019bab3b-abbc-7163-9153-9fe872130821
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 38625 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 38626 | proxy.resolve | complete | 1 / 3 | 3 months ago |
| 38627 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 38628 | analysis.bundle | complete | 1 / 3 | 3 months ago |
| 38629 | capability.graph | complete | 1 / 3 | 3 months ago |
| 38630 | detector.run | complete | 1 / 3 | 3 months ago |
| 38631 | validation.fork | complete | 1 / 3 | 3 months ago |
| 39098 | report.consolidate | complete | 1 / 6 | 3 months ago |
| 39099 | tool.slither | complete | 1 / 2 | 3 months ago |
{
"method": "etherscan+onchain",
"status": "confirmed",
"etherscan_hint": {
"source": "etherscan",
"etherscan": {
"proxy_flag": true,
"implementation": "0x524818cb8081941b618613c6f990c17bb3da0866"
}
},
"implementation": "0x524818cb8081941b618613c6f990c17bb3da0866",
"onchain_method": "eip1967"
}
'forge clean' running (wd: /tmp/slither-qz7buj53) 'forge config --json' running 'forge build --build-info --skip ./test/** ./script/** --force' running (wd: /tmp/slither-qz7buj53) TransparentUpgradeableProxy.admin() (contracts/Contract.sol#215-216) calls TransparentUpgradeableProxy.ifAdmin() (contracts/Contract.sol#197-200) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Contract.sol#50) TransparentUpgradeableProxy.initialize(address,address,bytes) (contracts/Contract.sol#216-225) calls TransparentUpgradeableProxy.ifAdmin() (contracts/Contract.sol#197-200) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Contract.sol#50) TransparentUpgradeableProxy.implementation() (contracts/Contract.sol#238-239) calls TransparentUpgradeableProxy.ifAdmin() (contracts/Contract.sol#197-200) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Contract.sol#50) TransparentUpgradeableProxy.changeAdmin(address) (contracts/Contract.sol#243-251) calls TransparentUpgradeableProxy.ifAdmin() (contracts/Contract.sol#197-200) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Contract.sol#50) TransparentUpgradeableProxy.upgradeTo(address) (contracts/Contract.sol#254-260) calls TransparentUpgradeableProxy.ifAdmin() (contracts/Contract.sol#197-200) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Contract.sol#50) TransparentUpgradeableProxy.upgradeToAndCall(address,bytes) (contracts/Contract.sol#269-275) calls TransparentUpgradeableProxy.ifAdmin() (contracts/Contract.sol#197-200) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Contract.sol#50) TransparentUpgradeableProxy.ifAdmin() (contracts/Contract.sol#197-200) calls Proxy._fallback() (contracts/Contract.sol#64-66) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Contract.sol#50) Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-return-in-assembly TransparentUpgradeableProxy.initialize(address,address,bytes)._admin (contracts/Contract.sol#217) shadows: - TransparentUpgradeableProxy._admin() (contracts/Contract.sol#275-280) (function) Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#local-variable-shadowing TransparentUpgradeableProxy.upgradeToAndCall(address,bytes).newImplementation (contracts/Contract.sol#270) lacks a zero-check on : - (success,None) = newImplementation.delegatecall(data) (contracts/Contract.sol#273-275) Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#missing-zero-address-validation Modifier TransparentUpgradeableProxy.ifAdmin() (contracts/Contract.sol#197-200) does not always execute _; or revert Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-modifier Proxy._delegate(address) (contracts/Contract.sol#31-51) uses assembly - INLINE ASM (contracts/Contract.sol#34-51) UpgradeableProxy._implementation() (contracts/Contract.sol#117-123) uses assembly - INLINE ASM (contracts/Contract.sol#122-123) UpgradeableProxy._setImplementation(address) (contracts/Contract.sol#137-147) uses assembly - INLINE ASM (contracts/Contract.sol#145-147) TransparentUpgradeableProxy._admin() (contracts/Contract.sol#275-280) uses assembly - INLINE ASM (contracts/Contract.sol#278-279) TransparentUpgradeableProxy._setAdmin(address) (contracts/Contract.sol#285-296) uses assembly - INLINE ASM (contracts/Contract.sol#294-295) Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#assembly-usage Version constraint ^0.6.12 contains known severe issues (https://solidity.readthedocs.io/en/latest/bugs.html) - FullInlinerNonExpressionSplitArgumentEvaluationOrder - MissingSideEffectsOnSelectorAccess - AbiReencodingHeadOverflowWithStaticArrayCleanup - DirtyBytesArrayToStorage - DataLocationChangeInInternalOverride - NestedCalldataArrayAbiReencodingSizeValidation - SignedImmutables - ABIDecodeTwoDimensionalArrayMemory - KeccakCaching - EmptyByteArrayCopy - DynamicArrayCleanup. It is used by: - ^0.6.12 (contracts/Contract.sol#1) - ^0.6.12 (contracts/Contract.sol#2-3) - ^0.6.12 (contracts/Contract.sol#3-5) solc-0.6.12 is an outdated solc version. Use a more recent version (at least 0.8.0), if possible. Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-versions-of-solidity Low level call in TransparentUpgradeableProxy.initialize(address,address,bytes) (contracts/Contract.sol#216-225): - (success,None) = _implementation().delegatecall(_data) (contracts/Contract.sol#223-224) Low level call in TransparentUpgradeableProxy.upgradeToAndCall(address,bytes) (contracts/Contract.sol#269-275): - (success,None) = newImplementation.delegatecall(data) (contracts/Contract.sol#273-275) Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#low-level-calls Parameter TransparentUpgradeableProxy.initialize(address,address,bytes)._newImplementation (contracts/Contract.sol#216-217) is not in mixedCase Parameter TransparentUpgradeableProxy.initialize(address,address,bytes)._admin (contracts/Contract.sol#217) is not in mixedCase Parameter TransparentUpgradeableProxy.initialize(address,address,bytes)._data (contracts/Contract.sol#217) is not in mixedCase Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#conformance-to-solidity-naming-conventions . analyzed (5 contracts with 100 detectors), 22 result(s) found
{
"solc": {
"status": "ok",
"use_rc": 0,
"version": "0.6.12",
"strategy": "solc-select",
"solc_path": "/var/www/tripwire/.venv/bin/solc",
"install_rc": 0,
"use_stderr": null,
"use_stdout": "Switched global version to 0.6.12",
"install_stderr": null,
"install_stdout": "Version '0.6.12' is already installed, skipping..."
