019b3836-402f-712f-9b83-79c8b5f61796
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 5175 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 5176 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 48764 | analysis.bundle | complete | 1 / 3 | 1 week ago |
| 48765 | capability.graph | complete | 1 / 3 | 1 week ago |
| 48766 | detector.run | complete | 1 / 3 | 1 week ago |
| 48767 | validation.fork | complete | 1 / 3 | 1 week ago |
| 113302 | report.consolidate | complete | 1 / 6 | 1 week ago |
No slither job recorded yet.
{"no_findings":false,"summary":"Bytecode looks like a small non-proxy token with five selectors (`name`, `symbol`, `decimals`, `balanceOf`, `transfer`). I did not find evidence of delegatecall, upgrade slots, or a reentrant state-changing external call. The detector-reported `CALL` at `pc:392` sits inside the long-string return helper used by `name`/`symbol` and is more consistent with the old Solidity identity-precompile copy pattern than an attacker-controlled outbound interaction. The concrete issues supported by the bytecode are a non-standard `transfer` ABI and unconditional ETH acceptance.","findings":[{"severity":"low","category":"other","title":"`transfer(0xa9059cbb)` does not return the standard ERC20 boolean","exploit_scenario":"A protocol that assumes selector `0xa9059cbb` is ERC20-compliant and requires a 32-byte boolean return can fail to interact with this token. If that protocol already custodies the token, outbound transfers may keep reverting until it adds special handling for optional return data, effectively trapping user positions inside the integration.","recommendation":"If the contract is upgradeable or replaceable, make `transfer` return a 32-byte success value (`true`) on the success path. If it is immutable, integrations should only use wrappers that tolerate optional ERC20 return data.","evidence":"The dispatcher routes selector `0xa9059cbb` to `pc:291`. That path checks sender balance, updates the mapping at `pc:576` and `pc:622`, emits the `Transfer` log at `pc:658`-`pc:712`, and then executes `JUMP` at `pc:715` back to return address `0x0045`, which is `pc:69` (`STOP`). There is no selector-specific `RETURN` of a 32-byte boolean on this path.","locations":["selector:0xa9059cbb","pc:291","pc:576","pc:622","pc:715","pc:69"]},{"severity":"low","category":"other","title":"Fallback and function entries accept ETH, with no evident recovery path","exploit_scenario":"Any user or integrator that accidentally sends ETH to this contract, either via empty calldata/unknown selector or alongside one of the exposed functions, will not be rejected. From the available bytecode there is no dedicated withdrawal selector, no proxy admin path, and no obvious owner-only rescue function, so accidentally sent ETH is likely to remain stuck.","recommendation":"Reject unexpected ETH by making the fallback/nonpayable entrypoints revert on nonzero `msg.value`, or add an explicit rescue path if ETH custody is intended.","evidence":"The dispatcher falls through to `pc:69`, which is a bare `STOP`, so empty calldata and unknown selectors succeed instead of reverting. Across the runtime bytecode there is no `CALLVALUE` opcode, meaning the exposed selectors also do not enforce nonpayable behavior. The only outbound `CALL` in the bundle is the helper at `pc:392`, which appears tied to string-return handling rather than an ETH withdrawal function; bytecode-only analysis cannot prove every edge case, but I do not see a reachable recovery path.","locations":["pc:0","pc:69","pc:71","pc:176","pc:200","pc:291","pc:392"]}]}
OpenAI Codex v0.118.0 (research preview)
--------
workdir: /tmp/codex-b11fa6yj
model: gpt-5.4
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: none
session id: 019d5c5e-ebc8-75d2-a733-ea5b54854048
--------
user
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
warning: Codex could not find system bubblewrap on PATH. Please install bubblewrap with your package manager. Codex will use the vendored bubblewrap in the meantime.
exec
/bin/bash -lc pwd in /tmp/codex-b11fa6yj
succeeded in 0ms:
/tmp/codex-b11fa6yj
exec
/bin/bash -lc 'rg --files' in /tmp/codex-b11fa6yj
succeeded in 0ms:
codex-output-schema.json
BYTECODE_BUNDLE.json
→ Read BYTECODE_BUNDLE.json and identify the contract shape, entrypoints, and detector artifacts
• Evaluate evidence for concrete security issues with bytecode-level uncertainty called out
• Return findings as JSON matching the required schema
exec
/bin/bash -lc 'wc -c BYTECODE_BUNDLE.json' in /tmp/codex-b11fa6yj
succeeded in 0ms:
44930 BYTECODE_BUNDLE.json
exec
/bin/bash -lc "sed -n '1,220p' BYTECODE_BUNDLE.json" in /tmp/codex-b11fa6yj
succeeded in 0ms:
{
"analysis_artifact": {
"address": "0xb0c3ffc92314c9192214f202a0d3bd022caeaa94",
"artifact_hash": "0x809753134b52255340a33f9ed532d71297ef581feb31e0abb2d615c60b41d701",
"artifact_json": {
"auth": {
"guards": []
},
"basic_blocks": [
{
"end_pc": 24,
"hash": "0x6a350686911b120d699f8e8d1e9440d4ce17c4434492baee43484e2ef083a112",
"opcodes": [
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"PUSH1",
"EXP",
"PUSH1",
"CALLDATALOAD",
"DIV",
"PUSH4",
"OP_81",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 0
},
{
"end_pc": 35,
"hash": "0x09fc75e3aa8fb02b98e24881cc463925488c7dfa7ef308570a5930c5c420c614",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 25
},
{
"end_pc": 46,
"hash": "0x976103db32485bde438fb5c3f9f54ee02f48623f2e3b08249411cd4aee3c334a",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 36
},
{
"end_pc": 57,
"hash": "0x3c19c073e27395dc44272beb525b6373ad140a4045aabbd1b653e498e1806824",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 47
