019be3d6-840c-7196-a8ab-4b88c63a071e
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 40981 | artifact.fetch | complete | 1 / 3 | 2 months ago |
| 40982 | proxy.resolve | complete | 1 / 3 | 2 months ago |
| 40983 | tool.cast_disasm | complete | 1 / 3 | 2 months ago |
| 40984 | analysis.bundle | complete | 1 / 3 | 2 months ago |
| 40985 | capability.graph | complete | 1 / 3 | 2 months ago |
| 40986 | detector.run | complete | 1 / 3 | 2 months ago |
| 40987 | validation.fork | complete | 1 / 3 | 2 months ago |
| 41388 | report.consolidate | complete | 1 / 6 | 2 months ago |
| 41389 | tool.slither | complete | 1 / 2 | 2 months ago |
{
"status": "conflict",
"onchain_impl": "0xa0d828a754961ff78e733701eb98d22084db242c",
"etherscan_hint": {
"source": "etherscan",
"etherscan": {
"proxy_flag": true,
"implementation": "0x12f4b7020b4694f1971479157a3a77106018809b"
}
},
"etherscan_impl": "0x12f4b7020b4694f1971479157a3a77106018809b",
"onchain_method": "eip1967"
}
'forge clean' running (wd: /tmp/slither-qlio7_m5)
'forge config --json' running
'forge build --build-info --skip ./test/** ./script/** --force' running (wd: /tmp/slither-qlio7_m5)
TransparentUpgradeableProxy.admin() (contracts/Proxy/TransparentUpgradeableProxy.sol#58-60) calls TransparentUpgradeableProxy.ifAdmin() (contracts/Proxy/TransparentUpgradeableProxy.sol#41-47) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Proxy/Proxy.sol#39)
TransparentUpgradeableProxy.implementation() (contracts/Proxy/TransparentUpgradeableProxy.sol#71-73) calls TransparentUpgradeableProxy.ifAdmin() (contracts/Proxy/TransparentUpgradeableProxy.sol#41-47) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Proxy/Proxy.sol#39)
TransparentUpgradeableProxy.changeAdmin(address) (contracts/Proxy/TransparentUpgradeableProxy.sol#82-84) calls TransparentUpgradeableProxy.ifAdmin() (contracts/Proxy/TransparentUpgradeableProxy.sol#41-47) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Proxy/Proxy.sol#39)
TransparentUpgradeableProxy.upgradeTo(address) (contracts/Proxy/TransparentUpgradeableProxy.sol#91-93) calls TransparentUpgradeableProxy.ifAdmin() (contracts/Proxy/TransparentUpgradeableProxy.sol#41-47) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Proxy/Proxy.sol#39)
TransparentUpgradeableProxy.upgradeToAndCall(address,bytes) (contracts/Proxy/TransparentUpgradeableProxy.sol#102-104) calls TransparentUpgradeableProxy.ifAdmin() (contracts/Proxy/TransparentUpgradeableProxy.sol#41-47) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Proxy/Proxy.sol#39)
TransparentUpgradeableProxy.ifAdmin() (contracts/Proxy/TransparentUpgradeableProxy.sol#41-47) calls Proxy._fallback() (contracts/Proxy/Proxy.sol#54-57) which halt the execution return(uint256,uint256)(0,returndatasize()()) (contracts/Proxy/Proxy.sol#39)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-return-in-assembly
ERC1967Upgrade._upgradeToAndCall(address,bytes,bool) (contracts/Proxy/ERC1967Upgrade.sol#55-61) ignores return value by Address.functionDelegateCall(newImplementation,data) (contracts/Proxy/ERC1967Upgrade.sol#59)
ERC1967Upgrade._upgradeToAndCallSecure(address,bytes,bool) (contracts/Proxy/ERC1967Upgrade.sol#68-96) ignores return value by Address.functionDelegateCall(newImplementation,data) (contracts/Proxy/ERC1967Upgrade.sol#74)
ERC1967Upgrade._upgradeToAndCallSecure(address,bytes,bool) (contracts/Proxy/ERC1967Upgrade.sol#68-96) ignores return value by Address.functionDelegateCall(newImplementation,abi.encodeWithSignature(upgradeTo(address),oldImplementation)) (contracts/Proxy/ERC1967Upgrade.sol#82-88)
ERC1967Upgrade._upgradeBeaconToAndCall(address,bytes,bool) (contracts/Proxy/ERC1967Upgrade.sol#104-110) ignores return value by Address.functionDelegateCall(IBeacon(newBeacon).implementation(),data) (contracts/Proxy/ERC1967Upgrade.sol#108)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#unused-return
Modifier TransparentUpgradeableProxy.ifAdmin() (contracts/Proxy/TransparentUpgradeableProxy.sol#41-47) does not always execute _; or revert
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-modifier
Reentrancy in ERC1967Upgrade._upgradeToAndCallSecure(address,bytes,bool) (contracts/Proxy/ERC1967Upgrade.sol#68-96):
External calls:
- Address.functionDelegateCall(newImplementation,data) (contracts/Proxy/ERC1967Upgrade.sol#74)
- Address.functionDelegateCall(newImplementation,abi.encodeWithSignature(upgradeTo(address),oldImplementation)) (contracts/Proxy/ERC1967Upgrade.sol#82-88)
Event emitted after the call(s):
- Upgraded(newImplementation) (contracts/Proxy/ERC1967Upgrade.sol#94)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#reentrancy-vulnerabilities-3
Address.isContract(address) (contracts/Proxy/Address.sol#26-35) uses assembly
- INLINE ASM (contracts/Proxy/Address.sol#33)
Address._verifyCallResult(bool,bytes,string) (contracts/Proxy/Address.sol#171-188) uses assembly
- INLINE ASM (contracts/Proxy/Address.sol#180-183)
Proxy._delegate(address) (contracts/Proxy/Proxy.sol#21-41) uses assembly
- INLINE ASM (contracts/Proxy/Proxy.sol#23-40)
StorageSlot.getAddressSlot(bytes32) (contracts/Proxy/StorageSlot.sol#51-55) uses assembly
- INLINE ASM (contracts/Proxy/StorageSlot.sol#52-54)
StorageSlot.getBooleanSlot(bytes32) (contracts/Proxy/StorageSlot.sol#60-64) uses assembly
- INLINE ASM (contracts/Proxy/StorageSlot.sol#61-63)
StorageSlot.getBytes32Slot(bytes32) (contracts/Proxy/StorageSlot.sol#69-73) uses assembly
- INLINE ASM (contracts/Proxy/StorageSlot.sol#70-72)
StorageSlot.getUint256Slot(bytes32) (contracts/Proxy/StorageSlot.sol#78-82) uses assembly
- INLINE ASM (contracts/Proxy/StorageSlot.sol#79-81)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#assembly-usage
ERC1967Upgrade._getBeacon() (contracts/Proxy/ERC1967Upgrade.sol#163-165) is never used and should be removed
ERC1967Upgrade._setBeacon(address) (contracts/Proxy/ERC1967Upgrade.sol#170-180) is never used and should be removed
ERC1967Upgrade._upgradeBeaconToAndCall(address,bytes,bool) (contracts/Proxy/ERC1967Upgrade.sol#104-110) is never used and should be removed
ERC1967Upgrade._upgradeTo(address) (contracts/Proxy/ERC1967Upgrade.sol#45-48) is never used and should be removed
ERC1967Upgrade._upgradeToAndCallSecure(address,bytes,bool) (contracts/Proxy/ERC1967Upgrade.sol#68-96) is never used and should be removed
TransparentUpgradeableProxy._admin() (contracts/Proxy/TransparentUpgradeableProxy.sol#109-111) is never used and should be removed
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#dead-code
Version constraint ^0.8.0 contains known severe issues (https://solidity.readthedocs.io/en/latest/bugs.html)
- FullInlinerNonExpressionSplitArgumentEvaluationOrder
- MissingSideEffectsOnSelectorAccess
- AbiReencodingHeadOverflowWithStaticArrayCleanup
- DirtyBytesArrayToStorage
- DataLocationChangeInInternalOverride
- NestedCalldataArrayAbiReencodingSizeValidation
- SignedImmutables
- ABIDecodeTwoDimensionalArrayMemory
- KeccakCaching.
