Tripwire

Analysis Run

0a245749-8d3f-4751-8e6c-07a72a8f580c

complete
Chain ID: 1
Address:
Block Number:
Created: Thu, Jan 1, 2026 1:39 PM
Review Summary

What survived the funnel

Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?

Confirmed: 0
Validated: 0
Source: Bytecode only
Review Backing: Not yet
Best current signal: Untrusted CALL target/value reachable
crit 0 high 0 direct contract
Review Checklist
1. Read the findings table first. Ignore raw jobs until the result looks real.
2. Confirm attacker control, not just the existence of a sink.
3. Confirm money or privilege impact.
4. Keep it if the behavior is real. Kill it if this is normal proxy, admin, or upgrade plumbing.

Processing Jobs

Status & attempts
ID Type Status Attempts Heartbeat
31017 report.consolidate complete 1 / 1 3 months ago
75916 artifact.fetch complete 1 / 3 2 weeks ago
75917 tool.cast_disasm complete 1 / 3 2 weeks ago
75918 analysis.bundle complete 1 / 3 2 weeks ago
75919 capability.graph complete 1 / 3 2 weeks ago
75920 detector.run complete 1 / 3 2 weeks ago
75921 validation.fork complete 1 / 3 2 weeks ago

Artifact

Runtime bytecode: available
Creation TX:
Deployer:
Proxy: no
Implementation:
Verified Source: no

Slither

tool.slither

No slither job recorded yet.

