019bb004-7b3d-70c2-b93c-a100cd2b8bc6
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 39409 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 39410 | proxy.resolve | complete | 1 / 3 | 3 months ago |
| 39411 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 39412 | analysis.bundle | complete | 1 / 3 | 3 months ago |
| 39413 | capability.graph | complete | 1 / 3 | 3 months ago |
| 39414 | detector.run | complete | 1 / 3 | 3 months ago |
| 39415 | validation.fork | complete | 1 / 3 | 3 months ago |
| 39508 | report.consolidate | complete | 1 / 6 | 3 months ago |
| 39509 | tool.slither | failed | 2 / 2 | 3 months ago |
{
"method": "eip1967",
"status": "onchain_only",
"implementation": "0x86e3f7bd35bbd635bd41834c73356e1d9803e53b",
"onchain_method": "eip1967"
}
Traceback (most recent call last):
File "/var/www/tripwire/worker/worker.py", line 198, in main
payload = dispatch_job(job_type, job_id, job_meta, run_data, config, laravel_client)
File "/var/www/tripwire/worker/worker.py", line 114, in dispatch_job
return slither_run.run(job_id, job_meta, run_data, config, log, laravel_client)
~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/var/www/tripwire/worker/jobs/slither_run.py", line 1084, in run
stdout_text, stderr_text, result_json = _run_slither(
~~~~~~~~~~~~^
workspace,
^^^^^^^^^^
...<4 lines>...
target_path=target_path,
^^^^^^^^^^^^^^^^^^^^^^^^
)
^
File "/var/www/tripwire/worker/jobs/slither_run.py", line 958, in _run_slither
raise RuntimeError(f"slither failed (exit {result.returncode}): {stderr_text or stdout_text}")
RuntimeError: slither failed (exit 1): 'forge clean' running (wd: /tmp/slither-uuqhij0d)
'forge config --json' running
'forge build --build-info --skip ./test/** ./script/** --force' running (wd: /tmp/slither-uuqhij0d)
'forge' returned non-zero exit code 1
Error: Encountered invalid solc version in lib/openzeppelin-contracts/contracts/proxy/ERC1967/ERC1967Proxy.sol: No solc version exists that matches the version requirement: ^0.8.22
stderr: Encountered invalid solc version in lib/openzeppelin-contracts/contracts/proxy/utils/UUPSUpgradeable.sol: No solc version exists that matches the version requirement: ^0.8.22
Traceback (most recent call last):
File "/var/www/tripwire/.venv/bin/slither", line 10, in <module>
sys.exit(main())
~~~~^^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/slither/__main__.py", line 776, in main
main_impl(all_detector_classes=detectors, all_printer_classes=printers)
~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/slither/__main__.py", line 882, in main_impl
) = process_all(filename, args, detector_classes, printer_classes)
~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/slither/__main__.py", line 96, in process_all
compilations = compile_all(target, **vars(args))
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/crytic_compile/crytic_compile.py", line 722, in compile_all
compilations.append(CryticCompile(target, **kwargs))
~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/crytic_compile/crytic_compile.py", line 211, in __init__
self._compile(**kwargs)
~~~~~~~~~~~~~^^^^^^^^^^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/crytic_compile/crytic_compile.py", line 633, in _compile
self._platform.compile(self, **kwargs)
~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/crytic_compile/platform/foundry.py", line 102, in compile
hardhat_like_parsing(
~~~~~~~~~~~~~~~~~~~~^
crytic_compile, str(self._target), build_directory, str(self._project_root)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
)
^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/crytic_compile/platform/hardhat.py", line 52, in hardhat_like_parsing
raise InvalidCompilation(txt)
crytic_compile.platform.exceptions.InvalidCompilation: Compilation failed. Can you run build command?
/tmp/slither-uuqhij0d/out/build-info is not a directory.
{"no_findings":false,"summary":"Bytecode analysis shows multiple low-level CALLs with computed targets and ETH value; guard detection only found a single msg.sender==constant check. Due to limited evidence, impact depends on whether these calls are user-influenced or properly restricted.","findings":[{"severity":"low","category":"other","title":"Computed CALL targets/values may allow untrusted external calls with ETH","exploit_scenario":"If any externally callable path can influence the CALL target or value (via calldata or attacker-controlled storage), an attacker could direct the contract to call arbitrary addresses and forward ETH, potentially enabling reentrancy into state-mutating flows or draining contract-held ETH/tokens. The validation trace observed a constant self-target in one probe, so exploitability is uncertain without source-level context.","recommendation":"Verify that all CALL targets are fixed or strictly whitelisted and that any value forwarded is tightly bounded. Ensure these paths are gated by appropriate access control and, where state is updated, apply checks-effects-interactions or a reentrancy guard. Consider explicit return-data checks for low-level calls.","evidence":"10 CALL sites have target_expression_category=value_expression_category=\"computed\" with returndata_checked=null. Detector findings flagged untrusted CALL target/value and ETH value transfer possible; only one heuristic guard (msg.sender == 0xde8a12735c237800000000000000000000000000) detected at pc:0x1929, not mapped to specific functions. Validation trace reported constant self-target in one run, so control of target/value is not confirmed.","locations":["pc:0x28a7","pc:0x30b7","pc:0x319b","pc:0x3221","pc:0x3305","pc:0x3991","pc:0x4253","pc:0x4acb","pc:0x4d3e","pc:0x4e6d"]}]}
OpenAI Codex v0.77.0 (research preview)
--------
workdir: /tmp/codex-b1robs60
model: gpt-5.2-codex
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: auto
session id: 019bb037-d8c8-70e0-9e64-4accbad437e8
--------
user
Context: The user requested the proxy at 0x10fc064739ecef0a076ccce5de283b5a9e74faf6.
Audit the implementation at 0x86e3f7bd35bbd635bd41834c73356e1d9803e53b.
Findings should refer to the implementation unless explicitly about proxy mechanics.
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
mcp startup: no servers
thinking
**Reading BYTECODE_BUNDLE.json**
exec
/bin/bash -lc ls in /tmp/codex-b1robs60 succeeded in 5ms:
BYTECODE_BUNDLE.json
codex-output-schema.json
exec
/bin/bash -lc 'cat BYTECODE_BUNDLE.json' in /tmp/codex-b1robs60 succeeded in 14ms:
{
"analysis_artifact": {
"address": "0x86e3f7bd35bbd635bd41834c73356e1d9803e53b",
"artifact_hash": "0x922d5c072b546ee4ff1b862dd7291391d9a16da4316ba764ac6873bcbf70e0c3",
"artifact_json": {
"auth": {
"guards": [
{
"pc": 6441,
"type": "msg_sender_eq_const",
"value": 1.2704750612363817e+48
}
]
},
"basic_blocks": [
{
"end_pc": 12,
"hash": "0x22184ed1e874bff831cd45fde40c6538b817cec8c0f742072857e79cfd2978fd",
"opcodes": [
"PUSH1",
thinking
**Searching for evidence in large file**
exec
/bin/bash -lc 'rg -n "evidence|storage|slot|callsite|guards|function" BYTECODE_BUNDLE.json' in /tmp/codex-b1robs60 succeeded in 12ms:
7: "guards": [
25760: "callsites": [
33789: "function_entries": [
34115: "functions": [
34118: "guards": [
34134: "storage": {
34136: "slots": [
34140: "slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
34145: "slot": "0x000000000000000000000000000000000000000000000000000000000000000c"
34150: "slot": "0x0000000000000000000000000000000000000000000000000000000000000013"
34155: "slot": "0x0000000000000000000000000000000000000000000000000000000000000004"
34160: "slot": "0x00000000000000000000000000000000000000000000000000000000000000fc"
34165: "slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
34170: "slot": "0x0000000000000000000000000000000000000000000000000000000000000003"
34175: "slot": "0x0000000000000000000000000000000000000000000000000000000000000012"
34180: "slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
34185: "slot": "0x0000000000000000000000000000000000000000000000000000000000000006"
34190: "slot": "0x0000000000000000000000000000000000000000000000000000000000000014"
34195: "slot": "0x0000000000000000000000000000000000000000000000000000000000000009"
34200: "slot": "0x0000000000000000000000000000000000000000000000000000000000000015"
thinking
**Planning JSON parsing with Python**
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
p=Path('BYTECODE_BUNDLE.json')
data=json.loads(p.read_text())
print(data.keys())
print('detector_findings', len(data.get('detector_findings',[])))
print('heuristics_summary', data.get('heuristics_summary'))
print('analysis_artifact keys', data['analysis_artifact'].keys())
# print proxy evidence if exists
artifact_json=data['analysis_artifact'].get('artifact_json',{})
print('artifact_json keys', artifact_json.keys())
print('proxy_evidence', artifact_json.get('proxy_evidence'))
# list top-level function_entries maybe
for key in ['callsites','function_entries','functions']:
if key in artifact_json:
print(key, 'len', len(artifact_json[key]))
# try to find evidence bundle in artifact_json
for key in artifact_json:
if 'evidence' in key:
print('evidence key', key)
PY" in /tmp/codex-b1robs60 succeeded in 58ms:
dict_keys(['analysis_artifact', 'analysis_run', 'artifact', 'capability_graph', 'detector_findings', 'heuristics_summary'])
detector_findings 2
heuristics_summary {'create2_count': 0, 'delegatecall_count': 0, 'flags': ['heavy_ext_balance_usage', 'call_family_heavy'], 'selfdestruct_count': 0}
analysis_artifact keys dict_keys(['address', 'artifact_hash', 'artifact_json', 'block_number', 'chain_id', 'codehash', 'created_at', 'id', 'updated_at', 'version'])
artifact_json keys dict_keys(['auth', 'basic_blocks', 'callsites', 'cfg_edges', 'cfg_hash', 'dispatcher_type', 'function_entries', 'functions', 'selectors', 'sinks', 'storage', 'version'])
proxy_evidence None
callsites len 19
function_entries len 81
functions len 81
thinking
**Examining function usage and callsites**
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
data=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
