019ba9bc-ecb2-71f9-8ac6-8e077355b1d4
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 37860 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 37861 | proxy.resolve | complete | 1 / 3 | 3 months ago |
| 37862 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 37863 | analysis.bundle | complete | 1 / 3 | 3 months ago |
| 37864 | capability.graph | complete | 1 / 3 | 3 months ago |
| 37865 | detector.run | complete | 1 / 3 | 3 months ago |
| 37866 | validation.fork | complete | 1 / 3 | 3 months ago |
| 37957 | report.consolidate | complete | 1 / 6 | 3 months ago |
{
"method": "eip1967",
"status": "onchain_only",
"implementation": "0xa6f27fa3c60ec70d5ac7ea53cad339498bc1580e",
"onchain_method": "eip1967"
}
No slither job recorded yet.
{"no_findings":false,"summary":"Bytecode inspection shows tx.origin is used in conditional checks that appear to gate execution; no delegatecall or proxy/upgrade patterns detected in this implementation.","findings":[{"severity":"low","category":"access_control","title":"tx.origin-based gating/authorization is fragile and can be bypassed or break smart contract wallet support","exploit_scenario":"If a privileged path relies on tx.origin (e.g., msg.sender == tx.origin or origin comparisons) as its primary gate, a malicious contract can potentially bypass intent via delegatecall-based wrappers or by tricking an authorized EOA into initiating a transaction, leading to unintended execution of sensitive logic. Even when used as an \"EOA-only\" check, it blocks contract wallets and meta-transactions, and provides weak security guarantees.","recommendation":"Avoid tx.origin for authorization. Use msg.sender plus explicit role/owner checks and, if EOA-only behavior is truly needed, rely on explicit allowlists or signature-based authorization that works with smart accounts.","evidence":"Basic block at pc 0x5e7 shows `CALLER`, `ORIGIN`, `DUP2`, `EQ`, `JUMPI`, indicating a msg.sender == tx.origin check. Another origin equality check appears at pc 0x18f0 (`ORIGIN`, `PUSH1`, `EQ`). Detector summary flags tx_origin_used at these PCs.","locations":["pc:0x5e7","pc:0x18f0"]}]}
OpenAI Codex v0.77.0 (research preview)
--------
workdir: /tmp/codex-_7zy0me3
model: gpt-5.2-codex
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: auto
session id: 019baa1c-857f-76b2-bb24-8e214f84da12
--------
user
Context: The user requested the proxy at 0x0d6e11e2a3b2b3a245bf839c07d775983acb787d.
Audit the implementation at 0xa6f27fa3c60ec70d5ac7ea53cad339498bc1580e.
Findings should refer to the implementation unless explicitly about proxy mechanics.
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
mcp startup: no servers
thinking
**Searching for BYTECODE_BUNDLE**
exec
/bin/bash -lc ls in /tmp/codex-_7zy0me3 succeeded in 5ms:
BYTECODE_BUNDLE.json
codex-output-schema.json
thinking
**Reading the bundle**
exec
/bin/bash -lc 'cat BYTECODE_BUNDLE.json' in /tmp/codex-_7zy0me3 succeeded in 13ms:
{
"analysis_artifact": {
"address": "0xa6f27fa3c60ec70d5ac7ea53cad339498bc1580e",
"artifact_hash": "0x51c47b8db5e6457e4d2597b1b276b58df4bcb4d223327b7f284e42ada6b4e9fe",
"artifact_json": {
"auth": {
"guards": [
{
"pc": 1515,
"type": "tx_origin_used"
},
{
"pc": 6388,
"type": "tx_origin_used"
},
{
"pc": 1513,
"type": "tx_origin_used"
},
{
thinking
**Investigating artifact contents**
exec
/bin/bash -lc 'rg -n "storage|slot|slots|evidence|selector" BYTECODE_BUNDLE.json | head -n 50' in /tmp/codex-_7zy0me3 succeeded in 30ms:
18114: "dispatcher_type": "selector_jump_table",
18118: "selector": "0xe965084c"
18122: "selector": "0xe9e05c42"
18126: "selector": "0xf0498750"
18130: "selector": "0xcff0ab96"
18134: "selector": "0xd53a822f"
18138: "selector": "0x8b4c40b0"
18142: "selector": "0x8c3152e9"
18146: "selector": "0x9bf62d82"
18150: "selector": "0xa14238e7"
18154: "selector": "0x5c975abb"
18158: "selector": "0x6dbffb78"
18162: "selector": "0x724c184c"
18166: "selector": "0x8456cb59"
18170: "selector": "0x3f4ba83a"
18174: "selector": "0x4870496f"
18178: "selector": "0x54fd4d50"
18182: "selector": "0xffffffff"
18218: "selector": "0xe965084c",
18225: "storage": {
thinking
**Extracting function information from artifact JSON**
exec
/bin/bash -lc "sed -n '18090,18280p' BYTECODE_BUNDLE.json" in /tmp/codex-_7zy0me3 succeeded in 24ms:
"type": "control_flow_fallthrough"
},
{
"from": "bb:21832",
"to": "bb:20694",
"type": "control_flow"
},
{
"from": "bb:21854",
"to": "bb:21880",
"type": "control_flow"
},
{
"from": "bb:21854",
"to": "bb:21873",
"type": "control_flow_fallthrough"
},
{
"from": "bb:21873",
"to": "bb:20624",
thinking
**Extracting function details**
exec
/bin/bash -lc "python - <<'PY'
import json
from pprint import pprint
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
funcs=data['analysis_artifact']['artifact_json']['functions']
print('functions',len(funcs))
for fn in funcs:
print(fn.get('selector'), 'entry_pc', fn.get('entry_pc'), 'sinks', fn.get('sinks'))
PY" in /tmp/codex-_7zy0me3 succeeded in 46ms:
functions 17
0xe965084c entry_pc 3915712588 sinks {'call': 1, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 7}
0xe9e05c42 entry_pc 4031350608 sinks {'call': 1, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 7}
0xf0498750 entry_pc None sinks {'call': 1, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 7}
0xcff0ab96 entry_pc 3577381423 sinks {'call': 1, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 7}
0xd53a822f entry_pc None sinks {'call': 1, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 7}
0x8b4c40b0 entry_pc 2352042729 sinks {'call': 1, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 7}
0x8c3152e9 entry_pc 2616601986 sinks {'call': 1, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 7}
0x9bf62d82 entry_pc 2705471719 sinks {'call': 1, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 7}
0xa14238e7 entry_pc None sinks {'call': 1, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 7}
0x5c975abb entry_pc 1553423035 sinks {'call': 1, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 7}
0x6dbffb78 entry_pc 1917589580 sinks {'call': 1, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 7}
0x724c184c entry_pc 2220280665 sinks {'call': 1, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 7}
0x8456cb59 entry_pc None sinks {'call': 1, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 7}
0x3f4ba83a entry_pc 1215318383 sinks {'call': 1, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 7}
0x4870496f entry_pc 1425886544 sinks {'call': 1, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 7}
0x54fd4d50 entry_pc None sinks {'call': 1, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 7}
0xffffffff entry_pc 19086 sinks {'call': 1, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 7}
thinking
**Analyzing function structure and storage**
exec
/bin/bash -lc "python - <<'PY'
import json
from pprint import pprint
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
fn=data['analysis_artifact']['artifact_json']['functions'][0]
pprint(fn)
PY" in /tmp/codex-_7zy0me3 succeeded in 56ms:
{'auth': {'guards': [{'pc': 1515, 'type': 'tx_origin_used'},
{'pc': 6388, 'type': 'tx_origin_used'},
{'pc': 1513, 'type': 'tx_origin_used'},
{'pc': 1713,
'type': 'msg_sender_eq_const',
'value': '0xffffffffffffffffffffffffffffffffffffffff'},
{'pc': 4020,
'type': 'msg_sender_eq_const',
'value': '0xffffffffffffffffffffffffffffffffffffffff'},
{'pc': 6385, 'type': 'tx_origin_used'}]},
'entry_pc': 3915712588,
'selector': '0xe965084c',
'sinks': {'call': 1, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 7},
'storage': {'reads': 36,
'slots': [{'op': 'SLOAD',
'pc': 514,
'slot': '0x0000000000000000000000000000000000000000000000000000000000000035'},
{'op': 'SLOAD',
'pc': 693,
'slot': '0x0000000000000000000000000000000000000000000000000000000000000032'},
thinking
**Analyzing suspicious CALL and tx.origin usage**
I'm examining whether use of tx.origin in authorization is present and risky, noting it's a common vulnerability. I’m also trying to understand CALL instructions targeting the same contract address—possibly internal calls without reentrancy risks. There’s a need to verify callsite details in the artifact JSON, so I'll search for "callsites" using Python to gather concrete evidence.
