019b3836-4533-7185-8d7b-fedf8e215cd2
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 5973 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 5974 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 49200 | analysis.bundle | complete | 1 / 3 | 1 week ago |
| 49201 | capability.graph | complete | 1 / 3 | 1 week ago |
| 49202 | detector.run | complete | 1 / 3 | 1 week ago |
| 49203 | validation.fork | complete | 1 / 3 | 1 week ago |
| 113313 | report.consolidate | complete | 1 / 6 | 1 week ago |
No slither job recorded yet.
{"no_findings":false,"summary":"Based on the runtime bytecode and BYTECODE_BUNDLE.json only, this looks like a small legacy token-like contract with selectors for name/symbol/decimals/balanceOf/transfer. I did not treat the detector-reported CALL at pc:0x188 as an untrusted external call issue: the opcode pattern matches the identity precompile (0x04) used by older Solidity string-copy helpers, so the bundle’s CALL/ETH-transfer alerts appear to be false positives. The concrete issues below are low-severity compatibility/asset-safety risks visible from bytecode.","findings":[{"severity":"low","category":"other","title":"Payable fallback silently accepts ETH and unknown selectors","exploit_scenario":"Because the dispatcher falls through to STOP for unmatched selectors, calls with bad calldata or plain ETH transfers succeed instead of reverting. A user, wallet, or integrating contract can accidentally send ETH to this token contract or invoke a nonexistent function and receive a success status; with no visible withdrawal path in the runtime, that ETH would remain stuck in the contract.","recommendation":"Add an explicit reverting fallback/receive path for unexpected calls and nonzero CALLVALUE, or add a controlled recovery mechanism if ETH custody is intended.","evidence":"Dispatcher compares known selectors at pc:0x0-0x44, then falls through to JUMPDEST/STOP at pc:0x45 without any preceding CALLVALUE check. The runtime has no DELEGATECALL/SELFDESTRUCT and only one CALL site at pc:0x188, which matches the identity precompile copy pattern rather than an ETH-withdrawal path. This is a bytecode-only inference, so the lack of a recovery path is based on the visible runtime only.","locations":["pc:0x0","pc:0x45","pc:0x188"]},{"severity":"low","category":"other","title":"`transfer(address,uint256)` appears to return no boolean value","exploit_scenario":"Integrations that assume canonical ERC-20 semantics for selector 0xa9059cbb may decode the returndata as `bool` and fail, or may need special-case handling. In practice this can break deposits, withdrawals, routers, or wrappers that require a strict `true` return value from `transfer`.","recommendation":"If this contract is meant to be ERC-20 compatible, make `transfer` ABI-return `true` on success. If the contract is immutable legacy bytecode, document it clearly and require integrators to use safe wrappers that tolerate missing return data.","evidence":"Selector 0xa9059cbb dispatches to pc:0x123. That path pushes return destination 0x0045, performs balance checks and state updates through pc:0x21f-0x2cb, then jumps back to pc:0x45, which is STOP, not a RETURN helper. By contrast, read functions route through explicit return helpers at pc:0x152 and pc:0x1c0. This strongly suggests `transfer` succeeds with empty returndata rather than a 32-byte boolean.","locations":["selector:0xa9059cbb","pc:0x123","pc:0x45"]}]}
OpenAI Codex v0.118.0 (research preview)
--------
workdir: /tmp/codex-chbbow8y
model: gpt-5.4
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: none
session id: 019d5c88-b7a9-75f3-ad2f-3ba01e378af3
--------
user
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
warning: Codex could not find system bubblewrap on PATH. Please install bubblewrap with your package manager. Codex will use the vendored bubblewrap in the meantime.
→ Inspect BYTECODE_BUNDLE.json and available analysis artifacts
• Assess bytecode evidence for concrete security findings
• Return JSON report matching the required schema
exec
/bin/bash -lc pwd in /tmp/codex-chbbow8y
succeeded in 0ms:
/tmp/codex-chbbow8y
exec
/bin/bash -lc 'rg --files' in /tmp/codex-chbbow8y
succeeded in 0ms:
codex-output-schema.json
BYTECODE_BUNDLE.json
exec
/bin/bash -lc "sed -n '1,260p' BYTECODE_BUNDLE.json" in /tmp/codex-chbbow8y
succeeded in 0ms:
{
"analysis_artifact": {
"address": "0xebf1031e6690d9befe06dc19b0114c592694abf3",
"artifact_hash": "0x809753134b52255340a33f9ed532d71297ef581feb31e0abb2d615c60b41d701",
"artifact_json": {
"auth": {
"guards": []
},
"basic_blocks": [
{
"end_pc": 24,
"hash": "0x6a350686911b120d699f8e8d1e9440d4ce17c4434492baee43484e2ef083a112",
"opcodes": [
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"PUSH1",
"EXP",
"PUSH1",
"CALLDATALOAD",
"DIV",
"PUSH4",
"OP_81",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 0
},
{
"end_pc": 35,
"hash": "0x09fc75e3aa8fb02b98e24881cc463925488c7dfa7ef308570a5930c5c420c614",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 25
},
{
"end_pc": 46,
"hash": "0x976103db32485bde438fb5c3f9f54ee02f48623f2e3b08249411cd4aee3c334a",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 36
},
{
"end_pc": 57,
"hash": "0x3c19c073e27395dc44272beb525b6373ad140a4045aabbd1b653e498e1806824",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 47
},
{
"end_pc": 68,
"hash": "0x3a122683470ea7901e31e80e6378780a829a06da64b04e691b5d5c5621392507",
"opcodes": [
"OP_80",
"PUSH4",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 58
},
{
"end_pc": 70,
"hash": "0x55afd043d32294d5f0189f5a0aa04f3174e4c087a31c85396f49b5f17813cb96",
"opcodes": [
"JUMPDEST",
"STOP"
],
"start_pc": 69
},
{
"end_pc": 136,
"hash": "0xfc01f99e3d71612bfaa85e2bb57cdd9403eabce7b9348bcac405b7924f1b1f2d",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"OP_80",
"SLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"OP_83",
"AND",
"ISZERO",
"PUSH2",
"MUL",
"PUSH1",
"NOT",
"ADD",
"OP_90",
"OP_92",
"AND",
"OP_91",
"OP_90",
"OP_91",
"DIV",
"PUSH1",
"OP_81",
"ADD",
"OP_82",
"OP_90",
"DIV",
"OP_90",
"OP_91",
"MUL",
"PUSH1",
"OP_90",
"OP_81",
"ADD",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_82",
"OP_81",
"MSTORE",
"OP_92",
"OP_91",
"OP_90",
"OP_82",
"OP_82",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 71
},
{
"end_pc": 144,
"hash": "0x94766029cd41199d0239fbf67bb17d1e452d9bb9f7b63a80357531b66475e6d3",
"opcodes": [
"OP_80",
"PUSH1",
"LT",
"PUSH2",
"JUMPI"
],
"start_pc": 137
},
{
"end_pc": 163,
"hash": "0x7a9c5e28ca72e7db26993eb4591b942a2bd83baf5200667721f5598807ec92a5",
"opcodes": [
"PUSH2",
"OP_80",
"OP_83",
"SLOAD",
"DIV",
"MUL",
"OP_83",
"MSTORE",
"OP_91",
"PUSH1",
"ADD",
"OP_91",
"PUSH2",
"JUMP"
],
"start_pc": 145
},
{
"end_pc": 175,
"hash": "0x938aee19a0e1094c19b5a9528f839968d51c237564158e673ab6899436584f6e",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"SLOAD",
"PUSH1",
"AND",
"OP_81",
"JUMP"
],
"start_pc": 164
},
{
"end_pc": 199,
"hash": "0x7b0565c261db3d55c39f20ac0ee4d4710d6951f51b6844e361a4647909dcfc38",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"OP_90",
"SHA3",
"SLOAD",
"OP_81",
"JUMP"
],
"start_pc": 176
},
{
"end_pc": 263,
"hash": "0x05bb2b1cf28e868299a2692b981f091c16cd0b0ff5f325436e762172d3967632",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"OP_80",
"SLOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"PUSH1",
"NOT",
"PUSH2",
"OP_85",
"OP_87",
"AND",
"ISZERO",
"MUL",
