Tripwire
Find contracts. Test them. Review real vulns.

Analysis Run

16d829c8-3cab-4cbb-9742-3289e5bd9a3d

complete
Chain ID
1
Address
Block Number
Created
Tue, Dec 30, 2025 2:32 PM
Review Summary

What survived the funnel

Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?

Confirmed
0
Validated
0
Source
Verified
Review Backing
Present
Best current signal
Untrusted DELEGATECALL target reachable
crit 0 high 0 direct contract
Review Checklist
1. Read the findings table first. Ignore raw jobs until the result looks real.
2. Confirm attacker control, not just the existence of a sink.
3. Confirm money or privilege impact.
4. Keep it if the behavior is real. Kill it if this is normal proxy, admin, or upgrade plumbing.

Processing Jobs

Status & attempts
ID     Type                Status    Attempts  Heartbeat
30701  report.consolidate  complete  1 / 1     3 months ago
75202  artifact.fetch      complete  1 / 3     1 week ago
75203  tool.cast_disasm    complete  1 / 3     1 week ago
75204  analysis.bundle     complete  1 / 3     1 week ago
75205  capability.graph    complete  1 / 3     1 week ago
75206  detector.run        complete  1 / 3     1 week ago
75207  validation.fork     complete  1 / 3     1 week ago

Artifact

Runtime bytecode: available
Creation TX:
Deployer:
Proxy: no
Implementation:
Verified Source: yes

Slither

tool.slither

No slither job recorded yet.

