019c0ea9-07fe-73e2-8bc7-22c2d64cf37d
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 41725 | artifact.fetch | complete | 1 / 3 | 2 months ago |
| 41726 | proxy.resolve | complete | 1 / 3 | 2 months ago |
| 41727 | tool.cast_disasm | complete | 1 / 3 | 2 months ago |
| 41728 | analysis.bundle | complete | 1 / 3 | 2 months ago |
| 41729 | capability.graph | complete | 1 / 3 | 2 months ago |
| 41730 | detector.run | complete | 1 / 3 | 2 months ago |
| 41731 | validation.fork | complete | 1 / 3 | 2 months ago |
| 42306 | report.consolidate | complete | 1 / 6 | 2 months ago |
| 42307 | tool.slither | failed | 2 / 2 | 2 months ago |
{
"method": "eip1967",
"status": "onchain_only",
"implementation": "0x52af16664155608b845be18aa29620ebf6ea2d3a",
"onchain_method": "eip1967"
}
Traceback (most recent call last):
File "/var/www/tripwire/worker/worker.py", line 198, in main
payload = dispatch_job(job_type, job_id, job_meta, run_data, config, laravel_client)
File "/var/www/tripwire/worker/worker.py", line 114, in dispatch_job
return slither_run.run(job_id, job_meta, run_data, config, log, laravel_client)
~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/var/www/tripwire/worker/jobs/slither_run.py", line 1084, in run
stdout_text, stderr_text, result_json = _run_slither(
~~~~~~~~~~~~^
workspace,
^^^^^^^^^^
...<4 lines>...
target_path=target_path,
^^^^^^^^^^^^^^^^^^^^^^^^
)
^
File "/var/www/tripwire/worker/jobs/slither_run.py", line 958, in _run_slither
raise RuntimeError(f"slither failed (exit {result.returncode}): {stderr_text or stdout_text}")
RuntimeError: slither failed (exit 1): 'forge clean' running (wd: /tmp/slither-q9zoxaze)
'forge config --json' running
'forge build --build-info --skip ./test/** ./script/** --force' running (wd: /tmp/slither-q9zoxaze)
Traceback (most recent call last):
File "/var/www/tripwire/.venv/bin/slither", line 10, in <module>
sys.exit(main())
~~~~^^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/slither/__main__.py", line 776, in main
main_impl(all_detector_classes=detectors, all_printer_classes=printers)
~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/slither/__main__.py", line 882, in main_impl
) = process_all(filename, args, detector_classes, printer_classes)
~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/slither/__main__.py", line 96, in process_all
compilations = compile_all(target, **vars(args))
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/crytic_compile/crytic_compile.py", line 722, in compile_all
compilations.append(CryticCompile(target, **kwargs))
~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/crytic_compile/crytic_compile.py", line 211, in __init__
self._compile(**kwargs)
~~~~~~~~~~~~~^^^^^^^^^^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/crytic_compile/crytic_compile.py", line 633, in _compile
self._platform.compile(self, **kwargs)
~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/crytic_compile/platform/foundry.py", line 102, in compile
hardhat_like_parsing(
~~~~~~~~~~~~~~~~~~~~^
crytic_compile, str(self._target), build_directory, str(self._project_root)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
)
^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/crytic_compile/platform/hardhat.py", line 52, in hardhat_like_parsing
raise InvalidCompilation(txt)
crytic_compile.platform.exceptions.InvalidCompilation: Compilation failed. Can you run build command?
/tmp/slither-q9zoxaze/out/build-info is not a directory.
{"no_findings":true,"summary":"No exploitable issues found in the first-party DAO implementation in the provided bundle; logic follows standard UUPS/permission patterns. Proxy mechanics at 0xf3fb… were not analyzed beyond the implementation code context.","findings":[]}
OpenAI Codex v0.77.0 (research preview)
--------
workdir: /tmp/codex-8hema7l9
model: gpt-5.2-codex
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: auto
session id: 019c0f05-c017-7d43-89ba-7ea056324b2a
--------
user
Context: The user requested the proxy at 0xf3fb403300e698082033e61f7c3cf780bce4da03.