},
"solc_args": "--base-path /tmp/slither-qz7buj53 --allow-paths /tmp/slither-qz7buj53,/tmp/slither-qz7buj53/lib,/tmp/slither-qz7buj53/src",
"remappings": [],
"source_files": [
"contracts/Contract.sol"
],
"contract_count": 0,
"contract_names": [],
"detector_count": 22,
"workspace_hash": "fb1c3115dcacb2db41ac5113d6803815efc517683e5427345cf6a1b6f4d2e04a",
"duration_seconds": 0.6578083038330078,
"solc_version_requested": "0.6.12"
}
{"no_findings":false,"summary":"Unprotected initializer allows any caller to set factory/token addresses if the proxy is uninitialized, permanently locking in a malicious configuration.","findings":[{"severity":"medium","category":"access_control","title":"Initializer can be called by any address, enabling hostile initialization","exploit_scenario":"If the proxy at 0xa029a744b4e44e22f68a1bb9a848caafbf6bb233 (or any new deployment) has not yet been initialized, an attacker can call initialize first and set token0/token1/factory to arbitrary addresses. This permanently locks the pair configuration and prevents the intended factory from initializing it, potentially creating a misleading pool or bricking the intended pair.","recommendation":"Restrict initialize to the intended factory/admin (e.g., require msg.sender == factory or use an initializer modifier with an admin), or ensure initialization is performed atomically during deployment. For already-deployed proxies, verify initialization has been executed by a trusted caller.","evidence":"initialize only checks a boolean flag and sets factory/token addresses without any caller restriction.","locations":["contracts/Contract.sol:310"]}]}
OpenAI Codex v0.77.0 (research preview)
--------
workdir: /tmp/codex-5bm5i9mm
model: gpt-5.2-codex
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: auto
session id: 019babc2-2c82-71e1-b519-b5256dc15928
--------
user
Context: The user requested the proxy at 0xa029a744b4e44e22f68a1bb9a848caafbf6bb233.
Audit the implementation at 0x524818cb8081941b618613c6f990c17bb3da0866.
Findings should refer to the implementation unless explicitly about proxy mechanics.
You are a security auditor. Audit this Solidity codebase for exploitable vulnerabilities.
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation, oracle manipulation,
accounting/invariant breaks, external call patterns, unchecked return values, and dangerous delegatecall.
Scope rules:
- You MUST fully read `AUDIT_BUNDLE.txt` before concluding. It contains the complete contents of all first-party Solidity sources in this workspace.
- Treat `lib/` and `@openzeppelin/` as third-party dependencies; skip them unless there is a concrete misuse angle in first-party code.
- If there are only dependency files and no first-party sources, set no_findings=true and explain in summary.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title and file/line locations when possible.
Output constraints (IMPORTANT):
- severity MUST be exactly one of: info, low, medium, high, critical (lowercase).
- category MUST be exactly one of: access_control, reentrancy, math, oracle, upgradeability, auth, other.
Keep summary short and concrete.
mcp startup: no servers
thinking
**Reading audit instructions**
exec
/bin/bash -lc ls in /tmp/codex-5bm5i9mm succeeded in 8ms:
AUDIT_BUNDLE.txt
codex-output-schema.json
contracts
exec
/bin/bash -lc 'cat AUDIT_BUNDLE.txt' in /tmp/codex-5bm5i9mm succeeded in 7ms:
This file concatenates the full contents of first-party Solidity sources for auditing.
Do not treat dependency code under lib/ or @openzeppelin/ as first-party.
================================================================================
FILE: contracts/Contract.sol
================================================================================
// SPDX-License-Identifier: GPL-3.0-or-later
pragma solidity ^0.6.12;
interface IWSPair {
event Approval(address indexed owner, address indexed spender, uint value);
event Transfer(address indexed from, address indexed to, uint value);
event Mint(address indexed sender, uint amount0, uint amount1);
event Burn(address indexed sender, uint amount0, uint amount1, address indexed to);
event Swap(
address indexed sender,
uint amount0In,
uint amount1In,
thinking
**Analyzing potential vulnerabilities in initialization**
exec
/bin/bash -lc "nl -ba contracts/Contract.sol | sed -n '130,260p'" in /tmp/codex-5bm5i9mm succeeded in 31ms:
130 function _approve(address owner, address spender, uint value) private {
131 allowance[owner][spender] = value;
132 emit Approval(owner, spender, value);
133 }
134
135 function _transfer(address from, address to, uint value) private {
136 balanceOf[from] = balanceOf[from].sub(value);
137 balanceOf[to] = balanceOf[to].add(value);
138 emit Transfer(from, to, value);
139 }
140