It is used by:
- ^0.8.0 (contracts/Proxy/Address.sol#3)
- ^0.8.0 (contracts/Proxy/ERC1967Proxy.sol#3)
- ^0.8.0 (contracts/Proxy/ERC1967Upgrade.sol#3)
- ^0.8.0 (contracts/Proxy/IBeacon.sol#3)
- ^0.8.0 (contracts/Proxy/Proxy.sol#3)
- ^0.8.0 (contracts/Proxy/StorageSlot.sol#3)
- ^0.8.0 (contracts/Proxy/TransparentUpgradeableProxy.sol#3)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#incorrect-versions-of-solidity
Low level call in Address.sendValue(address,uint256) (contracts/Proxy/Address.sol#53-59):
- (success,None) = recipient.call{value: amount}() (contracts/Proxy/Address.sol#57)
Low level call in Address.functionCallWithValue(address,bytes,uint256,string) (contracts/Proxy/Address.sol#114-121):
- (success,returndata) = target.call{value: value}(data) (contracts/Proxy/Address.sol#119)
Low level call in Address.functionStaticCall(address,bytes,string) (contracts/Proxy/Address.sol#139-145):
- (success,returndata) = target.staticcall(data) (contracts/Proxy/Address.sol#143)
Low level call in Address.functionDelegateCall(address,bytes,string) (contracts/Proxy/Address.sol#163-169):
- (success,returndata) = target.delegatecall(data) (contracts/Proxy/Address.sol#167)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#low-level-calls
TransparentUpgradeableProxy (contracts/Proxy/TransparentUpgradeableProxy.sol#28-121) should inherit from IBeacon (contracts/Proxy/IBeacon.sol#8-16)
Reference: https://github.com/crytic/slither/wiki/Detector-Documentation#missing-inheritance
. analyzed (7 contracts with 100 detectors), 31 result(s) found
{
"solc": {
"status": "ok",
"use_rc": 0,
"version": "0.8.0",
"strategy": "solc-select",
"solc_path": "/var/www/tripwire/.venv/bin/solc",
"install_rc": 0,
"use_stderr": null,
"use_stdout": "Switched global version to 0.8.0",
"install_stderr": null,
"install_stdout": "Version '0.8.0' is already installed, skipping..."
},
"solc_args": "--base-path /tmp/slither-qlio7_m5 --allow-paths /tmp/slither-qlio7_m5,/tmp/slither-qlio7_m5/lib,/tmp/slither-qlio7_m5/src",
"remappings": [],
"source_files": [
"contracts/Proxy/TransparentUpgradeableProxy.sol",
"contracts/Proxy/ERC1967Proxy.sol",
"contracts/Proxy/Proxy.sol",
"contracts/Proxy/ERC1967Upgrade.sol",
"contracts/Proxy/IBeacon.sol",
"contracts/Proxy/Address.sol",
"contracts/Proxy/StorageSlot.sol"
],
"contract_count": 0,
"contract_names": [],
"detector_count": 31,
"workspace_hash": "7161614e3c57b8bb9e9cd5df27f99eef51eef7484f1bc3416f0ab41549946db9",
"duration_seconds": 0.731522798538208,
"solc_version_requested": "0.8.0"
}
{"no_findings":true,"summary":"Reviewed runtime bytecode and analysis artifacts for 0xa0d828a754961ff78e733701eb98d22084db242c. No clear vulnerabilities identified from bytecode alone; tx.origin appears only in logging paths and CALL sites revert on failure.","findings":[]}
OpenAI Codex v0.77.0 (research preview)
--------
workdir: /tmp/codex-avpt0syr
model: gpt-5.2-codex
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: auto
session id: 019be46c-9e75-79a2-bf62-5d601f028e95
--------
user
Context: The user requested the proxy at 0x6f1d09fed11115d65e1071cd2109edb300d80a27.
Audit the implementation at 0xa0d828a754961ff78e733701eb98d22084db242c.
Findings should refer to the implementation unless explicitly about proxy mechanics.
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
mcp startup: no servers
thinking
**Reading bytecode bundle file**
exec
/bin/bash -lc ls in /tmp/codex-avpt0syr succeeded in 6ms:
BYTECODE_BUNDLE.json
codex-output-schema.json
exec
/bin/bash -lc 'cat BYTECODE_BUNDLE.json' in /tmp/codex-avpt0syr succeeded in 19ms:
{
"analysis_artifact": {
"address": "0xa0d828a754961ff78e733701eb98d22084db242c",
"artifact_hash": "0xcd66ad8369d636923cdce3c8e0a72fa42ba52eb46bc11a4b7b23e1320db76100",
"artifact_json": {
"auth": {
"guards": [
{
"pc": 6463,
"type": "tx_origin_used"
},
{
"pc": 8058,
"type": "tx_origin_used"
},
{
"pc": 18589,
"type": "tx_origin_used"
}
]
thinking
**Assessing evidence for tx.origin guards**
I'm focusing on gathering concrete evidence about tx.origin usage in authorization guards and untrusted external calls. The analysis shows potential tx.origin authorization but lacks clear sink mapping, so I'll treat severity as medium given the uncertainty. Next, I'll inspect callsite details and the BYTECODE_BUNDLE for more precise evidence on call targets and untrusted calls.
exec
/bin/bash -lc 'rg -n "evidence_bundle|evidence" BYTECODE_BUNDLE.json' in /tmp/codex-avpt0syr succeeded in 18ms:
37804: "proxy_evidence": {
51171: "evidence_json": {
51200: "evidence_json": {
51265: "evidence_json": {
exec
/bin/bash -lc "sed -n '37780,37920p' BYTECODE_BUNDLE.json" in /tmp/codex-avpt0syr succeeded in 9ms:
"id": "019be3d6-840c-7196-a8ab-4b88c63a071e",
"status": "running",
"updated_at": "2026-01-22T03:56:29.000000Z"
},
"parent_run_id": "019be3d6-840c-7196-a8ab-4b88c63a071e",
"updated_at": "2026-01-22T03:56:30.000000Z"
}
],
"status": "running",
"updated_at": "2026-01-22T06:37:59.000000Z"
},
"artifact": {
"codehash": "0x30eb4634847e064c32b9dbe0f880e22328aa8e8dab2bb6e8e21b0bdf8c591635",
"compiler_json": {
"compiler_version": null,
"etherscan": {
"contract_name": null,
"implementation": null,
"license": "Unknown",
"proxy": "0",
thinking
**Analyzing tx.origin and reentrancy usage**
Found tx.origin usage guarded at specific bytecode offsets, so mapping these to functions will clarify impact. Noted reentrancy guard is present, likely preventing reentrant calls broadly. External calls target token contract addresses stored in storage, showing potential untrusted call reachability but with stored constants, suggesting intended use. Need to verify if all external calls are covered by reentrancy guard and if tx.origin is sole access control or others exist.
thinking
**Confirming Ownable and tx.origin use in authorization**
Detected standard Ownable pattern alongside tx.origin used as an additional or alternative guard at specific bytecode locations. Reentrancy guard appears present but may not cover all external calls with value to computed targets, suggesting limited coverage. Signature validation likely uses ecrecover (implied by "Ethereum Signed Message") but no strong evidence of vulnerabilities there. Findings should highlight medium severity on tx.origin use for auth due to phishing risk and cautious note on external calls with computed targets and value, given partial reentrancy protection.
exec
/bin/bash -lc "rg -n \"\\\"start_pc\\\": 6463|\\\"start_pc\\\": 8058|\\\"start_pc\\\": 18589|\\\"end_pc\\\": 6463|\\\"end_pc\\\": 8058|\\\"end_pc\\\": 18589\" BYTECODE_BUNDLE.json" in /tmp/codex-avpt0syr succeeded in 11ms:
19103: "start_pc": 18589
50811: "start_pc": 18589,
thinking
**Inspecting opcode region near block boundary**
I'm checking the opcodes around the code block start at 18589 to understand why many blocks may not be included, focusing on lines near 19090 for relevant details.
exec
/bin/bash -lc "sed -n '19080,19140p' BYTECODE_BUNDLE.json" in /tmp/codex-avpt0syr succeeded in 9ms:
"OP_F9",
"OP_A9",
"RETURN"
],
"start_pc": 18576
},
{
"end_pc": 18600,
"hash": "0x049f8ac86d580ead12584947cf5d760e183fdf182464f070f66c3b264c3e472f",
"opcodes": [
"ORIGIN",
"TIMESTAMP",
"OP_CB",
"OP_ED",
"CALLDATALOAD",
"OP_AD",
"NUMBER",
"CALLDATACOPY",
"OP_8E",
"OP_23",
thinking
**Investigating opcode locations by program counter**
I'm searching for exact program counter entries like "pc": 6463 to locate where specific operations occur since basic block listings might be truncated or incomplete. This will help confirm if ORIGIN and related opcodes tie into guard logic.
