019ba8df-e1c8-7388-9793-695c80d5a4e5
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 33071 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 33072 | proxy.resolve | complete | 1 / 3 | 3 months ago |
| 33073 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 33074 | analysis.bundle | complete | 1 / 3 | 3 months ago |
| 33075 | capability.graph | complete | 1 / 3 | 3 months ago |
| 33076 | detector.run | complete | 1 / 3 | 3 months ago |
| 33077 | validation.fork | complete | 1 / 3 | 3 months ago |
| 33190 | report.consolidate | complete | 1 / 6 | 3 months ago |
{
"method": "etherscan+onchain",
"status": "confirmed",
"etherscan_hint": {
"source": "etherscan",
"etherscan": {
"proxy_flag": true,
"implementation": "0x0fd04a68d3c3a692d6fa30384d1a87ef93554ee6"
}
},
"implementation": "0x0fd04a68d3c3a692d6fa30384d1a87ef93554ee6",
"onchain_method": "beacon"
}
No slither job recorded yet.
{"no_findings":false,"summary":"Public initializer allows ownership takeover if the proxy was deployed without running initialize in the same transaction.","findings":[{"severity":"high","category":"access_control","title":"Unprotected initializer enables ownership takeover on uninitialized proxy","exploit_scenario":"If the proxy at 0xa693… was deployed without immediately calling initialize, any external account can call initialize first, set themselves as owner, and gain exclusive mint/burn/updateDetails control over the token implementation at 0x0fd0….","recommendation":"Ensure initialization is executed atomically at deployment (constructor/initializer call in proxy deployment). Alternatively add an access check in initialize (e.g., onlyProxyAdmin) or use an initializer pattern that can only be invoked by a trusted deployer/initializer contract.","evidence":"initialize is public and only protected by the one-time initializer flag, with no access control; it sets _state.owner.","locations":["contracts/Contract.sol:1103","contracts/Contract.sol:1299"]}]}
OpenAI Codex v0.77.0 (research preview)
--------
workdir: /tmp/codex-i4pe28ln
model: gpt-5.2-codex
provider: openai
approval: never
sandbox: read-only
reasoning effort: xhigh
reasoning summaries: auto
session id: 019ba8e0-b312-7ae1-afb7-ef0974ea9fb1
--------
user
Context: The user requested the proxy at 0xa693b19d2931d498c5b318df961919bb4aee87a5.
Audit the implementation at 0x0fd04a68d3c3a692d6fa30384d1a87ef93554ee6.
Findings should refer to the implementation unless explicitly about proxy mechanics.
You are a security auditor. Audit this Solidity codebase for exploitable vulnerabilities.
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation, oracle manipulation,
accounting/invariant breaks, external call patterns, unchecked return values, and dangerous delegatecall.
Scope rules:
- You MUST fully read `AUDIT_BUNDLE.txt` before concluding. It contains the complete contents of all first-party Solidity sources in this workspace.
- Treat `lib/` and `@openzeppelin/` as third-party dependencies; skip them unless there is a concrete misuse angle in first-party code.
- If there are only dependency files and no first-party sources, set no_findings=true and explain in summary.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title and file/line locations when possible.
Output constraints (IMPORTANT):
- severity MUST be exactly one of: info, low, medium, high, critical (lowercase).
- category MUST be exactly one of: access_control, reentrancy, math, oracle, upgradeability, auth, other.
Keep summary short and concrete.
mcp startup: no servers
thinking
**Preparing to read AUDIT_BUNDLE.txt**
exec
/bin/bash -lc ls in /tmp/codex-i4pe28ln succeeded in 8ms:
AUDIT_BUNDLE.txt
codex-output-schema.json
contracts
exec
/bin/bash -lc 'cat AUDIT_BUNDLE.txt' in /tmp/codex-i4pe28ln succeeded in 6ms:
This file concatenates the full contents of first-party Solidity sources for auditing.
