0111: JUMPDEST
0112: POP
0113: POP
0114: POP
0115: PUSH1 0x00
0117: SWAP3
0118: DUP4
0119: MSTORE
011a: POP
011b: PUSH1 0x20
011d: SWAP1
011e: SWAP2
011f: SHA3
0120: PUSH1 0x04
0122: SLOAD
0123: SWAP2
0124: ADD
0125: SSTORE
0126: JUMPDEST
0127: CALLVALUE
0128: DUP4
0129: LT
012a: ISZERO
012b: PUSH2 0x0197
012e: JUMPI
012f: PUSH1 0x02
0131: DUP1
0132: SLOAD
0133: PUSH1 0x01
0135: DUP2
0136: ADD
0137: DUP1
0138: DUP4
0139: SSTORE
013a: DUP3
013b: DUP2
013c: DUP4
013d: DUP1
013e: ISZERO
013f: DUP3
0140: SWAP1
0141: GT
0142: PUSH2 0x015e
0145: JUMPI
0146: DUP2
0147: DUP4
0148: PUSH1 0x00
014a: MSTORE
014b: PUSH1 0x20
014d: PUSH1 0x00
014f: SHA3
0150: SWAP2
0151: DUP3
0152: ADD
0153: SWAP2
0154: ADD
0155: PUSH2 0x015e
0158: SWAP2
0159: SWAP1
015a: PUSH2 0x00f9
015d: JUMP
015e: JUMPDEST
015f: POP
0160: POP
0161: POP
0162: PUSH1 0x00
0164: SWAP3
0165: DUP4
0166: MSTORE
0167: POP
0168: PUSH1 0x20
016a: DUP3
016b: SHA3
016c: PUSH1 0x64
016e: SWAP2
016f: ADD
0170: SSTORE
0171: PUSH1 0x40
0173: MLOAD
0174: PUSH1 0x01
0176: PUSH1 0xa0
0178: PUSH1 0x02
017a: EXP
017b: SUB
017c: CALLER
017d: AND
017e: SWAP2
017f: SWAP1
0180: CALLVALUE
0181: DUP7
0182: SWAP1
0183: SUB
0184: SWAP1
0185: DUP3
0186: DUP2
0187: DUP2
0188: DUP2
0189: DUP6
018a: DUP9
018b: DUP4
018c: CALL
018d: POP
018e: POP
018f: PUSH1 0x64
0191: PUSH1 0x04
0193: SSTORE
0194: POP
0195: POP
0196: POP
0197: JUMPDEST
0198: DUP4
0199: PUSH1 0x00
019b: CALLVALUE
019c: ADDMOD
019d: SWAP1
019e: POP
019f: PUSH1 0x00
01a1: DUP2
01a2: EQ
01a3: PUSH2 0x01c7
01a6: JUMPI
01a7: PUSH1 0x40
01a9: MLOAD
01aa: PUSH1 0x01
01ac: PUSH1 0xa0
01ae: PUSH1 0x02
01b0: EXP
01b1: SUB
01b2: CALLER
01b3: AND
01b4: SWAP1
01b5: PUSH1 0x00
01b7: SWAP1
01b8: DUP4
01b9: SWAP1
01ba: DUP3
01bb: DUP2
01bc: DUP2
01bd: DUP2
01be: DUP6
01bf: DUP9
01c0: DUP4
01c1: CALL
01c2: POP
01c3: POP
01c4: POP
01c5: POP
01c6: POP
01c7: JUMPDEST
01c8: DUP4
01c9: CALLVALUE
01ca: LT
01cb: ISZERO
01cc: PUSH2 0x01f0
01cf: JUMPI
01d0: PUSH1 0x40
01d2: MLOAD
01d3: PUSH1 0x01
01d5: PUSH1 0xa0
01d7: PUSH1 0x02
01d9: EXP
01da: SUB
01db: CALLER
01dc: AND
01dd: SWAP1
01de: PUSH1 0x00
01e0: SWAP1
01e1: CALLVALUE
01e2: SWAP1
01e3: DUP3
01e4: DUP2
01e5: DUP2
01e6: DUP2
01e7: DUP6
01e8: DUP9
01e9: DUP4
01ea: CALL
01eb: POP
01ec: POP
01ed: POP
01ee: POP
01ef: POP
01f0: JUMPDEST
01f1: PUSH1 0x04
01f3: SLOAD
01f4: PUSH1 0x63
01f6: SWAP1
01f7: GT
01f8: ISZERO
01f9: PUSH2 0x04b2
01fc: JUMPI
01fd: PUSH2 0x04b2
0200: PUSH1 0x01
0202: NUMBER
0203: PUSH1 0x00
0205: NOT
0206: DUP2
0207: ADD
0208: BLOCKHASH
0209: DUP3
020a: SWAP1
020b: MOD
020c: SWAP2
020d: PUSH1 0x01
020f: NOT
0210: SWAP2
0211: SWAP1
0212: SWAP2
0213: ADD
0214: BLOCKHASH
0215: SWAP1
0216: PUSH1 0x64
0218: TIMESTAMP
0219: DUP1
021a: DUP5
021b: ADD
021c: DUP3
021d: SWAP1
021e: MOD
021f: SWAP3
0220: PUSH2 0x03e8
0223: DUP1
0224: DUP7
0225: DIV
0226: DUP4
0227: ADD
0228: SWAP4
0229: SWAP1
022a: SWAP4
022b: MOD
022c: SWAP3
022d: PUSH3 0x0f4240
0231: DUP7
0232: DIV
0233: DUP4
0234: ADD
0235: DUP2
0236: SWAP1
0237: MOD
0238: SWAP3
0239: PUSH5 0x02540be400
023f: DUP8
0240: DIV
0241: ADD
0242: MOD
0243: SWAP1
0244: DUP1
0245: DUP1
0246: DUP1
0247: PUSH1 0x00
0249: JUMPDEST
024a: PUSH1 0x03
024c: SLOAD
024d: DUP2
024e: LT
024f: ISZERO
0250: PUSH2 0x00d4
0253: JUMPI
0254: PUSH1 0x02
0256: DUP1
0257: SLOAD
0258: DUP3
0259: SWAP1
025a: DUP2
025b: LT
025c: ISZERO
025d: PUSH2 0x0002
0260: JUMPI
0261: PUSH1 0x00
0263: SWAP2
0264: SWAP1
0265: SWAP2
0266: MSTORE
0267: PUSH1 0x00
0269: DUP1
026a: MLOAD
026b: PUSH1 0x20
026d: PUSH2 0x04f5
0270: DUP4
0271: CODECOPY
0272: DUP2
0273: MLOAD
0274: SWAP2
0275: MSTORE
0276: ADD
0277: SLOAD
0278: DUP10
0279: GT
027a: DUP1
027b: ISZERO
027c: SWAP1
027d: PUSH2 0x0283
0280: JUMPI
0281: POP
0282: DUP5
0283: JUMPDEST
0284: ISZERO
0285: PUSH2 0x02d6
0288: JUMPI
0289: PUSH1 0x03
028b: DUP1
028c: SLOAD
028d: PUSH1 0x00
028f: SWAP7
0290: POP
0291: DUP3
0292: SWAP1
0293: DUP2
0294: LT
0295: ISZERO
0296: PUSH2 0x0002
0299: JUMPI
029a: SWAP1
029b: DUP7
029c: MSTORE
029d: PUSH1 0x40
029f: MLOAD
02a0: PUSH1 0x00
02a2: DUP1
02a3: MLOAD
02a4: PUSH1 0x20
02a6: PUSH2 0x0515
02a9: DUP4
02aa: CODECOPY
02ab: DUP2
02ac: MLOAD
02ad: SWAP2
02ae: MSTORE
02af: SWAP2
02b0: SWAP1
02b1: SWAP2
02b2: ADD
02b3: SLOAD
02b4: PUSH1 0x01
02b6: PUSH1 0xa0
02b8: PUSH1 0x02
02ba: EXP
02bb: SUB
02bc: AND
02bd: SWAP1
02be: DUP7
02bf: SWAP1
02c0: PUSH7 0x18de76816d8000
02c8: SWAP1
02c9: DUP3
02ca: DUP2
02cb: DUP2
02cc: DUP2
02cd: DUP6
02ce: DUP9
02cf: DUP4
02d0: CALL
02d1: POP
02d2: POP
02d3: POP
02d4: POP
02d5: POP
02d6: JUMPDEST
02d7: PUSH1 0x02
02d9: DUP1
02da: SLOAD
02db: DUP3
02dc: SWAP1
02dd: DUP2
02de: LT
02df: ISZERO
02e0: PUSH2 0x0002
02e3: JUMPI
02e4: PUSH1 0x00
02e6: SWAP2
02e7: SWAP1
02e8: SWAP2
02e9: MSTORE
02ea: PUSH1 0x00
02ec: DUP1
02ed: MLOAD
02ee: PUSH1 0x20
02f0: PUSH2 0x04f5
02f3: DUP4
02f4: CODECOPY
02f5: DUP2
02f6: MLOAD
02f7: SWAP2
02f8: MSTORE
02f9: ADD
02fa: SLOAD
02fb: DUP9
02fc: GT
02fd: DUP1
02fe: ISZERO
02ff: SWAP1
0300: PUSH2 0x0306
0303: JUMPI
0304: POP
0305: DUP4
0306: JUMPDEST
0307: ISZERO
0308: PUSH2 0x0359
030b: JUMPI
030c: PUSH1 0x03
030e: DUP1
030f: SLOAD
0310: PUSH1 0x00
0312: SWAP6
0313: POP