141 function approve(address spender, uint value) external override returns (bool) {
142 _approve(msg.sender, spender, value);
143 return true;
144 }
145
146 function transfer(address to, uint value) external override returns (bool) {
147 _transfer(msg.sender, to, value);
148 return true;
149 }
exec
/bin/bash -lc "nl -ba contracts/Contract.sol | sed -n '300,430p'" in /tmp/codex-5bm5i9mm succeeded in 17ms:
300 event Swap(
301 address indexed sender,
302 uint amount0In,
303 uint amount1In,
304 uint amount0Out,
305 uint amount1Out,
306 address indexed to
307 );
308 event Sync(uint112 reserve0, uint112 reserve1);
309
310 // called once by the factory at time of deployment
311 function initialize(address _factory, address _token0, address _token1) override external returns(bool) {
312 require(initialized == false, 'WSwap: FORBIDDEN');
313 token0 = _token0;
314 token1 = _token1;
315 factory = _factory;
316 initialized = true;
317 unlocked = 1;
318 super.initialize();
319 return true;
exec
/bin/bash -lc "nl -ba contracts/Contract.sol | sed -n '430,520p'" in /tmp/codex-5bm5i9mm succeeded in 6ms:
430 uint balance0Adjusted = balanceOrAmountOut0.mul(10_000).sub(amount0In.mul(30 - discount));
431 uint balance1Adjusted = balanceOrAmountOut1.mul(10_000).sub(amount1In.mul(30 - discount));
432 require(balance0Adjusted.mul(balance1Adjusted) >= uint(_reserve0).mul(_reserve1).mul(10_000**2), 'WSwap: K');
433 }
434
435 _update(balanceOrAmountOut0, balanceOrAmountOut1, _reserve0, _reserve1);
436 balanceOrAmountOut0 = amount0Out;
437 balanceOrAmountOut1 = amount1Out;
438 emit Swap(msg.sender, amount0In, amount1In, balanceOrAmountOut0, balanceOrAmountOut1, to);
439 }
440
441 // this low-level function should be called from a contract which performs important safety checks
442 function swap(uint amount0Out, uint amount1Out, address to, bytes calldata data) external override lock {
443 _swap(amount0Out, amount1Out, to, data, 0);
444 }
445
446 function swapDiscount(uint amount0Out, uint amount1Out, address to, bytes calldata data, uint discount) external override lock {
447 _swap(amount0Out, amount1Out, to, data, discount);
448 }
449
thinking
**Analyzing initialize function vulnerability**
codex
{"no_findings":false,"summary":"Unprotected initializer allows any caller to set factory/token addresses if the proxy is uninitialized, permanently locking in a malicious configuration.","findings":[{"severity":"medium","category":"access_control","title":"Initializer can be called by any address, enabling hostile initialization","exploit_scenario":"If the proxy at 0xa029a744b4e44e22f68a1bb9a848caafbf6bb233 (or any new deployment) has not yet been initialized, an attacker can call initialize first and set token0/token1/factory to arbitrary addresses. This permanently locks the pair configuration and prevents the intended factory from initializing it, potentially creating a misleading pool or bricking the intended pair.","recommendation":"Restrict initialize to the intended factory/admin (e.g., require msg.sender == factory or use an initializer modifier with an admin), or ensure initialization is performed atomically during deployment. For already-deployed proxies, verify initialization has been executed by a trusted caller.","evidence":"initialize only checks a boolean flag and sets factory/token addresses without any caller restriction.","locations":["contracts/Contract.sol:310"]}]}
tokens used
27,007
{
"codex": {
"ran_at": "2026-01-11T06:34:11.682933+00:00",
"returncode": 0
},
"project": {
"mode": "source",
"file_count": 1,
"import_count": 0,
"first_party_contracts_count": 1
},
"summary": "Unprotected initializer allows any caller to set factory/token addresses if the proxy is uninitialized, permanently locking in a malicious configuration.",
"raw_final": {
"summary": "Unprotected initializer allows any caller to set factory/token addresses if the proxy is uninitialized, permanently locking in a malicious configuration.",
"findings": [
{
"title": "Initializer can be called by any address, enabling hostile initialization",
"category": "access_control",
"evidence": "initialize only checks a boolean flag and sets factory/token addresses without any caller restriction.",
"severity": "medium",
"locations": [
"contracts/Contract.sol:310"
],
"recommendation": "Restrict initialize to the intended factory/admin (e.g., require msg.sender == factory or use an initializer modifier with an admin), or ensure initialization is performed atomically during deployment. For already-deployed proxies, verify initialization has been executed by a trusted caller.",
