019bb491-4432-70a1-a118-169deb6eada5
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 40206 | artifact.fetch | complete | 1 / 3 | 3 months ago |
| 40207 | proxy.resolve | complete | 1 / 3 | 3 months ago |
| 40208 | tool.cast_disasm | complete | 1 / 3 | 3 months ago |
| 40209 | analysis.bundle | complete | 1 / 3 | 3 months ago |
| 40210 | capability.graph | complete | 1 / 3 | 3 months ago |
| 40211 | detector.run | complete | 1 / 3 | 3 months ago |
| 40212 | validation.fork | complete | 1 / 3 | 3 months ago |
| 40269 | report.consolidate | complete | 1 / 6 | 3 months ago |
| 40270 | tool.slither | complete | 1 / 2 | 3 months ago |
```json
{
"status": "not_proxy"
}
```
'forge clean' running (wd: /tmp/slither-wycww0i7)
'forge config --json' running
'forge build --build-info --skip ./test/** ./script/** --force' running (wd: /tmp/slither-wycww0i7)
BaseEscrow._ethTransfer(address,uint256) (contracts/BaseEscrow.sol#95-98) sends eth to arbitrary user
Dangerous calls:
- (success,None) = to.call{value: amount}() (contracts/BaseEscrow.sol#96)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#functions-that-send-ether-to-arbitrary-destinations
BaseEscrow.onlyAccessTokenHolder() (contracts/BaseEscrow.sol#63-66) uses a dangerous strict equality:
- _ACCESS_TOKEN.balanceOf(msg.sender) == 0 (contracts/BaseEscrow.sol#64)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#dangerous-strict-equalities
Reentrancy in EscrowDst._withdraw(bytes32,IBaseEscrow.Immutables) (contracts/EscrowDst.sol#77-85):
External calls:
- _uniTransfer(immutables.token.get(),immutables.maker.get(),immutables.amount) (contracts/EscrowDst.sol#82)
- (success,None) = to.call{value: amount}() (contracts/BaseEscrow.sol#96)
- _ethTransfer(msg.sender,immutables.safetyDeposit) (contracts/EscrowDst.sol#83)
- (success,None) = to.call{value: amount}() (contracts/BaseEscrow.sol#96)
Event emitted after the call(s):
- EscrowWithdrawal(secret) (contracts/EscrowDst.sol#84)
Reentrancy in EscrowDst.cancel(IBaseEscrow.Immutables) (contracts/EscrowDst.sol#62-71):
External calls:
- _uniTransfer(immutables.token.get(),immutables.taker.get(),immutables.amount) (contracts/EscrowDst.sol#68)
- (success,None) = to.call{value: amount}() (contracts/BaseEscrow.sol#96)
- _ethTransfer(msg.sender,immutables.safetyDeposit) (contracts/EscrowDst.sol#69)
- (success,None) = to.call{value: amount}() (contracts/BaseEscrow.sol#96)
Event emitted after the call(s):
- EscrowCancelled() (contracts/EscrowDst.sol#70)
Reentrancy in BaseEscrow.rescueFunds(address,uint256,IBaseEscrow.Immutables) (contracts/BaseEscrow.sol#71-79):
External calls:
- _uniTransfer(token,msg.sender,amount) (contracts/BaseEscrow.sol#77)
- (success,None) = to.call{value: amount}() (contracts/BaseEscrow.sol#96)
Event emitted after the call(s):
- FundsRescued(token,amount) (contracts/BaseEscrow.sol#78)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#reentrancy-vulnerabilities-3
BaseEscrow._keccakBytes32(bytes32) (contracts/BaseEscrow.sol#110-115) uses assembly
- INLINE ASM (contracts/BaseEscrow.sol#111-114)
ImmutablesLib.hash(IBaseEscrow.Immutables) (contracts/libraries/ImmutablesLib.sol#19-25) uses assembly
- INLINE ASM (contracts/libraries/ImmutablesLib.sol#20-24)
ImmutablesLib.hashMem(IBaseEscrow.Immutables) (contracts/libraries/ImmutablesLib.sol#32-36) uses assembly
- INLINE ASM (contracts/libraries/ImmutablesLib.sol#33-35)
ProxyHashLib.computeProxyBytecodeHash(address) (contracts/libraries/ProxyHashLib.sol#15-25) uses assembly
- INLINE ASM (contracts/libraries/ProxyHashLib.sol#16-24)
Create2.deploy(uint256,bytes32,bytes) (lib/openzeppelin-contracts/contracts/utils/Create2.sol#38-55) uses assembly
- INLINE ASM (lib/openzeppelin-contracts/contracts/utils/Create2.sol#45-47)
Create2.computeAddress(bytes32,bytes32,address) (lib/openzeppelin-contracts/contracts/utils/Create2.sol#69-90) uses assembly
- INLINE ASM (lib/openzeppelin-contracts/contracts/utils/Create2.sol#70-89)
LowLevelCall.callNoReturn(address,uint256,bytes) (lib/openzeppelin-contracts/contracts/utils/LowLevelCall.sol#19-23) uses assembly
- INLINE ASM (lib/openzeppelin-contracts/contracts/utils/LowLevelCall.sol#20-22)
LowLevelCall.callReturn64Bytes(address,uint256,bytes) (lib/openzeppelin-contracts/contracts/utils/LowLevelCall.sol#38-48) uses assembly
- INLINE ASM (lib/openzeppelin-contracts/contracts/utils/LowLevelCall.sol#43-47)
LowLevelCall.staticcallNoReturn(address,bytes) (lib/openzeppelin-contracts/contracts/utils/LowLevelCall.sol#51-55) uses assembly
- INLINE ASM (lib/openzeppelin-contracts/contracts/utils/LowLevelCall.sol#52-54)
LowLevelCall.staticcallReturn64Bytes(address,bytes) (lib/openzeppelin-contracts/contracts/utils/LowLevelCall.sol#62-71) uses assembly
- INLINE ASM (lib/openzeppelin-contracts/contracts/utils/LowLevelCall.sol#66-70)
LowLevelCall.delegatecallNoReturn(address,bytes) (lib/openzeppelin-contracts/contracts/utils/LowLevelCall.sol#74-78) uses assembly
- INLINE ASM (lib/openzeppelin-contracts/contracts/utils/LowLevelCall.sol#75-77)
LowLevelCall.delegatecallReturn64Bytes(address,bytes) (lib/openzeppelin-contracts/contracts/utils/LowLevelCall.sol#85-94) uses assembly
- INLINE ASM (lib/openzeppelin-contracts/contracts/utils/LowLevelCall.sol#89-93)
LowLevelCall.returnDataSize() (lib/openzeppelin-contracts/contracts/utils/LowLevelCall.sol#97-101) uses assembly
- INLINE ASM (lib/openzeppelin-contracts/contracts/utils/LowLevelCall.sol#98-100)
LowLevelCall.returnData() (lib/openzeppelin-contracts/contracts/utils/LowLevelCall.sol#104-111) uses assembly
- INLINE ASM (lib/openzeppelin-contracts/contracts/utils/LowLevelCall.sol#105-110)
LowLevelCall.bubbleRevert() (lib/openzeppelin-contracts/contracts/utils/LowLevelCall.sol#114-120) uses assembly
- INLINE ASM (lib/openzeppelin-contracts/contracts/utils/LowLevelCall.sol#115-119)
LowLevelCall.bubbleRevert(bytes) (lib/openzeppelin-contracts/contracts/utils/LowLevelCall.sol#122-126) uses assembly
- INLINE ASM (lib/openzeppelin-contracts/contracts/utils/LowLevelCall.sol#123-125)
