TW
Tripwire
Find contracts. Test them. Review real vulns.

Analysis Run

4261794a-4fb6-401c-be21-015a8bfdc915

complete
Chain ID
1
Address
0xf0b8c683a759dfc3534133dc7a9882d0ec4611b7
Block Number
Created
Fri, Jan 2, 2026 10:19 PM
Review Summary

What survived the funnel

Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?

back to vulns open contract
Confirmed
0
Validated
0
Source
Bytecode only
Review Backing
Not yet
Best current signal
Untrusted CALL target/value reachable
crit 0 high 0 direct contract
Review Checklist
1. Read the findings table first. Ignore raw jobs until the result looks real.
2. Confirm attacker control, not just the existence of a sink.
3. Confirm money or privilege impact.
4. Keep it if the behavior is real. Kill it if this is normal proxy, admin, or upgrade plumbing.

Processing Jobs

Status & attempts
ID Type Status Attempts Heartbeat
31362 report.consolidate complete 1 / 1 3 months ago
111170 artifact.fetch complete 1 / 3 1 week ago
111171 tool.cast_disasm complete 1 / 3 1 week ago
111172 analysis.bundle complete 1 / 3 1 week ago
111173 capability.graph complete 1 / 3 1 week ago
111174 detector.run complete 1 / 3 1 week ago
111175 validation.fork complete 1 / 3 1 week ago

Artifact

Runtime bytecode: available
Creation TX:
Deployer:
Proxy: no
Implementation:
Verified Source: no

Slither

tool.slither

No slither job recorded yet.