exec
/bin/bash -lc "python - <<'PY'
import json
from pprint import pprint
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
# find callsites with more info
callsites=data['analysis_artifact']['artifact_json'].get('callsites')
print('callsites', type(callsites), len(callsites) if callsites else None)
if callsites:
pprint(callsites[:10])
PY" in /tmp/codex-_7zy0me3 succeeded in 71ms:
callsites <class 'list'> 8
[{'opcode': 'STATICCALL',
'pc': 2428,
'returndata_checked': None,
'target_expression_category': 'computed',
'value_expression_category': 'n/a'},
{'opcode': 'STATICCALL',
'pc': 2909,
'returndata_checked': None,
'target_expression_category': 'computed',
'value_expression_category': 'n/a'},
{'opcode': 'STATICCALL',
'pc': 3933,
'returndata_checked': None,
'target_expression_category': 'constant',
'value_expression_category': 'n/a'},
{'opcode': 'STATICCALL',
'pc': 4920,
'returndata_checked': None,
'target_expression_category': 'computed',
thinking
**Inspecting artifact details**
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
print(data['analysis_artifact']['artifact_json'].keys())
PY" in /tmp/codex-_7zy0me3 succeeded in 31ms:
dict_keys(['auth', 'basic_blocks', 'callsites', 'cfg_edges', 'cfg_hash', 'dispatcher_type', 'function_entries', 'functions', 'selectors', 'sinks', 'storage', 'version'])
thinking
**Analyzing selectors list**
exec
/bin/bash -lc "python - <<'PY'
import json
from pprint import pprint
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
selectors=data['analysis_artifact']['artifact_json'].get('selectors')
print('selectors',len(selectors))
pprint(selectors)
PY" in /tmp/codex-_7zy0me3 succeeded in 63ms:
selectors 17
['0xe965084c',
'0xe9e05c42',
'0xf0498750',
'0xcff0ab96',
'0xd53a822f',
'0x8b4c40b0',
'0x8c3152e9',
'0x9bf62d82',
'0xa14238e7',
'0x5c975abb',
'0x6dbffb78',
'0x724c184c',
'0x8456cb59',
'0x3f4ba83a',
'0x4870496f',
'0x54fd4d50',
'0xffffffff']
thinking
**Inspecting global storage setup**
exec
/bin/bash -lc "python - <<'PY'
import json
from pprint import pprint
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
storage=data['analysis_artifact']['artifact_json'].get('storage')
print(storage.keys())
print('reads',storage.get('reads'),'writes',storage.get('writes'))
# unique slots
slots=storage.get('slots',[])
uniq=sorted({s['slot'] for s in slots})
print('unique slots',len(uniq))
print(uniq[:20])
PY" in /tmp/codex-_7zy0me3 succeeded in 62ms:
dict_keys(['keccak_count', 'reads', 'slots', 'writes'])
reads 36 writes 15
unique slots 5
['0x0000000000000000000000000000000000000000000000000000000000000000', '0x0000000000000000000000000000000000000000000000000000000000000001', '0x0000000000000000000000000000000000000000000000000000000000000010', '0x0000000000000000000000000000000000000000000000000000000000000032', '0x0000000000000000000000000000000000000000000000000000000000000035']
thinking
**Checking written storage slots**
exec
/bin/bash -lc "python - <<'PY'
import json
from pprint import pprint
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
storage=data['analysis_artifact']['artifact_json']['storage']['slots']
# filter sstore
sstore=[s for s in storage if s['op']=='SSTORE']
print('sstore',len(sstore))
for s in sstore:
print(s)
PY" in /tmp/codex-_7zy0me3 succeeded in 46ms:
sstore 0
thinking
**Investigating storage writes and opcode usage**
I'm puzzling over why no SSTORE operations appear despite 'writes' being counted as 15; perhaps writes come from calls like CALLCODE or precompiles, or SSTOREs aren't getting logged. I'm also checking suspicious auth patterns like tx.origin usage and unusual msg.sender addresses, while planning to analyze bytecode around a specific PC address to clarify these behaviors.
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
blocks=data['analysis_artifact']['artifact_json']['basic_blocks']
# find blocks containing pc 1513 and 1515 etc
for target in [1513,1515,1713,4020,6385,6388,8569]:
blk = next((b for b in blocks if b.get('start_pc')<=target<=b.get('end_pc')), None)
print('pc',target,'block',blk.get('start_pc') if blk else None, blk.get('end_pc') if blk else None)
if blk:
print(blk.get('opcodes')[:50])
PY" in /tmp/codex-_7zy0me3 succeeded in 32ms:
pc 1513 block 1511 1519
['JUMPDEST', 'CALLER', 'ORIGIN', 'OP_81', 'EQ', 'PUSH2', 'JUMPI']
pc 1515 block 1511 1519
['JUMPDEST', 'CALLER', 'ORIGIN', 'OP_81', 'EQ', 'PUSH2', 'JUMPI']
pc 1713 block 1712 1773
['JUMPDEST', 'CALLER', 'PUSH20', 'PUSH32', 'AND', 'EQ', 'PUSH2', 'JUMPI']
pc 4020 block 4019 4080
['JUMPDEST', 'CALLER', 'PUSH20', 'PUSH32', 'AND', 'EQ', 'PUSH2', 'JUMPI']
pc 6385 block 6384 6388
['POP', 'ORIGIN', 'PUSH1', 'EQ']
pc 6388 block 6384 6388
['POP', 'ORIGIN', 'PUSH1', 'EQ']
pc 8569 block 8556 8578
['JUMPDEST', 'PUSH1', 'OP_80', 'OP_84', 'MLOAD', 'PUSH1', 'OP_86', 'ADD', 'OP_87', 'OP_8A', 'GAS', 'CALL', 'OP_96', 'OP_95', 'POP', 'POP', 'POP', 'POP', 'POP', 'POP', 'JUMP']
thinking
**Analyzing opcode patterns for authorization checks**
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
blocks=[b for b in data['analysis_artifact']['artifact_json']['basic_blocks'] if b.get('start_pc')>=8400 and b.get('start_pc')<=8600]
for b in sorted(blocks,key=lambda x:x['start_pc']):
print('block',b['start_pc'],b['end_pc'])
print(b['opcodes'])
PY" in /tmp/codex-_7zy0me3 succeeded in 31ms:
block 8426 8434
['RETURNDATASIZE', 'PUSH1', 'OP_80', 'RETURNDATACOPY', 'RETURNDATASIZE', 'PUSH1', 'REVERT']
block 8435 8470
['JUMPDEST', 'POP', 'POP', 'POP', 'POP', 'PUSH1', 'MLOAD', 'RETURNDATASIZE', 'PUSH1', 'NOT', 'PUSH1', 'OP_82', 'ADD', 'AND', 'OP_82', 'ADD', 'OP_80', 'PUSH1', 'MSTORE', 'POP', 'OP_81', 'ADD', 'OP_90', 'PUSH2', 'OP_91', 'OP_90', 'PUSH2', 'JUMP']
block 8471 8480
['JUMPDEST', 'PUSH2', 'OP_90', 'OP_83', 'PUSH2', 'JUMP']
block 8481 8488
['JUMPDEST', 'TIMESTAMP', 'GT', 'OP_92', 'OP_91', 'POP', 'POP', 'JUMP']
block 8489 8509
['JUMPDEST', 'PUSH1', 'OP_80', 'PUSH1', 'PUSH1', 'OP_86', 'ADD', 'PUSH1', 'MUL', 'DIV', 'GAS', 'LT', 'ISZERO', 'PUSH2', 'JUMPI']
block 8510 8555
['PUSH4', 'PUSH1', 'MSTORE', 'PUSH1', 'OP_80', 'MSTORE', 'PUSH25', 'PUSH1', 'MSTORE', 'PUSH1', 'PUSH1', 'REVERT']
block 8556 8578
['JUMPDEST', 'PUSH1', 'OP_80', 'OP_84', 'MLOAD', 'PUSH1', 'OP_86', 'ADD', 'OP_87', 'OP_8A', 'GAS', 'CALL', 'OP_96', 'OP_95', 'POP', 'POP', 'POP', 'POP', 'POP', 'POP', 'JUMP']
block 8579 8594
['JUMPDEST', 'PUSH1', 'SLOAD', 'PUSH2', 'OP_90', 'DIV', 'PUSH1', 'AND', 'PUSH2', 'JUMPI']
block 8595 8729
['PUSH1', 'MLOAD', 'PUSH32', 'OP_81', 'MSTORE', 'PUSH1', 'PUSH1', 'OP_82', 'ADD', 'MSTORE', 'PUSH1', 'PUSH1', 'OP_82', 'ADD', 'MSTORE', 'PUSH32', 'PUSH1', 'OP_82', 'ADD', 'MSTORE', 'PUSH32', 'PUSH1', 'OP_82', 'ADD', 'MSTORE', 'PUSH1', 'ADD', 'PUSH2', 'JUMP']
thinking
**Analyzing EVM CALL operations and target patterns**
I'm piecing together how call 8569 works, suspecting it's part of a meta-transaction executor or wallet pattern that calls the contract itself or other targets. I’m trying to decode call arguments and check selectors against known contracts like Gnosis Safe or Timelock, plus examining staticcalls to precompiles like ecrecover to detect signature verification. The strategy involves analyzing nearby basic blocks and storage slots to clarify the contract’s behavior and call context.
