1dcf1431-5e2b-4d3c-a948-3f7e50dcdadf
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 31421 | report.consolidate | complete | 1 / 1 | 3 months ago |
| 77152 | artifact.fetch | complete | 1 / 3 | 2 weeks ago |
| 77153 | tool.cast_disasm | complete | 1 / 3 | 2 weeks ago |
| 77154 | analysis.bundle | complete | 1 / 3 | 2 weeks ago |
| 77155 | capability.graph | complete | 1 / 3 | 2 weeks ago |
| 77156 | detector.run | complete | 1 / 3 | 2 weeks ago |
| 77157 | validation.fork | complete | 1 / 3 | 2 weeks ago |
No slither job recorded yet.
[codex:65] OpenAI Codex v0.77.0 (research preview)
[codex:65] --------
[codex:65] workdir: /tmp/codex-multi-xqcjy_1e
[codex:65] model: gpt-5.2-codex
[codex:65] provider: openai
[codex:65] approval: never
[codex:65] sandbox: read-only
[codex:65] reasoning effort: xhigh
[codex:65] reasoning summaries: auto
[codex:65] session id: 019b8182-0eef-7600-b27b-dd80bb48836c
[codex:65] --------
[codex:65] user
[codex:65] You are a profit-focused exploit hunter analyzing EVM bytecode. Your ONLY goal is finding ways to extract value (ETH, tokens, NFTs) from this contract.
[codex:65]
[codex:65] Read `BYTECODE_BUNDLE.txt` completely before concluding.
[codex:65]
[codex:65] ONLY REPORT if you find a CONCRETE, EXPLOITABLE path to profit. We do NOT care about:
[codex:65] - Gas inefficiency, code quality, or best practices
[codex:65] - Theoretical vulnerabilities without a clear extraction path
[codex:65] - Generic footguns (unchecked return values, etc.) unless they enable theft
[codex:65] - Issues requiring social engineering or off-chain coordination
[codex:65]
[codex:65] PATTERNS WORTH INVESTIGATING in bytecode:
[codex:65] - CALL/DELEGATECALL with controllable destination or calldata
[codex:65] - Value transfers (CALL with non-zero value) without prior CALLER/ORIGIN checks
[codex:65] - SSTORE to low slots (0-10) that might be owner/admin storage
[codex:65] - ecrecover (signature validation) - look for missing nonce/replay protection
[codex:65] - External calls before state updates (reentrancy)
[codex:65] - SELFDESTRUCT with controllable beneficiary
[codex:65] - Proxy patterns (DELEGATECALL to storage slot) with unprotected upgrade paths
[codex:65]
[codex:65] For each finding, you MUST explain:
[codex:65] 1. The specific bytecode pattern/offsets that indicate the vulnerability
[codex:65] 2. The concrete sequence of transactions to extract value
[codex:65] 3. Why you believe this is exploitable (not just suspicious)
[codex:65]
[codex:65] If you cannot identify a concrete profit path from bytecode alone: set no_findings=true.
[codex:65] Do NOT hallucinate. Bytecode-only analysis is limited - be honest about uncertainty.
[codex:65]
[codex:65] Output MUST be valid JSON matching the provided schema.
[codex:65] - severity: info, low, medium, high, critical (use high/critical ONLY for clear extraction paths)
[codex:65] - category: access_control, reentrancy, math, oracle, upgradeability, auth, other
[codex:65] mcp startup: no servers
[codex:65]
[codex:65] thinking
[codex:65] **Planning to read BYTECODE_BUNDLE.txt**
[codex:65] exec
[codex:65] /bin/bash -lc ls in /tmp/codex-multi-xqcjy_1e succeeded in 5ms:
[codex:65] BYTECODE_BUNDLE.txt
[codex:65] codex-output-schema.json
[codex:65] exec
[codex:65] /bin/bash -lc 'cat BYTECODE_BUNDLE.txt' in /tmp/codex-multi-xqcjy_1e succeeded in 5ms:
[codex:65] Runtime bytecode bundle for best-effort auditing.
[codex:65] Note: without verified source, conclusions are low-confidence unless a concrete pattern is visible.
[codex:65]
[codex:65] FILE: runtime_bytecode.hex
[codex:65] 0x606060405236156100fb5760e060020a6000350463021991e781146100fd57806303750d941461010757806306b5f02d1461012d5780630d1fce421461014b5780630e1da6c31461015e5780630f06670a1461016b5780632d9a37d31461019b5780632e1a7d4d146101b55780632fac1d36146101d857806346b305d61461020957806355b775ea1461022c578063839930ba1461024f5780638772ae3c1461025a5780638d2161861461027d578063a094a031146102af578063a1b9af3114610209578063add4c784146102bd578063bd66528a146102ed578063c7cf28fe1461031e578063cb96012e1461034b578063d8389dc51461035c575b005b6103796000545b90565b6100fb600435602435600254600160a060020a0390811633919091161461047a57610432565b6103796004356024355b606460628302046101000281900492915050565b61037930600160a060020a031631610104565b6100fb600061070e610322565b610379600435600160a060020a0333166000908152600460208190526040822090810154821415610520576104cd565b6103795b606430600160a060020a03163160050204610104565b6100fb600435600154600160a060020a039081163391909116146107405761070b565b6103796004355b600160a060020a03811660009081526004602081905260408220908101548214156104c8576104cd565b6100fb600154600090600160a060020a0390811633919091161461070b5761070b565b6100fb600435600154600160a060020a0390811633919091161461071e5761070b565b610379600354610104565b6100fb600435600154600160a060020a039081163391909116146107195761070b565b6100fb6004356024356001821080610295575060ff82115b806102a1575060035434105b80610438575061047061019f565b61037960006104c1336101df565b610379600435600160a060020a03331660009081526004602081905260408220908101548214156104d3576104cd565b6100fb600435600160a060020a03331660009081526004602081905260408220908101549091141561058357610432565b6103795b600160a060020a0333166000908152600460208190526040822090810154821461068c57610688565b6103796004355b60ff81165b919050565b610379600435604080518281529051908190036020019020610357565b60408051918252519081900360200190f35b6040805160a081018252348082526020828101868152438486018181526060868101898152600060808901818152600160a060020a0333168083526004808a52928c90209a518b55965160018b0155935160028a01559051600389015591519690910195909555855190815291820192909252808401869052925190927f97371a3349bea11f577edf6e64350a3dfb9de665d1154c7e6d08eb0805aa043092908290030190a25b5050565b115b8061044557506000805414155b1561038b57604051600160a060020a03331690600090349082818181858883f1935050505050610432565b6104363484610137565b600160a060020a038216600090815260046020819052604082200154146104a057610432565b600160a060020a039190911660009081526004602081905260409091200155565b9050610104565b600191505b50919050565b6040805160038301548582529151908190036020019020146104f4576104cd565b6040805160048301548582526020820152815190819003909101902061051990610352565b91506104cd565b604080516003830154858252915190819003602001902014610541576104cd565b60408051600183015460048401548683526020830152825191829003909201902061056b90610352565b101561057a57600191506104cd565b600091506104cd565b6040805160038301548482529151908190036020019020146105a457610432565b6040805160018301546004840154858352602083015282519182900390920190206105ce90610352565b101561064b5780546001820154600160a060020a033316916000916105f39190610137565b6040516000818181858888f15084546001860154908252602082015260408051600160a060020a03331695507ffdc49939175858b2bb557093a7d52fa6b6f3aad917d282d61758fab4805f102a945091829003019150a25b600160a060020a0333166000908152600460208190526040822082815560018101839055600281018390556003810183905501555050565b600191505b5090565b80546000901161069f5760009150610688565b60028101546014014310156106835760009150610688565b50600160a060020a03331660008181526004602052604080822080549151909392919082818181858883f1505050908152600460208190528183556001830182905560028301829055600383018290558201555b50565b15156106b75761070b565b600355565b6002805473ffffffffffffffffffffffffffffffffffffffff19168217905550565b60008054148061075557506000546116800143105b1561075f5761070b565b600154604051600160a060020a039190911690600090839082818181858883f150505050505056
[codex:65]
[codex:65] thinking
[codex:65] **Analyzing bytecode for exploits**
[codex:65] exec
[codex:65] /bin/bash -lc 'evm disasm BYTECODE_BUNDLE.txt' in /tmp/codex-multi-xqcjy_1e exited 127 in 6ms:
[codex:65] /bin/bash: line 1: evm: command not found
[codex:65]
[codex:65] thinking
[codex:65] **Planning manual bytecode disassembly**
[codex:65] exec
[codex:65] /bin/bash -lc "python - <<'PY'
[codex:65] from binascii import unhexlify
[codex:65] import re
[codex:65] import sys
[codex:65]
[codex:65] data=open('/tmp/codex-multi-xqcjy_1e/BYTECODE_BUNDLE.txt').read()
[codex:65] # extract hex after 0x
[codex:65] m=re.search(r'0x([0-9a-fA-F]+)', data)
[codex:65] hexstr=m.group(1)
[codex:65] code=bytes.fromhex(hexstr)
[codex:65] # opcode table
[codex:65] opcodes = {
[codex:65] 0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:65] 0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:65] 0x20:'SHA3',
[codex:65] 0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:65] 0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:65] 0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
[codex:65] 0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
[codex:65] 0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
[codex:65] 0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
[codex:65] 0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
[codex:65] 0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:65] }
[codex:65]
[codex:65] # simple disasm
[codex:65] pc=0
[codex:65] out=[]
[codex:65] while pc < len(code):
[codex:65] op=code[pc]
[codex:65] name=opcodes.get(op, 'UNKNOWN')
[codex:65] if 0x60 <= op <= 0x7f:
[codex:65] n=op-0x5f
[codex:65] data=code[pc+1:pc+1+n]
[codex:65] out.append(f\"{pc:04x}: {name} 0x{data.hex()}\")
[codex:65] pc+=1+n
[codex:65] else:
[codex:65] out.append(f\"{pc:04x}: {name}\")
[codex:65] pc+=1
[codex:65]
[codex:65] # print to file
[codex:65] with open('/tmp/codex-multi-xqcjy_1e/disasm.txt','w') as f:
[codex:65] f.write('\\n'.join(out))
[codex:65] print('wrote disasm')
[codex:65] PY" in /tmp/codex-multi-xqcjy_1e exited 1 in 34ms:
[codex:65] Traceback (most recent call last):
[codex:65] File "<stdin>", line 41, in <module>
[codex:65] PermissionError: [Errno 13] Permission denied: '/tmp/codex-multi-xqcjy_1e/disasm.txt'
[codex:65]
[codex:65] thinking
[codex:65] **Adapting to read-only environment**
[codex:65] exec
[codex:65] /bin/bash -lc "python - <<'PY'
[codex:65] from binascii import unhexlify
[codex:65] import re
[codex:65]
[codex:65] data=open('/tmp/codex-multi-xqcjy_1e/BYTECODE_BUNDLE.txt').read()
[codex:65] # extract hex after 0x
[codex:65] m=re.search(r'0x([0-9a-fA-F]+)', data)
[codex:65] hexstr=m.group(1)
[codex:65] code=bytes.fromhex(hexstr)
[codex:65] # opcode table
[codex:65] opcodes = {
[codex:65] 0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:65] 0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:65] 0x20:'SHA3',
[codex:65] 0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:65] 0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:65] 0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
[codex:65] 0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
[codex:65] 0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
[codex:65] 0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
[codex:65] 0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
[codex:65] 0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:65] }
[codex:65]
[codex:65] pc=0
[codex:65] while pc < len(code):
[codex:65] op=code[pc]
[codex:65] name=opcodes.get(op, 'UNKNOWN')
[codex:65] if 0x60 <= op <= 0x7f:
[codex:65] n=op-0x5f
[codex:65] data=code[pc+1:pc+1+n]
[codex:65] print(f\"{pc:04x}: {name} 0x{data.hex()}\")
[codex:65] pc+=1+n
[codex:65] else:
[codex:65] print(f\"{pc:04x}: {name}\")
[codex:65] pc+=1
[codex:65] PY" in /tmp/codex-multi-xqcjy_1e succeeded in 36ms:
[codex:65] 0000: PUSH1 0x60
[codex:65] 0002: PUSH1 0x40
[codex:65] 0004: MSTORE
[codex:65] 0005: CALLDATASIZE
[codex:65] 0006: ISZERO
[codex:65] 0007: PUSH2 0x00fb
[codex:65] 000a: JUMPI
[codex:65] 000b: PUSH1 0xe0
[codex:65] 000d: PUSH1 0x02
[codex:65] 000f: EXP
[codex:65] 0010: PUSH1 0x00
[codex:65] 0012: CALLDATALOAD
[codex:65] 0013: DIV
[codex:65] 0014: PUSH4 0x021991e7
[codex:65] 0019: DUP2
[codex:65] 001a: EQ
[codex:65] 001b: PUSH2 0x00fd
[codex:65] 001e: JUMPI
[codex:65] 001f: DUP1
[codex:65] 0020: PUSH4 0x03750d94
[codex:65]
[codex:65]
[codex:65]
[codex:65]
[codex:65] thinking
[codex:65] **Analyzing contract storage and call flow**
[codex:65] thinking
[codex:65] **Decoding conditional fund transfers and storage checks**
[codex:65]
[codex:65] I'm parsing the logic behind conditional calls that refund or transfer ETH based on input bounds and storage flags, focusing on how slot0 and slot3 control flow. I’m analyzing intricate stack operations governing whether to trigger event logging, refund msg.value, or allow a time-locked owner withdrawal with masked addresses and call arguments. Let's continue mapping these complex checks together!
