019be3d6-8530-72f9-bd6e-4ee75e5fcfb1
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 41184 | artifact.fetch | complete | 1 / 3 | 2 months ago |
| 41185 | proxy.resolve | complete | 1 / 3 | 2 months ago |
| 41186 | tool.cast_disasm | complete | 1 / 3 | 2 months ago |
| 41187 | analysis.bundle | complete | 1 / 3 | 2 months ago |
| 41188 | capability.graph | complete | 1 / 3 | 2 months ago |
| 41189 | detector.run | complete | 1 / 3 | 2 months ago |
| 41190 | validation.fork | complete | 1 / 3 | 2 months ago |
| 41448 | report.consolidate | complete | 1 / 6 | 2 months ago |
{
"status": "not_proxy"
}
No slither job recorded yet.
{"no_findings":false,"summary":"Multiple externally-configured CALL hooks are invoked during core token flows without any detected reentrancy guard, and there is a CALLCODE opcode present in an apparently unreachable tail section of the runtime bytecode.","findings":[{"severity":"medium","category":"reentrancy","title":"Externally configured hook contract is called in core token flows (reentrancy/DoS risk)","exploit_scenario":"The contract loads a target address from storage and performs multiple external CALLs (selectors 0x3e8a0bc9, 0xf11c4482, 0xcacc24eb, 0x240ecad5, 0xeb06e65e) during functions that appear to align with approve/transfer/transferFrom. If the stored target address is attacker-controlled or compromised, the hook can reenter token functions or deliberately revert, potentially causing reentrancy on state updates or a denial of service on transfers/approvals. No reentrancy guard is detected in the analysis artifacts, and the call targets are computed from mutable storage.","recommendation":"Restrict and harden the hook target (immutable or vetted governance), add a reentrancy guard around state-changing token flows, and ensure state updates occur before external calls where safe. If the hook is only for validation, consider STATICCALL and explicit return-value checks.","evidence":"Disassembly shows calls with encoded selectors and a computed target loaded from storage slot 0x01 (e.g., SLOAD at pc:0x0191 and pc:0x06f4). The detector reports an untrusted CALL target reachable with target variance. Example callsites: pc:0x0178 (selector 0x3e8a0bc9), pc:0x01fe (selector 0xf11c4482), pc:0x040c (selector 0xcacc24eb), pc:0x06da (selector 0x3e8a0bc9), pc:0x0760 (selector 0x240ecad5), pc:0x08e0 (selector 0xeb06e65e).","locations":["pc:0x0178","pc:0x01fe","pc:0x040c","pc:0x06da","pc:0x0760","pc:0x08e0"]},{"severity":"low","category":"other","title":"CALLCODE opcode present in runtime bytecode (likely metadata, but dangerous if reachable)","exploit_scenario":"The runtime bytecode contains a CALLCODE instruction in a tail region that appears to be data/metadata. If execution could ever be redirected into this region (e.g., via a malformed jump table or bytecode corruption), CALLCODE would execute external code in the contract’s storage context, enabling full compromise. The capability graph shows no incoming edges to this block, so reachability is uncertain and likely false-positive.","recommendation":"Confirm that no control-flow path can jump into the metadata tail. If custom assembly is used, remove CALLCODE or replace with safer patterns and ensure jump destinations are constrained to valid JUMPDESTs.","evidence":"Capability graph contains a callsite labeled call:2628 with opcode CALLCODE and no incoming control-flow edges to bb:2627, suggesting it is in a non-executable tail section.","locations":["pc:0x0a44"]}]}
OpenAI Codex v0.77.0 (research preview)
--------
workdir: /tmp/codex-d7f__hsm
model: gpt-5.2-codex
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: auto
session id: 019be4b0-385f-7e73-93c5-eb029ae1ce88
--------
user
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
mcp startup: no servers
thinking
**Reading BYTECODE_BUNDLE.json**
exec
/bin/bash -lc ls in /tmp/codex-d7f__hsm succeeded in 6ms:
BYTECODE_BUNDLE.json
codex-output-schema.json
exec
/bin/bash -lc 'cat BYTECODE_BUNDLE.json' in /tmp/codex-d7f__hsm succeeded in 7ms:
{
"analysis_artifact": {
"address": "0x75ac19045e7b4b96f7840f8fe9e2e255093bd52f",
"artifact_hash": "0x7348aed67ea4644370cd7caf88310084d0572fdb9d2b58b8b052b18aafbd2f3d",
"artifact_json": {
"auth": {
"guards": []
},
"basic_blocks": [
{
"end_pc": 10,
"hash": "0xde7c09ec5c6a787330be3474c14e6af1d95d255c64d4de8caa7d39b964000ee7",
"opcodes": [
"PUSH1",
"PUSH1",
"MSTORE",
"CALLDATASIZE",
"ISZERO",
"PUSH2",
"JUMPI"
thinking
**Identifying ERC20 patterns and callcode risks**
The contract matches ERC20 selectors with many CALLs including a suspicious CALLCODE, which may indicate delegatecall-like behavior; next is verifying if the CALLCODE is reachable from public functions to assess external call risks.
exec
/bin/bash -lc 'rg -n "CALLCODE|callcode|call:2628" BYTECODE_BUNDLE.json' in /tmp/codex-d7f__hsm succeeded in 8ms:
2432: "CALLCODE",
2525: "opcode": "CALLCODE",
6380: "to": "call:2628",
6384: "from": "call:2628",
6385: "to": "sink:callcode",
7063: "id": "call:2628",
7064: "opcode": "CALLCODE",
7079: "id": "sink:callcode",
thinking
**Checking callsites context**
I'm inspecting surrounding lines using sed to better understand how callcode is used in the callsites or graph.
exec
/bin/bash -lc "sed -n '2400,2470p' BYTECODE_BUNDLE.json" in /tmp/codex-d7f__hsm succeeded in 8ms:
"opcodes": [
"JUMPDEST",
"PUSH1",
"OP_96",
"POP"
],
"start_pc": 2610
},
{
"end_pc": 2626,
"hash": "0xacf5b4e42e00d01990b8b6e2f12777e25e0fd0f499a3331e9ee4d7da21dfed84",
"opcodes": [
"JUMPDEST",
"POP",
"POP",
"POP",
"POP",
"POP",
"POP",
"OP_92",
thinking
**Analyzing bytecode graph edges**
Noticing suspicious opcodes likely in metadata, I'm checking edges around specific positions to verify if CREATE2 opcodes are reachable or just metadata artifacts.
exec
/bin/bash -lc "sed -n '6320,6420p' BYTECODE_BUNDLE.json" in /tmp/codex-d7f__hsm succeeded in 7ms:
"to": "call:1036",
"type": "contains"
},
{
"from": "call:1036",
"to": "sink:call",
"type": "capability"
},
{
"from": "bb:1338",
"to": "call:1435",
"type": "contains"
},
{
"from": "call:1435",
"to": "sink:call",
"type": "capability"
},
{
"from": "bb:1682",
thinking
**Checking reachability of specific basic block**
I plan to verify if the basic block bb:2627 is reachable from entry nodes by searching for any graph edges targeting it, since the capability graph currently shows no edges leading there.
exec
/bin/bash -lc "rg -n '\"to\": \"bb:2627\"' BYTECODE_BUNDLE.json" in /tmp/codex-d7f__hsm exited 1 in 7ms:
thinking
**Assessing CALLCODE reachability and call risks**
I noted a CALLCODE with no incoming edges, suggesting it may be unreachable and thus low risk, but this isn't certain. Also, external CALLs with computed targets or value could pose reentrancy risks; without storage info, analyzing bytecode callsites and surrounding context will help assess severity and presence of reentrancy guards.
thinking
**Searching for evidence bundle in bytecode**
exec
/bin/bash -lc 'rg -n "evidence" BYTECODE_BUNDLE.json' in /tmp/codex-d7f__hsm succeeded in 8ms:
5654: "proxy_evidence": {
7182: "evidence_json": {
7235: "evidence_json": {
7288: "evidence_json": {
thinking
**Inspecting code near line 5654**
exec
/bin/bash -lc "sed -n '5600,5720p' BYTECODE_BUNDLE.json" in /tmp/codex-d7f__hsm succeeded in 8ms:
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 2080,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 2157,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 2298,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
}
],
"writes": 4
},
thinking
**Analyzing runtime bytecode for external calls**
The runtime bytecode shows external calls to addresses from storage slot 0 with various nonstandard function selectors, suggesting dynamic external calls possibly linked to token-like functions. I'll focus on these call patterns and ETH transfers to conservatively assess potential untrusted calls or reentrancy risks.
thinking
**Identifying external call hooks with conditional flow**
The bytecode shows approve-like functions calling external contracts stored in slot1 as hooks before state updates, suggesting ERC1363-style hooks that create reentrancy risk if the external contract is untrusted. Access control exists allowing privileged addresses to change the call target, so risk depends on who controls slot1. Calls may transfer ETH, and return value checks are unclear, heightening potential risk.
exec
/bin/bash -lc 'rg -n "storage_access" BYTECODE_BUNDLE.json' in /tmp/codex-d7f__hsm exited 1 in 7ms:
thinking
**Exploring storage-related keys**
I'm checking for storage-related data structures like "storage_accesses," "storage_summary," and "storage_slots" to understand how storage reads and writes are represented in the analysis artifacts.
exec
/bin/bash -lc 'rg -n "storage" BYTECODE_BUNDLE.json | head' in /tmp/codex-d7f__hsm succeeded in 7ms:
3153: "storage": {
3307: "storage": {
3461: "storage": {
3615: "storage": {
3769: "storage": {
3923: "storage": {
4077: "storage": {
4231: "storage": {
4385: "storage": {
4539: "storage": {
thinking
**Inspecting "storage" sections in evidence bundle**
exec
/bin/bash -lc "sed -n '3120,3185p' BYTECODE_BUNDLE.json" in /tmp/codex-d7f__hsm succeeded in 33ms:
"entry_pc": 2835717307,
"selector": "0x95d89b41"
},
{
"entry_pc": 3006958097,
"selector": "0xa9059cbb"
},
{
"entry_pc": 3714247998,
"selector": "0xb33a8a11"
},
{
"entry_pc": 3819549960,
"selector": "0xdd62ed3e"
},
{
"entry_pc": null,
"selector": "0xe3a9b508"
}
],
thinking
**Inspecting function entries for call sinks**
exec
/bin/bash -lc "sed -n '3440,3525p' BYTECODE_BUNDLE.json" in /tmp/codex-d7f__hsm succeeded in 6ms:
{
"op": "SLOAD",
"pc": 2298,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
}
],
"writes": 4
}
},
{
"auth": {
"guards": []
},
"entry_pc": 404098525,
"selector": "0x13af4035",
"sinks": {
"call": 12,
"delegatecall": 0,
"selfdestruct": 0,
"staticcall": 0
thinking
**Analyzing function listings for selectors**
I'm verifying if function entries correspond to selectors or general artifact listings by searching for a specific selector in the functions list to identify details related to call sinks.
exec
/bin/bash -lc "rg -n \"selector\\\": \\\"0xa9059cbb\\\"\" -n BYTECODE_BUNDLE.json" in /tmp/codex-d7f__hsm succeeded in 7ms:
3125: "selector": "0xa9059cbb"
4840: "selector": "0xa9059cbb",
7151: "selector": "0xa9059cbb",
thinking
**Inspecting function details near 4800**
exec
/bin/bash -lc "sed -n '4800,4885p' BYTECODE_BUNDLE.json" in /tmp/codex-d7f__hsm succeeded in 6ms:
},
{
"op": "SLOAD",
"pc": 1660,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000000"
},
{
"op": "SLOAD",
"pc": 1688,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 1780,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
},
{
"op": "SLOAD",
"pc": 2080,
"slot": "0x0000000000000000000000000000000000000000000000000000000000000001"
thinking
**Analyzing external calls for reentrancy risk**
The contract makes dynamic external calls using a stored address slot, indicating possible untrusted calls that could allow reentrancy. Next, I'll check if a reentrancy guard exists, possibly linked to storage slot 0xff, to assess function safety.
thinking
**Confirming no reentrancy guard and complex external call patterns**
No standard reentrancy guard is detected, and token functions call external contracts before state updates, forwarding all gas dynamically. External call targets vary but mostly include the identity precompile and self, reducing typical untrusted risks, though dynamic targets leave uncertainty about reentrancy exposure.
exec
/bin/bash -lc "sed -n '1330,1465p' BYTECODE_BUNDLE.json" in /tmp/codex-d7f__hsm succeeded in 7ms:
"EXP",
"SUB",
"OP_90",
"OP_81",
"AND",
"CALLER",
"OP_90",
"OP_91",
"AND",
"EQ"
],
"start_pc": 1489
},
{
"end_pc": 1514,
"hash": "0xbe49194fcd3ae462f85c03c9ddebefbaf3edb3c4eb7479dc7702100e22994236",
"opcodes": [
"JUMPDEST",
"ISZERO",
"PUSH2",
thinking
**Planning lightweight EVM disassembler**
I'm deciding to write a Python script from scratch to parse and disassemble the runtime bytecode, enabling locating call instructions and SSTORE order without relying on external tools. I'll read the full runtime bytecode from the JSON artifact and output nearby instructions for analysis.
