Tripwire
Find contracts. Test them. Review real vulns.

Analysis Run

019bab3b-aa82-7335-b614-433ed19c750a

complete
Chain ID: 1
Address:
Block Number:
Created: Sun, Jan 11, 2026 4:06 AM
Review Summary

What survived the funnel

Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?

Confirmed: 0
Validated: 0
Source: Bytecode only
Review Backing: Present
Best current signal: Untrusted CALL target/value reachable
crit 0, high 0, direct contract
Review Checklist
1. Read the findings table first. Ignore raw jobs until the result looks real.
2. Confirm attacker control, not just the existence of a sink.
3. Confirm money or privilege impact.
4. Keep it if the behavior is real. Kill it if this is normal proxy, admin, or upgrade plumbing.

Processing Jobs

Status & attempts
ID Type Status Attempts Heartbeat
38331 artifact.fetch complete 1 / 3 3 months ago
38332 proxy.resolve complete 1 / 3 3 months ago
38333 tool.cast_disasm complete 1 / 3 3 months ago
38334 analysis.bundle complete 1 / 3 3 months ago
38335 capability.graph complete 1 / 3 3 months ago
38336 detector.run complete 1 / 3 3 months ago
38337 validation.fork complete 1 / 3 3 months ago
38952 report.consolidate complete 1 / 6 3 months ago

Artifact

Runtime bytecode: available
Creation TX:
Deployer:
Proxy: no (not_proxy)
Implementation:
Verified Source: no
Proxy evidence
{
    "status": "not_proxy"
}

Slither

tool.slither

No slither job recorded yet.

Codex

report.consolidate
Job Status: complete
Attempts: 1 / 6
Findings: 1
No findings?: no
Summary
Bytecode is a fallback-only executor with a hardcoded caller allowlist and multiple external CALLs (including WETH interactions and miner/caller payments). No proxy/delegatecall patterns detected; all state is stateless (no storage reads/writes).
stdout:
{"no_findings":false,"summary":"Bytecode is a fallback-only executor with a hardcoded caller allowlist and multiple external CALLs (including WETH interactions and miner/caller payments). No proxy/delegatecall patterns detected; all state is stateless (no storage reads/writes).","findings":[{"severity":"low","category":"other","title":"Fallback allows calldata-driven external CALLs with ETH value transfers","exploit_scenario":"The fallback dispatcher issues CALLs where the target address and (likely) value are derived from calldata/stack. If the hardcoded caller key(s) are compromised or mis-specified, an attacker can use this contract as a generic executor to call arbitrary contracts and drain any ETH held by the contract (including miner bribes to COINBASE and refunds to CALLER).","recommendation":"If this is not intentionally a privileged executor, restrict CALL targets and value ranges (e.g., hardcoded allowlists or explicit selector checks). If it is intended, ensure the hardcoded caller addresses are correct and secured (multisig/rotation), and avoid leaving funds in the contract.","evidence":"Multiple CALL sites pull targets from calldata (CALLDATALOAD + SHR -> CALL), plus explicit CALLs to COINBASE/CALLER with value likely on stack.","locations":["pc:0x0459","pc:0x04b3","pc:0x053b","pc:0x05df","pc:0x036c","pc:0x037e"]}]}
stderr:
OpenAI Codex v0.77.0 (research preview)
--------
workdir: /tmp/codex-gu0na25k
model: gpt-5.2-codex
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: auto
session id: 019bab5d-9149-7623-a5cf-e6dd6c05cd21
--------
user
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.

Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.

Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".

Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
mcp startup: no servers

thinking
**Reading BYTECODE_BUNDLE.json**
exec
/bin/bash -lc ls in /tmp/codex-gu0na25k succeeded in 5ms:
BYTECODE_BUNDLE.json
codex-output-schema.json

thinking
**Reading bundle**
exec
/bin/bash -lc 'cat BYTECODE_BUNDLE.json' in /tmp/codex-gu0na25k succeeded in 29ms:
{
  "analysis_artifact": {
    "address": "0x3de8eb830000f1d914294d000051000031a81d00",
    "artifact_hash": "0xf0c07d70ecf3ba6e0c34e77969d80d1a6c62d9b50ef5ae2687d46b56d6eccfdc",
    "artifact_json": {
      "auth": {
        "guards": []
      },
      "basic_blocks": [
        {
          "end_pc": 24,
          "hash": "0x0bc8292b4694780eae958a1c7811d3a4ce1766c748bf853c1305386576ccb8a2",
          "opcodes": [
            "PUSH18",
            "CALLER",
            "SUB",
            "PUSH2",
            "JUMPI"
          ],
          "start_pc": 0

thinking
**Investigating storage and selectors in bytecode**
exec
/bin/bash -lc 'rg -n "storage|selector|proxy|eip|delegate|upgrade|slot" BYTECODE_BUNDLE.json' in /tmp/codex-gu0na25k succeeded in 23ms:
2045:          "selector": "fallback"
2054:          "selector": "fallback",
2057:            "delegatecall": 0,
2061:          "storage": {
2063:            "slots": [],
2068:      "selectors": [],
2073:        "delegatecall": 0,
2076:        "upgrade_slot_write_suspected": false
2078:      "storage": {
2081:        "slots": [],
2113:        "proxy": "0",
2118:      "proxy_evidence": {
2119:        "status": "not_proxy"
2123:    "is_proxy": false,
3486:          "selector": "fallback",
3604:    "delegatecall_count": 0,

