019b3836-4018-7355-8e4c-3fb66cb0a7df
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 5159 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 5160 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 48788 | analysis.bundle | complete | 1 / 3 | 1 week ago |
| 48789 | capability.graph | complete | 1 / 3 | 1 week ago |
| 48790 | detector.run | complete | 1 / 3 | 1 week ago |
| 48791 | validation.fork | complete | 1 / 3 | 1 week ago |
| 113305 | report.consolidate | complete | 1 / 6 | 1 week ago |
No slither job recorded yet.
{"no_findings":false,"summary":"Bytecode looks like a small ERC20-like token with metadata (`0x06fdde03`,`0x95d89b41`), `decimals` (`0x313ce567`), `balanceOf` (`0x70a08231`), and `transfer` (`0xa9059cbb`). I did not find evidence of proxy/upgradeability logic, delegatecall, or user-controlled external calls. The single `CALL` at `pc:0x188` is consistent with the identity precompile (`0x04`) used by older Solidity string-return helpers, so I am not treating the detector's untrusted-call alert as a real issue. One meaningful risk remains: the runtime appears payable everywhere and the fallback path simply stops, so ETH sent to this contract is likely stuck.","findings":[{"severity":"low","category":"other","title":"Payable runtime likely allows ETH to be trapped permanently","exploit_scenario":"Because the runtime has no visible `CALLVALUE` checks, a user or integrating contract can send ETH along with any call, or directly hit the fallback/receive path, and the call will not revert. The visible runtime only exposes token metadata, `balanceOf`, and `transfer`; I found no withdrawal or sweep path in the bytecode. If ETH is sent accidentally, it is likely unrecoverable.","recommendation":"Make non-ETH functions explicitly nonpayable and revert in fallback/receive unless ETH custody is intentional. If ETH must be accepted, add an explicit, access-controlled withdrawal/sweep mechanism.","evidence":"Selector dispatch falls through to `pc:0x45`, which is a bare `STOP`, not a revert. I found no `CALLVALUE` opcode in the runtime, so no payable guard is visible. The only state writes are the two balance `SSTORE`s in the `transfer` path, and the only `CALL` (`pc:0x188`) matches the identity precompile pattern rather than an ETH-withdrawal path. This conclusion is based on bytecode only; selector inference can miss hidden functionality, but the explicit jump table here makes that less likely.","locations":["pc:0x0","pc:0x45","pc:0x123"]}]}
OpenAI Codex v0.118.0 (research preview)
--------
workdir: /tmp/codex-0w852vhs
model: gpt-5.4
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: none
session id: 019d5c6b-fc32-7c00-81f5-9126e2f64925
--------
user
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
warning: Codex could not find system bubblewrap on PATH. Please install bubblewrap with your package manager. Codex will use the vendored bubblewrap in the meantime.
exec
/bin/bash -lc "pwd && ls -la && rg --files -g 'BYTECODE_BUNDLE.json' -g 'AGENTS.md'" in /tmp/codex-0w852vhs
succeeded in 0ms:
/tmp/codex-0w852vhs
total 80
drwx------ 2 noahkuhn noahkuhn 4096 Apr 5 06:54 .
drwxrwxrwt 270 nobody nogroup 24576 Apr 5 06:54 ..
-rw-rw-r-- 1 noahkuhn noahkuhn 44930 Apr 5 06:54 BYTECODE_BUNDLE.json
-rw-rw-r-- 1 noahkuhn noahkuhn 815 Apr 5 06:54 codex-output-schema.json
BYTECODE_BUNDLE.json
exec
/bin/bash -lc "jq '{top_keys: keys, contract_name: .contract_name, summary_keys: (.summary|keys?), detector_findings_count: (.detector_findings|length?), callsites_count: (.callsites|length?), storage_slots_count: (.storage_slots|length?)}' BYTECODE_BUNDLE.json" in /tmp/codex-0w852vhs
succeeded in 0ms:
exec
/bin/bash -lc "which jq && jq 'keys' BYTECODE_BUNDLE.json | sed -n '1,120p'" in /tmp/codex-0w852vhs
succeeded in 0ms:
/usr/bin/jq
[
"analysis_artifact",
"analysis_run",
"artifact",
"capability_graph",
"detector_findings",
"heuristics_summary"
]
exec
/bin/bash -lc "jq '.artifact | {keys: keys, metadata: .metadata, summary: .bytecode_summary, selectors: .selectors[0:20], storage_slots_count: (.storage_slots|length), callsites_count: (.callsites|length)}' BYTECODE_BUNDLE.json" in /tmp/codex-0w852vhs
succeeded in 0ms:
{
"keys": [
"codehash",
"compiler_json",
"implementation_address",
"is_proxy",
"runtime_bytecode",
"verified_source"
],
"metadata": null,
"summary": null,
"selectors": null,
"storage_slots_count": 0,
"callsites_count": 0
}
exec
/bin/bash -lc "jq '.detector_findings | map({id, title, severity, confidence, category, summary, evidence: (.evidence[0:3] // [])})' BYTECODE_BUNDLE.json" in /tmp/codex-0w852vhs
succeeded in 0ms:
[
{
"id": null,
"title": "Untrusted CALL target/value reachable",
"severity": "high",
"confidence": 60,
"category": null,
"summary": null,
"evidence": []
},
{
"id": null,
"title": "ETH value transfer possible",
"severity": "high",
"confidence": 55,
"category": null,
"summary": null,
"evidence": []
}
]
exec
/bin/bash -lc "jq '.analysis_artifact | {keys: keys, summary: .summary, evidence_bundle_keys: (.evidence_bundle|keys?), notes: .notes}' BYTECODE_BUNDLE.json" in /tmp/codex-0w852vhs
succeeded in 0ms:
exec
/bin/bash -lc "jq '.analysis_artifact | keys' BYTECODE_BUNDLE.json" in /tmp/codex-0w852vhs
succeeded in 0ms:
[
"address",
"artifact_hash",
"artifact_json",
"block_number",
"chain_id",
"codehash",
"created_at",
"id",
"updated_at",
"version"
]
exec
/bin/bash -lc "jq -r '.analysis_artifact.artifact_json' BYTECODE_BUNDLE.json | jq '{keys: keys, bytecode_summary: .bytecode_summary, selectors_count: (.selectors|length?), callsites_count: (.callsites|length?), storage_slots_count: (.storage_slots|length?), evidence_keys: (.evidence_bundle|keys?)}'" in /tmp/codex-0w852vhs
succeeded in 0ms:
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
aj=data['analysis_artifact']['artifact_json']
print(type(aj).__name__)
print(str(aj)[:500])
PY" in /tmp/codex-0w852vhs
succeeded in 0ms:
dict
{'auth': {'guards': []}, 'basic_blocks': [{'end_pc': 24, 'hash': '0x6a350686911b120d699f8e8d1e9440d4ce17c4434492baee43484e2ef083a112', 'opcodes': ['PUSH1', 'PUSH1', 'MSTORE', 'PUSH1', 'PUSH1', 'EXP', 'PUSH1', 'CALLDATALOAD', 'DIV', 'PUSH4', 'OP_81', 'EQ', 'PUSH2', 'JUMPI'], 'start_pc': 0}, {'end_pc': 35, 'hash': '0x09fc75e3aa8fb02b98e24881cc463925488c7dfa7ef308570a5930c5c420c614', 'opcodes': ['OP_80', 'PUSH4', 'EQ', 'PUSH2', 'JUMPI'], 'start_pc': 25}, {'end_pc': 46, 'hash': '0x976103db32485bde43
exec
/bin/bash -lc "python - <<'PY'
import json, pprint
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
art=data['analysis_artifact']['artifact_json']
print('keys', sorted(art.keys()))
