019bab3b-abf8-72ed-bfa4-d886cd417463
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 38681 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 38682 | proxy.resolve | complete | 1 / 3 | 3 months ago |
| 38683 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 38684 | analysis.bundle | complete | 1 / 3 | 3 months ago |
| 38685 | capability.graph | complete | 1 / 3 | 3 months ago |
| 38686 | detector.run | complete | 1 / 3 | 3 months ago |
| 38687 | validation.fork | complete | 1 / 3 | 3 months ago |
| 39135 | report.consolidate | complete | 1 / 6 | 3 months ago |
{
"method": "eip1967",
"status": "onchain_only",
"implementation": "0x62c9e5e52351e02635f48072fa20c03bb650f787",
"onchain_method": "eip1967"
}
No slither job recorded yet.
{"no_findings":false,"summary":"Bytecode-only review of implementation 0x62c9e5e52351e02635f48072fa20c03bb650f787. The evidence bundle shows a computed-target DELEGATECALL and multiple computed-target/value CALLs; no auth guards were detected. A CALLCODE opcode also appears in the runtime bytecode but may be unreachable data. Selectors/entrypoints are best‑effort and may be incomplete.","findings":[{"severity":"high","category":"other","title":"Computed-target DELEGATECALL allows code execution in caller storage if user-controlled","exploit_scenario":"If any external entrypoint lets a caller influence the delegatecall target, an attacker can point it to malicious code that executes in this contract’s storage context, enabling full state takeover or asset drain.","recommendation":"Ensure delegatecall targets are strictly whitelisted or derived from trusted, immutable storage; add explicit access control and sanity checks before invoking delegatecall.","evidence":"Callsite at pc 3653 performs DELEGATECALL with target_expression_category=\"computed\" and no detected guards (auth.guards=[]). Returndata checking is unknown (returndata_checked=null).","locations":["pc:0x0e45"]},{"severity":"medium","category":"access_control","title":"Multiple computed-target/value CALLs may enable arbitrary external calls and ETH transfers","exploit_scenario":"If any of these CALL paths are reachable by untrusted users and accept target/value inputs, an attacker could direct funds or invoke arbitrary external contracts, potentially draining ETH or triggering unexpected external effects.","recommendation":"Restrict these CALL paths to authorized callers and validate target/value parameters. Consider allowlists and explicit caps on ETH value when external calls are required.","evidence":"Several CALL sites use computed targets and computed value (e.g., pc 2149, 5006, 10448, 11101, 11590, 12363). Detector notes eth-value CALLs and untrusted CALL targets. No auth guards detected in artifact.","locations":["pc:0x0865","pc:0x138e","pc:0x28d0","pc:0x2b5d","pc:0x2d46","pc:0x304b"]},{"severity":"low","category":"other","title":"CALLCODE opcode present in runtime bytecode (reachability unclear)","exploit_scenario":"If this CALLCODE is reachable (uncertain), it behaves like a legacy delegatecall, executing in the caller’s storage context and potentially enabling state corruption or privilege escalation.","recommendation":"Confirm whether the CALLCODE opcode is reachable. If reachable, refactor to avoid CALLCODE and use safer patterns with strict access control and target validation.","evidence":"Bytecode includes a CALLCODE at pc 17315 with computed target/value. The surrounding basic block lacks a JUMPDEST, suggesting it may be non‑code data, but reachability cannot be confirmed from this artifact alone.","locations":["pc:0x43b3"]}]}
OpenAI Codex v0.77.0 (research preview)
--------
workdir: /tmp/codex-ihostma4
model: gpt-5.2-codex
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: auto
session id: 019babc8-6d90-72d3-a1af-c788f4fb2306
--------
user
Context: The user requested the proxy at 0x60330141cf5911c14cdb400b7ad400b3c3dfdc7a.
Audit the implementation at 0x62c9e5e52351e02635f48072fa20c03bb650f787.
Findings should refer to the implementation unless explicitly about proxy mechanics.
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
mcp startup: no servers
thinking
**Preparing to read BYTECODE_BUNDLE.json**
exec
/bin/bash -lc ls in /tmp/codex-ihostma4 succeeded in 6ms:
BYTECODE_BUNDLE.json
codex-output-schema.json
exec
/bin/bash -lc 'cat BYTECODE_BUNDLE.json' in /tmp/codex-ihostma4 succeeded in 29ms:
{
"analysis_artifact": {
"address": "0x62c9e5e52351e02635f48072fa20c03bb650f787",
"artifact_hash": "0x77b379e7186a6b5eb9963cb81f2925a57aa78bdb84bded332186f09e1a5c6ab0",
"artifact_json": {
"auth": {
"guards": []
},
"basic_blocks": [
{
"end_pc": 12,
"hash": "0xc5a3c3aa00eba015ed0720784b5e3e794ef56cfc83f359a7d27a5ecb05fc4ca7",
"opcodes": [
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"CALLDATASIZE",
"LT",
"PUSH2",
thinking
**Searching for evidence-related keys**
exec
/bin/bash -lc 'rg -n "bytecode|summary|evidence|storage|slot|proxy|implementation|callsite|selector|function" BYTECODE_BUNDLE.json' in /tmp/codex-ihostma4 succeeded in 7ms:
19268: "callsites": [
25318: "dispatcher_type": "selector_jump_table",
25319: "function_entries": [
25322: "selector": "0xcb1eec6d"
25326: "selector": "0xdb6b5246"
25330: "selector": "0xed24911d"
25334: "selector": "0xf2fde38b"
25338: "selector": "0xf62d1888"
25342: "selector": "0x8c42f5aa"
25346: "selector": "0x8da5cb5b"
25350: "selector": "0xac9650d8"
25354: "selector": "0xb52c14f4"
25358: "selector": "0xc8b2feb2"
25362: "selector": "0x58b8dc6c"
25366: "selector": "0x69328dec"
25370: "selector": "0x71061398"
25374: "selector": "0x72403331"
25378: "selector": "0x84b0196e"
25382: "selector": "0x150b7a02"
25386: "selector": "0x1626ba7e"
thinking
**Extracting specific JSON sections**
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
p=Path('BYTECODE_BUNDLE.json')
obj=json.loads(p.read_text())
# print top-level keys
print(obj.keys())
print('analysis_artifact keys', obj['analysis_artifact'].keys())
print('artifact_json keys', obj['analysis_artifact']['artifact_json'].keys())
print('artifact_json has bytecode_summary', 'bytecode_summary' in obj['analysis_artifact']['artifact_json'])
print('artifact_json has proxy_evidence', 'proxy_evidence' in obj['analysis_artifact']['artifact_json'])
print('artifact_json has dispatcher', 'dispatcher' in obj['analysis_artifact']['artifact_json'])
print('artifact_json has storage', 'storage' in obj['analysis_artifact']['artifact_json'])
print('artifact_json has functions', 'functions' in obj['analysis_artifact']['artifact_json'])
PY" in /tmp/codex-ihostma4 succeeded in 44ms:
dict_keys(['analysis_artifact', 'analysis_run', 'artifact', 'capability_graph', 'detector_findings', 'heuristics_summary'])