thinking
**Checking surrounding context with sed**
exec
/bin/bash -lc "sed -n '2020,2135p' BYTECODE_BUNDLE.json" in /tmp/codex-gu0na25k succeeded in 6ms:
          "from": "bb:1439",
          "to": "bb:1509",
          "type": "control_flow_fallthrough"
        },
        {
          "from": "bb:1509",
          "to": "bb:1426",
          "type": "control_flow"
        },
        {
          "from": "bb:1515",
          "to": "bb:1528",
          "type": "control_flow"
        },
        {
          "from": "bb:1523",
          "to": "bb:1509",
          "type": "control_flow"
        }
      ],

thinking
**Analyzing runtime bytecode for call patterns**

I'm examining the runtime bytecode which seems to implement a fallback-only, stateless contract acting like a router with calls to fixed addresses like WETH and a specific address 0x2d02d..., likely gated by caller address checks. There are several CALL and STATICCALL instructions, possibly used to pay the miner or interact with external contracts, and I'm planning to write a Python script to disassemble the hex bytecode to identify call targets and better understand its behavior conservatively.
exec
/bin/bash -lc "python - <<'PY'
import json, binascii
from pathlib import Path
import sys

data=json.load(open('/tmp/codex-gu0na25k/BYTECODE_BUNDLE.json'))
hexcode=data['artifact']['runtime_bytecode']['full']
if hexcode.startswith('0x'): hexcode=hexcode[2:]
code=bytes.fromhex(hexcode)

# opcode map
opnames={
0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
0x20:'SHA3',
0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
0x5f:'PUSH0'
}
for i in range(1,33):
    opnames[0x5f+i]=f'PUSH{i}'
for i in range(1,17):
    opnames[0x7f+i]=f'DUP{i}'
for i in range(1,17):
    opnames[0x8f+i]=f'SWAP{i}'

opnames.update({0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'})

pcs_of_interest={360,715,816,876,894,976,1113,1203,1339,1503}

# disassemble and capture around pcs
ins=[]
pc=0
while pc<len(code):
    op=code[pc]
    name=opnames.get(op,f'OP_{op:02x}')
    arg=None
    size=1
    if 0x60<=op<=0x7f:
        n=op-0x5f
        arg=code[pc+1:pc+1+n]
        size=1+n
    ins.append((pc,name,arg))
    pc+=size

# create map for quick lookup
ins_map={pc:(name,arg) for pc,name,arg in ins}

# print window around each call pc
for target in sorted(pcs_of_interest):
    print('\\n=== around pc',target,'===')
    # find index
    idx=None
    for i,(pc,name,arg) in enumerate(ins):
        if pc==target:
            idx=i
            break
    if idx is None:
        print('pc not found')
        continue
    for pc,name,arg in ins[max(0,idx-8):idx+8]:
        if arg is None:
            arg_s=''
        else:
            arg_s=' 0x'+arg.hex()
        print(f'{pc:04x}: {name}{arg_s}')
PY" in /tmp/codex-gu0na25k succeeded in 62ms:

=== around pc 360 ===
0149: PUSH1 0x04
014b: MSTORE
014c: PUSH1 0x20
014e: DUP2
014f: PUSH1 0x24
0151: DUP2
0152: PUSH20 0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2
0167: GAS
0168: STATICCALL
0169: ISZERO
016a: PUSH2 0x0171
016d: JUMPI
016e: MLOAD
016f: SWAP1
0170: JUMP
0171: JUMPDEST

=== around pc 715 ===

thinking
**Analyzing EVM CALL patterns**
exec
/bin/bash -lc "python - <<'PY'
import json
hexcode=json.load(open('/tmp/codex-gu0na25k/BYTECODE_BUNDLE.json'))['artifact']['runtime_bytecode']['full']
if hexcode.startswith('0x'): hexcode=hexcode[2:]
code=bytes.fromhex(hexcode)
# find sequence of push20 0x2d02...
seq=bytes.fromhex('73'+'2d02d92ce7ee85c684733128223b53cdb9eae5e9')
idx=code.find(seq)
print('idx',idx)
print(code[idx-10:idx+30].hex())
PY" in /tmp/codex-gu0na25k succeeded in 32ms:
idx 261
5050610083610471565b732d02d92ce7ee85c684733128223b53cdb9eae5e933031561001957005b

thinking
**Preparing disassembly around program counter**
exec
/bin/bash -lc "python - <<'PY'
import json
hexcode=json.load(open('/tmp/codex-gu0na25k/BYTECODE_BUNDLE.json'))['artifact']['runtime_bytecode']['full']
if hexcode.startswith('0x'): hexcode=hexcode[2:]
code=bytes.fromhex(hexcode)
# disassemble around pc 0x100
opnames={
0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
0x20:'SHA3',
0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
0x5f:'PUSH0'
}
for i in range(1,33):
    opnames[0x5f+i]=f'PUSH{i}'
for i in range(1,17):
    opnames[0x7f+i]=f'DUP{i}'
for i in range(1,17):
    opnames[0x8f+i]=f'SWAP{i}'

opnames.update({0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'})

# disassemble to list
ins=[]
pc=0
while pc<len(code):
    op=code[pc]
    name=opnames.get(op,f'OP_{op:02x}')
    arg=None
    size=1
    if 0x60<=op<=0x7f:
        n=op-0x5f
        arg=code[pc+1:pc+1+n]
        size=1+n
    ins.append((pc,name,arg))
    pc+=size

