019be3d6-8331-73e6-a86d-412bb8153def
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 40806 | artifact.fetch | complete | 1 / 3 | 2 months ago |
| 40807 | proxy.resolve | complete | 1 / 3 | 2 months ago |
| 40808 | tool.cast_disasm | complete | 1 / 3 | 2 months ago |
| 40809 | analysis.bundle | complete | 1 / 3 | 2 months ago |
| 40810 | capability.graph | complete | 1 / 3 | 2 months ago |
| 40811 | detector.run | complete | 1 / 3 | 2 months ago |
| 40812 | validation.fork | complete | 1 / 3 | 2 months ago |
| 41324 | report.consolidate | complete | 1 / 6 | 2 months ago |
| 41325 | tool.slither | failed | 2 / 2 | 2 months ago |
{
"method": "etherscan+onchain",
"status": "confirmed",
"etherscan_hint": {
"source": "etherscan",
"etherscan": {
"proxy_flag": true,
"implementation": "0x73d0fd329abecfbca9e0a482ed161a01616d9fca"
}
},
"implementation": "0x73d0fd329abecfbca9e0a482ed161a01616d9fca",
"onchain_method": "eip1967"
}
Traceback (most recent call last):
File "/var/www/tripwire/worker/worker.py", line 198, in main
payload = dispatch_job(job_type, job_id, job_meta, run_data, config, laravel_client)
File "/var/www/tripwire/worker/worker.py", line 114, in dispatch_job
return slither_run.run(job_id, job_meta, run_data, config, log, laravel_client)
~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/var/www/tripwire/worker/jobs/slither_run.py", line 1084, in run
stdout_text, stderr_text, result_json = _run_slither(
~~~~~~~~~~~~^
workspace,
^^^^^^^^^^
...<4 lines>...
target_path=target_path,
^^^^^^^^^^^^^^^^^^^^^^^^
)
^
File "/var/www/tripwire/worker/jobs/slither_run.py", line 958, in _run_slither
raise RuntimeError(f"slither failed (exit {result.returncode}): {stderr_text or stdout_text}")
RuntimeError: slither failed (exit 1): 'forge clean' running (wd: /tmp/slither-5cvulj3x)
'forge config --json' running
'forge build --build-info --skip ./test/** ./script/** --force' running (wd: /tmp/slither-5cvulj3x)
Traceback (most recent call last):
File "/var/www/tripwire/.venv/bin/slither", line 10, in <module>
sys.exit(main())
~~~~^^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/slither/__main__.py", line 776, in main
main_impl(all_detector_classes=detectors, all_printer_classes=printers)
~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/slither/__main__.py", line 882, in main_impl
) = process_all(filename, args, detector_classes, printer_classes)
~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/slither/__main__.py", line 96, in process_all
compilations = compile_all(target, **vars(args))
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/crytic_compile/crytic_compile.py", line 722, in compile_all
compilations.append(CryticCompile(target, **kwargs))
~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/crytic_compile/crytic_compile.py", line 211, in __init__
self._compile(**kwargs)
~~~~~~~~~~~~~^^^^^^^^^^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/crytic_compile/crytic_compile.py", line 633, in _compile
self._platform.compile(self, **kwargs)
~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/crytic_compile/platform/foundry.py", line 102, in compile
hardhat_like_parsing(
~~~~~~~~~~~~~~~~~~~~^
crytic_compile, str(self._target), build_directory, str(self._project_root)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
)
^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/crytic_compile/platform/hardhat.py", line 52, in hardhat_like_parsing
raise InvalidCompilation(txt)
crytic_compile.platform.exceptions.InvalidCompilation: Compilation failed. Can you run build command?
/tmp/slither-5cvulj3x/out/build-info is not a directory.
{"no_findings":true,"summary":"Reviewed the first-party Solidity sources in `AUDIT_BUNDLE.txt` (including `src/contracts/L1OpUSDCBridgeAdapter.sol`, `src/contracts/universal/OpUSDCBridgeAdapter.sol`, and `src/contracts/utils/FallbackProxyAdmin.sol`) for the implementation at 0x73d0fd329abecfbca9e0a482ed161a01616d9fca; no exploitable issues found within the scoped categories.","findings":[]}
OpenAI Codex v0.77.0 (research preview)
--------
workdir: /tmp/codex-o8_8irjv
model: gpt-5.2-codex
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: auto
session id: 019be43c-1820-7ed3-916d-a7914b67e9e3
--------
user
Context: The user requested the proxy at 0xe6a5175293bbd0f5b5499801e29e3ce15e0fe90a.