for k in ['bytecode_summary','selectors','callsites','storage_slots','evidence_bundle','proxy','upgradeability','auth','external_calls','function_dispatch']:
if k in art:
v=art[k]
if isinstance(v, (list,dict)):
size = len(v)
else:
size = None
print('\\nKEY', k, 'type', type(v).__name__, 'size', size)
pprint.pp(v if not isinstance(v, list) else v[:5], width=120)
PY" in /tmp/codex-0w852vhs
succeeded in 0ms:
keys ['auth', 'basic_blocks', 'callsites', 'cfg_edges', 'cfg_hash', 'dispatcher_type', 'function_entries', 'functions', 'selectors', 'sinks', 'storage', 'version']
KEY selectors type list size 5
['0x06fdde03', '0x313ce567', '0x70a08231', '0x95d89b41', '0xa9059cbb']
KEY callsites type list size 1
[{'opcode': 'CALL',
'pc': 392,
'returndata_checked': None,
'target_expression_category': 'computed',
'value_expression_category': 'computed'}]
KEY auth type dict size 1
{'guards': []}
exec
/bin/bash -lc "python - <<'PY'
import json, pprint
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
art=data['analysis_artifact']['artifact_json']
for k in ['dispatcher_type','function_entries','functions','sinks','storage']:
v=art.get(k)
print('\\nKEY', k, 'type', type(v).__name__)
pprint.pp(v, width=140)
PY" in /tmp/codex-0w852vhs
succeeded in 0ms:
KEY dispatcher_type type str
'selector_jump_table'
KEY function_entries type list
[{'entry_pc': None, 'selector': '0x06fdde03'},
{'entry_pc': 1889567281, 'selector': '0x313ce567'},
{'entry_pc': 2514000705, 'selector': '0x70a08231'},
{'entry_pc': 2835717307, 'selector': '0x95d89b41'},
{'entry_pc': None, 'selector': '0xa9059cbb'}]
KEY functions type list
[{'auth': {'guards': []},
'entry_pc': None,
'selector': '0x06fdde03',
'sinks': {'call': 1, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 0},
'storage': {'reads': 11,
'slots': [{'op': 'SLOAD', 'pc': 78, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'},
{'op': 'SLOAD', 'pc': 150, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000100'},
{'op': 'SLOAD', 'pc': 170, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000002'},
{'op': 'SLOAD', 'pc': 207, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000001'},
{'op': 'SLOAD', 'pc': 277, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000100'}],
'writes': 2}},
{'auth': {'guards': []},
'entry_pc': 1889567281,
'selector': '0x313ce567',
'sinks': {'call': 1, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 0},
'storage': {'reads': 11,
'slots': [{'op': 'SLOAD', 'pc': 78, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'},
{'op': 'SLOAD', 'pc': 150, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000100'},
{'op': 'SLOAD', 'pc': 170, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000002'},
{'op': 'SLOAD', 'pc': 207, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000001'},
{'op': 'SLOAD', 'pc': 277, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000100'}],
'writes': 2}},
{'auth': {'guards': []},
'entry_pc': 2514000705,
'selector': '0x70a08231',
'sinks': {'call': 1, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 0},
'storage': {'reads': 11,
'slots': [{'op': 'SLOAD', 'pc': 78, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'},
{'op': 'SLOAD', 'pc': 150, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000100'},
{'op': 'SLOAD', 'pc': 170, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000002'},
{'op': 'SLOAD', 'pc': 207, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000001'},
{'op': 'SLOAD', 'pc': 277, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000100'}],
'writes': 2}},
{'auth': {'guards': []},
'entry_pc': 2835717307,
'selector': '0x95d89b41',
'sinks': {'call': 1, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 0},
'storage': {'reads': 11,
'slots': [{'op': 'SLOAD', 'pc': 78, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'},
{'op': 'SLOAD', 'pc': 150, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000100'},
{'op': 'SLOAD', 'pc': 170, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000002'},
{'op': 'SLOAD', 'pc': 207, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000001'},
{'op': 'SLOAD', 'pc': 277, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000100'}],
'writes': 2}},
{'auth': {'guards': []},
'entry_pc': None,
'selector': '0xa9059cbb',
'sinks': {'call': 1, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 0},
'storage': {'reads': 11,
'slots': [{'op': 'SLOAD', 'pc': 78, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'},
{'op': 'SLOAD', 'pc': 150, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000100'},
{'op': 'SLOAD', 'pc': 170, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000002'},
{'op': 'SLOAD', 'pc': 207, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000001'},
{'op': 'SLOAD', 'pc': 277, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000100'}],
'writes': 2}}]
KEY sinks type dict
{'call': 1, 'create': 0, 'create2': 0, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 0, 'upgrade_slot_write_suspected': False}
KEY storage type dict
{'keccak_count': 6,
'reads': 11,
'slots': [{'op': 'SLOAD', 'pc': 78, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'},
{'op': 'SLOAD', 'pc': 150, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000100'},
{'op': 'SLOAD', 'pc': 170, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000002'},
{'op': 'SLOAD', 'pc': 207, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000001'},
{'op': 'SLOAD', 'pc': 277, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000100'}],
'writes': 2}
exec
/bin/bash -lc "python - <<'PY'
import json
from pprint import pprint
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
art=data['analysis_artifact']['artifact_json']
for bb in art['basic_blocks']:
if bb['start_pc'] <= 392 <= bb['end_pc'] or abs(bb['start_pc']-392) < 80 or abs(bb['end_pc']-392) < 80:
print('\\nblock', bb['start_pc'], bb['end_pc'])
print(bb['opcodes'])
PY" in /tmp/codex-0w852vhs
succeeded in 0ms:
block 291 333
['JUMPDEST', 'PUSH2', 'PUSH1', 'CALLDATALOAD', 'PUSH1', 'CALLDATALOAD', 'PUSH1', 'PUSH1', 'PUSH1', 'EXP', 'SUB', 'CALLER', 'AND', 'PUSH1', 'OP_90', 'OP_81', 'MSTORE', 'PUSH1', 'PUSH1', 'MSTORE', 'PUSH1', 'OP_90', 'SHA3', 'SLOAD', 'OP_81', 'OP_90', 'LT', 'ISZERO', 'PUSH2', 'JUMPI']
block 334 337
['PUSH2', 'JUMP']
block 338 408
['JUMPDEST', 'PUSH1', 'MLOAD', 'OP_80', 'OP_80', 'PUSH1', 'ADD', 'OP_82', 'OP_81', 'SUB', 'OP_82', 'MSTORE', 'OP_83', 'OP_81', 'OP_81', 'MLOAD', 'OP_81', 'MSTORE', 'PUSH1', 'ADD', 'OP_91', 'POP', 'OP_80', 'MLOAD', 'OP_90', 'PUSH1', 'ADD', 'OP_90', 'OP_80', 'OP_83', 'OP_83', 'OP_82', 'OP_90', 'PUSH1', 'PUSH1', 'PUSH1', 'OP_84', 'PUSH1', 'ADD', 'DIV', 'PUSH1', 'MUL', 'PUSH1', 'ADD', 'CALL', 'POP', 'OP_90', 'POP', 'OP_90', 'OP_81', 'ADD', 'OP_90', 'PUSH1', 'AND', 'OP_80', 'ISZERO', 'PUSH2', 'JUMPI']