# print around pc 0x100-0x130
for pc,name,arg in ins:
    if 0x0f0 <= pc <= 0x130:
        arg_s='' if arg is None else ' 0x'+arg.hex()
        print(f'{pc:04x}: {name}{arg_s}')
PY" in /tmp/codex-gu0na25k succeeded in 39ms:
00f1: JUMP
00f2: JUMPDEST
00f3: PUSH2 0x0075
00f6: PUSH2 0x0471
00f9: JUMP
00fa: JUMPDEST
00fb: POP
00fc: POP
00fd: PUSH2 0x0083
0100: PUSH2 0x0471
0103: JUMP
0104: JUMPDEST
0105: PUSH20 0x2d02d92ce7ee85c684733128223b53cdb9eae5e9
011a: CALLER
011b: SUB
011c: ISZERO
011d: PUSH2 0x0019
0120: JUMPI
0121: STOP
0122: JUMPDEST

thinking
**Analyzing access control mechanism**
exec
/bin/bash -lc "python - <<'PY'
import json
hexcode=json.load(open('/tmp/codex-gu0na25k/BYTECODE_BUNDLE.json'))['artifact']['runtime_bytecode']['full']
if hexcode.startswith('0x'): hexcode=hexcode[2:]
code=bytes.fromhex(hexcode)
# disassemble start
opnames={
0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
0x20:'SHA3',
0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
0x5f:'PUSH0'
}
for i in range(1,33):
    opnames[0x5f+i]=f'PUSH{i}'
for i in range(1,17):
    opnames[0x7f+i]=f'DUP{i}'
for i in range(1,17):
    opnames[0x8f+i]=f'SWAP{i}'

opnames.update({0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'})

ins=[]
pc=0
while pc<len(code):
    op=code[pc]
    name=opnames.get(op,f'OP_{op:02x}')
    arg=None
    size=1
    if 0x60<=op<=0x7f:
        n=op-0x5f
        arg=code[pc+1:pc+1+n]
        size=1+n
    ins.append((pc,name,arg))
    pc+=size

for pc,name,arg in ins:
    if pc<=0x40:
        arg_s='' if arg is None else ' 0x'+arg.hex()
        print(f'{pc:04x}: {name}{arg_s}')
PY" in /tmp/codex-gu0na25k succeeded in 65ms:
0000: PUSH18 0xe0c70000ca6bc5006838e7cc3e7c8fd23d00
0013: CALLER
0014: SUB
0015: PUSH2 0x0104
0018: JUMPI
0019: JUMPDEST
001a: GAS
001b: PUSH1 0x00
001d: CALLDATALOAD
001e: PUSH1 0x00
0020: BYTE
0021: DUP1
0022: PUSH1 0x03
0024: EQ
0025: PUSH2 0x00fa
0028: JUMPI
0029: DUP1
002a: PUSH1 0x04
002c: EQ
002d: PUSH2 0x00e5

thinking
**Analyzing bytecode access control and external calls**
thinking
**Summarizing contract structure and security observations**

I'll review the contract’s design as a fallback-only, stateless executor enabling authorized callers to perform multi-calls with calldata-driven targets and ETH values, and note core findings around untrusted external calls, caller allowlist mechanics, and design tradeoffs.
thinking
**Preparing audit findings and recommendations**
codex
{"no_findings":false,"summary":"Bytecode is a fallback-only executor with a hardcoded caller allowlist and multiple external CALLs (including WETH interactions and miner/caller payments). No proxy/delegatecall patterns detected; all state is stateless (no storage reads/writes).","findings":[{"severity":"low","category":"other","title":"Fallback allows calldata-driven external CALLs with ETH value transfers","exploit_scenario":"The fallback dispatcher issues CALLs where the target address and (likely) value are derived from calldata/stack. If the hardcoded caller key(s) are compromised or mis-specified, an attacker can use this contract as a generic executor to call arbitrary contracts and drain any ETH held by the contract (including miner bribes to COINBASE and refunds to CALLER).","recommendation":"If this is not intentionally a privileged executor, restrict CALL targets and value ranges (e.g., hardcoded allowlists or explicit selector checks). If it is intended, ensure the hardcoded caller addresses are correct and secured (multisig/rotation), and avoid leaving funds in the contract.","evidence":"Multiple CALL sites pull targets from calldata (CALLDATALOAD + SHR -> CALL), plus explicit CALLs to COINBASE/CALLER with value likely on stack.","locations":["pc:0x0459","pc:0x04b3","pc:0x053b","pc:0x05df","pc:0x036c","pc:0x037e"]}]}
tokens used: 46,245
Metadata
{
    "codex": {
        "ran_at": "2026-01-11T04:47:42.968798+00:00",
        "returncode": 0
    },
    "project": {
        "mode": "bytecode",
        "bytecode_length": 3080,
        "bytecode_truncated": false,
        "capability_graph_present": true,
        "analysis_artifact_present": true
    },
    "summary": "Bytecode is a fallback-only executor with a hardcoded caller allowlist and multiple external CALLs (including WETH interactions and miner/caller payments). No proxy/delegatecall patterns detected; all state is stateless (no storage reads/writes).",
    "raw_final": {
        "summary": "Bytecode is a fallback-only executor with a hardcoded caller allowlist and multiple external CALLs (including WETH interactions and miner/caller payments). No proxy/delegatecall patterns detected; all state is stateless (no storage reads/writes).",
        "findings": [
            {
                "title": "Fallback allows calldata-driven external CALLs with ETH value transfers",
                "category": "other",
                "evidence": "Multiple CALL sites pull targets from calldata (CALLDATALOAD + SHR -> CALL), plus explicit CALLs to COINBASE/CALLER with value likely on stack.",
                "severity": "low",
                "locations": [
                    "pc:0x0459",
                    "pc:0x04b3",
                    "pc:0x053b",
                    "pc:0x05df",
                    "pc:0x036c",
                    "pc:0x037e"
                ],
                "recommendation": "If this is not intentionally a privileged executor, restrict CALL targets and value ranges (e.g., hardcoded allowlists or explicit selector checks). If it is intended, ensure the hardcoded caller addresses are correct and secured (multisig/rotation), and avoid leaving funds in the contract.",
                "exploit_scenario": "The fallback dispatcher issues CALLs where the target address and (likely) value are derived from calldata/stack. If the hardcoded caller key(s) are compromised or mis-specified, an attacker can use this contract as a generic executor to call arbitrary contracts and drain any ETH held by the contract (including miner bribes to COINBASE and refunds to CALLER)."
            }
        ],
        "no_findings": false
    },
    "no_findings": false,
    "schema_version": 1
}