"exploit_scenario": "If the proxy at 0xa029a744b4e44e22f68a1bb9a848caafbf6bb233 (or any new deployment) has not yet been initialized, an attacker can call initialize first and set token0/token1/factory to arbitrary addresses. This permanently locks the pair configuration and prevents the intended factory from initializing it, potentially creating a misleading pool or bricking the intended pair."
}
],
"no_findings": false
},
"no_findings": false,
"proxy_context": {
"proxy_run_id": "019bab3b-abbc-7163-9153-9fe872130821",
"proxy_address": "0xa029a744b4e44e22f68a1bb9a848caafbf6bb233",
"implementation_run_id": "019bab3d-6eaf-71cf-a4ce-ac665330e14b",
"implementation_address": "0x524818cb8081941b618613c6f990c17bb3da0866"
},
"schema_version": 1
}
00000000: PUSH1 0x80 00000002: PUSH1 0x40 00000004: MSTORE 00000005: PUSH1 0x04 00000007: CALLDATASIZE 00000008: LT 00000009: PUSH2 0x0069 0000000c: JUMPI 0000000d: PUSH1 0x00 0000000f: CALLDATALOAD 00000010: PUSH1 0xe0 00000012: SHR 00000013: DUP1 00000014: PUSH4 0x8f283970 00000019: GT 0000001a: PUSH2 0x0043 0000001d: JUMPI 0000001e: DUP1 0000001f: PUSH4 0x8f283970 00000024: EQ 00000025: PUSH2 0x0196 00000028: JUMPI 00000029: DUP1 0000002a: PUSH4 0xcf7a1d77 0000002f: EQ 00000030: PUSH2 0x01d6 00000033: JUMPI 00000034: DUP1 00000035: PUSH4 0xf851a440 0000003a: EQ 0000003b: PUSH2 0x0279 0000003e: JUMPI 0000003f: PUSH2 0x0080 00000042: JUMP 00000043: JUMPDEST 00000044: DUP1 00000045: PUSH4 0x3659cfe6 0000004a: EQ 0000004b: PUSH2 0x008b 0000004e: JUMPI 0000004f: DUP1 00000050: PUSH4 0x4f1ef286 00000055: EQ 00000056: PUSH2 0x00cb 00000059: JUMPI 0000005a: DUP1 0000005b: PUSH4 0x5c60da1b 00000060: EQ 00000061: PUSH2 0x0158 00000064: JUMPI 00000065: PUSH2 0x0080 00000068: JUMP 00000069: JUMPDEST 0000006a: CALLDATASIZE 0000006b: PUSH2 0x0080 0000006e: JUMPI 0000006f: PUSH2 0x007e 00000072: PUSH2 0x0079 00000075: PUSH2 0x028e 00000078: JUMP 00000079: JUMPDEST 0000007a: PUSH2 0x02b3 0000007d: JUMP 0000007e: JUMPDEST 0000007f: STOP 00000080: JUMPDEST 00000081: PUSH2 0x007e 00000084: PUSH2 0x0079 00000087: PUSH2 0x028e 0000008a: JUMP 0000008b: JUMPDEST 0000008c: CALLVALUE 0000008d: DUP1 0000008e: ISZERO 0000008f: PUSH2 0x0097 00000092: JUMPI 00000093: PUSH1 0x00 00000095: DUP1 00000096: REVERT 00000097: JUMPDEST 00000098: POP 00000099: PUSH2 0x007e 0000009c: PUSH1 0x04 0000009e: DUP1 0000009f: CALLDATASIZE 000000a0: SUB 000000a1: PUSH1 0x20 000000a3: DUP2 000000a4: LT 000000a5: ISZERO 000000a6: PUSH2 0x00ae 000000a9: JUMPI 000000aa: PUSH1 0x00 000000ac: DUP1 000000ad: REVERT 000000ae: JUMPDEST 000000af: POP 000000b0: CALLDATALOAD 000000b1: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000000c6: AND 000000c7: PUSH2 0x02dc 000000ca: JUMP 000000cb: JUMPDEST 000000cc: PUSH2 0x007e 000000cf: PUSH1 0x04 000000d1: DUP1 000000d2: CALLDATASIZE 000000d3: SUB 000000d4: PUSH1 0x40 000000d6: DUP2 000000d7: LT 000000d8: ISZERO 000000d9: PUSH2 0x00e1 000000dc: JUMPI 000000dd: PUSH1 0x00 000000df: DUP1 000000e0: REVERT 000000e1: JUMPDEST 000000e2: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000000f7: DUP3 000000f8: CALLDATALOAD 000000f9: AND 000000fa: SWAP2 000000fb: SWAP1 000000fc: DUP2 000000fd: ADD 000000fe: SWAP1 000000ff: PUSH1 0x40 00000101: DUP2 00000102: ADD 00000103: PUSH1 0x20 00000105: DUP3 00000106: ADD 00000107: CALLDATALOAD 00000108: PUSH5 0x0100000000 0000010e: DUP2 0000010f: GT 00000110: ISZERO 00000111: PUSH2 0x0119 00000114: JUMPI 00000115: PUSH1 0x00 00000117: DUP1 00000118: REVERT 00000119: JUMPDEST 0000011a: DUP3 0000011b: ADD 0000011c: DUP4 0000011d: PUSH1 0x20 0000011f: DUP3 00000120: ADD 00000121: GT 00000122: ISZERO 00000123: PUSH2 0x012b 00000126: JUMPI 00000127: PUSH1 0x00 00000129: DUP1 0000012a: REVERT 0000012b: JUMPDEST 0000012c: DUP1 0000012d: CALLDATALOAD 0000012e: SWAP1 0000012f: PUSH1 0x20 00000131: ADD 00000132: SWAP2 00000133: DUP5 00000134: PUSH1 0x01 00000136: DUP4 00000137: MUL 00000138: DUP5 00000139: ADD 0000013a: GT 0000013b: PUSH5 0x0100000000 00000141: DUP4 00000142: GT 00000143: OR 00000144: ISZERO 00000145: PUSH2 0x014d 00000148: JUMPI 00000149: PUSH1 0x00 0000014b: DUP1 0000014c: REVERT 0000014d: JUMPDEST 0000014e: POP 0000014f: SWAP1 00000150: SWAP3 00000151: POP 00000152: SWAP1 00000153: POP 00000154: PUSH2 0x0330 00000157: JUMP 00000158: JUMPDEST 00000159: CALLVALUE 0000015a: DUP1 0000015b: ISZERO 0000015c: PUSH2 0x0164 0000015f: JUMPI 00000160: PUSH1 0x00 00000162: DUP1 00000163: REVERT 00000164: JUMPDEST 00000165: POP 00000166: PUSH2 0x016d 00000169: PUSH2 0x03ff 0000016c: JUMP 0000016d: JUMPDEST 0000016e: PUSH1 0x40 00000170: DUP1 00000171: MLOAD 00000172: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000187: SWAP1 00000188: SWAP3 00000189: AND 0000018a: DUP3 0000018b: MSTORE 0000018c: MLOAD 0000018d: SWAP1 0000018e: DUP2 0000018f: SWAP1 00000190: SUB 00000191: PUSH1 0x20 00000193: ADD 00000194: SWAP1 00000195: RETURN 00000196: JUMPDEST 00000197: CALLVALUE 00000198: DUP1 