019ba8ee-e13d-72b4-8059-646bb500cbfa
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 33591 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 33592 | proxy.resolve | complete | 1 / 3 | 3 months ago |
| 33593 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 33594 | analysis.bundle | complete | 1 / 3 | 3 months ago |
| 33595 | capability.graph | complete | 1 / 3 | 3 months ago |
| 33596 | detector.run | complete | 1 / 3 | 3 months ago |
| 33597 | validation.fork | complete | 1 / 3 | 3 months ago |
| 33626 | report.consolidate | complete | 1 / 6 | 3 months ago |
{
"status": "not_proxy"
}
No slither job recorded yet.
{"no_findings":false,"summary":"Two dynamic external CALL sites are present with computed targets and possible ETH value transfer; no delegatecall/proxy patterns detected. Impact depends on whether callers can control the target/value (guards not detected in bytecode).","findings":[{"severity":"medium","category":"other","title":"Dynamic external CALL with computed target/value (possible ETH forwarding)","exploit_scenario":"If a publicly reachable function feeds user-controlled parameters into the CALL target/value, an attacker can direct the contract to call arbitrary addresses (including their own) and potentially forward ETH from the contract balance or msg.value. This can lead to ETH loss or unexpected external interactions; evidence confirms the target can vary, but bytecode-only analysis cannot prove who controls it.","recommendation":"Restrict or validate the call target (allowlist or fixed target), cap value to expected amounts (ideally zero unless explicitly intended), and consider using pull-style payments. If the call is a hook (e.g., transfer-and-call), document it clearly and avoid forwarding contract ETH.","evidence":"detector_findings report CALL at pc 703 and pc 1187 with computed target/value and no guards detected; validation shows target varies and nonzero ETH value is possible; returndata_checked is null at both sites.","locations":["pc:703","pc:1187"]},{"severity":"low","category":"reentrancy","title":"External CALLs without detected reentrancy guard","exploit_scenario":"A malicious callee could reenter during the external CALL (pc 703 or pc 1187) and invoke other state-changing functions while execution is in-flight. The bytecode analysis did not detect reentrancy guards; impact depends on whether these callsites are reachable from state-mutating logic and on invariant design, which cannot be confirmed from bytecode alone.","recommendation":"Add a reentrancy guard around functions that perform external calls, or restructure to minimize cross-function reentrancy exposure (e.g., limit callable hooks, use checks-effects-interactions with careful invariant review).","evidence":"No guards detected in detector_findings; CALL opcodes at pc 703 and pc 1187 are reachable with dynamic targets, creating a reentrancy surface.","locations":["pc:703","pc:1187"]}]}
OpenAI Codex v0.77.0 (research preview)
--------
workdir: /tmp/codex-9149d6mq
model: gpt-5.2-codex
provider: openai
approval: never
sandbox: read-only
reasoning effort: xhigh
reasoning summaries: auto
session id: 019ba8ef-a3ef-7fd2-9d77-e6bd651a0037
--------
user
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
mcp startup: no servers
thinking
**Preparing to read instructions and relevant files**
exec
/bin/bash -lc ls in /tmp/codex-9149d6mq succeeded in 8ms:
BYTECODE_BUNDLE.json
codex-output-schema.json
exec
/bin/bash -lc 'cat BYTECODE_BUNDLE.json' in /tmp/codex-9149d6mq succeeded in 5ms:
{
"analysis_artifact": {
"address": "0x92f1dbea03ce08225e31e95cc926ddbe0198e6f2",
"artifact_hash": "0x551fe16a4f68c3541f5d06818a41d8c9f10fa4b39c8495c7d8e4e25ae9f44a6a",
"artifact_json": {
"auth": {
"guards": []
},
"basic_blocks": [
{
"end_pc": 10,
"hash": "0xc590080b273074d852d07d86387bb692518eb6057284cadca88ac84fde6f0664",
"opcodes": [
"PUSH1",
"PUSH1",
"MSTORE",
"CALLDATASIZE",
"ISZERO",
"PUSH2",
"JUMPI"
thinking
**Examining bytecode call instructions**
I’m focused on analyzing the bytecode bundle to identify potential external calls at specific program counters like 703 and 1187, checking function selectors and call graph details to detect risky external calls such as those that transfer ETH without proper checks. I'll locate relevant code sections with rg to better understand the context around these calls.
exec
/bin/bash -lc 'rg -n "pc": 703 BYTECODE_BUNDLE.json' in /tmp/codex-9149d6mq exited 2 in 50ms:
rg: 703: No such file or directory (os error 2)
thinking
**Correcting ripgrep argument quoting**
exec
/bin/bash -lc 'rg -n "pc": 703 BYTECODE_BUNDLE.json' in /tmp/codex-9149d6mq exited 2 in 9ms:
rg: 703: No such file or directory (os error 2)
thinking
**Escaping quotes in search patterns**
exec
/bin/bash -lc "rg -n '\"pc\": 703' BYTECODE_BUNDLE.json" in /tmp/codex-9149d6mq succeeded in 31ms:
1397: "pc": 703,
3417: "pc": 703,
3511: "pc": 703,
3557: "pc": 703,
thinking
**Extracting context around line 1397**
exec
/bin/bash -lc "sed -n '1370,1435p' BYTECODE_BUNDLE.json" in /tmp/codex-9149d6mq succeeded in 6ms:
"end_pc": 1360,
"hash": "0xeae0364b29f3000df5b96dded209b23f1014521c1d1a357e94d277dbd437fa1e",
"opcodes": [
"JUMPDEST",
"POP",
"PUSH1",
"PUSH2",
"JUMP"
],
"start_pc": 1353
},
{
"end_pc": 1368,
"hash": "0xad9ad3a7c2b99c95a018f687eab174e2c03eec2de1754d305fa7d864d2b42527",
"opcodes": [
"JUMPDEST",
"POP",
"PUSH1",
"PUSH2",
"JUMP"
thinking
**Analyzing callsite-to-function mapping**
exec
/bin/bash -lc "python - <<'PY'
import json
from collections import defaultdict, deque
with open('BYTECODE_BUNDLE.json','r') as f:
    data=json.load(f)
artifact=data['analysis_artifact']['artifact_json']
edges=artifact.get('cfg_edges',[])
# build adjacency for control flow
adj=defaultdict(list)
for e in edges:
    if e['type'] in ('control_flow','control_flow_fallthrough'):
        adj[e['from']].append(e['to'])
# entry mapping
entries=defaultdict(list)
for e in edges:
    if e['type']=='entry':
        entries[e['from']].append(e['to'])
# callsite nodes
calls=[n for n in artifact.get('nodes',[]) if n.get('type')=='callsite']
call_ids=[c['id'] for c in calls]
# to map call to containing basic block from edges type contains
contains = defaultdict(list)
for e in edges:
    if e['type']=='contains':
        contains[e['to']].append(e['from'])
# compute reachable calls for each function
reachable_calls = defaultdict(set)
for fn, entry_nodes in entries.items():
    # BFS from each entry
    seen=set()
    dq=deque(entry_nodes)
    while dq:
        n=dq.popleft()
        if n in seen:
            continue
        seen.add(n)