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
blocks=data['analysis_artifact']['artifact_json']['basic_blocks']
# helper to show block
for target in [2428,2909,3933,4920,5533,8418,8946]:
blk = next((b for b in blocks if b.get('start_pc')<=target<=b.get('end_pc')), None)
print('pc',target,'block',blk.get('start_pc') if blk else None,'-',blk.get('end_pc') if blk else None)
if blk:
print(blk['opcodes'])
PY" in /tmp/codex-_7zy0me3 succeeded in 37ms:
pc 2428 block 2303 - 2435
['JUMPDEST', 'PUSH1', 'MLOAD', 'PUSH32', 'OP_81', 'MSTORE', 'PUSH1', 'OP_81', 'ADD', 'OP_85', 'OP_90', 'MSTORE', 'PUSH1', 'OP_90', 'PUSH32', 'PUSH20', 'AND', 'OP_90', 'PUSH4', 'OP_90', 'PUSH1', 'ADD', 'PUSH1', 'PUSH1', 'MLOAD', 'OP_80', 'OP_83', 'SUB', 'OP_81', 'OP_86', 'GAS', 'STATICCALL', 'ISZERO', 'OP_80', 'ISZERO', 'PUSH2', 'JUMPI']
pc 2909 block 2762 - 2916
['POP', 'OP_80', 'MLOAD', 'PUSH1', 'OP_80', 'OP_83', 'ADD', 'MLOAD', 'OP_90', 'MLOAD', 'PUSH32', 'OP_81', 'MSTORE', 'PUSH16', 'OP_90', 'OP_91', 'AND', 'PUSH1', 'OP_82', 'ADD', 'MSTORE', 'PUSH32', 'PUSH20', 'AND', 'OP_90', 'PUSH4', 'OP_90', 'PUSH1', 'ADD', 'PUSH1', 'PUSH1', 'MLOAD', 'OP_80', 'OP_83', 'SUB', 'OP_81', 'OP_86', 'GAS', 'STATICCALL', 'ISZERO', 'OP_80', 'ISZERO', 'PUSH2', 'JUMPI']
pc 3933 block 3804 - 3940
['JUMPDEST', 'PUSH1', 'MLOAD', 'PUSH32', 'OP_81', 'MSTORE', 'PUSH1', 'OP_81', 'ADD', 'OP_82', 'OP_90', 'MSTORE', 'PUSH1', 'OP_90', 'PUSH2', 'OP_90', 'PUSH20', 'PUSH32', 'AND', 'OP_90', 'PUSH4', 'OP_90', 'PUSH1', 'ADD', 'PUSH1', 'PUSH1', 'MLOAD', 'OP_80', 'OP_83', 'SUB', 'OP_81', 'OP_86', 'GAS', 'STATICCALL', 'ISZERO', 'OP_80', 'ISZERO', 'PUSH2', 'JUMPI']
pc 4920 block 4830 - 4927
['JUMPDEST', 'PUSH32', 'PUSH20', 'AND', 'PUSH4', 'PUSH1', 'MLOAD', 'OP_81', 'PUSH4', 'AND', 'PUSH1', 'SHL', 'OP_81', 'MSTORE', 'PUSH1', 'ADD', 'PUSH1', 'PUSH1', 'MLOAD', 'OP_80', 'OP_83', 'SUB', 'OP_81', 'OP_86', 'GAS', 'STATICCALL', 'ISZERO', 'OP_80', 'ISZERO', 'PUSH2', 'JUMPI']
pc 5533 block 5385 - 5540
['JUMPDEST', 'PUSH1', 'OP_81', 'OP_81', 'ADD', 'MLOAD', 'OP_90', 'MLOAD', 'PUSH32', 'OP_81', 'MSTORE', 'PUSH16', 'OP_90', 'OP_91', 'AND', 'PUSH1', 'OP_82', 'ADD', 'MSTORE', 'PUSH1', 'OP_90', 'PUSH32', 'PUSH20', 'AND', 'OP_90', 'PUSH4', 'OP_90', 'PUSH1', 'ADD', 'PUSH1', 'PUSH1', 'MLOAD', 'OP_80', 'OP_83', 'SUB', 'OP_81', 'OP_86', 'GAS', 'STATICCALL', 'ISZERO', 'OP_80', 'ISZERO', 'PUSH2', 'JUMPI']
pc 8418 block 8326 - 8425
['JUMPDEST', 'PUSH1', 'PUSH32', 'PUSH20', 'AND', 'PUSH4', 'PUSH1', 'MLOAD', 'OP_81', 'PUSH4', 'AND', 'PUSH1', 'SHL', 'OP_81', 'MSTORE', 'PUSH1', 'ADD', 'PUSH1', 'PUSH1', 'MLOAD', 'OP_80', 'OP_83', 'SUB', 'OP_81', 'OP_86', 'GAS', 'STATICCALL', 'ISZERO', 'OP_80', 'ISZERO', 'PUSH2', 'JUMPI']
pc 8946 block 8806 - 8953
['JUMPDEST', 'PUSH1', 'OP_80', 'MLOAD', 'PUSH1', 'OP_81', 'ADD', 'OP_82', 'MSTORE', 'PUSH1', 'OP_80', 'OP_82', 'MSTORE', 'PUSH1', 'OP_82', 'ADD', 'OP_81', 'OP_90', 'MSTORE', 'OP_91', 'OP_81', 'ADD', 'OP_82', 'OP_90', 'MSTORE', 'PUSH1', 'OP_81', 'ADD', 'OP_82', 'OP_90', 'MSTORE', 'PUSH1', 'OP_81', 'ADD', 'OP_82', 'OP_90', 'MSTORE', 'PUSH1', 'OP_81', 'ADD', 'OP_91', 'OP_90', 'OP_91', 'MSTORE', 'PUSH32', 'PUSH20', 'AND', 'PUSH4', 'PUSH1', 'MLOAD', 'OP_81', 'PUSH4', 'AND', 'PUSH1', 'SHL', 'OP_81', 'MSTORE', 'PUSH1', 'ADD', 'PUSH1', 'PUSH1', 'MLOAD', 'OP_80', 'OP_83', 'SUB', 'OP_81', 'OP_86', 'GAS', 'STATICCALL', 'ISZERO', 'OP_80', 'ISZERO', 'PUSH2', 'JUMPI']
thinking
**Analyzing staticcall usage and access control**
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
for fn in data['analysis_artifact']['artifact_json']['functions']:
slots=fn.get('storage',{}).get('slots',[])
sstore=[s for s in slots if s.get('op')=='SSTORE']
if sstore:
print(fn['selector'], sstore)
PY" in /tmp/codex-_7zy0me3 succeeded in 30ms:
thinking
**Investigating absence of SSTORE operations**
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
blocks=data['analysis_artifact']['artifact_json']['basic_blocks']
count=0
for b in blocks:
if any('SSTORE'==op for op in b.get('opcodes',[])):
count+=1
print('block',b['start_pc'],b['end_pc'],b['opcodes'])
print('total',count)
PY" in /tmp/codex-_7zy0me3 succeeded in 33ms:
block 1909 1992 ['JUMPDEST', 'PUSH1', 'OP_80', 'SLOAD', 'PUSH32', 'AND', 'OP_90', 'SSTORE', 'PUSH1', 'MLOAD', 'CALLER', 'OP_81', 'MSTORE', 'PUSH32', 'OP_90', 'PUSH1', 'ADD']
