019c0ea9-090d-708e-8500-724695b54269
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 41977 | artifact.fetch | complete | 1 / 3 | 2 months ago |
| 41978 | proxy.resolve | complete | 1 / 3 | 2 months ago |
| 41979 | tool.cast_disasm | complete | 1 / 3 | 2 months ago |
| 41980 | analysis.bundle | complete | 1 / 3 | 2 months ago |
| 41981 | capability.graph | complete | 1 / 3 | 2 months ago |
| 41982 | detector.run | complete | 1 / 3 | 2 months ago |
| 41983 | validation.fork | complete | 1 / 3 | 2 months ago |
| 42386 | report.consolidate | complete | 1 / 6 | 2 months ago |
| 42387 | tool.slither | failed | 2 / 2 | 2 months ago |
{
"method": "eip1967",
"status": "onchain_only",
"implementation": "0x9c3a4329ff26934b04312162f83c8f69d52aa060",
"onchain_method": "eip1967"
}
Traceback (most recent call last):
File "/var/www/tripwire/worker/worker.py", line 198, in main
payload = dispatch_job(job_type, job_id, job_meta, run_data, config, laravel_client)
File "/var/www/tripwire/worker/worker.py", line 114, in dispatch_job
return slither_run.run(job_id, job_meta, run_data, config, log, laravel_client)
~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/var/www/tripwire/worker/jobs/slither_run.py", line 1084, in run
stdout_text, stderr_text, result_json = _run_slither(
~~~~~~~~~~~~^
workspace,
^^^^^^^^^^
...<4 lines>...
target_path=target_path,
^^^^^^^^^^^^^^^^^^^^^^^^
)
^
File "/var/www/tripwire/worker/jobs/slither_run.py", line 958, in _run_slither
raise RuntimeError(f"slither failed (exit {result.returncode}): {stderr_text or stdout_text}")
RuntimeError: slither failed (exit 1): 'forge clean' running (wd: /tmp/slither-49r6_wu0)
'forge config --json' running
'forge build --build-info --skip ./test/** ./script/** --force' running (wd: /tmp/slither-49r6_wu0)
Traceback (most recent call last):
File "/var/www/tripwire/.venv/bin/slither", line 10, in <module>
sys.exit(main())
~~~~^^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/slither/__main__.py", line 776, in main
main_impl(all_detector_classes=detectors, all_printer_classes=printers)
~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/slither/__main__.py", line 882, in main_impl
) = process_all(filename, args, detector_classes, printer_classes)
~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/slither/__main__.py", line 96, in process_all
compilations = compile_all(target, **vars(args))
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/crytic_compile/crytic_compile.py", line 722, in compile_all
compilations.append(CryticCompile(target, **kwargs))
~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/crytic_compile/crytic_compile.py", line 211, in __init__
self._compile(**kwargs)
~~~~~~~~~~~~~^^^^^^^^^^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/crytic_compile/crytic_compile.py", line 633, in _compile
self._platform.compile(self, **kwargs)
~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/crytic_compile/platform/foundry.py", line 102, in compile
hardhat_like_parsing(
~~~~~~~~~~~~~~~~~~~~^
crytic_compile, str(self._target), build_directory, str(self._project_root)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
)
^
File "/var/www/tripwire/.venv/lib/python3.13/site-packages/crytic_compile/platform/hardhat.py", line 52, in hardhat_like_parsing
raise InvalidCompilation(txt)
crytic_compile.platform.exceptions.InvalidCompilation: Compilation failed. Can you run build command?
/tmp/slither-49r6_wu0/out/build-info is not a directory.
{"no_findings":false,"summary":"One low-severity access control/centralization risk observed: a privileged function can issue arbitrary external calls (including ETH value) based on calldata.","findings":[{"severity":"low","category":"access_control","title":"Privileged arbitrary external call can move ETH/tokens","exploit_scenario":"If the role stored in slot 0x03 (used in the caller check) is compromised or misconfigured, an attacker can invoke selector 0xfe9ae209 to perform arbitrary CALLs with calldata‑supplied target/value, potentially draining ETH/tokens or invoking arbitrary contracts.","recommendation":"Confirm this admin/execute capability is intentional. Restrict it to a multisig/timelock, and consider allow‑listing targets or removing the capability entirely if not required.","evidence":"In selector 0xfe9ae209, the code checks caller against a masked SLOAD from slot 0x03 (pc:0x731) and then executes a raw CALL with computed parameters (pc:0x7ab). The callsite is marked as computed target/value in the bundle (callsite pc 1963).","locations":["selector:0xfe9ae209","pc:0x731","pc:0x7ab"]}]}
OpenAI Codex v0.77.0 (research preview)
--------
workdir: /tmp/codex-wucv6ne8
model: gpt-5.2-codex
provider: openai
approval: never
sandbox: read-only
reasoning effort: high
reasoning summaries: auto
session id: 019c0f51-8dc0-7b11-978d-205c35ec42a1
--------
user
Context: The user requested the proxy at 0x32e297877fec71e93ff3bb40e1fb10f9f9c32800.
Audit the implementation at 0x9c3a4329ff26934b04312162f83c8f69d52aa060.
Findings should refer to the implementation unless explicitly about proxy mechanics.
You are a security auditor. You ONLY have runtime bytecode + analysis artifacts.
You MUST read `BYTECODE_BUNDLE.json` before concluding; it contains the bytecode summary,
evidence bundle, callsites, storage slots, and detector findings.
Special cases when reasoning from bytecode (be explicit about uncertainty):
- Selector inference is best-effort; missing selectors are common.
- Fallback/receive paths may be the only entrypoints.
- CALL vs DELEGATECALL semantics differ; DELEGATECALL executes in caller storage.
- Proxy patterns (EIP-1967, minimal proxies, beacon) change which storage is authoritative.
- Storage slots are raw; mappings/arrays appear via keccak patterns, names are unknown.
- Guard detection is heuristic; absence of guards does NOT mean unguarded.
- Returndata checking is unknown unless explicitly shown in evidence.
- Precompiles (0x1..0x9) and common ERC20 transfer selectors may appear; do not over-claim.
Output MUST be valid JSON matching the provided schema.
- If you find nothing meaningful: set no_findings=true and findings=[].
- Otherwise: set no_findings=false and include findings with severity/category/title.
- Locations can be pc references like "pc:0x123" or selectors like "selector:0xa9059cbb".
Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation,
accounting/invariant breaks, dangerous delegatecall, and untrusted external calls.
Be conservative: if evidence is weak, mark severity low/medium and explain why.
mcp startup: no servers
exec
/bin/bash -lc ls in /tmp/codex-wucv6ne8 succeeded in 9ms:
BYTECODE_BUNDLE.json
codex-output-schema.json
exec
/bin/bash -lc 'cat BYTECODE_BUNDLE.json' in /tmp/codex-wucv6ne8 succeeded in 9ms:
{
"analysis_artifact": {
"address": "0x9c3a4329ff26934b04312162f83c8f69d52aa060",
"artifact_hash": "0xa7dd2b6e8e3cb0d649103d99290b549346171b94a19c1a2d73d2b0c46cd18ee9",
"artifact_json": {
"auth": {
"guards": []
},
"basic_blocks": [
{
"end_pc": 12,
"hash": "0xd1922a9ce9b117ded240b43eeb59ae63961b5f856ae439922b81171ded1b6c50",
"opcodes": [
"PUSH1",
"PUSH1",
"MSTORE",
"PUSH1",
"CALLDATASIZE",
"LT",
"PUSH2",
exec
/bin/bash -lc 'rg -n "evidence|summary|storage|slot|selector|callsite|function" BYTECODE_BUNDLE.json | head -n 200' in /tmp/codex-wucv6ne8 succeeded in 11ms:
12250: "callsites": [
15820: "dispatcher_type": "selector_jump_table",
15821: "function_entries": [
15824: "selector": "0xea7b42a6"
15828: "selector": "0xf2fde38b"
15832: "selector": "0xf7b188a5"
15836: "selector": "0xfa52c7d8"
15840: "selector": "0xfe9ae209"
15844: "selector": "0xcdc18424"
15848: "selector": "0xdc038251"
15852: "selector": "0xe0591af3"
15856: "selector": "0xe1ffe8b9"
15860: "selector": "0xafbc7011"