Do not treat dependency code under lib/ or @openzeppelin/ as first-party.
================================================================================
FILE: contracts/Contract.sol
================================================================================
// SPDX-License-Identifier: Apache 2
// File: @openzeppelin/contracts/utils/Counters.sol
pragma solidity ^0.8.0;
/**
* @title Counters
* @author Matt Condon (@shrugs)
* @dev Provides counters that can only be incremented, decremented or reset. This can be used e.g. to track the number
* of elements in a mapping, issuing ERC721 ids, or counting request ids.
*
* Include with `using Counters for Counters.Counter;`
*/
thinking
**Analyzing token implementation and proxy risks**
exec
/bin/bash -lc 'rg "''^FILE:" -n AUDIT_BUNDLE.txt' in /tmp/codex-i4pe28ln succeeded in 43ms:
5:FILE: contracts/Contract.sol
thinking
**Preparing to locate initialize function**
exec
/bin/bash -lc 'rg -n "function initialize" contracts/Contract.sol' in /tmp/codex-i4pe28ln succeeded in 7ms:
1103: function initialize(
thinking
**Preparing to review specific code lines**
exec
/bin/bash -lc "nl -ba contracts/Contract.sol | sed -n '1090,1160p'" in /tmp/codex-i4pe28ln succeeded in 7ms:
1090 // contracts/TokenImplementation.sol
1091
1092 pragma solidity ^0.8.0;
1093
1094
1095
1096
1097
1098 // Based on the OpenZepplin ERC20 implementation, licensed under MIT
1099 contract TokenImplementation is TokenState, Context {
1100 event Transfer(address indexed from, address indexed to, uint256 value);
1101 event Approval(address indexed owner, address indexed spender, uint256 value);
1102
1103 function initialize(
1104 string memory name_,
1105 string memory symbol_,
1106 uint8 decimals_,
1107 uint64 sequence_,
1108 address owner_,
1109 uint16 chainId_,
thinking
**Searching for modifier initializer**
exec
/bin/bash -lc 'rg -n "modifier initializer" contracts/Contract.sol' in /tmp/codex-i4pe28ln succeeded in 28ms:
1299: modifier initializer() {
exec
/bin/bash -lc "nl -ba contracts/Contract.sol | sed -n '1285,1325p'" in /tmp/codex-i4pe28ln succeeded in 20ms:
1285 _state.name = name_;
1286 _state.symbol = symbol_;
1287 _state.metaLastUpdatedSequence = sequence_;
1288
1289 // Because the name is updated, we need to recache the domain separator.
1290 // For old implementations, none of the caches may have been written to yet.
1291 _initializePermitStateIfNeeded();
1292 }
1293
1294 modifier onlyOwner() {
1295 require(owner() == _msgSender(), "caller is not the owner");
1296 _;
1297 }
1298
1299 modifier initializer() {
1300 require(
1301 !_state.initialized,
1302 "Already initialized"
1303 );
1304
thinking
**Analyzing unprotected initializer risks**
I'm carefully reviewing the contract's initialization logic and access controls, focusing on the public `initialize` function that lacks proper restrictions. There's a notable high-severity issue where an attacker could call `initialize` on a proxy that wasn't initialized at deployment, allowing ownership takeover and privileged actions like minting and burning. I also examined potential signature replay risks, caching behavior, upgrade patterns, and other access control nuances to craft a detailed report with evidence and recommendations.
