019bb377-69a4-71cb-9ad1-0ec87c6b314a
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 39818 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 39819 | proxy.resolve | complete | 1 / 3 | 3 months ago |
| 39820 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 39821 | analysis.bundle | complete | 1 / 3 | 3 months ago |
| 39822 | capability.graph | complete | 1 / 3 | 3 months ago |
| 39823 | detector.run | complete | 1 / 3 | 3 months ago |
| 39824 | validation.fork | complete | 1 / 3 | 3 months ago |
| 39956 | report.consolidate | complete | 1 / 6 | 3 months ago |
{
"status": "not_proxy"
}
No slither job recorded yet.
{"no_findings":false,"summary":"Bytecode shows multiple external CALLs to computed targets (ERC20-style selectors) with state updates happening after the calls and no explicit reentrancy guard detected; ERC20 return data is not validated beyond CALL success. Evidence is bytecode-only, so selector inference/intent is best-effort.","findings":[{"severity":"medium","category":"reentrancy","title":"External CALLs occur before state updates (reentrancy window)","exploit_scenario":"If the external CALL target (likely a token contract address loaded from storage) is malicious or upgradeable, it can reenter during the CALL and invoke state-changing entrypoints before accounting is updated. Because storage writes occur after the CALLs (e.g., mapping/counter updates), a reentrant call could bypass limits or double-count contributions. This is especially relevant for public functions that process payments/transfers.","recommendation":"Apply checks-effects-interactions: update internal accounting before external calls, or add a reentrancy guard. Prefer STATICCALL for read-only token queries when possible.","evidence":"Bytecode disassembly shows CALL followed by SSTORE in the same control flow with no guard detection. Examples: CALL at pc:0x05a9 then SSTORE at pc:0x05f3; CALL at pc:0x0651 then SSTORE at pc:0x067d; CALL at pc:0x09ca then SSTORE at pc:0x09f3. Call targets are stack-derived (computed) with EXTCODESIZE checks, indicating external interactions.","locations":["pc:0x05a9","pc:0x05f3","pc:0x0651","pc:0x067d","pc:0x09ca","pc:0x09f3"]},{"severity":"low","category":"other","title":"ERC20 low-level CALLs do not validate return data","exploit_scenario":"If the token returns `false` without reverting (or returns malformed data), these CALLs will still be treated as success because only the CALL success flag is checked. This can lead to accounting mismatches where state updates/logs proceed but tokens were not actually transferred.","recommendation":"Adopt a SafeERC20-style check: accept empty return data or explicitly decode a boolean `true` response; otherwise revert.","evidence":"Bytecode constructs calldata for selectors (e.g., `0xa9059cbb`, `0xa521ebfa`, `0x70a08231`) and performs CALLs with `ISZERO ISZERO` success checks only; no `RETURNDATASIZE/RETURNDATACOPY`-based boolean validation is present around these callsites.","locations":["pc:0x0651","pc:0x08cc","pc:0x092a","pc:0x0a65","pc:0x0b62","pc:0x0bc0","selector:0xa9059cbb","selector:0xa521ebfa","selector:0x70a08231"]}]}
OpenAI Codex v0.77.0 (research preview)
--------
workdir: /tmp/codex-lsg75pjp
model: gpt-5.2-codex
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: auto
session id: 019bb38f-a17f-76a2-9721-ad9da250e8cf
--------
user
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
mcp startup: no servers
thinking
**Preparing to read BYTECODE_BUNDLE.json**
exec
/bin/bash -lc ls in /tmp/codex-lsg75pjp succeeded in 6ms:
BYTECODE_BUNDLE.json
codex-output-schema.json
thinking
**Reading BYTECODE_BUNDLE.json**
exec
/bin/bash -lc 'cat BYTECODE_BUNDLE.json' in /tmp/codex-lsg75pjp succeeded in 7ms:
{
"analysis_artifact": {
"address": "0x5087fecec9b7386d1f2417fd779e1fd9bf509466",
"artifact_hash": "0x349077ae5a87bbead0feffb5f32c9348eac430b60a0526128403564cafe08031",
"artifact_json": {
"auth": {
"guards": []
},
"basic_blocks": [
{
"end_pc": 10,
"hash": "0x9b47076c3adbd96720e085efb41ab95860d2d3f1f199f9b1aeae79f5f0665190",
"opcodes": [
"PUSH1",
"PUSH1",
"MSTORE",
"CALLDATASIZE",
"ISZERO",
"PUSH2",
"JUMPI"
thinking
**Investigating bytecode callsites and access control**
exec
/bin/bash -lc 'rg -n "storage" BYTECODE_BUNDLE.json | head' in /tmp/codex-lsg75pjp succeeded in 18ms:
5152: "storage": {
5461: "storage": {
5770: "storage": {
6079: "storage": {
6388: "storage": {
6697: "storage": {
7006: "storage": {
7315: "storage": {
7624: "storage": {
7933: "storage": {
thinking
**Exploring detector-related sections**
exec
/bin/bash -lc "sed -n '5100,5205p' BYTECODE_BUNDLE.json" in /tmp/codex-lsg75pjp succeeded in 6ms:
"selector": "0x78e97925"
},
{
"entry_pc": 2374970075,
"selector": "0x7ff9b596"
},
{
"entry_pc": 2376452955,
"selector": "0x8d8f2adb"
},
{
"entry_pc": 2422875872,
"selector": "0x8da5cb5b"
},
{
"entry_pc": 3622194176,
"selector": "0x906a26e0"
},
{
"entry_pc": 3974647765,
thinking
**Investigating function list and callsites**
exec
/bin/bash -lc 'rg -n "callsite" BYTECODE_BUNDLE.json | head' in /tmp/codex-lsg75pjp succeeded in 14ms:
3886: "callsites": [
14676: "type": "callsite"
14682: "type": "callsite"
14688: "type": "callsite"
14694: "type": "callsite"
14700: "type": "callsite"
14706: "type": "callsite"
14712: "type": "callsite"
14718: "type": "callsite"
14724: "type": "callsite"
thinking
**Reviewing callsites in code region**
exec
/bin/bash -lc "sed -n '3820,3925p' BYTECODE_BUNDLE.json" in /tmp/codex-lsg75pjp succeeded in 8ms:
"POP"
],
"start_pc": 3193
},
{
"end_pc": 3203,
"hash": "0x2b6dedea5547d66ae8513d78d21e86ecc90792ad22227d64ec45e287e1f538df",
"opcodes": [
"JUMPDEST",
"POP",
"OP_92",
"OP_91",
"POP",
"POP",
"JUMP"
],
"start_pc": 3197
},
{
"end_pc": 3204,
thinking
**Analyzing callsites and storage writes**
exec
/bin/bash -lc 'rg -n "writes" BYTECODE_BUNDLE.json | head' in /tmp/codex-lsg75pjp succeeded in 7ms:
5446: "writes": 9
5755: "writes": 9
6064: "writes": 9
6373: "writes": 9
6682: "writes": 9
6991: "writes": 9
7300: "writes": 9
7609: "writes": 9
7918: "writes": 9
8227: "writes": 9
thinking
**Inspecting functions with writes**
exec
/bin/bash -lc "sed -n '5360,5485p' BYTECODE_BUNDLE.json" in /tmp/codex-lsg75pjp succeeded in 6ms:
{
"op": "SLOAD",
"pc": 2550,
"slot": "0x000000000000000000000000000000000000000000000000000000000000000b"
},
{
"op": "SLOAD",
"pc": 2572,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
},
{
"op": "SLOAD",
"pc": 2746,
"slot": "0x000000000000000000000000000000000000000000000000000000000000000b"
},
{
"op": "SLOAD",
"pc": 2752,
"slot": "0x000000000000000000000000000000000000000000000000000000000000000c"
},
thinking
**Analyzing repeated function storage behavior**
I'm noticing identical storage reads and writes across functions, which might be an artifact or bug. Focusing on untrusted call targets, I see calls to the contract itself, possibly internal or fallback calls. There’s no evidence of upgradeability or explicit access controls, though ownership functions exist without detected guards. Given heuristic limitations, I'll conservatively flag untrusted external calls without guards and potential reentrancy risks, and I'll investigate storage writes using SSTORE references for more clues.