exec
/bin/bash -lc "rg -n '\"pc\": 6463|\"pc\": 8058' BYTECODE_BUNDLE.json" in /tmp/codex-avpt0syr succeeded in 9ms:
9: "pc": 6463,
13: "pc": 8058,
24913: "pc": 6463,
24917: "pc": 8058,
25250: "pc": 6463,
25254: "pc": 8058,
25587: "pc": 6463,
25591: "pc": 8058,
25924: "pc": 6463,
25928: "pc": 8058,
26261: "pc": 6463,
26265: "pc": 8058,
26598: "pc": 6463,
26602: "pc": 8058,
26935: "pc": 6463,
26939: "pc": 8058,
27272: "pc": 6463,
27276: "pc": 8058,
27609: "pc": 6463,
27613: "pc": 8058,
thinking
**Analyzing authorization and calls**
Noticed use of `tx.origin` for authorization, which is risky, plus low-level `call` invocations without clear return data checks that might allow silent failures; the contract uses initializer patterns suggesting partial upgradeability but lacks proxy logic.
thinking
**Planning EVM disassembly for callsite analysis**
I'm preparing to disassemble bytecode regions around key PCs where low-level calls occur to verify if return data checks are present, aiming to clarify risk level of unchecked external calls with value given weak detector evidence.
exec
/bin/bash -lc "python - <<'PY'
import json
import textwrap
from pathlib import Path
bundle = json.loads(Path('/tmp/codex-avpt0syr/BYTECODE_BUNDLE.json').read_text())
bytecode = bundle['artifact']['runtime_bytecode']['full']
if bytecode.startswith('0x'):
bytecode = bytecode[2:]
code = bytes.fromhex(bytecode)
# opcode mapping
opcodes = {}
# 0x00-0x0f
names = {
0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
0x20:'SHA3',
0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',
0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
}
opcodes.update(names)
def disasm_range(start, end):
i = start
out = []
while i < end and i < len(code):
op = code[i]
name = opcodes.get(op, f'OP_{op:02x}')
i += 1
if 0x60 <= op <= 0x7f:
n = op - 0x5f
data = code[i:i+n]
i += n
out.append((i - n -1, name, data.hex()))
else:
out.append((i-1, name, None))
return out
# dump around callsites
pcs = [2710, 3738, 4089, 5290, 5901, 6313, 11005, 11368, 12746, 6463, 8058, 18589]
for pc in pcs:
start = max(0, pc-20)
end = pc+20
print(f\"\\n== around pc {pc} ==\")
for addr, name, data in disasm_range(start, end):
if data is None:
print(f\"{addr:05x}: {name}\")
else:
print(f\"{addr:05x}: {name} 0x{data}\")
PY" in /tmp/codex-avpt0syr succeeded in 42ms:
== around pc 2710 ==
00a82: DUP2
00a83: PUSH1 0x00
00a85: DUP8
00a86: DUP1
00a87: EXTCODESIZE
00a88: ISZERO
00a89: DUP1
00a8a: ISZERO
00a8b: PUSH2 0x0a93
00a8e: JUMPI
00a8f: PUSH1 0x00
00a91: DUP1
00a92: REVERT
00a93: JUMPDEST
00a94: POP
00a95: GAS
00a96: CALL
00a97: ISZERO
thinking
**Assessing tx.origin usage context**
The ORIGIN value appears near event logging code rather than explicit authorization checks, so I need to extend disassembly to confirm whether tx.origin is used in conditionals or just embedded in event data.
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
bundle = json.loads(Path('/tmp/codex-avpt0syr/BYTECODE_BUNDLE.json').read_text())
bytecode = bundle['artifact']['runtime_bytecode']['full']
if bytecode.startswith('0x'):
bytecode = bytecode[2:]
code = bytes.fromhex(bytecode)
opnames = {}
# mapping similar to previous
names = {
0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
0x20:'SHA3',
0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',
0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
}
opnames.update(names)
def disasm(start, end):
i = start
out = []
while i < end and i < len(code):
op = code[i]
name = opnames.get(op, f'OP_{op:02x}')
i += 1
if 0x60 <= op <= 0x7f:
n = op - 0x5f
data = code[i:i+n]
i += n
out.append((i - n -1, name, data.hex()))
else:
out.append((i-1, name, None))
return out
# detailed around pc 6463 and 8058
for pc in [6463, 8058]:
start = max(0, pc-80)
end = pc+80
print(f\"\\n== detailed around pc {pc} ==\")
for addr, name, data in disasm(start, end):
if data is None:
print(f\"{addr:05x}: {name}\")
else:
print(f\"{addr:05x}: {name} 0x{data}\")
PY" in /tmp/codex-avpt0syr succeeded in 46ms:
== detailed around pc 6463 ==
018ef: DUP1
018f0: ISZERO
018f1: PUSH2 0x1916
018f4: JUMPI
018f5: PUSH1 0x40
018f7: MLOAD
018f8: SWAP2
018f9: POP
018fa: PUSH1 0x1f
018fc: NOT
018fd: PUSH1 0x3f
018ff: RETURNDATASIZE
01900: ADD
01901: AND
01902: DUP3
01903: ADD
01904: PUSH1 0x40
01906: MSTORE
thinking
**Disqualifying tx.origin authorization claim**
The code shows tx.origin mainly used for logging events or appearing in metadata, not for authorization checks before jumps, so the tx.origin auth vulnerability claim is unsupported.
thinking
**Analyzing external call handling**
I’m inspecting a low-level CALL pattern around PC 6313 that captures the call’s success flag, conditionally jumps on failure, and may set a status; I’ll expand disassembly around 6280–6350 to confirm if it properly handles call return data, possibly like SafeERC20.
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
bundle = json.loads(Path('/tmp/codex-avpt0syr/BYTECODE_BUNDLE.json').read_text())
bytecode = bundle['artifact']['runtime_bytecode']['full']
if bytecode.startswith('0x'):
bytecode = bytecode[2:]
code = bytes.fromhex(bytecode)
# opcode mapping
opnames = {}
# mapping from earlier
names = {
0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
0x20:'SHA3',
0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',
0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
}
opnames.update(names)
def disasm(start, end):
i = start
out = []
while i < end and i < len(code):
op = code[i]
name = opnames.get(op, f'OP_{op:02x}')
i += 1
if 0x60 <= op <= 0x7f:
n = op - 0x5f
data = code[i:i+n]
i += n
out.append((i - n -1, name, data.hex()))
else:
out.append((i-1, name, None))
return out
start = 6260
end = 6365
for addr, name, data in disasm(start, end):
if data is None:
print(f\"{addr:05x}: {name}\")
else:
print(f\"{addr:05x}: {name} 0x{data}\")
PY" in /tmp/codex-avpt0syr succeeded in 51ms:
01874: PUSH1 0xe0
01876: SHL
01877: SWAP1
01878: MSTORE
01879: SWAP1
0187a: ADDRESS
0187b: PUSH4 0x561aa97d
01880: PUSH2 0x188c
01883: DUP6
01884: PUSH1 0x24
01886: DUP6
01887: ADD
01888: PUSH2 0x44ba
0188b: JUMP
0188c: JUMPDEST
0188d: PUSH1 0x00
0188f: PUSH1 0x40
01891: MLOAD
01892: DUP1
01893: DUP4
thinking
**Confirming external calls have success checks**
External calls consistently check for success and revert on failure, indicating safe handling after calls. Reentrancy guard usage is present in some functions, but potential reentrancy risk remains in external calls within loops and state updates, requiring deeper analysis.
thinking
**Clarifying call target and tx.origin usage**
Dynamic analysis shows calls targeting the contract itself, likely due to default or testing conditions, reducing concerns about untrusted external calls. `tx.origin` appears only in event logging, not authorization checks, so likely not a vulnerability. Next, a script will verify all `ORIGIN` opcode usages to confirm this pattern.