},
{
"end_pc": 68,
"hash": "0x3a122683470ea7901e31e80e6378780a829a06da64b04e691b5d5c5621392507",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 58
},
{
"end_pc": 70,
"hash": "0x55afd043d32294d5f0189f5a0aa04f3174e4c087a31c85396f49b5f17813cb96",
"opcodes": [
"JUMPDEST",
"STOP"
],
"start_pc": 69
},
{
"end_pc": 136,
"hash": "0xfc01f99e3d71612bfaa85e2bb57cdd9403eabce7b9348bcac405b7924f1b1f2d",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"OP_80",
"SLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"OP_83",
"AND",
"ISZERO",
"PUSH2",
"MUL",
"PUSH1",
"NOT",
"ADD",
"OP_90",
"OP_92",
"AND",
"OP_91",
"OP_90",
"OP_91",
"DIV",
"PUSH1",
"OP_81",
"ADD",
"OP_82",
"OP_90",
"DIV",
"OP_90",
"OP_91",
"MUL",
"PUSH1",
"OP_90",
"OP_81",
"ADD",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_82",
"OP_81",
"MSTORE",
"OP_92",
"OP_91",
"OP_90",
"OP_82",
"OP_82",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 71
},
{
"end_pc": 144,
"hash": "0x94766029cd41199d0239fbf67bb17d1e452d9bb9f7b63a80357531b66475e6d3",
"opcodes": [
"OP_80",
"PUSH1",
"LT",
"PUSH2",
"JUMPI"
],
"start_pc": 137
},
{
"end_pc": 163,
"hash": "0x7a9c5e28ca72e7db26993eb4591b942a2bd83baf5200667721f5598807ec92a5",
"opcodes": [
"PUSH2",
"OP_80",
"OP_83",
"SLOAD",
"DIV",
"MUL",
"OP_83",
"MSTORE",
"OP_91",
"PUSH1",
"ADD",
"OP_91",
"PUSH2",
"JUMP"
],
"start_pc": 145
},
{
"end_pc": 175,
"hash": "0x938aee19a0e1094c19b5a9528f839968d51c237564158e673ab6899436584f6e",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"SLOAD",
"PUSH1",
"AND",
"OP_81",
"JUMP"
],
"start_pc": 164
},
{
"end_pc": 199,
"hash": "0x7b0565c261db3d55c39f20ac0ee4d4710d6951f51b6844e361a4647909dcfc38",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"OP_90",
"SHA3",
"SLOAD",
"OP_81",
"JUMP"
],
"start_pc": 176
},
{
"end_pc": 263,
"hash": "0x05bb2b1cf28e868299a2692b981f091c16cd0b0ff5f325436e762172d3967632",
exec
/bin/bash -lc "sed -n '1,220p' codex-output-schema.json" in /tmp/codex-b11fa6yj
succeeded in 0ms:
{"type": "object", "additionalProperties": false, "required": ["no_findings", "summary", "findings"], "properties": {"no_findings": {"type": "boolean"}, "summary": {"type": "string"}, "findings": {"type": "array", "items": {"type": "object", "additionalProperties": false, "required": ["severity", "category", "title", "evidence", "locations", "exploit_scenario", "recommendation"], "properties": {"severity": {"type": "string", "enum": ["info", "low", "medium", "high", "critical"]}, "category": {"type": "string", "enum": ["access_control", "reentrancy", "math", "oracle", "upgradeability", "auth", "other"]}, "title": {"type": "string"}, "exploit_scenario": {"type": "string"}, "recommendation": {"type": "string"}, "evidence": {"type": "string"}, "locations": {"type": "array", "items": {"type": "string"}}}}}}}
exec
/bin/bash -lc "jq 'keys, .analysis_artifact.artifact_json | keys' BYTECODE_BUNDLE.json" in /tmp/codex-b11fa6yj
succeeded in 0ms:
[
0,
1,
2,
3,
4,
5
]
[
"auth",
"basic_blocks",
"callsites",
"cfg_edges",
"cfg_hash",
"dispatcher_type",
"function_entries",
"functions",
"selectors",
"sinks",
"storage",
"version"
]
exec
/bin/bash -lc "jq 'type, map(type)' BYTECODE_BUNDLE.json" in /tmp/codex-b11fa6yj
succeeded in 0ms:
"object"
[
"object",
"object",
"object",
"object",
"array",
"object"
]
exec
/bin/bash -lc "jq '.[0] | keys' BYTECODE_BUNDLE.json" in /tmp/codex-b11fa6yj
exited 5 in 0ms:
jq: error (at BYTECODE_BUNDLE.json:1722): Cannot index object with number
exec
/bin/bash -lc "jq '.[1] | keys' BYTECODE_BUNDLE.json" in /tmp/codex-b11fa6yj
exited 5 in 0ms:
jq: error (at BYTECODE_BUNDLE.json:1722): Cannot index object with number
exec
/bin/bash -lc "jq '.[2] | keys' BYTECODE_BUNDLE.json" in /tmp/codex-b11fa6yj
exited 5 in 0ms:
jq: error (at BYTECODE_BUNDLE.json:1722): Cannot index object with number
exec
/bin/bash -lc "jq 'keys' BYTECODE_BUNDLE.json" in /tmp/codex-b11fa6yj
succeeded in 0ms:
[
"analysis_artifact",
"analysis_run",
"artifact",
"capability_graph",
"detector_findings",
"heuristics_summary"
]
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.function_entries' BYTECODE_BUNDLE.json" in /tmp/codex-b11fa6yj
succeeded in 0ms:
[
{
"entry_pc": null,
"selector": "0x06fdde03"
},
{
"entry_pc": 1889567281,
"selector": "0x313ce567"
},
{
"entry_pc": 2514000705,
"selector": "0x70a08231"
},
{
"entry_pc": 2835717307,
"selector": "0x95d89b41"
},
{
"entry_pc": null,
"selector": "0xa9059cbb"
}
]
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.selectors' BYTECODE_BUNDLE.json" in /tmp/codex-b11fa6yj
succeeded in 0ms:
[
"0x06fdde03",
"0x313ce567",
"0x70a08231",
"0x95d89b41",
"0xa9059cbb"
]
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.callsites' BYTECODE_BUNDLE.json" in /tmp/codex-b11fa6yj
succeeded in 0ms:
[
{
"opcode": "CALL",
"pc": 392,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
]
exec
/bin/bash -lc "jq '.detector_findings' BYTECODE_BUNDLE.json" in /tmp/codex-b11fa6yj
succeeded in 0ms:
[
{
"confidence": 60,
"evidence_json": {
"call_count": 1,
"examples": [
{
"opcode": "CALL",
"pc": 392,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": [],
"untrusted_call_count": 1
},
"normalized_json": {
"sink": "CALL"
},
"severity": "high",
"title": "Untrusted CALL target/value reachable",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0xb0c3ffc92314c9192214f202a0d3bd022caeaa94"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x9e46fc414a7fdce0887bcf5f2abfba062db707d799b116447cdf7bb8bac0b363",
"trace_mode": "callTracer"
}
},
{
"confidence": 55,
"evidence_json": {
"eth_value_calls": 1,
"examples": [
{
"opcode": "CALL",
