1e758fb3-b65b-4640-a8e8-119c824fdbf4
Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?
| ID | Type | Status | Attempts | Heartbeat |
|---|---|---|---|---|
| 31609 | report.consolidate | complete | 1 / 1 | 3 months ago |
| 111452 | artifact.fetch | complete | 1 / 3 | 1 week ago |
| 111453 | tool.cast_disasm | complete | 1 / 3 | 1 week ago |
| 111454 | analysis.bundle | complete | 1 / 3 | 1 week ago |
| 111455 | capability.graph | complete | 1 / 3 | 1 week ago |
| 111456 | detector.run | complete | 1 / 3 | 1 week ago |
| 111457 | validation.fork | complete | 1 / 3 | 1 week ago |
No slither job recorded yet.
[codex:423315] OpenAI Codex v0.77.0 (research preview)
[codex:423315] --------
[codex:423315] workdir: /tmp/codex-multi-eb20ctg3
[codex:423315] model: gpt-5.2-codex
[codex:423315] provider: openai
[codex:423315] approval: never
[codex:423315] sandbox: read-only
[codex:423315] reasoning effort: xhigh
[codex:423315] reasoning summaries: auto
[codex:423315] session id: 019b882d-9bf2-78a2-a901-5ff6aa6178e0
[codex:423315] --------
[codex:423315] user
[codex:423315] You are a profit-focused exploit hunter analyzing EVM bytecode. Your ONLY goal is finding ways to extract value (ETH, tokens, NFTs) from this contract.
[codex:423315]
[codex:423315] Read `BYTECODE_BUNDLE.txt` completely before concluding.
[codex:423315]
[codex:423315] ONLY REPORT if you find a CONCRETE, EXPLOITABLE path to profit. We do NOT care about:
[codex:423315] - Gas inefficiency, code quality, or best practices
[codex:423315] - Theoretical vulnerabilities without a clear extraction path
[codex:423315] - Generic footguns (unchecked return values, etc.) unless they enable theft
[codex:423315] - Issues requiring social engineering or off-chain coordination
[codex:423315]
[codex:423315] PATTERNS WORTH INVESTIGATING in bytecode:
[codex:423315] - CALL/DELEGATECALL with controllable destination or calldata
[codex:423315] - Value transfers (CALL with non-zero value) without prior CALLER/ORIGIN checks
[codex:423315] - SSTORE to low slots (0-10) that might be owner/admin storage
[codex:423315] - ecrecover (signature validation) - look for missing nonce/replay protection
[codex:423315] - External calls before state updates (reentrancy)
[codex:423315] - SELFDESTRUCT with controllable beneficiary
[codex:423315] - Proxy patterns (DELEGATECALL to storage slot) with unprotected upgrade paths
[codex:423315]
[codex:423315] For each finding, you MUST explain:
[codex:423315] 1. The specific bytecode pattern/offsets that indicate the vulnerability
[codex:423315] 2. The concrete sequence of transactions to extract value
[codex:423315] 3. Why you believe this is exploitable (not just suspicious)
[codex:423315]
[codex:423315] If you cannot identify a concrete profit path from bytecode alone: set no_findings=true.
[codex:423315] Do NOT hallucinate. Bytecode-only analysis is limited - be honest about uncertainty.
[codex:423315]
[codex:423315] Output MUST be valid JSON matching the provided schema.
[codex:423315] - severity: info, low, medium, high, critical (use high/critical ONLY for clear extraction paths)
[codex:423315] - category: access_control, reentrancy, math, oracle, upgradeability, auth, other
[codex:423315] mcp startup: no servers
[codex:423315]
[codex:423315] thinking
[codex:423315] **Reading bytecode file with shell command**
[codex:423315] exec
[codex:423315] /bin/bash -lc ls in /tmp/codex-multi-eb20ctg3 succeeded in 5ms:
[codex:423315] BYTECODE_BUNDLE.txt
[codex:423315] codex-output-schema.json
[codex:423315] exec
[codex:423315] /bin/bash -lc 'cat BYTECODE_BUNDLE.txt' in /tmp/codex-multi-eb20ctg3 succeeded in 5ms:
[codex:423315] Runtime bytecode bundle for best-effort auditing.
[codex:423315] Note: without verified source, conclusions are low-confidence unless a concrete pattern is visible.