codex
{"no_findings":false,"summary":"Public initializer allows ownership takeover if the proxy was deployed without running initialize in the same transaction.","findings":[{"severity":"high","category":"access_control","title":"Unprotected initializer enables ownership takeover on uninitialized proxy","exploit_scenario":"If the proxy at 0xa693… was deployed without immediately calling initialize, any external account can call initialize first, set themselves as owner, and gain exclusive mint/burn/updateDetails control over the token implementation at 0x0fd0….","recommendation":"Ensure initialization is executed atomically at deployment (constructor/initializer call in proxy deployment). Alternatively add an access check in initialize (e.g., onlyProxyAdmin) or use an initializer pattern that can only be invoked by a trusted deployer/initializer contract.","evidence":"initialize is public and only protected by the one-time initializer flag, with no access control; it sets _state.owner.","locations":["contracts/Contract.sol:1103","contracts/Contract.sol:1299"]}]}
tokens used
20,298
{
"codex": {
"ran_at": "2026-01-10T17:09:15.572865+00:00",
"returncode": 0
},
"project": {
"mode": "source",
"file_count": 1,
"import_count": 0,
"first_party_contracts_count": 1
},
"summary": "Public initializer allows ownership takeover if the proxy was deployed without running initialize in the same transaction.",
"raw_final": {
"summary": "Public initializer allows ownership takeover if the proxy was deployed without running initialize in the same transaction.",
"findings": [
{
"title": "Unprotected initializer enables ownership takeover on uninitialized proxy",
"category": "access_control",
"evidence": "initialize is public and only protected by the one-time initializer flag, with no access control; it sets _state.owner.",
"severity": "high",
"locations": [
"contracts/Contract.sol:1103",
"contracts/Contract.sol:1299"
],
"recommendation": "Ensure initialization is executed atomically at deployment (constructor/initializer call in proxy deployment). Alternatively add an access check in initialize (e.g., onlyProxyAdmin) or use an initializer pattern that can only be invoked by a trusted deployer/initializer contract.",
"exploit_scenario": "If the proxy at 0xa693\u2026 was deployed without immediately calling initialize, any external account can call initialize first, set themselves as owner, and gain exclusive mint/burn/updateDetails control over the token implementation at 0x0fd0\u2026."
}
],
"no_findings": false
},
"no_findings": false,
"proxy_context": {
"proxy_run_id": "019ba8df-e1c8-7388-9793-695c80d5a4e5",
"proxy_address": "0xa693b19d2931d498c5b318df961919bb4aee87a5",
"implementation_run_id": "019ba8e0-383d-71cc-86fb-dc8d981e1f90",
"implementation_address": "0x0fd04a68d3c3a692d6fa30384d1a87ef93554ee6"
},
"schema_version": 1
}