RevertReasonForwarder.reRevert() (lib/solidity-utils/contracts/libraries/RevertReasonForwarder.sol#14-21) uses assembly
- INLINE ASM (lib/solidity-utils/contracts/libraries/RevertReasonForwarder.sol#16-20)
RevertReasonForwarder.reReason() (lib/solidity-utils/contracts/libraries/RevertReasonForwarder.sol#28-36) uses assembly
- INLINE ASM (lib/solidity-utils/contracts/libraries/RevertReasonForwarder.sol#29-35)
SafeERC20.safeBalanceOf(IERC20,address) (lib/solidity-utils/contracts/libraries/SafeERC20.sol#44-61) uses assembly
- INLINE ASM (lib/solidity-utils/contracts/libraries/SafeERC20.sol#49-60)
SafeERC20.safeTransferFrom(IERC20,address,address,uint256) (lib/solidity-utils/contracts/libraries/SafeERC20.sol#99-126) uses assembly
- INLINE ASM (lib/solidity-utils/contracts/libraries/SafeERC20.sol#107-124)
SafeERC20.safeTransferFromPermit2(IERC20,address,address,uint256) (lib/solidity-utils/contracts/libraries/SafeERC20.sol#138-161) uses assembly
- INLINE ASM (lib/solidity-utils/contracts/libraries/SafeERC20.sol#147-159)
SafeERC20.tryPermit(IERC20,address,address,bytes) (lib/solidity-utils/contracts/libraries/SafeERC20.sol#300-402) uses assembly
- INLINE ASM (lib/solidity-utils/contracts/libraries/SafeERC20.sol#306-401)
SafeERC20._makeCall(IERC20,bytes4,address,uint256) (lib/solidity-utils/contracts/libraries/SafeERC20.sol#414-437) uses assembly
- INLINE ASM (lib/solidity-utils/contracts/libraries/SafeERC20.sol#420-436)
SafeERC20.safeDeposit(IWETH,uint256) (lib/solidity-utils/contracts/libraries/SafeERC20.sol#444-456) uses assembly
- INLINE ASM (lib/solidity-utils/contracts/libraries/SafeERC20.sol#447-454)
SafeERC20.safeWithdraw(IWETH,uint256) (lib/solidity-utils/contracts/libraries/SafeERC20.sol#464-475) uses assembly
- INLINE ASM (lib/solidity-utils/contracts/libraries/SafeERC20.sol#466-474)
SafeERC20.safeWithdrawTo(IWETH,uint256,address) (lib/solidity-utils/contracts/libraries/SafeERC20.sol#484-495) uses assembly
- INLINE ASM (lib/solidity-utils/contracts/libraries/SafeERC20.sol#487-493)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#assembly-usage
4 different versions of Solidity are used:
- Version constraint 0.8.23 is used by:
-0.8.23 (contracts/BaseEscrow.sol#3)
-0.8.23 (contracts/Escrow.sol#3)
-0.8.23 (contracts/EscrowDst.sol#3)
- Version constraint ^0.8.0 is used by:
-^0.8.0 (contracts/interfaces/IBaseEscrow.sol#3)
-^0.8.0 (contracts/interfaces/IEscrow.sol#3)
-^0.8.0 (contracts/interfaces/IEscrowDst.sol#3)
-^0.8.0 (lib/solidity-utils/contracts/interfaces/IDaiLikePermit.sol#3)
-^0.8.0 (lib/solidity-utils/contracts/interfaces/IERC7597Permit.sol#3)
-^0.8.0 (lib/solidity-utils/contracts/interfaces/IPermit2.sol#3)
-^0.8.0 (lib/solidity-utils/contracts/interfaces/IWETH.sol#3)
-^0.8.0 (lib/solidity-utils/contracts/libraries/AddressLib.sol#3)
-^0.8.0 (lib/solidity-utils/contracts/libraries/RevertReasonForwarder.sol#3)
-^0.8.0 (lib/solidity-utils/contracts/libraries/SafeERC20.sol#3)
- Version constraint ^0.8.20 is used by:
-^0.8.20 (contracts/libraries/ImmutablesLib.sol#3)
-^0.8.20 (contracts/libraries/ProxyHashLib.sol#3)
-^0.8.20 (contracts/libraries/TimelocksLib.sol#3)
-^0.8.20 (lib/openzeppelin-contracts/contracts/utils/Create2.sol#4)
-^0.8.20 (lib/openzeppelin-contracts/contracts/utils/Errors.sol#4)
-^0.8.20 (lib/openzeppelin-contracts/contracts/utils/LowLevelCall.sol#4)
- Version constraint >=0.4.16 is used by:
->=0.4.16 (lib/openzeppelin-contracts/contracts/token/ERC20/IERC20.sol#4)
->=0.4.16 (lib/openzeppelin-contracts/contracts/token/ERC20/extensions/IERC20Permit.sol#4)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#different-pragma-directives-are-used
Version constraint ^0.8.0 contains known severe issues (https://solidity.readthedocs.io/en/latest/bugs.html)
- FullInlinerNonExpressionSplitArgumentEvaluationOrder
- MissingSideEffectsOnSelectorAccess
- AbiReencodingHeadOverflowWithStaticArrayCleanup
- DirtyBytesArrayToStorage
- DataLocationChangeInInternalOverride
- NestedCalldataArrayAbiReencodingSizeValidation
- SignedImmutables
- ABIDecodeTwoDimensionalArrayMemory
- KeccakCaching.
It is used by:
- ^0.8.0 (contracts/interfaces/IBaseEscrow.sol#3)
- ^0.8.0 (contracts/interfaces/IEscrow.sol#3)
- ^0.8.0 (contracts/interfaces/IEscrowDst.sol#3)
- ^0.8.0 (lib/solidity-utils/contracts/interfaces/IDaiLikePermit.sol#3)
- ^0.8.0 (lib/solidity-utils/contracts/interfaces/IERC7597Permit.sol#3)
- ^0.8.0 (lib/solidity-utils/contracts/interfaces/IPermit2.sol#3)
- ^0.8.0 (lib/solidity-utils/contracts/interfaces/IWETH.sol#3)
- ^0.8.0 (lib/solidity-utils/contracts/libraries/AddressLib.sol#3)
- ^0.8.0 (lib/solidity-utils/contracts/libraries/RevertReasonForwarder.sol#3)
- ^0.8.0 (lib/solidity-utils/contracts/libraries/SafeERC20.sol#3)
Version constraint ^0.8.20 contains known severe issues (https://solidity.readthedocs.io/en/latest/bugs.html)
- VerbatimInvalidDeduplication
- FullInlinerNonExpressionSplitArgumentEvaluationOrder
- MissingSideEffectsOnSelectorAccess.
It is used by:
- ^0.8.20 (contracts/libraries/ImmutablesLib.sol#3)
- ^0.8.20 (contracts/libraries/ProxyHashLib.sol#3)
- ^0.8.20 (contracts/libraries/TimelocksLib.sol#3)
- ^0.8.20 (lib/openzeppelin-contracts/contracts/utils/Create2.sol#4)
- ^0.8.20 (lib/openzeppelin-contracts/contracts/utils/Errors.sol#4)
- ^0.8.20 (lib/openzeppelin-contracts/contracts/utils/LowLevelCall.sol#4)
Version constraint >=0.4.16 contains known severe issues (https://solidity.readthedocs.io/en/latest/bugs.html)
- DirtyBytesArrayToStorage
- ABIDecodeTwoDimensionalArrayMemory
- KeccakCaching
- EmptyByteArrayCopy
- DynamicArrayCleanup
- ImplicitConstructorCallvalueCheck
- TupleAssignmentMultiStackSlotComponents
- MemoryArrayCreationOverflow
- privateCanBeOverridden
- SignedArrayStorageCopy
- ABIEncoderV2StorageArrayWithMultiSlotElement
- DynamicConstructorArgumentsClippedABIV2
- UninitializedFunctionPointerInConstructor_0.4.x
- IncorrectEventSignatureInLibraries_0.4.x
- ExpExponentCleanup
- NestedArrayFunctionCallDecoder
- ZeroFunctionSelector.