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
bundle = json.loads(Path('/tmp/codex-avpt0syr/BYTECODE_BUNDLE.json').read_text())
bytecode = bundle['artifact']['runtime_bytecode']['full']
if bytecode.startswith('0x'):
bytecode = bytecode[2:]
code = bytes.fromhex(bytecode)
# simple opcode decode
ops = []
# mapping for push size
push_sizes = {i: i-0x5f for i in range(0x60, 0x80)}
pc = 0
while pc < len(code):
op = code[pc]
ops.append((pc, op))
pc += 1
if op in push_sizes:
pc += push_sizes[op]
# find ORIGIN usage
origin_pcs = [pc for pc, op in ops if op == 0x32]
print('ORIGIN count', len(origin_pcs))
# build quick lookup of next few non-push opcodes after each origin
opnames = {0x14:'EQ',0x15:'ISZERO',0x56:'JUMP',0x57:'JUMPI',0x33:'CALLER',0x32:'ORIGIN'}
# create mapping from pc to index in ops list
pc_to_index = {pc:i for i,(pc,op) in enumerate(ops)}
for pc in origin_pcs:
i = pc_to_index[pc]
# look ahead 10 ops
seq = []
for j in range(i, min(i+12, len(ops))):
op = ops[j][1]
name = opnames.get(op, f'op_{op:02x}')
seq.append(name)
print(hex(pc), seq)
PY" in /tmp/codex-avpt0syr succeeded in 51ms:
ORIGIN count 3
0x193f ['ORIGIN', 'op_91', 'op_7f', 'op_91', 'op_61', 'op_91', 'op_60', 'op_89', 'op_01', 'op_35', 'op_91', 'op_87']
0x1f7a ['ORIGIN', 'op_60', 'op_54', 'op_8f', 'op_8e', 'op_8e', 'op_8d', 'op_8d', 'op_8d', 'op_8d', 'op_60', 'op_51']
0x489d ['ORIGIN', 'op_42', 'op_cb', 'op_ed', 'op_35', 'op_ad', 'op_43', 'op_37', 'op_8e', 'op_23', 'op_d8', 'JUMP']
thinking
**Ruling out tx.origin auth issue and validating call return checks**
The tx.origin occurrences aren't used for authorization, so no vulnerability there. Call instructions mostly have proper return data checks and revert handling, including ones resembling Address.functionCall, reducing risk. Next, I'll examine CALL opcodes with value transfers for missing success checks by analyzing opcode patterns around callsites to confirm no unchecked call failures.
thinking
**Concluding no vulnerabilities found**
Thorough bytecode analysis found no clear vulnerabilities; external calls are properly checked, reentrancy guard is present, and tx.origin is used only in logging. The plan is to output a JSON summary indicating no findings with a concise explanation.
codex
{"no_findings":true,"summary":"Reviewed runtime bytecode and analysis artifacts for 0xa0d828a754961ff78e733701eb98d22084db242c. No clear vulnerabilities identified from bytecode alone; tx.origin appears only in logging paths and CALL sites revert on failure.","findings":[]}
tokens used
76,312
{
"codex": {
"ran_at": "2026-01-22T06:41:57.973147+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 37260,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "Reviewed runtime bytecode and analysis artifacts for 0xa0d828a754961ff78e733701eb98d22084db242c. No clear vulnerabilities identified from bytecode alone; tx.origin appears only in logging paths and CALL sites revert on failure.",
"raw_final": {
"summary": "Reviewed runtime bytecode and analysis artifacts for 0xa0d828a754961ff78e733701eb98d22084db242c. No clear vulnerabilities identified from bytecode alone; tx.origin appears only in logging paths and CALL sites revert on failure.",
"findings": [],
"no_findings": true
},
"no_findings": true,
"proxy_context": {
"proxy_run_id": "019be3d6-840c-7196-a8ab-4b88c63a071e",
"proxy_address": "0x6f1d09fed11115d65e1071cd2109edb300d80a27",
"implementation_run_id": "019be3d8-bb60-7023-94d5-bc2e86082ed0",
"implementation_address": "0xa0d828a754961ff78e733701eb98d22084db242c"
},
"schema_version": 1
}
00000000: PUSH1 0x80 00000002: PUSH1 0x40 00000004: MSTORE 00000005: PUSH1 0x04 00000007: CALLDATASIZE 00000008: LT 00000009: PUSH2 0x004e 0000000c: JUMPI 0000000d: PUSH1 0x00 0000000f: CALLDATALOAD 00000010: PUSH1 0xe0 00000012: SHR 00000013: DUP1 00000014: PUSH4 0x3659cfe6 00000019: EQ 0000001a: PUSH2 0x0065 0000001d: JUMPI 0000001e: DUP1 0000001f: PUSH4 0x4f1ef286 00000024: EQ 00000025: PUSH2 0x0085 00000028: JUMPI 00000029: DUP1 0000002a: PUSH4 0x5c60da1b 0000002f: EQ 00000030: PUSH2 0x0098 00000033: JUMPI 00000034: DUP1 00000035: PUSH4 0x8f283970 0000003a: EQ 0000003b: PUSH2 0x00c3 0000003e: JUMPI 0000003f: DUP1 00000040: PUSH4 0xf851a440 00000045: EQ 00000046: PUSH2 0x00e3 00000049: JUMPI 0000004a: PUSH2 0x005d 0000004d: JUMP 0000004e: JUMPDEST 0000004f: CALLDATASIZE 00000050: PUSH2 0x005d 00000053: JUMPI 00000054: PUSH2 0x005b 00000057: PUSH2 0x00f8 0000005a: JUMP 0000005b: JUMPDEST 0000005c: STOP 0000005d: JUMPDEST 0000005e: PUSH2 0x005b 00000061: PUSH2 0x00f8 00000064: JUMP 00000065: JUMPDEST 00000066: CALLVALUE 00000067: DUP1 00000068: ISZERO 00000069: PUSH2 0x0071 0000006c: JUMPI 0000006d: PUSH1 0x00 0000006f: DUP1 00000070: REVERT 00000071: JUMPDEST 00000072: POP 00000073: PUSH2 0x005b 00000076: PUSH2 0x0080 00000079: CALLDATASIZE 0000007a: PUSH1 0x04 0000007c: PUSH2 0x05d2 0000007f: JUMP 00000080: JUMPDEST 00000081: PUSH2 0x0112 00000084: JUMP 00000085: JUMPDEST 00000086: PUSH2 0x005b 00000089: PUSH2 0x0093 0000008c: CALLDATASIZE 0000008d: PUSH1 0x04 0000008f: PUSH2 0x05ec 00000092: JUMP 00000093: JUMPDEST 00000094: PUSH2 0x015e 00000097: JUMP 00000098: JUMPDEST 00000099: CALLVALUE 0000009a: DUP1 0000009b: ISZERO 0000009c: PUSH2 0x00a4 0000009f: JUMPI 000000a0: PUSH1 0x00 000000a2: DUP1 000000a3: REVERT 000000a4: JUMPDEST 000000a5: POP 000000a6: PUSH2 0x00ad 000000a9: PUSH2 0x01d4 000000ac: JUMP 000000ad: JUMPDEST 000000ae: PUSH1 0x40 000000b0: MLOAD 000000b1: PUSH2 0x00ba 000000b4: SWAP2 000000b5: SWAP1 000000b6: PUSH2 0x0686 000000b9: JUMP 000000ba: JUMPDEST 000000bb: PUSH1 0x40 000000bd: MLOAD 000000be: DUP1 000000bf: SWAP2 000000c0: SUB 000000c1: SWAP1 