"ADD",
"OP_90",
"OP_93",
"AND",
"OP_92",
"OP_90",
"OP_92",
"DIV",
"OP_91",
"OP_82",
"ADD",
"OP_81",
"OP_90",
"DIV",
"MUL",
"PUSH1",
"OP_90",
"OP_81",
"ADD",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_82",
exec
/bin/bash -lc "sed -n '261,520p' BYTECODE_BUNDLE.json" in /tmp/codex-chbbow8y
succeeded in 0ms:
"OP_81",
"MSTORE",
"OP_92",
"OP_91",
"OP_90",
"OP_82",
"OP_82",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 200
},
{
"end_pc": 271,
"hash": "0x21b49c68f1af8b85acdfbc3ef26289b590ab67ebb18271dfc552d3d38c161349",
"opcodes": [
"OP_80",
"PUSH1",
"LT",
"PUSH2",
"JUMPI"
],
"start_pc": 264
},
{
"end_pc": 290,
"hash": "0xae7e4932e7d3455de45f6fa310bc61e816c4075510a405b25c6797cfa8308dd4",
"opcodes": [
"PUSH2",
"OP_80",
"OP_83",
"SLOAD",
"DIV",
"MUL",
"OP_83",
"MSTORE",
"OP_91",
"PUSH1",
"ADD",
"OP_91",
"PUSH2",
"JUMP"
],
"start_pc": 272
},
{
"end_pc": 333,
"hash": "0x695d244bc0789518ea2be8b9593ab18c4b31efe9b0bb2b4a99b09bfa0bd4168d",
"opcodes": [
"JUMPDEST",
"PUSH2",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"CALLDATALOAD",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"CALLER",
"AND",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"OP_90",
"SHA3",
"SLOAD",
"OP_81",
"OP_90",
"LT",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 291
},
{
"end_pc": 337,
"hash": "0x5ebda49c75a90269902080f51db6f1c7b1af883a7fd6baf1d61b81a8b96dcdca",
"opcodes": [
"PUSH2",
"JUMP"
],
"start_pc": 334
},
{
"end_pc": 408,
"hash": "0x8260bcfbd4c1d49f77b482640c6297cd133661f3ada7f52d07e1835f240b06d3",
"opcodes": [
"JUMPDEST",
"PUSH1",
"MLOAD",
"OP_80",
"OP_80",
"PUSH1",
"ADD",
"OP_82",
"OP_81",
"SUB",
"OP_82",
"MSTORE",
"OP_83",
"OP_81",
"OP_81",
"MLOAD",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP",
"OP_80",
"MLOAD",
"OP_90",
"PUSH1",
"ADD",
"OP_90",
"OP_80",
"OP_83",
"OP_83",
"OP_82",
"OP_90",
"PUSH1",
"PUSH1",
"PUSH1",
"OP_84",
"PUSH1",
"ADD",
"DIV",
"PUSH1",
"MUL",
"PUSH1",
"ADD",
"CALL",
"POP",
"OP_90",
"POP",
"OP_90",
"OP_81",
"ADD",
"OP_90",
"PUSH1",
"AND",
"OP_80",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 338
},
{
"end_pc": 433,
"hash": "0xc0a703c2254334f9171c8126ae06fea5cf289341f4c19c890fa2f6b928c400e4",
"opcodes": [
"OP_80",
"OP_82",
"SUB",
"OP_80",
"MLOAD",
"PUSH1",
"OP_83",
"PUSH1",
"SUB",
"PUSH2",
"EXP",
"SUB",
"NOT",
"AND",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP"
],
"start_pc": 409
},
{
"end_pc": 447,
"hash": "0xbbf38bd955ec6188d491c8a752950f390e38b6a9203b6891438ecf3d66b81c51",
"opcodes": [
"JUMPDEST",
"POP",
"OP_92",
"POP",
"POP",
"POP",
"PUSH1",
"MLOAD",
"OP_80",
"OP_91",
"SUB",
"OP_90",
"RETURN"
],
"start_pc": 434
},
{
"end_pc": 457,
"hash": "0xe40870dc717cbfdedea9fbb4d2473ca373d3dd88734eda3a8e7ff7e0a08a80de",
"opcodes": [
"JUMPDEST",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"OP_90",
"RETURN"
],
"start_pc": 448
},
{
"end_pc": 471,
"hash": "0x712f7aabde4f2b6cb8fd21b243449d960bb2bde97dfa68f99a6793a74191755f",
"opcodes": [
"JUMPDEST",
"OP_82",
"ADD",
"OP_91",
"OP_90",
"PUSH1",
"MSTORE",
"PUSH1",
"PUSH1",
"SHA3",
"OP_90"
],
"start_pc": 458
},
{
"end_pc": 491,
"hash": "0xb72355893dc85ba3dba3d8450e06bc619269717a95c970bc878e9b20fda0e6a2",
"opcodes": [
"JUMPDEST",
"OP_81",
"SLOAD",
"OP_81",
"MSTORE",
"OP_90",
"PUSH1",
"ADD",
"OP_90",
"PUSH1",
"ADD",
"OP_80",
"OP_83",
"GT",
"PUSH2",
"JUMPI"
],
"start_pc": 472
exec
/bin/bash -lc "sed -n '521,780p' BYTECODE_BUNDLE.json" in /tmp/codex-chbbow8y
succeeded in 0ms:
},
{
"end_pc": 500,
"hash": "0x44d3956d843a32ee50717833fa8ec9dbfa425cdf8dcb23848e44acae24f05d14",
"opcodes": [
"OP_82",
"OP_90",
"SUB",
"PUSH1",
"AND",
"OP_82",
"ADD",
"OP_91"
],
"start_pc": 492
},
{
"end_pc": 508,
"hash": "0xfc2ec825a8f178aa5a5c70c694abf2c3132e519e33d00850e8769ebb62cf186a",
"opcodes": [
"JUMPDEST",
"POP",
"POP",
"POP",
"POP",
"POP",
"OP_81",
"JUMP"
],
"start_pc": 501
},
{
"end_pc": 538,
"hash": "0xa75c05a5c67571b18cbd868879dec0d7c57966797b1df8756504756360d24fa1",
"opcodes": [
"JUMPDEST",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"OP_82",
"AND",
"PUSH1",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"OP_90",
"SHA3",
"SLOAD",
"OP_80",
"OP_82",
"ADD",
"LT",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 509
},
{
"end_pc": 542,
"hash": "0xee4e5c2be823ee6e569c01a0bf832422eaf7ebbf27bd4c5f027d970c75b8c6f9",
"opcodes": [
"PUSH2",
"JUMP"
],
"start_pc": 539
},
{
"end_pc": 715,
"hash": "0x55470c341be9e608b9f37871022d25fc911758efeacc5d69b28df302da0d728e",
"opcodes": [
"JUMPDEST",
"OP_80",
"PUSH1",
"PUSH1",
"POP",
"PUSH1",
"CALLER",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"AND",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"PUSH1",
"SHA3",
"PUSH1",
"OP_82",
"OP_82",
"OP_82",
"POP",
"SLOAD",
"SUB",
"OP_92",
"POP",
"POP",
"OP_81",
"OP_90",
"SSTORE",
"POP",
"OP_80",
"PUSH1",
"PUSH1",
"POP",
"PUSH1",
"OP_84",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"AND",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_90",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"PUSH1",
"SHA3",
"PUSH1",
"OP_82",
"OP_82",
"OP_82",
"POP",
"SLOAD",
"ADD",
"OP_92",
"POP",
"POP",
"OP_81",
"OP_90",
"SSTORE",
"POP",
"OP_81",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"AND",
"CALLER",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"AND",
"PUSH32",
"OP_83",
"PUSH1",
"MLOAD",
"OP_80",
"OP_82",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP",
"POP",
"PUSH1",
"MLOAD",
"OP_80",
"OP_91",
"SUB",
"OP_90",
"OP_A3",
"POP",
"POP",
"JUMP"
],
"start_pc": 543
}
],
"callsites": [
{
"opcode": "CALL",
"pc": 392,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"cfg_edges": [
{
"from": "bb:0",
"to": "bb:71",
"type": "control_flow"
},
{
"from": "bb:0",
"to": "bb:25",
"type": "control_flow_fallthrough"
},
{
"from": "bb:25",
"to": "bb:164",
"type": "control_flow"
},
{
"from": "bb:25",
"to": "bb:36",
"type": "control_flow_fallthrough"
},
{
"from": "bb:36",
"to": "bb:176",
"type": "control_flow"
},
{
"from": "bb:36",
"to": "bb:47",
"type": "control_flow_fallthrough"
},
{
"from": "bb:47",
"to": "bb:200",
"type": "control_flow"
},
{
"from": "bb:47",
"to": "bb:58",
"type": "control_flow_fallthrough"
},
{
"from": "bb:58",
"to": "bb:291",
"type": "control_flow"
},
{
"from": "bb:58",
"to": "bb:69",
"type": "control_flow_fallthrough"
},
{
"from": "bb:71",
"to": "bb:501",
"type": "control_flow"
},
{
"from": "bb:71",
"to": "bb:137",
"type": "control_flow_fallthrough"
},
exec
/bin/bash -lc "sed -n '781,1040p' BYTECODE_BUNDLE.json" in /tmp/codex-chbbow8y
succeeded in 0ms:
{
"from": "bb:137",
"to": "bb:458",
"type": "control_flow"
},
{
"from": "bb:137",
"to": "bb:145",
"type": "control_flow_fallthrough"
},
{
"from": "bb:145",
"to": "bb:501",
"type": "control_flow"
},
{
"from": "bb:200",
"to": "bb:501",
"type": "control_flow"
},
{
"from": "bb:200",
"to": "bb:264",
"type": "control_flow_fallthrough"
},
{
"from": "bb:264",
"to": "bb:458",
"type": "control_flow"
},
{
"from": "bb:264",
"to": "bb:272",
"type": "control_flow_fallthrough"
},
{
"from": "bb:272",
"to": "bb:501",
"type": "control_flow"
},
{
"from": "bb:291",
"to": "bb:509",
"type": "control_flow"
},
{
"from": "bb:291",
"to": "bb:334",
"type": "control_flow_fallthrough"
},
{
"from": "bb:338",
"to": "bb:434",
"type": "control_flow"
},
{
"from": "bb:338",
"to": "bb:409",
"type": "control_flow_fallthrough"
},
{
"from": "bb:409",
"to": "bb:434",
"type": "control_flow_fallthrough"
},
{
"from": "bb:458",
"to": "bb:472",
"type": "control_flow_fallthrough"
