TW
Tripwire
Find contracts. Test them. Review real vulns.

Analysis Run

019bab3b-ab74-7343-a3d1-557498378979

complete
Chain ID
1
Address
0x2d83ff1cb1c79c68fe530d35f439a92a645faded
Block Number
Created
Sun, Jan 11, 2026 4:06 AM
Review Summary

What survived the funnel

Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?

back to vulns open contract
Confirmed
0
Validated
0
Source
Bytecode only
Review Backing
Present
Best current signal
Authorization based on tx.origin
crit 0 high 0 direct contract
Review Checklist
1. Read the findings table first. Ignore raw jobs until the result looks real.
2. Confirm attacker control, not just the existence of a sink.
3. Confirm money or privilege impact.
4. Keep it if the behavior is real. Kill it if this is normal proxy, admin, or upgrade plumbing.

Processing Jobs

Status & attempts
ID Type Status Attempts Heartbeat
38555 artifact.fetch complete 1 / 3 3 months ago
38556 proxy.resolve complete 1 / 3 3 months ago
38557 tool.cast_disasm complete 1 / 3 3 months ago
38558 analysis.bundle complete 1 / 3 3 months ago
38559 capability.graph complete 1 / 3 3 months ago
38560 detector.run complete 1 / 3 3 months ago
38561 validation.fork complete 1 / 3 3 months ago
39067 report.consolidate complete 1 / 6 3 months ago

Artifact

Runtime bytecode: available
Creation TX:
Deployer:
Proxy: no not_proxy
Implementation:
Verified Source: no
Proxy evidence 
{
    "status": "not_proxy"
}

Slither

tool.slither

No slither job recorded yet.

Codex

report.consolidate
Job Status
complete
Attempts
1 / 6
Findings
2
No findings?
no
Summary
Fallback-only bytecode shows tx.origin usage and multiple low-level CALLs with computed target/value; findings focus on auth robustness and external-call safety based on bytecode evidence only.
View stdout 
{"no_findings":false,"summary":"Fallback-only bytecode shows tx.origin usage and multiple low-level CALLs with computed target/value; findings focus on auth robustness and external-call safety based on bytecode evidence only.","findings":[{"severity":"medium","category":"auth","title":"tx.origin used in sensitive logic (heuristic)","exploit_scenario":"If authorization or recipient selection relies on tx.origin, a malicious contract can trick an EOA into initiating a call and then invoke this contract, passing the tx.origin check and triggering token/ETH forwarding or approvals. Contract wallets would also see tx.origin differ from msg.sender, potentially sending assets to an unintended EOA.","recommendation":"Avoid tx.origin for authorization or recipient logic. Use msg.sender for access control and pass recipients explicitly; if caller authorization is needed, prefer signatures (EIP-712) or explicit allowlists.","evidence":"ORIGIN opcode appears in the fallback path (pc 140); detector flags a tx.origin guard in this region.","locations":["pc:140"]},{"severity":"low","category":"other","title":"Low-level external CALLs with computed target/value and no return-data validation","exploit_scenario":"The bytecode performs multiple CALLs where target/value are computed at runtime. If the authorized caller is compromised or access control is bypassed, this contract can be used to forward ETH or arbitrary calldata to external addresses. Additionally, success is only checked at the CALL level; ERC20s that return false (without reverting) would not be detected, potentially masking failed transfers/approvals.","recommendation":"Restrict or validate external call targets/values, and validate ERC20 return data (SafeERC20-style). Monitor and harden the privileged caller key or enforce stricter access control.","evidence":"Four CALL sites with computed target/value and returndata_checked=null are present at pc 74, 110, 158, and 214.","locations":["pc:74","pc:110","pc:158","pc:214"]}]}
View stderr 
OpenAI Codex v0.77.0 (research preview)
--------
workdir: /tmp/codex-ht2t11sx
model: gpt-5.2-codex
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: auto
session id: 019baba9-c6f9-7f51-b018-8914e13c98e4
--------
user
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.

Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.

Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".

Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
mcp startup: no servers

thinking
**Reading BYTECODE_BUNDLE.json file**
exec
/bin/bash -lc ls in /tmp/codex-ht2t11sx succeeded in 5ms:
BYTECODE_BUNDLE.json
codex-output-schema.json
exec
/bin/bash -lc 'cat BYTECODE_BUNDLE.json' in /tmp/codex-ht2t11sx succeeded in 5ms:
{
  "analysis_artifact": {
    "address": "0x2d83ff1cb1c79c68fe530d35f439a92a645faded",
    "artifact_hash": "0x1cf7459000304fcf8f5f30bd9b008a3a3cf239b33a12d6f619dbd0defd8b8d8c",
    "artifact_json": {
      "auth": {
        "guards": [
          {
            "pc": 140,
            "type": "tx_origin_used"
          }
        ]
      },
      "basic_blocks": [
        {
          "end_pc": 25,
          "hash": "0x86337c9dab3e48113fe886a37de254e9da10e2d2a11152098c8ea09e73071b77",
          "opcodes": [
            "PUSH20",
            "CALLER",



thinking
**Interpreting complex fallback bytecode**
thinking
**Summarizing security-relevant analysis with findings**

I'll outline key findings about tx.origin usage for authorization or recipient roles and the presence of low-level external calls with computed targets and values, noting the access control by a hardcoded caller and the implications of ignoring return data from token calls.
thinking
**Detailing return data validation concerns**

I'm clarifying that the contract doesn’t validate return data from ERC20 calls, which might make calls that return false appear successful, and I'll recommend stricter validation and safer transfer methods alongside access control monitoring.
codex
{"no_findings":false,"summary":"Fallback-only bytecode shows tx.origin usage and multiple low-level CALLs with computed target/value; findings focus on auth robustness and external-call safety based on bytecode evidence only.","findings":[{"severity":"medium","category":"auth","title":"tx.origin used in sensitive logic (heuristic)","exploit_scenario":"If authorization or recipient selection relies on tx.origin, a malicious contract can trick an EOA into initiating a call and then invoke this contract, passing the tx.origin check and triggering token/ETH forwarding or approvals. Contract wallets would also see tx.origin differ from msg.sender, potentially sending assets to an unintended EOA.","recommendation":"Avoid tx.origin for authorization or recipient logic. Use msg.sender for access control and pass recipients explicitly; if caller authorization is needed, prefer signatures (EIP-712) or explicit allowlists.","evidence":"ORIGIN opcode appears in the fallback path (pc 140); detector flags a tx.origin guard in this region.","locations":["pc:140"]},{"severity":"low","category":"other","title":"Low-level external CALLs with computed target/value and no return-data validation","exploit_scenario":"The bytecode performs multiple CALLs where target/value are computed at runtime. If the authorized caller is compromised or access control is bypassed, this contract can be used to forward ETH or arbitrary calldata to external addresses. Additionally, success is only checked at the CALL level; ERC20s that return false (without reverting) would not be detected, potentially masking failed transfers/approvals.","recommendation":"Restrict or validate external call targets/values, and validate ERC20 return data (SafeERC20-style). Monitor and harden the privileged caller key or enforce stricter access control.","evidence":"Four CALL sites with computed target/value and returndata_checked=null are present at pc 74, 110, 158, and 214.","locations":["pc:74","pc:110","pc:158","pc:214"]}]}
tokens used
19,657
Metadata 
{
    "codex": {
        "ran_at": "2026-01-11T06:09:09.537396+00:00",
        "returncode": 0
    },
    "project": {
        "mode": "bytecode",
        "bytecode_length": 442,
        "bytecode_truncated": false,
        "capability_graph_present": true,
        "analysis_artifact_present": true
    },
    "summary": "Fallback-only bytecode shows tx.origin usage and multiple low-level CALLs with computed target/value; findings focus on auth robustness and external-call safety based on bytecode evidence only.",
    "raw_final": {
        "summary": "Fallback-only bytecode shows tx.origin usage and multiple low-level CALLs with computed target/value; findings focus on auth robustness and external-call safety based on bytecode evidence only.",
        "findings": [
            {
                "title": "tx.origin used in sensitive logic (heuristic)",
                "category": "auth",
                "evidence": "ORIGIN opcode appears in the fallback path (pc 140); detector flags a tx.origin guard in this region.",
                "severity": "medium",
                "locations": [
                    "pc:140"
                ],
                "recommendation": "Avoid tx.origin for authorization or recipient logic. Use msg.sender for access control and pass recipients explicitly; if caller authorization is needed, prefer signatures (EIP-712) or explicit allowlists.",
                "exploit_scenario": "If authorization or recipient selection relies on tx.origin, a malicious contract can trick an EOA into initiating a call and then invoke this contract, passing the tx.origin check and triggering token/ETH forwarding or approvals. Contract wallets would also see tx.origin differ from msg.sender, potentially sending assets to an unintended EOA."
            },
            {
                "title": "Low-level external CALLs with computed target/value and no return-data validation",
                "category": "other",
                "evidence": "Four CALL sites with computed target/value and returndata_checked=null are present at pc 74, 110, 158, and 214.",
                "severity": "low",
                "locations": [
                    "pc:74",
                    "pc:110",
                    "pc:158",
                    "pc:214"
                ],
                "recommendation": "Restrict or validate external call targets/values, and validate ERC20 return data (SafeERC20-style). Monitor and harden the privileged caller key or enforce stricter access control.",
                "exploit_scenario": "The bytecode performs multiple CALLs where target/value are computed at runtime. If the authorized caller is compromised or access control is bypassed, this contract can be used to forward ETH or arbitrary calldata to external addresses. Additionally, success is only checked at the CALL level; ERC20s that return false (without reverting) would not be detected, potentially masking failed transfers/approvals."
            }
        ],
        "no_findings": false
    },
    "no_findings": false,
    "schema_version": 1
}

