019ba940-88c4-712e-a280-97a8be91c73d
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 36392 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 36393 | proxy.resolve | complete | 1 / 3 | 3 months ago |
| 36394 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 36395 | analysis.bundle | complete | 1 / 3 | 3 months ago |
| 36396 | capability.graph | complete | 1 / 3 | 3 months ago |
| 36397 | detector.run | complete | 1 / 3 | 3 months ago |
| 36398 | validation.fork | complete | 1 / 3 | 3 months ago |
| 36827 | report.consolidate | complete | 1 / 6 | 3 months ago |
{
"method": "etherscan+onchain",
"status": "confirmed",
"etherscan_hint": {
"source": "etherscan",
"etherscan": {
"proxy_flag": true,
"implementation": "0x5acae76a83d9770370989738452ad3a8be3c54dd"
}
},
"implementation": "0x5acae76a83d9770370989738452ad3a8be3c54dd",
"onchain_method": "eip1967"
}
No slither job recorded yet.
{"no_findings":false,"summary":"Two issues found: a pre-initialization call can permanently lock base indices, and oracle prices are accepted without freshness checks.","findings":[{"severity":"high","category":"upgradeability","title":"Pre-initialization call can permanently lock base indices and brick base actions","exploit_scenario":"If the contract is deployed without immediately calling `initializeStorage`, any user can call `accrueAccount` (or `absorb`) first. This triggers `accrueInternal`, which sets `lastAccrualTime` while `baseSupplyIndex`/`baseBorrowIndex` remain zero. After that, `initializeStorage` reverts (`AlreadyInitialized`), leaving indices at zero forever. Subsequent base operations that compute `principalValue` will revert due to division by zero, effectively bricking supply/borrow/transfer of the base asset.","recommendation":"Call `initializeStorage` in the constructor or ensure it can run even if `lastAccrualTime` was set (e.g., gate on `baseSupplyIndex == 0 && baseBorrowIndex == 0` instead). Alternatively, block `accrueInternal`/`accrueAccount`/`absorb` until initialization has set non-zero indices.","evidence":"`initializeStorage` only guards on `lastAccrualTime` and sets indices, while `accrueInternal` updates `lastAccrualTime` without initializing indices. `accrueAccount` is externally callable and invokes `accrueInternal`.","locations":["contracts/CometWithExtendedAssetList.sol:203","contracts/CometWithExtendedAssetList.sol:270","contracts/CometWithExtendedAssetList.sol:285"]},{"severity":"medium","category":"oracle","title":"Oracle freshness not validated (stale price risk)","exploit_scenario":"`getPrice` accepts `latestRoundData()` without checking `updatedAt` or `answeredInRound`. If a feed is stale or stops updating, collateralization checks and `buyCollateral` pricing can use outdated prices, enabling undercollateralized borrowing or discounted collateral purchases during oracle outages.","recommendation":"Validate `updatedAt` against a maximum staleness threshold, require `answeredInRound >= roundId`, and on L2s consider a sequencer uptime feed before accepting prices.","evidence":"`getPrice` only checks `price > 0` and returns the value without staleness or round validity checks.","locations":["contracts/CometWithExtendedAssetList.sol:340"]}]}
OpenAI Codex v0.77.0 (research preview)
--------
workdir: /tmp/codex-k24gm6gr
model: gpt-5.2-codex
provider: openai
approval: never
sandbox: read-only
reasoning effort: xhigh
reasoning summaries: auto
session id: 019ba943-ea6b-7f23-aa38-0dfda2da9f8c
--------
user
Context: The user requested the proxy at 0x5d409e56d886231adaf00c8775665ad0f9897b56.
Audit the implementation at 0x5acae76a83d9770370989738452ad3a8be3c54dd.
Findings should refer to the implementation unless explicitly about proxy mechanics.
You are a security auditor. Audit this Solidity codebase for exploitable vulnerabilities.
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation, oracle manipulation,
accounting/invariant breaks, external call patterns, unchecked return values, and dangerous delegatecall.
Scope rules:
- You MUST fully read `AUDIT_BUNDLE.txt` before concluding. It contains the complete contents of all first-party Solidity sources in this workspace.
- Treat `lib/` and `@openzeppelin/` as third-party dependencies; skip them unless there is a concrete misuse angle in first-party code.
- If there are only dependency files and no first-party sources, set no_findings=true and explain in summary.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title and file/line locations when possible.
Output constraints (IMPORTANT):
- severity MUST be exactly one of: info, low, medium, high, critical (lowercase).
- category MUST be exactly one of: access_control, reentrancy, math, oracle, upgradeability, auth, other.
Keep summary short and concrete.
mcp startup: no servers
thinking
**Reviewing AUDIT_BUNDLE file**
exec
/bin/bash -lc ls in /tmp/codex-k24gm6gr succeeded in 5ms:
AUDIT_BUNDLE.txt
codex-output-schema.json
contracts
exec
/bin/bash -lc 'cat AUDIT_BUNDLE.txt' in /tmp/codex-k24gm6gr succeeded in 5ms:
This file concatenates the full contents of first-party Solidity sources for auditing.
Do not treat dependency code under lib/ or @openzeppelin/ as first-party.
================================================================================
FILE: contracts/CometConfiguration.sol
================================================================================
// SPDX-License-Identifier: BUSL-1.1
pragma solidity 0.8.15;
/**
* @title Compound's Comet Configuration Interface
* @author Compound
*/
contract CometConfiguration {
struct ExtConfiguration {
bytes32 name32;
bytes32 symbol32;
}
struct Configuration {
thinking
**Noticing truncated output requiring full file read**
exec
/bin/bash -lc 'rg -n "contract CometWithExtendedAssetList" -n contracts/CometWithExtendedAssetList.sol' in /tmp/codex-k24gm6gr succeeded in 16ms:
16:contract CometWithExtendedAssetList is CometMainInterface {
exec
/bin/bash -lc "sed -n '1,240p' contracts/CometWithExtendedAssetList.sol" in /tmp/codex-k24gm6gr succeeded in 29ms:
// SPDX-License-Identifier: BUSL-1.1
pragma solidity 0.8.15;
import "./CometMainInterface.sol";
import "./IERC20NonStandard.sol";
import "./IPriceFeed.sol";
import "./IAssetListFactory.sol";
import "./IAssetListFactoryHolder.sol";
import "./IAssetList.sol";
/**
* @title Compound's Comet Contract
* @notice An efficient monolithic money market protocol
* @author Compound
*/
contract CometWithExtendedAssetList is CometMainInterface {
/** General configuration constants **/
/// @notice The admin of the protocol
address public override immutable governor;
exec
/bin/bash -lc "sed -n '240,480p' contracts/CometWithExtendedAssetList.sol" in /tmp/codex-k24gm6gr succeeded in 5ms:
revert BadAsset();
}
/**
* @return The current timestamp
**/
function getNowInternal() virtual internal view returns (uint40) {
if (block.timestamp >= 2**40) revert TimestampTooLarge();
return uint40(block.timestamp);
}
/**
* @dev Calculate accrued interest indices for base token supply and borrows
**/
function accruedInterestIndices(uint timeElapsed) internal view returns (uint64, uint64) {
uint64 baseSupplyIndex_ = baseSupplyIndex;
uint64 baseBorrowIndex_ = baseBorrowIndex;
if (timeElapsed > 0) {
uint utilization = getUtilization();
uint supplyRate = getSupplyRate(utilization);
exec
/bin/bash -lc "sed -n '480,960p' contracts/CometWithExtendedAssetList.sol" in /tmp/codex-k24gm6gr succeeded in 29ms:
return (uint104(oldPrincipal - newPrincipal), 0);
} else if (oldPrincipal <= 0) {
return (0, uint104(oldPrincipal - newPrincipal));
} else {
return (uint104(oldPrincipal), uint104(-newPrincipal));
}
}
/**
* @notice Pauses different actions within Comet
* @param supplyPaused Boolean for pausing supply actions
* @param transferPaused Boolean for pausing transfer actions
* @param withdrawPaused Boolean for pausing withdraw actions
* @param absorbPaused Boolean for pausing absorb actions
* @param buyPaused Boolean for pausing buy actions
*/
function pause(
bool supplyPaused,
bool transferPaused,
bool withdrawPaused,
thinking
**Analyzing potential vulnerabilities in CometWithExtendedAssetList**
thinking
**Examining asset offset risks and reentrancy guard interactions**
I’m parsing potential issues with assetList offsets possibly causing misaligned collateral tracking that could affect liquidation logic. I’m also considering how the shared storage slot for the reentrancy guard might interact between the base contract and the delegate extension through fallback delegatecall, which could lead to subtle storage collisions or conflicts.