"pc": 392,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": []
},
"normalized_json": {
"sink": "CALL",
"value": "nonzero"
},
"severity": "high",
"title": "ETH value transfer possible",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0xb0c3ffc92314c9192214f202a0d3bd022caeaa94"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x9e46fc414a7fdce0887bcf5f2abfba062db707d799b116447cdf7bb8bac0b363",
"trace_mode": "callTracer"
}
}
]
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.functions' BYTECODE_BUNDLE.json" in /tmp/codex-b11fa6yj
succeeded in 0ms:
[
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0x06fdde03",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 1889567281,
"selector": "0x313ce567",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 2514000705,
"selector": "0x70a08231",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 2835717307,
"selector": "0x95d89b41",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0xa9059cbb",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
}
]
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.sinks' BYTECODE_BUNDLE.json" in /tmp/codex-b11fa6yj
succeeded in 0ms:
{
"call": 1,
"create": 0,
"create2": 0,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0,
"upgrade_slot_write_suspected": false
}
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.storage' BYTECODE_BUNDLE.json" in /tmp/codex-b11fa6yj
succeeded in 0ms:
{
"keccak_count": 6,
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
exec
/bin/bash -lc "jq '.heuristics_summary' BYTECODE_BUNDLE.json" in /tmp/codex-b11fa6yj
succeeded in 0ms:
{
"create2_count": 0,
"delegatecall_count": 0,
"flags": [],
"selfdestruct_count": 0
}
exec
/bin/bash -lc "jq '.artifact | keys' BYTECODE_BUNDLE.json" in /tmp/codex-b11fa6yj
succeeded in 0ms:
[
"codehash",
"compiler_json",
"implementation_address",
"is_proxy",
"runtime_bytecode",
"verified_source"
]
exec
/bin/bash -lc "jq '.analysis_run' BYTECODE_BUNDLE.json" in /tmp/codex-b11fa6yj
succeeded in 0ms:
{
"address": "0xb0c3ffc92314c9192214f202a0d3bd022caeaa94",
"block_number": null,
"chain_id": 1,
"child_links": [],
"created_at": "2025-12-19T20:03:58.000000Z",
"id": "019b3836-402f-712f-9b83-79c8b5f61796",
"parent_links": [],
"status": "running",
"updated_at": "2026-04-04T19:59:21.000000Z"
}
exec
/bin/bash -lc "jq '.capability_graph' BYTECODE_BUNDLE.json" in /tmp/codex-b11fa6yj
succeeded in 0ms:
{
"address": "0xb0c3ffc92314c9192214f202a0d3bd022caeaa94",
"block_number": null,
"chain_id": 1,
"codehash": "0x9c955d6fcbfcbaebc1eba76ca0b918c6f34cf6cc3f5c33f4a4a83a88440f4e9f",
"created_at": "2026-04-04T19:59:21.000000Z",
"graph_hash": "0x2ee0f252132699f51924d69c5f1c6dfb4e7637cad6f24f07a9a7a4cd1120fbb1",
"graph_json": {
"edges": [
{
"from": "bb:0",
"to": "bb:71",
"type": "control_flow"
},
{
"from": "bb:0",
"to": "bb:25",
"type": "control_flow_fallthrough"
},
{
"from": "bb:25",
"to": "bb:164",
"type": "control_flow"
},
{
"from": "bb:25",
"to": "bb:36",
"type": "control_flow_fallthrough"
},
{
"from": "bb:36",
"to": "bb:176",
"type": "control_flow"
},
{
"from": "bb:36",
"to": "bb:47",
"type": "control_flow_fallthrough"
},
{
"from": "bb:47",
"to": "bb:200",
"type": "control_flow"
},
{
"from": "bb:47",
"to": "bb:58",
"type": "control_flow_fallthrough"
},
{
"from": "bb:58",
"to": "bb:291",
"type": "control_flow"
},
{
"from": "bb:58",
"to": "bb:69",
"type": "control_flow_fallthrough"
},
{
"from": "bb:71",
"to": "bb:501",
"type": "control_flow"
},
{
"from": "bb:71",
"to": "bb:137",
"type": "control_flow_fallthrough"
},
{
"from": "bb:137",
"to": "bb:458",
"type": "control_flow"
},
{
"from": "bb:137",
"to": "bb:145",
"type": "control_flow_fallthrough"
},
{
"from": "bb:145",
"to": "bb:501",
"type": "control_flow"
},
{
"from": "bb:200",
"to": "bb:501",
"type": "control_flow"
},
{
"from": "bb:200",
"to": "bb:264",
"type": "control_flow_fallthrough"
},
{
"from": "bb:264",
"to": "bb:458",
"type": "control_flow"
},
{
"from": "bb:264",
"to": "bb:272",
"type": "control_flow_fallthrough"
},
{
"from": "bb:272",
"to": "bb:501",
"type": "control_flow"
},
{
"from": "bb:291",
"to": "bb:509",
"type": "control_flow"
},
{
"from": "bb:291",
"to": "bb:334",
"type": "control_flow_fallthrough"
},
{
"from": "bb:338",
"to": "bb:434",
"type": "control_flow"
},
{
"from": "bb:338",
"to": "bb:409",
"type": "control_flow_fallthrough"
},
{
"from": "bb:409",
"to": "bb:434",
"type": "control_flow_fallthrough"
},
{
"from": "bb:458",
"to": "bb:472",
"type": "control_flow_fallthrough"
},
{
"from": "bb:472",
"to": "bb:472",
"type": "control_flow"
},
{
"from": "bb:472",
"to": "bb:492",
"type": "control_flow_fallthrough"
},
{
"from": "bb:492",
"to": "bb:501",
"type": "control_flow_fallthrough"
},
{
"from": "bb:509",
"to": "bb:543",
"type": "control_flow"
},
{
"from": "bb:509",
"to": "bb:539",
"type": "control_flow_fallthrough"
},
{
"from": "fn:0x313ce567",
"to": "bb:1889567281",
"type": "entry"
},
{
"from": "fn:0x70a08231",
"to": "bb:2514000705",
"type": "entry"
},
{
"from": "fn:0x95d89b41",
"to": "bb:2835717307",
"type": "entry"
},
{
"from": "bb:338",
"to": "call:392",
"type": "contains"
},
{
"from": "call:392",
"to": "sink:call",
"type": "capability"
}
],
"nodes": [
{
"end_pc": 24,
"hash": "0x6a350686911b120d699f8e8d1e9440d4ce17c4434492baee43484e2ef083a112",
"id": "bb:0",
"start_pc": 0,
"type": "basic_block"
},
{
"end_pc": 35,
"hash": "0x09fc75e3aa8fb02b98e24881cc463925488c7dfa7ef308570a5930c5c420c614",
"id": "bb:25",
"start_pc": 25,
"type": "basic_block"
},
{
"end_pc": 46,
"hash": "0x976103db32485bde438fb5c3f9f54ee02f48623f2e3b08249411cd4aee3c334a",
"id": "bb:36",
"start_pc": 36,
"type": "basic_block"
},
{