00000199: ISZERO 0000019a: PUSH2 0x01a2 0000019d: JUMPI 0000019e: PUSH1 0x00 000001a0: DUP1 000001a1: REVERT 000001a2: JUMPDEST 000001a3: POP 000001a4: PUSH2 0x007e 000001a7: PUSH1 0x04 000001a9: DUP1 000001aa: CALLDATASIZE 000001ab: SUB 000001ac: PUSH1 0x20 000001ae: DUP2 000001af: LT 000001b0: ISZERO 000001b1: PUSH2 0x01b9 000001b4: JUMPI 000001b5: PUSH1 0x00 000001b7: DUP1 000001b8: REVERT 000001b9: JUMPDEST 000001ba: POP 000001bb: CALLDATALOAD 000001bc: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000001d1: AND 000001d2: PUSH2 0x0456 000001d5: JUMP 000001d6: JUMPDEST 000001d7: CALLVALUE 000001d8: DUP1 000001d9: ISZERO 000001da: PUSH2 0x01e2 000001dd: JUMPI 000001de: PUSH1 0x00 000001e0: DUP1 000001e1: REVERT 000001e2: JUMPDEST 000001e3: POP 000001e4: PUSH2 0x007e 000001e7: PUSH1 0x04 000001e9: DUP1 000001ea: CALLDATASIZE 000001eb: SUB 000001ec: PUSH1 0x60 000001ee: DUP2 000001ef: LT 000001f0: ISZERO 000001f1: PUSH2 0x01f9 000001f4: JUMPI 000001f5: PUSH1 0x00 000001f7: DUP1 000001f8: REVERT 000001f9: JUMPDEST 000001fa: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000020f: DUP3 00000210: CALLDATALOAD 00000211: DUP2 00000212: AND 00000213: SWAP3 00000214: PUSH1 0x20 00000216: DUP2 00000217: ADD 00000218: CALLDATALOAD 00000219: SWAP1 0000021a: SWAP2 0000021b: AND 0000021c: SWAP2 0000021d: DUP2 0000021e: ADD 0000021f: SWAP1 00000220: PUSH1 0x60 00000222: DUP2 00000223: ADD 00000224: PUSH1 0x40 00000226: DUP3 00000227: ADD 00000228: CALLDATALOAD 00000229: PUSH5 0x0100000000 0000022f: DUP2 00000230: GT 00000231: ISZERO 00000232: PUSH2 0x023a 00000235: JUMPI 00000236: PUSH1 0x00 00000238: DUP1 00000239: REVERT 0000023a: JUMPDEST 0000023b: DUP3 0000023c: ADD 0000023d: DUP4 0000023e: PUSH1 0x20 00000240: DUP3 00000241: ADD 00000242: GT 00000243: ISZERO 00000244: PUSH2 0x024c 00000247: JUMPI 00000248: PUSH1 0x00 0000024a: DUP1 0000024b: REVERT 0000024c: JUMPDEST 0000024d: DUP1 0000024e: CALLDATALOAD 0000024f: SWAP1 00000250: PUSH1 0x20 00000252: ADD 00000253: SWAP2 00000254: DUP5 00000255: PUSH1 0x01 00000257: DUP4 00000258: MUL 00000259: DUP5 0000025a: ADD 0000025b: GT 0000025c: PUSH5 0x0100000000 00000262: DUP4 00000263: GT 00000264: OR 00000265: ISZERO 00000266: PUSH2 0x026e 00000269: JUMPI 0000026a: PUSH1 0x00 0000026c: DUP1 0000026d: REVERT 0000026e: JUMPDEST 0000026f: POP 00000270: SWAP1 00000271: SWAP3 00000272: POP 00000273: SWAP1 00000274: POP 00000275: PUSH2 0x057e 00000278: JUMP 00000279: JUMPDEST 0000027a: CALLVALUE 0000027b: DUP1 0000027c: ISZERO 0000027d: PUSH2 0x0285 00000280: JUMPI 00000281: PUSH1 0x00 00000283: DUP1 00000284: REVERT 00000285: JUMPDEST 00000286: POP 00000287: PUSH2 0x016d 0000028a: PUSH2 0x066a 0000028d: JUMP 0000028e: JUMPDEST 0000028f: PUSH32 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc 000002b0: SLOAD 000002b1: SWAP1 000002b2: JUMP 000002b3: JUMPDEST 000002b4: CALLDATASIZE 000002b5: PUSH1 0x00 000002b7: DUP1 000002b8: CALLDATACOPY 000002b9: PUSH1 0x00 000002bb: DUP1 000002bc: CALLDATASIZE 000002bd: PUSH1 0x00 000002bf: DUP5 000002c0: GAS 000002c1: DELEGATECALL 000002c2: RETURNDATASIZE 000002c3: PUSH1 0x00 000002c5: DUP1 000002c6: RETURNDATACOPY 000002c7: DUP1 000002c8: DUP1 000002c9: ISZERO 000002ca: PUSH2 0x02d2 000002cd: JUMPI 000002ce: RETURNDATASIZE 000002cf: PUSH1 0x00 000002d1: RETURN 000002d2: JUMPDEST 000002d3: RETURNDATASIZE 000002d4: PUSH1 0x00 000002d6: REVERT 000002d7: JUMPDEST 000002d8: POP 000002d9: POP 000002da: POP 000002db: JUMP 000002dc: JUMPDEST 000002dd: PUSH2 0x02e4 000002e0: PUSH2 0x06ab 000002e3: JUMP 000002e4: JUMPDEST 000002e5: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000002fa: AND 000002fb: CALLER 000002fc: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000311: AND 00000312: EQ 00000313: ISZERO 00000314: PUSH2 0x0325 00000317: JUMPI 00000318: PUSH2 0x0320 0000031b: DUP2 0000031c: PUSH2 0x06d0 0000031f: JUMP 00000320: JUMPDEST 00000321: PUSH2 0x032d 00000324: JUMP 00000325: JUMPDEST 00000326: PUSH2 0x032d 00000329: PUSH2 0x071d 0000032c: JUMP 0000032d: JUMPDEST 0000032e: POP 0000032f: JUMP 00000330: JUMPDEST 00000331: PUSH2 0x0338 00000334: PUSH2 0x06ab 00000337: JUMP 00000338: JUMPDEST 00000339: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000034e: AND 0000034f: CALLER 00000350: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000365: AND 00000366: EQ 00000367: ISZERO 00000368: PUSH2 0x03f7 0000036b: JUMPI 0000036c: PUSH2 0x0374 0000036f: DUP4 00000370: PUSH2 0x06d0 00000373: JUMP 00000374: JUMPDEST 00000375: PUSH1 0x00 00000377: DUP4 00000378: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000038d: AND 0000038e: DUP4 0000038f: DUP4 00000390: PUSH1 0x40 00000392: MLOAD 00000393: DUP1 00000394: DUP4 00000395: DUP4 00000396: DUP1 00000397: DUP3 00000398: DUP5 00000399: CALLDATACOPY 