exec
/bin/bash -lc 'rg --files contracts' in /tmp/codex-k24gm6gr succeeded in 38ms:
contracts/IPriceFeed.sol
contracts/IAssetListFactory.sol
contracts/IERC20NonStandard.sol
contracts/CometWithExtendedAssetList.sol
contracts/CometCore.sol
contracts/CometConfiguration.sol
contracts/CometMath.sol
contracts/CometStorage.sol
contracts/IAssetList.sol
contracts/IAssetListFactoryHolder.sol
contracts/CometMainInterface.sol
thinking
**Analyzing CometWithExtendedAssetList for vulnerabilities**
exec
/bin/bash -lc 'rg -n "MAX_ASSETS" contracts' in /tmp/codex-k24gm6gr succeeded in 11ms:
contracts/CometWithExtendedAssetList.sol:109: uint8 internal constant MAX_ASSETS_FOR_ASSET_LIST = 24;
contracts/CometWithExtendedAssetList.sol:120: if (config.assetConfigs.length > MAX_ASSETS_FOR_ASSET_LIST) revert TooManyAssets();
contracts/CometCore.sol:25: uint8 internal constant MAX_ASSETS = 15;
Reconnecting... 1/5
thinking
**Analyzing reentrancy and initialization risks**
There's a deep examination of potential reentrancy via assetList calls, concluding that nonReentrant guards block most paths and view-only functions are safe. I'm also exploring dangers around initialization order: if functions that update lastAccrualTime run before initializeStorage sets base indices, the protocol gets stuck with zero indices and inevitable division-by-zero reverts, effectively bricking the system. This could happen if accrueInternal is called prematurely—definitely worth highlighting as a critical risk!
thinking
**Investigating initialization blocking and division errors**
The analysis points out that calling accrueAccount or absorb before initializeStorage sets base indices permanently blocks proper initialization, leaving indices at zero and causing critical division-by-zero errors in supply, withdraw, and transfer functions. This can brick the protocol by preventing any base operations despite no access controls restricting early calls—definitely a serious vulnerability related to initialization order and state management.
exec
/bin/bash -lc "nl -ba contracts/CometWithExtendedAssetList.sol | sed -n '140,240p'" in /tmp/codex-k24gm6gr succeeded in 11ms:
140 baseTrackingSupplySpeed = config.baseTrackingSupplySpeed;
141 baseTrackingBorrowSpeed = config.baseTrackingBorrowSpeed;
142
143 baseBorrowMin = config.baseBorrowMin;
144 targetReserves = config.targetReserves;
145 }
146
147 // Set interest rate model configs
148 unchecked {
149 supplyKink = config.supplyKink;
150 supplyPerSecondInterestRateSlopeLow = config.supplyPerYearInterestRateSlopeLow / SECONDS_PER_YEAR;
151 supplyPerSecondInterestRateSlopeHigh = config.supplyPerYearInterestRateSlopeHigh / SECONDS_PER_YEAR;
152 supplyPerSecondInterestRateBase = config.supplyPerYearInterestRateBase / SECONDS_PER_YEAR;
153 borrowKink = config.borrowKink;
154 borrowPerSecondInterestRateSlopeLow = config.borrowPerYearInterestRateSlopeLow / SECONDS_PER_YEAR;
155 borrowPerSecondInterestRateSlopeHigh = config.borrowPerYearInterestRateSlopeHigh / SECONDS_PER_YEAR;
156 borrowPerSecondInterestRateBase = config.borrowPerYearInterestRateBase / SECONDS_PER_YEAR;
157 }
158
159 // Set asset info
thinking
**Identifying missing lines for accruing methods**
exec
/bin/bash -lc "nl -ba contracts/CometWithExtendedAssetList.sol | sed -n '260,360p'" in /tmp/codex-k24gm6gr succeeded in 6ms:
260 uint borrowRate = getBorrowRate(utilization);
261 baseSupplyIndex_ += safe64(mulFactor(baseSupplyIndex_, supplyRate * timeElapsed));
262 baseBorrowIndex_ += safe64(mulFactor(baseBorrowIndex_, borrowRate * timeElapsed));
263 }
264 return (baseSupplyIndex_, baseBorrowIndex_);
265 }
266
267 /**
268 * @dev Accrue interest (and rewards) in base token supply and borrows
269 **/
270 function accrueInternal() internal {
271 uint40 now_ = getNowInternal();
272 uint timeElapsed = uint256(now_ - lastAccrualTime);
273 if (timeElapsed > 0) {
274 (baseSupplyIndex, baseBorrowIndex) = accruedInterestIndices(timeElapsed);
275 if (totalSupplyBase >= baseMinForRewards) {
276 trackingSupplyIndex += safe64(divBaseWei(baseTrackingSupplySpeed * timeElapsed, totalSupplyBase));
277 }
278 if (totalBorrowBase >= baseMinForRewards) {
279 trackingBorrowIndex += safe64(divBaseWei(baseTrackingBorrowSpeed * timeElapsed, totalBorrowBase));
thinking
**Summarizing oracle and upgradeability findings**
codex
{"no_findings":false,"summary":"Two issues found: a pre-initialization call can permanently lock base indices, and oracle prices are accepted without freshness checks.","findings":[{"severity":"high","category":"upgradeability","title":"Pre-initialization call can permanently lock base indices and brick base actions","exploit_scenario":"If the contract is deployed without immediately calling `initializeStorage`, any user can call `accrueAccount` (or `absorb`) first. This triggers `accrueInternal`, which sets `lastAccrualTime` while `baseSupplyIndex`/`baseBorrowIndex` remain zero. After that, `initializeStorage` reverts (`AlreadyInitialized`), leaving indices at zero forever. Subsequent base operations that compute `principalValue` will revert due to division by