"end_pc": 57,
"hash": "0x3c19c073e27395dc44272beb525b6373ad140a4045aabbd1b653e498e1806824",
"id": "bb:47",
"start_pc": 47,
"type": "basic_block"
},
{
"end_pc": 68,
"hash": "0x3a122683470ea7901e31e80e6378780a829a06da64b04e691b5d5c5621392507",
"id": "bb:58",
"start_pc": 58,
"type": "basic_block"
},
{
"end_pc": 70,
"hash": "0x55afd043d32294d5f0189f5a0aa04f3174e4c087a31c85396f49b5f17813cb96",
"id": "bb:69",
"start_pc": 69,
"type": "basic_block"
},
{
"end_pc": 136,
"hash": "0xfc01f99e3d71612bfaa85e2bb57cdd9403eabce7b9348bcac405b7924f1b1f2d",
"id": "bb:71",
"start_pc": 71,
"type": "basic_block"
},
{
"end_pc": 144,
"hash": "0x94766029cd41199d0239fbf67bb17d1e452d9bb9f7b63a80357531b66475e6d3",
"id": "bb:137",
"start_pc": 137,
"type": "basic_block"
},
{
"end_pc": 163,
"hash": "0x7a9c5e28ca72e7db26993eb4591b942a2bd83baf5200667721f5598807ec92a5",
"id": "bb:145",
"start_pc": 145,
"type": "basic_block"
},
{
"end_pc": 175,
"hash": "0x938aee19a0e1094c19b5a9528f839968d51c237564158e673ab6899436584f6e",
"id": "bb:164",
"start_pc": 164,
"type": "basic_block"
},
{
"end_pc": 199,
"hash": "0x7b0565c261db3d55c39f20ac0ee4d4710d6951f51b6844e361a4647909dcfc38",
"id": "bb:176",
"start_pc": 176,
"type": "basic_block"
},
{
"end_pc": 263,
"hash": "0x05bb2b1cf28e868299a2692b981f091c16cd0b0ff5f325436e762172d3967632",
"id": "bb:200",
"start_pc": 200,
"type": "basic_block"
},
{
"end_pc": 271,
"hash": "0x21b49c68f1af8b85acdfbc3ef26289b590ab67ebb18271dfc552d3d38c161349",
"id": "bb:264",
"start_pc": 264,
"type": "basic_block"
},
{
"end_pc": 290,
"hash": "0xae7e4932e7d3455de45f6fa310bc61e816c4075510a405b25c6797cfa8308dd4",
"id": "bb:272",
"start_pc": 272,
"type": "basic_block"
},
{
"end_pc": 333,
"hash": "0x695d244bc0789518ea2be8b9593ab18c4b31efe9b0bb2b4a99b09bfa0bd4168d",
"id": "bb:291",
"start_pc": 291,
"type": "basic_block"
},
{
"end_pc": 337,
"hash": "0x5ebda49c75a90269902080f51db6f1c7b1af883a7fd6baf1d61b81a8b96dcdca",
"id": "bb:334",
"start_pc": 334,
"type": "basic_block"
},
{
"end_pc": 408,
"hash": "0x8260bcfbd4c1d49f77b482640c6297cd133661f3ada7f52d07e1835f240b06d3",
"id": "bb:338",
"start_pc": 338,
"type": "basic_block"
},
{
"end_pc": 433,
"hash": "0xc0a703c2254334f9171c8126ae06fea5cf289341f4c19c890fa2f6b928c400e4",
"id": "bb:409",
"start_pc": 409,
"type": "basic_block"
},
{
"end_pc": 447,
"hash": "0xbbf38bd955ec6188d491c8a752950f390e38b6a9203b6891438ecf3d66b81c51",
"id": "bb:434",
"start_pc": 434,
"type": "basic_block"
},
{
"end_pc": 457,
"hash": "0xe40870dc717cbfdedea9fbb4d2473ca373d3dd88734eda3a8e7ff7e0a08a80de",
"id": "bb:448",
"start_pc": 448,
"type": "basic_block"
},
{
"end_pc": 471,
"hash": "0x712f7aabde4f2b6cb8fd21b243449d960bb2bde97dfa68f99a6793a74191755f",
"id": "bb:458",
"start_pc": 458,
"type": "basic_block"
},
{
"end_pc": 491,
"hash": "0xb72355893dc85ba3dba3d8450e06bc619269717a95c970bc878e9b20fda0e6a2",
"id": "bb:472",
"start_pc": 472,
"type": "basic_block"
},
{
"end_pc": 500,
"hash": "0x44d3956d843a32ee50717833fa8ec9dbfa425cdf8dcb23848e44acae24f05d14",
"id": "bb:492",
"start_pc": 492,
"type": "basic_block"
},
{
"end_pc": 508,
"hash": "0xfc2ec825a8f178aa5a5c70c694abf2c3132e519e33d00850e8769ebb62cf186a",
"id": "bb:501",
"start_pc": 501,
"type": "basic_block"
},
{
"end_pc": 538,
"hash": "0xa75c05a5c67571b18cbd868879dec0d7c57966797b1df8756504756360d24fa1",
"id": "bb:509",
"start_pc": 509,
"type": "basic_block"
},
{
"end_pc": 542,
"hash": "0xee4e5c2be823ee6e569c01a0bf832422eaf7ebbf27bd4c5f027d970c75b8c6f9",
"id": "bb:539",
"start_pc": 539,
"type": "basic_block"
},
{
"end_pc": 715,
"hash": "0x55470c341be9e608b9f37871022d25fc911758efeacc5d69b28df302da0d728e",
"id": "bb:543",
"start_pc": 543,
"type": "basic_block"
},
{
"id": "call:392",
"opcode": "CALL",
"pc": 392,
"type": "callsite"
},
{
"id": "sink:call",
"type": "sink"
},
{
"entry_pc": null,
"id": "fn:0x06fdde03",
"selector": "0x06fdde03",
"type": "function"
},
{
"entry_pc": 1889567281,
"id": "fn:0x313ce567",
"selector": "0x313ce567",
"type": "function"
},
{
"entry_pc": 2514000705,
"id": "fn:0x70a08231",
"selector": "0x70a08231",
"type": "function"
},
{
"entry_pc": 2835717307,
"id": "fn:0x95d89b41",
"selector": "0x95d89b41",
"type": "function"
},
{
"entry_pc": null,
"id": "fn:0xa9059cbb",
"selector": "0xa9059cbb",
"type": "function"
}
],
"version": "capability_graph_v1"
},
"id": 2690,
"updated_at": "2026-04-04T19:59:21.000000Z",
"version": "capability_graph_v1"
}
exec
/bin/bash -lc "jq '.analysis_artifact.artifact_json.basic_blocks[] | select(.start_pc>=291 and .start_pc<=447)' BYTECODE_BUNDLE.json" in /tmp/codex-b11fa6yj
succeeded in 0ms:
{
"end_pc": 333,
"hash": "0x695d244bc0789518ea2be8b9593ab18c4b31efe9b0bb2b4a99b09bfa0bd4168d",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"CALLER",
"AND",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_90",
"SHA3",
"SLOAD",
"OP_81",
"OP_90",
"LT",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 291
}
{
"end_pc": 337,
"hash": "0x5ebda49c75a90269902080f51db6f1c7b1af883a7fd6baf1d61b81a8b96dcdca",
"opcodes": [
"PUSH2",
"JUMP"
],
"start_pc": 334
}
{
"end_pc": 408,
"hash": "0x8260bcfbd4c1d49f77b482640c6297cd133661f3ada7f52d07e1835f240b06d3",
"opcodes": [
"JUMPDEST",
"PUSH1",
"MLOAD",
"OP_80",
"OP_80",
"PUSH1",
"ADD",
"OP_82",
"OP_81",
"SUB",
"OP_82",
"MSTORE",
"OP_83",
"OP_81",
"OP_81",
"MLOAD",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP",
"OP_80",
"MLOAD",
"OP_90",
"PUSH1",
"ADD",
"OP_90",
"OP_80",
"OP_83",
"OP_83",
"OP_82",
"OP_90",
"PUSH1",
"PUSH1",
"PUSH1",
"OP_84",
"PUSH1",
"ADD",
"DIV",
"PUSH1",
"MUL",
"PUSH1",
"ADD",
"CALL",
"POP",
"OP_90",
"POP",
"OP_90",
"OP_81",
"ADD",
"OP_90",
"PUSH1",
"AND",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 338