artifact=data['analysis_artifact']['artifact_json']
print('callsites:')
for cs in artifact['callsites']:
if cs['type']=='callsite':
print(cs)
print('\\nfunctions with guards:')
for f in artifact['functions']:
guards=f.get('guards')
if guards:
print(f['id'], f.get('selector'), 'guards', guards)
break
print('total guards in auth', artifact['auth'])
PY" in /tmp/codex-b1robs60 exited 1 in 68ms:
callsites:
Traceback (most recent call last):
File "<stdin>", line 8, in <module>
KeyError: 'type'
thinking
**Inspecting callsites array structure**
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
data=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
artifact=data['analysis_artifact']['artifact_json']
print('callsites first', artifact['callsites'][0])
print('callsites keys', artifact['callsites'][0].keys())
PY" in /tmp/codex-b1robs60 succeeded in 109ms:
callsites first {'opcode': 'STATICCALL', 'pc': 4332, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'n/a'}
callsites keys dict_keys(['opcode', 'pc', 'returndata_checked', 'target_expression_category', 'value_expression_category'])
thinking
**Preparing callsites list with opcodes**
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
data=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
artifact=data['analysis_artifact']['artifact_json']
from collections import Counter
print('callsite opcodes counts', Counter(cs['opcode'] for cs in artifact['callsites']))
print('callsites details:')
for cs in artifact['callsites']:
print(cs)
PY" in /tmp/codex-b1robs60 succeeded in 72ms:
callsite opcodes counts Counter({'CALL': 10, 'STATICCALL': 9})
callsites details:
{'opcode': 'STATICCALL', 'pc': 4332, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'n/a'}
{'opcode': 'STATICCALL', 'pc': 5592, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'n/a'}
{'opcode': 'STATICCALL', 'pc': 5751, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'n/a'}
{'opcode': 'STATICCALL', 'pc': 7636, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'n/a'}
{'opcode': 'STATICCALL', 'pc': 7792, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'n/a'}
{'opcode': 'CALL', 'pc': 10407, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'computed'}
{'opcode': 'CALL', 'pc': 12471, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'computed'}
{'opcode': 'STATICCALL', 'pc': 12578, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'n/a'}
{'opcode': 'CALL', 'pc': 12699, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'computed'}
{'opcode': 'CALL', 'pc': 12833, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'computed'}
{'opcode': 'STATICCALL', 'pc': 12940, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'n/a'}
{'opcode': 'CALL', 'pc': 13061, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'computed'}
{'opcode': 'CALL', 'pc': 14737, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'computed'}
{'opcode': 'STATICCALL', 'pc': 15599, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'n/a'}
{'opcode': 'STATICCALL', 'pc': 15764, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'n/a'}
{'opcode': 'CALL', 'pc': 16979, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'computed'}
{'opcode': 'CALL', 'pc': 19147, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'computed'}
{'opcode': 'CALL', 'pc': 19774, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'computed'}
thinking
**Investigating potential reentrancy and guard usage**
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
data=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
artifact=data['analysis_artifact']['artifact_json']
functions=artifact['functions']
print('num functions', len(functions))
print('guards in functions count', sum(1 for f in functions if f.get('guards')))
for f in functions:
if f.get('guards'):
print('function', f.get('selector'), 'guards', f['guards'][:3])
PY" in /tmp/codex-b1robs60 succeeded in 54ms:
num functions 81
guards in functions count 0
thinking
**Investigating guard implementations**
exec
/bin/bash -lc "python - <<'PY'
import json, math
val=1.2704750612363817e+48
# convert to int
ival=int(val)
print(ival)
print(hex(ival))
PY" in /tmp/codex-b1robs60 succeeded in 66ms:
1270475061236381707857066224985647745824435732480
0xde8a12735c237800000000000000000000000000
thinking
**Verifying address length**
exec
/bin/bash -lc "python - <<'PY'
val=1270475061236381707857066224985647745824435732480
h=hex(val)[2:]
print(len(h), h)
PY" in /tmp/codex-b1robs60 succeeded in 59ms:
40 de8a12735c237800000000000000000000000000
thinking
**Evaluating low-level calls and callsite risks**
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
data=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
artifact=data['analysis_artifact']['artifact_json']
selectors=artifact.get('selectors',{})
print('selectors keys', selectors.keys())
# if selectors is dict of selector->function ids? print sample
if isinstance(selectors, dict):
print('selectors count', len(selectors))
for k,v in list(selectors.items())[:10]:
print(k, v)
else:
print('selectors type', type(selectors))
PY" in /tmp/codex-b1robs60 exited 1 in 56ms:
Traceback (most recent call last):
File "<stdin>", line 7, in <module>
AttributeError: 'list' object has no attribute 'keys'
thinking
**Inspecting selectors list**
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
data=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
selectors=data['analysis_artifact']['artifact_json']['selectors']
print('selectors len', len(selectors))
print(selectors[:20])
PY" in /tmp/codex-b1robs60 succeeded in 69ms:
selectors len 81
['0x01ffc9a7', '0x040141e5', '0x0e89341c', '0x1b2b67b6', '0x1c1f78eb', '0x246132f9', '0x248a9ca3', '0x2495a599', '0x27b3bf11', '0x2ab29df7', '0x2cd479af', '0x2eb2c2d6', '0x2f2ff15d', '0x30f81250', '0x36568abe', '0x386a9525', '0x441a3e70', '0x453dc777', '0x4665096d', '0x492b50d7']
thinking
**Analyzing bytecode and capability data**
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
data=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
print('artifact keys', data['artifact'].keys())
print('capability_graph keys', data['capability_graph'].keys())
# print sample from artifact
print('artifact type', type(data['artifact']))
print('capability_graph type', type(data['capability_graph']))
PY" in /tmp/codex-b1robs60 succeeded in 65ms:
artifact keys dict_keys(['codehash', 'compiler_json', 'implementation_address', 'is_proxy', 'runtime_bytecode', 'verified_source'])
capability_graph keys dict_keys(['address', 'block_number', 'chain_id', 'codehash', 'created_at', 'graph_hash', 'graph_json', 'id', 'updated_at', 'version'])
artifact type <class 'dict'>
capability_graph type <class 'dict'>
thinking
**Inspecting artifact and capability graph JSON**
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
data=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
print('artifact implementation address', data['artifact'].get('implementation_address'))
print('artifact is_proxy', data['artifact'].get('is_proxy'))
print('verified_source', data['artifact'].get('verified_source'))
print('runtime_bytecode length', len(data['artifact'].get('runtime_bytecode','')))
graph=data['capability_graph']['graph_json']
print('graph_json keys', graph.keys())
print('graph_json version', graph.get('version'))
print('graph_json nodes count', len(graph.get('nodes',[])))
print('graph_json edges count', len(graph.get('edges',[])))
PY" in /tmp/codex-b1robs60 succeeded in 71ms:
artifact implementation address None
artifact is_proxy False
verified_source False
runtime_bytecode length 5
graph_json keys dict_keys(['edges', 'nodes', 'version'])
graph_json version capability_graph_v1
graph_json nodes count 1575
graph_json edges count 1694
thinking
**Examining runtime bytecode and graph nodes**
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
data=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
print('analysis_run keys', data['analysis_run'].keys())
print('analysis_run detector_count', data['analysis_run'].get('detector_count'))
print('analysis_run detectors', data['analysis_run'].get('detectors')[:10])
PY" in /tmp/codex-b1robs60 exited 1 in 63ms:
analysis_run keys dict_keys(['address', 'block_number', 'chain_id', 'child_links', 'created_at', 'id', 'parent_links', 'status', 'updated_at'])
analysis_run detector_count None
Traceback (most recent call last):
File "<stdin>", line 7, in <module>
TypeError: 'NoneType' object is not subscriptable
thinking
**Inspecting artifact data for insights**
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
data=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
artifact=data['analysis_artifact']['artifact_json']
fe=artifact['function_entries']
print('function_entries example', fe[:5])
PY" in /tmp/codex-b1robs60 succeeded in 105ms:
function_entries example [{'entry_pc': 67191269, 'selector': '0x01ffc9a7'}, {'entry_pc': 243872796, 'selector': '0x040141e5'}, {'entry_pc': 455829430, 'selector': '0x0e89341c'}, {'entry_pc': 471824619, 'selector': '0x1b2b67b6'}, {'entry_pc': 610349817, 'selector': '0x1c1f78eb'}]
thinking
**Analyzing function entry PCs and access control**
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
data=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
print(data['analysis_artifact']['artifact_json']['auth'])
PY" in /tmp/codex-b1robs60 succeeded in 98ms:
{'guards': [{'pc': 6441, 'type': 'msg_sender_eq_const', 'value': 1.2704750612363817e+48}]}
thinking
**Analyzing access control and reentrancy risks**
I'm reviewing the available guards and external calls to identify potential access control gaps or reentrancy vulnerabilities. Because guard detection is heuristic and limited, I must be cautious about conclusions, highlighting only possible concerns around external calls with computed targets lacking return-data checks and the absence of explicit reentrancy protection—while noting uncertainty and classifying severity conservatively. I'll prepare findings in JSON with structured fields, extracting concrete evidence from detectors using Python for clarity.