Codex

report.consolidate
Job Status
complete
Attempts
1 / 1
Findings
0
No findings?
yes
Summary
No concrete, exploitable profit path identified from the runtime bytecode in BYTECODE_BUNDLE.txt.
View stderr 
[codex:686724] OpenAI Codex v0.77.0 (research preview)
[codex:686724] --------
[codex:686724] workdir: /tmp/codex-multi-8x99heaw
[codex:686724] model: gpt-5.2-codex
[codex:686724] provider: openai
[codex:686724] approval: never
[codex:686724] sandbox: read-only
[codex:686724] reasoning effort: xhigh
[codex:686724] reasoning summaries: auto
[codex:686724] session id: 019b80c1-d42f-7ce0-9c8b-67fdfbd39f53
[codex:686724] --------
[codex:686724] user
[codex:686724] You are a profit-focused exploit hunter analyzing EVM bytecode. Your ONLY goal is finding ways to extract value (ETH, tokens, NFTs) from this contract.
[codex:686724] 
[codex:686724] Read `BYTECODE_BUNDLE.txt` completely before concluding.
[codex:686724] 
[codex:686724] ONLY REPORT if you find a CONCRETE, EXPLOITABLE path to profit. We do NOT care about:
[codex:686724] - Gas inefficiency, code quality, or best practices
[codex:686724] - Theoretical vulnerabilities without a clear extraction path
[codex:686724] - Generic footguns (unchecked return values, etc.) unless they enable theft
[codex:686724] - Issues requiring social engineering or off-chain coordination
[codex:686724] 
[codex:686724] PATTERNS WORTH INVESTIGATING in bytecode:
[codex:686724] - CALL/DELEGATECALL with controllable destination or calldata
[codex:686724] - Value transfers (CALL with non-zero value) without prior CALLER/ORIGIN checks
[codex:686724] - SSTORE to low slots (0-10) that might be owner/admin storage
[codex:686724] - ecrecover (signature validation) - look for missing nonce/replay protection
[codex:686724] - External calls before state updates (reentrancy)
[codex:686724] - SELFDESTRUCT with controllable beneficiary
[codex:686724] - Proxy patterns (DELEGATECALL to storage slot) with unprotected upgrade paths
[codex:686724] 
[codex:686724] For each finding, you MUST explain:
[codex:686724] 1. The specific bytecode pattern/offsets that indicate the vulnerability
[codex:686724] 2. The concrete sequence of transactions to extract value
[codex:686724] 3. Why you believe this is exploitable (not just suspicious)
[codex:686724] 
[codex:686724] If you cannot identify a concrete profit path from bytecode alone: set no_findings=true.
[codex:686724] Do NOT hallucinate. Bytecode-only analysis is limited - be honest about uncertainty.
[codex:686724] 
[codex:686724] Output MUST be valid JSON matching the provided schema.
[codex:686724] - severity: info, low, medium, high, critical (use high/critical ONLY for clear extraction paths)
[codex:686724] - category: access_control, reentrancy, math, oracle, upgradeability, auth, other
[codex:686724] mcp startup: no servers
[codex:686724] 
[codex:686724] thinking
[codex:686724] **Preparing to read BYTECODE_BUNDLE.txt**
[codex:686724] exec
[codex:686724] /bin/bash -lc ls in /tmp/codex-multi-8x99heaw succeeded in 5ms:
[codex:686724] BYTECODE_BUNDLE.txt
[codex:686724] codex-output-schema.json
[codex:686724] exec
[codex:686724] /bin/bash -lc 'cat BYTECODE_BUNDLE.txt' in /tmp/codex-multi-8x99heaw succeeded in 5ms:
[codex:686724] Runtime bytecode bundle for best-effort auditing.
[codex:686724] Note: without verified source, conclusions are low-confidence unless a concrete pattern is visible.
[codex:686724] 
[codex:686724] FILE: runtime_bytecode.hex
[codex:686724] 0x60806040526004361061003f5760003560e01c8063251c1aa3146100e157806342d5f4b21461010c57806395756c041461012c578063fa449d831461014c575b6001546001600160a01b03163314156100df57600254421161007c5760405162461bcd60e51b815260040161007390610370565b60405180910390fd5b6001546040516001600160a01b039091169047906100999061036d565b60006040518083038185875af1925050503d80600081146100d6576040519150601f19603f3d011682016040523d82523d6000602084013e6100db565b606091505b5050505b005b3480156100ed57600080fd5b506100f661016c565b604051610103919061038e565b60405180910390f35b34801561011857600080fd5b506100df61012736600461029e565b610172565b34801561013857600080fd5b506100df61014736600461031c565b6101ef565b34801561015857600080fd5b506100df610167366004610345565b610266565b60025481565b6000546001600160a01b0316331461018957600080fd5b826001600160a01b0316600083836040516101a592919061035d565b60006040518083038185875af1925050503d80600081146101e2576040519150601f19603f3d011682016040523d82523d6000602084013e6101e7565b606091505b505050505050565b6000546001600160a01b0316331461020657600080fd5b816001600160a01b03168160405161021d9061036d565b60006040518083038185875af1925050503d806000811461025a576040519150601f19603f3d011682016040523d82523d6000602084013e61025f565b606091505b5050505050565b6000546001600160a01b0316331461027d57600080fd5b600255565b80356001600160a01b038116811461029957600080fd5b919050565b6000806000604084860312156102b2578283fd5b6102bb84610282565b9250602084013567ffffffffffffffff808211156102d7578384fd5b818601915086601f8301126102ea578384fd5b8135818111156102f8578485fd5b876020828501011115610309578485fd5b6020830194508093505050509250925092565b6000806040838503121561032e578182fd5b61033783610282565b946020939093013593505050565b600060208284031215610356578081fd5b5035919050565b6000828483379101908152919050565b90565b60208082526004908201526374696d6560e01b604082015260600190565b9081526020019056fea2646970667358221220691e2252f87cf2fdc59bd78a41b0ef6b66b0ae1772e5eea34b15b14fb3a6552f64736f6c63430008010033
[codex:686724] 
[codex:686724] thinking
[codex:686724] **Interpreting EVM bytecode for exploit patterns**
[codex:686724] exec
[codex:686724] /bin/bash -lc "python - <<'PY'
[codex:686724] import binascii, textwrap
[codex:686724] from pathlib import Path
[codex:686724] bc = Path('/tmp/codex-multi-8x99heaw/runtime_bytecode.hex').read_text().strip()
[codex:686724] if bc.startswith('0x'): bc=bc[2:]
[codex:686724] code=bytes.fromhex(bc)
[codex:686724] # opcode mapping minimal
[codex:686724] opcodes={
[codex:686724] 0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:686724] 0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:686724] 0x20:'SHA3',
[codex:686724] 0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:686724] 0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:686724] 0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
[codex:686724] 0x5f:'PUSH0',
[codex:686724] 0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
[codex:686724] 0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
[codex:686724] 0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
[codex:686724] 0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
[codex:686724] 0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:686724] }
[codex:686724] 
[codex:686724] # disassemble
[codex:686724] pc=0
[codex:686724] lines=[]
[codex:686724] while pc < len(code):
[codex:686724]     op=code[pc]
[codex:686724]     name=opcodes.get(op, f'UNKNOWN_{op:02x}')
[codex:686724]     if 0x60 <= op <= 0x7f:
[codex:686724]         n=op-0x5f
[codex:686724]         data=code[pc+1:pc+1+n]
[codex:686724]         lines.append(f\"{pc:04x}: {name} 0x{data.hex()}\")
[codex:686724]         pc += 1+n
[codex:686724]     else:
[codex:686724]         lines.append(f\"{pc:04x}: {name}\")
[codex:686724]         pc +=1
[codex:686724] 
[codex:686724] print('\\n'.join(lines))
[codex:686724] PY" in /tmp/codex-multi-8x99heaw exited 1 in 36ms:
[codex:686724] Traceback (most recent call last):
[codex:686724]   File "<stdin>", line 3, in <module>
[codex:686724]   File "/home/noahkuhn/.local/share/uv/python/cpython-3.13.11-linux-x86_64-gnu/lib/python3.13/pathlib/_local.py", line 546, in read_text
[codex:686724]     return PathBase.read_text(self, encoding, errors, newline)
[codex:686724]            ~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[codex:686724]   File "/home/noahkuhn/.local/share/uv/python/cpython-3.13.11-linux-x86_64-gnu/lib/python3.13/pathlib/_abc.py", line 632, in read_text
[codex:686724]     with self.open(mode='r', encoding=encoding, errors=errors, newline=newline) as f:
[codex:686724]          ~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[codex:686724]   File "/home/noahkuhn/.local/share/uv/python/cpython-3.13.11-linux-x86_64-gnu/lib/python3.13/pathlib/_local.py", line 537, in open
[codex:686724]     return io.open(self, mode, buffering, encoding, errors, newline)
[codex:686724]            ~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[codex:686724] FileNotFoundError: [Errno 2] No such file or directory: '/tmp/codex-multi-8x99heaw/runtime_bytecode.hex'