}
{
"end_pc": 433,
"hash": "0xc0a703c2254334f9171c8126ae06fea5cf289341f4c19c890fa2f6b928c400e4",
"opcodes": [
"OP_80",
"OP_82",
"SUB",
"OP_80",
"MLOAD",
"PUSH1",
"OP_83",
"PUSH1",
"SUB",
"PUSH2",
"EXP",
"SUB",
"NOT",
"AND",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP"
],
"start_pc": 409
}
{
"end_pc": 447,
"hash": "0xbbf38bd955ec6188d491c8a752950f390e38b6a9203b6891438ecf3d66b81c51",
"opcodes": [
"JUMPDEST",
"POP",
"OP_92",
"POP",
"POP",
"POP",
"PUSH1",
"MLOAD",
"OP_80",
"OP_91",
"SUB",
"OP_90",
"RETURN"
],
"start_pc": 434
}
exec
/bin/bash -lc "jq '.artifact | {is_proxy, implementation_address, verified_source, compiler_json}' BYTECODE_BUNDLE.json" in /tmp/codex-b11fa6yj
succeeded in 0ms:
{
"is_proxy": false,
"implementation_address": null,
"verified_source": false,
"compiler_json": {
"etherscan": {
"skipped": true
}
}
}
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
with open('BYTECODE_BUNDLE.json') as f:
    data=json.load(f)
code=data['artifact']['runtime_bytecode']
if code.startswith('0x'): code=code[2:]
bs=bytes.fromhex(code)
ops={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'}
for i in range(1,33): ops[0x5f+i]=f'PUSH{i}'
for i in range(1,17): ops[0x7f+i]=f'DUP{i}'
for i in range(1,17): ops[0x8f+i]=f'SWAP{i}'
for i in range(0,5): ops[0xa0+i]=f'LOG{i}'
pc=0
out=[]
while pc < len(bs):
    op=bs[pc]
    name=ops.get(op,f'OP_{op:02x}')
    if name.startswith('PUSH'):
        n=int(name[4:])
        arg=bs[pc+1:pc+1+n].hex()
        out.append((pc,name,'0x'+arg))
        pc+=1+n
    else:
        out.append((pc,name,None))
        pc+=1
for pc,name,arg in out:
    if 280 <= pc <= 450:
        print(f'{pc:04d}: {name}' + (f' {arg}' if arg else ''))
PY" in /tmp/codex-b11fa6yj
exited 1 in 0ms:
Traceback (most recent call last):
File "<stdin>", line 6, in <module>
AttributeError: 'dict' object has no attribute 'startswith'
exec
/bin/bash -lc "jq '.artifact.runtime_bytecode | type, .' BYTECODE_BUNDLE.json" in /tmp/codex-b11fa6yj
succeeded in 0ms:
"object"
{
"full": "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",
"head": null,
"length": 1434,
"tail": null,
"truncated": false
}
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
code=data['artifact']['runtime_bytecode']['full']
code=code[2:] if code.startswith('0x') else code
bs=bytes.fromhex(code)
ops={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'}
for i in range(1,33): ops[0x5f+i]=f'PUSH{i}'
for i in range(1,17): ops[0x7f+i]=f'DUP{i}'
for i in range(1,17): ops[0x8f+i]=f'SWAP{i}'
for i in range(0,5): ops[0xa0+i]=f'LOG{i}'
pc=0
while pc < len(bs):
    op=bs[pc]
    name=ops.get(op,f'OP_{op:02x}')
    if name.startswith('PUSH'):
        n=int(name[4:])
        arg='0x'+bs[pc+1:pc+1+n].hex()
        if 280 <= pc <= 450:
            print(f'{pc:04d}: {name} {arg}')
        pc+=1+n
    else:
        if 280 <= pc <= 450:
            print(f'{pc:04d}: {name}')
        pc+=1
PY" in /tmp/codex-b11fa6yj
succeeded in 0ms:
0280: DUP4
0281: MSTORE
0282: SWAP2
0283: PUSH1 0x20
0285: ADD
0286: SWAP2
0287: PUSH2 0x01f5
0290: JUMP
0291: JUMPDEST
0292: PUSH2 0x0045
0295: PUSH1 0x04
0297: CALLDATALOAD
0298: PUSH1 0x24
0300: CALLDATALOAD
0301: PUSH1 0x01
0303: PUSH1 0xa0
0305: PUSH1 0x02
0307: EXP
0308: SUB
0309: CALLER
0310: AND
0311: PUSH1 0x00
0313: SWAP1
0314: DUP2
0315: MSTORE
0316: PUSH1 0x03
0318: PUSH1 0x20
0320: MSTORE
0321: PUSH1 0x40
0323: SWAP1
0324: SHA3
0325: SLOAD
0326: DUP2
0327: SWAP1
0328: LT
0329: ISZERO
0330: PUSH2 0x01fd
0333: JUMPI
0334: PUSH2 0x0002
0337: JUMP
0338: JUMPDEST
0339: PUSH1 0x40
0341: MLOAD
0342: DUP1
0343: DUP1
0344: PUSH1 0x20
0346: ADD
0347: DUP3
0348: DUP2
0349: SUB
0350: DUP3
0351: MSTORE
0352: DUP4
0353: DUP2
0354: DUP2
0355: MLOAD
0356: DUP2
0357: MSTORE
0358: PUSH1 0x20
0360: ADD
0361: SWAP2
0362: POP
0363: DUP1
0364: MLOAD
0365: SWAP1
0366: PUSH1 0x20
0368: ADD
0369: SWAP1
0370: DUP1
0371: DUP4
0372: DUP4
0373: DUP3
0374: SWAP1
0375: PUSH1 0x00
0377: PUSH1 0x04
0379: PUSH1 0x20
0381: DUP5
0382: PUSH1 0x1f
0384: ADD
0385: DIV
0386: PUSH1 0x0f
0388: MUL
0389: PUSH1 0x03
0391: ADD
0392: CALL
0393: POP
0394: SWAP1
0395: POP
0396: SWAP1
0397: DUP2
0398: ADD
0399: SWAP1
0400: PUSH1 0x1f
0402: AND
0403: DUP1
0404: ISZERO
0405: PUSH2 0x01b2
0408: JUMPI
0409: DUP1
0410: DUP3
0411: SUB
0412: DUP1
0413: MLOAD
0414: PUSH1 0x01
0416: DUP4
0417: PUSH1 0x20
0419: SUB
0420: PUSH2 0x0100
0423: EXP
0424: SUB
0425: NOT
0426: AND
0427: DUP2
0428: MSTORE
0429: PUSH1 0x20
0431: ADD
0432: SWAP2
0433: POP
0434: JUMPDEST
0435: POP
0436: SWAP3
0437: POP
0438: POP
0439: POP
0440: PUSH1 0x40
0442: MLOAD
0443: DUP1
0444: SWAP2
0445: SUB
0446: SWAP1
0447: RETURN
0448: JUMPDEST
0449: PUSH1 0x60
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json') as f:
    data=json.load(f)
code=data['artifact']['runtime_bytecode']['full']
code=code[2:] if code.startswith('0x') else code
bs=bytes.fromhex(code)
ops={0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'}
for i in range(1,33): ops[0x5f+i]=f'PUSH{i}'
for i in range(1,17): ops[0x7f+i]=f'DUP{i}'
for i in range(1,17): ops[0x8f+i]=f'SWAP{i}'
for i in range(0,5): ops[0xa0+i]=f'LOG{i}'
pc=0
while pc < len(bs):
    op=bs[pc]
    name=ops.get(op,f'OP_{op:02x}')
    if name.startswith('PUSH'):
        n=int(name[4:])
        arg='0x'+bs[pc+1:pc+1+n].hex()
        if pc <= 260 or 448 <= pc <= 715:
            print(f'{pc:04d}: {name} {arg}')
        pc+=1+n
    else:
        if pc <= 260 or 448 <= pc <= 715:
            print(f'{pc:04d}: {name}')
        pc+=1
PY" in /tmp/codex-b11fa6yj
succeeded in 0ms:
0000: PUSH1 0x60
0002: PUSH1 0x40
0004: MSTORE
0005: PUSH1 0xe0