0314: DUP3
0315: SWAP1
0316: DUP2
0317: LT
0318: ISZERO
0319: PUSH2 0x0002
031c: JUMPI
031d: SWAP1
031e: DUP6
031f: MSTORE
0320: PUSH1 0x40
0322: MLOAD
0323: PUSH1 0x00
0325: DUP1
0326: MLOAD
0327: PUSH1 0x20
0329: PUSH2 0x0515
032c: DUP4
032d: CODECOPY
032e: DUP2
032f: MLOAD
0330: SWAP2
0331: MSTORE
0332: SWAP2
0333: SWAP1
0334: SWAP2
0335: ADD
0336: SLOAD
0337: PUSH1 0x01
0339: PUSH1 0xa0
033b: PUSH1 0x02
033d: EXP
033e: SUB
033f: AND
0340: SWAP1
0341: DUP6
0342: SWAP1
0343: PUSH7 0x071afd498d0000
034b: SWAP1
034c: DUP3
034d: DUP2
034e: DUP2
034f: DUP2
0350: DUP6
0351: DUP9
0352: DUP4
0353: CALL
0354: POP
0355: POP
0356: POP
0357: POP
0358: POP
0359: JUMPDEST
035a: PUSH1 0x02
035c: DUP1
035d: SLOAD
035e: DUP3
035f: SWAP1
0360: DUP2
0361: LT
0362: ISZERO
0363: PUSH2 0x0002
0366: JUMPI
0367: PUSH1 0x00
0369: SWAP2
036a: SWAP1
036b: SWAP2
036c: MSTORE
036d: PUSH1 0x00
036f: DUP1
0370: MLOAD
0371: PUSH1 0x20
0373: PUSH2 0x04f5
0376: DUP4
0377: CODECOPY
0378: DUP2
0379: MLOAD
037a: SWAP2
037b: MSTORE
037c: ADD
037d: SLOAD
037e: DUP8
037f: GT
0380: DUP1
0381: ISZERO
0382: SWAP1
0383: PUSH2 0x0389
0386: JUMPI
0387: POP
0388: DUP3
0389: JUMPDEST
038a: ISZERO
038b: PUSH2 0x03dc
038e: JUMPI
038f: PUSH1 0x03
0391: DUP1
0392: SLOAD
0393: PUSH1 0x00
0395: SWAP5
0396: POP
0397: DUP3
0398: SWAP1
0399: DUP2
039a: LT
039b: ISZERO
039c: PUSH2 0x0002
039f: JUMPI
03a0: SWAP1
03a1: DUP5
03a2: MSTORE
03a3: PUSH1 0x40
03a5: MLOAD
03a6: PUSH1 0x00
03a8: DUP1
03a9: MLOAD
03aa: PUSH1 0x20
03ac: PUSH2 0x0515
03af: DUP4
03b0: CODECOPY
03b1: DUP2
03b2: MLOAD
03b3: SWAP2
03b4: MSTORE
03b5: SWAP2
03b6: SWAP1
03b7: SWAP2
03b8: ADD
03b9: SLOAD
03ba: PUSH1 0x01
03bc: PUSH1 0xa0
03be: PUSH1 0x02
03c0: EXP
03c1: SUB
03c2: AND
03c3: SWAP1
03c4: DUP5
03c5: SWAP1
03c6: PUSH7 0x01c6bf52634000
03ce: SWAP1
03cf: DUP3
03d0: DUP2
03d1: DUP2
03d2: DUP2
03d3: DUP6
03d4: DUP9
03d5: DUP4
03d6: CALL
03d7: POP
03d8: POP
03d9: POP
03da: POP
03db: POP
03dc: JUMPDEST
03dd: PUSH1 0x02
03df: DUP1
03e0: SLOAD
03e1: DUP3
03e2: SWAP1
03e3: DUP2
03e4: LT
03e5: ISZERO
03e6: PUSH2 0x0002
03e9: JUMPI
03ea: PUSH1 0x00
03ec: SWAP2
03ed: SWAP1
03ee: SWAP2
03ef: MSTORE
03f0: PUSH1 0x00
03f2: DUP1
03f3: MLOAD
03f4: PUSH1 0x20
03f6: PUSH2 0x04f5
03f9: DUP4
03fa: CODECOPY
03fb: DUP2
03fc: MLOAD
03fd: SWAP2
03fe: MSTORE
03ff: ADD
0400: SLOAD
0401: DUP7
0402: GT
0403: DUP1
0404: ISZERO
0405: SWAP1
0406: PUSH2 0x040c
0409: JUMPI
040a: POP
040b: DUP2
040c: JUMPDEST
040d: ISZERO
040e: PUSH2 0x0462
0411: JUMPI
0412: PUSH1 0x03
0414: DUP1
0415: SLOAD
0416: PUSH1 0x00
0418: SWAP4
0419: POP
041a: DUP3
041b: SWAP1
041c: DUP2
041d: LT
041e: ISZERO
041f: PUSH2 0x0002
0422: JUMPI
0423: SWAP1
0424: DUP4
0425: MSTORE
0426: DUP3
0427: SLOAD
0428: PUSH1 0x00
042a: DUP1
042b: MLOAD
042c: PUSH1 0x20
042e: PUSH2 0x0515
0431: DUP4
0432: CODECOPY
0433: DUP2
0434: MLOAD
0435: SWAP2
0436: MSTORE
0437: SWAP2
0438: SWAP1
0439: SWAP2
043a: ADD
043b: SLOAD
043c: PUSH1 0x01
043e: PUSH1 0xa0
0440: PUSH1 0x02
0442: EXP
0443: SUB
0444: AND
0445: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
045a: NOT
045b: SWAP2
045c: SWAP1
045d: SWAP2
045e: AND
045f: OR
0460: DUP3
0461: SSTORE
0462: JUMPDEST
0463: PUSH1 0x00
0465: DUP1
0466: SLOAD
0467: PUSH1 0x40
0469: MLOAD
046a: PUSH1 0x01
046c: PUSH1 0xa0
046e: PUSH1 0x02
0470: EXP
0471: SUB
0472: SWAP2
0473: SWAP1
0474: SWAP2
0475: AND
0476: SWAP2
0477: SWAP1
0478: PUSH6 0x16bcc41e9000
047f: SWAP1
0480: DUP3
0481: DUP2
0482: DUP2
0483: DUP2
0484: DUP6
0485: DUP9
0486: DUP4
0487: CALL
0488: POP
0489: POP
048a: PUSH1 0x01
048c: SLOAD
048d: PUSH1 0x40
048f: MLOAD
0490: PUSH1 0x01
0492: PUSH1 0xa0
0494: PUSH1 0x02
0496: EXP
0497: SUB
0498: SWAP2
0499: SWAP1
049a: SWAP2
049b: AND
049c: SWAP4
049d: POP
049e: DUP3
049f: DUP2
04a0: DUP2
04a1: DUP2
04a2: DUP6
04a3: DUP9
04a4: DUP4
04a5: CALL
04a6: POP
04a7: POP
04a8: POP
04a9: POP
04aa: POP
04ab: PUSH1 0x01
04ad: ADD
04ae: PUSH2 0x0249
04b1: JUMP
04b2: JUMPDEST
04b3: POP
04b4: POP
04b5: POP
04b6: POP
04b7: JUMP
04b8: JUMPDEST
04b9: POP
04ba: PUSH1 0x03
04bc: DUP1
04bd: SLOAD
04be: PUSH1 0x00
04c0: DUP1
04c1: DUP4
04c2: SSTORE
04c3: SWAP2
04c4: SWAP1
04c5: SWAP2
04c6: MSTORE
04c7: PUSH2 0x04e2
04ca: SWAP1
04cb: PUSH1 0x00
04cd: DUP1
04ce: MLOAD
04cf: PUSH1 0x20
04d1: PUSH2 0x0515
04d4: DUP4
04d5: CODECOPY
04d6: DUP2
04d7: MLOAD
04d8: SWAP2
04d9: MSTORE
04da: SWAP1
04db: DUP2
04dc: ADD
04dd: SWAP1
04de: PUSH2 0x00f9
04e1: JUMP
04e2: JUMPDEST
04e3: POP
04e4: PUSH1 0x00
04e6: PUSH1 0x04
04e8: SSTORE
04e9: POP
04ea: POP
04eb: POP
04ec: POP
04ed: POP
04ee: POP
04ef: POP
04f0: POP
04f1: POP
04f2: POP
04f3: POP
04f4: JUMP
exec
/bin/bash -lc "python - <<'PY'
vals=['0x5af3107a4000','0x18de76816d8000','0x071afd498d0000','0x01c6bf52634000','0x16bcc41e9000']
for v in vals:
n=int(v,16)
print(v,n,n/1e18)
PY" in /tmp/codex-33lysiex
succeeded in 0ms:
0x5af3107a4000 100000000000000 0.0001
0x18de76816d8000 7000000000000000 0.007
0x071afd498d0000 2000000000000000 0.002
0x01c6bf52634000 500000000000000 0.0005
0x16bcc41e9000 25000000000000 2.5e-05
exec
/bin/bash -lc "python - <<'PY'
from Crypto.Hash import keccak
for n in [0,1,2,3,4,100]:
k=keccak.new(digest_bits=256)