Audit the implementation at 0x52af16664155608b845be18aa29620ebf6ea2d3a.
Findings should refer to the implementation unless explicitly about proxy mechanics.
You are a security auditor. Audit this Solidity codebase for exploitable vulnerabilities.
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation, oracle manipulation,
accounting/invariant breaks, external call patterns, unchecked return values, and dangerous delegatecall.
Scope rules:
- You MUST fully read `AUDIT_BUNDLE.txt` before concluding. It contains the complete contents of all first-party Solidity sources in this workspace.
- Treat `lib/` and `@openzeppelin/` as third-party dependencies; skip them unless there is a concrete misuse angle in first-party code.
- If there are only dependency files and no first-party sources, set no_findings=true and explain in summary.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title and file/line locations when possible.
Output constraints (IMPORTANT):
- severity MUST be exactly one of: info, low, medium, high, critical (lowercase).
- category MUST be exactly one of: access_control, reentrancy, math, oracle, upgradeability, auth, other.
Keep summary short and concrete.
mcp startup: no servers
exec
/bin/bash -lc ls in /tmp/codex-8hema7l9 succeeded in 5ms:
AUDIT_BUNDLE.txt
codex-output-schema.json
@openzeppelin
src
exec
/bin/bash -lc 'cat AUDIT_BUNDLE.txt' in /tmp/codex-8hema7l9 succeeded in 6ms:
This file concatenates the full contents of first-party Solidity sources for auditing.
Do not treat dependency code under lib/ or @openzeppelin/ as first-party.
================================================================================
FILE: src/core/dao/DAO.sol
================================================================================
// SPDX-License-Identifier: AGPL-3.0-or-later
pragma solidity 0.8.17;
import "@openzeppelin/contracts-upgradeable/utils/introspection/ERC165StorageUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/token/ERC20/utils/SafeERC20Upgradeable.sol";
import "@openzeppelin/contracts-upgradeable/token/ERC20/IERC20Upgradeable.sol";
import "@openzeppelin/contracts-upgradeable/token/ERC721/IERC721ReceiverUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/token/ERC1155/IERC1155Upgradeable.sol";
import "@openzeppelin/contracts-upgradeable/token/ERC1155/IERC1155ReceiverUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/utils/AddressUpgradeable.sol";
import "@openzeppelin/contracts/interfaces/IERC1271.sol";
exec
/bin/bash -lc "sed -n '1,200p' AUDIT_BUNDLE.txt" in /tmp/codex-8hema7l9 succeeded in 8ms:
This file concatenates the full contents of first-party Solidity sources for auditing.
Do not treat dependency code under lib/ or @openzeppelin/ as first-party.
================================================================================
FILE: src/core/dao/DAO.sol
================================================================================
// SPDX-License-Identifier: AGPL-3.0-or-later
pragma solidity 0.8.17;
import "@openzeppelin/contracts-upgradeable/utils/introspection/ERC165StorageUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import "@openzeppelin/contracts-upgradeable/proxy/utils/UUPSUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/token/ERC20/utils/SafeERC20Upgradeable.sol";
import "@openzeppelin/contracts-upgradeable/token/ERC20/IERC20Upgradeable.sol";
import "@openzeppelin/contracts-upgradeable/token/ERC721/IERC721ReceiverUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/token/ERC1155/IERC1155Upgradeable.sol";
import "@openzeppelin/contracts-upgradeable/token/ERC1155/IERC1155ReceiverUpgradeable.sol";
import "@openzeppelin/contracts-upgradeable/utils/AddressUpgradeable.sol";
import "@openzeppelin/contracts/interfaces/IERC1271.sol";
exec
/bin/bash -lc "sed -n '200,400p' AUDIT_BUNDLE.txt" in /tmp/codex-8hema7l9 succeeded in 6ms:
_permissionId == SET_TRUSTED_FORWARDER_PERMISSION_ID ||
_permissionId == SET_SIGNATURE_VALIDATOR_PERMISSION_ID ||
_permissionId == REGISTER_STANDARD_CALLBACK_PERMISSION_ID;
}
/// @notice Internal method authorizing the upgrade of the contract via the [upgradeability mechanism for UUPS proxies](https://docs.openzeppelin.com/contracts/4.x/api/proxy#UUPSUpgradeable) (see [ERC-1822](https://eips.ethereum.org/EIPS/eip-1822)).
