019bab3b-aa00-73d8-9ab9-0b082407aff2
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 38226 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 38227 | proxy.resolve | complete | 1 / 3 | 3 months ago |
| 38228 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 38229 | analysis.bundle | complete | 1 / 3 | 3 months ago |
| 38230 | capability.graph | complete | 1 / 3 | 3 months ago |
| 38231 | detector.run | complete | 1 / 3 | 3 months ago |
| 38232 | validation.fork | complete | 1 / 3 | 3 months ago |
| 38911 | report.consolidate | complete | 1 / 6 | 3 months ago |
| 38912 | tool.slither | complete | 1 / 2 | 3 months ago |
{
  "method": "etherscan+onchain",
  "status": "confirmed",
  "etherscan_hint": {
    "source": "etherscan",
    "etherscan": {
      "proxy_flag": true,
      "implementation": "0xc3fe3e0ea967b2878fab2fec7e1067b32adf1c03"
    }
  },
  "implementation": "0xc3fe3e0ea967b2878fab2fec7e1067b32adf1c03",
  "onchain_method": "eip1967"
}
'forge clean' running (wd: /tmp/slither-3qblx_ke)
'forge config --json' running
'forge build --build-info --skip ./test/** ./script/** --force' running (wd: /tmp/slither-3qblx_ke)

Proxy.upgradeTo(address) (contracts/universal/Proxy.sol#87-89) calls Proxy.proxyCallIfNotAdmin() (contracts/universal/Proxy.sol#48-55) which halt the execution return(uint256,uint256)(0x0,returndatasize()()) (contracts/universal/Proxy.sol#188)
Proxy.upgradeToAndCall(address,bytes) (contracts/universal/Proxy.sol#98-109) calls Proxy.proxyCallIfNotAdmin() (contracts/universal/Proxy.sol#48-55) which halt the execution return(uint256,uint256)(0x0,returndatasize()()) (contracts/universal/Proxy.sol#188)
Proxy.changeAdmin(address) (contracts/universal/Proxy.sol#116-118) calls Proxy.proxyCallIfNotAdmin() (contracts/universal/Proxy.sol#48-55) which halt the execution return(uint256,uint256)(0x0,returndatasize()()) (contracts/universal/Proxy.sol#188)
Proxy.admin() (contracts/universal/Proxy.sol#125-127) calls Proxy.proxyCallIfNotAdmin() (contracts/universal/Proxy.sol#48-55) which halt the execution return(uint256,uint256)(0x0,returndatasize()()) (contracts/universal/Proxy.sol#188)
Proxy.implementation() (contracts/universal/Proxy.sol#134-136) calls Proxy.proxyCallIfNotAdmin() (contracts/universal/Proxy.sol#48-55) which halt the execution return(uint256,uint256)(0x0,returndatasize()()) (contracts/universal/Proxy.sol#188)
Proxy.proxyCallIfNotAdmin() (contracts/universal/Proxy.sol#48-55) calls Proxy._doProxyCall() (contracts/universal/Proxy.sol#166-190) which halt the execution return(uint256,uint256)(0x0,returndatasize()()) (contracts/universal/Proxy.sol#188)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-return-in-assembly

Proxy.upgradeToAndCall(address,bytes)._implementation (contracts/universal/Proxy.sol#98) lacks a zero-check on :
    - (success,returndata) = _implementation.delegatecall(_data) (contracts/universal/Proxy.sol#106)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#missing-zero-address-validation

Modifier Proxy.proxyCallIfNotAdmin() (contracts/universal/Proxy.sol#48-55) does not always execute _; or revert
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-modifier

Proxy._setImplementation(address) (contracts/universal/Proxy.sol#143-148) uses assembly
    - INLINE ASM (contracts/universal/Proxy.sol#144-146)
Proxy._changeAdmin(address) (contracts/universal/Proxy.sol#155-161) uses assembly
    - INLINE ASM (contracts/universal/Proxy.sol#157-159)
Proxy._doProxyCall() (contracts/universal/Proxy.sol#166-190) uses assembly
    - INLINE ASM (contracts/universal/Proxy.sol#170-189)
Proxy._getImplementation() (contracts/universal/Proxy.sol#197-203) uses assembly
    - INLINE ASM (contracts/universal/Proxy.sol#199-201)
Proxy._getAdmin() (contracts/universal/Proxy.sol#210-216) uses assembly
    - INLINE ASM (contracts/universal/Proxy.sol#212-214)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#assembly-usage

Version constraint 0.8.15 contains known severe issues (https://solidity.readthedocs.io/en/latest/bugs.html)
    - VerbatimInvalidDeduplication
    - FullInlinerNonExpressionSplitArgumentEvaluationOrder
    - MissingSideEffectsOnSelectorAccess
    - StorageWriteRemovalBeforeConditionalTermination
    - AbiReencodingHeadOverflowWithStaticArrayCleanup.