Opcode Heuristics

tool.cast_disasm
Delegatecall: 0
Selfdestruct: 0
CREATE2: 0
CALL-family (heavy): 10
EXT*/BALANCE: 0
Total opcodes: 789
Flags: No heuristic flags raised.
cast disassembly output:
00000000: PUSH18 0xe0c70000ca6bc5006838e7cc3e7c8fd23d00
00000013: CALLER
00000014: SUB
00000015: PUSH2 0x0104
00000018: JUMPI
00000019: JUMPDEST
0000001a: GAS
0000001b: PUSH1 0x00
0000001d: CALLDATALOAD
0000001e: PUSH1 0x00
00000020: BYTE
00000021: DUP1
00000022: PUSH1 0x03
00000024: EQ
00000025: PUSH2 0x00fa
00000028: JUMPI
00000029: DUP1
0000002a: PUSH1 0x04
0000002c: EQ
0000002d: PUSH2 0x00e5
00000030: JUMPI
00000031: DUP1
00000032: PUSH1 0x50
00000034: EQ
00000035: PUSH2 0x00db
00000038: JUMPI
00000039: DUP1
0000003a: PUSH1 0x51
0000003c: EQ
0000003d: PUSH2 0x00c6
00000040: JUMPI
00000041: DUP1
00000042: PUSH1 0x52
00000044: EQ
00000045: PUSH2 0x009f
00000048: JUMPI
00000049: DUP1
0000004a: PUSH1 0x30
0000004c: EQ
0000004d: PUSH2 0x008d
00000050: JUMPI
00000051: PUSH1 0x31
00000053: EQ
00000054: PUSH2 0x0059
00000057: JUMPI
00000058: STOP
00000059: JUMPDEST
0000005a: PUSH2 0x0083
0000005d: SWAP1
0000005e: PUSH2 0x0065
00000061: PUSH2 0x0122
00000064: JUMP
00000065: JUMPDEST
00000066: PUSH2 0x006d
00000069: PUSH2 0x026e
0000006c: JUMP
0000006d: JUMPDEST
0000006e: PUSH2 0x0075
00000071: PUSH2 0x0550
00000074: JUMP
00000075: JUMPDEST
00000076: PUSH2 0x007d
00000079: PUSH2 0x0122
0000007c: JUMP
0000007d: JUMPDEST
0000007e: SWAP1
0000007f: PUSH2 0x0179
00000082: JUMP
00000083: JUMPDEST
00000084: PUSH2 0x008b
00000087: PUSH2 0x0338
0000008a: JUMP
0000008b: JUMPDEST
0000008c: STOP
0000008d: JUMPDEST
0000008e: POP
0000008f: POP
00000090: PUSH2 0x0097
00000093: PUSH2 0x026e
00000096: JUMP
00000097: JUMPDEST
00000098: PUSH2 0x0083
0000009b: PUSH2 0x0550
0000009e: JUMP
0000009f: JUMPDEST
000000a0: POP
000000a1: PUSH2 0x0083
000000a4: SWAP1
000000a5: PUSH2 0x00ac
000000a8: PUSH2 0x0122
000000ab: JUMP
000000ac: JUMPDEST
000000ad: SELFBALANCE
000000ae: PUSH2 0x00b5
000000b1: PUSH2 0x03dc
000000b4: JUMP
000000b5: JUMPDEST
000000b6: PUSH2 0x00bd
000000b9: PUSH2 0x0122
000000bc: JUMP
000000bd: JUMPDEST
000000be: SELFBALANCE
000000bf: ADD
000000c0: SWAP2
000000c1: ADD
000000c2: PUSH2 0x0179
000000c5: JUMP
000000c6: JUMPDEST
000000c7: POP
000000c8: PUSH2 0x0083
000000cb: SWAP1
000000cc: PUSH2 0x00d3
000000cf: PUSH2 0x0122
000000d2: JUMP
000000d3: JUMPDEST
000000d4: PUSH2 0x0075
000000d7: PUSH2 0x03dc
000000da: JUMP
000000db: JUMPDEST
000000dc: POP
000000dd: POP
000000de: PUSH2 0x0083
000000e1: PUSH2 0x03dc
000000e4: JUMP
000000e5: JUMPDEST
000000e6: POP
000000e7: PUSH2 0x0083
000000ea: SWAP1
000000eb: PUSH2 0x00f2
000000ee: PUSH2 0x0122
000000f1: JUMP
000000f2: JUMPDEST
000000f3: PUSH2 0x0075
000000f6: PUSH2 0x0471
000000f9: JUMP
000000fa: JUMPDEST
000000fb: POP
000000fc: POP
000000fd: PUSH2 0x0083
00000100: PUSH2 0x0471
00000103: JUMP
00000104: JUMPDEST
00000105: PUSH20 0x2d02d92ce7ee85c684733128223b53cdb9eae5e9
0000011a: CALLER
0000011b: SUB
0000011c: ISZERO
0000011d: PUSH2 0x0019
00000120: JUMPI
00000121: STOP
00000122: JUMPDEST
00000123: PUSH1 0x00
00000125: PUSH32 0x70a0823100000000000000000000000000000000000000000000000000000000
00000146: DUP2
00000147: MSTORE
00000148: ADDRESS
00000149: PUSH1 0x04
0000014b: MSTORE
0000014c: PUSH1 0x20
0000014e: DUP2
0000014f: PUSH1 0x24
00000151: DUP2
00000152: PUSH20 0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2
00000167: GAS
00000168: STATICCALL
00000169: ISZERO
0000016a: PUSH2 0x0171
0000016d: JUMPI
0000016e: MLOAD
0000016f: SWAP1
00000170: JUMP
00000171: JUMPDEST
00000172: RETURNDATASIZE
00000173: DUP2
00000174: DUP1
00000175: RETURNDATACOPY
00000176: RETURNDATASIZE
00000177: SWAP1
00000178: REVERT
00000179: JUMPDEST
0000017a: SWAP1
0000017b: SWAP2
0000017c: DUP2
0000017d: DUP4
0000017e: LT
0000017f: PUSH2 0x0216