},
{
"from": "bb:472",
"to": "bb:472",
"type": "control_flow"
},
{
"from": "bb:472",
"to": "bb:492",
"type": "control_flow_fallthrough"
},
{
"from": "bb:492",
"to": "bb:501",
"type": "control_flow_fallthrough"
},
{
"from": "bb:509",
"to": "bb:543",
"type": "control_flow"
},
{
"from": "bb:509",
"to": "bb:539",
"type": "control_flow_fallthrough"
}
],
"cfg_hash": "0x6dea98c1fdd74928a6717ed23e8cdb7870607a66fe0991540e9325b99a0c2ccc",
"dispatcher_type": "selector_jump_table",
"function_entries": [
{
"entry_pc": null,
"selector": "0x06fdde03"
},
{
"entry_pc": 1889567281,
"selector": "0x313ce567"
},
{
"entry_pc": 2514000705,
"selector": "0x70a08231"
},
{
"entry_pc": 2835717307,
"selector": "0x95d89b41"
},
{
"entry_pc": null,
"selector": "0xa9059cbb"
}
],
"functions": [
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0x06fdde03",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 1889567281,
"selector": "0x313ce567",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 2514000705,
"selector": "0x70a08231",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": 2835717307,
"selector": "0x95d89b41",
"sinks": {
exec
/bin/bash -lc "sed -n '1041,1300p' BYTECODE_BUNDLE.json" in /tmp/codex-chbbow8y
succeeded in 0ms:
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
},
{
"auth": {
"guards": []
},
"entry_pc": null,
"selector": "0xa9059cbb",
"sinks": {
"call": 1,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
},
"storage": {
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
}
}
],
"selectors": [
"0x06fdde03",
"0x313ce567",
"0x70a08231",
"0x95d89b41",
"0xa9059cbb"
],
"sinks": {
"call": 1,
"create": 0,
"create2": 0,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0,
"upgrade_slot_write_suspected": false
},
"storage": {
"keccak_count": 6,
"reads": 11,
"slots": [
{
"op": "SLOAD",
"pc": 78,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 150,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
},
{
"op": "SLOAD",
"pc": 170,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 207,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 277,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
}
],
"writes": 2
},
"version": "analysis_artifact_v1"
},
"block_number": null,
"chain_id": 1,
"codehash": "0x9c955d6fcbfcbaebc1eba76ca0b918c6f34cf6cc3f5c33f4a4a83a88440f4e9f",
"created_at": "2026-04-04T20:00:21.000000Z",
"id": 2800,
"updated_at": "2026-04-04T23:34:28.000000Z",
"version": "analysis_artifact_v1"
},
"analysis_run": {
"address": "0xebf1031e6690d9befe06dc19b0114c592694abf3",
"block_number": null,
"chain_id": 1,
"child_links": [],
"created_at": "2025-12-19T20:03:59.000000Z",
"id": "019b3836-4533-7185-8d7b-fedf8e215cd2",
"parent_links": [],
"status": "running",
"updated_at": "2026-04-04T20:00:21.000000Z"
},
"artifact": {
"codehash": "0x9c955d6fcbfcbaebc1eba76ca0b918c6f34cf6cc3f5c33f4a4a83a88440f4e9f",
"compiler_json": {
"etherscan": {
"skipped": true
}
},
"implementation_address": null,
"is_proxy": false,
"runtime_bytecode": {
"full": "0x606060405260e060020a600035046306fdde038114610047578063313ce567146100a457806370a08231146100b057806395d89b41146100c8578063a9059cbb14610123575b005b61015260008054602060026001831615610100026000190190921691909104601f810182900490910260809081016040526060828152929190828280156101f55780601f106101ca576101008083540402835291602001916101f5565b6101c060025460ff1681565b6101c060043560036020526000908152604090205481565b610152600180546020601f6002600019610100858716150201909316929092049182018190040260809081016040526060828152929190828280156101f55780601f106101ca576101008083540402835291602001916101f5565b610045600435602435600160a060020a033316600090815260036020526040902054819010156101fd57610002565b60405180806020018281038252838181518152602001915080519060200190808383829060006004602084601f0104600f02600301f150905090810190601f1680156101b25780820380516001836020036101000a031916815260200191505b509250505060405180910390f35b6060908152602090f35b820191906000526020600020905b8154815290600101906020018083116101d857829003601f168201915b505050505081565b600160a060020a03821660009081526040902054808201101561021f57610002565b806003600050600033600160a060020a03168152602001908152602001600020600082828250540392505081905550806003600050600084600160a060020a0316815260200190815260200160002060008282825054019250508190555081600160a060020a031633600160a060020a03167fddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef836040518082815260200191505060405180910390a3505056",
"head": null,
"length": 1434,
"tail": null,
"truncated": false
},
"verified_source": false
},
"capability_graph": {
"address": "0xebf1031e6690d9befe06dc19b0114c592694abf3",
"block_number": null,
"chain_id": 1,
"codehash": "0x9c955d6fcbfcbaebc1eba76ca0b918c6f34cf6cc3f5c33f4a4a83a88440f4e9f",
"created_at": "2026-04-04T20:00:21.000000Z",
"graph_hash": "0x2ee0f252132699f51924d69c5f1c6dfb4e7637cad6f24f07a9a7a4cd1120fbb1",
"graph_json": {
"edges": [
{
"from": "bb:0",
"to": "bb:71",
"type": "control_flow"
},
{
"from": "bb:0",
"to": "bb:25",
"type": "control_flow_fallthrough"
},
{
"from": "bb:25",
"to": "bb:164",
"type": "control_flow"
},
{
"from": "bb:25",
"to": "bb:36",
"type": "control_flow_fallthrough"
},
{
"from": "bb:36",
"to": "bb:176",
"type": "control_flow"
},
{
"from": "bb:36",
"to": "bb:47",
"type": "control_flow_fallthrough"
},
{
"from": "bb:47",
"to": "bb:200",
"type": "control_flow"
},
{
"from": "bb:47",
"to": "bb:58",
"type": "control_flow_fallthrough"
},
{
"from": "bb:58",
"to": "bb:291",
"type": "control_flow"
},
{
"from": "bb:58",
"to": "bb:69",
"type": "control_flow_fallthrough"
},
{
"from": "bb:71",
"to": "bb:501",
"type": "control_flow"
},
{
"from": "bb:71",
"to": "bb:137",
"type": "control_flow_fallthrough"
},
{
"from": "bb:137",
"to": "bb:458",
"type": "control_flow"
},
{
"from": "bb:137",
"to": "bb:145",
"type": "control_flow_fallthrough"
},
{
"from": "bb:145",
"to": "bb:501",
"type": "control_flow"
},
{
"from": "bb:200",
"to": "bb:501",
"type": "control_flow"
},
{
"from": "bb:200",
exec
/bin/bash -lc "rg -n 'detector|evidence|finding|proxy|delegatecall|callsite|slot|ddf252ad|CALL|DELEGATECALL|SELFDESTRUCT|owner|auth|guard|reentr' BYTECODE_BUNDLE.json" in /tmp/codex-chbbow8y
succeeded in 0ms:
6: "auth": {
7: "guards": []
21: "CALLDATALOAD",
201: "CALLDATALOAD",
315: "CALLDATALOAD",
317: "CALLDATALOAD",
323: "CALLER",
402: "CALL",
601: "CALLER",
677: "CALLER",
711: "callsites": [
713: "opcode": "CALL",
903: "auth": {
904: "guards": []
910: "delegatecall": 0,
916: "slots": [
920: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
925: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
930: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
935: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
940: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
947: "auth": {
948: "guards": []
954: "delegatecall": 0,
960: "slots": [
964: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
969: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
974: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
979: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
984: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
991: "auth": {
992: "guards": []
998: "delegatecall": 0,
1004: "slots": [
1008: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1013: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1018: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
1023: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