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
import textwrap
path=Path('/tmp/codex-d7f__hsm/BYTECODE_BUNDLE.json')
obj=json.loads(path.read_text())
bytecode=obj['artifact']['runtime_bytecode']['full']
if bytecode.startswith('0x'):
bytecode=bytecode[2:]
code=bytes.fromhex(bytecode)
# opcode table
opcodes={
0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
0x20:'SHA3',
0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',
0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
}
# Build instruction list with pc offsets
instrs=[]
pc=0
while pc < len(code):
op=code[pc]
name=opcodes.get(op,f'OP_{op:02x}')
if 0x60 <= op <= 0x7f:
n=op-0x5f
arg=code[pc+1:pc+1+n]
instrs.append((pc,name,arg.hex()))
pc+=1+n
else:
instrs.append((pc,name,None))
pc+=1
# Find callsites
call_pcs=[376,510,760,890,1036,1435,1754,1888,2272,2398,2628,2646]
# build mapping pc->index for quick find
pc_index={pc:i for i,(pc,_,_) in enumerate(instrs)}
for cpc in call_pcs:
# find nearest instruction with pc <= cpc
idx=max(i for i,(pc,_,_) in enumerate(instrs) if pc<=cpc)
print('\\nCALLSITE around pc',cpc,'instr at',instrs[idx])
start=max(0,idx-15)
end=min(len(instrs),idx+15)
for pc,name,arg in instrs[start:end]:
if arg is None:
print(f'{pc:04x}: {name}')
else:
print(f'{pc:04x}: {name} 0x{arg}')
PY" in /tmp/codex-d7f__hsm succeeded in 53ms:
CALLSITE around pc 376 instr at (376, 'CALL', None)
0164: DUP1
0165: SWAP1
0166: POP
0167: PUSH1 0x20
0169: PUSH1 0x40
016b: MLOAD
016c: DUP1
016d: DUP4
016e: SUB
016f: DUP2
0170: PUSH1 0x00
0172: DUP8
0173: PUSH2 0x61da
0176: GAS
0177: SUB
0178: CALL
0179: ISZERO
017a: PUSH2 0x0002
thinking
**Analyzing callsites and precompile usage**
I’m confirming that certain calls use address 0x04, likely the identity precompile for memory copying, with CALL instead of STATICCALL as seen in older Solidity compilers. This insight helps clarify how callsites handle ABI encoding and external calls.
thinking
**Tracing call targets beyond precompile**
I’m narrowing that only one callsite uses precompile 0x04; others likely call dynamic targets from stack or storage. I’ll extend disassembly around a key call to trace where its target address originates for better resolution.
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
path=Path('/tmp/codex-d7f__hsm/BYTECODE_BUNDLE.json')
obj=json.loads(path.read_text())
bytecode=obj['artifact']['runtime_bytecode']['full'][2:]
code=bytes.fromhex(bytecode)
opcodes={
0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
0x20:'SHA3',
0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',
0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
}
instrs=[]
pc=0
while pc < len(code):
op=code[pc]
name=opcodes.get(op,f'OP_{op:02x}')
if 0x60 <= op <= 0x7f:
n=op-0x5f
arg=code[pc+1:pc+1+n]
instrs.append((pc,name,arg.hex()))
pc+=1+n
else:
instrs.append((pc,name,None))
pc+=1
pc_index={pc:i for i,(pc,_,_) in enumerate(instrs)}
call_pcs=[376,510,760,890,1036,1435,1754,1888,2272]
for cpc in call_pcs:
idx=max(i for i,(pc,_,_) in enumerate(instrs) if pc<=cpc)
start=max(0,idx-40)
end=min(len(instrs),idx+5)
print('\\n== around pc',cpc,'==')
for pc,name,arg in instrs[start:end]:
if arg is None:
print(f'{pc:04x}: {name}')
else:
print(f'{pc:04x}: {name} 0x{arg}')
PY" in /tmp/codex-d7f__hsm succeeded in 81ms:
== around pc 376 ==
013d: DIV
013e: PUSH1 0x01
0140: PUSH1 0xa0
0142: PUSH1 0x02
0144: EXP
0145: SUB
0146: AND
0147: PUSH1 0x01
0149: PUSH1 0xa0
014b: PUSH1 0x02
014d: EXP
014e: SUB
014f: AND
0150: PUSH4 0x3e8a0bc9
0155: PUSH1 0x40
0157: MLOAD
0158: DUP2
0159: PUSH1 0xe0
thinking
**Interpreting call targets as stored addresses**
The call targets appear loaded from masked storage slots, indicating calls delegate to an external token contract for totalSupply and balanceOf queries. This suggests the contract acts as a proxy or wrapper around another token rather than standalone.
thinking
**Identifying repeated external calls and locating selectors**
The contract repeatedly calls an unknown selector on the external token, reinforcing its role as a proxy or aggregator; next, I'll examine code around offset 510 to uncover the missing selector and clarify that interaction.
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
path=Path('/tmp/codex-d7f__hsm/BYTECODE_BUNDLE.json')
obj=json.loads(path.read_text())
bytecode=obj['artifact']['runtime_bytecode']['full'][2:]
code=bytes.fromhex(bytecode)
opcodes={
0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
0x20:'SHA3',
0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',
0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
}
instrs=[]
pc=0
while pc < len(code):
op=code[pc]
name=opcodes.get(op,f'OP_{op:02x}')
if 0x60 <= op <= 0x7f:
n=op-0x5f
arg=code[pc+1:pc+1+n]
instrs.append((pc,name,arg.hex()))
pc+=1+n
else:
instrs.append((pc,name,None))
pc+=1
# print around pc 510 with more context
cpc=510
idx=max(i for i,(pc,_,_) in enumerate(instrs) if pc<=cpc)
start=max(0,idx-80)
end=min(len(instrs),idx+5)
for pc,name,arg in instrs[start:end]:
if arg is None:
print(f'{pc:04x}: {name}')
else:
print(f'{pc:04x}: {name} 0x{arg}')
PY" in /tmp/codex-d7f__hsm succeeded in 40ms:
018f: PUSH1 0x01
0191: SWAP1
0192: SLOAD
0193: SWAP1
0194: PUSH2 0x0100
0197: EXP
0198: SWAP1
0199: DIV
019a: PUSH1 0x01
019c: PUSH1 0xa0
019e: PUSH1 0x02
01a0: EXP
01a1: SUB
01a2: AND
01a3: PUSH1 0x01
01a5: PUSH1 0xa0
01a7: PUSH1 0x02
01a9: EXP
01aa: SUB
01ab: AND
thinking
**Mapping external contract calls**
This contract makes external calls to addresses loaded from storage (likely slot1), invoking known token functions like totalSupply and balanceOf, indicating it acts as a wrapper around an external token. Next, I'll examine call context around 1036 and 1888 for more insight on these calls.
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
path=Path('/tmp/codex-d7f__hsm/BYTECODE_BUNDLE.json')
obj=json.loads(path.read_text())
bytecode=obj['artifact']['runtime_bytecode']['full'][2:]
code=bytes.fromhex(bytecode)
opcodes={
0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
0x20:'SHA3',
0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',
0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
}
instrs=[]
pc=0
while pc < len(code):
op=code[pc]
name=opcodes.get(op,f'OP_{op:02x}')
if 0x60 <= op <= 0x7f:
n=op-0x5f
arg=code[pc+1:pc+1+n]
instrs.append((pc,name,arg.hex()))
pc+=1+n
else:
instrs.append((pc,name,None))
pc+=1
# call at 1888
cpc=1888
idx=max(i for i,(pc,_,_) in enumerate(instrs) if pc<=cpc)
start=max(0,idx-80)
end=min(len(instrs),idx+5)
for pc,name,arg in instrs[start:end]:
if arg is None:
print(f'{pc:04x}: {name}')
else:
print(f'{pc:04x}: {name} 0x{arg}')
PY" in /tmp/codex-d7f__hsm succeeded in 43ms:
06f1: PUSH1 0x01
06f3: SWAP1
06f4: SLOAD
06f5: SWAP1
06f6: PUSH2 0x0100
06f9: EXP
06fa: SWAP1
06fb: DIV
06fc: PUSH1 0x01
06fe: PUSH1 0xa0
0700: PUSH1 0x02
0702: EXP
0703: SUB
0704: AND
0705: PUSH1 0x01
0707: PUSH1 0xa0
0709: PUSH1 0x02
070b: EXP
070c: SUB
070d: AND
thinking
**Identifying unprotected external hook calls**
The contract makes external calls to a configurable address stored in storage without reentrancy guards, exposing risk of reentrancy or denial-of-service via attacker-controlled hooks during token operations like transfer and approve.
thinking
**Confirming external hook calls use mutable storage target**
Calls to an external address stored in a mutable storage slot precede key token operations and include reentrancy and DoS risks; call success is checked but no reentrancy guard is present. ETH value transfer in calls is uncertain but possible, increasing risk. A CALLCODE opcode appears unreachable, likely metadata, posing low risk.