Codex

report.consolidate
Job Status
complete
Attempts
1 / 1
Findings
2
No findings?
no
Summary
Found 2 issues: batchExecute can over-credit protocol fees with a single ETH payment from a valid exchange, and unchecked ERC20 transfer return values can desync accounting.
View stderr
[codex:430718] OpenAI Codex v0.77.0 (research preview)
[codex:430718] --------
[codex:430718] workdir: /tmp/codex-multi-7u3gook8
[codex:430718] model: gpt-5.2-codex
[codex:430718] provider: openai
[codex:430718] approval: never
[codex:430718] sandbox: read-only
[codex:430718] reasoning effort: xhigh
[codex:430718] reasoning summaries: auto
[codex:430718] session id: 019b6fa5-929d-7fd0-886b-d1395f609b1a
[codex:430718] --------
[codex:430718] user
[codex:430718] You are a security auditor. Audit this Solidity codebase for exploitable vulnerabilities.
[codex:430718] Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation, oracle manipulation,
[codex:430718] accounting/invariant breaks, external call patterns, unchecked return values, and dangerous delegatecall.
[codex:430718] 
[codex:430718] Scope rules:
[codex:430718] - You MUST fully read `AUDIT_BUNDLE.txt` before concluding. It contains the complete contents of all first-party `contracts/**/*.sol` files.
[codex:430718] - Treat `lib/` and `@openzeppelin/` as third-party dependencies; skip them unless there is a concrete misuse angle in first-party code.
[codex:430718] 
[codex:430718] Output MUST be valid JSON matching the provided schema.
[codex:430718] - If you find nothing meaningful: set no_findings=true and findings=[].
[codex:430718] - Otherwise: set no_findings=false and include findings with severity/category/title and file/line locations when possible.
[codex:430718] 
[codex:430718] Output constraints (IMPORTANT):
[codex:430718] - severity MUST be exactly one of: info, low, medium, high, critical (lowercase).
[codex:430718] - category MUST be exactly one of: access_control, reentrancy, math, oracle, upgradeability, auth, other.
[codex:430718] mcp startup: no servers
[codex:430718] 
[codex:430718] thinking
[codex:430718] **Preparing to read AUDIT_BUNDLE.txt**
[codex:430718] exec
[codex:430718] /bin/bash -lc ls in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718] AUDIT_BUNDLE.txt
[codex:430718] codex-output-schema.json
[codex:430718] contracts
[codex:430718] exec
[codex:430718] /bin/bash -lc "sed -n '1,200p' AUDIT_BUNDLE.txt" in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718] This file concatenates the full contents of first-party Solidity sources for auditing.
[codex:430718] 
[codex:430718] ================================================================================
[codex:430718] FILE: contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/Staking.sol
[codex:430718] ================================================================================
[codex:430718] /*
[codex:430718] 
[codex:430718]   Copyright 2019 ZeroEx Intl.
[codex:430718] 
[codex:430718]   Licensed under the Apache License, Version 2.0 (the "License");
[codex:430718]   you may not use this file except in compliance with the License.
[codex:430718]   You may obtain a copy of the License at
[codex:430718] 
[codex:430718]     http://www.apache.org/licenses/LICENSE-2.0
[codex:430718] 
[codex:430718]   Unless required by applicable law or agreed to in writing, software
[codex:430718]   distributed under the License is distributed on an "AS IS" BASIS,
[codex:430718]   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
[codex:430718]   See the License for the specific language governing permissions and
[codex:430718]   limitations under the License.
[codex:430718] exec
[codex:430718] /bin/bash -lc "sed -n '200,400p' AUDIT_BUNDLE.txt" in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718]     function assertValidStorageParams()
[codex:430718]         public
[codex:430718]         view
[codex:430718]     {
[codex:430718]         // Epoch length must be between 5 and 30 days long
[codex:430718]         uint256 _epochDurationInSeconds = epochDurationInSeconds;
[codex:430718]         if (_epochDurationInSeconds < 5 days || _epochDurationInSeconds > 30 days) {
[codex:430718]             LibRichErrors.rrevert(
[codex:430718]                 LibStakingRichErrors.InvalidParamValueError(
[codex:430718]                     LibStakingRichErrors.InvalidParamValueErrorCodes.InvalidEpochDuration
[codex:430718]             ));
[codex:430718]         }
[codex:430718] 
[codex:430718]         // Alpha must be 0 < x <= 1
[codex:430718]         uint32 _cobbDouglasAlphaDenominator = cobbDouglasAlphaDenominator;
[codex:430718]         if (cobbDouglasAlphaNumerator > _cobbDouglasAlphaDenominator || _cobbDouglasAlphaDenominator == 0) {
[codex:430718]             LibRichErrors.rrevert(
[codex:430718]                 LibStakingRichErrors.InvalidParamValueError(
[codex:430718]                     LibStakingRichErrors.InvalidParamValueErrorCodes.InvalidCobbDouglasAlpha
[codex:430718]             ));
[codex:430718] exec
[codex:430718] /bin/bash -lc "sed -n '400,800p' AUDIT_BUNDLE.txt" in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718]         onlyStakingProxy
[codex:430718]         onlyNotInCatastrophicFailure
[codex:430718]     {
[codex:430718]         // update balance
[codex:430718]         _balances[staker] = _balances[staker].safeAdd(amount);
[codex:430718] 
[codex:430718]         // notify
[codex:430718]         emit Deposit(staker, amount);
[codex:430718] 
[codex:430718]         // deposit ZRX from staker
[codex:430718]         zrxAssetProxy.transferFrom(
[codex:430718]             _zrxAssetData,
[codex:430718]             staker,
[codex:430718]             address(this),
[codex:430718]             amount
[codex:430718]         );
[codex:430718]     }
[codex:430718] 
[codex:430718]     /// @dev Withdraw an `amount` of Zrx Tokens to `staker` from the vault.
[codex:430718]     /// Note that only the Staking contract can call this.
[codex:430718] exec
[codex:430718] /bin/bash -lc "sed -n '800,1200p' AUDIT_BUNDLE.txt" in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718]     // 100% in parts-per-million.
[codex:430718]     uint32 constant internal PPM_DENOMINATOR = 10**6;
[codex:430718] 
[codex:430718]     bytes32 constant internal NIL_POOL_ID = 0x0000000000000000000000000000000000000000000000000000000000000000;
[codex:430718] 
[codex:430718]     address constant internal NIL_ADDRESS = 0x0000000000000000000000000000000000000000;
[codex:430718] 
[codex:430718]     uint256 constant internal MIN_TOKEN_VALUE = 10**18;
[codex:430718] }
[codex:430718] 
[codex:430718] ================================================================================
[codex:430718] FILE: contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/immutable/MixinDeploymentConstants.sol
[codex:430718] ================================================================================
[codex:430718] /*
[codex:430718] 
[codex:430718]   Copyright 2019 ZeroEx Intl.
[codex:430718] 
[codex:430718]   Licensed under the Apache License, Version 2.0 (the "License");
[codex:430718]   you may not use this file except in compliance with the License.
[codex:430718]   You may obtain a copy of the License at
[codex:430718] exec
[codex:430718] /bin/bash -lc "sed -n '1200,1600p' AUDIT_BUNDLE.txt" in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718]             uint256 _epochDurationInSeconds,
[codex:430718]             uint32 _rewardDelegatedStakeWeight,
[codex:430718]             uint256 _minimumPoolStake,
[codex:430718]             uint32 _cobbDouglasAlphaNumerator,
[codex:430718]             uint32 _cobbDouglasAlphaDenominator
[codex:430718]         );
[codex:430718] 
[codex:430718]     /// @param staker of stake.
[codex:430718]     /// @param poolId Unique Id of pool.
[codex:430718]     /// @return Stake delegated to pool by staker.
[codex:430718]     function getStakeDelegatedToPoolByOwner(address staker, bytes32 poolId)
[codex:430718]         external
[codex:430718]         view
[codex:430718]         returns (IStructs.StoredBalance memory balance);
[codex:430718] 
[codex:430718]     /// @dev Returns a staking pool
[codex:430718]     /// @param poolId Unique id of pool.
[codex:430718]     function getStakingPool(bytes32 poolId)
[codex:430718]         external
[codex:430718]         view
[codex:430718] exec
[codex:430718] /bin/bash -lc "sed -n '1600,2000p' AUDIT_BUNDLE.txt" in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718]     /// @param weightedStake Amount of weighted stake in the pool.
[codex:430718]     /// @param membersStake Amount of non-operator stake in the pool.
[codex:430718]     struct PoolStats {
[codex:430718]         uint256 feesCollected;
[codex:430718]         uint256 weightedStake;
[codex:430718]         uint256 membersStake;
[codex:430718]     }
[codex:430718] 
[codex:430718]     /// @dev Holds stats aggregated across a set of pools.
[codex:430718]     /// @param rewardsAvailable Rewards (ETH) available to the epoch
[codex:430718]     ///        being finalized (the previous epoch). This is simply the balance
[codex:430718]     ///        of the contract at the end of the epoch.
[codex:430718]     /// @param numPoolsToFinalize The number of pools that have yet to be finalized through `finalizePools()`.
[codex:430718]     /// @param totalFeesCollected The total fees collected for the epoch being finalized.
[codex:430718]     /// @param totalWeightedStake The total fees collected for the epoch being finalized.
[codex:430718]     /// @param totalRewardsFinalized Amount of rewards that have been paid during finalization.
[codex:430718]     struct AggregatedStats {
[codex:430718]         uint256 rewardsAvailable;
[codex:430718]         uint256 numPoolsToFinalize;
[codex:430718]         uint256 totalFeesCollected;
[codex:430718] exec
[codex:430718] /bin/bash -lc "sed -n '2000,2400p' AUDIT_BUNDLE.txt" in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718]     /// @dev Convert signed `n` / `d` to a fixed-point number.
[codex:430718]     function toFixed(int256 n, int256 d) internal pure returns (int256 f) {
[codex:430718]         f = _div(_mul(n, FIXED_1), d);
[codex:430718]     }
[codex:430718] 
[codex:430718]     /// @dev Convert unsigned `n` / 1 to a fixed-point number.
[codex:430718]     ///      Reverts if `n` is too large to fit in a fixed-point number.
[codex:430718]     function toFixed(uint256 n) internal pure returns (int256 f) {
[codex:430718]         if (int256(n) < int256(0)) {
[codex:430718]             LibRichErrors.rrevert(LibFixedMathRichErrors.UnsignedValueError(
[codex:430718]                 LibFixedMathRichErrors.ValueErrorCodes.TOO_LARGE,
[codex:430718]                 n
[codex:430718]             ));
[codex:430718]         }
[codex:430718]         f = _mul(int256(n), FIXED_1);
[codex:430718]     }
[codex:430718] 
[codex:430718]     /// @dev Convert unsigned `n` / `d` to a fixed-point number.
[codex:430718]     ///      Reverts if `n` / `d` is too large to fit in a fixed-point number.
[codex:430718]     function toFixed(uint256 n, uint256 d) internal pure returns (int256 f) {
[codex:430718] exec
[codex:430718] /bin/bash -lc "sed -n '2400,2800p' AUDIT_BUNDLE.txt" in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718] library LibSafeDowncast {
[codex:430718] 
[codex:430718]     /// @dev Safely downcasts to a uint96
[codex:430718]     /// Note that this reverts if the input value is too large.
[codex:430718]     function downcastToUint96(uint256 a)
[codex:430718]         internal
[codex:430718]         pure
[codex:430718]         returns (uint96 b)
[codex:430718]     {
[codex:430718]         b = uint96(a);
[codex:430718]         if (uint256(b) != a) {
[codex:430718]             LibRichErrors.rrevert(LibSafeMathRichErrors.Uint256DowncastError(
[codex:430718]                 LibSafeMathRichErrors.DowncastErrorCodes.VALUE_TOO_LARGE_TO_DOWNCAST_TO_UINT96,
[codex:430718]                 a
[codex:430718]             ));
[codex:430718]         }
[codex:430718]         return b;
[codex:430718]     }
[codex:430718] 
[codex:430718]     /// @dev Safely downcasts to a uint64
[codex:430718] exec
[codex:430718] /bin/bash -lc "sed -n '2800,3200p' AUDIT_BUNDLE.txt" in /tmp/codex-multi-7u3gook8 succeeded in 7ms:
[codex:430718] */
[codex:430718] 
[codex:430718] pragma solidity ^0.5.9;
[codex:430718] pragma experimental ABIEncoderV2;
[codex:430718] 
[codex:430718] import "@0x/contracts-utils/contracts/src/LibSafeMath.sol";
[codex:430718] import "../staking_pools/MixinStakingPool.sol";
[codex:430718] import "../libs/LibStakingRichErrors.sol";
[codex:430718] 
[codex:430718] 
[codex:430718] contract MixinStake is
[codex:430718]     MixinStakingPool
[codex:430718] {
[codex:430718]     using LibSafeMath for uint256;
[codex:430718] 
[codex:430718]     /// @dev Stake ZRX tokens. Tokens are deposited into the ZRX Vault.
[codex:430718]     ///      Unstake to retrieve the ZRX. Stake is in the 'Active' status.
[codex:430718]     /// @param amount of ZRX to stake.
[codex:430718]     function stake(uint256 amount)
[codex:430718]         external
[codex:430718] exec
[codex:430718] /bin/bash -lc "sed -n '3200,3600p' AUDIT_BUNDLE.txt" in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718]         }
[codex:430718] 
[codex:430718]         // move stake for next epoch
[codex:430718]         from.nextEpochBalance = uint256(from.nextEpochBalance).safeSub(amount).downcastToUint96();
[codex:430718]         to.nextEpochBalance = uint256(to.nextEpochBalance).safeAdd(amount).downcastToUint96();
[codex:430718] 
[codex:430718]         // update state in storage
[codex:430718]         _storeBalance(fromPtr, from);
[codex:430718]         _storeBalance(toPtr, to);
[codex:430718]     }
[codex:430718] 
[codex:430718]     /// @dev Loads a balance from storage and updates its fields to reflect values for the current epoch.
[codex:430718]     /// @param balancePtr to load.
[codex:430718]     /// @return current balance.
[codex:430718]     function _loadCurrentBalance(IStructs.StoredBalance storage balancePtr)
[codex:430718]         internal
[codex:430718]         view
[codex:430718]         returns (IStructs.StoredBalance memory balance)
[codex:430718]     {
[codex:430718]         balance = balancePtr;
[codex:430718] exec
[codex:430718] /bin/bash -lc "sed -n '3600,4000p' AUDIT_BUNDLE.txt" in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718]             operatorShare: operatorShare
[codex:430718]         });
[codex:430718]         _poolById[poolId] = pool;
[codex:430718] 
[codex:430718]         // Staking pool has been created
[codex:430718]         emit StakingPoolCreated(poolId, operator, operatorShare);
[codex:430718] 
[codex:430718]         if (addOperatorAsMaker) {
[codex:430718]             joinStakingPoolAsMaker(poolId);
[codex:430718]         }
[codex:430718] 
[codex:430718]         return poolId;
[codex:430718]     }
[codex:430718] 
[codex:430718]     /// @dev Decreases the operator share for the given pool (i.e. increases pool rewards for members).
[codex:430718]     /// @param poolId Unique Id of pool.
[codex:430718]     /// @param newOperatorShare The newly decreased percentage of any rewards owned by the operator.
[codex:430718]     function decreaseStakingPoolOperatorShare(bytes32 poolId, uint32 newOperatorShare)
[codex:430718]         external
[codex:430718]         onlyStakingPoolOperator(poolId)
[codex:430718] exec
[codex:430718] /bin/bash -lc "sed -n '4000,4400p' AUDIT_BUNDLE.txt" in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718] 
[codex:430718]     /// @dev Computes the unfinalized rewards earned by a delegator in the last epoch.
[codex:430718]     /// @param delegatedStake Amount of stake delegated to pool by a specific staker
[codex:430718]     /// @param currentEpoch_ The epoch in which this call is executing
[codex:430718]     /// @param unfinalizedMembersReward Unfinalized total members reward (if any).
[codex:430718]     /// @param unfinalizedMembersStake Unfinalized total members stake (if any).
[codex:430718]     /// @return reward Balance in WETH.
[codex:430718]     function _computeUnfinalizedDelegatorReward(
[codex:430718]         IStructs.StoredBalance memory delegatedStake,
[codex:430718]         uint256 currentEpoch_,
[codex:430718]         uint256 unfinalizedMembersReward,