1028: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1035: "auth": {
1036: "guards": []
1042: "delegatecall": 0,
1048: "slots": [
1052: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1057: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1062: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
1067: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
1072: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1079: "auth": {
1080: "guards": []
1086: "delegatecall": 0,
1092: "slots": [
1096: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1101: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1106: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
1111: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
1116: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1134: "delegatecall": 0,
1137: "upgrade_slot_write_suspected": false
1142: "slots": [
1146: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
1151: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1156: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
1161: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
1166: "slot": "0x0000000000000000000000000000000000000000000000000000000000000100"
1200: "is_proxy": false,
1202: "full": "0x606060405260e060020a600035046306fdde038114610047578063313ce567146100a457806370a08231146100b057806395d89b41146100c8578063a9059cbb14610123575b005b61015260008054602060026001831615610100026000190190921691909104601f810182900490910260809081016040526060828152929190828280156101f55780601f106101ca576101008083540402835291602001916101f5565b6101c060025460ff1681565b6101c060043560036020526000908152604090205481565b610152600180546020601f6002600019610100858716150201909316929092049182018190040260809081016040526060828152929190828280156101f55780601f106101ca576101008083540402835291602001916101f5565b610045600435602435600160a060020a033316600090815260036020526040902054819010156101fd57610002565b60405180806020018281038252838181518152602001915080519060200190808383829060006004602084601f0104600f02600301f150905090810190601f1680156101b25780820380516001836020036101000a031916815260200191505b509250505060405180910390f35b6060908152602090f35b820191906000526020600020905b8154815290600101906020018083116101d857829003601f168201915b505050505081565b600160a060020a03821660009081526040902054808201101561021f57610002565b806003600050600033600160a060020a03168152602001908152602001600020600082828250540392505081905550806003600050600084600160a060020a0316815260200190815260200160002060008282825054019250508190555081600160a060020a031633600160a060020a03167fddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef836040518082815260200191505060405180910390a3505056",
1592: "opcode": "CALL",
1594: "type": "callsite"
1637: "detector_findings": [
1640: "evidence_json": {
1644: "opcode": "CALL",
1651: "guards_detected": [],
1655: "sink": "CALL"
1658: "title": "Untrusted CALL target/value reachable",
1670: "sink": "CALL",
1679: "evidence_json": {
1683: "opcode": "CALL",
1690: "guards_detected": []
1693: "sink": "CALL",
1709: "sink": "CALL",
1719: "delegatecall_count": 0,
exec
/bin/bash -lc "sed -n '1560,1735p' BYTECODE_BUNDLE.json" in /tmp/codex-chbbow8y
succeeded in 0ms:
"type": "basic_block"
},
{
"end_pc": 508,
"hash": "0xfc2ec825a8f178aa5a5c70c694abf2c3132e519e33d00850e8769ebb62cf186a",
"id": "bb:501",
"start_pc": 501,
"type": "basic_block"
},
{
"end_pc": 538,
"hash": "0xa75c05a5c67571b18cbd868879dec0d7c57966797b1df8756504756360d24fa1",
"id": "bb:509",
"start_pc": 509,
"type": "basic_block"
},
{
"end_pc": 542,
"hash": "0xee4e5c2be823ee6e569c01a0bf832422eaf7ebbf27bd4c5f027d970c75b8c6f9",
"id": "bb:539",
"start_pc": 539,
"type": "basic_block"
},
{
"end_pc": 715,
"hash": "0x55470c341be9e608b9f37871022d25fc911758efeacc5d69b28df302da0d728e",
"id": "bb:543",
"start_pc": 543,
"type": "basic_block"
},
{
"id": "call:392",
"opcode": "CALL",
"pc": 392,
"type": "callsite"
},
{
"id": "sink:call",
"type": "sink"
},
{
"entry_pc": null,
"id": "fn:0x06fdde03",
"selector": "0x06fdde03",
"type": "function"
},
{
"entry_pc": 1889567281,
"id": "fn:0x313ce567",
"selector": "0x313ce567",
"type": "function"
},
{
"entry_pc": 2514000705,
"id": "fn:0x70a08231",
"selector": "0x70a08231",
"type": "function"
},
{
"entry_pc": 2835717307,
"id": "fn:0x95d89b41",
"selector": "0x95d89b41",
"type": "function"
},
{
"entry_pc": null,
"id": "fn:0xa9059cbb",
"selector": "0xa9059cbb",
"type": "function"
}
],
"version": "capability_graph_v1"
},
"id": 2799,
"updated_at": "2026-04-04T23:34:28.000000Z",
"version": "capability_graph_v1"
},
"detector_findings": [
{
"confidence": 60,
"evidence_json": {
"call_count": 1,
"examples": [
{
"opcode": "CALL",
"pc": 392,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": [],
"untrusted_call_count": 1
},
"normalized_json": {
"sink": "CALL"
},
"severity": "high",
"title": "Untrusted CALL target/value reachable",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0xebf1031e6690d9befe06dc19b0114c592694abf3"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x9d0d68e21f07525843cd59a20e1b58597a1e60529c1e9ffcdfeced510cb7623d",
"trace_mode": "callTracer"
}
},
{
"confidence": 55,
"evidence_json": {
"eth_value_calls": 1,
"examples": [
{
"opcode": "CALL",
"pc": 392,
"returndata_checked": null,
"target_expression_category": "computed",
"value_expression_category": "computed"
}
],
"guards_detected": []
},
"normalized_json": {
"sink": "CALL",
"value": "nonzero"
},
"severity": "high",
"title": "ETH value transfer possible",
"validated": true,
"validation_json": {
"attempts": 1,
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0xebf1031e6690d9befe06dc19b0114c592694abf3"
],
"classification": "target_varies",
"confirmed": true,
"errors": 0,
"matched_probe": null,
"sink": "CALL",
"status": "confirmed",
"target_varies": true,
"trace_id": "0x9d0d68e21f07525843cd59a20e1b58597a1e60529c1e9ffcdfeced510cb7623d",
"trace_mode": "callTracer"
}
}
],
"heuristics_summary": {
"create2_count": 0,
"delegatecall_count": 0,
"flags": [],
"selfdestruct_count": 0
}
}
exec
/bin/bash -lc "node - <<'NODE'
const fs = require('fs');
const bundle = JSON.parse(fs.readFileSync('BYTECODE_BUNDLE.json','utf8'));
const hex = bundle.artifact.runtime_bytecode.full.slice(2);
const opnames = {};
for (let i=0;i<=0xff;i++) opnames[i] = 'OP_'+i.toString(16).padStart(2,'0');
['STOP','ADD','MUL','SUB','DIV','SDIV','MOD','SMOD','ADDMOD','MULMOD','EXP','SIGNEXTEND'].forEach((n,i)=>opnames[i]=n);
['LT','GT','SLT','SGT','EQ','ISZERO','AND','OR','XOR','NOT','BYTE','SHL','SHR','SAR'].forEach((n,i)=>opnames[0x10+i]=n);
['SHA3'].forEach((n,i)=>opnames[0x20+i]=n);
['ADDRESS','BALANCE','ORIGIN','CALLER','CALLVALUE','CALLDATALOAD','CALLDATASIZE','CALLDATACOPY','CODESIZE','CODECOPY','GASPRICE','EXTCODESIZE','EXTCODECOPY','RETURNDATASIZE','RETURNDATACOPY','EXTCODEHASH'].forEach((n,i)=>opnames[0x30+i]=n);
['BLOCKHASH','COINBASE','TIMESTAMP','NUMBER','DIFFICULTY','GASLIMIT','CHAINID','SELFBALANCE','BASEFEE'].forEach((n,i)=>opnames[0x40+i]=n);
['POP','MLOAD','MSTORE','MSTORE8','SLOAD','SSTORE','JUMP','JUMPI','PC','MSIZE','GAS','JUMPDEST'].forEach((n,i)=>opnames[0x50+i]=n);
for (let i=1;i<=32;i++) opnames[0x5f+i]='PUSH'+i;
for (let i=1;i<=16;i++) opnames[0x7f+i]='DUP'+i;
for (let i=1;i<=16;i++) opnames[0x8f+i]='SWAP'+i;
for (let i=0;i<=4;i++) opnames[0xa0+i]='LOG'+i;
['CREATE','CALL','CALLCODE','RETURN','DELEGATECALL','CREATE2','STATICCALL','REVERT','INVALID','SELFDESTRUCT'].forEach((n,i)=>opnames[0xf0+i]=n);