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
path=Path('/tmp/codex-d7f__hsm/BYTECODE_BUNDLE.json')
obj=json.loads(path.read_text())
code=bytes.fromhex(obj['artifact']['runtime_bytecode']['full'][2:])
opcodes={
0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
0x20:'SHA3',0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',
0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
}
instrs=[]
pc=0
while pc < len(code):
op=code[pc]
name=opcodes.get(op,f'OP_{op:02x}')
if 0x60 <= op <= 0x7f:
n=op-0x5f
arg=code[pc+1:pc+1+n]
instrs.append((pc,name,arg.hex()))
pc+=1+n
else:
instrs.append((pc,name,None))
pc+=1
# search for sload near call 376 earlier
cpc=376
idx=max(i for i,(pc,_,_) in enumerate(instrs) if pc<=cpc)
start=max(0,idx-120)
end=idx-60
for pc,name,arg in instrs[start:end]:
if arg is None:
print(f'{pc:04x}: {name}')
else:
print(f'{pc:04x}: {name} 0x{arg}')
PY" in /tmp/codex-d7f__hsm succeeded in 42ms:
00d4: ADD
00d5: SWAP1
00d6: SWAP3
00d7: AND
00d8: SWAP2
00d9: SWAP1
00da: SWAP2
00db: DIV
00dc: PUSH1 0x1f
00de: DUP2
00df: ADD
00e0: DUP3
00e1: SWAP1
00e2: DIV
00e3: DUP3
00e4: MUL
00e5: DUP5
00e6: ADD
00e7: DUP3
00e8: ADD
thinking
**Identifying external controller risk**
Recognized that external calls use an address from a mutable storage slot, enabling a controller contract to run arbitrary logic during token operations, posing reentrancy or DoS risks with medium severity. Next is mapping involved functions and including callsite selectors and PCs as evidence.
thinking
**Noting uncertain ETH value transfer**
Found potential ETH value forwarded in some CALLs but can't confirm exact value from bytecode analysis; will include as low-severity with detector evidence. Will also search for CALLVALUE opcode near callsites to clarify if value is parameterized or zero.
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
path=Path('/tmp/codex-d7f__hsm/BYTECODE_BUNDLE.json')
obj=json.loads(path.read_text())
code=bytes.fromhex(obj['artifact']['runtime_bytecode']['full'][2:])
pcs=[i for i,b in enumerate(code) if b==0x34]
print(pcs[:20])
PY" in /tmp/codex-d7f__hsm succeeded in 34ms:
[]
thinking
**Analyzing absence of CALLVALUE**
Noticing no CALLVALUE opcode suggests payable functions and ETH transfers are likely zero; the detector's ETH value transfer warning may be a false positive due to computed or constant zero values in calls.
thinking
**Assessing access control on storage writes**
Planning to analyze all SSTORE instructions to verify if they’re properly guarded by CALLER checks, focusing on identifying unprotected writes that could indicate access control issues.
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
path=Path('/tmp/codex-d7f__hsm/BYTECODE_BUNDLE.json')
obj=json.loads(path.read_text())
code=bytes.fromhex(obj['artifact']['runtime_bytecode']['full'][2:])
# disassemble to list pcs of SSTORE
pc=0
sstore_pcs=[]
while pc < len(code):
op=code[pc]
if op==0x55:
sstore_pcs.append(pc)
pc+=1
elif 0x60 <= op <= 0x7f:
pc+=1+(op-0x5f)
else:
pc+=1
print(sstore_pcs)
PY" in /tmp/codex-d7f__hsm succeeded in 44ms:
[676, 1546, 2137, 2337]
thinking
**Inspecting storage operations for access control**
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
path=Path('/tmp/codex-d7f__hsm/BYTECODE_BUNDLE.json')
obj=json.loads(path.read_text())
code=bytes.fromhex(obj['artifact']['runtime_bytecode']['full'][2:])
opcodes={
0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
0x20:'SHA3',
0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',
0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
}
# build instructions list
instrs=[]
pc=0
while pc < len(code):
op=code[pc]
name=opcodes.get(op,f'OP_{op:02x}')
if 0x60 <= op <= 0x7f:
n=op-0x5f
arg=code[pc+1:pc+1+n]
instrs.append((pc,name,arg.hex()))
pc+=1+n
else:
instrs.append((pc,name,None))
pc+=1
# map pc->index
pc_index={pc:i for i,(pc,_,_) in enumerate(instrs)}
for s_pc in [676,1546,2137,2337]:
idx=pc_index[s_pc]
start=max(0,idx-30)
end=min(len(instrs),idx+5)
print('\\n== SSTORE around pc',s_pc,'==')
for pc,name,arg in instrs[start:end]:
if arg is None:
print(f'{pc:04x}: {name}')
else:
print(f'{pc:04x}: {name} 0x{arg}')
PY" in /tmp/codex-d7f__hsm succeeded in 58ms:
== SSTORE around pc 676 ==
026a: PUSH1 0x03
026c: SLOAD
026d: PUSH1 0x00
026f: SWAP1
0270: PUSH1 0x01
0272: PUSH1 0xa0
0274: PUSH1 0x02
0276: EXP
0277: SUB
0278: SWAP1
0279: DUP2
027a: AND
027b: CALLER
027c: SWAP1
027d: SWAP2
027e: AND
027f: EQ
0280: ISZERO
thinking
**Identifying reentrancy risk from external calls**
Confirmed access control on storage writes and external call target in storage slot1, but calls to that external address happen without reentrancy guards or state updates first, allowing potential reentrancy or denial-of-service through hooked external token logic.
thinking
**Detailing findings and crafting final report**
Finalizing two findings: a medium severity reentrancy risk from externally configurable hook calls with callsites and storage evidence, and a low severity warning on unreachable CALLCODE in bytecode metadata; including exploit scenarios, recommendations, and precise locations for each.
codex
{"no_findings":false,"summary":"Multiple externally-configured CALL hooks are invoked during core token flows without any detected reentrancy guard, and there is a CALLCODE opcode present in an apparently unreachable tail section of the runtime bytecode.","findings":[{"severity":"medium","category":"reentrancy","title":"Externally configured hook contract is called in core token flows (reentrancy/DoS risk)","exploit_scenario":"The contract loads a target address from storage and performs multiple external CALLs (selectors 0x3e8a0bc9, 0xf11c4482, 0xcacc24eb, 0x240ecad5, 0xeb06e65e) during functions that appear to align with approve/transfer/transferFrom. If the stored target address is attacker-controlled or compromised, the hook can reenter token functions or deliberately revert, potentially causing reentrancy on state updates or a denial of service on transfers/approvals. No reentrancy guard is detected in the analysis artifacts, and the call targets are computed from mutable storage.","recommendation":"Restrict and harden the hook target (immutable or vetted governance), add a reentrancy guard around state-changing token flows, and ensure state updates occur before external calls where safe. If the hook is only for validation, consider STATICCALL and explicit return-value checks.","evidence":"Disassembly shows calls with encoded selectors and a computed target loaded from storage slot 0x01 (e.g., SLOAD at pc:0x0191 and pc:0x06f4). The detector reports an untrusted CALL target reachable with target variance. Example callsites: pc:0x0178 (selector 0x3e8a0bc9), pc:0x01fe (selector 0xf11c4482), pc:0x040c (selector 0xcacc24eb), pc:0x06da (selector 0x3e8a0bc9), pc:0x0760 (selector 0x240ecad5), pc:0x08e0 (selector 0xeb06e65e).","locations":["pc:0x0178","pc:0x01fe","pc:0x040c","pc:0x06da","pc:0x0760","pc:0x08e0"]},{"severity":"low","category":"other","title":"CALLCODE opcode present in runtime bytecode (likely metadata, but dangerous if reachable)","exploit_scenario":"The runtime bytecode contains a CALLCODE instruction in a tail region that appears to be data/metadata. If execution could ever be redirected into this region (e.g., via a malformed jump table or bytecode corruption), CALLCODE would execute external code in the contract’s storage context, enabling full compromise. The capability graph shows no incoming edges to this block, so reachability is uncertain and likely false-positive.","recommendation":"Confirm that no control-flow path can jump into the metadata tail. If custom assembly is used, remove CALLCODE or replace with safer patterns and ensure jump destinations are constrained to valid JUMPDESTs.","evidence":"Capability graph contains a callsite labeled call:2628 with opcode CALLCODE and no incoming control-flow edges to bb:2627, suggesting it is in a non-executable tail section.","locations":["pc:0x0a44"]}]}
tokens used
73,463
{
"codex": {
"ran_at": "2026-01-22T07:59:39.979762+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 5320,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "Multiple externally-configured CALL hooks are invoked during core token flows without any detected reentrancy guard, and there is a CALLCODE opcode present in an apparently unreachable tail section of the runtime bytecode.",
"raw_final": {
"summary": "Multiple externally-configured CALL hooks are invoked during core token flows without any detected reentrancy guard, and there is a CALLCODE opcode present in an apparently unreachable tail section of the runtime bytecode.",
"findings": [
{
"title": "Externally configured hook contract is called in core token flows (reentrancy/DoS risk)",
"category": "reentrancy",
"evidence": "Disassembly shows calls with encoded selectors and a computed target loaded from storage slot 0x01 (e.g., SLOAD at pc:0x0191 and pc:0x06f4). The detector reports an untrusted CALL target reachable with target variance. Example callsites: pc:0x0178 (selector 0x3e8a0bc9), pc:0x01fe (selector 0xf11c4482), pc:0x040c (selector 0xcacc24eb), pc:0x06da (selector 0x3e8a0bc9), pc:0x0760 (selector 0x240ecad5), pc:0x08e0 (selector 0xeb06e65e).",
"severity": "medium",
"locations": [
"pc:0x0178",
"pc:0x01fe",
"pc:0x040c",
"pc:0x06da",
"pc:0x0760",
"pc:0x08e0"
],
"recommendation": "Restrict and harden the hook target (immutable or vetted governance), add a reentrancy guard around state-changing token flows, and ensure state updates occur before external calls where safe. If the hook is only for validation, consider STATICCALL and explicit return-value checks.",
"exploit_scenario": "The contract loads a target address from storage and performs multiple external CALLs (selectors 0x3e8a0bc9, 0xf11c4482, 0xcacc24eb, 0x240ecad5, 0xeb06e65e) during functions that appear to align with approve/transfer/transferFrom. If the stored target address is attacker-controlled or compromised, the hook can reenter token functions or deliberately revert, potentially causing reentrancy on state updates or a denial of service on transfers/approvals. No reentrancy guard is detected in the analysis artifacts, and the call targets are computed from mutable storage."
},
{
"title": "CALLCODE opcode present in runtime bytecode (likely metadata, but dangerous if reachable)",
"category": "other",
"evidence": "Capability graph contains a callsite labeled call:2628 with opcode CALLCODE and no incoming control-flow edges to bb:2627, suggesting it is in a non-executable tail section.",
"severity": "low",
"locations": [
"pc:0x0a44"
],
"recommendation": "Confirm that no control-flow path can jump into the metadata tail. If custom assembly is used, remove CALLCODE or replace with safer patterns and ensure jump destinations are constrained to valid JUMPDESTs.",
"exploit_scenario": "The runtime bytecode contains a CALLCODE instruction in a tail region that appears to be data/metadata. If execution could ever be redirected into this region (e.g., via a malformed jump table or bytecode corruption), CALLCODE would execute external code in the contract\u2019s storage context, enabling full compromise. The capability graph shows no incoming edges to this block, so reachability is uncertain and likely false-positive."