00000182: JUMPI
00000183: PUSH1 0x01
00000185: CALLDATALOAD
00000186: PUSH1 0xb0
00000188: SHR
00000189: PUSH1 0x00
0000018b: SWAP2
0000018c: PUSH3 0xa893b7
00000190: PUSH3 0xffffff
00000194: DUP4
00000195: AND
00000196: SUB
00000197: PUSH2 0x01fd
0000019a: JUMPI
0000019b: JUMPDEST
0000019c: POP
0000019d: ADD
0000019e: ADD
0000019f: GT
000001a0: PUSH2 0x01a5
000001a3: JUMPI
000001a4: JUMP
000001a5: JUMPDEST
000001a6: PUSH32 0x08c379a000000000000000000000000000000000000000000000000000000000
000001c7: PUSH1 0x00
000001c9: MSTORE
000001ca: PUSH1 0x20
000001cc: PUSH1 0x04
000001ce: MSTORE
000001cf: PUSH1 0x04
000001d1: PUSH1 0x24
000001d3: MSTORE
000001d4: PUSH32 0x6d50526200000000000000000000000000000000000000000000000000000000
000001f5: PUSH1 0x44
000001f7: MSTORE
000001f8: PUSH1 0x64
000001fa: PUSH1 0x00
000001fc: REVERT
000001fd: JUMPDEST
000001fe: SWAP1
000001ff: SWAP2
00000200: POP
00000201: PUSH2 0x7918
00000204: BASEFEE
00000205: SWAP2
00000206: GAS
00000207: SWAP1
00000208: SUB
00000209: PUSH1 0x06
0000020b: CALLDATASIZE
0000020c: MUL
0000020d: ADD
0000020e: ADD
0000020f: MUL
00000210: SWAP1
00000211: CODESIZE
00000212: PUSH2 0x019b
00000215: JUMP
00000216: JUMPDEST
00000217: PUSH32 0x08c379a000000000000000000000000000000000000000000000000000000000
00000238: PUSH1 0x00
0000023a: MSTORE
0000023b: PUSH1 0x20
0000023d: PUSH1 0x04
0000023f: MSTORE
00000240: PUSH1 0x03
00000242: PUSH1 0x24
00000244: MSTORE
00000245: PUSH32 0x6d50520000000000000000000000000000000000000000000000000000000000
00000266: PUSH1 0x44
00000268: MSTORE
00000269: PUSH1 0x64
0000026b: PUSH1 0x00
0000026d: REVERT
0000026e: JUMPDEST
0000026f: PUSH1 0x15
00000271: CALLDATALOAD
00000272: PUSH1 0xb0
00000274: SHR
00000275: DUP1
00000276: PUSH2 0x027c
00000279: JUMPI
0000027a: POP
0000027b: JUMP
0000027c: JUMPDEST
0000027d: PUSH1 0x00
0000027f: SWAP1
00000280: PUSH32 0xa9059cbb00000000000000000000000000000000000000000000000000000000
000002a1: DUP3
000002a2: MSTORE
000002a3: PUSH1 0x29
000002a5: CALLDATALOAD
000002a6: PUSH1 0x60
000002a8: SHR
000002a9: PUSH1 0x04
000002ab: MSTORE
000002ac: PUSH1 0x24
000002ae: MSTORE
000002af: DUP1
000002b0: DUP1
000002b1: PUSH1 0x44
000002b3: DUP2
000002b4: DUP1
000002b5: PUSH20 0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2
000002ca: GAS
000002cb: CALL
000002cc: ISZERO
000002cd: PUSH2 0x0171
000002d0: JUMPI
000002d1: POP
000002d2: JUMP
000002d3: JUMPDEST
000002d4: PUSH1 0x15
000002d6: CALLDATALOAD
000002d7: PUSH1 0xb0
000002d9: SHR
000002da: DUP1
000002db: PUSH2 0x02e1
000002de: JUMPI
000002df: POP
000002e0: JUMP
000002e1: JUMPDEST
000002e2: PUSH1 0x00
000002e4: SWAP1
000002e5: PUSH32 0xa9059cbb00000000000000000000000000000000000000000000000000000000
00000306: DUP3
00000307: MSTORE
00000308: PUSH1 0x2a
0000030a: CALLDATALOAD
0000030b: PUSH1 0x60
0000030d: SHR
0000030e: PUSH1 0x04
00000310: MSTORE
00000311: PUSH1 0x24
00000313: MSTORE
00000314: DUP1
00000315: DUP1
00000316: PUSH1 0x44
00000318: DUP2
00000319: DUP1
0000031a: PUSH20 0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2
0000032f: GAS
00000330: CALL
00000331: ISZERO
00000332: PUSH2 0x0171
00000335: JUMPI
00000336: POP
00000337: JUMP
00000338: JUMPDEST
00000339: PUSH1 0x0b
0000033b: CALLDATALOAD
0000033c: PUSH1 0xb0
0000033e: SHR
0000033f: DUP1
00000340: PUSH2 0x038a
00000343: JUMPI
00000344: JUMPDEST
00000345: POP
00000346: PUSH1 0x1f
00000348: CALLDATALOAD
00000349: PUSH1 0xb0
0000034b: SHR
0000034c: DUP1
0000034d: PUSH2 0x0374
00000350: JUMPI
00000351: JUMPDEST
00000352: POP
00000353: PUSH1 0x01
00000355: CALLDATALOAD
00000356: PUSH1 0xb0
00000358: SHR
00000359: DUP1
0000035a: PUSH2 0x0360
0000035d: JUMPI
0000035e: POP
0000035f: JUMP
00000360: JUMPDEST
00000361: PUSH1 0x00
00000363: DUP1
00000364: DUP1
00000365: DUP1
00000366: DUP1
00000367: SWAP5
00000368: COINBASE
