019ba9bc-ecbc-739d-b105-b2a1c740223d
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 37874 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 37875 | proxy.resolve | complete | 1 / 3 | 3 months ago |
| 37876 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 37877 | analysis.bundle | complete | 1 / 3 | 3 months ago |
| 37878 | capability.graph | complete | 1 / 3 | 3 months ago |
| 37879 | detector.run | complete | 1 / 3 | 3 months ago |
| 37880 | validation.fork | complete | 1 / 3 | 3 months ago |
| 37959 | report.consolidate | complete | 1 / 6 | 3 months ago |
{
"status": "not_proxy"
}
No slither job recorded yet.
{"no_findings":false,"summary":"Found two issues: ProfitContainer trusts an owner-controlled token address for payouts, and the token uses the standard approve race pattern that can enable allowance double-spends.","findings":[{"severity":"medium","category":"access_control","title":"Owner can swap token contract to arbitrary address and drain ProfitContainer","exploit_scenario":"The owner calls changeTokenContract to point tokenCtr at a malicious contract that returns lock()=true, totalSupply()=1, and balanceOf(attacker)=1. The attacker then calls withdrawalProfit to receive essentially all ETH in ProfitContainer because payout math trusts tokenCtr’s responses.","recommendation":"Restrict token changes with a timelock/multisig and/or remove the ability to change tokenCtr after deployment. At minimum, validate the new token contract (code hash or interface checks) and consider snapshotting a fixed token address for payouts.","evidence":"ProfitContainer.withdrawalProfit trusts tokenCtr.balanceOf/totalSupply/lock without verifying the token contract, and changeTokenContract is owner-only with no safeguards.","locations":["contracts/Contract.sol:301","contracts/Contract.sol:330"]},{"severity":"low","category":"auth","title":"ERC20 approve race condition allows double-spend of allowances","exploit_scenario":"If an allowance is changed from X to Y, a spender can front‑run the approval change and spend X before the update, then spend Y after it, effectively using both allowances.","recommendation":"Use the safe allowance pattern (require setting to 0 before a new non‑zero value) or add increaseAllowance/decreaseAllowance functions.","evidence":"approve overwrites the allowance directly without requiring a zero‑reset, enabling the known ERC20 allowance race.","locations":["contracts/Contract.sol:165"]}]}
OpenAI Codex v0.77.0 (research preview)
--------
workdir: /tmp/codex-cdsmfo3l
model: gpt-5.2-codex
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: auto
session id: 019baa21-ab14-7c90-bc20-cc72d2f0fa5d
--------
user
You are a security auditor. Audit this Solidity codebase for exploitable vulnerabilities.
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation, oracle manipulation,
accounting/invariant breaks, external call patterns, unchecked return values, and dangerous delegatecall.
Scope rules:
- You MUST fully read `AUDIT_BUNDLE.txt` before concluding. It contains the complete contents of all first-party Solidity sources in this workspace.
- Treat `lib/` and `@openzeppelin/` as third-party dependencies; skip them unless there is a concrete misuse angle in first-party code.
- If there are only dependency files and no first-party sources, set no_findings=true and explain in summary.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title and file/line locations when possible.
Output constraints (IMPORTANT):
- severity MUST be exactly one of: info, low, medium, high, critical (lowercase).
- category MUST be exactly one of: access_control, reentrancy, math, oracle, upgradeability, auth, other.
Keep summary short and concrete.
mcp startup: no servers
thinking
**Preparing to audit AGENTS and AUDIT_BUNDLE**
exec
/bin/bash -lc ls in /tmp/codex-cdsmfo3l succeeded in 5ms:
AUDIT_BUNDLE.txt
codex-output-schema.json
contracts
exec
/bin/bash -lc 'cat AUDIT_BUNDLE.txt' in /tmp/codex-cdsmfo3l succeeded in 5ms:
This file concatenates the full contents of first-party Solidity sources for auditing.
Do not treat dependency code under lib/ or @openzeppelin/ as first-party.