[codex:686724] 
[codex:686724] thinking
[codex:686724] **Implementing bundle parsing**
[codex:686724] exec
[codex:686724] /bin/bash -lc "python - <<'PY'
[codex:686724] import re
[codex:686724] from pathlib import Path
[codex:686724] text=Path('/tmp/codex-multi-8x99heaw/BYTECODE_BUNDLE.txt').read_text()
[codex:686724] # extract runtime bytecode hex line after 'FILE: runtime_bytecode.hex'
[codex:686724] # find 0x... pattern
[codex:686724] m=re.search(r'0x[0-9a-fA-F]+', text)
[codex:686724] if not m:
[codex:686724]     raise SystemExit('no hex')
[codex:686724] hexstr=m.group(0)
[codex:686724] print('len',len(hexstr))
[codex:686724] code=bytes.fromhex(hexstr[2:])
[codex:686724] # disassemble
[codex:686724] opcodes={
[codex:686724] 0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:686724] 0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:686724] 0x20:'SHA3',
[codex:686724] 0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:686724] 0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:686724] 0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
[codex:686724] 0x5f:'PUSH0',
[codex:686724] 0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
[codex:686724] 0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
[codex:686724] 0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
[codex:686724] 0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
[codex:686724] 0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:686724] }
[codex:686724] 
[codex:686724] pc=0
[codex:686724] lines=[]
[codex:686724] while pc < len(code):
[codex:686724]     op=code[pc]
[codex:686724]     name=opcodes.get(op, f'UNKNOWN_{op:02x}')
[codex:686724]     if 0x60 <= op <= 0x7f:
[codex:686724]         n=op-0x5f
[codex:686724]         data=code[pc+1:pc+1+n]
[codex:686724]         lines.append(f\"{pc:04x}: {name} 0x{data.hex()}\")
[codex:686724]         pc += 1+n
[codex:686724]     else:
[codex:686724]         lines.append(f\"{pc:04x}: {name}\")
[codex:686724]         pc +=1
[codex:686724] 
[codex:686724] print('\\n'.join(lines))
[codex:686724] PY" in /tmp/codex-multi-8x99heaw succeeded in 28ms:
[codex:686724] len 1948
[codex:686724] 0000: PUSH1 0x80
[codex:686724] 0002: PUSH1 0x40
[codex:686724] 0004: MSTORE
[codex:686724] 0005: PUSH1 0x04
[codex:686724] 0007: CALLDATASIZE
[codex:686724] 0008: LT
[codex:686724] 0009: PUSH2 0x003f
[codex:686724] 000c: JUMPI
[codex:686724] 000d: PUSH1 0x00
[codex:686724] 000f: CALLDATALOAD
[codex:686724] 0010: PUSH1 0xe0
[codex:686724] 0012: SHR
[codex:686724] 0013: DUP1
[codex:686724] 0014: PUSH4 0x251c1aa3
[codex:686724] 0019: EQ
[codex:686724] 001a: PUSH2 0x00e1
[codex:686724] 001d: JUMPI
[codex:686724] 001e: DUP1
[codex:686724] 001f: PUSH4 0x42d5f4b2
[codex:686724] 
[codex:686724] 
[codex:686724] 
[codex:686724] thinking
[codex:686724] **Analyzing contract functions and security**
[codex:686724] 
[codex:686724] I’m carefully unpacking the contract’s functions, their storage slots, and access controls, focusing on who can call what and how value and data pass through calls. There’s a potential timelock with separate owner and beneficiary slots, owner-restricted execute calls, and a withdraw fallback limited to the beneficiary after unlock time. I’m double-checking if any functions lack proper access checks or allow unauthorized fund transfers, but so far owner controls seem solid and storage slots don’t appear modifiable. Let’s see if any subtle exploit paths appear.
[codex:686724] thinking
[codex:686724] **Examining fallback reentrancy and call argument flow**
[codex:686724] 
[codex:686724] I’m carefully tracing the fallback’s stack and call setup to confirm how ETH transfers happen, checking that call data sizes and memory pointers align with expectations. I’m also analyzing functions with dynamic bytes parameters and owner checks to see if any call or reentrancy paths could be abused. After a deep dive into argument decoding and call stacks, I don’t see any overlooked access controls or exploitable call sequences that would let non-owners profit.
[codex:686724] thinking
[codex:686724] **Verifying function call protections and callvalue constraints**
[codex:686724] 
[codex:686724] I’m carefully reviewing function selectors and dispatcher checks to confirm which functions accept ETH and how callvalue is restricted. I’m verifying owner checks and fallback payable behavior to ensure only authorized addresses trigger sensitive calls. By analyzing stack layouts and call argument patterns, I’m confirming call data handling and that fallback’s ETH withdrawal can’t be exploited via reentrancy or missing authorization. I’m setting up to symbolically simulate stack states in key functions to track argument flow and verify access controls precisely.
[codex:686724] exec
[codex:686724] /bin/bash -lc "python - <<'PY'
[codex:686724] from pathlib import Path
[codex:686724] import re
[codex:686724] text=Path('/tmp/codex-multi-8x99heaw/BYTECODE_BUNDLE.txt').read_text()
[codex:686724] hexstr=re.search(r'0x[0-9a-fA-F]+', text).group(0)[2:]
[codex:686724] code=bytes.fromhex(hexstr)
[codex:686724] # disassemble to list of (pc, op, arg)
[codex:686724] opcodes={
[codex:686724] 0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:686724] 0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:686724] 0x20:'SHA3',
[codex:686724] 0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:686724] 0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:686724] 0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
[codex:686724] 0x5f:'PUSH0',
[codex:686724] 0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
[codex:686724] 0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
[codex:686724] 0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
[codex:686724] 0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
[codex:686724] 0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:686724] }
[codex:686724] 
[codex:686724] # build pc->(op,arg)
[codex:686724] ops={}
[codex:686724] pc=0
[codex:686724] while pc < len(code):
[codex:686724]     op=code[pc]
[codex:686724]     name=opcodes.get(op, f'UNKNOWN_{op:02x}')
[codex:686724]     arg=None
[codex:686724]     if 0x60 <= op <= 0x7f:
[codex:686724]         n=op-0x5f
[codex:686724]         arg=code[pc+1:pc+1+n]
[codex:686724]         pc2=pc+1+n
[codex:686724]     else:
[codex:686724]         pc2=pc+1
[codex:686724]     ops[pc]=(name,arg)
[codex:686724]     pc=pc2
[codex:686724] 
[codex:686724] # simple symbolic execution for function 0x01ef -> 0x021d call
[codex:686724] start=0x01ef
[codex:686724] end=0x021d
[codex:686724] # We'll follow straight-line ignoring branches; stop at CALL at 0x022a
[codex:686724] stack=['R','A','B']  # bottom->top (R bottom)
[codex:686724] 
[codex:686724] def push(x):
[codex:686724]     stack.append(x)
[codex:686724] 
[codex:686724] def pop():
[codex:686724]     return stack.pop()
[codex:686724] 
[codex:686724] def dup(n):
[codex:686724]     stack.append(stack[-n])
[codex:686724] 
[codex:686724] def swap(n):
[codex:686724]     stack[-1], stack[-1-n] = stack[-1-n], stack[-1]
[codex:686724] 
[codex:686724] pc=start
[codex:686724] visited=set()
[codex:686724] while True:
[codex:686724]     name,arg = ops[pc]
[codex:686724]     if pc==0x022a:  # CALL in this function
[codex:686724]         print('stack before CALL:', stack)
[codex:686724]         break
[codex:686724]     # print(pc, name, arg.hex() if arg else '')
[codex:686724]     if name.startswith('PUSH'):
[codex:686724]         val=int.from_bytes(arg,'big')
[codex:686724]         push(f'const_{val:x}')
[codex:686724]     elif name.startswith('DUP'):
[codex:686724]         n=int(name[3:])
[codex:686724]         dup(n)
[codex:686724]     elif name.startswith('SWAP'):
[codex:686724]         n=int(name[4:])
[codex:686724]         swap(n)
[codex:686724]     elif name in ('POP','MLOAD','SLOAD','CALLER','CALLVALUE','TIMESTAMP','SELFBALANCE','GAS','RETURNDATASIZE'):
[codex:686724]         # treat as push of symbolic or pop
[codex:686724]         if name=='POP':
[codex:686724]             pop()
[codex:686724]         elif name in ('MLOAD','SLOAD','CALLER','CALLVALUE','TIMESTAMP','SELFBALANCE','GAS','RETURNDATASIZE'):
[codex:686724]             # pop for MLOAD and SLOAD? MLOAD pops offset, SLOAD pops slot
[codex:686724]             if name in ('MLOAD','SLOAD'):
[codex:686724]                 pop()
[codex:686724]             push(f'{name.lower()}_{pc:x}')