[codex:65] thinking
[codex:65] **Tracing stack manipulations for owner withdrawal call**
[codex:65]
[codex:65] I'm carefully reconstructing the stack swaps and bitwise operations to determine how the call to transfer ETH to the owner is prepared, confirming that the call’s value comes from an input argument and the recipient is masked from storage. It looks like this function enables time-locked owner withdrawals with complex argument reordering to craft the CALL parameters.
[codex:65] thinking
[codex:65] **Planning symbolic stack analysis for withdrawal call**
[codex:65]
[codex:65] I’m outlining an approach to build a symbolic stack emulator to track stack values through the withdrawal function, aiming to clearly identify CALL parameters and verify if any unprotected or reentrant withdrawal is possible. This will help confirm if the call uses caller-controlled values or protected storage slots.
[codex:65] exec
[codex:65] /bin/bash -lc "python - <<'PY'
[codex:65] import re
[codex:65]
[codex:65] data=open('/tmp/codex-multi-xqcjy_1e/BYTECODE_BUNDLE.txt').read()
[codex:65] hexstr=re.search(r'0x([0-9a-fA-F]+)', data).group(1)
[codex:65] code=bytes.fromhex(hexstr)
[codex:65]
[codex:65] # simple opcode lengths
[codex:65]
[codex:65] def disasm(pc):
[codex:65] op=code[pc]
[codex:65] if 0x60 <= op <= 0x7f:
[codex:65] n=op-0x5f
[codex:65] data=code[pc+1:pc+1+n]
[codex:65] return op, data, pc+1+n
[codex:65] return op, b'', pc+1
[codex:65]
[codex:65] # symbols
[codex:65] class Sym(str):
[codex:65] pass
[codex:65]
[codex:65] # minimal stack simulator
[codex:65]
[codex:65] def simulate(start, end=None, initial_stack=None):
[codex:65] stack=list(initial_stack or [])
[codex:65] mem={}
[codex:65] pc=start
[codex:65] steps=0
[codex:65] while pc < len(code):
[codex:65] if end is not None and pc>=end:
[codex:65] break
[codex:65] op,data,next_pc = disasm(pc)
[codex:65] #print(hex(pc), op, data)
[codex:65] name=None
[codex:65] # handle push
[codex:65] if 0x60 <= op <= 0x7f:
[codex:65] val=f\"0x{data.hex()}\"
[codex:65] stack.append(val)
[codex:65] elif op==0x50: # POP
[codex:65] if stack: stack.pop()
[codex:65] elif op==0x01: # ADD
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}+{b})\")
[codex:65] elif op==0x03: # SUB
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}-{b})\")
[codex:65] elif op==0x16: # AND
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}&{b})\")
[codex:65] elif op==0x14: # EQ
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}=={b})\")
[codex:65] elif op==0x10: # LT
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}<{b})\")
[codex:65] elif op==0x11: # GT
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}>{b})\")
[codex:65] elif op==0x15: # ISZERO
[codex:65] a=stack.pop(); stack.append(f\"("'!{a})")
[codex:65] elif op==0x20: # SHA3
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f"keccak({a},{b})")
[codex:65] elif op==0x33: # CALLER
[codex:65] stack.append("CALLER")
[codex:65] elif op==0x34: # CALLVALUE
[codex:65] stack.append("CALLVALUE")
[codex:65] elif op==0x43: # NUMBER
[codex:65] stack.append("BLOCKNUM")
[codex:65] elif op==0x54: # SLOAD
[codex:65] key=stack.pop(); stack.append(f"SLOAD[{key}]")
[codex:65] elif op==0x55: # SSTORE
[codex:65] val=stack.pop(); key=stack.pop(); stack.append(f"SSTORE({key},{val})")
[codex:65] elif op==0x51: # MLOAD
[codex:65] addr=stack.pop(); stack.append(mem.get(addr, f"MLOAD[{addr}]") )
[codex:65] elif op==0x52: # MSTORE
[codex:65] val=stack.pop(); addr=stack.pop(); mem[addr]=val
[codex:65] elif 0x80 <= op <= 0x8f: # DUP
[codex:65] idx=op-0x7f
[codex:65] if len(stack)>=idx:
[codex:65] stack.append(stack[-idx])
[codex:65] elif 0x90 <= op <= 0x9f: # SWAP
[codex:65] idx=op-0x8f
[codex:65] if len(stack)>idx:
[codex:65] stack[-1], stack[-1-idx] = stack[-1-idx], stack[-1]
[codex:65] elif op==0xf1: # CALL
[codex:65] # CALL pops 7 args
[codex:65] args=stack[-7:]
[codex:65] print(f"CALL at {pc:#x} stack args(top last): {args}")
[codex:65] # remove
[codex:65] for _ in range(7): stack.pop()
[codex:65] stack.append("CALLRET")
[codex:65] elif op==0x56: # JUMP
[codex:65] dest=stack.pop()
[codex:65] # stop on jump for this trace
[codex:65] #print('"'JUMP to', dest)
[codex:65] break
[codex:65] elif op==0x57: # JUMPI
[codex:65] dest=stack.pop(); cond=stack.pop()
[codex:65] # ignore
[codex:65] # other ops ignored
[codex:65] pc=next_pc
[codex:65] steps+=1
[codex:65] if steps>1000:
[codex:65] print('too many steps')
[codex:65] break
[codex:65] print('final stack', stack)
[codex:65]
[codex:65] # simulate from 0x06b7 to include call
[codex:65] simulate(0x06b7, end=0x06e3, initial_stack=['RET','ARG'])
[codex:65] PY" in /tmp/codex-multi-xqcjy_1e succeeded in 28ms:
[codex:65] CALL at 0x6e2 stack args(top last): ['0x00', 'MLOAD[0x40]', '0x00', 'MLOAD[0x40]', 'SLOAD[keccak(0x40,0x00)]', '((0xa0-0x02)&CALLER)', '0x00']
[codex:65] final stack ['RET', '0x01', 'keccak(0x40,0x00)', '((0xa0-0x02)&CALLER)', '0x00', 'SLOAD[keccak(0x40,0x00)]', 'MLOAD[0x40]', 'CALLRET']
[codex:65]
[codex:65] thinking
[codex:65] **Analyzing EVM CALL stack arguments**
[codex:65]
[codex:65] I'm examining how the CALL opcode consumes its 7 stack arguments in the right order, clarifying how the symbolic stack slice maps to gas, to, value, etc. I notice the gas argument looks like zero, which would cause the call to fail, so I suspect the initial symbolic stack used in simulation is incomplete, missing earlier pushes and DUPs that supply the actual gas value. To fix this, I plan to simulate from an earlier entry point with a more complete initial stack and manually steer jump conditions to ensure reaching the CALL instruction accurately. This means coding a symbolic executor that follows a specific jump path with known jump destinations and tracks stack updates precisely. I'll write such a script next.