zero, effectively bricking supply/borrow/transfer of the base asset.","recommendation":"Call `initializeStorage` in the constructor or ensure it can run even if `lastAccrualTime` was set (e.g., gate on `baseSupplyIndex == 0 && baseBorrowIndex == 0` instead). Alternatively, block `accrueInternal`/`accrueAccount`/`absorb` until initialization has set non-zero indices.","evidence":"`initializeStorage` only guards on `lastAccrualTime` and sets indices, while `accrueInternal` updates `lastAccrualTime` without initializing indices. `accrueAccount` is externally callable and invokes `accrueInternal`.","locations":["contracts/CometWithExtendedAssetList.sol:203","contracts/CometWithExtendedAssetList.sol:270","contracts/CometWithExtendedAssetList.sol:285"]},{"severity":"medium","category":"oracle","title":"Oracle freshness not validated (stale price risk)","exploit_scenario":"`getPrice` accepts `latestRoundData()` without checking `updatedAt` or `answeredInRound`. If a feed is stale or stops updating, collateralization checks and `buyCollateral` pricing can use outdated prices, enabling undercollateralized borrowing or discounted collateral purchases during oracle outages.","recommendation":"Validate `updatedAt` against a maximum staleness threshold, require `answeredInRound >= roundId`, and on L2s consider a sequencer uptime feed before accepting prices.","evidence":"`getPrice` only checks `price > 0` and returns the value without staleness or round validity checks.","locations":["contracts/CometWithExtendedAssetList.sol:340"]}]}
tokens used
48,997
{
"codex": {
"ran_at": "2026-01-10T19:02:50.563818+00:00",
"returncode": 0
},
"project": {
"mode": "source",
"file_count": 11,
"import_count": 10,
"first_party_contracts_count": 11
},
"summary": "Two issues found: a pre-initialization call can permanently lock base indices, and oracle prices are accepted without freshness checks.",
"raw_final": {
"summary": "Two issues found: a pre-initialization call can permanently lock base indices, and oracle prices are accepted without freshness checks.",
"findings": [
{
"title": "Pre-initialization call can permanently lock base indices and brick base actions",
"category": "upgradeability",
"evidence": "`initializeStorage` only guards on `lastAccrualTime` and sets indices, while `accrueInternal` updates `lastAccrualTime` without initializing indices. `accrueAccount` is externally callable and invokes `accrueInternal`.",
"severity": "high",
"locations": [
"contracts/CometWithExtendedAssetList.sol:203",
"contracts/CometWithExtendedAssetList.sol:270",
"contracts/CometWithExtendedAssetList.sol:285"
],
"recommendation": "Call `initializeStorage` in the constructor or ensure it can run even if `lastAccrualTime` was set (e.g., gate on `baseSupplyIndex == 0 && baseBorrowIndex == 0` instead). Alternatively, block `accrueInternal`/`accrueAccount`/`absorb` until initialization has set non-zero indices.",
"exploit_scenario": "If the contract is deployed without immediately calling `initializeStorage`, any user can call `accrueAccount` (or `absorb`) first. This triggers `accrueInternal`, which sets `lastAccrualTime` while `baseSupplyIndex`/`baseBorrowIndex` remain zero. After that, `initializeStorage` reverts (`AlreadyInitialized`), leaving indices at zero forever. Subsequent base operations that compute `principalValue` will revert due to division by zero, effectively bricking supply/borrow/transfer of the base asset."
},
{
"title": "Oracle freshness not validated (stale price risk)",
"category": "oracle",
"evidence": "`getPrice` only checks `price > 0` and returns the value without staleness or round validity checks.",
"severity": "medium",
"locations": [
"contracts/CometWithExtendedAssetList.sol:340"
],
"recommendation": "Validate `updatedAt` against a maximum staleness threshold, require `answeredInRound >= roundId`, and on L2s consider a sequencer uptime feed before accepting prices.",
"exploit_scenario": "`getPrice` accepts `latestRoundData()` without checking `updatedAt` or `answeredInRound`. If a feed is stale or stops updating, collateralization checks and `buyCollateral` pricing can use outdated prices, enabling undercollateralized borrowing or discounted collateral purchases during oracle outages."
}
],
"no_findings": false
},
"no_findings": false,
"proxy_context": {
"proxy_run_id": "019ba940-88c4-712e-a280-97a8be91c73d",
"proxy_address": "0x5d409e56d886231adaf00c8775665ad0f9897b56",
"implementation_run_id": "019ba941-db43-73b2-a5a6-bf37ca006e94",
"implementation_address": "0x5acae76a83d9770370989738452ad3a8be3c54dd"
},
"schema_version": 1
}