[codex:430718]         uint256 unfinalizedMembersStake
[codex:430718]     )
[codex:430718]         private
[codex:430718]         pure
[codex:430718]         returns (uint256)
[codex:430718]     {
[codex:430718]         // If there are unfinalized rewards this epoch, compute the member's
[codex:430718]         // share.
[codex:430718]         if (unfinalizedMembersReward == 0 || unfinalizedMembersStake == 0) {
[codex:430718] exec
[codex:430718] /bin/bash -lc "sed -n '4400,4800p' AUDIT_BUNDLE.txt" in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718] import "../libs/LibStakingRichErrors.sol";
[codex:430718] 
[codex:430718] 
[codex:430718] contract MixinParams is
[codex:430718]     IStakingEvents,
[codex:430718]     MixinStorage,
[codex:430718]     MixinConstants
[codex:430718] {
[codex:430718]     /// @dev Set all configurable parameters at once.
[codex:430718]     /// @param _epochDurationInSeconds Minimum seconds between epochs.
[codex:430718]     /// @param _rewardDelegatedStakeWeight How much delegated stake is weighted vs operator stake, in ppm.
[codex:430718]     /// @param _minimumPoolStake Minimum amount of stake required in a pool to collect rewards.
[codex:430718]     /// @param _cobbDouglasAlphaNumerator Numerator for cobb douglas alpha factor.
[codex:430718]     /// @param _cobbDouglasAlphaDenominator Denominator for cobb douglas alpha factor.
[codex:430718]     function setParams(
[codex:430718]         uint256 _epochDurationInSeconds,
[codex:430718]         uint32 _rewardDelegatedStakeWeight,
[codex:430718]         uint256 _minimumPoolStake,
[codex:430718]         uint32 _cobbDouglasAlphaNumerator,
[codex:430718]         uint32 _cobbDouglasAlphaDenominator
[codex:430718] exec
[codex:430718] /bin/bash -lc "sed -n '4800,5200p' AUDIT_BUNDLE.txt" in /tmp/codex-multi-7u3gook8 succeeded in 8ms:
[codex:430718]     )
[codex:430718]         internal
[codex:430718]     {
[codex:430718]         uint256 lastStoredEpoch = _cumulativeRewardsByPoolLastStored[poolId];
[codex:430718]         MixinCumulativeRewards._addCumulativeReward(
[codex:430718]             poolId,
[codex:430718]             reward,
[codex:430718]             stake
[codex:430718]         );
[codex:430718]         uint256 newLastStoredEpoch = _cumulativeRewardsByPoolLastStored[poolId];
[codex:430718]         if (newLastStoredEpoch != lastStoredEpoch) {
[codex:430718]             emit SetCumulativeReward(poolId, currentEpoch);
[codex:430718]         }
[codex:430718]     }
[codex:430718] }
[codex:430718] 
[codex:430718] ================================================================================
[codex:430718] FILE: contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/test/TestDelegatorRewards.sol
[codex:430718] ================================================================================
[codex:430718] /*
[codex:430718] exec
[codex:430718] /bin/bash -lc "sed -n '5200,5600p' AUDIT_BUNDLE.txt" in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718]     {
[codex:430718]         ownerRewards = LibCobbDouglas.cobbDouglas(
[codex:430718]             totalRewards,
[codex:430718]             ownerFees,
[codex:430718]             totalFees,
[codex:430718]             ownerStake,
[codex:430718]             totalStake,
[codex:430718]             cobbDouglasAlphaNumerator,
[codex:430718]             cobbDouglasAlphaDenominator
[codex:430718]         );
[codex:430718]     }
[codex:430718] 
[codex:430718]     /// @dev Expose `_getUnfinalizedPoolReward()`
[codex:430718]     function getUnfinalizedPoolRewards(bytes32 poolId)
[codex:430718]         external
[codex:430718]         view
[codex:430718]         returns (UnfinalizedPoolReward memory reward)
[codex:430718]     {
[codex:430718]         (reward.totalReward, reward.membersStake) = _getUnfinalizedPoolRewards(
[codex:430718]             poolId
[codex:430718] 
[codex:430718] thinking
[codex:430718] **Completing file read**
[codex:430718] exec
[codex:430718] /bin/bash -lc 'tail -n 20 AUDIT_BUNDLE.txt' in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718]   limitations under the License.
[codex:430718] 
[codex:430718] */
[codex:430718] 
[codex:430718] pragma solidity ^0.5.9;
[codex:430718] 
[codex:430718] 
[codex:430718] contract IOwnable {
[codex:430718] 
[codex:430718]     /// @dev Emitted by Ownable when ownership is transferred.
[codex:430718]     /// @param previousOwner The previous owner of the contract.
[codex:430718]     /// @param newOwner The new owner of the contract.
[codex:430718]     event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);
[codex:430718] 
[codex:430718]     /// @dev Transfers ownership of the contract to a new address.
[codex:430718]     /// @param newOwner The address that will become the owner.
[codex:430718]     function transferOwnership(address newOwner)
[codex:430718]         public;
[codex:430718] }
[codex:430718] 
[codex:430718] 
[codex:430718] thinking
[codex:430718] **Ensuring complete file reading**
[codex:430718] exec
[codex:430718] /bin/bash -lc "sed -n '5600,6000p' AUDIT_BUNDLE.txt" in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718] ================================================================================
[codex:430718] FILE: contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/test/TestMixinParams.sol
[codex:430718] ================================================================================
[codex:430718] /*
[codex:430718] 
[codex:430718]   Copyright 2019 ZeroEx Intl.
[codex:430718] 
[codex:430718]   Licensed under the Apache License, Version 2.0 (the "License");
[codex:430718]   you may not use this file except in compliance with the License.
[codex:430718]   You may obtain a copy of the License at
[codex:430718] 
[codex:430718]     http://www.apache.org/licenses/LICENSE-2.0
[codex:430718] 
[codex:430718]   Unless required by applicable law or agreed to in writing, software
[codex:430718]   distributed under the License is distributed on an "AS IS" BASIS,
[codex:430718]   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
[codex:430718]   See the License for the specific language governing permissions and
[codex:430718]   limitations under the License.
[codex:430718] 
[codex:430718] */
[codex:430718] exec
[codex:430718] /bin/bash -lc "sed -n '6000,6400p' AUDIT_BUNDLE.txt" in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718] 
[codex:430718]   Copyright 2019 ZeroEx Intl.
[codex:430718] 
[codex:430718]   Licensed under the Apache License, Version 2.0 (the "License");
[codex:430718]   you may not use this file except in compliance with the License.
[codex:430718]   You may obtain a copy of the License at
[codex:430718] 
[codex:430718]     http://www.apache.org/licenses/LICENSE-2.0
[codex:430718] 
[codex:430718]   Unless required by applicable law or agreed to in writing, software
[codex:430718]   distributed under the License is distributed on an "AS IS" BASIS,
[codex:430718]   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
[codex:430718]   See the License for the specific language governing permissions and
[codex:430718]   limitations under the License.
[codex:430718] 
[codex:430718] */
[codex:430718] 
[codex:430718] pragma solidity ^0.5.9;
[codex:430718] pragma experimental ABIEncoderV2;
[codex:430718] 
[codex:430718] exec
[codex:430718] /bin/bash -lc "sed -n '6400,6800p' AUDIT_BUNDLE.txt" in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718]         uint256 membersStake
[codex:430718]     )
[codex:430718]         external
[codex:430718]         returns (uint256 operatorReward, uint256 membersReward)
[codex:430718]     {
[codex:430718]         return _syncPoolRewards(poolId, reward, membersStake);
[codex:430718]     }
[codex:430718] 
[codex:430718]     // Expose `_withdrawAndSyncDelegatorRewards()` for testing.
[codex:430718]     function withdrawAndSyncDelegatorRewards(
[codex:430718]         bytes32 poolId,
[codex:430718]         address member
[codex:430718]     )
[codex:430718]         external
[codex:430718]     {
[codex:430718]         return _withdrawAndSyncDelegatorRewards(
[codex:430718]             poolId,
[codex:430718]             member
[codex:430718]         );
[codex:430718]     }
[codex:430718] exec
[codex:430718] /bin/bash -lc "sed -n '6800,7200p' AUDIT_BUNDLE.txt" in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718] ================================================================================
[codex:430718] /*
[codex:430718] 
[codex:430718]   Copyright 2019 ZeroEx Intl.
[codex:430718] 
[codex:430718]   Licensed under the Apache License, Version 2.0 (the "License");
[codex:430718]   you may not use this file except in compliance with the License.
[codex:430718]   You may obtain a copy of the License at
[codex:430718] 
[codex:430718]     http://www.apache.org/licenses/LICENSE-2.0
[codex:430718] 
[codex:430718]   Unless required by applicable law or agreed to in writing, software
[codex:430718]   distributed under the License is distributed on an "AS IS" BASIS,
[codex:430718]   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
[codex:430718]   See the License for the specific language governing permissions and
[codex:430718]   limitations under the License.
[codex:430718] 
[codex:430718] */
[codex:430718] 
[codex:430718] pragma solidity ^0.5.9;
[codex:430718] exec
[codex:430718] /bin/bash -lc "sed -n '7200,7600p' AUDIT_BUNDLE.txt" in /tmp/codex-multi-7u3gook8 succeeded in 7ms:
[codex:430718]                 offset
[codex:430718]             )
[codex:430718]             slot := add(slot, 0x1)
[codex:430718] 
[codex:430718]             assertSlotAndOffset(
[codex:430718]                 lastPoolId_slot,
[codex:430718]                 lastPoolId_offset,
[codex:430718]                 slot,
[codex:430718]                 offset
[codex:430718]             )
[codex:430718]             slot := add(slot, 0x1)
[codex:430718] 
[codex:430718]             assertSlotAndOffset(
[codex:430718]                 poolIdByMaker_slot,
[codex:430718]                 poolIdByMaker_offset,
[codex:430718]                 slot,
[codex:430718]                 offset
[codex:430718]             )
[codex:430718]             slot := add(slot, 0x1)
[codex:430718] 
[codex:430718] exec
[codex:430718] /bin/bash -lc "sed -n '7600,8000p' AUDIT_BUNDLE.txt" in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718]         returns (uint256);
[codex:430718] }
[codex:430718] 
[codex:430718] ================================================================================
[codex:430718] FILE: contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/node_modules/@0x/contracts-erc20/contracts/src/interfaces/IEtherToken.sol
[codex:430718] ================================================================================
[codex:430718] /*
[codex:430718] 
[codex:430718]   Copyright 2019 ZeroEx Intl.
[codex:430718] 
[codex:430718]   Licensed under the Apache License, Version 2.0 (the "License");
[codex:430718]   you may not use this file except in compliance with the License.
[codex:430718]   You may obtain a copy of the License at
[codex:430718] 
[codex:430718]     http://www.apache.org/licenses/LICENSE-2.0
[codex:430718] 
[codex:430718]   Unless required by applicable law or agreed to in writing, software
[codex:430718]   distributed under the License is distributed on an "AS IS" BASIS,
[codex:430718]   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
[codex:430718]   See the License for the specific language governing permissions and
[codex:430718] exec
[codex:430718] /bin/bash -lc "sed -n '8000,8400p' AUDIT_BUNDLE.txt" in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718]         _removeAuthorizedAddressAtIndex(target, index);
[codex:430718]     }
[codex:430718] 
[codex:430718]     /// @dev Gets all authorized addresses.
[codex:430718]     /// @return Array of authorized addresses.
[codex:430718]     function getAuthorizedAddresses()
[codex:430718]         external
[codex:430718]         view
[codex:430718]         returns (address[] memory)
[codex:430718]     {
[codex:430718]         return authorities;
[codex:430718]     }
[codex:430718] 
[codex:430718]     /// @dev Reverts if msg.sender is not authorized.
[codex:430718]     function _assertSenderIsAuthorized()
[codex:430718]         internal
[codex:430718]         view
[codex:430718]     {
[codex:430718]         if (!authorized[msg.sender]) {
[codex:430718]             LibRichErrors.rrevert(LibAuthorizableRichErrors.SenderNotAuthorizedError(msg.sender));
[codex:430718] 
[codex:430718] 
[codex:430718] 
[codex:430718] thinking
[codex:430718] **Analyzing staking contract security and upgradeability**
[codex:430718] 
[codex:430718] I'm working through a detailed security audit of the 0x staking contracts, focusing on vulnerabilities like reentrancy, unchecked ERC20 return values, access control, and upgradeability risks. There’s a lot to consider with delegatecalls, proxy authorization, and external calls to tokens like WETH and ZRX, especially around transfer return values and initialization logic during upgrades. I’m carefully assessing whether any of these patterns could lead to exploitable flaws or unexpected behaviors.
[codex:430718] thinking
[codex:430718] **Evaluating staking pool accounting and access controls**
[codex:430718] 
[codex:430718] I'm analyzing delegation logic, stake accounting, and access controls for authorized functions, focusing on edge cases like delegations to nonexistent pools, parameter initialization, and unchecked ERC20 return values. I'm also looking at how upgradeability and fallback delegatecalls might impact security and whether subtle bugs arise from state updates or reentrancy possibilities. There’s plenty of nuance in reward calculations and protocol fee handling to consider!
[codex:430718] thinking
[codex:430718] **Deepening review of ERC20 transfers and proxy upgrade patterns**
[codex:430718] 
[codex:430718] I'm focusing on unchecked ERC20 transfer returns in vault and rewards contracts, and examining proxy upgrade and authorization flows for potential admin risks or state inconsistencies. There’s also interesting interplay in catastrophic failure mode handling, staking accounting, and fee attributions that I want to clarify further. The details here help frame severity and robustness.
[codex:430718] exec
[codex:430718] /bin/bash -lc 'rg --files contracts | head' in /tmp/codex-multi-7u3gook8 succeeded in 12ms:
[codex:430718] contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/immutable/MixinConstants.sol
[codex:430718] contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/immutable/MixinDeploymentConstants.sol
[codex:430718] contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/immutable/MixinStorage.sol
[codex:430718] contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/staking_pools/MixinStakingPoolRewards.sol
[codex:430718] contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/staking_pools/MixinStakingPool.sol
[codex:430718] contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/staking_pools/MixinCumulativeRewards.sol
[codex:430718] contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/StakingProxy.sol
[codex:430718] contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/ZrxVault.sol
[codex:430718] contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/Staking.sol
[codex:430718] contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/node_modules/@0x/contracts-asset-proxy/contracts/src/interfaces/IAssetData.sol
[codex:430718] 
[codex:430718] thinking
[codex:430718] **Locating transfer calls with line numbers**
[codex:430718] exec
[codex:430718] /bin/bash -lc "rg -n \"_zrxToken\\.transfer\" -n contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/ZrxVault.sol" in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718] 215:        _zrxToken.transfer(
[codex:430718] 
[codex:430718] thinking
[codex:430718] **Checking WETH transfer in staking rewards**
[codex:430718] exec
[codex:430718] /bin/bash -lc "rg -n \"getWethContract\\(\\)\\.transfer\" contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/staking_pools/MixinStakingPoolRewards.sol" in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718] 131:            getWethContract().transfer(member, balance);
[codex:430718] 169:            getWethContract().transfer(pool.operator, operatorReward);
[codex:430718] 