[codex:65] exec
[codex:65] /bin/bash -lc "python - <<'PY'
[codex:65] import re
[codex:65]
[codex:65] data=open('/tmp/codex-multi-xqcjy_1e/BYTECODE_BUNDLE.txt').read()
[codex:65] hexstr=re.search(r'0x([0-9a-fA-F]+)', data).group(1)
[codex:65] code=bytes.fromhex(hexstr)
[codex:65]
[codex:65] # opcode lengths
[codex:65]
[codex:65] def op_at(pc):
[codex:65] op=code[pc]
[codex:65] if 0x60 <= op <= 0x7f:
[codex:65] n=op-0x5f
[codex:65] data=code[pc+1:pc+1+n]
[codex:65] return op, data, pc+1+n
[codex:65] return op, b'', pc+1
[codex:65]
[codex:65] # symbolic
[codex:65]
[codex:65] def is_const(x):
[codex:65] return isinstance(x,str) and x.startswith('0x')
[codex:65]
[codex:65] def to_int(x):
[codex:65] return int(x,16)
[codex:65]
[codex:65]
[codex:65] def simulate(pc, stack, mem, max_steps=10000):
[codex:65] steps=0
[codex:65] while pc < len(code) and steps<max_steps:
[codex:65] op,data,next_pc = op_at(pc)
[codex:65] #print(hex(pc), op, data, stack)
[codex:65] if 0x60 <= op <= 0x7f:
[codex:65] stack.append('0x'+data.hex())
[codex:65] elif op==0x50: # POP
[codex:65] stack.pop()
[codex:65] elif op==0x01: # ADD
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}+{b})\")
[codex:65] elif op==0x03: # SUB
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}-{b})\")
[codex:65] elif op==0x16: # AND
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}&{b})\")
[codex:65] elif op==0x14: # EQ
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}=={b})\")
[codex:65] elif op==0x10: # LT
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}<{b})\")
[codex:65] elif op==0x11: # GT
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}>{b})\")
[codex:65] elif op==0x15: # ISZERO
[codex:65] a=stack.pop(); stack.append(f\"("'!{a})")
[codex:65] elif op==0x20: # SHA3
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f"keccak({a},{b})")
[codex:65] elif op==0x33: # CALLER
[codex:65] stack.append('"'CALLER')
[codex:65] elif op==0x34: # CALLVALUE
[codex:65] stack.append('CALLVALUE')
[codex:65] elif op==0x43: # NUMBER
[codex:65] stack.append('BLOCKNUM')
[codex:65] elif op==0x54: # SLOAD
[codex:65] key=stack.pop(); stack.append(f\"SLOAD[{key}]\")
[codex:65] elif op==0x55: # SSTORE
[codex:65] val=stack.pop(); key=stack.pop(); stack.append(f\"SSTORE({key},{val})\")
[codex:65] elif op==0x51: # MLOAD
[codex:65] addr=stack.pop(); stack.append(mem.get(addr, f\"MLOAD[{addr}]\") )
[codex:65] elif op==0x52: # MSTORE
[codex:65] val=stack.pop(); addr=stack.pop(); mem[addr]=val
[codex:65] elif 0x80 <= op <= 0x8f:
[codex:65] idx=op-0x7f
[codex:65] stack.append(stack[-idx])
[codex:65] elif 0x90 <= op <= 0x9f:
[codex:65] idx=op-0x8f
[codex:65] stack[-1], stack[-1-idx] = stack[-1-idx], stack[-1]
[codex:65] elif op==0xf1:
[codex:65] args=stack[-7:]
[codex:65] print(f\"CALL at {pc:#x} args(bottom->top): {args}\")
[codex:65] for _ in range(7): stack.pop()
[codex:65] stack.append('CALLRET')
[codex:65] elif op==0x56: # JUMP
[codex:65] dest=stack.pop()
[codex:65] if is_const(dest):
[codex:65] pc=to_int(dest); continue
[codex:65] else:
[codex:65] print('non-const jump dest', dest); break
[codex:65] elif op==0x57: # JUMPI
[codex:65] dest=stack.pop(); cond=stack.pop()
[codex:65] # take jump if dest matches path we want
[codex:65] if is_const(dest):
[codex:65] d=to_int(dest)
[codex:65] # decide based on dest address: prefer taking jumps to 0x068c,0x069f,0x0683,0x06b7
[codex:65] take = d in (0x068c,0x069f,0x0683,0x06b7)
[codex:65] # also if dest is 0x070e? hmm
[codex:65] if take:
[codex:65] pc=d; continue
[codex:65] # else fallthrough
[codex:65] elif op==0x00: # STOP
[codex:65] break
[codex:65] # default
[codex:65] pc=next_pc
[codex:65] steps+=1
[codex:65] return stack
[codex:65]
[codex:65] # simulate from 0x015e -> 0x0322 path manually
[codex:65] stack=['RET']
[codex:65] mem={}
[codex:65] # emulate 015e sequence
[codex:65] stack.append('0x00')
[codex:65] stack.append('0x070e')
[codex:65] # jump to 0322
[codex:65] final=simulate(0x0322, stack, mem, max_steps=2000)
[codex:65] print('final stack', final)
[codex:65] PY" in /tmp/codex-multi-xqcjy_1e succeeded in 26ms:
[codex:65] final stack ['RET', '0x00', '0xe0', '0x02', '0x00']
[codex:65]
[codex:65] thinking
[codex:65] **Planning detailed symbolic stack simulation**
[codex:65]
[codex:65] I see the simulation is ending unexpectedly around jump instructions with non-constant destinations, so I want to try a more explicit, manual symbolic simulation for the 06b7 function and carefully track the stack state at key jump points like 068c and 070e. To achieve this, I’ll instrument a targeted stepping script to trace stack evolution from 0322 until entering 068c, ensuring I follow jump conditions precisely for better insight.
[codex:65] exec
[codex:65] /bin/bash -lc "python - <<'PY'
[codex:65] import re
[codex:65]
[codex:65] data=open('/tmp/codex-multi-xqcjy_1e/BYTECODE_BUNDLE.txt').read()
[codex:65] hexstr=re.search(r'0x([0-9a-fA-F]+)', data).group(1)
[codex:65] code=bytes.fromhex(hexstr)
[codex:65]
[codex:65] # op parse
[codex:65]
[codex:65] def op_at(pc):
[codex:65] op=code[pc]
[codex:65] if 0x60 <= op <= 0x7f:
[codex:65] n=op-0x5f
[codex:65] data=code[pc+1:pc+1+n]
[codex:65] return op, data, pc+1+n
[codex:65] return op, b'', pc+1
[codex:65]
[codex:65] # symbolic helpers
[codex:65]
[codex:65] def is_const(x):
[codex:65] return isinstance(x,str) and x.startswith('0x')
[codex:65]
[codex:65] def to_int(x):
[codex:65] return int(x,16)
[codex:65]
[codex:65]
[codex:65] def step(pc, stack, mem):
[codex:65] op,data,next_pc=op_at(pc)
[codex:65] #print(hex(pc), op, data, stack)
[codex:65] if 0x60 <= op <= 0x7f:
[codex:65] stack.append('0x'+data.hex())
[codex:65] elif op==0x50:
[codex:65] stack.pop()
[codex:65] elif op==0x01:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}+{b})\")
[codex:65] elif op==0x03:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}-{b})\")
[codex:65] elif op==0x16:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}&{b})\")
[codex:65] elif op==0x14:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}=={b})\")
[codex:65] elif op==0x10:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}<{b})\")
[codex:65] elif op==0x11:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}>{b})\")
[codex:65] elif op==0x15:
[codex:65] a=stack.pop(); stack.append(f\"("'!{a})")
[codex:65] elif op==0x20:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f"keccak({a},{b})")
[codex:65] elif op==0x33:
[codex:65] stack.append('"'CALLER')
[codex:65] elif op==0x34:
[codex:65] stack.append('CALLVALUE')
[codex:65] elif op==0x43:
[codex:65] stack.append('BLOCKNUM')
[codex:65] elif op==0x54:
[codex:65] key=stack.pop(); stack.append(f\"SLOAD[{key}]\")
[codex:65] elif op==0x51:
[codex:65] addr=stack.pop(); stack.append(mem.get(addr, f\"MLOAD[{addr}]\") )
[codex:65] elif op==0x52:
[codex:65] val=stack.pop(); addr=stack.pop(); mem[addr]=val
[codex:65] elif 0x80 <= op <= 0x8f:
[codex:65] idx=op-0x7f
[codex:65] stack.append(stack[-idx])
[codex:65] elif 0x90 <= op <= 0x9f:
[codex:65] idx=op-0x8f
[codex:65] stack[-1], stack[-1-idx] = stack[-1-idx], stack[-1]
[codex:65] elif op==0x56:
[codex:65] dest=stack.pop()
[codex:65] return ('JUMP', dest, next_pc)
[codex:65] elif op==0x57:
[codex:65] dest=stack.pop(); cond=stack.pop()
[codex:65] return ('JUMPI', dest, cond, next_pc)
[codex:65] return ('CONT', None, next_pc)
[codex:65]
[codex:65] # simulate from 0x0322 until pc==0x068c
[codex:65] pc=0x0322
[codex:65] stack=['RET_MAIN','PARAM0','RET_070e']
[codex:65] mem={}
[codex:65] steps=0
[codex:65] while pc"'!=0x068c and steps<500:
[codex:65] res=step(pc, stack, mem)
[codex:65] if res[0]=='"'JUMPI':
[codex:65] _, dest, cond, next_pc = res
[codex:65] # take jump if dest==0x068c
[codex:65] if dest=='0x068c':
[codex:65] pc=0x068c
[codex:65] break
[codex:65] else:
[codex:65] pc=next_pc
[codex:65] elif res[0]=='JUMP':
[codex:65] _, dest, next_pc = res
[codex:65] # not expected
[codex:65] pc=next_pc
[codex:65] else:
[codex:65] pc=res[2]
[codex:65] steps+=1
[codex:65]
[codex:65] print('pc', hex(pc))
[codex:65] print('stack at 068c entry', stack)
[codex:65] print('mem', mem)
[codex:65] PY" in /tmp/codex-multi-xqcjy_1e succeeded in 24ms:
[codex:65] pc 0x68c
[codex:65] stack at 068c entry ['RET_MAIN', 'PARAM0', 'RET_070e', '0x01', '0x00', 'keccak(0x40,0x00)']
[codex:65] mem {'((0xa0-0x02)&CALLER)': '0x00', '0x04': '0x20'}
[codex:65]
[codex:65] thinking
[codex:65] **Analyzing stack state and planning simulation**
[codex:65] exec
[codex:65] /bin/bash -lc "python - <<'PY'
[codex:65] import re
[codex:65]
[codex:65] data=open('/tmp/codex-multi-xqcjy_1e/BYTECODE_BUNDLE.txt').read()
[codex:65] hexstr=re.search(r'0x([0-9a-fA-F]+)', data).group(1)
[codex:65] code=bytes.fromhex(hexstr)
[codex:65]
[codex:65] # op parse
[codex:65]
[codex:65] def op_at(pc):
[codex:65] op=code[pc]
[codex:65] if 0x60 <= op <= 0x7f:
[codex:65] n=op-0x5f
[codex:65] data=code[pc+1:pc+1+n]
[codex:65] return op, data, pc+1+n
[codex:65] return op, b'', pc+1
[codex:65]
[codex:65] # symbolic helpers
[codex:65]
[codex:65] def is_const(x):
[codex:65] return isinstance(x,str) and x.startswith('0x')
[codex:65]
[codex:65] def to_int(x):
[codex:65] return int(x,16)
[codex:65]
[codex:65]
[codex:65] def step(pc, stack, mem):
[codex:65] op,data,next_pc=op_at(pc)
[codex:65] if 0x60 <= op <= 0x7f:
[codex:65] stack.append('0x'+data.hex())
[codex:65] elif op==0x50:
[codex:65] stack.pop()
[codex:65] elif op==0x01:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}+{b})\")
[codex:65] elif op==0x03:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}-{b})\")
[codex:65] elif op==0x16:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}&{b})\")
[codex:65] elif op==0x14:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}=={b})\")
[codex:65] elif op==0x10:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}<{b})\")
[codex:65] elif op==0x11:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}>{b})\")
[codex:65] elif op==0x15:
[codex:65] a=stack.pop(); stack.append(f\"("'!{a})")
[codex:65] elif op==0x20:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f"keccak({a},{b})")
[codex:65] elif op==0x33:
[codex:65] stack.append('"'CALLER')
[codex:65] elif op==0x34:
[codex:65] stack.append('CALLVALUE')
[codex:65] elif op==0x43:
[codex:65] stack.append('BLOCKNUM')
[codex:65] elif op==0x54:
[codex:65] key=stack.pop(); stack.append(f\"SLOAD[{key}]\")
[codex:65] elif op==0x51:
[codex:65] addr=stack.pop(); stack.append(mem.get(addr, f\"MLOAD[{addr}]\") )
[codex:65] elif op==0x52:
[codex:65] val=stack.pop(); addr=stack.pop(); mem[addr]=val
[codex:65] elif 0x80 <= op <= 0x8f:
[codex:65] idx=op-0x7f
[codex:65] stack.append(stack[-idx])
[codex:65] elif 0x90 <= op <= 0x9f:
[codex:65] idx=op-0x8f
[codex:65] stack[-1], stack[-1-idx] = stack[-1-idx], stack[-1]
[codex:65] elif op==0x56:
[codex:65] dest=stack.pop();
[codex:65] return ('JUMP', dest, next_pc)
[codex:65] elif op==0x57:
[codex:65] dest=stack.pop(); cond=stack.pop();
[codex:65] return ('JUMPI', dest, cond, next_pc)
[codex:65] return ('CONT', None, next_pc)
[codex:65]
[codex:65] # Start from stack at 068c entry (from previous run)