It is used by:
    - 0.8.15 (contracts/universal/Proxy.sol#2)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-versions-of-solidity

Low level call in Proxy.upgradeToAndCall(address,bytes) (contracts/universal/Proxy.sol#98-109):
    - (success,returndata) = _implementation.delegatecall(_data) (contracts/universal/Proxy.sol#106)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#low-level-calls

Parameter Proxy.upgradeTo(address)._implementation (contracts/universal/Proxy.sol#87) is not in mixedCase
Parameter Proxy.upgradeToAndCall(address,bytes)._implementation (contracts/universal/Proxy.sol#98) is not in mixedCase
Parameter Proxy.upgradeToAndCall(address,bytes)._data (contracts/universal/Proxy.sol#98) is not in mixedCase
Parameter Proxy.changeAdmin(address)._admin (contracts/universal/Proxy.sol#116) is not in mixedCase
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#conformance-to-solidity-naming-conventions

. analyzed (1 contracts with 100 detectors), 19 result(s) found
{
  "solc": {
    "status": "ok",
    "use_rc": 0,
    "version": "0.8.15",
    "strategy": "solc-select",
    "solc_path": "/var/www/tripwire/.venv/bin/solc",
    "install_rc": 0,
    "use_stderr": null,
    "use_stdout": "Switched global version to 0.8.15",
    "install_stderr": null,
    "install_stdout": "Installing solc '0.8.15'...\nVersion '0.8.15' installed."
  },
  "solc_args": "--base-path /tmp/slither-3qblx_ke --allow-paths /tmp/slither-3qblx_ke,/tmp/slither-3qblx_ke/lib,/tmp/slither-3qblx_ke/src",
  "remappings": [
    "@openzeppelin/=node_modules/@openzeppelin/",
    "@openzeppelin/contracts-upgradeable/=node_modules/@openzeppelin/contracts-upgradeable/",
    "@openzeppelin/contracts/=node_modules/@openzeppelin/contracts/",
    "@rari-capital/=node_modules/@rari-capital/",
    "@rari-capital/solmate/=node_modules/@rari-capital/solmate/",
    "ds-test/=node_modules/ds-test/src/",
    "forge-std/=node_modules/forge-std/src/"
  ],
  "source_files": [
    "contracts/universal/Proxy.sol"
  ],
  "contract_count": 0,
  "contract_names": [],
  "detector_count": 19,
  "workspace_hash": "d122553c8b8d5db7169b074ba8017e73d347bb62fdb13cc58df52fc8781e3da2",
  "duration_seconds": 0.8295831680297852,
  "solc_version_requested": "0.8.15"
}
{"no_findings":true,"summary":"No exploitable issues found in the first‑party implementation contracts reviewed (OptimismPortal/L2OutputOracle/SystemConfig and supporting libraries); dependencies under lib//@openzeppelin not assessed.","findings":[]}
OpenAI Codex v0.77.0 (research preview)
--------
workdir: /tmp/codex-_c79t_wv
model: gpt-5.2-codex
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: auto
session id: 019bab49-1d3b-73b0-922a-d9a0a64ff8be
--------
user
Context: The user requested the proxy at 0xba1ac896f3b7cb273dae94bf9a6291a432e826c7.
Audit the implementation at 0xc3fe3e0ea967b2878fab2fec7e1067b32adf1c03.
Findings should refer to the implementation unless explicitly about proxy mechanics.
You are a security auditor. Audit this Solidity codebase for exploitable vulnerabilities.
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation, oracle manipulation,
accounting/invariant breaks, external call patterns, unchecked return values, and dangerous delegatecall.
Scope rules:
- You MUST fully read `AUDIT_BUNDLE.txt` before concluding. It contains the complete contents of all first-party Solidity sources in this workspace.