exec
/bin/bash -lc 'rg -n "SSTORE" BYTECODE_BUNDLE.json | head' in /tmp/codex-lsg75pjp succeeded in 14ms:
1793: "SSTORE",
2024: "SSTORE"
2157: "SSTORE",
2176: "SSTORE",
2195: "SSTORE",
2866: "SSTORE",
3089: "SSTORE",
3108: "SSTORE",
3727: "SSTORE"
thinking
**Inspecting context around SSTOREs**
exec
/bin/bash -lc "sed -n '1680,1845p' BYTECODE_BUNDLE.json" in /tmp/codex-lsg75pjp succeeded in 7ms:
"JUMPDEST",
"GT",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 1191
},
{
"end_pc": 1201,
"hash": "0x056bc91015bb4fc117f1ddc4b3a936200b0809b813a9671847a18a5b598bd25c",
"opcodes": [
"PUSH1",
"OP_80",
"REVERT"
],
"start_pc": 1198
},
{
"end_pc": 1215,
thinking
**Inspecting SSTORE call context**
exec
/bin/bash -lc "sed -n '1400,1495p' BYTECODE_BUNDLE.json" in /tmp/codex-lsg75pjp succeeded in 12ms:
"OP_80",
"OP_91",
"SUB",
"OP_90",
"RETURN"
],
"start_pc": 977
},
{
"end_pc": 1003,
"hash": "0x53ed640c9166c17f27bf79fcd282cd913e2f286ef92d462d7537db5d3af26e22",
"opcodes": [
"JUMPDEST",
"CALLVALUE",
"ISZERO",
"PUSH2",
"JUMPI"
],
"start_pc": 997
},
thinking
**Searching for call opcode location**
exec
/bin/bash -lc "rg -n \"\\\"pc\\\": 1449\" -n BYTECODE_BUNDLE.json" in /tmp/codex-lsg75pjp succeeded in 29ms:
3889: "pc": 1449,
14675: "pc": 1449,
14875: "pc": 1449,
14927: "pc": 1449,
thinking
**Checking for evidence bundles**
exec
/bin/bash -lc "sed -n '14840,14960p' BYTECODE_BUNDLE.json" in /tmp/codex-lsg75pjp succeeded in 16ms:
"type": "function"
},
{
"entry_pc": 4219905028,
"id": "fn:0xf2fde38b",
"selector": "0xf2fde38b",
"type": "function"
},
{
"entry_pc": 4228666474,
"id": "fn:0xfb86a404",
"selector": "0xfb86a404",
"type": "function"
},
{
"entry_pc": 288,
"id": "fn:0xfc0c546a",
"selector": "0xfc0c546a",
"type": "function"
}
thinking
**Searching for evidence_bundle**
exec
/bin/bash -lc 'rg -n "evidence" BYTECODE_BUNDLE.json | head' in /tmp/codex-lsg75pjp succeeded in 13ms:
11683: "proxy_evidence": {
14870: "evidence_json": {
14922: "evidence_json": {
thinking
**Examining proxy_evidence area**
exec
/bin/bash -lc "sed -n '11640,11740p' BYTECODE_BUNDLE.json" in /tmp/codex-lsg75pjp succeeded in 6ms:
},
{
"op": "SLOAD",
"pc": 3166,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000002"
}
],
"writes": 9
},
"version": "analysis_artifact_v1"
},
"block_number": null,
"chain_id": 1,
"codehash": "0x0424cf4e8ef8ea260319b7764248a9bb7bb6fc0049ecca7398163eba29c0239f",
"created_at": "2026-01-12T18:28:43.000000Z",
"id": 1050,
"updated_at": "2026-01-12T18:28:43.000000Z",
"version": "analysis_artifact_v1"
},
"analysis_run": {
thinking
**Analyzing runtime bytecode for token interactions and external calls**
I'm parsing the runtime bytecode which appears to be a token sale contract interacting with an ERC20 token via low-level CALLs rather than STATICCALLs, indicating potential reentrancy risks. I'll decode function selectors and storage slot usage to detect access control patterns and identify where external token calls occur. Since this is complex and disassembler tools aren't available, I'll plan to write a Python script to parse the JSON runtime bytecode and disassemble sections around CALL instructions to better understand the call targets and data. This will help clarify owner checks and possible vulnerabilities around ETH transfers and external calls without return data checks. Let's try this methodical approach next!
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
with open('/tmp/codex-lsg75pjp/BYTECODE_BUNDLE.json','r') as f:
    data=json.load(f)
bytecode = data['artifact']['runtime_bytecode']['full']
if bytecode.startswith('0x'):
    bytecode = bytecode[2:]
# EVM opcode table
opcodes = {
0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
0x20:'SHA3',
0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xf6:'INVALID',0xf7:'SELFDESTRUCT',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
}
for i in range(1,33):
    opcodes[0x5f+i] = f'PUSH{i}'
for i in range(1,17):
    opcodes[0x7f+i] = f'DUP{i}'
for i in range(1,17):
    opcodes[0x8f+i] = f'SWAP{i}'
# disassemble
b = bytes.fromhex(bytecode)
instrs = []
pc=0
while pc < len(b):
    op = b[pc]
    name = opcodes.get(op, f'OP_{op:02x}')
    pc0=pc
    pc += 1
    arg=None
    if name.startswith('PUSH'):
        n = int(name[4:])
        arg = b[pc:pc+n]
        pc += n
    instrs.append((pc0,name,arg))
# index by pc
pc_map = {pc: (name,arg) for pc,name,arg in instrs}
call_pcs = [1449,1617,2127,2252,2346,2506,2661,2914,3008]
for cpc in call_pcs:
    # show context 10 instr before and after
    idx = next(i for i,(pc,_,__) in enumerate(instrs) if pc==cpc)
    start = max(0, idx-10)
    end = min(len(instrs), idx+5)
    print('\\nCALLSITE pc',cpc)
    for pc,name,arg in instrs[start:end]:
        if arg is not None:
            print(f'{pc:04x}: {name} 0x{arg.hex()}')
        else:
            print(f'{pc:04x}: {name}')
PY" in /tmp/codex-lsg75pjp succeeded in 62ms:
CALLSITE pc 1449
059a: ISZERO
059b: PUSH2 0x05a3
059e: JUMPI
059f: PUSH1 0x00
05a1: DUP1
05a2: REVERT
05a3: JUMPDEST
05a4: PUSH2 0x02c6
05a7: GAS
05a8: SUB
05a9: CALL
05aa: ISZERO
05ab: ISZERO
05ac: PUSH2 0x05b4
05af: JUMPI
CALLSITE pc 1617
0642: ISZERO
thinking
**Extending disassembly context**
exec
/bin/bash -lc "python - <<'PY'
import json
with open('/tmp/codex-lsg75pjp/BYTECODE_BUNDLE.json','r') as f:
    data=json.load(f)
bytecode = data['artifact']['runtime_bytecode']['full']
if bytecode.startswith('0x'):
    bytecode = bytecode[2:]
opcodes = {
0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
0x20:'SHA3',
0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xf6:'INVALID',0xf7:'SELFDESTRUCT',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
}
for i in range(1,33):
    opcodes[0x5f+i] = f'PUSH{i}'
for i in range(1,17):
    opcodes[0x7f+i] = f'DUP{i}'
for i in range(1,17):
    opcodes[0x8f+i] = f'SWAP{i}'
b = bytes.fromhex(bytecode)
instrs = []
pc=0
while pc < len(b):
    op = b[pc]
    name = opcodes.get(op, f'OP_{op:02x}')
    pc0=pc
    pc += 1
    arg=None
    if name.startswith('PUSH'):
        n = int(name[4:])
        arg = b[pc:pc+n]
        pc += n
    instrs.append((pc0,name,arg))
call_pcs = [1449,1617,2127,2252,2346,2506,2661,2914,3008]
for cpc in call_pcs:
    idx = next(i for i,(pc,_,__) in enumerate(instrs) if pc==cpc)
    start = max(0, idx-30)
    end = min(len(instrs), idx+15)
    print('\\nCALLSITE pc',cpc)
    for pc,name,arg in instrs[start:end]:
        if arg is not None:
            print(f'{pc:04x}: {name} 0x{arg.hex()}')
        else:
            print(f'{pc:04x}: {name}')
PY" in /tmp/codex-lsg75pjp succeeded in 52ms:
CALLSITE pc 1449
0581: SWAP2
0582: AND
0583: PUSH1 0x04
0585: DUP3
0586: ADD
0587: MSTORE
0588: PUSH1 0x24
058a: ADD
058b: PUSH1 0x20
058d: PUSH1 0x40
058f: MLOAD
0590: DUP1
0591: DUP4
0592: SUB
0593: DUP2
0594: PUSH1 0x00
0596: DUP8
0597: DUP1
thinking
**Analyzing external CALL arguments and implications**
exec
/bin/bash -lc "python - <<'PY'
import json
with open('/tmp/codex-lsg75pjp/BYTECODE_BUNDLE.json','r') as f:
    data=json.load(f)
bytecode = data['artifact']['runtime_bytecode']['full']
if bytecode.startswith('0x'):
    bytecode = bytecode[2:]
opcodes = {
0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
0x20:'SHA3',
0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xf6:'INVALID',0xf7:'SELFDESTRUCT',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
}
for i in range(1,33):
    opcodes[0x5f+i] = f'PUSH{i}'
for i in range(1,17):
    opcodes[0x7f+i] = f'DUP{i}'
for i in range(1,17):
    opcodes[0x8f+i] = f'SWAP{i}'
b = bytes.fromhex(bytecode)
instrs = []
pc=0
while pc < len(b):
    op = b[pc]
    name = opcodes.get(op, f'OP_{op:02x}')
    pc0=pc
    pc += 1
    arg=None
    if name.startswith('PUSH'):
        n = int(name[4:])
        arg = b[pc:pc+n]
        pc += n
    instrs.append((pc0,name,arg))
pc_index = {pc:i for i,(pc,_,__) in enumerate(instrs)}
call_pcs = [1449,1617,2127,2252,2346,2506,2661,2914,3008]
for cpc in call_pcs:
    idx = pc_index[cpc]
    start = idx
    end = min(len(instrs), idx+80)
    print('\\nAFTER CALL pc',cpc)
    for pc,name,arg in instrs[start:end]:
        if arg is not None:
            print(f'{pc:04x}: {name} 0x{arg.hex()}')
        else:
            print(f'{pc:04x}: {name}')
PY" in /tmp/codex-lsg75pjp succeeded in 53ms:
AFTER CALL pc 1449
05a9: CALL
05aa: ISZERO
05ab: ISZERO
05ac: PUSH2 0x05b4
05af: JUMPI
05b0: PUSH1 0x00
05b2: DUP1
05b3: REVERT
05b4: JUMPDEST
05b5: POP
05b6: POP
05b7: POP
05b8: PUSH1 0x40
05ba: MLOAD
05bb: DUP1
05bc: MLOAD
05bd: SWAP1
05be: POP
thinking
**Analyzing reentrancy and token call risks**
thinking
**Summarizing callsite evidence and findings in JSON**
I'll assemble a clear JSON report with two main findings: medium-severity reentrancy risk from external CALLs preceding state updates with no reentrancy guard, and low-severity unchecked ERC20 return values—citing callsites (pcs in hex), selectors, and evidential bytecode details, while noting uncertainty about ETH value forwarding.