[codex:686724]     elif name in ('AND','EQ','ISZERO','SUB','ADD','SHL','GT','LT','SLT','SGT','OR','XOR','NOT','BYTE','SAR','SHR','ADDMOD','MULMOD','EXP','DIV','MOD'):
[codex:686724]         # pop operands; push new symbol
[codex:686724]         # for binary ops
[codex:686724]         if name in ('NOT',):
[codex:686724]             a=pop(); push(f'not({a})')
[codex:686724]         else:
[codex:686724]             b=pop(); a=pop(); push(f'{name.lower()}({a},{b})')
[codex:686724]     elif name in ('JUMP','JUMPI'):
[codex:686724]         # handle unconditional jumps to known addresses
[codex:686724]         if name=='JUMP':
[codex:686724]             dest=pop()
[codex:686724]             # if dest is a const, jump
[codex:686724]             if dest.startswith('const_'):
[codex:686724]                 pc=int(dest.split('_')[1],16)
[codex:686724]                 continue
[codex:686724]             else:
[codex:686724]                 print('dynamic jump to', dest)
[codex:686724]                 break
[codex:686724]         else:
[codex:686724]             # JUMPI: pop dest and condition, assume condition true and jump to const if available, else continue
[codex:686724]             dest=pop(); cond=pop()
[codex:686724]             if isinstance(dest,str) and dest.startswith('const_'):
[codex:686724]                 pc=int(dest.split('_')[1],16)
[codex:686724]                 continue
[codex:686724]             else:
[codex:686724]                 break
[codex:686724]     elif name=='CALLDATACOPY' or name=='MSTORE' or name=='MSTORE8' or name=='CALLDATALOAD':
[codex:686724]         # CALLDATACOPY pops 3 args, MSTORE pops 2, CALLDATALOAD pops 1 push value
[codex:686724]         if name=='CALLDATACOPY':
[codex:686724]             pop(); pop(); pop()
[codex:686724]         elif name=='MSTORE':
[codex:686724]             pop(); pop()
[codex:686724]         elif name=='MSTORE8':
[codex:686724]             pop(); pop()
[codex:686724]         elif name=='CALLDATALOAD':
[codex:686724]             pop(); push(f'calldata_{pc:x}')
[codex:686724]     elif name=='REVERT':
[codex:686724]         break
[codex:686724]     elif name=='JUMPDEST':
[codex:686724]         pass
[codex:686724]     elif name=='CALL':
[codex:686724]         # should not reach
[codex:686724]         break
[codex:686724]     else:
[codex:686724]         # ignore other
[codex:686724]         pass
[codex:686724]     # advance pc
[codex:686724]     # find next pc sequentially
[codex:686724]     # compute size
[codex:686724]     if name.startswith('PUSH'):
[codex:686724]         pc += 1 + (len(arg))
[codex:686724]     else:
[codex:686724]         pc +=1
[codex:686724] 
[codex:686724] PY" in /tmp/codex-multi-8x99heaw succeeded in 34ms:
[codex:686724] stack before CALL: ['R', 'A', 'B', 'and(A,sub(const_1,shl(const_1,const_a0)))', 'B', 'mload_214', 'const_0', 'mload_222', 'sub(mload_222,mload_214)', 'mload_222', 'B', 'and(A,sub(const_1,shl(const_1,const_a0)))', 'gas_229']
[codex:686724] 
[codex:686724] thinking
[codex:686724] **Analyzing CALL stack parameters**
[codex:686724] exec
[codex:686724] /bin/bash -lc "python - <<'PY'
[codex:686724] from pathlib import Path
[codex:686724] import re
[codex:686724] text=Path('/tmp/codex-multi-8x99heaw/BYTECODE_BUNDLE.txt').read_text()
[codex:686724] hexstr=re.search(r'0x[0-9a-fA-F]+', text).group(0)[2:]
[codex:686724] code=bytes.fromhex(hexstr)
[codex:686724] # opcodes mapping (same as before)
[codex:686724] opcodes={
[codex:686724] 0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:686724] 0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:686724] 0x20:'SHA3',
[codex:686724] 0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:686724] 0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:686724] 0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
[codex:686724] 0x5f:'PUSH0',
[codex:686724] 0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
[codex:686724] 0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
[codex:686724] 0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
[codex:686724] 0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
[codex:686724] 0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:686724] }
[codex:686724] 
[codex:686724] # build pc->(op,arg)
[codex:686724] ops={}
[codex:686724] pc=0
[codex:686724] while pc < len(code):
[codex:686724]     op=code[pc]
[codex:686724]     name=opcodes.get(op, f'UNKNOWN_{op:02x}')
[codex:686724]     arg=None
[codex:686724]     if 0x60 <= op <= 0x7f:
[codex:686724]         n=op-0x5f
[codex:686724]         arg=code[pc+1:pc+1+n]
[codex:686724]         pc2=pc+1+n
[codex:686724]     else:
[codex:686724]         pc2=pc+1
[codex:686724]     ops[pc]=(name,arg)
[codex:686724]     pc=pc2
[codex:686724] 
[codex:686724] # symbolic execution for function 0x0172 call
[codex:686724] stack=['R','A','B','C']  # R bottom, C top
[codex:686724] 
[codex:686724] # helper functions
[codex:686724] 
[codex:686724] def push(x):
[codex:686724]     stack.append(x)
[codex:686724] 
[codex:686724] def pop():
[codex:686724]     return stack.pop()
[codex:686724] 
[codex:686724] def dup(n):
[codex:686724]     stack.append(stack[-n])
[codex:686724] 
[codex:686724] def swap(n):
[codex:686724]     stack[-1], stack[-1-n] = stack[-1-n], stack[-1]
[codex:686724] 
[codex:686724] pc=0x0172
[codex:686724] steps=0
[codex:686724] while True:
[codex:686724]     name,arg=ops[pc]
[codex:686724]     if pc==0x01b2:  # CALL
[codex:686724]         print('stack before CALL:', stack)
[codex:686724]         break
[codex:686724]     # print(hex(pc), name, arg.hex() if arg else '')
[codex:686724]     if name.startswith('PUSH'):
[codex:686724]         val=int.from_bytes(arg,'big')
[codex:686724]         push(f'const_{val:x}')
[codex:686724]     elif name.startswith('DUP'):
[codex:686724]         dup(int(name[3:]))
[codex:686724]     elif name.startswith('SWAP'):
[codex:686724]         swap(int(name[4:]))
[codex:686724]     elif name in ('POP','MLOAD','SLOAD','CALLER','CALLVALUE','TIMESTAMP','SELFBALANCE','GAS','RETURNDATASIZE'):
[codex:686724]         if name=='POP':
[codex:686724]             pop()
[codex:686724]         elif name in ('MLOAD','SLOAD'):
[codex:686724]             pop(); push(f'{name.lower()}_{pc:x}')
[codex:686724]         else:
[codex:686724]             push(f'{name.lower()}_{pc:x}')
[codex:686724]     elif name in ('AND','EQ','ISZERO','SUB','ADD','SHL','GT','LT','SLT','SGT','OR','XOR','NOT','BYTE','SAR','SHR','ADDMOD','MULMOD','EXP','DIV','MOD'):
[codex:686724]         if name=='NOT':
[codex:686724]             a=pop(); push(f'not({a})')
[codex:686724]         else:
[codex:686724]             b=pop(); a=pop(); push(f'{name.lower()}({a},{b})')
[codex:686724]     elif name=='CALLDATACOPY':
[codex:686724]         pop(); pop(); pop()
[codex:686724]     elif name=='MSTORE':
[codex:686724]         pop(); pop()
[codex:686724]     elif name=='CALLDATALOAD':
[codex:686724]         pop(); push(f'calldata_{pc:x}')
[codex:686724]     elif name in ('JUMP','JUMPI'):
[codex:686724]         if name=='JUMP':
[codex:686724]             dest=pop()
[codex:686724]             if dest.startswith('const_'):
[codex:686724]                 pc=int(dest.split('_')[1],16)
[codex:686724]                 continue
[codex:686724]             else:
[codex:686724]                 print('dynamic jump to',dest); break
[codex:686724]         else:
[codex:686724]             dest=pop(); cond=pop()
[codex:686724]             if dest.startswith('const_'):
[codex:686724]                 pc=int(dest.split('_')[1],16)
[codex:686724]                 continue
[codex:686724]             else:
[codex:686724]                 break
[codex:686724]     elif name in ('REVERT','RETURN','STOP'):
[codex:686724]         break
[codex:686724]     elif name=='JUMPDEST':
[codex:686724]         pass
[codex:686724]     else:
[codex:686724]         pass
[codex:686724]     # advance pc
[codex:686724]     if name.startswith('PUSH'):
[codex:686724]         pc += 1 + len(arg)
[codex:686724]     else:
[codex:686724]         pc += 1
[codex:686724]     steps+=1
[codex:686724]     if steps>1000:
[codex:686724]         break
[codex:686724] 
[codex:686724] PY" in /tmp/codex-multi-8x99heaw succeeded in 29ms:
[codex:686724] stack before CALL: ['R', 'A', 'B', 'C', 'and(A,sub(const_1,shl(const_1,const_a0)))', 'const_0', 'add(mload_19a,C)', 'const_0', 'mload_1aa', 'sub(mload_1aa,add(mload_19a,C))', 'mload_1aa', 'const_0', 'and(A,sub(const_1,shl(const_1,const_a0)))', 'gas_1b1']
[codex:686724] 
[codex:686724] 
[codex:686724] thinking