}
],
"no_findings": false
},
"no_findings": false,
"schema_version": 1
}
00000000: PUSH1 0x60 00000002: PUSH1 0x40 00000004: MSTORE 00000005: CALLDATASIZE 00000006: ISZERO 00000007: PUSH2 0x00b9 0000000a: JUMPI 0000000b: PUSH1 0xe0 0000000d: PUSH1 0x02 0000000f: EXP 00000010: PUSH1 0x00 00000012: CALLDATALOAD 00000013: DIV 00000014: PUSH4 0x06fdde03 00000019: DUP2 0000001a: EQ 0000001b: PUSH2 0x00bb 0000001e: JUMPI 0000001f: DUP1 00000020: PUSH4 0x095ea7b3 00000025: EQ 00000026: PUSH2 0x0119 00000029: JUMPI 0000002a: DUP1 0000002b: PUSH4 0x13af4035 00000030: EQ 00000031: PUSH2 0x0263 00000034: JUMPI 00000035: DUP1 00000036: PUSH4 0x18160ddd 0000003b: EQ 0000003c: PUSH2 0x02ab 0000003f: JUMPI 00000040: DUP1 00000041: PUSH4 0x23b872dd 00000046: EQ 00000047: PUSH2 0x030c 0000004a: JUMPI 0000004b: DUP1 0000004c: PUSH4 0x2dcb5c8d 00000051: EQ 00000052: PUSH2 0x04c4 00000055: JUMPI 00000056: DUP1 00000057: PUSH4 0x313ce567 0000005c: EQ 0000005d: PUSH2 0x04d0 00000060: JUMPI 00000061: DUP1 00000062: PUSH4 0x5a3b7e42 00000067: EQ 00000068: PUSH2 0x04dc 0000006b: JUMPI 0000006c: DUP1 0000006d: PUSH4 0x70a08231 00000072: EQ 00000073: PUSH2 0x053a 00000076: JUMPI 00000077: DUP1 00000078: PUSH4 0x8e25071a 0000007d: EQ 0000007e: PUSH2 0x05af 00000081: JUMPI 00000082: DUP1 00000083: PUSH4 0x95d89b41 00000088: EQ 00000089: PUSH2 0x060f 0000008c: JUMPI 0000008d: DUP1 0000008e: PUSH4 0xa9059cbb 00000093: EQ 00000094: PUSH2 0x066f 00000097: JUMPI 00000098: DUP1 00000099: PUSH4 0xb33a8a11 0000009e: EQ 0000009f: PUSH2 0x0817 000000a2: JUMPI 000000a3: DUP1 000000a4: PUSH4 0xdd62ed3e 000000a9: EQ 000000aa: PUSH2 0x0860 000000ad: JUMPI 000000ae: DUP1 000000af: PUSH4 0xe3a9b508 000000b4: EQ 000000b5: PUSH2 0x08f4 000000b8: JUMPI 000000b9: JUMPDEST 000000ba: STOP 000000bb: JUMPDEST 000000bc: PUSH1 0x40 000000be: DUP1 000000bf: MLOAD 000000c0: PUSH1 0x05 000000c2: DUP1 000000c3: SLOAD 000000c4: PUSH1 0x20 000000c6: PUSH1 0x02 000000c8: PUSH1 0x01 000000ca: DUP4 000000cb: AND 000000cc: ISZERO 000000cd: PUSH2 0x0100 000000d0: MUL 000000d1: PUSH1 0x00 000000d3: NOT 000000d4: ADD 000000d5: SWAP1 000000d6: SWAP3 000000d7: AND 000000d8: SWAP2 000000d9: SWAP1 000000da: SWAP2 000000db: DIV 000000dc: PUSH1 0x1f 000000de: DUP2 000000df: ADD 000000e0: DUP3 000000e1: SWAP1 000000e2: DIV 000000e3: DUP3 000000e4: MUL 000000e5: DUP5 000000e6: ADD 000000e7: DUP3 000000e8: ADD 000000e9: SWAP1 000000ea: SWAP5 000000eb: MSTORE 000000ec: DUP4 000000ed: DUP4 000000ee: MSTORE 000000ef: PUSH2 0x0928 000000f2: SWAP4 000000f3: SWAP1 000000f4: DUP4 000000f5: ADD 000000f6: DUP3 000000f7: DUP3 000000f8: DUP1 000000f9: ISZERO 000000fa: PUSH2 0x09fe 000000fd: JUMPI 000000fe: DUP1 000000ff: PUSH1 0x1f 00000101: LT 00000102: PUSH2 0x09d3 00000105: JUMPI 00000106: PUSH2 0x0100 00000109: DUP1 0000010a: DUP4 0000010b: SLOAD 0000010c: DIV 0000010d: MUL 0000010e: DUP4 0000010f: MSTORE 00000110: SWAP2 00000111: PUSH1 0x20 00000113: ADD 00000114: SWAP2 00000115: PUSH2 0x09fe 00000118: JUMP 00000119: JUMPDEST 0000011a: PUSH2 0x0996 0000011d: PUSH1 0x04 0000011f: CALLDATALOAD 00000120: PUSH1 0x24 00000122: CALLDATALOAD 00000123: PUSH1 0x00 00000125: DUP1 00000126: SLOAD 00000127: PUSH1 0xff 00000129: AND 0000012a: DUP1 0000012b: ISZERO 0000012c: PUSH2 0x0187 0000012f: JUMPI 00000130: POP 00000131: PUSH1 0x00 00000133: PUSH1 0x01 00000135: SWAP1 00000136: SLOAD 00000137: SWAP1 00000138: PUSH2 0x0100 0000013b: EXP 0000013c: SWAP1 0000013d: DIV 0000013e: PUSH1 0x01 00000140: PUSH1 0xa0 00000142: PUSH1 0x02 00000144: EXP 00000145: SUB 00000146: AND 00000147: PUSH1 0x01 00000149: PUSH1 0xa0 0000014b: PUSH1 0x02 0000014d: EXP 0000014e: SUB 0000014f: AND 00000150: PUSH4 0x3e8a0bc9 00000155: PUSH1 0x40 00000157: MLOAD 00000158: DUP2 00000159: PUSH1 0xe0 0000015b: PUSH1 0x02 0000015d: EXP 0000015e: MUL 0000015f: DUP2 00000160: MSTORE 00000161: PUSH1 0x04 00000163: ADD 00000164: DUP1 00000165: SWAP1 00000166: POP 00000167: PUSH1 0x20 00000169: PUSH1 0x40 0000016b: MLOAD 0000016c: DUP1 0000016d: DUP4 0000016e: SUB 0000016f: DUP2 00000170: PUSH1 0x00 00000172: DUP8 00000173: PUSH2 0x61da 00000176: GAS 00000177: SUB 00000178: CALL 00000179: ISZERO 0000017a: PUSH2 0x0002 0000017d: JUMPI 0000017e: POP 0000017f: POP 00000180: PUSH1 0x40 00000182: MLOAD 00000183: MLOAD 00000184: ISZERO 00000185: SWAP1 00000186: POP 00000187: JUMPDEST 00000188: ISZERO 00000189: PUSH2 0x0a0a 0000018c: JUMPI 0000018d: PUSH1 0x00 0000018f: PUSH1 0x01 00000191: SWAP1 00000192: SLOAD 00000193: SWAP1 00000194: PUSH2 0x0100 00000197: EXP 00000198: SWAP1 00000199: DIV 0000019a: PUSH1 0x01 0000019c: PUSH1 0xa0 0000019e: PUSH1 0x02 000001a0: EXP 000001a1: SUB 000001a2: AND 000001a3: PUSH1 0x01 000001a5: PUSH1 0xa0 000001a7: PUSH1 0x02 000001a9: EXP 000001aa: SUB 000001ab: AND 000001ac: PUSH4 0xf11c4482 000001b1: CALLER 000001b2: DUP6 000001b3: DUP6 000001b4: PUSH1 0x40 000001b6: MLOAD 000001b7: DUP5 000001b8: PUSH1 0xe0 000001ba: PUSH1 0x02 000001bc: EXP 000001bd: MUL 000001be: DUP2 000001bf: MSTORE 000001c0: PUSH1 0x04 000001c2: ADD 000001c3: DUP1 000001c4: DUP5 000001c5: PUSH1 0x01 000001c7: PUSH1 0xa0 000001c9: PUSH1 0x02 000001cb: EXP 000001cc: SUB 000001cd: AND 000001ce: DUP2 000001cf: MSTORE 000001d0: PUSH1 0x20 000001d2: ADD 000001d3: DUP4 000001d4: PUSH1 0x01 000001d6: PUSH1 0xa0 000001d8: PUSH1 0x02 000001da: EXP 000001db: SUB 000001dc: AND 000001dd: DUP2 000001de: MSTORE 000001df: PUSH1 0x20 000001e1: ADD 000001e2: DUP3 000001e3: DUP2 000001e4: MSTORE 000001e5: PUSH1 0x20 000001e7: ADD 000001e8: SWAP4 000001e9: POP 000001ea: POP 000001eb: POP 000001ec: POP 000001ed: PUSH1 0x20 000001ef: PUSH1 0x40 000001f1: MLOAD 000001f2: DUP1 000001f3: DUP4 000001f4: SUB 000001f5: DUP2 000001f6: PUSH1 0x00 000001f8: DUP8 000001f9: PUSH2 0x61da 000001fc: GAS 000001fd: SUB 000001fe: CALL 000001ff: ISZERO 00000200: PUSH2 0x0002 00000203: JUMPI 00000204: POP 00000205: POP 00000206: PUSH1 0x40 00000208: MLOAD 00000209: MLOAD 0000020a: ISZERO 0000020b: SWAP1 0000020c: POP 0000020d: PUSH2 0x0a06 00000210: JUMPI 00000211: DUP3 00000212: PUSH1 0x01 00000214: PUSH1 0xa0 00000216: PUSH1 0x02 00000218: EXP 00000219: SUB 0000021a: AND 0000021b: CALLER 0000021c: PUSH1 0x01 0000021e: PUSH1 0xa0 00000220: PUSH1 0x02 00000222: EXP 00000223: SUB 00000224: AND 00000225: PUSH32 0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925 00000246: DUP5 00000247: PUSH1 0x40 00000249: MLOAD 0000024a: DUP1 0000024b: DUP3 0000024c: DUP2 0000024d: MSTORE 0000024e: PUSH1 0x20 00000250: ADD 00000251: SWAP2 00000252: POP 00000253: POP 00000254: PUSH1 0x40 00000256: MLOAD 00000257: DUP1 00000258: SWAP2 00000259: SUB 0000025a: SWAP1 0000025b: LOG3 0000025c: POP 0000025d: PUSH1 0x01 0000025f: PUSH2 0x0a0a 00000262: JUMP 00000263: JUMPDEST 00000264: PUSH2 0x0996 00000267: PUSH1 0x04 00000269: CALLDATALOAD 0000026a: PUSH1 0x03 0000026c: SLOAD 0000026d: PUSH1 0x00 0000026f: SWAP1 00000270: PUSH1 0x01 00000272: PUSH1 0xa0 00000274: PUSH1 0x02 00000276: EXP 00000277: SUB 00000278: SWAP1 00000279: DUP2 0000027a: AND 0000027b: CALLER 0000027c: SWAP1 0000027d: SWAP2 0000027e: AND 0000027f: EQ 00000280: ISZERO 00000281: PUSH2 0x0a10 00000284: JUMPI 00000285: POP 00000286: PUSH1 0x02 00000288: DUP1 00000289: SLOAD 0000028a: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000029f: NOT 000002a0: AND 000002a1: DUP3 000002a2: OR 000002a3: SWAP1 000002a4: SSTORE 000002a5: PUSH1 0x01 000002a7: PUSH2 0x0a14 000002aa: JUMP 000002ab: JUMPDEST 000002ac: PUSH2 0x09aa 000002af: PUSH1 0x00 000002b1: PUSH1 0x00 000002b3: PUSH1 0x01 000002b5: SWAP1 000002b6: SLOAD 000002b7: SWAP1 000002b8: PUSH2 0x0100 000002bb: EXP 000002bc: SWAP1 000002bd: DIV 000002be: PUSH1 0x01 000002c0: PUSH1 0xa0 000002c2: PUSH1 0x02 000002c4: EXP 000002c5: SUB 000002c6: AND 000002c7: PUSH1 0x01 000002c9: PUSH1 0xa0 000002cb: PUSH1 0x02 000002cd: EXP 000002ce: SUB 000002cf: AND 000002d0: PUSH4 0x18160ddd 000002d5: PUSH1 0x40 000002d7: MLOAD 000002d8: DUP2 000002d9: PUSH1 0xe0 000002db: PUSH1 0x02 000002dd: EXP 000002de: MUL 000002df: DUP2 000002e0: MSTORE 000002e1: PUSH1 0x04 000002e3: ADD 000002e4: DUP1 000002e5: SWAP1 000002e6: POP 000002e7: PUSH1 0x20 000002e9: PUSH1 0x40 000002eb: MLOAD 000002ec: DUP1 000002ed: DUP4 000002ee: SUB 000002ef: DUP2 000002f0: PUSH1 0x00 000002f2: DUP8 000002f3: PUSH2 0x61da 000002f6: GAS 000002f7: SUB 000002f8: CALL 000002f9: ISZERO 000002fa: PUSH2 0x0002 000002fd: JUMPI 000002fe: POP 000002ff: POP 00000300: PUSH1 0x40 00000302: MLOAD 00000303: MLOAD 00000304: SWAP2 00000305: POP 00000306: PUSH2 0x0a1d 00000309: SWAP1 0000030a: POP 0000030b: JUMP 0000030c: JUMPDEST 0000030d: PUSH2 0x0996 00000310: PUSH1 0x04 00000312: CALLDATALOAD 00000313: PUSH1 0x24 00000315: CALLDATALOAD 00000316: PUSH1 0x44 00000318: CALLDATALOAD 00000319: PUSH1 0x00 0000031b: DUP1 0000031c: SLOAD 0000031d: DUP2 0000031e: SWAP1 0000031f: DUP2 00000320: SWAP1 00000321: DUP2 00000322: SWAP1 00000323: DUP2 00000324: SWAP1 00000325: DUP2 00000326: SWAP1 00000327: DUP2 00000328: SWAP1 00000329: PUSH1 0xff 0000032b: AND 0000032c: DUP1 0000032d: ISZERO 0000032e: PUSH2 0x0389 00000331: JUMPI 00000332: POP 00000333: PUSH1 0x00 00000335: PUSH1 0x01 00000337: SWAP1 00000338: SLOAD 00000339: SWAP1 0000033a: PUSH2 0x0100 0000033d: EXP 0000033e: SWAP1 0000033f: DIV 00000340: PUSH1 0x01 00000342: PUSH1 0xa0 00000344: PUSH1 0x02 00000346: EXP 00000347: SUB 00000348: AND 00000349: PUSH1 0x01 0000034b: PUSH1 0xa0 0000034d: PUSH1 0x02 0000034f: EXP 00000350: SUB 00000351: AND 00000352: PUSH4 0x3e8a0bc9 00000357: PUSH1 0x40 00000359: MLOAD 0000035a: DUP2 0000035b: PUSH1 0xe0 0000035d: PUSH1 0x02 0000035f: EXP 00000360: MUL 00000361: DUP2 00000362: MSTORE 00000363: PUSH1 0x04 00000365: ADD 00000366: DUP1 00000367: SWAP1 00000368: POP 00000369: PUSH1 0x20 0000036b: PUSH1 0x40 0000036d: MLOAD 0000036e: DUP1 0000036f: DUP4 00000370: SUB 00000371: DUP2 00000372: PUSH1 0x00 00000374: DUP8 00000375: PUSH2 0x61da 00000378: GAS 00000379: SUB 0000037a: CALL 0000037b: ISZERO 0000037c: PUSH2 0x0002 0000037f: JUMPI 00000380: POP 00000381: POP 00000382: PUSH1 0x40 00000384: MLOAD 00000385: MLOAD 00000386: ISZERO 00000387: SWAP1 00000388: POP 00000389: JUMPDEST 0000038a: ISZERO 0000038b: PUSH2 0x0a25 0000038e: JUMPI 0000038f: PUSH1 0x40 00000391: DUP1 00000392: MLOAD 00000393: PUSH1 0x00 00000395: DUP1 00000396: SLOAD 00000397: PUSH32 0xcacc24eb00000000000000000000000000000000000000000000000000000000 000003b8: DUP4 000003b9: MSTORE 000003ba: PUSH1 0x01 000003bc: PUSH1 0xa0 000003be: PUSH1 0x02 000003c0: EXP 000003c1: SUB 000003c2: CALLER 000003c3: DUP2 000003c4: AND 000003c5: PUSH1 0x04 000003c7: DUP6 000003c8: ADD 000003c9: MSTORE 000003ca: DUP15 000003cb: DUP2 000003cc: AND 000003cd: PUSH1 0x24 000003cf: DUP6 000003d0: ADD 000003d1: MSTORE 000003d2: DUP14 000003d3: DUP2 000003d4: AND 000003d5: PUSH1 0x44 000003d7: DUP6 000003d8: ADD 000003d9: MSTORE 000003da: PUSH1 0x64 000003dc: DUP5 000003dd: ADD 000003de: DUP14 000003df: SWAP1 000003e0: MSTORE 000003e1: SWAP4 000003e2: MLOAD 000003e3: PUSH2 0x0100 000003e6: SWAP1 000003e7: SWAP2 000003e8: DIV 000003e9: SWAP1 000003ea: SWAP4 000003eb: AND 000003ec: SWAP3 000003ed: PUSH4 0xcacc24eb 000003f2: SWAP3 000003f3: PUSH1 0x84 000003f5: DUP2 000003f6: DUP2 000003f7: ADD 000003f8: SWAP4 000003f9: PUSH1 0xc0 000003fb: SWAP4 000003fc: SWAP3 000003fd: DUP4 000003fe: SWAP1 000003ff: SUB 00000400: SWAP1 00000401: SWAP2 00000402: ADD 00000403: SWAP1 00000404: DUP3 00000405: SWAP1 00000406: DUP8 00000407: PUSH2 0x61da 0000040a: GAS 0000040b: SUB 0000040c: CALL 0000040d: ISZERO 0000040e: PUSH2 0x0002 00000411: JUMPI 00000412: POP 00000413: POP 00000414: PUSH1 0x40 00000416: DUP1 00000417: MLOAD 00000418: DUP1 00000419: MLOAD 0000041a: PUSH1 0x20 0000041c: DUP3 0000041d: ADD 0000041e: MLOAD 0000041f: SWAP3 00000420: DUP3 00000421: ADD 00000422: MLOAD 00000423: PUSH1 0x60 00000425: DUP4 00000426: ADD 00000427: MLOAD 00000428: PUSH1 0x80 0000042a: DUP5 0000042b: ADD 0000042c: MLOAD 0000042d: PUSH1 0xa0 0000042f: SWAP5 00000430: SWAP1 00000431: SWAP5 00000432: ADD 00000433: MLOAD 00000434: SWAP3 00000435: SWAP12 00000436: POP 00000437: SWAP4 00000438: SWAP10 00000439: POP 0000043a: SWAP8 0000043b: POP 0000043c: SWAP2 0000043d: SWAP6 0000043e: POP 0000043f: SWAP4 00000440: POP 00000441: SWAP2 00000442: POP 00000443: POP 00000444: DUP6 00000445: ISZERO 00000446: PUSH2 0x0a20 00000449: JUMPI 0000044a: DUP4 0000044b: PUSH1 0x01 0000044d: PUSH1 0xa0 0000044f: PUSH1 0x02 00000451: EXP 00000452: SUB 00000453: AND 00000454: DUP6 00000455: PUSH1 0x01 00000457: PUSH1 0xa0 00000459: PUSH1 0x02 0000045b: EXP 0000045c: SUB 0000045d: AND 0000045e: PUSH1 0x00 00000460: DUP1 00000461: MLOAD 00000462: PUSH1 0x20 00000464: PUSH2 0x0a43 00000467: DUP4 00000468: CODECOPY 00000469: DUP2 0000046a: MLOAD 0000046b: SWAP2 0000046c: MSTORE 0000046d: DUP6 0000046e: PUSH1 0x40 00000470: MLOAD 00000471: DUP1 00000472: DUP3 00000473: DUP2 00000474: MSTORE 00000475: PUSH1 0x20 00000477: ADD 00000478: SWAP2 00000479: POP 0000047a: POP 0000047b: PUSH1 0x40 0000047d: MLOAD 0000047e: DUP1 0000047f: SWAP2 00000480: SUB 00000481: SWAP1 00000482: LOG3 00000483: DUP2 00000484: PUSH1 0x01 00000486: PUSH1 0xa0 00000488: PUSH1 0x02 0000048a: EXP 0000048b: SUB 0000048c: AND 0000048d: DUP6 0000048e: PUSH1 0x01 00000490: PUSH1 0xa0 00000492: PUSH1 0x02 00000494: EXP 00000495: SUB 00000496: AND 00000497: PUSH1 0x00 00000499: DUP1 0000049a: MLOAD 0000049b: PUSH1 0x20 0000049d: PUSH2 0x0a43 000004a0: DUP4 000004a1: CODECOPY 000004a2: DUP2 000004a3: MLOAD 000004a4: SWAP2 000004a5: MSTORE 000004a6: DUP4 000004a7: PUSH1 0x40 000004a9: MLOAD 000004aa: DUP1 000004ab: DUP3 000004ac: DUP2 000004ad: MSTORE 000004ae: PUSH1 0x20 000004b0: ADD 000004b1: SWAP2 000004b2: POP 000004b3: POP 000004b4: PUSH1 0x40 000004b6: MLOAD 000004b7: DUP1 000004b8: SWAP2 000004b9: SUB 000004ba: SWAP1 000004bb: LOG3 000004bc: PUSH1 0x01 000004be: SWAP7 000004bf: POP 000004c0: PUSH2 0x0a25 000004c3: JUMP 000004c4: JUMPDEST 000004c5: PUSH2 0x0996 000004c8: PUSH1 0x00 000004ca: SLOAD 000004cb: PUSH1 0xff 000004cd: AND 000004ce: DUP2 000004cf: JUMP 000004d0: JUMPDEST 000004d1: PUSH2 0x09bc 000004d4: PUSH1 0x07 000004d6: SLOAD 000004d7: PUSH1 0xff 000004d9: AND 000004da: DUP2 000004db: JUMP 000004dc: JUMPDEST 000004dd: PUSH2 0x0928 000004e0: PUSH1 0x04 000004e2: DUP1 000004e3: SLOAD 000004e4: PUSH1 0x40 000004e6: DUP1 000004e7: MLOAD 000004e8: PUSH1 0x20 000004ea: PUSH1 0x02 000004ec: PUSH1 0x01 000004ee: DUP6 000004ef: AND 000004f0: ISZERO 000004f1: PUSH2 0x0100 000004f4: MUL 000004f5: PUSH1 0x00 000004f7: NOT 000004f8: ADD 000004f9: SWAP1 000004fa: SWAP5 000004fb: AND 000004fc: SWAP4 000004fd: SWAP1 000004fe: SWAP4 000004ff: DIV 00000500: PUSH1 0x1f 00000502: DUP2 00000503: ADD 00000504: DUP5 00000505: SWAP1 00000506: DIV 00000507: DUP5 00000508: MUL 00000509: DUP3 0000050a: ADD 0000050b: DUP5 0000050c: ADD 0000050d: SWAP1 0000050e: SWAP3 0000050f: MSTORE 00000510: DUP2 00000511: DUP2 00000512: MSTORE 00000513: SWAP3 00000514: SWAP2 00000515: DUP4 00000516: ADD 00000517: DUP3 00000518: DUP3 00000519: DUP1 0000051a: ISZERO 0000051b: PUSH2 0x09fe 0000051e: JUMPI 0000051f: DUP1 00000520: PUSH1 0x1f 00000522: LT 00000523: PUSH2 0x09d3 00000526: JUMPI 00000527: PUSH2 0x0100 0000052a: DUP1 0000052b: DUP4 0000052c: SLOAD 0000052d: DIV 0000052e: MUL 0000052f: DUP4 00000530: MSTORE 00000531: SWAP2 00000532: PUSH1 0x20 00000534: ADD 00000535: SWAP2 00000536: PUSH2 0x09fe 00000539: JUMP 0000053a: JUMPDEST 0000053b: PUSH2 0x09aa 0000053e: PUSH1 0x04 00000540: CALLDATALOAD 00000541: PUSH1 0x00 00000543: PUSH1 0x00 00000545: PUSH1 0x01 00000547: SWAP1 00000548: SLOAD 00000549: SWAP1 0000054a: PUSH2 0x0100 0000054d: EXP 0000054e: SWAP1 0000054f: DIV 00000550: PUSH1 0x01 00000552: PUSH1 0xa0 00000554: PUSH1 0x02 00000556: EXP 00000557: SUB 00000558: AND 00000559: PUSH1 0x01 0000055b: PUSH1 0xa0 0000055d: PUSH1 0x02 0000055f: EXP 00000560: SUB 00000561: AND 00000562: PUSH4 0x70a08231 00000567: DUP4 00000568: PUSH1 0x40 0000056a: MLOAD 0000056b: DUP3 0000056c: PUSH1 0xe0 0000056e: PUSH1 0x02 00000570: EXP 00000571: MUL 00000572: DUP2 00000573: MSTORE 00000574: PUSH1 0x04 00000576: ADD 00000577: DUP1 00000578: DUP3 00000579: PUSH1 0x01 0000057b: PUSH1 0xa0 0000057d: PUSH1 0x02 0000057f: EXP 00000580: SUB 00000581: AND 00000582: DUP2 00000583: MSTORE 00000584: PUSH1 0x20 00000586: ADD 00000587: SWAP2 00000588: POP 00000589: POP 0000058a: PUSH1 0x20 0000058c: PUSH1 0x40 0000058e: MLOAD 0000058f: DUP1 00000590: DUP4 00000591: SUB 00000592: DUP2 00000593: PUSH1 0x00 00000595: DUP8 00000596: PUSH2 0x61da 00000599: GAS 0000059a: SUB 0000059b: CALL 0000059c: ISZERO 0000059d: PUSH2 0x0002 000005a0: JUMPI 000005a1: POP 000005a2: POP 000005a3: PUSH1 0x40 000005a5: MLOAD 000005a6: MLOAD 000005a7: SWAP2 000005a8: POP 000005a9: PUSH2 0x0a14 000005ac: SWAP1 000005ad: POP 000005ae: JUMP 000005af: JUMPDEST 000005b0: PUSH2 0x0996 000005b3: PUSH1 0x04 000005b5: CALLDATALOAD 000005b6: PUSH1 0x02 000005b8: SLOAD 000005b9: PUSH1 0x00 000005bb: SWAP1 000005bc: PUSH1 0x01 000005be: PUSH1 0xa0 000005c0: PUSH1 0x02 000005c2: EXP 000005c3: SUB 000005c4: SWAP1 000005c5: DUP2 000005c6: AND 000005c7: CALLER 000005c8: SWAP1 000005c9: SWAP2 000005ca: AND 000005cb: EQ 000005cc: DUP1 000005cd: PUSH2 0x05e5 000005d0: JUMPI 000005d1: POP 000005d2: PUSH1 0x03 000005d4: SLOAD 000005d5: PUSH1 0x01 000005d7: PUSH1 0xa0 000005d9: PUSH1 0x02 000005db: EXP 000005dc: SUB 000005dd: SWAP1 000005de: DUP2 000005df: AND 000005e0: CALLER 000005e1: SWAP1 000005e2: SWAP2 000005e3: AND 000005e4: EQ 000005e5: JUMPDEST 000005e6: ISZERO 000005e7: PUSH2 0x0a10 000005ea: JUMPI 000005eb: POP 000005ec: PUSH1 0x01 000005ee: DUP1 000005ef: SLOAD 000005f0: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000605: NOT 00000606: AND 00000607: DUP3 00000608: OR 00000609: DUP2 0000060a: SSTORE 0000060b: PUSH2 0x0a14 0000060e: JUMP 0000060f: JUMPDEST 00000610: PUSH2 0x0928 00000613: PUSH1 0x06 00000615: DUP1 00000616: SLOAD 00000617: PUSH1 0x40 00000619: DUP1 0000061a: MLOAD 0000061b: PUSH1 0x20 0000061d: PUSH1 0x1f 0000061f: PUSH1 0x02 00000621: PUSH1 0x00 00000623: NOT 00000624: PUSH1 0x01 00000626: DUP8 00000627: AND 00000628: ISZERO 00000629: PUSH2 0x0100 0000062c: MUL 0000062d: ADD 0000062e: SWAP1 0000062f: SWAP6 00000630: AND 00000631: SWAP5 00000632: SWAP1 00000633: SWAP5 00000634: DIV 00000635: SWAP4 00000636: DUP5 00000637: ADD 00000638: DUP2 00000639: SWAP1 0000063a: DIV 0000063b: DUP2 0000063c: MUL 0000063d: DUP3 0000063e: ADD 0000063f: DUP2 00000640: ADD 00000641: SWAP1 00000642: SWAP3 00000643: MSTORE 00000644: DUP3 00000645: DUP2 00000646: MSTORE 00000647: SWAP3 00000648: SWAP2 00000649: SWAP1 0000064a: DUP4 0000064b: ADD 0000064c: DUP3 0000064d: DUP3 0000064e: DUP1 0000064f: ISZERO 00000650: PUSH2 0x09fe 00000653: JUMPI 00000654: DUP1 00000655: PUSH1 0x1f 00000657: LT 00000658: PUSH2 0x09d3 0000065b: JUMPI 0000065c: PUSH2 0x0100 0000065f: DUP1 00000660: DUP4 00000661: SLOAD 00000662: DIV 00000663: MUL 00000664: DUP4 00000665: MSTORE 00000666: SWAP2 00000667: PUSH1 0x20 00000669: ADD 0000066a: SWAP2 0000066b: PUSH2 0x09fe 0000066e: JUMP 0000066f: JUMPDEST 00000670: PUSH2 0x0996 00000673: PUSH1 0x04 00000675: CALLDATALOAD 00000676: PUSH1 0x24 00000678: CALLDATALOAD 00000679: PUSH1 0x00 0000067b: DUP1 0000067c: SLOAD 0000067d: DUP2 0000067e: SWAP1 0000067f: DUP2 00000680: SWAP1 00000681: DUP2 00000682: SWAP1 00000683: DUP2 00000684: SWAP1 00000685: DUP2 00000686: SWAP1 00000687: DUP2 00000688: SWAP1 00000689: PUSH1 0xff 0000068b: AND 0000068c: DUP1 0000068d: ISZERO 0000068e: PUSH2 0x06e9 00000691: JUMPI 00000692: POP 00000693: PUSH1 0x00 00000695: PUSH1 0x01 00000697: SWAP1 00000698: SLOAD 00000699: SWAP1 0000069a: PUSH2 0x0100 0000069d: EXP 0000069e: SWAP1 0000069f: DIV 000006a0: PUSH1 0x01 000006a2: PUSH1 0xa0 000006a4: PUSH1 0x02 000006a6: EXP 000006a7: SUB 000006a8: AND 000006a9: PUSH1 0x01 000006ab: PUSH1 0xa0 000006ad: PUSH1 0x02 000006af: EXP 000006b0: SUB 000006b1: AND 000006b2: PUSH4 0x3e8a0bc9 000006b7: PUSH1 0x40 000006b9: MLOAD 000006ba: DUP2 000006bb: PUSH1 0xe0 000006bd: PUSH1 0x02 000006bf: EXP 000006c0: MUL 000006c1: DUP2 000006c2: MSTORE 000006c3: PUSH1 0x04 000006c5: ADD 000006c6: DUP1 000006c7: SWAP1 000006c8: POP 000006c9: PUSH1 0x20 000006cb: PUSH1 0x40 000006cd: MLOAD 000006ce: DUP1 000006cf: DUP4 000006d0: SUB 000006d1: DUP2 000006d2: PUSH1 0x00 000006d4: DUP8 000006d5: PUSH2 0x61da 000006d8: GAS 000006d9: SUB 000006da: CALL 000006db: ISZERO 000006dc: PUSH2 0x0002 000006df: JUMPI 000006e0: POP 000006e1: POP 000006e2: PUSH1 0x40 000006e4: MLOAD 000006e5: MLOAD 000006e6: ISZERO 000006e7: SWAP1 000006e8: POP 000006e9: JUMPDEST 000006ea: ISZERO 000006eb: PUSH2 0x0a37 000006ee: JUMPI 000006ef: PUSH1 0x00 000006f1: PUSH1 0x01 000006f3: SWAP1 000006f4: SLOAD 000006f5: SWAP1 000006f6: PUSH2 0x0100 000006f9: EXP 000006fa: SWAP1 000006fb: DIV 000006fc: PUSH1 0x01 000006fe: PUSH1 0xa0 00000700: PUSH1 0x02 00000702: EXP 00000703: SUB 00000704: AND 00000705: PUSH1 0x01 00000707: PUSH1 0xa0 00000709: PUSH1 0x02 0000070b: EXP 0000070c: SUB 0000070d: AND 0000070e: PUSH4 0x240ecad5 00000713: CALLER 00000714: DUP12 00000715: DUP12 00000716: PUSH1 0x40 00000718: MLOAD 00000719: DUP5 0000071a: PUSH1 0xe0 0000071c: PUSH1 0x02 0000071e: EXP 0000071f: MUL 00000720: DUP2 00000721: MSTORE 00000722: PUSH1 0x04 00000724: ADD 00000725: DUP1 00000726: DUP5 00000727: PUSH1 0x01 00000729: PUSH1 0xa0 0000072b: PUSH1 0x02 0000072d: EXP 0000072e: SUB 0000072f: AND 00000730: DUP2 00000731: MSTORE 00000732: PUSH1 0x20 00000734: ADD 00000735: DUP4 00000736: PUSH1 0x01 00000738: PUSH1 0xa0 0000073a: PUSH1 0x02 0000073c: EXP 0000073d: SUB 0000073e: AND 0000073f: DUP2 00000740: MSTORE 00000741: PUSH1 0x20 00000743: ADD 00000744: DUP3 00000745: DUP2 00000746: MSTORE 00000747: PUSH1 0x20 00000749: ADD 0000074a: SWAP4 0000074b: POP 0000074c: POP 0000074d: POP 0000074e: POP 0000074f: PUSH1 0xc0 00000751: PUSH1 0x40 00000753: MLOAD 00000754: DUP1 00000755: DUP4 00000756: SUB 00000757: DUP2 00000758: PUSH1 0x00 0000075a: DUP8 0000075b: PUSH2 0x61da 0000075e: GAS 0000075f: SUB 00000760: CALL 00000761: ISZERO 00000762: PUSH2 0x0002 00000765: JUMPI 00000766: POP 00000767: POP 00000768: PUSH1 0x40 0000076a: DUP1 0000076b: MLOAD 0000076c: DUP1 0000076d: MLOAD 0000076e: PUSH1 0x20 00000770: DUP3 00000771: ADD 00000772: MLOAD 00000773: SWAP3 00000774: DUP3 00000775: ADD 00000776: MLOAD 00000777: PUSH1 0x60 00000779: DUP4 0000077a: ADD 0000077b: MLOAD 0000077c: PUSH1 0x80 0000077e: DUP5 0000077f: ADD 00000780: MLOAD 00000781: PUSH1 0xa0 00000783: SWAP1 00000784: SWAP5 00000785: ADD 00000786: MLOAD 00000787: SWAP3 00000788: SWAP12 00000789: POP 0000078a: SWAP4 0000078b: SWAP10 0000078c: POP 0000078d: SWAP8 0000078e: POP 0000078f: SWAP2 00000790: SWAP6 00000791: POP 00000792: SWAP4 00000793: POP 00000794: SWAP2 00000795: POP 00000796: POP 00000797: DUP6 00000798: ISZERO 00000799: PUSH2 0x0a32 0000079c: JUMPI 0000079d: DUP4 0000079e: PUSH1 0x01 000007a0: PUSH1 0xa0 000007a2: PUSH1 0x02 000007a4: EXP 000007a5: SUB 000007a6: AND 000007a7: DUP6 000007a8: PUSH1 0x01 000007aa: PUSH1 0xa0 000007ac: PUSH1 0x02 000007ae: EXP 000007af: SUB 000007b0: AND 000007b1: PUSH1 0x00 000007b3: DUP1 000007b4: MLOAD 000007b5: PUSH1 0x20 000007b7: PUSH2 0x0a43 000007ba: DUP4 000007bb: CODECOPY 000007bc: DUP2 000007bd: MLOAD 000007be: SWAP2 000007bf: MSTORE 000007c0: DUP6 000007c1: PUSH1 0x40 000007c3: MLOAD 000007c4: DUP1 000007c5: DUP3 000007c6: DUP2 000007c7: MSTORE 000007c8: PUSH1 0x20 000007ca: ADD 000007cb: SWAP2 000007cc: POP 000007cd: POP 000007ce: PUSH1 0x40 000007d0: MLOAD 000007d1: DUP1 000007d2: SWAP2 000007d3: SUB 000007d4: SWAP1 000007d5: LOG3 000007d6: DUP2 000007d7: PUSH1 0x01 000007d9: PUSH1 0xa0 000007db: PUSH1 0x02 000007dd: EXP 000007de: SUB 000007df: AND 000007e0: DUP6 000007e1: PUSH1 0x01 000007e3: PUSH1 0xa0 000007e5: PUSH1 0x02 000007e7: EXP 000007e8: SUB 000007e9: AND 000007ea: PUSH1 0x00 000007ec: DUP1 000007ed: MLOAD 000007ee: PUSH1 0x20 000007f0: PUSH2 0x0a43 000007f3: DUP4 000007f4: CODECOPY 000007f5: DUP2 000007f6: MLOAD 000007f7: SWAP2 000007f8: MSTORE 000007f9: DUP4 