codex
{"no_findings":false,"summary":"Bytecode shows multiple external CALLs to computed targets (ERC20-style selectors) with state updates happening after the calls and no explicit reentrancy guard detected; ERC20 return data is not validated beyond CALL success. Evidence is bytecode-only, so selector inference/intent is best-effort.","findings":[{"severity":"medium","category":"reentrancy","title":"External CALLs occur before state updates (reentrancy window)","exploit_scenario":"If the external CALL target (likely a token contract address loaded from storage) is malicious or upgradeable, it can reenter during the CALL and invoke state-changing entrypoints before accounting is updated. Because storage writes occur after the CALLs (e.g., mapping/counter updates), a reentrant call could bypass limits or double-count contributions. This is especially relevant for public functions that process payments/transfers.","recommendation":"Apply checks-effects-interactions: update internal accounting before external calls, or add a reentrancy guard. Prefer STATICCALL for read-only token queries when possible.","evidence":"Bytecode disassembly shows CALL followed by SSTORE in the same control flow with no guard detection. Examples: CALL at pc:0x05a9 then SSTORE at pc:0x05f3; CALL at pc:0x0651 then SSTORE at pc:0x067d; CALL at pc:0x09ca then SSTORE at pc:0x09f3. Call targets are stack-derived (computed) with EXTCODESIZE checks, indicating external interactions.","locations":["pc:0x05a9","pc:0x05f3","pc:0x0651","pc:0x067d","pc:0x09ca","pc:0x09f3"]},{"severity":"low","category":"other","title":"ERC20 low-level CALLs do not validate return data","exploit_scenario":"If the token returns `false` without reverting (or returns malformed data), these CALLs will still be treated as success because only the CALL success flag is checked. 
This can lead to accounting mismatches where state updates/logs proceed but tokens were not actually transferred.","recommendation":"Adopt a SafeERC20-style check: accept empty return data or explicitly decode a boolean `true` response; otherwise revert.","evidence":"Bytecode constructs calldata for selectors (e.g., `0xa9059cbb`, `0xa521ebfa`, `0x70a08231`) and performs CALLs with `ISZERO ISZERO` success checks only; no `RETURNDATASIZE/RETURNDATACOPY`-based boolean validation is present around these callsites.","locations":["pc:0x0651","pc:0x08cc","pc:0x092a","pc:0x0a65","pc:0x0b62","pc:0x0bc0","selector:0xa9059cbb","selector:0xa521ebfa","selector:0x70a08231"]}]}
tokens used
80,524
{
"codex": {
"ran_at": "2026-01-12T18:59:48.540239+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 6498,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "Bytecode shows multiple external CALLs to computed targets (ERC20-style selectors) with state updates happening after the calls and no explicit reentrancy guard detected; ERC20 return data is not validated beyond CALL success. Evidence is bytecode-only, so selector inference/intent is best-effort.",
"raw_final": {
"summary": "Bytecode shows multiple external CALLs to computed targets (ERC20-style selectors) with state updates happening after the calls and no explicit reentrancy guard detected; ERC20 return data is not validated beyond CALL success. Evidence is bytecode-only, so selector inference/intent is best-effort.",
"findings": [
{
"title": "External CALLs occur before state updates (reentrancy window)",
"category": "reentrancy",
"evidence": "Bytecode disassembly shows CALL followed by SSTORE in the same control flow with no guard detection. Examples: CALL at pc:0x05a9 then SSTORE at pc:0x05f3; CALL at pc:0x0651 then SSTORE at pc:0x067d; CALL at pc:0x09ca then SSTORE at pc:0x09f3. Call targets are stack-derived (computed) with EXTCODESIZE checks, indicating external interactions.",
"severity": "medium",
"locations": [
"pc:0x05a9",
"pc:0x05f3",
"pc:0x0651",
"pc:0x067d",
"pc:0x09ca",
"pc:0x09f3"
],
"recommendation": "Apply checks-effects-interactions: update internal accounting before external calls, or add a reentrancy guard. Prefer STATICCALL for read-only token queries when possible.",
"exploit_scenario": "If the external CALL target (likely a token contract address loaded from storage) is malicious or upgradeable, it can reenter during the CALL and invoke state-changing entrypoints before accounting is updated. Because storage writes occur after the CALLs (e.g., mapping/counter updates), a reentrant call could bypass limits or double-count contributions. This is especially relevant for public functions that process payments/transfers."
},
{
"title": "ERC20 low-level CALLs do not validate return data",
"category": "other",
"evidence": "Bytecode constructs calldata for selectors (e.g., `0xa9059cbb`, `0xa521ebfa`, `0x70a08231`) and performs CALLs with `ISZERO ISZERO` success checks only; no `RETURNDATASIZE/RETURNDATACOPY`-based boolean validation is present around these callsites.",
"severity": "low",
"locations": [
"pc:0x0651",
"pc:0x08cc",
"pc:0x092a",
"pc:0x0a65",
"pc:0x0b62",
"pc:0x0bc0",
"selector:0xa9059cbb",
"selector:0xa521ebfa",
"selector:0x70a08231"
],
"recommendation": "Adopt a SafeERC20-style check: accept empty return data or explicitly decode a boolean `true` response; otherwise revert.",
"exploit_scenario": "If the token returns `false` without reverting (or returns malformed data), these CALLs will still be treated as success because only the CALL success flag is checked. This can lead to accounting mismatches where state updates/logs proceed but tokens were not actually transferred."
}
],
"no_findings": false
},
"no_findings": false,
"schema_version": 1
}
0000034c: PUSH1 0x00 0000034e: DUP1 0000034f: REVERT 00000350: JUMPDEST 00000351: PUSH2 0x0231 00000354: PUSH2 0x0bd4 00000357: JUMP 00000358: JUMPDEST 00000359: PUSH1 0x40 0000035b: MLOAD 0000035c: PUSH1 0x01 0000035e: PUSH1 0xa0 00000360: PUSH1 0x02 00000362: EXP 00000363: SUB 00000364: SWAP1 00000365: SWAP2 00000366: AND 00000367: DUP2 00000368: MSTORE 00000369: PUSH1 0x20 0000036b: ADD 0000036c: PUSH1 0x40 0000036e: MLOAD 0000036f: DUP1 00000370: SWAP2 00000371: SUB 00000372: SWAP1 00000373: RETURN 00000374: JUMPDEST 00000375: CALLVALUE 00000376: ISZERO 00000377: PUSH2 0x037f 0000037a: JUMPI 0000037b: PUSH1 0x00 0000037d: DUP1 0000037e: REVERT 0000037f: JUMPDEST 00000380: PUSH2 0x01c0 00000383: PUSH2 0x0be3 00000386: JUMP 00000387: JUMPDEST 00000388: PUSH1 0x40 0000038a: MLOAD 0000038b: SWAP1 0000038c: DUP2 0000038d: MSTORE 0000038e: PUSH1 0x20 00000390: ADD 00000391: PUSH1 0x40 00000393: MLOAD 00000394: DUP1 00000395: SWAP2 00000396: SUB 00000397: SWAP1 00000398: RETURN 00000399: JUMPDEST 0000039a: CALLVALUE 0000039b: ISZERO 0000039c: PUSH2 0x03a4 0000039f: JUMPI 000003a0: PUSH1 0x00 000003a2: DUP1 000003a3: REVERT 000003a4: JUMPDEST 000003a5: PUSH2 0x01c0 000003a8: PUSH2 0x0be9 000003ab: JUMP 000003ac: JUMPDEST 000003ad: PUSH1 0x40 000003af: MLOAD 000003b0: SWAP1 000003b1: DUP2 000003b2: MSTORE 000003b3: PUSH1 0x20 000003b5: ADD 000003b6: PUSH1 0x40 000003b8: MLOAD 000003b9: DUP1 000003ba: SWAP2 000003bb: SUB 000003bc: SWAP1 000003bd: RETURN 000003be: JUMPDEST 000003bf: CALLVALUE 000003c0: ISZERO 000003c1: PUSH2 0x03c9 000003c4: JUMPI 000003c5: PUSH1 0x00 000003c7: DUP1 000003c8: REVERT 000003c9: JUMPDEST 000003ca: PUSH2 0x01e5 000003cd: PUSH2 0x0bef 000003d0: JUMP 000003d1: JUMPDEST 000003d2: PUSH1 0x40 000003d4: MLOAD 000003d5: SWAP1 000003d6: ISZERO 000003d7: ISZERO 000003d8: DUP2 000003d9: MSTORE 000003da: PUSH1 0x20 000003dc: ADD 000003dd: PUSH1 0x40 000003df: MLOAD 000003e0: DUP1 000003e1: SWAP2 000003e2: SUB 000003e3: SWAP1 000003e4: RETURN 000003e5: 