0000039a: PUSH1 0x40 0000039c: MLOAD 0000039d: SWAP3 0000039e: ADD 0000039f: SWAP5 000003a0: POP 000003a1: PUSH1 0x00 000003a3: SWAP4 000003a4: POP 000003a5: SWAP1 000003a6: SWAP2 000003a7: POP 000003a8: POP 000003a9: DUP1 000003aa: DUP4 000003ab: SUB 000003ac: DUP2 000003ad: DUP6 000003ae: GAS 000003af: DELEGATECALL 000003b0: SWAP2 000003b1: POP 000003b2: POP 000003b3: RETURNDATASIZE 000003b4: DUP1 000003b5: PUSH1 0x00 000003b7: DUP2 000003b8: EQ 000003b9: PUSH2 0x03de 000003bc: JUMPI 000003bd: PUSH1 0x40 000003bf: MLOAD 000003c0: SWAP2 000003c1: POP 000003c2: PUSH1 0x1f 000003c4: NOT 000003c5: PUSH1 0x3f 000003c7: RETURNDATASIZE 000003c8: ADD 000003c9: AND 000003ca: DUP3 000003cb: ADD 000003cc: PUSH1 0x40 000003ce: MSTORE 000003cf: RETURNDATASIZE 000003d0: DUP3 000003d1: MSTORE 000003d2: RETURNDATASIZE 000003d3: PUSH1 0x00 000003d5: PUSH1 0x20 000003d7: DUP5 000003d8: ADD 000003d9: RETURNDATACOPY 000003da: PUSH2 0x03e3 000003dd: JUMP 000003de: JUMPDEST 000003df: PUSH1 0x60 000003e1: SWAP2 000003e2: POP 000003e3: JUMPDEST 000003e4: POP 000003e5: POP 000003e6: SWAP1 000003e7: POP 000003e8: DUP1 000003e9: PUSH2 0x03f1 000003ec: JUMPI 000003ed: PUSH1 0x00 000003ef: DUP1 000003f0: REVERT 000003f1: JUMPDEST 000003f2: POP 000003f3: PUSH2 0x02d7 000003f6: JUMP 000003f7: JUMPDEST 000003f8: PUSH2 0x02d7 000003fb: PUSH2 0x071d 000003fe: JUMP 000003ff: JUMPDEST 00000400: PUSH1 0x00 00000402: PUSH2 0x0409 00000405: PUSH2 0x06ab 00000408: JUMP 00000409: JUMPDEST 0000040a: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000041f: AND 00000420: CALLER 00000421: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000436: AND 00000437: EQ 00000438: ISZERO 00000439: PUSH2 0x044b 0000043c: JUMPI 0000043d: PUSH2 0x0444 00000440: PUSH2 0x028e 00000443: JUMP 00000444: JUMPDEST 00000445: SWAP1 00000446: POP 00000447: PUSH2 0x0453 0000044a: JUMP 0000044b: JUMPDEST 0000044c: PUSH2 0x0453 0000044f: PUSH2 0x071d 00000452: JUMP 00000453: JUMPDEST 00000454: SWAP1 00000455: JUMP 00000456: JUMPDEST 00000457: PUSH2 0x045e 0000045a: PUSH2 0x06ab 0000045d: JUMP 0000045e: JUMPDEST 0000045f: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000474: AND 00000475: CALLER 00000476: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000048b: AND 0000048c: EQ 0000048d: ISZERO 0000048e: PUSH2 0x0325 00000491: JUMPI 00000492: PUSH2 0x0499 00000495: PUSH2 0x06ab 00000498: JUMP 00000499: JUMPDEST 0000049a: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000004af: AND 000004b0: DUP2 000004b1: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000004c6: AND 000004c7: EQ 000004c8: ISZERO 000004c9: PUSH2 0x051d 000004cc: JUMPI 000004cd: PUSH1 0x40 000004cf: MLOAD 000004d0: PUSH32 0x08c379a000000000000000000000000000000000000000000000000000000000 000004f1: DUP2 000004f2: MSTORE 000004f3: PUSH1 0x04 000004f5: ADD 000004f6: DUP1 000004f7: DUP1 000004f8: PUSH1 0x20 000004fa: ADD 000004fb: DUP3 000004fc: DUP2 000004fd: SUB 000004fe: DUP3 000004ff: MSTORE 00000500: PUSH1 0x25 00000502: DUP2 00000503: MSTORE 00000504: PUSH1 0x20 00000506: ADD 00000507: DUP1 00000508: PUSH2 0x0871 0000050b: PUSH1 0x25 0000050d: SWAP2 0000050e: CODECOPY 0000050f: PUSH1 0x40 00000511: ADD 00000512: SWAP2 00000513: POP 00000514: POP 00000515: PUSH1 0x40 00000517: MLOAD 00000518: DUP1 00000519: SWAP2 0000051a: SUB 0000051b: SWAP1 0000051c: REVERT 0000051d: JUMPDEST 0000051e: PUSH32 0x7e644d79422f17c01e4894b5f4f588d331ebfa28653d42ae832dc59e38c9798f 0000053f: PUSH2 0x0546 00000542: PUSH2 0x06ab 00000545: JUMP 00000546: JUMPDEST 00000547: PUSH1 0x40 00000549: DUP1 0000054a: MLOAD 0000054b: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000560: SWAP3 00000561: DUP4 00000562: AND 00000563: DUP2 00000564: MSTORE 00000565: SWAP2 00000566: DUP5 00000567: AND 00000568: PUSH1 0x20 0000056a: DUP4 0000056b: ADD 0000056c: MSTORE 0000056d: DUP1 0000056e: MLOAD 0000056f: SWAP2 00000570: DUP3 00000571: SWAP1 00000572: SUB 00000573: ADD 00000574: SWAP1 00000575: LOG1 00000576: PUSH2 0x0320 00000579: DUP2 0000057a: PUSH2 0x072a 0000057d: JUMP 0000057e: JUMPDEST 0000057f: PUSH2 0x0586 00000582: PUSH2 0x06ab 00000585: JUMP 00000586: JUMPDEST 00000587: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000059c: AND 0000059d: CALLER 0000059e: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000005b3: AND 000005b4: EQ 000005b5: ISZERO 000005b6: PUSH2 0x065c 000005b9: JUMPI 000005ba: PUSH2 0x05c2 000005bd: DUP5 000005be: PUSH2 0x06d0 000005c1: JUMP 000005c2: JUMPDEST 000005c3: PUSH2 0x05cb 000005c6: DUP4 000005c7: PUSH2 0x072a 000005ca: JUMP 000005cb: JUMPDEST 000005cc: DUP1 000005cd: ISZERO 000005ce: PUSH2 0x0657 000005d1: JUMPI 000005d2: PUSH1 0x00 000005d4: PUSH2 0x05db 000005d7: PUSH2 0x028e 000005da: JUMP 000005db: JUMPDEST 