It is used by:
- >=0.4.16 (lib/openzeppelin-contracts/contracts/token/ERC20/IERC20.sol#4)
- >=0.4.16 (lib/openzeppelin-contracts/contracts/token/ERC20/extensions/IERC20Permit.sol#4)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-versions-of-solidity
Low level call in BaseEscrow._ethTransfer(address,uint256) (contracts/BaseEscrow.sol#95-98):
- (success,None) = to.call{value: amount}() (contracts/BaseEscrow.sol#96)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#low-level-calls
Variable BaseEscrow._ACCESS_TOKEN (contracts/BaseEscrow.sol#26) is not in mixedCase
Variable BaseEscrow.RESCUE_DELAY (contracts/BaseEscrow.sol#29) is not in mixedCase
Variable BaseEscrow.FACTORY (contracts/BaseEscrow.sol#31) is not in mixedCase
Variable Escrow.PROXY_BYTECODE_HASH (contracts/Escrow.sol#22) is not in mixedCase
Function IBaseEscrow.RESCUE_DELAY() (contracts/interfaces/IBaseEscrow.sol#52) is not in mixedCase
Function IBaseEscrow.FACTORY() (contracts/interfaces/IBaseEscrow.sol#54) is not in mixedCase
Function IEscrow.PROXY_BYTECODE_HASH() (contracts/interfaces/IEscrow.sol#14) is not in mixedCase
Function IERC20Permit.DOMAIN_SEPARATOR() (lib/openzeppelin-contracts/contracts/token/ERC20/extensions/IERC20Permit.sol#89) is not in mixedCase
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#conformance-to-solidity-naming-conventions
ProxyHashLib.computeProxyBytecodeHash(address) (contracts/libraries/ProxyHashLib.sol#15-25) uses literals with too many digits:
- mstore(uint256,uint256)(0x00,implementation >> 0x88 | 0x3d602d80600a3d3981f3363d3d373d3d3d363d73000000) (contracts/libraries/ProxyHashLib.sol#22)
TimelocksLib.slitherConstructorConstantVariables() (contracts/libraries/TimelocksLib.sol#34-81) uses literals with too many digits:
- _DEPLOYED_AT_MASK = 0xffffffff00000000000000000000000000000000000000000000000000000000 (contracts/libraries/TimelocksLib.sol#45)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#too-many-digits
. analyzed (21 contracts with 100 detectors), 46 result(s) found
```json
{
"solc": {
"status": "ok",
"use_rc": 0,
"version": "0.8.23",
"strategy": "solc-select",
"solc_path": "/var/www/tripwire/.venv/bin/solc",
"install_rc": 0,
"use_stderr": null,
"use_stdout": "Switched global version to 0.8.23",
"install_stderr": null,
"install_stdout": "Version '0.8.23' is already installed, skipping..."
},
"solc_args": "--base-path /tmp/slither-wycww0i7 --include-path /tmp/slither-wycww0i7/lib --include-path /tmp/slither-wycww0i7/lib/openzeppelin-contracts --include-path /tmp/slither-wycww0i7/lib/solidity-utils --allow-paths /tmp/slither-wycww0i7,/tmp/slither-wycww0i7/lib,/tmp/slither-wycww0i7/lib/openzeppelin-contracts,/tmp/slither-wycww0i7/lib/solidity-utils,/tmp/slither-wycww0i7/src",
"remappings": [
"@1inch/limit-order-protocol-contract/=lib/limit-order-protocol/",
"@1inch/limit-order-settlement/=lib/limit-order-settlement/",
"@1inch/solidity-utils/=lib/solidity-utils/",
"solidity-utils/=lib/solidity-utils/",
"limit-order-protocol/=lib/limit-order-protocol/",
"limit-order-settlement/=lib/limit-order-settlement/",
"@openzeppelin/contracts/=lib/openzeppelin-contracts/contracts/",
"ds-test/=lib/forge-std/lib/ds-test/src/",
"erc4626-tests/=lib/openzeppelin-contracts/lib/erc4626-tests/",
"forge-std/=lib/forge-std/src/",
"murky/=lib/murky/",
"openzeppelin-contracts/=lib/openzeppelin-contracts/"
],
"source_files": [
"contracts/EscrowDst.sol",
"lib/openzeppelin-contracts/contracts/token/ERC20/IERC20.sol",
"lib/solidity-utils/contracts/libraries/SafeERC20.sol",
"lib/solidity-utils/contracts/libraries/AddressLib.sol",
"contracts/libraries/TimelocksLib.sol",
"contracts/interfaces/IEscrowDst.sol",
"contracts/BaseEscrow.sol",
"contracts/Escrow.sol",
"lib/openzeppelin-contracts/contracts/token/ERC20/extensions/IERC20Permit.sol",
"lib/solidity-utils/contracts/interfaces/IDaiLikePermit.sol",
"lib/solidity-utils/contracts/interfaces/IPermit2.sol",
"lib/solidity-utils/contracts/interfaces/IERC7597Permit.sol",
"lib/solidity-utils/contracts/interfaces/IWETH.sol",
"lib/solidity-utils/contracts/libraries/RevertReasonForwarder.sol",
"contracts/interfaces/IEscrow.sol",
"contracts/libraries/ImmutablesLib.sol",
"contracts/interfaces/IBaseEscrow.sol",
"lib/openzeppelin-contracts/contracts/utils/Create2.sol",
"contracts/libraries/ProxyHashLib.sol",
"lib/openzeppelin-contracts/contracts/utils/Errors.sol"
],
"contract_count": 0,
"contract_names": [],
"detector_count": 46,
"workspace_hash": "44ede1c555649ec288338df4ae39eac737de512f62ed643327b56c09fdb33171",
"duration_seconds": 0.9790356159210205,
"solc_version_requested": "0.8.23"
}
```
```json
{"no_findings":true,"summary":"Reviewed BaseEscrow/Escrow/EscrowDst and libraries in AUDIT_BUNDLE.txt; no exploitable issues found within the requested categories. Correctness still depends on factory-provided immutables/timelocks and the chosen access token behavior.","findings":[]}
```
OpenAI Codex v0.77.0 (research preview)
--------
workdir: /tmp/codex-0it_hspw
model: gpt-5.2-codex
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: auto
session id: 019bb4c9-ee17-77c1-91e2-0529a07327c8
--------
user
You are a security auditor. Audit this Solidity codebase for exploitable vulnerabilities.
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation, oracle manipulation,
accounting/invariant breaks, external call patterns, unchecked return values, and dangerous delegatecall.
Scope rules:
- You MUST fully read `AUDIT_BUNDLE.txt` before concluding. It contains the complete contents of all first-party Solidity sources in this workspace.
- Treat `lib/` and `@openzeppelin/` as third-party dependencies; skip them unless there is a concrete misuse angle in first-party code.
- If there are only dependency files and no first-party sources, set no_findings=true and explain in summary.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title and file/line locations when possible.
Output constraints (IMPORTANT):
- severity MUST be exactly one of: info, low, medium, high, critical (lowercase).
- category MUST be exactly one of: access_control, reentrancy, math, oracle, upgradeability, auth, other.
Keep summary short and concrete.
mcp startup: no servers
thinking
**Preparing for security audit**
exec
/bin/bash -lc ls in /tmp/codex-0it_hspw succeeded in 6ms:
AUDIT_BUNDLE.txt
codex-output-schema.json
contracts
lib
exec
/bin/bash -lc 'cat AUDIT_BUNDLE.txt' in /tmp/codex-0it_hspw succeeded in 7ms:
This file concatenates the full contents of first-party Solidity sources for auditing.
Do not treat dependency code under lib/ or @openzeppelin/ as first-party.