15864: "selector": "0xc0c53b8b"
15868: "selector": "0xc30f2e87"
15872: "selector": "0xc7977be7"
15876: "selector": "0x7c374f99"
15880: "selector": "0x82787cda"
15884: "selector": "0x86013de5"
15888: "selector": "0x8da5cb5b"
exec
/bin/bash -lc "sed -n '12180,12380p' BYTECODE_BUNDLE.json" in /tmp/codex-wucv6ne8 succeeded in 10ms:
"JUMPDEST",
"OP_81",
"CALLDATALOAD",
"PUSH1",
"OP_81",
"AND",
"OP_81",
"EQ",
"PUSH2",
"JUMPI"
],
"start_pc": 11651
},
{
"end_pc": 11667,
"hash": "0xbef72f9d17e593a247a033f5002f38a6f1eb74c8e762d7fe90a20f3e988dd142",
"opcodes": [
"PUSH1",
"OP_80",
"REVERT"
exec
/bin/bash -lc "python - <<'PY'
import json
import sys
from pathlib import Path
path=Path('BYTECODE_BUNDLE.json')
obj=json.loads(path.read_text())
blocks=obj['analysis_artifact']['artifact_json']['basic_blocks']
pcs=[1963,7422,7740,9168,9611,7248,7831,7998,8976,9483]
for pc in pcs:
blk=None
for b in blocks:
if b.get('start_pc') is not None and b.get('end_pc') is not None and b['start_pc']<=pc<=b['end_pc']:
blk=b
break
print('pc',pc,'block',blk.get('start_pc'),blk.get('end_pc'))
if blk:
ops=blk.get('opcodes',[])
print('ops',ops)
print('---')
PY" in /tmp/codex-wucv6ne8 succeeded in 46ms:
pc 1963 block 1934 1977
ops ['JUMPDEST', 'PUSH1', 'OP_82', 'PUSH1', 'PUSH1', 'PUSH1', 'SHL', 'SUB', 'AND', 'OP_82', 'PUSH1', 'MLOAD', 'PUSH1', 'PUSH1', 'MLOAD', 'OP_80', 'OP_83', 'SUB', 'OP_81', 'OP_85', 'OP_87', 'GAS', 'CALL', 'OP_92', 'POP', 'POP', 'POP', 'RETURNDATASIZE', 'OP_80', 'PUSH1', 'OP_81', 'EQ', 'PUSH2', 'JUMPI']
---
pc 7422 block 7408 7435
ops ['JUMPDEST', 'PUSH1', 'PUSH1', 'MLOAD', 'OP_80', 'OP_83', 'SUB', 'OP_81', 'PUSH1', 'OP_86', 'GAS', 'CALL', 'OP_91', 'POP', 'POP', 'RETURNDATASIZE', 'OP_80', 'PUSH1', 'OP_81', 'EQ', 'PUSH2', 'JUMPI']
---
pc 7740 block 7737 7747
ops ['JUMPDEST', 'POP', 'GAS', 'CALL', 'ISZERO', 'OP_80', 'ISZERO', 'PUSH2', 'JUMPI']
---
pc 9168 block 9150 9173
ops ['JUMPDEST', 'PUSH1', 'OP_80', 'PUSH1', 'PUSH1', 'OP_84', 'MLOAD', 'PUSH1', 'OP_86', 'ADD', 'PUSH1', 'OP_88', 'GAS', 'CALL', 'OP_80', 'PUSH2', 'JUMPI']
---
pc 9611 block 9583 9625
ops ['PUSH1', 'OP_82', 'PUSH1', 'PUSH1', 'PUSH1', 'SHL', 'SUB', 'AND', 'OP_82', 'PUSH1', 'MLOAD', 'PUSH1', 'PUSH1', 'MLOAD', 'OP_80', 'OP_83', 'SUB', 'OP_81', 'OP_85', 'OP_87', 'GAS', 'CALL', 'OP_92', 'POP', 'POP', 'POP', 'RETURNDATASIZE', 'OP_80', 'PUSH1', 'OP_81', 'EQ', 'PUSH2', 'JUMPI']
---
pc 7248 block 7195 7255
ops ['JUMPDEST', 'PUSH1', 'MLOAD', 'PUSH4', 'PUSH1', 'SHL', 'OP_81', 'MSTORE', 'ADDRESS', 'PUSH1', 'OP_82', 'ADD', 'MSTORE', 'PUSH1', 'PUSH1', 'PUSH1', 'SHL', 'SUB', 'OP_91', 'OP_90', 'OP_91', 'AND', 'OP_90', 'PUSH4', 'OP_90', 'PUSH1', 'ADD', 'PUSH1', 'PUSH1', 'MLOAD', 'OP_80', 'OP_83', 'SUB', 'OP_81', 'OP_86', 'GAS', 'STATICCALL', 'ISZERO', 'OP_80', 'ISZERO', 'PUSH2', 'JUMPI']
---
pc 7831 block 7778 7838
ops ['JUMPDEST', 'PUSH1', 'MLOAD', 'PUSH4', 'PUSH1', 'SHL', 'OP_81', 'MSTORE', 'ADDRESS', 'PUSH1', 'OP_82', 'ADD', 'MSTORE', 'PUSH1', 'PUSH1', 'PUSH1', 'SHL', 'SUB', 'OP_91', 'OP_90', 'OP_91', 'AND', 'OP_90', 'PUSH4', 'OP_90', 'PUSH1', 'ADD', 'PUSH1', 'PUSH1', 'MLOAD', 'OP_80', 'OP_83', 'SUB', 'OP_81', 'OP_86', 'GAS', 'STATICCALL', 'ISZERO', 'OP_80', 'ISZERO', 'PUSH2', 'JUMPI']
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
blocks=obj['analysis_artifact']['artifact_json']['basic_blocks']
count=0
pcs=[]
for b in blocks:
ops=b.get('opcodes') or []
if 'CALLER' in ops:
count+=1
pcs.append((b['start_pc'],b['end_pc']))
print('blocks with CALLER',count)
print('first few',pcs[:10])
PY" in /tmp/codex-wucv6ne8 succeeded in 50ms:
blocks with CALLER 14
first few [(1841, 1859), (2152, 2165), (2585, 2648), (3182, 3207), (3225, 3241), (3479, 3497), (5005, 5018), (5448, 5513), (6038, 6087), (6103, 6128)]
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
blocks=obj['analysis_artifact']['artifact_json']['basic_blocks']
pcs=[1841,2152,2585,3182,3225,3479,5005,5448,6038,6103,6685,6966,8662,9381]
# if we know all maybe others; find all blocks with CALLER
for b in blocks:
if 'CALLER' in (b.get('opcodes') or []):
print('block',b['start_pc'],b['end_pc'])
print(b['opcodes'])
print('---')
PY" in /tmp/codex-wucv6ne8 succeeded in 65ms:
block 1841 1859
['JUMPDEST', 'PUSH1', 'SLOAD', 'PUSH1', 'PUSH1', 'PUSH1', 'SHL', 'SUB', 'AND', 'CALLER', 'EQ', 'PUSH2', 'JUMPI']
---
block 2152 2165
['JUMPDEST', 'CALLER', 'PUSH2', 'PUSH1', 'OP_83', 'ADD', 'OP_83', 'PUSH2', 'JUMP']
---
block 2585 2648
['JUMPDEST', 'OP_90', 'OP_81', 'MSTORE', 'PUSH1', 'OP_80', 'MLOAD', 'PUSH1', 'OP_92', 'OP_81', 'OP_90', 'SUB', 'OP_83', 'ADD', 'OP_90', 'SHA3', 'OP_80', 'SLOAD', 'PUSH1', 'NOT', 'AND', 'OP_93', 'ISZERO', 'ISZERO', 'OP_93', 'OP_90', 'OP_93', 'OR', 'OP_90', 'OP_92', 'SSTORE', 'CALLER', 'PUSH1', 'OP_90', 'OP_81', 'MSTORE', 'PUSH1', 'OP_82', 'MSTORE', 'OP_82', 'OP_81', 'SHA3', 'OP_92', 'OP_88', 'ADD', 'CALLDATALOAD', 'OP_92', 'OP_91', 'PUSH2', 'OP_90', 'OP_89', 'ADD', 'OP_89', 'PUSH2', 'JUMP']
---
block 3182 3207
['JUMPDEST', 'PUSH2', 'CALLER', 'ADDRESS', 'PUSH1', 'OP_85', 'ADD', 'CALLDATALOAD', 'PUSH2', 'PUSH1', 'OP_87', 'ADD', 'PUSH1', 'OP_88', 'ADD', 'PUSH2', 'JUMP']
---
block 3225 3241
['JUMPDEST', 'PUSH1', 'OP_80', 'SLOAD', 'CALLER', 'OP_91', 'PUSH1', 'PUSH2', 'OP_83', 'PUSH2', 'JUMP']
---
block 3479 3497
['JUMPDEST', 'PUSH1', 'SLOAD', 'PUSH1', 'PUSH1', 'PUSH1', 'SHL', 'SUB', 'AND', 'CALLER', 'EQ', 'PUSH2', 'JUMPI']
---
block 5005 5018
['JUMPDEST', 'CALLER', 'PUSH2', 'PUSH1', 'OP_83', 'ADD', 'OP_83', 'PUSH2', 'JUMP']
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
func_entries=obj['analysis_artifact']['artifact_json'].get('function_entries') or obj['analysis_artifact']['artifact_json'].get('functions')
print('function_entries',len(func_entries) if func_entries else None)
if func_entries:
print(func_entries[:5])
functions=obj['analysis_artifact']['artifact_json'].get('functions')
print('functions',len(functions) if functions else None)
print(functions[:2])
PY" in /tmp/codex-wucv6ne8 succeeded in 52ms:
function_entries 33
[{'entry_pc': 3933946534, 'selector': '0xea7b42a6'}, {'entry_pc': 4155607205, 'selector': '0xf2fde38b'}, {'entry_pc': 4199729112, 'selector': '0xf7b188a5'}, {'entry_pc': 4271563273, 'selector': '0xfa52c7d8'}, {'entry_pc': None, 'selector': '0xfe9ae209'}]
functions 33
[{'auth': {'guards': []}, 'entry_pc': 3933946534, 'selector': '0xea7b42a6', 'sinks': {'call': 5, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 5}, 'storage': {'reads': 68, 'slots': [{'op': 'SLOAD', 'pc': 678, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000001'}, {'op': 'SLOAD', 'pc': 729, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000004'}, {'op': 'SLOAD', 'pc': 956, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000002'}, {'op': 'SLOAD', 'pc': 1020, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000020'}, {'op': 'SLOAD', 'pc': 1272, 'slot': '0x9016d09d72d40fdae2fd8ceac6b6234c7706214fd39c1cd1e609a0528c199300'}, {'op': 'SLOAD', 'pc': 1437, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000003'}, {'op': 'SLOAD', 'pc': 1546, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000005'}, {'op': 'SLOAD', 'pc': 1669, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000006'}, {'op': 'SLOAD', 'pc': 1723, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000003'}, {'op': 'SLOAD', 'pc': 1844, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000003'}, {'op': 'SLOAD', 'pc': 2054, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000001'}, {'op': 'SLOAD', 'pc': 2497, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000002'}, {'op': 'SLOAD', 'pc': 2507, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000002'}, {'op': 'SLOAD', 'pc': 2686, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 2876, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SSTORE', 'pc': 2992, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 