let pc=0; const rows=[];
while (pc < hex.length/2) {
const b = parseInt(hex.slice(pc*2, pc*2+2),16);
const name = opnames[b]||('OP_'+b.toString(16));
let arg='';
const start=pc;
pc++;
if (b>=0x60 && b<=0x7f) {
const n=b-0x5f;
arg='0x'+hex.slice(pc*2, pc*2+n*2);
pc+=n;
}
rows.push({pc:start, op:name, arg});
}
for (const row of rows.filter(r=>r.pc>=330 && r.pc<=410)) {
console.log(String(row.pc).padStart(4), row.op, row.arg);
}
NODE" in /tmp/codex-chbbow8y
succeeded in 0ms:
330 PUSH2 0x01fd
333 JUMPI
334 PUSH2 0x0002
337 JUMP
338 JUMPDEST
339 PUSH1 0x40
341 MLOAD
342 DUP1
343 DUP1
344 PUSH1 0x20
346 ADD
347 DUP3
348 DUP2
349 SUB
350 DUP3
351 MSTORE
352 DUP4
353 DUP2
354 DUP2
355 MLOAD
356 DUP2
357 MSTORE
358 PUSH1 0x20
360 ADD
361 SWAP2
362 POP
363 DUP1
364 MLOAD
365 SWAP1
366 PUSH1 0x20
368 ADD
369 SWAP1
370 DUP1
371 DUP4
372 DUP4
373 DUP3
374 SWAP1
375 PUSH1 0x00
377 PUSH1 0x04
379 PUSH1 0x20
381 DUP5
382 PUSH1 0x1f
384 ADD
385 DIV
386 PUSH1 0x0f
388 MUL
389 PUSH1 0x03
391 ADD
392 CALL
393 POP
394 SWAP1
395 POP
396 SWAP1
397 DUP2
398 ADD
399 SWAP1
400 PUSH1 0x1f
402 AND
403 DUP1
404 ISZERO
405 PUSH2 0x01b2
408 JUMPI
409 DUP1
410 DUP3
exec
/bin/bash -lc "node - <<'NODE'
const fs = require('fs');
const bundle = JSON.parse(fs.readFileSync('BYTECODE_BUNDLE.json','utf8'));
const hex = bundle.artifact.runtime_bytecode.full.slice(2);
const opnames = {};
for (let i=0;i<=0xff;i++) opnames[i] = 'OP_'+i.toString(16).padStart(2,'0');
['STOP','ADD','MUL','SUB','DIV','SDIV','MOD','SMOD','ADDMOD','MULMOD','EXP','SIGNEXTEND'].forEach((n,i)=>opnames[i]=n);
['LT','GT','SLT','SGT','EQ','ISZERO','AND','OR','XOR','NOT','BYTE','SHL','SHR','SAR'].forEach((n,i)=>opnames[0x10+i]=n);
opnames[0x20]='SHA3'; ['ADDRESS','BALANCE','ORIGIN','CALLER','CALLVALUE','CALLDATALOAD','CALLDATASIZE','CALLDATACOPY','CODESIZE','CODECOPY','GASPRICE','EXTCODESIZE','EXTCODECOPY','RETURNDATASIZE','RETURNDATACOPY','EXTCODEHASH'].forEach((n,i)=>opnames[0x30+i]=n);
['BLOCKHASH','COINBASE','TIMESTAMP','NUMBER','DIFFICULTY','GASLIMIT','CHAINID','SELFBALANCE','BASEFEE'].forEach((n,i)=>opnames[0x40+i]=n);
['POP','MLOAD','MSTORE','MSTORE8','SLOAD','SSTORE','JUMP','JUMPI','PC','MSIZE','GAS','JUMPDEST'].forEach((n,i)=>opnames[0x50+i]=n);
for (let i=1;i<=32;i++) opnames[0x5f+i]='PUSH'+i;
for (let i=1;i<=16;i++) opnames[0x7f+i]='DUP'+i;
for (let i=1;i<=16;i++) opnames[0x8f+i]='SWAP'+i;
for (let i=0;i<=4;i++) opnames[0xa0+i]='LOG'+i;
['CREATE','CALL','CALLCODE','RETURN','DELEGATECALL','CREATE2','STATICCALL','REVERT','INVALID','SELFDESTRUCT'].forEach((n,i)=>opnames[0xf0+i]=n);
let pc=0; const rows=[];
while (pc < hex.length/2) {
const b = parseInt(hex.slice(pc*2, pc*2+2),16);
const name = opnames[b];
let arg=''; const start=pc; pc++;
if (b>=0x60&&b<=0x7f){const n=b-0x5f;arg='0x'+hex.slice(pc*2,pc*2+n*2);pc+=n;}
rows.push({pc:start, op:name, arg});
}
for (const [a,b] of [[291,338],[509,543],[543,715],[0,120],[164,200],[176,290]]) {
console.log('\\nRANGE',a,b);
for (const row of rows.filter(r=>r.pc>=a && r.pc<b)) console.log(String(row.pc).padStart(4), row.op, row.arg);
}
NODE" in /tmp/codex-chbbow8y
succeeded in 0ms:
RANGE 291 338
291 JUMPDEST
292 PUSH2 0x0045
295 PUSH1 0x04
297 CALLDATALOAD
298 PUSH1 0x24
300 CALLDATALOAD
301 PUSH1 0x01
303 PUSH1 0xa0
305 PUSH1 0x02
307 EXP
308 SUB
309 CALLER
310 AND
311 PUSH1 0x00
313 SWAP1
314 DUP2
315 MSTORE
316 PUSH1 0x03
318 PUSH1 0x20
320 MSTORE
321 PUSH1 0x40
323 SWAP1
324 SHA3
325 SLOAD
326 DUP2
327 SWAP1
328 LT
329 ISZERO
330 PUSH2 0x01fd
333 JUMPI
334 PUSH2 0x0002
337 JUMP
RANGE 509 543
509 JUMPDEST
510 PUSH1 0x01
512 PUSH1 0xa0
514 PUSH1 0x02
516 EXP
517 SUB
518 DUP3
519 AND
520 PUSH1 0x00
522 SWAP1
523 DUP2
524 MSTORE
525 PUSH1 0x40
527 SWAP1
528 SHA3
529 SLOAD
530 DUP1
531 DUP3
532 ADD
533 LT
534 ISZERO
535 PUSH2 0x021f
538 JUMPI
539 PUSH2 0x0002
542 JUMP
RANGE 543 715
543 JUMPDEST
544 DUP1
545 PUSH1 0x03
547 PUSH1 0x00
549 POP
550 PUSH1 0x00
552 CALLER
553 PUSH1 0x01
555 PUSH1 0xa0
557 PUSH1 0x02
559 EXP
560 SUB
561 AND
562 DUP2
563 MSTORE
564 PUSH1 0x20
566 ADD
567 SWAP1
568 DUP2
569 MSTORE
570 PUSH1 0x20
572 ADD
573 PUSH1 0x00
575 SHA3
576 PUSH1 0x00
578 DUP3
579 DUP3
580 DUP3
581 POP
582 SLOAD
583 SUB
584 SWAP3
585 POP
586 POP
587 DUP2
588 SWAP1
589 SSTORE
590 POP
591 DUP1
592 PUSH1 0x03
594 PUSH1 0x00
596 POP
597 PUSH1 0x00
599 DUP5
600 PUSH1 0x01
602 PUSH1 0xa0
604 PUSH1 0x02
606 EXP
607 SUB
608 AND
609 DUP2
610 MSTORE
611 PUSH1 0x20
613 ADD
614 SWAP1
615 DUP2
616 MSTORE
617 PUSH1 0x20
619 ADD
620 PUSH1 0x00
622 SHA3
623 PUSH1 0x00
625 DUP3
626 DUP3
627 DUP3
628 POP
629 SLOAD
630 ADD
631 SWAP3
632 POP
633 POP
634 DUP2
635 SWAP1
636 SSTORE
637 POP
638 DUP2
639 PUSH1 0x01
641 PUSH1 0xa0
643 PUSH1 0x02
645 EXP
646 SUB
647 AND
648 CALLER
649 PUSH1 0x01
651 PUSH1 0xa0
653 PUSH1 0x02
655 EXP
656 SUB
657 AND
658 PUSH32 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef
691 DUP4
692 PUSH1 0x40
694 MLOAD
695 DUP1
696 DUP3
697 DUP2
698 MSTORE
699 PUSH1 0x20
701 ADD
702 SWAP2
703 POP
704 POP
705 PUSH1 0x40
707 MLOAD
708 DUP1
709 SWAP2
710 SUB
711 SWAP1
712 LOG3
713 POP
714 POP
RANGE 0 120
0 PUSH1 0x60
2 PUSH1 0x40
4 MSTORE
5 PUSH1 0xe0
7 PUSH1 0x02
9 EXP
10 PUSH1 0x00
12 CALLDATALOAD
13 DIV
14 PUSH4 0x06fdde03
19 DUP2
20 EQ
21 PUSH2 0x0047
24 JUMPI
25 DUP1
26 PUSH4 0x313ce567
31 EQ
32 PUSH2 0x00a4
35 JUMPI
36 DUP1
37 PUSH4 0x70a08231
42 EQ
43 PUSH2 0x00b0
46 JUMPI
47 DUP1
48 PUSH4 0x95d89b41
53 EQ
54 PUSH2 0x00c8
57 JUMPI
58 DUP1
59 PUSH4 0xa9059cbb
64 EQ
65 PUSH2 0x0123
68 JUMPI
69 JUMPDEST
70 STOP
71 JUMPDEST
72 PUSH2 0x0152
75 PUSH1 0x00
77 DUP1
78 SLOAD
79 PUSH1 0x20
81 PUSH1 0x02
83 PUSH1 0x01
85 DUP4
86 AND
87 ISZERO
88 PUSH2 0x0100
91 MUL
92 PUSH1 0x00
94 NOT
95 ADD
96 SWAP1
97 SWAP3
98 AND
99 SWAP2
100 SWAP1
101 SWAP2
102 DIV
103 PUSH1 0x1f
105 DUP2
106 ADD
107 DUP3
108 SWAP1
109 DIV
110 SWAP1
111 SWAP2
112 MUL
113 PUSH1 0x80
115 SWAP1
116 DUP2
117 ADD
118 PUSH1 0x40
RANGE 164 200
164 JUMPDEST
165 PUSH2 0x01c0
168 PUSH1 0x02
170 SLOAD
171 PUSH1 0xff
173 AND
174 DUP2
175 JUMP
176 JUMPDEST
177 PUSH2 0x01c0
180 PUSH1 0x04
182 CALLDATALOAD
183 PUSH1 0x03
185 PUSH1 0x20
187 MSTORE
188 PUSH1 0x00
190 SWAP1
191 DUP2
192 MSTORE
193 PUSH1 0x40
195 SWAP1
196 SHA3
197 SLOAD
198 DUP2
199 JUMP
RANGE 176 290
176 JUMPDEST
177 PUSH2 0x01c0
180 PUSH1 0x04
182 CALLDATALOAD
183 PUSH1 0x03
185 PUSH1 0x20
187 MSTORE
188 PUSH1 0x00
190 SWAP1
191 DUP2
192 MSTORE
193 PUSH1 0x40
195 SWAP1
196 SHA3
197 SLOAD
198 DUP2
199 JUMP
200 JUMPDEST
201 PUSH2 0x0152
204 PUSH1 0x01
206 DUP1
207 SLOAD
208 PUSH1 0x20
210 PUSH1 0x1f
212 PUSH1 0x02
214 PUSH1 0x00
216 NOT
217 PUSH2 0x0100
220 DUP6
221 DUP8
222 AND
223 ISZERO
224 MUL
225 ADD
226 SWAP1
227 SWAP4
228 AND
229 SWAP3
230 SWAP1
231 SWAP3
232 DIV
233 SWAP2
234 DUP3
235 ADD
236 DUP2
237 SWAP1
238 DIV
239 MUL
240 PUSH1 0x80
242 SWAP1
243 DUP2
244 ADD
245 PUSH1 0x40
247 MSTORE
248 PUSH1 0x60
250 DUP3
251 DUP2
252 MSTORE
253 SWAP3
254 SWAP2
255 SWAP1
256 DUP3
257 DUP3
258 DUP1
259 ISZERO
260 PUSH2 0x01f5
263 JUMPI
264 DUP1
265 PUSH1 0x1f
267 LT
268 PUSH2 0x01ca
271 JUMPI
272 PUSH2 0x0100
275 DUP1
276 DUP4
277 SLOAD
278 DIV
279 MUL
280 DUP4
281 MSTORE
282 SWAP2
283 PUSH1 0x20
285 ADD
286 SWAP2
287 PUSH2 0x01f5
The bundle decodes to a small legacy token-like contract. I discounted the detector’s CALL warnings because the only CALL at pc 0x188 matches the identity precompile copy pattern used by old Solidity string-return helpers.