00000000: PUSH1 0x80 00000002: PUSH1 0x40 00000004: MSTORE 00000005: PUSH1 0x04 00000007: CALLDATASIZE 00000008: LT 00000009: ISZERO 0000000a: PUSH2 0x002c 0000000d: JUMPI 0000000e: JUMPDEST 0000000f: CALLDATASIZE 00000010: ISZERO 00000011: PUSH2 0x001f 00000014: JUMPI 00000015: JUMPDEST 00000016: PUSH2 0x001d 00000019: PUSH2 0x0350 0000001c: JUMP 0000001d: JUMPDEST 0000001e: STOP 0000001f: JUMPDEST 00000020: PUSH2 0x0027 00000023: PUSH2 0x0350 00000026: JUMP 00000027: JUMPDEST 00000028: PUSH2 0x0015 0000002b: JUMP 0000002c: JUMPDEST 0000002d: PUSH1 0x00 0000002f: DUP1 00000030: CALLDATALOAD 00000031: PUSH1 0xe0 00000033: SHR 00000034: SWAP1 00000035: DUP2 00000036: PUSH4 0x3659cfe6 0000003b: EQ 0000003c: PUSH2 0x0093 0000003f: JUMPI 00000040: POP 00000041: DUP1 00000042: PUSH4 0x4f1ef286 00000047: EQ 00000048: PUSH2 0x008a 0000004b: JUMPI 0000004c: DUP1 0000004d: PUSH4 0x5c60da1b 00000052: EQ 00000053: PUSH2 0x0081 00000056: JUMPI 00000057: DUP1 00000058: PUSH4 0x8f283970 0000005d: EQ 0000005e: PUSH2 0x0078 00000061: JUMPI 00000062: PUSH4 0xf851a440 00000067: SUB 00000068: PUSH2 0x000e 0000006b: JUMPI 0000006c: PUSH2 0x0073 0000006f: PUSH2 0x0306 00000072: JUMP 00000073: JUMPDEST 00000074: PUSH2 0x000e 00000077: JUMP 00000078: JUMPDEST 00000079: POP 0000007a: PUSH2 0x0073 0000007d: PUSH2 0x0224 00000080: JUMP 00000081: JUMPDEST 00000082: POP 00000083: PUSH2 0x0073 00000086: PUSH2 0x01be 00000089: JUMP 0000008a: JUMPDEST 0000008b: POP 0000008c: PUSH2 0x0073 0000008f: PUSH2 0x011a 00000092: JUMP 00000093: JUMPDEST 00000094: CALLVALUE 00000095: PUSH2 0x00fe 00000098: JUMPI 00000099: PUSH1 0x20 0000009b: CALLDATASIZE 0000009c: PUSH1 0x03 0000009e: NOT 0000009f: ADD 000000a0: SLT 000000a1: PUSH2 0x00fe 000000a4: JUMPI 000000a5: PUSH2 0x00ae 000000a8: PUSH1 0x04 000000aa: PUSH2 0x0101 000000ad: JUMP 000000ae: JUMPDEST 000000af: PUSH1 0x00 000000b1: DUP1 000000b2: MLOAD 000000b3: PUSH1 0x20 000000b5: PUSH2 0x06e1 000000b8: DUP4 000000b9: CODECOPY 000000ba: DUP2 000000bb: MLOAD 000000bc: SWAP2 000000bd: MSTORE 000000be: SLOAD 000000bf: DUP3 000000c0: SWAP1 000000c1: CALLER 000000c2: PUSH1 0x01 000000c4: PUSH1 0x01 000000c6: PUSH1 0xa0 000000c8: SHL 000000c9: SUB 000000ca: SWAP1 000000cb: SWAP2 000000cc: AND 000000cd: SUB 000000ce: PUSH2 0x00f4 000000d1: JUMPI 000000d2: PUSH2 0x00ef 000000d5: SWAP2 000000d6: PUSH2 0x00e6 000000d9: PUSH2 0x00e1 000000dc: DUP4 000000dd: PUSH2 0x0461 000000e0: JUMP 000000e1: JUMPDEST 000000e2: PUSH2 0x042f 000000e5: JUMP 000000e6: JUMPDEST 000000e7: SWAP1 000000e8: DUP3 000000e9: DUP3 000000ea: MSTORE 000000eb: PUSH2 0x048b 000000ee: JUMP 000000ef: JUMPDEST 000000f0: PUSH1 0x40 000000f2: MLOAD 000000f3: RETURN 000000f4: JUMPDEST 000000f5: POP 000000f6: POP 000000f7: PUSH2 0x00ef 000000fa: PUSH2 0x0350 000000fd: JUMP 000000fe: JUMPDEST 000000ff: DUP1 00000100: REVERT 00000101: JUMPDEST 00000102: CALLDATALOAD 00000103: SWAP1 00000104: PUSH1 0x01 00000106: PUSH1 0x01 00000108: PUSH1 0xa0 0000010a: SHL 0000010b: SUB 0000010c: DUP3 0000010d: AND 0000010e: DUP3 0000010f: SUB 00000110: PUSH2 0x0115 00000113: JUMPI 00000114: JUMP 00000115: JUMPDEST 00000116: PUSH1 0x00 00000118: DUP1 00000119: REVERT 0000011a: JUMPDEST 0000011b: POP 0000011c: PUSH1 0x40 0000011e: CALLDATASIZE 0000011f: PUSH1 0x03 00000121: NOT 00000122: ADD 00000123: SLT 00000124: PUSH2 0x0115 00000127: JUMPI 00000128: PUSH2 0x0131 0000012b: PUSH1 0x04 0000012d: PUSH2 0x0101 00000130: JUMP 00000131: JUMPDEST 00000132: PUSH1 0x01 00000134: PUSH1 0x01 00000136: PUSH1 0x40 00000138: SHL 00000139: SUB 0000013a: PUSH1 0x24 0000013c: CALLDATALOAD 0000013d: DUP2 0000013e: DUP2 0000013f: GT 00000140: PUSH2 0x0115 00000143: JUMPI 00000144: CALLDATASIZE 00000145: PUSH1 0x23 00000147: DUP3 00000148: ADD 00000149: SLT 0000014a: ISZERO 0000014b: PUSH2 0x0115 0000014e: JUMPI 0000014f: DUP1 00000150: PUSH1 0x04 00000152: ADD 00000153: CALLDATALOAD 00000154: SWAP2 00000155: DUP3 00000156: GT 00000157: PUSH2 0x0115 0000015a: JUMPI 0000015b: CALLDATASIZE 0000015c: PUSH1 0x24 0000015e: DUP4 0000015f: DUP4 00000160: ADD 00000161: ADD 00000162: GT 00000163: PUSH2 0x0115 00000166: JUMPI 00000167: PUSH1 0x00 00000169: DUP1 0000016a: MLOAD 0000016b: PUSH1 0x20 0000016d: PUSH2 0x06e1 00000170: DUP4 00000171: CODECOPY 00000172: DUP2 00000173: MLOAD 00000174: SWAP2 00000175: MSTORE 00000176: SLOAD 00000177: CALLER 00000178: PUSH1 0x01 0000017a: PUSH1 0x01 0000017c: PUSH1 0xa0 0000017e: SHL 0000017f: SUB 00000180: SWAP1 00000181: SWAP2 00000182: AND 00000183: SUB 00000184: PUSH2 0x01b3 00000187: JUMPI 00000188: PUSH2 0x001d 0000018b: SWAP3 0000018c: PUSH1 0x00 0000018e: PUSH1 0x20 00000190: DUP5 00000191: DUP1 00000192: PUSH1 0x24 00000194: PUSH2 0x01a1 00000197: PUSH2 0x00e1 0000019a: PUSH1 0x01 0000019c: SWAP10 0000019d: PUSH2 0x0461 000001a0: JUMP 000001a1: JUMPDEST 000001a2: SWAP7 000001a3: DUP3 000001a4: DUP9 000001a5: MSTORE 000001a6: ADD 000001a7: DUP4 000001a8: DUP8 000001a9: ADD 000001aa: CALLDATACOPY 000001ab: DUP5 000001ac: ADD 000001ad: ADD 000001ae: MSTORE 000001af: PUSH2 0x048b 000001b2: JUMP 000001b3: JUMPDEST 000001b4: POP 000001b5: POP 000001b6: POP 000001b7: PUSH2 0x001d 000001ba: PUSH2 0x0350 000001bd: JUMP 000001be: JUMPDEST 000001bf: POP 000001c0: CALLVALUE 000001c1: PUSH2 0x0115 000001c4: JUMPI 000001c5: PUSH1 0x00 000001c7: CALLDATASIZE 000001c8: PUSH1 0x03 000001ca: NOT 000001cb: ADD 000001cc: SLT 000001cd: PUSH2 0x0115 000001d0: JUMPI 000001d1: PUSH1 0x00 000001d3: DUP1 000001d4: MLOAD 000001d5: PUSH1 0x20 000001d7: PUSH2 0x06e1 000001da: DUP4 000001db: CODECOPY 000001dc: DUP2 000001dd: MLOAD 000001de: SWAP2 000001df: MSTORE 