000000c2: RETURN 000000c3: JUMPDEST 000000c4: CALLVALUE 000000c5: DUP1 000000c6: ISZERO 000000c7: PUSH2 0x00cf 000000ca: JUMPI 000000cb: PUSH1 0x00 000000cd: DUP1 000000ce: REVERT 000000cf: JUMPDEST 000000d0: POP 000000d1: PUSH2 0x005b 000000d4: PUSH2 0x00de 000000d7: CALLDATASIZE 000000d8: PUSH1 0x04 000000da: PUSH2 0x05d2 000000dd: JUMP 000000de: JUMPDEST 000000df: PUSH2 0x0211 000000e2: JUMP 000000e3: JUMPDEST 000000e4: CALLVALUE 000000e5: DUP1 000000e6: ISZERO 000000e7: PUSH2 0x00ef 000000ea: JUMPI 000000eb: PUSH1 0x00 000000ed: DUP1 000000ee: REVERT 000000ef: JUMPDEST 000000f0: POP 000000f1: PUSH2 0x00ad 000000f4: PUSH2 0x023b 000000f7: JUMP 000000f8: JUMPDEST 000000f9: PUSH2 0x0100 000000fc: PUSH2 0x029c 000000ff: JUMP 00000100: JUMPDEST 00000101: PUSH2 0x0110 00000104: PUSH2 0x010b 00000107: PUSH2 0x02e6 0000010a: JUMP 0000010b: JUMPDEST 0000010c: PUSH2 0x02f5 0000010f: JUMP 00000110: JUMPDEST 00000111: JUMP 00000112: JUMPDEST 00000113: PUSH2 0x011a 00000116: PUSH2 0x0319 00000119: JUMP 0000011a: JUMPDEST 0000011b: PUSH1 0x01 0000011d: PUSH1 0x01 0000011f: PUSH1 0xa0 00000121: SHL 00000122: SUB 00000123: AND 00000124: CALLER 00000125: PUSH1 0x01 00000127: PUSH1 0x01 00000129: PUSH1 0xa0 0000012b: SHL 0000012c: SUB 0000012d: AND 0000012e: EQ 0000012f: ISZERO 00000130: PUSH2 0x0153 00000133: JUMPI 00000134: PUSH2 0x014e 00000137: DUP2 00000138: PUSH1 0x40 0000013a: MLOAD 0000013b: DUP1 0000013c: PUSH1 0x20 0000013e: ADD 0000013f: PUSH1 0x40 00000141: MSTORE 00000142: DUP1 00000143: PUSH1 0x00 00000145: DUP2 00000146: MSTORE 00000147: POP 00000148: PUSH1 0x00 0000014a: PUSH2 0x0353 0000014d: JUMP 0000014e: JUMPDEST 0000014f: PUSH2 0x015b 00000152: JUMP 00000153: JUMPDEST 00000154: PUSH2 0x015b 00000157: PUSH2 0x00f8 0000015a: JUMP 0000015b: JUMPDEST 0000015c: POP 0000015d: JUMP 0000015e: JUMPDEST 0000015f: PUSH2 0x0166 00000162: PUSH2 0x0319 00000165: JUMP 00000166: JUMPDEST 00000167: PUSH1 0x01 00000169: PUSH1 0x01 0000016b: PUSH1 0xa0 0000016d: SHL 0000016e: SUB 0000016f: AND 00000170: CALLER 00000171: PUSH1 0x01 00000173: PUSH1 0x01 00000175: PUSH1 0xa0 00000177: SHL 00000178: SUB 00000179: AND 0000017a: EQ 0000017b: ISZERO 0000017c: PUSH2 0x01c7 0000017f: JUMPI 00000180: PUSH2 0x01c2 00000183: DUP4 00000184: DUP4 00000185: DUP4 00000186: DUP1 00000187: DUP1 00000188: PUSH1 0x1f 0000018a: ADD 0000018b: PUSH1 0x20 0000018d: DUP1 0000018e: SWAP2 0000018f: DIV 00000190: MUL 00000191: PUSH1 0x20 00000193: ADD 00000194: PUSH1 0x40 00000196: MLOAD 00000197: SWAP1 00000198: DUP2 00000199: ADD 0000019a: PUSH1 0x40 0000019c: MSTORE 0000019d: DUP1 0000019e: SWAP4 0000019f: SWAP3 000001a0: SWAP2 000001a1: SWAP1 000001a2: DUP2 000001a3: DUP2 000001a4: MSTORE 000001a5: PUSH1 0x20 000001a7: ADD 000001a8: DUP4 000001a9: DUP4 000001aa: DUP1 000001ab: DUP3 000001ac: DUP5 000001ad: CALLDATACOPY 000001ae: PUSH1 0x00 000001b0: SWAP3 000001b1: ADD 000001b2: SWAP2 000001b3: SWAP1 000001b4: SWAP2 000001b5: MSTORE 000001b6: POP 000001b7: PUSH1 0x01 000001b9: SWAP3 000001ba: POP 000001bb: PUSH2 0x0353 000001be: SWAP2 000001bf: POP 000001c0: POP 000001c1: JUMP 000001c2: JUMPDEST 000001c3: PUSH2 0x01cf 000001c6: JUMP 000001c7: JUMPDEST 000001c8: PUSH2 0x01cf 000001cb: PUSH2 0x00f8 000001ce: JUMP 000001cf: JUMPDEST 000001d0: POP 000001d1: POP 000001d2: POP 000001d3: JUMP 000001d4: JUMPDEST 000001d5: PUSH1 0x00 000001d7: PUSH2 0x01de 000001da: PUSH2 0x0319 000001dd: JUMP 000001de: JUMPDEST 000001df: PUSH1 0x01 000001e1: PUSH1 0x01 000001e3: PUSH1 0xa0 000001e5: SHL 000001e6: SUB 000001e7: AND 000001e8: CALLER 000001e9: PUSH1 0x01 000001eb: PUSH1 0x01 000001ed: PUSH1 0xa0 000001ef: SHL 000001f0: SUB 000001f1: AND 000001f2: EQ 000001f3: ISZERO 000001f4: PUSH2 0x0206 000001f7: JUMPI 000001f8: PUSH2 0x01ff 000001fb: PUSH2 0x02e6 000001fe: JUMP 000001ff: JUMPDEST 00000200: SWAP1 00000201: POP 00000202: PUSH2 0x020e 00000205: JUMP 00000206: JUMPDEST 00000207: PUSH2 0x020e 0000020a: PUSH2 0x00f8 0000020d: JUMP 0000020e: JUMPDEST 0000020f: SWAP1 00000210: JUMP 00000211: JUMPDEST 00000212: PUSH2 0x0219 00000215: PUSH2 0x0319 00000218: JUMP 00000219: JUMPDEST 0000021a: PUSH1 0x01 0000021c: PUSH1 0x01 0000021e: PUSH1 0xa0 00000220: SHL 00000221: SUB 00000222: AND 00000223: CALLER 00000224: PUSH1 0x01 00000226: PUSH1 0x01 00000228: PUSH1 0xa0 0000022a: SHL 0000022b: SUB 0000022c: AND 0000022d: EQ 0000022e: ISZERO 0000022f: PUSH2 0x0153 00000232: JUMPI 00000233: PUSH2 0x014e 00000236: DUP2 00000237: PUSH2 0x03b2 0000023a: JUMP 0000023b: JUMPDEST 0000023c: PUSH1 0x00 0000023e: PUSH2 0x0245 00000241: PUSH2 0x0319 00000244: JUMP 00000245: JUMPDEST 00000246: PUSH1 0x01 00000248: PUSH1 0x01 0000024a: PUSH1 0xa0 0000024c: SHL 0000024d: SUB 0000024e: AND 0000024f: CALLER 00000250: PUSH1 0x01 00000252: PUSH1 0x01 00000254: PUSH1 0xa0 00000256: SHL 00000257: SUB 00000258: AND 00000259: EQ 0000025a: ISZERO 0000025b: PUSH2 0x0206 0000025e: JUMPI 0000025f: PUSH2 0x01ff 00000262: PUSH2 0x0319 00000265: JUMP 00000266: JUMPDEST 00000267: PUSH1 0x60 00000269: PUSH2 0x028b 0000026c: DUP4 0000026d: DUP4 0000026e: PUSH1 0x40 00000270: MLOAD 00000271: DUP1 00000272: PUSH1 0x60 00000274: ADD 00000275: PUSH1 0x40 00000277: MSTORE 00000278: DUP1 00000279: PUSH1 0x27 0000027b: DUP2 0000027c: MSTORE 0000027d: PUSH1 0x20 0000027f: ADD 00000280: PUSH2 0x0855 00000283: PUSH1 0x27 00000285: SWAP2 00000286: CODECOPY 00000287: PUSH2 0x03fb 0000028a: JUMP 0000028b: JUMPDEST 0000028c: SWAP4 0000028d: SWAP3 0000028e: POP 0000028f: POP 00000290: POP 00000291: JUMP 00000292: JUMPDEST 00000293: DUP1 00000294: EXTCODESIZE 00000295: ISZERO 00000296: ISZERO 00000297: JUMPDEST 00000298: SWAP2 00000299: SWAP1 0000029a: POP 0000029b: JUMP 