- Treat `lib/` and `@openzeppelin/` as third-party dependencies; skip them unless there is a concrete misuse angle in first-party code.
- If there are only dependency files and no first-party sources, set no_findings=true and explain in summary.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title and file/line locations when possible.
Output constraints (IMPORTANT):
- severity MUST be exactly one of: info, low, medium, high, critical (lowercase).
- category MUST be exactly one of: access_control, reentrancy, math, oracle, upgradeability, auth, other.
Keep summary short and concrete.
mcp startup: no servers
thinking
**Reviewing audit bundle**
exec
/bin/bash -lc ls in /tmp/codex-_c79t_wv succeeded in 8ms:
AUDIT_BUNDLE.txt
codex-output-schema.json
contracts
lib
exec
/bin/bash -lc 'cat AUDIT_BUNDLE.txt' in /tmp/codex-_c79t_wv succeeded in 5ms:
This file concatenates the full contents of first-party Solidity sources for auditing.
Do not treat dependency code under lib/ or @openzeppelin/ as first-party.
================================================================================
FILE: contracts/L1/L2OutputOracle.sol
================================================================================
// SPDX-License-Identifier: MIT
pragma solidity 0.8.15;
import { Initializable } from "@openzeppelin/contracts/proxy/utils/Initializable.sol";
import { Semver } from "../universal/Semver.sol";
import { Types } from "../libraries/Types.sol";
/// @custom:proxied
/// @title L2OutputOracle
/// @notice The L2OutputOracle contains an array of L2 state outputs, where each output is a
/// commitment to the state of the L2 chain. Other contracts like the OptimismPortal use
/// these outputs to verify information about the state of L2.
contract L2OutputOracle is Initializable, Semver {
/// @notice The interval in L2 blocks at which checkpoints must be submitted.
thinking
**Searching for OptimismPortal finalizeWithdrawal**
exec
/bin/bash -lc 'rg -n "finalizeWithdrawal|withdrawal" contracts/L1/OptimismPortal.sol' in /tmp/codex-_c79t_wv succeeded in 9ms:
22: /// @notice Represents a proven withdrawal.
24: /// @custom:field timestamp Timestamp at whcih the withdrawal was proven.
44: /// @notice Address that has the ability to pause and unpause withdrawals.
47: /// @notice Address of the L2 account which initiated a withdrawal in this transaction.
49: /// a call to finalizeWithdrawalTransaction.
52: /// @notice A list of withdrawal hashes which have been successfully finalized.
55: /// @notice A mapping of withdrawal hashes to `ProvenWithdrawal` data.
59: /// When set to true, withdrawals are paused.
77: /// @notice Emitted when a withdrawal transaction is proven.
78: /// @param withdrawalHash Hash of the withdrawal transaction.
79: /// @param from Address that triggered the withdrawal transaction.
80: /// @param to Address that the withdrawal transaction is directed to.
82: bytes32 indexed withdrawalHash,
87: /// @notice Emitted when a withdrawal transaction is finalized.
88: /// @param withdrawalHash Hash of the withdrawal transaction.
89: /// @param success Whether the withdrawal transaction was successful.
90: event WithdrawalFinalized(bytes32 indexed withdrawalHash, bool success);
109: /// @param _guardian Address that can pause withdrawals.
131: /// @notice Pauses withdrawals.
138: /// @notice Unpauses withdrawals.
thinking
**Reviewing OptimismPortal functions**
exec
/bin/bash -lc "sed -n '150,380p' contracts/L1/OptimismPortal.sol" in /tmp/codex-_c79t_wv succeeded in 5ms:
/// @param _byteCount Number of bytes in the calldata.
/// @return The minimum gas limit for a deposit.
function minimumGasLimit(uint64 _byteCount) public pure returns (uint64) {
return _byteCount * 16 + 21000;
}
/// @notice Accepts value so that users can send ETH directly to this contract and have the
/// funds be deposited to their address on L2. This is intended as a convenience
/// function for EOAs. Contracts should call the depositTransaction() function directly
/// otherwise any deposited funds will be lost due to address aliasing.
// solhint-disable-next-line ordering
receive() external payable {
depositTransaction(msg.sender, msg.value, RECEIVE_DEFAULT_GAS_LIMIT, false, bytes(""));
}
/// @notice Accepts ETH value without triggering a deposit to L2.