000007fa: PUSH1 0x40 000007fc: MLOAD 000007fd: DUP1 000007fe: DUP3 000007ff: DUP2 00000800: MSTORE 00000801: PUSH1 0x20 00000803: ADD 00000804: SWAP2 00000805: POP 00000806: POP 00000807: PUSH1 0x40 00000809: MLOAD 0000080a: DUP1 0000080b: SWAP2 0000080c: SUB 0000080d: SWAP1 0000080e: LOG3 0000080f: PUSH1 0x01 00000811: SWAP7 00000812: POP 00000813: PUSH2 0x0a37 00000816: JUMP 00000817: JUMPDEST 00000818: PUSH2 0x0996 0000081b: PUSH1 0x04 0000081d: CALLDATALOAD 0000081e: PUSH1 0x01 00000820: SLOAD 00000821: PUSH1 0x00 00000823: SWAP1 00000824: CALLER 00000825: PUSH1 0x01 00000827: PUSH1 0xa0 00000829: PUSH1 0x02 0000082b: EXP 0000082c: SUB 0000082d: SWAP1 0000082e: DUP2 0000082f: AND 00000830: SWAP2 00000831: AND 00000832: EQ 00000833: ISZERO 00000834: PUSH2 0x0a10 00000837: JUMPI 00000838: DUP1 00000839: SLOAD 0000083a: PUSH21 0xffffffffffffffffffffffffffffffffffffffff00 00000850: NOT 00000851: AND 00000852: PUSH2 0x0100 00000855: DUP4 00000856: MUL 00000857: OR 00000858: SWAP1 00000859: SSTORE 0000085a: PUSH1 0x01 0000085c: PUSH2 0x0a14 0000085f: JUMP 00000860: JUMPDEST 00000861: PUSH2 0x09aa 00000864: PUSH1 0x04 00000866: CALLDATALOAD 00000867: PUSH1 0x24 00000869: CALLDATALOAD 0000086a: PUSH1 0x00 0000086c: DUP1 0000086d: SLOAD 0000086e: PUSH1 0x40 00000870: DUP1 00000871: MLOAD 00000872: PUSH32 0xeb06e65e00000000000000000000000000000000000000000000000000000000 00000893: DUP2 00000894: MSTORE 00000895: CALLER 00000896: PUSH1 0x01 00000898: PUSH1 0xa0 0000089a: PUSH1 0x02 0000089c: EXP 0000089d: SUB 0000089e: SWAP1 0000089f: DUP2 000008a0: AND 000008a1: PUSH1 0x04 000008a3: DUP4 000008a4: ADD 000008a5: MSTORE 000008a6: DUP7 000008a7: DUP2 000008a8: AND 000008a9: PUSH1 0x24 000008ab: DUP4 000008ac: ADD 000008ad: MSTORE 000008ae: DUP6 000008af: DUP2 000008b0: AND 000008b1: PUSH1 0x44 000008b3: DUP4 000008b4: ADD 000008b5: MSTORE 000008b6: SWAP2 000008b7: MLOAD 000008b8: PUSH2 0x0100 000008bb: SWAP1 000008bc: SWAP4 000008bd: DIV 000008be: SWAP1 000008bf: SWAP2 000008c0: AND 000008c1: SWAP2 000008c2: PUSH4 0xeb06e65e 000008c7: SWAP2 000008c8: PUSH1 0x64 000008ca: DUP2 000008cb: DUP2 000008cc: ADD 000008cd: SWAP3 000008ce: PUSH1 0x20 000008d0: SWAP3 000008d1: SWAP1 000008d2: SWAP2 000008d3: SWAP1 000008d4: DUP3 000008d5: SWAP1 000008d6: SUB 000008d7: ADD 000008d8: DUP2 000008d9: DUP8 000008da: DUP8 000008db: PUSH2 0x61da 000008de: GAS 000008df: SUB 000008e0: CALL 000008e1: ISZERO 000008e2: PUSH2 0x0002 000008e5: JUMPI 000008e6: POP 000008e7: POP 000008e8: PUSH1 0x40 000008ea: MLOAD 000008eb: MLOAD 000008ec: SWAP2 000008ed: POP 000008ee: PUSH2 0x0a0a 000008f1: SWAP1 000008f2: POP 000008f3: JUMP 000008f4: JUMPDEST 000008f5: PUSH2 0x0996 000008f8: PUSH1 0x01 000008fa: SLOAD 000008fb: PUSH1 0x00 000008fd: SWAP1 000008fe: CALLER 000008ff: PUSH1 0x01 00000901: PUSH1 0xa0 00000903: PUSH1 0x02 00000905: EXP 00000906: SUB 00000907: SWAP1 00000908: DUP2 00000909: AND 0000090a: SWAP2 0000090b: AND 0000090c: EQ 0000090d: ISZERO 0000090e: PUSH2 0x0a19 00000911: JUMPI 00000912: DUP1 00000913: SLOAD 00000914: PUSH1 0xff 00000916: NOT 00000917: DUP2 00000918: AND 00000919: PUSH1 0xff 0000091b: SWAP1 0000091c: SWAP2 0000091d: AND 0000091e: ISZERO 0000091f: OR 00000920: SWAP1 00000921: SSTORE 00000922: PUSH1 0x01 00000924: PUSH2 0x0a1d 00000927: JUMP 00000928: JUMPDEST 00000929: PUSH1 0x40 0000092b: MLOAD 0000092c: DUP1 0000092d: DUP1 0000092e: PUSH1 0x20 00000930: ADD 00000931: DUP3 00000932: DUP2 00000933: SUB 00000934: DUP3 00000935: MSTORE 00000936: DUP4 00000937: DUP2 00000938: DUP2 00000939: MLOAD 0000093a: DUP2 0000093b: MSTORE 0000093c: PUSH1 0x20 0000093e: ADD 0000093f: SWAP2 00000940: POP 00000941: DUP1 00000942: MLOAD 00000943: SWAP1 00000944: PUSH1 0x20 00000946: ADD 00000947: SWAP1 00000948: DUP1 00000949: DUP4 0000094a: DUP4 0000094b: DUP3 0000094c: SWAP1 0000094d: PUSH1 0x00 0000094f: PUSH1 0x04 00000951: PUSH1 0x20 00000953: DUP5 00000954: PUSH1 0x1f 00000956: ADD 00000957: DIV 00000958: PUSH1 0x0f 0000095a: MUL 0000095b: PUSH1 0x03 0000095d: ADD 0000095e: CALL 0000095f: POP 00000960: SWAP1 00000961: POP 00000962: SWAP1 00000963: DUP2 00000964: ADD 00000965: SWAP1 00000966: PUSH1 0x1f 00000968: AND 00000969: DUP1 0000096a: ISZERO 0000096b: PUSH2 0x0988 0000096e: JUMPI 0000096f: DUP1 00000970: DUP3 00000971: SUB 00000972: DUP1 00000973: MLOAD 00000974: PUSH1 0x01 00000976: DUP4 00000977: PUSH1 0x20 00000979: SUB 0000097a: PUSH2 0x0100 0000097d: EXP 0000097e: SUB 0000097f: NOT 00000980: AND 00000981: DUP2 00000982: MSTORE 00000983: PUSH1 0x20 00000985: ADD 00000986: SWAP2 00000987: POP 00000988: JUMPDEST 00000989: POP 0000098a: SWAP3 0000098b: POP 0000098c: POP 0000098d: POP 0000098e: PUSH1 0x40 00000990: MLOAD 00000991: DUP1 00000992: SWAP2 00000993: SUB 00000994: SWAP1 00000995: RETURN 00000996: JUMPDEST 00000997: PUSH1 0x40 00000999: DUP1 0000099a: MLOAD 0000099b: SWAP2 0000099c: ISZERO 0000099d: ISZERO 0000099e: DUP3 0000099f: MSTORE 000009a0: MLOAD 000009a1: SWAP1 000009a2: DUP2 000009a3: SWAP1 000009a4: SUB 000009a5: PUSH1 0x20 000009a7: ADD 000009a8: SWAP1 000009a9: RETURN 000009aa: JUMPDEST 000009ab: PUSH1 0x40 000009ad: DUP1 000009ae: MLOAD 000009af: SWAP2 000009b0: DUP3 000009b1: MSTORE 000009b2: MLOAD 000009b3: SWAP1 000009b4: DUP2 000009b5: SWAP1 000009b6: SUB 000009b7: PUSH1 0x20 000009b9: ADD 000009ba: SWAP1 000009bb: RETURN 000009bc: JUMPDEST 000009bd: PUSH1 0x40 000009bf: DUP1 000009c0: MLOAD 000009c1: PUSH1 0xff 000009c3: SWAP3 000009c4: SWAP1 000009c5: SWAP3 000009c6: AND 000009c7: DUP3 000009c8: MSTORE 000009c9: MLOAD 000009ca: SWAP1 000009cb: DUP2 000009cc: SWAP1 000009cd: SUB 000009ce: PUSH1 0x20 000009d0: ADD 000009d1: SWAP1 000009d2: RETURN 000009d3: JUMPDEST 000009d4: DUP3 000009d5: ADD 000009d6: SWAP2 000009d7: SWAP1 000009d8: PUSH1 0x00 000009da: MSTORE 000009db: PUSH1 0x20 000009dd: PUSH1 0x00 000009df: KECCAK256 000009e0: SWAP1 000009e1: JUMPDEST 000009e2: DUP2 000009e3: SLOAD 000009e4: DUP2 000009e5: MSTORE 000009e6: SWAP1 000009e7: PUSH1 0x01 000009e9: ADD 000009ea: SWAP1 000009eb: PUSH1 0x20 000009ed: ADD 000009ee: DUP1 000009ef: DUP4 000009f0: GT 000009f1: PUSH2 0x09e1 000009f4: JUMPI 000009f5: DUP3 000009f6: SWAP1 000009f7: SUB 000009f8: PUSH1 0x1f 000009fa: AND 000009fb: DUP3 000009fc: ADD 000009fd: SWAP2 000009fe: JUMPDEST 000009ff: POP 00000a00: POP 00000a01: POP 00000a02: POP 00000a03: POP 00000a04: DUP2 00000a05: JUMP 00000a06: JUMPDEST 00000a07: POP 00000a08: PUSH1 0x00 00000a0a: JUMPDEST 00000a0b: SWAP3 00000a0c: SWAP2 00000a0d: POP 00000a0e: POP 00000a0f: JUMP 00000a10: JUMPDEST 00000a11: POP 00000a12: PUSH1 0x00 00000a14: JUMPDEST 00000a15: SWAP2 00000a16: SWAP1 00000a17: POP 00000a18: JUMP 00000a19: JUMPDEST 00000a1a: POP 00000a1b: PUSH1 0x00 00000a1d: JUMPDEST 00000a1e: SWAP1 00000a1f: JUMP 00000a20: JUMPDEST 00000a21: PUSH1 0x00 00000a23: SWAP7 00000a24: POP 00000a25: JUMPDEST 00000a26: POP 00000a27: POP 00000a28: POP 00000a29: POP 00000a2a: POP 00000a2b: POP 00000a2c: SWAP4 00000a2d: SWAP3 00000a2e: POP 00000a2f: POP 00000a30: POP 00000a31: JUMP 00000a32: JUMPDEST 00000a33: PUSH1 0x00 00000a35: SWAP7 00000a36: POP 00000a37: JUMPDEST 00000a38: POP 00000a39: POP 00000a3a: POP 00000a3b: POP 00000a3c: POP 00000a3d: POP 00000a3e: SWAP3 00000a3f: SWAP2 00000a40: POP 00000a41: POP 00000a42: JUMP 00000a43: UNKNOWN(0xDD) 00000a44: CALLCODE 00000a45: MSTORE 00000a46: UNKNOWN(0xAD) 00000a47: SHL 00000a48: UNKNOWN(0xE2) 00000a49: UNKNOWN(0xC8) 00000a4a: SWAP12 00000a4b: PUSH10 0xc2b068fc378daa952ba7 00000a56: CALL 00000a57: PUSH4 0xc4a11628 00000a5c: CREATE2 00000a5d: GAS 00000a5e: UNKNOWN(0x4D) 00000a5f: CREATE2 00000a60: UNKNOWN(0x23) 00000a61: UNKNOWN(0xB3) 00000a62: UNKNOWN(0xEF)
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | other | detector | ETH value transfer possible | 55 | yes | yes |
viewtrace_id: 0xa39ffec31ea910d0343f81637c1c94c5e9f74cc361a1831af2fe64019949162d
call_targets:
0x0000000000000000000000000000000000000004, 0x75ac19045e7b4b96f7840f8fe9e2e255093bd52f
