019bb490-f311-7387-a624-2ced8b0052f8
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 40011 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 40012 | proxy.resolve | complete | 1 / 3 | 3 months ago |
| 40013 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 40014 | analysis.bundle | complete | 1 / 3 | 3 months ago |
| 40015 | capability.graph | complete | 1 / 3 | 3 months ago |
| 40016 | detector.run | complete | 1 / 3 | 3 months ago |
| 40017 | validation.fork | complete | 1 / 3 | 3 months ago |
| 40183 | report.consolidate | complete | 1 / 6 | 3 months ago |
| 40184 | tool.slither | complete | 1 / 2 | 3 months ago |
{
"method": "etherscan+onchain",
"status": "confirmed",
"etherscan_hint": {
"source": "etherscan",
"etherscan": {
"proxy_flag": true,
"implementation": "0x0b9f13ffab8448089f50073cf24bbe5c7bd8675a"
}
},
"implementation": "0x0b9f13ffab8448089f50073cf24bbe5c7bd8675a",
"onchain_method": "eip1967"
}
'forge clean' running (wd: /tmp/slither-yg9kpq59)
'forge config --json' running
'forge build --build-info --skip ./test/** ./script/** --force' running (wd: /tmp/slither-yg9kpq59)
TransparentUpgradeableProxy.upgradeToAndCall(address,bytes) (contracts/Contract.sol#368-373) uses delegatecall to a input-controlled function id
- (success,None) = newImplementation.delegatecall(data) (contracts/Contract.sol#370-371)
UpgradeableProxy.constructor(address,bytes) (contracts/Contract.sol#219-224) uses delegatecall to a input-controlled function id
- (success,None) = _logic.delegatecall(_data) (contracts/Contract.sol#223)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#controlled-delegatecall
TransparentUpgradeableProxy.admin() (contracts/Contract.sol#327-329) calls TransparentUpgradeableProxy.ifAdmin() (contracts/Contract.sol#310-313) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Contract.sol#160-161)
TransparentUpgradeableProxy.implementation() (contracts/Contract.sol#339-341) calls TransparentUpgradeableProxy.ifAdmin() (contracts/Contract.sol#310-313) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Contract.sol#160-161)
TransparentUpgradeableProxy.changeAdmin(address) (contracts/Contract.sol#343-351) calls TransparentUpgradeableProxy.ifAdmin() (contracts/Contract.sol#310-313) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Contract.sol#160-161)
TransparentUpgradeableProxy.upgradeTo(address) (contracts/Contract.sol#355-356) calls TransparentUpgradeableProxy.ifAdmin() (contracts/Contract.sol#310-313) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Contract.sol#160-161)
TransparentUpgradeableProxy.upgradeToAndCall(address,bytes) (contracts/Contract.sol#368-373) calls TransparentUpgradeableProxy.ifAdmin() (contracts/Contract.sol#310-313) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Contract.sol#160-161)
TransparentUpgradeableProxy.ifAdmin() (contracts/Contract.sol#310-313) calls Proxy._fallback() (contracts/Contract.sol#173-175) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Contract.sol#160-161)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-return-in-assembly
TransparentUpgradeableProxy.constructor(address,address,bytes)._admin (contracts/Contract.sol#295) shadows:
- TransparentUpgradeableProxy._admin() (contracts/Contract.sol#373-377) (function)
Tokenlon.constructor(address,address,bytes)._admin (contracts/Contract.sol#402) shadows:
- TransparentUpgradeableProxy._admin() (contracts/Contract.sol#373-377) (function)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#local-variable-shadowing
TransparentUpgradeableProxy.upgradeToAndCall(address,bytes).newImplementation (contracts/Contract.sol#369) lacks a zero-check on :
- (success,None) = newImplementation.delegatecall(data) (contracts/Contract.sol#370-371)
UpgradeableProxy.constructor(address,bytes)._logic (contracts/Contract.sol#219) lacks a zero-check on :
- (success,None) = _logic.delegatecall(_data) (contracts/Contract.sol#223)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#missing-zero-address-validation
Modifier TransparentUpgradeableProxy.ifAdmin() (contracts/Contract.sol#310-313) does not always execute _; or revert
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-modifier
Address.isContract(address) (contracts/Contract.sol#23-31) uses assembly
- INLINE ASM (contracts/Contract.sol#30-31)
Address._functionCallWithValue(address,bytes,uint256,string) (contracts/Contract.sol#107-123) uses assembly
- INLINE ASM (contracts/Contract.sol#119-122)
Proxy._delegate(address) (contracts/Contract.sol#145-162) uses assembly
- INLINE ASM (contracts/Contract.sol#147-161)
UpgradeableProxy._implementation() (contracts/Contract.sol#238-244) uses assembly
- INLINE ASM (contracts/Contract.sol#242-243)
UpgradeableProxy._setImplementation(address) (contracts/Contract.sol#255-264) uses assembly
- INLINE ASM (contracts/Contract.sol#263-264)
TransparentUpgradeableProxy._admin() (contracts/Contract.sol#373-377) uses assembly
- INLINE ASM (contracts/Contract.sol#376-377)
TransparentUpgradeableProxy._setAdmin(address) (contracts/Contract.sol#379-386) uses assembly
- INLINE ASM (contracts/Contract.sol#385-386)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#assembly-usage
2 different versions of Solidity are used:
- Version constraint ^0.6.2 is used by:
-^0.6.2 (contracts/Contract.sol#2-3)
- Version constraint ^0.6.0 is used by:
-^0.6.0 (contracts/Contract.sol#125-126)
-^0.6.0 (contracts/Contract.sol#197-199)
-^0.6.0 (contracts/Contract.sol#264-265)
-^0.6.0 (contracts/Contract.sol#398)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#different-pragma-directives-are-used
Version constraint ^0.6.2 contains known severe issues (https://solidity.readthedocs.io/en/latest/bugs.html)
- MissingSideEffectsOnSelectorAccess
- AbiReencodingHeadOverflowWithStaticArrayCleanup
- DirtyBytesArrayToStorage
- NestedCalldataArrayAbiReencodingSizeValidation
- ABIDecodeTwoDimensionalArrayMemory
- KeccakCaching
- EmptyByteArrayCopy
- DynamicArrayCleanup
- MissingEscapingInFormatting
- ArraySliceDynamicallyEncodedBaseType
- ImplicitConstructorCallvalueCheck
- TupleAssignmentMultiStackSlotComponents
- MemoryArrayCreationOverflow.