================================================================================
FILE: contracts/BaseEscrow.sol
================================================================================
// SPDX-License-Identifier: MIT
pragma solidity 0.8.23;
import { IERC20 } from "openzeppelin-contracts/contracts/token/ERC20/IERC20.sol";
import { AddressLib, Address } from "solidity-utils/contracts/libraries/AddressLib.sol";
import { SafeERC20 } from "solidity-utils/contracts/libraries/SafeERC20.sol";
import { ImmutablesLib } from "./libraries/ImmutablesLib.sol";
import { Timelocks, TimelocksLib } from "./libraries/TimelocksLib.sol";
import { IBaseEscrow } from "./interfaces/IBaseEscrow.sol";
/**
thinking
**Auditing escrow contracts for vulnerabilities**
I'm carefully reviewing BaseEscrow, Escrow, and EscrowDst contracts to identify any issues, especially reentrancy and access control concerns. I'm checking how funds and tokens are transferred, the use of immutables, and timing locks, focusing on whether missing state updates or external calls may create risks, while also considering design intentions and Ethereum token behaviors that could affect security.
thinking
**Planning struct size inspection**
exec
/bin/bash -lc 'rg -n "type Address" -S lib' in /tmp/codex-0it_hspw succeeded in 11ms:
lib/solidity-utils/contracts/libraries/AddressLib.sol:5:type Address is uint256;
exec
/bin/bash -lc "sed -n '1,80p' lib/solidity-utils/contracts/libraries/AddressLib.sol" in /tmp/codex-0it_hspw succeeded in 7ms:
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
type Address is uint256;
/**
* @notice AddressLib
* @notice Library for working with addresses encoded as uint256 values, which can include flags in the highest bits.
*/
library AddressLib {
uint256 private constant _LOW_160_BIT_MASK = (1 << 160) - 1;
/**
* @notice Returns the address representation of a uint256.
* @param a The uint256 value to convert to an address.
* @return The address representation of the provided uint256 value.
*/
function get(Address a) internal pure returns (address) {
return address(uint160(Address.unwrap(a) & _LOW_160_BIT_MASK));
thinking
**Analyzing struct size and risk factors**
I'll carefully verify the struct’s total size matches expectations and then examine potential misconfigurations related to timelocks and rescue delays, considering whether the contract’s reliance on factory-set parameters could pose residual risks despite no clear vulnerabilities found.
codex
{"no_findings":true,"summary":"Reviewed BaseEscrow/Escrow/EscrowDst and libraries in AUDIT_BUNDLE.txt; no exploitable issues found within the requested categories. Correctness still depends on factory-provided immutables/timelocks and the chosen access token behavior.","findings":[]}
tokens used
15,290
```json
{
"codex": {
"ran_at": "2026-01-13T00:40:03.816713+00:00",
"returncode": 0
},
"project": {
"mode": "source",
"file_count": 20,
"import_count": 24,
"first_party_contracts_count": 9
},
"summary": "Reviewed BaseEscrow/Escrow/EscrowDst and libraries in AUDIT_BUNDLE.txt; no exploitable issues found within the requested categories. Correctness still depends on factory-provided immutables/timelocks and the chosen access token behavior.",
"raw_final": {
"summary": "Reviewed BaseEscrow/Escrow/EscrowDst and libraries in AUDIT_BUNDLE.txt; no exploitable issues found within the requested categories. Correctness still depends on factory-provided immutables/timelocks and the chosen access token behavior.",
"findings": [],
"no_findings": true
},
"no_findings": true,
"schema_version": 1
}
```
```
00000000: PUSH1 0x80
00000002: PUSH1 0x40
00000004: SWAP1
00000005: DUP1
00000006: DUP3
00000007: MSTORE
00000008: PUSH1 0x04
0000000a: DUP1
0000000b: CALLDATASIZE
0000000c: LT
0000000d: ISZERO
0000000e: PUSH2 0x0015
00000011: JUMPI
00000012: PUSH0
00000013: DUP1
00000014: REVERT
00000015: JUMPDEST
00000016: PUSH1 0xe0
00000018: PUSH0
00000019: CALLDATALOAD
0000001a: DUP2
0000001b: SHR
0000001c: SWAP3
0000001d: DUP4
0000001e: PUSH4 0x0af97558
00000023: EQ
00000024: PUSH2 0x0582
00000027: JUMPI
00000028: POP
00000029: DUP3
0000002a: PUSH4 0x23305703
0000002f: EQ
00000030: PUSH2 0x04f6
00000033: JUMPI
00000034: DUP3
00000035: PUSH4 0x2dd31000
0000003a: EQ
0000003b: PUSH2 0x0488
0000003e: JUMPI
0000003f: DUP3
00000040: PUSH4 0x34862b6a
00000045: EQ
00000046: PUSH2 0x0430
00000049: JUMPI
0000004a: DUP3
0000004b: PUSH4 0x4649088b
00000050: EQ
00000051: PUSH2 0x0255
00000054: JUMPI
00000055: POP
00000056: DUP2
00000057: PUSH4 0x90d3252f
0000005c: EQ
0000005d: PUSH2 0x00ca
00000060: JUMPI
00000061: POP
00000062: PUSH4 0xf56cd69c
00000067: EQ
00000068: PUSH2 0x006f
0000006b: JUMPI
0000006c: PUSH0
0000006d: DUP1
0000006e: REVERT
0000006f: JUMPDEST
00000070: CALLVALUE
00000071: PUSH2 0x00c6
00000074: JUMPI
00000075: PUSH0
00000076: PUSH32 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc
00000097: CALLDATASIZE
00000098: ADD
00000099: SLT
0000009a: PUSH2 0x00c6
0000009d: JUMPI
0000009e: PUSH1 0x20
000000a0: SWAP1
000000a1: MLOAD
000000a2: PUSH32 0x00000000000000000000000000000000000000000000000000000000000a8c00
000000c3: DUP2
000000c4: MSTORE
000000c5: RETURN
000000c6: JUMPDEST
000000c7: PUSH0
000000c8: DUP1
000000c9: REVERT
000000ca: JUMPDEST
000000cb: DUP3
000000cc: CALLVALUE
000000cd: PUSH2 0x00c6
000000d0: JUMPI
000000d1: PUSH2 0x0100
000000d4: DUP1
000000d5: PUSH32 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc
000000f6: CALLDATASIZE
000000f7: ADD
000000f8: SLT
000000f9: PUSH2 0x00c6
000000fc: JUMPI
000000fd: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000112: SWAP2
00000113: DUP3
00000114: PUSH1 0x64
00000116: CALLDATALOAD
00000117: AND
00000118: SWAP2
00000119: DUP3
0000011a: CALLER
0000011b: SUB
0000011c: PUSH2 0x022d
0000011f: JUMPI
00000120: PUSH1 0x55