        # if this is a callsite or its containing callsite? callsite isn't in control flow graph except via contains edges.
        # So we check if node contains a callsite
        for call_id, from_nodes in contains.items():
            pass
        # traverse
        for nxt in adj.get(n,[]):
            if nxt not in seen:
                dq.append(nxt)
    # now, determine calls if any of seen are in contains for callsite
    for call_id, from_nodes in contains.items():
        if any(b in seen for b in from_nodes):
            reachable_calls[fn].add(call_id)
print('functions:', len(entries))
print('callsites:', call_ids)
print('contains:', contains)
for fn, calls in reachable_calls.items():
    if calls:
        print(fn, '->', calls)
PY" in /tmp/codex-9149d6mq succeeded in 36ms:
functions: 0
callsites: []
contains: defaultdict(<class 'list'>, {})
thinking
**Investigating empty function and edge counts**
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json','r') as f:
    data=json.load(f)
artifact=data['analysis_artifact']['artifact_json']
print(artifact.keys())
print('cfg_edges', len(artifact.get('cfg_edges',[])))
print('nodes', len(artifact.get('nodes',[])))
print('basic_blocks', len(artifact.get('basic_blocks',[])))
print('callsites', len(artifact.get('callsites',[])))
# Show sample of cfg_edges keys
if artifact.get('cfg_edges'):
    print('first edge', artifact['cfg_edges'][0])
PY" in /tmp/codex-9149d6mq succeeded in 24ms:
dict_keys(['auth', 'basic_blocks', 'callsites', 'cfg_edges', 'cfg_hash', 'dispatcher_type', 'function_entries', 'functions', 'selectors', 'sinks', 'storage', 'version'])
cfg_edges 71
nodes 0
basic_blocks 57
callsites 2
first edge {'from': 'bb:0', 'to': 'bb:141', 'type': 'control_flow'}
thinking
**Investigating missing nodes list**
exec
/bin/bash -lc "rg -n '\"nodes\"' BYTECODE_BUNDLE.json" in /tmp/codex-9149d6mq succeeded in 7ms:
3014: "nodes": [
thinking
**Investigating artifact_json content near nodes**
exec
/bin/bash -lc "sed -n '2980,3055p' BYTECODE_BUNDLE.json" in /tmp/codex-9149d6mq succeeded in 6ms:
"to": "bb:2835717307",
"type": "entry"
},
{
"from": "fn:0xa9059cbb",
"to": "bb:3506355788",
"type": "entry"
},
{
"from": "fn:0xd0febe4c",
"to": "bb:3714247998",
"type": "entry"
},
{
"from": "bb:677",
"to": "call:703",
"type": "contains"
},
{
"from": "call:703",
thinking
**Analyzing missing "nodes" key in JSON**
exec
/bin/bash -lc "python - <<'PY'
import json, re
with open('BYTECODE_BUNDLE.json') as f:
    data=json.load(f)
artifact=data['analysis_artifact']['artifact_json']
print([k for k in artifact.keys() if 'node' in k])
PY" in /tmp/codex-9149d6mq succeeded in 27ms:
[]
thinking
**Verifying JSON structure around nodes**
exec
/bin/bash -lc "sed -n '2930,2995p' BYTECODE_BUNDLE.json" in /tmp/codex-9149d6mq succeeded in 24ms:
"to": "bb:1338",
"type": "control_flow_fallthrough"
},
{
"from": "bb:1345",
"to": "bb:752",
"type": "control_flow"
},
{
"from": "bb:1353",
"to": "bb:752",
"type": "control_flow"
},
{
"from": "bb:1361",
"to": "bb:348",
"type": "control_flow"
},
{
"from": "fn:0x095ea7b3",
thinking
**Investigating missing 'nodes' key in JSON structure**
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json') as f:
    data=json.load(f)
print(data['analysis_artifact'].keys())
PY" in /tmp/codex-9149d6mq succeeded in 55ms:
dict_keys(['address', 'artifact_hash', 'artifact_json', 'block_number', 'chain_id', 'codehash', 'created_at', 'id', 'updated_at', 'version'])
thinking
**Investigating JSON structure for nodes key**
exec
/bin/bash -lc "sed -n '2960,3020p' BYTECODE_BUNDLE.json" in /tmp/codex-9149d6mq succeeded in 13ms:
"to": "bb:826074471",
"type": "entry"
},
{
"from": "fn:0x313ce567",
"to": "bb:1813101779",
"type": "entry"
},
{
"from": "fn:0x6c11bcd3",
"to": "bb:1889567281",
"type": "entry"
},
{
"from": "fn:0x70a08231",
"to": "bb:2514000705",
"type": "entry"
},
{
"from": "fn:0x95d89b41",
thinking
**Investigating missing JSON key issue**
exec
/bin/bash -lc "python - <<'PY'
import re
path='BYTECODE_BUNDLE.json'
with open(path,'r') as f:
    s=f.read()
idx=s.find('\"nodes\"')
print('idx', idx)
print(s[idx-80:idx+20])
PY" in /tmp/codex-9149d6mq succeeded in 28ms:
idx 78546
"to": "sink:call",
"type": "capability"
}
],
"nodes": [
{
thinking
**Reviewing earlier artifact_json context**
exec
/bin/bash -lc "python - <<'PY'
path='BYTECODE_BUNDLE.json'
with open(path,'r') as f:
    s=f.read()
idx=s.find('\"nodes\"')
print(s[idx-200:idx-1])
PY" in /tmp/codex-9149d6mq succeeded in 18ms:
33",
"to": "call:1187",
"type": "contains"
},
{
"from": "call:1187",
"to": "sink:call",
"type": "capability"
}
],
thinking
**Investigating missing nodes key**
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json') as f:
    data=json.load(f)
artifact=data['analysis_artifact']['artifact_json']
print('nodes' in artifact)
# show json keys with similar length maybe
print(sorted(artifact.keys()))
# Let's check length of cfg_edges to ensure that includes contains edges
edges=artifact['cfg_edges']
# find any edge with type contains
print('contains count', sum(1 for e in edges if e['type']=='contains'))
# check edges last few
print('last edge', edges[-1])
PY" in /tmp/codex-9149d6mq succeeded in 36ms:
False
['auth', 'basic_blocks', 'callsites', 'cfg_edges', 'cfg_hash', 'dispatcher_type', 'function_entries', 'functions', 'selectors', 'sinks', 'storage', 'version']
contains count 0
last edge {'from': 'bb:1361', 'to': 'bb:348', 'type': 'control_flow'}
thinking
**Investigating incomplete cfg_edges parsing**
exec
/bin/bash -lc "rg -n '\"cfg_edges\"' BYTECODE_BUNDLE.json" in /tmp/codex-9149d6mq succeeded in 7ms:
1410: "cfg_edges": [
thinking
**Analyzing partial JSON parsing issue**
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json') as f:
    data=json.load(f)
edges=data['analysis_artifact']['artifact_json']['cfg_edges']
for e in edges[-15:]:
    print(e)
PY" in /tmp/codex-9149d6mq succeeded in 26ms:
{'from': 'bb:901', 'to': 'bb:907', 'type': 'control_flow_fallthrough'}
{'from': 'bb:907', 'to': 'bb:348', 'type': 'control_flow'}
{'from': 'bb:1016', 'to': 'bb:1061', 'type': 'control_flow_fallthrough'}
{'from': 'bb:1081', 'to': 'bb:348', 'type': 'control_flow'}
{'from': 'bb:1133', 'to': 'bb:1229', 'type': 'control_flow'}
{'from': 'bb:1133', 'to': 'bb:1204', 'type': 'control_flow_fallthrough'}
{'from': 'bb:1204', 'to': 'bb:1229', 'type': 'control_flow_fallthrough'}
{'from': 'bb:1283', 'to': 'bb:1297', 'type': 'control_flow_fallthrough'}
{'from': 'bb:1297', 'to': 'bb:1297', 'type': 'control_flow'}
{'from': 'bb:1297', 'to': 'bb:1317', 'type': 'control_flow_fallthrough'}
{'from': 'bb:1317', 'to': 'bb:1326', 'type': 'control_flow_fallthrough'}
{'from': 'bb:1334', 'to': 'bb:1338', 'type': 'control_flow_fallthrough'}
{'from': 'bb:1345', 'to': 'bb:752', 'type': 'control_flow'}
{'from': 'bb:1353', 'to': 'bb:752', 'type': 'control_flow'}
{'from': 'bb:1361', 'to': 'bb:348', 'type': 'control_flow'}
thinking
**Analyzing JSON parsing issues**
exec
/bin/bash -lc "python - <<'PY'
import json
from collections import deque
with open('BYTECODE_BUNDLE.json') as f:
    data=json.load(f)
# BFS search for string value
needle='fn:0x095ea7b3'
found_paths=[]
# Use stack of (path, obj)
stack=[([], data)]
while stack:
    path,obj=stack.pop()
    if isinstance(obj, dict):
        for k,v in obj.items():
            stack.append((path+[k], v))
    elif isinstance(obj, list):
        for i,v in enumerate(obj):
            stack.append((path+[i], v))
    else:
        if obj==needle:
            found_paths.append(path)
print('found', len(found_paths))
if found_paths:
    print(found_paths[:3])
PY" in /tmp/codex-9149d6mq succeeded in 26ms:
found 2
[['capability_graph', 'graph_json', 'nodes', 61, 'id'], ['capability_graph', 'graph_json', 'edges', 71, 'from']]
thinking
**Inspecting top-level keys**
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json') as f:
    data=json.load(f)
print(data.keys())
PY" in /tmp/codex-9149d6mq succeeded in 29ms:
dict_keys(['analysis_artifact', 'analysis_run', 'artifact', 'capability_graph', 'detector_findings', 'heuristics_summary'])
thinking
**Investigating capability_graph structure**
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json') as f:
    data=json.load(f)
print(data['capability_graph'].keys())
print(data['capability_graph']['graph_json'].keys())
print('edges', len(data['capability_graph']['graph_json']['edges']))
print('nodes', len(data['capability_graph']['graph_json']['nodes']))
PY" in /tmp/codex-9149d6mq succeeded in 28ms:
dict_keys(['address', 'block_number', 'chain_id', 'codehash', 'created_at', 'graph_hash', 'graph_json', 'id', 'updated_at', 'version'])
dict_keys(['edges', 'nodes', 'version'])
edges 84
nodes 71
thinking
**Implementing reachability analysis**
exec
/bin/bash -lc "python - <<'PY'
import json
from collections import defaultdict, deque
with open('BYTECODE_BUNDLE.json') as f:
    data=json.load(f)
cg=data['capability_graph']['graph_json']
edges=cg['edges']
adj=defaultdict(list)
entries=defaultdict(list)
contains=defaultdict(list)
for e in edges:
    t=e['type']
    if t in ('control_flow','control_flow_fallthrough'):
        adj[e['from']].append(e['to'])
    elif t=='entry':
        entries[e['from']].append(e['to'])
    elif t=='contains':
        contains[e['to']].append(e['from'])
# callsites ids
calls=[n['id'] for n in cg['nodes'] if n.get('type')=='callsite']
print('calls', calls)
# compute reachable calls from functions
reachable_calls=defaultdict(set)
for fn, entry_nodes in entries.items():
    seen=set()
    dq=deque(entry_nodes)
    while dq:
        n=dq.popleft()
        if n in seen:
            continue
        seen.add(n)
        for nxt in adj.get(n,[]):
            if nxt not in seen:
                dq.append(nxt)
    for call_id, from_nodes in contains.items():
        if any(b in seen for b in from_nodes):
            reachable_calls[fn].add(call_id)
for fn, calls in reachable_calls.items():
    if calls:
        print(fn, '->', calls)
# Map callsite to basic block and pc
# nodes list includes callsite details with pc
call_info={n['id']:n for n in cg['nodes'] if n.get('type')=='callsite'}
print('call_info', call_info)
PY" in /tmp/codex-9149d6mq succeeded in 27ms:
calls ['call:703', 'call:1187']
call_info {'call:703': {'id': 'call:703', 'opcode': 'CALL', 'pc': 703, 'type': 'callsite'}, 'call:1187': {'id': 'call:1187', 'opcode': 'CALL', 'pc': 1187, 'type': 'callsite'}}
thinking
**Checking entries in capability_graph**
exec
/bin/bash -lc "python - <<'PY'
import json
from collections import Counter
with open('BYTECODE_BUNDLE.json') as f:
    data=json.load(f)
gedges=data['capability_graph']['graph_json']['edges']
print('edge types', Counter(e['type'] for e in gedges))
# show entry edges
entries=[e for e in gedges if e['type']=='entry']
print('entries', len(entries))
print(entries[:5])
PY" in /tmp/codex-9149d6mq succeeded in 27ms:
edge types Counter({'control_flow_fallthrough': 37, 'control_flow': 34, 'entry': 9, 'contains': 2, 'capability': 2})
entries 9
[{'from': 'fn:0x095ea7b3', 'to': 'bb:404098525', 'type': 'entry'}, {'from': 'fn:0x18160ddd', 'to': 'bb:599290589', 'type': 'entry'}, {'from': 'fn:0x23b872dd', 'to': 'bb:826074471', 'type': 'entry'}, {'from': 'fn:0x313ce567', 'to': 'bb:1813101779', 'type': 'entry'}, {'from': 'fn:0x6c11bcd3', 'to': 'bb:1889567281', 'type': 'entry'}]
thinking
**Verifying basic block ID matches**
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json') as f:
    data=json.load(f)
nodes=[n['id'] for n in data['capability_graph']['graph_json']['nodes']]
# check if entry bb ids exist
entry_ids=[e['to'] for e in data['capability_graph']['graph_json']['edges'] if e['type']=='entry']
missing=[eid for eid in entry_ids if eid not in nodes]
print('missing entry nodes', len(missing))
print('sample missing', missing[:5])
PY" in /tmp/codex-9149d6mq succeeded in 28ms:
missing entry nodes 9
sample missing ['bb:404098525', 'bb:599290589', 'bb:826074471', 'bb:1813101779', 'bb:1889567281']
thinking
**Analyzing callsites and function mappings**
exec
/bin/bash -lc "rg -n '\"start_pc\": 1133' BYTECODE_BUNDLE.json" in /tmp/codex-9149d6mq succeeded in 14ms:
1164: "start_pc": 1133
3320: "start_pc": 1133,
thinking
**Examining basic block definitions**
exec
/bin/bash -lc "sed -n '1120,1185p' BYTECODE_BUNDLE.json" in /tmp/codex-9149d6mq succeeded in 7ms:
"MLOAD",
"OP_81",
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP",
"OP_80",
"MLOAD",
"OP_90",
"PUSH1",
"ADD",
"OP_90",
"OP_80",
"OP_83",
"OP_83",
"OP_82",
"OP_90",
"PUSH1",
"PUSH1",
thinking
**Examining basic block around start_pc 677**
exec
/bin/bash -lc "sed -n '660,730p' BYTECODE_BUNDLE.json" in /tmp/codex-9149d6mq succeeded in 14ms:
"opcodes": [
"POP",
"PUSH1",
"MLOAD",
"CALLER",
"PUSH1",
"PUSH1",
"PUSH1",
"EXP",
"SUB",
"AND",
"OP_90",
"OP_82",
"OP_90",
"OP_84",
"OP_90",
"OP_82",
"OP_81",
"OP_81",
"OP_81",
thinking
**Analyzing external call risks and reentrancy**
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json') as f:
    data=json.load(f)
storage=data['analysis_artifact']['artifact_json'].get('storage',{})
print(storage)
PY" in /tmp/codex-9149d6mq succeeded in 59ms:
{'keccak_count': 19, 'reads': 22, 'slots': [{'op': 'SLOAD', 'pc': 151, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000003'}, {'op': 'SLOAD', 'pc': 223, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000100'}, {'op': 'SLOAD', 'pc': 360, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000002'}, {'op': 'SLOAD', 'pc': 604, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000005'}, {'op': 'SLOAD', 'pc': 662, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000002'}, {'op': 'SLOAD', 'pc': 764, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000004'}, {'op': 'SLOAD', 'pc': 837, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000100'}, {'op': 'SLOAD', 'pc': 1053, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000002'}], 'writes': 10}
thinking
**Analyzing reentrancy and call risks**
I'm examining storage slot usage and external calls, noting high-severity issues like untrusted CALL targets and ETH transfers. I’m carefully checking if state updates happen before external calls to assess reentrancy risk, considering common security patterns like CEI. I’m also looking into the contract’s fallback behavior and payable functions to understand if ETH can be sent or received unexpectedly, all to shape a cautious security summary based on solid evidence.