It is used by:
- ^0.6.2 (contracts/Contract.sol#2-3)
Version constraint ^0.6.0 contains known severe issues (https://solidity.readthedocs.io/en/latest/bugs.html)
- AbiReencodingHeadOverflowWithStaticArrayCleanup
- DirtyBytesArrayToStorage
- NestedCalldataArrayAbiReencodingSizeValidation
- ABIDecodeTwoDimensionalArrayMemory
- KeccakCaching
- EmptyByteArrayCopy
- DynamicArrayCleanup
- MissingEscapingInFormatting
- ArraySliceDynamicallyEncodedBaseType
- ImplicitConstructorCallvalueCheck
- TupleAssignmentMultiStackSlotComponents
- MemoryArrayCreationOverflow
- YulOptimizerRedundantAssignmentBreakContinue.
It is used by:
- ^0.6.0 (contracts/Contract.sol#125-126)
- ^0.6.0 (contracts/Contract.sol#197-199)
- ^0.6.0 (contracts/Contract.sol#264-265)
- ^0.6.0 (contracts/Contract.sol#398)
solc-0.6.2 is an outdated solc version. Use a more recent version (at least 0.8.0), if possible.
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-versions-of-solidity
Low level call in Address.sendValue(address,uint256) (contracts/Contract.sol#48-54):
- (success,None) = recipient.call{value: amount}() (contracts/Contract.sol#52-53)
Low level call in Address._functionCallWithValue(address,bytes,uint256,string) (contracts/Contract.sol#107-123):
- (success,returndata) = target.call{value: weiValue}(data) (contracts/Contract.sol#111-112)
Low level call in UpgradeableProxy.constructor(address,bytes) (contracts/Contract.sol#219-224):
- (success,None) = _logic.delegatecall(_data) (contracts/Contract.sol#223)
Low level call in TransparentUpgradeableProxy.upgradeToAndCall(address,bytes) (contracts/Contract.sol#368-373):
- (success,None) = newImplementation.delegatecall(data) (contracts/Contract.sol#370-371)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#low-level-calls
. analyzed (5 contracts with 100 detectors), 28 result(s) found
{
"solc": {
"status": "ok",
"use_rc": 0,
"version": "0.6.2",
"strategy": "solc-select",
"solc_path": "/var/www/tripwire/.venv/bin/solc",
"install_rc": 0,
"use_stderr": null,
"use_stdout": "Switched global version to 0.6.2",
"install_stderr": null,
"install_stdout": "Version '0.6.2' is already installed, skipping..."
},
"solc_args": "--base-path /tmp/slither-yg9kpq59 --allow-paths /tmp/slither-yg9kpq59,/tmp/slither-yg9kpq59/lib,/tmp/slither-yg9kpq59/src",
"remappings": [],
"source_files": [
"contracts/Contract.sol"
],
"contract_count": 0,
"contract_names": [],
"detector_count": 28,
"workspace_hash": "86035064c0ea7501d8fec0d337594f213d76036a05d89295a1b1a3497478c4be",
"duration_seconds": 0.5190434455871582,
"solc_version_requested": "0.6.12"
}
{"no_findings":false,"summary":"Unprotected initializer lets the first caller seize operator control if the proxy/implementation storage is still uninitialized.","findings":[{"severity":"high","category":"access_control","title":"Initializer can be called by anyone to become operator","exploit_scenario":"If the proxy storage is not initialized, any external account can call `initialize` first, set themselves as `operator`, and then use operator-only functions to change module addresses and enable/disable trading paths, effectively taking control.","recommendation":"Protect initialization with a dedicated initializer guard (e.g., OpenZeppelin Initializable), and restrict it to a trusted deployer/owner or the proxy admin. Ensure initialization is performed atomically at deployment.","evidence":"`initialize` is `external` and lacks access control; it only checks that `version` is empty before setting `operator`.","locations":["contracts/UserProxy.sol:60"]}]}
OpenAI Codex v0.77.0 (research preview)
--------
workdir: /tmp/codex-plwppptq
model: gpt-5.2-codex
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: auto
session id: 019bb493-7a0f-77f3-acd1-678c11168896
--------
user
Context: The user requested the proxy at 0x03f34be1bf910116595db1b11e9d1b2ca5d59659.
Audit the implementation at 0x0b9f13ffab8448089f50073cf24bbe5c7bd8675a.
Findings should refer to the implementation unless explicitly about proxy mechanics.
You are a security auditor. Audit this Solidity codebase for exploitable vulnerabilities.
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation, oracle manipulation,
accounting/invariant breaks, external call patterns, unchecked return values, and dangerous delegatecall.
Scope rules:
- You MUST fully read `AUDIT_BUNDLE.txt` before concluding. It contains the complete contents of all first-party Solidity sources in this workspace.
- Treat `lib/` and `@openzeppelin/` as third-party dependencies; skip them unless there is a concrete misuse angle in first-party code.
- If there are only dependency files and no first-party sources, set no_findings=true and explain in summary.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title and file/line locations when possible.
Output constraints (IMPORTANT):
- severity MUST be exactly one of: info, low, medium, high, critical (lowercase).
- category MUST be exactly one of: access_control, reentrancy, math, oracle, upgradeability, auth, other.
Keep summary short and concrete.
mcp startup: no servers
thinking
**Reading AUDIT_BUNDLE file**
exec
/bin/bash -lc 'cat AUDIT_BUNDLE.txt' in /tmp/codex-plwppptq succeeded in 7ms:
This file concatenates the full contents of first-party Solidity sources for auditing.
Do not treat dependency code under lib/ or @openzeppelin/ as first-party.
================================================================================
FILE: contracts/UserProxy.sol
================================================================================
// SPDX-License-Identifier: MIT
pragma solidity 0.7.6;
pragma abicoder v2;
import "./utils/UserProxyStorage.sol";
import "./utils/Multicall.sol";
/**
* @dev UserProxy contract
*/
contract UserProxy is Multicall {
// Below are the variables which consume storage slots.