3101, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 3229, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000001'}, {'op': 'SLOAD', 'pc': 3300, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SSTORE', 'pc': 3379, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 3426, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000002'}, {'op': 'SLOAD', 'pc': 3482, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000003'}, {'op': 'SLOAD', 'pc': 3636, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 4042, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 4605, 'slot': '0xf0c57e16840df040f15088dc2f81fe391c3923bec73e23a9662efc9c229c6a00'}, {'op': 'SLOAD', 'pc': 4865, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000003'}, {'op': 'SLOAD', 'pc': 4896, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000004'}, {'op': 'SLOAD', 'pc': 5168, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000002'}, {'op': 'SLOAD', 'pc': 5178, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000002'}, {'op': 'SLOAD', 'pc': 5263, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 5279, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 5551, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SSTORE', 'pc': 5796, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 5880, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000004'}, {'op': 'SLOAD', 'pc': 6076, 'slot': '0x9016d09d72d40fdae2fd8ceac6b6234c7706214fd39c1cd1e609a0528c199300'}, {'op': 'SLOAD', 'pc': 6145, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000020'}, {'op': 'SLOAD', 'pc': 6195, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000020'}, {'op': 'SSTORE', 'pc': 6516, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 6610, 'slot': '0x9016d09d72d40fdae2fd8ceac6b6234c7706214fd39c1cd1e609a0528c199300'}, {'op': 'SLOAD', 'pc': 7028, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000001'}, {'op': 'SLOAD', 'pc': 7332, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000004'}, {'op': 'SLOAD', 'pc': 7369, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000004'}, {'op': 'SLOAD', 'pc': 7666, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000004'}, {'op': 'SLOAD', 'pc': 8227, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000001'}, {'op': 'SLOAD', 'pc': 8411, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000020'}, {'op': 'SSTORE', 'pc': 8420, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 8510, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000020'}, {'op': 'SSTORE', 'pc': 8516, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 8565, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 9297, 'slot': '0xf0c57e16840df040f15088dc2f81fe391c3923bec73e23a9662efc9c229c6a00'}, {'op': 'SLOAD', 'pc': 9361, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000020'}, {'op': 'SSTORE', 'pc': 9367, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 9734, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000020'}], 'writes': 32}}, {'auth': {'guards': []}, 'entry_pc': 4155607205, 'selector': '0xf2fde38b', 'sinks': {'call': 5, 'delegatecall': 0, 'selfdestruct': 0, 'staticcall': 5}, 'storage': {'reads': 68, 'slots': [{'op': 'SLOAD', 'pc': 678, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000001'}, {'op': 'SLOAD', 'pc': 729, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000004'}, {'op': 'SLOAD', 'pc': 956, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000002'}, {'op': 'SLOAD', 'pc': 1020, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000020'}, {'op': 'SLOAD', 'pc': 1272, 'slot': '0x9016d09d72d40fdae2fd8ceac6b6234c7706214fd39c1cd1e609a0528c199300'}, {'op': 'SLOAD', 'pc': 1437, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000003'}, {'op': 'SLOAD', 'pc': 1546, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000005'}, {'op': 'SLOAD', 'pc': 1669, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000006'}, {'op': 'SLOAD', 'pc': 1723, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000003'}, {'op': 'SLOAD', 'pc': 1844, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000003'}, {'op': 'SLOAD', 'pc': 2054, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000001'}, {'op': 'SLOAD', 'pc': 2497, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000002'}, {'op': 'SLOAD', 'pc': 2507, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000002'}, {'op': 'SLOAD', 'pc': 2686, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 2876, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SSTORE', 'pc': 2992, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 3101, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 3229, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000001'}, {'op': 'SLOAD', 'pc': 3300, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SSTORE', 'pc': 3379, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 3426, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000002'}, {'op': 'SLOAD', 'pc': 3482, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000003'}, {'op': 'SLOAD', 'pc': 3636, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 4042, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 4605, 'slot': '0xf0c57e16840df040f15088dc2f81fe391c3923bec73e23a9662efc9c229c6a00'}, {'op': 'SLOAD', 'pc': 4865, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000003'}, {'op': 'SLOAD', 'pc': 4896, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000004'}, {'op': 'SLOAD', 'pc': 5168, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000002'}, {'op': 'SLOAD', 'pc': 5178, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000002'}, {'op': 'SLOAD', 'pc': 5263, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 5279, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 5551, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SSTORE', 'pc': 5796, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 5880, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000004'}, {'op': 'SLOAD', 'pc': 6076, 'slot': '0x9016d09d72d40fdae2fd8ceac6b6234c7706214fd39c1cd1e609a0528c199300'}, {'op': 'SLOAD', 'pc': 6145, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000020'}, {'op': 'SLOAD', 'pc': 6195, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000020'}, {'op': 'SSTORE', 'pc': 6516, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 6610, 'slot': '0x9016d09d72d40fdae2fd8ceac6b6234c7706214fd39c1cd1e609a0528c199300'}, {'op': 'SLOAD', 'pc': 7028, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000001'}, {'op': 'SLOAD', 'pc': 7332, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000004'}, {'op': 'SLOAD', 'pc': 7369, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000004'}, {'op': 'SLOAD', 'pc': 7666, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000004'}, {'op': 'SLOAD', 'pc': 8227, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000001'}, {'op': 'SLOAD', 'pc': 8411, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000020'}, {'op': 'SSTORE', 'pc': 8420, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 8510, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000020'}, {'op': 'SSTORE', 'pc': 8516, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 8565, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 9297, 'slot': '0xf0c57e16840df040f15088dc2f81fe391c3923bec73e23a9662efc9c229c6a00'}, {'op': 'SLOAD', 'pc': 9361, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000020'}, {'op': 'SSTORE', 'pc': 9367, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000000'}, {'op': 'SLOAD', 'pc': 9734, 'slot': '0x0000000000000000000000000000000000000000000000000000000000000020'}], 'writes': 32}}]
exec
/bin/bash -lc 'rg -n "evidence_bundle|evidence_json|validation_json|data_flow|call_targets|guards_detected" BYTECODE_BUNDLE.json | head -n 200' in /tmp/codex-wucv6ne8 succeeded in 8ms:
34492: "evidence_json": {
34517: "guards_detected": [],
34526: "validation_json": {
34528: "call_targets": [
34544: "evidence_json": {
34569: "guards_detected": []
34578: "validation_json": {
34580: "call_targets": [
exec
/bin/bash -lc 'rg -n "summary|bytecode" BYTECODE_BUNDLE.json | head -n 200' in /tmp/codex-wucv6ne8 succeeded in 11ms:
25709: "runtime_bytecode": {
34595: "heuristics_summary": {
exec
/bin/bash -lc "sed -n '25690,25880p' BYTECODE_BUNDLE.json" in /tmp/codex-wucv6ne8 succeeded in 7ms:
"artifact": {
"codehash": "0x2f1e075f477d7cce649a2c1602aee58a1ec6b08267c93e25a35f157fd6b8d6bc",
"compiler_json": {
"compiler_version": null,
"etherscan": {
"contract_name": null,
"implementation": null,
"license": "Unknown",
"proxy": "0",
"swarm_source": null
},
"optimizer_enabled": false,
"optimizer_runs": 0,
"proxy_evidence": {
"status": "not_proxy"
}
},
"implementation_address": null,
"is_proxy": false,
"runtime_bytecode": {
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
bytecode_hex=obj['artifact']['runtime_bytecode']['full']
if bytecode_hex.startswith('0x'):
bytecode_hex=bytecode_hex[2:]
bytecode=bytes.fromhex(bytecode_hex)
# opcode mapping
opcodes = {i: f'OP_{i:02X}' for i in range(256)}
# define known opcodes
names = {
0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
0x20:'SHA3',
0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
}
opcodes.update(names)
# disassemble
ops=[]
pc=0
while pc < len(bytecode):
op=bytecode[pc]
name=opcodes.get(op, f'OP_{op:02X}')
imm=b''
pc_next=pc+1
if 0x60 <= op <= 0x7f:
n=op-0x5f
imm=bytecode[pc_next:pc_next+n]
pc_next += n
ops.append((pc,name,imm))
pc=pc_next
# function selector table: scan for pattern PUSH4 <sel> EQ PUSH2 <dest> JUMPI near beginning
selectors=[]
for i in range(len(ops)-4):
if ops[i][1]=='PUSH4' and ops[i+1][1]=='EQ' and ops[i+2][1] in ('PUSH2','PUSH3') and ops[i+3][1]=='JUMPI':
sel=ops[i][2].hex()
dest=int.from_bytes(ops[i+2][2], 'big')
selectors.append((sel,dest,ops[i][0]))
# dedupe
seen=set(); cleaned=[]
for sel,dest,pc in selectors:
if sel not in seen:
seen.add(sel); cleaned.append((sel,dest,pc))
print('selectors',len(cleaned))
print(cleaned[:20])
# find CALL sites with immediate values? show preceding few ops
call_pcs=[1963,7422,7740,9168,9611]
# map pc to index
pc_to_index={pc:i for i,(pc,_,_) in enumerate(ops)}
for target_pc in call_pcs:
# find closest op index with pc==target_pc
idx=pc_to_index.get(target_pc)
if idx is None:
# find op with pc just before target_pc
idx=max(i for i,(pc,_,_) in enumerate(ops) if pc<=target_pc)
print('\\nAround CALL at pc',target_pc,'index',idx, 'op',ops[idx][1])
start=max(0, idx-10)
for j in range(start, idx+5):
pc,name,imm=ops[j]
if imm:
print(f'{pc:05x}: {name} 0x{imm.hex()}')
else:
print(f'{pc:05x}: {name}')
PY" in /tmp/codex-wucv6ne8 succeeded in 57ms:
selectors 33
[('ea7b42a6', 1527, 53), ('f2fde38b', 1549, 64), ('f7b188a5', 1581, 75), ('fa52c7d8', 1602, 86), ('fe9ae209', 1650, 97), ('cdc18424', 1421, 113), ('dc038251', 1453, 124), ('e0591af3', 1474, 135), ('e1ffe8b9', 1495, 146), ('afbc7011', 1286, 173), ('c0c53b8b', 1318, 184), ('c30f2e87', 1350, 195), ('c7977be7', 1369, 206), ('7c374f99', 1129, 222), ('82787cda', 1161, 233), ('86013de5', 1193, 244), ('8da5cb5b', 1225, 255), ('5c975abb', 991, 293), ('5e35359e', 1028, 304), ('5fb2386e', 1060, 315)]
Around CALL at pc 1963 index 1186 op CALL
0079f: PUSH1 0x00
007a1: PUSH1 0x40
007a3: MLOAD
007a4: DUP1
007a5: DUP4
007a6: SUB
007a7: DUP2
007a8: DUP6
007a9: DUP8
007aa: GAS
007ab: CALL
007ac: SWAP3
007ad: POP
007ae: POP
007af: POP
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
bytecode_hex=obj['artifact']['runtime_bytecode']['full'][2:]
bytecode=bytes.fromhex(bytecode_hex)
opnames={}
for i in range(256):
opnames[i]=f'OP_{i:02X}'
# minimal names
names={
0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',0x20:'SHA3',
0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
}
opnames.update(names)
ops=[]
pc=0
while pc < len(bytecode):
op=bytecode[pc]
name=opnames[op]
imm=b''
pc_next=pc+1
if 0x60 <= op <= 0x7f:
n=op-0x5f
imm=bytecode[pc_next:pc_next+n]
pc_next += n
ops.append((pc,name,imm))
pc=pc_next
# function to print context
call_pcs=[1963,7422,7740,9168,9611]
# map pc->index
pc_to_index={pc:i for i,(pc,_,_) in enumerate(ops)}
for target_pc in call_pcs:
idx=pc_to_index.get(target_pc)
if idx is None:
idx=max(i for i,(pc,_,_) in enumerate(ops) if pc<=target_pc)
print('\\n== CALL at pc',hex(target_pc),'==')
start=max(0, idx-40)
end=min(len(ops), idx+10)
for j in range(start, end):
pc,name,imm=ops[j]
if imm:
print(f'{pc:05x}: {name} 0x{imm.hex()}')
else:
print(f'{pc:05x}: {name}')
PY" in /tmp/codex-wucv6ne8 succeeded in 51ms:
== CALL at pc 0x7ab ==
00772: PUSH2 0x078e
00775: JUMPI
00776: PUSH1 0x40
00778: MLOAD
00779: PUSH4 0x3494a40d
0077e: PUSH1 0xe2
00780: SHL
00781: DUP2
00782: MSTORE
00783: PUSH1 0x04
00785: ADD
00786: PUSH1 0x40
00788: MLOAD
00789: DUP1
0078a: SWAP2
0078b: SUB
0078c: SWAP1
0078d: REVERT
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
bytecode_hex=obj['artifact']['runtime_bytecode']['full'][2:]
bytecode=bytes.fromhex(bytecode_hex)
# disassembler
opnames={i:f'OP_{i:02X}' for i in range(256)}
# minimal names
names={
0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',0x20:'SHA3',
0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
}
opnames.update(names)
ops=[]
pc=0
while pc < len(bytecode):
op=bytecode[pc]
name=opnames[op]
imm=b''
pc_next=pc+1
if 0x60 <= op <= 0x7f:
n=op-0x5f
imm=bytecode[pc_next:pc_next+n]
pc_next += n
ops.append((pc,name,imm))
pc=pc_next
# parse dispatcher selectors
selectors=[]
for i in range(len(ops)-4):
if ops[i][1]=='PUSH4' and ops[i+1][1]=='EQ' and ops[i+2][1] in ('PUSH2','PUSH3') and ops[i+3][1]=='JUMPI':
sel=ops[i][2].hex()
dest=int.from_bytes(ops[i+2][2], 'big')
selectors.append((sel,dest,ops[i][0]))
# dedupe
seen=set(); cleaned=[]
for sel,dest,pc in selectors:
if sel not in seen:
seen.add(sel); cleaned.append((sel,dest,pc))
# map pc to index
pc_to_index={pc:i for i,(pc,_,_) in enumerate(ops)}
print('selector -> entry (first ops)')
for sel,dest,_ in cleaned:
idx=pc_to_index.get(dest)
if idx is None:
continue
snippet=[]
for j in range(idx, min(len(ops), idx+12)):
pc,name,imm=ops[j]
if imm:
snippet.append(f'{name} 0x{imm.hex()}')
else:
snippet.append(name)
print(sel,hex(dest), '::', ' | '.join(snippet))
PY" in /tmp/codex-wucv6ne8 succeeded in 44ms:
selector -> entry (first ops)
ea7b42a6 0x5f7 :: JUMPDEST | CALLVALUE | DUP1 | ISZERO | PUSH2 0x0603 | JUMPI | PUSH1 0x00 | DUP1 | REVERT | JUMPDEST | POP | PUSH2 0x0285
f2fde38b 0x60d :: JUMPDEST | CALLVALUE | DUP1 | ISZERO | PUSH2 0x0619 | JUMPI | PUSH1 0x00 | DUP1 | REVERT | JUMPDEST | POP | PUSH2 0x026e
f7b188a5 0x62d :: JUMPDEST | CALLVALUE | DUP1 | ISZERO | PUSH2 0x0639 | JUMPI | PUSH1 0x00 | DUP1 | REVERT | JUMPDEST | POP | PUSH2 0x026e
fa52c7d8 0x642 :: JUMPDEST | CALLVALUE | DUP1 | ISZERO | PUSH2 0x064e | JUMPI | PUSH1 0x00 | DUP1 | REVERT | JUMPDEST | POP | PUSH2 0x0239
fe9ae209 0x672 :: JUMPDEST | CALLVALUE | DUP1 | ISZERO | PUSH2 0x067e | JUMPI | PUSH1 0x00 | DUP1 | REVERT | JUMPDEST | POP | PUSH2 0x0285
cdc18424 0x58d :: JUMPDEST | CALLVALUE | DUP1 | ISZERO | PUSH2 0x0599 | JUMPI | PUSH1 0x00 | DUP1 | REVERT | JUMPDEST | POP | PUSH1 0x03
dc038251 0x5ad :: JUMPDEST | CALLVALUE | DUP1 | ISZERO | PUSH2 0x05b9 | JUMPI | PUSH1 0x00 | DUP1 | REVERT | JUMPDEST | POP | PUSH2 0x0285
e0591af3 0x5c2 :: JUMPDEST | CALLVALUE | DUP1 | ISZERO | PUSH2 0x05ce | JUMPI | PUSH1 0x00 | DUP1 | REVERT | JUMPDEST | POP | PUSH2 0x026e
e1ffe8b9 0x5d7 :: JUMPDEST | CALLVALUE | DUP1 | ISZERO | PUSH2 0x05e3 | JUMPI | PUSH1 0x00 | DUP1 | REVERT | JUMPDEST | POP | PUSH2 0x026e
afbc7011 0x506 :: JUMPDEST | CALLVALUE | DUP1 | ISZERO | PUSH2 0x0512 | JUMPI | PUSH1 0x00 | DUP1 | REVERT | JUMPDEST | POP | PUSH2 0x026e