00000122: PUSH1 0x0b
00000124: DUP6
00000125: SWAP3
00000126: DUP5
00000127: MLOAD
00000128: DUP2
00000129: DUP10
0000012a: DUP3
0000012b: CALLDATACOPY
0000012c: KECCAK256
0000012d: DUP5
0000012e: MLOAD
0000012f: SWAP1
00000130: PUSH32 0xecbf051d115fa5ccc1177d7a547bf60561f699139f67c74f72f5fd67efde9155
00000151: DUP7
00000152: DUP4
00000153: ADD
00000154: MSTORE
00000155: PUSH1 0x20
00000157: DUP3
00000158: ADD
00000159: MSTORE
0000015a: PUSH32 0x000000000000000000000000a7bcb4eac8964306f9e3764f67db6a7af6ddf99a
0000017b: DUP2
0000017c: MSTORE
0000017d: ADD
0000017e: PUSH1 0xff
00000180: DUP2
00000181: MSTORE8
00000182: KECCAK256
00000183: AND
00000184: ADDRESS
00000185: SUB
00000186: PUSH2 0x0205
00000189: JUMPI
0000018a: PUSH2 0x0194
0000018d: PUSH1 0xe4
0000018f: CALLDATALOAD
00000190: PUSH2 0x08c0
00000193: JUMP
00000194: JUMPDEST
00000195: TIMESTAMP
00000196: LT
00000197: PUSH2 0x01dd
0000019a: JUMPI
0000019b: PUSH2 0x01ab
0000019e: PUSH1 0xa4
000001a0: CALLDATALOAD
000001a1: DUP4
000001a2: PUSH1 0x84
000001a4: CALLDATALOAD
000001a5: DUP7
000001a6: AND
000001a7: PUSH2 0x0907
000001aa: JUMP
000001ab: JUMPDEST
000001ac: PUSH2 0x01b7
000001af: PUSH1 0xc4
000001b1: CALLDATALOAD
000001b2: CALLER
000001b3: PUSH2 0x09c7
000001b6: JUMP
000001b7: JUMPDEST
000001b8: PUSH32 0x6e3be9294e58d10b9c8053cfd5e09871b67e442fe394d6b0870d336b9df984a9
000001d9: PUSH0
000001da: DUP1
000001db: LOG1
000001dc: STOP
000001dd: JUMPDEST
000001de: DUP4
000001df: SWAP1
000001e0: MLOAD
000001e1: PUSH32 0x6f7eac2600000000000000000000000000000000000000000000000000000000
00000202: DUP2
00000203: MSTORE
00000204: REVERT
00000205: JUMPDEST
00000206: DUP4
00000207: SWAP1
00000208: MLOAD
00000209: PUSH32 0xa269484a00000000000000000000000000000000000000000000000000000000
0000022a: DUP2
0000022b: MSTORE
0000022c: REVERT
0000022d: JUMPDEST
0000022e: DUP5
0000022f: DUP3
00000230: MLOAD
00000231: PUSH32 0x48f5c3ed00000000000000000000000000000000000000000000000000000000
00000252: DUP2
00000253: MSTORE
00000254: REVERT
00000255: JUMPDEST
00000256: DUP4
00000257: SWAP1
00000258: CALLVALUE
00000259: PUSH2 0x00c6
0000025c: JUMPI
0000025d: PUSH2 0x0140
00000260: PUSH32 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc
00000281: CALLDATASIZE
00000282: ADD
00000283: SLT
00000284: PUSH2 0x00c6
00000287: JUMPI
00000288: DUP3
00000289: CALLDATALOAD
0000028a: SWAP3
0000028b: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
000002a0: SWAP1
000002a1: DUP2
000002a2: DUP6
000002a3: AND
000002a4: SWAP3
000002a5: DUP4
000002a6: DUP7
000002a7: SUB
000002a8: PUSH2 0x00c6
000002ab: JUMPI
000002ac: PUSH1 0x24
000002ae: CALLDATALOAD
000002af: SWAP3
000002b0: PUSH2 0x0100
000002b3: DUP1
000002b4: PUSH32 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffbc
000002d5: CALLDATASIZE
000002d6: ADD
000002d7: SLT
000002d8: PUSH2 0x00c6
000002db: JUMPI
000002dc: DUP2
000002dd: PUSH1 0xa4
000002df: CALLDATALOAD
000002e0: AND
000002e1: CALLER
000002e2: SUB
000002e3: PUSH2 0x0408
000002e6: JUMPI
000002e7: PUSH1 0x0b
000002e9: PUSH1 0x55
000002eb: SWAP2
000002ec: DUP9
000002ed: MLOAD
000002ee: DUP2
000002ef: PUSH1 0x44
000002f1: DUP3
000002f2: CALLDATACOPY
000002f3: KECCAK256
000002f4: DUP9
000002f5: MLOAD
000002f6: SWAP1
000002f7: PUSH32 0xecbf051d115fa5ccc1177d7a547bf60561f699139f67c74f72f5fd67efde9155
00000318: DUP11
00000319: DUP4
0000031a: ADD
0000031b: MSTORE
0000031c: PUSH1 0x20
0000031e: DUP3
0000031f: ADD
00000320: MSTORE
00000321: PUSH32 0x000000000000000000000000a7bcb4eac8964306f9e3764f67db6a7af6ddf99a
00000342: DUP2
00000343: MSTORE
00000344: ADD
00000345: PUSH1 0xff
00000347: DUP2
00000348: MSTORE8
00000349: KECCAK256
0000034a: AND
0000034b: ADDRESS
0000034c: SUB
0000034d: PUSH2 0x03e0
00000350: JUMPI
00000351: PUSH2 0x0124
00000354: CALLDATALOAD
00000355: SWAP1
00000356: SHR
00000357: PUSH32 0x00000000000000000000000000000000000000000000000000000000000a8c00
00000378: ADD
00000379: TIMESTAMP
0000037a: LT
0000037b: PUSH2 0x03b9
0000037e: JUMPI
0000037f: POP
00000380: PUSH2 0x03ac
00000383: DUP2
00000384: PUSH32 0xc4474c2790e13695f6d2b6f1d8e164290b55370f87a542fd7711abe0a1bf40ac
000003a5: SWAP6
000003a6: CALLER
000003a7: SWAP1
000003a8: PUSH2 0x0907
000003ab: JUMP
000003ac: JUMPDEST
000003ad: DUP3
000003ae: MLOAD
000003af: SWAP2
000003b0: DUP3
000003b1: MSTORE
000003b2: PUSH1 0x20
000003b4: DUP3
000003b5: ADD
000003b6: MSTORE
000003b7: LOG1
000003b8: STOP
000003b9: JUMPDEST
000003ba: DUP4
000003bb: MLOAD
000003bc: PUSH32 0x6f7eac2600000000000000000000000000000000000000000000000000000000
000003dd: DUP2
000003de: MSTORE
000003df: REVERT
000003e0: JUMPDEST
000003e1: POP
000003e2: DUP4
000003e3: MLOAD
000003e4: PUSH32 0xa269484a00000000000000000000000000000000000000000000000000000000
00000405: DUP2
00000406: MSTORE
00000407: REVERT
00000408: JUMPDEST
00000409: DUP4
0000040a: DUP8
0000040b: MLOAD
0000040c: PUSH32 0x48f5c3ed00000000000000000000000000000000000000000000000000000000
0000042d: DUP2
0000042e: MSTORE
0000042f: REVERT
00000430: JUMPDEST
00000431: DUP4
00000432: CALLVALUE
00000433: PUSH2 0x00c6
00000436: JUMPI
00000437: PUSH0
00000438: PUSH32 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc
00000459: CALLDATASIZE
0000045a: ADD
0000045b: SLT
0000045c: PUSH2 0x00c6
0000045f: JUMPI
00000460: PUSH1 0x20
00000462: SWAP1
00000463: MLOAD
00000464: PUSH32 0xecbf051d115fa5ccc1177d7a547bf60561f699139f67c74f72f5fd67efde9155
00000485: DUP2
00000486: MSTORE
00000487: RETURN
00000488: JUMPDEST
00000489: DUP4
0000048a: CALLVALUE
0000048b: PUSH2 0x00c6
0000048e: JUMPI
0000048f: PUSH0
00000490: PUSH32 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc
000004b1: CALLDATASIZE
000004b2: ADD
000004b3: SLT
000004b4: PUSH2 0x00c6
000004b7: JUMPI
000004b8: PUSH1 0x20
000004ba: SWAP1
000004bb: MLOAD
000004bc: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