address public operator;
string public version; // Current version of the contract
thinking
**Reviewing proxy initialization vulnerabilities**
exec
/bin/bash -lc "nl -ba contracts/UserProxy.sol | sed -n '35,90p'" in /tmp/codex-plwppptq succeeded in 10ms:
35 *************************************************************/
36 modifier onlyOperator() {
37 require(operator == msg.sender, "UserProxy: not the operator");
38 _;
39 }
40
41 function nominateNewOperator(address _newOperator) external onlyOperator {
42 require(_newOperator != address(0), "UserProxy: operator can not be zero address");
43 nominatedOperator = _newOperator;
44
45 emit OperatorNominated(_newOperator);
46 }
47
48 function acceptOwnership() external {
49 require(msg.sender == nominatedOperator, "UserProxy: not nominated");
50 emit OperatorChanged(operator, nominatedOperator);
51
52 operator = nominatedOperator;
53 nominatedOperator = address(0);
54 }
thinking
**Preparing final JSON structure**
codex
{"no_findings":false,"summary":"Unprotected initializer lets the first caller seize operator control if the proxy/implementation storage is still uninitialized.","findings":[{"severity":"high","category":"access_control","title":"Initializer can be called by anyone to become operator","exploit_scenario":"If the proxy storage is not initialized, any external account can call `initialize` first, set themselves as `operator`, and then use operator-only functions to change module addresses and enable/disable trading paths, effectively taking control.","recommendation":"Protect initialization with a dedicated initializer guard (e.g., OpenZeppelin Initializable), and restrict it to a trusted deployer/owner or the proxy admin. Ensure initialization is performed atomically at deployment.","evidence":"`initialize` is `external` and lacks access control; it only checks that `version` is empty before setting `operator`.","locations":["contracts/UserProxy.sol:60"]}]}
tokens used
10,525
{
"codex": {
"ran_at": "2026-01-12T23:39:12.869713+00:00",
"returncode": 0
},
"project": {
"mode": "source",
"file_count": 4,
"import_count": 3,
"first_party_contracts_count": 4
},
"summary": "Unprotected initializer lets the first caller seize operator control if the proxy/implementation storage is still uninitialized.",
"raw_final": {
"summary": "Unprotected initializer lets the first caller seize operator control if the proxy/implementation storage is still uninitialized.",
"findings": [
{
"title": "Initializer can be called by anyone to become operator",
"category": "access_control",
"evidence": "`initialize` is `external` and lacks access control; it only checks that `version` is empty before setting `operator`.",
"severity": "high",
"locations": [
"contracts/UserProxy.sol:60"
],
"recommendation": "Protect initialization with a dedicated initializer guard (e.g., OpenZeppelin Initializable), and restrict it to a trusted deployer/owner or the proxy admin. Ensure initialization is performed atomically at deployment.",
"exploit_scenario": "If the proxy storage is not initialized, any external account can call `initialize` first, set themselves as `operator`, and then use operator-only functions to change module addresses and enable/disable trading paths, effectively taking control."
}
],
"no_findings": false
},
"no_findings": false,
"proxy_context": {
"proxy_run_id": "019bb490-f311-7387-a624-2ced8b0052f8",
"proxy_address": "0x03f34be1bf910116595db1b11e9d1b2ca5d59659",
"implementation_run_id": "019bb491-169f-736c-a71d-6f79af8f0433",
"implementation_address": "0x0b9f13ffab8448089f50073cf24bbe5c7bd8675a"
},
"schema_version": 1
}
00000000: PUSH1 0x80 00000002: PUSH1 0x40 00000004: MSTORE 00000005: PUSH1 0x04 00000007: CALLDATASIZE 00000008: LT 00000009: PUSH2 0x005e 0000000c: JUMPI 0000000d: PUSH1 0x00 0000000f: CALLDATALOAD 00000010: PUSH1 0xe0 00000012: SHR 00000013: DUP1 00000014: PUSH4 0x5c60da1b 00000019: GT 0000001a: PUSH2 0x0043 0000001d: JUMPI 0000001e: DUP1 0000001f: PUSH4 0x5c60da1b 00000024: EQ 00000025: PUSH2 0x0128 00000028: JUMPI 00000029: DUP1 0000002a: PUSH4 0x8f283970 0000002f: EQ 00000030: PUSH2 0x0159 00000033: JUMPI 00000034: DUP1 00000035: PUSH4 0xf851a440 0000003a: EQ 0000003b: PUSH2 0x018c 0000003e: JUMPI 0000003f: PUSH2 0x006d 00000042: JUMP 00000043: JUMPDEST 00000044: DUP1 00000045: PUSH4 0x3659cfe6 0000004a: EQ 0000004b: PUSH2 0x0075 0000004e: JUMPI 0000004f: DUP1 00000050: PUSH4 0x4f1ef286 00000055: EQ 00000056: PUSH2 0x00a8 00000059: JUMPI 0000005a: PUSH2 0x006d 0000005d: JUMP 0000005e: JUMPDEST 0000005f: CALLDATASIZE 00000060: PUSH2 0x006d 00000063: JUMPI 00000064: PUSH2 0x006b 00000067: PUSH2 0x01a1 0000006a: JUMP 0000006b: JUMPDEST 0000006c: STOP 0000006d: JUMPDEST 0000006e: PUSH2 0x006b 00000071: PUSH2 0x01a1 00000074: JUMP 00000075: JUMPDEST 00000076: CALLVALUE 00000077: DUP1 00000078: ISZERO 00000079: PUSH2 0x0081 0000007c: JUMPI 0000007d: PUSH1 0x00 0000007f: DUP1 