000005dc: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000005f1: AND 000005f2: DUP4 000005f3: DUP4 000005f4: PUSH1 0x40 000005f6: MLOAD 000005f7: DUP1 000005f8: DUP4 000005f9: DUP4 000005fa: DUP1 000005fb: DUP3 000005fc: DUP5 000005fd: CALLDATACOPY 000005fe: PUSH1 0x40 00000600: MLOAD 00000601: SWAP3 00000602: ADD 00000603: SWAP5 00000604: POP 00000605: PUSH1 0x00 00000607: SWAP4 00000608: POP 00000609: SWAP1 0000060a: SWAP2 0000060b: POP 0000060c: POP 0000060d: DUP1 0000060e: DUP4 0000060f: SUB 00000610: DUP2 00000611: DUP6 00000612: GAS 00000613: DELEGATECALL 00000614: SWAP2 00000615: POP 00000616: POP 00000617: RETURNDATASIZE 00000618: DUP1 00000619: PUSH1 0x00 0000061b: DUP2 0000061c: EQ 0000061d: PUSH2 0x0642 00000620: JUMPI 00000621: PUSH1 0x40 00000623: MLOAD 00000624: SWAP2 00000625: POP 00000626: PUSH1 0x1f 00000628: NOT 00000629: PUSH1 0x3f 0000062b: RETURNDATASIZE 0000062c: ADD 0000062d: AND 0000062e: DUP3 0000062f: ADD 00000630: PUSH1 0x40 00000632: MSTORE 00000633: RETURNDATASIZE 00000634: DUP3 00000635: MSTORE 00000636: RETURNDATASIZE 00000637: PUSH1 0x00 00000639: PUSH1 0x20 0000063b: DUP5 0000063c: ADD 0000063d: RETURNDATACOPY 0000063e: PUSH2 0x0647 00000641: JUMP 00000642: JUMPDEST 00000643: PUSH1 0x60 00000645: SWAP2 00000646: POP 00000647: JUMPDEST 00000648: POP 00000649: POP 0000064a: SWAP1 0000064b: POP 0000064c: DUP1 0000064d: PUSH2 0x0655 00000650: JUMPI 00000651: PUSH1 0x00 00000653: DUP1 00000654: REVERT 00000655: JUMPDEST 00000656: POP 00000657: JUMPDEST 00000658: PUSH2 0x0664 0000065b: JUMP 0000065c: JUMPDEST 0000065d: PUSH2 0x0664 00000660: PUSH2 0x071d 00000663: JUMP 00000664: JUMPDEST 00000665: POP 00000666: POP 00000667: POP 00000668: POP 00000669: JUMP 0000066a: JUMPDEST 0000066b: PUSH1 0x00 0000066d: PUSH2 0x0674 00000670: PUSH2 0x06ab 00000673: JUMP 00000674: JUMPDEST 00000675: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000068a: AND 0000068b: CALLER 0000068c: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000006a1: AND 000006a2: EQ 000006a3: ISZERO 000006a4: PUSH2 0x044b 000006a7: JUMPI 000006a8: PUSH2 0x0444 000006ab: JUMPDEST 000006ac: PUSH32 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103 000006cd: SLOAD 000006ce: SWAP1 000006cf: JUMP 000006d0: JUMPDEST 000006d1: PUSH2 0x06d9 000006d4: DUP2 000006d5: PUSH2 0x07ba 000006d8: JUMP 000006d9: JUMPDEST 000006da: PUSH1 0x40 000006dc: MLOAD 000006dd: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000006f2: DUP3 000006f3: AND 000006f4: SWAP1 000006f5: PUSH32 0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b 00000716: SWAP1 00000717: PUSH1 0x00 00000719: SWAP1 0000071a: LOG2 0000071b: POP 0000071c: JUMP 0000071d: JUMPDEST 0000071e: PUSH2 0x0728 00000721: PUSH2 0x0079 00000724: PUSH2 0x028e 00000727: JUMP 00000728: JUMPDEST 00000729: JUMP 0000072a: JUMPDEST 0000072b: PUSH32 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103 0000074c: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000761: DUP3 00000762: AND 00000763: PUSH2 0x07b7 00000766: JUMPI 00000767: PUSH1 0x40 00000769: MLOAD 0000076a: PUSH32 0x08c379a000000000000000000000000000000000000000000000000000000000 0000078b: DUP2 0000078c: MSTORE 0000078d: PUSH1 0x04 0000078f: ADD 00000790: DUP1 00000791: DUP1 00000792: PUSH1 0x20 00000794: ADD 00000795: DUP3 00000796: DUP2 00000797: SUB 00000798: DUP3 00000799: MSTORE 0000079a: PUSH1 0x29 0000079c: DUP2 0000079d: MSTORE 0000079e: PUSH1 0x20 000007a0: ADD 000007a1: DUP1 000007a2: PUSH2 0x08d0 000007a5: PUSH1 0x29 000007a7: SWAP2 000007a8: CODECOPY 000007a9: PUSH1 0x40 000007ab: ADD 000007ac: SWAP2 000007ad: POP 000007ae: POP 000007af: PUSH1 0x40 000007b1: MLOAD 000007b2: DUP1 000007b3: SWAP2 000007b4: SUB 000007b5: SWAP1 000007b6: REVERT 000007b7: JUMPDEST 000007b8: SSTORE 000007b9: JUMP 000007ba: JUMPDEST 000007bb: PUSH1 0x00 000007bd: PUSH2 0x07c4 000007c0: PUSH2 0x028e 000007c3: JUMP 000007c4: JUMPDEST 000007c5: SWAP1 000007c6: POP 000007c7: DUP2 000007c8: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000007dd: AND 000007de: DUP2 000007df: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000007f4: AND 000007f5: EQ 000007f6: ISZERO 000007f7: PUSH2 0x084b 000007fa: JUMPI 000007fb: PUSH1 0x40 000007fd: MLOAD 000007fe: PUSH32 0x08c379a000000000000000000000000000000000000000000000000000000000 0000081f: DUP2 00000820: MSTORE 00000821: PUSH1 0x04 00000823: ADD 00000824: DUP1 00000825: DUP1 00000826: PUSH1 0x20 00000828: ADD 00000829: DUP3 0000082a: DUP2 0000082b: SUB 0000082c: DUP3 0000082d: MSTORE 0000082e: PUSH1 0x3a 00000830: DUP2 00000831: MSTORE 00000832: PUSH1 0x20 00000834: ADD 00000835: DUP1 00000836: PUSH2 0x0896 00000839: PUSH1 0x3a 0000083b: SWAP2 0000083c: CODECOPY 0000083d: PUSH1 0x40 0000083f: ADD 00000840: SWAP2 00000841: POP 00000842: POP 00000843: PUSH1 0x40 