[codex:423315]
[codex:423315] FILE: runtime_bytecode.hex
[codex:423315] 0x6080604052600436106100775763ffffffff7c01000000000000000000000000000000000000000000000000000000006000350416630b6902bb81146100795780632cdb71801461009d57806368923c3b146100ce57806376f1525c146100ef578063e35a76cb14610116578063ed563d601461012e575b005b34801561008557600080fd5b50610077600160a060020a0360043516602435610143565b3480156100a957600080fd5b506100b26101d1565b60408051600160a060020a039092168252519081900360200190f35b3480156100da57600080fd5b50610077600160a060020a03600435166101e0565b3480156100fb57600080fd5b50610104610254565b60408051918252519081900360200190f35b34801561012257600080fd5b50610077600435610259565b34801561013a57600080fd5b506100776102c6565b60008054600160a060020a0316331461015b57600080fd5b6000821161016857600080fd5b600160a060020a038316151561017d57600080fd5b610186826102e9565b60ff16905060008111156101cc57604051600160a060020a0384169083156108fc029084906000818181858888f193505050501580156101ca573d6000803e3d6000fd5b505b505050565b600054600160a060020a031690565b600054600160a060020a031633146101f757600080fd5b600160a060020a038082161061020c57600080fd5b600160a060020a03908103908116151561022557600080fd5b6000805473ffffffffffffffffffffffffffffffffffffffff1916600160a060020a0392909216919091179055565b303190565b60008054600160a060020a0316331461027157600080fd5b6000821161027e57600080fd5b610287826102e9565b60ff16905060008111156102c257604051339083156108fc029084906000818181858888f193505050501580156101cc573d6000803e3d6000fd5b5050565b600080548190600160a060020a031633146102e057600080fd5b30319150610287825b6000303181101561030f5730318211156103175760003031111561030f5750600061031b565b50600061031b565b5060015b9190505600a165627a7a72305820e7fdb1057bca4839494f61f7a12494fea33a244caaad94937cfbe1710a6348740029
[codex:423315]
[codex:423315] thinking
[codex:423315] **Analyzing smart contract bytecode**
[codex:423315] exec
[codex:423315] /bin/bash -lc 'which evm' in /tmp/codex-multi-eb20ctg3 exited 1 in 5ms:
[codex:423315]
[codex:423315]
[codex:423315] thinking
[codex:423315] **Considering disassembly approach**
[codex:423315] exec
[codex:423315] /bin/bash -lc "python - <<'PY'
[codex:423315] import sys, binascii
[codex:423315] hexstr=open('BYTECODE_BUNDLE.txt').read().split('runtime_bytecode.hex',1)[1]
[codex:423315] # extract 0x...
[codex:423315] import re
[codex:423315] m=re.search(r'0x[0-9a-fA-F]+', hexstr)
[codex:423315] code=bytes.fromhex(m.group(0)[2:])
[codex:423315] # simple disasm
[codex:423315] opcodes={
[codex:423315] 0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:423315] 0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:423315] 0x20:'SHA3',
[codex:423315] 0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:423315] 0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:423315] 0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
[codex:423315] 0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
[codex:423315] 0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
[codex:423315] 0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
[codex:423315] 0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
[codex:423315] 0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:423315] }
[codex:423315] # disasm with offsets
[codex:423315] i=0
[codex:423315] out=[]
[codex:423315] while i<len(code):
[codex:423315] op=code[i]
[codex:423315] name=opcodes.get(op,'UNKNOWN')
[codex:423315] if 0x60<=op<=0x7f:
[codex:423315] n=op-0x5f
[codex:423315] data=code[i+1:i+1+n]
[codex:423315] out.append((i,name,data.hex()))
[codex:423315] i+=1+n
[codex:423315] else:
[codex:423315] out.append((i,name,''))
[codex:423315] i+=1
[codex:423315]
[codex:423315] # print a subset with offsets
[codex:423315] for off,name,data in out:
[codex:423315] if data:
[codex:423315] print(f\"{off:04x}: {name} 0x{data}\")
[codex:423315] else:
[codex:423315] print(f\"{off:04x}: {name}\")
[codex:423315] PY" in /tmp/codex-multi-eb20ctg3 succeeded in 24ms:
[codex:423315] 0000: PUSH1 0x80
[codex:423315] 0002: PUSH1 0x40
[codex:423315] 0004: MSTORE
[codex:423315] 0005: PUSH1 0x04
[codex:423315] 0007: CALLDATASIZE
[codex:423315] 0008: LT
[codex:423315] 0009: PUSH2 0x0077
[codex:423315] 000c: JUMPI
[codex:423315] 000d: PUSH4 0xffffffff
[codex:423315] 0012: PUSH29 0x0100000000000000000000000000000000000000000000000000000000
[codex:423315] 0030: PUSH1 0x00
[codex:423315] 0032: CALLDATALOAD
[codex:423315] 0033: DIV
[codex:423315] 0034: AND
[codex:423315] 0035: PUSH4 0x0b6902bb
[codex:423315] 003a: DUP2
[codex:423315] 003b: EQ
[codex:423315] 003c: PUSH2 0x0079
[codex:423315] 003f: JUMPI
[codex:423315] 0040: DUP1
[codex:423315]
[codex:423315]
[codex:423315]
[codex:423315] thinking
[codex:423315] **Analyzing low-level function mechanics**
[codex:423315]
[codex:423315] I’m carefully parsing the EVM bytecode of several functions to understand their parameter passing, owner checks, and balance validations, simulating the stack and control flow to decipher what each function does, especially around withdraw and balance queries. There is a lot of detail here about stack manipulation and jump destinations as I reconstruct the call logic.