00000080: REVERT 00000081: JUMPDEST 00000082: POP 00000083: PUSH2 0x006b 00000086: PUSH1 0x04 00000088: DUP1 00000089: CALLDATASIZE 0000008a: SUB 0000008b: PUSH1 0x20 0000008d: DUP2 0000008e: LT 0000008f: ISZERO 00000090: PUSH2 0x0098 00000093: JUMPI 00000094: PUSH1 0x00 00000096: DUP1 00000097: REVERT 00000098: JUMPDEST 00000099: POP 0000009a: CALLDATALOAD 0000009b: PUSH1 0x01 0000009d: PUSH1 0x01 0000009f: PUSH1 0xa0 000000a1: SHL 000000a2: SUB 000000a3: AND 000000a4: PUSH2 0x01bb 000000a7: JUMP 000000a8: JUMPDEST 000000a9: PUSH2 0x006b 000000ac: PUSH1 0x04 000000ae: DUP1 000000af: CALLDATASIZE 000000b0: SUB 000000b1: PUSH1 0x40 000000b3: DUP2 000000b4: LT 000000b5: ISZERO 000000b6: PUSH2 0x00be 000000b9: JUMPI 000000ba: PUSH1 0x00 000000bc: DUP1 000000bd: REVERT 000000be: JUMPDEST 000000bf: PUSH1 0x01 000000c1: PUSH1 0x01 000000c3: PUSH1 0xa0 000000c5: SHL 000000c6: SUB 000000c7: DUP3 000000c8: CALLDATALOAD 000000c9: AND 000000ca: SWAP2 000000cb: SWAP1 000000cc: DUP2 000000cd: ADD 000000ce: SWAP1 000000cf: PUSH1 0x40 000000d1: DUP2 000000d2: ADD 000000d3: PUSH1 0x20 000000d5: DUP3 000000d6: ADD 000000d7: CALLDATALOAD 000000d8: PUSH5 0x0100000000 000000de: DUP2 000000df: GT 000000e0: ISZERO 000000e1: PUSH2 0x00e9 000000e4: JUMPI 000000e5: PUSH1 0x00 000000e7: DUP1 000000e8: REVERT 000000e9: JUMPDEST 000000ea: DUP3 000000eb: ADD 000000ec: DUP4 000000ed: PUSH1 0x20 000000ef: DUP3 000000f0: ADD 000000f1: GT 000000f2: ISZERO 000000f3: PUSH2 0x00fb 000000f6: JUMPI 000000f7: PUSH1 0x00 000000f9: DUP1 000000fa: REVERT 000000fb: JUMPDEST 000000fc: DUP1 000000fd: CALLDATALOAD 000000fe: SWAP1 000000ff: PUSH1 0x20 00000101: ADD 00000102: SWAP2 00000103: DUP5 00000104: PUSH1 0x01 00000106: DUP4 00000107: MUL 00000108: DUP5 00000109: ADD 0000010a: GT 0000010b: PUSH5 0x0100000000 00000111: DUP4 00000112: GT 00000113: OR 00000114: ISZERO 00000115: PUSH2 0x011d 00000118: JUMPI 00000119: PUSH1 0x00 0000011b: DUP1 0000011c: REVERT 0000011d: JUMPDEST 0000011e: POP 0000011f: SWAP1 00000120: SWAP3 00000121: POP 00000122: SWAP1 00000123: POP 00000124: PUSH2 0x01f5 00000127: JUMP 00000128: JUMPDEST 00000129: CALLVALUE 0000012a: DUP1 0000012b: ISZERO 0000012c: PUSH2 0x0134 0000012f: JUMPI 00000130: PUSH1 0x00 00000132: DUP1 00000133: REVERT 00000134: JUMPDEST 00000135: POP 00000136: PUSH2 0x013d 00000139: PUSH2 0x02a2 0000013c: JUMP 0000013d: JUMPDEST 0000013e: PUSH1 0x40 00000140: DUP1 00000141: MLOAD 00000142: PUSH1 0x01 00000144: PUSH1 0x01 00000146: PUSH1 0xa0 00000148: SHL 00000149: SUB 0000014a: SWAP1 0000014b: SWAP3 0000014c: AND 0000014d: DUP3 0000014e: MSTORE 0000014f: MLOAD 00000150: SWAP1 00000151: DUP2 00000152: SWAP1 00000153: SUB 00000154: PUSH1 0x20 00000156: ADD 00000157: SWAP1 00000158: RETURN 00000159: JUMPDEST 0000015a: CALLVALUE 0000015b: DUP1 0000015c: ISZERO 0000015d: PUSH2 0x0165 00000160: JUMPI 00000161: PUSH1 0x00 00000163: DUP1 00000164: REVERT 00000165: JUMPDEST 00000166: POP 00000167: PUSH2 0x006b 0000016a: PUSH1 0x04 0000016c: DUP1 0000016d: CALLDATASIZE 0000016e: SUB 0000016f: PUSH1 0x20 00000171: DUP2 00000172: LT 00000173: ISZERO 00000174: PUSH2 0x017c 00000177: JUMPI 00000178: PUSH1 0x00 0000017a: DUP1 0000017b: REVERT 0000017c: JUMPDEST 0000017d: POP 0000017e: CALLDATALOAD 0000017f: PUSH1 0x01 00000181: PUSH1 0x01 00000183: PUSH1 0xa0 00000185: SHL 00000186: SUB 00000187: AND 00000188: PUSH2 0x02df 0000018b: JUMP 0000018c: JUMPDEST 0000018d: CALLVALUE 0000018e: DUP1 0000018f: ISZERO 00000190: PUSH2 0x0198 00000193: JUMPI 00000194: PUSH1 0x00 00000196: DUP1 00000197: REVERT 00000198: JUMPDEST 00000199: POP 0000019a: PUSH2 0x013d 0000019d: PUSH2 0x0399 000001a0: JUMP 000001a1: JUMPDEST 000001a2: PUSH2 0x01a9 000001a5: PUSH2 0x03ca 000001a8: JUMP 000001a9: JUMPDEST 000001aa: PUSH2 0x01b9 000001ad: PUSH2 0x01b4 000001b0: PUSH2 0x042a 000001b3: JUMP 000001b4: JUMPDEST 000001b5: PUSH2 0x044f 000001b8: JUMP 000001b9: JUMPDEST 000001ba: JUMP 000001bb: JUMPDEST 000001bc: PUSH2 0x01c3 000001bf: PUSH2 0x0473 000001c2: JUMP 000001c3: JUMPDEST 000001c4: PUSH1 0x01 000001c6: PUSH1 0x01 000001c8: PUSH1 0xa0 000001ca: SHL 000001cb: SUB 000001cc: AND 000001cd: CALLER 000001ce: PUSH1 0x01 000001d0: PUSH1 0x01 000001d2: PUSH1 0xa0 000001d4: SHL 000001d5: SUB 000001d6: AND 000001d7: EQ 000001d8: ISZERO 000001d9: PUSH2 0x01ea 000001dc: JUMPI 000001dd: PUSH2 0x01e5 000001e0: DUP2 000001e1: PUSH2 0x0498 000001e4: JUMP 000001e5: JUMPDEST 000001e6: PUSH2 0x01f2 000001e9: JUMP 000001ea: JUMPDEST 000001eb: PUSH2 0x01f2 000001ee: PUSH2 0x01a1 000001f1: JUMP 000001f2: JUMPDEST 000001f3: POP 000001f4: JUMP 000001f5: JUMPDEST 000001f6: PUSH2 0x01fd 000001f9: PUSH2 0x0473 000001fc: JUMP 000001fd: JUMPDEST 000001fe: PUSH1 0x01 00000200: PUSH1 0x01 00000202: PUSH1 0xa0 00000204: SHL 00000205: SUB 00000206: AND 00000207: CALLER 00000208: PUSH1 0x01 0000020a: PUSH1 0x01 0000020c: PUSH1 0xa0 0000020e: SHL 0000020f: SUB 00000210: AND 00000211: EQ 00000212: ISZERO 00000213: PUSH2 0x0295 00000216: JUMPI 00000217: PUSH2 0x021f 0000021a: DUP4 0000021b: PUSH2 0x0498 0000021e: JUMP 0000021f: JUMPDEST 00000220: PUSH1 0x00 00000222: DUP4 00000223: PUSH1 0x01 00000225: PUSH1 0x01 00000227: PUSH1 0xa0 00000229: SHL 0000022a: SUB 0000022b: AND 0000022c: DUP4 0000022d: DUP4 0000022e: PUSH1 0x40 00000230: MLOAD 00000231: DUP1 00000232: DUP4 00000233: DUP4 00000234: DUP1 00000235: DUP3 00000236: DUP5 00000237: CALLDATACOPY 00000238: PUSH1 0x40 0000023a: MLOAD 0000023b: SWAP3 0000023c: ADD 0000023d: SWAP5 0000023e: POP 0000023f: PUSH1 0x00 00000241: SWAP4 00000242: POP 00000243: SWAP1 00000244: SWAP2 00000245: POP 00000246: POP 00000247: DUP1 00000248: DUP4 00000249: SUB 0000024a: DUP2 0000024b: DUP6 0000024c: GAS 0000024d: DELEGATECALL 0000024e: SWAP2 0000024f: POP 00000250: POP 00000251: RETURNDATASIZE 00000252: DUP1 00000253: PUSH1 0x00 00000255: DUP2 00000256: EQ 00000257: PUSH2 0x027c 0000025a: JUMPI 0000025b: PUSH1 0x40 0000025d: MLOAD 0000025e: SWAP2 0000025f: POP 00000260: PUSH1 0x1f 00000262: NOT 00000263: PUSH1 0x3f 00000265: RETURNDATASIZE 00000266: ADD 00000267: AND 00000268: DUP3 00000269: ADD 0000026a: PUSH1 0x40 0000026c: MSTORE 0000026d: RETURNDATASIZE 0000026e: DUP3 0000026f: MSTORE 00000270: RETURNDATASIZE 00000271: PUSH1 0x00 00000273: PUSH1 0x20 00000275: DUP5 00000276: ADD 00000277: RETURNDATACOPY 00000278: PUSH2 0x0281 0000027b: JUMP 0000027c: JUMPDEST 0000027d: PUSH1 0x60 0000027f: SWAP2 00000280: POP 00000281: JUMPDEST 00000282: POP 00000283: POP 00000284: SWAP1 00000285: POP 00000286: DUP1 00000287: PUSH2 0x028f 0000028a: JUMPI 0000028b: PUSH1 0x00 0000028d: DUP1 0000028e: REVERT 0000028f: JUMPDEST 00000290: POP 00000291: PUSH2 0x029d 00000294: JUMP 00000295: JUMPDEST 00000296: PUSH2 0x029d 00000299: PUSH2 0x01a1 0000029c: JUMP 0000029d: JUMPDEST 0000029e: POP 0000029f: POP 000002a0: POP 000002a1: JUMP 000002a2: JUMPDEST 000002a3: PUSH1 0x00 000002a5: PUSH2 0x02ac 000002a8: PUSH2 0x0473 000002ab: JUMP 000002ac: JUMPDEST 000002ad: PUSH1 0x01 000002af: PUSH1 0x01 000002b1: PUSH1 0xa0 000002b3: SHL 000002b4: SUB 000002b5: AND 000002b6: CALLER 000002b7: PUSH1 0x01 000002b9: PUSH1 0x01 000002bb: PUSH1 0xa0 000002bd: SHL 000002be: SUB 000002bf: AND 000002c0: EQ 000002c1: ISZERO 000002c2: PUSH2 0x02d4 000002c5: JUMPI 000002c6: PUSH2 0x02cd 000002c9: PUSH2 0x042a 000002cc: JUMP 000002cd: JUMPDEST 000002ce: SWAP1 000002cf: POP 000002d0: PUSH2 0x02dc 000002d3: JUMP 000002d4: JUMPDEST 000002d5: PUSH2 0x02dc 000002d8: PUSH2 0x01a1 000002db: JUMP 000002dc: JUMPDEST 000002dd: SWAP1 000002de: JUMP 000002df: JUMPDEST 000002e0: PUSH2 0x02e7 000002e3: PUSH2 0x0473 000002e6: JUMP 000002e7: JUMPDEST 000002e8: PUSH1 0x01 000002ea: PUSH1 0x01 000002ec: PUSH1 0xa0 000002ee: SHL 000002ef: SUB 000002f0: AND 000002f1: CALLER 000002f2: PUSH1 0x01 000002f4: PUSH1 0x01 000002f6: PUSH1 0xa0 000002f8: SHL 000002f9: SUB 000002fa: AND 000002fb: EQ 000002fc: ISZERO 000002fd: PUSH2 0x01ea 00000300: JUMPI 00000301: PUSH1 0x01 00000303: PUSH1 0x01 00000305: PUSH1 0xa0 00000307: SHL 00000308: SUB 00000309: DUP2 0000030a: AND 0000030b: PUSH2 0x0345 0000030e: JUMPI 0000030f: PUSH1 0x40 00000311: MLOAD 00000312: PUSH3 0x461bcd 00000316: PUSH1 0xe5 00000318: SHL 00000319: DUP2 0000031a: MSTORE 0000031b: PUSH1 0x04 0000031d: ADD 0000031e: DUP1 0000031f: DUP1 00000320: PUSH1 0x20 00000322: ADD 00000323: DUP3 00000324: DUP2 00000325: SUB 00000326: DUP3 00000327: MSTORE 00000328: PUSH1 0x3a 0000032a: DUP2 0000032b: MSTORE 0000032c: PUSH1 0x20 0000032e: ADD 0000032f: DUP1 00000330: PUSH2 0x0565 00000333: PUSH1 0x3a 00000335: SWAP2 00000336: CODECOPY 00000337: PUSH1 0x40 00000339: ADD 0000033a: SWAP2 0000033b: POP 0000033c: POP 0000033d: PUSH1 0x40 0000033f: MLOAD 00000340: DUP1 00000341: SWAP2 00000342: SUB 00000343: SWAP1 00000344: REVERT 00000345: JUMPDEST 00000346: PUSH32 0x7e644d79422f17c01e4894b5f4f588d331ebfa28653d42ae832dc59e38c9798f 00000367: PUSH2 0x036e 0000036a: PUSH2 0x0473 0000036d: JUMP 0000036e: JUMPDEST 0000036f: PUSH1 0x40 00000371: DUP1 00000372: MLOAD 00000373: PUSH1 0x01 00000375: PUSH1 0x01 00000377: PUSH1 0xa0 00000379: SHL 0000037a: SUB 0000037b: SWAP3 0000037c: DUP4 0000037d: AND 0000037e: DUP2 0000037f: MSTORE 00000380: SWAP2 00000381: DUP5 00000382: AND 00000383: PUSH1 0x20 00000385: DUP4 00000386: ADD 00000387: MSTORE 00000388: DUP1 00000389: MLOAD 0000038a: SWAP2 0000038b: DUP3 0000038c: SWAP1 0000038d: SUB 0000038e: ADD 0000038f: SWAP1 00000390: LOG1 00000391: PUSH2 0x01e5 00000394: DUP2 00000395: PUSH2 0x04d8 00000398: JUMP 00000399: JUMPDEST 0000039a: PUSH1 0x00 0000039c: PUSH2 0x03a3 0000039f: PUSH2 0x0473 000003a2: JUMP 000003a3: JUMPDEST 000003a4: PUSH1 0x01 000003a6: PUSH1 0x01 000003a8: PUSH1 0xa0 000003aa: SHL 000003ab: SUB 000003ac: AND 000003ad: CALLER 000003ae: PUSH1 0x01 000003b0: PUSH1 0x01 000003b2: PUSH1 0xa0 000003b4: SHL 000003b5: SUB 000003b6: AND 000003b7: EQ 000003b8: ISZERO 000003b9: PUSH2 0x02d4 000003bc: JUMPI 000003bd: PUSH2 0x02cd 000003c0: PUSH2 0x0473 000003c3: JUMP 000003c4: JUMPDEST 000003c5: EXTCODESIZE 000003c6: ISZERO 000003c7: ISZERO 000003c8: SWAP1 000003c9: JUMP 000003ca: JUMPDEST 000003cb: PUSH2 0x03d2 000003ce: PUSH2 0x0473 000003d1: JUMP 000003d2: JUMPDEST 000003d3: PUSH1 0x01 000003d5: PUSH1 0x01 000003d7: PUSH1 0xa0 000003d9: SHL 000003da: SUB 000003db: AND 000003dc: CALLER 000003dd: PUSH1 0x01 000003df: PUSH1 0x01 000003e1: PUSH1 0xa0 000003e3: SHL 000003e4: SUB 000003e5: AND 000003e6: EQ 000003e7: ISZERO 000003e8: PUSH2 0x0422 000003eb: JUMPI 000003ec: PUSH1 0x40 000003ee: MLOAD 000003ef: PUSH3 0x461bcd 000003f3: PUSH1 0xe5 000003f5: SHL 000003f6: DUP2 000003f7: MSTORE 000003f8: PUSH1 0x04 000003fa: ADD 000003fb: DUP1 000003fc: DUP1 000003fd: PUSH1 0x20 000003ff: ADD 00000400: DUP3 00000401: DUP2 00000402: SUB 00000403: DUP3 00000404: MSTORE 00000405: PUSH1 0x42 00000407: DUP2 00000408: MSTORE 00000409: PUSH1 0x20 0000040b: ADD 0000040c: DUP1 0000040d: PUSH2 0x05d5 00000410: PUSH1 0x42 00000412: SWAP2 00000413: CODECOPY 00000414: PUSH1 0x60 00000416: ADD 00000417: SWAP2 00000418: POP 00000419: POP 0000041a: PUSH1 0x40 0000041c: MLOAD 0000041d: DUP1 0000041e: SWAP2 0000041f: SUB 00000420: SWAP1 00000421: REVERT 00000422: JUMPDEST 00000423: PUSH2 0x01b9 00000426: PUSH2 0x01b9 00000429: JUMP 0000042a: JUMPDEST 0000042b: PUSH32 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc 0000044c: SLOAD 0000044d: SWAP1 0000044e: JUMP 0000044f: JUMPDEST 00000450: CALLDATASIZE 00000451: PUSH1 0x00 00000453: DUP1 00000454: CALLDATACOPY 00000455: PUSH1 0x00 00000457: DUP1 00000458: CALLDATASIZE 00000459: PUSH1 0x00 0000045b: DUP5 0000045c: GAS 0000045d: DELEGATECALL 0000045e: RETURNDATASIZE 0000045f: PUSH1 0x00 00000461: DUP1 00000462: RETURNDATACOPY 00000463: DUP1 00000464: DUP1 00000465: ISZERO 00000466: PUSH2 0x046e 00000469: JUMPI 0000046a: RETURNDATASIZE 0000046b: PUSH1 0x00 0000046d: RETURN 0000046e: JUMPDEST 0000046f: RETURNDATASIZE 00000470: PUSH1 0x00 00000472: REVERT 00000473: JUMPDEST 00000474: PUSH32 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103 00000495: SLOAD 00000496: SWAP1 00000497: JUMP 00000498: JUMPDEST 00000499: PUSH2 0x04a1 0000049c: DUP2 0000049d: PUSH2 0x04fc 000004a0: JUMP 000004a1: JUMPDEST 000004a2: PUSH1 0x40 000004a4: MLOAD 000004a5: PUSH1 0x01 000004a7: PUSH1 0x01 000004a9: PUSH1 0xa0 000004ab: SHL 000004ac: SUB 000004ad: DUP3 000004ae: AND 000004af: SWAP1 000004b0: PUSH32 0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b 000004d1: SWAP1 000004d2: PUSH1 0x00 000004d4: SWAP1 000004d5: LOG2 000004d6: POP 000004d7: JUMP 000004d8: JUMPDEST 000004d9: PUSH32 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103 000004fa: SSTORE 000004fb: JUMP 000004fc: JUMPDEST 000004fd: PUSH2 0x0505 00000500: DUP2 00000501: PUSH2 0x03c4 00000504: JUMP 00000505: JUMPDEST 00000506: PUSH2 0x0540 00000509: JUMPI 0000050a: PUSH1 0x40 0000050c: MLOAD 0000050d: PUSH3 0x461bcd 00000511: PUSH1 0xe5 00000513: SHL 00000514: DUP2 00000515: MSTORE 00000516: PUSH1 0x04 00000518: ADD 00000519: DUP1 0000051a: DUP1 0000051b: PUSH1 0x20 0000051d: ADD 0000051e: DUP3 0000051f: DUP2 00000520: SUB 00000521: DUP3 00000522: MSTORE 00000523: PUSH1 0x36 00000525: DUP2 00000526: MSTORE 00000527: PUSH1 0x20 00000529: ADD 0000052a: DUP1 0000052b: PUSH2 0x059f 0000052e: PUSH1 0x36 00000530: SWAP2 00000531: CODECOPY 00000532: PUSH1 0x40 00000534: ADD 00000535: SWAP2 00000536: POP 00000537: POP 00000538: PUSH1 0x40 0000053a: MLOAD 0000053b: DUP1 0000053c: SWAP2 0000053d: SUB 0000053e: SWAP1 0000053f: REVERT 00000540: JUMPDEST 00000541: PUSH32 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc 00000562: SSTORE 00000563: JUMP 00000564: INVALID 00000565: SLOAD 00000566: PUSH19 0x616e73706172656e745570677261646561626c 0000057a: PUSH6 0x50726f78793a 00000581: KECCAK256 00000582: PUSH15 0x65772061646d696e20697320746865 00000592: KECCAK256 00000593: PUSH27 0x65726f20616464726573735570677261646561626c6550726f7879 000005af: GASPRICE 000005b0: KECCAK256 000005b1: PUSH15 0x657720696d706c656d656e74617469 000005c1: PUSH16 0x6e206973206e6f74206120636f6e7472 000005d2: PUSH2 0x6374 000005d5: SLOAD 000005d6: PUSH19 0x616e73706172656e745570677261646561626c 000005ea: PUSH6 0x50726f78793a 000005f1: KECCAK256 000005f2: PUSH2 0x646d 000005f5: PUSH10 0x6e2063616e6e6f742066 00000600: PUSH2 0x6c6c 00000603: PUSH3 0x61636b 00000607: KECCAK256 00000608: PUSH21 0x6f2070726f787920746172676574a2646970667358 0000061e: UNKNOWN(0x22) 0000061f: SLT 00000620: KECCAK256 00000621: MSTORE 00000622: UNKNOWN(0xF9) 00000623: UNKNOWN(0xE4) 00000624: PUSH28 0x968279c6afe32fbe38a97ce63eff10a987807bccbfbf0e22e4b1217e 00000641: PUSH5 0x736f6c6343 00000647: STOP 00000648: MOD 00000649: UNKNOWN(0x0C) 0000064a: STOP 0000064b: CALLER
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| critical | upgradeability | detector | Untrusted DELEGATECALL target reachable | 70 | no | no |