000001e0: SLOAD 000001e1: PUSH1 0x20 000001e3: SWAP1 000001e4: PUSH1 0x01 000001e6: PUSH1 0x01 000001e8: PUSH1 0xa0 000001ea: SHL 000001eb: SUB 000001ec: SWAP1 000001ed: PUSH1 0x00 000001ef: SWAP1 000001f0: CALLER 000001f1: SWAP1 000001f2: DUP4 000001f3: AND 000001f4: SUB 000001f5: PUSH2 0x0216 000001f8: JUMPI 000001f9: POP 000001fa: DUP1 000001fb: PUSH1 0x00 000001fd: DUP1 000001fe: MLOAD 000001ff: PUSH1 0x20 00000201: PUSH2 0x0701 00000204: DUP4 00000205: CODECOPY 00000206: DUP2 00000207: MLOAD 00000208: SWAP2 00000209: MSTORE 0000020a: SLOAD 0000020b: AND 0000020c: SWAP1 0000020d: JUMPDEST 0000020e: PUSH1 0x40 00000210: MLOAD 00000211: SWAP2 00000212: AND 00000213: DUP2 00000214: MSTORE 00000215: RETURN 00000216: JUMPDEST 00000217: SWAP1 00000218: PUSH2 0x021f 0000021b: PUSH2 0x0350 0000021e: JUMP 0000021f: JUMPDEST 00000220: PUSH2 0x020d 00000223: JUMP 00000224: JUMPDEST 00000225: POP 00000226: CALLVALUE 00000227: PUSH2 0x0115 0000022a: JUMPI 0000022b: PUSH1 0x20 0000022d: CALLDATASIZE 0000022e: PUSH1 0x03 00000230: NOT 00000231: ADD 00000232: SLT 00000233: PUSH2 0x0115 00000236: JUMPI 00000237: PUSH2 0x0240 0000023a: PUSH1 0x04 0000023c: PUSH2 0x0101 0000023f: JUMP 00000240: JUMPDEST 00000241: PUSH1 0x00 00000243: DUP1 00000244: MLOAD 00000245: PUSH1 0x20 00000247: PUSH2 0x06e1 0000024a: DUP4 0000024b: CODECOPY 0000024c: DUP2 0000024d: MLOAD 0000024e: SWAP2 0000024f: MSTORE 00000250: DUP1 00000251: SLOAD 00000252: SWAP1 00000253: SWAP2 00000254: SWAP1 00000255: PUSH1 0x01 00000257: PUSH1 0x01 00000259: PUSH1 0xa0 0000025b: SHL 0000025c: SUB 0000025d: SWAP1 0000025e: CALLER 0000025f: SWAP1 00000260: DUP3 00000261: AND 00000262: SUB 00000263: PUSH2 0x01b3 00000266: JUMPI 00000267: PUSH32 0x7e644d79422f17c01e4894b5f4f588d331ebfa28653d42ae832dc59e38c9798f 00000288: PUSH1 0x40 0000028a: DUP5 0000028b: SLOAD 0000028c: SWAP3 0000028d: DUP2 0000028e: MLOAD 0000028f: SWAP5 00000290: DUP2 00000291: DUP6 00000292: AND 00000293: DUP7 00000294: MSTORE 00000295: AND 00000296: SWAP4 00000297: DUP5 00000298: PUSH1 0x20 0000029a: DUP3 0000029b: ADD 0000029c: MSTORE 0000029d: LOG1 0000029e: DUP2 0000029f: ISZERO 000002a0: PUSH2 0x02b2 000002a3: JUMPI 000002a4: PUSH1 0x01 000002a6: PUSH1 0x01 000002a8: PUSH1 0xa0 000002aa: SHL 000002ab: SUB 000002ac: NOT 000002ad: AND 000002ae: OR 000002af: SWAP1 000002b0: SSTORE 000002b1: STOP 000002b2: JUMPDEST 000002b3: PUSH1 0x40 000002b5: MLOAD 000002b6: PUSH3 0x461bcd 000002ba: PUSH1 0xe5 000002bc: SHL 000002bd: DUP2 000002be: MSTORE 000002bf: PUSH1 0x20 000002c1: PUSH1 0x04 000002c3: DUP3 000002c4: ADD 000002c5: MSTORE 000002c6: PUSH1 0x26 000002c8: PUSH1 0x24 000002ca: DUP3 000002cb: ADD 000002cc: MSTORE 000002cd: PUSH32 0x455243313936373a206e65772061646d696e20697320746865207a65726f2061 000002ee: PUSH1 0x44 000002f0: DUP3 000002f1: ADD 000002f2: MSTORE 000002f3: PUSH6 0x646472657373 000002fa: PUSH1 0xd0 000002fc: SHL 000002fd: PUSH1 0x64 000002ff: DUP3 00000300: ADD 00000301: MSTORE 00000302: PUSH1 0x84 00000304: SWAP1 00000305: REVERT 00000306: JUMPDEST 00000307: POP 00000308: CALLVALUE 00000309: PUSH2 0x0115 0000030c: JUMPI 0000030d: PUSH1 0x00 0000030f: CALLDATASIZE 00000310: PUSH1 0x03 00000312: NOT 00000313: ADD 00000314: SLT 00000315: PUSH2 0x0115 00000318: JUMPI 00000319: PUSH1 0x20 0000031b: PUSH1 0x00 0000031d: PUSH1 0x01 0000031f: DUP1 00000320: PUSH1 0xa0 00000322: SHL 00000323: SUB 00000324: PUSH1 0x00 00000326: DUP1 00000327: MLOAD 00000328: PUSH1 0x20 0000032a: PUSH2 0x06e1 0000032d: DUP4 0000032e: CODECOPY 0000032f: DUP2 00000330: MLOAD 00000331: SWAP2 00000332: MSTORE 00000333: DUP2 00000334: DUP2 00000335: SLOAD 00000336: AND 00000337: CALLER 00000338: EQ 00000339: PUSH1 0x00 0000033b: EQ 0000033c: PUSH2 0x034b 0000033f: JUMPI 00000340: SLOAD 00000341: PUSH1 0x40 00000343: MLOAD 00000344: SWAP2 00000345: AND 00000346: DUP2 00000347: MSTORE 00000348: SWAP1 00000349: POP 0000034a: RETURN 0000034b: JUMPDEST 0000034c: POP 0000034d: PUSH2 0x021f 00000350: JUMPDEST 00000351: POP 00000352: PUSH1 0x00 00000354: DUP1 00000355: MLOAD 00000356: PUSH1 0x20 00000358: PUSH2 0x06e1 0000035b: DUP4 0000035c: CODECOPY 0000035d: DUP2 0000035e: MLOAD 0000035f: SWAP2 00000360: MSTORE 00000361: SLOAD 00000362: PUSH1 0x01 00000364: PUSH1 0x01 00000366: PUSH1 0xa0 00000368: SHL 00000369: SUB 0000036a: SWAP1 0000036b: DUP2 0000036c: AND 0000036d: CALLER 0000036e: EQ 0000036f: PUSH2 0x03a2 00000372: JUMPI 00000373: PUSH1 0x00 00000375: DUP1 00000376: MLOAD 00000377: PUSH1 0x20 00000379: PUSH2 0x0701 0000037c: DUP4 0000037d: CODECOPY 0000037e: DUP2 0000037f: MLOAD 00000380: SWAP2 00000381: MSTORE 00000382: SLOAD 00000383: AND 00000384: PUSH1 0x00 00000386: DUP1 00000387: DUP1 00000388: SWAP3 00000389: CALLDATASIZE 0000038a: DUP3 0000038b: DUP1 0000038c: CALLDATACOPY 0000038d: DUP2 0000038e: CALLDATASIZE 0000038f: SWAP2 00000390: GAS 00000391: DELEGATECALL 00000392: RETURNDATASIZE 00000393: DUP3 00000394: DUP1 00000395: RETURNDATACOPY 00000396: ISZERO 00000397: PUSH2 0x039e 0000039a: JUMPI 0000039b: RETURNDATASIZE 0000039c: SWAP1 0000039d: RETURN 0000039e: JUMPDEST 0000039f: RETURNDATASIZE 