[codex:423315] thinking
[codex:423315] **Tracing stack state through nested calls**
[codex:423315]
[codex:423315] I’m methodically modeling the stack layout during the internal function calls, clarifying how arguments like amount and address are passed and validated against the contract balance, paying close attention to subtle stack shifts from pushes, duplicates, and jumps to accurately understand data flow.
[codex:423315] thinking
[codex:423315] **Analyzing internal function return logic**
[codex:423315]
[codex:423315] I'm carefully stepping through the internal function's bytecode to see how it returns a boolean indicating if the amount is within the contract's balance, following each stack operation and jump to reconstruct the function’s control flow and return value setup.
[codex:423315] exec
[codex:423315] /bin/bash -lc "python - <<'PY'
[codex:423315] # simulate stack for sequence from 0x0186 onward
[codex:423315] from collections import deque
[codex:423315]
[codex:423315] def push(stack, item):
[codex:423315] stack.append(item)
[codex:423315]
[codex:423315] def dup(stack, n):
[codex:423315] stack.append(stack[-n])
[codex:423315]
[codex:423315] def swap(stack, n):
[codex:423315] stack[-1], stack[-1-n] = stack[-1-n], stack[-1]
[codex:423315]
[codex:423315] # initial stack at 0x0186
[codex:423315] stack = ['r','a','v', 'retVal']
[codex:423315]
[codex:423315] # 0187 PUSH1 0xff, AND
[codex:423315] push(stack,'0xff')
[codex:423315] # AND uses top two
[codex:423315] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}&{b})\")
[codex:423315] # SWAP1, POP
[codex:423315] swap(stack,1)
[codex:423315] stack.pop()
[codex:423315] # PUSH1 0x00, DUP2, GT, ISZERO, JUMPI not taken (retVal>0). We'll assume retVal=1 so not jump.
[codex:423315] push(stack,'0')
[codex:423315] dup(stack,2)
[codex:423315] # GT
[codex:423315] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}>{b})\")
[codex:423315] # ISZERO
[codex:423315] b=stack.pop(); stack.append(f\"iszero({b})\")
[codex:423315] # JUMPI not taken: pop dest and cond, but dest pushed before JUMPI; we skip as if not taken. Let's just simulate popping cond and dest.
[codex:423315] push(stack,'dest')
[codex:423315] stack.pop(); stack.pop() # pop dest and cond
[codex:423315] # At 0195 MLOAD etc: we ignore free mem pointer symbol 'mem'
[codex:423315] push(stack,'mem')
[codex:423315] # compute mask and AND with DUP5 to get address
[codex:423315] push(stack,'mask')
[codex:423315] dup(stack,5)
[codex:423315] # AND
[codex:423315] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}&{b})\")
[codex:423315] # SWAP1
[codex:423315] swap(stack,1)
[codex:423315] # DUP4, ISZERO, MUL to get gas
[codex:423315] # DUP4
[codex:423315] print('stack before DUP4', stack)
[codex:423315] dup(stack,4)
[codex:423315] # ISZERO
[codex:423315] b=stack.pop(); stack.append(f\"iszero({b})\")
[codex:423315] # MUL with 0x08fc
[codex:423315] push(stack,'2300')
[codex:423315] # MUL
[codex:423315] b=stack.pop(); a=stack.pop(); stack.append(f\"({a}*{b})\")
[codex:423315] # SWAP1
[codex:423315] swap(stack,1)
[codex:423315] # DUP5
[codex:423315] print('stack before DUP5', stack)
[codex:423315] dup(stack,5)
[codex:423315] # SWAP1
[codex:423315] swap(stack,1)
[codex:423315] # PUSH1 0x00
[codex:423315] push(stack,'0')
[codex:423315] # DUP2
[codex:423315] dup(stack,2)
[codex:423315] # DUP2
[codex:423315] dup(stack,2)
[codex:423315] # DUP2