000004d1: PUSH32 0x000000000000000000000000a7bcb4eac8964306f9e3764f67db6a7af6ddf99a
000004f2: AND
000004f3: DUP2
000004f4: MSTORE
000004f5: RETURN
000004f6: JUMPDEST
000004f7: DUP4
000004f8: SWAP1
000004f9: CALLVALUE
000004fa: PUSH2 0x00c6
000004fd: JUMPI
000004fe: PUSH2 0x0506
00000501: CALLDATASIZE
00000502: PUSH2 0x0675
00000505: JUMP
00000506: JUMPDEST
00000507: SWAP3
00000508: SWAP1
00000509: SWAP2
0000050a: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
0000051f: PUSH1 0x60
00000521: DUP6
00000522: ADD
00000523: CALLDATALOAD
00000524: AND
00000525: CALLER
00000526: SUB
00000527: PUSH2 0x022d
0000052a: JUMPI
0000052b: PUSH4 0xffffffff
00000530: DUP2
00000531: DUP6
00000532: ADD
00000533: CALLDATALOAD
00000534: DUP1
00000535: SWAP3
00000536: SHR
00000537: SWAP2
00000538: PUSH1 0x80
0000053a: SHR
0000053b: AND
0000053c: DUP2
0000053d: ADD
0000053e: DUP1
0000053f: SWAP2
00000540: GT
00000541: PUSH2 0x0556
00000544: JUMPI
00000545: TIMESTAMP
00000546: LT
00000547: PUSH2 0x01dd
0000054a: JUMPI
0000054b: PUSH2 0x0554
0000054e: DUP4
0000054f: DUP4
00000550: PUSH2 0x0742
00000553: JUMP
00000554: JUMPDEST
00000555: STOP
00000556: JUMPDEST
00000557: PUSH1 0x11
00000559: DUP6
0000055a: PUSH32 0x4e487b7100000000000000000000000000000000000000000000000000000000
0000057b: PUSH0
0000057c: MSTORE
0000057d: MSTORE
0000057e: PUSH1 0x24
00000580: PUSH0
00000581: REVERT
00000582: JUMPDEST
00000583: DUP5
00000584: CALLVALUE
00000585: PUSH2 0x00c6
00000588: JUMPI
00000589: PUSH2 0x0591
0000058c: CALLDATASIZE
0000058d: PUSH2 0x0675
00000590: JUMP
00000591: JUMPDEST
00000592: SWAP4
00000593: SWAP1
00000594: SWAP3
00000595: PUSH32 0x70a0823100000000000000000000000000000000000000000000000000000000
000005b6: DUP2
000005b7: MSTORE
000005b8: CALLER
000005b9: DUP7
000005ba: DUP3
000005bb: ADD
000005bc: MSTORE
000005bd: PUSH1 0x20
000005bf: DUP2
000005c0: PUSH1 0x24
000005c2: DUP2
000005c3: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
000005d8: PUSH32 0x000000000000000000000000acce550000159e70908c0499a1119d04e7039c28
000005f9: AND
000005fa: GAS
000005fb: STATICCALL
000005fc: SWAP1
000005fd: DUP2
000005fe: ISZERO
000005ff: PUSH2 0x066b
00000602: JUMPI
00000603: PUSH0
00000604: SWAP2
00000605: PUSH2 0x0639
00000608: JUMPI
00000609: JUMPDEST
0000060a: POP
0000060b: ISZERO
0000060c: PUSH2 0x022d
0000060f: JUMPI
00000610: PUSH4 0xffffffff
00000615: DUP2
00000616: DUP6
00000617: ADD
00000618: CALLDATALOAD
00000619: DUP1
0000061a: SWAP3
0000061b: SHR
0000061c: SWAP2
0000061d: PUSH1 0xa0
0000061f: SHR
00000620: AND
00000621: DUP2
00000622: ADD
00000623: DUP1
00000624: SWAP2
00000625: GT
00000626: PUSH2 0x0556
00000629: JUMPI
0000062a: TIMESTAMP
0000062b: LT
0000062c: PUSH2 0x01dd
0000062f: JUMPI
00000630: PUSH2 0x0554
00000633: DUP4
00000634: DUP4
00000635: PUSH2 0x0742
00000638: JUMP
00000639: JUMPDEST
0000063a: SWAP1
0000063b: POP
0000063c: PUSH1 0x20
0000063e: DUP2
0000063f: RETURNDATASIZE
00000640: PUSH1 0x20
00000642: GT
00000643: PUSH2 0x0663
00000646: JUMPI
00000647: JUMPDEST
00000648: DUP2
00000649: PUSH2 0x0654
0000064c: PUSH1 0x20
0000064e: SWAP4
0000064f: DUP4
00000650: PUSH2 0x06d4
00000653: JUMP
00000654: JUMPDEST
00000655: DUP2
00000656: ADD
00000657: SUB
00000658: SLT
00000659: PUSH2 0x00c6
0000065c: JUMPI
0000065d: MLOAD
0000065e: DUP7
0000065f: PUSH2 0x0609
00000662: JUMP
00000663: JUMPDEST
00000664: RETURNDATASIZE
00000665: SWAP2
00000666: POP
00000667: PUSH2 0x0647
0000066a: JUMP
0000066b: JUMPDEST
0000066c: DUP4
0000066d: MLOAD
0000066e: RETURNDATASIZE
0000066f: PUSH0
00000670: DUP3
00000671: RETURNDATACOPY
00000672: RETURNDATASIZE
00000673: SWAP1
00000674: REVERT
00000675: JUMPDEST
00000676: SWAP1
00000677: PUSH2 0x0120
0000067a: PUSH32 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc
0000069b: DUP4
0000069c: ADD
0000069d: SLT
0000069e: PUSH2 0x00c6
000006a1: JUMPI
000006a2: PUSH2 0x0100
000006a5: PUSH32 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffdc
000006c6: PUSH1 0x04
000006c8: CALLDATALOAD
000006c9: SWAP4
000006ca: ADD
000006cb: SLT
000006cc: PUSH2 0x00c6
000006cf: JUMPI
000006d0: PUSH1 0x24
000006d2: SWAP1
000006d3: JUMP
000006d4: JUMPDEST
000006d5: SWAP1
000006d6: PUSH1 0x1f
000006d8: PUSH32 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe0
000006f9: SWAP2
000006fa: ADD
000006fb: AND
000006fc: DUP2
000006fd: ADD
000006fe: SWAP1
000006ff: DUP2
00000700: LT
00000701: PUSH8 0xffffffffffffffff
0000070a: DUP3
0000070b: GT
0000070c: OR
0000070d: PUSH2 0x0715
00000710: JUMPI
00000711: PUSH1 0x40
00000713: MSTORE
00000714: JUMP
00000715: JUMPDEST
00000716: PUSH32 0x4e487b7100000000000000000000000000000000000000000000000000000000
00000737: PUSH0
00000738: MSTORE
00000739: PUSH1 0x41
0000073b: PUSH1 0x04
0000073d: MSTORE
0000073e: PUSH1 0x24
00000740: PUSH0
00000741: REVERT
00000742: JUMPDEST
00000743: SWAP1
00000744: PUSH2 0x0750
00000747: PUSH1 0xe0
00000749: DUP3
0000074a: ADD
0000074b: CALLDATALOAD
0000074c: PUSH2 0x08c0
0000074f: JUMP
00000750: JUMPDEST
00000751: TIMESTAMP
00000752: LT
00000753: ISZERO
00000754: PUSH2 0x0896
00000757: JUMPI
00000758: PUSH1 0x40
0000075a: SWAP1
0000075b: PUSH1 0x55
0000075d: PUSH1 0x0b
0000075f: DUP4
00000760: MLOAD
00000761: PUSH2 0x0100
00000764: SWAP1
00000765: DUP2
00000766: DUP6
00000767: DUP3
00000768: CALLDATACOPY
00000769: KECCAK256
0000076a: DUP5
0000076b: MLOAD
0000076c: SWAP1
0000076d: PUSH32 0xecbf051d115fa5ccc1177d7a547bf60561f699139f67c74f72f5fd67efde9155
0000078e: DUP7
0000078f: DUP4
00000790: ADD
00000791: MSTORE
00000792: PUSH1 0x20
00000794: DUP3
00000795: ADD
00000796: MSTORE
00000797: PUSH32 0x000000000000000000000000a7bcb4eac8964306f9e3764f67db6a7af6ddf99a
000007b8: DUP2
000007b9: MSTORE
000007ba: ADD
000007bb: PUSH1 0xff
000007bd: DUP2
000007be: MSTORE8
000007bf: KECCAK256
000007c0: PUSH20 
```