[codex:686724] **Analyzing stack and call parameters**
[codex:686724] thinking
[codex:686724] **Investigating dynamic bytes decoding behavior**
[codex:686724] 
[codex:686724] I’m piecing together how the decoder 0x029e reads and verifies the uint64 argument and handles dynamic bytes by inspecting calldata offsets and length checks. It looks like the function actually returns multiple related values for the dynamic bytes—likely both offset and length—besides the fixed args, which explains the stack usage and helps clarify how the call copies calldata into memory before invoking the external call. This refined decoding helps me understand the parameters feeding into the call more precisely.
[codex:686724] exec
[codex:686724] /bin/bash -lc "python - <<'PY'
[codex:686724] from pathlib import Path
[codex:686724] import re
[codex:686724] text=Path('/tmp/codex-multi-8x99heaw/BYTECODE_BUNDLE.txt').read_text()
[codex:686724] hexstr=re.search(r'0x[0-9a-fA-F]+', text).group(0)[2:]
[codex:686724] code=bytes.fromhex(hexstr)
[codex:686724] # opcodes mapping
[codex:686724] opcodes={
[codex:686724] 0x00:'STOP',0x01:'ADD',0x02:'MUL',0x03:'SUB',0x04:'DIV',0x05:'SDIV',0x06:'MOD',0x07:'SMOD',0x08:'ADDMOD',0x09:'MULMOD',0x0a:'EXP',0x0b:'SIGNEXTEND',
[codex:686724] 0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1a:'BYTE',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:686724] 0x20:'SHA3',
[codex:686724] 0x30:'ADDRESS',0x31:'BALANCE',0x32:'ORIGIN',0x33:'CALLER',0x34:'CALLVALUE',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY',0x38:'CODESIZE',0x39:'CODECOPY',0x3a:'GASPRICE',0x3b:'EXTCODESIZE',0x3c:'EXTCODECOPY',0x3d:'RETURNDATASIZE',0x3e:'RETURNDATACOPY',0x3f:'EXTCODEHASH',
[codex:686724] 0x40:'BLOCKHASH',0x41:'COINBASE',0x42:'TIMESTAMP',0x43:'NUMBER',0x44:'DIFFICULTY',0x45:'GASLIMIT',0x46:'CHAINID',0x47:'SELFBALANCE',0x48:'BASEFEE',
[codex:686724] 0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x58:'PC',0x59:'MSIZE',0x5a:'GAS',0x5b:'JUMPDEST',
[codex:686724] 0x5f:'PUSH0',
[codex:686724] 0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
[codex:686724] 0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
[codex:686724] 0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
[codex:686724] 0xa0:'LOG0',0xa1:'LOG1',0xa2:'LOG2',0xa3:'LOG3',0xa4:'LOG4',
[codex:686724] 0xf0:'CREATE',0xf1:'CALL',0xf2:'CALLCODE',0xf3:'RETURN',0xf4:'DELEGATECALL',0xf5:'CREATE2',0xfa:'STATICCALL',0xfd:'REVERT',0xfe:'INVALID',0xff:'SELFDESTRUCT'
[codex:686724] }
[codex:686724] 
[codex:686724] ops={}
[codex:686724] pc=0
[codex:686724] while pc < len(code):
[codex:686724]     op=code[pc]; name=opcodes.get(op, f'UNKNOWN_{op:02x}'); arg=None
[codex:686724]     if 0x60 <= op <= 0x7f:
[codex:686724]         n=op-0x5f
[codex:686724]         arg=code[pc+1:pc+1+n]
[codex:686724]         pc2=pc+1+n
[codex:686724]     else:
[codex:686724]         pc2=pc+1
[codex:686724]     ops[pc]=(name,arg)
[codex:686724]     pc=pc2
[codex:686724] 
[codex:686724] # symbolic expression class
[codex:686724] class Expr:
[codex:686724]     def __init__(self, name, args=None):
[codex:686724]         self.name=name
[codex:686724]         self.args=args or []
[codex:686724]     def __repr__(self):
[codex:686724]         if not self.args:
[codex:686724]             return self.name
[codex:686724]         return f\"{self.name}({','.join(map(str,self.args))})\"
[codex:686724] 
[codex:686724] # simple simplification for add/sub with constants
[codex:686724] 
[codex:686724] def is_const(e):
[codex:686724]     return isinstance(e, Expr) and e.name.startswith('const_')
[codex:686724] 
[codex:686724] def const_val(e):
[codex:686724]     return int(e.name.split('_')[1],16)
[codex:686724] 
[codex:686724] def make_const(val):
[codex:686724]     return Expr(f'const_{val:x}')
[codex:686724] 
[codex:686724] # start stack at entry: [ret0, ret1, cds, off]
[codex:686724] stack=[Expr('ret0'), Expr('ret1'), Expr('cds'), Expr('off')]
[codex:686724] 
[codex:686724] pc=0x029e
[codex:686724] steps=0
[codex:686724] 
[codex:686724] # function to resolve call data label
[codex:686724] 
[codex:686724] def label_calldataload(offset_expr):
[codex:686724]     # try to compute offset if expression is const or off+const
[codex:686724]     if is_const(offset_expr):
[codex:686724]         off=const_val(offset_expr)
[codex:686724]         if off==0x04:
[codex:686724]             return Expr('arg1_addr_raw')
[codex:686724]     # off + const
[codex:686724]     if isinstance(offset_expr, Expr) and offset_expr.name=='add' and len(offset_expr.args)==2:
[codex:686724]         a,b=offset_expr.args
[codex:686724]         # if a is off and b const
[codex:686724]         if a.name=='off' and is_const(b):
[codex:686724]             off = const_val(b)
[codex:686724]             if off==0x20:
[codex:686724]                 return Expr('arg2_uint64_raw')
[codex:686724]             if off==0x40:
[codex:686724]                 return Expr('arg3_offset_raw')
[codex:686724]     # unknown
[codex:686724]     return Expr(f'calldata({offset_expr})')
[codex:686724] 
[codex:686724] while True:
[codex:686724]     name,arg=ops[pc]
[codex:686724]     if pc==0x031a:  # before final jump
[codex:686724]         print('stack before final jump:', stack)
[codex:686724]         break
[codex:686724]     # print(hex(pc), name, arg.hex() if arg else '')
[codex:686724]     if name.startswith('PUSH'):
[codex:686724]         val=int.from_bytes(arg,'big'); stack.append(make_const(val))
[codex:686724]     elif name.startswith('DUP'):
[codex:686724]         n=int(name[3:]); stack.append(stack[-n])
[codex:686724]     elif name.startswith('SWAP'):
[codex:686724]         n=int(name[4:]); stack[-1], stack[-1-n] = stack[-1-n], stack[-1]
[codex:686724]     elif name=='POP':
[codex:686724]         stack.pop()
[codex:686724]     elif name=='CALLDATALOAD':
[codex:686724]         off=stack.pop()
[codex:686724]         stack.append(label_calldataload(off))
[codex:686724]     elif name=='CALLDATASIZE':
[codex:686724]         stack.append(Expr('cds'))
[codex:686724]     elif name in ('MLOAD','SLOAD'):
[codex:686724]         stack.pop(); stack.append(Expr(name.lower()))
[codex:686724]     elif name in ('ADD','SUB','GT','LT','SLT','SGT','EQ','AND','OR','XOR','SHL','SHR','SAR'):
[codex:686724]         b=stack.pop(); a=stack.pop();
[codex:686724]         # attempt constant folding for add/sub
[codex:686724]         if name=='ADD' and is_const(a) and is_const(b):
[codex:686724]             stack.append(make_const(const_val(a)+const_val(b)))
[codex:686724]         elif name=='SUB' and is_const(a) and is_const(b):
[codex:686724]             stack.append(make_const((const_val(a)-const_val(b)) & ((1<<256)-1)))
[codex:686724]         else:
[codex:686724]             stack.append(Expr(name.lower(), [a,b]))
[codex:686724]     elif name=='ISZERO':
[codex:686724]         a=stack.pop(); stack.append(Expr('iszero',[a]))
[codex:686724]     elif name=='JUMPI':
[codex:686724]         dest=stack.pop(); cond=stack.pop()
[codex:686724]         # assume cond true
[codex:686724]         if is_const(dest):
[codex:686724]             pc=const_val(dest); continue
[codex:686724]         else:
[codex:686724]             print('dynamic JUMPI dest', dest); break
[codex:686724]     elif name=='JUMP':
[codex:686724]         dest=stack.pop()
[codex:686724]         if is_const(dest):
[codex:686724]             pc=const_val(dest); continue
[codex:686724]         else:
[codex:686724]             print('dynamic JUMP dest', dest); break
[codex:686724]     elif name=='CALLDATACOPY':
[codex:686724]         # pop 3 args
[codex:686724]         stack.pop(); stack.pop(); stack.pop()
[codex:686724]     elif name in ('REVERT','RETURN','STOP'):
[codex:686724]         print('halt'); break
[codex:686724]     elif name=='JUMPDEST':
[codex:686724]         pass
[codex:686724]     else:
[codex:686724]         # ignore other ops
[codex:686724]         pass
[codex:686724]     # advance pc
[codex:686724]     if name.startswith('PUSH'):
[codex:686724]         pc += 1 + len(arg)
[codex:686724]     else:
[codex:686724]         pc += 1
[codex:686724]     steps+=1
[codex:686724]     if steps>2000:
[codex:686724]         print('too many steps'); break
[codex:686724] 
[codex:686724] PY" in /tmp/codex-multi-8x99heaw succeeded in 28ms:
[codex:686724] stack before final jump: [ret0, ret1, add(const_20,add(calldata(add(const_20,off)),off)), calldata(add(calldata(add(const_20,off)),off)), calldata(off)]
[codex:686724] 
[codex:686724] thinking