viewtrace_id: 0x874ba68735f06f8578877f345542b9b561a0511c56091dd094a847a3145b1b27
call_targets:
0x0b9f13ffab8448089f50073cf24bbe5c7bd8675a
target_varies:
no
classification:
constant_target
validation_json{
"sink": "DELEGATECALL",
"errors": 0,
"status": "sink_reached",
"attempts": 1,
"trace_id": "0x874ba68735f06f8578877f345542b9b561a0511c56091dd094a847a3145b1b27",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0x0b9f13ffab8448089f50073cf24bbe5c7bd8675a"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x5c60da1b",
"selector": "0x5c60da1b",
"calldata_variants": [
"0x5c60da1b",
"0x5c60da1b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x8f283970",
"selector": "0x8f283970",
"calldata_variants": [
"0x8f283970",
"0x8f2839700000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xf851a440",
"selector": "0xf851a440",
"calldata_variants": [
"0xf851a440",
"0xf851a4400000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x3659cfe6",
"selector": "0x3659cfe6",
"calldata_variants": [
"0x3659cfe6",
"0x3659cfe60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x4f1ef286",
"selector": "0x4f1ef286",
"calldata_variants": [
"0x4f1ef286",
"0x4f1ef2860000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 589,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
},
{
"pc": 1117,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
}
],
"guards_detected": [],
"delegatecall_count": 2,
"untrusted_delegatecall_count": 2
}
|
| high | access_control | codex | Initializer can be called by anyone to become operator | 85 | no | — |
viewevidence_json{
"evidence": "`initialize` is `external` and lacks access control; it only checks that `version` is empty before setting `operator`.",
"locations": [
"contracts/UserProxy.sol:60"
],
"recommendation": "Protect initialization with a dedicated initializer guard (e.g., OpenZeppelin Initializable), and restrict it to a trusted deployer/owner or the proxy admin. Ensure initialization is performed atomically at deployment.",
"exploit_scenario": "If the proxy storage is not initialized, any external account can call `initialize` first, set themselves as `operator`, and then use operator-only functions to change module addresses and enable/disable trading paths, effectively taking control."
}
|
| high | upgradeability | slither | TransparentUpgradeableProxy.upgradeToAndCall(address,bytes) (contracts/Contract.sol#368-373) uses delegatecall to a input-controlled function id | 85 | no | — |
viewevidence_json{
"impact": "High",
"detector": "controlled-delegatecall",
"elements": [
{
"name": "upgradeToAndCall",
"type": "function",
"source_mapping": {
"lines": [
368,
369,
370,
371,
372,
373
],
"start": 16924,
"length": 294,
"ending_column": 20,
"is_dependency": false,
"filename_short": "contracts/Contract.sol",
"starting_column": 9,
"filename_absolute": "/tmp/slither-yg9kpq59/contracts/Contract.sol",
"filename_relative": "contracts/Contract.sol"
},
"type_specific_fields": {
"parent": {
"name": "TransparentUpgradeableProxy",
"type": "contract",
"source_mapping": {
"lines": [
290,
291,
292,
293,
294,
295,
296,
297,
298,
299,
300,
301,
302,
303,
304,
305,
306,
307,
308,
309,
310,
311,
312,
313,
314,
315,
316,
317,
318,
319,
320,
321,
322,
323,
324,
325,
326,
327,
328,
329,
330,
331,
332,
333,
334,
335,
336,
337,
338,
339,
340,
341,
342,
343,
344,
345,
346,
347,
348,
349,
350,
351,
352,
353,
354,
355,
356,
357,
358,
359,
360,
361,
362,
363,
364,
365,
366,
367,
368,
369,
370,
371,
372,
373,
374,
375,
376,
377,
378,
379,
380,
381,
382,
383,
384,
385,
386,
387,
388,
389,
390,
391,
392,
393,
394,
395,
396
],
"start": 13514,
"length": 4592,
"ending_column": 57,
"is_dependency": false,
"filename_short": "contracts/Contract.sol",
"starting_column": 22,
"filename_absolute": "/tmp/slither-yg9kpq59/contracts/Contract.sol",
"filename_relative": "contracts/Contract.sol"
}
},
"signature": "upgradeToAndCall(address,bytes)"
}
},
{
"name": "(success,None) = newImplementation.delegatecall(data)",
"type": "node",
"source_mapping": {
"lines": [
370,
371
],
"start": 17131,
"length": 54,
"ending_column": 22,
"is_dependency": false,
"filename_short": "contracts/Contract.sol",
"starting_column": 87,
"filename_absolute": "/tmp/slither-yg9kpq59/contracts/Contract.sol",
"filename_relative": "contracts/Contract.sol"
},
"type_specific_fields": {
"parent": {
"name": "upgradeToAndCall",
"type": "function",
"source_mapping": {
"lines": [
368,
369,
370,
371,
372,
373
],
"start": 16924,
"length": 294,
"ending_column": 20,
"is_dependency": false,
"filename_short": "contracts/Contract.sol",
"starting_column": 9,
"filename_absolute": "/tmp/slither-yg9kpq59/contracts/Contract.sol",
"filename_relative": "contracts/Contract.sol"
},
"type_specific_fields": {
"parent": {
"name": "TransparentUpgradeableProxy",
"type": "contract",
"source_mapping": {
"lines": [
290,
291,
292,
293,
294,
295,
296,
297,