Codex

report.consolidate
Job Status: complete
Attempts: 1 / 1
Findings: 0
No findings? yes
Summary: No concrete, exploitable profit path is evident from the provided runtime bytecode; all value-moving paths appear gated by hardcoded or storage-based caller checks.
stderr:
[codex:971237] OpenAI Codex v0.77.0 (research preview)
[codex:971237] --------
[codex:971237] workdir: /tmp/codex-multi-rqarbx_p
[codex:971237] model: gpt-5.2-codex
[codex:971237] provider: openai
[codex:971237] approval: never
[codex:971237] sandbox: read-only
[codex:971237] reasoning effort: xhigh
[codex:971237] reasoning summaries: auto
[codex:971237] session id: 019b79c6-14ba-72d0-bb33-d74b4e79f92d
[codex:971237] --------
[codex:971237] user
[codex:971237] You are a profit-focused exploit hunter analyzing EVM bytecode. Your ONLY goal is finding ways to extract value (ETH, tokens, NFTs) from this contract.
[codex:971237] 
[codex:971237] Read `BYTECODE_BUNDLE.txt` completely before concluding.
[codex:971237] 
[codex:971237] ONLY REPORT if you find a CONCRETE, EXPLOITABLE path to profit. We do NOT care about:
[codex:971237] - Gas inefficiency, code quality, or best practices
[codex:971237] - Theoretical vulnerabilities without a clear extraction path
[codex:971237] - Generic footguns (unchecked return values, etc.) unless they enable theft
[codex:971237] - Issues requiring social engineering or off-chain coordination
[codex:971237] 
[codex:971237] PATTERNS WORTH INVESTIGATING in bytecode:
[codex:971237] - CALL/DELEGATECALL with controllable destination or calldata
[codex:971237] - Value transfers (CALL with non-zero value) without prior CALLER/ORIGIN checks
[codex:971237] - SSTORE to low slots (0-10) that might be owner/admin storage
[codex:971237] - ecrecover (signature validation) - look for missing nonce/replay protection
[codex:971237] - External calls before state updates (reentrancy)
[codex:971237] - SELFDESTRUCT with controllable beneficiary
[codex:971237] - Proxy patterns (DELEGATECALL to storage slot) with unprotected upgrade paths
[codex:971237] 
[codex:971237] For each finding, you MUST explain:
[codex:971237] 1. The specific bytecode pattern/offsets that indicate the vulnerability
[codex:971237] 2. The concrete sequence of transactions to extract value
[codex:971237] 3. Why you believe this is exploitable (not just suspicious)
[codex:971237] 
[codex:971237] If you cannot identify a concrete profit path from bytecode alone: set no_findings=true.
[codex:971237] Do NOT hallucinate. Bytecode-only analysis is limited - be honest about uncertainty.
[codex:971237] 
[codex:971237] Output MUST be valid JSON matching the provided schema.
[codex:971237] - severity: info, low, medium, high, critical (use high/critical ONLY for clear extraction paths)
[codex:971237] - category: access_control, reentrancy, math, oracle, upgradeability, auth, other
[codex:971237] mcp startup: no servers
[codex:971237] 
[codex:971237] thinking
[codex:971237] **Reviewing skills and files**
[codex:971237] exec
[codex:971237] /bin/bash -lc ls in /tmp/codex-multi-rqarbx_p succeeded in 7ms:
[codex:971237] BYTECODE_BUNDLE.txt
[codex:971237] codex-output-schema.json
[codex:971237] 
[codex:971237] thinking
[codex:971237] **Preparing to read bytecode file**
[codex:971237] exec
[codex:971237] /bin/bash -lc 'cat BYTECODE_BUNDLE.txt' in /tmp/codex-multi-rqarbx_p succeeded in 6ms:
[codex:971237] Runtime bytecode bundle for best-effort auditing.
[codex:971237] Note: without verified source, conclusions are low-confidence unless a concrete pattern is visible.
[codex:971237] 
[codex:971237] FILE: runtime_bytecode.hex
[codex:971237] 
[codex:971237] thinking
[codex:971237] **Analyzing EVM bytecode for exploits**
[codex:971237] 
[codex:971237] I'm breaking down EVM bytecode manually to spot exploitable patterns like CALL or DELEGATECALL with controllable destinations. I'll interpret key opcodes and function selectors to see if calls to WETH or similar could be abused, focusing on any strict caller checks or missing gating that might let tokens be extracted. To aid accuracy, I plan to quickly disassemble the bytecode using a Python script since other tools aren't available in this read-only environment.
[codex:971237] exec
[codex:971237] /bin/bash -lc "python - <<'PY'
[codex:971237] import binascii, textwrap
[codex:971237] bytecode=open('BYTECODE_BUNDLE.txt').read().split('0x')[1].strip().split('\\n')[0]