block 409 433
['OP_80', 'OP_82', 'SUB', 'OP_80', 'MLOAD', 'PUSH1', 'OP_83', 'PUSH1', 'SUB', 'PUSH2', 'EXP', 'SUB', 'NOT', 'AND', 'OP_81', 'MSTORE', 'PUSH1', 'ADD', 'OP_91', 'POP']
block 434 447
['JUMPDEST', 'POP', 'OP_92', 'POP', 'POP', 'POP', 'PUSH1', 'MLOAD', 'OP_80', 'OP_91', 'SUB', 'OP_90', 'RETURN']
block 448 457
['JUMPDEST', 'PUSH1', 'OP_90', 'OP_81', 'MSTORE', 'PUSH1', 'OP_90', 'RETURN']
block 458 471
['JUMPDEST', 'OP_82', 'ADD', 'OP_91', 'OP_90', 'PUSH1', 'MSTORE', 'PUSH1', 'PUSH1', 'SHA3', 'OP_90']
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
bytecode=data['artifact']['runtime_bytecode']
print('type', type(bytecode).__name__)
print('len_hex', len(bytecode))
print(bytecode[:120])
PY" in /tmp/codex-0w852vhs
exited 1 in 0ms:
type dict
len_hex 5
Traceback (most recent call last):
File "<stdin>", line 7, in <module>
KeyError: slice(None, 120, None)
exec
/bin/bash -lc "python - <<'PY'
import json, pprint
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
pprint.pp(data['artifact']['runtime_bytecode'], width=120)
PY" in /tmp/codex-0w852vhs
succeeded in 0ms:
{'full': '0x606060405260e060020a600035046306fdde038114610047578063313ce567146100a457806370a08231146100b057806395d89b41146100c8578063a9059cbb14610123575b005b61015260008054602060026001831615610100026000190190921691909104601f810182900490910260809081016040526060828152929190828280156101f55780601f106101ca576101008083540402835291602001916101f5565b6101c060025460ff1681565b6101c060043560036020526000908152604090205481565b610152600180546020601f6002600019610100858716150201909316929092049182018190040260809081016040526060828152929190828280156101f55780601f106101ca576101008083540402835291602001916101f5565b610045600435602435600160a060020a033316600090815260036020526040902054819010156101fd57610002565b60405180806020018281038252838181518152602001915080519060200190808383829060006004602084601f0104600f02600301f150905090810190601f1680156101b25780820380516001836020036101000a031916815260200191505b509250505060405180910390f35b6060908152602090f35b820191906000526020600020905b8154815290600101906020018083116101d857829003601f168201915b505050505081565b600160a060020a03821660009081526040902054808201101561021f57610002565b806003600050600033600160a060020a03168152602001908152602001600020600082828250540392505081905550806003600050600084600160a060020a0316815260200190815260200160002060008282825054019250508190555081600160a060020a031633600160a060020a03167fddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef836040518082815260200191505060405180910390a3505056',
'head': None,
'length': 1434,
'tail': None,
'truncated': False}
exec
/bin/bash -lc "python - <<'PY'
import json
ops={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT',0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4'}
for i in range(1,33): ops[0x5f+i]=f'PUSH{i}'
for i in range(1,17): ops[0x7f+i]=f'DUP{i}'
for i in range(1,17): ops[0x8f+i]=f'SWAP{i}'
for i in range(0,5): ops[0xa0+i]=f'LOG{i}'
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
hexcode=data['artifact']['runtime_bytecode']['full'][2:]
code=bytes.fromhex(hexcode)
pc=0
while pc < len(code):
op=code[pc]
name=ops.get(op,f'OP_{op:02x}')
if name.startswith('PUSH'):
n=int(name[4:])
arg=code[pc+1:pc+1+n]
print(f'{pc:04x}: {name} 0x{arg.hex()}')
pc+=1+n
else:
print(f'{pc:04x}: {name}')
pc+=1
PY" in /tmp/codex-0w852vhs
succeeded in 0ms:
0000: PUSH1 0x60
0002: PUSH1 0x40
0004: MSTORE
0005: PUSH1 0xe0
0007: PUSH1 0x02
0009: EXP
000a: PUSH1 0x00
000c: CALLDATALOAD
000d: DIV
000e: PUSH4 0x06fdde03
0013: DUP2
0014: EQ
0015: PUSH2 0x0047
0018: JUMPI
0019: DUP1
001a: PUSH4 0x313ce567
001f: EQ
0020: PUSH2 0x00a4
0023: JUMPI
0024: DUP1
0025: PUSH4 0x70a08231
002a: EQ
002b: PUSH2 0x00b0
002e: JUMPI
002f: DUP1
0030: PUSH4 0x95d89b41
0035: EQ
0036: PUSH2 0x00c8
0039: JUMPI
003a: DUP1
003b: PUSH4 0xa9059cbb
0040: EQ
0041: PUSH2 0x0123
0044: JUMPI
0045: JUMPDEST
0046: STOP
0047: JUMPDEST
0048: PUSH2 0x0152
004b: PUSH1 0x00
004d: DUP1
004e: SLOAD
004f: PUSH1 0x20
0051: PUSH1 0x02
0053: PUSH1 0x01
0055: DUP4
0056: AND
0057: ISZERO
0058: PUSH2 0x0100
005b: MUL
005c: PUSH1 0x00
005e: NOT
005f: ADD
0060: SWAP1
0061: SWAP3
0062: AND
0063: SWAP2
0064: SWAP1
0065: SWAP2
0066: DIV
0067: PUSH1 0x1f
0069: DUP2
006a: ADD
006b: DUP3
006c: SWAP1
006d: DIV
006e: SWAP1
006f: SWAP2
0070: MUL
0071: PUSH1 0x80
0073: SWAP1
0074: DUP2
0075: ADD
0076: PUSH1 0x40
0078: MSTORE
0079: PUSH1 0x60
007b: DUP3
007c: DUP2
007d: MSTORE
007e: SWAP3
007f: SWAP2
0080: SWAP1
0081: DUP3
0082: DUP3
0083: DUP1
0084: ISZERO
0085: PUSH2 0x01f5
0088: JUMPI
0089: DUP1
008a: PUSH1 0x1f
008c: LT
008d: PUSH2 0x01ca
0090: JUMPI
0091: PUSH2 0x0100
0094: DUP1
0095: DUP4
0096: SLOAD
0097: DIV
0098: MUL
0099: DUP4
009a: MSTORE
009b: SWAP2
009c: PUSH1 0x20
009e: ADD
009f: SWAP2
00a0: PUSH2 0x01f5
00a3: JUMP
00a4: JUMPDEST
00a5: PUSH2 0x01c0
00a8: PUSH1 0x02
00aa: SLOAD
00ab: PUSH1 0xff
00ad: AND
00ae: DUP2
00af: JUMP
00b0: JUMPDEST
00b1: PUSH2 0x01c0
00b4: PUSH1 0x04
00b6: CALLDATALOAD
00b7: PUSH1 0x03
00b9: PUSH1 0x20
00bb: MSTORE
00bc: PUSH1 0x00
00be: SWAP1
00bf: DUP2
00c0: MSTORE
00c1: PUSH1 0x40
00c3: SWAP1
00c4: SHA3
00c5: SLOAD
00c6: DUP2
00c7: JUMP
00c8: JUMPDEST
00c9: PUSH2 0x0152
00cc: PUSH1 0x01
00ce: DUP1
00cf: SLOAD
00d0: PUSH1 0x20
00d2: PUSH1 0x1f
00d4: PUSH1 0x02
00d6: PUSH1 0x00
00d8: NOT
00d9: PUSH2 0x0100
00dc: DUP6
00dd: DUP8
00de: AND
00df: ISZERO
00e0: MUL
00e1: ADD
00e2: SWAP1
00e3: SWAP4
00e4: AND
00e5: SWAP3
00e6: SWAP1
00e7: SWAP3
00e8: DIV
00e9: SWAP2
00ea: DUP3
00eb: ADD
00ec: DUP2
00ed: SWAP1
00ee: DIV
00ef: MUL
00f0: PUSH1 0x80
00f2: SWAP1
00f3: DUP2
00f4: ADD
00f5: PUSH1 0x40
00f7: MSTORE
00f8: PUSH1 0x60
00fa: DUP3
00fb: DUP2
00fc: MSTORE
00fd: SWAP3
00fe: SWAP2
00ff: SWAP1
0100: DUP3
0101: DUP3
0102: DUP1
0103: ISZERO
0104: PUSH2 0x01f5
0107: JUMPI
0108: DUP1
0109: PUSH1 0x1f
010b: LT
010c: PUSH2 0x01ca
010f: JUMPI
0110: PUSH2 0x0100
0113: DUP1
0114: DUP4
0115: SLOAD
0116: DIV
0117: MUL
0118: DUP4
0119: MSTORE
011a: SWAP2
011b: PUSH1 0x20
011d: ADD
011e: SWAP2
011f: PUSH2 0x01f5
0122: JUMP
0123: JUMPDEST
0124: PUSH2 0x0045
0127: PUSH1 0x04
0129: CALLDATALOAD
012a: PUSH1 0x24
012c: CALLDATALOAD
012d: PUSH1 0x01
012f: PUSH1 0xa0
0131: PUSH1 0x02
0133: EXP
0134: SUB
0135: CALLER
0136: AND
0137: PUSH1 0x00
0139: SWAP1
013a: DUP2
013b: MSTORE
013c: PUSH1 0x03
013e: PUSH1 0x20
0140: MSTORE
0141: PUSH1 0x40
0143: SWAP1
0144: SHA3
0145: SLOAD
0146: DUP2
0147: SWAP1
0148: LT
0149: ISZERO
014a: PUSH2 0x01fd
014d: JUMPI
014e: PUSH2 0x0002
0151: JUMP
0152: JUMPDEST
0153: PUSH1 0x40
0155: MLOAD
0156: DUP1
0157: DUP1
0158: PUSH1 0x20
015a: ADD
015b: DUP3
015c: DUP2
015d: SUB
015e: DUP3
015f: MSTORE
0160: DUP4
0161: DUP2