JUMPDEST 000003e6: CALLVALUE 000003e7: ISZERO 000003e8: PUSH2 0x03f0 000003eb: JUMPI 000003ec: PUSH1 0x00 000003ee: DUP1 000003ef: REVERT 000003f0: JUMPDEST 000003f1: PUSH2 0x0120 000003f4: PUSH1 0x01 000003f6: PUSH1 0xa0 000003f8: PUSH1 0x02 000003fa: EXP 000003fb: SUB 000003fc: PUSH1 0x04 000003fe: CALLDATALOAD 000003ff: AND 00000400: PUSH2 0x0bfd 00000403: JUMP 00000404: JUMPDEST 00000405: STOP 00000406: JUMPDEST 00000407: CALLVALUE 00000408: ISZERO 00000409: PUSH2 0x0411 0000040c: JUMPI 0000040d: PUSH1 0x00 0000040f: DUP1 00000410: REVERT 00000411: JUMPDEST 00000412: PUSH2 0x01c0 00000415: PUSH2 0x0c55 00000418: JUMP 00000419: JUMPDEST 0000041a: PUSH1 0x40 0000041c: MLOAD 0000041d: SWAP1 0000041e: DUP2 0000041f: MSTORE 00000420: PUSH1 0x20 00000422: ADD 00000423: PUSH1 0x40 00000425: MLOAD 00000426: DUP1 00000427: SWAP2 00000428: SUB 00000429: SWAP1 0000042a: RETURN 0000042b: JUMPDEST 0000042c: CALLVALUE 0000042d: ISZERO 0000042e: PUSH2 0x0436 00000431: JUMPI 00000432: PUSH1 0x00 00000434: DUP1 00000435: REVERT 00000436: JUMPDEST 00000437: PUSH2 0x0231 0000043a: PUSH2 0x0c5b 0000043d: JUMP 0000043e: JUMPDEST 0000043f: PUSH1 0x40 00000441: MLOAD 00000442: PUSH1 0x01 00000444: PUSH1 0xa0 00000446: PUSH1 0x02 00000448: EXP 00000449: SUB 0000044a: SWAP1 0000044b: SWAP2 0000044c: AND 0000044d: DUP2 0000044e: MSTORE 0000044f: PUSH1 0x20 00000451: ADD 00000452: PUSH1 0x40 00000454: MLOAD 00000455: DUP1 00000456: SWAP2 00000457: SUB 00000458: SWAP1 00000459: RETURN 0000045a: JUMPDEST 0000045b: PUSH1 0x00 0000045d: PUSH1 0x0c 0000045f: SLOAD 00000460: DUP1 00000461: TIMESTAMP 00000462: LT 00000463: ISZERO 00000464: ISZERO 00000465: ISZERO 00000466: PUSH2 0x046e 00000469: JUMPI 0000046a: PUSH1 0x00 0000046c: DUP1 0000046d: REVERT 0000046e: JUMPDEST 0000046f: PUSH1 0x0d 00000471: SLOAD 00000472: TIMESTAMP 00000473: DUP2 00000474: SWAP1 00000475: GT 00000476: ISZERO 00000477: PUSH2 0x047f 0000047a: JUMPI 0000047b: PUSH1 0x00 0000047d: DUP1 0000047e: REVERT 0000047f: 
JUMPDEST 00000480: PUSH1 0x0e 00000482: SLOAD 00000483: PUSH2 0x0100 00000486: SWAP1 00000487: DIV 00000488: PUSH1 0xff 0000048a: AND 0000048b: ISZERO 0000048c: PUSH2 0x0491 0000048f: JUMPI 00000490: INVALID 00000491: JUMPDEST 00000492: PUSH1 0x04 00000494: SLOAD 00000495: PUSH1 0x09 00000497: SLOAD 00000498: PUSH2 0x04a7 0000049b: SWAP1 0000049c: CALLVALUE 0000049d: PUSH4 0xffffffff 000004a2: PUSH2 0x0c6a 000004a5: AND 000004a6: JUMP 000004a7: JUMPDEST 000004a8: GT 000004a9: ISZERO 000004aa: PUSH2 0x04b2 000004ad: JUMPI 000004ae: PUSH1 0x00 000004b0: DUP1 000004b1: REVERT 000004b2: JUMPDEST 000004b3: PUSH1 0x0e 000004b5: SLOAD 000004b6: PUSH1 0xff 000004b8: AND 000004b9: ISZERO 000004ba: DUP1 000004bb: ISZERO 000004bc: PUSH2 0x04c8 000004bf: JUMPI 000004c0: POP 000004c1: PUSH1 0x05 000004c3: SLOAD 000004c4: PUSH1 0x09 000004c6: SLOAD 000004c7: LT 000004c8: JUMPDEST 000004c9: DUP1 000004ca: ISZERO 000004cb: PUSH2 0x04e8 000004ce: JUMPI 000004cf: POP 000004d0: PUSH1 0x05 000004d2: SLOAD 000004d3: PUSH1 0x09 000004d5: SLOAD 000004d6: PUSH2 0x04e5 000004d9: SWAP1 000004da: CALLVALUE 000004db: PUSH4 0xffffffff 000004e0: PUSH2 0x0c6a 000004e3: AND 000004e4: JUMP 000004e5: JUMPDEST 000004e6: LT 000004e7: ISZERO 000004e8: JUMPDEST 000004e9: ISZERO 000004ea: PUSH2 0x0531 000004ed: JUMPI 000004ee: PUSH1 0x0e 000004f0: DUP1 000004f1: SLOAD 000004f2: PUSH1 0xff 000004f4: NOT 000004f5: AND 000004f6: PUSH1 0x01 000004f8: OR 000004f9: SWAP1 000004fa: SSTORE 000004fb: PUSH1 0x05 000004fd: SLOAD 000004fe: PUSH32 0x42ef6182c6d744dd081ab962505f40413083376dfcc13e58b60f4f32e9673809 0000051f: SWAP1 00000520: PUSH1 0x40 00000522: MLOAD 00000523: SWAP1 00000524: DUP2 00000525: MSTORE 00000526: PUSH1 0x20 00000528: ADD 00000529: PUSH1 0x40 0000052b: MLOAD 0000052c: DUP1 0000052d: SWAP2 0000052e: SUB 0000052f: SWAP1 00000530: LOG1 00000531: JUMPDEST 00000532: PUSH1 0x06 00000534: SLOAD 00000535: CALLVALUE 00000536: DUP2 00000537: ISZERO 00000538: ISZERO 00000539: PUSH2 0x053e 0000053c: 
JUMPI 0000053d: INVALID 0000053e: JUMPDEST 0000053f: PUSH1 0x07 00000541: SLOAD 00000542: PUSH1 0x02 00000544: SLOAD 00000545: SWAP3 00000546: SWAP1 00000547: SWAP2 00000548: DIV 00000549: SWAP5 0000054a: POP 0000054b: SWAP1 0000054c: DUP5 0000054d: SWAP1 0000054e: PUSH1 0x01 00000550: PUSH1 0xa0 00000552: PUSH1 0x02 00000554: EXP 00000555: SUB 00000556: AND 00000557: PUSH4 0x70a08231 0000055c: DUP8 0000055d: PUSH1 0x00 0000055f: PUSH1 0x40 00000561: MLOAD 00000562: PUSH1 0x20 00000564: ADD 00000565: MSTORE 00000566: PUSH1 0x40 00000568: MLOAD 00000569: PUSH1 0xe0 0000056b: PUSH1 0x02 0000056d: EXP 0000056e: PUSH4 0xffffffff 00000573: DUP5 00000574: AND 00000575: MUL 00000576: DUP2 00000577: MSTORE 00000578: PUSH1 0x01 0000057a: PUSH1 0xa0 0000057c: PUSH1 0x02 0000057e: EXP 0000057f: SUB 00000580: SWAP1 00000581: SWAP2 00000582: AND 00000583: PUSH1 0x04 00000585: DUP3 00000586: ADD 00000587: MSTORE 00000588: PUSH1 0x24 0000058a: ADD 0000058b: PUSH1 0x20 0000058d: PUSH1 0x40 0000058f: MLOAD 00000590: DUP1 00000591: DUP4 00000592: SUB 00000593: DUP2 00000594: PUSH1 0x00 00000596: DUP8 00000597: DUP1 00000598: EXTCODESIZE 00000599: ISZERO 0000059a: ISZERO 0000059b: PUSH2 0x05a3 0000059e: JUMPI 0000059f: PUSH1 0x00 000005a1: DUP1 000005a2: REVERT 000005a3: JUMPDEST 000005a4: PUSH2 0x02c6 000005a7: GAS 000005a8: SUB 000005a9: CALL 000005aa: ISZERO 000005ab: ISZERO 000005ac: PUSH2 0x05b4 000005af: JUMPI 000005b0: PUSH1 0x00 000005b2: DUP1 000005b3: REVERT 000005b4: JUMPDEST 000005b5: POP 000005b6: POP 000005b7: POP 000005b8: PUSH1 0x40 000005ba: MLOAD 000005bb: DUP1 000005bc: MLOAD 000005bd: SWAP1 000005be: POP 000005bf: ADD 000005c0: GT 000005c1: ISZERO 000005c2: ISZERO 000005c3: ISZERO 000005c4: PUSH2 0x05cc 000005c7: JUMPI 000005c8: PUSH1 0x00 000005ca: DUP1 000005cb: REVERT 000005cc: JUMPDEST 000005cd: PUSH1 0x01 000005cf: PUSH1 0xa0 000005d1: PUSH1 0x02 000005d3: EXP 000005d4: SUB 000005d5: DUP5 000005d6: AND 000005d7: PUSH1 0x00 000005d9: SWAP1 000005da: DUP2 