/// This function mainly exists for the sake of the migration between the legacy
/// Optimism system and Bedrock.
function donateETH() external payable {
// Intentionally empty.
exec
/bin/bash -lc "sed -n '380,760p' contracts/L1/OptimismPortal.sol" in /tmp/codex-_c79t_wv succeeded in 17ms:
bool _isCreation,
bytes memory _data
) public payable metered(_gasLimit) {
// Just to be safe, make sure that people specify address(0) as the target when doing
// contract creations.
if (_isCreation) {
require(
_to == address(0),
"OptimismPortal: must send to address(0) when creating a contract"
);
}
// Prevent depositing transactions that have too small of a gas limit. Users should pay
// more for more resource usage.
require(
_gasLimit >= minimumGasLimit(uint64(_data.length)),
"OptimismPortal: gas limit too small"
);
// Prevent the creation of deposit transactions that have too much calldata. This gives an
thinking
**Analyzing Optimism Bedrock contract logic and vulnerabilities**
I'm reviewing the L2OutputOracle and deposit transaction logic, checking for potential vulnerabilities like reentrancy in finalizeWithdrawal, correctness of deleteL2Outputs array modifications, and consistency of deposit values between L1 and L2. I’m also scrutinizing access controls, proxy initialization patterns, and boundary cases around output indexing to understand if there are risks or subtle bugs, while confirming expected behaviors align with Optimism Bedrock’s design.
exec
/bin/bash -lc 'rg -n "contract SystemConfig|SystemConfig" contracts -g"*.sol"' in /tmp/codex-_c79t_wv succeeded in 45ms:
contracts/L1/OptimismPortal.sol:7:import { SystemConfig } from "./SystemConfig.sol";
contracts/L1/OptimismPortal.sol:41: /// @notice Address of the SystemConfig contract.
contracts/L1/OptimismPortal.sol:42: SystemConfig public immutable SYSTEM_CONFIG;
contracts/L1/OptimismPortal.sol:111: /// @param _config Address of the SystemConfig contract.
contracts/L1/OptimismPortal.sol:116: SystemConfig _config
contracts/L1/OptimismPortal.sol:174: /// The SystemConfig is the source of truth for the resource config.
contracts/L1/SystemConfig.sol:10:/// @title SystemConfig
contracts/L1/SystemConfig.sol:11:/// @notice The SystemConfig contract is used to manage configuration of an Optimism network.
contracts/L1/SystemConfig.sol:14:contract SystemConfig is OwnableUpgradeable, Semver {
contracts/L1/SystemConfig.sol:57: /// @param version SystemConfig version.
contracts/L1/SystemConfig.sol:63: /// @notice Constructs the SystemConfig contract.
contracts/L1/SystemConfig.sol:117: require(_gasLimit >= minimumGasLimit(), "SystemConfig: gas limit too low");
contracts/L1/SystemConfig.sol:176: require(_gasLimit >= minimumGasLimit(), "SystemConfig: gas limit too low");
contracts/L1/SystemConfig.sol:216: "SystemConfig: min base fee must be less than max base"
contracts/L1/SystemConfig.sol:221: "SystemConfig: denominator must be larger than 1"
contracts/L1/SystemConfig.sol:227: "SystemConfig: gas limit too low"
contracts/L1/SystemConfig.sol:232: "SystemConfig: elasticity multiplier cannot be 0"
contracts/L1/SystemConfig.sol:238: "SystemConfig: precision loss with target resource limit"
exec
/bin/bash -lc "sed -n '1,260p' contracts/L1/SystemConfig.sol" in /tmp/codex-_c79t_wv succeeded in 6ms:
// SPDX-License-Identifier: MIT
pragma solidity 0.8.15;
import {
OwnableUpgradeable
} from "@openzeppelin/contracts-upgradeable/access/OwnableUpgradeable.sol";
import { Semver } from "../universal/Semver.sol";
import { ResourceMetering } from "./ResourceMetering.sol";
/// @title SystemConfig
/// @notice The SystemConfig contract is used to manage configuration of an Optimism network.
/// All configuration is stored on L1 and picked up by L2 as part of the derviation of
/// the L2 chain.
contract SystemConfig is OwnableUpgradeable, Semver {
/// @notice Enum representing different types of updates.