00000369: PUSH2 0x03e8
0000036c: CALL
0000036d: ISZERO
0000036e: PUSH2 0x0171
00000371: JUMPI
00000372: POP
00000373: JUMP
00000374: JUMPDEST
00000375: PUSH1 0x00
00000377: DUP1
00000378: DUP1
00000379: DUP1
0000037a: DUP1
0000037b: SWAP5
0000037c: CALLER
0000037d: DUP3
0000037e: CALL
0000037f: PUSH2 0x0351
00000382: JUMPI
00000383: RETURNDATASIZE
00000384: DUP2
00000385: DUP1
00000386: RETURNDATACOPY
00000387: RETURNDATASIZE
00000388: SWAP1
00000389: REVERT
0000038a: JUMPDEST
0000038b: PUSH1 0x00
0000038d: SWAP1
0000038e: PUSH32 0x2e1a7d4d00000000000000000000000000000000000000000000000000000000
000003af: DUP3
000003b0: MSTORE
000003b1: PUSH1 0x04
000003b3: MSTORE
000003b4: DUP1
000003b5: DUP1
000003b6: PUSH1 0x24
000003b8: DUP2
000003b9: DUP1
000003ba: PUSH20 0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2
000003cf: GAS
000003d0: CALL
000003d1: PUSH2 0x0344
000003d4: JUMPI
000003d5: RETURNDATASIZE
000003d6: DUP2
000003d7: DUP1
000003d8: RETURNDATACOPY
000003d9: RETURNDATASIZE
000003da: SWAP1
000003db: REVERT
000003dc: JUMPDEST
000003dd: PUSH2 0x03e4
000003e0: PUSH2 0x02d3
000003e3: JUMP
000003e4: JUMPDEST
000003e5: PUSH1 0x29
000003e7: JUMPDEST
000003e8: CALLDATASIZE
000003e9: DUP2
000003ea: LT
000003eb: PUSH2 0x03f1
000003ee: JUMPI
000003ef: POP
000003f0: JUMP
000003f1: JUMPDEST
000003f2: PUSH1 0x01
000003f4: DUP2
000003f5: ADD
000003f6: SWAP1
000003f7: CALLDATALOAD
000003f8: PUSH1 0x00
000003fa: SWAP1
000003fb: DUP2
000003fc: BYTE
000003fd: SWAP1
000003fe: DUP2
000003ff: ISZERO
00000400: PUSH2 0x0466
00000403: JUMPI
00000404: DUP2
00000405: PUSH1 0x01
00000407: EQ
00000408: PUSH2 0x0432
0000040b: JUMPI
0000040c: POP
0000040d: DUP1
0000040e: PUSH1 0x02
00000410: EQ
00000411: PUSH2 0x0423
00000414: JUMPI
00000415: PUSH1 0x03
00000417: SUB
00000418: PUSH2 0x03e7
0000041b: JUMPI
0000041c: PUSH1 0x14
0000041e: ADD
0000041f: PUSH2 0x03e7
00000422: JUMP
00000423: JUMPDEST
00000424: POP
00000425: PUSH2 0x042d
00000428: SWAP1
00000429: PUSH2 0x04c9
0000042c: JUMP
0000042d: JUMPDEST
0000042e: PUSH2 0x03e7
00000431: JUMP
00000432: JUMPDEST
00000433: PUSH1 0x20
00000435: SWAP3
00000436: PUSH1 0x1e
00000438: DUP2
00000439: ADD
0000043a: CALLDATALOAD
0000043b: PUSH1 0xf0
0000043d: SHR
0000043e: SWAP3
0000043f: POP
00000440: SWAP1
00000441: DUP3
00000442: DUP5
00000443: DUP4
00000444: ADD
00000445: DUP3
00000446: CALLDATACOPY
00000447: DUP1
00000448: DUP1
00000449: DUP5
0000044a: DUP2
0000044b: PUSH1 0x14
0000044d: DUP7
0000044e: ADD
0000044f: CALLDATALOAD
00000450: PUSH1 0xb0
00000452: SHR
00000453: DUP7
00000454: CALLDATALOAD
00000455: PUSH1 0x60
00000457: SHR
00000458: GAS
00000459: CALL
0000045a: ISZERO
0000045b: PUSH2 0x0171
0000045e: JUMPI
0000045f: POP
00000460: ADD
00000461: ADD
00000462: PUSH2 0x03e7
00000465: JUMP
00000466: JUMPDEST
00000467: POP
00000468: POP
00000469: PUSH2 0x042d
0000046c: SWAP1
0000046d: PUSH2 0x0494
00000470: JUMP
00000471: JUMPDEST
00000472: PUSH2 0x0479
00000475: PUSH2 0x026e
00000478: JUMP
00000479: JUMPDEST
0000047a: PUSH1 0x29
0000047c: JUMPDEST
0000047d: CALLDATASIZE
0000047e: DUP2
0000047f: LT
00000480: PUSH2 0x0486
00000483: JUMPI
00000484: POP
00000485: JUMP
00000486: JUMPDEST
00000487: PUSH2 0x048f
0000048a: SWAP1
0000048b: PUSH2 0x0494
0000048e: JUMP
0000048f: JUMPDEST
00000490: PUSH2 0x047c
00000493: JUMP
00000494: JUMPDEST
00000495: SWAP1
00000496: PUSH1 0x14
00000498: DUP3
00000499: ADD
0000049a: CALLDATALOAD
0000049b: PUSH1 0xf0
0000049d: SHR
0000049e: PUSH1 0x00
000004a0: SWAP3
000004a1: DUP2
000004a2: PUSH1 0x16
000004a4: DUP3
000004a5: ADD
000004a6: DUP6
000004a7: CALLDATACOPY
000004a8: DUP4
000004a9: DUP1
000004aa: DUP4
000004ab: DUP2
000004ac: DUP1
000004ad: DUP6
000004ae: CALLDATALOAD
000004af: PUSH1 0x60
000004b1: SHR
000004b2: GAS
000004b3: CALL
000004b4: ISZERO
000004b5: PUSH2 0x04c0
000004b8: JUMPI