000005db: MSTORE 000005dc: PUSH1 0x0f 000005de: PUSH1 0x20 000005e0: MSTORE 000005e1: PUSH1 0x40 000005e3: SWAP1 000005e4: KECCAK256 000005e5: SLOAD 000005e6: ISZERO 000005e7: ISZERO 000005e8: PUSH2 0x05f5 000005eb: JUMPI 000005ec: PUSH1 0x0a 000005ee: DUP1 000005ef: SLOAD 000005f0: PUSH1 0x01 000005f2: ADD 000005f3: SWAP1 000005f4: SSTORE 000005f5: JUMPDEST 000005f6: PUSH1 0x02 000005f8: SLOAD 000005f9: PUSH1 0x01 000005fb: PUSH1 0xa0 000005fd: PUSH1 0x02 000005ff: EXP 00000600: SUB 00000601: AND 00000602: PUSH4 0xa9059cbb 00000607: DUP6 00000608: DUP6 00000609: PUSH1 0x40 0000060b: MLOAD 0000060c: PUSH1 0xe0 0000060e: PUSH1 0x02 00000610: EXP 00000611: PUSH4 0xffffffff 00000616: DUP6 00000617: AND 00000618: MUL 00000619: DUP2 0000061a: MSTORE 0000061b: PUSH1 0x01 0000061d: PUSH1 0xa0 0000061f: PUSH1 0x02 00000621: EXP 00000622: SUB 00000623: SWAP1 00000624: SWAP3 00000625: AND 00000626: PUSH1 0x04 00000628: DUP4 00000629: ADD 0000062a: MSTORE 0000062b: PUSH1 0x24 0000062d: DUP3 0000062e: ADD 0000062f: MSTORE 00000630: PUSH1 0x44 00000632: ADD 00000633: PUSH1 0x00 00000635: PUSH1 0x40 00000637: MLOAD 00000638: DUP1 00000639: DUP4 0000063a: SUB 0000063b: DUP2 0000063c: PUSH1 0x00 0000063e: DUP8 0000063f: DUP1 00000640: EXTCODESIZE 00000641: ISZERO 00000642: ISZERO 00000643: PUSH2 0x064b 00000646: JUMPI 00000647: PUSH1 0x00 00000649: DUP1 0000064a: REVERT 0000064b: JUMPDEST 0000064c: PUSH2 0x02c6 0000064f: GAS 00000650: SUB 00000651: CALL 00000652: ISZERO 00000653: ISZERO 00000654: PUSH2 0x065c 00000657: JUMPI 00000658: PUSH1 0x00 0000065a: DUP1 0000065b: REVERT 0000065c: JUMPDEST 0000065d: POP 0000065e: POP 0000065f: POP 00000660: PUSH1 0x01 00000662: PUSH1 0xa0 00000664: PUSH1 0x02 00000666: EXP 00000667: SUB 00000668: DUP5 00000669: AND 0000066a: PUSH1 0x00 0000066c: SWAP1 0000066d: DUP2 0000066e: MSTORE 0000066f: PUSH1 0x0f 00000671: PUSH1 0x20 00000673: MSTORE 00000674: PUSH1 0x40 00000676: SWAP1 00000677: KECCAK256 00000678: DUP1 00000679: SLOAD 0000067a: DUP5 
0000067b: ADD 0000067c: SWAP1 0000067d: SSTORE 0000067e: PUSH1 0x08 00000680: SLOAD 00000681: PUSH2 0x0690 00000684: SWAP1 00000685: DUP5 00000686: PUSH4 0xffffffff 0000068b: PUSH2 0x0c6a 0000068e: AND 0000068f: JUMP 00000690: JUMPDEST 00000691: PUSH1 0x08 00000693: SSTORE 00000694: PUSH1 0x09 00000696: SLOAD 00000697: PUSH2 0x06a6 0000069a: SWAP1 0000069b: CALLVALUE 0000069c: PUSH4 0xffffffff 000006a1: PUSH2 0x0c6a 000006a4: AND 000006a5: JUMP 000006a6: JUMPDEST 000006a7: PUSH1 0x09 000006a9: SSTORE 000006aa: PUSH1 0x01 000006ac: PUSH1 0xa0 000006ae: PUSH1 0x02 000006b0: EXP 000006b1: SUB 000006b2: DUP5 000006b3: AND 000006b4: PUSH32 0x16d99cb06fd9528f88184dd0483174a09cfd8312c28639858734b0c449cc05b8 000006d5: DUP5 000006d6: CALLVALUE 000006d7: PUSH1 0x40 000006d9: MLOAD 000006da: SWAP2 000006db: DUP3 000006dc: MSTORE 000006dd: PUSH1 0x20 000006df: DUP3 000006e0: ADD 000006e1: MSTORE 000006e2: PUSH1 0x40 000006e4: SWAP1 000006e5: DUP2 000006e6: ADD 000006e7: SWAP1 000006e8: MLOAD 000006e9: DUP1 000006ea: SWAP2 000006eb: SUB 000006ec: SWAP1 000006ed: LOG2 000006ee: PUSH1 0x04 000006f0: SLOAD 000006f1: PUSH1 0x09 000006f3: SLOAD 000006f4: EQ 000006f5: ISZERO 000006f6: PUSH2 0x072f 000006f9: JUMPI 000006fa: PUSH32 0xfbfd8ab7c24300fa9888cd721c8565a7da56759384781283684dcf7c7c4a846b 0000071b: PUSH1 0x04 0000071d: SLOAD 0000071e: PUSH1 0x40 00000720: MLOAD 00000721: SWAP1 00000722: DUP2 00000723: MSTORE 00000724: PUSH1 0x20 00000726: ADD 00000727: PUSH1 0x40 00000729: MLOAD 0000072a: DUP1 0000072b: SWAP2 0000072c: SUB 0000072d: SWAP1 0000072e: LOG1 0000072f: JUMPDEST 00000730: JUMPDEST 00000731: JUMPDEST 00000732: POP 00000733: JUMPDEST 00000734: POP 00000735: POP 00000736: POP 00000737: JUMP 00000738: JUMPDEST 00000739: PUSH1 0x01 0000073b: DUP1 0000073c: SLOAD 0000073d: PUSH1 0x01 0000073f: DUP2 00000740: PUSH1 0x01 00000742: AND 00000743: ISZERO 00000744: PUSH2 0x0100 00000747: MUL 00000748: SUB 00000749: AND 0000074a: PUSH1 0x02 0000074c: SWAP1 0000074d: DIV 0000074e: 
DUP1 0000074f: PUSH1 0x1f 00000751: ADD 00000752: PUSH1 0x20 00000754: DUP1 00000755: SWAP2 00000756: DIV 00000757: MUL 00000758: PUSH1 0x20 0000075a: ADD 0000075b: PUSH1 0x40 0000075d: MLOAD 0000075e: SWAP1 0000075f: DUP2 00000760: ADD 00000761: PUSH1 0x40 00000763: MSTORE 00000764: DUP1 00000765: SWAP3 00000766: SWAP2 00000767: SWAP1 00000768: DUP2 00000769: DUP2 0000076a: MSTORE 0000076b: PUSH1 0x20 0000076d: ADD 0000076e: DUP3 0000076f: DUP1 00000770: SLOAD 00000771: PUSH1 0x01 00000773: DUP2 00000774: PUSH1 0x01 00000776: AND 00000777: ISZERO 00000778: PUSH2 0x0100 0000077b: MUL 0000077c: SUB 0000077d: AND 0000077e: PUSH1 0x02 00000780: SWAP1 00000781: DIV 00000782: DUP1 00000783: ISZERO 00000784: PUSH2 0x07ce 00000787: JUMPI 00000788: DUP1 00000789: PUSH1 0x1f 0000078b: LT 0000078c: PUSH2 0x07a3 0000078f: JUMPI 00000790: PUSH2 0x0100 00000793: DUP1 00000794: DUP4 00000795: SLOAD 00000796: DIV 00000797: MUL 00000798: DUP4 00000799: MSTORE 0000079a: SWAP2 0000079b: PUSH1 0x20 0000079d: ADD 0000079e: SWAP2 0000079f: PUSH2 0x07ce 000007a2: JUMP 000007a3: JUMPDEST 000007a4: DUP3 000007a5: ADD 000007a6: SWAP2 000007a7: SWAP1 000007a8: PUSH1 0x00 000007aa: MSTORE 000007ab: PUSH1 0x20 000007ad: PUSH1 0x00 000007af: KECCAK256 000007b0: SWAP1 000007b1: JUMPDEST 000007b2: DUP2 000007b3: SLOAD 000007b4: DUP2 000007b5: MSTORE 000007b6: SWAP1 000007b7: PUSH1 0x01 000007b9: ADD 000007ba: SWAP1 000007bb: PUSH1 0x20 000007bd: ADD 000007be: DUP1 000007bf: DUP4 000007c0: GT 000007c1: PUSH2 0x07b1 000007c4: JUMPI 000007c5: DUP3 000007c6: SWAP1 000007c7: SUB 000007c8: PUSH1 0x1f 000007ca: AND 000007cb: DUP3 000007cc: ADD 000007cd: SWAP2 000007ce: JUMPDEST 000007cf: POP 000007d0: POP 000007d1: POP 000007d2: POP 000007d3: POP 000007d4: DUP2 000007d5: JUMP 000007d6: JUMPDEST 000007d7: PUSH1 0x07 000007d9: SLOAD 000007da: DUP2 000007db: JUMP 000007dc: JUMPDEST 000007dd: PUSH1 0x0e 000007df: SLOAD 000007e0: PUSH1 0xff 000007e2: AND 000007e3: DUP2 000007e4: JUMP 000007e5: JUMPDEST 