/// @dev The caller must have the `UPGRADE_DAO_PERMISSION_ID` permission.
function _authorizeUpgrade(address) internal virtual override auth(UPGRADE_DAO_PERMISSION_ID) {}
/// @inheritdoc IDAO
function setTrustedForwarder(
address _newTrustedForwarder
) external override auth(SET_TRUSTED_FORWARDER_PERMISSION_ID) {
_setTrustedForwarder(_newTrustedForwarder);
}
/// @inheritdoc IDAO
function getTrustedForwarder() external view virtual override returns (address) {
return trustedForwarder;
}
exec
/bin/bash -lc "sed -n '400,600p' AUDIT_BUNDLE.txt" in /tmp/codex-8hema7l9 succeeded in 6ms:
bytes4 _callbackSelector,
bytes4 _magicNumber
) external override auth(REGISTER_STANDARD_CALLBACK_PERMISSION_ID) {
_registerInterface(_interfaceId);
_registerCallback(_callbackSelector, _magicNumber);
emit StandardCallbackRegistered(_interfaceId, _callbackSelector, _magicNumber);
}
/// @inheritdoc IEIP4824
function daoURI() external view returns (string memory) {
return _daoURI;
}
/// @notice Updates the set DAO URI to a new value.
/// @param newDaoURI The new DAO URI to be set.
function setDaoURI(string calldata newDaoURI) external auth(SET_METADATA_PERMISSION_ID) {
_setDaoURI(newDaoURI);
}
/// @notice Sets the new [ERC-4824](https://eips.ethereum.org/EIPS/eip-4824) DAO URI and emits the associated event.
exec
/bin/bash -lc "sed -n '600,800p' AUDIT_BUNDLE.txt" in /tmp/codex-8hema7l9 succeeded in 27ms:
interface IPermissionCondition {
/// @notice Checks if a call is permitted.
/// @param _where The address of the target contract.
/// @param _who The address (EOA or contract) for which the permissions are checked.
/// @param _permissionId The permission identifier.
/// @param _data Optional data passed to the `PermissionCondition` implementation.
/// @return isPermitted Returns true if the call is permitted.
function isGranted(
address _where,
address _who,
bytes32 _permissionId,
bytes calldata _data
) external view returns (bool isPermitted);
}
================================================================================
FILE: src/core/permission/PermissionCondition.sol
================================================================================
// SPDX-License-Identifier: AGPL-3.0-or-later
exec
/bin/bash -lc "sed -n '800,1000p' AUDIT_BUNDLE.txt" in /tmp/codex-8hema7l9 succeeded in 14ms:
_initializePermissionManager(_initialOwner);
}
/// @notice Grants permission to an address to call methods in a contract guarded by an auth modifier with the specified permission identifier.
/// @dev Requires the `ROOT_PERMISSION_ID` permission.
/// @param _where The address of the target contract for which `_who` receives permission.
/// @param _who The address (EOA or contract) receiving the permission.
/// @param _permissionId The permission identifier.
/// @dev Note, that granting permissions with `_who` or `_where` equal to `ANY_ADDR` does not replace other permissions with specific `_who` and `_where` addresses that exist in parallel.
function grant(
address _where,
address _who,
bytes32 _permissionId
) external virtual auth(ROOT_PERMISSION_ID) {
_grant(_where, _who, _permissionId);
}
/// @notice Grants permission to an address to call methods in a target contract guarded by an auth modifier with the specified permission identifier if the referenced condition permits it.