/// @custom:value BATCHER Represents an update to the batcher hash.
/// @custom:value GAS_CONFIG Represents an update to txn fee config on L2.
/// @custom:value GAS_LIMIT Represents an update to gas limit on L2.
/// @custom:value UNSAFE_BLOCK_SIGNER Represents an update to the signer key for unsafe
/// block distrubution.
thinking
**Reviewing storage and initialization concerns**
I'm inspecting potential issues in storage slot usage, especially with unsafeBlockSigner and its assembly storage, to ensure no proxy collisions occur. I'm also evaluating initialization patterns in upgradeable contracts, confirming protections like initializer modifiers and constructor calls safeguard against misuse, while considering implications for immutables and proxy deployment nuances.
exec
/bin/bash -lc 'rg -n "''^FILE:" AUDIT_BUNDLE.txt' in /tmp/codex-_c79t_wv succeeded in 7ms:
5:FILE: contracts/L1/L2OutputOracle.sol
299:FILE: contracts/L1/OptimismPortal.sol
746:FILE: contracts/L1/ResourceMetering.sol
914:FILE: contracts/L1/SystemConfig.sol
1161:FILE: contracts/libraries/Arithmetic.sol
1203:FILE: contracts/libraries/Burn.sol
1239:FILE: contracts/libraries/Bytes.sol
1397:FILE: contracts/libraries/Constants.sol
1442:FILE: contracts/libraries/Encoding.sol
1582:FILE: contracts/libraries/Hashing.sol
1728:FILE: contracts/libraries/SafeCall.sol
1879:FILE: contracts/libraries/Types.sol
1953:FILE: contracts/libraries/rlp/RLPReader.sol
2316:FILE: contracts/libraries/rlp/RLPWriter.sol
2541:FILE: contracts/libraries/trie/MerkleTrie.sol
2833:FILE: contracts/libraries/trie/SecureMerkleTrie.sol
2901:FILE: contracts/universal/Semver.sol
2950:FILE: contracts/vendor/AddressAliasHelper.sol
thinking
**Auditing core components**
exec
/bin/bash -lc "sed -n '700,980p' AUDIT_BUNDLE.txt" in /tmp/codex-_c79t_wv succeeded in 6ms:
// upper limit on the size of unsafe blocks over the p2p network. 120kb is chosen to ensure
// that the transaction can fit into the p2p network policy of 128kb even though deposit
// transactions are not gossipped over the p2p network.
require(_data.length <= 120_000, "OptimismPortal: data too large");
// Transform the from-address to its alias if the caller is a contract.
address from = msg.sender;
if (msg.sender != tx.origin) {
from = AddressAliasHelper.applyL1ToL2Alias(msg.sender);
}
// Compute the opaque data that will be emitted as part of the TransactionDeposited event.
// We use opaque data so that we can update the TransactionDeposited event in the future
// without breaking the current interface.
bytes memory opaqueData = abi.encodePacked(
msg.value,
_value,
_gasLimit,
_isCreation,
_data
thinking
**Analyzing ResourceMetering for corner cases**
I'm reviewing ResourceMetering’s math and config checks for overflow or division issues, focusing on parameters like elasticityMultiplier and blockDiff. The SystemConfig enforces safe values, but I’m double-checking for misuse outside that context or subtle bugs, while also noting a warning about deposit address aliasing that’s more of a user error than a vulnerability. Next, I'm shifting attention to the Hashing library for possible issues.
exec
/bin/bash -lc "sed -n '1580,1760p' AUDIT_BUNDLE.txt" in /tmp/codex-_c79t_wv succeeded in 6ms:
================================================================================
FILE: contracts/libraries/Hashing.sol
================================================================================
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import { Types } from "./Types.sol";
import { Encoding } from "./Encoding.sol";
/// @title Hashing
/// @notice Hashing handles Optimism's various different hashing schemes.
library Hashing {
/// @notice Computes the hash of the RLP encoded L2 transaction that would be generated when a
/// given deposit is sent to the L2 system. Useful for searching for a deposit in the L2
/// system.
/// @param _tx User deposit transaction to hash.