Opcode Heuristics

tool.cast_disasm
Delegatecall
0
Selfdestruct
0
CREATE2
0
CALL-family (heavy)
4
EXT*/BALANCE
0
Total opcodes
111
Flags
No heuristic flags raised.
View cast disassembly output 
00000000: PUSH20 0x99a5b028d785a7bd475339b1f8548d6d659ce5c2
00000015: CALLER
00000016: SUB
00000017: PUSH1 0x74
00000019: JUMPI
0000001a: PUSH1 0x41
0000001c: CALLDATASIZE
0000001d: LT
0000001e: PUSH1 0x78
00000020: JUMPI
00000021: CALLVALUE
00000022: PUSH1 0x10
00000024: SHR
00000025: PUSH2 0xffff
00000028: CALLVALUE
00000029: AND
0000002a: SWAP1
0000002b: DUP1
0000002c: PUSH0
0000002d: DUP1
0000002e: CALLDATACOPY
0000002f: PUSH0
00000030: DUP1
00000031: DUP3
00000032: DUP2
00000033: DUP1
00000034: PUSH20 0x111111125421ca6dc452d289314280a0f8842a65
00000049: GAS
0000004a: CALL
0000004b: ISZERO
0000004c: PUSH1 0x74
0000004e: JUMPI
0000004f: DUP2
00000050: PUSH0
00000051: SWAP3
00000052: DUP4
00000053: SWAP3
00000054: DUP4
00000055: CALLDATACOPY
00000056: DUP2
00000057: DUP1
00000058: PUSH20 0x111111125421ca6dc452d289314280a0f8842a65
0000006d: GAS
0000006e: CALL
0000006f: ISZERO
00000070: PUSH1 0x74
00000072: JUMPI
00000073: STOP
00000074: JUMPDEST
00000075: PUSH0
00000076: DUP1
00000077: REVERT
00000078: JUMPDEST
00000079: PUSH1 0x40
0000007b: CALLDATASIZE
0000007c: LT
0000007d: PUSH1 0xa4
0000007f: JUMPI
00000080: PUSH4 0xa9059cbb
00000085: PUSH1 0xe0
00000087: SHL
00000088: PUSH0
00000089: SWAP1
0000008a: DUP2
0000008b: MSTORE
0000008c: ORIGIN
0000008d: PUSH1 0x04
0000008f: MSTORE
00000090: PUSH1 0x20
00000092: CALLDATALOAD
00000093: PUSH1 0x24
00000095: MSTORE
00000096: DUP1
00000097: PUSH1 0x44
00000099: DUP2
0000009a: DUP1
0000009b: DUP1
0000009c: CALLDATALOAD
0000009d: GAS
0000009e: CALL
0000009f: ISZERO
000000a0: PUSH1 0x74
000000a2: JUMPI
000000a3: STOP
000000a4: JUMPDEST
000000a5: PUSH4 0x095ea7b3
000000aa: PUSH1 0xe0
000000ac: SHL
000000ad: PUSH0
000000ae: SWAP1
000000af: DUP2
000000b0: MSTORE
000000b1: PUSH20 0x111111125421ca6dc452d289314280a0f8842a65
000000c6: PUSH1 0x04
000000c8: MSTORE
000000c9: PUSH0
000000ca: NOT
000000cb: PUSH1 0x24
000000cd: MSTORE
000000ce: DUP1
000000cf: PUSH1 0x44
000000d1: DUP2
000000d2: DUP1
000000d3: DUP1
000000d4: CALLDATALOAD
000000d5: GAS
000000d6: CALL
000000d7: ISZERO
000000d8: PUSH1 0x74
000000da: JUMPI
000000db: STOP