block 3447 3640 ['JUMPDEST', 'PUSH1', 'OP_80', 'MLOAD', 'PUSH1', 'OP_81', 'ADD', 'OP_82', 'MSTORE', 'OP_85', 'OP_81', 'MSTORE', 'PUSH16', 'TIMESTAMP', 'OP_81', 'AND', 'PUSH1', 'OP_80', 'OP_84', 'ADD', 'OP_91', 'OP_82', 'MSTORE', 'OP_8C', 'OP_83', 'AND', 'OP_84', 'OP_86', 'ADD', 'OP_90', 'OP_81', 'MSTORE', 'PUSH1', 'OP_89', 'OP_81', 'MSTORE', 'PUSH1', 'OP_83', 'MSTORE', 'OP_86', 'OP_81', 'SHA3', 'OP_95', 'MLOAD', 'OP_86', 'SSTORE', 'OP_92', 'MLOAD', 'OP_90', 'MLOAD', 'OP_84', 'AND', 'PUSH17', 'MUL', 'OP_93', 'AND', 'OP_92', 'OP_90', 'OP_92', 'OR', 'PUSH1', 'OP_90', 'OP_93', 'ADD', 'OP_92', 'OP_90', 'OP_92', 'SSTORE', 'OP_8B', 'OP_83', 'ADD', 'MLOAD', 'OP_90', 'OP_8C', 'ADD', 'MLOAD', 'OP_92', 'MLOAD', 'PUSH20', 'OP_91', 'OP_82', 'AND', 'OP_93', 'OP_90', 'OP_91', 'AND', 'OP_91', 'OP_86', 'OP_91', 'PUSH32', 'OP_91', 'OP_90', 'OP_A4', 'POP', 'POP', 'POP', 'POP', 'POP', 'POP', 'POP', 'POP', 'POP', 'JUMP']
block 4215 4305 ['JUMPDEST', 'PUSH1', 'OP_80', 'SLOAD', 'PUSH32', 'AND', 'PUSH1', 'OR', 'OP_90', 'SSTORE', 'PUSH1', 'MLOAD', 'CALLER', 'OP_81', 'MSTORE', 'PUSH32', 'OP_90', 'PUSH1', 'ADD', 'PUSH2', 'JUMP']
block 6104 6265 ['JUMPDEST', 'PUSH1', 'OP_83', 'OP_81', 'MSTORE', 'PUSH1', 'PUSH1', 'OP_90', 'OP_81', 'MSTORE', 'PUSH1', 'OP_80', 'OP_83', 'SHA3', 'OP_80', 'SLOAD', 'PUSH32', 'AND', 'PUSH1', 'OR', 'OP_90', 'SSTORE', 'OP_90', 'OP_86', 'ADD', 'MLOAD', 'PUSH1', 'OP_80', 'SLOAD', 'PUSH20', 'OP_90', 'OP_92', 'AND', 'PUSH32', 'OP_90', 'OP_92', 'AND', 'OP_91', 'OP_90', 'OP_91', 'OR', 'OP_90', 'SSTORE', 'OP_85', 'ADD', 'MLOAD', 'PUSH1', 'OP_86', 'ADD', 'MLOAD', 'PUSH1', 'OP_87', 'ADD', 'MLOAD', 'PUSH1', 'OP_88', 'ADD', 'MLOAD', 'PUSH2', 'OP_93', 'OP_92', 'OP_91', 'OP_90', 'PUSH2', 'JUMP']
block 6266 6366 ['JUMPDEST', 'PUSH1', 'OP_80', 'SLOAD', 'PUSH32', 'AND', 'PUSH2', 'OR', 'OP_90', 'SSTORE', 'PUSH1', 'MLOAD', 'OP_90', 'OP_91', 'POP', 'OP_84', 'OP_90', 'PUSH32', 'OP_90', 'PUSH2', 'OP_90', 'OP_84', 'ISZERO', 'ISZERO', 'OP_81', 'MSTORE', 'PUSH1', 'ADD', 'OP_90', 'JUMP']
block 6697 6746 ['JUMPDEST', 'PUSH1', 'OP_80', 'SLOAD', 'PUSH32', 'AND', 'PUSH1', 'OR', 'OP_90', 'SSTORE', 'OP_80', 'ISZERO', 'PUSH2', 'JUMPI']
block 6747 6790 ['PUSH1', 'OP_80', 'SLOAD', 'PUSH32', 'AND', 'PUSH2', 'OR', 'OP_90', 'SSTORE']
block 6791 6888 ['JUMPDEST', 'PUSH1', 'OP_80', 'SLOAD', 'PUSH32', 'AND', 'PUSH2', 'OR', 'OP_90', 'SSTORE', 'PUSH1', 'OP_80', 'SLOAD', 'OP_83', 'ISZERO', 'ISZERO', 'PUSH32', 'OP_90', 'OP_91', 'AND', 'OR', 'OP_90', 'SSTORE', 'PUSH2', 'PUSH2', 'JUMP']
block 6896 6987 ['PUSH1', 'OP_80', 'SLOAD', 'PUSH32', 'AND', 'OP_90', 'SSTORE', 'PUSH1', 'MLOAD', 'PUSH1', 'OP_81', 'MSTORE', 'PUSH32', 'OP_90', 'PUSH1', 'ADD', 'PUSH1', 'MLOAD', 'OP_80', 'OP_91', 'SUB', 'OP_90', 'OP_A1']
block 7367 7429 ['JUMPDEST', 'PUSH16', 'AND', 'PUSH25', 'PUSH8', 'NUMBER', 'AND', 'MUL', 'OR', 'PUSH1', 'SSTORE', 'POP', 'POP']
block 7481 7572 ['JUMPDEST', 'OP_92', 'POP', 'PUSH2', 'EXP', 'OP_81', 'SLOAD', 'OP_81', 'PUSH8', 'MUL', 'NOT', 'AND', 'OP_90', 'OP_83', 'PUSH8', 'AND', 'MUL', 'OR', 'OP_90', 'SSTORE', 'POP', 'OP_81', 'PUSH1', 'ADD', 'MLOAD', 'PUSH4', 'AND', 'PUSH1', 'PUSH1', 'ADD', 'PUSH1', 'OP_90', 'SLOAD', 'OP_90', 'PUSH2', 'EXP', 'OP_90', 'DIV', 'PUSH8', 'AND', 'PUSH8', 'AND', 'SGT', 'ISZERO', 'PUSH2', 'JUMPI']
block 8730 8805 ['JUMPDEST', 'PUSH1', 'OP_80', 'MLOAD', 'PUSH1', 'OP_81', 'ADD', 'OP_82', 'MSTORE', 'PUSH4', 'OP_80', 'OP_82', 'MSTORE', 'PUSH1', 'PUSH1', 'OP_83', 'ADD', 'MSTORE', 'NUMBER', 'PUSH8', 'AND', 'OP_91', 'OP_90', 'OP_92', 'ADD', 'OP_81', 'OP_90', 'MSTORE', 'PUSH25', 'MUL', 'OR', 'PUSH1', 'SSTORE', 'JUMP']
total 12
thinking
**Analyzing smart contract storage and security**
I'm examining numerous storage operations and how the contract employs guards like `tx.origin` and `msg.sender == 0xffff...` for access control. The contract seems to use calls (including a self-call) with limited evidence of reentrancy protections, so I'll carefully highlight a potential phishing risk from `tx.origin` usage and missing external call return checks, while noting no delegatecall or proxy patterns. I want to clarify storage slot usage, signature verification, and whether these guards protect critical functions to form conservative security findings.
thinking
**Evaluating access control and call patterns**
I'm pinpointing `tx.origin` guard usage at specific program counters and examining hardcoded privileged addresses like 0xffff... which may restrict function access but likely not security flaws. I’m also analyzing external call behavior, especially regarding return value checks, but unclear evidence prevents firm conclusions. Overall, I’m gathering evidence to detail findings on authorization checks and call handling while avoiding speculative claims.