/// @return Hash of the RLP encoded L2 deposit transaction.
function hashDepositTransaction(Types.UserDepositTransaction memory _tx)
internal
thinking
**Analyzing ResourceMetering overflow risks**
exec
/bin/bash -lc "sed -n '1160,1300p' AUDIT_BUNDLE.txt" in /tmp/codex-_c79t_wv succeeded in 19ms:
================================================================================
FILE: contracts/libraries/Arithmetic.sol
================================================================================
// SPDX-License-Identifier: MIT
pragma solidity 0.8.15;
import { SignedMath } from "@openzeppelin/contracts/utils/math/SignedMath.sol";
import { FixedPointMathLib } from "@rari-capital/solmate/src/utils/FixedPointMathLib.sol";
/// @title Arithmetic
/// @notice Even more math than before.
library Arithmetic {
/// @notice Clamps a value between a minimum and maximum.
/// @param _value The value to clamp.
/// @param _min The minimum value.
/// @param _max The maximum value.
/// @return The clamped value.
function clamp(
int256 _value,
int256 _min,
thinking
**Evaluating potential gas and call issues**
exec
/bin/bash -lc 'rg -n "callWithMinGas" -n contracts/libraries/SafeCall.sol' in /tmp/codex-_c79t_wv succeeded in 30ms:
99: function callWithMinGas(
exec
/bin/bash -lc "sed -n '1720,1885p' AUDIT_BUNDLE.txt" in /tmp/codex-_c79t_wv succeeded in 27ms:
_outputRootProof.messagePasserStorageRoot,
_outputRootProof.latestBlockhash
)
);
}
}
================================================================================
FILE: contracts/libraries/SafeCall.sol
================================================================================
// SPDX-License-Identifier: MIT
pragma solidity 0.8.15;
/// @title SafeCall
/// @notice Perform low level safe calls
library SafeCall {
/// @notice Performs a low level call without copying any returndata.
/// @dev Passes no calldata to the call context.
/// @param _target Address to call
/// @param _gas Amount of gas to pass to the call
thinking
**Analyzing contract security assumptions**
exec
/bin/bash -lc "sed -n '1440,1620p' AUDIT_BUNDLE.txt" in /tmp/codex-_c79t_wv succeeded in 29ms:
================================================================================
FILE: contracts/libraries/Encoding.sol
================================================================================
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import { Types } from "./Types.sol";
import { Hashing } from "./Hashing.sol";
import { RLPWriter } from "./rlp/RLPWriter.sol";
/// @title Encoding
/// @notice Encoding handles Optimism's various different encoding schemes.
library Encoding {
/// @notice RLP encodes the L2 transaction that would be generated when a given deposit is sent
/// to the L2 system. Useful for searching for a deposit in the L2 system. The
/// transaction is prefixed with 0x7e to identify its EIP-2718 type.
/// @param _tx User deposit transaction to encode.
/// @return RLP encoded L2 deposit transaction.
function encodeDepositTransaction(Types.UserDepositTransaction memory _tx)
thinking
**Summarizing audit findings and risks**
I'm compiling a detailed summary of the audit for first-party contracts, noting no exploitable implementation issues while highlighting proxy initialization risks as deployment concerns, and considering upgradeability and minor gas/payment quirks. I'll produce the required JSON output with no findings but mention residual deployment risks and clarify the audit scope.