[codex:430718] 
[codex:430718] thinking
[codex:430718] **Analyzing unchecked returns and batchExecute risks**
[codex:430718] 
[codex:430718] This is a thorough review of unchecked ERC20 transfer returns across multiple contracts and a deep dive into a potential batchExecute vulnerability where msg.value is reused across delegatecalls, allowing authorized exchanges to possibly inflate protocol fee credits without paying extra ETH, affecting rewards distribution. I'm weighing the exploitability against trust assumptions on exchanges and confirming there are no other significant vulnerabilities while noting subtle design issues and potential risks from unchecked returns and reward accounting.
[codex:430718] thinking
[codex:430718] **Examining catastrophic failure mode and staking accounting gaps**
[codex:430718] 
[codex:430718] I’m exploring how catastrophic failure mode in ZrxVault allows users to withdraw tokens without updating stake records, potentially enabling reward claims on nonexistent stakes if staking operations continue. I’m also assessing interactions like batchExecute’s reuse of msg.value and implications on fee accounting and reward distributions, alongside subtle unchecked transfer return issues and accounting nuances throughout staking logic.
[codex:430718] exec
[codex:430718] /bin/bash -lc 'rg -n "batchExecute" contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/StakingProxy.sol' in /tmp/codex-multi-7u3gook8 succeeded in 8ms:
[codex:430718] 103:    function batchExecute(bytes[] calldata data)
[codex:430718] 
[codex:430718] thinking
[codex:430718] **Considering fee detail inclusion**
[codex:430718] exec
[codex:430718] /bin/bash -lc 'rg -n "payProtocolFee" contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/fees/MixinExchangeFees.sol' in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718] 45:    function payProtocolFee(
[codex:430718] 155:    /// @dev Checks that the protocol fee passed into `payProtocolFee()` is
[codex:430718] 158:    ///        `payProtocolFee.`
[codex:430718] 
[codex:430718] thinking
[codex:430718] **Drafting detailed vulnerability findings and JSON output**
[codex:430718] 
[codex:430718] I'll outline two findings: one about batchExecute reusing msg.value across delegatecalls that inflates protocol fees with medium severity and category "other," and another on unchecked ERC20 transfer return values causing low-severity risk. I'll incorporate exploit scenarios, recommendations, evidence with file paths and line numbers, and format everything to comply with the required JSON output schema.
[codex:430718] exec
[codex:430718] /bin/bash -lc "nl -ba contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/StakingProxy.sol | sed -n '90,140p'" in /tmp/codex-multi-7u3gook8 succeeded in 7ms:
[codex:430718]     90	    /// @dev Detach the current staking contract.
[codex:430718]     91	    /// Note that this is callable only by an authorized address.
[codex:430718]     92	    function detachStakingContract()
[codex:430718]     93	        external
[codex:430718]     94	        onlyAuthorized
[codex:430718]     95	    {
[codex:430718]     96	        stakingContract = NIL_ADDRESS;
[codex:430718]     97	        emit StakingContractDetachedFromProxy();
[codex:430718]     98	    }
[codex:430718]     99	
[codex:430718]    100	    /// @dev Batch executes a series of calls to the staking contract.
[codex:430718]    101	    /// @param data An array of data that encodes a sequence of functions to
[codex:430718]    102	    ///             call in the staking contracts.
[codex:430718]    103	    function batchExecute(bytes[] calldata data)
[codex:430718]    104	        external
[codex:430718]    105	        returns (bytes[] memory batchReturnData)
[codex:430718]    106	    {
[codex:430718]    107	        // Initialize commonly used variables.
[codex:430718]    108	        bool success;
[codex:430718]    109	        bytes memory returnData;
[codex:430718] 
[codex:430718] thinking
[codex:430718] **Reviewing payProtocolFee usage**
[codex:430718] exec
[codex:430718] /bin/bash -lc "nl -ba contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/fees/MixinExchangeFees.sol | sed -n '30,90p'" in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718]     30	
[codex:430718]     31	
[codex:430718]     32	contract MixinExchangeFees is
[codex:430718]     33	    MixinExchangeManager,
[codex:430718]     34	    MixinStakingPool,
[codex:430718]     35	    MixinFinalizer
[codex:430718]     36	{
[codex:430718]     37	    using LibSafeMath for uint256;
[codex:430718]     38	
[codex:430718]     39	    /// @dev Pays a protocol fee in ETH or WETH.
[codex:430718]     40	    ///      Only a known 0x exchange can call this method. See
[codex:430718]     41	    ///      (MixinExchangeManager).
[codex:430718]     42	    /// @param makerAddress The address of the order's maker.
[codex:430718]     43	    /// @param payerAddress The address of the protocol fee payer.
[codex:430718]     44	    /// @param protocolFee The protocol fee amount. This is either passed as ETH or transferred as WETH.
[codex:430718]     45	    function payProtocolFee(
[codex:430718]     46	        address makerAddress,
[codex:430718]     47	        address payerAddress,
[codex:430718]     48	        uint256 protocolFee
[codex:430718]     49	    )
[codex:430718] 
[codex:430718] thinking
[codex:430718] **Reviewing ZrxVault transfer lines**
[codex:430718] exec
[codex:430718] /bin/bash -lc "nl -ba contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/ZrxVault.sol | sed -n '200,240p'" in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718]    200	    /// @dev Withdraw an `amount` of Zrx Tokens to `staker` from the vault.
[codex:430718]    201	    /// @param staker of Zrx Tokens.
[codex:430718]    202	    /// @param amount of Zrx Tokens to withdraw.
[codex:430718]    203	    function _withdrawFrom(address staker, uint256 amount)
[codex:430718]    204	        internal
[codex:430718]    205	    {
[codex:430718]    206	        // update balance
[codex:430718]    207	        // note that this call will revert if trying to withdraw more
[codex:430718]    208	        // than the current balance
[codex:430718]    209	        _balances[staker] = _balances[staker].safeSub(amount);
[codex:430718]    210	
[codex:430718]    211	        // notify
[codex:430718]    212	        emit Withdraw(staker, amount);
[codex:430718]    213	
[codex:430718]    214	        // withdraw ZRX to staker
[codex:430718]    215	        _zrxToken.transfer(
[codex:430718]    216	            staker,
[codex:430718]    217	            amount
[codex:430718]    218	        );
[codex:430718]    219	    }
[codex:430718] 
[codex:430718] thinking
[codex:430718] **Reviewing MixinStakingPoolRewards section**
[codex:430718] exec
[codex:430718] /bin/bash -lc "nl -ba contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/staking_pools/MixinStakingPoolRewards.sol | sed -n '120,190p'" in /tmp/codex-multi-7u3gook8 succeeded in 6ms:
[codex:430718]    120	        // `_computeDelegatorReward` during this epoch will return 0, 
[codex:430718]    121	        // preventing a delegator from withdrawing more than once an epoch.
[codex:430718]    122	        _delegatedStakeToPoolByOwner[member][poolId] =
[codex:430718]    123	            _loadCurrentBalance(_delegatedStakeToPoolByOwner[member][poolId]);
[codex:430718]    124	
[codex:430718]    125	        // Withdraw non-0 balance
[codex:430718]    126	        if (balance != 0) {
[codex:430718]    127	            // Decrease the balance of the pool
[codex:430718]    128	            _decreasePoolRewards(poolId, balance);
[codex:430718]    129	
[codex:430718]    130	            // Withdraw the member's WETH balance
[codex:430718]    131	            getWethContract().transfer(member, balance);
[codex:430718]    132	        }
[codex:430718]    133	
[codex:430718]    134	        // Ensure a cumulative reward entry exists for this epoch,
[codex:430718]    135	        // copying the previous epoch's CR if one doesn't exist already.
[codex:430718]    136	        _updateCumulativeReward(poolId);
[codex:430718]    137	    }
[codex:430718]    138	
[codex:430718]    139	    /// @dev Handles a pool's reward at the current epoch.
[codex:430718] 
[codex:430718] thinking
[codex:430718] **Preparing detailed findings JSON**
[codex:430718] 
[codex:430718] I’m carefully assembling a JSON report describing two main issues: the batchExecute function’s misuse of msg.value causing protocol fee inflation, and unchecked ERC20 transfer returns risking reward accounting errors. I’m paying attention to clear, accurate evidence, line-numbered file locations, categories, severity, exploit scenarios, and recommendations to make the findings useful and valid for output.
[codex:430718] codex
[codex:430718] {"no_findings":false,"summary":"Found 2 issues: batchExecute can over-credit protocol fees with a single ETH payment from a valid exchange, and unchecked ERC20 transfer return values can desync accounting.","findings":[{"severity":"medium","category":"other","title":"batchExecute reuses msg.value across delegatecalls, enabling protocol-fee inflation","exploit_scenario":"A whitelisted exchange calls batchExecute with msg.value equal to protocolFee and includes multiple payProtocolFee calls. Each delegatecall sees the same msg.value, so the fee check passes and fees are credited multiple times while only one ETH payment was made, skewing reward distribution toward the chosen pool.","recommendation":"Disallow non-zero msg.value in batchExecute, or split/consume msg.value per call. Alternatively add a guard in payProtocolFee to only accept ETH for direct calls (not via batching) or track ETH paid per call.","evidence":"batchExecute loops delegatecall without adjusting msg.value, while payProtocolFee treats msg.value == protocolFee as a full ETH payment.","locations":["contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/StakingProxy.sol:103","contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/fees/MixinExchangeFees.sol:45"]},{"severity":"low","category":"other","title":"Unchecked ERC20 transfer return values in ZRX vault and reward payouts","exploit_scenario":"If ZRX or WETH tokens return false without reverting (or are replaced with non-standard tokens on other deployments), the contract will update balances and reserves even though transfers failed, leading to lost rewards or stuck withdrawals.","recommendation":"Check the return value of ERC20 transfer and revert on failure (or use a SafeERC20 helper) for both ZRX withdrawals and WETH reward payouts.","evidence":"ZRX withdrawals and WETH reward transfers ignore the boolean return value of transfer().","locations":["contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/ZrxVault.sol:215","contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/staking_pools/MixinStakingPoolRewards.sol:131","contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/staking_pools/MixinStakingPoolRewards.sol:169"]}]}
[codex:430718] tokens used
[codex:430718] 151,555
[codex:430718] {"no_findings":false,"summary":"Found 2 issues: batchExecute can over-credit protocol fees with a single ETH payment from a valid exchange, and unchecked ERC20 transfer return values can desync accounting.","findings":[{"severity":"medium","category":"other","title":"batchExecute reuses msg.value across delegatecalls, enabling protocol-fee inflation","exploit_scenario":"A whitelisted exchange calls batchExecute with msg.value equal to protocolFee and includes multiple payProtocolFee calls. Each delegatecall sees the same msg.value, so the fee check passes and fees are credited multiple times while only one ETH payment was made, skewing reward distribution toward the chosen pool.","recommendation":"Disallow non-zero msg.value in batchExecute, or split/consume msg.value per call. Alternatively add a guard in payProtocolFee to only accept ETH for direct calls (not via batching) or track ETH paid per call.","evidence":"batchExecute loops delegatecall without adjusting msg.value, while payProtocolFee treats msg.value == protocolFee as a full ETH payment.","locations":["contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/StakingProxy.sol:103","contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/fees/MixinExchangeFees.sol:45"]},{"severity":"low","category":"other","title":"Unchecked ERC20 transfer return values in ZRX vault and reward payouts","exploit_scenario":"If ZRX or WETH tokens return false without reverting (or are replaced with non-standard tokens on other deployments), the contract will update balances and reserves even though transfers failed, leading to lost rewards or stuck withdrawals.","recommendation":"Check the return value of ERC20 transfer and revert on failure (or use a SafeERC20 helper) for both ZRX withdrawals and WETH reward payouts.","evidence":"ZRX withdrawals and WETH reward transfers ignore the boolean return value of 
transfer().","locations":["contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/ZrxVault.sol:215","contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/staking_pools/MixinStakingPoolRewards.sol:131","contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/staking_pools/MixinStakingPoolRewards.sol:169"]}]}
Metadata
{
    "codex": {
        "ran_at": "2025-12-30T14:32:49.504281+00:00",
        "returncode": 0
    },
    "summary": "Found 2 issues: batchExecute can over-credit protocol fees with a single ETH payment from a valid exchange, and unchecked ERC20 transfer return values can desync accounting.",
    "raw_final": {
        "summary": "Found 2 issues: batchExecute can over-credit protocol fees with a single ETH payment from a valid exchange, and unchecked ERC20 transfer return values can desync accounting.",
        "findings": [
            {
                "title": "batchExecute reuses msg.value across delegatecalls, enabling protocol-fee inflation",
                "category": "other",
                "evidence": "batchExecute loops delegatecall without adjusting msg.value, while payProtocolFee treats msg.value == protocolFee as a full ETH payment.",
                "severity": "medium",
                "locations": [
                    "contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/StakingProxy.sol:103",
                    "contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/fees/MixinExchangeFees.sol:45"
                ],
                "recommendation": "Disallow non-zero msg.value in batchExecute, or split/consume msg.value per call. Alternatively add a guard in payProtocolFee to only accept ETH for direct calls (not via batching) or track ETH paid per call.",
                "exploit_scenario": "A whitelisted exchange calls batchExecute with msg.value equal to protocolFee and includes multiple payProtocolFee calls. Each delegatecall sees the same msg.value, so the fee check passes and fees are credited multiple times while only one ETH payment was made, skewing reward distribution toward the chosen pool."
            },
            {
                "title": "Unchecked ERC20 transfer return values in ZRX vault and reward payouts",
                "category": "other",
                "evidence": "ZRX withdrawals and WETH reward transfers ignore the boolean return value of transfer().",
                "severity": "low",
                "locations": [
                    "contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/ZrxVault.sol:215",
                    "contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/staking_pools/MixinStakingPoolRewards.sol:131",
                    "contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/staking_pools/MixinStakingPoolRewards.sol:169"
                ],
                "recommendation": "Check the return value of ERC20 transfer and revert on failure (or use a SafeERC20 helper) for both ZRX withdrawals and WETH reward payouts.",
                "exploit_scenario": "If ZRX or WETH tokens return false without reverting (or are replaced with non-standard tokens on other deployments), the contract will update balances and reserves even though transfers failed, leading to lost rewards or stuck withdrawals."
            }
        ],
        "no_findings": false
    },
    "no_findings": false,
    "schema_version": 1
}