0000029c: JUMPDEST 0000029d: PUSH2 0x02a4 000002a0: PUSH2 0x0319 000002a3: JUMP 000002a4: JUMPDEST 000002a5: PUSH1 0x01 000002a7: PUSH1 0x01 000002a9: PUSH1 0xa0 000002ab: SHL 000002ac: SUB 000002ad: AND 000002ae: CALLER 000002af: PUSH1 0x01 000002b1: PUSH1 0x01 000002b3: PUSH1 0xa0 000002b5: SHL 000002b6: SUB 000002b7: AND 000002b8: EQ 000002b9: ISZERO 000002ba: PUSH2 0x02de 000002bd: JUMPI 000002be: PUSH1 0x40 000002c0: MLOAD 000002c1: PUSH3 0x461bcd 000002c5: PUSH1 0xe5 000002c7: SHL 000002c8: DUP2 000002c9: MSTORE 000002ca: PUSH1 0x04 000002cc: ADD 000002cd: PUSH2 0x02d5 000002d0: SWAP1 000002d1: PUSH2 0x07c0 000002d4: JUMP 000002d5: JUMPDEST 000002d6: PUSH1 0x40 000002d8: MLOAD 000002d9: DUP1 000002da: SWAP2 000002db: SUB 000002dc: SWAP1 000002dd: REVERT 000002de: JUMPDEST 000002df: PUSH2 0x0110 000002e2: PUSH2 0x0110 000002e5: JUMP 000002e6: JUMPDEST 000002e7: PUSH1 0x00 000002e9: PUSH2 0x02f0 000002ec: PUSH2 0x0497 000002ef: JUMP 000002f0: JUMPDEST 000002f1: SWAP1 000002f2: POP 000002f3: SWAP1 000002f4: JUMP 000002f5: JUMPDEST 000002f6: CALLDATASIZE 000002f7: PUSH1 0x00 000002f9: DUP1 000002fa: CALLDATACOPY 000002fb: PUSH1 0x00 000002fd: DUP1 000002fe: CALLDATASIZE 000002ff: PUSH1 0x00 00000301: DUP5 00000302: GAS 00000303: DELEGATECALL 00000304: RETURNDATASIZE 00000305: PUSH1 0x00 00000307: DUP1 00000308: RETURNDATACOPY 00000309: DUP1 0000030a: DUP1 0000030b: ISZERO 0000030c: PUSH2 0x0314 0000030f: JUMPI 00000310: RETURNDATASIZE 00000311: PUSH1 0x00 00000313: RETURN 00000314: JUMPDEST 00000315: RETURNDATASIZE 00000316: PUSH1 0x00 00000318: REVERT 00000319: JUMPDEST 0000031a: PUSH1 0x00 0000031c: PUSH2 0x0344 0000031f: PUSH32 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103 00000340: PUSH2 0x020e 00000343: JUMP 00000344: JUMPDEST 00000345: SLOAD 00000346: PUSH1 0x01 00000348: PUSH1 0x01 0000034a: PUSH1 0xa0 0000034c: SHL 0000034d: SUB 0000034e: AND 0000034f: SWAP1 00000350: POP 00000351: SWAP1 00000352: JUMP 00000353: JUMPDEST 00000354: PUSH2 0x035c 00000357: DUP4 00000358: PUSH2 0x04c2 0000035b: JUMP 0000035c: JUMPDEST 0000035d: PUSH1 0x40 0000035f: MLOAD 00000360: PUSH1 0x01 00000362: PUSH1 0x01 00000364: PUSH1 0xa0 00000366: SHL 00000367: SUB 00000368: DUP5 00000369: AND 0000036a: SWAP1 0000036b: PUSH32 0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b 0000038c: SWAP1 0000038d: PUSH1 0x00 0000038f: SWAP1 00000390: LOG2 00000391: PUSH1 0x00 00000393: DUP3 00000394: MLOAD 00000395: GT 00000396: DUP1 00000397: PUSH2 0x039d 0000039a: JUMPI 0000039b: POP 0000039c: DUP1 0000039d: JUMPDEST 0000039e: ISZERO 0000039f: PUSH2 0x01cf 000003a2: JUMPI 000003a3: PUSH2 0x03ac 000003a6: DUP4 000003a7: DUP4 000003a8: PUSH2 0x0266 000003ab: JUMP 000003ac: JUMPDEST 000003ad: POP 000003ae: POP 000003af: POP 000003b0: POP 000003b1: JUMP 000003b2: JUMPDEST 000003b3: PUSH32 0x7e644d79422f17c01e4894b5f4f588d331ebfa28653d42ae832dc59e38c9798f 000003d4: PUSH2 0x03db 000003d7: PUSH2 0x0319 000003da: JUMP 000003db: JUMPDEST 000003dc: DUP3 000003dd: PUSH1 0x40 000003df: MLOAD 000003e0: PUSH2 0x03ea 000003e3: SWAP3 000003e4: SWAP2 000003e5: SWAP1 000003e6: PUSH2 0x069a 000003e9: JUMP 000003ea: JUMPDEST 000003eb: PUSH1 0x40 000003ed: MLOAD 000003ee: DUP1 000003ef: SWAP2 000003f0: SUB 000003f1: SWAP1 000003f2: LOG1 000003f3: PUSH2 0x015b 000003f6: DUP2 000003f7: PUSH2 0x0532 000003fa: JUMP 000003fb: JUMPDEST 000003fc: PUSH1 0x60 000003fe: PUSH2 0x0406 00000401: DUP5 00000402: PUSH2 0x0292 00000405: JUMP 00000406: JUMPDEST 00000407: PUSH2 0x0422 0000040a: JUMPI 0000040b: PUSH1 0x40 0000040d: MLOAD 0000040e: PUSH3 0x461bcd 00000412: PUSH1 0xe5 00000414: SHL 00000415: DUP2 00000416: MSTORE 00000417: PUSH1 0x04 00000419: ADD 0000041a: PUSH2 0x02d5 0000041d: SWAP1 0000041e: PUSH2 0x077a 00000421: JUMP 00000422: JUMPDEST 00000423: PUSH1 0x00 00000425: DUP1 00000426: DUP6 00000427: PUSH1 0x01 00000429: PUSH1 0x01 0000042b: PUSH1 0xa0 0000042d: SHL 0000042e: SUB 0000042f: AND 00000430: DUP6 00000431: PUSH1 0x40 00000433: MLOAD 00000434: PUSH2 0x043d 00000437: SWAP2 00000438: SWAP1 00000439: PUSH2 0x066a 0000043c: JUMP 0000043d: JUMPDEST 0000043e: PUSH1 0x00 00000440: PUSH1 0x40 00000442: MLOAD 00000443: DUP1 00000444: DUP4 00000445: SUB 00000446: DUP2 00000447: DUP6 00000448: GAS 00000449: DELEGATECALL 0000044a: SWAP2 0000044b: POP 0000044c: POP 0000044d: RETURNDATASIZE 0000044e: DUP1 0000044f: PUSH1 0x00 00000451: DUP2 00000452: EQ 00000453: PUSH2 0x0478 00000456: JUMPI 00000457: PUSH1 0x40 00000459: MLOAD 0000045a: SWAP2 0000045b: POP 0000045c: PUSH1 0x1f 0000045e: NOT 0000045f: PUSH1 0x3f 00000461: RETURNDATASIZE 00000462: ADD 00000463: AND 00000464: DUP3 00000465: ADD 00000466: PUSH1 0x40 00000468: MSTORE 00000469: RETURNDATASIZE 0000046a: DUP3 0000046b: MSTORE 0000046c: RETURNDATASIZE 0000046d: PUSH1 0x00 0000046f: PUSH1 0x20 00000471: DUP5 00000472: ADD 00000473: RETURNDATACOPY 00000474: PUSH2 0x047d 00000477: JUMP 00000478: JUMPDEST 00000479: PUSH1 0x60 0000047b: SWAP2 0000047c: POP 0000047d: JUMPDEST 0000047e: POP 0000047f: SWAP2 00000480: POP 00000481: SWAP2 00000482: POP 00000483: PUSH2 0x048d 00000486: DUP3 00000487: DUP3 00000488: DUP7 00000489: PUSH2 0x0582 0000048c: JUMP 0000048d: JUMPDEST 0000048e: SWAP7 0000048f: SWAP6 00000490: POP 00000491: POP 00000492: POP 00000493: POP 00000494: POP 00000495: POP 00000496: JUMP 00000497: JUMPDEST 00000498: PUSH1 0x00 0000049a: PUSH2 0x0344 0000049d: PUSH32 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc 000004be: PUSH2 0x020e 000004c1: JUMP 000004c2: JUMPDEST 000004c3: PUSH2 0x04cb 000004c6: DUP2 000004c7: PUSH2 0x0292 000004ca: JUMP 000004cb: JUMPDEST 000004cc: PUSH2 0x04e7 000004cf: JUMPI 000004d0: PUSH1 0x40 