================================================================================
FILE: contracts/Contract.sol
================================================================================
pragma solidity ^0.4.0;
/*
This vSlice token contract is based on the ERC20 token contract. Additional
functionality has been integrated:
* the contract Lockable, which is used as a parent of the Token contract
* the function mintTokens(), which makes use of the currentSwapRate() and safeToAdd() helpers
* the function disableTokenSwapLock()
*/
contract Lockable {
uint public numOfCurrentEpoch;
uint public creationTime;
uint public constant UNLOCKED_TIME = 25 days;
uint public constant LOCKED_TIME = 5 days;
thinking
**Analyzing Solidity contract security risks**
thinking
**Evaluating token transfer locking and access risks**
I'll dig into the token transfer locking mechanics, highlighting how the first transfer after locking returns false without throwing, which might confuse callers but isn't exploitable. I’m also exploring how the owner’s ability to swap the token contract unilaterally introduces a centralization risk that could let them redirect funds by pointing to a malicious token. There’s an ERC20 approve race condition worth noting and some nuances around stale lock and epoch updates that might cause unusual behaviors without clear exploits. Overall, these reflect access control and functional quirks rather than direct vulnerabilities.
exec
/bin/bash -lc "nl -ba contracts/Contract.sol | sed -n '1,260p'" in /tmp/codex-cdsmfo3l succeeded in 8ms:
1 pragma solidity ^0.4.0;
2 /*
3 This vSlice token contract is based on the ERC20 token contract. Additional
4 functionality has been integrated:
5 * the contract Lockable, which is used as a parent of the Token contract
6 * the function mintTokens(), which makes use of the currentSwapRate() and safeToAdd() helpers
7 * the function disableTokenSwapLock()
8 */
9
10 contract Lockable {
11 uint public numOfCurrentEpoch;
12 uint public creationTime;
13 uint public constant UNLOCKED_TIME = 25 days;
14 uint public constant LOCKED_TIME = 5 days;
15 uint public constant EPOCH_LENGTH = 30 days;
16 bool public lock;
17 bool public tokenSwapLock;
18
19 event Locked();
20 event Unlocked();
exec
/bin/bash -lc "nl -ba contracts/Contract.sol | sed -n '260,520p'" in /tmp/codex-cdsmfo3l succeeded in 26ms:
260 // The modifier onlyNotPaidOut prevents token holders who have
261 // already withdrawn their share of profits in the epoch, to cash
262 // out additional shares.
263 modifier onlyNotPaidOut {
264 if (lastPaidOutEpoch[msg.sender] == currentEpoch) throw;
265 _;
266 }
267
268 // The modifier onlyLocked prevents token holders from collecting
269 // their profits when the token contract is in an unlocked state
270 modifier onlyLocked {
271 if (!tokenCtr.lock()) throw;
272 _;
273 }
274
275 // The modifier resetPaidOut updates the currenct epoch, and
276 // enables the smart contract to track when a token holder
277 // has already received their fair share of profits or not
278 // and sets the balance for the epoch using current balance
279 modifier resetPaidOut {
thinking
**Summarizing security analysis**
I'm gathering my detailed assessment of possible vulnerabilities, focusing mainly on a medium-severity access control risk where the owner can swap the token contract to a malicious one and drain funds, plus a low-severity ERC20 approve race condition. I'll craft a JSON report capturing these findings with evidence, locations, and recommendations.