[codex:686724] **Analyzing final decoder stack and jumps**
[codex:686724] exec
[codex:686724] /bin/bash -lc "python - <<'PY'
[codex:686724] from pathlib import Path
[codex:686724] import re
[codex:686724] text=Path('/tmp/codex-multi-8x99heaw/BYTECODE_BUNDLE.txt').read_text()
[codex:686724] hexstr=re.search(r'0x[0-9a-fA-F]+', text).group(0)[2:]
[codex:686724] code=bytes.fromhex(hexstr)
[codex:686724] # opcodes mapping truncated for needed
[codex:686724] opcodes={
[codex:686724] 0x50:'POP',0x51:'MLOAD',0x52:'MSTORE',0x53:'MSTORE8',0x54:'SLOAD',0x55:'SSTORE',0x56:'JUMP',0x57:'JUMPI',0x5b:'JUMPDEST',
[codex:686724] 0x5f:'PUSH0',
[codex:686724] 0x60:'PUSH1',0x61:'PUSH2',0x62:'PUSH3',0x63:'PUSH4',0x64:'PUSH5',0x65:'PUSH6',0x66:'PUSH7',0x67:'PUSH8',0x68:'PUSH9',0x69:'PUSH10',0x6a:'PUSH11',0x6b:'PUSH12',0x6c:'PUSH13',0x6d:'PUSH14',0x6e:'PUSH15',0x6f:'PUSH16',0x70:'PUSH17',0x71:'PUSH18',0x72:'PUSH19',0x73:'PUSH20',0x74:'PUSH21',0x75:'PUSH22',0x76:'PUSH23',0x77:'PUSH24',0x78:'PUSH25',0x79:'PUSH26',0x7a:'PUSH27',0x7b:'PUSH28',0x7c:'PUSH29',0x7d:'PUSH30',0x7e:'PUSH31',0x7f:'PUSH32',
[codex:686724] 0x80:'DUP1',0x81:'DUP2',0x82:'DUP3',0x83:'DUP4',0x84:'DUP5',0x85:'DUP6',0x86:'DUP7',0x87:'DUP8',0x88:'DUP9',0x89:'DUP10',0x8a:'DUP11',0x8b:'DUP12',0x8c:'DUP13',0x8d:'DUP14',0x8e:'DUP15',0x8f:'DUP16',
[codex:686724] 0x90:'SWAP1',0x91:'SWAP2',0x92:'SWAP3',0x93:'SWAP4',0x94:'SWAP5',0x95:'SWAP6',0x96:'SWAP7',0x97:'SWAP8',0x98:'SWAP9',0x99:'SWAP10',0x9a:'SWAP11',0x9b:'SWAP12',0x9c:'SWAP13',0x9d:'SWAP14',0x9e:'SWAP15',0x9f:'SWAP16',
[codex:686724] 0x10:'LT',0x11:'GT',0x12:'SLT',0x13:'SGT',0x14:'EQ',0x15:'ISZERO',0x16:'AND',0x17:'OR',0x18:'XOR',0x19:'NOT',0x1b:'SHL',0x1c:'SHR',0x1d:'SAR',
[codex:686724] 0x01:'ADD',0x03:'SUB',0x35:'CALLDATALOAD',0x36:'CALLDATASIZE',0x37:'CALLDATACOPY'
[codex:686724] }
[codex:686724] 
[codex:686724] ops={}
[codex:686724] pc=0
[codex:686724] while pc < len(code):
[codex:686724]     op=code[pc]; name=opcodes.get(op, f'UNKNOWN_{op:02x}'); arg=None
[codex:686724]     if 0x60 <= op <= 0x7f:
[codex:686724]         n=op-0x5f
[codex:686724]         arg=code[pc+1:pc+1+n]
[codex:686724]         pc2=pc+1+n
[codex:686724]     else:
[codex:686724]         pc2=pc+1
[codex:686724]     ops[pc]=(name,arg)
[codex:686724]     pc=pc2
[codex:686724] 
[codex:686724] class Expr:
[codex:686724]     def __init__(self, name, args=None):
[codex:686724]         self.name=name; self.args=args or []
[codex:686724]     def __repr__(self):
[codex:686724]         if not self.args: return self.name
[codex:686724]         return f\"{self.name}({','.join(map(str,self.args))})\"
[codex:686724] 
[codex:686724] # helper
[codex:686724] 
[codex:686724] def is_const(e):
[codex:686724]     return isinstance(e, Expr) and e.name.startswith('const_')
[codex:686724] 
[codex:686724] def const_val(e):
[codex:686724]     return int(e.name.split('_')[1],16)
[codex:686724] 
[codex:686724] def make_const(v):
[codex:686724]     return Expr(f'const_{v:x}')
[codex:686724] 
[codex:686724] def label_calldataload(offset_expr):
[codex:686724]     # simple labels
[codex:686724]     if is_const(offset_expr):
[codex:686724]         if const_val(offset_expr)==0x04:
[codex:686724]             return Expr('arg_addr')
[codex:686724]     if isinstance(offset_expr, Expr) and offset_expr.name=='add':
[codex:686724]         a,b=offset_expr.args
[codex:686724]         if a.name=='off' and is_const(b) and const_val(b)==0x20:
[codex:686724]             return Expr('arg_offset')
[codex:686724]     return Expr(f'calldata({offset_expr})')
[codex:686724] 
[codex:686724] stack=[Expr('ret0'), Expr('ret1'), Expr('cds'), Expr('off')]
[codex:686724] pc=0x029e
[codex:686724] steps=0
[codex:686724] 
[codex:686724] while True:
[codex:686724]     name,arg=ops[pc]
[codex:686724]     if pc==0x031b:  # before JUMP
[codex:686724]         print('stack before JUMP at 0x031b:', stack)
[codex:686724]         dest=stack[-1]
[codex:686724]         print('jump dest', dest)
[codex:686724]         break
[codex:686724]     if name.startswith('PUSH'):
[codex:686724]         stack.append(make_const(int.from_bytes(arg,'big')))
[codex:686724]     elif name.startswith('DUP'):
[codex:686724]         stack.append(stack[-int(name[3:])])
[codex:686724]     elif name.startswith('SWAP'):
[codex:686724]         n=int(name[4:]); stack[-1], stack[-1-n] = stack[-1-n], stack[-1]
[codex:686724]     elif name=='POP':
[codex:686724]         stack.pop()
[codex:686724]     elif name=='CALLDATALOAD':
[codex:686724]         off=stack.pop(); stack.append(label_calldataload(off))
[codex:686724]     elif name=='CALLDATASIZE':
[codex:686724]         stack.append(Expr('cds'))
[codex:686724]     elif name in ('ADD','SUB','GT','LT','SLT','SGT','EQ','AND','OR','XOR','SHL','SHR','SAR'):
[codex:686724]         b=stack.pop(); a=stack.pop();
[codex:686724]         if name=='ADD' and is_const(a) and is_const(b):
[codex:686724]             stack.append(make_const(const_val(a)+const_val(b)))
[codex:686724]         elif name=='SUB' and is_const(a) and is_const(b):
[codex:686724]             stack.append(make_const((const_val(a)-const_val(b)) & ((1<<256)-1)))
[codex:686724]         else:
[codex:686724]             stack.append(Expr(name.lower(), [a,b]))
[codex:686724]     elif name=='ISZERO':
[codex:686724]         a=stack.pop(); stack.append(Expr('iszero',[a]))
[codex:686724]     elif name=='JUMPI':
[codex:686724]         dest=stack.pop(); cond=stack.pop();
[codex:686724]         if is_const(dest):
[codex:686724]             pc=const_val(dest); continue
[codex:686724]         else:
[codex:686724]             break
[codex:686724]     elif name=='JUMP':
[codex:686724]         dest=stack.pop();
[codex:686724]         if is_const(dest):
[codex:686724]             pc=const_val(dest); continue
[codex:686724]         else:
[codex:686724]             break
[codex:686724]     elif name=='CALLDATACOPY':
[codex:686724]         stack.pop(); stack.pop(); stack.pop()
[codex:686724]     else:
[codex:686724]         pass
[codex:686724]     pc += 1 + (len(arg) if name.startswith('PUSH') else 0)
[codex:686724]     steps+=1
[codex:686724]     if steps>2000:
[codex:686724]         break
[codex:686724] 
[codex:686724] PY" in /tmp/codex-multi-8x99heaw succeeded in 28ms:
[codex:686724] stack before JUMP at 0x031b: [ret0, calldata(off), add(const_20,add(calldata(add(const_20,off)),off)), calldata(add(calldata(add(const_20,off)),off)), ret1]
[codex:686724] jump dest ret1
[codex:686724] 
[codex:686724] thinking
[codex:686724] **Analyzing bytecode for vulnerabilities**
[codex:686724] exec
[codex:686724] /bin/bash -lc 'cat /tmp/codex-multi-8x99heaw/codex-output-schema.json' in /tmp/codex-multi-8x99heaw succeeded in 6ms:
[codex:686724] {"type": "object", "additionalProperties": false, "required": ["no_findings", "summary", "findings"], "properties": {"no_findings": {"type": "boolean"}, "summary": {"type": "string"}, "findings": {"type": "array", "items": {"type": "object", "additionalProperties": false, "required": ["severity", "category", "title", "evidence", "locations", "exploit_scenario", "recommendation"], "properties": {"severity": {"type": "string", "enum": ["info", "low", "medium", "high", "critical"]}, "category": {"type": "string", "enum": ["access_control", "reentrancy", "math", "oracle", "upgradeability", "auth", "other"]}, "title": {"type": "string"}, "exploit_scenario": {"type": "string"}, "recommendation": {"type": "string"}, "evidence": {"type": "string"}, "locations": {"type": "array", "items": {"type": "string"}}}}}}}
[codex:686724] 
[codex:686724] thinking
[codex:686724] **Preparing JSON output with no findings**
[codex:686724] codex
[codex:686724] {"no_findings":true,"summary":"No concrete, exploitable profit path identified from the runtime bytecode in BYTECODE_BUNDLE.txt.","findings":[]}
[codex:686724] tokens used
[codex:686724] 68,275
[codex:686724] {"no_findings":true,"summary":"No concrete, exploitable profit path identified from the runtime bytecode in BYTECODE_BUNDLE.txt.","findings":[]}
Metadata 
{
    "codex": {
        "ran_at": "2026-01-02T22:19:18.734206+00:00",
        "returncode": 0
    },
    "summary": "No concrete, exploitable profit path identified from the runtime bytecode in BYTECODE_BUNDLE.txt.",
    "raw_final": {
        "summary": "No concrete, exploitable profit path identified from the runtime bytecode in BYTECODE_BUNDLE.txt.",
        "findings": [],
        "no_findings": true
    },
    "no_findings": true,
    "schema_version": 1
}

