Analysis Run

019b3844-a69c-70be-a86d-6ddcfc9460a0

complete

Chain ID

1

Address

0x05ff2b0db69458a0750badebc4f9e13add608c7f

Block Number

—

Created

Fri, Dec 19, 2025 8:19 PM

Review Summary

What survived the funnel

Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?

back to vulns open contract

Confirmed

0

Validated

0

Source

Bytecode only

Review Backing

Not yet

Best current signal

Untrusted DELEGATECALL target reachable

crit 0 high 0 direct contract

Review Checklist

1. Read the findings table first. Ignore raw jobs until the result looks real.

2. Confirm attacker control, not just the existence of a sink.

3. Confirm money or privilege impact.

4. Keep it if the behavior is real. Kill it if this is normal proxy, admin, or upgrade plumbing.

Processing Jobs

Status & attempts

ID	Type	Status	Attempts	Heartbeat
16401	artifact.fetch	complete	1 / 3	3 months ago
16402	tool.cast_disasm	complete	1 / 3	3 months ago
59337	analysis.bundle	complete	1 / 3	1 week ago
59338	capability.graph	complete	1 / 3	1 week ago
59339	detector.run	complete	1 / 3	1 week ago
59340	validation.fork	complete	1 / 3	1 week ago

Artifact

Runtime bytecode: available

Creation TX: —

Deployer: —

Proxy: no

Implementation:

—

Verified Source: no

Slither

tool.slither

No slither job recorded yet.

Codex

report.consolidate

No codex job recorded yet.

Opcode Heuristics

tool.cast_disasm

Delegatecall

2

Selfdestruct

0

CREATE2

0

CALL-family (heavy)