analysis_artifact keys dict_keys(['address', 'artifact_hash', 'artifact_json', 'block_number', 'chain_id', 'codehash', 'created_at', 'id', 'updated_at', 'version'])
artifact_json keys dict_keys(['auth', 'basic_blocks', 'callsites', 'cfg_edges', 'cfg_hash', 'dispatcher_type', 'function_entries', 'functions', 'selectors', 'sinks', 'storage', 'version'])
artifact_json has bytecode_summary False
artifact_json has proxy_evidence False
artifact_json has dispatcher False
artifact_json has storage True
artifact_json has functions True
thinking
**Exploring artifact and evidence connections**
exec
/bin/bash -lc "python - <<'PY'
import json, textwrap
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
print('analysis_run keys', obj['analysis_run'].keys())
print('artifact keys', obj['artifact'].keys())
print('capability_graph keys', obj['capability_graph'].keys())
PY" in /tmp/codex-ihostma4 succeeded in 126ms:
analysis_run keys dict_keys(['address', 'block_number', 'chain_id', 'child_links', 'created_at', 'id', 'parent_links', 'status', 'updated_at'])
artifact keys dict_keys(['codehash', 'compiler_json', 'implementation_address', 'is_proxy', 'runtime_bytecode', 'verified_source'])
capability_graph keys dict_keys(['address', 'block_number', 'chain_id', 'codehash', 'created_at', 'graph_hash', 'graph_json', 'id', 'updated_at', 'version'])
thinking
**Inspecting capability graph artifact**
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
print(obj['capability_graph']['graph_json'].keys())
PY" in /tmp/codex-ihostma4 succeeded in 36ms:
dict_keys(['edges', 'nodes', 'version'])
thinking
**Investigating callsites and proxy status**
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
blocks=obj['analysis_artifact']['artifact_json']['basic_blocks']
# find blocks containing pc 3653 and 17315 and 2149
for target in [3653,17315,2149,5006,10448,11101,11590,12363]:
blk = next((b for b in blocks if b['start_pc']<=target<=b['end_pc']), None)
print('pc',target,'block', blk['start_pc'] if blk else None, blk['end_pc'] if blk else None, blk['opcodes'][:10] if blk else None)
PY" in /tmp/codex-ihostma4 succeeded in 42ms:
pc 3653 block 3642 3665 ['JUMPDEST', 'PUSH0', 'PUSH1', 'MLOAD', 'OP_80', 'OP_83', 'SUB', 'OP_81', 'OP_85', 'GAS']
pc 17315 block 17299 17347 ['OP_A2', 'PUSH5', 'OP_22', 'SLT', 'SHA3', 'LT', 'OP_90', 'OP_FB', 'OP_9B', 'SSTORE']
pc 2149 block 2123 2162 ['PUSH0', 'OP_81', 'PUSH1', 'PUSH1', 'PUSH1', 'SHL', 'SUB', 'AND', 'OP_83', 'PUSH1']
pc 5006 block 4994 5019 ['JUMPDEST', 'PUSH0', 'PUSH1', 'MLOAD', 'OP_80', 'OP_83', 'SUB', 'OP_81', 'OP_85', 'OP_87']
pc 10448 block 10421 10461 ['JUMPDEST', 'PUSH0', 'OP_82', 'PUSH1', 'PUSH1', 'PUSH1', 'SHL', 'SUB', 'AND', 'OP_82']
pc 11101 block 11089 11114 ['JUMPDEST', 'PUSH0', 'PUSH1', 'MLOAD', 'OP_80', 'OP_83', 'SUB', 'OP_81', 'OP_85', 'OP_87']
pc 11590 block 11563 11603 ['JUMPDEST', 'PUSH0', 'OP_87', 'PUSH1', 'PUSH1', 'PUSH1', 'SHL', 'SUB', 'AND', 'OP_82']
pc 12363 block 12351 12376 ['JUMPDEST', 'PUSH0', 'PUSH1', 'MLOAD', 'OP_80', 'OP_83', 'SUB', 'OP_81', 'OP_85', 'OP_87']
thinking
**Inspecting full block opcodes**
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
blocks=obj['analysis_artifact']['artifact_json']['basic_blocks']
def show(target):
blk = next((b for b in blocks if b['start_pc']<=target<=b['end_pc']), None)
print('pc',target,'block', blk['start_pc'], blk['end_pc'])
print(blk['opcodes'])
for t in [3653,17315,2149,5006,10448,11101,11590,12363]:
show(t)
print('---')
PY" in /tmp/codex-ihostma4 succeeded in 43ms:
pc 3653 block 3642 3665
['JUMPDEST', 'PUSH0', 'PUSH1', 'MLOAD', 'OP_80', 'OP_83', 'SUB', 'OP_81', 'OP_85', 'GAS', 'DELEGATECALL', 'OP_91', 'POP', 'POP', 'RETURNDATASIZE', 'OP_80', 'PUSH0', 'OP_81', 'EQ', 'PUSH2', 'JUMPI']
---
pc 17315 block 17299 17347
['OP_A2', 'PUSH5', 'OP_22', 'SLT', 'SHA3', 'LT', 'OP_90', 'OP_FB', 'OP_9B', 'SSTORE', 'OP_4B', 'CALLCODE', 'OP_C8', 'PUSH18', 'PUSH4', 'PUSH5', 'STOP']
---
pc 2149 block 2123 2162
['PUSH0', 'OP_81', 'PUSH1', 'PUSH1', 'PUSH1', 'SHL', 'SUB', 'AND', 'OP_83', 'PUSH1', 'MLOAD', 'PUSH0', 'PUSH1', 'MLOAD', 'OP_80', 'OP_83', 'SUB', 'OP_81', 'OP_85', 'OP_87', 'GAS', 'CALL', 'OP_92', 'POP', 'POP', 'POP', 'RETURNDATASIZE', 'OP_80', 'PUSH0', 'OP_81', 'EQ', 'PUSH2', 'JUMPI']
---
pc 5006 block 4994 5019
['JUMPDEST', 'PUSH0', 'PUSH1', 'MLOAD', 'OP_80', 'OP_83', 'SUB', 'OP_81', 'OP_85', 'OP_87', 'GAS', 'CALL', 'OP_92', 'POP', 'POP', 'POP', 'RETURNDATASIZE', 'OP_80', 'PUSH0', 'OP_81', 'EQ', 'PUSH2', 'JUMPI']
---
pc 10448 block 10421 10461
['JUMPDEST', 'PUSH0', 'OP_82', 'PUSH1', 'PUSH1', 'PUSH1', 'SHL', 'SUB', 'AND', 'OP_82', 'PUSH1', 'MLOAD', 'PUSH0', 'PUSH1', 'MLOAD', 'OP_80', 'OP_83', 'SUB', 'OP_81', 'OP_85', 'OP_87', 'GAS', 'CALL', 'OP_92', 'POP', 'POP', 'POP', 'RETURNDATASIZE', 'OP_80', 'PUSH0', 'OP_81', 'EQ', 'PUSH2', 'JUMPI']
---
pc 11101 block 11089 11114
['JUMPDEST', 'PUSH0', 'PUSH1', 'MLOAD', 'OP_80', 'OP_83', 'SUB', 'OP_81', 'OP_85', 'OP_87', 'GAS', 'CALL', 'OP_92', 'POP', 'POP', 'POP', 'RETURNDATASIZE', 'OP_80', 'PUSH0', 'OP_81', 'EQ', 'PUSH2', 'JUMPI']
---
pc 11590 block 11563 11603
['JUMPDEST', 'PUSH0', 'OP_87', 'PUSH1', 'PUSH1', 'PUSH1', 'SHL', 'SUB', 'AND', 'OP_82', 'PUSH1', 'MLOAD', 'PUSH0', 'PUSH1', 'MLOAD', 'OP_80', 'OP_83', 'SUB', 'OP_81', 'OP_85', 'OP_87', 'GAS', 'CALL', 'OP_92', 'POP', 'POP', 'POP', 'RETURNDATASIZE', 'OP_80', 'PUSH0', 'OP_81', 'EQ', 'PUSH2', 'JUMPI']
thinking
**Investigating suspicious CALLCODE at pc 17315**
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
callsites=obj['analysis_artifact']['artifact_json']['callsites']
print('callsites count', len(callsites))
# show callsite entries with pc and opcode and maybe function/args
for c in callsites:
if c.get('pc') in [3653,2149,5006,10448,11101,11590,12363,17315]:
print(c)
PY" in /tmp/codex-ihostma4 succeeded in 49ms:
callsites count 35
{'opcode': 'CALL', 'pc': 2149, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'computed'}
{'opcode': 'DELEGATECALL', 'pc': 3653, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'n/a'}
{'opcode': 'CALL', 'pc': 5006, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'computed'}
{'opcode': 'CALL', 'pc': 10448, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'computed'}
{'opcode': 'CALL', 'pc': 11101, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'computed'}
{'opcode': 'CALL', 'pc': 11590, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'computed'}
{'opcode': 'CALL', 'pc': 12363, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'computed'}
{'opcode': 'CALLCODE', 'pc': 17315, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'computed'}
thinking
**Analyzing access control and call risks**
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
# find nodes with callsite id or pc
nodes=obj['capability_graph']['graph_json']['nodes']
# Build mapping of callsite nodes by pc if available
for n in nodes:
if n.get('type')=='callsite':
if n.get('pc') in [2149,5006,10448,11101,11590,12363,3653,17315]:
print(n)
PY" in /tmp/codex-ihostma4 succeeded in 39ms:
{'id': 'call:2149', 'opcode': 'CALL', 'pc': 2149, 'type': 'callsite'}
{'id': 'call:3653', 'opcode': 'DELEGATECALL', 'pc': 3653, 'type': 'callsite'}
{'id': 'call:5006', 'opcode': 'CALL', 'pc': 5006, 'type': 'callsite'}
{'id': 'call:10448', 'opcode': 'CALL', 'pc': 10448, 'type': 'callsite'}
{'id': 'call:11101', 'opcode': 'CALL', 'pc': 11101, 'type': 'callsite'}
{'id': 'call:11590', 'opcode': 'CALL', 'pc': 11590, 'type': 'callsite'}
{'id': 'call:12363', 'opcode': 'CALL', 'pc': 12363, 'type': 'callsite'}
{'id': 'call:17315', 'opcode': 'CALLCODE', 'pc': 17315, 'type': 'callsite'}
thinking
**Formulating detailed security findings**
I'm assembling a JSON summary of security findings based on bytecode analysis, carefully categorizing issues like computed DELEGATECALL and external CALLs by severity and category. I want to include clear exploit scenarios, evidence with precise program counters in hex, and notes on uncertainty, while ensuring the output conforms to the required schema and includes a comprehensive summary mentioning implementation details.
codex
{"no_findings":false,"summary":"Bytecode-only review of implementation 0x62c9e5e52351e02635f48072fa20c03bb650f787. The evidence bundle shows a computed-target DELEGATECALL and multiple computed-target/value CALLs; no auth guards were detected. A CALLCODE opcode also appears in the runtime bytecode but may be unreachable data. Selectors/entrypoints are best‑effort and may be incomplete.","findings":[{"severity":"high","category":"other","title":"Computed-target DELEGATECALL allows code execution in caller storage if user-controlled","exploit_scenario":"If any external entrypoint lets a caller influence the delegatecall target, an attacker can point it to malicious code that executes in this contract’s storage context, enabling full state takeover or asset drain.","recommendation":"Ensure delegatecall targets are strictly whitelisted or derived from trusted, immutable storage; add explicit access control and sanity checks before invoking delegatecall.","evidence":"Callsite at pc 3653 performs DELEGATECALL with target_expression_category=\"computed\" and no detected guards (auth.guards=[]). Returndata checking is unknown (returndata_checked=null).","locations":["pc:0x0e45"]},{"severity":"medium","category":"access_control","title":"Multiple computed-target/value CALLs may enable arbitrary external calls and ETH transfers","exploit_scenario":"If any of these CALL paths are reachable by untrusted users and accept target/value inputs, an attacker could direct funds or invoke arbitrary external contracts, potentially draining ETH or triggering unexpected external effects.","recommendation":"Restrict these CALL paths to authorized callers and validate target/value parameters. Consider allowlists and explicit caps on ETH value when external calls are required.","evidence":"Several CALL sites use computed targets and computed value (e.g., pc 2149, 5006, 10448, 11101, 11590, 12363). Detector notes eth-value CALLs and untrusted CALL targets. No auth guards detected in artifact.","locations":["pc:0x0865","pc:0x138e","pc:0x28d0","pc:0x2b5d","pc:0x2d46","pc:0x304b"]},{"severity":"low","category":"other","title":"CALLCODE opcode present in runtime bytecode (reachability unclear)","exploit_scenario":"If this CALLCODE is reachable (uncertain), it behaves like a legacy delegatecall, executing in the caller’s storage context and potentially enabling state corruption or privilege escalation.","recommendation":"Confirm whether the CALLCODE opcode is reachable. If reachable, refactor to avoid CALLCODE and use safer patterns with strict access control and target validation.","evidence":"Bytecode includes a CALLCODE at pc 17315 with computed target/value. The surrounding basic block lacks a JUMPDEST, suggesting it may be non‑code data, but reachability cannot be confirmed from this artifact alone.","locations":["pc:0x43b3"]}]}
tokens used
46,253
{
"codex": {
"ran_at": "2026-01-11T06:41:40.995588+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 34706,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "Bytecode-only review of implementation 0x62c9e5e52351e02635f48072fa20c03bb650f787. The evidence bundle shows a computed-target DELEGATECALL and multiple computed-target/value CALLs; no auth guards were detected. A CALLCODE opcode also appears in the runtime bytecode but may be unreachable data. Selectors/entrypoints are best\u2011effort and may be incomplete.",
"raw_final": {
"summary": "Bytecode-only review of implementation 0x62c9e5e52351e02635f48072fa20c03bb650f787. The evidence bundle shows a computed-target DELEGATECALL and multiple computed-target/value CALLs; no auth guards were detected. A CALLCODE opcode also appears in the runtime bytecode but may be unreachable data. Selectors/entrypoints are best\u2011effort and may be incomplete.",
"findings": [
{
"title": "Computed-target DELEGATECALL allows code execution in caller storage if user-controlled",
"category": "other",
"evidence": "Callsite at pc 3653 performs DELEGATECALL with target_expression_category=\"computed\" and no detected guards (auth.guards=[]). Returndata checking is unknown (returndata_checked=null).",
"severity": "high",
"locations": [
"pc:0x0e45"
],
"recommendation": "Ensure delegatecall targets are strictly whitelisted or derived from trusted, immutable storage; add explicit access control and sanity checks before invoking delegatecall.",
"exploit_scenario": "If any external entrypoint lets a caller influence the delegatecall target, an attacker can point it to malicious code that executes in this contract\u2019s storage context, enabling full state takeover or asset drain."
},
{
"title": "Multiple computed-target/value CALLs may enable arbitrary external calls and ETH transfers",
"category": "access_control",
"evidence": "Several CALL sites use computed targets and computed value (e.g., pc 2149, 5006, 10448, 11101, 11590, 12363). Detector notes eth-value CALLs and untrusted CALL targets. No auth guards detected in artifact.",
"severity": "medium",
"locations": [
"pc:0x0865",
"pc:0x138e",
"pc:0x28d0",
"pc:0x2b5d",
"pc:0x2d46",
"pc:0x304b"
],
"recommendation": "Restrict these CALL paths to authorized callers and validate target/value parameters. Consider allowlists and explicit caps on ETH value when external calls are required.",
"exploit_scenario": "If any of these CALL paths are reachable by untrusted users and accept target/value inputs, an attacker could direct funds or invoke arbitrary external contracts, potentially draining ETH or triggering unexpected external effects."