exec
/bin/bash -lc "sed -n '1040,1145p' BYTECODE_BUNDLE.json" in /tmp/codex-9149d6mq succeeded in 28ms:
"ISZERO",
"OP_82",
"MSTORE",
"MLOAD",
"OP_90",
"OP_81",
"OP_90",
"SUB",
"PUSH1",
"ADD",
"OP_90",
"RETURN"
],
"start_pc": 1061
},
{
"end_pc": 1132,
"hash": "0xa4826980ac76398efb5e6a7997b962bd41781edfaf3533095b2cfb0617b27037",
"opcodes": [
"JUMPDEST",
thinking
**Analyzing storage operations around call sites**
exec
/bin/bash -lc "sed -n '1185,1245p' BYTECODE_BUNDLE.json" in /tmp/codex-9149d6mq succeeded in 6ms:
"MSTORE",
"PUSH1",
"ADD",
"OP_91",
"POP"
],
"start_pc": 1204
},
{
"end_pc": 1242,
"hash": "0x7d22a2da887bed713245221b863aa0dd6faa94aa702e5fee19210d929ceec4e0",
"opcodes": [
"JUMPDEST",
"POP",
"OP_92",
"POP",
"POP",
"POP",
"PUSH1",
"MLOAD",
thinking
**Analyzing call site and blocks**
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json') as f:
    data=json.load(f)
artifact=data['analysis_artifact']['artifact_json']
print('selectors', artifact.get('selectors',{}))
print('functions', artifact.get('functions',{}))
PY" in /tmp/codex-9149d6mq succeeded in 64ms:
selectors ['0x06fdde03', '0x095ea7b3', '0x18160ddd', '0x23b872dd', '0x313ce567', '0x6c11bcd3', '0x70a08231', '0x95d89b41', '0xa9059cbb', '0xd0febe4c', '0xdd62ed3e']
thinking
**Summarizing external call risks and findings**
I'm analyzing dynamic external CALLs with computed targets and possible ETH transfers, noting the absence of access control and potential reentrancy risks; I'll prepare findings that cautiously highlight these issues with severity levels reflecting the uncertainty in the evidence.
codex
{"no_findings":false,"summary":"Two dynamic external CALL sites are present with computed targets and possible ETH value transfer; no delegatecall/proxy patterns detected. Impact depends on whether callers can control the target/value (guards not detected in bytecode).","findings":[{"severity":"medium","category":"other","title":"Dynamic external CALL with computed target/value (possible ETH forwarding)","exploit_scenario":"If a publicly reachable function feeds user-controlled parameters into the CALL target/value, an attacker can direct the contract to call arbitrary addresses (including their own) and potentially forward ETH from the contract balance or msg.value. This can lead to ETH loss or unexpected external interactions; evidence confirms the target can vary, but bytecode-only analysis cannot prove who controls it.","recommendation":"Restrict or validate the call target (allowlist or fixed target), cap value to expected amounts (ideally zero unless explicitly intended), and consider using pull-style payments. If the call is a hook (e.g., transfer-and-call), document it clearly and avoid forwarding contract ETH.","evidence":"detector_findings report CALL at pc 703 and pc 1187 with computed target/value and no guards detected; validation shows target varies and nonzero ETH value is possible; returndata_checked is null at both sites.","locations":["pc:703","pc:1187"]},{"severity":"low","category":"reentrancy","title":"External CALLs without detected reentrancy guard","exploit_scenario":"A malicious callee could reenter during the external CALL (pc 703 or pc 1187) and invoke other state-changing functions while execution is in-flight. 
The bytecode analysis did not detect reentrancy guards; impact depends on whether these callsites are reachable from state-mutating logic and on invariant design, which cannot be confirmed from bytecode alone.","recommendation":"Add a reentrancy guard around functions that perform external calls, or restructure to minimize cross-function reentrancy exposure (e.g., limit callable hooks, use checks-effects-interactions with careful invariant review).","evidence":"No guards detected in detector_findings; CALL opcodes at pc 703 and pc 1187 are reachable with dynamic targets, creating a reentrancy surface.","locations":["pc:703","pc:1187"]}]}
tokens used
56,664
{
"codex": {
"ran_at": "2026-01-10T17:30:19.899452+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 2740,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "Two dynamic external CALL sites are present with computed targets and possible ETH value transfer; no delegatecall/proxy patterns detected. Impact depends on whether callers can control the target/value (guards not detected in bytecode).",
"raw_final": {
"summary": "Two dynamic external CALL sites are present with computed targets and possible ETH value transfer; no delegatecall/proxy patterns detected. Impact depends on whether callers can control the target/value (guards not detected in bytecode).",
"findings": [
{
"title": "Dynamic external CALL with computed target/value (possible ETH forwarding)",
"category": "other",
"evidence": "detector_findings report CALL at pc 703 and pc 1187 with computed target/value and no guards detected; validation shows target varies and nonzero ETH value is possible; returndata_checked is null at both sites.",
"severity": "medium",
"locations": [
"pc:703",
"pc:1187"
],
"recommendation": "Restrict or validate the call target (allowlist or fixed target), cap value to expected amounts (ideally zero unless explicitly intended), and consider using pull-style payments. If the call is a hook (e.g., transfer-and-call), document it clearly and avoid forwarding contract ETH.",
"exploit_scenario": "If a publicly reachable function feeds user-controlled parameters into the CALL target/value, an attacker can direct the contract to call arbitrary addresses (including their own) and potentially forward ETH from the contract balance or msg.value. This can lead to ETH loss or unexpected external interactions; evidence confirms the target can vary, but bytecode-only analysis cannot prove who controls it."
},
{
"title": "External CALLs without detected reentrancy guard",
"category": "reentrancy",
"evidence": "No guards detected in detector_findings; CALL opcodes at pc 703 and pc 1187 are reachable with dynamic targets, creating a reentrancy surface.",
"severity": "low",
"locations": [
"pc:703",
"pc:1187"
],
"recommendation": "Add a reentrancy guard around functions that perform external calls, or restructure to minimize cross-function reentrancy exposure (e.g., limit callable hooks, use checks-effects-interactions with careful invariant review).",
"exploit_scenario": "A malicious callee could reenter during the external CALL (pc 703 or pc 1187) and invoke other state-changing functions while execution is in-flight. The bytecode analysis did not detect reentrancy guards; impact depends on whether these callsites are reachable from state-mutating logic and on invariant design, which cannot be confirmed from bytecode alone."