/// @dev Requires the `ROOT_PERMISSION_ID` permission
/// @param _where The address of the target contract for which `_who` receives permission.
exec
/bin/bash -lc "sed -n '1000,1200p' AUDIT_BUNDLE.txt" in /tmp/codex-8hema7l9 succeeded in 6ms:
who: _who,
permissionId: _permissionId,
currentCondition: currentCondition,
newCondition: conditionAddr
});
}
}
/// @notice This method is used in the public `revoke` method of the permission manager.
/// @param _where The address of the target contract for which `_who` receives permission.
/// @param _who The address (EOA or contract) owning the permission.
/// @param _permissionId The permission identifier.
/// @dev Note, that revoking permissions with `_who` or `_where` equal to `ANY_ADDR` does not revoke other permissions with specific `_who` and `_where` addresses that might have been granted in parallel.
function _revoke(address _where, address _who, bytes32 _permissionId) internal virtual {
bytes32 permHash = permissionHash(_where, _who, _permissionId);
if (permissionsHashed[permHash] != UNSET_FLAG) {
permissionsHashed[permHash] = UNSET_FLAG;
emit Revoked(_permissionId, msg.sender, _where, _who);
}
exec
/bin/bash -lc "sed -n '1200,1240p' AUDIT_BUNDLE.txt" in /tmp/codex-8hema7l9 succeeded in 18ms:
import {IProtocolVersion} from "./IProtocolVersion.sol";
/// @title ProtocolVersion
/// @author Aragon Association - 2023
/// @notice An abstract, stateless, non-upgradeable contract serves as a base for other contracts requiring awareness of the OSx protocol version.
/// @dev Do not add any new variables to this contract that would shift down storage in the inheritance chain.
abstract contract ProtocolVersion is IProtocolVersion {
// IMPORTANT: Do not add any storage variable, see the above notice.
/// @inheritdoc IProtocolVersion
function protocolVersion() public pure returns (uint8[3] memory) {
return [1, 3, 0];
}
}
codex
{"no_findings":true,"summary":"No exploitable issues found in the first-party DAO implementation in the provided bundle; logic follows standard UUPS/permission patterns. Proxy mechanics at 0xf3fb… were not analyzed beyond the implementation code context.","findings":[]}
tokens used
29,815
{
"codex": {
"ran_at": "2026-01-30T13:11:09.272695+00:00",
"returncode": 0
},
"project": {
"mode": "source",
"file_count": 30,
"import_count": 37,
"first_party_contracts_count": 11
},
"summary": "No exploitable issues found in the first-party DAO implementation in the provided bundle; logic follows standard UUPS/permission patterns. Proxy mechanics at 0xf3fb\u2026 were not analyzed beyond the implementation code context.",
"raw_final": {
"summary": "No exploitable issues found in the first-party DAO implementation in the provided bundle; logic follows standard UUPS/permission patterns. Proxy mechanics at 0xf3fb\u2026 were not analyzed beyond the implementation code context.",
"findings": [],
"no_findings": true
},
"no_findings": true,
"proxy_context": {
"proxy_run_id": "019c0ea9-07fe-73e2-8bc7-22c2d64cf37d",