0162: DUP2
0163: MLOAD
0164: DUP2
0165: MSTORE
0166: PUSH1 0x20
0168: ADD
0169: SWAP2
016a: POP
016b: DUP1
016c: MLOAD
016d: SWAP1
016e: PUSH1 0x20
0170: ADD
0171: SWAP1
0172: DUP1
0173: DUP4
0174: DUP4
0175: DUP3
0176: SWAP1
0177: PUSH1 0x00
0179: PUSH1 0x04
017b: PUSH1 0x20
017d: DUP5
017e: PUSH1 0x1f
0180: ADD
0181: DIV
0182: PUSH1 0x0f
0184: MUL
0185: PUSH1 0x03
0187: ADD
0188: CALL
0189: POP
018a: SWAP1
018b: POP
018c: SWAP1
018d: DUP2
018e: ADD
018f: SWAP1
0190: PUSH1 0x1f
0192: AND
0193: DUP1
0194: ISZERO
0195: PUSH2 0x01b2
0198: JUMPI
0199: DUP1
019a: DUP3
019b: SUB
019c: DUP1
019d: MLOAD
019e: PUSH1 0x01
01a0: DUP4
01a1: PUSH1 0x20
01a3: SUB
01a4: PUSH2 0x0100
01a7: EXP
01a8: SUB
01a9: NOT
01aa: AND
01ab: DUP2
01ac: MSTORE
01ad: PUSH1 0x20
01af: ADD
01b0: SWAP2
01b1: POP
01b2: JUMPDEST
01b3: POP
01b4: SWAP3
01b5: POP
01b6: POP
01b7: POP
01b8: PUSH1 0x40
01ba: MLOAD
01bb: DUP1
01bc: SWAP2
01bd: SUB
01be: SWAP1
01bf: RETURN
01c0: JUMPDEST
01c1: PUSH1 0x60
01c3: SWAP1
01c4: DUP2
01c5: MSTORE
01c6: PUSH1 0x20
01c8: SWAP1
01c9: RETURN
01ca: JUMPDEST
01cb: DUP3
01cc: ADD
01cd: SWAP2
01ce: SWAP1
01cf: PUSH1 0x00
01d1: MSTORE
01d2: PUSH1 0x20
01d4: PUSH1 0x00
01d6: SHA3
01d7: SWAP1
01d8: JUMPDEST
01d9: DUP2
01da: SLOAD
01db: DUP2
01dc: MSTORE
01dd: SWAP1
01de: PUSH1 0x01
01e0: ADD
01e1: SWAP1
01e2: PUSH1 0x20
01e4: ADD
01e5: DUP1
01e6: DUP4
01e7: GT
01e8: PUSH2 0x01d8
01eb: JUMPI
01ec: DUP3
01ed: SWAP1
01ee: SUB
01ef: PUSH1 0x1f
01f1: AND
01f2: DUP3
01f3: ADD
01f4: SWAP2
01f5: JUMPDEST
01f6: POP
01f7: POP
01f8: POP
01f9: POP
01fa: POP
01fb: DUP2
01fc: JUMP
01fd: JUMPDEST
01fe: PUSH1 0x01
0200: PUSH1 0xa0
0202: PUSH1 0x02
0204: EXP
0205: SUB
0206: DUP3
0207: AND
0208: PUSH1 0x00
020a: SWAP1
020b: DUP2
020c: MSTORE
020d: PUSH1 0x40
020f: SWAP1
0210: SHA3
0211: SLOAD
0212: DUP1
0213: DUP3
0214: ADD
0215: LT
0216: ISZERO
0217: PUSH2 0x021f
021a: JUMPI
021b: PUSH2 0x0002
021e: JUMP
021f: JUMPDEST
0220: DUP1
0221: PUSH1 0x03
0223: PUSH1 0x00
0225: POP
0226: PUSH1 0x00
0228: CALLER
0229: PUSH1 0x01
022b: PUSH1 0xa0
022d: PUSH1 0x02
022f: EXP
0230: SUB
0231: AND
0232: DUP2
0233: MSTORE
0234: PUSH1 0x20
0236: ADD
0237: SWAP1
0238: DUP2
0239: MSTORE
023a: PUSH1 0x20
023c: ADD
023d: PUSH1 0x00
023f: SHA3
0240: PUSH1 0x00
0242: DUP3
0243: DUP3
0244: DUP3
0245: POP
0246: SLOAD
0247: SUB
0248: SWAP3
0249: POP
024a: POP
024b: DUP2
024c: SWAP1
024d: SSTORE
024e: POP
024f: DUP1
0250: PUSH1 0x03
0252: PUSH1 0x00
0254: POP
0255: PUSH1 0x00
0257: DUP5
0258: PUSH1 0x01
025a: PUSH1 0xa0
025c: PUSH1 0x02
025e: EXP
025f: SUB
0260: AND
0261: DUP2
0262: MSTORE
0263: PUSH1 0x20
0265: ADD
0266: SWAP1
0267: DUP2
0268: MSTORE
0269: PUSH1 0x20
026b: ADD
026c: PUSH1 0x00
026e: SHA3
026f: PUSH1 0x00
0271: DUP3
0272: DUP3
0273: DUP3
0274: POP
0275: SLOAD
0276: ADD
0277: SWAP3
0278: POP
0279: POP
027a: DUP2
027b: SWAP1
027c: SSTORE
027d: POP
027e: DUP2
027f: PUSH1 0x01
0281: PUSH1 0xa0
0283: PUSH1 0x02
0285: EXP
0286: SUB
0287: AND
0288: CALLER
0289: PUSH1 0x01
028b: PUSH1 0xa0
028d: PUSH1 0x02
028f: EXP
0290: SUB
0291: AND
0292: PUSH32 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef
02b3: DUP4
02b4: PUSH1 0x40
02b6: MLOAD
02b7: DUP1
02b8: DUP3
02b9: DUP2
02ba: MSTORE
02bb: PUSH1 0x20
02bd: ADD
02be: SWAP2
02bf: POP
02c0: POP
02c1: PUSH1 0x40
02c3: MLOAD
02c4: DUP1
02c5: SWAP2
02c6: SUB
02c7: SWAP1
02c8: LOG3
02c9: POP
02ca: POP
02cb: JUMP
exec
/bin/bash -lc "python - <<'PY'
import json, pprint
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
for k in ['heuristics_summary','analysis_run','capability_graph']:
print('\\nKEY',k)
pprint.pp(data.get(k), width=140)
PY" in /tmp/codex-0w852vhs
succeeded in 0ms:
KEY heuristics_summary
{'create2_count': 0, 'delegatecall_count': 0, 'flags': [], 'selfdestruct_count': 0}
KEY analysis_run
{'address': '0xa9161619071b56d4cacbdd0045b8c12723fcb683',
'block_number': None,
'chain_id': 1,
'child_links': [],
'created_at': '2025-12-19T20:03:58.000000Z',
'id': '019b3836-4018-7355-8e4c-3fb66cb0a7df',
'parent_links': [],
'status': 'running',
'updated_at': '2026-04-04T19:59:24.000000Z'}
KEY capability_graph
{'address': '0xa9161619071b56d4cacbdd0045b8c12723fcb683',
'block_number': None,
'chain_id': 1,
'codehash': '0x9c955d6fcbfcbaebc1eba76ca0b918c6f34cf6cc3f5c33f4a4a83a88440f4e9f',
'created_at': '2026-04-04T19:59:25.000000Z',
'graph_hash': '0x2ee0f252132699f51924d69c5f1c6dfb4e7637cad6f24f07a9a7a4cd1120fbb1',
'graph_json': {'edges': [{'from': 'bb:0', 'to': 'bb:71', 'type': 'control_flow'},
{'from': 'bb:0', 'to': 'bb:25', 'type': 'control_flow_fallthrough'},
{'from': 'bb:25', 'to': 'bb:164', 'type': 'control_flow'},
{'from': 'bb:25', 'to': 'bb:36', 'type': 'control_flow_fallthrough'},
{'from': 'bb:36', 'to': 'bb:176', 'type': 'control_flow'},
{'from': 'bb:36', 'to': 'bb:47', 'type': 'control_flow_fallthrough'},
{'from': 'bb:47', 'to': 'bb:200', 'type': 'control_flow'},
{'from': 'bb:47', 'to': 'bb:58', 'type': 'control_flow_fallthrough'},
{'from': 'bb:58', 'to': 'bb:291', 'type': 'control_flow'},
{'from': 'bb:58', 'to': 'bb:69', 'type': 'control_flow_fallthrough'},
{'from': 'bb:71', 'to': 'bb:501', 'type': 'control_flow'},
{'from': 'bb:71', 'to': 'bb:137', 'type': 'control_flow_fallthrough'},
{'from': 'bb:137', 'to': 'bb:458', 'type': 'control_flow'},
{'from': 'bb:137', 'to': 'bb:145', 'type': 'control_flow_fallthrough'},
{'from': 'bb:145', 'to': 'bb:501', 'type': 'control_flow'},
{'from': 'bb:200', 'to': 'bb:501', 'type': 'control_flow'},
{'from': 'bb:200', 'to': 'bb:264', 'type': 'control_flow_fallthrough'},
{'from': 'bb:264', 'to': 'bb:458', 'type': 'control_flow'},
{'from': 'bb:264', 'to': 'bb:272', 'type': 'control_flow_fallthrough'},
{'from': 'bb:272', 'to': 'bb:501', 'type': 'control_flow'},
{'from': 'bb:291', 'to': 'bb:509', 'type': 'control_flow'},
{'from': 'bb:291', 'to': 'bb:334', 'type': 'control_flow_fallthrough'},
{'from': 'bb:338', 'to': 'bb:434', 'type': 'control_flow'},
{'from': 'bb:338', 'to': 'bb:409', 'type': 'control_flow_fallthrough'},
{'from': 'bb:409', 'to': 'bb:434', 'type': 'control_flow_fallthrough'},
{'from': 'bb:458', 'to': 'bb:472', 'type': 'control_flow_fallthrough'},
{'from': 'bb:472', 'to': 'bb:472', 'type': 'control_flow'},
{'from': 'bb:472', 'to': 'bb:492', 'type': 'control_flow_fallthrough'},
{'from': 'bb:492', 'to': 'bb:501', 'type': 'control_flow_fallthrough'},
{'from': 'bb:509', 'to': 'bb:543', 'type': 'control_flow'},
{'from': 'bb:509', 'to': 'bb:539', 'type': 'control_flow_fallthrough'},
{'from': 'fn:0x313ce567', 'to': 'bb:1889567281', 'type': 'entry'},
{'from': 'fn:0x70a08231', 'to': 'bb:2514000705', 'type': 'entry'},
{'from': 'fn:0x95d89b41', 'to': 'bb:2835717307', 'type': 'entry'},