0xffffffffffffffffffffffffffffffffffffffff 000007d5: SWAP1 000007d6: DUP2 000007d7: AND 000007d8: ADDRESS 000007d9: SUB 000007da: PUSH2 0x086d 000007dd: JUMPI 000007de: DUP4 000007df: PUSH0 000007e0: MSTORE 000007e1: PUSH1 0x20 000007e3: PUSH0 000007e4: KECCAK256 000007e5: PUSH1 0x20 000007e7: DUP4 000007e8: ADD 000007e9: CALLDATALOAD 000007ea: SUB 000007eb: PUSH2 0x0844 000007ee: JUMPI 000007ef: SWAP2 000007f0: PUSH2 0x083d 000007f3: PUSH1 0xc0 000007f5: DUP4 000007f6: PUSH2 0x0835 000007f9: PUSH1 0x20 000007fb: SWAP7 000007fc: PUSH1 0xa0 000007fe: PUSH32 0xe346f5c97a360db5188bfa5d3ec5f0583abde420c6ba4d08b6cfe61addc17105 0000081f: SWAP10 00000820: SWAP8 00000821: ADD 00000822: CALLDATALOAD 00000823: SWAP1 00000824: DUP1 00000825: DUP8 00000826: DUP6 00000827: ADD 00000828: CALLDATALOAD 00000829: AND 0000082a: SWAP1 0000082b: PUSH1 0x80 0000082d: DUP6 0000082e: ADD 0000082f: CALLDATALOAD 00000830: AND 00000831: PUSH2 0x0907 00000834: JUMP 00000835: JUMPDEST 00000836: ADD 00000837: CALLDATALOAD 00000838: CALLER 00000839: PUSH2 0x09c7 0000083c: JUMP 0000083d: JUMPDEST 0000083e: MLOAD 0000083f: SWAP1 00000840: DUP2 00000841: MSTORE 00000842: LOG1 00000843: JUMP 00000844: JUMPDEST 00000845: PUSH1 0x04 00000847: DUP4 00000848: MLOAD 00000849: PUSH32 0xabab6bd700000000000000000000000000000000000000000000000000000000 0000086a: DUP2 0000086b: MSTORE 0000086c: REVERT 0000086d: JUMPDEST 0000086e: PUSH1 0x04 00000870: DUP4 00000871: MLOAD 00000872: PUSH32 0xa269484a00000000000000000000000000000000000000000000000000000000 00000893: DUP2 00000894: MSTORE 00000895: REVERT 00000896: JUMPDEST 00000897: PUSH1 0x04 00000899: PUSH1 0x40 0000089b: MLOAD 0000089c: PUSH32 0x6f7eac2600000000000000000000000000000000000000000000000000000000 000008bd: DUP2 000008be: MSTORE 000008bf: REVERT 000008c0: JUMPDEST 000008c1: PUSH4 0xffffffff 000008c6: DUP2 000008c7: PUSH1 0xe0 000008c9: SHR 000008ca: SWAP2 000008cb: PUSH1 0xc0 000008cd: SHR 000008ce: AND 000008cf: DUP2 000008d0: ADD 000008d1: DUP1 
000008d2: SWAP2 000008d3: GT 000008d4: PUSH2 0x08da 000008d7: JUMPI 000008d8: SWAP1 000008d9: JUMP 000008da: JUMPDEST 000008db: PUSH32 0x4e487b7100000000000000000000000000000000000000000000000000000000 000008fc: PUSH0 000008fd: MSTORE 000008fe: PUSH1 0x11 00000900: PUSH1 0x04 00000902: MSTORE 00000903: PUSH1 0x24 00000905: PUSH0 00000906: REVERT 00000907: JUMPDEST 00000908: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000091d: AND 0000091e: SWAP2 0000091f: SWAP1 00000920: DUP3 00000921: PUSH2 0x0930 00000924: JUMPI 00000925: PUSH2 0x092e 00000928: SWAP3 00000929: POP 0000092a: PUSH2 0x09c7 0000092d: JUMP 0000092e: JUMPDEST 0000092f: JUMP 00000930: JUMPDEST 00000931: PUSH1 0x44 00000933: PUSH0 00000934: SWAP2 00000935: PUSH1 0x20 00000937: SWAP4 00000938: PUSH1 0x40 0000093a: MLOAD 0000093b: SWAP2 0000093c: PUSH32 0xa9059cbb00000000000000000000000000000000000000000000000000000000 0000095d: DUP4 0000095e: MSTORE 0000095f: PUSH1 0x04 00000961: DUP4 00000962: ADD 00000963: MSTORE 00000964: PUSH1 0x24 00000966: DUP3 00000967: ADD 00000968: MSTORE 00000969: DUP3 0000096a: DUP6 0000096b: GAS 0000096c: CALL 0000096d: SWAP1 0000096e: DUP2 0000096f: PUSH2 0x09a5 00000972: JUMPI 00000973: JUMPDEST 00000974: POP 00000975: ISZERO 00000976: PUSH2 0x097b 00000979: JUMPI 0000097a: JUMP 0000097b: JUMPDEST 0000097c: PUSH1 0x04 0000097e: PUSH1 0x40 00000980: MLOAD 00000981: PUSH32 0xfb7f507900000000000000000000000000000000000000000000000000000000 000009a2: DUP2 000009a3: MSTORE 000009a4: REVERT 000009a5: JUMPDEST 000009a6: SWAP1 000009a7: POP 000009a8: RETURNDATASIZE 000009a9: ISZERO 000009aa: PUSH2 0x09bf 000009ad: JUMPI 000009ae: POP 000009af: PUSH1 0x01 000009b1: PUSH0 000009b2: MLOAD 000009b3: EQ 000009b4: PUSH1 0x1f 000009b6: RETURNDATASIZE 000009b7: GT 000009b8: AND 000009b9: JUMPDEST 000009ba: PUSH0 000009bb: PUSH2 0x0973 000009be: JUMP 000009bf: JUMPDEST 000009c0: EXTCODESIZE 000009c1: ISZERO 000009c2: ISZERO 000009c3: PUSH2 0x09b9 000009c6: JUMP 000009c7: JUMPDEST 
000009c8: PUSH0 000009c9: DUP1 000009ca: DUP1 000009cb: SWAP4 000009cc: DUP2 000009cd: SWAP4 000009ce: GAS 000009cf: CALL 000009d0: RETURNDATASIZE 000009d1: ISZERO 000009d2: PUSH2 0x0a56 000009d5: JUMPI 000009d6: RETURNDATASIZE 000009d7: PUSH8 0xffffffffffffffff 000009e0: DUP2 000009e1: GT 000009e2: PUSH2 0x0715 000009e5: JUMPI 000009e6: PUSH1 0x40 000009e8: MLOAD 000009e9: SWAP1 000009ea: PUSH2 0x0a1b 000009ed: PUSH1 0x20 000009ef: PUSH32 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe0 00000a10: PUSH1 0x1f 00000a12: DUP5 00000a13: ADD 00000a14: AND 00000a15: ADD 00000a16: DUP4 00000a17: PUSH2 0x06d4 00000a1a: JUMP 00000a1b: JUMPDEST 00000a1c: DUP2 00000a1d: MSTORE 00000a1e: PUSH0 00000a1f: PUSH1 0x20 00000a21: RETURNDATASIZE 00000a22: SWAP3 00000a23: ADD 00000a24: RETURNDATACOPY 00000a25: JUMPDEST 00000a26: ISZERO 00000a27: PUSH2 0x0a2c 00000a2a: JUMPI 00000a2b: JUMP 00000a2c: JUMPDEST 00000a2d: PUSH1 0x04 00000a2f: PUSH1 0x40 00000a31: MLOAD 00000a32: PUSH32 0x8a0332d500000000000000000000000000000000000000000000000000000000 00000a53: DUP2 00000a54: MSTORE 00000a55: REVERT 00000a56: JUMPDEST 00000a57: PUSH2 0x0a25 00000a5a: JUMP 00000a5b: INVALID 00000a5c: LOG2 00000a5d: PUSH5 0x6970667358 00000a63: UNKNOWN(0x22) 00000a64: SLT 00000a65: KECCAK256 00000a66: CODESIZE 00000a67: POP 00000a68: UNKNOWN(0x2E) 00000a69: UNKNOWN(0xC2) 00000a6a: DUP13 00000a6b: BASEFEE 00000a6c: UNKNOWN(0xB5) 00000a6d: UNKNOWN(0xD1) 00000a6e: CODECOPY 00000a6f: DUP4 00000a70: SAR 00000a71: UNKNOWN(0xB5) 00000a72: CALLDATASIZE 00000a73: OR 00000a74: UNKNOWN(0xA6) 00000a75: MSTORE 00000a76: UNKNOWN(0xA7) 00000a77: SWAP13 00000a78: UNKNOWN(0xE0) 00000a79: UNKNOWN(0xB9) 00000a7a: DUP13 00000a7b: PUSH24
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | other | detector | ETH value transfer possible | 55 | no | no | see below |