k.update((n).to_bytes(32,'big'))
print(n,k.hexdigest())
PY" in /tmp/codex-33lysiex
succeeded in 0ms:
0 290decd9548b62a8d60345a988386fc84ba6bc95484008f6362f93160ef3e563
1 b10e2d527612073b26eecdfd717e6a320cf44b4afac2b0732d9fcbe2b7fa0cf6
2 405787fa12a823e0f2b7631cc41b3ba8828b3321ca811111fa75cd3aa3bb5ace
3 c2575a0e9e593c00f959f8c92f12db2869c3395a3b0502d05e2516446f71f85b
4 8a35acfbc15ff81a39ae7d344fd709f28e8600b4aa8c65c6b64bfe7fe36bd19b
100 26700e13983fefbd9cf16da2ed70fa5c6798ac55062a4803121a869731e308d2
codex
{"no_findings":false,"summary":"The runtime is a fallback-only payable contract that keeps dynamic arrays in storage slots 2 and 3, derives winners from block metadata, and performs many value-bearing CALLs without any detected guard. The strongest bytecode-supported risks are reentrancy during the payout phase, unchecked call failures that can desynchronize payouts from state, and manipulable randomness for winner selection.","findings":[{"severity":"high","category":"reentrancy","title":"Payout phase appears reenterable before round state is cleared","exploit_scenario":"A malicious recipient contract can be inserted into the participant arrays and receive ETH during the payout loop. Its fallback can immediately call this contract again through the only visible entrypoint (`fallback`). Because no guard was detected, the round-state variable is set to `100` before the payout gate and is only reset near the end of execution, so a reentrant call can execute while slots 2/3 still hold the current round's data. That can let the same round be processed recursively or against partially updated state, potentially causing repeated payouts or corrupted accounting. This is inferred from bytecode and exact business logic is uncertain, but the reentrancy window is concrete.","recommendation":"Apply checks-effects-interactions: finalize/reset round state before any external value transfer, or move payouts to a pull-based claim flow. Add an explicit reentrancy guard around the fallback path.","evidence":"`fallback` is the only discovered entrypoint. No auth/reentrancy guards were detected. The contract writes `100` to slot 4 at pc `0x193`, checks the payout condition from slot 4 at pc `0x1f1`, performs multiple ETH `CALL`s during the payout loop at pcs `0x2d0`, `0x353`, `0x3d6`, `0x487`, and `0x4a5`, and only resets slot 4 to `0` near pc `0x4e8`. The participant arrays are only cleared after those calls.","locations":["selector:fallback","pc:0x193","pc:0x1f1","pc:0x2d0","pc:0x353","pc:0x3d6","pc:0x487","pc:0x4a5","pc:0x4e8"]},{"severity":"high","category":"other","title":"ETH transfers ignore CALL success and continue mutating state","exploit_scenario":"Any recipient that reverts, exhausts gas, or otherwise rejects ETH causes `CALL` to return `0`. This bytecode pops the return value instead of checking it, then continues updating storage and clearing round state. A malicious or incompatible recipient can therefore make the contract believe a payout step completed when no ETH was actually delivered, leaving rewards unpaid or later diverted by subsequent logic.","recommendation":"Check the boolean result of each low-level `CALL` and revert or record an explicit unpaid balance on failure. Prefer pull payments over push payments for participant rewards.","evidence":"The artifact records 9 `CALL` sites with `returndata_checked: null`, and the disassembly shows the return values being discarded with `POP`. Examples: after `CALL` at `0x18c`, execution immediately stores to slot 4 at `0x193`; after `CALL`s at `0x2d0`, `0x353`, `0x3d6`, `0x487`, and `0x4a5`, execution just pops stack items and continues the payout/cleanup flow. This is a concrete unchecked-call pattern even though exact source-level intent is unknown.","locations":["pc:0x18c","pc:0x1c1","pc:0x1ea","pc:0x2d0","pc:0x353","pc:0x3d6","pc:0x487","pc:0x4a5"]},{"severity":"medium","category":"oracle","title":"Winner selection relies on blockhash/timestamp entropy that can be biased","exploit_scenario":"When the payout phase starts, winner indexes are derived from recent `BLOCKHASH`, `NUMBER`, and `TIMESTAMP` values and then used to select addresses from storage-backed participant arrays for fixed ETH transfers. A block producer or MEV searcher with transaction-order influence can bias whether the round executes in a favorable block, and may influence which stored addresses receive the rewards.","recommendation":"Do not use block metadata as lottery entropy. Replace this with a commit-reveal scheme or an external verifiable randomness source.","evidence":"The bytecode uses `NUMBER` at pc `0x202`, `BLOCKHASH` at pcs `0x208` and `0x214`, and `TIMESTAMP` at pc `0x218`, then applies multiple `MOD` operations through pc `0x242`. Those derived values feed array lookups over slots 2/3 before ETH `CALL`s at `0x2d0`, `0x353`, and `0x3d6`. The exact selector/function name is unknown because dispatch inference found only `fallback`.","locations":["selector:fallback","pc:0x202","pc:0x208","pc:0x214","pc:0x218","pc:0x242","pc:0x2d0","pc:0x353","pc:0x3d6"]}]}
tokens used
68,609
{
"codex": {