"proxy_address": "0xf3fb403300e698082033e61f7c3cf780bce4da03",
"implementation_run_id": "019c0eaa-264c-7262-abcd-2f5c9d2c4512",
"implementation_address": "0x52af16664155608b845be18aa29620ebf6ea2d3a"
},
"schema_version": 1
}
00000000: PUSH1 0x80 00000002: PUSH1 0x40 00000004: MSTORE 00000005: CALLDATASIZE 00000006: PUSH2 0x0013 00000009: JUMPI 0000000a: PUSH2 0x0011 0000000d: PUSH2 0x0017 00000010: JUMP 00000011: JUMPDEST 00000012: STOP 00000013: JUMPDEST 00000014: PUSH2 0x0011 00000017: JUMPDEST 00000018: PUSH2 0x0027 0000001b: PUSH2 0x0022 0000001e: PUSH2 0x0074 00000021: JUMP 00000022: JUMPDEST 00000023: PUSH2 0x00b9 00000026: JUMP 00000027: JUMPDEST 00000028: JUMP 00000029: JUMPDEST 0000002a: PUSH1 0x60 0000002c: PUSH2 0x004e 0000002f: DUP4 00000030: DUP4 00000031: PUSH1 0x40 00000033: MLOAD 00000034: DUP1 00000035: PUSH1 0x60 00000037: ADD 00000038: PUSH1 0x40 0000003a: MSTORE 0000003b: DUP1 0000003c: PUSH1 0x27 0000003e: DUP2 0000003f: MSTORE 00000040: PUSH1 0x20 00000042: ADD 00000043: PUSH2 0x02e5 00000046: PUSH1 0x27 00000048: SWAP2 00000049: CODECOPY 0000004a: PUSH2 0x00dd 0000004d: JUMP 0000004e: JUMPDEST 0000004f: SWAP4 00000050: SWAP3 00000051: POP 00000052: POP 00000053: POP 00000054: JUMP 00000055: JUMPDEST 00000056: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000006b: AND 0000006c: EXTCODESIZE 0000006d: ISZERO 0000006e: ISZERO 0000006f: SWAP1 00000070: JUMP 00000071: JUMPDEST 00000072: SWAP1 00000073: JUMP 00000074: JUMPDEST 00000075: PUSH1 0x00 00000077: PUSH2 0x00b4 0000007a: PUSH32 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc 0000009b: SLOAD 0000009c: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000000b1: AND 000000b2: SWAP1 000000b3: JUMP 000000b4: JUMPDEST 000000b5: SWAP1 000000b6: POP 000000b7: SWAP1 000000b8: JUMP 000000b9: JUMPDEST 000000ba: CALLDATASIZE 000000bb: PUSH1 0x00 000000bd: DUP1 000000be: CALLDATACOPY 000000bf: PUSH1 0x00 000000c1: DUP1 000000c2: CALLDATASIZE 000000c3: PUSH1 0x00 000000c5: DUP5 000000c6: GAS 000000c7: DELEGATECALL 000000c8: RETURNDATASIZE 000000c9: PUSH1 0x00 000000cb: DUP1 000000cc: RETURNDATACOPY 000000cd: DUP1 000000ce: DUP1 000000cf: ISZERO 000000d0: PUSH2 0x00d8 000000d3: JUMPI 000000d4: 
RETURNDATASIZE 000000d5: PUSH1 0x00 000000d7: RETURN 000000d8: JUMPDEST 000000d9: RETURNDATASIZE 000000da: PUSH1 0x00 000000dc: REVERT 000000dd: JUMPDEST 000000de: PUSH1 0x60 000000e0: PUSH1 0x00 000000e2: DUP1 000000e3: DUP6 000000e4: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 000000f9: AND 000000fa: DUP6 000000fb: PUSH1 0x40 000000fd: MLOAD 000000fe: PUSH2 0x0107 00000101: SWAP2 00000102: SWAP1 00000103: PUSH2 0x0277 00000106: JUMP 00000107: JUMPDEST 00000108: PUSH1 0x00 0000010a: PUSH1 0x40 0000010c: MLOAD 0000010d: DUP1 0000010e: DUP4 0000010f: SUB 00000110: DUP2 00000111: DUP6 00000112: GAS 00000113: DELEGATECALL 00000114: SWAP2 00000115: POP 00000116: POP 00000117: RETURNDATASIZE 00000118: DUP1 00000119: PUSH1 0x00 0000011b: DUP2 0000011c: EQ 0000011d: PUSH2 0x0142 00000120: JUMPI 00000121: PUSH1 0x40 00000123: MLOAD 00000124: SWAP2 