0

EXT*/BALANCE

1

Total opcodes

259

Flags

delegatecall_present

View cast disassembly output

00000000: PUSH1 0x80
00000002: PUSH1 0x40
00000004: MSTORE
00000005: PUSH1 0x04
00000007: CALLDATASIZE
00000008: LT
00000009: PUSH2 0x0022
0000000c: JUMPI
0000000d: PUSH1 0x00
0000000f: CALLDATALOAD
00000010: PUSH1 0xe0
00000012: SHR
00000013: DUP1
00000014: PUSH4 0x10e88892
00000019: EQ
0000001a: PUSH2 0x0094
0000001d: JUMPI
0000001e: PUSH2 0x0023
00000021: JUMP
00000022: JUMPDEST
00000023: JUMPDEST
00000024: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000039: PUSH1 0x00
0000003b: SLOAD
0000003c: AND
0000003d: PUSH32 0xa619486e00000000000000000000000000000000000000000000000000000000
0000005e: PUSH1 0x00
00000060: CALLDATALOAD
00000061: SUB
00000062: PUSH2 0x006f
00000065: JUMPI
00000066: DUP1
00000067: PUSH1 0x00
00000069: MSTORE
0000006a: PUSH1 0x20
0000006c: PUSH1 0x00
0000006e: RETURN
0000006f: JUMPDEST
00000070: CALLDATASIZE
00000071: PUSH1 0x00
00000073: DUP1
00000074: CALLDATACOPY
00000075: PUSH1 0x00
00000077: DUP1
00000078: CALLDATASIZE
00000079: PUSH1 0x00
0000007b: DUP5
0000007c: GAS
0000007d: DELEGATECALL
0000007e: RETURNDATASIZE
0000007f: PUSH1 0x00
00000081: DUP1
00000082: RETURNDATACOPY
00000083: PUSH1 0x00
00000085: DUP2
00000086: SUB
00000087: PUSH2 0x008f
0000008a: JUMPI
0000008b: RETURNDATASIZE
0000008c: PUSH1 0x00
0000008e: REVERT
0000008f: JUMPDEST
00000090: RETURNDATASIZE
00000091: PUSH1 0x00
00000093: RETURN
00000094: JUMPDEST
00000095: CALLVALUE
00000096: DUP1
00000097: ISZERO
00000098: PUSH2 0x00a0
0000009b: JUMPI
0000009c: PUSH1 0x00
0000009e: DUP1
0000009f: REVERT
000000a0: JUMPDEST
000000a1: POP
000000a2: PUSH2 0x00bb
000000a5: PUSH1 0x04
000000a7: DUP1
000000a8: CALLDATASIZE
000000a9: SUB
000000aa: DUP2
000000ab: ADD
000000ac: SWAP1
000000ad: PUSH2 0x00b6
000000b0: SWAP2
000000b1: SWAP1
000000b2: PUSH2 0x01bd
000000b5: JUMP
000000b6: JUMPDEST
000000b7: PUSH2 0x00bd
000000ba: JUMP
000000bb: JUMPDEST
000000bc: STOP
000000bd: JUMPDEST
000000be: PUSH1 0x01
000000c0: PUSH1 0x00
000000c2: SWAP1
000000c3: SLOAD
000000c4: SWAP1
000000c5: PUSH2 0x0100
000000c8: EXP
000000c9: SWAP1
000000ca: DIV
000000cb: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
000000e0: AND
000000e1: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
000000f6: AND
000000f7: CALLER
000000f8: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
0000010d: AND
0000010e: EQ
0000010f: PUSH2 0x0117
00000112: JUMPI
00000113: PUSH1 0x00
00000115: DUP1
00000116: REVERT
00000117: JUMPDEST
00000118: DUP1
00000119: PUSH1 0x00
0000011b: DUP1
0000011c: PUSH2 0x0100
0000011f: EXP
00000120: DUP2
00000121: SLOAD
00000122: DUP2
00000123: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000138: MUL
00000139: NOT
0000013a: AND
0000013b: SWAP1
0000013c: DUP4
0000013d: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000152: AND
00000153: MUL
00000154: OR
00000155: SWAP1
00000156: SSTORE
00000157: POP
00000158: POP
00000159: JUMP
0000015a: JUMPDEST
0000015b: PUSH1 0x00
0000015d: DUP1
0000015e: REVERT
0000015f: JUMPDEST
00000160: PUSH1 0x00
00000162: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000177: DUP3
00000178: AND
00000179: SWAP1
0000017a: POP
0000017b: SWAP2
0000017c: SWAP1
0000017d: POP
0000017e: JUMP
0000017f: JUMPDEST
00000180: PUSH1 0x00
00000182: PUSH2 0x018a
00000185: DUP3
00000186: PUSH2 0x015f
00000189: JUMP
0000018a: JUMPDEST
0000018b: SWAP1
0000018c: POP
0000018d: SWAP2
0000018e: SWAP1
0000018f: POP
00000190: JUMP
00000191: JUMPDEST
00000192: PUSH2 0x019a
00000195: DUP2
00000196: PUSH2 0x017f
00000199: JUMP
0000019a: JUMPDEST
0000019b: DUP2
0000019c: EQ
0000019d: PUSH2 0x01a5
000001a0: JUMPI
000001a1: PUSH1 0x00
000001a3: DUP1
000001a4: REVERT
000001a5: JUMPDEST
000001a6: POP
000001a7: JUMP
000001a8: JUMPDEST
000001a9: PUSH1 0x00
000001ab: DUP2
000001ac: CALLDATALOAD
000001ad: SWAP1
000001ae: POP
000001af: PUSH2 0x01b7
000001b2: DUP2
000001b3: PUSH2 0x0191
000001b6: JUMP
000001b7: JUMPDEST
000001b8: SWAP3
000001b9: SWAP2
000001ba: POP
000001bb: POP
000001bc: JUMP
000001bd: JUMPDEST
000001be: PUSH1 0x00
000001c0: PUSH1 0x20
000001c2: DUP3
000001c3: DUP5
000001c4: SUB
000001c5: SLT
000001c6: ISZERO
000001c7: PUSH2 0x01d3
000001ca: JUMPI
000001cb: PUSH2 0x01d2
000001ce: PUSH2 0x015a
000001d1: JUMP
000001d2: JUMPDEST
000001d3: JUMPDEST
000001d4: PUSH1 0x00
000001d6: PUSH2 0x01e1
000001d9: DUP5
000001da: DUP3
000001db: DUP6
000001dc: ADD
000001dd: PUSH2 0x01a8
000001e0: JUMP
000001e1: JUMPDEST
000001e2: SWAP2
000001e3: POP
000001e4: POP
000001e5: SWAP3
000001e6: SWAP2
000001e7: POP
000001e8: POP
000001e9: JUMP
000001ea: INVALID
000001eb: LOG2
000001ec: PUSH5 0x6970667358
000001f2: UNKNOWN(0x22)
000001f3: SLT
000001f4: KECCAK256
000001f5: EQ
000001f6: BLOCKHASH
000001f7: PUSH12 0x0352b962330a82d8b75d095a
00000204: UNKNOWN(0x1F)
00000205: DIFFICULTY
00000206: UNKNOWN(0xA5)
00000207: ADDRESS
00000208: BALANCE
00000209: DUP4
0000020a: UNKNOWN(0xFB)
0000020b: DELEGATECALL
0000020c: PUSH6 0xcbccaf6db0a1
00000213: RETURN
00000214: UNKNOWN(0x27)
00000215: PUSH5 0x736f6c6343
0000021b: STOP
0000021c: ADDMOD
0000021d: GT
0000021e: STOP
0000021f: CALLER