"ran_at": "2026-04-05T05:27:57.356775+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 2668,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "The runtime is a fallback-only payable contract that keeps dynamic arrays in storage slots 2 and 3, derives winners from block metadata, and performs many value-bearing CALLs without any detected guard. The strongest bytecode-supported risks are reentrancy during the payout phase, unchecked call failures that can desynchronize payouts from state, and manipulable randomness for winner selection.",
"raw_final": {
"summary": "The runtime is a fallback-only payable contract that keeps dynamic arrays in storage slots 2 and 3, derives winners from block metadata, and performs many value-bearing CALLs without any detected guard. The strongest bytecode-supported risks are reentrancy during the payout phase, unchecked call failures that can desynchronize payouts from state, and manipulable randomness for winner selection.",
"findings": [
{
"title": "Payout phase appears reenterable before round state is cleared",
"category": "reentrancy",
"evidence": "`fallback` is the only discovered entrypoint. No auth/reentrancy guards were detected. The contract writes `100` to slot 4 at pc `0x193`, checks the payout condition from slot 4 at pc `0x1f1`, performs multiple ETH `CALL`s during the payout loop at pcs `0x2d0`, `0x353`, `0x3d6`, `0x487`, and `0x4a5`, and only resets slot 4 to `0` near pc `0x4e8`. The participant arrays are only cleared after those calls.",
"severity": "high",
"locations": [
"selector:fallback",
"pc:0x193",
"pc:0x1f1",
"pc:0x2d0",
"pc:0x353",
"pc:0x3d6",
"pc:0x487",
"pc:0x4a5",
"pc:0x4e8"
],
"recommendation": "Apply checks-effects-interactions: finalize/reset round state before any external value transfer, or move payouts to a pull-based claim flow. Add an explicit reentrancy guard around the fallback path.",
"exploit_scenario": "A malicious recipient contract can be inserted into the participant arrays and receive ETH during the payout loop. Its fallback can immediately call this contract again through the only visible entrypoint (`fallback`). Because no guard was detected, the round-state variable is set to `100` before the payout gate and is only reset near the end of execution, so a reentrant call can execute while slots 2/3 still hold the current round's data. That can let the same round be processed recursively or against partially updated state, potentially causing repeated payouts or corrupted accounting. This is inferred from bytecode and exact business logic is uncertain, but the reentrancy window is concrete."
},
{
"title": "ETH transfers ignore CALL success and continue mutating state",
"category": "other",
"evidence": "The artifact records 9 `CALL` sites with `returndata_checked: null`, and the disassembly shows the return values being discarded with `POP`. Examples: after `CALL` at `0x18c`, execution immediately stores to slot 4 at `0x193`; after `CALL`s at `0x2d0`, `0x353`, `0x3d6`, `0x487`, and `0x4a5`, execution just pops stack items and continues the payout/cleanup flow. This is a concrete unchecked-call pattern even though exact source-level intent is unknown.",
"severity": "high",
"locations": [
"pc:0x18c",
"pc:0x1c1",
"pc:0x1ea",
"pc:0x2d0",
"pc:0x353",
"pc:0x3d6",
"pc:0x487",
"pc:0x4a5"
],
"recommendation": "Check the boolean result of each low-level `CALL` and revert or record an explicit unpaid balance on failure. Prefer pull payments over push payments for participant rewards.",
"exploit_scenario": "Any recipient that reverts, exhausts gas, or otherwise rejects ETH causes `CALL` to return `0`. This bytecode pops the return value instead of checking it, then continues updating storage and clearing round state. A malicious or incompatible recipient can therefore make the contract believe a payout step completed when no ETH was actually delivered, leaving rewards unpaid or later diverted by subsequent logic."
},
{
"title": "Winner selection relies on blockhash/timestamp entropy that can be biased",
"category": "oracle",
"evidence": "The bytecode uses `NUMBER` at pc `0x202`, `BLOCKHASH` at pcs `0x208` and `0x214`, and `TIMESTAMP` at pc `0x218`, then applies multiple `MOD` operations through pc `0x242`. Those derived values feed array lookups over slots 2/3 before ETH `CALL`s at `0x2d0`, `0x353`, and `0x3d6`. The exact selector/function name is unknown because dispatch inference found only `fallback`.",
"severity": "medium",
"locations": [
"selector:fallback",
"pc:0x202",
"pc:0x208",
"pc:0x214",
"pc:0x218",
"pc:0x242",
"pc:0x2d0",
"pc:0x353",
"pc:0x3d6"
],
"recommendation": "Do not use block metadata as lottery entropy. Replace this with a commit-reveal scheme or an external verifiable randomness source.",
"exploit_scenario": "When the payout phase starts, winner indexes are derived from recent `BLOCKHASH`, `NUMBER`, and `TIMESTAMP` values and then used to select addresses from storage-backed participant arrays for fixed ETH transfers. A block producer or MEV searcher with transaction-order influence can bias whether the round executes in a favorable block, and may influence which stored addresses receive the rewards."