codex
{"no_findings":false,"summary":"Found two issues: ProfitContainer trusts an owner-controlled token address for payouts, and the token uses the standard approve race pattern that can enable allowance double-spends.","findings":[{"severity":"medium","category":"access_control","title":"Owner can swap token contract to arbitrary address and drain ProfitContainer","exploit_scenario":"The owner calls changeTokenContract to point tokenCtr at a malicious contract that returns lock()=true, totalSupply()=1, and balanceOf(attacker)=1. The attacker then calls withdrawalProfit to receive essentially all ETH in ProfitContainer because payout math trusts tokenCtr’s responses.","recommendation":"Restrict token changes with a timelock/multisig and/or remove the ability to change tokenCtr after deployment. At minimum, validate the new token contract (code hash or interface checks) and consider snapshotting a fixed token address for payouts.","evidence":"ProfitContainer.withdrawalProfit trusts tokenCtr.balanceOf/totalSupply/lock without verifying the token contract, and changeTokenContract is owner-only with no safeguards.","locations":["contracts/Contract.sol:301","contracts/Contract.sol:330"]},{"severity":"low","category":"auth","title":"ERC20 approve race condition allows double-spend of allowances","exploit_scenario":"If an allowance is changed from X to Y, a spender can front‑run the approval change and spend X before the update, then spend Y after it, effectively using both allowances.","recommendation":"Use the safe allowance pattern (require setting to 0 before a new non‑zero value) or add increaseAllowance/decreaseAllowance functions.","evidence":"approve overwrites the allowance directly without requiring a zero‑reset, enabling the known ERC20 allowance race.","locations":["contracts/Contract.sol:165"]}]}
tokens used
20,732
{
"codex": {
"ran_at": "2026-01-10T23:01:16.749016+00:00",
"returncode": 0
},
"project": {
"mode": "source",
"file_count": 1,
"import_count": 0,
"first_party_contracts_count": 1
},
"summary": "Found two issues: ProfitContainer trusts an owner-controlled token address for payouts, and the token uses the standard approve race pattern that can enable allowance double-spends.",
"raw_final": {
"summary": "Found two issues: ProfitContainer trusts an owner-controlled token address for payouts, and the token uses the standard approve race pattern that can enable allowance double-spends.",
"findings": [
{
"title": "Owner can swap token contract to arbitrary address and drain ProfitContainer",
"category": "access_control",
"evidence": "ProfitContainer.withdrawalProfit trusts tokenCtr.balanceOf/totalSupply/lock without verifying the token contract, and changeTokenContract is owner-only with no safeguards.",
"severity": "medium",
"locations": [
"contracts/Contract.sol:301",
"contracts/Contract.sol:330"
],
"recommendation": "Restrict token changes with a timelock/multisig and/or remove the ability to change tokenCtr after deployment. At minimum, validate the new token contract (code hash or interface checks) and consider snapshotting a fixed token address for payouts.",
"exploit_scenario": "The owner calls changeTokenContract to point tokenCtr at a malicious contract that returns lock()=true, totalSupply()=1, and balanceOf(attacker)=1. The attacker then calls withdrawalProfit to receive essentially all ETH in ProfitContainer because payout math trusts tokenCtr\u2019s responses."
},
{
"title": "ERC20 approve race condition allows double-spend of allowances",
"category": "auth",
"evidence": "approve overwrites the allowance directly without requiring a zero\u2011reset, enabling the known ERC20 allowance race.",
"severity": "low",
"locations": [
"contracts/Contract.sol:165"
],
"recommendation": "Use the safe allowance pattern (require setting to 0 before a new non\u2011zero value) or add increaseAllowance/decreaseAllowance functions.",
"exploit_scenario": "If an allowance is changed from X to Y, a spender can front\u2011run the approval change and spend X before the update, then spend Y after it, effectively using both allowances."
}
],
"no_findings": false
},
"no_findings": false,
"schema_version": 1
}
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | other | detector | Untrusted CALL target/value reachable | 60 | yes | yes |
trace_id: 0x4d91133feea3d3705d75d64ac3e70f9ab15bb34c4ffa377543e7805d848fc4d3
call_targets:
0x51ffc1b089392a5bb65bf24eaf04d07d0e6f88b5, 0x5c543e7ae0a1104f78406c340e9c64fd9fce5170
target_varies:
yes
classification:
target_varies
validation_json {
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x4d91133feea3d3705d75d64ac3e70f9ab15bb34c4ffa377543e7805d848fc4d3",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x51ffc1b089392a5bb65bf24eaf04d07d0e6f88b5",
"0x5c543e7ae0a1104f78406c340e9c64fd9fce5170"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json {
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x2ebec916",
"selector": "0x2ebec916",
"calldata_variants": [
"0x2ebec916",
"0x2ebec9160000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x36bc32a2",
"selector": "0x36bc32a2",
"calldata_variants": [