000007e6: PUSH1 0x0d 000007e8: SLOAD 000007e9: DUP2 000007ea: JUMP 000007eb: JUMPDEST 000007ec: PUSH1 0x03 000007ee: SLOAD 000007ef: PUSH1 0x01 000007f1: PUSH1 0xa0 000007f3: PUSH1 0x02 000007f5: EXP 000007f6: SUB 000007f7: AND 000007f8: DUP2 000007f9: JUMP 000007fa: JUMPDEST 000007fb: PUSH1 0x00 000007fd: SLOAD 000007fe: CALLER 000007ff: PUSH1 0x01 00000801: PUSH1 0xa0 00000803: PUSH1 0x02 00000805: EXP 00000806: SUB 00000807: SWAP1 00000808: DUP2 00000809: AND 0000080a: SWAP2 0000080b: AND 0000080c: EQ 0000080d: PUSH2 0x0815 00000810: JUMPI 00000811: PUSH1 0x00 00000813: DUP1 00000814: REVERT 00000815: JUMPDEST 00000816: PUSH1 0x0e 00000818: SLOAD 00000819: PUSH1 0xff 0000081b: AND 0000081c: ISZERO 0000081d: ISZERO 0000081e: PUSH2 0x0826 00000821: JUMPI 00000822: PUSH1 0x00 00000824: DUP1 00000825: REVERT 00000826: JUMPDEST 00000827: PUSH1 0x03 00000829: SLOAD 0000082a: PUSH1 0x09 0000082c: SLOAD 0000082d: PUSH1 0x01 0000082f: PUSH1 0xa0 00000831: PUSH1 0x02 00000833: EXP 00000834: SUB 00000835: SWAP1 00000836: SWAP2 00000837: AND 00000838: SWAP1 00000839: DUP1 0000083a: ISZERO 0000083b: PUSH2 0x08fc 0000083e: MUL 0000083f: SWAP1 00000840: PUSH1 0x40 00000842: MLOAD 00000843: PUSH1 0x00 00000845: PUSH1 0x40 00000847: MLOAD 00000848: DUP1 00000849: DUP4 0000084a: SUB 0000084b: DUP2 0000084c: DUP6 0000084d: DUP9 0000084e: DUP9 0000084f: CALL 00000850: SWAP4 00000851: POP 00000852: POP 00000853: POP 00000854: POP 00000855: ISZERO 00000856: ISZERO 00000857: PUSH2 0x085f 0000085a: JUMPI 0000085b: PUSH1 0x00 0000085d: DUP1 0000085e: REVERT 0000085f: JUMPDEST 00000860: PUSH1 0x02 00000862: SLOAD 00000863: PUSH1 0x03 00000865: SLOAD 00000866: PUSH1 0x01 00000868: PUSH1 0xa0 0000086a: PUSH1 0x02 0000086c: EXP 0000086d: SUB 0000086e: SWAP2 0000086f: DUP3 00000870: AND 00000871: SWAP2 00000872: PUSH4 0xa9059cbb 00000877: SWAP2 00000878: AND 00000879: DUP3 0000087a: PUSH4 0x70a08231 0000087f: ADDRESS 00000880: PUSH1 0x00 00000882: PUSH1 0x40 00000884: MLOAD 00000885: PUSH1 
0x20 00000887: ADD 00000888: MSTORE 00000889: PUSH1 0x40 0000088b: MLOAD 0000088c: PUSH1 0xe0 0000088e: PUSH1 0x02 00000890: EXP 00000891: PUSH4 0xffffffff 00000896: DUP5 00000897: AND 00000898: MUL 00000899: DUP2 0000089a: MSTORE 0000089b: PUSH1 0x01 0000089d: PUSH1 0xa0 0000089f: PUSH1 0x02 000008a1: EXP 000008a2: SUB 000008a3: SWAP1 000008a4: SWAP2 000008a5: AND 000008a6: PUSH1 0x04 000008a8: DUP3 000008a9: ADD 000008aa: MSTORE 000008ab: PUSH1 0x24 000008ad: ADD 000008ae: PUSH1 0x20 000008b0: PUSH1 0x40 000008b2: MLOAD 000008b3: DUP1 000008b4: DUP4 000008b5: SUB 000008b6: DUP2 000008b7: PUSH1 0x00 000008b9: DUP8 000008ba: DUP1 000008bb: EXTCODESIZE 000008bc: ISZERO 000008bd: ISZERO 000008be: PUSH2 0x08c6 000008c1: JUMPI 000008c2: PUSH1 0x00 000008c4: DUP1 000008c5: REVERT 000008c6: JUMPDEST 000008c7: PUSH2 0x02c6 000008ca: GAS 000008cb: SUB 000008cc: CALL 000008cd: ISZERO 000008ce: ISZERO 000008cf: PUSH2 0x08d7 000008d2: JUMPI 000008d3: PUSH1 0x00 000008d5: DUP1 000008d6: REVERT 000008d7: JUMPDEST 000008d8: POP 000008d9: POP 000008da: POP 000008db: PUSH1 0x40 000008dd: MLOAD 000008de: DUP1 000008df: MLOAD 000008e0: SWAP1 000008e1: POP 000008e2: PUSH1 0x40 000008e4: MLOAD 000008e5: PUSH1 0xe0 000008e7: PUSH1 0x02 000008e9: EXP 000008ea: PUSH4 0xffffffff 000008ef: DUP6 000008f0: AND 000008f1: MUL 000008f2: DUP2 000008f3: MSTORE 000008f4: PUSH1 0x01 000008f6: PUSH1 0xa0 000008f8: PUSH1 0x02 000008fa: EXP 000008fb: SUB 000008fc: SWAP1 000008fd: SWAP3 000008fe: AND 000008ff: PUSH1 0x04 00000901: DUP4 00000902: ADD 00000903: MSTORE 00000904: PUSH1 0x24 00000906: DUP3 00000907: ADD 00000908: MSTORE 00000909: PUSH1 0x44 0000090b: ADD 0000090c: PUSH1 0x00 0000090e: PUSH1 0x40 00000910: MLOAD 00000911: DUP1 00000912: DUP4 00000913: SUB 00000914: DUP2 00000915: PUSH1 0x00 00000917: DUP8 00000918: DUP1 00000919: EXTCODESIZE 0000091a: ISZERO 0000091b: ISZERO 0000091c: PUSH2 0x0924 0000091f: JUMPI 00000920: PUSH1 0x00 00000922: DUP1 00000923: REVERT 00000924: JUMPDEST 
00000925: PUSH2 0x02c6 00000928: GAS 00000929: SUB 0000092a: CALL 0000092b: ISZERO 0000092c: ISZERO 0000092d: PUSH2 0x0935 00000930: JUMPI 00000931: PUSH1 0x00 00000933: DUP1 00000934: REVERT 00000935: JUMPDEST 00000936: POP 00000937: POP 00000938: PUSH1 0x0e 0000093a: DUP1 0000093b: SLOAD 0000093c: PUSH2 0xff00 0000093f: NOT 00000940: AND 00000941: PUSH2 0x0100 00000944: OR 00000945: SWAP1 00000946: SSTORE 00000947: POP 00000948: JUMPDEST 00000949: JUMPDEST 0000094a: JUMP 0000094b: JUMPDEST 0000094c: PUSH1 0x09 0000094e: SLOAD 0000094f: DUP2 00000950: JUMP 00000951: JUMPDEST 00000952: PUSH1 0x08 00000954: SLOAD 00000955: DUP2 00000956: JUMP 00000957: JUMPDEST 00000958: PUSH1 0x00 0000095a: DUP1 0000095b: PUSH1 0x0d 0000095d: SLOAD 0000095e: DUP1 0000095f: TIMESTAMP 00000960: LT 00000961: ISZERO 00000962: ISZERO 00000963: ISZERO 00000964: PUSH2 0x096c 00000967: JUMPI 00000968: PUSH1 0x00 0000096a: DUP1 0000096b: REVERT 0000096c: JUMPDEST 0000096d: PUSH1 0x0e 0000096f: SLOAD 00000970: PUSH1 0xff 00000972: AND 00000973: ISZERO 00000974: PUSH2 0x097c 00000977: JUMPI 00000978: PUSH1 0x00 0000097a: DUP1 0000097b: REVERT 0000097c: JUMPDEST 0000097d: PUSH1 0x01 0000097f: PUSH1 0xa0 00000981: PUSH1 0x02 00000983: EXP 00000984: SUB 00000985: CALLER 00000986: AND 00000987: PUSH1 0x00 00000989: SWAP1 0000098a: DUP2 0000098b: MSTORE 0000098c: PUSH1 0x0f 0000098e: PUSH1 0x20 00000990: MSTORE 00000991: PUSH1 0x40 00000993: DUP2 00000994: KECCAK256 00000995: SLOAD 00000996: SWAP4 00000997: POP 00000998: DUP4 00000999: GT 0000099a: PUSH2 0x09a2 0000099d: JUMPI 0000099e: PUSH1 0x00 000009a0: DUP1 000009a1: REVERT 000009a2: JUMPDEST 000009a3: PUSH1 0x06 000009a5: SLOAD 000009a6: DUP4 000009a7: MUL 000009a8: SWAP2 000009a9: POP 000009aa: PUSH1 0x01 000009ac: PUSH1 0xa0 000009ae: PUSH1 0x02 000009b0: EXP 000009b1: SUB 000009b2: CALLER 000009b3: AND 000009b4: DUP3 000009b5: ISZERO 000009b6: PUSH2 0x08fc 000009b9: MUL 000009ba: DUP4 000009bb: PUSH1 0x40 000009bd: MLOAD 000009be: PUSH1 
0x00 000009c0: PUSH1 0x40 000009c2: MLOAD 000009c3: DUP1 000009c4: DUP4 000009c5: SUB 000009c6: DUP2 000009c7: DUP6 000009c8: DUP9 000009c9: DUP9 000009ca: CALL 000009cb: SWAP4 000009cc: POP 000009cd: POP 000009ce: POP 000009cf: POP 000009d0: ISZERO 000009d1: ISZERO 000009d2: PUSH2 0x09da 000009d5: JUMPI 000009d6: PUSH1 0x00 000009d8: DUP1 000009d9: REVERT 000009da: JUMPDEST 000009db: PUSH1 0x01 000009dd: PUSH1 0xa0 000009df: PUSH1 0x02 000009e1: EXP 000009e2: SUB 000009e3: CALLER 000009e4: AND 000009e5: PUSH1 0x00 000009e7: SWAP1 000009e8: DUP2 000009e9: MSTORE 000009ea: PUSH1 0x0f 000009ec: PUSH1 0x20 000009ee: MSTORE 000009ef: PUSH1 0x40 000009f1: DUP2 000009f2: KECCAK256 000009f3: SSTORE 000009f4: PUSH1 0x0b 000009f6: SLOAD 000009f7: PUSH2 0x0a06 000009fa: SWAP1 000009fb: DUP4 000009fc: PUSH4 0xffffffff 00000a01: PUSH2 0x0c6a 00000a04: AND 00000a05: JUMP 00000a06: JUMPDEST 00000a07: PUSH1 0x0b 00000a09: SSTORE 00000a0a: PUSH1 0x02 00000a0c: SLOAD 00000a0d: PUSH1 0x01 00000a0f: PUSH1 0xa0 00000a11: PUSH1 0x02 00000a13: EXP 00000a14: SUB 00000a15: AND 00000a16: PUSH4 0xa521ebfa 00000a1b: CALLER 00000a1c: DUP6 00000a1d: PUSH1 0x40 00000a1f: MLOAD 00000a20: PUSH1 0xe0 00000a22: PUSH1 0x02 00000a24: EXP 00000a25: PUSH4 0xffffffff 00000a2a: DUP6 00000a2b: AND 00000a2c: MUL 00000a2d: DUP2 00000a2e: MSTORE 00000a2f: PUSH1 0x01 00000a31: PUSH1 0xa0 00000a33: PUSH1 0x02 00000a35: EXP 00000a36: SUB 00000a37: SWAP1 00000a38: SWAP3 00000a39: AND 00000a3a: PUSH1 0x04 00000a3c: DUP4 00000a3d: ADD 00000a3e: MSTORE 00000a3f: PUSH1 0x24 00000a41: DUP3 00000a42: ADD 00000a43: MSTORE 00000a44: PUSH1 0x44 00000a46: ADD 00000a47: PUSH1 0x00 00000a49: PUSH1 0x40 00000a4b: MLOAD 00000a4c: DUP1 00000a4d: DUP4 00000a4e: SUB 00000a4f: DUP2 00000a50: PUSH1 0x00 00000a52: DUP8 00000a53: DUP1 00000a54: EXTCODESIZE 00000a55: ISZERO 00000a56: ISZERO 00000a57: PUSH2 0x0a5f 00000a5a: JUMPI 00000a5b: PUSH1 0x00 00000a5d: DUP1 00000a5e: REVERT 00000a5f: JUMPDEST 00000a60: PUSH2 0x02c6 00000a63: 