[codex:65] stack=['RET_MAIN','PARAM0','RET_070e','0x01','0x00','keccak(0x40,0x00)']
[codex:65] mem={'((0xa0-0x02)&CALLER)':'0x00','0x04':'0x20'}
[codex:65] pc=0x068c
[codex:65] steps=0
[codex:65] while steps<1000:
[codex:65] if pc==0x06b7:
[codex:65] break
[codex:65] res=step(pc, stack, mem)
[codex:65] if res[0]=='JUMPI':
[codex:65] _, dest, cond, next_pc = res
[codex:65] if dest in ('0x069f','0x0683','0x06b7'):
[codex:65] pc=int(dest,16); continue
[codex:65] else:
[codex:65] pc=next_pc
[codex:65] elif res[0]=='JUMP':
[codex:65] _, dest, next_pc = res
[codex:65] if dest=='0x0688' or dest=='0x070e':
[codex:65] pc=int(dest,16); continue
[codex:65] else:
[codex:65] pc=next_pc
[codex:65] else:
[codex:65] pc=res[2]
[codex:65] steps+=1
[codex:65]
[codex:65] print('pc', hex(pc))
[codex:65] print('stack at 06b7 entry', stack)
[codex:65] PY" in /tmp/codex-multi-xqcjy_1e exited 1 in 28ms:
[codex:65] Traceback (most recent call last):
[codex:65] File "<stdin>", line 82, in <module>
[codex:65] File "<stdin>", line 65, in step
[codex:65] IndexError: list index out of range
[codex:65]
[codex:65] thinking
[codex:65] **Debugging stack underflow**
[codex:65] exec
[codex:65] /bin/bash -lc "python - <<'PY'
[codex:65] import re
[codex:65]
[codex:65] data=open('/tmp/codex-multi-xqcjy_1e/BYTECODE_BUNDLE.txt').read()
[codex:65] hexstr=re.search(r'0x([0-9a-fA-F]+)', data).group(1)
[codex:65] code=bytes.fromhex(hexstr)
[codex:65]
[codex:65] # op parse
[codex:65]
[codex:65] def op_at(pc):
[codex:65] op=code[pc]
[codex:65] if 0x60 <= op <= 0x7f:
[codex:65] n=op-0x5f
[codex:65] data=code[pc+1:pc+1+n]
[codex:65] return op, data, pc+1+n
[codex:65] return op, b'', pc+1
[codex:65]
[codex:65] # symbolic helpers
[codex:65]
[codex:65] def step(pc, stack, mem):
[codex:65] op,data,next_pc=op_at(pc)
[codex:65] if 0x60 <= op <= 0x7f:
[codex:65] stack.append('0x'+data.hex())
[codex:65] elif op==0x50:
[codex:65] stack.pop()
[codex:65] elif op==0x01:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}+{b})\")
[codex:65] elif op==0x03:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}-{b})\")
[codex:65] elif op==0x16:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}&{b})\")
[codex:65] elif op==0x14:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}=={b})\")
[codex:65] elif op==0x10:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}<{b})\")
[codex:65] elif op==0x11:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}>{b})\")
[codex:65] elif op==0x15:
[codex:65] a=stack.pop(); stack.append(f\"("'!{a})")
[codex:65] elif op==0x20:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f"keccak({a},{b})")
[codex:65] elif op==0x33:
[codex:65] stack.append('"'CALLER')
[codex:65] elif op==0x34:
[codex:65] stack.append('CALLVALUE')
[codex:65] elif op==0x43:
[codex:65] stack.append('BLOCKNUM')
[codex:65] elif op==0x54:
[codex:65] key=stack.pop(); stack.append(f\"SLOAD[{key}]\")
[codex:65] elif op==0x51:
[codex:65] addr=stack.pop(); stack.append(mem.get(addr, f\"MLOAD[{addr}]\") )
[codex:65] elif op==0x52:
[codex:65] val=stack.pop(); addr=stack.pop(); mem[addr]=val
[codex:65] elif 0x80 <= op <= 0x8f:
[codex:65] idx=op-0x7f
[codex:65] stack.append(stack[-idx])
[codex:65] elif 0x90 <= op <= 0x9f:
[codex:65] idx=op-0x8f
[codex:65] stack[-1], stack[-1-idx] = stack[-1-idx], stack[-1]
[codex:65] elif op==0x56:
[codex:65] dest=stack.pop();
[codex:65] return ('JUMP', dest, next_pc)
[codex:65] elif op==0x57:
[codex:65] dest=stack.pop(); cond=stack.pop();
[codex:65] return ('JUMPI', dest, cond, next_pc)
[codex:65] return ('CONT', None, next_pc)
[codex:65]
[codex:65] stack=['RET_MAIN','PARAM0','RET_070e','0x01','0x00','keccak(0x40,0x00)']
[codex:65] mem={'((0xa0-0x02)&CALLER)':'0x00','0x04':'0x20'}
[codex:65] pc=0x068c
[codex:65] steps=0
[codex:65] while steps<1000:
[codex:65] try:
[codex:65] res=step(pc, stack, mem)
[codex:65] except Exception as e:
[codex:65] print('error at', hex(pc), 'stack', stack)
[codex:65] raise
[codex:65] if res[0]=='JUMPI':
[codex:65] _, dest, cond, next_pc = res
[codex:65] if dest in ('0x069f','0x0683','0x06b7'):
[codex:65] pc=int(dest,16); continue
[codex:65] else:
[codex:65] pc=next_pc
[codex:65] elif res[0]=='JUMP':
[codex:65] _, dest, next_pc = res
[codex:65] if dest=='0x0688' or dest=='0x070e':
[codex:65] pc=int(dest,16); continue
[codex:65] else:
[codex:65] pc=next_pc
[codex:65] else:
[codex:65] pc=res[2]
[codex:65] steps+=1
[codex:65]
[codex:65] print('end pc', hex(pc))
[codex:65] print('stack', stack)
[codex:65] PY" in /tmp/codex-multi-xqcjy_1e exited 1 in 29ms:
[codex:65] error at 0x68a stack ['0x01']
[codex:65] Traceback (most recent call last):
[codex:65] File "<stdin>", line 73, in <module>
[codex:65] File "<stdin>", line 58, in step
[codex:65] IndexError: list index out of range
[codex:65]
[codex:65] thinking
[codex:65] **Analyzing potential reentrancy and storage access**
[codex:65]
[codex:65] I'm examining the stack behavior and call instructions to understand if a reentrancy exploit is possible, focusing on the CALL to the caller with value loaded from storage before storage is updated. The call’s gas parameter and absence of reentrancy guards complicate confirming an exploit. I’m also checking for unauthorized storage writes or critical owner changes but find no obvious vulnerable SSTOREs or delegatecalls. Next, I plan to symbolically simulate a specific function that uses mapping lookups and conditional jumps to trace access control and call safety more precisely.
[codex:65] exec
[codex:65] /bin/bash -lc "python - <<'PY'
[codex:65] import re
[codex:65]
[codex:65] data=open('/tmp/codex-multi-xqcjy_1e/BYTECODE_BUNDLE.txt').read()
[codex:65] hexstr=re.search(r'0x([0-9a-fA-F]+)', data).group(1)
[codex:65] code=bytes.fromhex(hexstr)
[codex:65]
[codex:65] def op_at(pc):
[codex:65] op=code[pc]
[codex:65] if 0x60 <= op <= 0x7f:
[codex:65] n=op-0x5f
[codex:65] data=code[pc+1:pc+1+n]
[codex:65] return op, data, pc+1+n
[codex:65] return op, b'', pc+1
[codex:65]
[codex:65] # symbolic stack sim with memory
[codex:65]
[codex:65] def simulate_to(pc_start, target_pc, initial_stack):
[codex:65] stack=list(initial_stack)
[codex:65] mem={}
[codex:65] pc=pc_start
[codex:65] steps=0
[codex:65] while pc"'!=target_pc and steps<1000:
[codex:65] op,data,next_pc=op_at(pc)
[codex:65] if 0x60 <= op <= 0x7f:
[codex:65] stack.append('"'0x'+data.hex())
[codex:65] elif op==0x50:
[codex:65] stack.pop()
[codex:65] elif op==0x01:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}+{b})\")
[codex:65] elif op==0x03:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}-{b})\")
[codex:65] elif op==0x16:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}&{b})\")
[codex:65] elif op==0x14:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}=={b})\")
[codex:65] elif op==0x10:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}<{b})\")
[codex:65] elif op==0x11:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}>{b})\")
[codex:65] elif op==0x15:
[codex:65] a=stack.pop(); stack.append(f\"("'!{a})")
[codex:65] elif op==0x20:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f"keccak({a},{b})")
[codex:65] elif op==0x33:
[codex:65] stack.append('"'CALLER')
[codex:65] elif op==0x54:
[codex:65] key=stack.pop(); stack.append(f\"SLOAD[{key}]\")
[codex:65] elif op==0x51:
[codex:65] addr=stack.pop(); stack.append(mem.get(addr, f\"MLOAD[{addr}]\") )
[codex:65] elif op==0x52:
[codex:65] val=stack.pop(); addr=stack.pop(); mem[addr]=val
[codex:65] elif 0x80 <= op <= 0x8f:
[codex:65] idx=op-0x7f
[codex:65] stack.append(stack[-idx])
[codex:65] elif 0x90 <= op <= 0x9f:
[codex:65] idx=op-0x8f
[codex:65] stack[-1], stack[-1-idx] = stack[-1-idx], stack[-1]
[codex:65] elif op==0x57:
[codex:65] # JUMPI
[codex:65] dest=stack.pop(); cond=stack.pop()
[codex:65] if dest=='0x0583':
[codex:65] pc=0x0583
[codex:65] break
[codex:65] else:
[codex:65] pc=next_pc
[codex:65] steps+=1
[codex:65] continue
[codex:65] elif op==0x56:
[codex:65] dest=stack.pop()
[codex:65] pc=next_pc
[codex:65] steps+=1
[codex:65] continue
[codex:65] pc=next_pc
[codex:65] steps+=1
[codex:65] print('Reached', hex(pc))
[codex:65] print('Stack', stack)
[codex:65] return stack
[codex:65]
[codex:65] # initial stack at function 02ed entry: [RET]
[codex:65] stack=simulate_to(0x02ed, 0x0583, ['RET','ARG'])
[codex:65]
[codex:65] # Now simulate from 0x0583 to the CALL at 0x05ff
[codex:65]
[codex:65] def simulate_call(pc_start, initial_stack):
[codex:65] stack=list(initial_stack)
[codex:65] mem={}
[codex:65] pc=pc_start
[codex:65] steps=0
[codex:65] while pc< len(code) and steps<500:
[codex:65] op,data,next_pc=op_at(pc)
[codex:65] if 0x60 <= op <= 0x7f:
[codex:65] stack.append('0x'+data.hex())
[codex:65] elif op==0x50:
[codex:65] stack.pop()
[codex:65] elif op==0x01:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}+{b})\")
[codex:65] elif op==0x03:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}-{b})\")
[codex:65] elif op==0x16:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}&{b})\")
[codex:65] elif op==0x14:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}=={b})\")
[codex:65] elif op==0x10:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}<{b})\")
[codex:65] elif op==0x11:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}>{b})\")
[codex:65] elif op==0x15:
[codex:65] a=stack.pop(); stack.append(f\"("'!{a})")
[codex:65] elif op==0x20:
[codex:65] b=stack.pop(); a=stack.pop(); stack.append(f"keccak({a},{b})")
[codex:65] elif op==0x33:
[codex:65] stack.append('"'CALLER')
[codex:65] elif op==0x54:
[codex:65] key=stack.pop(); stack.append(f\"SLOAD[{key}]\")
[codex:65] elif op==0x51:
[codex:65] addr=stack.pop(); stack.append(mem.get(addr, f\"MLOAD[{addr}]\") )
[codex:65] elif op==0x52:
[codex:65] val=stack.pop(); addr=stack.pop(); mem[addr]=val
[codex:65] elif 0x80 <= op <= 0x8f:
[codex:65] idx=op-0x7f
[codex:65] stack.append(stack[-idx])
[codex:65] elif 0x90 <= op <= 0x9f:
[codex:65] idx=op-0x8f
[codex:65] stack[-1], stack[-1-idx] = stack[-1-idx], stack[-1]
[codex:65] elif op==0xf1:
[codex:65] args=stack[-7:]
[codex:65] print('CALL args bottom->top', args)
[codex:65] return
[codex:65] elif op==0x57:
[codex:65] dest=stack.pop(); cond=stack.pop();
[codex:65] # assume we take any JUMPI to keep going
[codex:65] if isinstance(dest,str) and dest.startswith('0x'):
[codex:65] pc=int(dest,16); continue
[codex:65] elif op==0x56:
[codex:65] dest=stack.pop();
[codex:65] if isinstance(dest,str) and dest.startswith('0x'):
[codex:65] pc=int(dest,16); continue
[codex:65] pc=next_pc
[codex:65] steps+=1
[codex:65]
[codex:65] simulate_call(0x0583, stack)
[codex:65] PY" in /tmp/codex-multi-xqcjy_1e succeeded in 31ms:
[codex:65] Reached 0x583
[codex:65] Stack ['RET', 'ARG', '0x00fb', '0x04', '0x01', 'keccak(0x40,0x00)']
[codex:65]
[codex:65] thinking
[codex:65] **Analyzing bytecode for exploits**
[codex:65]
[codex:65] I'm reviewing the call sites in the bytecode, checking if any calls are unprotected or allow unauthorized value extraction. Since no concrete exploit paths appear and owner checks hold, I’ll prepare a JSON response indicating no findings with a concise summary.