}
],
"no_findings": false
},
"no_findings": false,
"schema_version": 1
}
00000000: PUSH1 0x60 00000002: PUSH1 0x40 00000004: MSTORE 00000005: CALLDATASIZE 00000006: ISZERO 00000007: PUSH2 0x008d 0000000a: JUMPI 0000000b: PUSH1 0xe0 0000000d: PUSH1 0x02 0000000f: EXP 00000010: PUSH1 0x00 00000012: CALLDATALOAD 00000013: DIV 00000014: PUSH4 0x06fdde03 00000019: DUP2 0000001a: EQ 0000001b: PUSH2 0x008f 0000001e: JUMPI 0000001f: DUP1 00000020: PUSH4 0x095ea7b3 00000025: EQ 00000026: PUSH2 0x00ed 00000029: JUMPI 0000002a: DUP1 0000002b: PUSH4 0x18160ddd 00000030: EQ 00000031: PUSH2 0x0162 00000034: JUMPI 00000035: DUP1 00000036: PUSH4 0x23b872dd 0000003b: EQ 0000003c: PUSH2 0x016b 0000003f: JUMPI 00000040: DUP1 00000041: PUSH4 0x313ce567 00000046: EQ 00000047: PUSH2 0x0256 0000004a: JUMPI 0000004b: DUP1 0000004c: PUSH4 0x6c11bcd3 00000051: EQ 00000052: PUSH2 0x0262 00000055: JUMPI 00000056: DUP1 00000057: PUSH4 0x70a08231 0000005c: EQ 0000005d: PUSH2 0x02d0 00000060: JUMPI 00000061: DUP1 00000062: PUSH4 0x95d89b41 00000067: EQ 00000068: PUSH2 0x02f5 0000006b: JUMPI 0000006c: DUP1 0000006d: PUSH4 0xa9059cbb 00000072: EQ 00000073: PUSH2 0x0353 00000076: JUMPI 00000077: DUP1 00000078: PUSH4 0xd0febe4c 0000007d: EQ 0000007e: PUSH2 0x03f8 00000081: JUMPI 00000082: DUP1 00000083: PUSH4 0xdd62ed3e 00000088: EQ 00000089: PUSH2 0x0439 0000008c: JUMPI 0000008d: JUMPDEST 0000008e: STOP 0000008f: JUMPDEST 00000090: PUSH1 0x40 00000092: DUP1 00000093: MLOAD 00000094: PUSH1 0x03 00000096: DUP1 00000097: SLOAD 00000098: PUSH1 0x20 0000009a: PUSH1 0x02 0000009c: PUSH1 0x01 0000009e: DUP4 0000009f: AND 000000a0: ISZERO 000000a1: PUSH2 0x0100 000000a4: MUL 000000a5: PUSH1 0x00 000000a7: NOT 000000a8: ADD 000000a9: SWAP1 000000aa: SWAP3 000000ab: AND 000000ac: SWAP2 000000ad: SWAP1 000000ae: SWAP2 000000af: DIV 000000b0: PUSH1 0x1f 000000b2: DUP2 000000b3: ADD 000000b4: DUP3 000000b5: SWAP1 000000b6: DIV 000000b7: DUP3 000000b8: MUL 000000b9: DUP5 000000ba: ADD 000000bb: DUP3 000000bc: ADD 000000bd: SWAP1 000000be: SWAP5 000000bf: MSTORE 000000c0: DUP4 
000000c1: DUP4 000000c2: MSTORE 000000c3: PUSH2 0x046d 000000c6: SWAP4 000000c7: SWAP1 000000c8: DUP4 000000c9: ADD 000000ca: DUP3 000000cb: DUP3 000000cc: DUP1 000000cd: ISZERO 000000ce: PUSH2 0x052e 000000d1: JUMPI 000000d2: DUP1 000000d3: PUSH1 0x1f 000000d5: LT 000000d6: PUSH2 0x0503 000000d9: JUMPI 000000da: PUSH2 0x0100 000000dd: DUP1 000000de: DUP4 000000df: SLOAD 000000e0: DIV 000000e1: MUL 000000e2: DUP4 000000e3: MSTORE 000000e4: SWAP2 000000e5: PUSH1 0x20 000000e7: ADD 000000e8: SWAP2 000000e9: PUSH2 0x052e 000000ec: JUMP 000000ed: JUMPDEST 000000ee: PUSH2 0x0425 000000f1: PUSH1 0x04 000000f3: CALLDATALOAD 000000f4: PUSH1 0x24 000000f6: CALLDATALOAD 000000f7: CALLER 000000f8: PUSH1 0x01 000000fa: PUSH1 0xa0 000000fc: PUSH1 0x02 000000fe: EXP 000000ff: SUB 00000100: SWAP1 00000101: DUP2 00000102: AND 00000103: PUSH1 0x00 00000105: DUP2 00000106: DUP2 00000107: MSTORE 00000108: PUSH1 0x01 0000010a: PUSH1 0x20 0000010c: SWAP1 0000010d: DUP2 0000010e: MSTORE 0000010f: PUSH1 0x40 00000111: DUP1 00000112: DUP4 00000113: KECCAK256 00000114: SWAP5 00000115: DUP8 00000116: AND 00000117: DUP1 00000118: DUP5 00000119: MSTORE 0000011a: SWAP5 0000011b: DUP3 0000011c: MSTORE 0000011d: DUP1 0000011e: DUP4 0000011f: KECCAK256 00000120: DUP7 00000121: SWAP1 00000122: SSTORE 00000123: DUP1 00000124: MLOAD 00000125: DUP7 00000126: DUP2 00000127: MSTORE 00000128: SWAP1 00000129: MLOAD 0000012a: SWAP3 0000012b: SWAP5 0000012c: SWAP4 0000012d: SWAP3 0000012e: PUSH32 0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925 0000014f: SWAP3 00000150: SWAP2 00000151: DUP2 00000152: SWAP1 00000153: SUB 00000154: SWAP1 00000155: SWAP2 00000156: ADD 00000157: SWAP1 00000158: LOG3 00000159: POP 0000015a: PUSH1 0x01 0000015c: JUMPDEST 0000015d: SWAP3 0000015e: SWAP2 0000015f: POP 00000160: POP 00000161: JUMP 00000162: JUMPDEST 00000163: PUSH2 0x04db 00000166: PUSH1 0x02 00000168: SLOAD 00000169: DUP2 0000016a: JUMP 0000016b: JUMPDEST 0000016c: PUSH2 0x0425 0000016f: PUSH1 
0x04 00000171: CALLDATALOAD 00000172: PUSH1 0x24 00000174: CALLDATALOAD 00000175: PUSH1 0x44 00000177: CALLDATALOAD 00000178: PUSH1 0x01 0000017a: PUSH1 0xa0 0000017c: PUSH1 0x02 0000017e: EXP 0000017f: SUB 00000180: DUP4 00000181: AND 00000182: PUSH1 0x00 00000184: SWAP1 00000185: DUP2 00000186: MSTORE 00000187: PUSH1 0x20 00000189: DUP2 0000018a: SWAP1 0000018b: MSTORE 0000018c: PUSH1 0x40 0000018e: DUP2 0000018f: KECCAK256 00000190: SLOAD 00000191: DUP3 00000192: SWAP1 00000193: LT 00000194: DUP1 00000195: ISZERO 00000196: SWAP1 00000197: PUSH2 0x01be 0000019a: JUMPI 0000019b: POP 0000019c: PUSH1 0x01 0000019e: PUSH1 0x20 000001a0: SWAP1 000001a1: DUP2 000001a2: MSTORE 000001a3: PUSH1 0x40 000001a5: DUP1 000001a6: DUP4 000001a7: KECCAK256 000001a8: CALLER 000001a9: PUSH1 0x01 000001ab: PUSH1 0xa0 000001ad: PUSH1 0x02 000001af: EXP 000001b0: SUB 000001b1: AND 000001b2: DUP5 000001b3: MSTORE 000001b4: SWAP1 000001b5: SWAP2 000001b6: MSTORE 000001b7: DUP2 000001b8: KECCAK256 000001b9: SLOAD 000001ba: DUP3 000001bb: SWAP1 000001bc: LT 000001bd: ISZERO 000001be: JUMPDEST 000001bf: DUP1 000001c0: ISZERO 000001c1: PUSH2 0x01ca 000001c4: JUMPI 000001c5: POP 000001c6: PUSH1 0x00 000001c8: DUP3 000001c9: GT 000001ca: JUMPDEST 000001cb: ISZERO 000001cc: PUSH2 0x0536 000001cf: JUMPI 000001d0: PUSH1 0x01 000001d2: PUSH1 0xa0 000001d4: PUSH1 0x02 000001d6: EXP 000001d7: SUB 000001d8: DUP4 000001d9: DUP2 000001da: AND 000001db: PUSH1 0x00 000001dd: DUP2 000001de: DUP2 000001df: MSTORE 000001e0: PUSH1 0x20 000001e2: DUP2 000001e3: DUP2 000001e4: MSTORE 000001e5: PUSH1 0x40 000001e7: DUP1 000001e8: DUP4 000001e9: KECCAK256 000001ea: DUP1 000001eb: SLOAD 000001ec: DUP9 000001ed: ADD 000001ee: SWAP1 000001ef: SSTORE 000001f0: DUP9 000001f1: DUP6 000001f2: AND 000001f3: DUP1 000001f4: DUP5 000001f5: MSTORE 000001f6: DUP2 000001f7: DUP5 000001f8: KECCAK256 000001f9: DUP1 000001fa: SLOAD 000001fb: DUP10 000001fc: SWAP1 000001fd: SUB 000001fe: SWAP1 000001ff: SSTORE 00000200: PUSH1 