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0xa39ffec31ea910d0343f81637c1c94c5e9f74cc361a1831af2fe64019949162d",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x75ac19045e7b4b96f7840f8fe9e2e255093bd52f"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x095ea7b3",
"selector": "0x095ea7b3",
"calldata_variants": [
"0x095ea7b3",
"0x095ea7b30000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x13af4035",
"selector": "0x13af4035",
"calldata_variants": [
"0x13af4035",
"0x13af40350000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x18160ddd",
"selector": "0x18160ddd",
"calldata_variants": [
"0x18160ddd",
"0x18160ddd0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x23b872dd",
"selector": "0x23b872dd",
"calldata_variants": [
"0x23b872dd",
"0x23b872dd0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x2dcb5c8d",
"selector": "0x2dcb5c8d",
"calldata_variants": [
"0x2dcb5c8d",
"0x2dcb5c8d0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x5a3b7e42",
"selector": "0x5a3b7e42",
"calldata_variants": [
"0x5a3b7e42",
"0x5a3b7e420000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 376,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 510,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 760,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "constant",
"target_expression_category": "computed"
}
],
"eth_value_calls": 12,
"guards_detected": []
}
|
| high | other | detector | Untrusted CALL target/value reachable | 60 | yes | yes |
viewtrace_id: 0xa39ffec31ea910d0343f81637c1c94c5e9f74cc361a1831af2fe64019949162d
call_targets:
0x0000000000000000000000000000000000000004, 0x75ac19045e7b4b96f7840f8fe9e2e255093bd52f
target_varies:
yes
classification:
target_varies
validation_json{
"sink": "CALL",
"errors": 0,
"status": "confirmed",
"attempts": 1,
"trace_id": "0xa39ffec31ea910d0343f81637c1c94c5e9f74cc361a1831af2fe64019949162d",
"confirmed": true,
"trace_mode": "callTracer",
"call_targets": [
"0x0000000000000000000000000000000000000004",
"0x75ac19045e7b4b96f7840f8fe9e2e255093bd52f"
],
"matched_probe": null,
"target_varies": true,
"classification": "target_varies"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x095ea7b3",
"selector": "0x095ea7b3",
"calldata_variants": [
"0x095ea7b3",
"0x095ea7b30000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x13af4035",
"selector": "0x13af4035",
"calldata_variants": [
"0x13af4035",
"0x13af40350000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x18160ddd",
"selector": "0x18160ddd",
"calldata_variants": [
"0x18160ddd",
"0x18160ddd0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x23b872dd",
"selector": "0x23b872dd",
"calldata_variants": [
"0x23b872dd",
"0x23b872dd0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x2dcb5c8d",
"selector": "0x2dcb5c8d",
"calldata_variants": [
"0x2dcb5c8d",
"0x2dcb5c8d0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x5a3b7e42",
"selector": "0x5a3b7e42",
"calldata_variants": [
"0x5a3b7e42",
"0x5a3b7e420000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 376,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 510,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 760,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "constant",
"target_expression_category": "computed"
}
],
"call_count": 12,
"guards_detected": [],
"untrusted_call_count": 12
}
|
| medium | reentrancy | codex | Externally configured hook contract is called in core token flows (reentrancy/DoS risk) | 75 | no | — |
viewevidence_json{
"evidence": "Disassembly shows calls with encoded selectors and a computed target loaded from storage slot 0x01 (e.g., SLOAD at pc:0x0191 and pc:0x06f4). The detector reports an untrusted CALL target reachable with target variance. Example callsites: pc:0x0178 (selector 0x3e8a0bc9), pc:0x01fe (selector 0xf11c4482), pc:0x040c (selector 0xcacc24eb), pc:0x06da (selector 0x3e8a0bc9), pc:0x0760 (selector 0x240ecad5), pc:0x08e0 (selector 0xeb06e65e).",
"locations": [
"pc:0x0178",
"pc:0x01fe",
"pc:0x040c",
"pc:0x06da",
"pc:0x0760",
"pc:0x08e0"
],
"recommendation": "Restrict and harden the hook target (immutable or vetted governance), add a reentrancy guard around state-changing token flows, and ensure state updates occur before external calls where safe. If the hook is only for validation, consider STATICCALL and explicit return-value checks.",
"exploit_scenario": "The contract loads a target address from storage and performs multiple external CALLs (selectors 0x3e8a0bc9, 0xf11c4482, 0xcacc24eb, 0x240ecad5, 0xeb06e65e) during functions that appear to align with approve/transfer/transferFrom. If the stored target address is attacker-controlled or compromised, the hook can reenter token functions or deliberately revert, potentially causing reentrancy on state updates or a denial of service on transfers/approvals. No reentrancy guard is detected in the analysis artifacts, and the call targets are computed from mutable storage."
}
|
| medium | other | detector | CREATE/CREATE2 reachable | 45 | no | no |
viewtrace_id: 0x97b1212a1d309d8d6d84bfbb4dbf24b03bc8dd55297090c70418e87dd2abdfde
validation_json{
"sink": "CREATE",
"errors": 0,
"status": "unknown",
"attempts": 30,
"trace_id": "0x97b1212a1d309d8d6d84bfbb4dbf24b03bc8dd55297090c70418e87dd2abdfde",
"confirmed": false,
"trace_mode": "structLogs",
"call_targets": null,
"matched_probe": null,
"target_varies": null,
"classification": "no_sink"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x06fdde03",
"selector": "0x06fdde03",
"calldata_variants": [
"0x06fdde03",
"0x06fdde030000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x095ea7b3",
"selector": "0x095ea7b3",
"calldata_variants": [
"0x095ea7b3",
"0x095ea7b30000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x13af4035",
"selector": "0x13af4035",
"calldata_variants": [
"0x13af4035",
"0x13af40350000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x18160ddd",
"selector": "0x18160ddd",
"calldata_variants": [
"0x18160ddd",
"0x18160ddd0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x23b872dd",
"selector": "0x23b872dd",
"calldata_variants": [
"0x23b872dd",
"0x23b872dd0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x2dcb5c8d",
"selector": "0x2dcb5c8d",
"calldata_variants": [
"0x2dcb5c8d",
"0x2dcb5c8d0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x313ce567",
"selector": "0x313ce567",
"calldata_variants": [
"0x313ce567",
"0x313ce5670000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x5a3b7e42",
"selector": "0x5a3b7e42",
"calldata_variants": [
"0x5a3b7e42",
"0x5a3b7e420000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"create_count": 0,
"create2_count": 2
}
|
| low | other | cast | Contract creation opcode present | 60 | no | — |
viewevidence_json{
"notes": "runtime can deploy contracts dynamically via CREATE/CREATE2",
"create_count": 0,
"create2_count": 2
}
|
| low | other | codex | CALLCODE opcode present in runtime bytecode (likely metadata, but dangerous if reachable) | 65 | no | — |
viewevidence_json{
"evidence": "Capability graph contains a callsite labeled call:2628 with opcode CALLCODE and no incoming control-flow edges to bb:2627, suggesting it is in a non-executable tail section.",
"locations": [
"pc:0x0a44"
],
"recommendation": "Confirm that no control-flow path can jump into the metadata tail. If custom assembly is used, remove CALLCODE or replace with safer patterns and ensure jump destinations are constrained to valid JUMPDESTs.",
"exploit_scenario": "The runtime bytecode contains a CALLCODE instruction in a tail region that appears to be data/metadata. If execution could ever be redirected into this region (e.g., via a malformed jump table or bytecode corruption), CALLCODE would execute external code in the contract\u2019s storage context, enabling full compromise. The capability graph shows no incoming edges to this block, so reachability is uncertain and likely false-positive."
}
|
| info | other | cast | Heavy CALL-family usage | 55 | no | — |
viewevidence_json{
"notes": "large number of CALL/CALLCODE/STATICCALL opcodes; review external call patterns",
"call_family_count": 12
}
|