}
],
"no_findings": false
},
"no_findings": false,
"schema_version": 1
}
00000000: PUSH1 0x60 00000002: PUSH1 0x40 00000004: MSTORE 00000005: CALLDATASIZE 00000006: ISZERO 00000007: PUSH2 0x000b 0000000a: JUMPI 0000000b: JUMPDEST 0000000c: PUSH2 0x005d 0000000f: PUSH1 0x04 00000011: SLOAD 00000012: PUSH6 0x5af3107a4000 00000019: SWAP1 0000001a: PUSH1 0x64 0000001c: SUB 0000001d: DUP2 0000001e: MUL 0000001f: CALLVALUE 00000020: DUP3 00000021: DUP2 00000022: DIV 00000023: SWAP1 00000024: PUSH1 0x00 00000026: SWAP1 00000027: DUP5 00000028: SWAP1 00000029: LT 0000002a: PUSH2 0x0197 0000002d: JUMPI 0000002e: PUSH1 0x03 00000030: DUP1 00000031: SLOAD 00000032: PUSH1 0x01 00000034: DUP2 00000035: ADD 00000036: DUP1 00000037: DUP4 00000038: SSTORE 00000039: DUP3 0000003a: DUP2 0000003b: DUP4 0000003c: DUP1 0000003d: ISZERO 0000003e: DUP3 0000003f: SWAP1 00000040: GT 00000041: PUSH2 0x005f 00000044: JUMPI 00000045: DUP2 00000046: DUP4 00000047: PUSH1 0x00 00000049: MSTORE 0000004a: PUSH1 0x20 0000004c: PUSH1 0x00 0000004e: KECCAK256 0000004f: SWAP2 00000050: DUP3 00000051: ADD 00000052: SWAP2 00000053: ADD 00000054: PUSH2 0x005f 00000057: SWAP2 00000058: SWAP1 00000059: PUSH2 0x00f9 0000005c: JUMP 0000005d: JUMPDEST 0000005e: STOP 0000005f: JUMPDEST 00000060: POP 00000061: POP 00000062: POP 00000063: PUSH1 0x00 00000065: SWAP3 00000066: DUP4 00000067: MSTORE 00000068: POP 00000069: PUSH1 0x20 0000006b: SWAP1 0000006c: SWAP2 0000006d: KECCAK256 0000006e: ADD 0000006f: DUP1 00000070: SLOAD 00000071: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000086: NOT 00000087: AND 00000088: CALLER 00000089: OR 0000008a: SWAP1 0000008b: SSTORE 0000008c: CALLVALUE 0000008d: DUP4 0000008e: LT 0000008f: PUSH2 0x0126 00000092: JUMPI 00000093: PUSH1 0x04 00000095: DUP1 00000096: SLOAD 00000097: DUP4 00000098: ADD 00000099: SWAP1 0000009a: SSTORE 0000009b: PUSH1 0x02 0000009d: DUP1 0000009e: SLOAD 0000009f: PUSH1 0x01 000000a1: DUP2 000000a2: ADD 000000a3: DUP1 000000a4: DUP4 000000a5: SSTORE 000000a6: DUP3 000000a7: DUP2 000000a8: DUP4 000000a9: DUP1 000000aa: ISZERO 000000ab: DUP3 000000ac: SWAP1 000000ad: GT 000000ae: PUSH2 0x0111 000000b1: JUMPI 000000b2: PUSH1 0x00 000000b4: DUP4 000000b5: SWAP1 000000b6: MSTORE 000000b7: PUSH2 0x0111 000000ba: SWAP1 000000bb: PUSH1 0x00 000000bd: DUP1 000000be: MLOAD 000000bf: PUSH1 0x20 000000c1: PUSH2 0x04f5 000000c4: DUP4 000000c5: CODECOPY 000000c6: DUP2 000000c7: MLOAD 000000c8: SWAP2 000000c9: MSTORE 000000ca: SWAP1 000000cb: DUP2 000000cc: ADD 000000cd: SWAP1 000000ce: DUP4 000000cf: ADD 000000d0: PUSH2 0x00f9 000000d3: JUMP 000000d4: JUMPDEST 000000d5: PUSH1 0x02 000000d7: DUP1 000000d8: SLOAD 000000d9: PUSH1 0x00 000000db: DUP1 000000dc: DUP4 000000dd: SSTORE 000000de: SWAP2 000000df: SWAP1 000000e0: SWAP2 000000e1: MSTORE 000000e2: PUSH2 0x04b8 000000e5: SWAP1 000000e6: PUSH1 0x00 000000e8: DUP1 000000e9: MLOAD 000000ea: PUSH1 0x20 000000ec: PUSH2 0x04f5 000000ef: DUP4 000000f0: CODECOPY 000000f1: DUP2 000000f2: MLOAD 000000f3: SWAP2 000000f4: MSTORE 000000f5: SWAP1 000000f6: DUP2 000000f7: ADD 000000f8: SWAP1 000000f9: JUMPDEST 000000fa: DUP1 000000fb: DUP3 000000fc: GT 000000fd: ISZERO 000000fe: PUSH2 0x010d 00000101: JUMPI 00000102: PUSH1 0x00 00000104: DUP2 00000105: SSTORE 00000106: PUSH1 0x01 00000108: ADD 00000109: PUSH2 0x00f9 0000010c: JUMP 0000010d: JUMPDEST 0000010e: POP 0000010f: SWAP1 00000110: JUMP 00000111: JUMPDEST 00000112: POP 00000113: POP 00000114: POP 00000115: PUSH1 0x00 00000117: SWAP3 00000118: DUP4 00000119: MSTORE 0000011a: POP 0000011b: PUSH1 0x20 0000011d: SWAP1 0000011e: SWAP2 0000011f: KECCAK256 00000120: PUSH1 0x04 00000122: SLOAD 00000123: SWAP2 00000124: ADD 00000125: SSTORE 00000126: JUMPDEST 00000127: CALLVALUE 00000128: DUP4 00000129: LT 0000012a: ISZERO 0000012b: PUSH2 0x0197 0000012e: JUMPI 0000012f: PUSH1 0x02 00000131: DUP1 00000132: SLOAD 00000133: PUSH1 0x01 00000135: DUP2 00000136: ADD 00000137: DUP1 00000138: DUP4 00000139: SSTORE 0000013a: DUP3 0000013b: DUP2 0000013c: DUP4 0000013d: DUP1 0000013e: ISZERO 0000013f: DUP3 00000140: SWAP1 00000141: GT 00000142: PUSH2 0x015e 00000145: JUMPI 00000146: DUP2 00000147: DUP4 00000148: PUSH1 0x00 0000014a: MSTORE 0000014b: PUSH1 0x20 0000014d: PUSH1 0x00 0000014f: KECCAK256 00000150: SWAP2 00000151: DUP3 00000152: ADD 00000153: SWAP2 00000154: ADD 00000155: PUSH2 0x015e 00000158: SWAP2 00000159: SWAP1 0000015a: PUSH2 0x00f9 0000015d: JUMP 0000015e: JUMPDEST 0000015f: POP 00000160: POP 00000161: POP 00000162: PUSH1 0x00 00000164: SWAP3 00000165: DUP4 00000166: MSTORE 00000167: POP 00000168: PUSH1 0x20 0000016a: DUP3 0000016b: KECCAK256 0000016c: PUSH1 0x64 0000016e: SWAP2 0000016f: ADD 00000170: SSTORE 00000171: PUSH1 0x40 00000173: MLOAD 00000174: PUSH1 0x01 00000176: PUSH1 0xa0 00000178: PUSH1 0x02 0000017a: EXP 0000017b: SUB 0000017c: CALLER 0000017d: AND 0000017e: SWAP2 0000017f: SWAP1 00000180: CALLVALUE 00000181: DUP7 00000182: SWAP1 00000183: SUB 00000184: SWAP1 00000185: DUP3 00000186: DUP2 00000187: DUP2 00000188: DUP2 00000189: DUP6 0000018a: DUP9 0000018b: DUP4 0000018c: CALL 0000018d: POP 0000018e: POP 0000018f: PUSH1 0x64 00000191: PUSH1 0x04 00000193: SSTORE 00000194: POP 00000195: POP 00000196: POP 00000197: JUMPDEST 00000198: DUP4 00000199: PUSH1 0x00 0000019b: CALLVALUE 0000019c: ADDMOD 0000019d: SWAP1 0000019e: POP 0000019f: PUSH1 0x00 000001a1: DUP2 000001a2: EQ 000001a3: PUSH2 0x01c7 000001a6: JUMPI 000001a7: PUSH1 0x40 000001a9: MLOAD 000001aa: PUSH1 0x01 000001ac: PUSH1 0xa0 000001ae: PUSH1 0x02 000001b0: EXP 000001b1: SUB 000001b2: CALLER 000001b3: AND 000001b4: SWAP1 000001b5: PUSH1 0x00 000001b7: SWAP1 