View stderr

Warning: This is a nightly build of Foundry. It is recommended to use the latest stable version. To mute this warning set `FOUNDRY_DISABLE_NIGHTLY_WARNING` in your environment.

Findings

validated = confirmed for call sinks; sink observed for others

Severity	Category	Tool	Title	Confidence	Validated	Confirmed	Details
high	upgradeability	detector	Untrusted DELEGATECALL target reachable	55	no	no	view trace_id: 0xfad8c8414bd77406deeb3a633715d48657934dd5fc1d297245e6d63bc26de5b4 validation_json { "sink": "DELEGATECALL", "errors": 0, "status": "unknown", "attempts": 12, "trace_id": "0xfad8c8414bd77406deeb3a633715d48657934dd5fc1d297245e6d63bc26de5b4", "confirmed": false, "trace_mode": "callTracer", "call_targets": null, "matched_probe": null, "target_varies": null, "classification": "no_sink" } witness_json { "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata", "constraints": [], "entrypoints": [ { "calldata": "0x10e88892", "selector": "0x10e88892", "calldata_variants": [ "0x10e88892", "0x10e888920000000000000000000000000000000000000000000000000000000000000000" ] } ] } evidence_json { "examples": [ { "pc": 125, "opcode": "DELEGATECALL", "returndata_checked": null, "value_expression_category": "n/a", "target_expression_category": "computed" }, { "pc": 523, "opcode": "DELEGATECALL", "returndata_checked": null, "value_expression_category": "n/a", "target_expression_category": "computed" } ], "guards_detected": [ { "pc": 247, "type": "msg_sender_eq_const", "value": "0xffffffffffffffffffffffffffffffffffffffff" } ], "delegatecall_count": 2, "untrusted_delegatecall_count": 2 }

Severity

Category

Tool

Title

Confidence

Validated

Confirmed

Details

high

upgradeability

detector

Untrusted DELEGATECALL target reachable

55

no

view

trace_id: 0xfad8c8414bd77406deeb3a633715d48657934dd5fc1d297245e6d63bc26de5b4

validation_json

{
    "sink": "DELEGATECALL",
    "errors": 0,
    "status": "unknown",
    "attempts": 12,
    "trace_id": "0xfad8c8414bd77406deeb3a633715d48657934dd5fc1d297245e6d63bc26de5b4",
    "confirmed": false,
    "trace_mode": "callTracer",
    "call_targets": null,
    "matched_probe": null,
    "target_varies": null,
    "classification": "no_sink"
}

witness_json

{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x10e88892",
            "selector": "0x10e88892",
            "calldata_variants": [
                "0x10e88892",
                "0x10e888920000000000000000000000000000000000000000000000000000000000000000"
            ]
        }
    ]
}

evidence_json

{
    "examples": [
        {
            "pc": 125,
            "opcode": "DELEGATECALL",
            "returndata_checked": null,
            "value_expression_category": "n/a",
            "target_expression_category": "computed"
        },
        {
            "pc": 523,
            "opcode": "DELEGATECALL",
            "returndata_checked": null,
            "value_expression_category": "n/a",
            "target_expression_category": "computed"
        }
    ],
    "guards_detected": [
        {
            "pc": 247,
            "type": "msg_sender_eq_const",
            "value": "0xffffffffffffffffffffffffffffffffffffffff"
        }
    ],
    "delegatecall_count": 2,
    "untrusted_delegatecall_count": 2
}