c0c53b8b 0x526 :: JUMPDEST | CALLVALUE | DUP1 | ISZERO | PUSH2 0x0532 | JUMPI | PUSH1 0x00 | DUP1 | REVERT | JUMPDEST | POP | PUSH2 0x026e
c30f2e87 0x546 :: JUMPDEST | PUSH2 0x026e | PUSH2 0x0554 | CALLDATASIZE | PUSH1 0x04 | PUSH2 0x2970 | JUMP | JUMPDEST | PUSH2 0x137d | JUMP | JUMPDEST | CALLVALUE
c7977be7 0x559 :: JUMPDEST | CALLVALUE | DUP1 | ISZERO | PUSH2 0x0565 | JUMPI | PUSH1 0x00 | DUP1 | REVERT | JUMPDEST | POP | PUSH2 0x0285
7c374f99 0x469 :: JUMPDEST | CALLVALUE | DUP1 | ISZERO | PUSH2 0x0475 | JUMPI | PUSH1 0x00 | DUP1 | REVERT | JUMPDEST | POP | PUSH2 0x026e
82787cda 0x489 :: JUMPDEST | CALLVALUE | DUP1 | ISZERO | PUSH2 0x0495 | JUMPI | PUSH1 0x00 | DUP1 | REVERT | JUMPDEST | POP | PUSH2 0x026e
86013de5 0x4a9 :: JUMPDEST | CALLVALUE | DUP1 | ISZERO | PUSH2 0x04b5 | JUMPI | PUSH1 0x00 | DUP1 | REVERT | JUMPDEST | POP | PUSH2 0x026e
8da5cb5b 0x4c9 :: JUMPDEST | CALLVALUE | DUP1 | ISZERO | PUSH2 0x04d5 | JUMPI | PUSH1 0x00 | DUP1 | REVERT | JUMPDEST | POP | PUSH32 0x9016d09d72d40fdae2fd8ceac6b6234c7706214fd39c1cd1e609a0528c199300
5c975abb 0x3df :: JUMPDEST | CALLVALUE | DUP1 | ISZERO | PUSH2 0x03eb | JUMPI | PUSH1 0x00 | DUP1 | REVERT | JUMPDEST | POP | PUSH1 0x00
5e35359e 0x404 :: JUMPDEST | CALLVALUE | DUP1 | ISZERO | PUSH2 0x0410 | JUMPI | PUSH1 0x00 | DUP1 | REVERT | JUMPDEST | POP | PUSH2 0x026e
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
bytecode_hex=obj['artifact']['runtime_bytecode']['full'][2:]
bytecode=bytes.fromhex(bytecode_hex)
# disassemble
opnames={i:f'OP_{i:02X}' for i in range(256)}
for i in range(256):
pass
ops=[]
pc=0
while pc < len(bytecode):
op=bytecode[pc]
name=opnames[op]
imm=b''
pc_next=pc+1
if 0x60 <= op <= 0x7f:
n=op-0x5f
imm=bytecode[pc_next:pc_next+n]
pc_next += n
ops.append((pc,name,imm))
pc=pc_next
# gather function entry points from earlier mapping
# parse dispatcher selectors
selectors=[]
for i in range(len(ops)-4):
if ops[i][1]=='PUSH4' and ops[i+1][1]=='EQ' and ops[i+2][1] in ('PUSH2','PUSH3') and ops[i+3][1]=='JUMPI':
sel=ops[i][2].hex()
dest=int.from_bytes(ops[i+2][2], 'big')
selectors.append((sel,dest))
# dedupe
entries=sorted({dest for _,dest in selectors})
# helper to find closest entry <= pc
import bisect
entries_sorted=sorted(entries)
def closest_entry(pc):
idx=bisect.bisect_right(entries_sorted, pc)-1
if idx>=0:
return entries_sorted[idx]
return None
# find push4 a9059cbb and 23b872dd
for target in ['a9059cbb','23b872dd']:
print('\\nPUSH4',target)
for pc,name,imm in ops:
if name=='PUSH4' and imm.hex()==target:
entry=closest_entry(pc)
print(f'pc 0x{pc:x} entry 0x{entry:x}' if entry else f'pc 0x{pc:x} entry None')
PY" in /tmp/codex-wucv6ne8 succeeded in 57ms:
PUSH4 a9059cbb
PUSH4 23b872dd
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
hexstr=obj['artifact']['runtime_bytecode']['full'][2:]
for s in ['a9059cbb','23b872dd','70a08231','095ea7b3']:
idx=hexstr.find(s)
print(s, idx)
PY" in /tmp/codex-wucv6ne8 succeeded in 34ms:
a9059cbb 12870
23b872dd 13126
70a08231 14400
095ea7b3 -1
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
hexstr=obj['artifact']['runtime_bytecode']['full'][2:]
bytecode=bytes.fromhex(hexstr)
# build disassembly index pc->(name,imm)
opnames={i:f'OP_{i:02X}' for i in range(256)}
# add simple names
names={0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
0x5b:'JUMPDEST',0x56:'JUMP',0x57:'JUMPI',0x52:'MSTORE',0x51:'MLOAD',0x54:'SLOAD',0x55:'SSTORE',0x33:'CALLER',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',0x20:'SHA3',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x5a:'GAS',0xf1:'CALL',0xfa:'STATICCALL',0xfd:'REVERT',0xf3:'RETURN',0x50:'POP',0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',0x34:'CALLVALUE',0x30:'ADDRESS',0x3b:'EXTCODESIZE'}
opnames.update(names)
ops=[]
pc=0
while pc < len(bytecode):
op=bytecode[pc]
name=opnames.get(op, f'OP_{op:02X}')
imm=b''
pc_next=pc+1
if 0x60 <= op <= 0x7f:
n=op-0x5f
imm=bytecode[pc_next:pc_next+n]
pc_next += n
ops.append((pc,name,imm))
pc=pc_next
# function to print context around byte offset
def print_context(byte_offset, window=20):
# find op index with pc<=offset
idx=max(i for i,(pc,_,_) in enumerate(ops) if pc<=byte_offset)
start=max(0, idx-window)
end=min(len(ops), idx+window)
print(f'-- context around pc 0x{byte_offset:x} (idx {idx}) --')
for j in range(start,end):
pc,name,imm=ops[j]
if imm:
print(f'{pc:05x}: {name} 0x{imm.hex()}')
else:
print(f'{pc:05x}: {name}')
for s in ['a9059cbb','23b872dd','70a08231']:
idx=hexstr.find(s)
if idx>=0:
byte_off=idx//2
print('\\nstring',s,'at byte',byte_off)
print_context(byte_off)
PY" in /tmp/codex-wucv6ne8 succeeded in 49ms:
string a9059cbb at byte 6435
-- context around pc 0x1923 (idx 4057) --
0190a: DUP4
0190b: DUP2
0190c: AND
0190d: PUSH1 0x24
0190f: DUP4
01910: OP_01
01911: MSTORE
01912: PUSH1 0x44
01914: DUP3
01915: OP_01
01916: DUP4
01917: SWAP1
01918: MSTORE
01919: PUSH2 0x195d
0191c: SWAP2
0191d: OP_85
0191e: SWAP2
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
bytecode=bytes.fromhex(obj['artifact']['runtime_bytecode']['full'][2:])
# disassemble
opnames={i:f'OP_{i:02X}' for i in range(256)}
names={0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
0x5b:'JUMPDEST',0x56:'JUMP',0x57:'JUMPI',0x52:'MSTORE',0x51:'MLOAD',0x54:'SLOAD',0x55:'SSTORE',0x33:'CALLER',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',0x20:'SHA3',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x5a:'GAS',0xf1:'CALL',0xfa:'STATICCALL',0xfd:'REVERT',0xf3:'RETURN',0x50:'POP',0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',0x34:'CALLVALUE',0x30:'ADDRESS',0x3b:'EXTCODESIZE',0x10:'LT',0x11:'GT',0x01:'ADD',0x03:'SUB'}
opnames.update(names)
ops=[]
pc=0
while pc < len(bytecode):
op=bytecode[pc]
name=opnames.get(op, f'OP_{op:02X}')
imm=b''
pc_next=pc+1
if 0x60 <= op <= 0x7f:
n=op-0x5f
imm=bytecode[pc_next:pc_next+n]
pc_next += n
ops.append((pc,name,imm))
pc=pc_next
# print context around 0x19af
start=0x1980
end=0x1a40
for pc,name,imm in ops:
if start <= pc <= end:
if imm:
print(f'{pc:05x}: {name} 0x{imm.hex()}')
else:
print(f'{pc:05x}: {name}')
PY" in /tmp/codex-wucv6ne8 succeeded in 70ms:
01980: SHL
01981: SUB
01982: DUP5
01983: DUP2
01984: AND
01985: PUSH1 0x24
01987: DUP4
01988: ADD
01989: MSTORE
0198a: DUP4
0198b: DUP2
0198c: AND
0198d: PUSH1 0x44
0198f: DUP4
01990: ADD
01991: MSTORE
01992: PUSH1 0x64
01994: DUP3
01995: ADD
01996: DUP4
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
bytecode=bytes.fromhex(obj['artifact']['runtime_bytecode']['full'][2:])
opnames={i:f'OP_{i:02X}' for i in range(256)}
# fill names for readability
names={
0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',0x20:'SHA3',
0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
}
opnames.update(names)
ops=[]
pc=0
while pc < len(bytecode):
op=bytecode[pc]
name=opnames.get(op, f'OP_{op:02X}')
imm=b''
pc_next=pc+1
if 0x60 <= op <= 0x7f:
n=op-0x5f
imm=bytecode[pc_next:pc_next+n]
pc_next += n
ops.append((pc,name,imm))
pc=pc_next
# print disassembly around entry 0x672 to 0x820
start=0x672
end=0x820
for pc,name,imm in ops:
if start <= pc <= end:
if imm:
print(f'{pc:05x}: {name} 0x{imm.hex()}')
else:
print(f'{pc:05x}: {name}')
PY" in /tmp/codex-wucv6ne8 succeeded in 55ms:
00672: JUMPDEST
00673: CALLVALUE
00674: DUP1
00675: ISZERO
00676: PUSH2 0x067e
00679: JUMPI
0067a: PUSH1 0x00
0067c: DUP1
0067d: REVERT
0067e: JUMPDEST
0067f: POP
00680: PUSH2 0x0285
00683: PUSH1 0x06
00685: SLOAD
00686: DUP2
00687: JUMP
00688: JUMPDEST
00689: PUSH2 0x0690
0068c: PUSH2 0x1796
0068f: JUMP
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
bytecode=bytes.fromhex(obj['artifact']['runtime_bytecode']['full'][2:])
opnames={i:f'OP_{i:02X}' for i in range(256)}