Audit the implementation at 0x73d0fd329abecfbca9e0a482ed161a01616d9fca.
Findings should refer to the implementation unless explicitly about proxy mechanics.
You are a security auditor. Audit this Solidity codebase for exploitable vulnerabilities.
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation, oracle manipulation,
accounting/invariant breaks, external call patterns, unchecked return values, and dangerous delegatecall.
Scope rules:
- You MUST fully read `AUDIT_BUNDLE.txt` before concluding. It contains the complete contents of all first-party Solidity sources in this workspace.
- Treat `lib/` and `@openzeppelin/` as third-party dependencies; skip them unless there is a concrete misuse angle in first-party code.
- If there are only dependency files and no first-party sources, set no_findings=true and explain in summary.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title and file/line locations when possible.
Output constraints (IMPORTANT):
- severity MUST be exactly one of: info, low, medium, high, critical (lowercase).
- category MUST be exactly one of: access_control, reentrancy, math, oracle, upgradeability, auth, other.
Keep summary short and concrete.
mcp startup: no servers
thinking
**Planning bundle read with shell command**
exec
/bin/bash -lc ls in /tmp/codex-o8_8irjv succeeded in 8ms:
AUDIT_BUNDLE.txt
codex-output-schema.json
node_modules
src
thinking
**Reading AUDIT_BUNDLE.txt**
exec
/bin/bash -lc 'cat AUDIT_BUNDLE.txt' in /tmp/codex-o8_8irjv succeeded in 8ms:
This file concatenates the full contents of first-party Solidity sources for auditing.
Do not treat dependency code under lib/ or @openzeppelin/ as first-party.
================================================================================
FILE: src/contracts/L1OpUSDCBridgeAdapter.sol
================================================================================
// SPDX-License-Identifier: MIT
pragma solidity 0.8.25;
import {SafeERC20} from '@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol';
import {OpUSDCBridgeAdapter} from 'contracts/universal/OpUSDCBridgeAdapter.sol';
import {IL1OpUSDCBridgeAdapter} from 'interfaces/IL1OpUSDCBridgeAdapter.sol';
import {IL2OpUSDCBridgeAdapter} from 'interfaces/IL2OpUSDCBridgeAdapter.sol';
import {IOpUSDCBridgeAdapter} from 'interfaces/IOpUSDCBridgeAdapter.sol';
import {ICrossDomainMessenger} from 'interfaces/external/ICrossDomainMessenger.sol';
import {IUSDC} from 'interfaces/external/IUSDC.sol';
/**
* @title L1OpUSDCBridgeAdapter
* @notice L1OpUSDCBridgeAdapter is a contract that bridges Bridged USDC from L1 to L2 and and receives it from L2.
thinking
**Planning full AUDIT_BUNDLE read**
The AUDIT_BUNDLE output was truncated due to tool limits, so I'll use line-range commands like sed to read it in manageable chunks and ensure the entire file is captured. Next, I'll identify file section boundaries with ripgrep to guide chunked reading.
exec
/bin/bash -lc 'rg -n "''^FILE:" AUDIT_BUNDLE.txt' in /tmp/codex-o8_8irjv succeeded in 29ms:
5:FILE: src/contracts/L1OpUSDCBridgeAdapter.sol
344:FILE: src/contracts/universal/OpUSDCBridgeAdapter.sol
507:FILE: src/contracts/utils/FallbackProxyAdmin.sol
564:FILE: src/interfaces/IL1OpUSDCBridgeAdapter.sol
659:FILE: src/interfaces/IL2OpUSDCBridgeAdapter.sol
754:FILE: src/interfaces/IOpUSDCBridgeAdapter.sol
1052:FILE: src/interfaces/external/ICrossDomainMessenger.sol
1092:FILE: src/interfaces/external/IUSDC.sol
thinking
**Planning staged file reading**
I'm preparing to read the full file in 200-line chunks using sed to avoid truncation, covering consecutive ranges like 1-200, 201-400, and so on.
exec
/bin/bash -lc "sed -n '1,200p' AUDIT_BUNDLE.txt" in /tmp/codex-o8_8irjv succeeded in 12ms:
This file concatenates the full contents of first-party Solidity sources for auditing.