000003a0: SWAP1 000003a1: REVERT 000003a2: JUMPDEST 000003a3: PUSH1 0x40 000003a5: MLOAD 000003a6: PUSH3 0x461bcd 000003aa: PUSH1 0xe5 000003ac: SHL 000003ad: DUP2 000003ae: MSTORE 000003af: PUSH1 0x20 000003b1: PUSH1 0x04 000003b3: DUP3 000003b4: ADD 000003b5: MSTORE 000003b6: PUSH1 0x42 000003b8: PUSH1 0x24 000003ba: DUP3 000003bb: ADD 000003bc: MSTORE 000003bd: PUSH32 0x5472616e73706172656e745570677261646561626c6550726f78793a2061646d 000003de: PUSH1 0x44 000003e0: DUP3 000003e1: ADD 000003e2: MSTORE 000003e3: PUSH32 0x696e2063616e6e6f742066616c6c6261636b20746f2070726f78792074617267 00000404: PUSH1 0x64 00000406: DUP3 00000407: ADD 00000408: MSTORE 00000409: PUSH2 0x195d 0000040c: PUSH1 0xf2 0000040e: SHL 0000040f: PUSH1 0x84 00000411: DUP3 00000412: ADD 00000413: MSTORE 00000414: PUSH1 0xa4 00000416: SWAP1 00000417: REVERT 00000418: JUMPDEST 00000419: POP 0000041a: PUSH4 0x4e487b71 0000041f: PUSH1 0xe0 00000421: SHL 00000422: PUSH1 0x00 00000424: MSTORE 00000425: PUSH1 0x41 00000427: PUSH1 0x04 00000429: MSTORE 0000042a: PUSH1 0x24 0000042c: PUSH1 0x00 0000042e: REVERT 0000042f: JUMPDEST 00000430: PUSH1 0x40 00000432: MLOAD 00000433: SWAP2 00000434: SWAP1 00000435: PUSH1 0x1f 00000437: ADD 00000438: PUSH1 0x1f 0000043a: NOT 0000043b: AND 0000043c: DUP3 0000043d: ADD 0000043e: PUSH1 0x01 00000440: PUSH1 0x01 00000442: PUSH1 0x40 00000444: SHL 00000445: SUB 00000446: DUP2 00000447: GT 00000448: DUP4 00000449: DUP3 0000044a: LT 0000044b: OR 0000044c: PUSH2 0x0454 0000044f: JUMPI 00000450: PUSH1 0x40 00000452: MSTORE 00000453: JUMP 00000454: JUMPDEST 00000455: PUSH2 0x045c 00000458: PUSH2 0x0418 0000045b: JUMP 0000045c: JUMPDEST 0000045d: PUSH1 0x40 0000045f: MSTORE 00000460: JUMP 00000461: JUMPDEST 00000462: PUSH1 0x20 00000464: SWAP1 00000465: PUSH1 0x01 00000467: PUSH1 0x01 00000469: PUSH1 0x40 0000046b: SHL 0000046c: SUB 0000046d: DUP2 0000046e: GT 0000046f: PUSH2 0x047e 00000472: JUMPI 00000473: JUMPDEST 00000474: PUSH1 0x1f 00000476: ADD 00000477: PUSH1 0x1f 00000479: NOT 0000047a: AND 0000047b: ADD 0000047c: SWAP1 0000047d: JUMP 0000047e: JUMPDEST 0000047f: PUSH2 0x0486 00000482: PUSH2 0x0418 00000485: JUMP 00000486: JUMPDEST 00000487: PUSH2 0x0473 0000048a: JUMP 0000048b: JUMPDEST 0000048c: SWAP1 0000048d: SWAP2 0000048e: DUP2 0000048f: EXTCODESIZE 00000490: ISZERO 00000491: PUSH2 0x051a 00000494: JUMPI 00000495: PUSH1 0x00 00000497: DUP1 00000498: MLOAD 00000499: PUSH1 0x20 0000049b: PUSH2 0x0701 0000049e: DUP4 0000049f: CODECOPY 000004a0: DUP2 000004a1: MLOAD 000004a2: SWAP2 000004a3: MSTORE 000004a4: DUP1 000004a5: SLOAD 000004a6: PUSH1 0x01 000004a8: PUSH1 0x01 000004aa: PUSH1 0xa0 000004ac: SHL 000004ad: SUB 000004ae: NOT 000004af: AND 000004b0: PUSH1 0x01 000004b2: PUSH1 0x01 000004b4: PUSH1 0xa0 000004b6: SHL 000004b7: SUB 000004b8: DUP5 000004b9: AND 000004ba: SWAP1 000004bb: DUP2 000004bc: OR 000004bd: SWAP1 000004be: SWAP2 000004bf: SSTORE 000004c0: PUSH1 0x40 000004c2: MLOAD 000004c3: PUSH32 0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b 000004e4: SWAP1 000004e5: PUSH1 0x00 000004e7: SWAP1 000004e8: LOG2 000004e9: DUP3 000004ea: MLOAD 000004eb: ISZERO 000004ec: SWAP1 000004ed: DUP2 000004ee: ISZERO 000004ef: SWAP2 000004f0: PUSH2 0x0512 000004f3: JUMPI 000004f4: JUMPDEST 000004f5: POP 000004f6: PUSH2 0x04fd 000004f9: JUMPI 000004fa: POP 000004fb: POP 000004fc: JUMP 000004fd: JUMPDEST 000004fe: PUSH2 0x050f 00000501: SWAP2 00000502: PUSH2 0x0509 00000505: PUSH2 0x0575 00000508: JUMP 00000509: JUMPDEST 0000050a: SWAP2 0000050b: PUSH2 0x05bc 0000050e: JUMP 0000050f: JUMPDEST 00000510: POP 00000511: JUMP 00000512: JUMPDEST 00000513: SWAP1 00000514: POP 00000515: CODESIZE 00000516: PUSH2 0x04f4 00000519: JUMP 0000051a: JUMPDEST 0000051b: PUSH1 0x40 0000051d: MLOAD 0000051e: PUSH3 0x461bcd 00000522: PUSH1 0xe5 00000524: SHL 00000525: DUP2 00000526: MSTORE 00000527: PUSH1 0x20 00000529: PUSH1 0x04 0000052b: DUP3 0000052c: ADD 0000052d: MSTORE 0000052e: PUSH1 0x2d 00000530: PUSH1 0x24 00000532: DUP3 00000533: ADD 00000534: MSTORE 00000535: PUSH32 0x455243313936373a206e657720696d706c656d656e746174696f6e206973206e 00000556: PUSH1 0x44 00000558: DUP3 00000559: ADD 0000055a: MSTORE 0000055b: PUSH13 0x1bdd08184818dbdb9d1c9858dd 00000569: PUSH1 0x9a 0000056b: SHL 0000056c: PUSH1 0x64 0000056e: DUP3 0000056f: ADD 00000570: MSTORE 00000571: PUSH1 0x84 00000573: SWAP1 00000574: REVERT 00000575: JUMPDEST 00000576: PUSH2 0x057f 00000579: PUSH1 0x60 0000057b: PUSH2 0x042f 0000057e: JUMP 0000057f: JUMPDEST 00000580: SWAP1 00000581: PUSH1 0x27 00000583: DUP3 00000584: MSTORE 00000585: PUSH7 0x0819985a5b1959 0000058d: PUSH1 0xca 0000058f: SHL 00000590: PUSH1 0x40 00000592: DUP4 00000593: PUSH32 0x416464726573733a206c6f772d6c6576656c2064656c65676174652063616c6c 000005b4: PUSH1 0x20 000005b6: DUP3 000005b7: ADD 000005b8: MSTORE 000005b9: ADD 000005ba: MSTORE 000005bb: JUMP 000005bc: JUMPDEST 000005bd: SWAP2 000005be: SWAP1 000005bf: DUP3 000005c0: EXTCODESIZE 000005c1: ISZERO 000005c2: PUSH2 0x0605 000005c5: JUMPI 000005c6: PUSH1 0x00 000005c8: DUP2 000005c9: PUSH2 0x05fa 000005cc: SWAP5 000005cd: PUSH1 0x20 