0x01 00000202: DUP4 00000203: MSTORE 00000204: DUP2 00000205: DUP5 00000206: KECCAK256 00000207: CALLER 00000208: SWAP1 00000209: SWAP7 0000020a: AND 0000020b: DUP5 0000020c: MSTORE 0000020d: SWAP5 0000020e: DUP3 0000020f: MSTORE 00000210: SWAP2 00000211: DUP3 00000212: SWAP1 00000213: KECCAK256 00000214: DUP1 00000215: SLOAD 00000216: DUP8 00000217: SWAP1 00000218: SUB 00000219: SWAP1 0000021a: SSTORE 0000021b: DUP2 0000021c: MLOAD 0000021d: DUP7 0000021e: DUP2 0000021f: MSTORE 00000220: SWAP2 00000221: MLOAD 00000222: SWAP3 00000223: SWAP4 00000224: SWAP3 00000225: PUSH32 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef 00000246: SWAP3 00000247: DUP2 00000248: SWAP1 00000249: SUB 0000024a: SWAP1 0000024b: SWAP2 0000024c: ADD 0000024d: SWAP1 0000024e: LOG3 0000024f: POP 00000250: PUSH1 0x01 00000252: PUSH2 0x053a 00000255: JUMP 00000256: JUMPDEST 00000257: PUSH2 0x04ed 0000025a: PUSH1 0x05 0000025c: SLOAD 0000025d: PUSH1 0xff 0000025f: AND 00000260: DUP2 00000261: JUMP 00000262: JUMPDEST 00000263: PUSH2 0x0425 00000266: PUSH1 0x04 00000268: CALLDATALOAD 00000269: CALLER 0000026a: PUSH1 0x01 0000026c: PUSH1 0xa0 0000026e: PUSH1 0x02 00000270: EXP 00000271: SUB 00000272: AND 00000273: PUSH1 0x00 00000275: SWAP1 00000276: DUP2 00000277: MSTORE 00000278: PUSH1 0x20 0000027a: DUP2 0000027b: SWAP1 0000027c: MSTORE 0000027d: PUSH1 0x40 0000027f: DUP2 00000280: KECCAK256 00000281: SLOAD 00000282: DUP3 00000283: GT 00000284: PUSH2 0x0541 00000287: JUMPI 00000288: PUSH1 0x40 0000028a: DUP2 0000028b: KECCAK256 0000028c: DUP1 0000028d: SLOAD 0000028e: DUP4 0000028f: SWAP1 00000290: SUB 00000291: SWAP1 00000292: SSTORE 00000293: PUSH1 0x02 00000295: DUP1 00000296: SLOAD 00000297: DUP4 00000298: SWAP1 00000299: SUB 0000029a: SWAP1 0000029b: SSTORE 0000029c: DUP1 0000029d: DUP3 0000029e: GT 0000029f: DUP1 000002a0: ISZERO 000002a1: PUSH2 0x02c6 000002a4: JUMPI 000002a5: POP 000002a6: PUSH1 0x40 000002a8: MLOAD 000002a9: CALLER 000002aa: PUSH1 0x01 000002ac: 
PUSH1 0xa0 000002ae: PUSH1 0x02 000002b0: EXP 000002b1: SUB 000002b2: AND 000002b3: SWAP1 000002b4: DUP3 000002b5: SWAP1 000002b6: DUP5 000002b7: SWAP1 000002b8: DUP3 000002b9: DUP2 000002ba: DUP2 000002bb: DUP2 000002bc: DUP6 000002bd: DUP9 000002be: DUP4 000002bf: CALL 000002c0: SWAP4 000002c1: POP 000002c2: POP 000002c3: POP 000002c4: POP 000002c5: ISZERO 000002c6: JUMPDEST 000002c7: ISZERO 000002c8: PUSH2 0x0549 000002cb: JUMPI 000002cc: PUSH2 0x0002 000002cf: JUMP 000002d0: JUMPDEST 000002d1: PUSH2 0x04db 000002d4: PUSH1 0x04 000002d6: CALLDATALOAD 000002d7: PUSH1 0x01 000002d9: PUSH1 0xa0 000002db: PUSH1 0x02 000002dd: EXP 000002de: SUB 000002df: DUP2 000002e0: AND 000002e1: PUSH1 0x00 000002e3: SWAP1 000002e4: DUP2 000002e5: MSTORE 000002e6: PUSH1 0x20 000002e8: DUP2 000002e9: SWAP1 000002ea: MSTORE 000002eb: PUSH1 0x40 000002ed: SWAP1 000002ee: KECCAK256 000002ef: SLOAD 000002f0: JUMPDEST 000002f1: SWAP2 000002f2: SWAP1 000002f3: POP 000002f4: JUMP 000002f5: JUMPDEST 000002f6: PUSH2 0x046d 000002f9: PUSH1 0x04 000002fb: DUP1 000002fc: SLOAD 000002fd: PUSH1 0x40 000002ff: DUP1 00000300: MLOAD 00000301: PUSH1 0x20 00000303: PUSH1 0x02 00000305: PUSH1 0x00 00000307: NOT 00000308: PUSH2 0x0100 0000030b: PUSH1 0x01 0000030d: DUP8 0000030e: AND 0000030f: ISZERO 00000310: MUL 00000311: ADD 00000312: SWAP1 00000313: SWAP5 00000314: AND 00000315: SWAP4 00000316: SWAP1 00000317: SWAP4 00000318: DIV 00000319: PUSH1 0x1f 0000031b: DUP2 0000031c: ADD 0000031d: DUP5 0000031e: SWAP1 0000031f: DIV 00000320: DUP5 00000321: MUL 00000322: DUP3 00000323: ADD 00000324: DUP5 00000325: ADD 00000326: SWAP1 00000327: SWAP3 00000328: MSTORE 00000329: DUP2 0000032a: DUP2 0000032b: MSTORE 0000032c: SWAP3 0000032d: SWAP2 0000032e: DUP4 0000032f: ADD 00000330: DUP3 00000331: DUP3 00000332: DUP1 00000333: ISZERO 00000334: PUSH2 0x052e 00000337: JUMPI 00000338: DUP1 00000339: PUSH1 0x1f 0000033b: LT 0000033c: PUSH2 0x0503 0000033f: JUMPI 00000340: PUSH2 0x0100 00000343: DUP1 00000344: 
DUP4 00000345: SLOAD 00000346: DIV 00000347: MUL 00000348: DUP4 00000349: MSTORE 0000034a: SWAP2 0000034b: PUSH1 0x20 0000034d: ADD 0000034e: SWAP2 0000034f: PUSH2 0x052e 00000352: JUMP 00000353: JUMPDEST 00000354: PUSH2 0x0425 00000357: PUSH1 0x04 00000359: CALLDATALOAD 0000035a: PUSH1 0x24 0000035c: CALLDATALOAD 0000035d: CALLER 0000035e: PUSH1 0x01 00000360: PUSH1 0xa0 00000362: PUSH1 0x02 00000364: EXP 00000365: SUB 00000366: AND 00000367: PUSH1 0x00 00000369: SWAP1 0000036a: DUP2 0000036b: MSTORE 0000036c: PUSH1 0x20 0000036e: DUP2 0000036f: SWAP1 00000370: MSTORE 00000371: PUSH1 0x40 00000373: DUP2 00000374: KECCAK256 00000375: SLOAD 00000376: DUP3 00000377: SWAP1 00000378: LT 00000379: DUP1 0000037a: ISZERO 0000037b: SWAP1 0000037c: PUSH2 0x0385 0000037f: JUMPI 00000380: POP 00000381: PUSH1 0x00 00000383: DUP3 00000384: GT 00000385: JUMPDEST 00000386: ISZERO 00000387: PUSH2 0x0551 0000038a: JUMPI 0000038b: CALLER 0000038c: PUSH1 0x01 0000038e: PUSH1 0xa0 00000390: PUSH1 0x02 00000392: EXP 00000393: SUB 00000394: SWAP1 00000395: DUP2 00000396: AND 00000397: PUSH1 0x00 00000399: DUP2 0000039a: DUP2 0000039b: MSTORE 0000039c: PUSH1 0x20 0000039e: DUP2 0000039f: DUP2 000003a0: MSTORE 000003a1: PUSH1 0x40 000003a3: DUP1 000003a4: DUP4 000003a5: KECCAK256 000003a6: DUP1 000003a7: SLOAD 000003a8: DUP9 000003a9: SWAP1 000003aa: SUB 000003ab: SWAP1 000003ac: SSTORE 000003ad: SWAP4 000003ae: DUP8 000003af: AND 000003b0: DUP1 000003b1: DUP4 000003b2: MSTORE 000003b3: SWAP2 000003b4: DUP5 000003b5: SWAP1 000003b6: KECCAK256 000003b7: DUP1 000003b8: SLOAD 000003b9: DUP8 000003ba: ADD 000003bb: SWAP1 000003bc: SSTORE 000003bd: DUP4 000003be: MLOAD 000003bf: DUP7 000003c0: DUP2 000003c1: MSTORE 000003c2: SWAP4 000003c3: MLOAD 000003c4: SWAP2 000003c5: SWAP4 000003c6: PUSH32 0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef 000003e7: SWAP3 000003e8: SWAP1 000003e9: DUP2 000003ea: SWAP1 000003eb: SUB 000003ec: SWAP1 000003ed: SWAP2 000003ee: ADD 000003ef: 