Do not treat dependency code under lib/ or @openzeppelin/ as first-party.
================================================================================
FILE: src/contracts/L1OpUSDCBridgeAdapter.sol
================================================================================
// SPDX-License-Identifier: MIT
pragma solidity 0.8.25;
import {SafeERC20} from '@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol';
import {OpUSDCBridgeAdapter} from 'contracts/universal/OpUSDCBridgeAdapter.sol';
import {IL1OpUSDCBridgeAdapter} from 'interfaces/IL1OpUSDCBridgeAdapter.sol';
import {IL2OpUSDCBridgeAdapter} from 'interfaces/IL2OpUSDCBridgeAdapter.sol';
import {IOpUSDCBridgeAdapter} from 'interfaces/IOpUSDCBridgeAdapter.sol';
import {ICrossDomainMessenger} from 'interfaces/external/ICrossDomainMessenger.sol';
import {IUSDC} from 'interfaces/external/IUSDC.sol';
/**
* @title L1OpUSDCBridgeAdapter
* @notice L1OpUSDCBridgeAdapter is a contract that bridges Bridged USDC from L1 to L2 and and receives it from L2.
exec
/bin/bash -lc "sed -n '200,400p' AUDIT_BUNDLE.txt" in /tmp/codex-o8_8irjv succeeded in 6ms:
* @param _minGasLimit Minimum gas limit that the message can be executed with
*/
function sendMessage(address _to, uint256 _amount, uint32 _minGasLimit) external override {
if (_to == address(0)) revert IOpUSDCBridgeAdapter_InvalidAddress();
// Ensure the address is not blacklisted
if (IUSDC(USDC).isBlacklisted(_to)) revert IOpUSDCBridgeAdapter_BlacklistedAddress();
// Ensure messaging is enabled
if (messengerStatus != Status.Active) revert IOpUSDCBridgeAdapter_MessagingDisabled();
_sendMessage(msg.sender, _to, _amount, _minGasLimit);
}
/**
* @notice Send signer tokens to another chain through the linked adapter
* @param _signer The address of the user sending the message
* @param _to The target address on the destination chain
* @param _amount The amount of tokens to send
* @param _signature The signature of the user
exec
/bin/bash -lc "sed -n '400,600p' AUDIT_BUNDLE.txt" in /tmp/codex-o8_8irjv succeeded in 9ms:
* @param _linkedAdapter The address of the linked adapter
*/
// solhint-disable-next-line no-unused-vars
constructor(address _usdc, address _messenger, address _linkedAdapter) {
USDC = _usdc;
MESSENGER = _messenger;
LINKED_ADAPTER = _linkedAdapter;
_disableInitializers();
}
/**
* @notice Initialize the contract
* @param _owner The owner of the contract
*/
function initialize(address _owner) external virtual initializer {}
/*///////////////////////////////////////////////////////////////
MESSAGING
///////////////////////////////////////////////////////////////*/
exec
/bin/bash -lc "sed -n '600,800p' AUDIT_BUNDLE.txt" in /tmp/codex-o8_8irjv succeeded in 6ms:
uint32 _minGasLimitReceiveOnL2,
uint32 _minGasLimitSetBurnAmount
) external;
/**
* @notice Sets the amount of USDC tokens that will be burned when the burnLockedUSDC function is called
* @param _amount The amount of USDC tokens that will be burned
* @dev Only callable by a whitelisted messenger during its migration process
*/
function setBurnAmount(uint256 _amount) external;
/**
* @notice Burns the USDC tokens locked in the contract
* @dev The amount is determined by the burnAmount variable, which is set in the setBurnAmount function
*/
function burnLockedUSDC() external;
/**
* @notice Send a message to the linked adapter to call receiveStopMessaging() and stop outgoing messages.