{'from': 'bb:338', 'to': 'call:392', 'type': 'contains'},
{'from': 'call:392', 'to': 'sink:call', 'type': 'capability'}],
'nodes': [{'end_pc': 24,
'hash': '0x6a350686911b120d699f8e8d1e9440d4ce17c4434492baee43484e2ef083a112',
'id': 'bb:0',
'start_pc': 0,
'type': 'basic_block'},
{'end_pc': 35,
'hash': '0x09fc75e3aa8fb02b98e24881cc463925488c7dfa7ef308570a5930c5c420c614',
'id': 'bb:25',
'start_pc': 25,
'type': 'basic_block'},
{'end_pc': 46,
'hash': '0x976103db32485bde438fb5c3f9f54ee02f48623f2e3b08249411cd4aee3c334a',
'id': 'bb:36',
'start_pc': 36,
'type': 'basic_block'},
{'end_pc': 57,
'hash': '0x3c19c073e27395dc44272beb525b6373ad140a4045aabbd1b653e498e1806824',
'id': 'bb:47',
'start_pc': 47,
'type': 'basic_block'},
{'end_pc': 68,
'hash': '0x3a122683470ea7901e31e80e6378780a829a06da64b04e691b5d5c5621392507',
'id': 'bb:58',
'start_pc': 58,
'type': 'basic_block'},
{'end_pc': 70,
'hash': '0x55afd043d32294d5f0189f5a0aa04f3174e4c087a31c85396f49b5f17813cb96',
'id': 'bb:69',
'start_pc': 69,
'type': 'basic_block'},
{'end_pc': 136,
'hash': '0xfc01f99e3d71612bfaa85e2bb57cdd9403eabce7b9348bcac405b7924f1b1f2d',
'id': 'bb:71',
'start_pc': 71,
'type': 'basic_block'},
{'end_pc': 144,
'hash': '0x94766029cd41199d0239fbf67bb17d1e452d9bb9f7b63a80357531b66475e6d3',
'id': 'bb:137',
'start_pc': 137,
'type': 'basic_block'},
{'end_pc': 163,
'hash': '0x7a9c5e28ca72e7db26993eb4591b942a2bd83baf5200667721f5598807ec92a5',
'id': 'bb:145',
'start_pc': 145,
'type': 'basic_block'},
{'end_pc': 175,
'hash': '0x938aee19a0e1094c19b5a9528f839968d51c237564158e673ab6899436584f6e',
'id': 'bb:164',
'start_pc': 164,
'type': 'basic_block'},
{'end_pc': 199,
'hash': '0x7b0565c261db3d55c39f20ac0ee4d4710d6951f51b6844e361a4647909dcfc38',
'id': 'bb:176',
'start_pc': 176,
'type': 'basic_block'},
{'end_pc': 263,
'hash': '0x05bb2b1cf28e868299a2692b981f091c16cd0b0ff5f325436e762172d3967632',
'id': 'bb:200',
'start_pc': 200,
'type': 'basic_block'},
{'end_pc': 271,
'hash': '0x21b49c68f1af8b85acdfbc3ef26289b590ab67ebb18271dfc552d3d38c161349',
'id': 'bb:264',
'start_pc': 264,
'type': 'basic_block'},
{'end_pc': 290,
'hash': '0xae7e4932e7d3455de45f6fa310bc61e816c4075510a405b25c6797cfa8308dd4',
'id': 'bb:272',
'start_pc': 272,
'type': 'basic_block'},
{'end_pc': 333,
'hash': '0x695d244bc0789518ea2be8b9593ab18c4b31efe9b0bb2b4a99b09bfa0bd4168d',
'id': 'bb:291',
'start_pc': 291,
'type': 'basic_block'},
{'end_pc': 337,
'hash': '0x5ebda49c75a90269902080f51db6f1c7b1af883a7fd6baf1d61b81a8b96dcdca',
'id': 'bb:334',
'start_pc': 334,
'type': 'basic_block'},
{'end_pc': 408,
'hash': '0x8260bcfbd4c1d49f77b482640c6297cd133661f3ada7f52d07e1835f240b06d3',
'id': 'bb:338',
'start_pc': 338,
'type': 'basic_block'},
{'end_pc': 433,
'hash': '0xc0a703c2254334f9171c8126ae06fea5cf289341f4c19c890fa2f6b928c400e4',
'id': 'bb:409',
'start_pc': 409,
'type': 'basic_block'},
{'end_pc': 447,
'hash': '0xbbf38bd955ec6188d491c8a752950f390e38b6a9203b6891438ecf3d66b81c51',
'id': 'bb:434',
'start_pc': 434,
'type': 'basic_block'},
{'end_pc': 457,
'hash': '0xe40870dc717cbfdedea9fbb4d2473ca373d3dd88734eda3a8e7ff7e0a08a80de',
'id': 'bb:448',
'start_pc': 448,
'type': 'basic_block'},
{'end_pc': 471,
'hash': '0x712f7aabde4f2b6cb8fd21b243449d960bb2bde97dfa68f99a6793a74191755f',
'id': 'bb:458',
'start_pc': 458,
'type': 'basic_block'},
{'end_pc': 491,
'hash': '0xb72355893dc85ba3dba3d8450e06bc619269717a95c970bc878e9b20fda0e6a2',
'id': 'bb:472',
'start_pc': 472,
'type': 'basic_block'},
{'end_pc': 500,
'hash': '0x44d3956d843a32ee50717833fa8ec9dbfa425cdf8dcb23848e44acae24f05d14',
'id': 'bb:492',
'start_pc': 492,
'type': 'basic_block'},
{'end_pc': 508,
'hash': '0xfc2ec825a8f178aa5a5c70c694abf2c3132e519e33d00850e8769ebb62cf186a',
'id': 'bb:501',
'start_pc': 501,
'type': 'basic_block'},
{'end_pc': 538,
'hash': '0xa75c05a5c67571b18cbd868879dec0d7c57966797b1df8756504756360d24fa1',
'id': 'bb:509',
'start_pc': 509,
'type': 'basic_block'},
{'end_pc': 542,
'hash': '0xee4e5c2be823ee6e569c01a0bf832422eaf7ebbf27bd4c5f027d970c75b8c6f9',
'id': 'bb:539',
'start_pc': 539,
'type': 'basic_block'},
{'end_pc': 715,
'hash': '0x55470c341be9e608b9f37871022d25fc911758efeacc5d69b28df302da0d728e',
'id': 'bb:543',
'start_pc': 543,
'type': 'basic_block'},
{'id': 'call:392', 'opcode': 'CALL', 'pc': 392, 'type': 'callsite'},
{'id': 'sink:call', 'type': 'sink'},
{'entry_pc': None, 'id': 'fn:0x06fdde03', 'selector': '0x06fdde03', 'type': 'function'},
{'entry_pc': 1889567281, 'id': 'fn:0x313ce567', 'selector': '0x313ce567', 'type': 'function'},
{'entry_pc': 2514000705, 'id': 'fn:0x70a08231', 'selector': '0x70a08231', 'type': 'function'},
{'entry_pc': 2835717307, 'id': 'fn:0x95d89b41', 'selector': '0x95d89b41', 'type': 'function'},
{'entry_pc': None, 'id': 'fn:0xa9059cbb', 'selector': '0xa9059cbb', 'type': 'function'}],
'version': 'capability_graph_v1'},
'id': 2696,
'updated_at': '2026-04-04T20:42:09.000000Z',
'version': 'capability_graph_v1'}
exec
/bin/bash -lc "python - <<'PY'
import json, pprint
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
art=data['analysis_artifact']['artifact_json']
print('cfg_edges', art['cfg_edges'][:50])
PY" in /tmp/codex-0w852vhs
succeeded in 0ms:
cfg_edges [{'from': 'bb:0', 'to': 'bb:71', 'type': 'control_flow'}, {'from': 'bb:0', 'to': 'bb:25', 'type': 'control_flow_fallthrough'}, {'from': 'bb:25', 'to': 'bb:164', 'type': 'control_flow'}, {'from': 'bb:25', 'to': 'bb:36', 'type': 'control_flow_fallthrough'}, {'from': 'bb:36', 'to': 'bb:176', 'type': 'control_flow'}, {'from': 'bb:36', 'to': 'bb:47', 'type': 'control_flow_fallthrough'}, {'from': 'bb:47', 'to': 'bb:200', 'type': 'control_flow'}, {'from': 'bb:47', 'to': 'bb:58', 'type': 'control_flow_fallthrough'}, {'from': 'bb:58', 'to': 'bb:291', 'type': 'control_flow'}, {'from': 'bb:58', 'to': 'bb:69', 'type': 'control_flow_fallthrough'}, {'from': 'bb:71', 'to': 'bb:501', 'type': 'control_flow'}, {'from': 'bb:71', 'to': 'bb:137', 'type': 'control_flow_fallthrough'}, {'from': 'bb:137', 'to': 'bb:458', 'type': 'control_flow'}, {'from': 'bb:137', 'to': 'bb:145', 'type': 'control_flow_fallthrough'}, {'from': 'bb:145', 'to': 'bb:501', 'type': 'control_flow'}, {'from': 'bb:200', 'to': 'bb:501', 'type': 'control_flow'}, {'from': 'bb:200', 'to': 'bb:264', 'type': 'control_flow_fallthrough'}, {'from': 'bb:264', 'to': 'bb:458', 'type': 'control_flow'}, {'from': 'bb:264', 'to': 'bb:272', 'type': 'control_flow_fallthrough'}, {'from': 'bb:272', 'to': 'bb:501', 'type': 'control_flow'}, {'from': 'bb:291', 'to': 'bb:509', 'type': 'control_flow'}, {'from': 'bb:291', 'to': 'bb:334', 'type': 'control_flow_fallthrough'}, {'from': 'bb:338', 'to': 'bb:434', 'type': 'control_flow'}, {'from': 'bb:338', 'to': 'bb:409', 'type': 'control_flow_fallthrough'}, {'from': 'bb:409', 'to': 'bb:434', 'type': 'control_flow_fallthrough'}, {'from': 'bb:458', 'to': 'bb:472', 'type': 'control_flow_fallthrough'}, {'from': 'bb:472', 'to': 'bb:472', 'type': 'control_flow'}, {'from': 'bb:472', 'to': 'bb:492', 'type': 'control_flow_fallthrough'}, {'from': 'bb:492', 'to': 'bb:501', 'type': 'control_flow_fallthrough'}, {'from': 'bb:509', 'to': 'bb:543', 'type': 'control_flow'}, {'from': 'bb:509', 'to': 'bb:539', 'type': 'control_flow_fallthrough'}]