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
data=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
for i,det in enumerate(data.get('detector_findings', [])):
print('Detector', i, det['title'])
print('severity', det['severity'], 'confidence', det.get('confidence'))
print('evidence_json', det.get('evidence_json'))
print('validation_json', det.get('validation_json'))
PY" in /tmp/codex-b1robs60 succeeded in 91ms:
Detector 0 Untrusted CALL target/value reachable
severity medium confidence 45
evidence_json {'call_count': 10, 'examples': [{'opcode': 'CALL', 'pc': 10407, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'computed'}, {'opcode': 'CALL', 'pc': 12471, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'computed'}, {'opcode': 'CALL', 'pc': 12699, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'computed'}], 'guards_detected': [{'pc': 6441, 'type': 'msg_sender_eq_const', 'value': 1.2704750612363817e+48}], 'untrusted_call_count': 10}
validation_json {'attempts': 1, 'call_targets': ['0x86e3f7bd35bbd635bd41834c73356e1d9803e53b'], 'classification': 'constant_target', 'confirmed': False, 'errors': 0, 'matched_probe': None, 'sink': 'CALL', 'status': 'sink_reached', 'target_varies': False, 'trace_id': '0x6a844444ffac981267c0ed4947b8a4d4bc8fb35d609071afe4c700408dc8b11c', 'trace_mode': 'callTracer'}
Detector 1 ETH value transfer possible
severity medium confidence 40
evidence_json {'eth_value_calls': 10, 'examples': [{'opcode': 'CALL', 'pc': 10407, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'computed'}, {'opcode': 'CALL', 'pc': 12471, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'computed'}, {'opcode': 'CALL', 'pc': 12699, 'returndata_checked': None, 'target_expression_category': 'computed', 'value_expression_category': 'computed'}], 'guards_detected': [{'pc': 6441, 'type': 'msg_sender_eq_const', 'value': 1.2704750612363817e+48}]}
validation_json {'attempts': 1, 'call_targets': ['0x86e3f7bd35bbd635bd41834c73356e1d9803e53b'], 'classification': 'constant_target', 'confirmed': False, 'errors': 0, 'matched_probe': None, 'sink': 'CALL', 'status': 'sink_reached', 'target_varies': False, 'trace_id': '0x6a844444ffac981267c0ed4947b8a4d4bc8fb35d609071afe4c700408dc8b11c', 'trace_mode': 'callTracer'}
thinking
**Investigating callsite nodes in graph_json**
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
data=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
node_list=data['capability_graph']['graph_json']['nodes']
# callsite nodes
call_nodes=[n for n in node_list if n.get('type')=='callsite']
print('call_nodes', len(call_nodes))
print('first 5', call_nodes[:5])
# try to find nodes with opcodes
for n in call_nodes[:5]:
print(n)
PY" in /tmp/codex-b1robs60 succeeded in 55ms:
call_nodes 19
first 5 [{'id': 'call:4332', 'opcode': 'STATICCALL', 'pc': 4332, 'type': 'callsite'}, {'id': 'call:5592', 'opcode': 'STATICCALL', 'pc': 5592, 'type': 'callsite'}, {'id': 'call:5751', 'opcode': 'STATICCALL', 'pc': 5751, 'type': 'callsite'}, {'id': 'call:7636', 'opcode': 'STATICCALL', 'pc': 7636, 'type': 'callsite'}, {'id': 'call:7792', 'opcode': 'STATICCALL', 'pc': 7792, 'type': 'callsite'}]
{'id': 'call:4332', 'opcode': 'STATICCALL', 'pc': 4332, 'type': 'callsite'}
{'id': 'call:5592', 'opcode': 'STATICCALL', 'pc': 5592, 'type': 'callsite'}
{'id': 'call:5751', 'opcode': 'STATICCALL', 'pc': 5751, 'type': 'callsite'}
{'id': 'call:7636', 'opcode': 'STATICCALL', 'pc': 7636, 'type': 'callsite'}
{'id': 'call:7792', 'opcode': 'STATICCALL', 'pc': 7792, 'type': 'callsite'}
thinking
**Parsing edges for call nodes**
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
data=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
edge_list=data['capability_graph']['graph_json']['edges']
# gather edges for call:10407
call_id='call:10407'
related=[e for e in edge_list if e.get('src')==call_id or e.get('dst')==call_id]
print('edges for', call_id, len(related))
print(related[:20])
PY" in /tmp/codex-b1robs60 succeeded in 59ms:
edges for call:10407 0
[]
thinking
**Checking graph edges and structure**
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
data=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
edge_list=data['capability_graph']['graph_json']['edges']
print('edge example', edge_list[:10])
PY" in /tmp/codex-b1robs60 succeeded in 62ms:
edge example [{'from': 'bb:0', 'to': 'bb:875', 'type': 'control_flow'}, {'from': 'bb:0', 'to': 'bb:13', 'type': 'control_flow_fallthrough'}, {'from': 'bb:13', 'to': 'bb:880', 'type': 'control_flow'}, {'from': 'bb:13', 'to': 'bb:29', 'type': 'control_flow_fallthrough'}, {'from': 'bb:29', 'to': 'bb:931', 'type': 'control_flow'}, {'from': 'bb:29', 'to': 'bb:39', 'type': 'control_flow_fallthrough'}, {'from': 'bb:39', 'to': 'bb:963', 'type': 'control_flow'}, {'from': 'bb:39', 'to': 'bb:50', 'type': 'control_flow_fallthrough'}, {'from': 'bb:50', 'to': 'bb:1011', 'type': 'control_flow'}, {'from': 'bb:50', 'to': 'bb:61', 'type': 'control_flow_fallthrough'}]
thinking
**Analyzing CALL targets and control flow**
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
data=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
artifact=data['analysis_artifact']['artifact_json']
print('sinks', artifact.get('sinks'))
PY" in /tmp/codex-b1robs60 succeeded in 57ms:
sinks {'call': 10, 'create': 0, 'create2': 0, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 9, 'upgrade_slot_write_suspected': False}
thinking
**Analyzing low-level call risks and validations**
I'm focusing on low-level CALL instructions that send ETH with computed targets and checking whether they're properly guarded or validated. It looks like only one callsite has an ownership check, so there might be a risk if untrusted callers can trigger ETH transfers or reentrancy, but no clear evidence of state change reentrancy. I’m considering how to categorize this finding as "other" for unsafe external call surfaces. Also, missing return-data checks on low-level CALLs are a concern, and I’ll convert program counters from decimal to hex for reporting.