GAS 00000a64: SUB 00000a65: CALL 00000a66: ISZERO 00000a67: ISZERO 00000a68: PUSH2 0x0a70 00000a6b: JUMPI 00000a6c: PUSH1 0x00 00000a6e: DUP1 00000a6f: REVERT 00000a70: JUMPDEST 00000a71: POP 00000a72: POP 00000a73: POP 00000a74: CALLER 00000a75: PUSH1 0x01 00000a77: PUSH1 0xa0 00000a79: PUSH1 0x02 00000a7b: EXP 00000a7c: SUB 00000a7d: AND 00000a7e: PUSH32 0xd7dee2702d63ad89917b6a4da9981c90c4d24f8c2bdfd64c604ecae57d8d0651 00000a9f: DUP4 00000aa0: PUSH1 0x40 00000aa2: MLOAD 00000aa3: SWAP1 00000aa4: DUP2 00000aa5: MSTORE 00000aa6: PUSH1 0x20 00000aa8: ADD 00000aa9: PUSH1 0x40 00000aab: MLOAD 00000aac: DUP1 00000aad: SWAP2 00000aae: SUB 00000aaf: SWAP1 00000ab0: LOG2 00000ab1: JUMPDEST 00000ab2: JUMPDEST 00000ab3: POP 00000ab4: POP 00000ab5: POP 00000ab6: JUMP 00000ab7: JUMPDEST 00000ab8: PUSH1 0x0b 00000aba: SLOAD 00000abb: DUP2 00000abc: JUMP 00000abd: JUMPDEST 00000abe: PUSH1 0x0c 00000ac0: SLOAD 00000ac1: DUP2 00000ac2: JUMP 00000ac3: JUMPDEST 00000ac4: PUSH1 0x06 00000ac6: SLOAD 00000ac7: DUP2 00000ac8: JUMP 00000ac9: JUMPDEST 00000aca: PUSH1 0x00 00000acc: SLOAD 00000acd: CALLER 00000ace: PUSH1 0x01 00000ad0: PUSH1 0xa0 00000ad2: PUSH1 0x02 00000ad4: EXP 00000ad5: SUB 00000ad6: SWAP1 00000ad7: DUP2 00000ad8: AND 00000ad9: SWAP2 00000ada: AND 00000adb: EQ 00000adc: PUSH2 0x0ae4 00000adf: JUMPI 00000ae0: PUSH1 0x00 00000ae2: DUP1 00000ae3: REVERT 00000ae4: JUMPDEST 00000ae5: PUSH1 0x0d 00000ae7: SLOAD 00000ae8: TIMESTAMP 00000ae9: DUP2 00000aea: SWAP1 00000aeb: LT 00000aec: ISZERO 00000aed: PUSH2 0x0af5 00000af0: JUMPI 00000af1: PUSH1 0x00 00000af3: DUP1 00000af4: REVERT 00000af5: JUMPDEST 00000af6: PUSH1 0x02 00000af8: SLOAD 00000af9: PUSH1 0x03 00000afb: SLOAD 00000afc: PUSH1 0x01 00000afe: PUSH1 0xa0 00000b00: PUSH1 0x02 00000b02: EXP 00000b03: SUB 00000b04: SWAP2 00000b05: DUP3 00000b06: AND 00000b07: SWAP2 00000b08: PUSH4 0xa9059cbb 00000b0d: SWAP2 00000b0e: AND 00000b0f: DUP3 00000b10: PUSH4 0x70a08231 00000b15: ADDRESS 00000b16: PUSH1 0x00 00000b18: PUSH1 
0x40 00000b1a: MLOAD 00000b1b: PUSH1 0x20 00000b1d: ADD 00000b1e: MSTORE 00000b1f: PUSH1 0x40 00000b21: MLOAD 00000b22: PUSH1 0xe0 00000b24: PUSH1 0x02 00000b26: EXP 00000b27: PUSH4 0xffffffff 00000b2c: DUP5 00000b2d: AND 00000b2e: MUL 00000b2f: DUP2 00000b30: MSTORE 00000b31: PUSH1 0x01 00000b33: PUSH1 0xa0 00000b35: PUSH1 0x02 00000b37: EXP 00000b38: SUB 00000b39: SWAP1 00000b3a: SWAP2 00000b3b: AND 00000b3c: PUSH1 0x04 00000b3e: DUP3 00000b3f: ADD 00000b40: MSTORE 00000b41: PUSH1 0x24 00000b43: ADD 00000b44: PUSH1 0x20 00000b46: PUSH1 0x40 00000b48: MLOAD 00000b49: DUP1 00000b4a: DUP4 00000b4b: SUB 00000b4c: DUP2 00000b4d: PUSH1 0x00 00000b4f: DUP8 00000b50: DUP1 00000b51: EXTCODESIZE 00000b52: ISZERO 00000b53: ISZERO 00000b54: PUSH2 0x0b5c 00000b57: JUMPI 00000b58: PUSH1 0x00 00000b5a: DUP1 00000b5b: REVERT 00000b5c: JUMPDEST 00000b5d: PUSH2 0x02c6 00000b60: GAS 00000b61: SUB 00000b62: CALL 00000b63: ISZERO 00000b64: ISZERO 00000b65: PUSH2 0x0b6d 00000b68: JUMPI 00000b69: PUSH1 0x00 00000b6b: DUP1 00000b6c: REVERT 00000b6d: JUMPDEST 00000b6e: POP 00000b6f: POP 00000b70: POP 00000b71: PUSH1 0x40 00000b73: MLOAD 00000b74: DUP1 00000b75: MLOAD 00000b76: SWAP1 00000b77: POP 00000b78: PUSH1 0x40 00000b7a: MLOAD 00000b7b: PUSH1 0xe0 00000b7d: PUSH1 0x02 00000b7f: EXP 00000b80: PUSH4 0xffffffff 00000b85: DUP6 00000b86: AND 00000b87: MUL 00000b88: DUP2 00000b89: MSTORE 00000b8a: PUSH1 0x01 00000b8c: PUSH1 0xa0 00000b8e: PUSH1 0x02 00000b90: EXP 00000b91: SUB 00000b92: SWAP1 00000b93: SWAP3 00000b94: AND 00000b95: PUSH1 0x04 00000b97: DUP4 00000b98: ADD 00000b99: MSTORE 00000b9a: PUSH1 0x24 00000b9c: DUP3 00000b9d: ADD 00000b9e: MSTORE 00000b9f: PUSH1 0x44 00000ba1: ADD 00000ba2: PUSH1 0x00 00000ba4: PUSH1 0x40 00000ba6: MLOAD 00000ba7: DUP1 00000ba8: DUP4 00000ba9: SUB 00000baa: DUP2 00000bab: PUSH1 0x00 00000bad: DUP8 00000bae: DUP1 00000baf: EXTCODESIZE 00000bb0: ISZERO 00000bb1: ISZERO 00000bb2: PUSH2 0x0bba 00000bb5: JUMPI 00000bb6: PUSH1 0x00 00000bb8: DUP1 
00000bb9: REVERT 00000bba: JUMPDEST 00000bbb: PUSH2 0x02c6 00000bbe: GAS 00000bbf: SUB 00000bc0: CALL 00000bc1: ISZERO 00000bc2: ISZERO 00000bc3: PUSH2 0x072f 00000bc6: JUMPI 00000bc7: PUSH1 0x00 00000bc9: DUP1 00000bca: REVERT 00000bcb: JUMPDEST 00000bcc: POP 00000bcd: POP 00000bce: POP 00000bcf: JUMPDEST 00000bd0: JUMPDEST 00000bd1: POP 00000bd2: JUMPDEST 00000bd3: JUMP 00000bd4: JUMPDEST 00000bd5: PUSH1 0x00 00000bd7: SLOAD 00000bd8: PUSH1 0x01 00000bda: PUSH1 0xa0 00000bdc: PUSH1 0x02 00000bde: EXP 00000bdf: SUB 00000be0: AND 00000be1: DUP2 00000be2: JUMP 00000be3: JUMPDEST 00000be4: PUSH1 0x05 00000be6: SLOAD 00000be7: DUP2 00000be8: JUMP 00000be9: JUMPDEST 00000bea: PUSH1 0x0a 00000bec: SLOAD 00000bed: DUP2 00000bee: JUMP 00000bef: JUMPDEST 00000bf0: PUSH1 0x0e 00000bf2: SLOAD 00000bf3: PUSH2 0x0100 00000bf6: SWAP1 00000bf7: DIV 00000bf8: PUSH1 0xff 00000bfa: AND 00000bfb: DUP2 00000bfc: JUMP 00000bfd: JUMPDEST 00000bfe: PUSH1 0x00 00000c00: SLOAD 00000c01: CALLER 00000c02: PUSH1 0x01 00000c04: PUSH1 0xa0 00000c06: PUSH1 0x02 00000c08: EXP 00000c09: SUB 00000c0a: SWAP1 00000c0b: DUP2 00000c0c: AND 00000c0d: SWAP2 00000c0e: AND 00000c0f: EQ 00000c10: PUSH2 0x0c18 00000c13: JUMPI 00000c14: PUSH1 0x00 00000c16: DUP1 00000c17: REVERT 00000c18: JUMPDEST 00000c19: PUSH1 0x01 00000c1b: PUSH1 0xa0 00000c1d: PUSH1 0x02 00000c1f: EXP 00000c20: SUB 00000c21: DUP2 00000c22: AND 00000c23: ISZERO 00000c24: PUSH2 0x0bcf 00000c27: JUMPI 00000c28: PUSH1 0x00 00000c2a: DUP1 00000c2b: SLOAD 00000c2c: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000c41: NOT 00000c42: AND 00000c43: PUSH1 0x01 00000c45: PUSH1 0xa0 00000c47: PUSH1 0x02 00000c49: EXP 00000c4a: SUB 00000c4b: DUP4 00000c4c: AND 00000c4d: OR 00000c4e: SWAP1 00000c4f: SSTORE 00000c50: JUMPDEST 00000c51: JUMPDEST 00000c52: JUMPDEST 00000c53: POP 00000c54: JUMP 00000c55: JUMPDEST 00000c56: PUSH1 0x04 00000c58: SLOAD 00000c59: DUP2 00000c5a: JUMP 00000c5b: JUMPDEST 00000c5c: PUSH1 0x02 00000c5e: SLOAD 00000c5f: 