Opcode Heuristics

tool.cast_disasm
Delegatecall: 3
Selfdestruct: 0
CREATE2: 0
CALL-family (heavy): 0
EXT*/BALANCE: 0
Total opcodes: 3057
Flags: delegatecall_present
View cast disassembly output
00000543: DUP1
00000544: REVERT
00000545: JUMPDEST
00000546: POP
00000547: PUSH2 0x03ff
0000054a: PUSH2 0x0ae2
0000054d: JUMP
0000054e: JUMPDEST
0000054f: CALLVALUE
00000550: DUP1
00000551: ISZERO
00000552: PUSH2 0x055a
00000555: JUMPI
00000556: PUSH1 0x00
00000558: DUP1
00000559: REVERT
0000055a: JUMPDEST
0000055b: POP
0000055c: PUSH2 0x0324
0000055f: PUSH2 0x0af6
00000562: JUMP
00000563: JUMPDEST
00000564: CALLVALUE
00000565: DUP1
00000566: ISZERO
00000567: PUSH2 0x056f
0000056a: JUMPI
0000056b: PUSH1 0x00
0000056d: DUP1
0000056e: REVERT
0000056f: JUMPDEST
00000570: POP
00000571: PUSH2 0x0346
00000574: PUSH2 0x057e
00000577: CALLDATASIZE
00000578: PUSH1 0x04
0000057a: PUSH2 0x13cd
0000057d: JUMP
0000057e: JUMPDEST
0000057f: PUSH2 0x0b12
00000582: JUMP
00000583: JUMPDEST
00000584: CALLVALUE
00000585: DUP1
00000586: ISZERO
00000587: PUSH2 0x058f
0000058a: JUMPI
0000058b: PUSH1 0x00
0000058d: DUP1
0000058e: REVERT
0000058f: JUMPDEST
00000590: POP
00000591: PUSH2 0x02b1
00000594: PUSH2 0x059e
00000597: CALLDATASIZE
00000598: PUSH1 0x04
0000059a: PUSH2 0x13cd
0000059d: JUMP
0000059e: JUMPDEST
0000059f: PUSH2 0x0b24
000005a2: JUMP
000005a3: JUMPDEST
000005a4: PUSH1 0x40
000005a6: DUP1
000005a7: MLOAD
000005a8: DUP1
000005a9: DUP3
000005aa: ADD
000005ab: SWAP1
000005ac: SWAP2
000005ad: MSTORE
000005ae: PUSH1 0x04
000005b0: DUP2
000005b1: MSTORE
000005b2: PUSH32 0x6eff828500000000000000000000000000000000000000000000000000000000
000005d3: PUSH1 0x20
000005d5: DUP3
000005d6: ADD
000005d7: MSTORE
000005d8: JUMPDEST
000005d9: SWAP1
000005da: JUMP
000005db: JUMPDEST
000005dc: DUP1
000005dd: MLOAD
000005de: PUSH1 0x20
000005e0: DUP3
000005e1: ADD
000005e2: REVERT
000005e3: JUMPDEST
000005e4: PUSH1 0x15
000005e6: PUSH1 0x20
000005e8: SWAP1
000005e9: DUP2
000005ea: MSTORE
000005eb: PUSH1 0x00
000005ed: SWAP3
000005ee: DUP4
000005ef: MSTORE
000005f0: PUSH1 0x40
000005f2: DUP1
000005f3: DUP5
000005f4: KECCAK256
000005f5: SWAP1
000005f6: SWAP2
000005f7: MSTORE
000005f8: SWAP1
000005f9: DUP3
000005fa: MSTORE
000005fb: SWAP1
000005fc: KECCAK256
000005fd: DUP1
000005fe: SLOAD
000005ff: PUSH1 0x01
00000601: DUP3
00000602: ADD
00000603: SLOAD
00000604: PUSH1 0x02
00000606: SWAP1
00000607: SWAP3
00000608: ADD
00000609: SLOAD
0000060a: SWAP1
0000060b: SWAP2
0000060c: SWAP1
0000060d: DUP4
0000060e: JUMP
0000060f: JUMPDEST
00000610: PUSH2 0x0617
00000613: PUSH2 0x0bc7
00000616: JUMP
00000617: JUMPDEST
00000618: PUSH1 0x03
0000061a: DUP1
0000061b: SLOAD
0000061c: PUSH32 0xffffffffffffffffffffffff0000000000000000000000000000000000000000
0000063d: AND
0000063e: SWAP1
0000063f: SSTORE
00000640: PUSH1 0x40
00000642: MLOAD
00000643: PUSH32 0x6caedcb22a5c22c8ebd0caf751fec1228a6e006e6ee37169321e02d31ecc8183
00000664: SWAP1
00000665: PUSH1 0x00
00000667: SWAP1
00000668: LOG1
00000669: JUMP
0000066a: JUMPDEST
0000066b: PUSH1 0x16
0000066d: PUSH1 0x20
0000066f: MSTORE
00000670: PUSH1 0x00
00000672: SWAP1
00000673: DUP2
00000674: MSTORE
00000675: PUSH1 0x40
00000677: SWAP1
00000678: KECCAK256
00000679: DUP1
0000067a: SLOAD
0000067b: PUSH1 0x01
0000067d: DUP3
0000067e: ADD
0000067f: SLOAD
00000680: PUSH1 0x02
00000682: DUP4
00000683: ADD
00000684: SLOAD
00000685: PUSH1 0x03
00000687: DUP5
00000688: ADD
00000689: SLOAD
0000068a: PUSH1 0x04
0000068c: SWAP1
0000068d: SWAP5
0000068e: ADD
0000068f: SLOAD
00000690: SWAP3
00000691: SWAP4
00000692: SWAP2
00000693: SWAP3
00000694: SWAP1
00000695: SWAP2
00000696: SWAP1
00000697: DUP6
00000698: JUMP
00000699: JUMPDEST
0000069a: PUSH2 0x06a1
0000069d: PUSH2 0x0bec
000006a0: JUMP
000006a1: JUMPDEST
000006a2: PUSH2 0x06aa
000006a5: DUP2
000006a6: PUSH2 0x0c33
000006a9: JUMP
000006aa: JUMPDEST
000006ab: POP
000006ac: JUMP
000006ad: JUMPDEST
000006ae: PUSH1 0x02
000006b0: DUP2
000006b1: DUP2
000006b2: SLOAD
000006b3: DUP2
000006b4: LT
000006b5: PUSH2 0x06ba
000006b8: JUMPI
000006b9: INVALID
000006ba: JUMPDEST
000006bb: PUSH1 0x00
000006bd: SWAP2
000006be: DUP3
000006bf: MSTORE
000006c0: PUSH1 0x20
000006c2: SWAP1
000006c3: SWAP2
000006c4: KECCAK256
000006c5: ADD
000006c6: SLOAD
000006c7: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
000006dc: AND
000006dd: SWAP1
000006de: POP
000006df: DUP2
000006e0: JUMP
000006e1: JUMPDEST
000006e2: PUSH1 0x0d
000006e4: SLOAD
000006e5: DUP2
000006e6: JUMP
000006e7: JUMPDEST
000006e8: PUSH1 0x10
000006ea: PUSH1 0x20
000006ec: MSTORE
000006ed: PUSH1 0x00
000006ef: SWAP1
000006f0: DUP2
000006f1: MSTORE
000006f2: PUSH1 0x40
000006f4: SWAP1
000006f5: KECCAK256
000006f6: SLOAD
000006f7: PUSH1 0xff
000006f9: AND
000006fa: DUP2
000006fb: JUMP
000006fc: JUMPDEST
000006fd: PUSH1 0x11
000006ff: SLOAD
00000700: DUP2
00000701: JUMP
00000702: JUMPDEST
00000703: PUSH2 0x070a
00000706: PUSH2 0x0bc7
00000709: JUMP
0000070a: JUMPDEST
0000070b: PUSH2 0x06aa
0000070e: DUP2
0000070f: PUSH2 0x0d64
00000712: JUMP
00000713: JUMPDEST
00000714: PUSH2 0x071b
00000717: PUSH2 0x0bec
0000071a: JUMP
0000071b: JUMPDEST
0000071c: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000731: DUP2
00000732: AND
00000733: PUSH1 0x00
00000735: SWAP1
00000736: DUP2
00000737: MSTORE
00000738: PUSH1 0x01
0000073a: PUSH1 0x20
0000073c: MSTORE
0000073d: PUSH1 0x40
0000073f: SWAP1
00000740: KECCAK256
00000741: SLOAD
00000742: PUSH1 0xff
00000744: AND
00000745: PUSH2 0x0754
00000748: JUMPI
00000749: PUSH2 0x0754
0000074c: PUSH2 0x01d5
0000074f: DUP3
00000750: PUSH2 0x0ebf
00000753: JUMP
00000754: JUMPDEST
00000755: PUSH1 0x00
00000757: JUMPDEST
00000758: PUSH1 0x02
0000075a: SLOAD
0000075b: DUP2
0000075c: LT
0000075d: ISZERO
0000075e: PUSH2 0x07c4
00000761: JUMPI
00000762: DUP2
00000763: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000778: AND
00000779: PUSH1 0x02
0000077b: DUP3
0000077c: DUP2
0000077d: SLOAD
0000077e: DUP2
0000077f: LT
00000780: PUSH2 0x0785
00000783: JUMPI
00000784: INVALID
00000785: JUMPDEST
00000786: PUSH1 0x00
00000788: SWAP2
00000789: DUP3
0000078a: MSTORE
0000078b: PUSH1 0x20
0000078d: SWAP1
0000078e: SWAP2
0000078f: KECCAK256
00000790: ADD
00000791: SLOAD
00000792: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
000007a7: AND
000007a8: EQ
000007a9: ISZERO
000007aa: PUSH2 0x07bc
000007ad: JUMPI
000007ae: PUSH2 0x07b7
000007b1: DUP3
000007b2: DUP3
000007b3: PUSH2 0x0f5e
000007b6: JUMP
000007b7: JUMPDEST
000007b8: PUSH2 0x07c4
000007bb: JUMP
000007bc: JUMPDEST
000007bd: PUSH1 0x01
000007bf: ADD
000007c0: PUSH2 0x0757
000007c3: JUMP
000007c4: JUMPDEST
000007c5: POP
000007c6: POP
000007c7: JUMP
000007c8: JUMPDEST
000007c9: PUSH1 0x0c
000007cb: SLOAD
000007cc: DUP2
000007cd: JUMP
000007ce: JUMPDEST
000007cf: PUSH1 0x14
000007d1: SLOAD
000007d2: PUSH4 0xffffffff
000007d7: AND
000007d8: DUP2
000007d9: JUMP
000007da: JUMPDEST
000007db: PUSH1 0x40
000007dd: DUP1
000007de: MLOAD
000007df: DUP3
000007e0: DUP2
000007e1: MSTORE
000007e2: PUSH1 0x20
000007e4: DUP1
000007e5: DUP5
000007e6: MUL
000007e7: DUP3
000007e8: ADD
000007e9: ADD
000007ea: SWAP1
000007eb: SWAP2
000007ec: MSTORE
000007ed: PUSH1 0x60
000007ef: SWAP1
000007f0: PUSH1 0x00
000007f2: SWAP1
000007f3: DUP3
000007f4: SWAP1
000007f5: DUP5
000007f6: SWAP1
000007f7: DUP2
000007f8: DUP1
000007f9: ISZERO
000007fa: PUSH2 0x0817
000007fd: JUMPI
000007fe: DUP2
000007ff: PUSH1 0x20
00000801: ADD
00000802: JUMPDEST
00000803: PUSH1 0x60
00000805: DUP2
00000806: MSTORE
00000807: PUSH1 0x20
00000809: ADD
0000080a: SWAP1
0000080b: PUSH1 0x01
0000080d: SWAP1
0000080e: SUB
0000080f: SWAP1
00000810: DUP2
00000811: PUSH2 0x0802
00000814: JUMPI
00000815: SWAP1
00000816: POP
00000817: JUMPDEST
00000818: POP
00000819: PUSH1 0x03
0000081b: SLOAD
0000081c: SWAP1
0000081d: SWAP5
0000081e: POP
0000081f: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000834: AND
00000835: DUP1
00000836: PUSH2 0x0844
00000839: JUMPI
0000083a: PUSH2 0x0844
0000083d: PUSH2 0x01d5
00000840: PUSH2 0x05a3
00000843: JUMP
00000844: JUMPDEST
00000845: PUSH1 0x00
00000847: JUMPDEST
00000848: DUP3
00000849: DUP2
0000084a: EQ
0000084b: PUSH2 0x095b
0000084e: JUMPI
0000084f: DUP2
00000850: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000865: AND
00000866: DUP9
00000867: DUP9
00000868: DUP4
00000869: DUP2
0000086a: DUP2
0000086b: LT
0000086c: PUSH2 0x0871
0000086f: JUMPI
00000870: INVALID
00000871: JUMPDEST
00000872: PUSH1 0x20
00000874: MUL
00000875: DUP3
00000876: ADD
00000877: SWAP1
00000878: POP
00000879: DUP1
0000087a: CALLDATALOAD
0000087b: PUSH32 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe1
0000089c: CALLDATASIZE
0000089d: DUP5
0000089e: SWAP1
0000089f: SUB
000008a0: ADD
000008a1: DUP2
000008a2: SLT
000008a3: PUSH2 0x08ab
000008a6: JUMPI
000008a7: PUSH1 0x00
000008a9: DUP1
000008aa: REVERT
000008ab: JUMPDEST
000008ac: SWAP1
000008ad: SWAP2
000008ae: ADD
000008af: PUSH1 0x20
000008b1: DUP2
000008b2: ADD
000008b3: SWAP2
000008b4: POP
000008b5: CALLDATALOAD
000008b6: PUSH8 0xffffffffffffffff
000008bf: DUP2
000008c0: GT
000008c1: ISZERO
000008c2: PUSH2 0x08ca
000008c5: JUMPI
000008c6: PUSH1 0x00
000008c8: DUP1
000008c9: REVERT
000008ca: JUMPDEST
000008cb: CALLDATASIZE
000008cc: DUP2
000008cd: SWAP1
000008ce: SUB
000008cf: DUP3
000008d0: SGT
000008d1: ISZERO
000008d2: PUSH2 0x08da
000008d5: JUMPI
000008d6: PUSH1 0x00
000008d8: DUP1
000008d9: REVERT