0007: PUSH1 0x02
0009: EXP
0010: PUSH1 0x00
0012: CALLDATALOAD
0013: DIV
0014: PUSH4 0x06fdde03
0019: DUP2
0020: EQ
0021: PUSH2 0x0047
0024: JUMPI
0025: DUP1
0026: PUSH4 0x313ce567
0031: EQ
0032: PUSH2 0x00a4
0035: JUMPI
0036: DUP1
0037: PUSH4 0x70a08231
0042: EQ
0043: PUSH2 0x00b0
0046: JUMPI
0047: DUP1
0048: PUSH4 0x95d89b41
0053: EQ
0054: PUSH2 0x00c8
0057: JUMPI
0058: DUP1
0059: PUSH4 0xa9059cbb
0064: EQ
0065: PUSH2 0x0123
0068: JUMPI
0069: JUMPDEST
0070: STOP
0071: JUMPDEST
0072: PUSH2 0x0152
0075: PUSH1 0x00
0077: DUP1
0078: SLOAD
0079: PUSH1 0x20
0081: PUSH1 0x02
0083: PUSH1 0x01
0085: DUP4
0086: AND
0087: ISZERO
0088: PUSH2 0x0100
0091: MUL
0092: PUSH1 0x00
0094: NOT
0095: ADD
0096: SWAP1
0097: SWAP3
0098: AND
0099: SWAP2
0100: SWAP1
0101: SWAP2
0102: DIV
0103: PUSH1 0x1f
0105: DUP2
0106: ADD
0107: DUP3
0108: SWAP1
0109: DIV
0110: SWAP1
0111: SWAP2
0112: MUL
0113: PUSH1 0x80
0115: SWAP1
0116: DUP2
0117: ADD
0118: PUSH1 0x40
0120: MSTORE
0121: PUSH1 0x60
0123: DUP3
0124: DUP2
0125: MSTORE
0126: SWAP3
0127: SWAP2
0128: SWAP1
0129: DUP3
0130: DUP3
0131: DUP1
0132: ISZERO
0133: PUSH2 0x01f5
0136: JUMPI
0137: DUP1
0138: PUSH1 0x1f
0140: LT
0141: PUSH2 0x01ca
0144: JUMPI
0145: PUSH2 0x0100
0148: DUP1
0149: DUP4
0150: SLOAD
0151: DIV
0152: MUL
0153: DUP4
0154: MSTORE
0155: SWAP2
0156: PUSH1 0x20
0158: ADD
0159: SWAP2
0160: PUSH2 0x01f5
0163: JUMP
0164: JUMPDEST
0165: PUSH2 0x01c0
0168: PUSH1 0x02
0170: SLOAD
0171: PUSH1 0xff
0173: AND
0174: DUP2
0175: JUMP
0176: JUMPDEST
0177: PUSH2 0x01c0
0180: PUSH1 0x04
0182: CALLDATALOAD
0183: PUSH1 0x03
0185: PUSH1 0x20
0187: MSTORE
0188: PUSH1 0x00
0190: SWAP1
0191: DUP2
0192: MSTORE
0193: PUSH1 0x40
0195: SWAP1
0196: SHA3
0197: SLOAD
0198: DUP2
0199: JUMP
0200: JUMPDEST
0201: PUSH2 0x0152
0204: PUSH1 0x01
0206: DUP1
0207: SLOAD
0208: PUSH1 0x20
0210: PUSH1 0x1f
0212: PUSH1 0x02
0214: PUSH1 0x00
0216: NOT
0217: PUSH2 0x0100
0220: DUP6
0221: DUP8
0222: AND
0223: ISZERO
0224: MUL
0225: ADD
0226: SWAP1
0227: SWAP4
0228: AND
0229: SWAP3
0230: SWAP1
0231: SWAP3
0232: DIV
0233: SWAP2
0234: DUP3
0235: ADD
0236: DUP2
0237: SWAP1
0238: DIV
0239: MUL
0240: PUSH1 0x80
0242: SWAP1
0243: DUP2
0244: ADD
0245: PUSH1 0x40
0247: MSTORE
0248: PUSH1 0x60
0250: DUP3
0251: DUP2
0252: MSTORE
0253: SWAP3
0254: SWAP2
0255: SWAP1
0256: DUP3
0257: DUP3
0258: DUP1
0259: ISZERO
0260: PUSH2 0x01f5
0448: JUMPDEST
0449: PUSH1 0x60
0451: SWAP1
0452: DUP2
0453: MSTORE
0454: PUSH1 0x20
0456: SWAP1
0457: RETURN
0458: JUMPDEST
0459: DUP3
0460: ADD
0461: SWAP2
0462: SWAP1
0463: PUSH1 0x00
0465: MSTORE
0466: PUSH1 0x20
0468: PUSH1 0x00
0470: SHA3
0471: SWAP1
0472: JUMPDEST
0473: DUP2
0474: SLOAD
0475: DUP2
0476: MSTORE
0477: SWAP1
0478: PUSH1 0x01
0480: ADD
0481: SWAP1
0482: PUSH1 0x20
0484: ADD
0485: DUP1
0486: DUP4
0487: GT
0488: PUSH2 0x01d8
0491: JUMPI
0492: DUP3
0493: SWAP1
0494: SUB
0495: PUSH1 0x1f
0497: AND
0498: DUP3
0499: ADD
0500: SWAP2
0501: JUMPDEST
0502: POP
0503: POP
0504: POP
0505: POP
0506: POP
0507: DUP2
0508: JUMP
0509: JUMPDEST
0510: PUSH1 0x01
0512: PUSH1 0xa0
0514: PUSH1 0x02
0516: EXP
0517: SUB
0518: DUP3
0519: AND
0520: PUSH1 0x00
0522: SWAP1
0523: DUP2
0524: MSTORE
0525: PUSH1 0x40
0527: SWAP1
0528: SHA3
0529: SLOAD
0530: DUP1
0531: DUP3
0532: ADD
0533: LT
0534: ISZERO
0535: PUSH2 0x021f
0538: JUMPI
0539: PUSH2 0x0002
0542: JUMP
0543: JUMPDEST
0544: DUP1
0545: PUSH1 0x03
0547: PUSH1 0x00
0549: POP
0550: PUSH1 0x00
0552: CALLER
0553: PUSH1 0x01
0555: PUSH1 0xa0
0557: PUSH1 0x02
0559: EXP
0560: SUB
0561: AND
0562: DUP2
0563: MSTORE
0564: PUSH1 0x20
0566: ADD
0567: SWAP1
0568: DUP2
0569: MSTORE
0570: PUSH1 0x20
0572: ADD
0573: PUSH1 0x00
0575: SHA3
0576: PUSH1 0x00
0578: DUP3
0579: DUP3
0580: DUP3
0581: POP
0582: SLOAD
0583: SUB
0584: SWAP3
0585: POP
0586: POP
0587: DUP2
0588: SWAP1
0589: SSTORE
0590: POP
0591: DUP1
0592: PUSH1 0x03
0594: PUSH1 0x00
0596: POP
0597: PUSH1 0x00
0599: DUP5
0600: PUSH1 0x01
0602: PUSH1 0xa0
0604: PUSH1 0x02
0606: EXP
0607: SUB
0608: AND
0609: DUP2
0610: MSTORE
0611: PUSH1 0x20
0613: ADD
0614: SWAP1
0615: DUP2
0616: MSTORE
0617: PUSH1 0x20
0619: ADD
0620: PUSH1 0x00
0622: SHA3
0623: PUSH1 0x00
0625: DUP3
0626: DUP3
0627: DUP3
0628: POP
0629: SLOAD
0630: ADD
0631: SWAP3
0632: POP
0633: POP
0634: DUP2
0635: SWAP1
0636: SSTORE
0637: POP
0638: DUP2
0639: PUSH1 0x01
0641: PUSH1 0xa0
0643: PUSH1 0x02
0645: EXP
0646: SUB
0647: AND
0648: CALLER
0649: PUSH1 0x01
0651: PUSH1 0xa0
0653: PUSH1 0x02
0655: EXP
0656: SUB
0657: AND
0658: PUSH32 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef
0691: DUP4
0692: PUSH1 0x40
0694: MLOAD
0695: DUP1
0696: DUP3
0697: DUP2
0698: MSTORE
0699: PUSH1 0x20
0701: ADD
0702: SWAP2
0703: POP
0704: POP
0705: PUSH1 0x40
0707: MLOAD
0708: DUP1
0709: SWAP2
0710: SUB
0711: SWAP1
0712: LOG3
0713: POP
0714: POP
0715: JUMP
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json') as f: data=json.load(f)
code=data['artifact']['runtime_bytecode']['full'][2:]
bs=bytes.fromhex(code)
for i,b in enumerate(bs):
    if b==0x34:
        print(i)
PY" in /tmp/codex-b11fa6yj
succeeded in 0ms:
Read the bundle, reconstructed the selector routes from bytecode, and checked the reported CALL against the surrounding instructions. The only concrete issues I can support from bytecode are interface noncompliance on `transfer` and unintended ETH acceptance; I did not find evidence for proxy/delegatecall/reentrancy issues.
✓ Read BYTECODE_BUNDLE.json and identify the contract shape, entrypoints, and detector artifacts
✓ Evaluate evidence for concrete security issues with bytecode-level uncertainty called out
→ Return findings as JSON matching the required schema
codex