exec
/bin/bash -lc "python - <<'PY'
import json, pprint
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
print('is_proxy', data['artifact'].get('is_proxy'))
print('implementation_address', data['artifact'].get('implementation_address'))
print('verified_source', type(data['artifact'].get('verified_source')).__name__, data['artifact'].get('verified_source'))
print('compiler_json', data['artifact'].get('compiler_json'))
PY" in /tmp/codex-0w852vhs
succeeded in 0ms:
is_proxy False
implementation_address None
verified_source bool False
compiler_json {'etherscan': {'skipped': True}}
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
code=bytes.fromhex(data['artifact']['runtime_bytecode']['full'][2:])
pcs=[i for i,b in enumerate(code) if b==0x34]
print('CALLVALUE pcs', pcs)
pcs2=[i for i,b in enumerate(code) if b==0xfd]
print('REVERT pcs', pcs2[:20], 'count', len(pcs2))
PY" in /tmp/codex-0w852vhs
succeeded in 0ms:
CALLVALUE pcs []
REVERT pcs [16, 332] count 2
exec
/bin/bash -lc "python - <<'PY'
import json
ops={}
for i in range(1,33): ops[0x5f+i]=i
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
code=bytes.fromhex(data['artifact']['runtime_bytecode']['full'][2:])
pc=0
sstores=[]
while pc<len(code):
op=code[pc]
if op==0x55:
sstores.append(pc)
if 0x60<=op<=0x7f:
pc += 1 + (op-0x5f)
else:
pc += 1
print('SSTORE pcs', sstores)
PY" in /tmp/codex-0w852vhs
succeeded in 0ms:
SSTORE pcs [589, 636]
codex
{"no_findings":false,"summary":"Bytecode looks like a small ERC20-like token with metadata (`0x06fdde03`,`0x95d89b41`), `decimals` (`0x313ce567`), `balanceOf` (`0x70a08231`), and `transfer` (`0xa9059cbb`). I did not find evidence of proxy/upgradeability logic, delegatecall, or user-controlled external calls. The single `CALL` at `pc:0x188` is consistent with the identity precompile (`0x04`) used by older Solidity string-return helpers, so I am not treating the detector's untrusted-call alert as a real issue. One meaningful risk remains: the runtime appears payable everywhere and the fallback path simply stops, so ETH sent to this contract is likely stuck.","findings":[{"severity":"low","category":"other","title":"Payable runtime likely allows ETH to be trapped permanently","exploit_scenario":"Because the runtime has no visible `CALLVALUE` checks, a user or integrating contract can send ETH along with any call, or directly hit the fallback/receive path, and the call will not revert. The visible runtime only exposes token metadata, `balanceOf`, and `transfer`; I found no withdrawal or sweep path in the bytecode. If ETH is sent accidentally, it is likely unrecoverable.","recommendation":"Make non-ETH functions explicitly nonpayable and revert in fallback/receive unless ETH custody is intentional. If ETH must be accepted, add an explicit, access-controlled withdrawal/sweep mechanism.","evidence":"Selector dispatch falls through to `pc:0x45`, which is a bare `STOP`, not a revert. I found no `CALLVALUE` opcode in the runtime, so no payable guard is visible. The only state writes are the two balance `SSTORE`s in the `transfer` path, and the only `CALL` (`pc:0x188`) matches the identity precompile pattern rather than an ETH-withdrawal path. This conclusion is based on bytecode only; selector inference can miss hidden functionality, but the explicit jump table here makes that less likely.","locations":["pc:0x0","pc:0x45","pc:0x123"]}]}
tokens used
48,696
{
"codex": {
"ran_at": "2026-04-05T06:56:24.922832+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 1434,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "Bytecode looks like a small ERC20-like token with metadata (`0x06fdde03`,`0x95d89b41`), `decimals` (`0x313ce567`), `balanceOf` (`0x70a08231`), and `transfer` (`0xa9059cbb`). I did not find evidence of proxy/upgradeability logic, delegatecall, or user-controlled external calls. The single `CALL` at `pc:0x188` is consistent with the identity precompile (`0x04`) used by older Solidity string-return helpers, so I am not treating the detector's untrusted-call alert as a real issue. One meaningful risk remains: the runtime appears payable everywhere and the fallback path simply stops, so ETH sent to this contract is likely stuck.",
"raw_final": {
"summary": "Bytecode looks like a small ERC20-like token with metadata (`0x06fdde03`,`0x95d89b41`), `decimals` (`0x313ce567`), `balanceOf` (`0x70a08231`), and `transfer` (`0xa9059cbb`). I did not find evidence of proxy/upgradeability logic, delegatecall, or user-controlled external calls. The single `CALL` at `pc:0x188` is consistent with the identity precompile (`0x04`) used by older Solidity string-return helpers, so I am not treating the detector's untrusted-call alert as a real issue. One meaningful risk remains: the runtime appears payable everywhere and the fallback path simply stops, so ETH sent to this contract is likely stuck.",
"findings": [
{
"title": "Payable runtime likely allows ETH to be trapped permanently",
"category": "other",
"evidence": "Selector dispatch falls through to `pc:0x45`, which is a bare `STOP`, not a revert. I found no `CALLVALUE` opcode in the runtime, so no payable guard is visible. The only state writes are the two balance `SSTORE`s in the `transfer` path, and the only `CALL` (`pc:0x188`) matches the identity precompile pattern rather than an ETH-withdrawal path. This conclusion is based on bytecode only; selector inference can miss hidden functionality, but the explicit jump table here makes that less likely.",
"severity": "low",
"locations": [
"pc:0x0",
"pc:0x45",
"pc:0x123"
],
"recommendation": "Make non-ETH functions explicitly nonpayable and revert in fallback/receive unless ETH custody is intentional. If ETH must be accepted, add an explicit, access-controlled withdrawal/sweep mechanism.",
"exploit_scenario": "Because the runtime has no visible `CALLVALUE` checks, a user or integrating contract can send ETH along with any call, or directly hit the fallback/receive path, and the call will not revert. The visible runtime only exposes token metadata, `balanceOf`, and `transfer`; I found no withdrawal or sweep path in the bytecode. If ETH is sent accidentally, it is likely unrecoverable."