[codex:423315] dup(stack,2)
[codex:423315] # DUP6
[codex:423315] print('stack before DUP6', stack)
[codex:423315] dup(stack,6)
[codex:423315] # DUP9
[codex:423315] print('stack before DUP9', stack)
[codex:423315] dup(stack,9)
[codex:423315] # DUP9
[codex:423315] print('stack before DUP9 second', stack)
[codex:423315] dup(stack,9)
[codex:423315]
[codex:423315] print('final stack before CALL', stack)
[codex:423315] PY" in /tmp/codex-multi-eb20ctg3 succeeded in 22ms:
[codex:423315] stack before DUP4 ['r', 'a', '(retVal&0xff)', '(mask&r)', 'mem']
[codex:423315] stack before DUP5 ['r', 'a', '(retVal&0xff)', '(mask&r)', '(iszero(a)*2300)', 'mem']
[codex:423315] stack before DUP6 ['r', 'a', '(retVal&0xff)', '(mask&r)', '(iszero(a)*2300)', 'a', 'mem', '0', 'mem', '0', 'mem']
[codex:423315] stack before DUP9 ['r', 'a', '(retVal&0xff)', '(mask&r)', '(iszero(a)*2300)', 'a', 'mem', '0', 'mem', '0', 'mem', 'a']
[codex:423315] stack before DUP9 second ['r', 'a', '(retVal&0xff)', '(mask&r)', '(iszero(a)*2300)', 'a', 'mem', '0', 'mem', '0', 'mem', 'a', '(mask&r)']
[codex:423315] final stack before CALL ['r', 'a', '(retVal&0xff)', '(mask&r)', '(iszero(a)*2300)', 'a', 'mem', '0', 'mem', '0', 'mem', 'a', '(mask&r)', '(iszero(a)*2300)']
[codex:423315]
[codex:423315] thinking
[codex:423315] **Analyzing EVM function behaviors**
[codex:423315] exec
[codex:423315] /bin/bash -lc "python - <<'PY'
[codex:423315] import re
[codex:423315] hexstr=open('BYTECODE_BUNDLE.txt').read()
[codex:423315] code=bytes.fromhex(re.search(r'0x[0-9a-fA-F]+', hexstr).group(0)[2:])
[codex:423315] for i in range(0x02c0,0x02f5):
[codex:423315] print(f\"{i:04x}: {code[i]:02x}\")
[codex:423315] PY" in /tmp/codex-multi-eb20ctg3 succeeded in 23ms:
[codex:423315] 02c0: 00
[codex:423315] 02c1: fd
[codex:423315] 02c2: 5b
[codex:423315] 02c3: 50
[codex:423315] 02c4: 50
[codex:423315] 02c5: 56
[codex:423315] 02c6: 5b
[codex:423315] 02c7: 60
[codex:423315] 02c8: 00
[codex:423315] 02c9: 80
[codex:423315] 02ca: 54
[codex:423315] 02cb: 81
[codex:423315] 02cc: 90
[codex:423315] 02cd: 60
[codex:423315] 02ce: 01
[codex:423315] 02cf: 60
[codex:423315] 02d0: a0
[codex:423315] 02d1: 60
[codex:423315] 02d2: 02
[codex:423315] 02d3: 0a
[codex:423315]
[codex:423315] thinking
[codex:423315] **Analyzing bytecode for exploits**
[codex:423315] codex
[codex:423315] {"no_findings":true,"summary":"No concrete, exploitable profit path identified from the runtime bytecode; value transfers appear owner-gated and no unprotected delegatecall/selfdestruct patterns are visible.","findings":[]}
[codex:423315] tokens used
[codex:423315] 34,424
[codex:423315] {"no_findings":true,"summary":"No concrete, exploitable profit path identified from the runtime bytecode; value transfers appear owner-gated and no unprotected delegatecall/selfdestruct patterns are visible.","findings":[]}
{
"codex": {
"ran_at": "2026-01-04T08:50:28.291373+00:00",
"returncode": 0
},
"summary": "No concrete, exploitable profit path identified from the runtime bytecode; value transfers appear owner-gated and no unprotected delegatecall/selfdestruct patterns are visible.",
"raw_final": {
"summary": "No concrete, exploitable profit path identified from the runtime bytecode; value transfers appear owner-gated and no unprotected delegatecall/selfdestruct patterns are visible.",
"findings": [],
"no_findings": true
},
"no_findings": true,
"schema_version": 1
}