trace_id: 0xc25c2d68a7aef274fd51798e82b0bf21b288604ee74f6abfb14d16b64041fb5c
call_targets: 0x9c3e06659f1c34f930ce97fcbce6e04ae88e535b
target_varies: no
classification: constant_target

validation_json {
  "sink": "CALL",
  "errors": 0,
  "status": "sink_reached",
  "attempts": 1,
  "trace_id": "0xc25c2d68a7aef274fd51798e82b0bf21b288604ee74f6abfb14d16b64041fb5c",
  "confirmed": false,
  "trace_mode": "callTracer",
  "call_targets": [
    "0x9c3e06659f1c34f930ce97fcbce6e04ae88e535b"
  ],
  "matched_probe": null,
  "target_varies": false,
  "classification": "constant_target"
}

witness_json {
  "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
  "constraints": [],
  "entrypoints": [
    {
      "calldata": "0x0af97558",
      "selector": "0x0af97558",
      "calldata_variants": [
        "0x0af97558",
        "0x0af975580000000000000000000000000000000000000000000000000000000000000000"
      ]
    },
    {
      "calldata": "0x23305703",
      "selector": "0x23305703",
      "calldata_variants": [
        "0x23305703",
        "0x233057030000000000000000000000000000000000000000000000000000000000000000"
      ]
    },
    {
      "calldata": "0x2dd31000",
      "selector": "0x2dd31000",
      "calldata_variants": [
        "0x2dd31000",
        "0x2dd310000000000000000000000000000000000000000000000000000000000000000000"
      ]
    },
    {
      "calldata": "0x34862b6a",
      "selector": "0x34862b6a",
      "calldata_variants": [
        "0x34862b6a",
        "0x34862b6a0000000000000000000000000000000000000000000000000000000000000000"
      ]
    },
    {
      "calldata": "0x4649088b",
      "selector": "0x4649088b",
      "calldata_variants": [
        "0x4649088b",
        "0x4649088b0000000000000000000000000000000000000000000000000000000000000000"
      ]
    },
    {
      "calldata": "0x90d3252f",
      "selector": "0x90d3252f",
      "calldata_variants": [
        "0x90d3252f",
        "0x90d3252f0000000000000000000000000000000000000000000000000000000000000000"
      ]
    },
    {
      "calldata": "0xf56cd69c",
      "selector": "0xf56cd69c",
      "calldata_variants": [
        "0xf56cd69c",
        "0xf56cd69c0000000000000000000000000000000000000000000000000000000000000000"
      ]
    }
  ]
}

evidence_json {
  "examples": [
    {
      "pc": 2412,
      "opcode": "CALL",
      "returndata_checked": null,
      "value_expression_category": "computed",
      "target_expression_category": "computed"
    },
    {
      "pc": 2511,
      "opcode": "CALL",
      "returndata_checked": null,
      "value_expression_category": "computed",
      "target_expression_category": "computed"
    }
  ],
  "eth_value_calls": 2,
  "guards_detected": []
}
| high | other | detector | Untrusted CALL target/value reachable | 60 | no | no | see below |

trace_id: 0xc25c2d68a7aef274fd51798e82b0bf21b288604ee74f6abfb14d16b64041fb5c
call_targets: 0x9c3e06659f1c34f930ce97fcbce6e04ae88e535b
target_varies: no
classification: constant_target

validation_json {
  "sink": "CALL",
  "errors": 0,
  "status": "sink_reached",
  "attempts": 1,
  "trace_id": "0xc25c2d68a7aef274fd51798e82b0bf21b288604ee74f6abfb14d16b64041fb5c",
  "confirmed": false,
  "trace_mode": "callTracer",
  "call_targets": [
    "0x9c3e06659f1c34f930ce97fcbce6e04ae88e535b"
  ],
  "matched_probe": null,
  "target_varies": false,
  "classification": "constant_target"
}

witness_json {
  "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
  "constraints": [],
  "entrypoints": [
    {
      "calldata": "0x0af97558",
      "selector": "0x0af97558",
      "calldata_variants": [
        "0x0af97558",
        "0x0af975580000000000000000000000000000000000000000000000000000000000000000"
      ]
    },
    {
      "calldata": "0x23305703",
      "selector": "0x23305703",
      "calldata_variants": [
        "0x23305703",
        "0x233057030000000000000000000000000000000000000000000000000000000000000000"
      ]
    },
    {
      "calldata": "0x2dd31000",
      "selector": "0x2dd31000",
      "calldata_variants": [
        "0x2dd31000",
        "0x2dd310000000000000000000000000000000000000000000000000000000000000000000"
      ]
    },
    {
      "calldata": "0x34862b6a",
      "selector": "0x34862b6a",
      "calldata_variants": [
        "0x34862b6a",
        "0x34862b6a0000000000000000000000000000000000000000000000000000000000000000"
      ]
    },
    {
      "calldata": "0x4649088b",
      "selector": "0x4649088b",
      "calldata_variants": [
        "0x4649088b",
        "0x4649088b0000000000000000000000000000000000000000000000000000000000000000"
      ]
    },
    {
      "calldata": "0x90d3252f",
      "selector": "0x90d3252f",
      "calldata_variants": [
        "0x90d3252f",
        "0x90d3252f0000000000000000000000000000000000000000000000000000000000000000"
      ]
    },
    {
      "calldata": "0xf56cd69c",
      "selector": "0xf56cd69c",
      "calldata_variants": [
        "0xf56cd69c",
        "0xf56cd69c0000000000000000000000000000000000000000000000000000000000000000"
      ]
    }
  ]
}

evidence_json {
  "examples": [
    {
      "pc": 2412,
      "opcode": "CALL",
      "returndata_checked": null,
      "value_expression_category": "computed",
      "target_expression_category": "computed"
    },
    {
      "pc": 2511,
      "opcode": "CALL",
      "returndata_checked": null,
      "value_expression_category": "computed",
      "target_expression_category": "computed"
    }
  ],
  "call_count": 2,
  "guards_detected": [],
  "untrusted_call_count": 2
}
| high | other | slither | BaseEscrow._ethTransfer(address,uint256) (contracts/BaseEscrow.sol#95-98) sends eth to arbitrary user | 85 | no | — | arbitrary-send-eth; dangerous call: (success,None) = to.call{value: amount}() (contracts/BaseEscrow.sol#96) |