298,
299,
300,
301,
302,
303,
304,
305,
306,
307,
308,
309,
310,
311,
312,
313,
314,
315,
316,
317,
318,
319,
320,
321,
322,
323,
324,
325,
326,
327,
328,
329,
330,
331,
332,
333,
334,
335,
336,
337,
338,
339,
340,
341,
342,
343,
344,
345,
346,
347,
348,
349,
350,
351,
352,
353,
354,
355,
356,
357,
358,
359,
360,
361,
362,
363,
364,
365,
366,
367,
368,
369,
370,
371,
372,
373,
374,
375,
376,
377,
378,
379,
380,
381,
382,
383,
384,
385,
386,
387,
388,
389,
390,
391,
392,
393,
394,
395,
396
],
"start": 13514,
"length": 4592,
"ending_column": 57,
"is_dependency": false,
"filename_short": "contracts/Contract.sol",
"starting_column": 22,
"filename_absolute": "/tmp/slither-yg9kpq59/contracts/Contract.sol",
"filename_relative": "contracts/Contract.sol"
}
},
"signature": "upgradeToAndCall(address,bytes)"
}
}
}
}
],
"locations": [
{
"file": "contracts/Contract.sol",
"name": "upgradeToAndCall",
"type": "function",
"lines": [
368,
369,
370,
371,
372,
373
]
},
{
"file": "contracts/Contract.sol",
"name": "(success,None) = newImplementation.delegatecall(data)",
"type": "node",
"lines": [
370,
371
]
}
],
"description": "TransparentUpgradeableProxy.upgradeToAndCall(address,bytes) (contracts/Contract.sol#368-373) uses delegatecall to a input-controlled function id\n\t- (success,None) = newImplementation.delegatecall(data) (contracts/Contract.sol#370-371)"
}
|
| high | upgradeability | slither | UpgradeableProxy.constructor(address,bytes) (contracts/Contract.sol#219-224) uses delegatecall to a input-controlled function id | 85 | no | — |
viewevidence_json{
"impact": "High",
"detector": "controlled-delegatecall",
"elements": [
{
"name": "constructor",
"type": "function",
"source_mapping": {
"lines": [
219,
220,
221,
222,
223,
224
],
"start": 10061,
"length": 403,
"ending_column": 11,
"is_dependency": false,
"filename_short": "contracts/Contract.sol",
"starting_column": 12,
"filename_absolute": "/tmp/slither-yg9kpq59/contracts/Contract.sol",
"filename_relative": "contracts/Contract.sol"
},
"type_specific_fields": {
"parent": {
"name": "UpgradeableProxy",
"type": "contract",
"source_mapping": {
"lines": [
209,
210,
211,
212,
213,
214,
215,
216,
217,
218,
219,
220,
221,
222,
223,
224,
225,
226,
227,
228,
229,
230,
231,
232,
233,
234,
235,
236,
237,
238,
239,
240,
241,
242,
243,
244,
245,
246,
247,
248,
249,
250,
251,
252,
253,
254,
255,
256,
257,
258,
259,
260,
261,
262,
263,
264
],
"start": 9679,
"length": 2289,
"ending_column": 33,
"is_dependency": false,
"filename_short": "contracts/Contract.sol",
"starting_column": 91,
"filename_absolute": "/tmp/slither-yg9kpq59/contracts/Contract.sol",
"filename_relative": "contracts/Contract.sol"
}
},
"signature": "constructor(address,bytes)"
}
},
{
"name": "(success,None) = _logic.delegatecall(_data)",
"type": "node",
"source_mapping": {
"lines": [
223
],
"start": 10373,
"length": 44,
"ending_column": 70,
"is_dependency": false,
"filename_short": "contracts/Contract.sol",
"starting_column": 26,
"filename_absolute": "/tmp/slither-yg9kpq59/contracts/Contract.sol",
"filename_relative": "contracts/Contract.sol"
},
"type_specific_fields": {
"parent": {
"name": "constructor",
"type": "function",
"source_mapping": {
"lines": [
219,
220,
221,
222,
223,
224
],
"start": 10061,
"length": 403,
"ending_column": 11,
"is_dependency": false,
"filename_short": "contracts/Contract.sol",
"starting_column": 12,
"filename_absolute": "/tmp/slither-yg9kpq59/contracts/Contract.sol",
"filename_relative": "contracts/Contract.sol"
},
"type_specific_fields": {
"parent": {
"name": "UpgradeableProxy",
"type": "contract",
"source_mapping": {
"lines": [
209,
210,
211,
212,
213,
214,
215,
216,
217,
218,
219,
220,
221,
222,
223,
224,
225,
226,
227,
228,
229,
230,
231,
232,
233,
234,
235,
236,
237,
238,
239,
240,
241,
242,
243,
244,
245,
246,
247,
248,
249,
250,
251,
252,
253,
254,
255,
256,
257,
258,
259,
260,
261,
262,
263,
264
],
"start": 9679,
"length": 2289,
"ending_column": 33,
"is_dependency": false,
"filename_short": "contracts/Contract.sol",
"starting_column": 91,
"filename_absolute": "/tmp/slither-yg9kpq59/contracts/Contract.sol",
"filename_relative": "contracts/Contract.sol"
}
},
"signature": "constructor(address,bytes)"
}
}
}
}
],
"locations": [
{
"file": "contracts/Contract.sol",
"name": "constructor",
"type": "function",
"lines": [
219,
220,
221,
222,
223,
224
]
},
{
"file": "contracts/Contract.sol",
"name": "(success,None) = _logic.delegatecall(_data)",
"type": "node",
"lines": [
223
]
}
],
"description": "UpgradeableProxy.constructor(address,bytes) (contracts/Contract.sol#219-224) uses delegatecall to a input-controlled function id\n\t- (success,None) = _logic.delegatecall(_data) (contracts/Contract.sol#223)"
}
|
| medium | upgradeability | cast | DELEGATECALL present | 80 | no | — |
viewevidence_json{
"notes": "delegatecall enables execution in caller context; common in proxies/upgradeable patterns",
"delegatecall_count": 2
}
|