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
blocks=data['analysis_artifact']['artifact_json']['basic_blocks']
for b in blocks:
if 'ORIGIN' in b.get('opcodes',[]):
print('block',b['start_pc'],b['end_pc'],b['opcodes'])
PY" in /tmp/codex-_7zy0me3 succeeded in 35ms:
block 1511 1519 ['JUMPDEST', 'CALLER', 'ORIGIN', 'OP_81', 'EQ', 'PUSH2', 'JUMPI']
block 6384 6388 ['POP', 'ORIGIN', 'PUSH1', 'EQ']
thinking
**Analyzing tx.origin usage in access control**
exec
/bin/bash -lc "python - <<'PY'
import json
with open('BYTECODE_BUNDLE.json') as f:
data=json.load(f)
blocks=[b for b in data['analysis_artifact']['artifact_json']['basic_blocks'] if 1450<=b.get('start_pc')<=1600]
for b in sorted(blocks,key=lambda x:x['start_pc']):
print('block',b['start_pc'],b['end_pc'])
print(b['opcodes'])
PY" in /tmp/codex-_7zy0me3 succeeded in 35ms:
block 1511 1519
['JUMPDEST', 'CALLER', 'ORIGIN', 'OP_81', 'EQ', 'PUSH2', 'JUMPI']
block 1520 1543
['POP', 'CALLER', 'PUSH20', 'ADD']
block 1544 1570
['JUMPDEST', 'PUSH1', 'CALLVALUE', 'OP_88', 'OP_88', 'OP_88', 'OP_88', 'PUSH1', 'MLOAD', 'PUSH1', 'ADD', 'PUSH2', 'OP_95', 'OP_94', 'OP_93', 'OP_92', 'OP_91', 'OP_90', 'PUSH2', 'JUMP']
block 1571 1682
['JUMPDEST', 'PUSH1', 'MLOAD', 'PUSH1', 'OP_81', 'OP_83', 'SUB', 'SUB', 'OP_81', 'MSTORE', 'OP_90', 'PUSH1', 'MSTORE', 'OP_90', 'POP', 'PUSH1', 'OP_89', 'PUSH20', 'AND', 'OP_83', 'PUSH20', 'AND', 'PUSH32', 'OP_84', 'PUSH1', 'MLOAD', 'PUSH2', 'OP_91', 'OP_90', 'PUSH2', 'JUMP']
thinking
**Analyzing tx.origin usage and call risks**
I'm piecing together how the contract uses tx.origin for restricting execution, suspecting it’s meant to limit calls to EOAs but recognizing this is a risky anti-pattern that can break smart contract wallets and potentially be bypassed via delegatecall wrappers. There’s a computed CALL that might enable reentrancy if unguarded, though evidence is slim; overall, I’m leaning toward a medium-severity finding highlighting the improper use of tx.origin and potential untrusted external calls, backing it with precise bytecode references for clarity.
codex
{"no_findings":false,"summary":"Bytecode inspection shows tx.origin is used in conditional checks that appear to gate execution; no delegatecall or proxy/upgrade patterns detected in this implementation.","findings":[{"severity":"low","category":"access_control","title":"tx.origin-based gating/authorization is fragile and can be bypassed or break smart contract wallet support","exploit_scenario":"If a privileged path relies on tx.origin (e.g., msg.sender == tx.origin or origin comparisons) as its primary gate, a malicious contract can potentially bypass intent via delegatecall-based wrappers or by tricking an authorized EOA into initiating a transaction, leading to unintended execution of sensitive logic. Even when used as an \"EOA-only\" check, it blocks contract wallets and meta-transactions, and provides weak security guarantees.","recommendation":"Avoid tx.origin for authorization. Use msg.sender plus explicit role/owner checks and, if EOA-only behavior is truly needed, rely on explicit allowlists or signature-based authorization that works with smart accounts.","evidence":"Basic block at pc 0x5e7 shows `CALLER`, `ORIGIN`, `DUP2`, `EQ`, `JUMPI`, indicating a msg.sender == tx.origin check. Another origin equality check appears at pc 0x18f0 (`ORIGIN`, `PUSH1`, `EQ`). Detector summary flags tx_origin_used at these PCs.","locations":["pc:0x5e7","pc:0x18f0"]}]}
tokens used
53,869
{
"codex": {
"ran_at": "2026-01-10T22:56:57.794220+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 43900,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "Bytecode inspection shows tx.origin is used in conditional checks that appear to gate execution; no delegatecall or proxy/upgrade patterns detected in this implementation.",
"raw_final": {
"summary": "Bytecode inspection shows tx.origin is used in conditional checks that appear to gate execution; no delegatecall or proxy/upgrade patterns detected in this implementation.",
"findings": [
{
"title": "tx.origin-based gating/authorization is fragile and can be bypassed or break smart contract wallet support",
"category": "access_control",
"evidence": "Basic block at pc 0x5e7 shows `CALLER`, `ORIGIN`, `DUP2`, `EQ`, `JUMPI`, indicating a msg.sender == tx.origin check. Another origin equality check appears at pc 0x18f0 (`ORIGIN`, `PUSH1`, `EQ`). Detector summary flags tx_origin_used at these PCs.",
"severity": "low",
"locations": [
"pc:0x5e7",
"pc:0x18f0"
],
"recommendation": "Avoid tx.origin for authorization. Use msg.sender plus explicit role/owner checks and, if EOA-only behavior is truly needed, rely on explicit allowlists or signature-based authorization that works with smart accounts.",
"exploit_scenario": "If a privileged path relies on tx.origin (e.g., msg.sender == tx.origin or origin comparisons) as its primary gate, a malicious contract can potentially bypass intent via delegatecall-based wrappers or by tricking an authorized EOA into initiating a transaction, leading to unintended execution of sensitive logic. Even when used as an \"EOA-only\" check, it blocks contract wallets and meta-transactions, and provides weak security guarantees."