00000000: PUSH1 0x80 00000002: PUSH1 0x40 00000004: MSTORE 00000005: PUSH1 0x04 00000007: CALLDATASIZE 00000008: LT 00000009: PUSH2 0x0077 0000000c: JUMPI 0000000d: PUSH4 0xffffffff 00000012: PUSH29 0x0100000000000000000000000000000000000000000000000000000000 00000030: PUSH1 0x00 00000032: CALLDATALOAD 00000033: DIV 00000034: AND 00000035: PUSH4 0x0b6902bb 0000003a: DUP2 0000003b: EQ 0000003c: PUSH2 0x0079 0000003f: JUMPI 00000040: DUP1 00000041: PUSH4 0x2cdb7180 00000046: EQ 00000047: PUSH2 0x009d 0000004a: JUMPI 0000004b: DUP1 0000004c: PUSH4 0x68923c3b 00000051: EQ 00000052: PUSH2 0x00ce 00000055: JUMPI 00000056: DUP1 00000057: PUSH4 0x76f1525c 0000005c: EQ 0000005d: PUSH2 0x00ef 00000060: JUMPI 00000061: DUP1 00000062: PUSH4 0xe35a76cb 00000067: EQ 00000068: PUSH2 0x0116 0000006b: JUMPI 0000006c: DUP1 0000006d: PUSH4 0xed563d60 00000072: EQ 00000073: PUSH2 0x012e 00000076: JUMPI 00000077: JUMPDEST 00000078: STOP 00000079: JUMPDEST 0000007a: CALLVALUE 0000007b: DUP1 0000007c: ISZERO 0000007d: PUSH2 0x0085 00000080: JUMPI 00000081: PUSH1 0x00 00000083: DUP1 00000084: REVERT 00000085: JUMPDEST 00000086: POP 00000087: PUSH2 0x0077 0000008a: PUSH1 0x01 0000008c: PUSH1 0xa0 0000008e: PUSH1 0x02 00000090: EXP 00000091: SUB 00000092: PUSH1 0x04 00000094: CALLDATALOAD 00000095: AND 00000096: PUSH1 0x24 00000098: CALLDATALOAD 00000099: PUSH2 0x0143 0000009c: JUMP 0000009d: JUMPDEST 0000009e: CALLVALUE 0000009f: DUP1 000000a0: ISZERO 000000a1: PUSH2 0x00a9 000000a4: JUMPI 000000a5: PUSH1 0x00 000000a7: DUP1 000000a8: REVERT 000000a9: JUMPDEST 000000aa: POP 000000ab: PUSH2 0x00b2 000000ae: PUSH2 0x01d1 000000b1: JUMP 000000b2: JUMPDEST 000000b3: PUSH1 0x40 000000b5: DUP1 000000b6: MLOAD 000000b7: PUSH1 0x01 000000b9: PUSH1 0xa0 000000bb: PUSH1 0x02 000000bd: EXP 000000be: SUB 000000bf: SWAP1 000000c0: SWAP3 000000c1: AND 000000c2: DUP3 000000c3: MSTORE 000000c4: MLOAD 000000c5: SWAP1 000000c6: DUP2 000000c7: SWAP1 000000c8: SUB 000000c9: PUSH1 0x20 000000cb: ADD 000000cc: SWAP1 000000cd: RETURN 000000ce: JUMPDEST 000000cf: CALLVALUE 000000d0: DUP1 000000d1: ISZERO 000000d2: PUSH2 0x00da 000000d5: JUMPI 000000d6: PUSH1 0x00 000000d8: DUP1 000000d9: REVERT 000000da: JUMPDEST 000000db: POP 000000dc: PUSH2 0x0077 000000df: PUSH1 0x01 000000e1: PUSH1 0xa0 000000e3: PUSH1 0x02 000000e5: EXP 000000e6: SUB 000000e7: PUSH1 0x04 000000e9: CALLDATALOAD 000000ea: AND 000000eb: PUSH2 0x01e0 000000ee: JUMP 000000ef: JUMPDEST 000000f0: CALLVALUE 000000f1: DUP1 000000f2: ISZERO 000000f3: PUSH2 0x00fb 000000f6: JUMPI 000000f7: PUSH1 0x00 000000f9: DUP1 000000fa: REVERT 000000fb: JUMPDEST 000000fc: POP 000000fd: PUSH2 0x0104 00000100: PUSH2 0x0254 00000103: JUMP 00000104: JUMPDEST 00000105: PUSH1 0x40 00000107: DUP1 00000108: MLOAD 00000109: SWAP2 0000010a: DUP3 0000010b: MSTORE 0000010c: MLOAD 0000010d: SWAP1 0000010e: DUP2 0000010f: SWAP1 00000110: SUB 00000111: PUSH1 0x20 00000113: ADD 00000114: SWAP1 00000115: RETURN 00000116: JUMPDEST 00000117: CALLVALUE 00000118: DUP1 00000119: ISZERO 0000011a: PUSH2 0x0122 0000011d: JUMPI 0000011e: PUSH1 0x00 00000120: DUP1 00000121: REVERT 00000122: JUMPDEST 00000123: POP 00000124: PUSH2 0x0077 00000127: PUSH1 0x04 00000129: CALLDATALOAD 0000012a: PUSH2 0x0259 0000012d: JUMP 0000012e: JUMPDEST 0000012f: CALLVALUE 00000130: DUP1 00000131: ISZERO 00000132: PUSH2 0x013a 00000135: JUMPI 00000136: PUSH1 0x00 00000138: DUP1 00000139: REVERT 0000013a: JUMPDEST 