* @dev Only callable by the owner of the adapter
exec
/bin/bash -lc "sed -n '800,1000p' AUDIT_BUNDLE.txt" in /tmp/codex-o8_8irjv succeeded in 7ms:
///////////////////////////////////////////////////////////////*/
/**
* @notice Emitted when messaging is stopped
* @param _messenger The address of the messenger contract that was stopped
*/
event MessagingStopped(address _messenger);
/**
* @notice Emitted when a message is sent to the linked adapter
* @param _user The user that sent the message
* @param _to The target address on the destination chain
* @param _amount The amount of tokens to send
* @param _messenger The address of the messenger contract that was sent through
* @param _minGasLimit Minimum gas limit that the message can be executed with
*/
event MessageSent(
address indexed _user, address indexed _to, uint256 _amount, address indexed _messenger, uint32 _minGasLimit
);
exec
/bin/bash -lc "sed -n '1000,1200p' AUDIT_BUNDLE.txt" in /tmp/codex-o8_8irjv succeeded in 5ms:
*/
function cancelSignature(uint256 _nonce) external;
/*///////////////////////////////////////////////////////////////
VARIABLES
///////////////////////////////////////////////////////////////*/
/**
* @notice Fetches address of the USDC token
* @return _usdc Address of the USDC token
*/
// solhint-disable-next-line func-name-mixedcase
function USDC() external view returns (address _usdc);
/**
* @notice Fetches address of the linked adapter on L2 to send messages to and receive from
* @return _linkedAdapter Address of the linked adapter
*/
// solhint-disable-next-line func-name-mixedcase
function LINKED_ADAPTER() external view returns (address _linkedAdapter);
exec
/bin/bash -lc "sed -n '1200,1400p' AUDIT_BUNDLE.txt" in /tmp/codex-o8_8irjv succeeded in 6ms:
/**
* @notice Removes account from blacklist.
* @param _account The address to remove from the blacklist.
*/
function unBlacklist(address _account) external;
/**
* @notice Function to upgrade the usdc proxy to a new implementation
* @param _newImplementation Address of the new implementation
*/
function upgradeTo(address _newImplementation) external;
/**
* @notice Upgrades the USDC proxy to a new implementation and calls a function on the new implementation
* @param _newImplementation Address of the new implementation
* @param _data Data to call on the new implementation
*/
function upgradeToAndCall(address _newImplementation, bytes calldata _data) external;
/**
thinking
**Assessing reentrancy risk in bridge adapter**
The implementation likely targets L1OpUSDCBridgeAdapter and uses SafeERC20 for token transfers without explicit reentrancy guards; however, state updates occur before external calls, reducing reentrancy risk despite external calls to messenger and USDC contracts.
thinking
**Identifying nuanced risks and access controls**
The implementation handles signature validation, nonces, and upgradeability properly, but lacks inbound messaging pause checks, allowing L1 to accept calls when paused; `withdrawLockedFunds` and other functions have open caller access but no theft risk; some edge cases exist around locked funds and cross-chain message replay assumptions relying on trusted L2 adapters.
thinking
```json
{
"no_findings": true,
"summary": "Reviewed L1OpUSDCBridgeAdapter, OpUSDCBridgeAdapter, and FallbackProxyAdmin in the provided audit bundle at implementation 0x73d0...; no exploitable issues were identified within the scoped categories.",
"findings": []
}
```
codex
{"no_findings":true,"summary":"Reviewed the first-party Solidity sources in `AUDIT_BUNDLE.txt` (including `src/contracts/L1OpUSDCBridgeAdapter.sol`, `src/contracts/universal/OpUSDCBridgeAdapter.sol`, and `src/contracts/utils/FallbackProxyAdmin.sol`) for the implementation at 0x73d0fd329abecfbca9e0a482ed161a01616d9fca; no exploitable issues found within the scoped categories.","findings":[]}
tokens used
39,606
{