}
],
"no_findings": false
},
"no_findings": false,
"proxy_context": {
"proxy_run_id": "019ba9bc-ecb2-71f9-8ac6-8e077355b1d4",
"proxy_address": "0x0d6e11e2a3b2b3a245bf839c07d775983acb787d",
"implementation_run_id": "019ba9bd-8206-7335-b79d-7b327b7d19bd",
"implementation_address": "0xa6f27fa3c60ec70d5ac7ea53cad339498bc1580e"
},
"schema_version": 1
}
00000000: PUSH1 0x80 00000002: PUSH1 0x40 00000004: MSTORE 00000005: PUSH1 0x04 00000007: CALLDATASIZE 00000008: LT 00000009: PUSH2 0x005e 0000000c: JUMPI 0000000d: PUSH1 0x00 0000000f: CALLDATALOAD 00000010: PUSH1 0xe0 00000012: SHR 00000013: DUP1 00000014: PUSH4 0x5c60da1b 00000019: GT 0000001a: PUSH2 0x0043 0000001d: JUMPI 0000001e: DUP1 0000001f: PUSH4 0x5c60da1b 00000024: EQ 00000025: PUSH2 0x00be 00000028: JUMPI 00000029: DUP1 0000002a: PUSH4 0x8f283970 0000002f: EQ 00000030: PUSH2 0x00f8 00000033: JUMPI 00000034: DUP1 00000035: PUSH4 0xf851a440 0000003a: EQ 0000003b: PUSH2 0x0118 0000003e: JUMPI 0000003f: PUSH2 0x006d 00000042: JUMP 00000043: JUMPDEST 00000044: DUP1 00000045: PUSH4 0x3659cfe6 0000004a: EQ 0000004b: PUSH2 0x0075 0000004e: JUMPI 0000004f: DUP1 00000050: PUSH4 0x4f1ef286 00000055: EQ 00000056: PUSH2 0x0095 00000059: JUMPI 0000005a: PUSH2 0x006d 0000005d: JUMP 0000005e: JUMPDEST 0000005f: CALLDATASIZE 00000060: PUSH2 0x006d 00000063: JUMPI 00000064: PUSH2 0x006b 00000067: PUSH2 0x012d 0000006a: JUMP 0000006b: JUMPDEST 0000006c: STOP 0000006d: JUMPDEST 0000006e: PUSH2 0x006b 00000071: PUSH2 0x012d 00000074: JUMP 00000075: JUMPDEST 00000076: CALLVALUE 00000077: DUP1 00000078: ISZERO 00000079: PUSH2 0x0081 0000007c: JUMPI 0000007d: PUSH1 0x00 0000007f: DUP1 00000080: REVERT 00000081: JUMPDEST 00000082: POP 00000083: PUSH2 0x006b 00000086: PUSH2 0x0090 00000089: CALLDATASIZE 0000008a: PUSH1 0x04 0000008c: PUSH2 0x06d9 0000008f: JUMP 00000090: JUMPDEST 00000091: PUSH2 0x0224 00000094: JUMP 00000095: JUMPDEST 00000096: PUSH2 0x00a8 00000099: PUSH2 0x00a3 0000009c: CALLDATASIZE 0000009d: PUSH1 0x04 0000009f: PUSH2 0x06f4 000000a2: JUMP 000000a3: JUMPDEST 000000a4: PUSH2 0x0296 000000a7: JUMP 000000a8: JUMPDEST 000000a9: PUSH1 0x40 000000ab: MLOAD 000000ac: PUSH2 0x00b5 000000af: SWAP2 000000b0: SWAP1 000000b1: PUSH2 0x0777 000000b4: JUMP 000000b5: JUMPDEST 000000b6: PUSH1 0x40 000000b8: MLOAD 000000b9: DUP1 000000ba: SWAP2 000000bb: SUB 000000bc: SWAP1 000000bd: RETURN 000000be: JUMPDEST 000000bf: CALLVALUE 000000c0: DUP1 000000c1: ISZERO 000000c2: PUSH2 0x00ca 000000c5: JUMPI 000000c6: PUSH1 0x00 000000c8: DUP1 000000c9: REVERT 000000ca: JUMPDEST 000000cb: POP 000000cc: PUSH2 0x00d3 000000cf: PUSH2 0x0419 000000d2: JUMP 000000d3: JUMPDEST 000000d4: PUSH1 0x40 000000d6: MLOAD 000000d7: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000000ec: SWAP1 000000ed: SWAP2 000000ee: AND 000000ef: DUP2 000000f0: MSTORE 000000f1: PUSH1 0x20 000000f3: ADD 000000f4: PUSH2 0x00b5 000000f7: JUMP 000000f8: JUMPDEST 000000f9: CALLVALUE 000000fa: DUP1 000000fb: ISZERO 000000fc: PUSH2 0x0104 000000ff: JUMPI 00000100: PUSH1 0x00 00000102: DUP1 00000103: REVERT 00000104: JUMPDEST 00000105: POP 00000106: PUSH2 0x006b 00000109: PUSH2 0x0113 0000010c: CALLDATASIZE 0000010d: PUSH1 0x04 0000010f: PUSH2 0x06d9 00000112: JUMP 00000113: JUMPDEST 00000114: PUSH2 0x04b0 00000117: JUMP 00000118: JUMPDEST 00000119: CALLVALUE 0000011a: DUP1 0000011b: ISZERO 0000011c: PUSH2 0x0124 0000011f: JUMPI 00000120: PUSH1 0x00 00000122: DUP1 00000123: REVERT 00000124: JUMPDEST 00000125: POP 00000126: PUSH2 0x00d3 00000129: PUSH2 0x0517 0000012c: JUMP 0000012d: JUMPDEST 0000012e: PUSH1 0x00 00000130: PUSH2 0x0157 00000133: PUSH32 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc 00000154: SLOAD 00000155: SWAP1 00000156: JUMP 00000157: JUMPDEST 00000158: SWAP1 00000159: POP 0000015a: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000016f: DUP2 00000170: AND 00000171: PUSH2 0x0201 00000174: JUMPI 00000175: PUSH1 0x40 00000177: MLOAD 00000178: PUSH32 0x08c379a000000000000000000000000000000000000000000000000000000000 00000199: DUP2 0000019a: MSTORE 0000019b: PUSH1 0x20 0000019d: PUSH1 0x04 0000019f: DUP3 000001a0: ADD 000001a1: MSTORE 000001a2: PUSH1 0x25 000001a4: PUSH1 0x24 000001a6: DUP3 000001a7: ADD 000001a8: MSTORE 000001a9: PUSH32 0x50726f78793a20696d706c656d656e746174696f6e206e6f7420696e69746961 000001ca: PUSH1 0x44 000001cc: DUP3 000001cd: ADD 000001ce: MSTORE 000001cf: PUSH32 0x6c697a6564000000000000000000000000000000000000000000000000000000 000001f0: PUSH1 0x64 000001f2: DUP3 000001f3: ADD 000001f4: MSTORE 000001f5: PUSH1 0x84 000001f7: ADD 000001f8: JUMPDEST 000001f9: PUSH1 0x40 000001fb: MLOAD 000001fc: DUP1 000001fd: SWAP2 000001fe: SUB 000001ff: SWAP1 00000200: REVERT 00000201: JUMPDEST 00000202: CALLDATASIZE 00000203: PUSH1 0x00 00000205: DUP1 00000206: CALLDATACOPY 00000207: PUSH1 0x00 00000209: DUP1 0000020a: CALLDATASIZE 0000020b: PUSH1 0x00 0000020d: DUP5 0000020e: GAS 0000020f: DELEGATECALL 00000210: RETURNDATASIZE 00000211: PUSH1 0x00 00000213: DUP1 00000214: RETURNDATACOPY 00000215: DUP1 00000216: PUSH2 0x021e 00000219: JUMPI 0000021a: RETURNDATASIZE 0000021b: PUSH1 0x00 0000021d: REVERT 0000021e: JUMPDEST 0000021f: POP 00000220: RETURNDATASIZE 00000221: PUSH1 0x00 00000223: RETURN 00000224: JUMPDEST 00000225: PUSH32 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103 00000246: SLOAD 00000247: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000025c: AND 0000025d: CALLER 0000025e: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000273: AND 00000274: EQ 00000275: DUP1 00000276: PUSH2 0x027d 00000279: JUMPI 0000027a: POP 0000027b: CALLER 0000027c: ISZERO 0000027d: JUMPDEST 0000027e: ISZERO 0000027f: PUSH2 0x028e 00000282: JUMPI 00000283: PUSH2 0x028b 00000286: DUP2 00000287: PUSH2 0x05a3 0000028a: JUMP 0000028b: JUMPDEST 0000028c: POP 0000028d: JUMP 0000028e: JUMPDEST 0000028f: PUSH2 0x028b 00000292: PUSH2 0x012d 00000295: JUMP 00000296: JUMPDEST 00000297: PUSH1 0x60 00000299: PUSH2 0x02c0 0000029c: PUSH32 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103 000002bd: SLOAD 000002be: SWAP1 000002bf: JUMP 000002c0: JUMPDEST 000002c1: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000002d6: AND 000002d7: CALLER 000002d8: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000002ed: AND 000002ee: EQ 000002ef: DUP1 000002f0: PUSH2 0x02f7 000002f3: JUMPI 000002f4: POP 000002f5: CALLER 000002f6: ISZERO 000002f7: JUMPDEST 000002f8: ISZERO 000002f9: PUSH2 0x040a 000002fc: JUMPI 000002fd: PUSH2 0x0305 00000300: DUP5 00000301: PUSH2 0x05a3 00000304: JUMP 00000305: JUMPDEST 00000306: PUSH1 0x00 00000308: DUP1 00000309: DUP6 0000030a: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000031f: AND 00000320: DUP6 00000321: DUP6 00000322: PUSH1 0x40 00000324: MLOAD 00000325: PUSH2 0x032f 00000328: SWAP3 00000329: SWAP2 0000032a: SWAP1 0000032b: PUSH2 0x07ea 0000032e: JUMP 0000032f: JUMPDEST 00000330: PUSH1 0x00 00000332: PUSH1 0x40 00000334: MLOAD 00000335: DUP1 00000336: DUP4 00000337: SUB 00000338: DUP2 00000339: DUP6 0000033a: GAS 0000033b: DELEGATECALL 0000033c: SWAP2 0000033d: POP 0000033e: POP 0000033f: RETURNDATASIZE 00000340: DUP1 00000341: PUSH1 0x00 00000343: DUP2 00000344: EQ 00000345: PUSH2 0x036a 00000348: JUMPI 00000349: PUSH1 0x40 0000034b: MLOAD 0000034c: SWAP2 0000034d: POP 0000034e: PUSH1 0x1f 00000350: NOT 00000351: PUSH1 0x3f 00000353: RETURNDATASIZE 00000354: ADD 00000355: AND 00000356: DUP3 00000357: ADD 00000358: PUSH1 0x40 0000035a: MSTORE 0000035b: RETURNDATASIZE 0000035c: DUP3 0000035d: MSTORE 0000035e: RETURNDATASIZE 0000035f: PUSH1 0x00 00000361: PUSH1 0x20 00000363: DUP5 00000364: ADD 00000365: RETURNDATACOPY 00000366: PUSH2 0x036f 00000369: JUMP 0000036a: JUMPDEST 0000036b: PUSH1 0x60 0000036d: SWAP2 0000036e: POP 0000036f: JUMPDEST 00000370: POP 00000371: SWAP2 00000372: POP 00000373: SWAP2 00000374: POP 00000375: DUP2 00000376: PUSH2 0x0401 00000379: JUMPI 0000037a: PUSH1 0x40 0000037c: MLOAD 0000037d: PUSH32 0x08c379a000000000000000000000000000000000000000000000000000000000 0000039e: DUP2 0000039f: MSTORE 000003a0: PUSH1 0x20 000003a2: PUSH1 0x04 000003a4: DUP3 000003a5: ADD 000003a6: MSTORE 000003a7: PUSH1 0x39 000003a9: PUSH1 0x24 000003ab: DUP3 000003ac: ADD 000003ad: MSTORE 000003ae: PUSH32 0x50726f78793a2064656c656761746563616c6c20746f206e657720696d706c65 000003cf: PUSH1 0x44 000003d1: DUP3 000003d2: ADD 000003d3: MSTORE 000003d4: PUSH32 0x6d656e746174696f6e20636f6e7472616374206661696c656400000000000000 000003f5: PUSH1 0x64 000003f7: DUP3 000003f8: ADD 000003f9: MSTORE 000003fa: PUSH1 0x84 000003fc: ADD 000003fd: PUSH2 0x01f8 00000400: JUMP 00000401: JUMPDEST 00000402: SWAP2 00000403: POP 00000404: PUSH2 0x0412 00000407: SWAP1 00000408: POP 00000409: JUMP 0000040a: JUMPDEST 0000040b: PUSH2 0x0412 0000040e: PUSH2 0x012d 00000411: JUMP 00000412: JUMPDEST 00000413: SWAP4 00000414: SWAP3 00000415: POP 00000416: POP 00000417: POP 00000418: JUMP 00000419: JUMPDEST 0000041a: PUSH1 0x00 0000041c: PUSH2 0x0443 0000041f: PUSH32 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103 00000440: SLOAD 00000441: SWAP1 00000442: JUMP 00000443: JUMPDEST 00000444: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000459: AND 0000045a: CALLER 0000045b: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000470: AND 00000471: EQ 00000472: DUP1 00000473: PUSH2 0x047a 00000476: JUMPI 00000477: POP 00000478: CALLER 00000479: ISZERO 0000047a: JUMPDEST 0000047b: ISZERO 0000047c: PUSH2 0x04a5 0000047f: JUMPI 00000480: POP 00000481: PUSH32 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc 000004a2: SLOAD 000004a3: SWAP1 000004a4: JUMP 000004a5: JUMPDEST 000004a6: PUSH2 0x04ad 000004a9: PUSH2 0x012d 000004ac: JUMP 000004ad: JUMPDEST 000004ae: SWAP1 000004af: JUMP 000004b0: JUMPDEST 000004b1: PUSH32 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103 000004d2: SLOAD 000004d3: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000004e8: AND 000004e9: CALLER 000004ea: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000004ff: AND 00000500: EQ 00000501: DUP1 00000502: PUSH2 0x0509 00000505: JUMPI 00000506: POP 00000507: CALLER 00000508: ISZERO 00000509: JUMPDEST 0000050a: ISZERO 0000050b: PUSH2 0x028e 0000050e: JUMPI 0000050f: PUSH2 0x028b 00000512: DUP2 00000513: PUSH2 0x060b 00000516: JUMP 00000517: JUMPDEST 00000518: PUSH1 0x00 0000051a: PUSH2 0x0541 0000051d: PUSH32 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103 0000053e: SLOAD 0000053f: SWAP1 00000540: JUMP 00000541: JUMPDEST 00000542: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000557: AND 00000558: CALLER 00000559: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000056e: AND 0000056f: EQ 00000570: DUP1 00000571: PUSH2 0x0578 00000574: JUMPI 00000575: POP 00000576: CALLER 00000577: ISZERO 00000578: JUMPDEST 00000579: ISZERO 0000057a: PUSH2 0x04a5 0000057d: JUMPI 0000057e: POP 0000057f: PUSH32 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103 000005a0: SLOAD 000005a1: SWAP1 000005a2: JUMP 000005a3: JUMPDEST 000005a4: PUSH32 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc 000005c5: DUP2 000005c6: SWAP1 000005c7: SSTORE 000005c8: PUSH1 0x40 000005ca: MLOAD 000005cb: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000005e0: DUP3 000005e1: AND 000005e2: SWAP1 000005e3: PUSH32 0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b 00000604: SWAP1 00000605: PUSH1 0x00 00000607: SWAP1 00000608: LOG2 00000609: POP 0000060a: JUMP 0000060b: JUMPDEST 0000060c: PUSH1 0x00 0000060e: PUSH2 0x0635 00000611: PUSH32 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103 00000632: SLOAD 00000633: SWAP1 00000634: JUMP 00000635: JUMPDEST 00000636: PUSH32 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103 00000657: DUP4 00000658: SWAP1 00000659: SSTORE 0000065a: PUSH1 0x40 0000065c: DUP1 0000065d: MLOAD 0000065e: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000673: DUP1 00000674: DUP5 00000675: AND 00000676: DUP3 00000677: MSTORE 00000678: DUP6 00000679: AND 0000067a: PUSH1 0x20 0000067c: DUP3 0000067d: ADD 0000067e: MSTORE 0000067f: SWAP2 00000680: SWAP3 00000681: POP 00000682: PUSH32 0x7e644d79422f17c01e4894b5f4f588d331ebfa28653d42ae832dc59e38c9798f 000006a3: SWAP2 000006a4: ADD 000006a5: PUSH1 0x40 000006a7: MLOAD 000006a8: DUP1 000006a9: SWAP2 000006aa: SUB 000006ab: SWAP1 000006ac: LOG1 000006ad: POP 000006ae: POP 000006af: JUMP 000006b0: JUMPDEST 000006b1: DUP1 000006b2: CALLDATALOAD 000006b3: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000006c8: DUP2 000006c9: AND 000006ca: DUP2 000006cb: EQ 000006cc: PUSH2 0x06d4 000006cf: JUMPI 000006d0: PUSH1 0x00 000006d2: DUP1 000006d3: REVERT 000006d4: JUMPDEST 000006d5: SWAP2 000006d6: SWAP1 000006d7: POP 000006d8: JUMP 000006d9: JUMPDEST 000006da: PUSH1 0x00 000006dc: PUSH1 0x20 000006de: DUP3 000006df: DUP5 000006e0: SUB 000006e1: SLT 000006e2: ISZERO 000006e3: PUSH2 0x06eb 000006e6: JUMPI 000006e7: PUSH1 0x00 000006e9: DUP1 000006ea: REVERT 000006eb: JUMPDEST 000006ec: PUSH2 0x0412 000006ef: DUP3 000006f0: PUSH2 0x06b0 000006f3: JUMP 000006f4: JUMPDEST 000006f5: PUSH1 0x00 