0000013b: POP 0000013c: PUSH2 0x0077 0000013f: PUSH2 0x02c6 00000142: JUMP 00000143: JUMPDEST 00000144: PUSH1 0x00 00000146: DUP1 00000147: SLOAD 00000148: PUSH1 0x01 0000014a: PUSH1 0xa0 0000014c: PUSH1 0x02 0000014e: EXP 0000014f: SUB 00000150: AND 00000151: CALLER 00000152: EQ 00000153: PUSH2 0x015b 00000156: JUMPI 00000157: PUSH1 0x00 00000159: DUP1 0000015a: REVERT 0000015b: JUMPDEST 0000015c: PUSH1 0x00 0000015e: DUP3 0000015f: GT 00000160: PUSH2 0x0168 00000163: JUMPI 00000164: PUSH1 0x00 00000166: DUP1 00000167: REVERT 00000168: JUMPDEST 00000169: PUSH1 0x01 0000016b: PUSH1 0xa0 0000016d: PUSH1 0x02 0000016f: EXP 00000170: SUB 00000171: DUP4 00000172: AND 00000173: ISZERO 00000174: ISZERO 00000175: PUSH2 0x017d 00000178: JUMPI 00000179: PUSH1 0x00 0000017b: DUP1 0000017c: REVERT 0000017d: JUMPDEST 0000017e: PUSH2 0x0186 00000181: DUP3 00000182: PUSH2 0x02e9 00000185: JUMP 00000186: JUMPDEST 00000187: PUSH1 0xff 00000189: AND 0000018a: SWAP1 0000018b: POP 0000018c: PUSH1 0x00 0000018e: DUP2 0000018f: GT 00000190: ISZERO 00000191: PUSH2 0x01cc 00000194: JUMPI 00000195: PUSH1 0x40 00000197: MLOAD 00000198: PUSH1 0x01 0000019a: PUSH1 0xa0 0000019c: PUSH1 0x02 0000019e: EXP 0000019f: SUB 000001a0: DUP5 000001a1: AND 000001a2: SWAP1 000001a3: DUP4 000001a4: ISZERO 000001a5: PUSH2 0x08fc 000001a8: MUL 000001a9: SWAP1 000001aa: DUP5 000001ab: SWAP1 000001ac: PUSH1 0x00 000001ae: DUP2 000001af: DUP2 000001b0: DUP2 000001b1: DUP6 000001b2: DUP9 000001b3: DUP9 000001b4: CALL 000001b5: SWAP4 000001b6: POP 000001b7: POP 000001b8: POP 000001b9: POP 000001ba: ISZERO 000001bb: DUP1 000001bc: ISZERO 000001bd: PUSH2 0x01ca 000001c0: JUMPI 000001c1: RETURNDATASIZE 000001c2: PUSH1 0x00 000001c4: DUP1 000001c5: RETURNDATACOPY 000001c6: RETURNDATASIZE 000001c7: PUSH1 0x00 000001c9: REVERT 000001ca: JUMPDEST 000001cb: POP 000001cc: JUMPDEST 000001cd: POP 000001ce: POP 000001cf: POP 000001d0: JUMP 000001d1: JUMPDEST 000001d2: PUSH1 0x00 000001d4: SLOAD 000001d5: PUSH1 0x01 000001d7: PUSH1 0xa0 000001d9: PUSH1 0x02 000001db: EXP 000001dc: SUB 000001dd: AND 000001de: SWAP1 000001df: JUMP 000001e0: JUMPDEST 000001e1: PUSH1 0x00 000001e3: SLOAD 000001e4: PUSH1 0x01 000001e6: PUSH1 0xa0 000001e8: PUSH1 0x02 000001ea: EXP 000001eb: SUB 000001ec: AND 000001ed: CALLER 000001ee: EQ 000001ef: PUSH2 0x01f7 000001f2: JUMPI 000001f3: PUSH1 0x00 000001f5: DUP1 000001f6: REVERT 000001f7: JUMPDEST 000001f8: PUSH1 0x01 000001fa: PUSH1 0xa0 000001fc: PUSH1 0x02 000001fe: EXP 000001ff: SUB 00000200: DUP1 00000201: DUP3 00000202: AND 00000203: LT 00000204: PUSH2 0x020c 00000207: JUMPI 00000208: PUSH1 0x00 0000020a: DUP1 0000020b: REVERT 0000020c: JUMPDEST 0000020d: PUSH1 0x01 0000020f: PUSH1 0xa0 00000211: PUSH1 0x02 00000213: EXP 00000214: SUB 00000215: SWAP1 00000216: DUP2 00000217: SUB 00000218: SWAP1 00000219: DUP2 0000021a: AND 0000021b: ISZERO 0000021c: ISZERO 0000021d: PUSH2 0x0225 00000220: JUMPI 00000221: PUSH1 0x00 00000223: DUP1 00000224: REVERT 00000225: JUMPDEST 00000226: PUSH1 0x00 00000228: DUP1 00000229: SLOAD 0000022a: PUSH20 0xffffffffffffffffffffffffffffffffffffffff 0000023f: NOT 00000240: AND 00000241: PUSH1 0x01 00000243: PUSH1 0xa0 00000245: PUSH1 0x02 00000247: EXP 00000248: SUB 00000249: SWAP3 0000024a: SWAP1 0000024b: SWAP3 0000024c: AND 0000024d: SWAP2 0000024e: SWAP1 0000024f: SWAP2 00000250: OR 00000251: SWAP1 00000252: SSTORE 00000253: JUMP 00000254: JUMPDEST 00000255: ADDRESS 00000256: BALANCE 00000257: SWAP1 00000258: JUMP 00000259: JUMPDEST 0000025a: PUSH1 0x00 0000025c: DUP1 0000025d: SLOAD 0000025e: PUSH1 0x01 00000260: PUSH1 0xa0 00000262: PUSH1 0x02 00000264: EXP 00000265: SUB 00000266: AND 00000267: CALLER 00000268: EQ 00000269: PUSH2 0x0271 0000026c: JUMPI 0000026d: PUSH1 0x00 0000026f: DUP1 00000270: REVERT 00000271: JUMPDEST 00000272: PUSH1 0x00 00000274: DUP3 00000275: GT 00000276: PUSH2 0x027e 00000279: JUMPI 0000027a: PUSH1 0x00 0000027c: DUP1 0000027d: REVERT 0000027e: JUMPDEST 0000027f: PUSH2 0x0287 00000282: DUP3 00000283: PUSH2 0x02e9 00000286: JUMP 00000287: JUMPDEST 00000288: PUSH1 0xff 0000028a: AND 0000028b: SWAP1 0000028c: POP 0000028d: PUSH1 0x00 0000028f: DUP2 00000290: GT 00000291: ISZERO 00000292: PUSH2 0x02c2 00000295: JUMPI 00000296: PUSH1 0x40 00000298: MLOAD 00000299: CALLER 0000029a: SWAP1 0000029b: DUP4 0000029c: ISZERO 0000029d: PUSH2 0x08fc 000002a0: MUL 000002a1: SWAP1 000002a2: DUP5 000002a3: SWAP1 000002a4: PUSH1 0x00 000002a6: DUP2 000002a7: DUP2 000002a8: DUP2 000002a9: DUP6 000002aa: DUP9 000002ab: DUP9 000002ac: CALL 000002ad: SWAP4 000002ae: POP 000002af: POP 000002b0: POP 000002b1: POP 000002b2: ISZERO 000002b3: DUP1 000002b4: ISZERO 000002b5: PUSH2 0x01cc 000002b8: JUMPI 000002b9: RETURNDATASIZE 000002ba: PUSH1 0x00 000002bc: DUP1 000002bd: RETURNDATACOPY 000002be: RETURNDATASIZE 000002bf: PUSH1 0x00 000002c1: REVERT 000002c2: JUMPDEST 000002c3: POP 000002c4: POP 000002c5: JUMP 000002c6: JUMPDEST 000002c7: PUSH1 0x00 000002c9: DUP1 000002ca: SLOAD 000002cb: DUP2 000002cc: SWAP1 000002cd: PUSH1 0x01 000002cf: PUSH1 0xa0 000002d1: PUSH1 0x02 000002d3: EXP 000002d4: SUB 000002d5: AND 000002d6: CALLER 000002d7: EQ 000002d8: PUSH2 0x02e0 000002db: JUMPI 000002dc: PUSH1 0x00 000002de: DUP1 000002df: REVERT 000002e0: JUMPDEST 000002e1: ADDRESS 000002e2: BALANCE 000002e3: SWAP2 000002e4: POP 000002e5: PUSH2 0x0287 000002e8: DUP3 000002e9: JUMPDEST 000002ea: PUSH1 0x00 000002ec: ADDRESS 000002ed: BALANCE 000002ee: DUP2 000002ef: LT 000002f0: ISZERO 000002f1: PUSH2 0x030f 000002f4: JUMPI 000002f5: ADDRESS 000002f6: BALANCE 000002f7: DUP3 000002f8: GT 000002f9: ISZERO 000002fa: PUSH2 0x0317 000002fd: JUMPI 000002fe: PUSH1 0x00 00000300: ADDRESS 00000301: BALANCE 00000302: GT 00000303: ISZERO 00000304: PUSH2 0x030f 00000307: JUMPI 00000308: POP 00000309: PUSH1 0x00 0000030b: PUSH2 0x031b 0000030e: JUMP 0000030f: JUMPDEST 00000310: POP 00000311: PUSH1 0x00 00000313: PUSH2 0x031b 00000316: JUMP 00000317: JUMPDEST 00000318: POP 00000319: PUSH1 0x01 0000031b: JUMPDEST 0000031c: SWAP2 0000031d: SWAP1 0000031e: POP 0000031f: JUMP 00000320: STOP 00000321: LOG1 00000322: PUSH6 0x627a7a723058 00000329: KECCAK256 0000032a: UNKNOWN(0xE7) 0000032b: REVERT 0000032c: UNKNOWN(0xB1) 0000032d: SDIV 0000032e: PUSH28 0xca4839494f61f7a12494fea33a244caaad94937cfbe1710a63487400 0000034b: UNKNOWN(0x29)
| Severity | Category | Tool | Title | Confidence | Validated | Confirmed | Details |
|---|---|---|---|---|---|---|---|
| high | other | detector | Untrusted CALL target/value reachable | 60 | no | no |
viewtrace_id: 0xb8eed1463d5289ae39112586caa482f9496cc5b63c2b67963e0240defed54e55
call_targets:
0x697dfeea12f5133627ce3afa48e857ac8544ffcf
target_varies:
no
classification:
constant_target
validation_json{
"sink": "CALL",
"errors": 0,
"status": "sink_reached",
"attempts": 1,