000001b8: DUP4 000001b9: SWAP1 000001ba: DUP3 000001bb: DUP2 000001bc: DUP2 000001bd: DUP2 000001be: DUP6 000001bf: DUP9 000001c0: DUP4 000001c1: CALL 000001c2: POP 000001c3: POP 000001c4: POP 000001c5: POP 000001c6: POP 000001c7: JUMPDEST 000001c8: DUP4 000001c9: CALLVALUE 000001ca: LT 000001cb: ISZERO 000001cc: PUSH2 0x01f0 000001cf: JUMPI 000001d0: PUSH1 0x40 000001d2: MLOAD 000001d3: PUSH1 0x01 000001d5: PUSH1 0xa0 000001d7: PUSH1 0x02 000001d9: EXP 000001da: SUB 000001db: CALLER 000001dc: AND 000001dd: SWAP1 000001de: PUSH1 0x00 000001e0: SWAP1 000001e1: CALLVALUE 000001e2: SWAP1 000001e3: DUP3 000001e4: DUP2 000001e5: DUP2 000001e6: DUP2 000001e7: DUP6 000001e8: DUP9 000001e9: DUP4 000001ea: CALL 000001eb: POP 000001ec: POP 000001ed: POP 000001ee: POP 000001ef: POP 000001f0: JUMPDEST 000001f1: PUSH1 0x04 000001f3: SLOAD 000001f4: PUSH1 0x63 000001f6: SWAP1 000001f7: GT 000001f8: ISZERO 000001f9: PUSH2 0x04b2 000001fc: JUMPI 000001fd: PUSH2 0x04b2 00000200: PUSH1 0x01 00000202: NUMBER 00000203: PUSH1 0x00 00000205: NOT 00000206: DUP2 00000207: ADD 00000208: BLOCKHASH 00000209: DUP3 0000020a: SWAP1 0000020b: MOD 0000020c: SWAP2 0000020d: PUSH1 0x01 0000020f: NOT 00000210: SWAP2 00000211: SWAP1 00000212: SWAP2 00000213: ADD 00000214: BLOCKHASH 00000215: SWAP1 00000216: PUSH1 0x64 00000218: TIMESTAMP 00000219: DUP1 0000021a: DUP5 0000021b: ADD 0000021c: DUP3 0000021d: SWAP1 0000021e: MOD 0000021f: SWAP3 00000220: PUSH2 0x03e8 00000223: DUP1 00000224: DUP7 00000225: DIV 00000226: DUP4 00000227: ADD 00000228: SWAP4 00000229: SWAP1 0000022a: SWAP4 0000022b: MOD 0000022c: SWAP3 0000022d: PUSH3 0x0f4240 00000231: DUP7 00000232: DIV 00000233: DUP4 00000234: ADD 00000235: DUP2 00000236: SWAP1 00000237: MOD 00000238: SWAP3 00000239: PUSH5 0x02540be400 0000023f: DUP8 00000240: DIV 00000241: ADD 00000242: MOD 00000243: SWAP1 00000244: DUP1 00000245: DUP1 00000246: DUP1 00000247: PUSH1 0x00 00000249: JUMPDEST 0000024a: PUSH1 0x03 0000024c: SLOAD 0000024d: DUP2 0000024e: LT 0000024f: ISZERO 00000250: PUSH2 0x00d4 00000253: JUMPI 00000254: PUSH1 0x02 00000256: DUP1 00000257: SLOAD 00000258: DUP3 00000259: SWAP1 0000025a: DUP2 0000025b: LT 0000025c: ISZERO 0000025d: PUSH2 0x0002 00000260: JUMPI 00000261: PUSH1 0x00 00000263: SWAP2 00000264: SWAP1 00000265: SWAP2 00000266: MSTORE 00000267: PUSH1 0x00 00000269: DUP1 0000026a: MLOAD 0000026b: PUSH1 0x20 0000026d: PUSH2 0x04f5 00000270: DUP4 00000271: CODECOPY 00000272: DUP2 00000273: MLOAD 00000274: SWAP2 00000275: MSTORE 00000276: ADD 00000277: SLOAD 00000278: DUP10 00000279: GT 0000027a: DUP1 0000027b: ISZERO 0000027c: SWAP1 0000027d: PUSH2 0x0283 00000280: JUMPI 00000281: POP 00000282: DUP5 00000283: JUMPDEST 00000284: ISZERO 00000285: PUSH2 0x02d6 00000288: JUMPI 00000289: PUSH1 0x03 0000028b: DUP1 0000028c: SLOAD 0000028d: PUSH1 0x00 0000028f: SWAP7 00000290: POP 00000291: DUP3 00000292: SWAP1 00000293: DUP2 00000294: LT 00000295: ISZERO 00000296: PUSH2 0x0002 00000299: JUMPI 0000029a: SWAP1 0000029b: DUP7 0000029c: MSTORE 0000029d: PUSH1 0x40 0000029f: MLOAD 000002a0: PUSH1 0x00 000002a2: DUP1 000002a3: MLOAD 000002a4: PUSH1 0x20 000002a6: PUSH2 0x0515 000002a9: DUP4 000002aa: CODECOPY 000002ab: DUP2 000002ac: MLOAD 000002ad: SWAP2 000002ae: MSTORE 000002af: SWAP2 000002b0: SWAP1 000002b1: SWAP2 000002b2: ADD 000002b3: SLOAD 000002b4: PUSH1 0x01 000002b6: PUSH1 0xa0 000002b8: PUSH1 0x02 000002ba: EXP 000002bb: SUB 000002bc: AND 000002bd: SWAP1 000002be: DUP7 000002bf: SWAP1 000002c0: PUSH7 0x18de76816d8000 000002c8: SWAP1 000002c9: DUP3 000002ca: DUP2 000002cb: DUP2 000002cc: DUP2 000002cd: DUP6 000002ce: DUP9 000002cf: DUP4 000002d0: CALL 000002d1: POP 000002d2: POP 000002d3: POP 000002d4: POP 000002d5: POP 000002d6: JUMPDEST 000002d7: PUSH1 0x02 000002d9: DUP1 000002da: SLOAD 000002db: DUP3 000002dc: SWAP1 000002dd: DUP2 000002de: LT 000002df: ISZERO 000002e0: PUSH2 0x0002 000002e3: JUMPI 000002e4: PUSH1 0x00 000002e6: SWAP2 000002e7: SWAP1 000002e8: SWAP2 000002e9: MSTORE 000002ea: PUSH1 0x00 000002ec: DUP1 000002ed: MLOAD 000002ee: PUSH1 0x20 000002f0: PUSH2 0x04f5 000002f3: DUP4 000002f4: CODECOPY 000002f5: DUP2 000002f6: MLOAD 000002f7: SWAP2 000002f8: MSTORE 000002f9: ADD 000002fa: SLOAD 000002fb: DUP9 000002fc: GT 000002fd: DUP1 000002fe: ISZERO 000002ff: SWAP1 00000300: PUSH2 0x0306 00000303: JUMPI 00000304: POP 00000305: DUP4 00000306: JUMPDEST 00000307: ISZERO 00000308: PUSH2 0x0359 0000030b: JUMPI 0000030c: PUSH1 0x03 0000030e: DUP1 0000030f: SLOAD 00000310: PUSH1 0x00 00000312: SWAP6 00000313: POP 00000314: DUP3 00000315: SWAP1 00000316: DUP2 00000317: LT 00000318: ISZERO 00000319: PUSH2 0x0002 0000031c: JUMPI 0000031d: SWAP1 0000031e: DUP6 0000031f: MSTORE 00000320: PUSH1 0x40 00000322: MLOAD 00000323: PUSH1 0x00 00000325: DUP1 00000326: MLOAD 00000327: PUSH1 0x20 00000329: PUSH2 0x0515 0000032c: DUP4 0000032d: CODECOPY 0000032e: DUP2 0000032f: MLOAD 00000330: SWAP2 00000331: MSTORE 00000332: SWAP2 00000333: SWAP1 00000334: SWAP2 00000335: ADD 00000336: SLOAD 00000337: PUSH1 0x01 00000339: PUSH1 0xa0 0000033b: PUSH1 0x02 0000033d: EXP 0000033e: SUB 0000033f: AND 00000340: SWAP1 00000341: DUP6 00000342: SWAP1 00000343: PUSH7 0x071afd498d0000 0000034b: SWAP1 0000034c: DUP3 0000034d: DUP2 0000034e: DUP2 0000034f: DUP2 00000350: DUP6 00000351: DUP9 00000352: DUP4 00000353: CALL 00000354: POP 00000355: POP 00000356: POP 00000357: POP 00000358: POP 00000359: JUMPDEST 0000035a: PUSH1 0x02 0000035c: DUP1 0000035d: SLOAD 0000035e: DUP3 0000035f: SWAP1 00000360: DUP2 00000361: LT 00000362: ISZERO 00000363: PUSH2 0x0002 00000366: JUMPI 00000367: PUSH1 0x00 00000369: SWAP2 0000036a: SWAP1 0000036b: SWAP2 0000036c: MSTORE 0000036d: PUSH1 0x00 0000036f: DUP1 00000370: MLOAD 00000371: PUSH1 0x20 00000373: PUSH2 0x04f5 00000376: DUP4 00000377: CODECOPY 00000378: DUP2 00000379: MLOAD 0000037a: SWAP2 0000037b: MSTORE 0000037c: ADD 0000037d: SLOAD 0000037e: DUP8 0000037f: GT 00000380: DUP1 00000381: ISZERO 00000382: SWAP1 00000383: PUSH2 0x0389 00000386: JUMPI 00000387: POP 00000388: DUP3 00000389: JUMPDEST 0000038a: ISZERO 0000038b: PUSH2 0x03dc 0000038e: JUMPI 0000038f: PUSH1 0x03 00000391: DUP1 00000392: SLOAD 00000393: PUSH1 0x00 00000395: SWAP5 00000396: POP 00000397: DUP3 00000398: SWAP1 00000399: DUP2 0000039a: LT 0000039b: ISZERO 0000039c: PUSH2 0x0002 0000039f: JUMPI 000003a0: SWAP1 000003a1: DUP5 000003a2: MSTORE 000003a3: PUSH1 0x40 000003a5: MLOAD 000003a6: PUSH1 0x00 000003a8: DUP1 000003a9: MLOAD 000003aa: PUSH1 0x20 000003ac: PUSH2 0x0515 000003af: DUP4 000003b0: CODECOPY 000003b1: DUP2 000003b2: MLOAD 000003b3: SWAP2 000003b4: MSTORE 000003b5: SWAP2 000003b6: SWAP1 000003b7: SWAP2 000003b8: ADD 000003b9: SLOAD 000003ba: PUSH1 0x01 000003bc: PUSH1 0xa0 000003be: PUSH1 0x02 000003c0: EXP 000003c1: SUB 000003c2: AND 000003c3: SWAP1 000003c4: DUP5 000003c5: SWAP1 000003c6: PUSH7 0x01c6bf52634000 000003ce: SWAP1 000003cf: DUP3 000003d0: DUP2 000003d1: DUP2 000003d2: DUP2 000003d3: DUP6 000003d4: DUP9 000003d5: DUP4 000003d6: CALL 000003d7: POP 000003d8: POP 000003d9: POP 000003da: POP 000003db: POP 000003dc: JUMPDEST 000003dd: PUSH1 0x02 000003df: DUP1 000003e0: SLOAD 000003e1: DUP3 000003e2: SWAP1 000003e3: DUP2 000003e4: LT 000003e5: ISZERO 000003e6: PUSH2 0x0002 000003e9: JUMPI 000003ea: PUSH1 0x00 000003ec: SWAP2 000003ed: SWAP1 000003ee: SWAP2 000003ef: MSTORE 000003f0: PUSH1 0x00 000003f2: DUP1 000003f3: MLOAD 000003f4: PUSH1 0x20 000003f6: PUSH2 0x04f5 000003f9: DUP4 000003fa: CODECOPY 000003fb: DUP2 000003fc: MLOAD 000003fd: SWAP2 000003fe: MSTORE 000003ff: ADD 00000400: SLOAD 00000401: DUP7 00000402: GT 00000403: DUP1 00000404: ISZERO 00000405: SWAP1 00000406: PUSH2 0x040c 00000409: JUMPI 0000040a: POP 0000040b: DUP2 0000040c: JUMPDEST 0000040d: ISZERO 0000040e: PUSH2 0x0462 00000411: JUMPI 00000412: PUSH1 0x03 00000414: DUP1 00000415: SLOAD 00000416: PUSH1 0x00 00000418: SWAP4 00000419: POP 0000041a: DUP3 0000041b: SWAP1 0000041c: DUP2 0000041d: LT 0000041e: ISZERO 0000041f: PUSH2 0x0002 00000422: JUMPI 00000423: SWAP1 00000424: DUP4 00000425: MSTORE 00000426: DUP3 00000427: SLOAD 00000428: PUSH1 0x00 0000042a: DUP1 0000042b: MLOAD 0000042c: PUSH1 0x20 0000042e: PUSH2 0x0515 00000431: DUP4 00000432: CODECOPY 00000433: DUP2 00000434: MLOAD 00000435: SWAP2 00000436: MSTORE 00000437: SWAP2 00000438: SWAP1 00000439: SWAP2 0000043a: ADD 0000043b: SLOAD 0000043c: PUSH1 0x01 0000043e: PUSH1 0xa0 00000440: PUSH1 0x02 00000442: EXP 00000443: SUB 00000444: AND 00000445: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000045a: NOT 0000045b: SWAP2 0000045c: SWAP1 0000045d: SWAP2 0000045e: AND 0000045f: OR 00000460: DUP3 00000461: SSTORE 00000462: JUMPDEST 00000463: PUSH1 0x00 00000465: DUP1 00000466: SLOAD 00000467: PUSH1 0x40 00000469: MLOAD 0000046a: PUSH1 0x01 0000046c: PUSH1 0xa0 0000046e: PUSH1 0x02 00000470: EXP 00000471: SUB 00000472: SWAP2 00000473: SWAP1 00000474: SWAP2 00000475: AND 00000476: SWAP2 00000477: SWAP1 00000478: PUSH6 0x16bcc41e9000 0000047f: SWAP1 00000480: DUP3 00000481: DUP2 00000482: DUP2 00000483: DUP2 00000484: DUP6 00000485: DUP9 00000486: DUP4 00000487: CALL 00000488: POP 00000489: POP 0000048a: PUSH1 0x01 0000048c: SLOAD 0000048d: PUSH1 0x40 0000048f: MLOAD 00000490: PUSH1 0x01 00000492: PUSH1 0xa0 00000494: PUSH1 0x02 00000496: EXP 00000497: SUB 00000498: SWAP2 00000499: SWAP1 0000049a: SWAP2 0000049b: AND 0000049c: SWAP4 0000049d: POP 0000049e: DUP3 0000049f: DUP2 000004a0: DUP2 000004a1: DUP2 000004a2: DUP6 000004a3: DUP9 000004a4: DUP4 000004a5: CALL 000004a6: POP 000004a7: POP 000004a8: POP 000004a9: POP 000004aa: POP 000004ab: PUSH1 0x01 000004ad: ADD 000004ae: PUSH2 0x0249 000004b1: JUMP 000004b2: JUMPDEST 000004b3: POP 000004b4: POP 000004b5: POP 000004b6: POP 000004b7: JUMP 000004b8: JUMPDEST 000004b9: POP 000004ba: PUSH1 0x03 000004bc: DUP1 000004bd: SLOAD 000004be: PUSH1 0x00 000004c0: DUP1 000004c1: DUP4 000004c2: SSTORE 000004c3: SWAP2 000004c4: SWAP1 000004c5: SWAP2 000004c6: MSTORE 000004c7: PUSH2 0x04e2 000004ca: SWAP1 000004cb: PUSH1 0x00 000004cd: DUP1 000004ce: MLOAD 000004cf: PUSH1 0x20 000004d1: PUSH2 0x0515 000004d4: DUP4 000004d5: CODECOPY 000004d6: DUP2 000004d7: MLOAD 000004d8: SWAP2 000004d9: MSTORE 000004da: SWAP1 000004db: DUP2 000004dc: ADD 000004dd: SWAP1 000004de: PUSH2 0x00f9 000004e1: JUMP 000004e2: JUMPDEST 000004e3: POP 000004e4: PUSH1 0x00 000004e6: PUSH1 0x04 000004e8: SSTORE 000004e9: POP 000004ea: POP 000004eb: POP 000004ec: POP 000004ed: POP 000004ee: POP 000004ef: POP 000004f0: POP 000004f1: POP 000004f2: POP 000004f3: POP 000004f4: JUMP 000004f5: BLOCKHASH 000004f6: JUMPI 000004f7: DUP8 000004f8: STATICCALL 000004f9: SLT 000004fa: UNKNOWN(0xA8) 000004fb: UNKNOWN(0x23) 000004fc: UNKNOWN(0xE0) 000004fd: CALLCODE 000004fe: UNKNOWN(0xB7) 000004ff: PUSH4 0x1cc41b3b 00000504: UNKNOWN(0xA8) 00000505: DUP3 00000506: DUP12 00000507: CALLER 00000508: UNKNOWN(0x21) 00000509: UNKNOWN(0xCA) 0000050a: DUP2 0000050b: GT 0000050c: GT 0000050d: STATICCALL 0000050e: PUSH22 0xcd3aa3bb5acec2575a0e9e593c00f959f8c92f12db28 00000525: PUSH10 0xc3395a3b0502d05e2516 00000530: DIFFICULTY 00000531: PUSH16
Warning: This is a nightly build of Foundry. It is recommended to use the latest stable version. To mute this warning set `FOUNDRY_DISABLE_NIGHTLY_WARNING` in your environment.