},
{
"title": "CALLCODE opcode present in runtime bytecode (reachability unclear)",
"category": "other",
"evidence": "Bytecode includes a CALLCODE at pc 17315 with computed target/value. The surrounding basic block lacks a JUMPDEST, suggesting it may be non\u2011code data, but reachability cannot be confirmed from this artifact alone.",
"severity": "low",
"locations": [
"pc:0x43b3"
],
"recommendation": "Confirm whether the CALLCODE opcode is reachable. If reachable, refactor to avoid CALLCODE and use safer patterns with strict access control and target validation.",
"exploit_scenario": "If this CALLCODE is reachable (uncertain), it behaves like a legacy delegatecall, executing in the caller\u2019s storage context and potentially enabling state corruption or privilege escalation."
}
],
"no_findings": false
},
"no_findings": false,
"proxy_context": {
"proxy_run_id": "019bab3b-abf8-72ed-bfa4-d886cd417463",
"proxy_address": "0x60330141cf5911c14cdb400b7ad400b3c3dfdc7a",
"implementation_run_id": "019bab3d-a735-71f5-99d9-235223139c05",
"implementation_address": "0x62c9e5e52351e02635f48072fa20c03bb650f787"
},
"schema_version": 1
}
00000000: PUSH1 0x80 00000002: PUSH1 0x40 00000004: MSTORE 00000005: PUSH1 0x04 00000007: CALLDATASIZE 00000008: LT 00000009: PUSH2 0x004d 0000000c: JUMPI 0000000d: PUSH0 0000000e: CALLDATALOAD 0000000f: PUSH1 0xe0 00000011: SHR 00000012: DUP1 00000013: PUSH4 0x3659cfe6 00000018: EQ 00000019: PUSH2 0x0064 0000001c: JUMPI 0000001d: DUP1 0000001e: PUSH4 0x4f1ef286 00000023: EQ 00000024: PUSH2 0x0077 00000027: JUMPI 00000028: DUP1 00000029: PUSH4 0x5c60da1b 0000002e: EQ 0000002f: PUSH2 0x008a 00000032: JUMPI 00000033: DUP1 00000034: PUSH4 0x8f283970 00000039: EQ 0000003a: PUSH2 0x00ae 0000003d: JUMPI 0000003e: DUP1 0000003f: PUSH4 0xf851a440 00000044: EQ 00000045: PUSH2 0x00c1 00000048: JUMPI 00000049: PUSH2 0x005c 0000004c: JUMP 0000004d: JUMPDEST 0000004e: CALLDATASIZE 0000004f: PUSH2 0x005c 00000052: JUMPI 00000053: PUSH2 0x005a 00000056: PUSH2 0x00c9 00000059: JUMP 0000005a: JUMPDEST 0000005b: STOP 0000005c: JUMPDEST 0000005d: PUSH2 0x005a 00000060: PUSH2 0x00c9 00000063: JUMP 00000064: JUMPDEST 00000065: PUSH2 0x005a 00000068: PUSH2 0x0072 0000006b: CALLDATASIZE 0000006c: PUSH1 0x04 0000006e: PUSH2 0x0692 00000071: JUMP 00000072: JUMPDEST 00000073: PUSH2 0x00e3 00000076: JUMP 00000077: JUMPDEST 00000078: PUSH2 0x005a 0000007b: PUSH2 0x0085 0000007e: CALLDATASIZE 0000007f: PUSH1 0x04 00000081: PUSH2 0x06ab 00000084: JUMP 00000085: JUMPDEST 00000086: PUSH2 0x0126 00000089: JUMP 0000008a: JUMPDEST 0000008b: PUSH2 0x0092 0000008e: PUSH2 0x018c 00000091: JUMP 00000092: JUMPDEST 00000093: PUSH1 0x40 00000095: MLOAD 00000096: PUSH1 0x01 00000098: PUSH1 0x01 0000009a: PUSH1 0xa0 0000009c: SHL 0000009d: SUB 0000009e: SWAP1 0000009f: SWAP2 000000a0: AND 000000a1: DUP2 000000a2: MSTORE 000000a3: PUSH1 0x20 000000a5: ADD 000000a6: PUSH1 0x40 000000a8: MLOAD 000000a9: DUP1 000000aa: SWAP2 000000ab: SUB 000000ac: SWAP1 000000ad: RETURN 000000ae: JUMPDEST 000000af: PUSH2 0x005a 000000b2: PUSH2 0x00bc 000000b5: CALLDATASIZE 000000b6: PUSH1 0x04 000000b8: PUSH2 0x0692 000000bb: JUMP 000000bc: JUMPDEST 000000bd: PUSH2 0x01c4 000000c0: JUMP 000000c1: JUMPDEST 000000c2: PUSH2 0x0092 000000c5: PUSH2 0x01ec 000000c8: JUMP 000000c9: JUMPDEST 000000ca: PUSH2 0x00d1 000000cd: PUSH2 0x0214 000000d0: JUMP 000000d1: JUMPDEST 000000d2: PUSH2 0x00e1 000000d5: PUSH2 0x00dc 000000d8: PUSH2 0x02a9 000000db: JUMP 000000dc: JUMPDEST 000000dd: PUSH2 0x02b2 000000e0: JUMP 000000e1: JUMPDEST 000000e2: JUMP 000000e3: JUMPDEST 000000e4: PUSH2 0x00eb 000000e7: PUSH2 0x02d0 000000ea: JUMP 000000eb: JUMPDEST 000000ec: PUSH1 0x01 000000ee: PUSH1 0x01 000000f0: PUSH1 0xa0 000000f2: SHL 000000f3: SUB 000000f4: AND 000000f5: CALLER 000000f6: SUB 000000f7: PUSH2 0x011e 000000fa: JUMPI 000000fb: PUSH2 0x0102 000000fe: PUSH2 0x0302 00000101: JUMP 00000102: JUMPDEST 00000103: PUSH2 0x011b 00000106: DUP2 00000107: PUSH1 0x40 00000109: MLOAD 0000010a: DUP1 0000010b: PUSH1 0x20 0000010d: ADD 0000010e: PUSH1 0x40 00000110: MSTORE 00000111: DUP1 00000112: PUSH0 00000113: DUP2 00000114: MSTORE 00000115: POP 00000116: PUSH0 00000117: PUSH2 0x030c 0000011a: JUMP 0000011b: JUMPDEST 0000011c: POP 0000011d: JUMP 0000011e: JUMPDEST 0000011f: PUSH2 0x011b 00000122: PUSH2 0x00c9 00000125: JUMP 00000126: JUMPDEST 00000127: PUSH2 0x012e 0000012a: PUSH2 0x02d0 0000012d: JUMP 0000012e: JUMPDEST 0000012f: PUSH1 0x01 00000131: PUSH1 0x01 00000133: PUSH1 0xa0 00000135: SHL 00000136: SUB 00000137: AND 00000138: CALLER 00000139: SUB 0000013a: PUSH2 0x0184 0000013d: JUMPI 0000013e: PUSH2 0x017f 00000141: DUP4 00000142: DUP4 00000143: DUP4 00000144: DUP1 00000145: DUP1 00000146: PUSH1 0x1f 00000148: ADD 00000149: PUSH1 0x20 0000014b: DUP1 0000014c: SWAP2 0000014d: DIV 0000014e: MUL 0000014f: PUSH1 0x20 00000151: ADD 00000152: PUSH1 0x40 00000154: MLOAD 00000155: SWAP1 00000156: DUP2 00000157: ADD 00000158: PUSH1 0x40 0000015a: MSTORE 0000015b: DUP1 0000015c: SWAP4 0000015d: SWAP3 0000015e: SWAP2 0000015f: SWAP1 00000160: DUP2 00000161: DUP2 00000162: MSTORE 00000163: PUSH1 0x20 00000165: ADD 00000166: DUP4 