000008da: JUMPDEST
000008db: PUSH1 0x40
000008dd: MLOAD
000008de: PUSH2 0x08e8
000008e1: SWAP3
000008e2: SWAP2
000008e3: SWAP1
000008e4: PUSH2 0x14be
000008e7: JUMP
000008e8: JUMPDEST
000008e9: PUSH1 0x00
000008eb: PUSH1 0x40
000008ed: MLOAD
000008ee: DUP1
000008ef: DUP4
000008f0: SUB
000008f1: DUP2
000008f2: DUP6
000008f3: GAS
000008f4: DELEGATECALL
000008f5: SWAP2
000008f6: POP
000008f7: POP
000008f8: RETURNDATASIZE
000008f9: DUP1
000008fa: PUSH1 0x00
000008fc: DUP2
000008fd: EQ
000008fe: PUSH2 0x0923
00000901: JUMPI
00000902: PUSH1 0x40
00000904: MLOAD
00000905: SWAP2
00000906: POP
00000907: PUSH1 0x1f
00000909: NOT
0000090a: PUSH1 0x3f
0000090c: RETURNDATASIZE
0000090d: ADD
0000090e: AND
0000090f: DUP3
00000910: ADD
00000911: PUSH1 0x40
00000913: MSTORE
00000914: RETURNDATASIZE
00000915: DUP3
00000916: MSTORE
00000917: RETURNDATASIZE
00000918: PUSH1 0x00
0000091a: PUSH1 0x20
0000091c: DUP5
0000091d: ADD
0000091e: RETURNDATACOPY
0000091f: PUSH2 0x0928
00000922: JUMP
00000923: JUMPDEST
00000924: PUSH1 0x60
00000926: SWAP2
00000927: POP
00000928: JUMPDEST
00000929: POP
0000092a: SWAP1
0000092b: SWAP6
0000092c: POP
0000092d: SWAP4
0000092e: POP
0000092f: DUP5
00000930: PUSH2 0x093b
00000933: JUMPI
00000934: DUP4
00000935: MLOAD
00000936: DUP5
00000937: PUSH1 0x20
00000939: ADD
0000093a: REVERT
0000093b: JUMPDEST
0000093c: DUP4
0000093d: DUP7
0000093e: DUP3
0000093f: DUP2
00000940: MLOAD
00000941: DUP2
00000942: LT
00000943: PUSH2 0x0948
00000946: JUMPI
00000947: INVALID
00000948: JUMPDEST
00000949: PUSH1 0x20
0000094b: SWAP1
0000094c: DUP2
0000094d: MUL
0000094e: SWAP2
0000094f: SWAP1
00000950: SWAP2
00000951: ADD
00000952: ADD
00000953: MSTORE
00000954: PUSH1 0x01
00000956: ADD
00000957: PUSH2 0x0847
0000095a: JUMP
0000095b: JUMPDEST
0000095c: POP
0000095d: POP
0000095e: POP
0000095f: POP
00000960: POP
00000961: JUMPDEST
00000962: SWAP3
00000963: SWAP2
00000964: POP
00000965: POP
00000966: JUMP
00000967: JUMPDEST
00000968: PUSH1 0x00
0000096a: SLOAD
0000096b: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000980: AND
00000981: DUP2
00000982: JUMP
00000983: JUMPDEST
00000984: PUSH2 0x098b
00000987: PUSH2 0x0bec
0000098a: JUMP
0000098b: JUMPDEST
0000098c: PUSH2 0x07c4
0000098f: DUP3
00000990: DUP3
00000991: PUSH2 0x0f5e
00000994: JUMP
00000995: JUMPDEST
00000996: PUSH1 0x13
00000998: SLOAD
00000999: DUP2
0000099a: JUMP
0000099b: JUMPDEST
0000099c: PUSH1 0x08
0000099e: SLOAD
0000099f: DUP2
000009a0: JUMP
000009a1: JUMPDEST
000009a2: PUSH1 0x17
000009a4: SLOAD
000009a5: DUP2
000009a6: JUMP
000009a7: JUMPDEST
000009a8: PUSH1 0x01
000009aa: PUSH1 0x20
000009ac: MSTORE
000009ad: PUSH1 0x00
000009af: SWAP1
000009b0: DUP2
000009b1: MSTORE
000009b2: PUSH1 0x40
000009b4: SWAP1
000009b5: KECCAK256
000009b6: SLOAD
000009b7: PUSH1 0xff
000009b9: AND
000009ba: DUP2
000009bb: JUMP
000009bc: JUMPDEST
000009bd: PUSH1 0x0b
000009bf: PUSH1 0x20
000009c1: MSTORE
000009c2: PUSH1 0x00
000009c4: SWAP1
000009c5: DUP2
000009c6: MSTORE
000009c7: PUSH1 0x40
000009c9: SWAP1
000009ca: KECCAK256
000009cb: SLOAD
000009cc: DUP2
000009cd: JUMP
000009ce: JUMPDEST
000009cf: PUSH1 0x11
000009d1: SLOAD
000009d2: PUSH3 0x069780
000009d6: DUP2
000009d7: LT
000009d8: DUP1
000009d9: PUSH2 0x09e4
000009dc: JUMPI
000009dd: POP
000009de: PUSH3 0x278d00
000009e2: DUP2
000009e3: GT
000009e4: JUMPDEST
000009e5: ISZERO
000009e6: PUSH2 0x09f6
000009e9: JUMPI
000009ea: PUSH2 0x09f6
000009ed: PUSH2 0x01d5
000009f0: PUSH1 0x04
000009f2: PUSH2 0x11ad
000009f5: JUMP
000009f6: JUMPDEST
000009f7: PUSH1 0x14
000009f9: SLOAD
000009fa: PUSH4 0xffffffff
000009ff: PUSH5 0x0100000000
00000a05: DUP3
00000a06: DIV
00000a07: DUP2
00000a08: AND
00000a09: SWAP2
00000a0a: AND
00000a0b: DUP2
00000a0c: LT
00000a0d: DUP1
00000a0e: PUSH2 0x0a1b
00000a11: JUMPI
00000a12: POP
00000a13: PUSH4 0xffffffff
00000a18: DUP2
00000a19: AND
00000a1a: ISZERO
00000a1b: JUMPDEST
00000a1c: ISZERO
00000a1d: PUSH2 0x0a2d
00000a20: JUMPI
00000a21: PUSH2 0x0a2d
00000a24: PUSH2 0x01d5
00000a27: PUSH1 0x00
00000a29: PUSH2 0x11ad
00000a2c: JUMP
00000a2d: JUMPDEST
00000a2e: PUSH1 0x12
00000a30: SLOAD
00000a31: PUSH3 0x0f4240
00000a35: PUSH4 0xffffffff
00000a3a: SWAP1
00000a3b: SWAP2
00000a3c: AND
00000a3d: GT
00000a3e: ISZERO
00000a3f: PUSH2 0x0a4f
00000a42: JUMPI
00000a43: PUSH2 0x0a4f
00000a46: PUSH2 0x01d5
00000a49: PUSH1 0x01
00000a4b: PUSH2 0x11ad
00000a4e: JUMP
00000a4f: JUMPDEST
00000a50: PUSH1 0x02
00000a52: PUSH1 0x13
00000a54: SLOAD
00000a55: LT
00000a56: ISZERO
00000a57: PUSH2 0x07c4
00000a5a: JUMPI
00000a5b: PUSH2 0x07c4
00000a5e: PUSH2 0x01d5
00000a61: PUSH1 0x03
00000a63: PUSH2 0x11ad
00000a66: JUMP
00000a67: JUMPDEST
00000a68: PUSH1 0x60
00000a6a: PUSH1 0x02
00000a6c: DUP1
00000a6d: SLOAD
00000a6e: DUP1
00000a6f: PUSH1 0x20
00000a71: MUL
00000a72: PUSH1 0x20
00000a74: ADD
00000a75: PUSH1 0x40
00000a77: MLOAD
00000a78: SWAP1
00000a79: DUP2
00000a7a: ADD
00000a7b: PUSH1 0x40
00000a7d: MSTORE
00000a7e: DUP1
00000a7f: SWAP3
00000a80: SWAP2
00000a81: SWAP1
00000a82: DUP2
00000a83: DUP2
00000a84: MSTORE
00000a85: PUSH1 0x20
00000a87: ADD
00000a88: DUP3
00000a89: DUP1
00000a8a: SLOAD
00000a8b: DUP1
00000a8c: ISZERO
00000a8d: PUSH2 0x0acc
00000a90: JUMPI
00000a91: PUSH1 0x20
00000a93: MUL
00000a94: DUP3
00000a95: ADD
00000a96: SWAP2
00000a97: SWAP1
00000a98: PUSH1 0x00
00000a9a: MSTORE
00000a9b: PUSH1 0x20
00000a9d: PUSH1 0x00
00000a9f: KECCAK256
00000aa0: SWAP1
00000aa1: JUMPDEST
00000aa2: DUP2
00000aa3: SLOAD
00000aa4: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000ab9: AND
00000aba: DUP2
00000abb: MSTORE
00000abc: PUSH1 0x01
00000abe: SWAP1
00000abf: SWAP2
00000ac0: ADD
00000ac1: SWAP1
00000ac2: PUSH1 0x20
00000ac4: ADD
00000ac5: DUP1
00000ac6: DUP4
00000ac7: GT
00000ac8: PUSH2 0x0aa1
00000acb: JUMPI
00000acc: JUMPDEST
00000acd: POP
00000ace: POP
00000acf: POP
00000ad0: POP
00000ad1: POP
00000ad2: SWAP1
00000ad3: POP
00000ad4: SWAP1
00000ad5: JUMP
00000ad6: JUMPDEST
00000ad7: PUSH1 0x12
00000ad9: SLOAD
00000ada: PUSH4 0xffffffff
00000adf: AND
00000ae0: DUP2
00000ae1: JUMP
00000ae2: JUMPDEST
00000ae3: PUSH1 0x14
00000ae5: SLOAD
00000ae6: PUSH5 0x0100000000
00000aec: SWAP1
00000aed: DIV
00000aee: PUSH4 0xffffffff
00000af3: AND
00000af4: DUP2
00000af5: JUMP
00000af6: JUMPDEST
00000af7: PUSH1 0x03
00000af9: SLOAD
00000afa: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000b0f: AND
00000b10: DUP2
00000b11: JUMP
00000b12: JUMPDEST
00000b13: PUSH1 0x09
00000b15: PUSH1 0x20
00000b17: MSTORE
00000b18: PUSH1 0x00
00000b1a: SWAP1
00000b1b: DUP2
00000b1c: MSTORE
00000b1d: PUSH1 0x40
00000b1f: SWAP1
00000b20: KECCAK256
00000b21: SLOAD
00000b22: DUP2
00000b23: JUMP
00000b24: JUMPDEST
00000b25: PUSH2 0x0b2c
00000b28: PUSH2 0x0bec
00000b2b: JUMP
00000b2c: JUMPDEST
00000b2d: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000b42: DUP2
00000b43: AND
00000b44: PUSH2 0x0b57
00000b47: JUMPI
00000b48: PUSH2 0x0b52
00000b4b: PUSH2 0x01d5
00000b4e: PUSH2 0x11ec
00000b51: JUMP
00000b52: JUMPDEST
00000b53: PUSH2 0x06aa
00000b56: JUMP
00000b57: JUMPDEST
00000b58: PUSH1 0x00
00000b5a: DUP1
00000b5b: SLOAD
00000b5c: PUSH32 0xffffffffffffffffffffffff0000000000000000000000000000000000000000
00000b7d: AND
00000b7e: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000b93: DUP4
00000b94: AND
00000b95: SWAP1
00000b96: DUP2
00000b97: OR
00000b98: DUP3
00000b99: SSTORE
00000b9a: PUSH1 0x40
00000b9c: MLOAD
00000b9d: SWAP1
00000b9e: SWAP2
00000b9f: CALLER
00000ba0: SWAP2
00000ba1: PUSH32 0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0
00000bc2: SWAP2
00000bc3: SWAP1
00000bc4: LOG3
00000bc5: POP
00000bc6: JUMP
00000bc7: JUMPDEST
00000bc8: CALLER
00000bc9: PUSH1 0x00
00000bcb: SWAP1
00000bcc: DUP2
00000bcd: MSTORE
00000bce: PUSH1 0x01
00000bd0: PUSH1 0x20
00000bd2: MSTORE
00000bd3: PUSH1 0x40
00000bd5: SWAP1
00000bd6: KECCAK256
00000bd7: SLOAD
00000bd8: PUSH1 0xff
00000bda: AND
00000bdb: PUSH2 0x0bea
00000bde: JUMPI
00000bdf: PUSH2 0x0bea
00000be2: PUSH2 0x01d5
00000be5: CALLER
00000be6: PUSH2 0x1223
00000be9: JUMP
00000bea: JUMPDEST
00000beb: JUMP
00000bec: JUMPDEST
00000bed: PUSH1 0x00
00000bef: SLOAD
00000bf0: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000c05: AND
00000c06: CALLER
00000c07: EQ
00000c08: PUSH2 0x0bea
00000c0b: JUMPI
00000c0c: PUSH1 0x00
00000c0e: SLOAD
00000c0f: PUSH2 0x0bea
00000c12: SWAP1
00000c13: PUSH2 0x01d5
00000c16: SWAP1
00000c17: CALLER
00000c18: SWAP1
00000c19: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000c2e: AND
00000c2f: PUSH2 0x123e
00000c32: JUMP
00000c33: JUMPDEST
00000c34: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000c49: DUP2
00000c4a: AND
00000c4b: PUSH2 0x0c59
00000c4e: JUMPI
00000c4f: PUSH2 0x0c59
00000c52: PUSH2 0x01d5
00000c55: PUSH2 0x12e0
00000c58: JUMP
00000c59: JUMPDEST
00000c5a: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000c6f: DUP2
00000c70: AND
00000c71: PUSH1 0x00
00000c73: SWAP1
00000c74: DUP2
00000c75: MSTORE
00000c76: PUSH1 0x01
00000c78: PUSH1 0x20
00000c7a: MSTORE
00000c7b: PUSH1 0x40
00000c7d: SWAP1
00000c7e: KECCAK256
00000c7f: SLOAD
00000c80: PUSH1 0xff
00000c82: AND
00000c83: ISZERO
00000c84: PUSH2 0x0c93
00000c87: JUMPI
00000c88: PUSH2 0x0c93
00000c8b: PUSH2 0x01d5
00000c8e: DUP3
00000c8f: PUSH2 0x1317
00000c92: JUMP
00000c93: JUMPDEST
00000c94: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000ca9: DUP2
00000caa: AND
00000cab: PUSH1 0x00
00000cad: DUP2
00000cae: DUP2
00000caf: MSTORE