000004b9: ADD
000004ba: PUSH1 0x16
000004bc: ADD
000004bd: SWAP2
000004be: POP
000004bf: JUMP
000004c0: JUMPDEST
000004c1: DUP4
000004c2: RETURNDATASIZE
000004c3: DUP2
000004c4: DUP1
000004c5: RETURNDATACOPY
000004c6: RETURNDATASIZE
000004c7: SWAP1
000004c8: REVERT
000004c9: JUMPDEST
000004ca: PUSH1 0x16
000004cc: SWAP1
000004cd: PUSH1 0x00
000004cf: PUSH32 0x022c0d9f00000000000000000000000000000000000000000000000000000000
000004f0: DUP2
000004f1: MSTORE
000004f2: PUSH1 0x80
000004f4: PUSH1 0x64
000004f6: MSTORE
000004f7: DUP1
000004f8: PUSH1 0x84
000004fa: MSTORE
000004fb: DUP1
000004fc: PUSH1 0xa4
000004fe: DUP2
000004ff: DUP1
00000500: PUSH1 0x14
00000502: DUP7
00000503: ADD
00000504: CALLDATALOAD
00000505: DUP2
00000506: BYTE
00000507: SWAP6
00000508: DUP2
00000509: PUSH1 0x15
0000050b: DUP3
0000050c: ADD
0000050d: CALLDATALOAD
0000050e: DUP2
0000050f: BYTE
00000510: DUP10
00000511: DUP4
00000512: ADD
00000513: CALLDATALOAD
00000514: DUP2
00000515: PUSH1 0x03
00000517: SHL
00000518: PUSH2 0x0100
0000051b: SUB
0000051c: SHR
0000051d: DUP10
0000051e: MSTORE
0000051f: DUP3
00000520: ADD
00000521: SWAP8
00000522: PUSH1 0x28
00000524: SUB
00000525: MSTORE
00000526: PUSH1 0x17
00000528: DUP8
00000529: ADD
0000052a: CALLDATALOAD
0000052b: PUSH1 0x60
0000052d: SHR
0000052e: ADDRESS
0000052f: DUP2
00000530: ISZERO
00000531: MUL
00000532: OR
00000533: PUSH1 0x44
00000535: MSTORE
00000536: CALLDATALOAD
00000537: PUSH1 0x60
00000539: SHR
0000053a: GAS
0000053b: CALL
0000053c: ISZERO
0000053d: PUSH2 0x0544
00000540: JUMPI
00000541: ADD
00000542: SWAP1
00000543: JUMP
00000544: JUMPDEST
00000545: PUSH2 0x054c
00000548: PUSH2 0x05f8
0000054b: JUMP
0000054c: JUMPDEST
0000054d: ADD
0000054e: SWAP1
0000054f: JUMP
00000550: JUMPDEST
00000551: PUSH1 0x29
00000553: PUSH1 0x00
00000555: PUSH32 0x022c0d9f00000000000000000000000000000000000000000000000000000000
00000576: DUP2
00000577: MSTORE
00000578: DUP1
00000579: PUSH1 0x04
0000057b: MSTORE
0000057c: DUP1
0000057d: PUSH1 0x24
0000057f: MSTORE
00000580: PUSH1 0x80
00000582: PUSH1 0x64
00000584: MSTORE
00000585: DUP1
00000586: PUSH1 0x84
00000588: MSTORE
00000589: PUSH1 0x60
0000058b: SWAP2
0000058c: CALLDATALOAD
0000058d: DUP3
0000058e: SHR
0000058f: SWAP2
00000590: PUSH1 0x3d
00000592: JUMPDEST
00000593: CALLDATASIZE
00000594: DUP2
00000595: LT
00000596: PUSH2 0x059f
00000599: JUMPI
0000059a: POP
0000059b: POP
0000059c: POP
0000059d: POP
0000059e: JUMP
0000059f: JUMPDEST
000005a0: DUP3
000005a1: DUP1
000005a2: PUSH1 0xa4
000005a4: DUP2
000005a5: DUP1
000005a6: PUSH1 0x16
000005a8: DUP7
000005a9: CALLDATALOAD
000005aa: DUP3
000005ab: BYTE
000005ac: SWAP7
000005ad: DUP3
000005ae: PUSH1 0x01
000005b0: DUP3
000005b1: ADD
000005b2: CALLDATALOAD
000005b3: DUP2
000005b4: BYTE
000005b5: PUSH1 0x02
000005b7: SWAP3
000005b8: DUP4
000005b9: DUP2
000005ba: ADD
000005bb: CALLDATALOAD
000005bc: DUP3
000005bd: PUSH1 0x03
000005bf: SHL
000005c0: PUSH2 0x0100
000005c3: SUB
000005c4: SHR
000005c5: DUP12
000005c6: MSTORE
000005c7: ADD
000005c8: SWAP9
000005c9: PUSH1 0x28
000005cb: SUB
000005cc: MSTORE
000005cd: DUP8
000005ce: ADD
000005cf: CALLDATALOAD
000005d0: DUP9
000005d1: SHR
000005d2: ADDRESS
000005d3: DUP2
000005d4: ISZERO
000005d5: MUL
000005d6: OR
000005d7: SWAP7
000005d8: ADD
000005d9: SWAP9
000005da: DUP7
000005db: PUSH1 0x44
000005dd: MSTORE
000005de: GAS
000005df: CALL
000005e0: ISZERO
000005e1: PUSH2 0x05eb
000005e4: JUMPI
000005e5: JUMPDEST
000005e6: SWAP3
000005e7: PUSH2 0x0592
000005ea: JUMP
000005eb: JUMPDEST
000005ec: PUSH2 0x05f3
000005ef: PUSH2 0x05f8
000005f2: JUMP
000005f3: JUMPDEST
000005f4: PUSH2 0x05e5
000005f7: JUMP
000005f8: JUMPDEST
000005f9: POP
000005fa: RETURNDATASIZE
000005fb: PUSH1 0x00
000005fd: DUP1
000005fe: RETURNDATACOPY
000005ff: RETURNDATASIZE
00000600: PUSH1 0x00
00000602: REVERT