Opcode Heuristics

tool.cast_disasm
Delegatecall
0
Selfdestruct
0
CREATE2
0
CALL-family (heavy)
3
EXT*/BALANCE
0
Total opcodes
691
Flags
No heuristic flags raised.
View cast disassembly output 
00000000: PUSH1 0x80
00000002: PUSH1 0x40
00000004: MSTORE
00000005: PUSH1 0x04
00000007: CALLDATASIZE
00000008: LT
00000009: PUSH2 0x003f
0000000c: JUMPI
0000000d: PUSH1 0x00
0000000f: CALLDATALOAD
00000010: PUSH1 0xe0
00000012: SHR
00000013: DUP1
00000014: PUSH4 0x251c1aa3
00000019: EQ
0000001a: PUSH2 0x00e1
0000001d: JUMPI
0000001e: DUP1
0000001f: PUSH4 0x42d5f4b2
00000024: EQ
00000025: PUSH2 0x010c
00000028: JUMPI
00000029: DUP1
0000002a: PUSH4 0x95756c04
0000002f: EQ
00000030: PUSH2 0x012c
00000033: JUMPI
00000034: DUP1
00000035: PUSH4 0xfa449d83
0000003a: EQ
0000003b: PUSH2 0x014c
0000003e: JUMPI
0000003f: JUMPDEST
00000040: PUSH1 0x01
00000042: SLOAD
00000043: PUSH1 0x01
00000045: PUSH1 0x01
00000047: PUSH1 0xa0
00000049: SHL
0000004a: SUB
0000004b: AND
0000004c: CALLER
0000004d: EQ
0000004e: ISZERO
0000004f: PUSH2 0x00df
00000052: JUMPI
00000053: PUSH1 0x02
00000055: SLOAD
00000056: TIMESTAMP
00000057: GT
00000058: PUSH2 0x007c
0000005b: JUMPI
0000005c: PUSH1 0x40
0000005e: MLOAD
0000005f: PUSH3 0x461bcd
00000063: PUSH1 0xe5
00000065: SHL
00000066: DUP2
00000067: MSTORE
00000068: PUSH1 0x04
0000006a: ADD
0000006b: PUSH2 0x0073
0000006e: SWAP1
0000006f: PUSH2 0x0370
00000072: JUMP
00000073: JUMPDEST
00000074: PUSH1 0x40
00000076: MLOAD
00000077: DUP1
00000078: SWAP2
00000079: SUB
0000007a: SWAP1
0000007b: REVERT
0000007c: JUMPDEST
0000007d: PUSH1 0x01
0000007f: SLOAD
00000080: PUSH1 0x40
00000082: MLOAD
00000083: PUSH1 0x01
00000085: PUSH1 0x01
00000087: PUSH1 0xa0
00000089: SHL
0000008a: SUB
0000008b: SWAP1
0000008c: SWAP2
0000008d: AND
0000008e: SWAP1
0000008f: SELFBALANCE
00000090: SWAP1
00000091: PUSH2 0x0099
00000094: SWAP1
00000095: PUSH2 0x036d
00000098: JUMP
00000099: JUMPDEST
0000009a: PUSH1 0x00
0000009c: PUSH1 0x40
0000009e: MLOAD
0000009f: DUP1
000000a0: DUP4
000000a1: SUB
000000a2: DUP2
000000a3: DUP6
000000a4: DUP8
000000a5: GAS
000000a6: CALL
000000a7: SWAP3
000000a8: POP
000000a9: POP
000000aa: POP
000000ab: RETURNDATASIZE
000000ac: DUP1
000000ad: PUSH1 0x00
000000af: DUP2
000000b0: EQ
000000b1: PUSH2 0x00d6
000000b4: JUMPI
000000b5: PUSH1 0x40
000000b7: MLOAD
000000b8: SWAP2
000000b9: POP
000000ba: PUSH1 0x1f
000000bc: NOT
000000bd: PUSH1 0x3f
000000bf: RETURNDATASIZE
000000c0: ADD
000000c1: AND
000000c2: DUP3
000000c3: ADD
000000c4: PUSH1 0x40
000000c6: MSTORE
000000c7: RETURNDATASIZE
000000c8: DUP3
000000c9: MSTORE
000000ca: RETURNDATASIZE
000000cb: PUSH1 0x00
000000cd: PUSH1 0x20
000000cf: DUP5
000000d0: ADD
000000d1: RETURNDATACOPY
000000d2: PUSH2 0x00db
000000d5: JUMP
000000d6: JUMPDEST
000000d7: PUSH1 0x60
000000d9: SWAP2
000000da: POP
000000db: JUMPDEST
000000dc: POP
000000dd: POP
000000de: POP
000000df: JUMPDEST
000000e0: STOP
000000e1: JUMPDEST
000000e2: CALLVALUE
000000e3: DUP1
000000e4: ISZERO
000000e5: PUSH2 0x00ed
000000e8: JUMPI
000000e9: PUSH1 0x00
000000eb: DUP1
000000ec: REVERT
000000ed: JUMPDEST
000000ee: POP
000000ef: PUSH2 0x00f6
000000f2: PUSH2 0x016c
000000f5: JUMP
000000f6: JUMPDEST
000000f7: PUSH1 0x40
000000f9: MLOAD
000000fa: PUSH2 0x0103
000000fd: SWAP2
000000fe: SWAP1
000000ff: PUSH2 0x038e
00000102: JUMP
00000103: JUMPDEST
00000104: PUSH1 0x40
00000106: MLOAD
00000107: DUP1
00000108: SWAP2
00000109: SUB
0000010a: SWAP1
0000010b: RETURN
0000010c: JUMPDEST
0000010d: CALLVALUE
0000010e: DUP1
0000010f: ISZERO
00000110: PUSH2 0x0118
00000113: JUMPI
00000114: PUSH1 0x00
00000116: DUP1
00000117: REVERT
00000118: JUMPDEST
00000119: POP
0000011a: PUSH2 0x00df
0000011d: PUSH2 0x0127
00000120: CALLDATASIZE
00000121: PUSH1 0x04
00000123: PUSH2 0x029e
00000126: JUMP
00000127: JUMPDEST
00000128: PUSH2 0x0172
0000012b: JUMP
0000012c: JUMPDEST
0000012d: CALLVALUE
0000012e: DUP1
0000012f: ISZERO
00000130: PUSH2 0x0138
00000133: JUMPI
00000134: PUSH1 0x00
00000136: DUP1
00000137: REVERT
00000138: JUMPDEST
00000139: POP
0000013a: PUSH2 0x00df
0000013d: PUSH2 0x0147
00000140: CALLDATASIZE
00000141: PUSH1 0x04
00000143: PUSH2 0x031c
00000146: JUMP
00000147: JUMPDEST
00000148: PUSH2 0x01ef
0000014b: JUMP
0000014c: JUMPDEST
0000014d: CALLVALUE
0000014e: DUP1
0000014f: ISZERO
00000150: PUSH2 0x0158
00000153: JUMPI
00000154: PUSH1 0x00
00000156: DUP1
00000157: REVERT
00000158: JUMPDEST
00000159: POP
0000015a: PUSH2 0x00df
0000015d: PUSH2 0x0167
00000160: CALLDATASIZE
00000161: PUSH1 0x04
00000163: PUSH2 0x0345
00000166: JUMP
00000167: JUMPDEST
00000168: PUSH2 0x0266
0000016b: JUMP
0000016c: JUMPDEST
0000016d: PUSH1 0x02
0000016f: SLOAD
00000170: DUP2
00000171: JUMP
00000172: JUMPDEST
00000173: PUSH1 0x00
00000175: SLOAD
00000176: PUSH1 0x01
00000178: PUSH1 0x01
0000017a: PUSH1 0xa0
0000017c: SHL
0000017d: SUB
0000017e: AND
0000017f: CALLER
00000180: EQ
00000181: PUSH2 0x0189
00000184: JUMPI
00000185: PUSH1 0x00
00000187: DUP1
00000188: REVERT
00000189: JUMPDEST
0000018a: DUP3
0000018b: PUSH1 0x01
0000018d: PUSH1 0x01
0000018f: PUSH1 0xa0
00000191: SHL
00000192: SUB
00000193: AND
00000194: PUSH1 0x00
00000196: DUP4
00000197: DUP4
00000198: PUSH1 0x40
0000019a: MLOAD
0000019b: PUSH2 0x01a5
0000019e: SWAP3
0000019f: SWAP2
000001a0: SWAP1
000001a1: PUSH2 0x035d
000001a4: JUMP
000001a5: JUMPDEST
000001a6: PUSH1 0x00
000001a8: PUSH1 0x40
000001aa: MLOAD
000001ab: DUP1
000001ac: DUP4
000001ad: SUB
000001ae: DUP2
000001af: DUP6
000001b0: DUP8
000001b1: GAS
000001b2: CALL
000001b3: SWAP3
000001b4: POP
000001b5: POP
000001b6: POP
000001b7: RETURNDATASIZE
000001b8: DUP1
000001b9: PUSH1 0x00
000001bb: DUP2
000001bc: EQ
000001bd: PUSH2 0x01e2
000001c0: JUMPI
000001c1: PUSH1 0x40
000001c3: MLOAD
000001c4: SWAP2
000001c5: POP
000001c6: PUSH1 0x1f
000001c8: NOT
000001c9: PUSH1 0x3f
000001cb: RETURNDATASIZE
000001cc: ADD
000001cd: AND
000001ce: DUP3
000001cf: ADD
000001d0: PUSH1 0x40
000001d2: MSTORE
000001d3: RETURNDATASIZE
000001d4: DUP3
000001d5: MSTORE
000001d6: RETURNDATASIZE
000001d7: PUSH1 0x00
000001d9: PUSH1 0x20
000001db: DUP5
000001dc: ADD
000001dd: RETURNDATACOPY
000001de: PUSH2 0x01e7
000001e1: JUMP
000001e2: JUMPDEST
000001e3: PUSH1 0x60
000001e5: SWAP2
000001e6: POP
000001e7: JUMPDEST
000001e8: POP
000001e9: POP
000001ea: POP
000001eb: POP
000001ec: POP
000001ed: POP
000001ee: JUMP
000001ef: JUMPDEST
000001f0: PUSH1 0x00
000001f2: SLOAD
000001f3: PUSH1 0x01
000001f5: PUSH1 0x01
000001f7: PUSH1 0xa0
000001f9: SHL
000001fa: SUB
000001fb: AND
000001fc: CALLER
000001fd: EQ
000001fe: PUSH2 0x0206
00000201: JUMPI
00000202: PUSH1 0x00
00000204: DUP1
00000205: REVERT
00000206: JUMPDEST
00000207: DUP2
00000208: PUSH1 0x01
0000020a: PUSH1 0x01
0000020c: PUSH1 0xa0
0000020e: SHL
0000020f: SUB
00000210: AND
00000211: DUP2
00000212: PUSH1 0x40
00000214: MLOAD
00000215: PUSH2 0x021d
00000218: SWAP1
00000219: PUSH2 0x036d
0000021c: JUMP
0000021d: JUMPDEST
0000021e: PUSH1 0x00
00000220: PUSH1 0x40
00000222: MLOAD
00000223: DUP1
00000224: DUP4
00000225: SUB
00000226: DUP2
00000227: DUP6
00000228: DUP8
00000229: GAS
0000022a: CALL
0000022b: SWAP3
0000022c: POP
0000022d: POP
0000022e: POP
0000022f: RETURNDATASIZE
00000230: DUP1
00000231: PUSH1 0x00
00000233: DUP2
00000234: EQ
00000235: PUSH2 0x025a
00000238: JUMPI
00000239: PUSH1 0x40
0000023b: MLOAD
0000023c: SWAP2
0000023d: POP
0000023e: PUSH1 0x1f
00000240: NOT
00000241: PUSH1 0x3f
00000243: RETURNDATASIZE
00000244: ADD
00000245: AND
00000246: DUP3
00000247: ADD
00000248: PUSH1 0x40
0000024a: MSTORE
0000024b: RETURNDATASIZE
0000024c: DUP3
0000024d: MSTORE
0000024e: RETURNDATASIZE
0000024f: PUSH1 0x00
00000251: PUSH1 0x20
00000253: DUP5
00000254: ADD
00000255: RETURNDATACOPY
00000256: PUSH2 0x025f
00000259: JUMP
0000025a: JUMPDEST
0000025b: PUSH1 0x60
0000025d: SWAP2
0000025e: POP
0000025f: JUMPDEST
00000260: POP
00000261: POP
00000262: POP
00000263: POP
00000264: POP
00000265: JUMP
00000266: JUMPDEST
00000267: PUSH1 0x00
00000269: SLOAD
0000026a: PUSH1 0x01
0000026c: PUSH1 0x01
0000026e: PUSH1 0xa0
00000270: SHL
00000271: SUB
00000272: AND
00000273: CALLER
00000274: EQ
00000275: PUSH2 0x027d
00000278: JUMPI
00000279: PUSH1 0x00
0000027b: DUP1
0000027c: REVERT
0000027d: JUMPDEST
0000027e: PUSH1 0x02
00000280: SSTORE
00000281: JUMP
00000282: JUMPDEST
00000283: DUP1
00000284: CALLDATALOAD
00000285: PUSH1 0x01
00000287: PUSH1 0x01
00000289: PUSH1 0xa0
0000028b: SHL
0000028c: SUB
0000028d: DUP2
0000028e: AND
0000028f: DUP2
00000290: EQ
00000291: PUSH2 0x0299
00000294: JUMPI
00000295: PUSH1 0x00
00000297: DUP1
00000298: REVERT
00000299: JUMPDEST
0000029a: SWAP2
0000029b: SWAP1
0000029c: POP
0000029d: JUMP
0000029e: JUMPDEST
0000029f: PUSH1 0x00
000002a1: DUP1
000002a2: PUSH1 0x00
000002a4: PUSH1 0x40
000002a6: DUP5
000002a7: DUP7
000002a8: SUB
000002a9: SLT
000002aa: ISZERO
000002ab: PUSH2 0x02b2
000002ae: JUMPI
000002af: DUP3
000002b0: DUP4
000002b1: REVERT
000002b2: JUMPDEST
000002b3: PUSH2 0x02bb
000002b6: DUP5
000002b7: PUSH2 0x0282
000002ba: JUMP
000002bb: JUMPDEST
000002bc: SWAP3
000002bd: POP
000002be: PUSH1 0x20
000002c0: DUP5
000002c1: ADD
000002c2: CALLDATALOAD
000002c3: PUSH8 0xffffffffffffffff
000002cc: DUP1
000002cd: DUP3
000002ce: GT
000002cf: ISZERO
000002d0: PUSH2 0x02d7
000002d3: JUMPI
000002d4: DUP4
000002d5: DUP5
000002d6: REVERT
000002d7: JUMPDEST
000002d8: DUP2
000002d9: DUP7
000002da: ADD
000002db: SWAP2
000002dc: POP
000002dd: DUP7
000002de: PUSH1 0x1f
000002e0: DUP4
000002e1: ADD
000002e2: SLT
000002e3: PUSH2 0x02ea
000002e6: JUMPI
000002e7: DUP4
000002e8: DUP5
000002e9: REVERT
000002ea: JUMPDEST
000002eb: DUP2
000002ec: CALLDATALOAD
000002ed: DUP2
000002ee: DUP2
000002ef: GT
000002f0: ISZERO
000002f1: PUSH2 0x02f8
000002f4: JUMPI
000002f5: DUP5
000002f6: DUP6
000002f7: REVERT
000002f8: JUMPDEST
000002f9: DUP8
000002fa: PUSH1 0x20
000002fc: DUP3
000002fd: DUP6
000002fe: ADD
000002ff: ADD
00000300: GT
00000301: ISZERO
00000302: PUSH2 0x0309
00000305: JUMPI
00000306: DUP5
00000307: DUP6
00000308: REVERT
00000309: JUMPDEST
0000030a: PUSH1 0x20
0000030c: DUP4
0000030d: ADD
0000030e: SWAP5
0000030f: POP
00000310: DUP1
00000311: SWAP4
00000312: POP
00000313: POP
00000314: POP
00000315: POP
00000316: SWAP3
00000317: POP
00000318: SWAP3
00000319: POP
0000031a: SWAP3
0000031b: JUMP
0000031c: JUMPDEST
0000031d: PUSH1 0x00
0000031f: DUP1
00000320: PUSH1 0x40
00000322: DUP4
00000323: DUP6
00000324: SUB
00000325: SLT
00000326: ISZERO
00000327: PUSH2 0x032e
0000032a: JUMPI
0000032b: DUP2
0000032c: DUP3
0000032d: REVERT
0000032e: JUMPDEST
0000032f: PUSH2 0x0337
00000332: DUP4
00000333: PUSH2 0x0282
00000336: JUMP
00000337: JUMPDEST
00000338: SWAP5
00000339: PUSH1 0x20
0000033b: SWAP4
0000033c: SWAP1
0000033d: SWAP4
0000033e: ADD
0000033f: CALLDATALOAD
00000340: SWAP4
00000341: POP
00000342: POP
00000343: POP
00000344: JUMP
00000345: JUMPDEST
00000346: PUSH1 0x00
00000348: PUSH1 0x20
0000034a: DUP3
0000034b: DUP5
0000034c: SUB
0000034d: SLT
0000034e: ISZERO
0000034f: PUSH2 0x0356
00000352: JUMPI
00000353: DUP1
00000354: DUP2
00000355: REVERT
00000356: JUMPDEST
00000357: POP
00000358: CALLDATALOAD
00000359: SWAP2
0000035a: SWAP1
0000035b: POP
0000035c: JUMP
0000035d: JUMPDEST
0000035e: PUSH1 0x00
00000360: DUP3
00000361: DUP5
00000362: DUP4
00000363: CALLDATACOPY
00000364: SWAP2
00000365: ADD
00000366: SWAP1
00000367: DUP2
00000368: MSTORE
00000369: SWAP2
0000036a: SWAP1
0000036b: POP
0000036c: JUMP
0000036d: JUMPDEST
0000036e: SWAP1
0000036f: JUMP
00000370: JUMPDEST
00000371: PUSH1 0x20
00000373: DUP1
00000374: DUP3
00000375: MSTORE
00000376: PUSH1 0x04
00000378: SWAP1
00000379: DUP3
0000037a: ADD
0000037b: MSTORE
0000037c: PUSH4 0x74696d65
00000381: PUSH1 0xe0
00000383: SHL
00000384: PUSH1 0x40
00000386: DUP3
00000387: ADD
00000388: MSTORE
00000389: PUSH1 0x60
0000038b: ADD
0000038c: SWAP1
0000038d: JUMP
0000038e: JUMPDEST
0000038f: SWAP1
00000390: DUP2
00000391: MSTORE
00000392: PUSH1 0x20
00000394: ADD
00000395: SWAP1
00000396: JUMP
00000397: INVALID
00000398: LOG2
00000399: PUSH5 0x6970667358
0000039f: UNKNOWN(0x22)
000003a0: SLT
000003a1: KECCAK256
000003a2: PUSH10 0x1e2252f87cf2fdc59bd7
000003ad: DUP11
000003ae: COINBASE
000003af: UNKNOWN(0xB0)
000003b0: UNKNOWN(0xEF)
000003b1: PUSH12 0x66b0ae1772e5eea34b15b14f
000003be: UNKNOWN(0xB3)
000003bf: UNKNOWN(0xA6)
000003c0: SSTORE
000003c1: UNKNOWN(0x2F)
000003c2: PUSH5 0x736f6c6343
000003c8: STOP
000003c9: ADDMOD
000003ca: ADD
000003cb: STOP
000003cc: CALLER