exec
/bin/bash -lc "python - <<'PY'
for pc in [10407,12471,12699,12833,13061,14737,16979,19147,19774,20077]:
print(pc, hex(pc))
PY" in /tmp/codex-b1robs60 succeeded in 18ms:
10407 0x28a7
12471 0x30b7
12699 0x319b
12833 0x3221
13061 0x3305
14737 0x3991
16979 0x4253
19147 0x4acb
19774 0x4d3e
20077 0x4e6d
thinking
**Considering staticcalls and guards**
exec
/bin/bash -lc "python - <<'PY'
print(hex(6441))
PY" in /tmp/codex-b1robs60 succeeded in 22ms:
0x1929
thinking
**Summarizing security findings on external CALLs**
codex
{"no_findings":false,"summary":"Bytecode analysis shows multiple low-level CALLs with computed targets and ETH value; guard detection only found a single msg.sender==constant check. Due to limited evidence, impact depends on whether these calls are user-influenced or properly restricted.","findings":[{"severity":"low","category":"other","title":"Computed CALL targets/values may allow untrusted external calls with ETH","exploit_scenario":"If any externally callable path can influence the CALL target or value (via calldata or attacker-controlled storage), an attacker could direct the contract to call arbitrary addresses and forward ETH, potentially enabling reentrancy into state-mutating flows or draining contract-held ETH/tokens. The validation trace observed a constant self-target in one probe, so exploitability is uncertain without source-level context.","recommendation":"Verify that all CALL targets are fixed or strictly whitelisted and that any value forwarded is tightly bounded. Ensure these paths are gated by appropriate access control and, where state is updated, apply checks-effects-interactions or a reentrancy guard. Consider explicit return-data checks for low-level calls.","evidence":"10 CALL sites have target_expression_category=value_expression_category=\"computed\" with returndata_checked=null. Detector findings flagged untrusted CALL target/value and ETH value transfer possible; only one heuristic guard (msg.sender == 0xde8a12735c237800000000000000000000000000) detected at pc:0x1929, not mapped to specific functions. Validation trace reported constant self-target in one run, so control of target/value is not confirmed.","locations":["pc:0x28a7","pc:0x30b7","pc:0x319b","pc:0x3221","pc:0x3305","pc:0x3991","pc:0x4253","pc:0x4acb","pc:0x4d3e","pc:0x4e6d"]}]}
tokens used
91,237
{
"codex": {
"ran_at": "2026-01-12T03:23:11.997041+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 48100,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "Bytecode analysis shows multiple low-level CALLs with computed targets and ETH value; guard detection only found a single msg.sender==constant check. Due to limited evidence, impact depends on whether these calls are user-influenced or properly restricted.",
"raw_final": {
"summary": "Bytecode analysis shows multiple low-level CALLs with computed targets and ETH value; guard detection only found a single msg.sender==constant check. Due to limited evidence, impact depends on whether these calls are user-influenced or properly restricted.",
"findings": [
{
"title": "Computed CALL targets/values may allow untrusted external calls with ETH",
"category": "other",
"evidence": "10 CALL sites have target_expression_category=value_expression_category=\"computed\" with returndata_checked=null. Detector findings flagged untrusted CALL target/value and ETH value transfer possible; only one heuristic guard (msg.sender == 0xde8a12735c237800000000000000000000000000) detected at pc:0x1929, not mapped to specific functions. Validation trace reported constant self-target in one run, so control of target/value is not confirmed.",
"severity": "low",
"locations": [
"pc:0x28a7",
"pc:0x30b7",
"pc:0x319b",
"pc:0x3221",
"pc:0x3305",
"pc:0x3991",
"pc:0x4253",
"pc:0x4acb",
"pc:0x4d3e",
"pc:0x4e6d"
],
"recommendation": "Verify that all CALL targets are fixed or strictly whitelisted and that any value forwarded is tightly bounded. Ensure these paths are gated by appropriate access control and, where state is updated, apply checks-effects-interactions or a reentrancy guard. Consider explicit return-data checks for low-level calls.",
"exploit_scenario": "If any externally callable path can influence the CALL target or value (via calldata or attacker-controlled storage), an attacker could direct the contract to call arbitrary addresses and forward ETH, potentially enabling reentrancy into state-mutating flows or draining contract-held ETH/tokens. The validation trace observed a constant self-target in one probe, so exploitability is uncertain without source-level context."
}
],
"no_findings": false
},
"no_findings": false,
"proxy_context": {
"proxy_run_id": "019bb004-7b3d-70c2-b93c-a100cd2b8bc6",
"proxy_address": "0x10fc064739ecef0a076ccce5de283b5a9e74faf6",
"implementation_run_id": "019bb005-1c17-7327-878c-60f8b94db434",
"implementation_address": "0x86e3f7bd35bbd635bd41834c73356e1d9803e53b"
},
"schema_version": 1
}
00000000: PUSH1 0x80 00000002: PUSH1 0x40 00000004: MSTORE 00000005: PUSH1 0x04 00000007: CALLDATASIZE 00000008: LT 00000009: PUSH2 0x004e 0000000c: JUMPI 0000000d: PUSH1 0x00 0000000f: CALLDATALOAD 00000010: PUSH1 0xe0 00000012: SHR 00000013: DUP1 00000014: PUSH4 0x3659cfe6 00000019: EQ 0000001a: PUSH2 0x0065 0000001d: JUMPI 0000001e: DUP1 0000001f: PUSH4 0x4f1ef286 00000024: EQ 00000025: PUSH2 0x0085 00000028: JUMPI 00000029: DUP1 0000002a: PUSH4 0x5c60da1b 0000002f: EQ 00000030: PUSH2 0x0098 00000033: JUMPI 00000034: DUP1 00000035: PUSH4 0x8f283970 0000003a: EQ 0000003b: PUSH2 0x00c9 0000003e: JUMPI 0000003f: DUP1 00000040: PUSH4 0xf851a440 00000045: EQ 00000046: PUSH2 0x00e9 00000049: JUMPI 0000004a: PUSH2 0x005d 0000004d: JUMP 0000004e: JUMPDEST 0000004f: CALLDATASIZE 00000050: PUSH2 0x005d 00000053: JUMPI 00000054: PUSH2 0x005b 00000057: PUSH2 0x00fe 0000005a: JUMP 0000005b: JUMPDEST 0000005c: STOP 0000005d: JUMPDEST 0000005e: PUSH2 0x005b 00000061: PUSH2 0x00fe 00000064: JUMP 00000065: JUMPDEST 00000066: CALLVALUE 00000067: DUP1 00000068: ISZERO 00000069: PUSH2 0x0071 0000006c: JUMPI 0000006d: PUSH1 0x00 0000006f: DUP1 00000070: REVERT 00000071: JUMPDEST 00000072: POP 00000073: PUSH2 0x005b 00000076: PUSH2 0x0080 00000079: CALLDATASIZE 0000007a: PUSH1 0x04 0000007c: PUSH2 0x06ed 0000007f: JUMP 00000080: JUMPDEST 00000081: PUSH2 0x0118 00000084: JUMP 00000085: JUMPDEST 00000086: PUSH2 0x005b 00000089: PUSH2 0x0093 0000008c: CALLDATASIZE 0000008d: PUSH1 0x04 0000008f: PUSH2 0x0707 00000092: JUMP 00000093: JUMPDEST 00000094: PUSH2 0x0164 00000097: JUMP 00000098: JUMPDEST 00000099: CALLVALUE 0000009a: DUP1 0000009b: ISZERO 0000009c: PUSH2 0x00a4 0000009f: JUMPI 000000a0: PUSH1 0x00 000000a2: DUP1 000000a3: REVERT 000000a4: JUMPDEST 000000a5: POP 000000a6: PUSH2 0x00ad 000000a9: PUSH2 0x01da 000000ac: JUMP 000000ad: JUMPDEST 000000ae: PUSH1 0x40 000000b0: MLOAD 000000b1: PUSH1 0x01 000000b3: PUSH1 0x01 000000b5: PUSH1 0xa0 000000b7: SHL 000000b8: SUB 000000b9: SWAP1 000000ba: SWAP2 000000bb: AND 000000bc: DUP2 000000bd: MSTORE 000000be: PUSH1 0x20 000000c0: ADD 000000c1: PUSH1 0x40 000000c3: MLOAD 000000c4: DUP1 000000c5: SWAP2 000000c6: SUB 000000c7: SWAP1 000000c8: RETURN 000000c9: JUMPDEST 000000ca: CALLVALUE 000000cb: DUP1 000000cc: ISZERO 000000cd: PUSH2 0x00d5 000000d0: JUMPI 000000d1: PUSH1 0x00 000000d3: DUP1 000000d4: REVERT 000000d5: JUMPDEST 000000d6: POP 000000d7: PUSH2 0x005b 000000da: PUSH2 0x00e4 000000dd: CALLDATASIZE 000000de: PUSH1 0x04 000000e0: PUSH2 0x06ed 000000e3: JUMP 000000e4: JUMPDEST 000000e5: PUSH2 0x0217 000000e8: JUMP 000000e9: JUMPDEST 000000ea: CALLVALUE 000000eb: DUP1 000000ec: ISZERO 000000ed: PUSH2 0x00f5 000000f0: JUMPI 000000f1: PUSH1 0x00 000000f3: DUP1 000000f4: REVERT 000000f5: JUMPDEST 000000f6: POP 000000f7: PUSH2 0x00ad 000000fa: PUSH2 0x0241 000000fd: JUMP 000000fe: JUMPDEST 000000ff: PUSH2 0x0106 00000102: PUSH2 0x02a2 00000105: JUMP 00000106: JUMPDEST 00000107: PUSH2 0x0116 0000010a: PUSH2 0x0111 0000010d: PUSH2 0x0346 00000110: JUMP 00000111: JUMPDEST 00000112: PUSH2 0x0355 00000115: JUMP 00000116: JUMPDEST 00000117: JUMP 00000118: JUMPDEST 00000119: PUSH2 0x0120 0000011c: PUSH2 0x0379 0000011f: JUMP 00000120: JUMPDEST 00000121: PUSH1 0x01 00000123: PUSH1 0x01 00000125: PUSH1 0xa0 00000127: SHL 00000128: SUB 00000129: AND 0000012a: CALLER 0000012b: PUSH1 0x01 0000012d: PUSH1 0x01 0000012f: PUSH1 0xa0 00000131: SHL 00000132: SUB 00000133: AND 00000134: EQ 00000135: ISZERO 00000136: PUSH2 0x0159 00000139: JUMPI 0000013a: PUSH2 0x0154 0000013d: DUP2 0000013e: PUSH1 0x40 00000140: MLOAD 00000141: DUP1 00000142: PUSH1 0x20 00000144: ADD 00000145: PUSH1 0x40 00000147: MSTORE 00000148: DUP1 00000149: PUSH1 0x00 0000014b: DUP2 0000014c: MSTORE 0000014d: POP 0000014e: PUSH1 0x00 00000150: PUSH2 0x03ac 00000153: JUMP 00000154: JUMPDEST 00000155: PUSH2 0x0161 00000158: JUMP 00000159: JUMPDEST 0000015a: PUSH2 0x0161 0000015d: PUSH2 0x00fe 00000160: JUMP 00000161: JUMPDEST 00000162: POP 00000163: JUMP 00000164: JUMPDEST 00000165: PUSH2 0x016c 00000168: PUSH2 0x0379 0000016b: JUMP 0000016c: JUMPDEST 0000016d: PUSH1 0x01 0000016f: PUSH1 0x01 00000171: PUSH1 0xa0 00000173: SHL 00000174: SUB 00000175: AND 00000176: CALLER 00000177: PUSH1 0x01 00000179: PUSH1 0x01 0000017b: PUSH1 0xa0 0000017d: SHL 0000017e: SUB 0000017f: AND 00000180: EQ 00000181: ISZERO 00000182: PUSH2 0x01cd 00000185: JUMPI 00000186: PUSH2 0x01c8 00000189: DUP4 0000018a: DUP4 0000018b: DUP4 0000018c: DUP1 0000018d: DUP1 0000018e: PUSH1 0x1f 00000190: ADD 00000191: PUSH1 0x20 00000193: DUP1 00000194: SWAP2 00000195: DIV 00000196: MUL 00000197: PUSH1 0x20 00000199: ADD 0000019a: PUSH1 0x40 0000019c: MLOAD 0000019d: SWAP1 0000019e: DUP2 0000019f: ADD 000001a0: PUSH1 0x40 000001a2: MSTORE 000001a3: DUP1 000001a4: SWAP4 000001a5: SWAP3 000001a6: SWAP2 000001a7: SWAP1 000001a8: DUP2 000001a9: DUP2 000001aa: MSTORE 000001ab: PUSH1 0x20 000001ad: ADD 000001ae: DUP4 000001af: DUP4 000001b0: DUP1 000001b1: DUP3 000001b2: DUP5 000001b3: CALLDATACOPY 000001b4: PUSH1 0x00 000001b6: SWAP3 000001b7: ADD 000001b8: SWAP2 000001b9: SWAP1 000001ba: SWAP2 000001bb: MSTORE 000001bc: POP 000001bd: PUSH1 0x01 000001bf: SWAP3 000001c0: POP 000001c1: PUSH2 0x03ac 000001c4: SWAP2 000001c5: POP 000001c6: POP 000001c7: JUMP 000001c8: JUMPDEST 000001c9: PUSH2 0x01d5 000001cc: JUMP 000001cd: JUMPDEST 000001ce: PUSH2 0x01d5 000001d1: PUSH2 0x00fe 000001d4: JUMP 000001d5: JUMPDEST 000001d6: POP 000001d7: POP 000001d8: POP 000001d9: JUMP 000001da: JUMPDEST 000001db: PUSH1 0x00 000001dd: PUSH2 0x01e4 000001e0: PUSH2 0x0379 000001e3: JUMP 000001e4: JUMPDEST 000001e5: PUSH1 0x01 000001e7: PUSH1 0x01 000001e9: PUSH1 0xa0 000001eb: SHL 000001ec: SUB 000001ed: AND 000001ee: CALLER 000001ef: PUSH1 0x01 000001f1: PUSH1 0x01 000001f3: PUSH1 0xa0 000001f5: SHL 000001f6: SUB 000001f7: AND 000001f8: EQ 000001f9: ISZERO 000001fa: PUSH2 0x020c 000001fd: JUMPI 000001fe: PUSH2 0x0205 00000201: PUSH2 0x0346 00000204: JUMP 00000205: JUMPDEST 00000206: SWAP1 00000207: POP 00000208: PUSH2 0x0214 0000020b: JUMP 0000020c: JUMPDEST 0000020d: PUSH2 0x0214 00000210: PUSH2 0x00fe 00000213: JUMP 00000214: JUMPDEST 00000215: SWAP1 00000216: JUMP 00000217: JUMPDEST 00000218: PUSH2 0x021f 0000021b: PUSH2 0x0379 0000021e: JUMP 0000021f: JUMPDEST 00000220: PUSH1 0x01 00000222: PUSH1 0x01 00000224: PUSH1 0xa0 00000226: SHL 00000227: SUB 00000228: AND 00000229: CALLER 0000022a: PUSH1 0x01 0000022c: PUSH1 0x01 0000022e: PUSH1 0xa0 00000230: SHL 00000231: SUB 00000232: AND 00000233: EQ 00000234: ISZERO 00000235: PUSH2 0x0159 00000238: JUMPI 00000239: PUSH2 0x0154 0000023c: DUP2 0000023d: PUSH2 0x040b 00000240: JUMP 00000241: JUMPDEST 00000242: PUSH1 0x00 00000244: PUSH2 0x024b 00000247: PUSH2 0x0379 0000024a: JUMP 0000024b: JUMPDEST 0000024c: PUSH1 0x01 0000024e: PUSH1 0x01 00000250: PUSH1 0xa0 00000252: SHL 00000253: SUB 00000254: AND 00000255: CALLER 00000256: PUSH1 0x01 00000258: PUSH1 0x01 0000025a: PUSH1 0xa0 0000025c: SHL 0000025d: SUB 0000025e: AND 0000025f: EQ 00000260: ISZERO 00000261: PUSH2 0x020c 00000264: JUMPI 00000265: PUSH2 0x0205 00000268: PUSH2 0x0379 0000026b: JUMP 0000026c: JUMPDEST 0000026d: PUSH1 0x60 0000026f: PUSH2 0x0291 00000272: DUP4 00000273: DUP4 00000274: PUSH1 0x40 00000276: MLOAD 00000277: DUP1 00000278: PUSH1 0x60 0000027a: ADD 0000027b: PUSH1 0x40 0000027d: MSTORE 0000027e: DUP1 0000027f: PUSH1 0x27 00000281: DUP2 00000282: MSTORE 00000283: PUSH1 0x20 00000285: ADD 00000286: PUSH2 0x0801 00000289: PUSH1 0x27 0000028b: SWAP2 0000028c: CODECOPY 0000028d: PUSH2 0x045f 00000290: JUMP 00000291: JUMPDEST 00000292: SWAP4 00000293: SWAP3 00000294: POP 00000295: POP 00000296: POP 00000297: JUMP 00000298: JUMPDEST 00000299: DUP1 0000029a: EXTCODESIZE 0000029b: ISZERO 0000029c: ISZERO 0000029d: JUMPDEST 0000029e: SWAP2 0000029f: SWAP1 000002a0: POP 000002a1: JUMP 000002a2: JUMPDEST 000002a3: PUSH2 0x02aa 000002a6: PUSH2 0x0379 000002a9: JUMP 000002aa: JUMPDEST 000002ab: PUSH1 0x01 000002ad: PUSH1 0x01 000002af: PUSH1 0xa0 000002b1: SHL 000002b2: SUB 000002b3: AND 000002b4: CALLER 000002b5: PUSH1 0x01 000002b7: PUSH1 0x01 000002b9: PUSH1 0xa0 000002bb: SHL 000002bc: SUB 000002bd: AND 000002be: EQ 000002bf: ISZERO 000002c0: PUSH2 0x0341 000002c3: JUMPI 000002c4: PUSH1 0x40 000002c6: MLOAD 000002c7: PUSH3 0x461bcd 000002cb: PUSH1 0xe5 000002cd: SHL 000002ce: DUP2 000002cf: MSTORE 000002d0: PUSH1 0x20 000002d2: PUSH1 0x04 000002d4: DUP3 000002d5: ADD 000002d6: MSTORE 000002d7: PUSH1 0x42 000002d9: PUSH1 0x24 000002db: DUP3 000002dc: ADD 000002dd: MSTORE 000002de: PUSH32 0x5472616e73706172656e745570677261646561626c6550726f78793a2061646d 000002ff: PUSH1 0x44 00000301: DUP3 00000302: ADD 00000303: MSTORE 00000304: PUSH32 0x696e2063616e6e6f742066616c6c6261636b20746f2070726f78792074617267 00000325: PUSH1 0x64 00000327: DUP3 00000328: ADD 00000329: MSTORE 0000032a: PUSH2 0x195d 0000032d: PUSH1 0xf2 0000032f: SHL 00000330: PUSH1 0x84 00000332: DUP3 00000333: ADD 00000334: MSTORE 00000335: PUSH1 0xa4 00000337: ADD 00000338: JUMPDEST 00000339: PUSH1 0x40 0000033b: MLOAD 0000033c: DUP1 0000033d: SWAP2 0000033e: SUB 0000033f: SWAP1 00000340: REVERT 00000341: JUMPDEST 00000342: PUSH2 0x0116 00000345: JUMP 00000346: JUMPDEST 00000347: PUSH1 0x00 00000349: PUSH2 0x0350 0000034c: PUSH2 0x053a 0000034f: JUMP 00000350: JUMPDEST 00000351: SWAP1 00000352: POP 00000353: SWAP1 00000354: JUMP 00000355: JUMPDEST 00000356: CALLDATASIZE 00000357: PUSH1 0x00 00000359: DUP1 0000035a: CALLDATACOPY 0000035b: PUSH1 0x00 0000035d: DUP1 0000035e: CALLDATASIZE 0000035f: PUSH1 0x00 00000361: DUP5 00000362: GAS 00000363: DELEGATECALL 00000364: RETURNDATASIZE 00000365: PUSH1 0x00 00000367: DUP1 00000368: RETURNDATACOPY 00000369: DUP1 0000036a: DUP1 0000036b: ISZERO 0000036c: PUSH2 0x0374 0000036f: JUMPI 00000370: RETURNDATASIZE 00000371: PUSH1 0x00 00000373: RETURN 00000374: JUMPDEST 00000375: RETURNDATASIZE 00000376: PUSH1 0x00 00000378: REVERT 00000379: JUMPDEST 0000037a: PUSH1 0x00 0000037c: PUSH32 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103 0000039d: JUMPDEST 0000039e: SLOAD 0000039f: PUSH1 0x01 000003a1: PUSH1 0x01 000003a3: PUSH1 0xa0 000003a5: SHL 000003a6: SUB 000003a7: AND 000003a8: SWAP1 000003a9: POP 000003aa: SWAP1 000003ab: JUMP 000003ac: JUMPDEST 000003ad: PUSH2 0x03b5 000003b0: DUP4 000003b1: PUSH2 0x0562 000003b4: JUMP 000003b5: JUMPDEST 000003b6: PUSH1 0x40 000003b8: MLOAD 000003b9: PUSH1 0x01 000003bb: PUSH1 0x01 000003bd: PUSH1 0xa0 000003bf: SHL 000003c0: SUB 000003c1: DUP5 000003c2: AND 000003c3: SWAP1 000003c4: PUSH32 0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b 000003e5: SWAP1 000003e6: PUSH1 0x00 000003e8: SWAP1 000003e9: LOG2 000003ea: PUSH1 0x00 000003ec: DUP3 000003ed: MLOAD 000003ee: GT 000003ef: DUP1 000003f0: PUSH2 0x03f6 000003f3: JUMPI 000003f4: POP 000003f5: DUP1 000003f6: JUMPDEST 000003f7: ISZERO 000003f8: PUSH2 0x01d5 000003fb: JUMPI 000003fc: PUSH2 0x0405 000003ff: DUP4 00000400: DUP4 00000401: PUSH2 0x026c 00000404: JUMP 00000405: JUMPDEST 00000406: POP 00000407: POP 00000408: POP 00000409: POP 0000040a: JUMP 0000040b: JUMPDEST 0000040c: PUSH32 0x7e644d79422f17c01e4894b5f4f588d331ebfa28653d42ae832dc59e38c9798f 0000042d: PUSH2 0x0434 00000430: PUSH2 0x0379 00000433: JUMP 00000434: JUMPDEST 00000435: PUSH1 0x40 00000437: DUP1 00000438: MLOAD 00000439: PUSH1 0x01 0000043b: PUSH1 0x01 0000043d: PUSH1 0xa0 0000043f: SHL 00000440: SUB 00000441: SWAP3 00000442: DUP4 00000443: AND 00000444: DUP2 00000445: MSTORE 00000446: SWAP2 00000447: DUP5 00000448: AND 00000449: PUSH1 0x20 0000044b: DUP4 0000044c: ADD 0000044d: MSTORE 0000044e: ADD 0000044f: PUSH1 0x40 00000451: MLOAD 00000452: DUP1 00000453: SWAP2 00000454: SUB 00000455: SWAP1 00000456: LOG1 00000457: PUSH2 0x0161 0000045a: DUP2 0000045b: PUSH2 0x0611 0000045e: JUMP 0000045f: JUMPDEST 00000460: PUSH1 0x60 00000462: PUSH2 0x046a 00000465: DUP5 00000466: PUSH2 0x0298 00000469: JUMP 0000046a: JUMPDEST 0000046b: PUSH2 0x04c5 0000046e: JUMPI 0000046f: PUSH1 0x40 00000471: MLOAD 00000472: PUSH3 0x461bcd 00000476: PUSH1 0xe5 00000478: SHL 00000479: DUP2 0000047a: MSTORE 0000047b: PUSH1 0x20 0000047d: PUSH1 0x04 0000047f: DUP3 00000480: ADD 00000481: MSTORE 00000482: PUSH1 0x26 00000484: PUSH1 0x24 00000486: DUP3 00000487: ADD 00000488: MSTORE 00000489: PUSH32 0x416464726573733a2064656c65676174652063616c6c20746f206e6f6e2d636f 000004aa: PUSH1 0x44 000004ac: DUP3 000004ad: ADD 000004ae: MSTORE 000004af: PUSH6 0x1b9d1c9858dd 000004b6: PUSH1 0xd2 000004b8: SHL 000004b9: PUSH1 0x64 000004bb: DUP3 000004bc: ADD 000004bd: MSTORE 000004be: PUSH1 0x84 000004c0: ADD 000004c1: PUSH2 0x0338 000004c4: JUMP 000004c5: JUMPDEST 000004c6: PUSH1 0x00 000004c8: DUP1 000004c9: DUP6 000004ca: PUSH1 0x01 000004cc: PUSH1 0x01 000004ce: PUSH1 0xa0 000004d0: SHL 000004d1: SUB 000004d2: AND 000004d3: DUP6 000004d4: PUSH1 0x40 000004d6: MLOAD 000004d7: PUSH2 0x04e0 000004da: SWAP2 000004db: SWAP1 000004dc: PUSH2 0x0785 000004df: JUMP 000004e0: JUMPDEST 000004e1: PUSH1 0x00 000004e3: PUSH1 0x40 000004e5: MLOAD 000004e6: DUP1 000004e7: DUP4 000004e8: SUB 000004e9: DUP2 000004ea: DUP6 000004eb: GAS 000004ec: DELEGATECALL 000004ed: SWAP2 000004ee: POP 000004ef: POP 000004f0: RETURNDATASIZE 000004f1: DUP1 000004f2: PUSH1 0x00 000004f4: DUP2 000004f5: EQ 000004f6: PUSH2 0x051b 000004f9: JUMPI 000004fa: PUSH1 0x40 000004fc: MLOAD 000004fd: SWAP2 000004fe: POP 000004ff: PUSH1 0x1f 00000501: NOT 00000502: PUSH1 0x3f 00000504: RETURNDATASIZE 00000505: ADD 00000506: AND 00000507: DUP3 00000508: ADD 00000509: PUSH1 0x40 0000050b: MSTORE 0000050c: RETURNDATASIZE 0000050d: DUP3 0000050e: MSTORE 0000050f: RETURNDATASIZE 00000510: PUSH1 0x00 00000512: PUSH1 0x20 00000514: DUP5 00000515: ADD 00000516: RETURNDATACOPY 00000517: PUSH2 0x0520 0000051a: JUMP 0000051b: JUMPDEST 0000051c: PUSH1 0x60 0000051e: SWAP2 0000051f: POP 00000520: JUMPDEST 00000521: POP 00000522: SWAP2 00000523: POP 00000524: SWAP2 00000525: POP 00000526: PUSH2 0x0530 00000529: DUP3 0000052a: DUP3 0000052b: DUP7 0000052c: PUSH2 0x069d 0000052f: JUMP 00000530: JUMPDEST 00000531: SWAP7 00000532: SWAP6 00000533: POP 00000534: POP 00000535: POP 00000536: POP 00000537: POP 00000538: POP 00000539: JUMP 0000053a: JUMPDEST 0000053b: PUSH1 0x00 0000053d: PUSH32 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc 0000055e: PUSH2 0x039d 00000561: JUMP 00000562: JUMPDEST 00000563: PUSH2 0x056b 00000566: DUP2 00000567: PUSH2 0x0298 0000056a: JUMP 0000056b: JUMPDEST 0000056c: PUSH2 0x05cd 0000056f: JUMPI 00000570: PUSH1 0x40 00000572: MLOAD 00000573: PUSH3 0x461bcd 00000577: PUSH1 0xe5 00000579: SHL 0000057a: DUP2 0000057b: MSTORE 0000057c: PUSH1 0x20 0000057e: PUSH1 0x04 00000580: DUP3 00000581: ADD 00000582: MSTORE 00000583: PUSH1 0x2d 00000585: PUSH1 0x24 00000587: DUP3 00000588: ADD 00000589: MSTORE 0000058a: PUSH32 0x455243313936373a206e657720696d706c656d656e746174696f6e206973206e 000005ab: PUSH1 0x44 000005ad: DUP3 000005ae: ADD 000005af: MSTORE 000005b0: PUSH13 0x1bdd08184818dbdb9d1c9858dd 000005be: PUSH1 0x9a 000005c0: SHL 000005c1: PUSH1 0x64 000005c3: DUP3 000005c4: ADD 000005c5: MSTORE 000005c6: PUSH1 0x84 000005c8: ADD 000005c9: PUSH2 0x0338 000005cc: JUMP 000005cd: JUMPDEST 000005ce: DUP1 000005cf: PUSH32 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc 000005f0: JUMPDEST 000005f1: DUP1 000005f2: SLOAD 000005f3: PUSH1 0x01 000005f5: PUSH1 0x01 000005f7: PUSH1 0xa0 000005f9: SHL 000005fa: SUB 000005fb: NOT 000005fc: AND 000005fd: PUSH1 0x01 000005ff: PUSH1 0x01 00000601: PUSH1 0xa0 00000603: SHL 00000604: SUB 00000605: SWAP3 00000606: SWAP1 00000607: SWAP3 00000608: AND 00000609: SWAP2 0000060a: SWAP1 0000060b: SWAP2 0000060c: OR 0000060d: SWAP1 0000060e: SSTORE 0000060f: POP 00000610: JUMP 00000611: JUMPDEST 00000612: PUSH1 0x01 00000614: PUSH1 0x01 00000616: PUSH1 0xa0 00000618: SHL 00000619: SUB 0000061a: DUP2 0000061b: AND 0000061c: PUSH2 0x0676 0000061f: JUMPI 00000620: PUSH1 0x40 00000622: MLOAD 00000623: PUSH3 0x461bcd 00000627: PUSH1 0xe5 00000629: SHL 0000062a: DUP2 0000062b: MSTORE 0000062c: PUSH1 0x20 0000062e: PUSH1 0x04 00000630: DUP3 00000631: ADD 00000632: MSTORE 00000633: PUSH1 0x26 00000635: PUSH1 0x24 00000637: DUP3 00000638: ADD 00000639: MSTORE 0000063a: PUSH32 0x455243313936373a206e65772061646d696e20697320746865207a65726f2061 0000065b: PUSH1 0x44 0000065d: DUP3 0000065e: ADD 0000065f: MSTORE 00000660: PUSH6 0x646472657373 00000667: PUSH1 0xd0 00000669: SHL 0000066a: PUSH1 0x64 0000066c: DUP3 0000066d: ADD 0000066e: MSTORE 0000066f: PUSH1 0x84 00000671: ADD 00000672: PUSH2 0x0338 00000675: JUMP 00000676: JUMPDEST 00000677: DUP1 00000678: PUSH32 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103 00000699: PUSH2 0x05f0 0000069c: JUMP 0000069d: JUMPDEST 0000069e: PUSH1 0x60 000006a0: DUP4 000006a1: ISZERO 000006a2: PUSH2 0x06ac 000006a5: JUMPI 000006a6: POP 000006a7: DUP2 000006a8: PUSH2 0x0291 000006ab: JUMP 000006ac: JUMPDEST 000006ad: DUP3 000006ae: MLOAD 000006af: ISZERO 000006b0: PUSH2 0x06bc 000006b3: JUMPI 000006b4: DUP3 000006b5: MLOAD 000006b6: DUP1 000006b7: DUP5 000006b8: PUSH1 0x20 000006ba: ADD 000006bb: REVERT 000006bc: JUMPDEST 000006bd: DUP2 000006be: PUSH1 0x40 000006c0: MLOAD 000006c1: PUSH3 0x461bcd 000006c5: PUSH1 0xe5 000006c7: SHL 000006c8: DUP2 000006c9: MSTORE 000006ca: PUSH1 0x04 000006cc: ADD 000006cd: PUSH2 0x0338 000006d0: SWAP2 000006d1: SWAP1 000006d2: PUSH2 0x07a1 000006d5: JUMP 000006d6: JUMPDEST 000006d7: DUP1 000006d8: CALLDATALOAD 000006d9: PUSH1 0x01 000006db: PUSH1 0x01 000006dd: PUSH1 0xa0 000006df: SHL 000006e0: SUB 000006e1: DUP2 000006e2: AND 000006e3: DUP2 000006e4: EQ 000006e5: PUSH2 0x029d 000006e8: JUMPI 000006e9: PUSH1 0x00 000006eb: DUP1 000006ec: REVERT 000006ed: JUMPDEST 000006ee: PUSH1 0x00 000006f0: PUSH1 0x20 000006f2: DUP3 000006f3: DUP5 000006f4: SUB 000006f5: SLT 000006f6: ISZERO 000006f7: PUSH2 0x06fe 000006fa: JUMPI 000006fb: DUP1 000006fc: DUP2 000006fd: REVERT 000006fe: JUMPDEST 000006ff: PUSH2 0x0291 00000702: DUP3 00000703: PUSH2 0x06d6 00000706: JUMP 00000707: JUMPDEST 00000708: PUSH1 0x00 0000070a: DUP1 0000070b: PUSH1 0x00 0000070d: PUSH1 0x40 0000070f: DUP5 00000710: DUP7 00000711: SUB 00000712: SLT 00000713: ISZERO 00000714: PUSH2 0x071b 00000717: JUMPI 00000718: DUP2 00000719: DUP3 0000071a: REVERT 0000071b: JUMPDEST 0000071c: PUSH2 0x0724 0000071f: DUP5 00000720: PUSH2 0x06d6 00000723: JUMP 00000724: JUMPDEST 00000725: SWAP3 00000726: POP 00000727: PUSH1 0x20 00000729: DUP5 0000072a: ADD 0000072b: CALLDATALOAD 0000072c: PUSH8 0xffffffffffffffff 00000735: DUP1 00000736: DUP3 00000737: GT 00000738: ISZERO 00000739: PUSH2 0x0740 0000073c: JUMPI 0000073d: DUP4 0000073e: DUP5 0000073f: REVERT 00000740: JUMPDEST 00000741: DUP2 00000742: DUP7 00000743: ADD 00000744: SWAP2 00000745: POP 00000746: DUP7 00000747: PUSH1 0x1f 00000749: DUP4 0000074a: ADD 0000074b: SLT 0000074c: PUSH2 0x0753 0000074f: JUMPI 00000750: DUP4 00000751: DUP5 00000752: REVERT 00000753: JUMPDEST 00000754: DUP2 00000755: CALLDATALOAD 00000756: DUP2 00000757: DUP2 00000758: GT 00000759: ISZERO 0000075a: PUSH2 0x0761 0000075d: JUMPI 0000075e: DUP5 0000075f: DUP6 