00000845: MLOAD 00000846: DUP1 00000847: SWAP2 00000848: SUB 00000849: SWAP1 0000084a: REVERT 0000084b: JUMPDEST 0000084c: POP 0000084d: PUSH32 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc 0000086e: SSTORE 0000086f: JUMP 00000870: INVALID 00000871: JUMPI 00000872: MSTORE8 00000873: POP 00000874: PUSH19 0x6f78793a206e65772061646d696e2069732074 00000888: PUSH9 0x652073616d65206164 00000892: PUSH14 0x696e2e575350726f78793a204174 000008a1: PUSH21 0x656d7073207570646174652070726f787920776974 000008b7: PUSH9 0x207468652073616d65 000008c1: KECCAK256 000008c2: PUSH10 0x6d706c656d656e746174 000008cd: PUSH10 0x6f6e575350726f78793a 000008d8: KECCAK256 000008d9: NUMBER 000008da: PUSH2 0x6e27 000008dd: PUSH21 0x207365742061646d696e20746f207a65726f206164 000008f3: PUSH5 0x726573732e 000008f9: LOG2 000008fa: PUSH5 0x6970667358 00000900: UNKNOWN(0x22) 00000901: SLT 00000902: KECCAK256 00000903: PUSH9 0x7d0738850e5aa90dec 0000090d: ADDMOD 0000090e: UNKNOWN(0xBE) 0000090f: CALLDATASIZE 00000910: STATICCALL 00000911: EXP 00000912: UNKNOWN(0xDA) 00000913: SWAP13 00000914: PUSH10 0x7aab51c9f0e17c0c1b3d 0000091f: EXTCODEHASH 00000920: UNKNOWN(0xAB) 00000921: UNKNOWN(0x4D) 00000922: SWAP13 00000923: PUSH5 0x736f6c6343 00000929: STOP 0000092a: MOD 0000092b: UNKNOWN(0x0C) 0000092c: STOP 0000092d: CALLER
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | upgradeability | detector | Untrusted DELEGATECALL target reachable | 55 | no | no |
viewtrace_id: 0x77b0dee3beae26a8ed97505d1f74f38f8d09c7bca904362e4a69d0eb93978f39
call_targets:
0x524818cb8081941b618613c6f990c17bb3da0866
target_varies:
no
classification:
constant_target
validation_json{
"sink": "DELEGATECALL",
"errors": 0,
"status": "sink_reached",
"attempts": 2,
"trace_id": "0x77b0dee3beae26a8ed97505d1f74f38f8d09c7bca904362e4a69d0eb93978f39",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0x524818cb8081941b618613c6f990c17bb3da0866"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x8f283970",
"selector": "0x8f283970",
"calldata_variants": [
"0x8f283970",
"0x8f2839700000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xcf7a1d77",
"selector": "0xcf7a1d77",
"calldata_variants": [
"0xcf7a1d77",
"0xcf7a1d770000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xf851a440",
"selector": "0xf851a440",
"calldata_variants": [
"0xf851a440",
"0xf851a4400000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x3659cfe6",
"selector": "0x3659cfe6",
"calldata_variants": [
"0x3659cfe6",
"0x3659cfe60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x4f1ef286",
"selector": "0x4f1ef286",
"calldata_variants": [
"0x4f1ef286",
"0x4f1ef2860000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x5c60da1b",
"selector": "0x5c60da1b",
"calldata_variants": [
"0x5c60da1b",
"0x5c60da1b0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 705,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
},
{
"pc": 943,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
},
{
"pc": 1555,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
}
],
"guards_detected": [
{
"pc": 763,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
},
{
"pc": 847,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
},
{
"pc": 1056,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
},
{
"pc": 1141,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
},
{
"pc": 1437,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
},
{
"pc": 1675,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
}
],
"delegatecall_count": 3,
"untrusted_delegatecall_count": 3
}
|
| medium | access_control | codex | Initializer can be called by any address, enabling hostile initialization | 75 | no | — |
viewevidence_json{
"evidence": "initialize only checks a boolean flag and sets factory/token addresses without any caller restriction.",
"locations": [
"contracts/Contract.sol:310"
],
"recommendation": "Restrict initialize to the intended factory/admin (e.g., require msg.sender == factory or use an initializer modifier with an admin), or ensure initialization is performed atomically during deployment. For already-deployed proxies, verify initialization has been executed by a trusted caller.",
"exploit_scenario": "If the proxy at 0xa029a744b4e44e22f68a1bb9a848caafbf6bb233 (or any new deployment) has not yet been initialized, an attacker can call initialize first and set token0/token1/factory to arbitrary addresses. This permanently locks the pair configuration and prevents the intended factory from initializing it, potentially creating a misleading pool or bricking the intended pair."
}
|
| medium | upgradeability | cast | DELEGATECALL present | 80 | no | — |
viewevidence_json{
"notes": "delegatecall enables execution in caller context; common in proxies/upgradeable patterns",
"delegatecall_count": 3
}
|