"codex": {
"ran_at": "2026-01-22T05:47:32.597515+00:00",
"returncode": 0
},
"project": {
"mode": "source",
"file_count": 31,
"import_count": 34,
"first_party_contracts_count": 8
},
"summary": "Reviewed the first-party Solidity sources in `AUDIT_BUNDLE.txt` (including `src/contracts/L1OpUSDCBridgeAdapter.sol`, `src/contracts/universal/OpUSDCBridgeAdapter.sol`, and `src/contracts/utils/FallbackProxyAdmin.sol`) for the implementation at 0x73d0fd329abecfbca9e0a482ed161a01616d9fca; no exploitable issues found within the scoped categories.",
"raw_final": {
"summary": "Reviewed the first-party Solidity sources in `AUDIT_BUNDLE.txt` (including `src/contracts/L1OpUSDCBridgeAdapter.sol`, `src/contracts/universal/OpUSDCBridgeAdapter.sol`, and `src/contracts/utils/FallbackProxyAdmin.sol`) for the implementation at 0x73d0fd329abecfbca9e0a482ed161a01616d9fca; no exploitable issues found within the scoped categories.",
"findings": [],
"no_findings": true
},
"no_findings": true,
"proxy_context": {
"proxy_run_id": "019be3d6-8331-73e6-a86d-412bb8153def",
"proxy_address": "0xe6a5175293bbd0f5b5499801e29e3ce15e0fe90a",
"implementation_run_id": "019be3d7-f3f6-7335-be5b-07a67d5c232d",
"implementation_address": "0x73d0fd329abecfbca9e0a482ed161a01616d9fca"
},
"schema_version": 1
}
00000000: PUSH1 0x80 00000002: PUSH1 0x40 00000004: MSTORE 00000005: PUSH32 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc 00000026: SLOAD 00000027: PUSH1 0x00 00000029: SWAP1 0000002a: DUP2 0000002b: SWAP1 0000002c: DUP2 0000002d: SWAP1 0000002e: PUSH1 0x01 00000030: PUSH1 0x01 00000032: PUSH1 0xa0 00000034: SHL 00000035: SUB 00000036: AND 00000037: CALLDATASIZE 00000038: DUP3 00000039: DUP1 0000003a: CALLDATACOPY 0000003b: DUP2 0000003c: CALLDATASIZE 0000003d: SWAP2 0000003e: GAS 0000003f: DELEGATECALL 00000040: RETURNDATASIZE 00000041: DUP3 00000042: DUP1 00000043: RETURNDATACOPY 00000044: ISZERO 00000045: PUSH1 0x4b 00000047: JUMPI 00000048: RETURNDATASIZE 00000049: SWAP1 0000004a: RETURN 0000004b: JUMPDEST 0000004c: RETURNDATASIZE 0000004d: SWAP1 0000004e: REVERT 0000004f: INVALID 00000050: LOG2 00000051: PUSH5 0x6970667358 00000057: UNKNOWN(0x22) 00000058: SLT 00000059: KECCAK256 0000005a: UNKNOWN(0xE2) 0000005b: UNKNOWN(0xCA) 0000005c: LOG0 0000005d: UNKNOWN(0xBC) 0000005e: UNKNOWN(0xCE) 0000005f: UNKNOWN(0xC4) 00000060: UNKNOWN(0x1F) 00000061: TIMESTAMP 00000062: PUSH21 0x6d3537b85eff9c858b9f8470c314eb958c447b0eff 00000078: PUSH11 0x5c64736f6c634300081900 00000084: CALLER
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| critical | upgradeability | detector | Untrusted DELEGATECALL target reachable | 70 | no | no |
viewtrace_id: 0xd7e4aac23e54b1dcc144fe18c7191703501a116f974efe6d69352f5a31fcdfaf
call_targets:
0x73d0fd329abecfbca9e0a482ed161a01616d9fca
target_varies:
no
classification:
constant_target
validation_json{
"sink": "DELEGATECALL",
"errors": 0,
"status": "sink_reached",
"attempts": 1,
"trace_id": "0xd7e4aac23e54b1dcc144fe18c7191703501a116f974efe6d69352f5a31fcdfaf",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0x73d0fd329abecfbca9e0a482ed161a01616d9fca"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x",
"selector": "fallback",
"calldata_variants": [
"0x"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 63,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
}
],
"guards_detected": [],
"delegatecall_count": 1,
"untrusted_delegatecall_count": 1
}
|
| medium | upgradeability | cast | DELEGATECALL present | 80 | no | — |
viewevidence_json{
"notes": "delegatecall enables execution in caller context; common in proxies/upgradeable patterns",
"delegatecall_count": 1
}
|
| info | upgradeability | cast | Likely proxy-like runtime | 60 | no | — |
viewevidence_json{
"notes": "short runtime with SLOAD and DELEGATECALL resembles minimal proxy/upgradeable pattern",
"sload_count": 1,
"total_opcodes": 57,
"delegatecall_count": 1
}
|