000005cf: DUP4 000005d0: SWAP5 000005d1: MLOAD 000005d2: SWAP3 000005d3: ADD 000005d4: SWAP1 000005d5: GAS 000005d6: DELEGATECALL 000005d7: RETURNDATASIZE 000005d8: ISZERO 000005d9: PUSH2 0x05fd 000005dc: JUMPI 000005dd: RETURNDATASIZE 000005de: SWAP1 000005df: PUSH2 0x05ea 000005e2: PUSH2 0x00e1 000005e5: DUP4 000005e6: PUSH2 0x0461 000005e9: JUMP 000005ea: JUMPDEST 000005eb: SWAP2 000005ec: DUP3 000005ed: MSTORE 000005ee: RETURNDATASIZE 000005ef: PUSH1 0x00 000005f1: PUSH1 0x20 000005f3: DUP5 000005f4: ADD 000005f5: RETURNDATACOPY 000005f6: PUSH2 0x0659 000005f9: JUMP 000005fa: JUMPDEST 000005fb: SWAP1 000005fc: JUMP 000005fd: JUMPDEST 000005fe: PUSH1 0x60 00000600: SWAP1 00000601: PUSH2 0x0659 00000604: JUMP 00000605: JUMPDEST 00000606: PUSH1 0x40 00000608: MLOAD 00000609: PUSH3 0x461bcd 0000060d: PUSH1 0xe5 0000060f: SHL 00000610: DUP2 00000611: MSTORE 00000612: PUSH1 0x20 00000614: PUSH1 0x04 00000616: DUP3 00000617: ADD 00000618: MSTORE 00000619: PUSH1 0x26 0000061b: PUSH1 0x24 0000061d: DUP3 0000061e: ADD 0000061f: MSTORE 00000620: PUSH32 0x416464726573733a2064656c65676174652063616c6c20746f206e6f6e2d636f 00000641: PUSH1 0x44 00000643: DUP3 00000644: ADD 00000645: MSTORE 00000646: PUSH6 0x1b9d1c9858dd 0000064d: PUSH1 0xd2 0000064f: SHL 00000650: PUSH1 0x64 00000652: DUP3 00000653: ADD 00000654: MSTORE 00000655: PUSH1 0x84 00000657: SWAP1 00000658: REVERT 00000659: JUMPDEST 0000065a: SWAP1 0000065b: SWAP2 0000065c: SWAP1 0000065d: ISZERO 0000065e: PUSH2 0x0665 00000661: JUMPI 00000662: POP 00000663: SWAP1 00000664: JUMP 00000665: JUMPDEST 00000666: DUP2 00000667: MLOAD 00000668: ISZERO 00000669: PUSH2 0x0675 0000066c: JUMPI 0000066d: POP 0000066e: DUP1 0000066f: MLOAD 00000670: SWAP1 00000671: PUSH1 0x20 00000673: ADD 00000674: REVERT 00000675: JUMPDEST 00000676: PUSH1 0x40 00000678: MLOAD 00000679: SWAP1 0000067a: PUSH3 0x461bcd 0000067e: PUSH1 0xe5 00000680: SHL 00000681: DUP3 00000682: MSTORE 00000683: DUP2 00000684: PUSH1 0x20 00000686: DUP1 00000687: PUSH1 0x04 00000689: DUP4 0000068a: ADD 0000068b: MSTORE 0000068c: DUP3 0000068d: MLOAD 0000068e: SWAP3 0000068f: DUP4 00000690: PUSH1 0x24 00000692: DUP5 00000693: ADD 00000694: MSTORE 00000695: PUSH1 0x00 00000697: SWAP2 00000698: JUMPDEST 00000699: DUP5 0000069a: DUP4 0000069b: LT 0000069c: PUSH2 0x06c7 0000069f: JUMPI 000006a0: POP 000006a1: POP 000006a2: SWAP2 000006a3: DUP1 000006a4: PUSH1 0x44 000006a6: SWAP4 000006a7: GT 000006a8: PUSH2 0x06ba 000006ab: JUMPI 000006ac: JUMPDEST 000006ad: PUSH1 0x1f 000006af: ADD 000006b0: PUSH1 0x1f 000006b2: NOT 000006b3: AND 000006b4: DUP2 000006b5: ADD 000006b6: SUB 000006b7: ADD 000006b8: SWAP1 000006b9: REVERT 000006ba: JUMPDEST 000006bb: PUSH1 0x00 000006bd: DUP4 000006be: DUP3 000006bf: DUP5 000006c0: ADD 000006c1: ADD 000006c2: MSTORE 000006c3: PUSH2 0x06ac 000006c6: JUMP 000006c7: JUMPDEST 000006c8: DUP2 000006c9: DUP4 000006ca: ADD 000006cb: DUP2 000006cc: ADD 000006cd: MLOAD 000006ce: DUP7 000006cf: DUP5 000006d0: ADD 000006d1: PUSH1 0x44 000006d3: ADD 000006d4: MSTORE 000006d5: DUP6 000006d6: SWAP4 000006d7: POP 000006d8: SWAP2 000006d9: DUP3 000006da: ADD 000006db: SWAP2 000006dc: PUSH2 0x0698 000006df: JUMP 000006e0: INVALID 000006e1: UNKNOWN(0xB5) 000006e2: BALANCE 000006e3: UNKNOWN(0x27) 000006e4: PUSH9 0x4a568b3173ae13b9f8 000006ee: UNKNOWN(0xA6) 000006ef: ADD 000006f0: PUSH15 0x243e63b6e8ee1178d6a717850b5d61 00000700: SUB 00000701: CALLDATASIZE 00000702: ADDMOD 00000703: SWAP5 00000704: LOG1 00000705: EXTCODESIZE 00000706: LOG1 00000707: LOG3 00000708: UNKNOWN(0x21) 00000709: MOD 0000070a: PUSH8 0xc828492db98dca3e 00000713: KECCAK256 00000714: PUSH23 0xcc3735a920a3ca505d382bbca2646970667358221220db 0000072c: ORIGIN 0000072d: NUMBER 0000072e: UNKNOWN(0xBF) 0000072f: SSTORE 00000730: ISZERO 00000731: UNKNOWN(0x26) 00000732: CREATE2 00000733: SWAP8 00000734: UNKNOWN(0xC6) 00000735: UNKNOWN(0xF6) 00000736: SWAP1 00000737: CODECOPY 00000738: SIGNEXTEND 00000739: KECCAK256 0000073a: TSTORE 0000073b: BLOCKHASH 0000073c: LOG4 0000073d: MSTORE8 0000073e: UNKNOWN(0xDE) 0000073f: CALLDATALOAD 00000740: PUSH29
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | upgradeability | detector | Untrusted DELEGATECALL target reachable | 55 | yes | yes |
viewtrace_id: 0x75ae7fc1d20149990f42fdc3d42225d5c8e766c9bbe40c00b78fc5150bc544fa
call_targets:
0x5acae76a83d9770370989738452ad3a8be3c54dd, 0xd4ec911b8fd79139736950235a93d3ea9c3f68ed
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "DELEGATECALL",
"errors": 0,
"status": "confirmed",
"attempts": 2,
"trace_id": "0x75ae7fc1d20149990f42fdc3d42225d5c8e766c9bbe40c00b78fc5150bc544fa",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x5acae76a83d9770370989738452ad3a8be3c54dd",
"0xd4ec911b8fd79139736950235a93d3ea9c3f68ed"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x3659cfe6",
"selector": "0x3659cfe6",
"calldata_variants": [
"0x3659cfe6",
"0x3659cfe60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x4f1ef286",
"selector": "0x4f1ef286",
"calldata_variants": [
"0x4f1ef286",
"0x4f1ef2860000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x5c60da1b",