✓ Inspect BYTECODE_BUNDLE.json and available analysis artifacts
✓ Assess bytecode evidence for concrete security findings
→ Return JSON report matching the required schema
codex
{"no_findings":false,"summary":"Based on the runtime bytecode and BYTECODE_BUNDLE.json only, this looks like a small legacy token-like contract with selectors for name/symbol/decimals/balanceOf/transfer. I did not treat the detector-reported CALL at pc:0x188 as an untrusted external call issue: the opcode pattern matches the identity precompile (0x04) used by older Solidity string-copy helpers, so the bundle’s CALL/ETH-transfer alerts appear to be false positives. The concrete issues below are low-severity compatibility/asset-safety risks visible from bytecode.","findings":[{"severity":"low","category":"other","title":"Payable fallback silently accepts ETH and unknown selectors","exploit_scenario":"Because the dispatcher falls through to STOP for unmatched selectors, calls with bad calldata or plain ETH transfers succeed instead of reverting. A user, wallet, or integrating contract can accidentally send ETH to this token contract or invoke a nonexistent function and receive a success status; with no visible withdrawal path in the runtime, that ETH would remain stuck in the contract.","recommendation":"Add an explicit reverting fallback/receive path for unexpected calls and nonzero CALLVALUE, or add a controlled recovery mechanism if ETH custody is intended.","evidence":"Dispatcher compares known selectors at pc:0x0-0x44, then falls through to JUMPDEST/STOP at pc:0x45 without any preceding CALLVALUE check. The runtime has no DELEGATECALL/SELFDESTRUCT and only one CALL site at pc:0x188, which matches the identity precompile copy pattern rather than an ETH-withdrawal path. This is a bytecode-only inference, so the lack of a recovery path is based on the visible runtime only.","locations":["pc:0x0","pc:0x45","pc:0x188"]},{"severity":"low","category":"other","title":"`transfer(address,uint256)` appears to return no boolean value","exploit_scenario":"Integrations that assume canonical ERC-20 semantics for selector 0xa9059cbb may decode the returndata as `bool` and fail, or may need special-case handling. In practice this can break deposits, withdrawals, routers, or wrappers that require a strict `true` return value from `transfer`.","recommendation":"If this contract is meant to be ERC-20 compatible, make `transfer` ABI-return `true` on success. If the contract is immutable legacy bytecode, document it clearly and require integrators to use safe wrappers that tolerate missing return data.","evidence":"Selector 0xa9059cbb dispatches to pc:0x123. That path pushes return destination 0x0045, performs balance checks and state updates through pc:0x21f-0x2cb, then jumps back to pc:0x45, which is STOP, not a RETURN helper. By contrast, read functions route through explicit return helpers at pc:0x152 and pc:0x1c0. This strongly suggests `transfer` succeeds with empty returndata rather than a 32-byte boolean.","locations":["selector:0xa9059cbb","pc:0x123","pc:0x45"]}]}
tokens used
51,020
{
"codex": {
"ran_at": "2026-04-05T07:28:14.146551+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 1434,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "Based on the runtime bytecode and BYTECODE_BUNDLE.json only, this looks like a small legacy token-like contract with selectors for name/symbol/decimals/balanceOf/transfer. I did not treat the detector-reported CALL at pc:0x188 as an untrusted external call issue: the opcode pattern matches the identity precompile (0x04) used by older Solidity string-copy helpers, so the bundle\u2019s CALL/ETH-transfer alerts appear to be false positives. The concrete issues below are low-severity compatibility/asset-safety risks visible from bytecode.",
"raw_final": {
"summary": "Based on the runtime bytecode and BYTECODE_BUNDLE.json only, this looks like a small legacy token-like contract with selectors for name/symbol/decimals/balanceOf/transfer. I did not treat the detector-reported CALL at pc:0x188 as an untrusted external call issue: the opcode pattern matches the identity precompile (0x04) used by older Solidity string-copy helpers, so the bundle\u2019s CALL/ETH-transfer alerts appear to be false positives. The concrete issues below are low-severity compatibility/asset-safety risks visible from bytecode.",
"findings": [
{
"title": "Payable fallback silently accepts ETH and unknown selectors",
"category": "other",
"evidence": "Dispatcher compares known selectors at pc:0x0-0x44, then falls through to JUMPDEST/STOP at pc:0x45 without any preceding CALLVALUE check. The runtime has no DELEGATECALL/SELFDESTRUCT and only one CALL site at pc:0x188, which matches the identity precompile copy pattern rather than an ETH-withdrawal path. This is a bytecode-only inference, so the lack of a recovery path is based on the visible runtime only.",
"severity": "low",
"locations": [
"pc:0x0",
"pc:0x45",
"pc:0x188"
],
"recommendation": "Add an explicit reverting fallback/receive path for unexpected calls and nonzero CALLVALUE, or add a controlled recovery mechanism if ETH custody is intended.",
"exploit_scenario": "Because the dispatcher falls through to STOP for unmatched selectors, calls with bad calldata or plain ETH transfers succeed instead of reverting. A user, wallet, or integrating contract can accidentally send ETH to this token contract or invoke a nonexistent function and receive a success status; with no visible withdrawal path in the runtime, that ETH would remain stuck in the contract."
},
{
"title": "`transfer(address,uint256)` appears to return no boolean value",
"category": "other",
"evidence": "Selector 0xa9059cbb dispatches to pc:0x123. That path pushes return destination 0x0045, performs balance checks and state updates through pc:0x21f-0x2cb, then jumps back to pc:0x45, which is STOP, not a RETURN helper. By contrast, read functions route through explicit return helpers at pc:0x152 and pc:0x1c0. This strongly suggests `transfer` succeeds with empty returndata rather than a 32-byte boolean.",
"severity": "low",
"locations": [
"selector:0xa9059cbb",
"pc:0x123",
"pc:0x45"
],
"recommendation": "If this contract is meant to be ERC-20 compatible, make `transfer` ABI-return `true` on success. If the contract is immutable legacy bytecode, document it clearly and require integrators to use safe wrappers that tolerate missing return data.",
"exploit_scenario": "Integrations that assume canonical ERC-20 semantics for selector 0xa9059cbb may decode the returndata as `bool` and fail, or may need special-case handling. In practice this can break deposits, withdrawals, routers, or wrappers that require a strict `true` return value from `transfer`."