Findings

validated = confirmed for call sinks; sink observed for others
Severity Category Tool Title Confidence Validated Confirmed Details
high auth detector Authorization based on tx.origin 70 no
view
validation_json 
{
    "reason": "missing sink mapping",
    "status": "no_sink"
}
witness_json 
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x",
            "selector": "fallback",
            "calldata_variants": [
                "0x"
            ]
        }
    ]
}
evidence_json 
{
    "guards_detected": [
        {
            "pc": 140,
            "type": "tx_origin_used"
        }
    ]
}
medium auth codex tx.origin used in sensitive logic (heuristic) 75 no
view
evidence_json 
{
    "evidence": "ORIGIN opcode appears in the fallback path (pc 140); detector flags a tx.origin guard in this region.",
    "locations": [
        "pc:140"
    ],
    "recommendation": "Avoid tx.origin for authorization or recipient logic. Use msg.sender for access control and pass recipients explicitly; if caller authorization is needed, prefer signatures (EIP-712) or explicit allowlists.",
    "exploit_scenario": "If authorization or recipient selection relies on tx.origin, a malicious contract can trick an EOA into initiating a call and then invoke this contract, passing the tx.origin check and triggering token/ETH forwarding or approvals. Contract wallets would also see tx.origin differ from msg.sender, potentially sending assets to an unintended EOA."
}
medium other detector Untrusted CALL target/value reachable 45 no no
view
trace_id: 0xd405a021feeca15ff4efe0d323171ab6adba588e6ab3dd55a289ea9fb73c4b86
call_targets: 0x2d83ff1cb1c79c68fe530d35f439a92a645faded
target_varies: no
classification: constant_target
validation_json 
{
    "sink": "CALL",
    "errors": 0,
    "status": "sink_reached",
    "attempts": 1,
    "trace_id": "0xd405a021feeca15ff4efe0d323171ab6adba588e6ab3dd55a289ea9fb73c4b86",
    "confirmed": false,
    "trace_mode": "callTracer",
    "call_targets": [
        "0x2d83ff1cb1c79c68fe530d35f439a92a645faded"
    ],
    "matched_probe": null,
    "target_varies": false,
    "classification": "constant_target"
}
witness_json 
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x",
            "selector": "fallback",
            "calldata_variants": [
                "0x"
            ]
        }
    ]
}
evidence_json 
{
    "examples": [
        {
            "pc": 74,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        },
        {
            "pc": 110,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        },
        {
            "pc": 158,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        }
    ],
    "call_count": 4,
    "guards_detected": [
        {
            "pc": 140,
            "type": "tx_origin_used"
        }
    ],
    "untrusted_call_count": 4
}
medium other detector ETH value transfer possible 40 no no
view
trace_id: 0xd405a021feeca15ff4efe0d323171ab6adba588e6ab3dd55a289ea9fb73c4b86
call_targets: 0x2d83ff1cb1c79c68fe530d35f439a92a645faded
target_varies: no
classification: constant_target
validation_json 
{
    "sink": "CALL",
    "errors": 0,
    "status": "sink_reached",
    "attempts": 1,
    "trace_id": "0xd405a021feeca15ff4efe0d323171ab6adba588e6ab3dd55a289ea9fb73c4b86",
    "confirmed": false,
    "trace_mode": "callTracer",
    "call_targets": [
        "0x2d83ff1cb1c79c68fe530d35f439a92a645faded"
    ],
    "matched_probe": null,
    "target_varies": false,
    "classification": "constant_target"
}
witness_json 
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x",
            "selector": "fallback",
            "calldata_variants": [
                "0x"
            ]
        }
    ]
}
evidence_json 
{
    "examples": [
        {
            "pc": 74,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        },
        {
            "pc": 110,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        },
        {
            "pc": 158,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        }
    ],
    "eth_value_calls": 4,
    "guards_detected": [
        {
            "pc": 140,
            "type": "tx_origin_used"
        }
    ]
}
low other codex Low-level external CALLs with computed target/value and no return-data validation 65 no
view
evidence_json 
{
    "evidence": "Four CALL sites with computed target/value and returndata_checked=null are present at pc 74, 110, 158, and 214.",
    "locations": [
        "pc:74",
        "pc:110",
        "pc:158",
        "pc:214"
    ],
    "recommendation": "Restrict or validate external call targets/values, and validate ERC20 return data (SafeERC20-style). Monitor and harden the privileged caller key or enforce stricter access control.",
    "exploit_scenario": "The bytecode performs multiple CALLs where target/value are computed at runtime. If the authorized caller is compromised or access control is bypassed, this contract can be used to forward ETH or arbitrary calldata to external addresses. Additionally, success is only checked at the CALL level; ERC20s that return false (without reverting) would not be detected, potentially masking failed transfers/approvals."
}