"selector": "0x5c60da1b",
"calldata_variants": [
"0x5c60da1b",
"0x5c60da1b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x8f283970",
"selector": "0x8f283970",
"calldata_variants": [
"0x8f283970",
"0x8f2839700000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 913,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
},
{
"pc": 1494,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
}
],
"guards_detected": [
{
"pc": 1836,
"type": "tx_origin_used"
}
],
"delegatecall_count": 2,
"untrusted_delegatecall_count": 2
}
|
| high | auth | detector | Authorization based on tx.origin | 70 | no | — |
viewvalidation_json{
"reason": "missing sink mapping",
"status": "no_sink"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x3659cfe6",
"selector": "0x3659cfe6",
"calldata_variants": [
"0x3659cfe6",
"0x3659cfe60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x4f1ef286",
"selector": "0x4f1ef286",
"calldata_variants": [
"0x4f1ef286",
"0x4f1ef2860000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x5c60da1b",
"selector": "0x5c60da1b",
"calldata_variants": [
"0x5c60da1b",
"0x5c60da1b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x8f283970",
"selector": "0x8f283970",
"calldata_variants": [
"0x8f283970",
"0x8f2839700000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"guards_detected": [
{
"pc": 1836,
"type": "tx_origin_used"
}
]
}
|
| high | upgradeability | codex | Pre-initialization call can permanently lock base indices and brick base actions | 85 | no | — |
viewevidence_json{
"evidence": "`initializeStorage` only guards on `lastAccrualTime` and sets indices, while `accrueInternal` updates `lastAccrualTime` without initializing indices. `accrueAccount` is externally callable and invokes `accrueInternal`.",
"locations": [
"contracts/CometWithExtendedAssetList.sol:203",
"contracts/CometWithExtendedAssetList.sol:270",
"contracts/CometWithExtendedAssetList.sol:285"
],
"recommendation": "Call `initializeStorage` in the constructor or ensure it can run even if `lastAccrualTime` was set (e.g., gate on `baseSupplyIndex == 0 && baseBorrowIndex == 0` instead). Alternatively, block `accrueInternal`/`accrueAccount`/`absorb` until initialization has set non-zero indices.",
"exploit_scenario": "If the contract is deployed without immediately calling `initializeStorage`, any user can call `accrueAccount` (or `absorb`) first. This triggers `accrueInternal`, which sets `lastAccrualTime` while `baseSupplyIndex`/`baseBorrowIndex` remain zero. After that, `initializeStorage` reverts (`AlreadyInitialized`), leaving indices at zero forever. Subsequent base operations that compute `principalValue` will revert due to division by zero, effectively bricking supply/borrow/transfer of the base asset."
}
|
| medium | other | detector | CREATE/CREATE2 reachable | 45 | no | no |
viewtrace_id: 0x57d436eeb41603da7990e861daa5aa0cdec58f0aa26bdb7c68d54954cc4f1e29
validation_json{
"sink": "CREATE",
"errors": 0,
"status": "unknown",
"attempts": 8,
"trace_id": "0x57d436eeb41603da7990e861daa5aa0cdec58f0aa26bdb7c68d54954cc4f1e29",
"confirmed": false,
"trace_mode": "structLogs",
"call_targets": null,
"matched_probe": null,
"target_varies": null,
"classification": "no_sink"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x3659cfe6",
"selector": "0x3659cfe6",
"calldata_variants": [
"0x3659cfe6",
"0x3659cfe60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x4f1ef286",
"selector": "0x4f1ef286",
"calldata_variants": [
"0x4f1ef286",
"0x4f1ef2860000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x5c60da1b",
"selector": "0x5c60da1b",
"calldata_variants": [
"0x5c60da1b",
"0x5c60da1b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x8f283970",
"selector": "0x8f283970",
"calldata_variants": [
"0x8f283970",
"0x8f2839700000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"create_count": 0,
"create2_count": 1
}
|
| medium | upgradeability | cast | DELEGATECALL present | 80 | no | — |
viewevidence_json{
"notes": "delegatecall enables execution in caller context; common in proxies/upgradeable patterns",
"delegatecall_count": 2
}
|
| medium | oracle | codex | Oracle freshness not validated (stale price risk) | 75 | no | — |
viewevidence_json{
"evidence": "`getPrice` only checks `price > 0` and returns the value without staleness or round validity checks.",
"locations": [
"contracts/CometWithExtendedAssetList.sol:340"
],
"recommendation": "Validate `updatedAt` against a maximum staleness threshold, require `answeredInRound >= roundId`, and on L2s consider a sequencer uptime feed before accepting prices.",
"exploit_scenario": "`getPrice` accepts `latestRoundData()` without checking `updatedAt` or `answeredInRound`. If a feed is stale or stops updating, collateralization checks and `buyCollateral` pricing can use outdated prices, enabling undercollateralized borrowing or discounted collateral purchases during oracle outages."
}
|
| low | other | cast | Contract creation opcode present | 60 | no | — |
viewevidence_json{
"notes": "runtime can deploy contracts dynamically via CREATE/CREATE2",
"create_count": 0,
"create2_count": 1
}
|