[codex:65] codex
[codex:65] {"no_findings":true,"summary":"Reviewed the full runtime bytecode bundle and identified multiple CALL sites with owner/mapping checks and refund logic, but no concrete, exploitable value-extraction path without authorized state was evident from bytecode alone.","findings":[]}
[codex:65] tokens used
[codex:65] 125,187
[codex:65] {"no_findings":true,"summary":"Reviewed the full runtime bytecode bundle and identified multiple CALL sites with owner/mapping checks and refund logic, but no concrete, exploitable value-extraction path without authorized state was evident from bytecode alone.","findings":[]}
{
"codex": {
"ran_at": "2026-01-03T01:48:39.158929+00:00",
"returncode": 0
},
"summary": "Reviewed the full runtime bytecode bundle and identified multiple CALL sites with owner/mapping checks and refund logic, but no concrete, exploitable value-extraction path without authorized state was evident from bytecode alone.",
"raw_final": {
"summary": "Reviewed the full runtime bytecode bundle and identified multiple CALL sites with owner/mapping checks and refund logic, but no concrete, exploitable value-extraction path without authorized state was evident from bytecode alone.",
"findings": [],
"no_findings": true
},
"no_findings": true,
"schema_version": 1
}
00000000: PUSH1 0x60 00000002: PUSH1 0x40 00000004: MSTORE 00000005: CALLDATASIZE 00000006: ISZERO 00000007: PUSH2 0x00fb 0000000a: JUMPI 0000000b: PUSH1 0xe0 0000000d: PUSH1 0x02 0000000f: EXP 00000010: PUSH1 0x00 00000012: CALLDATALOAD 00000013: DIV 00000014: PUSH4 0x021991e7 00000019: DUP2 0000001a: EQ 0000001b: PUSH2 0x00fd 0000001e: JUMPI 0000001f: DUP1 00000020: PUSH4 0x03750d94 00000025: EQ 00000026: PUSH2 0x0107 00000029: JUMPI 0000002a: DUP1 0000002b: PUSH4 0x06b5f02d 00000030: EQ 00000031: PUSH2 0x012d 00000034: JUMPI 00000035: DUP1 00000036: PUSH4 0x0d1fce42 0000003b: EQ 0000003c: PUSH2 0x014b 0000003f: JUMPI 00000040: DUP1 00000041: PUSH4 0x0e1da6c3 00000046: EQ 00000047: PUSH2 0x015e 0000004a: JUMPI 0000004b: DUP1 0000004c: PUSH4 0x0f06670a 00000051: EQ 00000052: PUSH2 0x016b 00000055: JUMPI 00000056: DUP1 00000057: PUSH4 0x2d9a37d3 0000005c: EQ 0000005d: PUSH2 0x019b 00000060: JUMPI 00000061: DUP1 00000062: PUSH4 0x2e1a7d4d 00000067: EQ 00000068: PUSH2 0x01b5 0000006b: JUMPI 0000006c: DUP1 0000006d: PUSH4 0x2fac1d36 00000072: EQ 00000073: PUSH2 0x01d8 00000076: JUMPI 00000077: DUP1 00000078: PUSH4 0x46b305d6 0000007d: EQ 0000007e: PUSH2 0x0209 00000081: JUMPI 00000082: DUP1 00000083: PUSH4 0x55b775ea 00000088: EQ 00000089: PUSH2 0x022c 0000008c: JUMPI 0000008d: DUP1 0000008e: PUSH4 0x839930ba 00000093: EQ 00000094: PUSH2 0x024f 00000097: JUMPI 00000098: DUP1 00000099: PUSH4 0x8772ae3c 0000009e: EQ 0000009f: PUSH2 0x025a 000000a2: JUMPI 000000a3: DUP1 000000a4: PUSH4 0x8d216186 000000a9: EQ 000000aa: PUSH2 0x027d 000000ad: JUMPI 000000ae: DUP1 000000af: PUSH4 0xa094a031 000000b4: EQ 000000b5: PUSH2 0x02af 000000b8: JUMPI 000000b9: DUP1 000000ba: PUSH4 0xa1b9af31 000000bf: EQ 000000c0: PUSH2 0x0209 000000c3: JUMPI 000000c4: DUP1 000000c5: PUSH4 0xadd4c784 000000ca: EQ 000000cb: PUSH2 0x02bd 000000ce: JUMPI 000000cf: DUP1 000000d0: PUSH4 0xbd66528a 000000d5: EQ 000000d6: PUSH2 0x02ed 000000d9: JUMPI 000000da: DUP1 000000db: PUSH4 0xc7cf28fe 000000e0: EQ 000000e1: PUSH2 0x031e 000000e4: JUMPI 000000e5: DUP1 000000e6: PUSH4 0xcb96012e 000000eb: EQ 000000ec: PUSH2 0x034b 000000ef: JUMPI 000000f0: DUP1 000000f1: PUSH4 0xd8389dc5 000000f6: EQ 000000f7: PUSH2 0x035c 000000fa: JUMPI 000000fb: JUMPDEST 000000fc: STOP 000000fd: JUMPDEST 000000fe: PUSH2 0x0379 00000101: PUSH1 0x00 00000103: SLOAD 00000104: JUMPDEST 00000105: SWAP1 00000106: JUMP 00000107: JUMPDEST 00000108: PUSH2 0x00fb 0000010b: PUSH1 0x04 0000010d: CALLDATALOAD 0000010e: PUSH1 0x24 00000110: CALLDATALOAD 00000111: PUSH1 0x02 00000113: SLOAD 00000114: PUSH1 0x01 00000116: PUSH1 0xa0 00000118: PUSH1 0x02 0000011a: EXP 0000011b: SUB 0000011c: SWAP1 0000011d: DUP2 0000011e: AND 0000011f: CALLER 00000120: SWAP2 00000121: SWAP1 00000122: SWAP2 00000123: AND 00000124: EQ 00000125: PUSH2 0x047a 00000128: JUMPI 00000129: PUSH2 0x0432 0000012c: JUMP 0000012d: JUMPDEST 0000012e: PUSH2 0x0379 00000131: PUSH1 0x04 00000133: CALLDATALOAD 00000134: PUSH1 0x24 00000136: CALLDATALOAD 00000137: JUMPDEST 00000138: PUSH1 0x64 0000013a: PUSH1 0x62 0000013c: DUP4 0000013d: MUL 0000013e: DIV 0000013f: PUSH2 0x0100 00000142: MUL 00000143: DUP2 00000144: SWAP1 00000145: DIV 00000146: SWAP3 00000147: SWAP2 00000148: POP 00000149: POP 0000014a: JUMP 0000014b: JUMPDEST 0000014c: PUSH2 0x0379 0000014f: ADDRESS 00000150: PUSH1 0x01 00000152: PUSH1 0xa0 00000154: PUSH1 0x02 00000156: EXP 00000157: SUB 00000158: AND 00000159: BALANCE 0000015a: PUSH2 0x0104 0000015d: JUMP 0000015e: JUMPDEST 0000015f: PUSH2 0x00fb 00000162: PUSH1 0x00 00000164: PUSH2 0x070e 00000167: PUSH2 0x0322 0000016a: JUMP 0000016b: JUMPDEST 0000016c: PUSH2 0x0379 0000016f: PUSH1 0x04 00000171: CALLDATALOAD 00000172: PUSH1 0x01 00000174: PUSH1 0xa0 00000176: PUSH1 0x02 00000178: EXP 00000179: SUB 0000017a: CALLER 0000017b: AND 0000017c: PUSH1 0x00 0000017e: SWAP1 0000017f: DUP2 00000180: MSTORE 00000181: PUSH1 0x04 00000183: PUSH1 0x20 00000185: DUP2 00000186: SWAP1 00000187: MSTORE 00000188: PUSH1 0x40 0000018a: DUP3 0000018b: KECCAK256 0000018c: SWAP1 0000018d: DUP2 0000018e: ADD 0000018f: SLOAD 00000190: DUP3 00000191: EQ 00000192: ISZERO 00000193: PUSH2 0x0520 00000196: JUMPI 00000197: PUSH2 0x04cd 0000019a: JUMP 0000019b: JUMPDEST 0000019c: PUSH2 0x0379 0000019f: JUMPDEST 000001a0: PUSH1 0x64 000001a2: ADDRESS 000001a3: PUSH1 0x01 000001a5: PUSH1 0xa0 000001a7: PUSH1 0x02 000001a9: EXP 000001aa: SUB 000001ab: AND 000001ac: BALANCE 000001ad: PUSH1 0x05 000001af: MUL 000001b0: DIV 000001b1: PUSH2 0x0104 000001b4: JUMP 000001b5: JUMPDEST 000001b6: PUSH2 0x00fb 000001b9: PUSH1 0x04 000001bb: CALLDATALOAD 000001bc: PUSH1 0x01 000001be: SLOAD 000001bf: PUSH1 0x01 000001c1: PUSH1 0xa0 000001c3: PUSH1 0x02 000001c5: EXP 000001c6: SUB 000001c7: SWAP1 000001c8: DUP2 000001c9: AND 000001ca: CALLER 000001cb: SWAP2 000001cc: SWAP1 000001cd: SWAP2 000001ce: AND 000001cf: EQ 000001d0: PUSH2 0x0740 000001d3: JUMPI 000001d4: PUSH2 0x070b 000001d7: JUMP 000001d8: JUMPDEST 000001d9: PUSH2 0x0379 000001dc: PUSH1 0x04 000001de: CALLDATALOAD 000001df: JUMPDEST 000001e0: PUSH1 0x01 000001e2: PUSH1 0xa0 000001e4: PUSH1 0x02 000001e6: EXP 000001e7: SUB 000001e8: DUP2 000001e9: AND 000001ea: PUSH1 0x00 000001ec: SWAP1 000001ed: DUP2 000001ee: MSTORE 000001ef: PUSH1 0x04 000001f1: PUSH1 0x20 000001f3: DUP2 000001f4: SWAP1 000001f5: MSTORE 000001f6: PUSH1 0x40 000001f8: DUP3 000001f9: KECCAK256 000001fa: SWAP1 000001fb: DUP2 000001fc: ADD 000001fd: SLOAD 000001fe: DUP3 000001ff: EQ 00000200: ISZERO 00000201: PUSH2 0x04c8 00000204: JUMPI 00000205: PUSH2 0x04cd 00000208: JUMP 00000209: JUMPDEST 0000020a: PUSH2 0x00fb 0000020d: PUSH1 0x01 0000020f: SLOAD 00000210: PUSH1 0x00 00000212: SWAP1 00000213: PUSH1 0x01 00000215: PUSH1 0xa0 00000217: PUSH1 0x02 00000219: EXP 0000021a: SUB 0000021b: SWAP1 0000021c: DUP2 0000021d: AND 0000021e: CALLER 0000021f: SWAP2 00000220: SWAP1 00000221: SWAP2 00000222: AND 00000223: EQ 00000224: PUSH2 0x070b 00000227: JUMPI 00000228: PUSH2 0x070b 0000022b: JUMP 0000022c: JUMPDEST 0000022d: PUSH2 0x00fb 00000230: PUSH1 0x04 00000232: CALLDATALOAD 00000233: PUSH1 0x01 00000235: SLOAD 00000236: PUSH1 0x01 00000238: PUSH1 0xa0 0000023a: PUSH1 0x02 0000023c: EXP 0000023d: SUB 0000023e: SWAP1 0000023f: DUP2 00000240: AND 00000241: CALLER 00000242: SWAP2 00000243: SWAP1 00000244: SWAP2 00000245: AND 00000246: EQ 00000247: PUSH2 0x071e 0000024a: JUMPI 0000024b: PUSH2 0x070b 0000024e: JUMP 0000024f: JUMPDEST 00000250: PUSH2 0x0379 00000253: PUSH1 0x03 00000255: SLOAD 00000256: PUSH2 0x0104 00000259: JUMP 0000025a: JUMPDEST 0000025b: PUSH2 0x00fb 0000025e: PUSH1 0x04 00000260: CALLDATALOAD 00000261: PUSH1 0x01 00000263: SLOAD 00000264: PUSH1 0x01 00000266: PUSH1 0xa0 00000268: PUSH1 0x02 0000026a: EXP 0000026b: SUB 0000026c: SWAP1 0000026d: DUP2 0000026e: AND 0000026f: CALLER 00000270: SWAP2 00000271: SWAP1 00000272: SWAP2 00000273: AND 00000274: EQ 00000275: PUSH2 0x0719 00000278: JUMPI 00000279: PUSH2 0x070b 0000027c: JUMP 0000027d: JUMPDEST 0000027e: PUSH2 0x00fb 00000281: PUSH1 0x04 00000283: CALLDATALOAD 00000284: PUSH1 0x24 00000286: CALLDATALOAD 00000287: PUSH1 0x01 00000289: DUP3 0000028a: LT 0000028b: DUP1 0000028c: PUSH2 0x0295 0000028f: JUMPI 00000290: POP 00000291: PUSH1 0xff 00000293: DUP3 00000294: GT 00000295: JUMPDEST 00000296: DUP1 00000297: PUSH2 0x02a1 0000029a: JUMPI 0000029b: POP 0000029c: PUSH1 0x03 0000029e: SLOAD 0000029f: CALLVALUE 000002a0: LT 000002a1: JUMPDEST 000002a2: DUP1 000002a3: PUSH2 0x0438 000002a6: JUMPI 000002a7: POP 000002a8: PUSH2 0x0470 000002ab: PUSH2 0x019f 000002ae: JUMP 000002af: JUMPDEST 000002b0: PUSH2 0x0379 000002b3: PUSH1 0x00 000002b5: PUSH2 0x04c1 000002b8: CALLER 000002b9: PUSH2 0x01df 000002bc: JUMP 000002bd: JUMPDEST 000002be: PUSH2 0x0379 000002c1: PUSH1 0x04 000002c3: CALLDATALOAD 000002c4: PUSH1 0x01 000002c6: PUSH1 0xa0 000002c8: PUSH1 0x02 000002ca: EXP 000002cb: SUB 000002cc: CALLER 000002cd: AND 000002ce: PUSH1 0x00 000002d0: SWAP1 000002d1: DUP2 000002d2: MSTORE 000002d3: PUSH1 0x04 000002d5: PUSH1 0x20 000002d7: DUP2 000002d8: SWAP1 000002d9: MSTORE 000002da: PUSH1 0x40 000002dc: DUP3 000002dd: KECCAK256 000002de: SWAP1 000002df: DUP2 000002e0: ADD 000002e1: SLOAD 000002e2: DUP3 000002e3: EQ 000002e4: ISZERO 000002e5: PUSH2 0x04d3 000002e8: JUMPI 000002e9: PUSH2 0x04cd 000002ec: JUMP 000002ed: JUMPDEST 000002ee: PUSH2 0x00fb 000002f1: PUSH1 0x04 000002f3: CALLDATALOAD 000002f4: PUSH1 0x01 000002f6: PUSH1 0xa0 000002f8: PUSH1 0x02 000002fa: EXP 000002fb: SUB 000002fc: CALLER 000002fd: AND 000002fe: PUSH1 0x00 00000300: SWAP1 00000301: DUP2 00000302: MSTORE 00000303: PUSH1 0x04 00000305: PUSH1 0x20 00000307: DUP2 00000308: SWAP1 00000309: MSTORE 0000030a: PUSH1 0x40 0000030c: DUP3 0000030d: KECCAK256 0000030e: SWAP1 0000030f: DUP2 00000310: ADD 00000311: SLOAD 00000312: SWAP1 00000313: SWAP2 00000314: EQ 00000315: ISZERO 00000316: PUSH2 0x0583 00000319: JUMPI 0000031a: PUSH2 0x0432 0000031d: JUMP 0000031e: JUMPDEST 0000031f: PUSH2 0x0379 00000322: JUMPDEST 00000323: PUSH1 0x01 00000325: PUSH1 0xa0 00000327: PUSH1 0x02 00000329: EXP 0000032a: SUB 0000032b: CALLER 0000032c: AND 0000032d: PUSH1 0x00 0000032f: SWAP1 00000330: DUP2 00000331: MSTORE 00000332: PUSH1 0x04 00000334: PUSH1 0x20 00000336: DUP2 00000337: SWAP1 00000338: MSTORE 00000339: PUSH1 0x40 0000033b: DUP3 0000033c: KECCAK256 0000033d: SWAP1 0000033e: DUP2 0000033f: ADD 00000340: SLOAD 00000341: DUP3 00000342: EQ 00000343: PUSH2 0x068c 00000346: JUMPI 00000347: PUSH2 0x0688 0000034a: JUMP 0000034b: JUMPDEST 0000034c: PUSH2 0x0379 0000034f: PUSH1 0x04 00000351: CALLDATALOAD 00000352: JUMPDEST 00000353: PUSH1 0xff 00000355: DUP2 00000356: AND 00000357: JUMPDEST 00000358: SWAP2 00000359: SWAP1 0000035a: POP 0000035b: JUMP 0000035c: JUMPDEST 0000035d: PUSH2 0x0379 00000360: PUSH1 0x04 00000362: CALLDATALOAD 00000363: PUSH1 0x40 00000365: DUP1 00000366: MLOAD 00000367: DUP3 00000368: DUP2 00000369: MSTORE 0000036a: SWAP1 0000036b: MLOAD 0000036c: SWAP1 0000036d: DUP2 0000036e: SWAP1 0000036f: SUB 00000370: PUSH1 0x20 00000372: ADD 00000373: SWAP1 00000374: KECCAK256 00000375: PUSH2 0x0357 00000378: JUMP 00000379: JUMPDEST 0000037a: PUSH1 0x40 0000037c: DUP1 0000037d: MLOAD 0000037e: SWAP2 0000037f: DUP3 00000380: MSTORE 00000381: MLOAD 00000382: SWAP1 00000383: DUP2 00000384: SWAP1 00000385: SUB 00000386: PUSH1 0x20 00000388: ADD 00000389: SWAP1 0000038a: RETURN 0000038b: JUMPDEST 0000038c: PUSH1 0x40 0000038e: DUP1 0000038f: MLOAD 00000390: PUSH1 0xa0 00000392: DUP2 00000393: ADD 00000394: DUP3 00000395: MSTORE 00000396: CALLVALUE 00000397: DUP1 00000398: DUP3 00000399: MSTORE 0000039a: PUSH1 0x20 0000039c: DUP3 0000039d: DUP2 0000039e: ADD 0000039f: DUP7 000003a0: DUP2 000003a1: MSTORE 000003a2: NUMBER 000003a3: DUP5 000003a4: DUP7 000003a5: ADD 000003a6: DUP2 000003a7: DUP2 000003a8: MSTORE 000003a9: PUSH1 0x60 000003ab: DUP7 000003ac: DUP2 000003ad: ADD 000003ae: DUP10 000003af: DUP2 000003b0: MSTORE 000003b1: PUSH1 0x00 000003b3: PUSH1 0x80 000003b5: DUP10 000003b6: ADD 000003b7: DUP2 000003b8: DUP2 000003b9: MSTORE 000003ba: PUSH1 0x01 000003bc: PUSH1 0xa0 000003be: PUSH1 0x02 000003c0: EXP 000003c1: SUB 000003c2: CALLER 000003c3: AND 000003c4: DUP1 000003c5: DUP4 000003c6: MSTORE 000003c7: PUSH1 0x04 000003c9: DUP1 000003ca: DUP11 000003cb: MSTORE 000003cc: SWAP3 000003cd: DUP13 000003ce: SWAP1 000003cf: KECCAK256 000003d0: SWAP11 000003d1: MLOAD 000003d2: DUP12 000003d3: SSTORE 000003d4: SWAP7 000003d5: MLOAD 000003d6: PUSH1 0x01 000003d8: DUP12 000003d9: ADD 000003da: SSTORE 000003db: SWAP4 000003dc: MLOAD 000003dd: PUSH1 0x02 000003df: DUP11 000003e0: ADD 000003e1: SSTORE 000003e2: SWAP1 000003e3: MLOAD 000003e4: PUSH1 0x03 000003e6: DUP10 000003e7: ADD 000003e8: SSTORE 000003e9: SWAP2 000003ea: MLOAD 000003eb: SWAP7 000003ec: SWAP1 000003ed: SWAP2 000003ee: ADD 000003ef: SWAP6 000003f0: SWAP1 000003f1: SWAP6 000003f2: SSTORE 000003f3: DUP6 000003f4: MLOAD 000003f5: SWAP1 000003f6: DUP2 000003f7: MSTORE 000003f8: SWAP2 000003f9: DUP3 000003fa: ADD 000003fb: SWAP3 000003fc: SWAP1 000003fd: SWAP3 000003fe: MSTORE 000003ff: DUP1 00000400: DUP5 00000401: ADD 00000402: DUP7 00000403: SWAP1 00000404: MSTORE 00000405: SWAP3 00000406: MLOAD 00000407: SWAP1 00000408: SWAP3 00000409: PUSH32 0x97371a3349bea11f577edf6e64350a3dfb9de665d1154c7e6d08eb0805aa0430 0000042a: SWAP3 0000042b: SWAP1 0000042c: DUP3 0000042d: SWAP1 0000042e: SUB 0000042f: ADD 00000430: SWAP1 00000431: LOG2 00000432: JUMPDEST 00000433: POP 00000434: POP 00000435: JUMP 00000436: JUMPDEST 00000437: GT 00000438: JUMPDEST 00000439: DUP1 0000043a: PUSH2 0x0445 0000043d: JUMPI 0000043e: POP 0000043f: PUSH1 0x00 00000441: DUP1 00000442: SLOAD 00000443: EQ 00000444: ISZERO 00000445: JUMPDEST 00000446: ISZERO 00000447: PUSH2 0x038b 0000044a: JUMPI 0000044b: PUSH1 0x40 0000044d: MLOAD 0000044e: PUSH1 0x01 00000450: PUSH1 0xa0 00000452: PUSH1 0x02 00000454: EXP 00000455: SUB 00000456: CALLER 