# fill names
names={0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',0x5b:'JUMPDEST',0x56:'JUMP',0x57:'JUMPI',0x52:'MSTORE',0x51:'MLOAD',0x54:'SLOAD',0x55:'SSTORE',0x33:'CALLER',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',0x20:'SHA3',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x5a:'GAS',0xf1:'CALL',0xfa:'STATICCALL',0xfd:'REVERT',0xf3:'RETURN',0x50:'POP',0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',0x34:'CALLVALUE',0x30:'ADDRESS',0x3b:'EXTCODESIZE',0x10:'LT',0x11:'GT',0x01:'ADD',0x03:'SUB'}
opnames.update(names)
ops=[]
pc=0
while pc < len(bytecode):
op=bytecode[pc]
name=opnames.get(op, f'OP_{op:02X}')
imm=b''
pc_next=pc+1
if 0x60 <= op <= 0x7f:
n=op-0x5f
imm=bytecode[pc_next:pc_next+n]
pc_next += n
ops.append((pc,name,imm))
pc=pc_next
# list SSTORE contexts
for i,(pc,name,imm) in enumerate(ops):
if name=='SSTORE':
start=max(0,i-6)
end=min(len(ops), i+2)
print('\\nSSTORE at pc',hex(pc))
for j in range(start,end):
pc2,name2,imm2=ops[j]
if imm2:
print(f'{pc2:05x}: {name2} 0x{imm2.hex()}')
else:
print(f'{pc2:05x}: {name2}')
PY" in /tmp/codex-wucv6ne8 succeeded in 73ms:
SSTORE at pc 0x6d6
006d0: DUP4
006d1: AND
006d2: DUP2
006d3: OR
006d4: SWAP1
006d5: SWAP4
006d6: SSTORE
006d7: PUSH1 0x40
SSTORE at pc 0x81f
00817: DUP4
00818: PUSH2 0x2a20
0081b: JUMP
0081c: JUMPDEST
0081d: SWAP1
0081e: SWAP2
0081f: SSTORE
00820: POP
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
bytecode=bytes.fromhex(obj['artifact']['runtime_bytecode']['full'][2:])
# disassemble
opnames={i:f'OP_{i:02X}' for i in range(256)}
# add names for key ops
names={
0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',0x20:'SHA3',
0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
}
opnames.update(names)
ops=[]
pc=0
while pc < len(bytecode):
op=bytecode[pc]
name=opnames.get(op, f'OP_{op:02X}')
imm=b''
pc_next=pc+1
if 0x60 <= op <= 0x7f:
n=op-0x5f
imm=bytecode[pc_next:pc_next+n]
pc_next += n
ops.append((pc,name,imm))
pc=pc_next
# parse selector entries
selectors=[]
for i in range(len(ops)-4):
if ops[i][1]=='PUSH4' and ops[i+1][1]=='EQ' and ops[i+2][1] in ('PUSH2','PUSH3') and ops[i+3][1]=='JUMPI':
sel=ops[i][2].hex()
dest=int.from_bytes(ops[i+2][2],'big')
selectors.append((sel,dest))
# dedupe
sel_to_entry={}
for sel,dest in selectors:
sel_to_entry.setdefault(sel,dest)
entries=sorted(sel_to_entry.values())
# map pc to op index
pc_to_idx={pc:i for i,(pc,_,_) in enumerate(ops)}
# analyze each function range
print('Potentially unguarded functions (heuristic):')
for sel,entry in sel_to_entry.items():
start_idx=pc_to_idx.get(entry)
if start_idx is None:
continue
# end at next entry or end of bytecode
next_entries=[e for e in entries if e>entry]
end_pc= next_entries[0] if next_entries else len(bytecode)
end_idx=pc_to_idx.get(end_pc, len(ops))
segment=ops[start_idx:end_idx]
has_caller=False
has_guard=False
has_sstore=False
has_call=False
# simple pattern detection: CALLER + SLOAD + EQ + JUMPI
for i,(pc,name,imm) in enumerate(segment):
if name=='CALLER':
has_caller=True
if name in ('CALL','DELEGATECALL','STATICCALL'):
has_call=True
if name=='SSTORE':
has_sstore=True
# check for pattern ... SLOAD ... CALLER ... EQ ... JUMPI within 10 ops
if name=='SLOAD':
window=segment[i:i+10]
names=[n for _,n,_ in window]
if 'CALLER' in names and 'EQ' in names and 'JUMPI' in names:
has_guard=True
if (has_sstore or has_call) and not has_guard:
print(f'selector {sel} entry 0x{entry:x} has_sstore={has_sstore} has_call={has_call} has_guard={has_guard} has_caller={has_caller}')
PY" in /tmp/codex-wucv6ne8 succeeded in 66ms:
Potentially unguarded functions (heuristic):
selector fe9ae209 entry 0x672 has_sstore=True has_call=True has_guard=False has_caller=True
exec
/bin/bash -lc "python - <<'PY'
import json
from pathlib import Path
obj=json.loads(Path('BYTECODE_BUNDLE.json').read_text())
bytecode=bytes.fromhex(obj['artifact']['runtime_bytecode']['full'][2:])
# disassemble
opnames={i:f'OP_{i:02X}' for i in range(256)}
# minimal names for readability
names={0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
0x5b:'JUMPDEST',0x56:'JUMP',0x57:'JUMPI',0x52:'MSTORE',0x51:'MLOAD',0x54:'SLOAD',0x55:'SSTORE',0x33:'CALLER',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',0x20:'SHA3',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x5a:'GAS',0xf1:'CALL',0xfa:'STATICCALL',0xfd:'REVERT',0xf3:'RETURN',0x50:'POP',0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',0x34:'CALLVALUE',0x30:'ADDRESS',0x3b:'EXTCODESIZE',0x10:'LT',0x11:'GT',0x01:'ADD',0x03:'SUB'}
opnames.update(names)
ops=[]
pc=0
while pc < len(bytecode):
op=bytecode[pc]
name=opnames.get(op, f'OP_{op:02X}')
imm=b''
pc_next=pc+1
if 0x60 <= op <= 0x7f:
n=op-0x5f
imm=bytecode[pc_next:pc_next+n]
pc_next += n
ops.append((pc,name,imm))
pc=pc_next
start=0x2540
end=0x2600
for pc,name,imm in ops:
if start <= pc <= end:
if imm:
print(f'{pc:05x}: {name} 0x{imm.hex()}')
else:
print(f'{pc:05x}: {name}')
PY" in /tmp/codex-wucv6ne8 succeeded in 48ms:
02540: JUMPDEST
02541: SWAP1
02542: POP
02543: JUMPDEST
02544: SWAP3
02545: SWAP2
02546: POP
02547: POP
02548: JUMP
02549: JUMPDEST
0254a: PUSH20 0xeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeed
0255f: OP_19
02560: PUSH1 0x01
02562: PUSH1 0x01
02564: PUSH1 0xa0
02566: SHL
02567: SUB
02568: DUP5
02569: AND
0256a: ADD
codex
{"no_findings":false,"summary":"One low-severity access control/centralization risk observed: a privileged function can issue arbitrary external calls (including ETH value) based on calldata.","findings":[{"severity":"low","category":"access_control","title":"Privileged arbitrary external call can move ETH/tokens","exploit_scenario":"If the role stored in slot 0x03 (used in the caller check) is compromised or misconfigured, an attacker can invoke selector 0xfe9ae209 to perform arbitrary CALLs with calldata‑supplied target/value, potentially draining ETH/tokens or invoking arbitrary contracts.","recommendation":"Confirm this admin/execute capability is intentional. Restrict it to a multisig/timelock, and consider allow‑listing targets or removing the capability entirely if not required.","evidence":"In selector 0xfe9ae209, the code checks caller against a masked SLOAD from slot 0x03 (pc:0x731) and then executes a raw CALL with computed parameters (pc:0x7ab). The callsite is marked as computed target/value in the bundle (callsite pc 1963).","locations":["selector:0xfe9ae209","pc:0x731","pc:0x7ab"]}]}
tokens used
114,863
{
"codex": {
"ran_at": "2026-01-30T14:42:05.102327+00:00",
"returncode": 0
},
"project": {
"mode": "bytecode",
"bytecode_length": 23574,
"bytecode_truncated": false,
"capability_graph_present": true,
"analysis_artifact_present": true
},
"summary": "One low-severity access control/centralization risk observed: a privileged function can issue arbitrary external calls (including ETH value) based on calldata.",
"raw_final": {
"summary": "One low-severity access control/centralization risk observed: a privileged function can issue arbitrary external calls (including ETH value) based on calldata.",
"findings": [
{
"title": "Privileged arbitrary external call can move ETH/tokens",
"category": "access_control",
"evidence": "In selector 0xfe9ae209, the code checks caller against a masked SLOAD from slot 0x03 (pc:0x731) and then executes a raw CALL with computed parameters (pc:0x7ab). The callsite is marked as computed target/value in the bundle (callsite pc 1963).",
"severity": "low",
"locations": [
"selector:0xfe9ae209",
"pc:0x731",
"pc:0x7ab"
],
"recommendation": "Confirm this admin/execute capability is intentional. Restrict it to a multisig/timelock, and consider allow\u2011listing targets or removing the capability entirely if not required.",
"exploit_scenario": "If the role stored in slot 0x03 (used in the caller check) is compromised or misconfigured, an attacker can invoke selector 0xfe9ae209 to perform arbitrary CALLs with calldata\u2011supplied target/value, potentially draining ETH/tokens or invoking arbitrary contracts."