"trace_id": "0xb8eed1463d5289ae39112586caa482f9496cc5b63c2b67963e0240defed54e55",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0x697dfeea12f5133627ce3afa48e857ac8544ffcf"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x0b6902bb",
"selector": "0x0b6902bb",
"calldata_variants": [
"0x0b6902bb",
"0x0b6902bb0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x2cdb7180",
"selector": "0x2cdb7180",
"calldata_variants": [
"0x2cdb7180",
"0x2cdb71800000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x68923c3b",
"selector": "0x68923c3b",
"calldata_variants": [
"0x68923c3b",
"0x68923c3b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x76f1525c",
"selector": "0x76f1525c",
"calldata_variants": [
"0x76f1525c",
"0x76f1525c0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xe35a76cb",
"selector": "0xe35a76cb",
"calldata_variants": [
"0xe35a76cb",
"0xe35a76cb0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xed563d60",
"selector": "0xed563d60",
"calldata_variants": [
"0xed563d60",
"0xed563d600000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 436,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 684,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"call_count": 2,
"guards_detected": [],
"untrusted_call_count": 2
}
|
| high | other | detector | ETH value transfer possible | 55 | no | no |
viewtrace_id: 0xb8eed1463d5289ae39112586caa482f9496cc5b63c2b67963e0240defed54e55
call_targets:
0x697dfeea12f5133627ce3afa48e857ac8544ffcf
target_varies:
no
classification:
constant_target
validation_json{
"sink": "CALL",
"errors": 0,
"status": "sink_reached",
"attempts": 1,
"trace_id": "0xb8eed1463d5289ae39112586caa482f9496cc5b63c2b67963e0240defed54e55",
"confirmed": false,
"trace_mode": "callTracer",
"call_targets": [
"0x697dfeea12f5133627ce3afa48e857ac8544ffcf"
],
"matched_probe": null,
"target_varies": false,
"classification": "constant_target"
}
witness_json{
"notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
"constraints": [],
"entrypoints": [
{
"calldata": "0x0b6902bb",
"selector": "0x0b6902bb",
"calldata_variants": [
"0x0b6902bb",
"0x0b6902bb0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x2cdb7180",
"selector": "0x2cdb7180",
"calldata_variants": [
"0x2cdb7180",
"0x2cdb71800000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x68923c3b",
"selector": "0x68923c3b",
"calldata_variants": [
"0x68923c3b",
"0x68923c3b0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0x76f1525c",
"selector": "0x76f1525c",
"calldata_variants": [
"0x76f1525c",
"0x76f1525c0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xe35a76cb",
"selector": "0xe35a76cb",
"calldata_variants": [
"0xe35a76cb",
"0xe35a76cb0000000000000000000000000000000000000000000000000000000000000000"
]
},
{
"calldata": "0xed563d60",
"selector": "0xed563d60",
"calldata_variants": [
"0xed563d60",
"0xed563d600000000000000000000000000000000000000000000000000000000000000000"
]
}
]
}
evidence_json{
"examples": [
{
"pc": 436,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
},
{
"pc": 684,
"opcode": "CALL",
"returndata_checked": null,
"value_expression_category": "computed",
"target_expression_category": "computed"
}
],
"eth_value_calls": 2,
"guards_detected": []
}
|
| info | other | cast | Heavy EXTCODE*/BALANCE usage | 55 | no | — |
viewevidence_json{
"notes": "frequent external code or balance checks; may indicate introspection or validation logic",
"ext_balance_count": 5
}
|