00000167: DUP4 00000168: DUP1 00000169: DUP3 0000016a: DUP5 0000016b: CALLDATACOPY 0000016c: PUSH0 0000016d: SWAP3 0000016e: ADD 0000016f: SWAP2 00000170: SWAP1 00000171: SWAP2 00000172: MSTORE 00000173: POP 00000174: PUSH1 0x01 00000176: SWAP3 00000177: POP 00000178: PUSH2 0x030c 0000017b: SWAP2 0000017c: POP 0000017d: POP 0000017e: JUMP 0000017f: JUMPDEST 00000180: POP 00000181: POP 00000182: POP 00000183: JUMP 00000184: JUMPDEST 00000185: PUSH2 0x017f 00000188: PUSH2 0x00c9 0000018b: JUMP 0000018c: JUMPDEST 0000018d: PUSH0 0000018e: PUSH2 0x0195 00000191: PUSH2 0x02d0 00000194: JUMP 00000195: JUMPDEST 00000196: PUSH1 0x01 00000198: PUSH1 0x01 0000019a: PUSH1 0xa0 0000019c: SHL 0000019d: SUB 0000019e: AND 0000019f: CALLER 000001a0: SUB 000001a1: PUSH2 0x01b9 000001a4: JUMPI 000001a5: PUSH2 0x01ac 000001a8: PUSH2 0x0302 000001ab: JUMP 000001ac: JUMPDEST 000001ad: PUSH2 0x01b4 000001b0: PUSH2 0x02a9 000001b3: JUMP 000001b4: JUMPDEST 000001b5: SWAP1 000001b6: POP 000001b7: SWAP1 000001b8: JUMP 000001b9: JUMPDEST 000001ba: PUSH2 0x01c1 000001bd: PUSH2 0x00c9 000001c0: JUMP 000001c1: JUMPDEST 000001c2: SWAP1 000001c3: JUMP 000001c4: JUMPDEST 000001c5: PUSH2 0x01cc 000001c8: PUSH2 0x02d0 000001cb: JUMP 000001cc: JUMPDEST 000001cd: PUSH1 0x01 000001cf: PUSH1 0x01 000001d1: PUSH1 0xa0 000001d3: SHL 000001d4: SUB 000001d5: AND 000001d6: CALLER 000001d7: SUB 000001d8: PUSH2 0x011e 000001db: JUMPI 000001dc: PUSH2 0x01e3 000001df: PUSH2 0x0302 000001e2: JUMP 000001e3: JUMPDEST 000001e4: PUSH2 0x011b 000001e7: DUP2 000001e8: PUSH2 0x0336 000001eb: JUMP 000001ec: JUMPDEST 000001ed: PUSH0 000001ee: PUSH2 0x01f5 000001f1: PUSH2 0x02d0 000001f4: JUMP 000001f5: JUMPDEST 000001f6: PUSH1 0x01 000001f8: PUSH1 0x01 000001fa: PUSH1 0xa0 000001fc: SHL 000001fd: SUB 000001fe: AND 000001ff: CALLER 00000200: SUB 00000201: PUSH2 0x01b9 00000204: JUMPI 00000205: PUSH2 0x020c 00000208: PUSH2 0x0302 0000020b: JUMP 0000020c: JUMPDEST 0000020d: PUSH2 0x01b4 00000210: PUSH2 0x02d0 00000213: JUMP 00000214: JUMPDEST 00000215: PUSH2 0x021c 00000218: PUSH2 0x02d0 0000021b: JUMP 0000021c: JUMPDEST 0000021d: PUSH1 0x01 0000021f: PUSH1 0x01 00000221: PUSH1 0xa0 00000223: SHL 00000224: SUB 00000225: AND 00000226: CALLER 00000227: SUB 00000228: PUSH2 0x00e1 0000022b: JUMPI 0000022c: PUSH1 0x40 0000022e: MLOAD 0000022f: PUSH3 0x461bcd 00000233: PUSH1 0xe5 00000235: SHL 00000236: DUP2 00000237: MSTORE 00000238: PUSH1 0x20 0000023a: PUSH1 0x04 0000023c: DUP3 0000023d: ADD 0000023e: MSTORE 0000023f: PUSH1 0x42 00000241: PUSH1 0x24 00000243: DUP3 00000244: ADD 00000245: MSTORE 00000246: PUSH32 0x5472616e73706172656e745570677261646561626c6550726f78793a2061646d 00000267: PUSH1 0x44 00000269: DUP3 0000026a: ADD 0000026b: MSTORE 0000026c: PUSH32 0x696e2063616e6e6f742066616c6c6261636b20746f2070726f78792074617267 0000028d: PUSH1 0x64 0000028f: DUP3 00000290: ADD 00000291: MSTORE 00000292: PUSH2 0x195d 00000295: PUSH1 0xf2 00000297: SHL 00000298: PUSH1 0x84 0000029a: DUP3 0000029b: ADD 0000029c: MSTORE 0000029d: PUSH1 0xa4 0000029f: ADD 000002a0: JUMPDEST 000002a1: PUSH1 0x40 000002a3: MLOAD 000002a4: DUP1 000002a5: SWAP2 000002a6: SUB 000002a7: SWAP1 000002a8: REVERT 000002a9: JUMPDEST 000002aa: PUSH0 000002ab: PUSH2 0x01b4 000002ae: PUSH2 0x038a 000002b1: JUMP 000002b2: JUMPDEST 000002b3: CALLDATASIZE 000002b4: PUSH0 000002b5: DUP1 000002b6: CALLDATACOPY 000002b7: PUSH0 000002b8: DUP1 000002b9: CALLDATASIZE 000002ba: PUSH0 000002bb: DUP5 000002bc: GAS 000002bd: DELEGATECALL 000002be: RETURNDATASIZE 000002bf: PUSH0 000002c0: DUP1 000002c1: RETURNDATACOPY 000002c2: DUP1 000002c3: DUP1 000002c4: ISZERO 000002c5: PUSH2 0x02cc 000002c8: JUMPI 000002c9: RETURNDATASIZE 000002ca: PUSH0 000002cb: RETURN 000002cc: JUMPDEST 000002cd: RETURNDATASIZE 000002ce: PUSH0 000002cf: REVERT 000002d0: JUMPDEST 000002d1: PUSH0 000002d2: PUSH32 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103 000002f3: JUMPDEST 000002f4: SLOAD 000002f5: PUSH1 0x01 000002f7: PUSH1 0x01 000002f9: PUSH1 0xa0 000002fb: SHL 000002fc: SUB 000002fd: AND 000002fe: SWAP2 000002ff: SWAP1 00000300: POP 00000301: JUMP 00000302: JUMPDEST 00000303: CALLVALUE 00000304: ISZERO 00000305: PUSH2 0x00e1 00000308: JUMPI 00000309: PUSH0 0000030a: DUP1 0000030b: REVERT 0000030c: JUMPDEST 0000030d: PUSH2 0x0315 00000310: DUP4 00000311: PUSH2 0x03b1 00000314: JUMP 00000315: JUMPDEST 00000316: PUSH0 00000317: DUP3 00000318: MLOAD 00000319: GT 0000031a: DUP1 0000031b: PUSH2 0x0321 0000031e: JUMPI 0000031f: POP 00000320: DUP1 00000321: JUMPDEST 00000322: ISZERO 00000323: PUSH2 0x017f 00000326: JUMPI 00000327: PUSH2 0x0330 0000032a: DUP4 0000032b: DUP4 0000032c: PUSH2 0x03f0 0000032f: JUMP 00000330: JUMPDEST 00000331: POP 00000332: POP 00000333: POP 00000334: POP 00000335: JUMP 00000336: JUMPDEST 00000337: PUSH32 0x7e644d79422f17c01e4894b5f4f588d331ebfa28653d42ae832dc59e38c9798f 00000358: PUSH2 0x035f 0000035b: PUSH2 0x02d0 0000035e: JUMP 0000035f: JUMPDEST 00000360: PUSH1 0x40 00000362: DUP1 00000363: MLOAD 00000364: PUSH1 0x01 00000366: PUSH1 0x01 00000368: PUSH1 0xa0 0000036a: SHL 0000036b: SUB 0000036c: SWAP3 0000036d: DUP4 0000036e: AND 0000036f: DUP2 00000370: MSTORE 00000371: SWAP2 00000372: DUP5 00000373: AND 00000374: PUSH1 0x20 00000376: DUP4 00000377: ADD 00000378: MSTORE 00000379: ADD 0000037a: PUSH1 0x40 0000037c: MLOAD 0000037d: DUP1 0000037e: SWAP2 0000037f: SUB 00000380: SWAP1 00000381: LOG1 00000382: PUSH2 0x011b 00000385: DUP2 00000386: PUSH2 0x041c 00000389: JUMP 0000038a: JUMPDEST 0000038b: PUSH0 0000038c: PUSH32 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc 000003ad: PUSH2 0x02f3 000003b0: JUMP 000003b1: JUMPDEST 000003b2: PUSH2 0x03ba 000003b5: DUP2 000003b6: PUSH2 0x04c5 000003b9: JUMP 000003ba: JUMPDEST 000003bb: PUSH1 0x40 000003bd: MLOAD 000003be: PUSH1 0x01 000003c0: PUSH1 0x01 000003c2: PUSH1 0xa0 000003c4: SHL 000003c5: SUB 000003c6: DUP3 000003c7: AND 000003c8: SWAP1 000003c9: PUSH32 0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b 000003ea: SWAP1 000003eb: PUSH0 000003ec: SWAP1 000003ed: LOG2 000003ee: POP 000003ef: JUMP 000003f0: JUMPDEST 000003f1: PUSH1 0x60 000003f3: PUSH2 0x0415 000003f6: DUP4 000003f7: DUP4 000003f8: PUSH1 0x40 000003fa: MLOAD 000003fb: DUP1 000003fc: PUSH1 0x60 000003fe: ADD 000003ff: PUSH1 0x40 00000401: MSTORE 00000402: DUP1 00000403: PUSH1 0x27 00000405: DUP2 00000406: MSTORE 00000407: PUSH1 0x20 00000409: ADD 0000040a: PUSH2 0x0775 0000040d: PUSH1 0x27 0000040f: SWAP2 00000410: CODECOPY 00000411: PUSH2 0x0559 00000414: JUMP 00000415: JUMPDEST 00000416: SWAP4 00000417: SWAP3 00000418: POP 00000419: POP 0000041a: POP 0000041b: JUMP 0000041c: JUMPDEST 0000041d: PUSH1 0x01 0000041f: PUSH1 0x01 00000421: PUSH1 0xa0 00000423: SHL 00000424: SUB 00000425: DUP2 00000426: AND 00000427: PUSH2 0x0481 0000042a: JUMPI 0000042b: PUSH1 0x40 0000042d: MLOAD 0000042e: PUSH3 0x461bcd 00000432: PUSH1 0xe5 00000434: SHL 00000435: DUP2 00000436: MSTORE 00000437: PUSH1 0x20 00000439: PUSH1 0x04 0000043b: DUP3 0000043c: ADD 0000043d: MSTORE 0000043e: PUSH1 0x26 00000440: PUSH1 0x24 00000442: DUP3 00000443: ADD 00000444: MSTORE 00000445: PUSH32 0x455243313936373a206e65772061646d696e20697320746865207a65726f2061 00000466: PUSH1 0x44 00000468: DUP3 00000469: ADD 0000046a: MSTORE 0000046b: PUSH6 0x646472657373 00000472: PUSH1 0xd0 00000474: SHL 00000475: PUSH1 0x64 00000477: DUP3 00000478: ADD 00000479: MSTORE 0000047a: PUSH1 0x84 0000047c: ADD 0000047d: PUSH2 0x02a0 00000480: JUMP 00000481: JUMPDEST 00000482: DUP1 00000483: PUSH32 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103 000004a4: JUMPDEST 000004a5: DUP1 000004a6: SLOAD 000004a7: PUSH1 0x01 000004a9: PUSH1 0x01 000004ab: PUSH1 0xa0 000004ad: SHL 000004ae: SUB 000004af: NOT 000004b0: AND 000004b1: PUSH1 0x01 000004b3: PUSH1 0x01 000004b5: PUSH1 0xa0 000004b7: SHL 000004b8: SUB 000004b9: SWAP3 000004ba: SWAP1 000004bb: SWAP3 000004bc: AND 000004bd: SWAP2 000004be: SWAP1 000004bf: SWAP2 000004c0: OR 000004c1: SWAP1 000004c2: SSTORE 000004c3: POP 000004c4: JUMP 000004c5: JUMPDEST 000004c6: PUSH1 0x01 000004c8: PUSH1 0x01 000004ca: PUSH1 0xa0 000004cc: SHL 000004cd: SUB 000004ce: DUP2 000004cf: AND 000004d0: EXTCODESIZE 000004d1: PUSH2 0x0532 000004d4: JUMPI 000004d5: PUSH1 0x40 000004d7: MLOAD 000004d8: PUSH3 0x461bcd 000004dc: PUSH1 0xe5 000004de: SHL 000004df: DUP2 000004e0: MSTORE 000004e1: PUSH1 0x20 000004e3: PUSH1 0x04 000004e5: DUP3 000004e6: ADD 000004e7: MSTORE 000004e8: PUSH1 0x2d 000004ea: PUSH1 0x24 000004ec: DUP3 000004ed: ADD 000004ee: MSTORE 000004ef: PUSH32 0x455243313936373a206e657720696d706c656d656e746174696f6e206973206e 00000510: PUSH1 0x44 00000512: DUP3 00000513: ADD 00000514: MSTORE 00000515: PUSH13 0x1bdd08184818dbdb9d1c9858dd 00000523: PUSH1 0x9a 00000525: SHL 00000526: PUSH1 0x64 00000528: DUP3 00000529: ADD 0000052a: MSTORE 0000052b: PUSH1 0x84 0000052d: ADD 0000052e: PUSH2 0x02a0 00000531: JUMP 00000532: JUMPDEST 00000533: DUP1 00000534: PUSH32 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc 00000555: PUSH2 0x04a4 00000558: JUMP 00000559: JUMPDEST 0000055a: PUSH1 0x60 0000055c: PUSH0 0000055d: DUP1 0000055e: DUP6 0000055f: PUSH1 0x01 00000561: PUSH1 0x01 00000563: PUSH1 0xa0 00000565: SHL 00000566: SUB 00000567: AND 00000568: DUP6 00000569: PUSH1 0x40 0000056b: MLOAD 0000056c: PUSH2 0x0575 0000056f: SWAP2 00000570: SWAP1 00000571: PUSH2 0x0729 00000574: JUMP 00000575: JUMPDEST 00000576: PUSH0 00000577: PUSH1 0x40 00000579: MLOAD 0000057a: DUP1 0000057b: DUP4 0000057c: SUB 0000057d: DUP2 0000057e: DUP6 0000057f: GAS 00000580: DELEGATECALL 00000581: SWAP2 00000582: POP 00000583: POP 00000584: RETURNDATASIZE 00000585: DUP1 00000586: PUSH0 00000587: DUP2 00000588: EQ 00000589: PUSH2 0x05ad 0000058c: JUMPI 0000058d: PUSH1 0x40 0000058f: MLOAD 00000590: SWAP2 00000591: POP 00000592: PUSH1 0x1f 00000594: NOT 00000595: PUSH1 0x3f 00000597: RETURNDATASIZE 00000598: ADD 00000599: AND 0000059a: DUP3 0000059b: ADD 0000059c: PUSH1 0x40 0000059e: MSTORE 0000059f: RETURNDATASIZE 000005a0: DUP3 000005a1: MSTORE 000005a2: RETURNDATASIZE 000005a3: PUSH0 000005a4: PUSH1 0x20 000005a6: DUP5 000005a7: ADD 000005a8: RETURNDATACOPY 000005a9: PUSH2 0x05b2 000005ac: JUMP 000005ad: JUMPDEST 000005ae: PUSH1 0x60 000005b0: SWAP2 000005b1: POP 000005b2: JUMPDEST 000005b3: POP 000005b4: SWAP2 000005b5: POP 000005b6: SWAP2 000005b7: POP 000005b8: PUSH2 0x05c3 000005bb: DUP7 000005bc: DUP4 000005bd: DUP4 000005be: DUP8 000005bf: PUSH2 0x05cd 000005c2: JUMP 000005c3: JUMPDEST 000005c4: SWAP7 000005c5: SWAP6 000005c6: POP 000005c7: POP 000005c8: POP 000005c9: POP 000005ca: POP 000005cb: POP 000005cc: JUMP 000005cd: JUMPDEST 000005ce: PUSH1 0x60 000005d0: DUP4 000005d1: ISZERO 000005d2: PUSH2 0x063b 000005d5: JUMPI 000005d6: DUP3 000005d7: MLOAD 000005d8: PUSH0 000005d9: SUB 000005da: PUSH2 0x0634 000005dd: JUMPI 000005de: PUSH1 0x01 000005e0: PUSH1 0x01 000005e2: PUSH1 0xa0 000005e4: SHL 000005e5: SUB 000005e6: DUP6 000005e7: AND 000005e8: EXTCODESIZE 000005e9: PUSH2 0x0634 000005ec: JUMPI 000005ed: PUSH1 0x40 000005ef: MLOAD 000005f0: PUSH3 0x461bcd 000005f4: PUSH1 0xe5 000005f6: SHL 000005f7: DUP2 000005f8: MSTORE 000005f9: PUSH1 0x20 000005fb: PUSH1 0x04 000005fd: DUP3 000005fe: ADD 000005ff: MSTORE 00000600: PUSH1 0x1d 00000602: PUSH1 0x24 00000604: DUP3 00000605: ADD 00000606: MSTORE 00000607: PUSH32 0x416464726573733a2063616c6c20746f206e6f6e2d636f6e7472616374000000 00000628: PUSH1 0x44 0000062a: DUP3 0000062b: ADD 0000062c: MSTORE 0000062d: PUSH1 0x64 0000062f: ADD 00000630: PUSH2 0x02a0 00000633: JUMP 00000634: JUMPDEST 00000635: POP 00000636: DUP2 00000637: PUSH2 0x0645 0000063a: JUMP 0000063b: JUMPDEST 0000063c: PUSH2 0x0645 0000063f: DUP4 00000640: DUP4 00000641: PUSH2 0x064d 00000644: JUMP 00000645: JUMPDEST 00000646: SWAP5 00000647: SWAP4 00000648: POP 00000649: POP 0000064a: POP 0000064b: POP 0000064c: JUMP 0000064d: JUMPDEST 0000064e: DUP2 0000064f: MLOAD 00000650: ISZERO 00000651: PUSH2 0x065d 00000654: JUMPI 00000655: DUP2 00000656: MLOAD 00000657: DUP1 00000658: DUP4 00000659: PUSH1 0x20 0000065b: ADD 0000065c: REVERT 0000065d: JUMPDEST 0000065e: DUP1 0000065f: PUSH1 0x40 00000661: MLOAD 00000662: PUSH3 0x461bcd 00000666: PUSH1 0xe5 00000668: SHL 00000669: DUP2 0000066a: MSTORE 0000066b: PUSH1 0x04 0000066d: ADD 0000066e: PUSH2 0x02a0 00000671: SWAP2 00000672: SWAP1 00000673: PUSH2 0x073f 00000676: JUMP 00000677: JUMPDEST 00000678: DUP1 00000679: CALLDATALOAD 0000067a: PUSH1 0x01 0000067c: PUSH1 0x01 0000067e: PUSH1 0xa0 00000680: SHL 00000681: SUB 00000682: DUP2 00000683: AND 00000684: DUP2 00000685: EQ 00000686: PUSH2 0x068d 00000689: JUMPI 0000068a: PUSH0 0000068b: DUP1 0000068c: REVERT 0000068d: JUMPDEST 0000068e: SWAP2 0000068f: SWAP1 00000690: POP 00000691: JUMP 00000692: JUMPDEST 00000693: PUSH0 00000694: PUSH1 0x20 00000696: DUP3 00000697: DUP5 00000698: SUB 00000699: SLT 0000069a: ISZERO 0000069b: PUSH2 0x06a2 0000069e: JUMPI 0000069f: PUSH0 000006a0: DUP1 000006a1: REVERT 000006a2: JUMPDEST 000006a3: PUSH2 0x0415 000006a6: DUP3 000006a7: PUSH2 0x0677 000006aa: JUMP 000006ab: JUMPDEST 000006ac: PUSH0 000006ad: DUP1 000006ae: PUSH0 000006af: PUSH1 0x40 000006b1: DUP5 000006b2: DUP7 000006b3: SUB 000006b4: SLT 000006b5: ISZERO 000006b6: PUSH2 0x06bd 000006b9: JUMPI 000006ba: PUSH0 000006bb: DUP1 000006bc: REVERT 000006bd: JUMPDEST 000006be: PUSH2 0x06c6 000006c1: DUP5 000006c2: PUSH2 0x0677 000006c5: JUMP 000006c6: JUMPDEST 000006c7: SWAP3 000006c8: POP 000006c9: PUSH1 0x20 000006cb: DUP5 000006cc: ADD 000006cd: CALLDATALOAD 000006ce: PUSH8 0xffffffffffffffff 000006d7: DUP2 000006d8: GT 000006d9: ISZERO 000006da: PUSH2 0x06e1 000006dd: JUMPI 000006de: PUSH0 000006df: DUP1 000006e0: REVERT 000006e1: JUMPDEST 000006e2: DUP5 000006e3: ADD 000006e4: PUSH1 0x1f 000006e6: DUP2 000006e7: ADD 000006e8: DUP7 000006e9: SGT 000006ea: PUSH2 0x06f1 000006ed: JUMPI 000006ee: PUSH0 000006ef: DUP1 000006f0: REVERT 000006f1: JUMPDEST 000006f2: DUP1 000006f3: CALLDATALOAD 000006f4: PUSH8 0xffffffffffffffff 000006fd: DUP2 000006fe: GT 000006ff: ISZERO 00000700: PUSH2 0x0707 00000703: JUMPI 00000704: PUSH0 00000705: DUP1 00000706: REVERT 00000707: JUMPDEST 00000708: DUP7 00000709: PUSH1 0x20 0000070b: DUP3 0000070c: DUP5 0000070d: ADD 0000070e: ADD 0000070f: GT 00000710: ISZERO 00000711: PUSH2 0x0718 00000714: JUMPI 00000715: PUSH0 00000716: DUP1 00000717: REVERT 00000718: JUMPDEST 00000719: SWAP4 0000071a: SWAP7 0000071b: PUSH1 0x20 0000071d: SWAP2 0000071e: SWAP1 0000071f: SWAP2 00000720: ADD 00000721: SWAP6 00000722: POP 00000723: SWAP3 00000724: SWAP4 00000725: POP 00000726: POP 00000727: POP 00000728: JUMP 00000729: JUMPDEST 0000072a: PUSH0 0000072b: DUP3 0000072c: MLOAD 0000072d: DUP1 0000072e: PUSH1 0x20 00000730: DUP6 00000731: ADD 00000732: DUP5 00000733: MCOPY 00000734: PUSH0 00000735: SWAP3 00000736: ADD 00000737: SWAP2 00000738: DUP3 00000739: MSTORE 0000073a: POP 0000073b: SWAP2 0000073c: SWAP1 0000073d: POP 0000073e: JUMP 0000073f: JUMPDEST 00000740: PUSH1 0x20 00000742: DUP2 00000743: MSTORE 00000744: PUSH0 00000745: DUP3 00000746: MLOAD 00000747: DUP1 00000748: PUSH1 0x20 0000074a: DUP5 0000074b: ADD 0000074c: MSTORE 0000074d: DUP1 0000074e: PUSH1 0x20 00000750: DUP6 00000751: ADD 00000752: PUSH1 0x40 00000754: DUP6 00000755: ADD 00000756: MCOPY 00000757: PUSH0 00000758: PUSH1 0x40 0000075a: DUP3 0000075b: DUP6 0000075c: ADD 0000075d: ADD 0000075e: MSTORE 0000075f: PUSH1 0x40 00000761: PUSH1 0x1f 00000763: NOT 00000764: PUSH1 0x1f 