"0x36bc32a2",
"0x36bc32a20000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x50148ed2",
"selector": "0x50148ed2",
"calldata_variants": [
"0x50148ed2",
"0x50148ed20000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x523aee69",
"selector": "0x523aee69",
"calldata_variants": [
"0x523aee69",
"0x523aee690000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x76671808",
"selector": "0x76671808",
"calldata_variants": [
"0x76671808",
"0x766718080000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x8da5cb5b",
"selector": "0x8da5cb5b",
"calldata_variants": [
"0x8da5cb5b",
"0x8da5cb5b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xaef251a7",
"selector": "0xaef251a7",
"calldata_variants": [
"0xaef251a7",
"0xaef251a70000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xf2fde38b",
"selector": "0xf2fde38b",
"calldata_variants": [
"0xf2fde38b",
"0xf2fde38b0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json {
"examples": [
{
"pc": 443,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 552,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 708,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 10,
"guards_detected": [],
"untrusted_call_count": 10
}
|
| high | other | detector | ETH value transfer possible | 55 | yes | yes |
trace_id: 0x4d91133feea3d3705d75d64ac3e70f9ab15bb34c4ffa377543e7805d848fc4d3
call_targets:
0x51ffc1b089392a5bb65bf24eaf04d07d0e6f88b5, 0x5c543e7ae0a1104f78406c340e9c64fd9fce5170
target_varies:
yes
classification:
target_varies
validation_json {
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0x4d91133feea3d3705d75d64ac3e70f9ab15bb34c4ffa377543e7805d848fc4d3",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x51ffc1b089392a5bb65bf24eaf04d07d0e6f88b5",
"0x5c543e7ae0a1104f78406c340e9c64fd9fce5170"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json {
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x2ebec916",
"selector": "0x2ebec916",
"calldata_variants": [
"0x2ebec916",
"0x2ebec9160000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x36bc32a2",
"selector": "0x36bc32a2",
"calldata_variants": [
"0x36bc32a2",
"0x36bc32a20000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x50148ed2",
"selector": "0x50148ed2",
"calldata_variants": [
"0x50148ed2",
"0x50148ed20000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x523aee69",
"selector": "0x523aee69",
"calldata_variants": [
"0x523aee69",
"0x523aee690000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x76671808",
"selector": "0x76671808",
"calldata_variants": [
"0x76671808",
"0x766718080000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x8da5cb5b",
"selector": "0x8da5cb5b",
"calldata_variants": [
"0x8da5cb5b",
"0x8da5cb5b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xaef251a7",
"selector": "0xaef251a7",
"calldata_variants": [
"0xaef251a7",
"0xaef251a70000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xf2fde38b",
"selector": "0xf2fde38b",
"calldata_variants": [
"0xf2fde38b",
"0xf2fde38b0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json {
"examples": [
{
"pc": 443,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 552,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 708,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 10,
"guards_detected": []
}
|
| medium | access_control | codex | Owner can swap token contract to arbitrary address and drain ProfitContainer | 75 | no | — |
evidence_json {
"evidence": "ProfitContainer.withdrawalProfit trusts tokenCtr.balanceOf/totalSupply/lock without verifying the token contract, and changeTokenContract is owner-only with no safeguards.",
"locations": [
"contracts/Contract.sol:301",
"contracts/Contract.sol:330"
],
"recommendation": "Restrict token changes with a timelock/multisig and/or remove the ability to change tokenCtr after deployment. At minimum, validate the new token contract (code hash or interface checks) and consider snapshotting a fixed token address for payouts.",
"exploit_scenario": "The owner calls changeTokenContract to point tokenCtr at a malicious contract that returns lock()=true, totalSupply()=1, and balanceOf(attacker)=1. The attacker then calls withdrawalProfit to receive essentially all ETH in ProfitContainer because payout math trusts tokenCtr\u2019s responses."
}
|
| low | auth | codex | ERC20 approve race condition allows double-spend of allowances | 65 | no | — |
evidence_json {
"evidence": "approve overwrites the allowance directly without requiring a zero\u2011reset, enabling the known ERC20 allowance race.",
"locations": [
"contracts/Contract.sol:165"
],
"recommendation": "Use the safe allowance pattern (require setting to 0 before a new non\u2011zero value) or add increaseAllowance/decreaseAllowance functions.",
"exploit_scenario": "If an allowance is changed from X to Y, a spender can front\u2011run the approval change and spend X before the update, then spend Y after it, effectively using both allowances."
}
|
| info | other | cast | Heavy EXTCODE*/BALANCE usage | 55 | no | — |
evidence_json {
"notes": "frequent external code or balance checks; may indicate introspection or validation logic",
"ext_balance_count": 10
}
|