00000cb0: PUSH1 0x01
00000cb2: PUSH1 0x20
00000cb4: DUP2
00000cb5: SWAP1
00000cb6: MSTORE
00000cb7: PUSH1 0x40
00000cb9: DUP1
00000cba: DUP4
00000cbb: KECCAK256
00000cbc: DUP1
00000cbd: SLOAD
00000cbe: PUSH32 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00
00000cdf: AND
00000ce0: DUP4
00000ce1: OR
00000ce2: SWAP1
00000ce3: SSTORE
00000ce4: PUSH1 0x02
00000ce6: DUP1
00000ce7: SLOAD
00000ce8: SWAP3
00000ce9: DUP4
00000cea: ADD
00000ceb: DUP2
00000cec: SSTORE
00000ced: DUP4
00000cee: MSTORE
00000cef: PUSH32 0x405787fa12a823e0f2b7631cc41b3ba8828b3321ca811111fa75cd3aa3bb5ace
00000d10: SWAP1
00000d11: SWAP2
00000d12: ADD
00000d13: DUP1
00000d14: SLOAD
00000d15: PUSH32 0xffffffffffffffffffffffff0000000000000000000000000000000000000000
00000d36: AND
00000d37: DUP5
00000d38: OR
00000d39: SWAP1
00000d3a: SSTORE
00000d3b: MLOAD
00000d3c: CALLER
00000d3d: SWAP3
00000d3e: SWAP2
00000d3f: PUSH32 0x3147867c59d17e8fa9d522465651d44aae0a9e38f902f3475b97e58072f0ed4c
00000d60: SWAP2
00000d61: LOG3
00000d62: POP
00000d63: JUMP
00000d64: JUMPDEST
00000d65: PUSH1 0x03
00000d67: DUP1
00000d68: SLOAD
00000d69: PUSH32 0xffffffffffffffffffffffff0000000000000000000000000000000000000000
00000d8a: AND
00000d8b: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000da0: DUP4
00000da1: AND
00000da2: OR
00000da3: SWAP1
00000da4: SSTORE
00000da5: PUSH1 0x40
00000da7: MLOAD
00000da8: PUSH32 0x048368388f801041f7690185c4e28b6f3505c740c47be8ac104b55df666bfc84
00000dc9: SWAP1
00000dca: PUSH2 0x0dd4
00000dcd: SWAP1
00000dce: DUP4
00000dcf: SWAP1
00000dd0: PUSH2 0x14ea
00000dd3: JUMP
00000dd4: JUMPDEST
00000dd5: PUSH1 0x40
00000dd7: MLOAD
00000dd8: DUP1
00000dd9: SWAP2
00000dda: SUB
00000ddb: SWAP1
00000ddc: LOG1
00000ddd: PUSH1 0x03
00000ddf: SLOAD
00000de0: PUSH1 0x40
00000de2: DUP1
00000de3: MLOAD
00000de4: PUSH1 0x04
00000de6: DUP2
00000de7: MSTORE
00000de8: PUSH1 0x24
00000dea: DUP2
00000deb: ADD
00000dec: DUP3
00000ded: MSTORE
00000dee: PUSH1 0x20
00000df0: DUP2
00000df1: ADD
00000df2: DUP1
00000df3: MLOAD
00000df4: PUSH28 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffff
00000e11: AND
00000e12: PUSH32 0xe1c7392a00000000000000000000000000000000000000000000000000000000
00000e33: OR
00000e34: SWAP1
00000e35: MSTORE
00000e36: SWAP1
00000e37: MLOAD
00000e38: PUSH1 0x00
00000e3a: SWAP3
00000e3b: PUSH1 0x60
00000e3d: SWAP3
00000e3e: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000e53: SWAP1
00000e54: SWAP2
00000e55: AND
00000e56: SWAP2
00000e57: PUSH2 0x0e60
00000e5a: SWAP2
00000e5b: SWAP1
00000e5c: PUSH2 0x14ce
00000e5f: JUMP
00000e60: JUMPDEST
00000e61: PUSH1 0x00
00000e63: PUSH1 0x40
00000e65: MLOAD
00000e66: DUP1
00000e67: DUP4
00000e68: SUB
00000e69: DUP2
00000e6a: DUP6
00000e6b: GAS
00000e6c: DELEGATECALL
00000e6d: SWAP2
00000e6e: POP
00000e6f: POP
00000e70: RETURNDATASIZE
00000e71: DUP1
00000e72: PUSH1 0x00
00000e74: DUP2
00000e75: EQ
00000e76: PUSH2 0x0e9b
00000e79: JUMPI
00000e7a: PUSH1 0x40
00000e7c: MLOAD
00000e7d: SWAP2
00000e7e: POP
00000e7f: PUSH1 0x1f
00000e81: NOT
00000e82: PUSH1 0x3f
00000e84: RETURNDATASIZE
00000e85: ADD
00000e86: AND
00000e87: DUP3
00000e88: ADD
00000e89: PUSH1 0x40
00000e8b: MSTORE
00000e8c: RETURNDATASIZE
00000e8d: DUP3
00000e8e: MSTORE
00000e8f: RETURNDATASIZE
00000e90: PUSH1 0x00
00000e92: PUSH1 0x20
00000e94: DUP5
00000e95: ADD
00000e96: RETURNDATACOPY
00000e97: PUSH2 0x0ea0
00000e9a: JUMP
00000e9b: JUMPDEST
00000e9c: PUSH1 0x60
00000e9e: SWAP2
00000e9f: POP
00000ea0: JUMPDEST
00000ea1: POP
00000ea2: SWAP2
00000ea3: POP
00000ea4: SWAP2
00000ea5: POP
00000ea6: DUP2
00000ea7: PUSH2 0x0eb2
00000eaa: JUMPI
00000eab: DUP1
00000eac: MLOAD
00000ead: PUSH1 0x20
00000eaf: DUP3
00000eb0: ADD
00000eb1: REVERT
00000eb2: JUMPDEST
00000eb3: PUSH2 0x0eba
00000eb6: PUSH2 0x09ce
00000eb9: JUMP
00000eba: JUMPDEST
00000ebb: POP
00000ebc: POP
00000ebd: POP
00000ebe: JUMP
00000ebf: JUMPDEST
00000ec0: PUSH1 0x60
00000ec2: PUSH4 0xeb5108a2
00000ec7: PUSH1 0xe0
00000ec9: SHL
00000eca: DUP3
00000ecb: PUSH1 0x40
00000ecd: MLOAD
00000ece: PUSH1 0x24
00000ed0: ADD
00000ed1: PUSH2 0x0eda
00000ed4: SWAP2
00000ed5: SWAP1
00000ed6: PUSH2 0x14ea
00000ed9: JUMP
00000eda: JUMPDEST
00000edb: PUSH1 0x40
00000edd: DUP1
00000ede: MLOAD
00000edf: PUSH32 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe0
00000f00: DUP2
00000f01: DUP5
00000f02: SUB
00000f03: ADD
00000f04: DUP2
00000f05: MSTORE
00000f06: SWAP2
00000f07: SWAP1
00000f08: MSTORE
00000f09: PUSH1 0x20
00000f0b: DUP2
00000f0c: ADD
00000f0d: DUP1
00000f0e: MLOAD
00000f0f: PUSH28 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffff
00000f2c: AND
00000f2d: PUSH32 0xffffffff00000000000000000000000000000000000000000000000000000000
00000f4e: SWAP1
00000f4f: SWAP4
00000f50: AND
00000f51: SWAP3
00000f52: SWAP1
00000f53: SWAP3
00000f54: OR
00000f55: SWAP1
00000f56: SWAP2
00000f57: MSTORE
00000f58: SWAP1
00000f59: POP
00000f5a: SWAP2
00000f5b: SWAP1
00000f5c: POP
00000f5d: JUMP
00000f5e: JUMPDEST
00000f5f: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000f74: DUP3
00000f75: AND
00000f76: PUSH1 0x00
00000f78: SWAP1
00000f79: DUP2
00000f7a: MSTORE
00000f7b: PUSH1 0x01
00000f7d: PUSH1 0x20
00000f7f: MSTORE
00000f80: PUSH1 0x40
00000f82: SWAP1
00000f83: KECCAK256
00000f84: SLOAD
00000f85: PUSH1 0xff
00000f87: AND
00000f88: PUSH2 0x0f97
00000f8b: JUMPI
00000f8c: PUSH2 0x0f97
00000f8f: PUSH2 0x01d5
00000f92: DUP4
00000f93: PUSH2 0x0ebf
00000f96: JUMP
00000f97: JUMPDEST
00000f98: PUSH1 0x02
00000f9a: SLOAD
00000f9b: DUP2
00000f9c: LT
00000f9d: PUSH2 0x0fb2
00000fa0: JUMPI
00000fa1: PUSH2 0x0fb2
00000fa4: PUSH2 0x01d5
00000fa7: DUP3
00000fa8: PUSH1 0x02
00000faa: DUP1
00000fab: SLOAD
00000fac: SWAP1
00000fad: POP
00000fae: PUSH2 0x1332
00000fb1: JUMP
00000fb2: JUMPDEST
00000fb3: DUP2
00000fb4: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000fc9: AND
00000fca: PUSH1 0x02
00000fcc: DUP3
00000fcd: DUP2
00000fce: SLOAD
00000fcf: DUP2
00000fd0: LT
00000fd1: PUSH2 0x0fd6
00000fd4: JUMPI
00000fd5: INVALID
00000fd6: JUMPDEST
00000fd7: PUSH1 0x00
00000fd9: SWAP2
00000fda: DUP3
00000fdb: MSTORE
00000fdc: PUSH1 0x20
00000fde: SWAP1
00000fdf: SWAP2
00000fe0: KECCAK256
00000fe1: ADD
00000fe2: SLOAD
00000fe3: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00000ff8: AND
00000ff9: EQ
00000ffa: PUSH2 0x1038
00000ffd: JUMPI
00000ffe: PUSH2 0x1038
00001001: PUSH2 0x01d5
00001004: PUSH1 0x02
00001006: DUP4
00001007: DUP2
00001008: SLOAD
00001009: DUP2
0000100a: LT
0000100b: PUSH2 0x1010
0000100e: JUMPI
0000100f: INVALID
00001010: JUMPDEST
00001011: PUSH1 0x00
00001013: SWAP2
00001014: DUP3
00001015: MSTORE
00001016: PUSH1 0x20
00001018: SWAP1
00001019: SWAP2
0000101a: KECCAK256
0000101b: ADD
0000101c: SLOAD
0000101d: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00001032: AND
00001033: DUP5
00001034: PUSH2 0x134f
00001037: JUMP
00001038: JUMPDEST
00001039: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
0000104e: DUP3
0000104f: AND
00001050: PUSH1 0x00
00001052: SWAP1
00001053: DUP2
00001054: MSTORE
00001055: PUSH1 0x01
00001057: PUSH1 0x20
00001059: MSTORE
0000105a: PUSH1 0x40
0000105c: SWAP1
0000105d: KECCAK256
0000105e: DUP1
0000105f: SLOAD
00001060: PUSH32 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff00
00001081: AND
00001082: SWAP1
00001083: SSTORE
00001084: PUSH1 0x02
00001086: DUP1
00001087: SLOAD
00001088: PUSH32 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
000010a9: DUP2
000010aa: ADD
000010ab: SWAP1
000010ac: DUP2
000010ad: LT
000010ae: PUSH2 0x10b3
000010b1: JUMPI
000010b2: INVALID
000010b3: JUMPDEST
000010b4: PUSH1 0x00
000010b6: SWAP2
000010b7: DUP3
000010b8: MSTORE
000010b9: PUSH1 0x20
000010bb: SWAP1
000010bc: SWAP2
000010bd: KECCAK256
000010be: ADD
000010bf: SLOAD
000010c0: PUSH1 0x02
000010c2: DUP1
000010c3: SLOAD
000010c4: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
000010d9: SWAP1
000010da: SWAP3
000010db: AND
000010dc: SWAP2
000010dd: DUP4
000010de: SWAP1
000010df: DUP2
000010e0: LT
000010e1: PUSH2 0x10e6
000010e4: JUMPI
000010e5: INVALID
000010e6: JUMPDEST
000010e7: PUSH1 0x00
000010e9: SWAP2
000010ea: DUP3
000010eb: MSTORE
000010ec: PUSH1 0x20
000010ee: SWAP1
000010ef: SWAP2
000010f0: KECCAK256
000010f1: ADD
000010f2: DUP1
000010f3: SLOAD
000010f4: PUSH32 0xffffffffffffffffffffffff0000000000000000000000000000000000000000
00001115: AND
00001116: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
0000112b: SWAP3
0000112c: SWAP1
0000112d: SWAP3
0000112e: AND
0000112f: SWAP2
00001130: SWAP1
00001131: SWAP2
00001132: OR
00001133: SWAP1
00001134: SSTORE
00001135: PUSH1 0x02
00001137: DUP1
00001138: SLOAD
00001139: PUSH32 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
0000115a: ADD
0000115b: SWAP1
0000115c: PUSH2 0x1165
0000115f: SWAP1
00001160: DUP3
00001161: PUSH2 0x136c
00001164: JUMP
00001165: JUMPDEST
00001166: POP
00001167: PUSH1 0x40
00001169: MLOAD
0000116a: CALLER
0000116b: SWAP1
0000116c: PUSH20 0xffffffffffffffffffffffffffffffffffffffff
00001181: DUP5
00001182: AND
00001183: SWAP1
00001184: PUSH32 0x1f32c1b084e2de0713b8fb16bd46bb9df710a3dbeae2f3ca93af46e016dcc6b0
000011a5: SWAP1
000011a6: PUSH1 0x00
000011a8: SWAP1
000011a9: LOG3
000011aa: POP
000011ab: POP
000011ac: JUMP
000011ad: JUMPDEST
000011ae: PUSH1 0x60
000011b0: PUSH32 0xfc45bd1100000000000000000000000000000000000000000000000000000000
000011d1: DUP3
000011d2: PUSH1 0x04
000011d4: DUP2
000011d5: GT
000011d6: ISZERO
000011d7: PUSH2 0x11dc