SWAP1 000003f0: LOG3 000003f1: POP 000003f2: PUSH1 0x01 000003f4: PUSH2 0x015c 000003f7: JUMP 000003f8: JUMPDEST 000003f9: CALLER 000003fa: PUSH1 0x01 000003fc: PUSH1 0xa0 000003fe: PUSH1 0x02 00000400: EXP 00000401: SUB 00000402: AND 00000403: PUSH1 0x00 00000405: SWAP1 00000406: DUP2 00000407: MSTORE 00000408: PUSH1 0x20 0000040a: DUP2 0000040b: SWAP1 0000040c: MSTORE 0000040d: PUSH1 0x40 0000040f: SWAP1 00000410: KECCAK256 00000411: DUP1 00000412: SLOAD 00000413: CALLVALUE 00000414: SWAP1 00000415: DUP2 00000416: ADD 00000417: SWAP1 00000418: SWAP2 00000419: SSTORE 0000041a: PUSH1 0x02 0000041c: DUP1 0000041d: SLOAD 0000041e: SWAP1 0000041f: SWAP2 00000420: ADD 00000421: SWAP1 00000422: SSTORE 00000423: PUSH1 0x01 00000425: JUMPDEST 00000426: PUSH1 0x40 00000428: DUP1 00000429: MLOAD 0000042a: SWAP2 0000042b: ISZERO 0000042c: ISZERO 0000042d: DUP3 0000042e: MSTORE 0000042f: MLOAD 00000430: SWAP1 00000431: DUP2 00000432: SWAP1 00000433: SUB 00000434: PUSH1 0x20 00000436: ADD 00000437: SWAP1 00000438: RETURN 00000439: JUMPDEST 0000043a: PUSH2 0x04db 0000043d: PUSH1 0x04 0000043f: CALLDATALOAD 00000440: PUSH1 0x24 00000442: CALLDATALOAD 00000443: PUSH1 0x01 00000445: PUSH1 0xa0 00000447: PUSH1 0x02 00000449: EXP 0000044a: SUB 0000044b: DUP3 0000044c: DUP2 0000044d: AND 0000044e: PUSH1 0x00 00000450: SWAP1 00000451: DUP2 00000452: MSTORE 00000453: PUSH1 0x01 00000455: PUSH1 0x20 00000457: SWAP1 00000458: DUP2 00000459: MSTORE 0000045a: PUSH1 0x40 0000045c: DUP1 0000045d: DUP4 0000045e: KECCAK256 0000045f: SWAP4 00000460: DUP6 00000461: AND 00000462: DUP4 00000463: MSTORE 00000464: SWAP3 00000465: SWAP1 00000466: MSTORE 00000467: KECCAK256 00000468: SLOAD 00000469: PUSH2 0x015c 0000046c: JUMP 0000046d: JUMPDEST 0000046e: PUSH1 0x40 00000470: MLOAD 00000471: DUP1 00000472: DUP1 00000473: PUSH1 0x20 00000475: ADD 00000476: DUP3 00000477: DUP2 00000478: SUB 00000479: DUP3 0000047a: MSTORE 0000047b: DUP4 0000047c: DUP2 0000047d: DUP2 0000047e: MLOAD 0000047f: DUP2 
00000480: MSTORE 00000481: PUSH1 0x20 00000483: ADD 00000484: SWAP2 00000485: POP 00000486: DUP1 00000487: MLOAD 00000488: SWAP1 00000489: PUSH1 0x20 0000048b: ADD 0000048c: SWAP1 0000048d: DUP1 0000048e: DUP4 0000048f: DUP4 00000490: DUP3 00000491: SWAP1 00000492: PUSH1 0x00 00000494: PUSH1 0x04 00000496: PUSH1 0x20 00000498: DUP5 00000499: PUSH1 0x1f 0000049b: ADD 0000049c: DIV 0000049d: PUSH1 0x03 0000049f: MUL 000004a0: PUSH1 0x0f 000004a2: ADD 000004a3: CALL 000004a4: POP 000004a5: SWAP1 000004a6: POP 000004a7: SWAP1 000004a8: DUP2 000004a9: ADD 000004aa: SWAP1 000004ab: PUSH1 0x1f 000004ad: AND 000004ae: DUP1 000004af: ISZERO 000004b0: PUSH2 0x04cd 000004b3: JUMPI 000004b4: DUP1 000004b5: DUP3 000004b6: SUB 000004b7: DUP1 000004b8: MLOAD 000004b9: PUSH1 0x01 000004bb: DUP4 000004bc: PUSH1 0x20 000004be: SUB 000004bf: PUSH2 0x0100 000004c2: EXP 000004c3: SUB 000004c4: NOT 000004c5: AND 000004c6: DUP2 000004c7: MSTORE 000004c8: PUSH1 0x20 000004ca: ADD 000004cb: SWAP2 000004cc: POP 000004cd: JUMPDEST 000004ce: POP 000004cf: SWAP3 000004d0: POP 000004d1: POP 000004d2: POP 000004d3: PUSH1 0x40 000004d5: MLOAD 000004d6: DUP1 000004d7: SWAP2 000004d8: SUB 000004d9: SWAP1 000004da: RETURN 000004db: JUMPDEST 000004dc: PUSH1 0x40 000004de: DUP1 000004df: MLOAD 000004e0: SWAP2 000004e1: DUP3 000004e2: MSTORE 000004e3: MLOAD 000004e4: SWAP1 000004e5: DUP2 000004e6: SWAP1 000004e7: SUB 000004e8: PUSH1 0x20 000004ea: ADD 000004eb: SWAP1 000004ec: RETURN 000004ed: JUMPDEST 000004ee: PUSH1 0x40 000004f0: DUP1 000004f1: MLOAD 000004f2: PUSH1 0xff 000004f4: SWAP1 000004f5: SWAP3 000004f6: AND 000004f7: DUP3 000004f8: MSTORE 000004f9: MLOAD 000004fa: SWAP1 000004fb: DUP2 000004fc: SWAP1 000004fd: SUB 000004fe: PUSH1 0x20 00000500: ADD 00000501: SWAP1 00000502: RETURN 00000503: JUMPDEST 00000504: DUP3 00000505: ADD 00000506: SWAP2 00000507: SWAP1 00000508: PUSH1 0x00 0000050a: MSTORE 0000050b: PUSH1 0x20 0000050d: PUSH1 0x00 0000050f: KECCAK256 00000510: SWAP1 00000511: 
JUMPDEST 00000512: DUP2 00000513: SLOAD 00000514: DUP2 00000515: MSTORE 00000516: SWAP1 00000517: PUSH1 0x01 00000519: ADD 0000051a: SWAP1 0000051b: PUSH1 0x20 0000051d: ADD 0000051e: DUP1 0000051f: DUP4 00000520: GT 00000521: PUSH2 0x0511 00000524: JUMPI 00000525: DUP3 00000526: SWAP1 00000527: SUB 00000528: PUSH1 0x1f 0000052a: AND 0000052b: DUP3 0000052c: ADD 0000052d: SWAP2 0000052e: JUMPDEST 0000052f: POP 00000530: POP 00000531: POP 00000532: POP 00000533: POP 00000534: DUP2 00000535: JUMP 00000536: JUMPDEST 00000537: POP 00000538: PUSH1 0x00 0000053a: JUMPDEST 0000053b: SWAP4 0000053c: SWAP3 0000053d: POP 0000053e: POP 0000053f: POP 00000540: JUMP 00000541: JUMPDEST 00000542: POP 00000543: PUSH1 0x00 00000545: PUSH2 0x02f0 00000548: JUMP 00000549: JUMPDEST 0000054a: POP 0000054b: PUSH1 0x01 0000054d: PUSH2 0x02f0 00000550: JUMP 00000551: JUMPDEST 00000552: POP 00000553: PUSH1 0x00 00000555: PUSH2 0x015c 00000558: JUMP