}
],
"no_findings": false
},
"no_findings": false,
"proxy_context": {
"proxy_run_id": "019c0ea9-090d-708e-8500-724695b54269",
"proxy_address": "0x32e297877fec71e93ff3bb40e1fb10f9f9c32800",
"implementation_run_id": "019c0eab-4fce-73b8-bbdb-0d0d0ffdf301",
"implementation_address": "0x9c3a4329ff26934b04312162f83c8f69d52aa060"
},
"schema_version": 1
}
00000000: PUSH1 0x80 00000002: PUSH1 0x40 00000004: MSTORE 00000005: PUSH2 0x000c 00000008: PUSH2 0x000e 0000000b: JUMP 0000000c: JUMPDEST 0000000d: STOP 0000000e: JUMPDEST 0000000f: PUSH32 0x0000000000000000000000001d77f6ec8fdceb252ee6815bc165656a3a5cd560 00000030: PUSH1 0x01 00000032: PUSH1 0x01 00000034: PUSH1 0xa0 00000036: SHL 00000037: SUB 00000038: AND 00000039: CALLER 0000003a: SUB 0000003b: PUSH2 0x007b 0000003e: JUMPI 0000003f: PUSH1 0x00 00000041: CALLDATALOAD 00000042: PUSH1 0x01 00000044: PUSH1 0x01 00000046: PUSH1 0xe0 00000048: SHL 00000049: SUB 0000004a: NOT 0000004b: AND 0000004c: PUSH4 0x278f7943 00000051: PUSH1 0xe1 00000053: SHL 00000054: EQ 00000055: PUSH2 0x0071 00000058: JUMPI 00000059: PUSH1 0x40 0000005b: MLOAD 0000005c: PUSH4 0x34ad5dbb 00000061: PUSH1 0xe2 00000063: SHL 00000064: DUP2 00000065: MSTORE 00000066: PUSH1 0x04 00000068: ADD 00000069: PUSH1 0x40 0000006b: MLOAD 0000006c: DUP1 0000006d: SWAP2 0000006e: SUB 0000006f: SWAP1 00000070: REVERT 00000071: JUMPDEST 00000072: PUSH2 0x0079 00000075: PUSH2 0x0083 00000078: JUMP 00000079: JUMPDEST 0000007a: JUMP 0000007b: JUMPDEST 0000007c: PUSH2 0x0079 0000007f: PUSH2 0x00b2 00000082: JUMP 00000083: JUMPDEST 00000084: PUSH1 0x00 00000086: DUP1 00000087: PUSH2 0x0093 0000008a: CALLDATASIZE 0000008b: PUSH1 0x04 0000008d: DUP2 0000008e: DUP5 0000008f: PUSH2 0x0312 00000092: JUMP 00000093: JUMPDEST 00000094: DUP2 00000095: ADD 00000096: SWAP1 00000097: PUSH2 0x00a0 0000009a: SWAP2 0000009b: SWAP1 0000009c: PUSH2 0x0352 0000009f: JUMP 000000a0: JUMPDEST 000000a1: SWAP2 000000a2: POP 000000a3: SWAP2 000000a4: POP 000000a5: PUSH2 0x00ae 000000a8: DUP3 000000a9: DUP3 000000aa: PUSH2 0x00c2 000000ad: JUMP 000000ae: JUMPDEST 000000af: POP 000000b0: POP 000000b1: JUMP 000000b2: JUMPDEST 000000b3: PUSH2 0x0079 000000b6: PUSH2 0x00bd 000000b9: PUSH2 0x011d 000000bc: JUMP 000000bd: JUMPDEST 000000be: PUSH2 0x0155 000000c1: JUMP 000000c2: JUMPDEST 000000c3: PUSH2 0x00cb 000000c6: DUP3 000000c7: PUSH2 0x0179 000000ca: JUMP 000000cb: JUMPDEST 000000cc: PUSH1 0x40 000000ce: MLOAD 000000cf: PUSH1 0x01 000000d1: PUSH1 0x01 000000d3: PUSH1 0xa0 000000d5: SHL 000000d6: SUB 000000d7: DUP4 000000d8: AND 000000d9: SWAP1 000000da: PUSH32 0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b 000000fb: SWAP1 000000fc: PUSH1 0x00 000000fe: SWAP1 000000ff: LOG2 00000100: DUP1 00000101: MLOAD 00000102: ISZERO 00000103: PUSH2 0x0115 00000106: JUMPI 00000107: PUSH2 0x0110 0000010a: DUP3 0000010b: DUP3 0000010c: PUSH2 0x01f5 0000010f: JUMP 00000110: JUMPDEST 00000111: POP 00000112: POP 00000113: POP 00000114: JUMP 00000115: JUMPDEST 00000116: PUSH2 0x00ae 00000119: PUSH2 0x026b 0000011c: JUMP 0000011d: JUMPDEST 0000011e: PUSH1 0x00 00000120: PUSH2 0x0150 00000123: PUSH32 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc 00000144: SLOAD 00000145: PUSH1 0x01 00000147: PUSH1 0x01 00000149: PUSH1 0xa0 0000014b: SHL 0000014c: SUB 0000014d: AND 0000014e: SWAP1 0000014f: JUMP 00000150: JUMPDEST 00000151: SWAP1 00000152: POP 00000153: SWAP1 00000154: JUMP 00000155: JUMPDEST 00000156: CALLDATASIZE 00000157: PUSH1 0x00 00000159: DUP1 0000015a: CALLDATACOPY 0000015b: PUSH1 0x00 0000015d: DUP1 0000015e: CALLDATASIZE 0000015f: PUSH1 0x00 00000161: DUP5 00000162: GAS 00000163: DELEGATECALL 00000164: RETURNDATASIZE 00000165: PUSH1 0x00 00000167: DUP1 00000168: RETURNDATACOPY 00000169: DUP1 0000016a: DUP1 0000016b: ISZERO 0000016c: PUSH2 0x0174 0000016f: JUMPI 00000170: RETURNDATASIZE 00000171: PUSH1 0x00 00000173: RETURN 00000174: JUMPDEST 00000175: RETURNDATASIZE 00000176: PUSH1 0x00 00000178: REVERT 00000179: JUMPDEST 0000017a: DUP1 0000017b: PUSH1 0x01 0000017d: PUSH1 0x01 0000017f: PUSH1 0xa0 00000181: SHL 00000182: SUB 00000183: AND 00000184: EXTCODESIZE 00000185: PUSH1 0x00 00000187: SUB 00000188: PUSH2 0x01b4 0000018b: JUMPI 0000018c: PUSH1 0x40 0000018e: MLOAD 0000018f: PUSH4 0x4c9c8ce3 00000194: PUSH1 0xe0 00000196: SHL 00000197: DUP2 00000198: MSTORE 00000199: PUSH1 0x01 0000019b: PUSH1 0x01 0000019d: PUSH1 0xa0 0000019f: SHL 000001a0: SUB 000001a1: DUP3 000001a2: AND 000001a3: PUSH1 0x04 000001a5: DUP3 000001a6: ADD 000001a7: MSTORE 000001a8: PUSH1 0x24 000001aa: ADD 000001ab: JUMPDEST 000001ac: PUSH1 0x40 000001ae: MLOAD 000001af: DUP1 000001b0: SWAP2 000001b1: SUB 000001b2: SWAP1 000001b3: REVERT 000001b4: JUMPDEST 000001b5: PUSH32 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc 000001d6: DUP1 000001d7: SLOAD 000001d8: PUSH1 0x01 000001da: PUSH1 0x01 000001dc: PUSH1 0xa0 000001de: SHL 000001df: SUB 000001e0: NOT 000001e1: AND 000001e2: PUSH1 0x01 000001e4: PUSH1 0x01 000001e6: PUSH1 0xa0 000001e8: SHL 000001e9: SUB 000001ea: SWAP3 000001eb: SWAP1 000001ec: SWAP3 000001ed: AND 000001ee: SWAP2 000001ef: SWAP1 000001f0: SWAP2 000001f1: OR 000001f2: SWAP1 000001f3: SSTORE 000001f4: JUMP 000001f5: JUMPDEST 000001f6: PUSH1 0x60 000001f8: PUSH1 0x00 000001fa: DUP1 000001fb: DUP5 000001fc: PUSH1 0x01 000001fe: PUSH1 0x01 00000200: PUSH1 0xa0 00000202: SHL 00000203: SUB 00000204: AND 00000205: DUP5 00000206: PUSH1 0x40 00000208: MLOAD 00000209: PUSH2 0x0212 0000020c: SWAP2 0000020d: SWAP1 0000020e: PUSH2 0x0422 00000211: JUMP 00000212: JUMPDEST 00000213: PUSH1 0x00 00000215: PUSH1 0x40 00000217: MLOAD 00000218: DUP1 00000219: DUP4 0000021a: SUB 0000021b: DUP2 0000021c: DUP6 0000021d: GAS 0000021e: DELEGATECALL 0000021f: SWAP2 00000220: POP 00000221: POP 00000222: RETURNDATASIZE 00000223: DUP1 00000224: PUSH1 0x00 00000226: DUP2 00000227: EQ 00000228: PUSH2 0x024d 0000022b: JUMPI 0000022c: PUSH1 0x40 0000022e: MLOAD 0000022f: SWAP2 00000230: POP 00000231: PUSH1 0x1f 00000233: NOT 00000234: PUSH1 0x3f 00000236: RETURNDATASIZE 00000237: ADD 00000238: AND 00000239: DUP3 0000023a: ADD 0000023b: PUSH1 0x40 0000023d: MSTORE 0000023e: RETURNDATASIZE 0000023f: DUP3 00000240: MSTORE 00000241: RETURNDATASIZE 00000242: PUSH1 0x00 00000244: PUSH1 0x20 00000246: DUP5 00000247: ADD 00000248: RETURNDATACOPY 00000249: PUSH2 0x0252 0000024c: JUMP 0000024d: JUMPDEST 0000024e: PUSH1 0x60 00000250: SWAP2 00000251: POP 00000252: JUMPDEST 00000253: POP 00000254: SWAP2 00000255: POP 00000256: SWAP2 00000257: POP 00000258: PUSH2 0x0262 0000025b: DUP6 0000025c: DUP4 0000025d: DUP4 0000025e: PUSH2 0x028a 00000261: JUMP 00000262: JUMPDEST 00000263: SWAP6 00000264: SWAP5 00000265: POP 00000266: POP 00000267: POP 00000268: POP 00000269: POP 0000026a: JUMP 0000026b: JUMPDEST 0000026c: CALLVALUE 0000026d: ISZERO 0000026e: PUSH2 0x0079 00000271: JUMPI 00000272: PUSH1 0x40 00000274: MLOAD 00000275: PUSH4 0xb398979f 0000027a: PUSH1 0xe0 0000027c: SHL 0000027d: DUP2 0000027e: MSTORE 0000027f: PUSH1 0x04 00000281: ADD 00000282: PUSH1 0x40 00000284: MLOAD 00000285: DUP1 00000286: SWAP2 00000287: SUB 00000288: SWAP1 00000289: REVERT 0000028a: JUMPDEST 0000028b: PUSH1 0x60 0000028d: DUP3 0000028e: PUSH2 0x029f 00000291: JUMPI 00000292: PUSH2 0x029a 00000295: DUP3 00000296: PUSH2 0x02e9 00000299: JUMP 0000029a: JUMPDEST 0000029b: PUSH2 0x02e2 0000029e: JUMP 0000029f: JUMPDEST 000002a0: DUP2 000002a1: MLOAD 000002a2: ISZERO 000002a3: DUP1 000002a4: ISZERO 000002a5: PUSH2 0x02b6 000002a8: JUMPI 000002a9: POP 000002aa: PUSH1 0x01 000002ac: PUSH1 0x01 000002ae: PUSH1 0xa0 000002b0: SHL 000002b1: SUB 000002b2: DUP5 000002b3: AND 000002b4: EXTCODESIZE 000002b5: ISZERO 000002b6: JUMPDEST 000002b7: ISZERO 000002b8: PUSH2 0x02df 000002bb: JUMPI 000002bc: PUSH1 0x40 000002be: MLOAD 000002bf: PUSH4 0x9996b315 000002c4: PUSH1 0xe0 000002c6: SHL 000002c7: DUP2 000002c8: MSTORE 000002c9: PUSH1 0x01 000002cb: PUSH1 0x01 000002cd: PUSH1 0xa0 000002cf: SHL 000002d0: SUB 000002d1: DUP6 000002d2: AND 000002d3: PUSH1 0x04 000002d5: DUP3 000002d6: ADD 000002d7: MSTORE 000002d8: PUSH1 0x24 000002da: ADD 000002db: PUSH2 0x01ab 000002de: JUMP 000002df: JUMPDEST 000002e0: POP 000002e1: DUP1 000002e2: JUMPDEST 000002e3: SWAP4 000002e4: SWAP3 000002e5: POP 000002e6: POP 000002e7: POP 000002e8: JUMP 000002e9: JUMPDEST 000002ea: DUP1 000002eb: MLOAD 000002ec: ISZERO 000002ed: PUSH2 0x02f9 000002f0: JUMPI 000002f1: DUP1 000002f2: MLOAD 000002f3: DUP1 000002f4: DUP3 000002f5: PUSH1 0x20 000002f7: ADD 000002f8: REVERT 000002f9: JUMPDEST 000002fa: PUSH1 0x40 000002fc: MLOAD 000002fd: PUSH4 0x0a12f521 00000302: PUSH1 0xe1 00000304: SHL 00000305: DUP2 00000306: MSTORE 00000307: PUSH1 0x04 00000309: ADD 0000030a: PUSH1 0x40 0000030c: MLOAD 0000030d: DUP1 0000030e: SWAP2 0000030f: SUB 00000310: SWAP1 00000311: REVERT 00000312: JUMPDEST 00000313: PUSH1 0x00 00000315: DUP1 00000316: DUP6 00000317: DUP6 00000318: GT 00000319: ISZERO 0000031a: PUSH2 0x0322 0000031d: JUMPI 0000031e: PUSH1 0x00 00000320: DUP1 00000321: REVERT 00000322: JUMPDEST 00000323: DUP4 00000324: DUP7 00000325: GT 00000326: ISZERO 00000327: PUSH2 0x032f 0000032a: JUMPI 0000032b: PUSH1 0x00 0000032d: DUP1 0000032e: REVERT 0000032f: JUMPDEST 00000330: POP 00000331: POP 00000332: DUP3 00000333: ADD 00000334: SWAP4 00000335: SWAP2 00000336: SWAP1 00000337: SWAP3 00000338: SUB 00000339: SWAP2 0000033a: POP 0000033b: JUMP 0000033c: JUMPDEST 0000033d: PUSH4 0x4e487b71 00000342: PUSH1 0xe0 00000344: SHL 00000345: PUSH1 0x00 00000347: MSTORE 00000348: PUSH1 0x41 0000034a: PUSH1 0x04 0000034c: MSTORE 0000034d: PUSH1 0x24 0000034f: PUSH1 0x00 00000351: REVERT 00000352: JUMPDEST 00000353: PUSH1 0x00 00000355: DUP1 00000356: PUSH1 0x40 00000358: DUP4 00000359: DUP6 0000035a: SUB 0000035b: SLT 0000035c: ISZERO 0000035d: PUSH2 0x0365 00000360: JUMPI 00000361: PUSH1 0x00 00000363: DUP1 00000364: REVERT 00000365: JUMPDEST 00000366: DUP3 00000367: CALLDATALOAD 00000368: PUSH1 0x01 0000036a: PUSH1 0x01 0000036c: PUSH1 0xa0 0000036e: SHL 0000036f: SUB 00000370: DUP2 00000371: AND 00000372: DUP2 00000373: EQ 00000374: PUSH2 0x037c 00000377: JUMPI 00000378: PUSH1 0x00 0000037a: DUP1 0000037b: REVERT 0000037c: JUMPDEST 0000037d: SWAP2 0000037e: POP 0000037f: PUSH1 0x20 00000381: DUP4 00000382: ADD 00000383: CALLDATALOAD 00000384: PUSH8 0xffffffffffffffff 0000038d: DUP1 0000038e: DUP3 0000038f: GT 00000390: ISZERO 00000391: PUSH2 0x0399 00000394: JUMPI 00000395: PUSH1 0x00 00000397: DUP1 00000398: REVERT 00000399: JUMPDEST 0000039a: DUP2 0000039b: DUP6 0000039c: ADD 0000039d: SWAP2 0000039e: POP 0000039f: DUP6 000003a0: PUSH1 0x1f 000003a2: DUP4 000003a3: ADD 000003a4: SLT 000003a5: PUSH2 0x03ad 000003a8: JUMPI 000003a9: PUSH1 0x00 000003ab: DUP1 000003ac: REVERT 000003ad: JUMPDEST 000003ae: DUP2 000003af: CALLDATALOAD 000003b0: DUP2 000003b1: DUP2 000003b2: GT 000003b3: ISZERO 000003b4: PUSH2 0x03bf 000003b7: JUMPI 000003b8: PUSH2 0x03bf 000003bb: PUSH2 0x033c 000003be: JUMP 000003bf: JUMPDEST 000003c0: PUSH1 0x40 000003c2: MLOAD 000003c3: PUSH1 0x1f 000003c5: DUP3 000003c6: ADD 000003c7: PUSH1 0x1f 000003c9: NOT 000003ca: SWAP1 000003cb: DUP2 000003cc: AND 000003cd: PUSH1 0x3f 000003cf: ADD 000003d0: AND 000003d1: DUP2 000003d2: ADD 000003d3: SWAP1 000003d4: DUP4 000003d5: DUP3 000003d6: GT 000003d7: DUP2 000003d8: DUP4 000003d9: LT 000003da: OR 000003db: ISZERO 000003dc: PUSH2 0x03e7 000003df: JUMPI 000003e0: PUSH2 0x03e7 000003e3: PUSH2 0x033c 000003e6: JUMP 000003e7: JUMPDEST 000003e8: DUP2 000003e9: PUSH1 0x40 000003eb: MSTORE 000003ec: DUP3 000003ed: DUP2 000003ee: MSTORE 000003ef: DUP9 000003f0: PUSH1 0x20 000003f2: DUP5 000003f3: DUP8 000003f4: ADD 000003f5: ADD 000003f6: GT 000003f7: ISZERO 000003f8: PUSH2 0x0400 000003fb: JUMPI 000003fc: PUSH1 0x00 000003fe: DUP1 000003ff: REVERT 00000400: JUMPDEST 00000401: DUP3 00000402: PUSH1 0x20 00000404: DUP7 00000405: ADD 00000406: PUSH1 0x20 00000408: DUP4 00000409: ADD 0000040a: CALLDATACOPY 0000040b: PUSH1 0x00 0000040d: PUSH1 0x20 0000040f: DUP5 00000410: DUP4 00000411: ADD 00000412: ADD 00000413: MSTORE 00000414: DUP1 00000415: SWAP6 00000416: POP 00000417: POP 00000418: POP 00000419: POP 0000041a: POP 0000041b: POP 0000041c: SWAP3 0000041d: POP 0000041e: SWAP3 0000041f: SWAP1 00000420: POP 00000421: JUMP 00000422: JUMPDEST 00000423: PUSH1 0x00 00000425: DUP3 00000426: MLOAD 00000427: PUSH1 0x00 00000429: JUMPDEST 0000042a: DUP2 0000042b: DUP2 0000042c: LT 0000042d: ISZERO 0000042e: PUSH2 0x0443 00000431: JUMPI 00000432: PUSH1 0x20 00000434: DUP2 00000435: DUP7 00000436: ADD 00000437: DUP2 00000438: ADD 00000439: MLOAD 0000043a: DUP6 0000043b: DUP4 0000043c: ADD 0000043d: MSTORE 0000043e: ADD 0000043f: PUSH2 0x0429 00000442: JUMP 00000443: JUMPDEST 00000444: POP 00000445: PUSH1 0x00 00000447: SWAP3 00000448: ADD 00000449: SWAP2 0000044a: DUP3 0000044b: MSTORE 0000044c: POP 0000044d: SWAP2 0000044e: SWAP1 0000044f: POP 00000450: JUMP 00000451: INVALID 00000452: LOG2 00000453: PUSH5 0x6970667358 00000459: UNKNOWN(0x22) 0000045a: SLT 0000045b: KECCAK256 0000045c: UNKNOWN(0x27) 0000045d: UNKNOWN(0xF8) 0000045e: ADD 0000045f: PUSH23 0x059c85af4ee8751015dd9e5db167736b2eedc4be4d13ff 00000477: UNKNOWN(0xC8) 00000478: PUSH16
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| critical | upgradeability | detector | Untrusted DELEGATECALL target reachable | 70 | no | no |
viewtrace_id: 0x9b71234d355ad7f06aff9901108d4bcf2c8e002ea1fde972106e9aa6b850d8f4
call_targets:
0x9c3a4329ff26934b04312162f83c8f69d52aa060
target_varies:
no
classification:
constant_target
validation_json{
"sink": "DELEGATECALL",
"errors": 0,
"status": "sink_reached",
"attempts": 1,
"trace_id": "0x9b71234d355ad7f06aff9901108d4bcf2c8e002ea1fde972106e9aa6b850d8f4",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0x9c3a4329ff26934b04312162f83c8f69d52aa060"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x278f7943",
"selector": "0x278f7943",
"calldata_variants": [
"0x278f7943",
"0x278f79430000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 355,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
},
{
"pc": 542,
"opcode": "DELEGATECALL",
"returndata_checked": null,
"value_expression_category": "n/a",
"target_expression_category": "computed"
}
],
"guards_detected": [],
"delegatecall_count": 2,
"untrusted_delegatecall_count": 2
}
|
| medium | upgradeability | cast | DELEGATECALL present | 80 | no | — |
viewevidence_json{
"notes": "delegatecall enables execution in caller context; common in proxies/upgradeable patterns",
"delegatecall_count": 2
}
|
| low | access_control | codex | Privileged arbitrary external call can move ETH/tokens | 65 | no | — |
viewevidence_json{
"evidence": "In selector 0xfe9ae209, the code checks caller against a masked SLOAD from slot 0x03 (pc:0x731) and then executes a raw CALL with computed parameters (pc:0x7ab). The callsite is marked as computed target/value in the bundle (callsite pc 1963).",
"locations": [
"selector:0xfe9ae209",
"pc:0x731",
"pc:0x7ab"
],
"recommendation": "Confirm this admin/execute capability is intentional. Restrict it to a multisig/timelock, and consider allow\u2011listing targets or removing the capability entirely if not required.",
"exploit_scenario": "If the role stored in slot 0x03 (used in the caller check) is compromised or misconfigured, an attacker can invoke selector 0xfe9ae209 to perform arbitrary CALLs with calldata\u2011supplied target/value, potentially draining ETH/tokens or invoking arbitrary contracts."
}
|