}
],
"no_findings": false
},
"no_findings": false,
"schema_version": 1
}
00000000: PUSH1 0x60 00000002: PUSH1 0x40 00000004: MSTORE 00000005: PUSH1 0xe0 00000007: PUSH1 0x02 00000009: EXP 0000000a: PUSH1 0x00 0000000c: CALLDATALOAD 0000000d: DIV 0000000e: PUSH4 0x06fdde03 00000013: DUP2 00000014: EQ 00000015: PUSH2 0x0047 00000018: JUMPI 00000019: DUP1 0000001a: PUSH4 0x313ce567 0000001f: EQ 00000020: PUSH2 0x00a4 00000023: JUMPI 00000024: DUP1 00000025: PUSH4 0x70a08231 0000002a: EQ 0000002b: PUSH2 0x00b0 0000002e: JUMPI 0000002f: DUP1 00000030: PUSH4 0x95d89b41 00000035: EQ 00000036: PUSH2 0x00c8 00000039: JUMPI 0000003a: DUP1 0000003b: PUSH4 0xa9059cbb 00000040: EQ 00000041: PUSH2 0x0123 00000044: JUMPI 00000045: JUMPDEST 00000046: STOP 00000047: JUMPDEST 00000048: PUSH2 0x0152 0000004b: PUSH1 0x00 0000004d: DUP1 0000004e: SLOAD 0000004f: PUSH1 0x20 00000051: PUSH1 0x02 00000053: PUSH1 0x01 00000055: DUP4 00000056: AND 00000057: ISZERO 00000058: PUSH2 0x0100 0000005b: MUL 0000005c: PUSH1 0x00 0000005e: NOT 0000005f: ADD 00000060: SWAP1 00000061: SWAP3 00000062: AND 00000063: SWAP2 00000064: SWAP1 00000065: SWAP2 00000066: DIV 00000067: PUSH1 0x1f 00000069: DUP2 0000006a: ADD 0000006b: DUP3 0000006c: SWAP1 0000006d: DIV 0000006e: SWAP1 0000006f: SWAP2 00000070: MUL 00000071: PUSH1 0x80 00000073: SWAP1 00000074: DUP2 00000075: ADD 00000076: PUSH1 0x40 00000078: MSTORE 00000079: PUSH1 0x60 0000007b: DUP3 0000007c: DUP2 0000007d: MSTORE 0000007e: SWAP3 0000007f: SWAP2 00000080: SWAP1 00000081: DUP3 00000082: DUP3 00000083: DUP1 00000084: ISZERO 00000085: PUSH2 0x01f5 00000088: JUMPI 00000089: DUP1 0000008a: PUSH1 0x1f 0000008c: LT 0000008d: PUSH2 0x01ca 00000090: JUMPI 00000091: PUSH2 0x0100 00000094: DUP1 00000095: DUP4 00000096: SLOAD 00000097: DIV 00000098: MUL 00000099: DUP4 0000009a: MSTORE 0000009b: SWAP2 0000009c: PUSH1 0x20 0000009e: ADD 0000009f: SWAP2 000000a0: PUSH2 0x01f5 000000a3: JUMP 000000a4: JUMPDEST 000000a5: PUSH2 0x01c0 000000a8: PUSH1 0x02 000000aa: SLOAD 000000ab: PUSH1 0xff 000000ad: AND 000000ae: DUP2 000000af: JUMP 000000b0: JUMPDEST 000000b1: PUSH2 0x01c0 000000b4: PUSH1 0x04 000000b6: CALLDATALOAD 000000b7: PUSH1 0x03 000000b9: PUSH1 0x20 000000bb: MSTORE 000000bc: PUSH1 0x00 000000be: SWAP1 000000bf: DUP2 000000c0: MSTORE 000000c1: PUSH1 0x40 000000c3: SWAP1 000000c4: KECCAK256 000000c5: SLOAD 000000c6: DUP2 000000c7: JUMP 000000c8: JUMPDEST 000000c9: PUSH2 0x0152 000000cc: PUSH1 0x01 000000ce: DUP1 000000cf: SLOAD 000000d0: PUSH1 0x20 000000d2: PUSH1 0x1f 000000d4: PUSH1 0x02 000000d6: PUSH1 0x00 000000d8: NOT 000000d9: PUSH2 0x0100 000000dc: DUP6 000000dd: DUP8 000000de: AND 000000df: ISZERO 000000e0: MUL 000000e1: ADD 000000e2: SWAP1 000000e3: SWAP4 000000e4: AND 000000e5: SWAP3 000000e6: SWAP1 000000e7: SWAP3 000000e8: DIV 000000e9: SWAP2 000000ea: DUP3 000000eb: ADD 000000ec: DUP2 000000ed: SWAP1 000000ee: DIV 000000ef: MUL 000000f0: PUSH1 0x80 000000f2: SWAP1 000000f3: DUP2 000000f4: ADD 000000f5: PUSH1 0x40 000000f7: MSTORE 000000f8: PUSH1 0x60 000000fa: DUP3 000000fb: DUP2 000000fc: MSTORE 000000fd: SWAP3 000000fe: SWAP2 000000ff: SWAP1 00000100: DUP3 00000101: DUP3 00000102: DUP1 00000103: ISZERO 00000104: PUSH2 0x01f5 00000107: JUMPI 00000108: DUP1 00000109: PUSH1 0x1f 0000010b: LT 0000010c: PUSH2 0x01ca 0000010f: JUMPI 00000110: PUSH2 0x0100 00000113: DUP1 00000114: DUP4 00000115: SLOAD 00000116: DIV 00000117: MUL 00000118: DUP4 00000119: MSTORE 0000011a: SWAP2 0000011b: PUSH1 0x20 0000011d: ADD 0000011e: SWAP2 0000011f: PUSH2 0x01f5 00000122: JUMP 00000123: JUMPDEST 00000124: PUSH2 0x0045 00000127: PUSH1 0x04 00000129: CALLDATALOAD 0000012a: PUSH1 0x24 0000012c: CALLDATALOAD 0000012d: PUSH1 0x01 0000012f: PUSH1 0xa0 00000131: PUSH1 0x02 00000133: EXP 00000134: SUB 00000135: CALLER 00000136: AND 00000137: PUSH1 0x00 00000139: SWAP1 0000013a: DUP2 0000013b: MSTORE 0000013c: PUSH1 0x03 0000013e: PUSH1 0x20 00000140: MSTORE 00000141: PUSH1 0x40 00000143: SWAP1 00000144: KECCAK256 00000145: SLOAD 00000146: DUP2 00000147: SWAP1 00000148: LT 00000149: ISZERO 0000014a: PUSH2 0x01fd 0000014d: JUMPI 0000014e: PUSH2 0x0002 00000151: JUMP 00000152: JUMPDEST 00000153: PUSH1 0x40 00000155: MLOAD 00000156: DUP1 00000157: DUP1 00000158: PUSH1 0x20 0000015a: ADD 0000015b: DUP3 0000015c: DUP2 0000015d: SUB 0000015e: DUP3 0000015f: MSTORE 00000160: DUP4 00000161: DUP2 00000162: DUP2 00000163: MLOAD 00000164: DUP2 00000165: MSTORE 00000166: PUSH1 0x20 00000168: ADD 00000169: SWAP2 0000016a: POP 0000016b: DUP1 0000016c: MLOAD 0000016d: SWAP1 0000016e: PUSH1 0x20 00000170: ADD 00000171: SWAP1 00000172: DUP1 00000173: DUP4 00000174: DUP4 00000175: DUP3 00000176: SWAP1 00000177: PUSH1 0x00 00000179: PUSH1 0x04 0000017b: PUSH1 0x20 0000017d: DUP5 0000017e: PUSH1 0x1f 00000180: ADD 00000181: DIV 00000182: PUSH1 0x0f 00000184: MUL 00000185: PUSH1 0x03 00000187: ADD 00000188: CALL 00000189: POP 0000018a: SWAP1 0000018b: POP 0000018c: SWAP1 0000018d: DUP2 0000018e: ADD 0000018f: SWAP1 00000190: PUSH1 0x1f 00000192: AND 00000193: DUP1 00000194: ISZERO 00000195: PUSH2 0x01b2 00000198: JUMPI 00000199: DUP1 0000019a: DUP3 0000019b: SUB 0000019c: DUP1 0000019d: MLOAD 0000019e: PUSH1 0x01 000001a0: DUP4 000001a1: PUSH1 0x20 000001a3: SUB 000001a4: PUSH2 0x0100 000001a7: EXP 000001a8: SUB 000001a9: NOT 000001aa: AND 000001ab: DUP2 000001ac: MSTORE 000001ad: PUSH1 0x20 000001af: ADD 000001b0: SWAP2 000001b1: POP 000001b2: JUMPDEST 000001b3: POP 000001b4: SWAP3 000001b5: POP 000001b6: POP 000001b7: POP 000001b8: PUSH1 0x40 000001ba: MLOAD 000001bb: DUP1 000001bc: SWAP2 000001bd: SUB 000001be: SWAP1 000001bf: RETURN 000001c0: JUMPDEST 000001c1: PUSH1 0x60 000001c3: SWAP1 000001c4: DUP2 000001c5: MSTORE 000001c6: PUSH1 0x20 000001c8: SWAP1 000001c9: RETURN 000001ca: JUMPDEST 000001cb: DUP3 000001cc: ADD 000001cd: SWAP2 000001ce: SWAP1 000001cf: PUSH1 0x00 000001d1: MSTORE 000001d2: PUSH1 0x20 000001d4: PUSH1 0x00 000001d6: KECCAK256 000001d7: SWAP1 000001d8: JUMPDEST 000001d9: DUP2 000001da: SLOAD 000001db: DUP2 000001dc: MSTORE 000001dd: SWAP1 000001de: PUSH1 0x01 000001e0: ADD 000001e1: SWAP1 000001e2: PUSH1 0x20 000001e4: ADD 000001e5: DUP1 000001e6: DUP4 000001e7: GT 000001e8: PUSH2 0x01d8 000001eb: JUMPI 000001ec: DUP3 000001ed: SWAP1 000001ee: SUB 000001ef: PUSH1 0x1f 000001f1: AND 000001f2: DUP3 000001f3: ADD 000001f4: SWAP2 000001f5: JUMPDEST 000001f6: POP 000001f7: POP 000001f8: POP 000001f9: POP 000001fa: POP 000001fb: DUP2 000001fc: JUMP 000001fd: JUMPDEST 000001fe: PUSH1 0x01 00000200: PUSH1 0xa0 00000202: PUSH1 0x02 00000204: EXP 00000205: SUB 00000206: DUP3 00000207: AND 00000208: PUSH1 0x00 0000020a: SWAP1 0000020b: DUP2 0000020c: MSTORE 0000020d: PUSH1 0x40 0000020f: SWAP1 00000210: KECCAK256 00000211: SLOAD 