000004d2: MLOAD 000004d3: PUSH3 0x461bcd 000004d7: PUSH1 0xe5 000004d9: SHL 000004da: DUP2 000004db: MSTORE 000004dc: PUSH1 0x04 000004de: ADD 000004df: PUSH2 0x02d5 000004e2: SWAP1 000004e3: PUSH2 0x072d 000004e6: JUMP 000004e7: JUMPDEST 000004e8: DUP1 000004e9: PUSH2 0x0511 000004ec: PUSH32 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc 0000050d: PUSH2 0x020e 00000510: JUMP 00000511: JUMPDEST 00000512: DUP1 00000513: SLOAD 00000514: PUSH1 0x01 00000516: PUSH1 0x01 00000518: PUSH1 0xa0 0000051a: SHL 0000051b: SUB 0000051c: NOT 0000051d: AND 0000051e: PUSH1 0x01 00000520: PUSH1 0x01 00000522: PUSH1 0xa0 00000524: SHL 00000525: SUB 00000526: SWAP3 00000527: SWAP1 00000528: SWAP3 00000529: AND 0000052a: SWAP2 0000052b: SWAP1 0000052c: SWAP2 0000052d: OR 0000052e: SWAP1 0000052f: SSTORE 00000530: POP 00000531: JUMP 00000532: JUMPDEST 00000533: PUSH1 0x01 00000535: PUSH1 0x01 00000537: PUSH1 0xa0 00000539: SHL 0000053a: SUB 0000053b: DUP2 0000053c: AND 0000053d: PUSH2 0x0558 00000540: JUMPI 00000541: PUSH1 0x40 00000543: MLOAD 00000544: PUSH3 0x461bcd 00000548: PUSH1 0xe5 0000054a: SHL 0000054b: DUP2 0000054c: MSTORE 0000054d: PUSH1 0x04 0000054f: ADD 00000550: PUSH2 0x02d5 00000553: SWAP1 00000554: PUSH2 0x06e7 00000557: JUMP 00000558: JUMPDEST 00000559: DUP1 0000055a: PUSH2 0x0511 0000055d: PUSH32 0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103 0000057e: PUSH2 0x020e 00000581: JUMP 00000582: JUMPDEST 00000583: PUSH1 0x60 00000585: DUP4 00000586: ISZERO 00000587: PUSH2 0x0591 0000058a: JUMPI 0000058b: POP 0000058c: DUP2 0000058d: PUSH2 0x028b 00000590: JUMP 00000591: JUMPDEST 00000592: DUP3 00000593: MLOAD 00000594: ISZERO 00000595: PUSH2 0x05a1 00000598: JUMPI 00000599: DUP3 0000059a: MLOAD 0000059b: DUP1 0000059c: DUP5 0000059d: PUSH1 0x20 0000059f: ADD 000005a0: REVERT 000005a1: JUMPDEST 000005a2: DUP2 000005a3: PUSH1 0x40 000005a5: MLOAD 000005a6: PUSH3 0x461bcd 000005aa: PUSH1 0xe5 000005ac: SHL 000005ad: DUP2 000005ae: MSTORE 000005af: PUSH1 0x04 000005b1: ADD 000005b2: PUSH2 0x02d5 000005b5: SWAP2 000005b6: SWAP1 000005b7: PUSH2 0x06b4 000005ba: JUMP 000005bb: JUMPDEST 000005bc: DUP1 000005bd: CALLDATALOAD 000005be: PUSH1 0x01 000005c0: PUSH1 0x01 000005c2: PUSH1 0xa0 000005c4: SHL 000005c5: SUB 000005c6: DUP2 000005c7: AND 000005c8: DUP2 000005c9: EQ 000005ca: PUSH2 0x0297 000005cd: JUMPI 000005ce: PUSH1 0x00 000005d0: DUP1 000005d1: REVERT 000005d2: JUMPDEST 000005d3: PUSH1 0x00 000005d5: PUSH1 0x20 000005d7: DUP3 000005d8: DUP5 000005d9: SUB 000005da: SLT 000005db: ISZERO 000005dc: PUSH2 0x05e3 000005df: JUMPI 000005e0: DUP1 000005e1: DUP2 000005e2: REVERT 000005e3: JUMPDEST 000005e4: PUSH2 0x028b 000005e7: DUP3 000005e8: PUSH2 0x05bb 000005eb: JUMP 000005ec: JUMPDEST 000005ed: PUSH1 0x00 000005ef: DUP1 000005f0: PUSH1 0x00 000005f2: PUSH1 0x40 000005f4: DUP5 000005f5: DUP7 000005f6: SUB 000005f7: SLT 000005f8: ISZERO 000005f9: PUSH2 0x0600 000005fc: JUMPI 000005fd: DUP2 000005fe: DUP3 000005ff: REVERT 00000600: JUMPDEST 00000601: PUSH2 0x0609 00000604: DUP5 00000605: PUSH2 0x05bb 00000608: JUMP 00000609: JUMPDEST 0000060a: SWAP3 0000060b: POP 0000060c: PUSH1 0x20 0000060e: DUP5 0000060f: ADD 00000610: CALLDATALOAD 00000611: PUSH8 0xffffffffffffffff 0000061a: DUP1 0000061b: DUP3 0000061c: GT 0000061d: ISZERO 0000061e: PUSH2 0x0625 00000621: JUMPI 00000622: DUP4 00000623: DUP5 00000624: REVERT 00000625: JUMPDEST 00000626: DUP2 00000627: DUP7 00000628: ADD 00000629: SWAP2 0000062a: POP 0000062b: DUP7 0000062c: PUSH1 0x1f 0000062e: DUP4 0000062f: ADD 00000630: SLT 00000631: PUSH2 0x0638 00000634: JUMPI 00000635: DUP4 00000636: DUP5 00000637: REVERT 00000638: JUMPDEST 00000639: DUP2 0000063a: CALLDATALOAD 0000063b: DUP2 0000063c: DUP2 0000063d: GT 0000063e: ISZERO 0000063f: PUSH2 0x0646 00000642: JUMPI 00000643: DUP5 00000644: DUP6 00000645: REVERT 00000646: JUMPDEST 00000647: DUP8 00000648: PUSH1 0x20 0000064a: DUP3 0000064b: DUP6 0000064c: ADD 0000064d: ADD 0000064e: GT 0000064f: ISZERO 00000650: PUSH2 0x0657 00000653: JUMPI 00000654: DUP5 00000655: DUP6 00000656: REVERT 00000657: JUMPDEST 00000658: PUSH1 0x20 0000065a: DUP4 0000065b: ADD 0000065c: SWAP5 0000065d: POP 0000065e: DUP1 0000065f: SWAP4 00000660: POP 00000661: POP 00000662: POP 00000663: POP 00000664: SWAP3 00000665: POP 00000666: SWAP3 00000667: POP 00000668: SWAP3 00000669: JUMP 0000066a: JUMPDEST 0000066b: PUSH1 0x00 0000066d: DUP3 0000066e: MLOAD 0000066f: PUSH2 0x067c 00000672: DUP2 00000673: DUP5 00000674: PUSH1 0x20 00000676: DUP8 00000677: ADD 00000678: PUSH2 0x0828 0000067b: JUMP 0000067c: JUMPDEST 0000067d: SWAP2 0000067e: SWAP1 0000067f: SWAP2 00000680: ADD 00000681: SWAP3 00000682: SWAP2 00000683: POP 00000684: POP 00000685: JUMP 00000686: JUMPDEST 00000687: PUSH1 0x01 00000689: PUSH1 0x01 0000068b: PUSH1 0xa0 0000068d: SHL 0000068e: SUB 0000068f: SWAP2 00000690: SWAP1 00000691: SWAP2 00000692: AND 00000693: DUP2 00000694: MSTORE 00000695: PUSH1 0x20 00000697: ADD 00000698: SWAP1 00000699: JUMP 0000069a: JUMPDEST 0000069b: PUSH1 0x01 0000069d: PUSH1 0x01 0000069f: PUSH1 0xa0 000006a1: SHL 000006a2: SUB 000006a3: SWAP3 000006a4: DUP4 000006a5: AND 000006a6: DUP2 000006a7: MSTORE 000006a8: SWAP2 000006a9: AND 000006aa: PUSH1 0x20 000006ac: DUP3 000006ad: ADD 000006ae: MSTORE 000006af: PUSH1 0x40 000006b1: ADD 000006b2: SWAP1 000006b3: JUMP 000006b4: JUMPDEST 000006b5: PUSH1 0x00 000006b7: PUSH1 0x20 000006b9: DUP3 000006ba: MSTORE 000006bb: DUP3 000006bc: MLOAD 000006bd: DUP1 000006be: PUSH1 0x20 000006c0: DUP5 000006c1: ADD 000006c2: MSTORE 000006c3: PUSH2 0x06d3 000006c6: DUP2 000006c7: PUSH1 0x40 000006c9: DUP6 000006ca: ADD 000006cb: PUSH1 0x20 000006cd: DUP8 