00000125: POP 00000126: PUSH1 0x1f 00000128: NOT 00000129: PUSH1 0x3f 0000012b: RETURNDATASIZE 0000012c: ADD 0000012d: AND 0000012e: DUP3 0000012f: ADD 00000130: PUSH1 0x40 00000132: MSTORE 00000133: RETURNDATASIZE 00000134: DUP3 00000135: MSTORE 00000136: RETURNDATASIZE 00000137: PUSH1 0x00 00000139: PUSH1 0x20 0000013b: DUP5 0000013c: ADD 0000013d: RETURNDATACOPY 0000013e: PUSH2 0x0147 00000141: JUMP 00000142: JUMPDEST 00000143: PUSH1 0x60 00000145: SWAP2 00000146: POP 00000147: JUMPDEST 00000148: POP 00000149: SWAP2 0000014a: POP 0000014b: SWAP2 0000014c: POP 0000014d: PUSH2 0x0158 00000150: DUP7 00000151: DUP4 00000152: DUP4 00000153: DUP8 00000154: PUSH2 0x0162 00000157: JUMP 00000158: JUMPDEST 00000159: SWAP7 0000015a: SWAP6 0000015b: POP 0000015c: POP 0000015d: POP 0000015e: POP 0000015f: POP 00000160: POP 00000161: JUMP 00000162: JUMPDEST 00000163: PUSH1 0x60 00000165: DUP4 00000166: ISZERO 00000167: PUSH2 0x01fd 0000016a: JUMPI 0000016b: DUP3 0000016c: MLOAD 0000016d: PUSH1 0x00 0000016f: SUB 00000170: PUSH2 0x01f6 00000173: JUMPI 00000174: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000189: DUP6 0000018a: 
AND 0000018b: EXTCODESIZE 0000018c: PUSH2 0x01f6 0000018f: JUMPI 00000190: PUSH1 0x40 00000192: MLOAD 00000193: PUSH32 0x08c379a000000000000000000000000000000000000000000000000000000000 000001b4: DUP2 000001b5: MSTORE 000001b6: PUSH1 0x20 000001b8: PUSH1 0x04 000001ba: DUP3 000001bb: ADD 000001bc: MSTORE 000001bd: PUSH1 0x1d 000001bf: PUSH1 0x24 000001c1: DUP3 000001c2: ADD 000001c3: MSTORE 000001c4: PUSH32 0x416464726573733a2063616c6c20746f206e6f6e2d636f6e7472616374000000 000001e5: PUSH1 0x44 000001e7: DUP3 000001e8: ADD 000001e9: MSTORE 000001ea: PUSH1 0x64 000001ec: ADD 000001ed: JUMPDEST 000001ee: PUSH1 0x40 000001f0: MLOAD 000001f1: DUP1 000001f2: SWAP2 000001f3: SUB 000001f4: SWAP1 000001f5: REVERT 000001f6: JUMPDEST 000001f7: POP 000001f8: DUP2 000001f9: PUSH2 0x0207 000001fc: JUMP 000001fd: JUMPDEST 000001fe: PUSH2 0x0207 00000201: DUP4 00000202: DUP4 00000203: PUSH2 0x020f 00000206: JUMP 00000207: JUMPDEST 00000208: SWAP5 00000209: SWAP4 0000020a: POP 0000020b: POP 0000020c: POP 0000020d: POP 0000020e: JUMP 0000020f: JUMPDEST 00000210: DUP2 00000211: MLOAD 00000212: ISZERO 00000213: PUSH2 0x021f 00000216: JUMPI 00000217: DUP2 00000218: MLOAD 00000219: DUP1 0000021a: DUP4 0000021b: PUSH1 0x20 0000021d: ADD 0000021e: REVERT 0000021f: JUMPDEST 00000220: DUP1 00000221: PUSH1 0x40 00000223: MLOAD 00000224: PUSH32 0x08c379a000000000000000000000000000000000000000000000000000000000 00000245: DUP2 00000246: MSTORE 00000247: PUSH1 0x04 00000249: ADD 0000024a: PUSH2 0x01ed 0000024d: SWAP2 0000024e: SWAP1 0000024f: PUSH2 0x0293 00000252: JUMP 00000253: JUMPDEST 00000254: PUSH1 0x00 00000256: JUMPDEST 00000257: DUP4 00000258: DUP2 00000259: LT 0000025a: ISZERO 0000025b: PUSH2 0x026e 0000025e: JUMPI 0000025f: DUP2 00000260: DUP2 00000261: ADD 00000262: MLOAD 00000263: DUP4 00000264: DUP3 00000265: ADD 00000266: MSTORE 00000267: PUSH1 0x20 00000269: ADD 0000026a: PUSH2 0x0256 0000026d: JUMP 0000026e: JUMPDEST 0000026f: POP 00000270: POP 00000271: PUSH1 0x00 00000273: 