00000000: PUSH1 0x80 00000002: PUSH1 0x40 00000004: MSTORE 00000005: CALLDATASIZE 00000006: PUSH2 0x0013 00000009: JUMPI 0000000a: PUSH2 0x0011 0000000d: PUSH2 0x0017 00000010: JUMP 00000011: JUMPDEST 00000012: STOP 00000013: JUMPDEST 00000014: PUSH2 0x0011 00000017: JUMPDEST 00000018: PUSH2 0x0027 0000001b: PUSH2 0x0022 0000001e: PUSH2 0x005e 00000021: JUMP 00000022: JUMPDEST 00000023: PUSH2 0x0106 00000026: JUMP 00000027: JUMPDEST 00000028: JUMP 00000029: JUMPDEST 0000002a: PUSH1 0x60 0000002c: PUSH2 0x004e 0000002f: DUP4 00000030: DUP4 00000031: PUSH1 0x40 00000033: MLOAD 00000034: DUP1 00000035: PUSH1 0x60 00000037: ADD 00000038: PUSH1 0x40 0000003a: MSTORE 0000003b: DUP1 0000003c: PUSH1 0x27 0000003e: DUP2 0000003f: MSTORE 00000040: PUSH1 0x20 00000042: ADD 00000043: PUSH2 0x02e3 00000046: PUSH1 0x27 00000048: SWAP2 00000049: CODECOPY 0000004a: PUSH2 0x012a 0000004d: JUMP 0000004e: JUMPDEST 0000004f: SWAP4 00000050: SWAP3 00000051: POP 00000052: POP 00000053: POP 00000054: JUMP 00000055: JUMPDEST 00000056: EXTCODESIZE 00000057: ISZERO 00000058: ISZERO 00000059: SWAP1 0000005a: JUMP 0000005b: JUMPDEST 0000005c: SWAP1 0000005d: JUMP 0000005e: JUMPDEST 0000005f: PUSH1 0x00 00000061: PUSH2 0x0091 00000064: PUSH32 0xa3f0ad74e5423aebfd80d3ef4346578335a9a72aeaee59ff6cb3582b35133d50 00000085: SLOAD 00000086: PUSH1 0x01 00000088: PUSH1 0x01 0000008a: PUSH1 0xa0 0000008c: SHL 0000008d: SUB 0000008e: AND 0000008f: SWAP1 00000090: JUMP 00000091: JUMPDEST 00000092: PUSH1 0x01 00000094: PUSH1 0x01 00000096: PUSH1 0xa0 00000098: SHL 00000099: SUB 0000009a: AND 0000009b: PUSH4 0x5c60da1b 000000a0: PUSH1 0x40 000000a2: MLOAD 000000a3: DUP2 000000a4: PUSH4 0xffffffff 000000a9: AND 000000aa: PUSH1 0xe0 000000ac: SHL 000000ad: DUP2 000000ae: MSTORE 000000af: PUSH1 0x04 000000b1: ADD 000000b2: PUSH1 0x20 000000b4: PUSH1 0x40 000000b6: MLOAD 000000b7: DUP1 000000b8: DUP4 000000b9: SUB 000000ba: DUP2 000000bb: DUP7 000000bc: DUP1 000000bd: EXTCODESIZE 000000be: ISZERO 000000bf: DUP1 000000c0: ISZERO 000000c1: PUSH2 0x00c9 000000c4: JUMPI 000000c5: PUSH1 0x00 000000c7: DUP1 000000c8: REVERT 000000c9: JUMPDEST 000000ca: POP 000000cb: GAS 000000cc: STATICCALL 000000cd: ISZERO 000000ce: DUP1 000000cf: ISZERO 000000d0: PUSH2 0x00dd 000000d3: JUMPI 000000d4: RETURNDATASIZE 000000d5: PUSH1 0x00 000000d7: DUP1 000000d8: RETURNDATACOPY 000000d9: RETURNDATASIZE 000000da: PUSH1 0x00 000000dc: REVERT 000000dd: JUMPDEST 000000de: POP 000000df: POP 000000e0: POP 000000e1: POP 000000e2: PUSH1 0x40 000000e4: MLOAD 000000e5: RETURNDATASIZE 000000e6: PUSH1 0x1f 000000e8: NOT 000000e9: PUSH1 0x1f 000000eb: DUP3 000000ec: ADD 000000ed: AND 000000ee: DUP3 000000ef: ADD 000000f0: DUP1 000000f1: PUSH1 0x40 000000f3: MSTORE 000000f4: POP 000000f5: DUP2 000000f6: ADD 000000f7: SWAP1 000000f8: PUSH2 0x0101 000000fb: SWAP2 000000fc: SWAP1 000000fd: PUSH2 0x023c 