{"no_findings":false,"summary":"Bytecode looks like a small non-proxy token with five selectors (`name`, `symbol`, `decimals`, `balanceOf`, `transfer`). I did not find evidence of delegatecall, upgrade slots, or a reentrant state-changing external call. The detector-reported `CALL` at `pc:392` sits inside the long-string return helper used by `name`/`symbol` and is more consistent with the old Solidity identity-precompile copy pattern than an attacker-controlled outbound interaction. The concrete issues supported by the bytecode are a non-standard `transfer` ABI and unconditional ETH acceptance.","findings":[{"severity":"low","category":"other","title":"`transfer(0xa9059cbb)` does not return the standard ERC20 boolean","exploit_scenario":"A protocol that assumes selector `0xa9059cbb` is ERC20-compliant and requires a 32-byte boolean return can fail to interact with this token. If that protocol already custodys the token, outbound transfers may keep reverting until it adds special handling for optional return data, effectively trapping user positions inside the integration.","recommendation":"If the contract is upgradeable or replaceable, make `transfer` return a 32-byte success value (`true`) on the success path. If it is immutable, integrations should only use wrappers that tolerate optional ERC20 return data.","evidence":"The dispatcher routes selector `0xa9059cbb` to `pc:291`. That path checks sender balance, updates the mapping at `pc:576` and `pc:622`, emits the `Transfer` log at `pc:658`-`pc:712`, and then executes `JUMP` at `pc:715` back to return address `0x0045`, which is `pc:69` (`STOP`). 
There is no selector-specific `RETURN` of a 32-byte boolean on this path.","locations":["selector:0xa9059cbb","pc:291","pc:576","pc:622","pc:715","pc:69"]},{"severity":"low","category":"other","title":"Fallback and function entries accept ETH, with no evident recovery path","exploit_scenario":"Any user or integrator that accidentally sends ETH to this contract, either via empty calldata/unknown selector or alongside one of the exposed functions, will not be rejected. From the available bytecode there is no dedicated withdrawal selector, no proxy admin path, and no obvious owner-only rescue function, so accidentally sent ETH is likely to remain stuck.","recommendation":"Reject unexpected ETH by making the fallback/nonpayable entrypoints revert on nonzero `msg.value`, or add an explicit rescue path if ETH custody is intended.","evidence":"The dispatcher falls through to `pc:69`, which is a bare `STOP`, so empty calldata and unknown selectors succeed instead of reverting. Across the runtime bytecode there is no `CALLVALUE` opcode, meaning the exposed selectors also do not enforce nonpayable behavior. The only outbound `CALL` in the bundle is the helper at `pc:392`, which appears tied to string-return handling rather than an ETH withdrawal function; bytecode-only analysis cannot prove every edge case, but I do not see a reachable recovery path.","locations":["pc:0","pc:69","pc:71","pc:176","pc:200","pc:291","pc:392"]}]}
tokens used
56,746
{
"codex": {
"ran_at": "2026-04-05T06:43:22.483424+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 1434,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "Bytecode looks like a small non-proxy token with five selectors (`name`, `symbol`, `decimals`, `balanceOf`, `transfer`). I did not find evidence of delegatecall, upgrade slots, or a reentrant state-changing external call. The detector-reported `CALL` at `pc:392` sits inside the long-string return helper used by `name`/`symbol` and is more consistent with the old Solidity identity-precompile copy pattern than an attacker-controlled outbound interaction. The concrete issues supported by the bytecode are a non-standard `transfer` ABI and unconditional ETH acceptance.",
"raw_final": {
"summary": "Bytecode looks like a small non-proxy token with five selectors (`name`, `symbol`, `decimals`, `balanceOf`, `transfer`). I did not find evidence of delegatecall, upgrade slots, or a reentrant state-changing external call. The detector-reported `CALL` at `pc:392` sits inside the long-string return helper used by `name`/`symbol` and is more consistent with the old Solidity identity-precompile copy pattern than an attacker-controlled outbound interaction. The concrete issues supported by the bytecode are a non-standard `transfer` ABI and unconditional ETH acceptance.",
"findings": [
{
"title": "`transfer(0xa9059cbb)` does not return the standard ERC20 boolean",
"category": "other",
"evidence": "The dispatcher routes selector `0xa9059cbb` to `pc:291`. That path checks sender balance, updates the mapping at `pc:576` and `pc:622`, emits the `Transfer` log at `pc:658`-`pc:712`, and then executes `JUMP` at `pc:715` back to return address `0x0045`, which is `pc:69` (`STOP`). There is no selector-specific `RETURN` of a 32-byte boolean on this path.",
"severity": "low",
"locations": [
"selector:0xa9059cbb",
"pc:291",
"pc:576",
"pc:622",
"pc:715",
"pc:69"
],
"recommendation": "If the contract is upgradeable or replaceable, make `transfer` return a 32-byte success value (`true`) on the success path. If it is immutable, integrations should only use wrappers that tolerate optional ERC20 return data.",
"exploit_scenario": "A protocol that assumes selector `0xa9059cbb` is ERC20-compliant and requires a 32-byte boolean return can fail to interact with this token. If that protocol already custodys the token, outbound transfers may keep reverting until it adds special handling for optional return data, effectively trapping user positions inside the integration."