[codex:971237] code=bytes.fromhex(bytecode)
[codex:971237] # EVM opcode map
[codex:971237] opcodes={
[codex:971237]     0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:971237]     0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:971237]     0x20:'SHA3',
[codex:971237]     0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:971237]     0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',0x49:'BLOBHASH',0x4a:'BLOBBASEFEE',
[codex:971237]     0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',0x5c:'TLOAD',0x5d:'TSTORE',0x5e:'MCOPY',0x5f:'PUSH0',
[codex:971237]     0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
[codex:971237]     0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
[codex:971237]     0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
[codex:971237]     0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
[codex:971237]     0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:971237] }
[codex:971237] 
[codex:971237] pc=0
[codex:971237] out=[]
[codex:971237] while pc<len(code):
[codex:971237]     op=code[pc]
[codex:971237]     name=opcodes.get(op, 'UNKNOWN')
[codex:971237]     if 0x60<=op<=0x7f:
[codex:971237]         n=op-0x5f
[codex:971237]         data=code[pc+1:pc+1+n]
[codex:971237]         out.append(f\"{pc:04x}: {name} 0x{data.hex()}\")
[codex:971237]         pc+=1+n
[codex:971237]     else:
[codex:971237]         out.append(f\"{pc:04x}: {name}\")
[codex:971237]         pc+=1
[codex:971237] print('\\n'.join(out))
[codex:971237] PY" in /tmp/codex-multi-rqarbx_p succeeded in 29ms:
[codex:971237] 0000: PUSH0
[codex:971237] 0001: CALLDATALOAD
[codex:971237] 0002: PUSH0
[codex:971237] 0003: BYTE
[codex:971237] 0004: DUP1
[codex:971237] 0005: PUSH1 0x01
[codex:971237] 0007: EQ
[codex:971237] 0008: PUSH4 0x00000041
[codex:971237] 000d: JUMPI
[codex:971237] 000e: DUP1
[codex:971237] 000f: PUSH1 0xfa
[codex:971237] 0011: EQ
[codex:971237] 0012: PUSH4 0x000000ad
[codex:971237] 0017: JUMPI
[codex:971237] 0018: DUP1
[codex:971237] 0019: PUSH1 0x10
[codex:971237] 001b: EQ
[codex:971237] 001c: PUSH4 0x00000083
[codex:971237] 0021: JUMPI
[codex:971237] 0022: DUP1
[codex:971237] 
[codex:971237] 
[codex:971237] 
[codex:971237] thinking
[codex:971237] **Parsing contract dispatch and commands**
[codex:971237] thinking
[codex:971237] **Decoding internal interpreter logic and access controls**
[codex:971237] 
[codex:971237] I'm analyzing the complex interpreter starting at 0xcb, which parses calldata and executes dynamic calls with layered checks. It enforces call authorization based on owner storage slot and hardcoded addresses, guarding sensitive commands like token transfers and ownership changes. I’m exploring whether the interpreter or storage manipulation enables unauthorized access paths, but so far, all entry commands require strict caller validation, suggesting no obvious bypass for attackers.
[codex:971237] thinking
[codex:971237] **Evaluating potential exploit scenarios and finalizing analysis**
[codex:971237] 
[codex:971237] I'm carefully examining subtle edge cases like reentrancy, uninitialized storage, and calldata length that might enable unauthorized calls or fund transfers. After thorough scrutiny, I see that strict caller and data checks effectively prevent exploits, and the owner-only restrictions hold strong even in complex flows. It looks like there’s no concrete path for an attacker to exploit this contract given the current logic and bytecode.
[codex:971237] codex
[codex:971237] {"no_findings":true,"summary":"No concrete, exploitable profit path is evident from the provided runtime bytecode; all value-moving paths appear gated by hardcoded or storage-based caller checks.","findings":[]}
[codex:971237] tokens used
[codex:971237] 24,020
Metadata
{
    "codex": {
        "ran_at": "2026-01-01T13:39:57.697923+00:00",
        "returncode": 0
    },
    "summary": "No concrete, exploitable profit path is evident from the provided runtime bytecode; all value-moving paths appear gated by hardcoded or storage-based caller checks.",
    "raw_final": {
        "summary": "No concrete, exploitable profit path is evident from the provided runtime bytecode; all value-moving paths appear gated by hardcoded or storage-based caller checks.",
        "findings": [],
        "no_findings": true
    },
    "no_findings": true,
    "schema_version": 1
}