00000100: JUMP 00000101: JUMPDEST 00000102: SWAP1 00000103: POP 00000104: SWAP1 00000105: JUMP 00000106: JUMPDEST 00000107: CALLDATASIZE 00000108: PUSH1 0x00 0000010a: DUP1 0000010b: CALLDATACOPY 0000010c: PUSH1 0x00 0000010e: DUP1 0000010f: CALLDATASIZE 00000110: PUSH1 0x00 00000112: DUP5 00000113: GAS 00000114: DELEGATECALL 00000115: RETURNDATASIZE 00000116: PUSH1 0x00 00000118: DUP1 00000119: RETURNDATACOPY 0000011a: DUP1 0000011b: DUP1 0000011c: ISZERO 0000011d: PUSH2 0x0125 00000120: JUMPI 00000121: RETURNDATASIZE 00000122: PUSH1 0x00 00000124: RETURN 00000125: JUMPDEST 00000126: RETURNDATASIZE 00000127: PUSH1 0x00 00000129: REVERT 0000012a: JUMPDEST 0000012b: PUSH1 0x60 0000012d: DUP4 0000012e: EXTCODESIZE 0000012f: PUSH2 0x018e 00000132: JUMPI 00000133: PUSH1 0x40 00000135: MLOAD 00000136: PUSH3 0x461bcd 0000013a: PUSH1 0xe5 0000013c: SHL 0000013d: DUP2 0000013e: MSTORE 0000013f: PUSH1 0x20 00000141: PUSH1 0x04 00000143: DUP3 00000144: ADD 00000145: MSTORE 00000146: PUSH1 0x26 00000148: PUSH1 0x24 0000014a: DUP3 0000014b: ADD 0000014c: MSTORE 0000014d: PUSH32 0x416464726573733a2064656c65676174652063616c6c20746f206e6f6e2d636f 0000016e: PUSH1 0x44 00000170: DUP3 00000171: ADD 00000172: MSTORE 00000173: PUSH6 0x1b9d1c9858dd 0000017a: PUSH1 0xd2 0000017c: SHL 0000017d: PUSH1 0x64 0000017f: DUP3 00000180: ADD 00000181: MSTORE 00000182: PUSH1 0x84 00000184: ADD 00000185: JUMPDEST 00000186: PUSH1 0x40 00000188: MLOAD 00000189: DUP1 0000018a: SWAP2 0000018b: SUB 0000018c: SWAP1 0000018d: REVERT 0000018e: JUMPDEST 0000018f: PUSH1 0x00 00000191: DUP1 00000192: DUP6 00000193: PUSH1 0x01 00000195: PUSH1 0x01 00000197: PUSH1 0xa0 00000199: SHL 0000019a: SUB 0000019b: AND 0000019c: DUP6 0000019d: PUSH1 0x40 0000019f: MLOAD 000001a0: PUSH2 0x01a9 000001a3: SWAP2 000001a4: SWAP1 000001a5: PUSH2 0x0263 000001a8: JUMP 000001a9: JUMPDEST 000001aa: PUSH1 0x00 000001ac: PUSH1 0x40 000001ae: MLOAD 000001af: DUP1 000001b0: DUP4 000001b1: SUB 000001b2: DUP2 000001b3: DUP6 000001b4: GAS 000001b5: DELEGATECALL 000001b6: SWAP2 000001b7: POP 000001b8: POP 000001b9: RETURNDATASIZE 000001ba: DUP1 000001bb: PUSH1 0x00 000001bd: DUP2 000001be: EQ 000001bf: PUSH2 0x01e4 000001c2: JUMPI 000001c3: PUSH1 0x40 000001c5: MLOAD 000001c6: SWAP2 000001c7: POP 000001c8: PUSH1 0x1f 000001ca: NOT 000001cb: PUSH1 0x3f 000001cd: RETURNDATASIZE 000001ce: ADD 000001cf: AND 000001d0: DUP3 000001d1: ADD 000001d2: PUSH1 0x40 000001d4: MSTORE 000001d5: RETURNDATASIZE 000001d6: DUP3 000001d7: MSTORE 000001d8: RETURNDATASIZE 000001d9: PUSH1 0x00 000001db: PUSH1 0x20 000001dd: DUP5 000001de: ADD 000001df: RETURNDATACOPY 000001e0: PUSH2 0x01e9 000001e3: JUMP 000001e4: JUMPDEST 000001e5: PUSH1 0x60 000001e7: SWAP2 000001e8: POP 000001e9: JUMPDEST 000001ea: POP 000001eb: SWAP2 000001ec: POP 000001ed: SWAP2 000001ee: POP 000001ef: PUSH2 0x01f9 000001f2: DUP3 