019bb490-f339-7161-b115-fb04cf7fed99
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 40046 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 40047 | proxy.resolve | complete | 1 / 3 | 3 months ago |
| 40048 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 40049 | analysis.bundle | complete | 1 / 3 | 3 months ago |
| 40050 | capability.graph | complete | 1 / 3 | 3 months ago |
| 40051 | detector.run | complete | 1 / 3 | 3 months ago |
| 40052 | validation.fork | complete | 1 / 3 | 3 months ago |
| 40204 | report.consolidate | complete | 1 / 6 | 3 months ago |
| 40205 | tool.slither | complete | 1 / 2 | 3 months ago |
{
"method": "etherscan+onchain",
"status": "confirmed",
"etherscan_hint": {
"source": "etherscan",
"etherscan": {
"proxy_flag": true,
"implementation": "0x1c0df262a40f99d7d6145faba04db75d1126f93d"
}
},
"implementation": "0x1c0df262a40f99d7d6145faba04db75d1126f93d",
"onchain_method": "eip1967"
}
'forge clean' running (wd: /tmp/slither-2ylisad1)
'forge config --json' running
'forge build --build-info --skip ./test/** ./script/** --force' running (wd: /tmp/slither-2ylisad1)
AdminUpgradeabilityProxy.admin() (contracts/Contract.sol#387-390) calls AdminUpgradeabilityProxy.ifAdmin() (contracts/Contract.sol#383-387) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Contract.sol#96)
AdminUpgradeabilityProxy.implementation() (contracts/Contract.sol#391-394) calls AdminUpgradeabilityProxy.ifAdmin() (contracts/Contract.sol#383-387) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Contract.sol#96)
AdminUpgradeabilityProxy.changeAdmin(address) (contracts/Contract.sol#405-413) calls AdminUpgradeabilityProxy.ifAdmin() (contracts/Contract.sol#383-387) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Contract.sol#96)
AdminUpgradeabilityProxy.upgradeTo(address) (contracts/Contract.sol#419-422) calls AdminUpgradeabilityProxy.ifAdmin() (contracts/Contract.sol#383-387) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Contract.sol#96)
AdminUpgradeabilityProxy.upgradeToAndCall(address,bytes) (contracts/Contract.sol#437-441) calls AdminUpgradeabilityProxy.ifAdmin() (contracts/Contract.sol#383-387) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Contract.sol#96)
AdminUpgradeabilityProxy.ifAdmin() (contracts/Contract.sol#383-387) calls Proxy._fallback() (contracts/Contract.sol#107-112) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Contract.sol#96)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-return-in-assembly
AdminUpgradeabilityProxy.constructor(address,address,bytes)._admin (contracts/Contract.sol#364-365) shadows:
- AdminUpgradeabilityProxy._admin() (contracts/Contract.sol#442-443) (function)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#local-variable-shadowing
UpgradeabilityProxy.constructor(address,bytes)._logic (contracts/Contract.sol#283) lacks a zero-check on :
- (success,None) = _logic.delegatecall(_data) (contracts/Contract.sol#285)
AdminUpgradeabilityProxy.upgradeToAndCall(address,bytes).newImplementation (contracts/Contract.sol#438-439) lacks a zero-check on :
- (success,None) = newImplementation.delegatecall(data) (contracts/Contract.sol#440-441)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#missing-zero-address-validation
Modifier AdminUpgradeabilityProxy.ifAdmin() (contracts/Contract.sol#383-387) does not always execute _; or revert
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-modifier
Proxy._delegate(address) (contracts/Contract.sol#78-97) uses assembly
- INLINE ASM (contracts/Contract.sol#79-97)
Address.isContract(address) (contracts/Contract.sol#142-152) uses assembly
- INLINE ASM (contracts/Contract.sol#149-150)
Address._functionCallWithValue(address,bytes,uint256,string) (contracts/Contract.sol#235-253) uses assembly
- INLINE ASM (contracts/Contract.sol#248-250)
UpgradeabilityProxy._implementation() (contracts/Contract.sol#304-307) uses assembly
- INLINE ASM (contracts/Contract.sol#307)
UpgradeabilityProxy._setImplementation(address) (contracts/Contract.sol#322-331) uses assembly
- INLINE ASM (contracts/Contract.sol#330-331)
AdminUpgradeabilityProxy._admin() (contracts/Contract.sol#442-443) uses assembly
- INLINE ASM (contracts/Contract.sol#443)
AdminUpgradeabilityProxy._setAdmin(address) (contracts/Contract.sol#445-448) uses assembly
- INLINE ASM (contracts/Contract.sol#447-448)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#assembly-usage
2 different versions of Solidity are used:
- Version constraint ^0.6.0 is used by:
-^0.6.0 (contracts/Contract.sol#40-42)
-^0.6.0 (contracts/Contract.sol#254)
-^0.6.0 (contracts/Contract.sol#333)
- Version constraint ^0.6.2 is used by:
-^0.6.2 (contracts/Contract.sol#115-116)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#different-pragma-directives-are-used
Version constraint ^0.6.0 contains known severe issues (https://solidity.readthedocs.io/en/latest/bugs.html)
- AbiReencodingHeadOverflowWithStaticArrayCleanup
- DirtyBytesArrayToStorage
- NestedCalldataArrayAbiReencodingSizeValidation
- ABIDecodeTwoDimensionalArrayMemory
- KeccakCaching
- EmptyByteArrayCopy
- DynamicArrayCleanup
- MissingEscapingInFormatting
- ArraySliceDynamicallyEncodedBaseType
- ImplicitConstructorCallvalueCheck
- TupleAssignmentMultiStackSlotComponents
- MemoryArrayCreationOverflow
- YulOptimizerRedundantAssignmentBreakContinue.
It is used by:
- ^0.6.0 (contracts/Contract.sol#40-42)
- ^0.6.0 (contracts/Contract.sol#254)
- ^0.6.0 (contracts/Contract.sol#333)
Version constraint ^0.6.2 contains known severe issues (https://solidity.readthedocs.io/en/latest/bugs.html)
- MissingSideEffectsOnSelectorAccess
- AbiReencodingHeadOverflowWithStaticArrayCleanup
- DirtyBytesArrayToStorage
- NestedCalldataArrayAbiReencodingSizeValidation
- ABIDecodeTwoDimensionalArrayMemory
- KeccakCaching
- EmptyByteArrayCopy
- DynamicArrayCleanup
- MissingEscapingInFormatting
- ArraySliceDynamicallyEncodedBaseType
- ImplicitConstructorCallvalueCheck
- TupleAssignmentMultiStackSlotComponents
- MemoryArrayCreationOverflow.
It is used by:
- ^0.6.2 (contracts/Contract.sol#115-116)
solc-0.6.2 is an outdated solc version. Use a more recent version (at least 0.8.0), if possible.
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-versions-of-solidity
Low level call in Address.sendValue(address,uint256) (contracts/Contract.sol#172-177):
- (success,None) = recipient.call{value: amount}() (contracts/Contract.sol#174-175)
Low level call in Address._functionCallWithValue(address,bytes,uint256,string) (contracts/Contract.sol#235-253):
- (success,returndata) = target.call{value: weiValue}(data) (contracts/Contract.sol#240)
Low level call in UpgradeabilityProxy.constructor(address,bytes) (contracts/Contract.sol#283-287):
- (success,None) = _logic.delegatecall(_data) (contracts/Contract.sol#285)
Low level call in AdminUpgradeabilityProxy.upgradeToAndCall(address,bytes) (contracts/Contract.sol#437-441):
- (success,None) = newImplementation.delegatecall(data) (contracts/Contract.sol#440-441)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#low-level-calls
. analyzed (4 contracts with 100 detectors), 25 result(s) found
{
"solc": {
"status": "ok",
"use_rc": 0,
"version": "0.6.2",
"strategy": "solc-select",
"solc_path": "/var/www/tripwire/.venv/bin/solc",
"install_rc": 0,
"use_stderr": null,
"use_stdout": "Switched global version to 0.6.2",
"install_stderr": null,
"install_stdout": "Version '0.6.2' is already installed, skipping..."
},
"solc_args": "--base-path /tmp/slither-2ylisad1 --allow-paths /tmp/slither-2ylisad1,/tmp/slither-2ylisad1/lib,/tmp/slither-2ylisad1/src",
"remappings": [],
"source_files": [
"contracts/Contract.sol"
],
"contract_count": 0,
"contract_names": [],
"detector_count": 25,
"workspace_hash": "e57161430a6b8f3a021cf53d9c7cb57588ae708551eea0f17e6c83ac77fc9881",
"duration_seconds": 0.4862513542175293,
"solc_version_requested": "0.6.8"
}
{"no_findings":true,"summary":"No exploitable issues found in the first-party implementation; logic is minimal and access-controlled, with no unsafe external calls or stateful accounting to break.","findings":[]}
OpenAI Codex v0.77.0 (research preview)
--------
workdir: /tmp/codex-aj300lio
model: gpt-5.2-codex
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: auto
session id: 019bb49a-72c5-7e62-8ff1-3287af8dac59
--------
user
Context: The user requested the proxy at 0x67df244584b67e8c51b10ad610aaffa9a402fdb6.
Audit the implementation at 0x1c0df262a40f99d7d6145faba04db75d1126f93d.
Findings should refer to the implementation unless explicitly about proxy mechanics.
You are a security auditor. Audit this Solidity codebase for exploitable vulnerabilities.
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation, oracle manipulation,
accounting/invariant breaks, external call patterns, unchecked return values, and dangerous delegatecall.
Scope rules:
- You MUST fully read `AUDIT_BUNDLE.txt` before concluding. It contains the complete contents of all first-party Solidity sources in this workspace.
- Treat `lib/` and `@openzeppelin/` as third-party dependencies; skip them unless there is a concrete misuse angle in first-party code.
- If there are only dependency files and no first-party sources, set no_findings=true and explain in summary.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title and file/line locations when possible.
Output constraints (IMPORTANT):
- severity MUST be exactly one of: info, low, medium, high, critical (lowercase).
- category MUST be exactly one of: access_control, reentrancy, math, oracle, upgradeability, auth, other.
Keep summary short and concrete.
mcp startup: no servers
thinking
**Searching for bundle files**
exec
/bin/bash -lc ls in /tmp/codex-aj300lio succeeded in 6ms:
AUDIT_BUNDLE.txt
codex-output-schema.json
contracts
@openzeppelin
thinking
**Reading AUDIT_BUNDLE.txt**
exec
/bin/bash -lc 'cat AUDIT_BUNDLE.txt' in /tmp/codex-aj300lio succeeded in 6ms:
This file concatenates the full contents of first-party Solidity sources for auditing.
Do not treat dependency code under lib/ or @openzeppelin/ as first-party.
================================================================================
FILE: contracts/FoundationTreasury.sol
================================================================================
/*
・
* ★
・ 。
・ ゚☆ 。
* ★ ゚・。 * 。
* ☆ 。・゚*.。
゚ *.。☆。★ ・
* ゚。·*・。 ゚*
☆゚・。°*. ゚
・ ゚*。・゚★。
・ *゚。 *
・゚*。★・
☆∴。 *
thinking
**Analyzing upgradeability and access control risks**
I’m carefully reviewing the implementation for upgradeability concerns, initialization patterns, and access control, especially regarding role administration and potential reentrancy in fund withdrawals. The main points are about initializer coverage, admin role assignment, and the safety of external call patterns. After thorough consideration, no critical findings emerge, but I’ll prepare a concise JSON summary emphasizing these aspects.
codex
{"no_findings":true,"summary":"No exploitable issues found in the first-party implementation; logic is minimal and access-controlled, with no unsafe external calls or stateful accounting to break.","findings":[]}
tokens used
12,900
{
"codex": {
"ran_at": "2026-01-12T23:46:53.499925+00:00",
"returncode": 0
},
"project": {
"mode": "source",
"file_count": 11,
"import_count": 13,
"first_party_contracts_count": 6
},
"summary": "No exploitable issues found in the first-party implementation; logic is minimal and access-controlled, with no unsafe external calls or stateful accounting to break.",
"raw_final": {
"summary": "No exploitable issues found in the first-party implementation; logic is minimal and access-controlled, with no unsafe external calls or stateful accounting to break.",
"findings": [],
"no_findings": true
},
"no_findings": true,
"proxy_context": {
"proxy_run_id": "019bb490-f339-7161-b115-fb04cf7fed99",
"proxy_address": "0x67df244584b67e8c51b10ad610aaffa9a402fdb6",
"implementation_run_id": "019bb491-3d27-7127-9860-f89577df5ac6",
"implementation_address": "0x1c0df262a40f99d7d6145faba04db75d1126f93d"
},
"schema_version": 1
}
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | upgradeability | detector | Untrusted DELEGATECALL target reachable | 55 | no | no | trace_id: 0x0b6518c4353b4aa322f544fe7c80b0a3eae63e54d64b4bed53025386f10a60f7; call_targets: 0x1c0df262a40f99d7d6145faba04db75d1126f93d; target_varies: no; classification: constant_target |

validation_json:
{
"sink": "DELEGATECALL",
"errors": 0,
"status": "sink_reached",
"attempts": 2,
"trace_id": "0x0b6518c4353b4aa322f544fe7c80b0a3eae63e54d64b4bed53025386f10a60f7",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0x1c0df262a40f99d7d6145faba04db75d1126f93d"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json:
{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x3659cfe6",
"selector": "0x3659cfe6",
"calldata_variants": [
"0x3659cfe6",
"0x3659cfe60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x4f1ef286",
"selector": "0x4f1ef286",
"calldata_variants": [
"0x4f1ef286",
"0x4f1ef2860000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x5c60da1b",
"selector": "0x5c60da1b",
"calldata_variants": [
"0x5c60da1b",
"0x5c60da1b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x8f283970",
"selector": "0x8f283970",
"calldata_variants": [
"0x8f283970",
"0x8f2839700000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xf851a440",
"selector": "0xf851a440",
"calldata_variants": [
"0xf851a440",
"0xf851a4400000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json:
{
"examples": [
{
"pc": 831,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
},
{
"pc": 1702,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
}
],
"guards_detected": [
{
"pc": 649,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
},
{
"pc": 734,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
},
{
"pc": 950,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
},
{
"pc": 1036,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
},
{
"pc": 1415,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
},
{
"pc": 1520,
"type": "msg_sender_eq_const",
"value": "0xffffffffffffffffffffffffffffffffffffffff"
}
],
"delegatecall_count": 2,
"untrusted_delegatecall_count": 2
}
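
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| medium | upgradeability | cast | DELEGATECALL present | 80 | no | — | evidence_json below |

evidence_json:
{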
"notes": "delegatecall enables execution in caller context; common in proxies/upgradeable patterns",
"delegatecall_count": 2
}