codex
{"no_findings":true,"summary":"No exploitable issues found in the first‑party implementation contracts reviewed (OptimismPortal/L2OutputOracle/SystemConfig and supporting libraries); dependencies under lib//@openzeppelin not assessed.","findings":[]}
tokens used
45,425
{
  "codex": {
    "ran_at": "2026-01-11T04:23:46.413096+00:00",
    "returncode": 0
  },
  "project": {
    "mode": "source",
    "file_count": 28,
    "import_count": 29,
    "first_party_contracts_count": 18
  },
  "summary": "No exploitable issues found in the first\u2011party implementation contracts reviewed (OptimismPortal/L2OutputOracle/SystemConfig and supporting libraries); dependencies under lib//@openzeppelin not assessed.",
  "raw_final": {
    "summary": "No exploitable issues found in the first\u2011party implementation contracts reviewed (OptimismPortal/L2OutputOracle/SystemConfig and supporting libraries); dependencies under lib//@openzeppelin not assessed.",
    "findings": [],
    "no_findings": true
  },
  "no_findings": true,
  "proxy_context": {
    "proxy_run_id": "019bab3b-aa00-73d8-9ab9-0b082407aff2",
    "proxy_address": "0xba1ac896f3b7cb273dae94bf9a6291a432e826c7",
    "implementation_run_id": "019bab3b-cd42-72ee-8d44-36346e11fccc",
    "implementation_address": "0xc3fe3e0ea967b2878fab2fec7e1067b32adf1c03"
  },
  "schema_version": 1
}
000006a9: SWAP2 000006aa: SUB 000006ab: SWAP1 000006ac: LOG1 000006ad: POP 000006ae: POP 000006af: JUMP 000006b0: JUMPDEST 000006b1: DUP1 000006b2: CALLDATALOAD 000006b3: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000006c8: DUP2 000006c9: AND 000006ca: DUP2 000006cb: EQ 000006cc: PUSH2 0x06d4 000006cf: JUMPI 000006d0: PUSH1 0x00 000006d2: DUP1 000006d3: REVERT 000006d4: JUMPDEST 000006d5: SWAP2 000006d6: SWAP1 000006d7: POP 000006d8: JUMP 000006d9: JUMPDEST 000006da: PUSH1 0x00 000006dc: PUSH1 0x20 000006de: DUP3 000006df: DUP5 000006e0: SUB 000006e1: SLT 000006e2: ISZERO 000006e3: PUSH2 0x06eb 000006e6: JUMPI 000006e7: PUSH1 0x00 000006e9: DUP1 000006ea: REVERT 000006eb: JUMPDEST 000006ec: PUSH2 0x0412 000006ef: DUP3 000006f0: PUSH2 0x06b0 000006f3: JUMP 000006f4: JUMPDEST 000006f5: PUSH1 0x00 000006f7: DUP1 000006f8: PUSH1 0x00 000006fa: PUSH1 0x40 000006fc: DUP5 000006fd: DUP7 000006fe: SUB 000006ff: SLT 00000700: ISZERO 00000701: PUSH2 0x0709 00000704: JUMPI 00000705: PUSH1 0x00 00000707: DUP1 00000708: REVERT 00000709: JUMPDEST 0000070a: PUSH2 0x0712 0000070d: DUP5 0000070e: PUSH2 0x06b0 00000711: JUMP 00000712: JUMPDEST 00000713: SWAP3 00000714: POP 00000715: PUSH1 0x20 00000717: DUP5 00000718: ADD 00000719: CALLDATALOAD 0000071a: PUSH8 0xffffffffffffffff 00000723: DUP1 00000724: DUP3 00000725: GT 00000726: ISZERO 00000727: PUSH2 0x072f 0000072a: JUMPI 0000072b: PUSH1 0x00 0000072d: DUP1 0000072e: REVERT 0000072f: JUMPDEST 00000730: DUP2 00000731: DUP7 00000732: ADD 00000733: SWAP2 00000734: POP 00000735: DUP7 00000736: PUSH1 0x1f 00000738: DUP4 00000739: ADD 0000073a: SLT 0000073b: PUSH2 0x0743 0000073e: JUMPI 0000073f: PUSH1 0x00 00000741: DUP1 00000742: REVERT 00000743: JUMPDEST 00000744: DUP2 00000745: CALLDATALOAD 00000746: DUP2 00000747: DUP2 00000748: GT 00000749: ISZERO 0000074a: PUSH2 0x0752 0000074d: JUMPI 0000074e: PUSH1 0x00 00000750: DUP1 00000751: REVERT 00000752: JUMPDEST 00000753: DUP8 00000754: PUSH1 0x20 00000756: DUP3 00000757: DUP6 