000001f3: DUP3 000001f4: DUP7 000001f5: PUSH2 0x0203 000001f8: JUMP 000001f9: JUMPDEST 000001fa: SWAP7 000001fb: SWAP6 000001fc: POP 000001fd: POP 000001fe: POP 000001ff: POP 00000200: POP 00000201: POP 00000202: JUMP 00000203: JUMPDEST 00000204: PUSH1 0x60 00000206: DUP4 00000207: ISZERO 00000208: PUSH2 0x0212 0000020b: JUMPI 0000020c: POP 0000020d: DUP2 0000020e: PUSH2 0x004e 00000211: JUMP 00000212: JUMPDEST 00000213: DUP3 00000214: MLOAD 00000215: ISZERO 00000216: PUSH2 0x0222 00000219: JUMPI 0000021a: DUP3 0000021b: MLOAD 0000021c: DUP1 0000021d: DUP5 0000021e: PUSH1 0x20 00000220: ADD 00000221: REVERT 00000222: JUMPDEST 00000223: DUP2 00000224: PUSH1 0x40 00000226: MLOAD 00000227: PUSH3 0x461bcd 0000022b: PUSH1 0xe5 0000022d: SHL 0000022e: DUP2 0000022f: MSTORE 00000230: PUSH1 0x04 00000232: ADD 00000233: PUSH2 0x0185 00000236: SWAP2 00000237: SWAP1 00000238: PUSH2 0x027f 0000023b: JUMP 0000023c: JUMPDEST 0000023d: PUSH1 0x00 0000023f: PUSH1 0x20 00000241: DUP3 00000242: DUP5 00000243: SUB 00000244: SLT 00000245: ISZERO 00000246: PUSH2 0x024d 00000249: JUMPI 0000024a: DUP1 0000024b: DUP2 0000024c: REVERT 0000024d: JUMPDEST 0000024e: DUP2 0000024f: MLOAD 00000250: PUSH1 0x01 00000252: PUSH1 0x01 00000254: PUSH1 0xa0 00000256: SHL 00000257: SUB 00000258: DUP2 00000259: AND 0000025a: DUP2 0000025b: EQ 0000025c: PUSH2 0x004e 0000025f: JUMPI 00000260: DUP2 00000261: DUP3 00000262: REVERT 00000263: JUMPDEST 00000264: PUSH1 0x00 00000266: DUP3 00000267: MLOAD 00000268: PUSH2 0x0275 0000026b: DUP2 0000026c: DUP5 0000026d: PUSH1 0x20 0000026f: DUP8 00000270: ADD 00000271: PUSH2 0x02b2 00000274: JUMP 00000275: JUMPDEST 00000276: SWAP2 00000277: SWAP1 00000278: SWAP2 00000279: ADD 0000027a: SWAP3 0000027b: SWAP2 0000027c: POP 0000027d: POP 0000027e: JUMP 0000027f: JUMPDEST 00000280: PUSH1 0x20 00000282: DUP2 00000283: MSTORE 00000284: PUSH1 0x00 00000286: DUP3 00000287: MLOAD 00000288: DUP1 00000289: PUSH1 0x20 0000028b: DUP5 0000028c: ADD 0000028d: MSTORE 0000028e: PUSH2 0x029e 00000291: DUP2 00000292: PUSH1 0x40 00000294: DUP6 00000295: ADD 00000296: PUSH1 0x20 00000298: DUP8 00000299: ADD 0000029a: PUSH2 0x02b2 0000029d: JUMP 0000029e: JUMPDEST 0000029f: PUSH1 0x1f 000002a1: ADD 000002a2: PUSH1 0x1f 000002a4: NOT 000002a5: AND 000002a6: SWAP2 000002a7: SWAP1 000002a8: SWAP2 000002a9: ADD 000002aa: PUSH1 0x40 000002ac: ADD 000002ad: SWAP3 000002ae: SWAP2 000002af: POP 000002b0: POP 000002b1: JUMP 000002b2: JUMPDEST 000002b3: PUSH1 0x00 000002b5: JUMPDEST 000002b6: DUP4 000002b7: DUP2 000002b8: LT 000002b9: ISZERO 000002ba: PUSH2 0x02cd 000002bd: JUMPI 000002be: DUP2 000002bf: DUP2 000002c0: ADD 000002c1: MLOAD 000002c2: DUP4 000002c3: DUP3 000002c4: ADD 000002c5: MSTORE 000002c6: PUSH1 0x20 000002c8: ADD 000002c9: PUSH2 0x02b5 000002cc: JUMP 000002cd: JUMPDEST 000002ce: DUP4 000002cf: DUP2 000002d0: GT 000002d1: ISZERO 