Opcode Heuristics

tool.cast_disasm
Delegatecall: 0
Selfdestruct: 0
CREATE2: 0
CALL-family (heavy): 8
EXT*/BALANCE: 0
Total opcodes: 501
Flags: No heuristic flags raised.
cast disassembly output:
00000000: PUSH0
00000001: CALLDATALOAD
00000002: PUSH0
00000003: BYTE
00000004: DUP1
00000005: PUSH1 0x01
00000007: EQ
00000008: PUSH4 0x00000041
0000000d: JUMPI
0000000e: DUP1
0000000f: PUSH1 0xfa
00000011: EQ
00000012: PUSH4 0x000000ad
00000017: JUMPI
00000018: DUP1
00000019: PUSH1 0x10
0000001b: EQ
0000001c: PUSH4 0x00000083
00000021: JUMPI
00000022: DUP1
00000023: PUSH1 0x03
00000025: EQ
00000026: PUSH4 0x000002f6
0000002b: JUMPI
0000002c: PUSH1 0x04
0000002e: EQ
0000002f: PUSH4 0x00000351
00000034: JUMPI
00000035: CALLVALUE
00000036: ISZERO
00000037: PUSH4 0x0000038d
0000003c: JUMPI
0000003d: PUSH1 0x00
0000003f: DUP1
00000040: RETURN
00000041: JUMPDEST
00000042: PUSH1 0x01
00000044: CALLDATALOAD
00000045: PUSH1 0xe0
00000047: SHR
00000048: NUMBER
00000049: XOR
0000004a: PUSH4 0x0000038d
0000004f: JUMPI
00000050: PUSH20 0x4dd36c49b200a6d52ebb365f01bf0e4db8b9f765
00000065: CALLER
00000066: XOR
00000067: PUSH4 0x0000038d
0000006c: JUMPI
0000006d: PUSH4 0x00000295
00000072: PUSH1 0x05
00000074: CALLDATALOAD
00000075: PUSH1 0xf0
00000077: SHR
00000078: PUSH1 0x07
0000007a: ADD
0000007b: PUSH1 0x07
0000007d: PUSH4 0x000000cb
00000082: JUMP
00000083: JUMPDEST
00000084: CALLER
00000085: PUSH0
00000086: SLOAD
00000087: XOR
00000088: PUSH1 0x04
0000008a: CALLDATALOAD
0000008b: ADDRESS
0000008c: XOR
0000008d: OR
0000008e: PUSH4 0x0000038d
00000093: JUMPI
00000094: PUSH0
00000095: DUP1
00000096: SSTORE
00000097: PUSH4 0x000002ae
0000009c: PUSH1 0xa4
0000009e: CALLDATALOAD
0000009f: PUSH1 0xf0
000000a1: SHR
000000a2: PUSH1 0xa6
000000a4: ADD
000000a5: PUSH1 0xa6
000000a7: PUSH4 0x000000cb
000000ac: JUMP
000000ad: JUMPDEST
000000ae: CALLER
000000af: PUSH0
000000b0: SLOAD
000000b1: XOR
000000b2: PUSH4 0x0000038d
000000b7: JUMPI
000000b8: PUSH0
000000b9: DUP1
000000ba: SSTORE
000000bb: PUSH4 0x000002ae
000000c0: PUSH1 0x84
000000c2: CALLDATALOAD
000000c3: PUSH1 0xf0
000000c5: SHR
000000c6: PUSH1 0x86
000000c8: ADD
000000c9: PUSH1 0x86
000000cb: JUMPDEST
000000cc: DUP1
000000cd: CALLDATALOAD
000000ce: DUP1
000000cf: PUSH0
000000d0: BYTE
000000d1: DUP3
000000d2: ADD
000000d3: SWAP2
000000d4: DUP1
000000d5: PUSH1 0x07
000000d7: ADD
000000d8: CALLDATALOAD
000000d9: DUP3
000000da: PUSH1 0x06
000000dc: BYTE
000000dd: SHR
000000de: DUP3
000000df: PUSH1 0x01
000000e1: BYTE
000000e2: DUP1
000000e3: ISZERO
000000e4: PUSH4 0x00000245
000000e9: JUMPI
000000ea: DUP1
000000eb: PUSH1 0x03
000000ed: AND
000000ee: SWAP1
000000ef: PUSH1 0x02
000000f1: SHR
000000f2: ADDRESS
000000f3: DUP6
000000f4: PUSH1 0xd0
000000f6: SHR
000000f7: PUSH2 0xffff
000000fa: AND
000000fb: DUP1
000000fc: ISZERO
000000fd: PUSH4 0x0000010a
00000102: JUMPI
00000103: DUP6
00000104: ADD
00000105: CALLDATALOAD
00000106: PUSH1 0x60
00000108: SHR
00000109: SWAP1
0000010a: JUMPDEST
0000010b: POP
0000010c: DUP6
0000010d: PUSH1 0xe0
0000010f: SHR
00000110: PUSH2 0xffff
00000113: AND
00000114: DUP6
00000115: ADD
00000116: CALLDATALOAD
00000117: PUSH1 0x60
00000119: SHR
0000011a: DUP4