},
{
"title": "Fallback and function entries accept ETH, with no evident recovery path",
"category": "other",
"evidence": "The dispatcher falls through to `pc:69`, which is a bare `STOP`, so empty calldata and unknown selectors succeed instead of reverting. Across the runtime bytecode there is no `CALLVALUE` opcode, meaning the exposed selectors also do not enforce nonpayable behavior. The only outbound `CALL` in the bundle is the helper at `pc:392`, which appears tied to string-return handling rather than an ETH withdrawal function; bytecode-only analysis cannot prove every edge case, but I do not see a reachable recovery path.",
"severity": "low",
"locations": [
"pc:0",
"pc:69",
"pc:71",
"pc:176",
"pc:200",
"pc:291",
"pc:392"
],
"recommendation": "Reject unexpected ETH by making the fallback/nonpayable entrypoints revert on nonzero `msg.value`, or add an explicit rescue path if ETH custody is intended.",
"exploit_scenario": "Any user or integrator that accidentally sends ETH to this contract, either via empty calldata/unknown selector or alongside one of the exposed functions, will not be rejected. From the available bytecode there is no dedicated withdrawal selector, no proxy admin path, and no obvious owner-only rescue function, so accidentally sent ETH is likely to remain stuck."
}
],
"no_findings": false
},
"no_findings": false,
"schema_version": 1
}
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | other | detector | Untrusted CALL target/value reachable | 60 | yes | yes |
trace_id: 0x9e46fc414a7fdce0887bcf5f2abfba062db707d799b116447cdf7bb8bac0b363
call_targets:
0x0000000000000000000000000000000000000004, 0xb0c3ffc92314c9192214f202a0d3bd022caeaa94
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x9e46fc414a7fdce0887bcf5f2abfba062db707d799b116447cdf7bb8bac0b363",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0xb0c3ffc92314c9192214f202a0d3bd022caeaa94"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x70a08231",
"selector": "0x70a08231",
"calldata_variants": [
"0x70a08231",
"0x70a082310000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x95d89b41",
"selector": "0x95d89b41",
"calldata_variants": [
"0x95d89b41",
"0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa9059cbb",
"selector": "0xa9059cbb",
"calldata_variants": [
"0xa9059cbb",
"0xa9059cbb0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 392,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 1,
"guards_detected": [],
"untrusted_call_count": 1
}
|
| high | other | detector | ETH value transfer possible | 55 | yes | yes |
trace_id: 0x9e46fc414a7fdce0887bcf5f2abfba062db707d799b116447cdf7bb8bac0b363
call_targets:
0x0000000000000000000000000000000000000004, 0xb0c3ffc92314c9192214f202a0d3bd022caeaa94
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x9e46fc414a7fdce0887bcf5f2abfba062db707d799b116447cdf7bb8bac0b363",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0xb0c3ffc92314c9192214f202a0d3bd022caeaa94"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x70a08231",
"selector": "0x70a08231",
"calldata_variants": [
"0x70a08231",
"0x70a082310000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x95d89b41",
"selector": "0x95d89b41",
"calldata_variants": [
"0x95d89b41",
"0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa9059cbb",
"selector": "0xa9059cbb",
"calldata_variants": [
"0xa9059cbb",
"0xa9059cbb0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 392,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 1,
"guards_detected": []
}
|
| low | other | codex | `transfer(0xa9059cbb)` does not return the standard ERC20 boolean | 65 | no | — |
evidence_json{
"evidence": "The dispatcher routes selector `0xa9059cbb` to `pc:291`. That path checks sender balance, updates the mapping at `pc:576` and `pc:622`, emits the `Transfer` log at `pc:658`-`pc:712`, and then executes `JUMP` at `pc:715` back to return address `0x0045`, which is `pc:69` (`STOP`). There is no selector-specific `RETURN` of a 32-byte boolean on this path.",
"locations": [
"selector:0xa9059cbb",
"pc:291",
"pc:576",
"pc:622",
"pc:715",
"pc:69"
],
"recommendation": "If the contract is upgradeable or replaceable, make `transfer` return a 32-byte success value (`true`) on the success path. If it is immutable, integrations should only use wrappers that tolerate optional ERC20 return data.",
"exploit_scenario": "A protocol that assumes selector `0xa9059cbb` is ERC20-compliant and requires a 32-byte boolean return can fail to interact with this token. If that protocol already custodys the token, outbound transfers may keep reverting until it adds special handling for optional return data, effectively trapping user positions inside the integration."
}
|
| low | other | codex | Fallback and function entries accept ETH, with no evident recovery path | 65 | no | — |
evidence_json{
"evidence": "The dispatcher falls through to `pc:69`, which is a bare `STOP`, so empty calldata and unknown selectors succeed instead of reverting. Across the runtime bytecode there is no `CALLVALUE` opcode, meaning the exposed selectors also do not enforce nonpayable behavior. The only outbound `CALL` in the bundle is the helper at `pc:392`, which appears tied to string-return handling rather than an ETH withdrawal function; bytecode-only analysis cannot prove every edge case, but I do not see a reachable recovery path.",
"locations": [
"pc:0",
"pc:69",
"pc:71",
"pc:176",
"pc:200",
"pc:291",
"pc:392"
],
"recommendation": "Reject unexpected ETH by making the fallback/nonpayable entrypoints revert on nonzero `msg.value`, or add an explicit rescue path if ETH custody is intended.",
"exploit_scenario": "Any user or integrator that accidentally sends ETH to this contract, either via empty calldata/unknown selector or alongside one of the exposed functions, will not be rejected. From the available bytecode there is no dedicated withdrawal selector, no proxy admin path, and no obvious owner-only rescue function, so accidentally sent ETH is likely to remain stuck."
}
|