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | other | detector | Untrusted CALL target/value reachable | 60 | yes | yes |
viewtrace_id: 0x6638e4dc5defe6764a74d2ddff6afa4ef5e674aaf55460312e6750b2e33bd061
call_targets:
0x0000000000000000000000000000000000000001, 0xe724bf992be1849f3891ed0656c31d5096ea8862
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x6638e4dc5defe6764a74d2ddff6afa4ef5e674aaf55460312e6750b2e33bd061",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000001",
"0xe724bf992be1849f3891ed0656c31d5096ea8862"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x",
"selector": "fallback",
"calldata_variants": [
"0x"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 396,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 449,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 490,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 9,
"guards_detected": [],
"untrusted_call_count": 9
}
|
| high | other | detector | ETH value transfer possible | 55 | yes | yes |
viewtrace_id: 0x6638e4dc5defe6764a74d2ddff6afa4ef5e674aaf55460312e6750b2e33bd061
call_targets:
0x0000000000000000000000000000000000000001, 0xe724bf992be1849f3891ed0656c31d5096ea8862
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x6638e4dc5defe6764a74d2ddff6afa4ef5e674aaf55460312e6750b2e33bd061",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000001",
"0xe724bf992be1849f3891ed0656c31d5096ea8862"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x",
"selector": "fallback",
"calldata_variants": [
"0x"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 396,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 449,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 490,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 9,
"guards_detected": []
}
|
| high | reentrancy | codex | Payout phase appears reenterable before round state is cleared | 85 | no | — |
viewevidence_json{
"evidence": "`fallback` is the only discovered entrypoint. No auth/reentrancy guards were detected. The contract writes `100` to slot 4 at pc `0x193`, checks the payout condition from slot 4 at pc `0x1f1`, performs multiple ETH `CALL`s during the payout loop at pcs `0x2d0`, `0x353`, `0x3d6`, `0x487`, and `0x4a5`, and only resets slot 4 to `0` near pc `0x4e8`. The participant arrays are only cleared after those calls.",
"locations": [
"selector:fallback",
"pc:0x193",
"pc:0x1f1",
"pc:0x2d0",
"pc:0x353",
"pc:0x3d6",
"pc:0x487",
"pc:0x4a5",
"pc:0x4e8"
],
"recommendation": "Apply checks-effects-interactions: finalize/reset round state before any external value transfer, or move payouts to a pull-based claim flow. Add an explicit reentrancy guard around the fallback path.",
"exploit_scenario": "A malicious recipient contract can be inserted into the participant arrays and receive ETH during the payout loop. Its fallback can immediately call this contract again through the only visible entrypoint (`fallback`). Because no guard was detected, the round-state variable is set to `100` before the payout gate and is only reset near the end of execution, so a reentrant call can execute while slots 2/3 still hold the current round's data. That can let the same round be processed recursively or against partially updated state, potentially causing repeated payouts or corrupted accounting. This is inferred from bytecode and exact business logic is uncertain, but the reentrancy window is concrete."
}
|
| high | other | codex | ETH transfers ignore CALL success and continue mutating state | 85 | no | — |
viewevidence_json{
"evidence": "The artifact records 9 `CALL` sites with `returndata_checked: null`, and the disassembly shows the return values being discarded with `POP`. Examples: after `CALL` at `0x18c`, execution immediately stores to slot 4 at `0x193`; after `CALL`s at `0x2d0`, `0x353`, `0x3d6`, `0x487`, and `0x4a5`, execution just pops stack items and continues the payout/cleanup flow. This is a concrete unchecked-call pattern even though exact source-level intent is unknown.",
"locations": [
"pc:0x18c",
"pc:0x1c1",
"pc:0x1ea",
"pc:0x2d0",
"pc:0x353",
"pc:0x3d6",
"pc:0x487",
"pc:0x4a5"
],
"recommendation": "Check the boolean result of each low-level `CALL` and revert or record an explicit unpaid balance on failure. Prefer pull payments over push payments for participant rewards.",
"exploit_scenario": "Any recipient that reverts, exhausts gas, or otherwise rejects ETH causes `CALL` to return `0`. This bytecode pops the return value instead of checking it, then continues updating storage and clearing round state. A malicious or incompatible recipient can therefore make the contract believe a payout step completed when no ETH was actually delivered, leaving rewards unpaid or later diverted by subsequent logic."
}
|
| medium | oracle | codex | Winner selection relies on blockhash/timestamp entropy that can be biased | 75 | no | — |
viewevidence_json{
"evidence": "The bytecode uses `NUMBER` at pc `0x202`, `BLOCKHASH` at pcs `0x208` and `0x214`, and `TIMESTAMP` at pc `0x218`, then applies multiple `MOD` operations through pc `0x242`. Those derived values feed array lookups over slots 2/3 before ETH `CALL`s at `0x2d0`, `0x353`, and `0x3d6`. The exact selector/function name is unknown because dispatch inference found only `fallback`.",
"locations": [
"selector:fallback",
"pc:0x202",
"pc:0x208",
"pc:0x214",
"pc:0x218",
"pc:0x242",
"pc:0x2d0",
"pc:0x353",
"pc:0x3d6"
],
"recommendation": "Do not use block metadata as lottery entropy. Replace this with a commit-reveal scheme or an external verifiable randomness source.",
"exploit_scenario": "When the payout phase starts, winner indexes are derived from recent `BLOCKHASH`, `NUMBER`, and `TIMESTAMP` values and then used to select addresses from storage-backed participant arrays for fixed ETH transfers. A block producer or MEV searcher with transaction-order influence can bias whether the round executes in a favorable block, and may influence which stored addresses receive the rewards."
}
|