000006f7: DUP1 000006f8: PUSH1 0x00 000006fa: PUSH1 0x40 000006fc: DUP5 000006fd: DUP7 000006fe: SUB 000006ff: SLT 00000700: ISZERO 00000701: PUSH2 0x0709 00000704: JUMPI 00000705: PUSH1 0x00 00000707: DUP1 00000708: REVERT 00000709: JUMPDEST 0000070a: PUSH2 0x0712 0000070d: DUP5 0000070e: PUSH2 0x06b0 00000711: JUMP 00000712: JUMPDEST 00000713: SWAP3 00000714: POP 00000715: PUSH1 0x20 00000717: DUP5 00000718: ADD 00000719: CALLDATALOAD 0000071a: PUSH8 0xffffffffffffffff 00000723: DUP1 00000724: DUP3 00000725: GT 00000726: ISZERO 00000727: PUSH2 0x072f 0000072a: JUMPI 0000072b: PUSH1 0x00 0000072d: DUP1 0000072e: REVERT 0000072f: JUMPDEST 00000730: DUP2 00000731: DUP7 00000732: ADD 00000733: SWAP2 00000734: POP 00000735: DUP7 00000736: PUSH1 0x1f 00000738: DUP4 00000739: ADD 0000073a: SLT 0000073b: PUSH2 0x0743 0000073e: JUMPI 0000073f: PUSH1 0x00 00000741: DUP1 00000742: REVERT 00000743: JUMPDEST 00000744: DUP2 00000745: CALLDATALOAD 00000746: DUP2 00000747: DUP2 00000748: GT 00000749: ISZERO 0000074a: PUSH2 0x0752 0000074d: JUMPI 0000074e: PUSH1 0x00 00000750: DUP1 00000751: REVERT 00000752: JUMPDEST 00000753: DUP8 00000754: PUSH1 0x20 00000756: DUP3 00000757: DUP6 00000758: ADD 00000759: ADD 0000075a: GT 0000075b: ISZERO 0000075c: PUSH2 0x0764 0000075f: JUMPI 00000760: PUSH1 0x00 00000762: DUP1 00000763: REVERT 00000764: JUMPDEST 00000765: PUSH1 0x20 00000767: DUP4 00000768: ADD 00000769: SWAP5 0000076a: POP 0000076b: DUP1 0000076c: SWAP4 0000076d: POP 0000076e: POP 0000076f: POP 00000770: POP 00000771: SWAP3 00000772: POP 00000773: SWAP3 00000774: POP 00000775: SWAP3 00000776: JUMP 00000777: JUMPDEST 00000778: PUSH1 0x00 0000077a: PUSH1 0x20 0000077c: DUP1 0000077d: DUP4 0000077e: MSTORE 0000077f: DUP4 00000780: MLOAD 00000781: DUP1 00000782: DUP3 00000783: DUP6 00000784: ADD 00000785: MSTORE 00000786: PUSH1 0x00 00000788: JUMPDEST 00000789: DUP2 0000078a: DUP2 0000078b: LT 0000078c: ISZERO 0000078d: PUSH2 0x07a4 00000790: JUMPI 00000791: DUP6 00000792: DUP2 00000793: ADD 00000794: DUP4 00000795: ADD 00000796: MLOAD 00000797: DUP6 00000798: DUP3 00000799: ADD 0000079a: PUSH1 0x40 0000079c: ADD 0000079d: MSTORE 0000079e: DUP3 0000079f: ADD 000007a0: PUSH2 0x0788 000007a3: JUMP 000007a4: JUMPDEST 000007a5: DUP2 000007a6: DUP2 000007a7: GT 000007a8: ISZERO 000007a9: PUSH2 0x07b6 000007ac: JUMPI 000007ad: PUSH1 0x00 000007af: PUSH1 0x40 000007b1: DUP4 000007b2: DUP8 000007b3: ADD 000007b4: ADD 000007b5: MSTORE 000007b6: JUMPDEST 000007b7: POP 000007b8: PUSH1 0x1f 000007ba: ADD 000007bb: PUSH32 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe0 000007dc: AND 000007dd: SWAP3 000007de: SWAP1 000007df: SWAP3 000007e0: ADD 000007e1: PUSH1 0x40 000007e3: ADD 000007e4: SWAP4 000007e5: SWAP3 000007e6: POP 000007e7: POP 000007e8: POP 000007e9: JUMP 000007ea: JUMPDEST 000007eb: DUP2 000007ec: DUP4 000007ed: DUP3 000007ee: CALLDATACOPY 000007ef: PUSH1 0x00 000007f1: SWAP2 000007f2: ADD 000007f3: SWAP1 000007f4: DUP2 000007f5: MSTORE 000007f6: SWAP2 000007f7: SWAP1 000007f8: POP 000007f9: JUMP 000007fa: INVALID 000007fb: LOG1 000007fc: PUSH5 0x736f6c6343 00000802: STOP 00000803: ADDMOD 00000804: UNKNOWN(0x0F) 00000805: STOP 00000806: EXP
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | upgradeability | detector | Untrusted DELEGATECALL target reachable | 55 | no | no |
viewtrace_id: 0x261afe02bcd224825583fa777f30abe5f70328a8f06bd1add533f73c8a1c1975
call_targets:
0xa6f27fa3c60ec70d5ac7ea53cad339498bc1580e
target_varies:
no
classification:
constant_target
validation_json{
"sink": "DELEGATECALL",
"errors": 0,
"status": "sink_reached",
"attempts": 1,
"trace_id": "0x261afe02bcd224825583fa777f30abe5f70328a8f06bd1add533f73c8a1c1975",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0xa6f27fa3c60ec70d5ac7ea53cad339498bc1580e"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x5c60da1b",
"selector": "0x5c60da1b",
"calldata_variants": [
"0x5c60da1b",
"0x5c60da1b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x8f283970",
"selector": "0x8f283970",
"calldata_variants": [
"0x8f283970",
"0x8f2839700000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xf851a440",
"selector": "0xf851a440",
"calldata_variants": [
"0xf851a440",
"0xf851a4400000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x3659cfe6",
"selector": "0x3659cfe6",
"calldata_variants": [
"0x3659cfe6",
"0x3659cfe60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x4f1ef286",
"selector": "0x4f1ef286",
"calldata_variants": [
"0x4f1ef286",
"0x4f1ef2860000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 527,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
},
{
"pc": 827,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
}
],
"guards_detected": [
{
"pc": 605,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
},
{
"pc": 727,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
},
{
"pc": 1114,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
},
{
"pc": 1257,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
},
{
"pc": 1368,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
}
],
"delegatecall_count": 2,
"untrusted_delegatecall_count": 2
}
|
| medium | upgradeability | cast | DELEGATECALL present | 80 | no | — |
viewevidence_json{
"notes": "delegatecall enables execution in caller context; common in proxies/upgradeable patterns",
"delegatecall_count": 2
}
|
| low | access_control | codex | tx.origin-based gating/authorization is fragile and can be bypassed or break smart contract wallet support | 65 | no | — |
viewevidence_json{
"evidence": "Basic block at pc 0x5e7 shows `CALLER`, `ORIGIN`, `DUP2`, `EQ`, `JUMPI`, indicating a msg.sender == tx.origin check. Another origin equality check appears at pc 0x18f0 (`ORIGIN`, `PUSH1`, `EQ`). Detector summary flags tx_origin_used at these PCs.",
"locations": [
"pc:0x5e7",
"pc:0x18f0"
],
"recommendation": "Avoid tx.origin for authorization. Use msg.sender plus explicit role/owner checks and, if EOA-only behavior is truly needed, rely on explicit allowlists or signature-based authorization that works with smart accounts.",
"exploit_scenario": "If a privileged path relies on tx.origin (e.g., msg.sender == tx.origin or origin comparisons) as its primary gate, a malicious contract can potentially bypass intent via delegatecall-based wrappers or by tricking an authorized EOA into initiating a transaction, leading to unintended execution of sensitive logic. Even when used as an \"EOA-only\" check, it blocks contract wallets and meta-transactions, and provides weak security guarantees."
}
|