SWAP2 00000274: ADD 00000275: MSTORE 00000276: JUMP 00000277: JUMPDEST 00000278: PUSH1 0x00 0000027a: DUP3 0000027b: MLOAD 0000027c: PUSH2 0x0289 0000027f: DUP2 00000280: DUP5 00000281: PUSH1 0x20 00000283: DUP8 00000284: ADD 00000285: PUSH2 0x0253 00000288: JUMP 00000289: JUMPDEST 0000028a: SWAP2 0000028b: SWAP1 0000028c: SWAP2 0000028d: ADD 0000028e: SWAP3 0000028f: SWAP2 00000290: POP 00000291: POP 00000292: JUMP 00000293: JUMPDEST 00000294: PUSH1 0x20 00000296: DUP2 00000297: MSTORE 00000298: PUSH1 0x00 0000029a: DUP3 0000029b: MLOAD 0000029c: DUP1 0000029d: PUSH1 0x20 0000029f: DUP5 000002a0: ADD 000002a1: MSTORE 000002a2: PUSH2 0x02b2 000002a5: DUP2 000002a6: PUSH1 0x40 000002a8: DUP6 000002a9: ADD 000002aa: PUSH1 0x20 000002ac: DUP8 000002ad: ADD 000002ae: PUSH2 0x0253 000002b1: JUMP 000002b2: JUMPDEST 000002b3: PUSH1 0x1f 000002b5: ADD 000002b6: PUSH32 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe0 000002d7: AND 000002d8: SWAP2 000002d9: SWAP1 000002da: SWAP2 000002db: ADD 000002dc: PUSH1 0x40 000002de: ADD 000002df: SWAP3 000002e0: SWAP2 000002e1: POP 000002e2: POP 000002e3: JUMP 000002e4: INVALID 000002e5: COINBASE 000002e6: PUSH5 0x6472657373 000002ec: GASPRICE 000002ed: KECCAK256 000002ee: PUSH13 0x6f772d6c6576656c2064656c65 000002fc: PUSH8 0x6174652063616c6c 00000305: KECCAK256 00000306: PUSH7 0x61696c6564a264 0000030e: PUSH10 0x70667358221220a7c6f2 00000319: UNKNOWN(0xFC) 0000031a: UNKNOWN(0xB7) 0000031b: DUP13 0000031c: PUSH28 0x4c40d8fd8b3b79a2770d3af4a9e7da56689bfa5ce2c1ce5a2164736f 00000339: PUSH13
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed |
|---|---|---|---|---|---|---|
| critical | upgradeability | detector | Untrusted DELEGATECALL target reachable | 70 | no | no |
| medium | upgradeability | cast | DELEGATECALL present | 80 | no | — |

Details (detector: Untrusted DELEGATECALL target reachable)
trace_id: 0x311183aa06a8216f1bca577be23d3d4296e804697b2616ee980a53231862795b
call_targets: 0x52af16664155608b845be18aa29620ebf6ea2d3a
target_varies: no
classification: constant_target
validation_json
{
"sink": "DELEGATECALL",
"errors": 0,
"status": "sink_reached",
"attempts": 1,
"trace_id": "0x311183aa06a8216f1bca577be23d3d4296e804697b2616ee980a53231862795b",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0x52af16664155608b845be18aa29620ebf6ea2d3a"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json
{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x",
"selector": "fallback",
"calldata_variants": [
"0x"
]
}
]
}
evidence_json
{
"examples": [
{
"pc": 199,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
},
{
"pc": 275,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
}
],
"guards_detected": [],
"delegatecall_count": 2,
"untrusted_delegatecall_count": 2
}

Details (cast: DELEGATECALL present)
evidence_json
{
"notes": "delegatecall enables execution in caller context; common in proxies/upgradeable patterns",
"delegatecall_count": 2
}