Findings

validated = confirmed for call sinks; sink observed for others
Severity Category Tool Title Confidence Validated Confirmed Details
high other detector Untrusted CALL target/value reachable 60 no no
trace_id: 0x77eaacc3ca69d55a596c85241f2450315b8c249b6bbc5857c3b1cecad6a06ec0
call_targets: 0x3de8eb830000f1d914294d000051000031a81d00
target_varies: no
classification: constant_target
validation_json
{
    "sink": "CALL",
    "errors": 0,
    "status": "sink_reached",
    "attempts": 1,
    "trace_id": "0x77eaacc3ca69d55a596c85241f2450315b8c249b6bbc5857c3b1cecad6a06ec0",
    "confirmed": false,
    "trace_mode": "callTracer",
    "call_targets": [
        "0x3de8eb830000f1d914294d000051000031a81d00"
    ],
    "matched_probe": null,
    "target_varies": false,
    "classification": "constant_target"
}
witness_json
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x",
            "selector": "fallback",
            "calldata_variants": [
                "0x"
            ]
        }
    ]
}
evidence_json
{
    "examples": [
        {
            "pc": 715,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        },
        {
            "pc": 816,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        },
        {
            "pc": 876,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        }
    ],
    "call_count": 9,
    "guards_detected": [],
    "untrusted_call_count": 9
}
high other detector ETH value transfer possible 55 no no
trace_id: 0x77eaacc3ca69d55a596c85241f2450315b8c249b6bbc5857c3b1cecad6a06ec0
call_targets: 0x3de8eb830000f1d914294d000051000031a81d00
target_varies: no
classification: constant_target
validation_json
{
    "sink": "CALL",
    "errors": 0,
    "status": "sink_reached",
    "attempts": 1,
    "trace_id": "0x77eaacc3ca69d55a596c85241f2450315b8c249b6bbc5857c3b1cecad6a06ec0",
    "confirmed": false,
    "trace_mode": "callTracer",
    "call_targets": [
        "0x3de8eb830000f1d914294d000051000031a81d00"
    ],
    "matched_probe": null,
    "target_varies": false,
    "classification": "constant_target"
}
witness_json
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x",
            "selector": "fallback",
            "calldata_variants": [
                "0x"
            ]
        }
    ]
}
evidence_json
{
    "examples": [
        {
            "pc": 715,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        },
        {
            "pc": 816,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        },
        {
            "pc": 876,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        }
    ],
    "eth_value_calls": 9,
    "guards_detected": []
}
low other codex Fallback allows calldata-driven external CALLs with ETH value transfers 65 no
evidence_json
{
    "evidence": "Multiple CALL sites pull targets from calldata (CALLDATALOAD + SHR -> CALL), plus explicit CALLs to COINBASE/CALLER with value likely on stack.",
    "locations": [
        "pc:0x0459",
        "pc:0x04b3",
        "pc:0x053b",
        "pc:0x05df",
        "pc:0x036c",
        "pc:0x037e"
    ],
    "recommendation": "If this is not intentionally a privileged executor, restrict CALL targets and value ranges (e.g., hardcoded allowlists or explicit selector checks). If it is intended, ensure the hardcoded caller addresses are correct and secured (multisig/rotation), and avoid leaving funds in the contract.",
    "exploit_scenario": "The fallback dispatcher issues CALLs where the target address and (likely) value are derived from calldata/stack. If the hardcoded caller key(s) are compromised or mis-specified, an attacker can use this contract as a generic executor to call arbitrary contracts and drain any ETH held by the contract (including miner bribes to COINBASE and refunds to CALLER)."
}