00000212: DUP1 00000213: DUP3 00000214: ADD 00000215: LT 00000216: ISZERO 00000217: PUSH2 0x021f 0000021a: JUMPI 0000021b: PUSH2 0x0002 0000021e: JUMP 0000021f: JUMPDEST 00000220: DUP1 00000221: PUSH1 0x03 00000223: PUSH1 0x00 00000225: POP 00000226: PUSH1 0x00 00000228: CALLER 00000229: PUSH1 0x01 0000022b: PUSH1 0xa0 0000022d: PUSH1 0x02 0000022f: EXP 00000230: SUB 00000231: AND 00000232: DUP2 00000233: MSTORE 00000234: PUSH1 0x20 00000236: ADD 00000237: SWAP1 00000238: DUP2 00000239: MSTORE 0000023a: PUSH1 0x20 0000023c: ADD 0000023d: PUSH1 0x00 0000023f: KECCAK256 00000240: PUSH1 0x00 00000242: DUP3 00000243: DUP3 00000244: DUP3 00000245: POP 00000246: SLOAD 00000247: SUB 00000248: SWAP3 00000249: POP 0000024a: POP 0000024b: DUP2 0000024c: SWAP1 0000024d: SSTORE 0000024e: POP 0000024f: DUP1 00000250: PUSH1 0x03 00000252: PUSH1 0x00 00000254: POP 00000255: PUSH1 0x00 00000257: DUP5 00000258: PUSH1 0x01 0000025a: PUSH1 0xa0 0000025c: PUSH1 0x02 0000025e: EXP 0000025f: SUB 00000260: AND 00000261: DUP2 00000262: MSTORE 00000263: PUSH1 0x20 00000265: ADD 00000266: SWAP1 00000267: DUP2 00000268: MSTORE 00000269: PUSH1 0x20 0000026b: ADD 0000026c: PUSH1 0x00 0000026e: KECCAK256 0000026f: PUSH1 0x00 00000271: DUP3 00000272: DUP3 00000273: DUP3 00000274: POP 00000275: SLOAD 00000276: ADD 00000277: SWAP3 00000278: POP 00000279: POP 0000027a: DUP2 0000027b: SWAP1 0000027c: SSTORE 0000027d: POP 0000027e: DUP2 0000027f: PUSH1 0x01 00000281: PUSH1 0xa0 00000283: PUSH1 0x02 00000285: EXP 00000286: SUB 00000287: AND 00000288: CALLER 00000289: PUSH1 0x01 0000028b: PUSH1 0xa0 0000028d: PUSH1 0x02 0000028f: EXP 00000290: SUB 00000291: AND 00000292: PUSH32 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef 000002b3: DUP4 000002b4: PUSH1 0x40 000002b6: MLOAD 000002b7: DUP1 000002b8: DUP3 000002b9: DUP2 000002ba: MSTORE 000002bb: PUSH1 0x20 000002bd: ADD 000002be: SWAP2 000002bf: POP 000002c0: POP 000002c1: PUSH1 0x40 000002c3: MLOAD 000002c4: DUP1 000002c5: SWAP2 000002c6: SUB 000002c7: SWAP1 000002c8: LOG3 000002c9: POP 000002ca: POP 000002cb: JUMP
Warning: This is a nightly build of Foundry. It is recommended to use the latest stable version. To mute this warning set `FOUNDRY_DISABLE_NIGHTLY_WARNING` in your environment.
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | other | detector | Untrusted CALL target/value reachable | 60 | yes | yes |
viewtrace_id: 0x9d0d68e21f07525843cd59a20e1b58597a1e60529c1e9ffcdfeced510cb7623d
call_targets:
0x0000000000000000000000000000000000000004, 0xebf1031e6690d9befe06dc19b0114c592694abf3
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x9d0d68e21f07525843cd59a20e1b58597a1e60529c1e9ffcdfeced510cb7623d",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0xebf1031e6690d9befe06dc19b0114c592694abf3"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x70a08231",
"selector": "0x70a08231",
"calldata_variants": [
"0x70a08231",
"0x70a082310000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x95d89b41",
"selector": "0x95d89b41",
"calldata_variants": [
"0x95d89b41",
"0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa9059cbb",
"selector": "0xa9059cbb",
"calldata_variants": [
"0xa9059cbb",
"0xa9059cbb0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 392,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 1,
"guards_detected": [],
"untrusted_call_count": 1
}
|
| high | other | detector | ETH value transfer possible | 55 | yes | yes |
viewtrace_id: 0x9d0d68e21f07525843cd59a20e1b58597a1e60529c1e9ffcdfeced510cb7623d
call_targets:
0x0000000000000000000000000000000000000004, 0xebf1031e6690d9befe06dc19b0114c592694abf3
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x9d0d68e21f07525843cd59a20e1b58597a1e60529c1e9ffcdfeced510cb7623d",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0xebf1031e6690d9befe06dc19b0114c592694abf3"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x70a08231",
"selector": "0x70a08231",
"calldata_variants": [
"0x70a08231",
"0x70a082310000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x95d89b41",
"selector": "0x95d89b41",
"calldata_variants": [
"0x95d89b41",
"0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xa9059cbb",
"selector": "0xa9059cbb",
"calldata_variants": [
"0xa9059cbb",
"0xa9059cbb0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 392,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 1,
"guards_detected": []
}
|
| low | other | codex | Payable fallback silently accepts ETH and unknown selectors | 65 | no | — |
viewevidence_json{
"evidence": "Dispatcher compares known selectors at pc:0x0-0x44, then falls through to JUMPDEST/STOP at pc:0x45 without any preceding CALLVALUE check. The runtime has no DELEGATECALL/SELFDESTRUCT and only one CALL site at pc:0x188, which matches the identity precompile copy pattern rather than an ETH-withdrawal path. This is a bytecode-only inference, so the lack of a recovery path is based on the visible runtime only.",
"locations": [
"pc:0x0",
"pc:0x45",
"pc:0x188"
],
"recommendation": "Add an explicit reverting fallback/receive path for unexpected calls and nonzero CALLVALUE, or add a controlled recovery mechanism if ETH custody is intended.",
"exploit_scenario": "Because the dispatcher falls through to STOP for unmatched selectors, calls with bad calldata or plain ETH transfers succeed instead of reverting. A user, wallet, or integrating contract can accidentally send ETH to this token contract or invoke a nonexistent function and receive a success status; with no visible withdrawal path in the runtime, that ETH would remain stuck in the contract."
}
|
| low | other | codex | `transfer(address,uint256)` appears to return no boolean value | 65 | no | — |
viewevidence_json{
"evidence": "Selector 0xa9059cbb dispatches to pc:0x123. That path pushes return destination 0x0045, performs balance checks and state updates through pc:0x21f-0x2cb, then jumps back to pc:0x45, which is STOP, not a RETURN helper. By contrast, read functions route through explicit return helpers at pc:0x152 and pc:0x1c0. This strongly suggests `transfer` succeeds with empty returndata rather than a 32-byte boolean.",
"locations": [
"selector:0xa9059cbb",
"pc:0x123",
"pc:0x45"
],
"recommendation": "If this contract is meant to be ERC-20 compatible, make `transfer` ABI-return `true` on success. If the contract is immutable legacy bytecode, document it clearly and require integrators to use safe wrappers that tolerate missing return data.",
"exploit_scenario": "Integrations that assume canonical ERC-20 semantics for selector 0xa9059cbb may decode the returndata as `bool` and fail, or may need special-case handling. In practice this can break deposits, withdrawals, routers, or wrappers that require a strict `true` return value from `transfer`."
}
|