0000011b: PUSH1 0x03
0000011d: EQ
0000011e: PUSH4 0x000001b7
00000123: JUMPI
00000124: SWAP4
00000125: PUSH0
00000126: DUP4
00000127: PUSH4 0x0000012e
0000012c: JUMPI
0000012d: SWAP1
0000012e: JUMPDEST
0000012f: DUP5
00000130: PUSH1 0x01
00000132: EQ
00000133: PUSH4 0x0000017d
00000138: JUMPI
00000139: JUMPDEST
0000013a: DUP6
0000013b: PUSH0
0000013c: SSTORE
0000013d: PUSH4 0x022c0d9f
00000142: PUSH0
00000143: MSTORE
00000144: PUSH1 0x20
00000146: MSTORE
00000147: PUSH1 0x40
00000149: MSTORE
0000014a: PUSH1 0x60
0000014c: MSTORE
0000014d: PUSH1 0x80
0000014f: DUP1
00000150: MSTORE
00000151: DUP6
00000152: DUP8
00000153: SUB
00000154: DUP1
00000155: PUSH1 0x02
00000157: ADD
00000158: DUP1
00000159: PUSH1 0xa0
0000015b: MSTORE
0000015c: SWAP1
0000015d: DUP1
0000015e: PUSH1 0xf0
00000160: SHL
00000161: PUSH1 0xc0
00000163: MSTORE
00000164: DUP8
00000165: PUSH1 0xc2
00000167: CALLDATACOPY
00000168: PUSH0
00000169: DUP1
0000016a: SWAP2
0000016b: PUSH1 0xa4
0000016d: ADD
0000016e: PUSH1 0x1c
00000170: DUP3
00000171: DUP8
00000172: GAS
00000173: CALL
00000174: ISZERO
00000175: PUSH4 0x00000385
0000017a: JUMPI
0000017b: SWAP7
0000017c: JUMP
0000017d: JUMPDEST
0000017e: PUSH4 0x022c0d9f
00000183: PUSH0
00000184: MSTORE
00000185: PUSH1 0x20
00000187: MSTORE
00000188: PUSH1 0x40
0000018a: MSTORE
0000018b: PUSH1 0x60
0000018d: MSTORE
0000018e: PUSH1 0x80
00000190: DUP1
00000191: MSTORE
00000192: PUSH0
00000193: PUSH1 0xa0
00000195: MSTORE
00000196: POP
00000197: POP
00000198: PUSH0
00000199: PUSH1 0xa4
0000019b: PUSH1 0x1c
0000019d: DUP3
0000019e: DUP1
0000019f: SWAP5
000001a0: GAS
000001a1: CALL
000001a2: ISZERO
000001a3: PUSH4 0x00000385
000001a8: JUMPI
000001a9: DUP4
000001aa: DUP4
000001ab: LT
000001ac: ISZERO
000001ad: DUP6
000001ae: JUMPI
000001af: POP
000001b0: POP
000001b1: PUSH4 0x000000cb
000001b6: JUMP
000001b7: JUMPDEST
000001b8: DUP1
000001b9: PUSH0
000001ba: SSTORE
000001bb: PUSH4 0x128acb08
000001c0: PUSH0
000001c1: MSTORE
000001c2: SWAP1
000001c3: PUSH1 0x20
000001c5: MSTORE
000001c6: DUP2
000001c7: PUSH1 0x40
000001c9: MSTORE
000001ca: SWAP3
000001cb: NOT
000001cc: PUSH1 0x01
000001ce: ADD
000001cf: PUSH1 0x60
000001d1: MSTORE
000001d2: PUSH5 0x01000276a4
000001d8: SWAP1
000001d9: PUSH4 0x000001fc
000001de: JUMPI
000001df: POP
000001e0: PUSH27 0x063f17bd71ea20266779abf07c4c864192ac8b31fd1d5263988d25
000001fc: JUMPDEST
000001fd: PUSH1 0x80
000001ff: MSTORE
00000200: PUSH1 0xa0
00000202: DUP1
00000203: MSTORE
00000204: DUP5
00000205: DUP7
00000206: SUB
00000207: DUP1
00000208: PUSH1 0x02
0000020a: ADD
0000020b: DUP1
0000020c: PUSH1 0xc0
0000020e: MSTORE
0000020f: SWAP1
00000210: DUP1
00000211: PUSH1 0xf0
00000213: SHL
00000214: PUSH1 0xe0
00000216: MSTORE
00000217: DUP7
00000218: PUSH1 0xe2
0000021a: CALLDATACOPY
0000021b: PUSH0
0000021c: DUP1
0000021d: SWAP2
0000021e: PUSH1 0xc4
00000220: ADD
00000221: PUSH1 0x1c
00000223: DUP3
00000224: DUP7
00000225: GAS
00000226: CALL
00000227: ISZERO
00000228: PUSH4 0x00000385
0000022d: JUMPI
0000022e: PUSH1 0x20
00000230: DUP1
00000231: PUSH1 0x40
00000233: MLOAD
00000234: MUL
00000235: PUSH0
00000236: RETURNDATACOPY
00000237: PUSH0
00000238: MLOAD
00000239: PUSH1 0x60