PUSH1 0x01 00000c61: PUSH1 0xa0 00000c63: PUSH1 0x02 00000c65: EXP 00000c66: SUB 00000c67: AND 00000c68: DUP2 00000c69: JUMP 00000c6a: JUMPDEST 00000c6b: PUSH1 0x00 00000c6d: DUP3 00000c6e: DUP3 00000c6f: ADD 00000c70: DUP4 00000c71: DUP2 00000c72: LT 00000c73: ISZERO 00000c74: PUSH2 0x0c79 00000c77: JUMPI 00000c78: INVALID 00000c79: JUMPDEST 00000c7a: DUP1 00000c7b: SWAP2 00000c7c: POP 00000c7d: JUMPDEST 00000c7e: POP 00000c7f: SWAP3 00000c80: SWAP2 00000c81: POP 00000c82: POP 00000c83: JUMP 00000c84: STOP 00000c85: LOG1 00000c86: PUSH6 0x627a7a723058 00000c8d: KECCAK256 00000c8e: UNKNOWN(0xD9) 00000c8f: PUSH12 0x4bbbf973d947f445adb712f0 00000c9c: DUP15 00000c9d: XOR 00000c9e: UNKNOWN(0xBB) 00000c9f: UNKNOWN(0xC4) 00000ca0: UNKNOWN(0xB4) 00000ca1: UNKNOWN(0x0C) 00000ca2: STATICCALL 00000ca3: EQ 00000ca4: NUMBER 00000ca5: UNKNOWN(0xCA) 00000ca6: GT 00000ca7: UNKNOWN(0x21) 00000ca8: UNKNOWN(0xFC) 00000ca9: UNKNOWN(0xB9) 00000caa: SWAP3 00000cab: DUP4 00000cac: UNKNOWN(0xE6) 00000cad: UNKNOWN(0xD1) 00000cae: STOP 00000caf: UNKNOWN(0x29)
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | other | detector | Untrusted CALL target/value reachable | 60 | no | no |
trace_id: 0xcd86d78e04828c15ad28d359cf3307cac4bef3e7fd6e8487a58c372dbde94a25
call_targets:
0x5087fecec9b7386d1f2417fd779e1fd9bf509466
target_varies:
no
classification:
constant_target
validation_json:
{
"sink": "CALL",
"errors": 0,
"status": "sink_reached",
"attempts": 1,
"trace_id": "0xcd86d78e04828c15ad28d359cf3307cac4bef3e7fd6e8487a58c372dbde94a25",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0x5087fecec9b7386d1f2417fd779e1fd9bf509466"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json:
{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x18886657",
"selector": "0x18886657",
"calldata_variants": [
"0x18886657",
"0x188866570000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x2b9edee9",
"selector": "0x2b9edee9",
"calldata_variants": [
"0x2b9edee9",
"0x2b9edee90000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x3197cbb6",
"selector": "0x3197cbb6",
"calldata_variants": [
"0x3197cbb6",
"0x3197cbb60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x38af3eed",
"selector": "0x38af3eed",
"calldata_variants": [
"0x38af3eed",
"0x38af3eed0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x3ccfd60b",
"selector": "0x3ccfd60b",
"calldata_variants": [
"0x3ccfd60b",
"0x3ccfd60b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x4042b66f",
"selector": "0x4042b66f",
"calldata_variants": [
"0x4042b66f",
"0x4042b66f0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x518ab2a8",
"selector": "0x518ab2a8",
"calldata_variants": [
"0x518ab2a8",
"0x518ab2a80000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json:
{
"examples": [
{
"pc": 1449,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 1617,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 2127,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 9,
"guards_detected": [],
"untrusted_call_count": 9
}
|
| high | other | detector | ETH value transfer possible | 55 | no | no |
trace_id: 0xcd86d78e04828c15ad28d359cf3307cac4bef3e7fd6e8487a58c372dbde94a25
call_targets:
0x5087fecec9b7386d1f2417fd779e1fd9bf509466
target_varies:
no
classification:
constant_target
validation_json:
{
"sink": "CALL",
"errors": 0,
"status": "sink_reached",
"attempts": 1,
"trace_id": "0xcd86d78e04828c15ad28d359cf3307cac4bef3e7fd6e8487a58c372dbde94a25",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0x5087fecec9b7386d1f2417fd779e1fd9bf509466"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json:
{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x18886657",
"selector": "0x18886657",
"calldata_variants": [
"0x18886657",
"0x188866570000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x2b9edee9",
"selector": "0x2b9edee9",
"calldata_variants": [
"0x2b9edee9",
"0x2b9edee90000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x3197cbb6",
"selector": "0x3197cbb6",
"calldata_variants": [
"0x3197cbb6",
"0x3197cbb60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x38af3eed",
"selector": "0x38af3eed",
"calldata_variants": [
"0x38af3eed",
"0x38af3eed0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x3ccfd60b",
"selector": "0x3ccfd60b",
"calldata_variants": [
"0x3ccfd60b",
"0x3ccfd60b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x4042b66f",
"selector": "0x4042b66f",
"calldata_variants": [
"0x4042b66f",
"0x4042b66f0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x518ab2a8",
"selector": "0x518ab2a8",
"calldata_variants": [
"0x518ab2a8",
"0x518ab2a80000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json:
{
"examples": [
{
"pc": 1449,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 1617,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 2127,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 9,
"guards_detected": []
}
|
| medium | reentrancy | codex | External CALLs occur before state updates (reentrancy window) | 75 | no | — |
evidence_json:
{
"evidence": "Bytecode disassembly shows CALL followed by SSTORE in the same control flow with no guard detection. Examples: CALL at pc:0x05a9 then SSTORE at pc:0x05f3; CALL at pc:0x0651 then SSTORE at pc:0x067d; CALL at pc:0x09ca then SSTORE at pc:0x09f3. Call targets are stack-derived (computed) with EXTCODESIZE checks, indicating external interactions.",
"locations": [
"pc:0x05a9",
"pc:0x05f3",
"pc:0x0651",
"pc:0x067d",
"pc:0x09ca",
"pc:0x09f3"
],
"recommendation": "Apply checks-effects-interactions: update internal accounting before external calls, or add a reentrancy guard. Prefer STATICCALL for read-only token queries when possible.",
"exploit_scenario": "If the external CALL target (likely a token contract address loaded from storage) is malicious or upgradeable, it can reenter during the CALL and invoke state-changing entrypoints before accounting is updated. Because storage writes occur after the CALLs (e.g., mapping/counter updates), a reentrant call could bypass limits or double-count contributions. This is especially relevant for public functions that process payments/transfers."
}
|
| low | other | codex | ERC20 low-level CALLs do not validate return data | 65 | no | — |
evidence_json:
{
"evidence": "Bytecode constructs calldata for selectors (e.g., `0xa9059cbb`, `0xa521ebfa`, `0x70a08231`) and performs CALLs with `ISZERO ISZERO` success checks only; no `RETURNDATASIZE/RETURNDATACOPY`-based boolean validation is present around these callsites.",
"locations": [
"pc:0x0651",
"pc:0x08cc",
"pc:0x092a",
"pc:0x0a65",
"pc:0x0b62",
"pc:0x0bc0",
"selector:0xa9059cbb",
"selector:0xa521ebfa",
"selector:0x70a08231"
],
"recommendation": "Adopt a SafeERC20-style check: accept empty return data or explicitly decode a boolean `true` response; otherwise revert.",
"exploit_scenario": "If the token returns `false` without reverting (or returns malformed data), these CALLs will still be treated as success because only the CALL success flag is checked. This can lead to accounting mismatches where state updates/logs proceed but tokens were not actually transferred."
}
|
| info | other | cast | Heavy EXTCODE*/BALANCE usage | 55 | no | — |
evidence_json:
{
"notes": "frequent external code or balance checks; may indicate introspection or validation logic",
"ext_balance_count": 7
}
|