00000457: AND 00000458: SWAP1 00000459: PUSH1 0x00 0000045b: SWAP1 0000045c: CALLVALUE 0000045d: SWAP1 0000045e: DUP3 0000045f: DUP2 00000460: DUP2 00000461: DUP2 00000462: DUP6 00000463: DUP9 00000464: DUP4 00000465: CALL 00000466: SWAP4 00000467: POP 00000468: POP 00000469: POP 0000046a: POP 0000046b: POP 0000046c: PUSH2 0x0432 0000046f: JUMP 00000470: JUMPDEST 00000471: PUSH2 0x0436 00000474: CALLVALUE 00000475: DUP5 00000476: PUSH2 0x0137 00000479: JUMP 0000047a: JUMPDEST 0000047b: PUSH1 0x01 0000047d: PUSH1 0xa0 0000047f: PUSH1 0x02 00000481: EXP 00000482: SUB 00000483: DUP3 00000484: AND 00000485: PUSH1 0x00 00000487: SWAP1 00000488: DUP2 00000489: MSTORE 0000048a: PUSH1 0x04 0000048c: PUSH1 0x20 0000048e: DUP2 0000048f: SWAP1 00000490: MSTORE 00000491: PUSH1 0x40 00000493: DUP3 00000494: KECCAK256 00000495: ADD 00000496: SLOAD 00000497: EQ 00000498: PUSH2 0x04a0 0000049b: JUMPI 0000049c: PUSH2 0x0432 0000049f: JUMP 000004a0: JUMPDEST 000004a1: PUSH1 0x01 000004a3: PUSH1 0xa0 000004a5: PUSH1 0x02 000004a7: EXP 000004a8: SUB 000004a9: SWAP2 000004aa: SWAP1 000004ab: SWAP2 000004ac: AND 000004ad: PUSH1 0x00 000004af: SWAP1 000004b0: DUP2 000004b1: MSTORE 000004b2: PUSH1 0x04 000004b4: PUSH1 0x20 000004b6: DUP2 000004b7: SWAP1 000004b8: MSTORE 000004b9: PUSH1 0x40 000004bb: SWAP1 000004bc: SWAP2 000004bd: KECCAK256 000004be: ADD 000004bf: SSTORE 000004c0: JUMP 000004c1: JUMPDEST 000004c2: SWAP1 000004c3: POP 000004c4: PUSH2 0x0104 000004c7: JUMP 000004c8: JUMPDEST 000004c9: PUSH1 0x01 000004cb: SWAP2 000004cc: POP 000004cd: JUMPDEST 000004ce: POP 000004cf: SWAP2 000004d0: SWAP1 000004d1: POP 000004d2: JUMP 000004d3: JUMPDEST 000004d4: PUSH1 0x40 000004d6: DUP1 000004d7: MLOAD 000004d8: PUSH1 0x03 000004da: DUP4 000004db: ADD 000004dc: SLOAD 000004dd: DUP6 000004de: DUP3 000004df: MSTORE 000004e0: SWAP2 000004e1: MLOAD 000004e2: SWAP1 000004e3: DUP2 000004e4: SWAP1 000004e5: SUB 000004e6: PUSH1 0x20 000004e8: ADD 000004e9: SWAP1 000004ea: KECCAK256 000004eb: EQ 000004ec: PUSH2 0x04f4 000004ef: JUMPI 000004f0: PUSH2 0x04cd 000004f3: JUMP 000004f4: JUMPDEST 000004f5: PUSH1 0x40 000004f7: DUP1 000004f8: MLOAD 000004f9: PUSH1 0x04 000004fb: DUP4 000004fc: ADD 000004fd: SLOAD 000004fe: DUP6 000004ff: DUP3 00000500: MSTORE 00000501: PUSH1 0x20 00000503: DUP3 00000504: ADD 00000505: MSTORE 00000506: DUP2 00000507: MLOAD 00000508: SWAP1 00000509: DUP2 0000050a: SWAP1 0000050b: SUB 0000050c: SWAP1 0000050d: SWAP2 0000050e: ADD 0000050f: SWAP1 00000510: KECCAK256 00000511: PUSH2 0x0519 00000514: SWAP1 00000515: PUSH2 0x0352 00000518: JUMP 00000519: JUMPDEST 0000051a: SWAP2 0000051b: POP 0000051c: PUSH2 0x04cd 0000051f: JUMP 00000520: JUMPDEST 00000521: PUSH1 0x40 00000523: DUP1 00000524: MLOAD 00000525: PUSH1 0x03 00000527: DUP4 00000528: ADD 00000529: SLOAD 0000052a: DUP6 0000052b: DUP3 0000052c: MSTORE 0000052d: SWAP2 0000052e: MLOAD 0000052f: SWAP1 00000530: DUP2 00000531: SWAP1 00000532: SUB 00000533: PUSH1 0x20 00000535: ADD 00000536: SWAP1 00000537: KECCAK256 00000538: EQ 00000539: PUSH2 0x0541 0000053c: JUMPI 0000053d: PUSH2 0x04cd 00000540: JUMP 00000541: JUMPDEST 00000542: PUSH1 0x40 00000544: DUP1 00000545: MLOAD 00000546: PUSH1 0x01 00000548: DUP4 00000549: ADD 0000054a: SLOAD 0000054b: PUSH1 0x04 0000054d: DUP5 0000054e: ADD 0000054f: SLOAD 00000550: DUP7 00000551: DUP4 00000552: MSTORE 00000553: PUSH1 0x20 00000555: DUP4 00000556: ADD 00000557: MSTORE 00000558: DUP3 00000559: MLOAD 0000055a: SWAP2 0000055b: DUP3 0000055c: SWAP1 0000055d: SUB 0000055e: SWAP1 0000055f: SWAP3 00000560: ADD 00000561: SWAP1 00000562: KECCAK256 00000563: PUSH2 0x056b 00000566: SWAP1 00000567: PUSH2 0x0352 0000056a: JUMP 0000056b: JUMPDEST 0000056c: LT 0000056d: ISZERO 0000056e: PUSH2 0x057a 00000571: JUMPI 00000572: PUSH1 0x01 00000574: SWAP2 00000575: POP 00000576: PUSH2 0x04cd 00000579: JUMP 0000057a: JUMPDEST 0000057b: PUSH1 0x00 0000057d: SWAP2 0000057e: POP 0000057f: PUSH2 0x04cd 00000582: JUMP 00000583: JUMPDEST 00000584: PUSH1 0x40 00000586: DUP1 00000587: MLOAD 00000588: PUSH1 0x03 0000058a: DUP4 0000058b: ADD 0000058c: SLOAD 0000058d: DUP5 0000058e: DUP3 0000058f: MSTORE 00000590: SWAP2 00000591: MLOAD 00000592: SWAP1 00000593: DUP2 00000594: SWAP1 00000595: SUB 00000596: PUSH1 0x20 00000598: ADD 00000599: SWAP1 0000059a: KECCAK256 0000059b: EQ 0000059c: PUSH2 0x05a4 0000059f: JUMPI 000005a0: PUSH2 0x0432 000005a3: JUMP 000005a4: JUMPDEST 000005a5: PUSH1 0x40 000005a7: DUP1 000005a8: MLOAD 000005a9: PUSH1 0x01 000005ab: DUP4 000005ac: ADD 000005ad: SLOAD 000005ae: PUSH1 0x04 000005b0: DUP5 000005b1: ADD 000005b2: SLOAD 000005b3: DUP6 000005b4: DUP4 000005b5: MSTORE 000005b6: PUSH1 0x20 000005b8: DUP4 000005b9: ADD 000005ba: MSTORE 000005bb: DUP3 000005bc: MLOAD 000005bd: SWAP2 000005be: DUP3 000005bf: SWAP1 000005c0: SUB 000005c1: SWAP1 000005c2: SWAP3 000005c3: ADD 000005c4: SWAP1 000005c5: KECCAK256 000005c6: PUSH2 0x05ce 000005c9: SWAP1 000005ca: PUSH2 0x0352 000005cd: JUMP 000005ce: JUMPDEST 000005cf: LT 000005d0: ISZERO 000005d1: PUSH2 0x064b 000005d4: JUMPI 000005d5: DUP1 000005d6: SLOAD 000005d7: PUSH1 0x01 000005d9: DUP3 000005da: ADD 000005db: SLOAD 000005dc: PUSH1 0x01 000005de: PUSH1 0xa0 000005e0: PUSH1 0x02 000005e2: EXP 000005e3: SUB 000005e4: CALLER 000005e5: AND 000005e6: SWAP2 000005e7: PUSH1 0x00 000005e9: SWAP2 000005ea: PUSH2 0x05f3 000005ed: SWAP2 000005ee: SWAP1 000005ef: PUSH2 0x0137 000005f2: JUMP 000005f3: JUMPDEST 000005f4: PUSH1 0x40 000005f6: MLOAD 000005f7: PUSH1 0x00 000005f9: DUP2 000005fa: DUP2 000005fb: DUP2 000005fc: DUP6 000005fd: DUP9 000005fe: DUP9 000005ff: CALL 00000600: POP 00000601: DUP5 00000602: SLOAD 00000603: PUSH1 0x01 00000605: DUP7 00000606: ADD 00000607: SLOAD 00000608: SWAP1 00000609: DUP3 0000060a: MSTORE 0000060b: PUSH1 0x20 0000060d: DUP3 0000060e: ADD 0000060f: MSTORE 00000610: PUSH1 0x40 00000612: DUP1 00000613: MLOAD 00000614: PUSH1 0x01 00000616: PUSH1 0xa0 00000618: PUSH1 0x02 0000061a: EXP 0000061b: SUB 0000061c: CALLER 0000061d: AND 0000061e: SWAP6 0000061f: POP 00000620: PUSH32 0xfdc49939175858b2bb557093a7d52fa6b6f3aad917d282d61758fab4805f102a 00000641: SWAP5 00000642: POP 00000643: SWAP2 00000644: DUP3 00000645: SWAP1 00000646: SUB 00000647: ADD 00000648: SWAP2 00000649: POP 0000064a: LOG2 0000064b: JUMPDEST 0000064c: PUSH1 0x01 0000064e: PUSH1 0xa0 00000650: PUSH1 0x02 00000652: EXP 00000653: SUB 00000654: CALLER 00000655: AND 00000656: PUSH1 0x00 00000658: SWAP1 00000659: DUP2 0000065a: MSTORE 0000065b: PUSH1 0x04 0000065d: PUSH1 0x20 0000065f: DUP2 00000660: SWAP1 00000661: MSTORE 00000662: PUSH1 0x40 00000664: DUP3 00000665: KECCAK256 00000666: DUP3 00000667: DUP2 00000668: SSTORE 00000669: PUSH1 0x01 0000066b: DUP2 0000066c: ADD 0000066d: DUP4 0000066e: SWAP1 0000066f: SSTORE 00000670: PUSH1 0x02 00000672: DUP2 00000673: ADD 00000674: DUP4 00000675: SWAP1 00000676: SSTORE 00000677: PUSH1 0x03 00000679: DUP2 0000067a: ADD 0000067b: DUP4 0000067c: SWAP1 0000067d: SSTORE 0000067e: ADD 0000067f: SSTORE 00000680: POP 00000681: POP 00000682: JUMP 00000683: JUMPDEST 00000684: PUSH1 0x01 00000686: SWAP2 00000687: POP 00000688: JUMPDEST 00000689: POP 0000068a: SWAP1 0000068b: JUMP 0000068c: JUMPDEST 0000068d: DUP1 0000068e: SLOAD 0000068f: PUSH1 0x00 00000691: SWAP1 00000692: GT 00000693: PUSH2 0x069f 00000696: JUMPI 00000697: PUSH1 0x00 00000699: SWAP2 0000069a: POP 0000069b: PUSH2 0x0688 0000069e: JUMP 0000069f: JUMPDEST 000006a0: PUSH1 0x02 000006a2: DUP2 000006a3: ADD 000006a4: SLOAD 000006a5: PUSH1 0x14 000006a7: ADD 000006a8: NUMBER 000006a9: LT 000006aa: ISZERO 000006ab: PUSH2 0x0683 000006ae: JUMPI 000006af: PUSH1 0x00 000006b1: SWAP2 000006b2: POP 000006b3: PUSH2 0x0688 000006b6: JUMP 000006b7: JUMPDEST 000006b8: POP 000006b9: PUSH1 0x01 000006bb: PUSH1 0xa0 000006bd: PUSH1 0x02 000006bf: EXP 000006c0: SUB 000006c1: CALLER 000006c2: AND 000006c3: PUSH1 0x00 000006c5: DUP2 000006c6: DUP2 000006c7: MSTORE 000006c8: PUSH1 0x04 000006ca: PUSH1 0x20 000006cc: MSTORE 000006cd: PUSH1 0x40 000006cf: DUP1 000006d0: DUP3 000006d1: KECCAK256 000006d2: DUP1 000006d3: SLOAD 000006d4: SWAP2 000006d5: MLOAD 000006d6: SWAP1 000006d7: SWAP4 000006d8: SWAP3 000006d9: SWAP2 000006da: SWAP1 000006db: DUP3 000006dc: DUP2 000006dd: DUP2 000006de: DUP2 000006df: DUP6 000006e0: DUP9 000006e1: DUP4 000006e2: CALL 000006e3: POP 000006e4: POP 000006e5: POP 000006e6: SWAP1 000006e7: DUP2 000006e8: MSTORE 000006e9: PUSH1 0x04 000006eb: PUSH1 0x20 000006ed: DUP2 000006ee: SWAP1 000006ef: MSTORE 000006f0: DUP2 000006f1: DUP4 000006f2: SSTORE 000006f3: PUSH1 0x01 000006f5: DUP4 000006f6: ADD 000006f7: DUP3 000006f8: SWAP1 000006f9: SSTORE 000006fa: PUSH1 0x02 000006fc: DUP4 000006fd: ADD 000006fe: DUP3 000006ff: SWAP1 00000700: SSTORE 00000701: PUSH1 0x03 00000703: DUP4 00000704: ADD 00000705: DUP3 00000706: SWAP1 00000707: SSTORE 00000708: DUP3 00000709: ADD 0000070a: SSTORE 0000070b: JUMPDEST 0000070c: POP 0000070d: JUMP 0000070e: JUMPDEST 0000070f: ISZERO 00000710: ISZERO 00000711: PUSH2 0x06b7 00000714: JUMPI 00000715: PUSH2 0x070b 00000718: JUMP 00000719: JUMPDEST 0000071a: PUSH1 0x03 0000071c: SSTORE 0000071d: JUMP 0000071e: JUMPDEST 0000071f: PUSH1 0x02 00000721: DUP1 00000722: SLOAD 00000723: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 00000738: NOT 00000739: AND 0000073a: DUP3 0000073b: OR 0000073c: SWAP1 0000073d: SSTORE 0000073e: POP 0000073f: JUMP 00000740: JUMPDEST 00000741: PUSH1 0x00 00000743: DUP1 00000744: SLOAD 00000745: EQ 00000746: DUP1 00000747: PUSH2 0x0755 0000074a: JUMPI 0000074b: POP 0000074c: PUSH1 0x00 0000074e: SLOAD 0000074f: PUSH2 0x1680 00000752: ADD 00000753: NUMBER 00000754: LT 00000755: JUMPDEST 00000756: ISZERO 00000757: PUSH2 0x075f 0000075a: JUMPI 0000075b: PUSH2 0x070b 0000075e: JUMP 0000075f: JUMPDEST 00000760: PUSH1 0x01 00000762: SLOAD 00000763: PUSH1 0x40 00000765: MLOAD 00000766: PUSH1 0x01 00000768: PUSH1 0xa0 0000076a: PUSH1 0x02 0000076c: EXP 0000076d: SUB 0000076e: SWAP2 0000076f: SWAP1 00000770: SWAP2 00000771: AND 00000772: SWAP1 00000773: PUSH1 0x00 00000775: SWAP1 00000776: DUP4 00000777: SWAP1 00000778: DUP3 00000779: DUP2 0000077a: DUP2 0000077b: DUP2 0000077c: DUP6 0000077d: DUP9 0000077e: DUP4 0000077f: CALL 00000780: POP 00000781: POP 00000782: POP 00000783: POP 00000784: POP 00000785: POP 00000786: JUMP
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | other | detector | Untrusted CALL target/value reachable | 60 | no | no |
viewtrace_id: 0x2e90517fcb45cf084892e54930a1ccb2b85e04b66456712add5d7aee956a41f9
call_targets:
0xc4c51de1abf5d60dbd329ec0f999fd8f021ae9fc
target_varies:
no
classification:
constant_target
validation_json{
"sink": "CALL",
"errors": 0,
"status": "sink_reached",
"attempts": 1,
"trace_id": "0x2e90517fcb45cf084892e54930a1ccb2b85e04b66456712add5d7aee956a41f9",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0xc4c51de1abf5d60dbd329ec0f999fd8f021ae9fc"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x021991e7",
"selector": "0x021991e7",
"calldata_variants": [
"0x021991e7",
"0x021991e70000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x03750d94",
"selector": "0x03750d94",
"calldata_variants": [
"0x03750d94",
"0x03750d940000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x06b5f02d",
"selector": "0x06b5f02d",
"calldata_variants": [
"0x06b5f02d",
"0x06b5f02d0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x0d1fce42",
"selector": "0x0d1fce42",
"calldata_variants": [
"0x0d1fce42",
"0x0d1fce420000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x0e1da6c3",
"selector": "0x0e1da6c3",
"calldata_variants": [
"0x0e1da6c3",
"0x0e1da6c30000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x0f06670a",
"selector": "0x0f06670a",
"calldata_variants": [
"0x0f06670a",
"0x0f06670a0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x2d9a37d3",
"selector": "0x2d9a37d3",
"calldata_variants": [
"0x2d9a37d3",
"0x2d9a37d30000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x2e1a7d4d",
"selector": "0x2e1a7d4d",
"calldata_variants": [
"0x2e1a7d4d",
"0x2e1a7d4d0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 1125,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 1535,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 1762,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 4,
"guards_detected": [],
"untrusted_call_count": 4
}
|
| high | other | detector | ETH value transfer possible | 55 | no | no |
viewtrace_id: 0x2e90517fcb45cf084892e54930a1ccb2b85e04b66456712add5d7aee956a41f9
call_targets:
0xc4c51de1abf5d60dbd329ec0f999fd8f021ae9fc
target_varies:
no
classification:
constant_target
validation_json{
"sink": "CALL",
"errors": 0,
"status": "sink_reached",
"attempts": 1,
"trace_id": "0x2e90517fcb45cf084892e54930a1ccb2b85e04b66456712add5d7aee956a41f9",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0xc4c51de1abf5d60dbd329ec0f999fd8f021ae9fc"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x021991e7",
"selector": "0x021991e7",
"calldata_variants": [
"0x021991e7",
"0x021991e70000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x03750d94",
"selector": "0x03750d94",
"calldata_variants": [
"0x03750d94",
"0x03750d940000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x06b5f02d",
"selector": "0x06b5f02d",
"calldata_variants": [
"0x06b5f02d",
"0x06b5f02d0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x0d1fce42",
"selector": "0x0d1fce42",
"calldata_variants": [
"0x0d1fce42",
"0x0d1fce420000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x0e1da6c3",
"selector": "0x0e1da6c3",
"calldata_variants": [
"0x0e1da6c3",
"0x0e1da6c30000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x0f06670a",
"selector": "0x0f06670a",
"calldata_variants": [
"0x0f06670a",
"0x0f06670a0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x2d9a37d3",
"selector": "0x2d9a37d3",
"calldata_variants": [
"0x2d9a37d3",
"0x2d9a37d30000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x2e1a7d4d",
"selector": "0x2e1a7d4d",
"calldata_variants": [
"0x2e1a7d4d",
"0x2e1a7d4d0000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 1125,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 1535,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 1762,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 4,
"guards_detected": []
}
|