00000766: DUP4 00000767: ADD 00000768: AND 00000769: DUP5 0000076a: ADD 0000076b: ADD 0000076c: SWAP2 0000076d: POP 0000076e: POP 0000076f: SWAP3 00000770: SWAP2 00000771: POP 00000772: POP 00000773: JUMP 00000774: INVALID 00000775: COINBASE 00000776: PUSH5 0x6472657373 0000077c: GASPRICE 0000077d: KECCAK256 0000077e: PUSH13 0x6f772d6c6576656c2064656c65 0000078c: PUSH8 0x6174652063616c6c 00000795: KECCAK256 00000796: PUSH7 0x61696c6564a264 0000079e: PUSH10 0x70667358221220167f8f 000007a9: UNKNOWN(0xE2) 000007aa: UNKNOWN(0xC7) 000007ab: UNKNOWN(0x4C) 000007ac: UNKNOWN(0xE5) 000007ad: UNKNOWN(0xC4) 000007ae: PUSH17 0xafea48c32a8f34d02f0c8068376017b7fe 000007c0: PUSH5 0xb25cb66031 000007c6: PUSH5 0x736f6c6343 000007cc: STOP 000007cd: ADDMOD 000007ce: BYTE 000007cf: STOP 000007d0: CALLER
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| critical | upgradeability | detector | Untrusted DELEGATECALL target reachable | 70 | no | no |
viewtrace_id: 0xd804fa9eae8d788e04c9562b13be2e36da6dea0ea54bb1f10456f7f41ae6b73c
call_targets:
0x62c9e5e52351e02635f48072fa20c03bb650f787
target_varies:
no
classification:
constant_target
validation_json{
"sink": "DELEGATECALL",
"errors": 0,
"status": "sink_reached",
"attempts": 2,
"trace_id": "0xd804fa9eae8d788e04c9562b13be2e36da6dea0ea54bb1f10456f7f41ae6b73c",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0x62c9e5e52351e02635f48072fa20c03bb650f787"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x3659cfe6",
"selector": "0x3659cfe6",
"calldata_variants": [
"0x3659cfe6",
"0x3659cfe60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x4f1ef286",
"selector": "0x4f1ef286",
"calldata_variants": [
"0x4f1ef286",
"0x4f1ef2860000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x5c60da1b",
"selector": "0x5c60da1b",
"calldata_variants": [
"0x5c60da1b",
"0x5c60da1b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x8f283970",
"selector": "0x8f283970",
"calldata_variants": [
"0x8f283970",
"0x8f2839700000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xf851a440",
"selector": "0xf851a440",
"calldata_variants": [
"0xf851a440",
"0xf851a4400000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 701,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
},
{
"pc": 1408,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
}
],
"guards_detected": [],
"delegatecall_count": 2,
"untrusted_delegatecall_count": 2
}
|
| high | other | codex | Computed-target DELEGATECALL allows code execution in caller storage if user-controlled | 85 | no | — |
viewevidence_json{
"evidence": "Callsite at pc 3653 performs DELEGATECALL with target_expression_category=\"computed\" and no detected guards (auth.guards=[]). Returndata checking is unknown (returndata_checked=null).",
"locations": [
"pc:0x0e45"
],
"recommendation": "Ensure delegatecall targets are strictly whitelisted or derived from trusted, immutable storage; add explicit access control and sanity checks before invoking delegatecall.",
"exploit_scenario": "If any external entrypoint lets a caller influence the delegatecall target, an attacker can point it to malicious code that executes in this contract\u2019s storage context, enabling full state takeover or asset drain."
}
|
| medium | access_control | codex | Multiple computed-target/value CALLs may enable arbitrary external calls and ETH transfers | 75 | no | — |
viewevidence_json{
"evidence": "Several CALL sites use computed targets and computed value (e.g., pc 2149, 5006, 10448, 11101, 11590, 12363). Detector notes eth-value CALLs and untrusted CALL targets. No auth guards detected in artifact.",
"locations": [
"pc:0x0865",
"pc:0x138e",
"pc:0x28d0",
"pc:0x2b5d",
"pc:0x2d46",
"pc:0x304b"
],
"recommendation": "Restrict these CALL paths to authorized callers and validate target/value parameters. Consider allowlists and explicit caps on ETH value when external calls are required.",
"exploit_scenario": "If any of these CALL paths are reachable by untrusted users and accept target/value inputs, an attacker could direct funds or invoke arbitrary external contracts, potentially draining ETH or triggering unexpected external effects."
}
|
| medium | upgradeability | cast | DELEGATECALL present | 80 | no | — |
viewevidence_json{
"notes": "delegatecall enables execution in caller context; common in proxies/upgradeable patterns",
"delegatecall_count": 2
}
|
| low | other | codex | CALLCODE opcode present in runtime bytecode (reachability unclear) | 65 | no | — |
viewevidence_json{
"evidence": "Bytecode includes a CALLCODE at pc 17315 with computed target/value. The surrounding basic block lacks a JUMPDEST, suggesting it may be non\u2011code data, but reachability cannot be confirmed from this artifact alone.",
"locations": [
"pc:0x43b3"
],
"recommendation": "Confirm whether the CALLCODE opcode is reachable. If reachable, refactor to avoid CALLCODE and use safer patterns with strict access control and target validation.",
"exploit_scenario": "If this CALLCODE is reachable (uncertain), it behaves like a legacy delegatecall, executing in the caller\u2019s storage context and potentially enabling state corruption or privilege escalation."
}
|