000006ce: ADD 000006cf: PUSH2 0x0828 000006d2: JUMP 000006d3: JUMPDEST 000006d4: PUSH1 0x1f 000006d6: ADD 000006d7: PUSH1 0x1f 000006d9: NOT 000006da: AND 000006db: SWAP2 000006dc: SWAP1 000006dd: SWAP2 000006de: ADD 000006df: PUSH1 0x40 000006e1: ADD 000006e2: SWAP3 000006e3: SWAP2 000006e4: POP 000006e5: POP 000006e6: JUMP 000006e7: JUMPDEST 000006e8: PUSH1 0x20 000006ea: DUP1 000006eb: DUP3 000006ec: MSTORE 000006ed: PUSH1 0x26 000006ef: SWAP1 000006f0: DUP3 000006f1: ADD 000006f2: MSTORE 000006f3: PUSH32 0x455243313936373a206e65772061646d696e20697320746865207a65726f2061 00000714: PUSH1 0x40 00000716: DUP3 00000717: ADD 00000718: MSTORE 00000719: PUSH6 0x646472657373 00000720: PUSH1 0xd0 00000722: SHL 00000723: PUSH1 0x60 00000725: DUP3 00000726: ADD 00000727: MSTORE 00000728: PUSH1 0x80 0000072a: ADD 0000072b: SWAP1 0000072c: JUMP 0000072d: JUMPDEST 0000072e: PUSH1 0x20 00000730: DUP1 00000731: DUP3 00000732: MSTORE 00000733: PUSH1 0x2d 00000735: SWAP1 00000736: DUP3 00000737: ADD 00000738: MSTORE 00000739: PUSH32 0x455243313936373a206e657720696d706c656d656e746174696f6e206973206e 0000075a: PUSH1 0x40 0000075c: DUP3 0000075d: ADD 0000075e: MSTORE 0000075f: PUSH13 0x1bdd08184818dbdb9d1c9858dd 0000076d: PUSH1 0x9a 0000076f: SHL 00000770: PUSH1 0x60 00000772: DUP3 00000773: ADD 00000774: MSTORE 00000775: PUSH1 0x80 00000777: ADD 00000778: SWAP1 00000779: JUMP 0000077a: JUMPDEST 0000077b: PUSH1 0x20 0000077d: DUP1 0000077e: DUP3 0000077f: MSTORE 00000780: PUSH1 0x26 00000782: SWAP1 00000783: DUP3 00000784: ADD 00000785: MSTORE 00000786: PUSH32 0x416464726573733a2064656c65676174652063616c6c20746f206e6f6e2d636f 000007a7: PUSH1 0x40 000007a9: DUP3 000007aa: ADD 000007ab: MSTORE 000007ac: PUSH6 0x1b9d1c9858dd 000007b3: PUSH1 0xd2 000007b5: SHL 000007b6: PUSH1 0x60 000007b8: DUP3 000007b9: ADD 000007ba: MSTORE 000007bb: PUSH1 0x80 000007bd: ADD 000007be: SWAP1 000007bf: JUMP 000007c0: JUMPDEST 000007c1: PUSH1 0x20 000007c3: DUP1 000007c4: DUP3 000007c5: MSTORE 000007c6: PUSH1 0x42 000007c8: SWAP1 000007c9: DUP3 000007ca: ADD 000007cb: MSTORE 000007cc: PUSH32 0x5472616e73706172656e745570677261646561626c6550726f78793a2061646d 000007ed: PUSH1 0x40 000007ef: DUP3 000007f0: ADD 000007f1: MSTORE 000007f2: PUSH32 0x696e2063616e6e6f742066616c6c6261636b20746f2070726f78792074617267 00000813: PUSH1 0x60 00000815: DUP3 00000816: ADD 00000817: MSTORE 00000818: PUSH2 0x195d 0000081b: PUSH1 0xf2 0000081d: SHL 0000081e: PUSH1 0x80 00000820: DUP3 00000821: ADD 00000822: MSTORE 00000823: PUSH1 0xa0 00000825: ADD 00000826: SWAP1 00000827: JUMP 00000828: JUMPDEST 00000829: PUSH1 0x00 0000082b: JUMPDEST 0000082c: DUP4 0000082d: DUP2 0000082e: LT 0000082f: ISZERO 00000830: PUSH2 0x0843 00000833: JUMPI 00000834: DUP2 00000835: DUP2 00000836: ADD 00000837: MLOAD 00000838: DUP4 00000839: DUP3 0000083a: ADD 0000083b: MSTORE 0000083c: PUSH1 0x20 0000083e: ADD 0000083f: PUSH2 0x082b 00000842: JUMP 00000843: JUMPDEST 00000844: DUP4 00000845: DUP2 00000846: GT 00000847: ISZERO 00000848: PUSH2 0x03ac 0000084b: JUMPI 0000084c: POP 0000084d: POP 0000084e: PUSH1 0x00 00000850: SWAP2 00000851: ADD 00000852: MSTORE 00000853: JUMP 00000854: INVALID 00000855: COINBASE 00000856: PUSH5 0x6472657373 0000085c: GASPRICE 0000085d: KECCAK256 0000085e: PUSH13 0x6f772d6c6576656c2064656c65 0000086c: PUSH8 0x6174652063616c6c 00000875: KECCAK256 00000876: PUSH7 0x61696c6564a264 0000087e: PUSH10 0x70667358221220409a76 00000889: UNKNOWN(0x0C) 0000088a: GAS 0000088b: SIGNEXTEND 0000088c: UNKNOWN(0xAA) 0000088d: UNKNOWN(0xEF) 0000088e: UNKNOWN(0x4F) 0000088f: PUSH16 0xdec0537faba681bd5fa7e3d7788c451e 000008a0: UNKNOWN(0xD9) 000008a1: UNKNOWN(0x1F) 000008a2: UNKNOWN(0xD0) 000008a3: UNKNOWN(0xB0) 000008a4: RETURNDATASIZE 000008a5: COINBASE 000008a6: PUSH5 0x736f6c6343 000008ac: STOP 000008ad: ADDMOD 000008ae: STOP 000008af: STOP 000008b0: CALLER
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| critical | upgradeability | detector | Untrusted DELEGATECALL target reachable | 70 | no | no |
viewtrace_id: 0xc3e35b5379a6c52d59b783fc61731bad5b84fa9a7f7e494e0cc0c4fb3a7ae42f
call_targets:
0xa0d828a754961ff78e733701eb98d22084db242c
target_varies:
no
classification:
constant_target
validation_json{
"sink": "DELEGATECALL",
"errors": 0,
"status": "sink_reached",
"attempts": 2,
"trace_id": "0xc3e35b5379a6c52d59b783fc61731bad5b84fa9a7f7e494e0cc0c4fb3a7ae42f",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0xa0d828a754961ff78e733701eb98d22084db242c"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x3659cfe6",
"selector": "0x3659cfe6",
"calldata_variants": [
"0x3659cfe6",
"0x3659cfe60000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x4f1ef286",
"selector": "0x4f1ef286",
"calldata_variants": [
"0x4f1ef286",
"0x4f1ef2860000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x5c60da1b",
"selector": "0x5c60da1b",
"calldata_variants": [
"0x5c60da1b",
"0x5c60da1b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x8f283970",
"selector": "0x8f283970",
"calldata_variants": [
"0x8f283970",
"0x8f2839700000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xf851a440",
"selector": "0xf851a440",
"calldata_variants": [
"0xf851a440",
"0xf851a4400000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 771,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
},
{
"pc": 1097,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
}
],
"guards_detected": [],
"delegatecall_count": 2,
"untrusted_delegatecall_count": 2
}
|
| medium | upgradeability | cast | DELEGATECALL present | 80 | no | — |
viewevidence_json{
"notes": "delegatecall enables execution in caller context; common in proxies/upgradeable patterns",
"delegatecall_count": 2
}
|