00000758: ADD 00000759: ADD 0000075a: GT 0000075b: ISZERO 0000075c: PUSH2 0x0764 0000075f: JUMPI 00000760: PUSH1 0x00 00000762: DUP1 00000763: REVERT 00000764: JUMPDEST 00000765: PUSH1 0x20 00000767: DUP4 00000768: ADD 00000769: SWAP5 0000076a: POP 0000076b: DUP1 0000076c: SWAP4 0000076d: POP 0000076e: POP 0000076f: POP 00000770: POP 00000771: SWAP3 00000772: POP 00000773: SWAP3 00000774: POP 00000775: SWAP3 00000776: JUMP 00000777: JUMPDEST 00000778: PUSH1 0x00 0000077a: PUSH1 0x20 0000077c: DUP1 0000077d: DUP4 0000077e: MSTORE 0000077f: DUP4 00000780: MLOAD 00000781: DUP1 00000782: DUP3 00000783: DUP6 00000784: ADD 00000785: MSTORE 00000786: PUSH1 0x00 00000788: JUMPDEST 00000789: DUP2 0000078a: DUP2 0000078b: LT 0000078c: ISZERO 0000078d: PUSH2 0x07a4 00000790: JUMPI 00000791: DUP6 00000792: DUP2 00000793: ADD 00000794: DUP4 00000795: ADD 00000796: MLOAD 00000797: DUP6 00000798: DUP3 00000799: ADD 0000079a: PUSH1 0x40 0000079c: ADD 0000079d: MSTORE 0000079e: DUP3 0000079f: ADD 000007a0: PUSH2 0x0788 000007a3: JUMP 000007a4: JUMPDEST 000007a5: DUP2 000007a6: DUP2 000007a7: GT 000007a8: ISZERO 000007a9: PUSH2 0x07b6 000007ac: JUMPI 000007ad: PUSH1 0x00 000007af: PUSH1 0x40 000007b1: DUP4 000007b2: DUP8 000007b3: ADD 000007b4: ADD 000007b5: MSTORE 000007b6: JUMPDEST 000007b7: POP 000007b8: PUSH1 0x1f 000007ba: ADD 000007bb: PUSH32 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe0 000007dc: AND 000007dd: SWAP3 000007de: SWAP1 000007df: SWAP3 000007e0: ADD 000007e1: PUSH1 0x40 000007e3: ADD 000007e4: SWAP4 000007e5: SWAP3 000007e6: POP 000007e7: POP 000007e8: POP 000007e9: JUMP 000007ea: JUMPDEST 000007eb: DUP2 000007ec: DUP4 000007ed: DUP3 000007ee: CALLDATACOPY 000007ef: PUSH1 0x00 000007f1: SWAP2 000007f2: ADD 000007f3: SWAP1 000007f4: DUP2 000007f5: MSTORE 000007f6: SWAP2 000007f7: SWAP1 000007f8: POP 000007f9: JUMP 000007fa: INVALID 000007fb: LOG1 000007fc: PUSH5 0x736f6c6343 00000802: STOP 00000803: ADDMOD 00000804: UNKNOWN(0x0F) 00000805: STOP 
00000806: EXP
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | upgradeability | detector | Untrusted DELEGATECALL target reachable | 55 | no | no |
trace_id: 0x73fa9c2f023ebaeaa08c464569faa05223f45f60dd4774f2c0a278a094a7d8fa
call_targets: 0xc3fe3e0ea967b2878fab2fec7e1067b32adf1c03
target_varies: no
classification: constant_target
validation_json:
{
"sink": "DELEGATECALL",
"errors": 0,
"status": "sink_reached",
"attempts": 1,
"trace_id": "0x73fa9c2f023ebaeaa08c464569faa05223f45f60dd4774f2c0a278a094a7d8fa",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0xc3fe3e0ea967b2878fab2fec7e1067b32adf1c03"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json:
{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x5c60da1b",
"selector": "0x5c60da1b",
"calldata_variants": [
"0x5c60da1b",
"0x5c60da1b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x8f283970",
"selector": "0x8f283970",
"calldata_variants": [
"0x8f283970",
"0x8f2839700000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xf851a440",
"selector": "0xf851a440",
"calldata_variants": [
"0xf851a440",
"0xf851a4400000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x3659cfe6",
"selector": "0x3659cfe6",
"calldata_variants": [
"0x3659cfe6",
"0x3659cfe60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x4f1ef286",
"selector": "0x4f1ef286",
"calldata_variants": [
"0x4f1ef286",
"0x4f1ef2860000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json:
{
"examples": [
{
"pc": 527,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
},
{
"pc": 827,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
}
],
"guards_detected": [
{
"pc": 605,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
},
{
"pc": 727,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
},
{
"pc": 1114,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
},
{
"pc": 1257,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
},
{
"pc": 1368,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
}
],
"delegatecall_count": 2,
"untrusted_delegatecall_count": 2
}
|
| medium | upgradeability | cast | DELEGATECALL present | 80 | no | — |
evidence_json:
{
"notes": "delegatecall enables execution in caller context; common in proxies/upgradeable patterns",
"delegatecall_count": 2
}
|