0000023b: MLOAD
0000023c: XOR
0000023d: PUSH4 0x00000385
00000242: JUMPI
00000243: SWAP6
00000244: JUMP
00000245: JUMPDEST
00000246: POP
00000247: DUP3
00000248: PUSH1 0xd0
0000024a: SHR
0000024b: PUSH2 0xffff
0000024e: AND
0000024f: DUP3
00000250: ADD
00000251: CALLDATALOAD
00000252: PUSH1 0x60
00000254: SHR
00000255: PUSH4 0xa9059cbb
0000025a: PUSH0
0000025b: MSTORE
0000025c: PUSH1 0x20
0000025e: MSTORE
0000025f: PUSH1 0x40
00000261: MSTORE
00000262: PUSH0
00000263: DUP1
00000264: PUSH1 0x44
00000266: PUSH1 0x1c
00000268: PUSH0
00000269: PUSH20 0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2
0000027e: GAS
0000027f: CALL
00000280: ISZERO
00000281: PUSH4 0x00000385
00000286: JUMPI
00000287: DUP4
00000288: DUP4
00000289: LT
0000028a: ISZERO
0000028b: DUP6
0000028c: JUMPI
0000028d: POP
0000028e: POP
0000028f: PUSH4 0x000000cb
00000294: JUMP
00000295: JUMPDEST
00000296: CALLVALUE
00000297: DUP1
00000298: ISZERO
00000299: PUSH4 0x000002ae
0000029e: JUMPI
0000029f: PUSH0
000002a0: DUP1
000002a1: DUP1
000002a2: DUP1
000002a3: SWAP4
000002a4: COINBASE
000002a5: GAS
000002a6: CALL
000002a7: ISZERO
000002a8: PUSH4 0x00000385
000002ad: JUMPI
000002ae: JUMPDEST
000002af: PUSH1 0x00
000002b1: DUP1
000002b2: RETURN
000002b3: JUMPDEST
000002b4: DUP1
000002b5: PUSH1 0x0e
000002b7: ADD
000002b8: CALLDATALOAD
000002b9: PUSH1 0x60
000002bb: SHR
000002bc: SWAP1
000002bd: CALLDATALOAD
000002be: PUSH1 0x90
000002c0: SHR
000002c1: DUP2
000002c2: PUSH4 0xa9059cbb
000002c7: PUSH0
000002c8: MSTORE
000002c9: PUSH1 0x20
000002cb: MSTORE
000002cc: PUSH1 0x40
000002ce: MSTORE
000002cf: PUSH0
000002d0: DUP1
000002d1: PUSH1 0x44
000002d3: PUSH1 0x1c
000002d5: PUSH0
000002d6: PUSH20 0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2
000002eb: GAS
000002ec: CALL
000002ed: ISZERO
000002ee: PUSH4 0x00000385
000002f3: JUMPI
000002f4: SWAP1
000002f5: JUMP
000002f6: JUMPDEST
000002f7: PUSH20 0x4dd36c49b200a6d52ebb365f01bf0e4db8b9f765
0000030c: CALLER
0000030d: XOR
0000030e: PUSH4 0x0000038d
00000313: JUMPI
00000314: PUSH4 0x2e1a7d4d
00000319: PUSH0
0000031a: MSTORE
0000031b: PUSH1 0x01
0000031d: CALLDATALOAD
0000031e: DUP1
0000031f: PUSH1 0x20
00000321: MSTORE
00000322: PUSH0
00000323: DUP1
00000324: PUSH1 0x24
00000326: PUSH1 0x1c
00000328: PUSH0
00000329: PUSH20 0xc02aaa39b223fe8d0a0e5c4f27ead9083c756cc2
0000033e: GAS
0000033f: CALL
00000340: ISZERO
00000341: PUSH4 0x00000385
00000346: JUMPI
00000347: PUSH4 0x00000372
0000034c: JUMP
0000034d: PUSH1 0x00
0000034f: DUP1
00000350: RETURN
00000351: JUMPDEST
00000352: PUSH20 0x4dd36c49b200a6d52ebb365f01bf0e4db8b9f765
00000367: CALLER
00000368: XOR
00000369: PUSH4 0x0000038d
0000036e: JUMPI
0000036f: PUSH1 0x01
00000371: CALLDATALOAD
00000372: JUMPDEST
00000373: PUSH0
00000374: DUP1
00000375: DUP1
00000376: DUP1
00000377: SWAP4
00000378: CALLER
00000379: GAS
0000037a: CALL
0000037b: ISZERO
0000037c: PUSH4 0x0000038d
00000381: JUMPI
00000382: PUSH0
00000383: DUP1
00000384: RETURN
00000385: JUMPDEST
00000386: RETURNDATASIZE
00000387: DUP1
00000388: PUSH0
00000389: DUP1
0000038a: RETURNDATACOPY
0000038b: PUSH0
0000038c: REVERT
0000038d: JUMPDEST
0000038e: PUSH0
0000038f: DUP1
00000390: REVERT