Findings

validated = confirmed for call sinks; sink observed for others
Severity Category Tool Title Confidence Validated Confirmed Details
critical upgradeability detector Untrusted DELEGATECALL target reachable 70 no no
trace_id: 0xec236aed6e6b34a8ffb73d5e4b00bb2a993180286268345dd7eed39d12ae0f74
validation_json
{
    "sink": "DELEGATECALL",
    "errors": 0,
    "status": "unknown",
    "attempts": 192,
    "trace_id": "0xec236aed6e6b34a8ffb73d5e4b00bb2a993180286268345dd7eed39d12ae0f74",
    "confirmed": false,
    "trace_mode": "callTracer",
    "call_targets": null,
    "matched_probe": null,
    "target_varies": null,
    "classification": "no_sink"
}
witness_json
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0xe8eeb3f8",
            "selector": "0xe8eeb3f8",
            "calldata_variants": [
                "0xe8eeb3f8",
                "0xe8eeb3f80000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xee99205c",
            "selector": "0xee99205c",
            "calldata_variants": [
                "0xee99205c",
                "0xee99205c0000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xf1876532",
            "selector": "0xf1876532",
            "calldata_variants": [
                "0xf1876532",
                "0xf18765320000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xf2fde38b",
            "selector": "0xf2fde38b",
            "calldata_variants": [
                "0xf2fde38b",
                "0xf2fde38b0000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xc6f3a427",
            "selector": "0xc6f3a427",
            "calldata_variants": [
                "0xc6f3a427",
                "0xc6f3a4270000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xd39de6e9",
            "selector": "0xd39de6e9",
            "calldata_variants": [
                "0xd39de6e9",
                "0xd39de6e90000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xe0ee036e",
            "selector": "0xe0ee036e",
            "calldata_variants": [
                "0xe0ee036e",
                "0xe0ee036e0000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xa657e579",
            "selector": "0xa657e579",
            "calldata_variants": [
                "0xa657e579",
                "0xa657e5790000000000000000000000000000000000000000000000000000000000000000"
            ]
        }
    ]
}
evidence_json
{
    "examples": [
        {
            "pc": 530,
            "opcode": "DELEGATECALL",
            "returndata_checked": null,
            "value_expression_category": "n/a",
            "target_expression_category": "computed"
        },
        {
            "pc": 2292,
            "opcode": "DELEGATECALL",
            "returndata_checked": null,
            "value_expression_category": "n/a",
            "target_expression_category": "computed"
        },
        {
            "pc": 3692,
            "opcode": "DELEGATECALL",
            "returndata_checked": null,
            "value_expression_category": "n/a",
            "target_expression_category": "computed"
        }
    ],
    "guards_detected": [],
    "delegatecall_count": 3,
    "untrusted_delegatecall_count": 3
}
medium other codex batchExecute reuses msg.value across delegatecalls, enabling protocol-fee inflation 75 no
evidence_json
{
    "evidence": "batchExecute loops delegatecall without adjusting msg.value, while payProtocolFee treats msg.value == protocolFee as a full ETH payment.",
    "locations": [
        "contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/StakingProxy.sol:103",
        "contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/fees/MixinExchangeFees.sol:45"
    ],
    "recommendation": "Disallow non-zero msg.value in batchExecute, or split/consume msg.value per call. Alternatively add a guard in payProtocolFee to only accept ETH for direct calls (not via batching) or track ETH paid per call.",
    "exploit_scenario": "A whitelisted exchange calls batchExecute with msg.value equal to protocolFee and includes multiple payProtocolFee calls. Each delegatecall sees the same msg.value, so the fee check passes and fees are credited multiple times while only one ETH payment was made, skewing reward distribution toward the chosen pool."
}
medium upgradeability cast DELEGATECALL present 80 no
evidence_json
{
    "notes": "delegatecall enables execution in caller context; common in proxies/upgradeable patterns",
    "delegatecall_count": 3
}
low other codex Unchecked ERC20 transfer return values in ZRX vault and reward payouts 65 no
evidence_json
{
    "evidence": "ZRX withdrawals and WETH reward transfers ignore the boolean return value of transfer().",
    "locations": [
        "contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/ZrxVault.sol:215",
        "contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/staking_pools/MixinStakingPoolRewards.sol:131",
        "contracts/Users/amir/github/0xproject/0x-monorepo/contracts/staking/contracts/src/staking_pools/MixinStakingPoolRewards.sol:169"
    ],
    "recommendation": "Check the return value of ERC20 transfer and revert on failure (or use a SafeERC20 helper) for both ZRX withdrawals and WETH reward payouts.",
    "exploit_scenario": "If ZRX or WETH tokens return false without reverting (or are replaced with non-standard tokens on other deployments), the contract will update balances and reserves even though transfers failed, leading to lost rewards or stuck withdrawals."
}