Findings

validated = confirmed for call sinks; sink observed for others
Severity Category Tool Title Confidence Validated Confirmed Details
high other detector Untrusted CALL target/value reachable 60 no no
view
trace_id: 0xe039be567fc6e8643f54dcf2f49487ab63e37fdbcc6a851ef5374065bcbe551c
call_targets: 0xf0b8c683a759dfc3534133dc7a9882d0ec4611b7
target_varies: no
classification: constant_target
validation_json 
{
    "sink": "CALL",
    "errors": 0,
    "status": "sink_reached",
    "attempts": 1,
    "trace_id": "0xe039be567fc6e8643f54dcf2f49487ab63e37fdbcc6a851ef5374065bcbe551c",
    "confirmed": false,
    "trace_mode": "callTracer",
    "call_targets": [
        "0xf0b8c683a759dfc3534133dc7a9882d0ec4611b7"
    ],
    "matched_probe": null,
    "target_varies": false,
    "classification": "constant_target"
}
witness_json 
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x251c1aa3",
            "selector": "0x251c1aa3",
            "calldata_variants": [
                "0x251c1aa3",
                "0x251c1aa30000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x42d5f4b2",
            "selector": "0x42d5f4b2",
            "calldata_variants": [
                "0x42d5f4b2",
                "0x42d5f4b20000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x95756c04",
            "selector": "0x95756c04",
            "calldata_variants": [
                "0x95756c04",
                "0x95756c040000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xfa449d83",
            "selector": "0xfa449d83",
            "calldata_variants": [
                "0xfa449d83",
                "0xfa449d830000000000000000000000000000000000000000000000000000000000000000"
            ]
        }
    ]
}
evidence_json 
{
    "examples": [
        {
            "pc": 166,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        },
        {
            "pc": 434,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        },
        {
            "pc": 554,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        }
    ],
    "call_count": 3,
    "guards_detected": [],
    "untrusted_call_count": 3
}
high other detector ETH value transfer possible 55 no no
view
trace_id: 0xe039be567fc6e8643f54dcf2f49487ab63e37fdbcc6a851ef5374065bcbe551c
call_targets: 0xf0b8c683a759dfc3534133dc7a9882d0ec4611b7
target_varies: no
classification: constant_target
validation_json 
{
    "sink": "CALL",
    "errors": 0,
    "status": "sink_reached",
    "attempts": 1,
    "trace_id": "0xe039be567fc6e8643f54dcf2f49487ab63e37fdbcc6a851ef5374065bcbe551c",
    "confirmed": false,
    "trace_mode": "callTracer",
    "call_targets": [
        "0xf0b8c683a759dfc3534133dc7a9882d0ec4611b7"
    ],
    "matched_probe": null,
    "target_varies": false,
    "classification": "constant_target"
}
witness_json 
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x251c1aa3",
            "selector": "0x251c1aa3",
            "calldata_variants": [
                "0x251c1aa3",
                "0x251c1aa30000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x42d5f4b2",
            "selector": "0x42d5f4b2",
            "calldata_variants": [
                "0x42d5f4b2",
                "0x42d5f4b20000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0x95756c04",
            "selector": "0x95756c04",
            "calldata_variants": [
                "0x95756c04",
                "0x95756c040000000000000000000000000000000000000000000000000000000000000000"
            ]
        },
        {
            "calldata": "0xfa449d83",
            "selector": "0xfa449d83",
            "calldata_variants": [
                "0xfa449d83",
                "0xfa449d830000000000000000000000000000000000000000000000000000000000000000"
            ]
        }
    ]
}
evidence_json 
{
    "examples": [
        {
            "pc": 166,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        },
        {
            "pc": 434,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        },
        {
            "pc": 554,
            "opcode": "CALL",
            "returndata_checked": null,
            "value_expression_category": "computed",
            "target_expression_category": "computed"
        }
    ],
    "eth_value_calls": 3,
    "guards_detected": []
}