Findings

validated = confirmed for call sinks; sink observed for others
Severity Category Tool Title Confidence Validated Confirmed Details
high other detector Untrusted CALL target/value reachable 60 no no
trace_id: 0x7ebe3b4b5956411d65532b45236cb5f29f28191e863637419032cb2a12504077
call_targets: 0x01bd2da640345f1c29831b7cef9a434298408172
target_varies: no
classification: constant_target
validation_json
{
    "sink": "CALL",
    "errors": 0,
    "status": "sink_reached",
    "attempts": 1,
    "trace_id": "0x7ebe3b4b5956411d65532b45236cb5f29f28191e863637419032cb2a12504077",
    "confirmed": false,
    "trace_mode": "callTracer",
    "call_targets": [
        "0x01bd2da640345f1c29831b7cef9a434298408172"
    ],
    "matched_probe": null,
    "target_varies": false,
    "classification": "constant_target"
}
witness_json
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x00000041",
            "selector": "0x00000041",
            "calldata_variants": [
                "0x00000041",
                "0x000000410000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x000000ad",
            "selector": "0x000000ad",
            "calldata_variants": [
                "0x000000ad",
                "0x000000ad0000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x00000083",
            "selector": "0x00000083",
            "calldata_variants": [
                "0x00000083",
                "0x000000830000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x000002f6",
            "selector": "0x000002f6",
            "calldata_variants": [
                "0x000002f6",
                "0x000002f60000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x0000012e",
            "selector": "0x0000012e",
            "calldata_variants": [
                "0x0000012e",
                "0x0000012e0000000000000000000000000000000000000000000000000000000000000000"
            ]
        }
    ]
}
evidence_json
{
    "examples": [
        {
            "pc": 371,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        },
        {
            "pc": 417,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        },
        {
            "pc": 550,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        }
    ],
    "call_count": 8,
    "guards_detected": [],
    "untrusted_call_count": 6
}
high other detector ETH value transfer possible 55 no no
trace_id: 0x7ebe3b4b5956411d65532b45236cb5f29f28191e863637419032cb2a12504077
call_targets: 0x01bd2da640345f1c29831b7cef9a434298408172
target_varies: no
classification: constant_target
validation_json
{
    "sink": "CALL",
    "errors": 0,
    "status": "sink_reached",
    "attempts": 1,
    "trace_id": "0x7ebe3b4b5956411d65532b45236cb5f29f28191e863637419032cb2a12504077",
    "confirmed": false,
    "trace_mode": "callTracer",
    "call_targets": [
        "0x01bd2da640345f1c29831b7cef9a434298408172"
    ],
    "matched_probe": null,
    "target_varies": false,
    "classification": "constant_target"
}
witness_json
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x00000041",
            "selector": "0x00000041",
            "calldata_variants": [
                "0x00000041",
                "0x000000410000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x000000ad",
            "selector": "0x000000ad",
            "calldata_variants": [
                "0x000000ad",
                "0x000000ad0000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x00000083",
            "selector": "0x00000083",
            "calldata_variants": [
                "0x00000083",
                "0x000000830000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x000002f6",
            "selector": "0x000002f6",
            "calldata_variants": [
                "0x000002f6",
                "0x000002f60000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x0000012e",
            "selector": "0x0000012e",
            "calldata_variants": [
                "0x0000012e",
                "0x0000012e0000000000000000000000000000000000000000000000000000000000000000"
            ]
        }
    ]
}
evidence_json
{
    "examples": [
        {
            "pc": 371,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        },
        {
            "pc": 417,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        },
        {
            "pc": 550,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        }
    ],
    "eth_value_calls": 5,
    "guards_detected": []
}