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | other | detector | Untrusted CALL target/value reachable | 60 | yes | yes |
trace_id: 0x3554945fdab5b5ab30ffb534405f3fed0a7e583590079e8e783d9da2b9ea92d2
call_targets:
0x0000000000000000000000000000000000000004, 0x92f1dbea03ce08225e31e95cc926ddbe0198e6f2
target_varies:
yes
classification:
target_varies
validation_json
{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x3554945fdab5b5ab30ffb534405f3fed0a7e583590079e8e783d9da2b9ea92d2",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x92f1dbea03ce08225e31e95cc926ddbe0198e6f2"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json
{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x095ea7b3",
"selector": "0x095ea7b3",
"calldata_variants": [
"0x095ea7b3",
"0x095ea7b30000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x18160ddd",
"selector": "0x18160ddd",
"calldata_variants": [
"0x18160ddd",
"0x18160ddd0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x23b872dd",
"selector": "0x23b872dd",
"calldata_variants": [
"0x23b872dd",
"0x23b872dd0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x6c11bcd3",
"selector": "0x6c11bcd3",
"calldata_variants": [
"0x6c11bcd3",
"0x6c11bcd30000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x70a08231",
"selector": "0x70a08231",
"calldata_variants": [
"0x70a08231",
"0x70a082310000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x95d89b41",
"selector": "0x95d89b41",
"calldata_variants": [
"0x95d89b41",
"0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json
{
"examples": [
{
"pc": 703,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 1187,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 2,
"guards_detected": [],
"untrusted_call_count": 2
}
|
| high | other | detector | ETH value transfer possible | 55 | yes | yes |
trace_id: 0x3554945fdab5b5ab30ffb534405f3fed0a7e583590079e8e783d9da2b9ea92d2
call_targets:
0x0000000000000000000000000000000000000004, 0x92f1dbea03ce08225e31e95cc926ddbe0198e6f2
target_varies:
yes
classification:
target_varies
validation_json
{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x3554945fdab5b5ab30ffb534405f3fed0a7e583590079e8e783d9da2b9ea92d2",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x92f1dbea03ce08225e31e95cc926ddbe0198e6f2"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json
{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x095ea7b3",
"selector": "0x095ea7b3",
"calldata_variants": [
"0x095ea7b3",
"0x095ea7b30000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x18160ddd",
"selector": "0x18160ddd",
"calldata_variants": [
"0x18160ddd",
"0x18160ddd0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x23b872dd",
"selector": "0x23b872dd",
"calldata_variants": [
"0x23b872dd",
"0x23b872dd0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x6c11bcd3",
"selector": "0x6c11bcd3",
"calldata_variants": [
"0x6c11bcd3",
"0x6c11bcd30000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x70a08231",
"selector": "0x70a08231",
"calldata_variants": [
"0x70a08231",
"0x70a082310000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x95d89b41",
"selector": "0x95d89b41",
"calldata_variants": [
"0x95d89b41",
"0x95d89b410000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json
{
"examples": [
{
"pc": 703,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 1187,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 2,
"guards_detected": []
}
|
| medium | other | codex | Dynamic external CALL with computed target/value (possible ETH forwarding) | 75 | no | — |
evidence_json
{
"evidence": "detector_findings report CALL at pc 703 and pc 1187 with computed target/value and no guards detected; validation shows target varies and nonzero ETH value is possible; returndata_checked is null at both sites.",
"locations": [
"pc:703",
"pc:1187"
],
"recommendation": "Restrict or validate the call target (allowlist or fixed target), cap value to expected amounts (ideally zero unless explicitly intended), and consider using pull-style payments. If the call is a hook (e.g., transfer-and-call), document it clearly and avoid forwarding contract ETH.",
"exploit_scenario": "If a publicly reachable function feeds user-controlled parameters into the CALL target/value, an attacker can direct the contract to call arbitrary addresses (including their own) and potentially forward ETH from the contract balance or msg.value. This can lead to ETH loss or unexpected external interactions; evidence confirms the target can vary, but bytecode-only analysis cannot prove who controls it."
}
|
| low | reentrancy | codex | External CALLs without detected reentrancy guard | 65 | no | — |
evidence_json
{
"evidence": "No guards detected in detector_findings; CALL opcodes at pc 703 and pc 1187 are reachable with dynamic targets, creating a reentrancy surface.",
"locations": [
"pc:703",
"pc:1187"
],
"recommendation": "Add a reentrancy guard around functions that perform external calls, or restructure to minimize cross-function reentrancy exposure (e.g., limit callable hooks, use checks-effects-interactions with careful invariant review).",
"exploit_scenario": "A malicious callee could reenter during the external CALL (pc 703 or pc 1187) and invoke other state-changing functions while execution is in-flight. The bytecode analysis did not detect reentrancy guards; impact depends on whether these callsites are reachable from state-mutating logic and on invariant design, which cannot be confirmed from bytecode alone."
}
|