00000760: REVERT 00000761: JUMPDEST 00000762: DUP8 00000763: PUSH1 0x20 00000765: DUP3 00000766: DUP6 00000767: ADD 00000768: ADD 00000769: GT 0000076a: ISZERO 0000076b: PUSH2 0x0772 0000076e: JUMPI 0000076f: DUP5 00000770: DUP6 00000771: REVERT 00000772: JUMPDEST 00000773: PUSH1 0x20 00000775: DUP4 00000776: ADD 00000777: SWAP5 00000778: POP 00000779: DUP1 0000077a: SWAP4 0000077b: POP 0000077c: POP 0000077d: POP 0000077e: POP 0000077f: SWAP3 00000780: POP 00000781: SWAP3 00000782: POP 00000783: SWAP3 00000784: JUMP 00000785: JUMPDEST 00000786: PUSH1 0x00 00000788: DUP3 00000789: MLOAD 0000078a: PUSH2 0x0797 0000078d: DUP2 0000078e: DUP5 0000078f: PUSH1 0x20 00000791: DUP8 00000792: ADD 00000793: PUSH2 0x07d4 00000796: JUMP 00000797: JUMPDEST 00000798: SWAP2 00000799: SWAP1 0000079a: SWAP2 0000079b: ADD 0000079c: SWAP3 0000079d: SWAP2 0000079e: POP 0000079f: POP 000007a0: JUMP 000007a1: JUMPDEST 000007a2: PUSH1 0x00 000007a4: PUSH1 0x20 000007a6: DUP3 000007a7: MSTORE 000007a8: DUP3 000007a9: MLOAD 000007aa: DUP1 000007ab: PUSH1 0x20 000007ad: DUP5 000007ae: ADD 000007af: MSTORE 000007b0: PUSH2 0x07c0 000007b3: DUP2 000007b4: PUSH1 0x40 000007b6: DUP6 000007b7: ADD 000007b8: PUSH1 0x20 000007ba: DUP8 000007bb: ADD 000007bc: PUSH2 0x07d4 000007bf: JUMP 000007c0: JUMPDEST 000007c1: PUSH1 0x1f 000007c3: ADD 000007c4: PUSH1 0x1f 000007c6: NOT 000007c7: AND 000007c8: SWAP2 000007c9: SWAP1 000007ca: SWAP2 000007cb: ADD 000007cc: PUSH1 0x40 000007ce: ADD 000007cf: SWAP3 000007d0: SWAP2 000007d1: POP 000007d2: POP 000007d3: JUMP 000007d4: JUMPDEST 000007d5: PUSH1 0x00 000007d7: JUMPDEST 000007d8: DUP4 000007d9: DUP2 000007da: LT 000007db: ISZERO 000007dc: PUSH2 0x07ef 000007df: JUMPI 000007e0: DUP2 000007e1: DUP2 000007e2: ADD 000007e3: MLOAD 000007e4: DUP4 000007e5: DUP3 000007e6: ADD 000007e7: MSTORE 000007e8: PUSH1 0x20 000007ea: ADD 000007eb: PUSH2 0x07d7 000007ee: JUMP 000007ef: JUMPDEST 000007f0: DUP4 000007f1: DUP2 000007f2: GT 000007f3: ISZERO 000007f4: PUSH2 0x0405 000007f7: JUMPI 000007f8: POP 000007f9: POP 000007fa: PUSH1 0x00 000007fc: SWAP2 000007fd: ADD 000007fe: MSTORE 000007ff: JUMP 00000800: INVALID 00000801: COINBASE 00000802: PUSH5 0x6472657373 00000808: GASPRICE 00000809: KECCAK256 0000080a: PUSH13 0x6f772d6c6576656c2064656c65 00000818: PUSH8 0x6174652063616c6c 00000821: KECCAK256 00000822: PUSH7 0x61696c6564a264 0000082a: PUSH10 0x7066735822122093f028 00000835: UNKNOWN(0x25) 00000836: POP 00000837: CALLDATALOAD 00000838: UNKNOWN(0xB6) 00000839: SAR 0000083a: DELEGATECALL 0000083b: PUSH23 0xb13b9dba3c4f06f60e51b9b4caee31680b389aef327f64 00000853: PUSH20
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| critical | upgradeability | detector | Untrusted DELEGATECALL target reachable | 70 | no | no |
viewtrace_id: 0x184966ffed0c7e6984788f49f7683e6cabb0520145f5afd3eeca8c0c8e013061
call_targets:
0x86e3f7bd35bbd635bd41834c73356e1d9803e53b
target_varies:
no
classification:
constant_target
validation_json{
"sink": "DELEGATECALL",
"errors": 0,
"status": "sink_reached",
"attempts": 2,
"trace_id": "0x184966ffed0c7e6984788f49f7683e6cabb0520145f5afd3eeca8c0c8e013061",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0x86e3f7bd35bbd635bd41834c73356e1d9803e53b"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x3659cfe6",
"selector": "0x3659cfe6",
"calldata_variants": [
"0x3659cfe6",
"0x3659cfe60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x4f1ef286",
"selector": "0x4f1ef286",
"calldata_variants": [
"0x4f1ef286",
"0x4f1ef2860000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x5c60da1b",
"selector": "0x5c60da1b",
"calldata_variants": [
"0x5c60da1b",
"0x5c60da1b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x8f283970",
"selector": "0x8f283970",
"calldata_variants": [
"0x8f283970",
"0x8f2839700000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xf851a440",
"selector": "0xf851a440",
"calldata_variants": [
"0xf851a440",
"0xf851a4400000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 867,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
},
{
"pc": 1260,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
},
{
"pc": 2106,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
}
],
"guards_detected": [],
"delegatecall_count": 3,
"untrusted_delegatecall_count": 3
}
|
| medium | upgradeability | cast | DELEGATECALL present | 80 | no | — |
viewevidence_json{
"notes": "delegatecall enables execution in caller context; common in proxies/upgradeable patterns",
"delegatecall_count": 3
}
|
| low | other | codex | Computed CALL targets/values may allow untrusted external calls with ETH | 65 | no | — |
viewevidence_json{
"evidence": "10 CALL sites have target_expression_category=value_expression_category=\"computed\" with returndata_checked=null. Detector findings flagged untrusted CALL target/value and ETH value transfer possible; only one heuristic guard (msg.sender == 0xde8a12735c237800000000000000000000000000) detected at pc:0x1929, not mapped to specific functions. Validation trace reported constant self-target in one run, so control of target/value is not confirmed.",
"locations": [
"pc:0x28a7",
"pc:0x30b7",
"pc:0x319b",
"pc:0x3221",
"pc:0x3305",
"pc:0x3991",
"pc:0x4253",
"pc:0x4acb",
"pc:0x4d3e",
"pc:0x4e6d"
],
"recommendation": "Verify that all CALL targets are fixed or strictly whitelisted and that any value forwarded is tightly bounded. Ensure these paths are gated by appropriate access control and, where state is updated, apply checks-effects-interactions or a reentrancy guard. Consider explicit return-data checks for low-level calls.",
"exploit_scenario": "If any externally callable path can influence the CALL target or value (via calldata or attacker-controlled storage), an attacker could direct the contract to call arbitrary addresses and forward ETH, potentially enabling reentrancy into state-mutating flows or draining contract-held ETH/tokens. The validation trace observed a constant self-target in one probe, so exploitability is uncertain without source-level context."
}
|