000002d2: PUSH2 0x02dc 000002d5: JUMPI 000002d6: PUSH1 0x00 000002d8: DUP5 000002d9: DUP5 000002da: ADD 000002db: MSTORE 000002dc: JUMPDEST 000002dd: POP 000002de: POP 000002df: POP 000002e0: POP 000002e1: JUMP 000002e2: INVALID 000002e3: COINBASE 000002e4: PUSH5 0x6472657373 000002ea: GASPRICE 000002eb: KECCAK256 000002ec: PUSH13 0x6f772d6c6576656c2064656c65 000002fa: PUSH8 0x6174652063616c6c 00000303: KECCAK256 00000304: PUSH7 0x61696c6564a264 0000030c: PUSH10 0x70667358221220ecea17 00000317: UNKNOWN(0xE0) 00000318: PUSH14 0x3e3d12deccb44a959863e4ae901a 00000327: UNKNOWN(0xE4) 00000328: DUP7 00000329: UNKNOWN(0x28) 0000032a: RETURNDATACOPY 0000032b: PUSH25
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| critical | upgradeability | detector | Untrusted DELEGATECALL target reachable | 70 | yes | yes |
viewtrace_id: 0x46e499007e812460cb9aa62b7ee7d3240c961aa4ef2abfc5ffb64445c67a7e1c
call_targets:
0x0fd04a68d3c3a692d6fa30384d1a87ef93554ee6, 0x381752f5458282d317d12c30d2bd4d6e1fd8841e
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "DELEGATECALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x46e499007e812460cb9aa62b7ee7d3240c961aa4ef2abfc5ffb64445c67a7e1c",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0fd04a68d3c3a692d6fa30384d1a87ef93554ee6",
"0x381752f5458282d317d12c30d2bd4d6e1fd8841e"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x",
"selector": "fallback",
"calldata_variants": [
"0x"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 276,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
},
{
"pc": 437,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
}
],
"guards_detected": [],
"delegatecall_count": 2,
"untrusted_delegatecall_count": 2
}
|
| high | access_control | codex | Unprotected initializer enables ownership takeover on uninitialized proxy | 85 | no | — |
viewevidence_json{
"evidence": "initialize is public and only protected by the one-time initializer flag, with no access control; it sets _state.owner.",
"locations": [
"contracts/Contract.sol:1103",
"contracts/Contract.sol:1299"
],
"recommendation": "Ensure initialization is executed atomically at deployment (constructor/initializer call in proxy deployment). Alternatively add an access check in initialize (e.g., onlyProxyAdmin) or use an initializer pattern that can only be invoked by a trusted deployer/initializer contract.",
"exploit_scenario": "If the proxy at 0xa693\u2026 was deployed without immediately calling initialize, any external account can call initialize first, set themselves as owner, and gain exclusive mint/burn/updateDetails control over the token implementation at 0x0fd0\u2026."
}
|
| medium | upgradeability | cast | DELEGATECALL present | 80 | no | — |
viewevidence_json{
"notes": "delegatecall enables execution in caller context; common in proxies/upgradeable patterns",
"delegatecall_count": 2
}
|