}
],
"no_findings": false
},
"no_findings": false,
"schema_version": 1
}
00000000: PUSH1 0x60 00000002: PUSH1 0x40 00000004: MSTORE 00000005: PUSH1 0xe0 00000007: PUSH1 0x02 00000009: EXP 0000000a: PUSH1 0x00 0000000c: CALLDATALOAD 0000000d: DIV 0000000e: PUSH4 0x06fdde03 00000013: DUP2 00000014: EQ 00000015: PUSH2 0x0047 00000018: JUMPI 00000019: DUP1 0000001a: PUSH4 0x313ce567 0000001f: EQ 00000020: PUSH2 0x00a4 00000023: JUMPI 00000024: DUP1 00000025: PUSH4 0x70a08231 0000002a: EQ 0000002b: PUSH2 0x00b0 0000002e: JUMPI 0000002f: DUP1 00000030: PUSH4 0x95d89b41 00000035: EQ 00000036: PUSH2 0x00c8 00000039: JUMPI 0000003a: DUP1 0000003b: PUSH4 0xa9059cbb 00000040: EQ 00000041: PUSH2 0x0123 00000044: JUMPI 00000045: JUMPDEST 00000046: STOP 00000047: JUMPDEST 00000048: PUSH2 0x0152 0000004b: PUSH1 0x00 0000004d: DUP1 0000004e: SLOAD 0000004f: PUSH1 0x20 00000051: PUSH1 0x02 00000053: PUSH1 0x01 00000055: DUP4 00000056: AND 00000057: ISZERO 00000058: PUSH2 0x0100 0000005b: MUL 0000005c: PUSH1 0x00 0000005e: NOT 0000005f: ADD 00000060: SWAP1 00000061: SWAP3 00000062: AND 00000063: SWAP2 00000064: SWAP1 00000065: SWAP2 00000066: DIV 00000067: PUSH1 0x1f 00000069: DUP2 0000006a: ADD 0000006b: DUP3 0000006c: SWAP1 0000006d: DIV 0000006e: SWAP1 0000006f: SWAP2 00000070: MUL 00000071: PUSH1 0x80 00000073: SWAP1 00000074: DUP2 00000075: ADD 00000076: PUSH1 0x40 00000078: MSTORE 00000079: PUSH1 0x60 0000007b: DUP3 0000007c: DUP2 0000007d: MSTORE 0000007e: SWAP3 0000007f: SWAP2 00000080: SWAP1 00000081: DUP3 00000082: DUP3 00000083: DUP1 00000084: ISZERO 00000085: PUSH2 0x01f5 00000088: JUMPI 00000089: DUP1 0000008a: PUSH1 0x1f 0000008c: LT 0000008d: PUSH2 0x01ca 00000090: JUMPI 00000091: PUSH2 0x0100 00000094: DUP1 00000095: DUP4 00000096: SLOAD 00000097: DIV 00000098: MUL 00000099: DUP4 0000009a: MSTORE 0000009b: SWAP2 0000009c: PUSH1 0x20 0000009e: ADD 0000009f: SWAP2 000000a0: PUSH2 0x01f5 000000a3: JUMP 000000a4: JUMPDEST 000000a5: PUSH2 0x01c0 000000a8: PUSH1 0x02 000000aa: SLOAD 000000ab: PUSH1 0xff 000000ad: AND 000000ae: DUP2 000000af: JUMP 000000b0: JUMPDEST 000000b1: PUSH2 0x01c0 000000b4: PUSH1 0x04 000000b6: CALLDATALOAD 000000b7: PUSH1 0x03 000000b9: PUSH1 0x20 000000bb: MSTORE 000000bc: PUSH1 0x00 000000be: SWAP1 000000bf: DUP2 000000c0: MSTORE 000000c1: PUSH1 0x40 000000c3: SWAP1 000000c4: KECCAK256 000000c5: SLOAD 000000c6: DUP2 000000c7: JUMP 000000c8: JUMPDEST 000000c9: PUSH2 0x0152 000000cc: PUSH1 0x01 000000ce: DUP1 000000cf: SLOAD 000000d0: PUSH1 0x20 000000d2: PUSH1 0x1f 000000d4: PUSH1 0x02 000000d6: PUSH1 0x00 000000d8: NOT 000000d9: PUSH2 0x0100 000000dc: DUP6 000000dd: DUP8 000000de: AND 000000df: ISZERO 000000e0: MUL 000000e1: ADD 000000e2: SWAP1 000000e3: SWAP4 000000e4: AND 000000e5: SWAP3 000000e6: SWAP1 000000e7: SWAP3 000000e8: DIV 000000e9: SWAP2 000000ea: DUP3 000000eb: ADD 000000ec: DUP2 000000ed: SWAP1 000000ee: DIV 000000ef: MUL 000000f0: PUSH1 0x80 000000f2: SWAP1 000000f3: DUP2 000000f4: ADD 000000f5: PUSH1 0x40 000000f7: MSTORE 000000f8: PUSH1 0x60 000000fa: DUP3 000000fb: DUP2 000000fc: MSTORE 000000fd: SWAP3 000000fe: SWAP2 000000ff: SWAP1 00000100: DUP3 00000101: DUP3 00000102: DUP1 00000103: ISZERO 00000104: PUSH2 0x01f5 00000107: JUMPI 00000108: DUP1 00000109: PUSH1 0x1f 0000010b: LT 0000010c: PUSH2 0x01ca 0000010f: JUMPI 00000110: PUSH2 0x0100 00000113: DUP1 00000114: DUP4 00000115: SLOAD 00000116: DIV 00000117: MUL 00000118: DUP4 00000119: MSTORE 0000011a: SWAP2 0000011b: PUSH1 0x20 0000011d: ADD 0000011e: SWAP2 0000011f: PUSH2 0x01f5 00000122: JUMP 00000123: JUMPDEST 00000124: PUSH2 0x0045 00000127: PUSH1 0x04 00000129: CALLDATALOAD 0000012a: PUSH1 0x24 0000012c: CALLDATALOAD 0000012d: PUSH1 0x01 0000012f: PUSH1 0xa0 00000131: PUSH1 0x02 00000133: EXP 00000134: SUB 00000135: CALLER 00000136: AND 00000137: PUSH1 0x00 00000139: SWAP1 0000013a: DUP2 0000013b: MSTORE 0000013c: PUSH1 0x03 0000013e: PUSH1 0x20 00000140: MSTORE 00000141: PUSH1 0x40 00000143: SWAP1 00000144: KECCAK256 00000145: SLOAD 00000146: DUP2 00000147: SWAP1 00000148: LT 00000149: ISZERO 0000014a: PUSH2 0x01fd 0000014d: JUMPI 0000014e: PUSH2 0x0002 00000151: JUMP 00000152: JUMPDEST 00000153: PUSH1 0x40 00000155: MLOAD 00000156: DUP1 00000157: DUP1 00000158: PUSH1 0x20 0000015a: ADD 0000015b: DUP3 0000015c: DUP2 0000015d: SUB 0000015e: DUP3 0000015f: MSTORE 00000160: DUP4 00000161: DUP2 00000162: DUP2 00000163: MLOAD 00000164: DUP2 00000165: MSTORE 00000166: PUSH1 0x20 00000168: ADD 00000169: SWAP2 0000016a: POP 0000016b: DUP1 0000016c: MLOAD 0000016d: SWAP1 0000016e: PUSH1 0x20 00000170: ADD 00000171: SWAP1 00000172: DUP1 00000173: DUP4 00000174: DUP4 00000175: DUP3 00000176: SWAP1 00000177: PUSH1 0x00 00000179: PUSH1 0x04 0000017b: PUSH1 0x20 0000017d: DUP5 0000017e: PUSH1 0x1f 00000180: ADD 00000181: DIV 00000182: PUSH1 0x0f 00000184: MUL 00000185: PUSH1 0x03 00000187: ADD 00000188: CALL 00000189: POP 0000018a: SWAP1 0000018b: POP 0000018c: SWAP1 0000018d: DUP2 0000018e: ADD 0000018f: SWAP1 00000190: PUSH1 0x1f 00000192: AND 00000193: DUP1 00000194: ISZERO 00000195: PUSH2 0x01b2 00000198: JUMPI 00000199: DUP1 0000019a: DUP3 0000019b: SUB 0000019c: DUP1 0000019d: MLOAD 0000019e: PUSH1 0x01 000001a0: DUP4 000001a1: PUSH1 0x20 000001a3: SUB 000001a4: PUSH2 0x0100 000001a7: EXP 000001a8: SUB 000001a9: NOT 000001aa: AND 000001ab: DUP2 000001ac: MSTORE 000001ad: PUSH1 0x20 000001af: ADD 000001b0: SWAP2 000001b1: POP 000001b2: JUMPDEST 000001b3: POP 000001b4: SWAP3 000001b5: POP 000001b6: POP 000001b7: POP 000001b8: PUSH1 0x40 000001ba: MLOAD 000001bb: DUP1 000001bc: SWAP2 000001bd: SUB 000001be: SWAP1 000001bf: RETURN 000001c0: JUMPDEST 000001c1: PUSH1 0x60 000001c3: SWAP1 000001c4: DUP2 000001c5: MSTORE 000001c6: PUSH1 0x20 000001c8: SWAP1 000001c9: RETURN 000001ca: JUMPDEST 000001cb: DUP3 000001cc: ADD 000001cd: SWAP2 000001ce: SWAP1 000001cf: PUSH1 0x00 000001d1: MSTORE 000001d2: PUSH1 0x20 000001d4: PUSH1 0x00 000001d6: KECCAK256 000001d7: SWAP1 000001d8: JUMPDEST 000001d9: DUP2 000001da: SLOAD 000001db: DUP2 000001dc: MSTORE 000001dd: SWAP1 000001de: PUSH1 0x01 000001e0: ADD 000001e1: SWAP1 000001e2: PUSH1 0x20 000001e4: ADD 000001e5: DUP1 000001e6: DUP4 000001e7: GT 000001e8: PUSH2 0x01d8 000001eb: JUMPI 000001ec: DUP3 000001ed: SWAP1 000001ee: SUB 000001ef: PUSH1 0x1f 000001f1: AND 000001f2: DUP3 000001f3: ADD 000001f4: SWAP2 000001f5: JUMPDEST 000001f6: POP 000001f7: POP 000001f8: POP 000001f9: POP 000001fa: POP 000001fb: DUP2 000001fc: JUMP 000001fd: JUMPDEST 000001fe: PUSH1 0x01 00000200: PUSH1 0xa0 00000202: PUSH1 0x02 00000204: EXP 00000205: SUB 00000206: DUP3 00000207: AND 00000208: PUSH1 0x00 0000020a: SWAP1 0000020b: DUP2 0000020c: MSTORE 0000020d: PUSH1 0x40 0000020f: SWAP1 00000210: KECCAK256 00000211: SLOAD 00000212: DUP1 00000213: DUP3 00000214: ADD 00000215: LT 00000216: ISZERO 00000217: PUSH2 0x021f 0000021a: JUMPI 0000021b: PUSH2 0x0002 0000021e: JUMP 0000021f: JUMPDEST 00000220: DUP1 00000221: PUSH1 0x03 00000223: PUSH1 0x00 00000225: POP 00000226: PUSH1 0x00 00000228: CALLER 00000229: PUSH1 0x01 0000022b: PUSH1 0xa0 0000022d: PUSH1 0x02 0000022f: EXP 00000230: SUB 00000231: AND 00000232: DUP2 00000233: MSTORE 00000234: PUSH1 0x20 00000236: ADD 00000237: SWAP1 00000238: DUP2 00000239: MSTORE 0000023a: PUSH1 0x20 0000023c: ADD 0000023d: PUSH1 0x00 0000023f: KECCAK256 00000240: PUSH1 0x00 00000242: DUP3 00000243: DUP3 00000244: DUP3 00000245: POP 00000246: SLOAD 00000247: SUB 00000248: SWAP3 00000249: POP 0000024a: POP 0000024b: DUP2 0000024c: SWAP1 0000024d: SSTORE 0000024e: POP 0000024f: DUP1 00000250: PUSH1 0x03 00000252: PUSH1 0x00 00000254: POP 00000255: PUSH1 0x00 00000257: DUP5 00000258: PUSH1 0x01 0000025a: PUSH1 0xa0 0000025c: PUSH1 0x02 0000025e: EXP 0000025f: SUB 00000260: AND 00000261: DUP2 00000262: MSTORE 00000263: PUSH1 0x20 00000265: ADD 00000266: SWAP1 00000267: DUP2 00000268: MSTORE 00000269: PUSH1 0x20 0000026b: ADD 0000026c: PUSH1 0x00 0000026e: KECCAK256 0000026f: PUSH1 0x00 00000271: DUP3 00000272: DUP3 00000273: DUP3 00000274: POP 00000275: SLOAD 00000276: ADD 00000277: SWAP3 00000278: POP 00000279: POP 0000027a: DUP2 0000027b: SWAP1 0000027c: SSTORE 0000027d: POP 0000027e: DUP2 0000027f: PUSH1 0x01 00000281: PUSH1 0xa0 00000283: PUSH1 0x02 00000285: EXP 00000286: SUB 00000287: AND 00000288: CALLER 00000289: PUSH1 0x01 0000028b: PUSH1 0xa0 0000028d: PUSH1 0x02 0000028f: EXP 00000290: SUB 00000291: AND 00000292: PUSH32 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef 000002b3: DUP4 000002b4: PUSH1 0x40 000002b6: MLOAD 000002b7: DUP1 000002b8: DUP3 000002b9: DUP2 000002ba: MSTORE 000002bb: PUSH1 0x20 000002bd: ADD 000002be: SWAP2 000002bf: POP 000002c0: POP 000002c1: PUSH1 0x40 000002c3: MLOAD 000002c4: DUP1 000002c5: SWAP2 000002c6: SUB 000002c7: SWAP1 000002c8: LOG3 000002c9: POP 000002ca: POP 000002cb: JUMP
Warning: This is a nightly build of Foundry. It is recommended to use the latest stable version. To mute this warning set `FOUNDRY_DISABLE_NIGHTLY_WARNING` in your environment.
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | other | detector | Untrusted CALL target/value reachable | 60 | yes | yes |
viewtrace_id: 0xc01ce1f30f6210a87f28efe79c6b32661a856a653fbf4abf9b3de316ee75af35
call_targets:
0x0000000000000000000000000000000000000004, 0xa9161619071b56d4cacbdd0045b8c12723fcb683
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0xc01ce1f30f6210a87f28efe79c6b32661a856a653fbf4abf9b3de316ee75af35",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0xa9161619071b56d4cacbdd0045b8c12723fcb683"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x70a08231",
"selector": "0x70a08231",
"calldata_variants": [
"0x70a08231",
"0x70a082310000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x95d89b41",
"selector": "0x95d89b41",
"calldata_variants": [
"0x95d89b41",
"0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa9059cbb",
"selector": "0xa9059cbb",
"calldata_variants": [
"0xa9059cbb",
"0xa9059cbb0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 392,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 1,
"guards_detected": [],
"untrusted_call_count": 1
}
|
| high | other | detector | ETH value transfer possible | 55 | yes | yes |
viewtrace_id: 0xc01ce1f30f6210a87f28efe79c6b32661a856a653fbf4abf9b3de316ee75af35
call_targets:
0x0000000000000000000000000000000000000004, 0xa9161619071b56d4cacbdd0045b8c12723fcb683
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0xc01ce1f30f6210a87f28efe79c6b32661a856a653fbf4abf9b3de316ee75af35",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0xa9161619071b56d4cacbdd0045b8c12723fcb683"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x70a08231",
"selector": "0x70a08231",
"calldata_variants": [
"0x70a08231",
"0x70a082310000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x95d89b41",
"selector": "0x95d89b41",
"calldata_variants": [
"0x95d89b41",
"0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa9059cbb",
"selector": "0xa9059cbb",
"calldata_variants": [
"0xa9059cbb",
"0xa9059cbb0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 392,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 1,
"guards_detected": []
}
|
| low | other | codex | Payable runtime likely allows ETH to be trapped permanently | 65 | no | — |
viewevidence_json{
"evidence": "Selector dispatch falls through to `pc:0x45`, which is a bare `STOP`, not a revert. I found no `CALLVALUE` opcode in the runtime, so no payable guard is visible. The only state writes are the two balance `SSTORE`s in the `transfer` path, and the only `CALL` (`pc:0x188`) matches the identity precompile pattern rather than an ETH-withdrawal path. This conclusion is based on bytecode only; selector inference can miss hidden functionality, but the explicit jump table here makes that less likely.",
"locations": [
"pc:0x0",
"pc:0x45",
"pc:0x123"
],
"recommendation": "Make non-ETH functions explicitly nonpayable and revert in fallback/receive unless ETH custody is intentional. If ETH must be accepted, add an explicit, access-controlled withdrawal/sweep mechanism.",
"exploit_scenario": "Because the runtime has no visible `CALLVALUE` checks, a user or integrating contract can send ETH along with any call, or directly hit the fallback/receive path, and the call will not revert. The visible runtime only exposes token metadata, `balanceOf`, and `transfer`; I found no withdrawal or sweep path in the bytecode. If ETH is sent accidentally, it is likely unrecoverable."
}
|